Property Directed Equivalence via Abstract Simulation. Grigory Fedyukovich, Arie Gurfinkel, and Natasha Sharygina

Similar documents
Incremental Proof-Based Verification of Compiler Optimizations

Automated Discovery of Simulation Between Programs. Grigory Fedyukovich, Arie Gurfinkel, and Natasha Sharygina

Property Directed Equivalence via Abstract Simulation

Program Analysis Part I : Sequential Programs

Hoare Logic I. Introduction to Deductive Program Verification. Simple Imperative Programming Language. Hoare Logic. Meaning of Hoare Triples

SAT-Based Verification with IC3: Foundations and Demands

IC3 and Beyond: Incremental, Inductive Verification

Information Flow Analysis via Path Condition Refinement

Automated Discovery of Simulation Between Programs

EFFICIENT PREDICATE ABSTRACTION OF PROGRAM SUMMARIES

Program verification. Hoare triples. Assertional semantics (cont) Example: Semantics of assignment. Assertional semantics of a program

Floyd-Hoare Style Program Verification

arxiv: v1 [cs.lo] 29 May 2014

Validity-Guided Synthesis of Reactive Systems from Assume-Guarantee Contracts

Pushing to the Top FMCAD 15. Arie Gurfinkel Alexander Ivrii

Hoare Logic: Reasoning About Imperative Programs

IMITATOR: A Tool for Synthesizing Constraints on Timing Bounds of Timed Automata

Integrating Induction and Deduction for Verification and Synthesis

What happens to the value of the expression x + y every time we execute this loop? while x>0 do ( y := y+z ; x := x:= x z )

Weakest Precondition Calculus

FMCAD 2013 Parameter Synthesis with IC3

Loop Invariants and Binary Search. Chapter 4.4, 5.1

Generalized Property Directed Reachability

Software Verification

Solving SAT Modulo Theories

Topics in Model-Based Reasoning

Hoare Logic (I): Axiomatic Semantics and Program Correctness

Scalable and Accurate Verification of Data Flow Systems. Cesare Tinelli The University of Iowa

Reasoning About Imperative Programs. COS 441 Slides 10b

3-Valued Abstraction-Refinement

Abstractions and Decision Procedures for Effective Software Model Checking

Non-linear Interpolant Generation and Its Application to Program Verification

Understanding IC3. Aaron R. Bradley. ECEE, CU Boulder & Summit Middle School. Understanding IC3 1/55

Hoare Logic and Model Checking

In this episode of The Verification Corner, Rustan Leino talks about Loop Invariants. He gives a brief summary of the theoretical foundations and

Model Checking, Theorem Proving, and Abstract Interpretation: The Convergence of Formal Verification Technologies

Constraint Solving for Program Verification: Theory and Practice by Example

Program verification using Hoare Logic¹

Synthesizing from Components: Building from Blocks

Semantic Equivalences and the. Verification of Infinite-State Systems 1 c 2004 Richard Mayr

Validity-Guided Synthesis of Reactive Systems from Assume-Guarantee Contracts

Axiomatic Semantics. Stansifer Ch 2.4, Ch. 9 Winskel Ch.6 Slonneger and Kurtz Ch. 11 CSE

IC3, PDR, and Friends

Program Verification as Probabilistic Inference

COP4020 Programming Languages. Introduction to Axiomatic Semantics Prof. Robert van Engelen

Exploiting Synchrony and Symmetry in Relational Verification

Optimization-based Modeling and Analysis Techniques for Safety-Critical Software Verification

Central Algorithmic Techniques. Iterative Algorithms

Algorithmic verification

Hoare Logic: Part II

Dynamic Semantics. Dynamic Semantics. Operational Semantics Axiomatic Semantics Denotational Semantic. Operational Semantics

Lecture 2: Symbolic Model Checking With SAT

Formal Methods in Software Engineering

Software Verification using Predicate Abstraction and Iterative Refinement: Part 1

Ivy: Safety Verification by Interactive Generalization

Last Time. Inference Rules

Axiomatic Verification II

Proof Certificates for SMT-based Model Checkers. Alain Mebsout and Cesare Tinelli SMT 2016 July 2 nd, 2016

Proofs of Correctness: Introduction to Axiomatic Verification

Predicate Abstraction and Refinement for Verifying Multi-Threaded Programs

Foundations of Computation

CSC 7101: Programming Language Structures 1. Axiomatic Semantics. Stansifer Ch 2.4, Ch. 9 Winskel Ch.6 Slonneger and Kurtz Ch. 11.

Formal Specification and Verification. Specifications

Constraint Solving for Program Verification: Theory and Practice by Example

Sampling Invariants from Frequency Distributions

SAT-Solving: From Davis- Putnam to Zchaff and Beyond Day 3: Recent Developments. Lintao Zhang

Static Program Analysis using Abstract Interpretation

The TLA + proof system

Axiomatic Semantics. Operational semantics. Good for. Not good for automatic reasoning about programs

Lecture Notes: Axiomatic Semantics and Hoare-style Verification

Axiomatic Semantics: Verification Conditions. Review of Soundness and Completeness of Axiomatic Semantics. Announcements

Spring 2015 Program Analysis and Verification. Lecture 4: Axiomatic Semantics I. Roman Manevich Ben-Gurion University

Proof Certificates for SMT-based Model Checkers for Infinite State Systems. Alain Mebsout and Cesare Tinelli FMCAD 2016 October 5 th, 2016

Sciduction: Combining Induction, Deduction, and Structure for Verification and Synthesis

CS 267: Automated Verification. Lecture 1: Brief Introduction. Transition Systems. Temporal Logic LTL. Instructor: Tevfik Bultan

Integrating Induction, Deduction and Structure for Synthesis

Computer-Aided Program Design

SAT-based Model Checking: Interpolation, IC3, and Beyond

Model Checking: An Introduction

The Polyranking Principle

The Eager Approach to SMT. Eager Approach to SMT

Logical Abduction and its Applications in Program Verification. Isil Dillig MSR Cambridge

or simply: IC3 A Simplified Description

Spring 2016 Program Analysis and Verification. Lecture 3: Axiomatic Semantics I. Roman Manevich Ben-Gurion University

Algorithmic Verification of Stability of Hybrid Systems

Solutions to exercises for the Hoare logic (based on material written by Mark Staples)

Ranking Verification Counterexamples: An Invariant guided approach

G54FOP: Lecture 17 & 18 Denotational Semantics and Domain Theory III & IV

LRA Interpolants from No Man s Land. Leonardo Alt, Antti E. J. Hyvärinen, and Natasha Sharygina University of Lugano, Switzerland

COEN6551: Formal Hardware Verification

INVARIANT RELATIONS: A CONCEPT FOR ANALYZING WHILE LOOPS. Ali Mili, NJIT NII, Tokyo, Japan December 20, 2011

Axiomatic Semantics: Verification Conditions. Review of Soundness of Axiomatic Semantics. Questions? Announcements

Design of Distributed Systems Melinda Tóth, Zoltán Horváth

The Assignment Axiom (Hoare)

Automatic Verification of Parameterized Data Structures

ICS141: Discrete Mathematics for Computer Science I

CS256/Winter 2009 Lecture #6. Zohar Manna

Classical Program Logics: Hoare Logic, Weakest Liberal Preconditions

Symmetry Reduction and Heuristic Search for Error Detection in Model Checking p.1/??

Transcription:

Property Directed Equivalence via Abstract Simulation Grigory Fedyukovich, Arie Gurfinkel, and Natasha Sharygina CAV, Jul 23, 2016

Motivation / Goals Little Leaks Add Up to Big Bills software safety must be re-proven after even a small change verification from scratch is expensive Property Directed Equivalence of Programs in contrast to absolute equivalence check whether two programs both satisfy the same property Safety Proof Migration formally verify one program aim at establishing a simulation relation lift the proof using the simulation to another program 1

counter-example change impact Big Picture Niagara Framework...... Simulation Discovery to synthesize a mapping between variables [LPAR 15] evolution process V i proof program encoding Simulation Discovery prev. round V i Proof Adapt to migrate the proof certificate across evolution boundaries to obtain a counter-example and a change impact Program Repair 2 to provide a hint to the user how to fix the detected bug [NFM 14] [CAV 16] [tbd...] evolution process... candidate repair simulation relation abstraction of Vi proof to be adapted proof program Proof V i+1 encoding Adapt V i+1 evolution process program encoding program encoding Program Repair adapted proof enable next round...

What We Mean By Proofs [Hoare 69] Hoare Triples {precond} code {postcond} precond, postcond are expressions over program variables code is some code fragment That is, if code starts in a state satisfying precond and terminates, then code ends in a state satisfying postcond Example {x>=0} x++; if (*) x:=1 else x++ {x>=1} validity of the triple as unsatisfiability of the formula: (x 0 0) ^ (x 1 = x 0 + 1) ^ (x 2 =1_ x 2 = x 1 + 1) ^ (x 2 1) =)? 3

Example Safe Program {>} {x 0} {?} Cutpoint graph (CPG) [Beyer et al. 09] generalization of classical Control-Flow graph each edge is a longest loop-free program path A safety proof is a mapping from nodes of CPG to expressions such that each edge is a valid Hoare triple (inductiveness) entry location is mapped to true error location is mapped to false (safety) 4 Assume no overflow for simplicity of presentation

Example Safe Program Evolved and Got an Extra Loop {>} {>} {?} {x 0} {?} {?} {?} 5 Assume no overflow for simplicity of presentation

Example Establishing Simulation between Programs {>} {>} {?} {x 0} {?} {?} {?} 5 Assume no overflow for simplicity of presentation

Example Using Simulation to Lift Proofs between Programs {>} {>} {x 0} {x 0} {x 0} {?} safety is preserved {?} 5 Assume no overflow for simplicity of presentation

Abstract Simulation Discovery [Milner 71] Searching for total simulation relations for each behavior of one program (called source) there should exist a behavior of another program (called target) matched by some simulation relation Synthesizing abstract simulation relations if the target does not simulate the source search for an abstraction of the target that does 6

Prior Work big picture [LPAR 15] source target Two loops T i.e., allowing the target to have more behaviors first, find an abstraction via T second, refine using Skolem as much as possible i.e., removing some infeasible behavior Sk 7

Prior Work big picture [LPAR 15] source target Two loops i.e., allowing the target to have more behaviors first, find an abstraction via T T second, refine using Skolem as much as possible i.e., removing some infeasible behavior Sk Drawback: No control over abstraction Only concrete simulations can be used to lift proofs Abstract simulations are not generally applicable 7

Lifting Proofs via Simulation [Pnueli et al. 00] [Namjoshi 03] Given programs S, T (~y ) is invariant of T (~y ) If T (~y ) simulates S(~x ) via (~x, ~y ) then 9~y (~x, ~y ) ^ (~y ) is an invariant of S(~x ) 8

Lifting Proofs via Simulation [Pnueli et al. 00] [Namjoshi 03] Given programs S, T (~y ) is invariant of T (~y ) If T (~y ) simulates S(~x ) via (~x, ~y ) then 9~y (~x, ~y ) ^ (~y ) is an invariant of S(~x ) But Concrete simulations are not needed It is enough to find an abstraction of T simulates S is safe with respect to (~y ) 8

Property Preserving Abstraction T Produced by mapping each CPG-edge by the invariant over the post-state 9

Our Solution ASSI + : Abstract Simulation Synthesis with Invariants forces the abstraction to preserve safety still goes to abstraction level when needed no Skolem-based refinement 10

Lifting Invariants Directly Given programs, S(~x ) T (~y ) (~y ) is invariant of T (~y ) simulates S(~x ) via then 9~y (~x, ~y ) ^ (~y ) is an invariant of S(~x ) (~x, ~y ) 11

Lifting Invariants Partially When delivered abstraction T (~y ) is too weak: i.e., abstraction T (~y ) does not preserve (~y ) but still S(~x ) T (~y ) S(~x ) thus, 9~y (~x, ~y ) ^ (~y ) is not an invariant of 12

Lifting Invariants Partially We propose weakening (~y ) =) 0 (~y ) 0 (~y ) T (~y ) S(~x ) such that is an invariant for then 9~y (~x, ~y ) ^ 0 (~y ) is an invariant of strengthening 9~y (~x, ~y ) ^ 0 (~y ) to become safe invariant of S(~x ) reducing the problem to Constraint Horn Solving When delivered abstraction T (~y ) is too weak: i.e., abstraction T (~y ) does not preserve (~y ) but still S(~x ) T (~y ) S(~x ) thus, 9~y (~x, ~y ) ^ (~y ) is not an invariant of 12

To recap ASSI + : Abstract Simulation Synthesis with Invariants forces the abstraction to preserve safety still goes to abstraction level when needed no Skolem-based refinement PDE Property Directed Equivalence exploits ASSI + and checks if the delivered abstraction is psi-safe skips verification if success (i.e., if the invariants are lifted completely) Verify 13 lifts the invariants partially via abstract simulation performs counter-example-guided weakening of invariants strengthens the invariants using Constraint Horn Solving

Evaluation ASSI + vs SimAbs Tools LLVM compiler + indvars + licm optimization passes UFO model checker (Z3/ PDR engine) to get proofs 115 Safe C programs from SVCOMP 13 psi-safe abstractions by SimAbs 39 psi-safe abstractions by ASSI in order of magnitude faster 14

Evaluation PDE vs UFO Tools LLVM compiler + indvars + licm optimization passes UFO model checker (Z3/ PDR engine) to get proofs, perform weakening/strengthening 115 Safe C programs from SVCOMP: 90: PDE outperformed UFO 15

Conclusion Incremental Verification Fully automated and exhaustive analysis of software versions SMT-based Unbounded Model Checking The first approach that combines using Reusable specifications Relational specifications Implemented and Evaluated ASSI + and PDE within Niagara framework Validation of non-trivial LLVM-optimizations 16

Thank you!

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback