Software Verification using Predicate Abstraction and Iterative Refinement: Part 1

Similar documents
Double Header. Model Checking. Model Checking. Overarching Plan. Take-Home Message. Spoiler Space. Topic: (Generic) Model Checking

Model Checking: An Introduction

Counterexample-Guided Abstraction Refinement

Abstractions and Decision Procedures for Effective Software Model Checking

Model Checking, Theorem Proving, and Abstract Interpretation: The Convergence of Formal Verification Technologies

3-Valued Abstraction-Refinement

Predicate Abstraction: A Tutorial

IC3 and Beyond: Incremental, Inductive Verification

SAT-Based Verification with IC3: Foundations and Demands

Model Checking. Boris Feigin March 9, University College London

Understanding IC3. Aaron R. Bradley. ECEE, CU Boulder & Summit Middle School. Understanding IC3 1/55

Lecture 2: Symbolic Model Checking With SAT

Lecture 2: Model Checking My 30 Year Quest to Conquer the State Explosion Problem

MODEL CHECKING. Arie Gurfinkel

Information Flow Analysis via Path Condition Refinement

Model Checking. Temporal Logic. Fifth International Symposium in Programming, volume. of concurrent systems in CESAR. In Proceedings of the

Applications of Craig Interpolants in Model Checking

State-Space Exploration. Stavros Tripakis University of California, Berkeley

Learning Abstractions for Model Checking

Symbolic Trajectory Evaluation (STE): Orna Grumberg Technion, Israel

Static Program Analysis

Interpolant-based Transition Relation Approximation

Automata-Theoretic Model Checking of Reactive Systems

Formal Verification Techniques. Riccardo Sisto, Politecnico di Torino

A Brief Introduction to Model Checking

Software Verification with Abstraction-Based Methods

Verification using Satisfiability Checking, Predicate Abstraction, and Craig Interpolation. Himanshu Jain THESIS ORAL TALK

PLEASE DO NOT REMOVE THIS PAGE

Relative Completeness of Abstraction Refinement for Software Model Checking

Ranking Abstraction as Companion to Predicate Abstraction

CEGAR:Counterexample-Guided Abstraction Refinement

Formal Verification. Lecture 1: Introduction to Model Checking and Temporal Logic¹

Predicate Abstraction via Symbolic Decision Procedures

Introduction. Pedro Cabalar. Department of Computer Science University of Corunna, SPAIN 2013/2014

CS 267: Automated Verification. Lecture 1: Brief Introduction. Transition Systems. Temporal Logic LTL. Instructor: Tevfik Bultan

Scalable and Accurate Verification of Data Flow Systems. Cesare Tinelli The University of Iowa

Reasoning about Strategies: From module checking to strategy logic

EECS 144/244: Fundamental Algorithms for System Modeling, Analysis, and Optimization

Model checking the basic modalities of CTL with Description Logic

Lecture Notes on Software Model Checking

Automated Compositional Analysis for Checking Component Substitutability

Alan Bundy. Automated Reasoning LTL Model Checking

Formal Verification of Mobile Network Protocols

Abstraction in Program Analysis & Model Checking. Abstraction in Model Checking. Motivations & Results

Finite-State Model Checking

Algorithmic Verification of Stability of Hybrid Systems

SAT-based Model Checking: Interpolation, IC3, and Beyond

Probabilistic Model Checking Michaelmas Term Dr. Dave Parker. Department of Computer Science University of Oxford

Software Verification

Counterexample-Guided Abstraction Refinement for Symbolic Model Checking

The Software Model Checker BLAST

Bounded Model Checking with SAT/SMT. Edmund M. Clarke School of Computer Science Carnegie Mellon University 1/39

An Interpolating Theorem Prover

Binary Decision Diagrams and Symbolic Model Checking

Algorithmic verification

Relational Interfaces and Refinement Calculus for Compositional System Reasoning

COMPRESSED STATE SPACE REPRESENTATIONS - BINARY DECISION DIAGRAMS

Computation Tree Logic (CTL) & Basic Model Checking Algorithms

CS357: CTL Model Checking (two lectures worth) David Dill

CIS 842: Specification and Verification of Reactive Systems. Lecture Specifications: Specification Patterns

An Informal introduction to Formal Verification

An Introduction to Temporal Logics

Alternating Time Temporal Logics*

The State Explosion Problem

IMITATOR: A Tool for Synthesizing Constraints on Timing Bounds of Timed Automata

Model Checking via Automatic Abstraction

Testing with model checkers: A survey

Undergraduate work. Symbolic Model Checking Using Additive Decomposition by. Himanshu Jain. Joint work with Supratik Chakraborty

or simply: IC3 A Simplified Description

EFFICIENT PREDICATE ABSTRACTION OF PROGRAM SUMMARIES

Model Checking I. What are LTL and CTL? dack. and. dreq. and. q0bar

Counterexample-Driven Model Checking

Tutorial 1: Modern SMT Solvers and Verification

Dynamic Component Substitutability Analysis

Model Checking I. What are LTL and CTL? dack. and. dreq. and. q0bar

- Introduction to propositional, predicate and higher order logics

Sanjit A. Seshia EECS, UC Berkeley

SAT in Formal Hardware Verification

Complexity and algorithms for monomial and clausal predicate abstraction

IC3, PDR, and Friends

arxiv: v1 [cs.lo] 29 May 2014

On Model Checking for Visibly Pushdown Automata

Learning to Verify Branching Time Properties

Vinter: A Vampire-Based Tool for Interpolation

Model Checking with CTL. Presented by Jason Simas

Lecture Notes on Emptiness Checking, LTL Büchi Automata

Automata, Logic and Games: Theory and Application

Progress on the State Explosion Problem in Model Checking

Predicate Abstraction in Protocol Verification

Counterexample-GuidedAbstraction Refinement

A brief history of model checking. Ken McMillan Cadence Berkeley Labs

Verification. Arijit Mondal. Dept. of Computer Science & Engineering Indian Institute of Technology Patna

Abstract Interpretation and Static Analysis

Detecting Spurious Counterexamples Efficiently in Abstract Model Checking

Overview. Discrete Event Systems Verification of Finite Automata. What can finite automata be used for? What can finite automata be used for?

Reducing CTL-live Model Checking to Semantic Entailment in First-Order Logic (Version 1)

Non-Monotonic Refinement of Control Abstraction for Concurrent Programs

An Introduction to Hybrid Systems Modeling

Introduction to SMT Solving And Infinite Bounded Model Checking

Formal Inductive Synthesis -- Theory and Applications

Transcription:

using Predicate Abstraction and Iterative Refinement: Part 1 15-414 Bug Catching: Automated Program Verification and Testing Sagar Chaki November 28, 2011

Outline Overview of Model Checking Creating Models from C Code: Predicate Abstraction Eliminating spurious behaviors from the model: Abstraction Refinement Concluding remarks : research directions, tools etc. 2

Model Checking Algorithm for answering queries about behaviors of state machines Given a state machine M and a query φ does M φ? Standard formulation: M is a Kripke structure φ is a temporal logic formula Computational Tree Logic (CTL) Linear Temporal Logic (LTL) Discovered independently by Clarke & Emerson and Queille & Sifakis in the early 1980 s 3

Scalability of Model Checking Explicit statespace exploration: early 1980s Tens of thousands of states Symbolic statespace exploration: millions of states Binary Decision Diagrams (BDD) : early 1990 s Bounded Model Checking: late 1990 s Based on propositional satisfiability (SAT) techlogy Abstraction and compositional reasoning 10 120 to effectively infinite statespaces (particularly for software) 4

Models of C Code { x=0 y=0 x=1 y=0 ; } else { + 1; + 1 x=0 y=0 x=1 y=0 } ; x=0 y=1 x=1 y=1 Program: Syntax Control Flow Graph Model: Semantics Infinite State 5

Existential Abstraction Partition concrete statespace into abstract states Each abstract state S corresponds to a set of concrete states s We write α(s) to mean the abstract state corresponding to s We define γ(s) = { s S = α(s) } Fix the transitions existentially S S s γ (S). s γ (S ). s s S S s γ (S). s γ (S ). s s Existential Abstraction is conservative [ClarkeGrumbergLong94] Strong & sometimes t computable Weak: computable If a ACTL* property holds on the abstraction, it also holds on the program LTL is a subset of ACTL* However, the converse is t true: a property that fails on the abstraction may still hold on the program Existential abstraction can be viewed as a form of abstract interpretation 6

Example of Existential Abstraction Abstract Initial State Concrete Initial State 6 Concrete State 2 1 5 8 9 Abstract State 3 Concrete Transition Abstractly Reachable but Concretely Unreachable 4 7 10 Abstract Transition Abstractly and Concretely Unreachable 7

Example of Existential Abstraction Concrete State Abstract State Concrete Transition Abstractly Reachable but Concretely Unreachable p Abstract Transition Abstractly and Concretely Unreachable G( p) 8

Predicate Abstraction + 1 Partition the statespace based on values of a finite set of predicates on program variables 9

Predicate Abstraction φ = G( ERROR) + 1 ERROR P P States where y 0 P ( y == 0 ) States where y = 0 10

Predicate Abstraction Call SAT Checker + 1 ERROR P P States where y 0 P ( y == 0 ) States where y = 0 11

Predicate Abstraction SAT Checker Query: x=0 y=1 y 0 x = 0 x = x + 1 x=0 y=1 y = y y 0 SAT Checker Answer: SAT and here s a solution x=0, y=1, x =0, y =1 P States where y 0 P ( y == 0 ) 12

Predicate Abstraction SAT Checker Query: x=1 y=1 y 0 x 0 x = x + 1 x=1 y=1 y = y y 0 SAT Checker Answer: SAT and here s a solution x=1, y=1, x =1, y =1 P States where y 0 P ( y == 0 ) 13

Predicate Abstraction SAT Checker Query: y 0 x = x + 1 x=1 y=1 y = x+1 y 0 SAT Checker Answer: x=1 y=2 SAT and here s a solution P x=1, y=1, x =1, y =2 States where y 0 P ( y == 0 ) 14

Predicate Abstraction SAT Checker Query: y 0 x = x + 1 x=1 y=1 y = x y 0 SAT Checker Answer: x=1 y=1 P SAT and here s a solution x=1, y=1, x =1, y =1 States where y 0 P ( y == 0 ) 15

Predicate Abstraction No predicates about x + 1 ERROR P P States where y 0 P ( y == 0 ) States where y = 0 16

Imprecision due to Predicate Abstraction Counterexamples generated by model checking the abstract model may be spurious, i.e., t concretely realizable Need to refine the abstraction iteratively by changing the set of predicates Can infer new set of predicates by analyzing the spurious counterexample Lot of research in doing this effectively Counterexample Guided Abstraction Refinement (CEGAR) A.K.A. Iterative Abstraction Refinement A.K.A. Iterative Refinement 17

Model Checking + 1 ERROR P P φ = G( ERROR) P ( y == 0 ) 18

Model Checking + 1 ERROR P P φ = G( ERROR) P ( y == 0 ) 19

Model Checking ERROR P P P ( y == 0 ) 20

Counterexample Validation Simulate counterexample symbolically Call SAT Checker to determine if the post-condition is satisfiable In our case, Counterexample is spurious New set of predicates {x==0,y==0} 21

Counterexample Validation SAT Checker Query: x 0 y = x y = 0 SAT Checker Answer: UNSAT and here s an UNSAT core {x 0, y = x, y = 0} Used to derive new predicate (x=0) Different heuristics used in practice 22

Predicate Abstraction: 2 nd Iteration + 1 P Q P P Q P Q P Q x 0 y 0 P ( x == 0 ) Q ( y == 0 ) X = 0 y = 0 23

Predicate Abstraction: 2 nd Iteration + 1 ERROR ERROR P Q P P Q P Q P Q x 0 y 0 P ( x == 0 ) Q ( y == 0 ) X = 0 y = 0 24

Predicate Abstraction: 2 nd Iteration + 1 ERROR ERROR P Q P P Q P Q P Q x 0 y 0 P ( x == 0 ) Q ( y == 0 ) X = 0 y = 0 25

Predicate Abstraction: 2 nd Iteration + 1 ERROR ERROR P Q P P Q P Q P Q x 0 y 0 P ( x == 0 ) Q ( y == 0 ) X = 0 y = 0 26

Predicate Abstraction: 2 nd Iteration + 1 ERROR ERROR P Q P P Q P Q P Q x 0 y 0 P ( x == 0 ) Q ( y == 0 ) X = 0 y = 0 27

Predicate Abstraction: 2 nd Iteration + 1 ERROR ERROR P Q P P Q P Q P Q x 0 y 0 P ( x == 0 ) Q ( y == 0 ) X = 0 y = 0 28

Model Checking: 2 nd Iteration + 1 ERROR ERROR SUCCESS P Q P P Q P Q P Q φ = G( ERROR) P ( x == 0 ) Q ( y == 0 ) 29

Iterative Refinement: Summary Choose an initial set of predicate, and proceed iteratively as follows: 1. Abstraction: Construct an abstract model M of the program using the predicate abstraction 2. Verification: Model check M. If model checking succeeds, exit with success. Otherwise, get counterexample CE.. 3. Validation: Check CE for validity. If CE is valid, exit with failure. 4. Refinement: Otherwise, update the set of predicates and repeat from Step 1. 30

Iterative Refinement Program Initial Predicates Better Predicates Predicate Abstraction Abstract Model SAT Checker Model Checking No Candidate Counterexample Yes System OK Localization Reduction, Kurshan, Bell Labs Counterexampleguided Abstraction Refinement for Symbolic Model Checking, Clarke et al., CMU Predicate Refinement No Counterexample Valid? Yes Problem Found Software Model Checking, SLAM Project, Microsoft, Ball & Rajamani 31

Predicate Abstraction: Optimizations 1. Construct transitions on-the-fly 2. Different set of predicates at different control locations P ( x == 0 ) P ( x == 0 ) + 1 P ( x == 0 ) Q ( y == 0 ) 3. Avoid exponential number of theorem-prover calls 32

Research Areas Finding good predicates Technically as hard as finding good loop invariants Complexity is linear in LOC but exponential in number of predicates Combining with static analysis Alias analysis, invariant detection, constant propagation Inexpensive, and may make subsequent model checking more efficient Bounded model checking 33

Software Model Checking Tools Iterative Refinement SLAM, BLAST, MAGIC, Copper, SATABS, Bounded Model Checking Others CBMC, Engines: MOPED, BEBOP, BOPPO, Next lecture Following lecture Java: Java PathFiner, Bandera, BOGOR, C: CMC, CPAChecker, 34

Bibliography Existential Abstraction: Edmund M. Clarke, Orna Grumberg, David E. Long: Model Checking and Abstraction. ACM Trans. Program. Lang. Syst. 16(5): 1512-1542 (1994) Predicate Abstraction: Construction of abstract state graphs with PVS, S. Graf, H. Saidi, Proceedings of Computer Aided Verification (CAV), 1997 Abstraction Refinement for C: Automatically Validating Temporal Safety Properties of Interfaces, T. Ball, S. Rajamani, Proceedings of the SPIN Workshop, 2001 Software Model Checking Techlogy Transfer: SLAM and Static Driver Verifier: Techlogy Transfer of Formal Methods inside Microsoft, T. Ball, B. Cook, V. Levin, S. Rajamani, Proceedings of Intergrated Formal Methods, 2004 35

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback