
1
Combining Predicate and Numeric Abstraction for Software Model Checking
Arie Gurfinkel and Sagar Chaki
Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA 15213
© 2006 Carnegie Mellon University

2
Combining PA and NA for Soft MC Gurfinkel and Chaki © 2006 Carnegie Mellon University
Automated Software Analysis
[Figure: Program -> Automated Analysis -> Correct / Incorrect]
- Software Model Checking with Predicate Abstraction, e.g., Microsoft's SDV
- Abstract Interpretation with Numeric Abstraction, e.g., ASTREE, Polyspace

3
Predicate and Numeric Abstractions
Predicate Abstraction (PA) (e.g., SDV)
- Typical property: no lock is acquired twice
- Reduces program verification to propositional reasoning with a model checker
- Works well for control-driven programs, and poorly for data-driven programs
Numeric Abstraction (NA) (e.g., ASTREE)
- Typical property: no arithmetic overflow
- Reduces program verification to arithmetic reasoning
- Works well for data-driven programs, and poorly for control-driven programs
How to combine PA and NA to get the best of both?

4
Outline
- Predicate and Numeric Abstraction for Program Analysis
  - Strengths and Weaknesses
  - An "Ideal" Combination
- PA+NA Combination
  - Abstract Transformers
  - Data Structures
- Experimental Results
- Current and Future Work

5
Predicate Abstraction: An Example
Predicates: p1: i=1, p2: i=2, p3: x1>0, p4: x2<0

Program:
  assume (i=1 || i=2)
  if (i = 1) x1 := i;
  else if (i = 2) x2 := -4;
  if (i = 1) assert (x1 > 0);
  else if (i = 2) assert (x2 < 0);

Predicate abstraction:
  assume (p1 || p2)
  if (p1) p3 := ch(p1 || p2, false);
  else if (p2) p4 := true;
  if (p1) assert (p3);
  else if (p2) assert (p4);

Meaning of the choice operator p := ch(tt, ff):
  if (tt) p := 1;
  else if (ff) p := 0;
  else p := *;

6
Analysis with Predicate Abstraction
Predicates: p1: i=1, p2: i=2, p3: x1>0, p4: x2<0

Abstract program with the computed invariant at each program point (in braces):
  assume (p1 || p2)                   { p1 || p2 }
  if (p1)                             { p1 }
    p3 := ch(p1 || p2, false);        { p1 && p3 }
  else if (p2)                        { !p1 && p2 }
    p4 := true;                       { !p1 && p2 && p4 }
                                      { p1 && p3 || !p1 && p2 && p4 }
  if (p1) assert (p3);                { p1 && p3 }
  else if (p2) assert (p4);           { p2 && p4 }

7
Predicate Abstraction: Strengths/Weaknesses
Strengths
- Works well for control-dependent properties
- Completely automated
- Predicates can come from any theory that has an automated (semi-)decision procedure
- Supports any Boolean combination of predicates
- Compatible with CounterExample Guided Abstraction Refinement
Weaknesses
- Scalability (construction and analysis)
- Restricted to finite abstract domains

8
Numeric Abstract Interpretation
- Analysis is restricted to a fixed Abstract Domain
- An Abstract Domain is "a restricted (possibly infinite) set of predicates" + efficient operations
Examples of Numeric Abstract Domains
- Signs: the sign of x (negative, zero, positive)
- Intervals: c1 <= x <= c2, where c1, c2 are constants
- Octagons: ±x ± y <= c, where c is a constant
- Polyhedra: a1 x1 + a2 x2 + a3 x3 + a4 <= 0, where a1, a2, a3, a4 are constants

9
AbsDom Interface
  interface AbsDom(V)
    A – abstract elements, E – expressions, S – statements
    α      : E → A
    γ      : A → E
    meet   : A x A → A
    join   : A x A → A
    leq    : A x A → bool
    isTop  : A → bool
    isBot  : A → bool
    αPost  : S → (A → A)
    widen  : A x A → A

All operations are over-approximations, e.g.,
  γ(a) || γ(b) => γ(join(a, b))
  γ(a) && γ(b) => γ(meet(a, b))

10
Example: The Domain of Intervals
  Operation                                     Example
  α(1 <= x <= 10) = (1, 10)                     γ((1, 10)) = 1 <= x <= 10
  (a, b) meet (c, d) = (max(a,c), min(b,d))     (1, 10) meet (2, 12) = (2, 10)
  (a, b) join (c, d) = (min(a,c), max(b,d))     (1, 3) join (7, 12) = (1, 12)   (over-approximation)
  αPost(x := x + 1)((a, b)) = (a+1, b+1)        (1, 10) + 1 = (2, 11)

11
Analysis with Intervals NA (1)
Program with the interval invariant at each program point (in braces):
  assume (i=1 || i=2)                 { 1 <= i <= 2 }
  if (i = 1) x1 := i;                 { i=1 }  then  { i=1 && x1=1 }
  else if (i = 2) x2 := -4;           { i=2 }  then  { i=2 && x2=-4 }
                                      { 1 <= i <= 2 }   (the join drops the correlation between i and x1, x2)
  if (i = 1) assert (x1 > 0);         { i=1 }
  else if (i = 2) assert (x2 < 0);    { i=2 }

12
Analysis with Intervals NA (2)
  if (3 <= y1 <= 4) {                 { 3 <= y1 <= 4 }
    x1 := y1 - 2; x2 := y1 + 2;       { 1 <= x1 <= 2, 5 <= x2 <= 6 }
  } else if (3 <= y2 <= 4) {          { 3 <= y2 <= 4 }
    x1 := y2 - 2; x2 := y2 + 2;       { 1 <= x1 <= 2, 5 <= x2 <= 6 }
  } else return;
                                      { 1 <= x1 <= 2, 5 <= x2 <= 6 }
  assert (5 <= x1 + x2 <= 10);

13
Strengths/Weaknesses of Numeric Abstraction
Strengths
- Fully automated
- Scalable
- Supports infinite abstract domains
- (Supports) automated refinement
Weaknesses
- Limited to a few theories (intervals, octagons, polyhedra)
- Restricted to conjunctions of terms
- Loses precision very quickly (join, widen, etc.)

14
"Ideal" combination of PA + NA
Program:
  assume (x1 = x2);
  if (A[y1+y2] = 3) {
    x1 := y1 - 2;
    x2 := y2 + 2;
  } else A[x1+x2] := 5;
  if (A[x1+x2] = 3) {
    x1 := x1 + x2;
    x2 := x2 + y1;
  }
  assert (x1 = x2)

Predicates: p: A[y1+y2]=3, q: A[x1+x2]=3

15
Abstract with Predicates
Predicates: p: A[y1+y2]=3, q: A[x1+x2]=3

Program abstracted with the predicates (numeric assignments kept, predicates updated in parallel):
  assume (x1 = x2);
  if (p) {
    x1 := y1 - 2 && q := *;
    x2 := y2 + 2 && q := ch((x1=y1-2) && p, f)
  } else q := false;
  if (q) {
    x1 := x1 + x2;
    x2 := x2 + y1;
  }
  assert (x1 = x2)

16
Analyzing with PA + NA
Predicates: p: A[y1+y2]=3, q: A[x1+x2]=3

Abstract program with the computed invariant at each program point (in braces):
  assume (x1 = x2);                                 { x1=x2 }
  if (p) {                                          { p && x1=x2 }
    x1 := y1 - 2 && q := *;                         { p && x1=y1-2 }
    x2 := y2 + 2 && q := ch((x1+2 = y1) && p, f)    { p && x1=y1-2 && x2=y2+2 && q }
  } else q := false;                                { !p && !q && x1=x2 }
                                                    { p && x1=y1-2 && x2=y2+2 && q || !p && !q && x1=x2 }
  if (q) {                                          { p && x1=y1-2 && x2=y2+2 && q }
    x1 := x1 + x2;                                  { p && x1=y1+y2 && x2=y2+2 && q }
    x2 := x2 + y1 - 2;                              { p && x1=y1+y2 && x2=y2+y1 && q }
  }
  assert (x1 = x2)

17
Grammar for Our Abstract Transformer
  τ  ::= (e ? τN) && τP
       | τ || τ                 (nondet)
       | τ ; τ                  (sequence)
  e  ::= boolean expression over predicate and numeric terms
  τP ::= p := ch(e, e)
       | τP && τP               (parallel)
  τN ::= assignment to numeric terms

18
Transformer Examples
Predicates: p1: z=&x, p2: z=&y, p3: y=1

  Concrete Transformer            Abstract Transformer
  assume (*z > 0)                 (p1 && x>0 || p2 && y>0 || !p1 && !p2) ? skip
  *z = u + 1                      (p1 ? x := u + 1) || (p2 ? y := u + 1) || (!p1 && !p2 ? skip)
  y = x && x = (y = 1 ? v : w)    (p3 ? x := v || !p3 ? x := w) && p3 := ch(x=1, x!=1)

19
Overview of Our 4 Data Structures
  Name       Example                                         Num. Terms
  NEXPoint   (p || q) && (0 <= x <= 5)                       Explicit
  NEX        (p && 0<=x<=3) || (!p && 1<=x<=5)               Explicit
  MTNDD      (p && 0<=x<=3) || (!p && 1<=x<=5)               Symbolic
  NDD        (p && (x=0 || x=3)) || (!p && (x=1 || x=5))     Symbolic

20
NEXPoint
NEXPoint elements are of the form (P, N):
- P: a BDD over predicates
- N: an element of the numeric abstract domain
All operations are pairwise.

21
Numeric EXplicit (NEX)
- NEX elements are lists of NEXPoints [(P1, N1), ..., (Pk, Nk)]
- satisfying the partitioning condition: Pi ∩ Pj = ∅ for i ≠ j
- Operations are done using NEXPoint operations, but respect the partitioning condition

22
The Partitioning Condition
[Figure: the predicate space split by p, !p, q, !q, with a numeric element (x>0, y>0) attached to each block of the partition]
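An added example, not from the slides or from the authors' Java implementation: the interval operations of slide 10 and the NEXPoint versus NEX join of slides 19 to 21, in Python. The BDD over predicates is modelled as the set of satisfying valuations, the widening is the standard interval widening, and the helper names lit, nexpoint_join, nex_join and demo are my own.

```python
from itertools import product

PREDS = ("p", "q")                 # predicate names, as in the slide 19 examples
INF = float("inf")

# --- numeric part: the interval domain of slide 10; None stands for bottom ---
def meet(a, b):                    # (a,b) meet (c,d) = (max(a,c), min(b,d))
    if a is None or b is None: return None
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return None if lo > hi else (lo, hi)

def join(a, b):                    # (a,b) join (c,d) = (min(a,c), max(b,d)), over-approximates
    if a is None: return b
    if b is None: return a
    return (min(a[0], b[0]), max(a[1], b[1]))

def leq(a, b):                     # interval inclusion
    return a is None or (b is not None and b[0] <= a[0] and a[1] <= b[1])

def widen(a, b):                   # assumed: a bound that grows jumps to infinity
    j = join(a, b)
    if a is None: return j
    return (a[0] if j[0] >= a[0] else -INF, a[1] if j[1] <= a[1] else INF)

def post_add(a, c):                # alphaPost(x := x + c)((a,b)) = (a+c, b+c)
    return None if a is None else (a[0] + c, a[1] + c)

# --- predicate part: BDD stand-in, the frozenset of valuations satisfying a formula ---
ALL = frozenset(product((False, True), repeat=len(PREDS)))   # constant true
def lit(name, value=True):         # valuations where predicate `name` has `value`
    i = PREDS.index(name)
    return frozenset(v for v in ALL if v[i] == value)

# --- NEXPoint (slide 20): one (P, N) pair, every operation is pairwise ---
def nexpoint_join(x, y):
    return (x[0] | y[0], join(x[1], y[1]))

# --- NEX (slide 21): list of NEXPoints whose P parts are pairwise disjoint ---
def nex_join(xs, ys):
    out = []
    for p, n in xs:
        for q, m in ys:
            if p & q:                               # shared valuations: join numerically
                out.append((p & q, join(n, m)))
    cover_x = frozenset().union(*(p for p, _ in xs))
    cover_y = frozenset().union(*(q for q, _ in ys))
    out += [(p - cover_y, n) for p, n in xs if p - cover_y]   # valuations only in xs
    out += [(q - cover_x, m) for q, m in ys if q - cover_x]   # valuations only in ys
    return out                                      # partitioning condition preserved

def demo():                        # slide 19: p && 0<=x<=3 joined with !p && 1<=x<=5
    a, b = (lit("p"), (0, 3)), (lit("p", False), (1, 5))
    return nexpoint_join(a, b), nex_join([a], [b])
```

NEXPoint collapses the two branches to true && 0 <= x <= 5, while NEX keeps (p && 0<=x<=3) || (!p && 1<=x<=5), which is exactly the precision difference the table on slide 19 illustrates.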

23
Multi-Terminal Numeric Decision Diagrams (MTNDD)
- MTNDD elements are Decision Diagrams with numeric values at the terminals
- Example: p1 && !p2 && (x>0) && (x=y), with predicates p1: x>0, p2: z<y and BDD variables b1: p1, b2: p2
[Figure: MTNDD with decision nodes b1, b2 and terminal x>0 && x=y; 1-edges are black, 0-edges are red, edges to the 0 node are not shown]

24
Numeric Decision Diagrams (NDD)
- NDD elements are BDDs over Predicate and Numeric Terms
- Example: (p1 && p2) || (x<0 && y=z), with predicates p1: x>=0, p2: z>0
- normalize: (x>=0 && z>0) || (!(x>=0) && y=z)
- BDD variables: b1: x>=0, b2: z>0, b3: y=z
[Figure: NDD with decision nodes b1, b2, b3 and terminal 1; 1-edges are black, 0-edges are red, edges to the 0 node are not shown]

25
Summary of the Data Structures
Columns: Precision; Scalability (PA alone, NA alone, Prop Op, Num Op)
  NEXPoint   -+++
  NEX        +-+++-
  MTNDD      +-+++-
  NDD        ++++- --

26
Experimental Results
- Java implementation
- Numeric domains implemented on top of the Apron library
- Synthetic examples used to validate specific conjectures
  - NEX and MTNDD better than NDD when numeric joins are exact, since NDD uses exact unions while the others use numeric join
  - NDD better than the others when invariants are propositionally complex, since NDD has the most sharing capability
- Realistic examples used to gauge overall performance
  - Total 11 examples: Zitser buffer overflow (3), OpenSSL (2), metal-casting plant controller (4), Micro-C OS (2)

27
Experimental Results
  Domain     #Exp.   Total   Gamma   Join   alphaPost   Image
  Numeric      7       5.7    1.5    0.4       0.5       0.3
  Predicate    9     133.0    0.1              0.5       0.1
  NEXPoint    10      19.0    0.8    0.9       4.5       5.0
  NEX         11      25.6    0.9    2.6       4.5       6.3
  MTNDD       11      35.3    0.03   0.6       2.7      20.4
  NDD         11      23.7    0.06   0.4       2.0      10.2
(all times are in seconds)

28
Related Work
- Abstract Interpretation [CC'92]: our domain ≈ reduced direct product of Predicate and Numeric domains
- Jain et al. [CAV'06]: applies numeric invariants to simplify predicate abstraction; weaker than NEXPoint
- Fischer et al. [FSE'05], Beyer et al. [CAV'07, CAV'06]: predicate abstraction + abstract domain; similar to NEXPoint, but with simpler transfer functions
- Bultan et al. [TOSEM'00]: MC of programs with Boolean and numeric variables using the Omega library; similar to NEX, but with simpler transfer functions

29
Current and Future Work
- We are working on a more comprehensive benchmark suite
- Need automated abstraction-refinement for PA + NA
- In the current implementation, the abstract domain is treated as a black box. We are exploring a tighter integration between predicate and numeric domains: smarter numeric transfer functions, smarter DD variable ordering, etc.

