Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lazy Abstraction Tom Henzinger Ranjit Jhala Rupak Majumdar Grégoire Sutre.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "Lazy Abstraction Tom Henzinger Ranjit Jhala Rupak Majumdar Grégoire Sutre."— Presentation transcript:

1 Lazy Abstraction Tom Henzinger Ranjit Jhala Rupak Majumdar Grégoire Sutre

2 2 Goals  Verification of software  safety properties  C programs  Application to systems software  e.g. Check correct use of locks

3 3 How?  Model checking  Predicate Abstraction  focus on essential properties  decision procedures and BDDs  Counterexample driven refinement

4 4 Outline  Counterexample-driven refinement  drawbacks  Predicate Abstraction  Lazy Predicate Abstraction  intuitive description, example  Discussion

5 5 SLAM review  Predicate abstractor: C2bp  C program Boolean program  Model checker: Bebop  on Boolean programs  Predicate discovery: Newton  counterexample guided refinement

6 Is ERROR reachable? Yes, path p No model check Return “No” 66 Is p feasible in P? No, explanationYes refine don’t know Return “Yes”, pReturn “don’t know” P B Is ERROR reachable? abstract Initial predicates

7 7 Related Work  Microsoft SLAM project  Abstractor: C code  Boolean programs  Model checker for boolean programs  Predicate discovery and refinement  [Clarke et al 00]  Bandera Project at KSU  …

8 8 Drawbacks  Redo work at each iteration  compute a brand new abstraction  model-check this new abstraction  what if the new inferred predicates are local?  Does some unnecessary work  No sharing of data structures

9 9 Our proposal  Integrate the three phases  Construct the abstraction on-the-fly  driven by the reachability search  Refine the abstraction on demand  Locally, based on bad error paths Give control to the model checker

10 10 Outline  Counterexample-driven refinement  drawbacks  Predicate Abstraction  Lazy Predicate Abstraction  intuitive description, example  Discussion

11 11 Predicate abstraction  Box: abstract variable valuation  Region: cover of boxes P 1 : x = y P 3 : x  z+1 P 2 : z = t + y P 4 : * u = x Variable value space :P1,:P2:P1,:P2 P 1, P 2 P 1, : P 2 : P 1, P 2 :P3:P4:P3:P4 :P3P4:P3P4 P3P4P3P4 P3:P4P3:P4

12 12 Abstract state graph  Explicit control locations  Abstract state: (control location, box)  Conservative abstraction:  computed using decision procedures  defined as usual

13 13 Outline  Counterexample-driven refinement  drawbacks  Predicate Abstraction  Lazy Predicate Abstraction  intuitive description, example  Discussion

14 14 P 1, …, P k P’ 1, …, P’ h Lazy abstraction  Symbolic model checking  predicate abstraction  on-the-fly post/pre  Refinement by demand  dynamic predicates  Error-free closed sets of states are not checked again.

15 15 Reachability analysis (1)  Forward symbolic reachability tree  Nodes labeled by: (control location, abstract region)  Edges labeled by program statements  Post computed w.r.t {P 1, …, P k }  decision procedure  Refinement: {P 1, …, P k, P k+1, …, P k+h }

16 16 Untouched Reachability analysis (2) Refinement

17 17 Reachability analysis (3) Refinement Unmarked

18 18 Reachability analysis (4)  Correctness independent from search order  Optimization: union closed subtrees  Why compute backwards from error?  fewer marked nodes are unmarked  General symbolic setting: regions

19 Q: Is Error Reachable ? void Example( ) { 1: do { old = new; // Get the write lock AcquireSpinLock(&DevExt  writeListLock); [ acq = True] 2: if ( request && request  status ) { 3: devExt  WriteList = request  next; // Release the lock ReleaseSpinLock(&DevExt  writeListLock); [acq=False] irp = request  irp; if ( request  status > 0 ) { irp  IoStatus.Status = STATUS-SUCCESS; irp  IoStatus.Information = request  Status; } else { irp  IoStatus.Status =STATUS-UNSUCCESS; irp  IoStatus.Information = request  Status; } SmartDevFreeBlock(request); IoCompleteRequest(irp,DO_NO_INCREMENT); new++; 4: } 5: } while ( new != old ) ; // Release the lock 6: ReleaseSpinLock(&DevExt  writeListLock); [ if (acq == False) then ERROR; ] } 1 2 4 5 6 Error7 ? ? ? 3

20 old = new; // Get the write lock AcquireSpinLock(&DevExt  writeListLock); [ acq = True] ( request && request  status ) ? devExt  WriteList = request  next; // Release the lock ReleaseSpinLock(&DevExt  writeListLock); [acq=False] irp = request  irp; if ( request  status > 0 ) { irp  IoStatus.Status = STATUS-SUCCESS; irp  IoStatus.Information = request  Status; } else { irp  IoStatus.Status =STATUS-UNSUCCESS; irp  IoStatus.Information = request  Status; } SmartDevFreeBlock(request); IoCompleteRequest(irp,DO_NO_INCREMENT); new++; (new == old ) ? (acq == False ) ? > 1 acq 2 3 4 : acq 5 6 Err : acq Phase 1: Forward Search Set of Predicates: (acq = False) from Spec Reachability Analysis 1 2 4 5 6 Error7 ? ? ? 3

21 1 2 4 5 6 7 ? ? ? 3 old = new; // Get the write lock AcquireSpinLock(&DevExt  writeListLock); [ acq = True] ( request && request  status ) ? devExt  WriteList = request  next; // Release the lock ReleaseSpinLock(&DevExt  writeListLock); [acq=False] irp = request  irp; if ( request  status > 0 ) { irp  IoStatus.Status = STATUS-SUCCESS; irp  IoStatus.Information = request  Status; } else { irp  IoStatus.Status =STATUS-UNSUCCESS; irp  IoStatus.Information = request  Status; } SmartDevFreeBlock(request); IoCompleteRequest(irp,DO_NO_INCREMENT); new++; (new == old ) ? (acq == False ) ? { : acq} { : acq Æ (new = old)} {acq Æ (new+1 =old)} { : acq Æ (new = old)} {acq Æ new+1=old} {acq Æ new+1=new} New Predicate for Refinement: (new=old) acq > 1 2 3 4 : acq 5 6 Err : acq Reachability Analysis Set of Predicates: (acq = False) from Spec Phase 2: CounterEx Guided Refinement

22 devExt  WriteList = request  next; // Release the lock ReleaseSpinLock(&DevExt  writeListLock); [acq=False] irp = request  irp; if ( request  status > 0 ) { irp  IoStatus.Status = STATUS-SUCCESS; irp  IoStatus.Information = request  Status; } else { irp  IoStatus.Status =STATUS-UNSUCCESS; irp  IoStatus.Information = request  Status; } SmartDevFreeBlock(request); IoCompleteRequest(irp,DO_NO_INCREMENT); new++; old = new; // Get the write lock AcquireSpinLock(&DevExt  writeListLock); [ acq = True] ( request && request  status ) ? (new == old ) ? 1 2 4 5 6 Error7 ? ? ? 3 4 : acq Æ : (new=old) > 1 acq Æ (new=old) 2 3 5 : acq Æ : (new=old) 1 : acq Æ : (new=old) µ > 5 acq Æ (new=old) (new  old ) ? 6 ? 1 ? (new == old ) ? 6 acq Æ (new=old) (acq == False ) ? Err7 acq Æ (new=old) : (acq == False ) ? Error is not reachable Reachability Analysis Set of Predicates: (acq = False), (new = old) Phase 1: Forward Search

23 23 Outcomes Error2 Error1  This lazy approach allows us to share work that we have done before  Once the left part has been searched, we will never look at it again  A different set of predicates, relevant only to the right part, may be used while searching it

24 24 Predicate discovery  Keep substitutions explicit  new variables  operations appear explicitly  Ask a proof of unsatisfiability  Pick predicates appearing in the proof op 1 op 2 op 3 op 4

25 25 Region based Symbolic Model Checking  Region datatype  denote possibly infinite sets of values  e.g. ({P 1, …, P k }, bdd)  Boolean operations  Set Op of operations  Symbolic post / pre : R x Op  R  Focus operation (refinement)

26 26 Outline  Counterexample-driven refinement  drawbacks  Predicate Abstraction  Lazy Predicate Abstraction  intuitive description, example  Discussion

27 27 Tool architecture Control Flow Automaton Regions Operations Model checker

28 28 Development roadmap  C program  Control Flow Automaton  Regions are predicate valuations  BDD representation  Model checker  region-based algorithm  Input: regions, pre, post

29 29 Discussion  Search order: heuristics  Pre/Post duality  Acceleration of loops  Memory usage: hashing?  Application to: ( C programs)  timed automata, hybrid systems  SDL protocols

Download ppt "Lazy Abstraction Tom Henzinger Ranjit Jhala Rupak Majumdar Grégoire Sutre."

Similar presentations

Model Checking Lecture 4. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking.

Model Checking Lecture 4. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking.
Demand-driven inference of loop invariants in a theorem prover

Demand-driven inference of loop invariants in a theorem prover
Hybrid BDD and All-SAT Method for Model Checking Orna Grumberg Joint work with Assaf Schuster and Avi Yadgar Technion – Israel Institute of Technology.

Hybrid BDD and All-SAT Method for Model Checking Orna Grumberg Joint work with Assaf Schuster and Avi Yadgar Technion – Israel Institute of Technology.
Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation.

Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation.
Representing Boolean Functions for Symbolic Model Checking Supratik Chakraborty IIT Bombay.

Representing Boolean Functions for Symbolic Model Checking Supratik Chakraborty IIT Bombay.
Verification of Evolving Software Natasha Sharygina Joint work with Sagar Chaki and Nishant Sinha Carnegie Mellon University.

Verification of Evolving Software Natasha Sharygina Joint work with Sagar Chaki and Nishant Sinha Carnegie Mellon University.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.

50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.
1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)

1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)
Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani

Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
Introducing BLAST Software Verification John Gallagher CS4117.

Introducing BLAST Software Verification John Gallagher CS4117.
Pushdown Systems Koushik Sen EECS, UC Berkeley Slide Source: Sanjit A. Seshia.

Pushdown Systems Koushik Sen EECS, UC Berkeley Slide Source: Sanjit A. Seshia.
Chair of Software Engineering Software Verification Stephan van Staden Lecture 10: Model Checking.

Chair of Software Engineering Software Verification Stephan van Staden Lecture 10: Model Checking.
Thomas Ball, Rupak Majumdar, Todd Millstein, Sriram K. Rajamani Presented by Yifan Li November 22nd In PLDI 01: Programming Language.

Thomas Ball, Rupak Majumdar, Todd Millstein, Sriram K. Rajamani Presented by Yifan Li November 22nd In PLDI 01: Programming Language.
BLAST-A Model Checker for C Developed by Thomas A. Henzinger (EPFL) Rupak Majumdar (UC Los Angeles) Ranjit Jhala (UC San Diego) Dirk Beyer (Simon Fraser.

BLAST-A Model Checker for C Developed by Thomas A. Henzinger (EPFL) Rupak Majumdar (UC Los Angeles) Ranjit Jhala (UC San Diego) Dirk Beyer (Simon Fraser.
The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.

The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.
Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar Shaz Qadeer.

Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar Shaz Qadeer.
Software Verification with Blast Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar, George Necula, Grégoire Sutre, Wes Weimer UC Berkeley.

Software Verification with Blast Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar, George Necula, Grégoire Sutre, Wes Weimer UC Berkeley.
Lazy Abstraction Thomas A. Henzinger Ranjit Jhala Rupak Majumdar Grégoire Sutre UC Berkeley.

Lazy Abstraction Thomas A. Henzinger Ranjit Jhala Rupak Majumdar Grégoire Sutre UC Berkeley.

Similar presentations

Ads by Google