Presentation is loading. Please wait.

Presentation is loading. Please wait.

A practical and complete approach to predicate abstraction Ranjit Jhala UCSD Ken McMillan Cadence Berkeley Labs.

Similar presentations

Presentation on theme: "A practical and complete approach to predicate abstraction Ranjit Jhala UCSD Ken McMillan Cadence Berkeley Labs."— Presentation transcript:

1 A practical and complete approach to predicate abstraction Ranjit Jhala UCSD Ken McMillan Cadence Berkeley Labs

2 Completeness of abstraction An abstraction is a restricted language L –Example: predicate abstraction L is the language of Boolean combinations of predicates in P –We try to compute the strongest inductive invariant of a program in L An abstraction refinement heuristic chooses a sequence of sublangauges L 0 µ L 1,... from a broader langauge L. –Example: predicate abstraction L is the set of quantifier-free FO formulas (QF) L i is characterized by a set of atomic predictes P i An abstraction refinement heuristic is complete for language L, iff it always eventually chooses a sublanguage L i µ L containing a safety invariant whenever L contains a safety invariant.

3 Divergence Existing refinement heuristics for predicate abstraction are incomplete. –They can produce an infinite sequence of refinements even when a saftey invariant exists in L. x=y Good Predicates Bad Predicates x=0, y=0 x=1, y=1 x=2, y=2... x=i; y=i; while(x!=0) {x--; y--;} assert y==0; Program

4 Cause: CEGAR loop CounterExample Guided Abstraction Refinement (CEGAR) –Abstract counterexample is sequence of minterms in L i. –Refinement adds predicates sufficient to refute counterexample. –Not complete, since predicates can diverge as number of loop iterations in counterexample increases. Refine Abstraction Verify LiLi safe unsafe abstract counterexample

5 Divergence example Most heuristics derive predicates in some way from the refutation of the counterexample. Example: refinement using weakest procondition (WP) x=i,y=i [x!=0] x--, y-- [x=0] [y!=0] Error! x=i; y=i; while(x!=0) {x--; y--;} assert y==0; False x=0 ) y=0 x=1 ) y=1 i=1 ) i=1 x=0,y=0 x 0,y 0 x=0,y 0 Add these predicate

6 Enforcing completeness x=0 x=1 x=2 L Lattice of sublanguages x=y L0L0 L1L1 L2L2... 1. Stratify L into finite languages L 0 µ L 1 µ 2. Refute counterexample at lowest possible stratum If a saftey invariant exists in L k, then we never exit L k. Since this is f finite language, abstraction refinement must converge.

7 Split prover approach To restrict the refutation of counterexamples, we use a "split prover" –Each prover component knows just one time frame –Components can only communicate facts in L k R1R1 R2R2 R3R3 RnRn By restricting the language of communication between time frames, we prevent the prover from using larger constants as the number of loop iterations increase, and force it to generalize.

8 Programs A program is a pair ( T, ) where – T is a set of symbolic transition relations (program statements) – µ T * is a regular language defining the unsafe runs of the program

9 Predicate abstraction Definitions: –Given a set of fmlas L, let B (L) be the set of Boolean combinations of L –Let sp L ( )( ), where 2T be the strongest -postcondition of in B (L) –Let sp L ( 1 n ) = sp L ( 1 ) ± ± sp L ( n ) A program path is L-refutable when sp L ( )(True)=False x=i,y=i [x!=0] x--, y-- [x=0] [y!=0] Error! Example: let L be {x=y}: True x=y False Fact: Predicate abstraction with predicates proves a program safe exactly when every unsafe path 2 is -refutable. A counterexample for predicate abstraction is a non- -refutable path in.

10 Consequence finders A consequence finder takes as input a set of hypothese and returns a set of consequences of. Consequence finder R is complete for L-generation iff, for any 2 L ² implies R ( ) Å L ² That is, the consequence finder need not generate all consequences of in L, but the generated L-consequences must imply all others.

11 Split prover Divide the prover into a sequence of communicating consequence finders... R1R1 R2R2 R3R3 RnRn Each R i knows just i (*) R i and R i+1 exchange only facts in L ( i ) ÅL ( i+1 ) ­ i R i is the composition of the R i s Theorem: If each R i is complete for L ( i+1 )-generation, then ­ i R i is complete for refutation [McIlraith & Amir, 2001]. *Actually, here we mean i instantiated at time i, as in BMC

12 L-restricted split prover In the L-restricted composition, ­ L R i, the provers can exchange only formulas in L. R1R1 R2R2 R3R3 RnRn Theorem: If each R i is complete for L ÅL (T i+1 )-generation, then path is L-refutable exactly when is refuted by ­ L R i. Corrolary: Let be the set of APs exchanged by ­ L R i in refuting. is -refutable LLLL

13 Complete heuristic Given finite languages L 0 µ L 1, µ where [ L i = QF... Pred Abs à {} safe not -refutable µ L k s.t. is -refutable? no k à k+1 à [ yes Theorem: This procedure is complete for QF. That is, if a safety invariant exists in QF, we conclude "safe". k à 0

14 An efficient split prover Complete consequence generation could be expensive! We will consider QF formulas with –integer difference bound constraints (e.g., x · y + c) –equality and uninterpreted functions –restricted use of array operations "select" and "store" Our restriction language L k will be determined by –The finite set C D of allowed constants c in x · y + c –The finite set C B of allowed constants c in x · c –The bound b f on the depth of nesting of function sybols Note that for a finite vocabulary, L k is finite, and as long as the constant and depth bounds are increasing, every formula is included in some L k.

15 Prover architecture SAT solver generates propositionally satisfying minterms Split prover refutes this minterm –Hypotheses of split prover are thus literals, not clauses Convexity: theory is convex if all consequences are Horn –In convex case, provers only exchange literals [Nelson & Oppen, 1980] –Simple proof rules for complete unit consequence finding –In case of a non-Horn consequence, split cases in SAT solver –Integers and array store operations introduce non-convexities. Multiple theories handled by hierarchical decomposition =,f ·+·+ ·+·+ ·+·+ ·+·+ These and other optimizations can result in a relatively efficient prover...

16 Performance comparison Refuting counterexamples for two hardest Widows device driver examples in the Blast benchmark set. Compare split prover against Nelson-Oppen style, same SAT solver

17 Some "trivial" benchmarks main(){ char x[*], z[*]; int from,to,i,j,k; i = from; j = 0; while(x[i] != 0 && i < to){ z[j] = x[i]; i++; j++; } /* prove strlen(z) >= j */ assert !(k >= 0 && k < j && z[k] == 0); } example: substring copy

18 Results exampleSatAbsMagicBlastBlast (new) simple loopXX array copyX two loopsXX array fill (increment)X array fill (fixed size)XX zero fillXX scan for zeroXX string overflowXX string concat (size)X string concat (ovfl)XX TO string copyXX substring (size)XX substring (ovfl)XX X = refine fail, = bug, = diverge, TO = timeout, = verified safe

19 Conclusions An abstraction refinement heuristic is complete for langauge L if it guarantees to find a safety invariant if one exists in L Existing PA heuristics are incomplete and diverge on trivial programs CEGAR can be made complete by... –Stratifying L into hierarchy of finite sublanguages L 0, L 1,... –Refuting counterexamples as low as possible in hierarchy –Using L k -restricted split prover A split prover can be made efficient enough to use in practice –(at least for some useful theories) Future work: –New theories (transitive closure?) –Quantified invariants, indexed predicate abstraction –Interpolant-based software model checker (coming soon)

Download ppt "A practical and complete approach to predicate abstraction Ranjit Jhala UCSD Ken McMillan Cadence Berkeley Labs."

Similar presentations

Ads by Google