Presentation is loading. Please wait.

Presentation is loading. Please wait.

© 2014 Carnegie Mellon University Synthesizing Safe Bit-Precise Invariants Arie Gurfinkel (SEI / CMU) Anton Belov (UCD / Synopsys) Joao Marques-Silva (UCD)

Published byAshley Maxwell Modified over 8 years ago

Similar presentations

Presentation on theme: "© 2014 Carnegie Mellon University Synthesizing Safe Bit-Precise Invariants Arie Gurfinkel (SEI / CMU) Anton Belov (UCD / Synopsys) Joao Marques-Silva (UCD)"— Presentation transcript:

1 © 2014 Carnegie Mellon University Synthesizing Safe Bit-Precise Invariants Arie Gurfinkel (SEI / CMU) Anton Belov (UCD / Synopsys) Joao Marques-Silva (UCD)

2 2 Synthesizing Safe Bit-Precise Invariants Gurfinkel, Belov, Marques-Silva © 2014 Carnegie Mellon University Copyright 2013 Carnegie Mellon University This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Department of Defense. NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN AS-IS BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. This material has been approved for public release and unlimited distribution. This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu. permission@sei.cmu.edu DM-0001163

3 3 Synthesizing Safe Bit-Precise Invariants Gurfinkel, Belov, Marques-Silva © 2014 Carnegie Mellon University 3 Inductive Invariants: Turing / Floyd / Hoare A. M. Turing, Checking a Large Routine. In Report of a Conference on High Speed Automatic Calculating Machines, (1949).

4 4 Synthesizing Safe Bit-Precise Invariants Gurfinkel, Belov, Marques-Silva © 2014 Carnegie Mellon University Programs, Cexs, Invariants A program P = (V, Init, Tr, Bad) P is UNSAFE if and only if there exists a number N s.t. P is SAFE if and only if there exists a safe inductive invariant Inv s.t. Inductive Safe

5 5 Synthesizing Safe Bit-Precise Invariants Gurfinkel, Belov, Marques-Silva © 2014 Carnegie Mellon University Many conferences, techniques, tools …

6 6 Synthesizing Safe Bit-Precise Invariants Gurfinkel, Belov, Marques-Silva © 2014 Carnegie Mellon University But Bit-Precise Verification is Hard Bounded Model Checking CBMC, Boolector, LLBMC, ESBMC, … efficient discovery of counter-examples no invariants! Propositional Verification (Hardware) Interpolation, IC3, PDR, ABC, … efficient synthesis of propositional invariants does not scale to bit-precise verification of software Linear Arithmetic Verification (Software) Impact, UFO, CPAChecker, Duality, Blast, GPDR, … efficient synthesis of arithmetic invariants not bit-precise (not sound!) is often sufficient (e.g., UFO at SV-COMP’13 and ‘14)

7 7 Synthesizing Safe Bit-Precise Invariants Gurfinkel, Belov, Marques-Silva © 2014 Carnegie Mellon University But aren’t bit-vectors = bit-blasting?

8 8 Synthesizing Safe Bit-Precise Invariants Gurfinkel, Belov, Marques-Silva © 2014 Carnegie Mellon University Typical Bit-vector Decision Procedure B2P is satisfiability preserving (only!) Bit-blast (by itself) is not efficient SAT Bit-blast Simplify B2P

9 9 Synthesizing Safe Bit-Precise Invariants Gurfinkel, Belov, Marques-Silva © 2014 Carnegie Mellon University Safety Verification by Bit-Blasting Correct, but does not scale Bit-blast Verify propositional verifier

10 10 Synthesizing Safe Bit-Precise Invariants Gurfinkel, Belov, Marques-Silva © 2014 Carnegie Mellon University Safety Verification by B2P Efficient, but… B2P only preserves satisfiability Original circuit is reduced (abstracted) too much Hard to track correspondence between input and output B2P Verify True

11 11 Synthesizing Safe Bit-Precise Invariants Gurfinkel, Belov, Marques-Silva © 2014 Carnegie Mellon University Bit-blasting looses all structure! Lack of structure makes it difficult to generalize

12 12 Synthesizing Safe Bit-Precise Invariants Gurfinkel, Belov, Marques-Silva © 2014 Carnegie Mellon University Our Key Idea: Use Generate and Check Alg. Given an input program P with a safety property  Bad 1. Generate a candidate invariant Cand by verifying  Bad on a “simpler” approximation P simple of P 2. Compute the Maximal Inductive Subset Inv of Cand relative to P using bit-precise reasoning 3. Strengthen Inv using a bit-precise (but possibly slow) verification engine until (Inv  Bad)

13 13 Synthesizing Safe Bit-Precise Invariants Gurfinkel, Belov, Marques-Silva © 2014 Carnegie Mellon University M ISPER in a Nutshell Adapt unsound arithmetic reasoning to guess bit-precise invariants Approximate Program P + Property Program P LA LA Verifier Adapt using MIS Candidate C LA BIT Verifier Invariant I BIT Yes + Certificate C BIT No + Cex Unsound Needs validation Needs validation Sound

14 14 Synthesizing Safe Bit-Precise Invariants Gurfinkel, Belov, Marques-Silva © 2014 Carnegie Mellon University Approximate Bit-Vectors by Arithmetic Ignore (i.e., over-approximate) all bit-vector-specific operations Unsound, but simple and efficient Approximate Bool Bit-vector Arithmetic Bool

15 15 Synthesizing Safe Bit-Precise Invariants Gurfinkel, Belov, Marques-Silva © 2014 Carnegie Mellon University Maximal Inductive Subset Let L be a set of formulas, P=(V, Init, Tr, Bad) a program A subset X of L is a maximal inductive subset iff it is the largest subset of X such that A Maximal Inductive Subset is unique inductive invariants are closed under conjunction Cormac Flanagan, K. Rustan M. Leino: Houdini, an Annotation Assistant for ESC/Java. FME 2001: 500-517

16 16 Synthesizing Safe Bit-Precise Invariants Gurfinkel, Belov, Marques-Silva © 2014 Carnegie Mellon University Minimal Unsatisfiable Subset Let  be a formula and A = {a 1, …, a n } be atomic propositions occurring negatively in  Assume  Æ a 1 Æ  Æ a n is UNSAT A minimal unsatisfiable subset (MUS) of  is the smallest subset X µ A such that  Æ X is UNSAT There are efficient algorithms for computing MUS (a.k.a. UNSAT core) for propositional formulas

17 17 Synthesizing Safe Bit-Precise Invariants Gurfinkel, Belov, Marques-Silva © 2014 Carnegie Mellon University Solving MIS via MUS Reduce MIS to multiple calls to MUS fresh propositional variables called once incremental SAT SAT MUS incremental SAT

18 18 Synthesizing Safe Bit-Precise Invariants Gurfinkel, Belov, Marques-Silva © 2014 Carnegie Mellon University Var-Equivalence Let A and B be two formulas Let X be a subset of propositional variables of A and B Definition: A and B are var-equivalent relative to X if and only if for any satisfying assignment ¿ of X, A¿ and B¿ are equisatisfiable Claim B2P(  ) is var-equivalent to  relative to X = {post i, pre i }

19 19 Synthesizing Safe Bit-Precise Invariants Gurfinkel, Belov, Marques-Silva © 2014 Carnegie Mellon University Implementation Misper is implemented in Python and relies on many external tools LLVM for handling C UFO-MUZ for LA invariants Boolector for B2P MUSer2 for MUS step in MIS Z3 for SMT and HORN

20 20 Synthesizing Safe Bit-Precise Invariants Gurfinkel, Belov, Marques-Silva © 2014 Carnegie Mellon University Results Summary 214 SAFE benchmarks from SVCOMP’2013 includes all non-trivial SAFE benchmarks All times are in seconds bit width inst.cntZ3/PDR #sol (avg/med) Misper #sol (avg/med) Cand #sol (avg/med) MIS #sol (avg/med) 32 all214116 (127/8)174 (28/0.4)165 (8/0.4)9 (392/134) unsol98--58 (75/1)52 (22/0.7)6 (544/366) 16 all214165 (176/8)182 (69/0.4)165 (8/0.4)17 (661/399) unsol49--18 (624/376)6 (50/21)12 (911/1,094)

21 21 Synthesizing Safe Bit-Precise Invariants Gurfinkel, Belov, Marques-Silva © 2014 Carnegie Mellon University Detailed Results (16 bits)

22 22 Synthesizing Safe Bit-Precise Invariants Gurfinkel, Belov, Marques-Silva © 2014 Carnegie Mellon University FrankenBit : Bit-Precise Verification w/ Many Bits M ISPER to synthesize bit-precise invariants LLBMC to search for counterexamples Silver and Bronze medals at SV-COMP 2014 http://sv-comp.sosy-lab.org/2014/results/index.php

23 23 Synthesizing Safe Bit-Precise Invariants Gurfinkel, Belov, Marques-Silva © 2014 Carnegie Mellon University Related Work Cormac Flanagan, K. Rustan M. Leino: Houdini, an Annotation Assistant for ESC/Java. FME 2001. (the first?) algorithm for computing Maximal Inductive Subset Randal E. Bryant, Daniel Kroening, Joël Ouaknine, Sanjit A. Seshia, Ofer Strichman, Bryan A. Brady: Deciding Bit-Vector Arithmetic with Abstraction. TACAS 2007. sound under-approximation of bit-vector formulas by shrinking bit-width Alberto Griggio: Effective word-level interpolation for software verification. FMCAD 2011. mostly sound over-approximation of bit-vector formulas by arithmetic but, also uses unsound approximation followed by a sound check

24 24 Synthesizing Safe Bit-Precise Invariants Gurfinkel, Belov, Marques-Silva © 2014 Carnegie Mellon University Conclusion Sound reasoning from unsound approximations Use Linear Arithmetic to guess good invariants Use efficient bit-vector decision procedures to validate invariants Use efficient propositional Minimal Unsatisfiable Subset extractor to find Maximal Inductive Subset Use inefficient bit-precise reasoning to complete the proof Works well on SV-COMP (non bit-vector specific) benchmarks probably because the properties are mostly bit-vector agnostic e.g., API usage in Linux Device Drivers Integrated in FrankenBit: http://arieg.bitbucket.org/fbithttp://arieg.bitbucket.org/fbit

25 25 Synthesizing Safe Bit-Precise Invariants Gurfinkel, Belov, Marques-Silva © 2014 Carnegie Mellon University Future Work We have just scratched the surface… CounterExample Guided Approximation-Refinement Loop block a counterexample by partial bit-blasting partially embed bit-vectors into integer arithmetic Better approximations such as in related work, e.g., Griggio, and Bryant et al. Adapt lemmas account for bit-width, overflow, and upper bound e.g., replace x > 0 with x > 0 & x <= INT_MAX Tighter integration with fixedpoint solver

26 26 Synthesizing Safe Bit-Precise Invariants Gurfinkel, Belov, Marques-Silva © 2014 Carnegie Mellon University

27 27 Synthesizing Safe Bit-Precise Invariants Gurfinkel, Belov, Marques-Silva © 2014 Carnegie Mellon University Contact Information Arie Gurfinkel Senior Researcher SEI / CMU Telephone: +1 412-268-5800 Email: info@sei.cmu.edu U.S. Mail Software Engineering Institute Customer Relations 4500 Fifth Avenue Pittsburgh, PA 15213-2612 USA Web www.sei.cmu.edu www.sei.cmu.edu/contact.cfm Customer Relations Email: info@sei.cmu.edu Telephone: +1 412-268-5800 SEI Phone: +1 412-268-5800 SEI Fax: +1 412-268-6257

Download ppt "© 2014 Carnegie Mellon University Synthesizing Safe Bit-Precise Invariants Arie Gurfinkel (SEI / CMU) Anton Belov (UCD / Synopsys) Joao Marques-Silva (UCD)"

Similar presentations

The behavior of SAT solvers in model checking applications K. L. McMillan Cadence Berkeley Labs.

The behavior of SAT solvers in model checking applications K. L. McMillan Cadence Berkeley Labs.
Exploiting SAT solvers in unbounded model checking

Exploiting SAT solvers in unbounded model checking
Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Carnegie Mellon University Software Engineering Institute CERT® Knowledgebase Copyright © 1997 Carnegie Mellon University VU#14202 UNIX rlogin with stack.

Carnegie Mellon University Software Engineering Institute CERT® Knowledgebase Copyright © 1997 Carnegie Mellon University VU#14202 UNIX rlogin with stack.
© 2013 Carnegie Mellon University UFO: From Underapproximations to Overapproximations and Back! Arie Gurfinkel (SEI/CMU) with Aws Albarghouthi and Marsha.

© 2013 Carnegie Mellon University UFO: From Underapproximations to Overapproximations and Back! Arie Gurfinkel (SEI/CMU) with Aws Albarghouthi and Marsha.
Proofs from SAT Solvers Yeting Ge ACSys NYU Nov 20 2007.

Proofs from SAT Solvers Yeting Ge ACSys NYU Nov
1 1 Regression Verification for Multi-Threaded Programs Sagar Chaki, SEI-Pittsburgh Arie Gurfinkel, SEI-Pittsburgh Ofer Strichman, Technion-Haifa Originally.

1 1 Regression Verification for Multi-Threaded Programs Sagar Chaki, SEI-Pittsburgh Arie Gurfinkel, SEI-Pittsburgh Ofer Strichman, Technion-Haifa Originally.
© Anvesh Komuravelli Spacer Automatic Abstraction in SMT-Based Unbounded Software Model Checking Anvesh Komuravelli Carnegie Mellon University Joint work.

© Anvesh Komuravelli Spacer Automatic Abstraction in SMT-Based Unbounded Software Model Checking Anvesh Komuravelli Carnegie Mellon University Joint work.
Aaron Bradley University of Colorado, Boulder

Aaron Bradley University of Colorado, Boulder
© 2011 Carnegie Mellon University System of Systems V&V John B. Goodenough October 19, 2011.

© 2011 Carnegie Mellon University System of Systems V&V John B. Goodenough October 19, 2011.
© 2010 Carnegie Mellon University B OXES : A Symbolic Abstract Domain of Boxes Arie Gurfinkel and Sagar Chaki Software Engineering Institute Carnegie Mellon.

© 2010 Carnegie Mellon University B OXES : A Symbolic Abstract Domain of Boxes Arie Gurfinkel and Sagar Chaki Software Engineering Institute Carnegie Mellon.
© Anvesh Komuravelli IC3/PDR Overview of IC3/PDR Anvesh Komuravelli Carnegie Mellon University.

© Anvesh Komuravelli IC3/PDR Overview of IC3/PDR Anvesh Komuravelli Carnegie Mellon University.
Panel on Decision Procedures Panel on Decision Procedures Randal E. Bryant Lintao Zhang Nils Klarlund Harald Ruess Sergey Berezin Rajeev Joshi.

Panel on Decision Procedures Panel on Decision Procedures Randal E. Bryant Lintao Zhang Nils Klarlund Harald Ruess Sergey Berezin Rajeev Joshi.
© 2013 Carnegie Mellon University Academy for Software Engineering Education and Training, 2013 Session Architect: Tony Cowling Session Chair: Nancy Mead.

© 2013 Carnegie Mellon University Academy for Software Engineering Education and Training, 2013 Session Architect: Tony Cowling Session Chair: Nancy Mead.
© 2013 Carnegie Mellon University Measuring Assurance Case Confidence using Baconian Probabilities Charles B. Weinstock John B. Goodenough Ari Z. Klein.

© 2013 Carnegie Mellon University Measuring Assurance Case Confidence using Baconian Probabilities Charles B. Weinstock John B. Goodenough Ari Z. Klein.
© 2012 Carnegie Mellon University UFO: Verification with Interpolants and Abstract Interpretation Arie Gurfinkel and Sagar Chaki Software Engineering Institute.

© 2012 Carnegie Mellon University UFO: Verification with Interpolants and Abstract Interpretation Arie Gurfinkel and Sagar Chaki Software Engineering Institute.
© 2015 Carnegie Mellon University Property Directed Polyhedral Abstraction Nikolaj Bjørner and Arie Gurfinkel VMCAI 2015.

© 2015 Carnegie Mellon University Property Directed Polyhedral Abstraction Nikolaj Bjørner and Arie Gurfinkel VMCAI 2015.
SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:

SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:
© 2013 Carnegie Mellon University Static Analysis of Real-Time Embedded Systems with REK Arie Gurfinkel 1 joint work with Sagar Chaki 1, Ofer Strichman.

© 2013 Carnegie Mellon University Static Analysis of Real-Time Embedded Systems with REK Arie Gurfinkel 1 joint work with Sagar Chaki 1, Ofer Strichman.

Similar presentations

Ads by Google