© 2013 Carnegie Mellon University UFO: From Underapproximations to Overapproximations and Back! Arie Gurfinkel (SEI/CMU) with Aws Albarghouthi and Marsha.

Presentation transcript:

1 UFO: From Underapproximations to Overapproximations and Back! Arie Gurfinkel (SEI/CMU) with Aws Albarghouthi and Marsha Chechik (U. of Toronto), Sagar Chaki (SEI/CMU), and Yi Li (U. of Toronto). © 2013 Carnegie Mellon University

2 UFO Arie Gurfinkel © 2013 Carnegie Mellon University Copyright 2013 Carnegie Mellon University This material is based upon work funded and supported by the Department of Defense under Contract No. FA C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Department of Defense. NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. This material has been approved for public release and unlimited distribution. This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at DM

3 Automated Analysis
Automated Software Analysis takes a Program and reports Correct or Incorrect. Two families of techniques:
- Software Model Checking with Predicate Abstraction, e.g., Microsoft's SDV
- Abstract Interpretation with Numeric Abstraction, e.g., ASTREE, Polyspace

4 UFO
A framework and a tool for software verification that tightly integrates interpolation- and abstraction-based techniques.
References:
- [SAS12] Craig Interpretation
- [CAV12] UFO: A Framework for Abstraction- and Interpolation-based Software Verification
- [TACAS12] From Under-approximations to Over-approximations and Back
- [VMCAI12] Whale: An Interpolation-based Algorithm for Interprocedural Verification
Check it out at:

5 Outline
- Over- and Under-approximation Driven Approaches
- UFO: From Under- to Over- and Back!
- Exploration Strategy
- Refinement Strategy
- Software Verification Competition (SV-COMP'13)
- Conclusion

6 Overapproximation-driven Approach (CEGAR)
Given a Program, compute an invariant using the abstract post. Is the program safe? If yes: Safe. Otherwise a counterexample (Cex) is produced and an SMT check asks whether the Cex is feasible. If it is: report the Cex. If not: refine the post operator (Interpolation or WP) and repeat.
e.g., BLAST, SLAM, CPAChecker, YaSM, SATAbs, etc.

7 Is ERROR Reachable?
Program:
    1: int x = 2; int y = 2;
    2: while (y <= 2)
    3:   y = y - 1;
    4: if (x == 2)
    5:   ERROR:;
    6:
Abstraction (Over-Approximation, no predicates):
    1: ;
    2: while (*)
    3:   ;
    4: if (*)
    5:   ERROR:;
    6:
CEGAR steps: Abstract, Translate, Check, Validate, Repeat. The abstract reachability tree visits locations 1, 2, 3, 4, 5, 6, so the Check step reports ERROR reachable in the abstraction and the Validate step is needed ("Need This!") to decide whether the abstract path is real.

8 Over-Driven: Is ERROR Reachable?
Program:
    1: int x = 2; int y = 2;
    2: while (y <= 2)
    3:   y = y - 1;
    4: if (x == 2)
    5:   ERROR:;
    6:
Abstraction with the predicate y <= 2 (bool b is (y <= 2)), an Over-Approximation:
    1: b = T;
    2: while (b)
    3:   b = b ? T : *;
    4: if (*)
    5:   ERROR:;
    6:
Abstract reachability labels: 1; 2: b=T; 3: b=T; 4: b=F; 5: b=F; 6: b=F; 2: b=F. ERROR is UNREACHABLE. CEGAR steps: Abstract, Translate, Check: NO ERROR.
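The two abstractions on slides 7 and 8, carried through as an added example (not code from UFO or SLAM): the Boolean programs are hand-encoded as successor functions over abstract states, `b` tracks the predicate (y <= 2) exactly as on slide 8, and the Validate step replays an abstract path on the concrete program of slide 7.

```python
"""Abstract reachability for the slide 7 (no predicate) and slide 8 (b == y <= 2)
abstractions, plus the Validate step of CEGAR on the concrete program."""
from collections import deque

ERROR_LOC = 5
T, F = True, False


def step_no_pred(loc):
    """Slide 7 abstraction: every guard is '*', so the state is just a location."""
    return {1: [2], 2: [3, 4], 3: [2], 4: [5, 6], 5: [], 6: []}[loc]


def step_pred(state):
    """Slide 8 abstraction, bool b is (y <= 2):
       1: b = T;  2: while (b)  3: b = b ? T : *;  4: if (*)  5: ERROR:;  6:"""
    loc, b = state
    if loc == 1:
        return [(2, T)]
    if loc == 2:                      # the loop guard is exactly b
        return [(3, b)] if b else [(4, b)]
    if loc == 3:                      # y = y - 1 keeps y <= 2 if it held; else unknown
        return [(2, T)] if b else [(2, T), (2, F)]
    if loc == 4:                      # x == 2 is not tracked, so both branches
        return [(5, b), (6, b)]
    return []                         # 5 (ERROR) and 6 have no successors


def abstract_error_path(init, step, loc_of):
    """Check step: BFS over abstract states. Returns the location sequence of an
    abstract path to ERROR, or None when ERROR is unreachable in the abstraction."""
    parent = {init: None}
    queue = deque([init])
    while queue:
        s = queue.popleft()
        if loc_of(s) == ERROR_LOC:
            path = []
            while s is not None:
                path.append(loc_of(s))
                s = parent[s]
            return path[::-1]
        for t in step(s):
            if t not in parent:
                parent[t] = s
                queue.append(t)
    return None


def concrete_feasible(path):
    """Validate step: replay a path of locations on the concrete program
    (x = 2; y = 2; while (y <= 2) y = y - 1; if (x == 2) ERROR) and report
    whether every guard taken along the way actually holds."""
    x, y = 2, 2
    for cur, nxt in zip(path, path[1:]):
        if cur == 2 and (y <= 2) != (nxt == 3):   # loop body entered iff y <= 2
            return False
        if cur == 3:
            y -= 1
        if cur == 4 and (x == 2) != (nxt == 5):   # ERROR branch taken iff x == 2
            return False
    return True


def cegar_round():
    """One CEGAR round as on slides 7 and 8: the predicate-free abstraction yields
    a path that Validate rejects; the abstraction with y <= 2 proves ERROR unreachable."""
    spurious = abstract_error_path(1, step_no_pred, lambda s: s)
    refined = abstract_error_path((1, None), step_pred, lambda s: s[0])
    return spurious, concrete_feasible(spurious), refined


if __name__ == "__main__":
    print(cegar_round())   # ([1, 2, 4, 5], False, None)
```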

9 Underapproximation-driven Approach (LAWI)
Given a Program, generate some paths to error. Are these paths feasible (SMT)? If yes: Cex. If not, explain why they are safe (Interpolation/WP). Is the result an inductive invariant? If yes: Safe. If no: generate more paths and repeat.
e.g., Impact, Impact2, Synergy, Dash, Wolverine

10 Under-Driven: Is ERROR Reachable?
Program: as on slide 7.
IMPACT steps: Explore, Refine, Explore, Refine, Cover. First the path 1, 2, 4, 5 is explored and refined with the interpolant labels {true}, {y<=2}, {false}; then the path 3, 2, 4, 5 is explored and refined with {true}, {y<=2}, {false}, after which the second copy of location 2 is covered.

11 Over-Driven vs. Under-Driven in a Nutshell (slides 11 to 13 are successive frames of the same figure)
Program:
    int main(){
    1 ...
    2 while (...){ ... }
    E: ERROR
    }
UD (under-driven) and OD (over-driven) unrollings of locations 1, 2 and E are shown over the steps Explore, Refine, Explore. Legend: Unlabeled, Pred. abs. label, Interpolant label.

14 OD vs. UD Approaches
Figure comparing OD and UD on two axes: Number of Refinements and Cost of Exploration.

15 Our Algorithm: UFO
UD algorithm (interpolation-based) + OD algorithm (predicate abstraction based) = a combination of UD and OD with a novel interpolation-based refinement, in which multiple paths are checked and refined with a single SMT call. [TACAS'12]

16 UFO in a Nutshell
Figure: two iterations (Iteration 1, Iteration 2) over an unrolling with locations L and E. Explore from root → OD; Imprecise post → UD. Legend: Unlabeled, Pred. abs. label, Interpolant label.

17 The UFO Algorithm
Figure: the Explore / Refine loop.

18 Weak Topological Ordering
Definition (WTO): A weak topological order (WTO) of a DAG G = (V, E) is a well-parenthesised total order ≤ of V without two consecutive '(' such that for every edge (u, v) ∈ E: [condition not captured in the transcript].
- Elements between two matching parentheses are called components.
- The first element of a component is called its head.
- ω(u) is the set of heads of the components containing u.
Example WTO: (1 (2 3 (4) 5 6) 7)
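An added example (not UFO's code) that computes a WTO with Bourdoncle's recursive strategy, renders it in the slide's parenthesised form and derives ω(u). The slide gives the ordering (1 (2 3 (4) 5 6) 7) but not the graph, so SLIDE_GRAPH is an assumed graph that produces it: the self-loop 4 → 4 and the back edge 6 → 2 create the two nested components. The edge condition checked by `is_wto` is Bourdoncle's original one (forward edges leave ω(u), back edges go to a head in ω(u)).

```python
"""Weak topological ordering (Bourdoncle 1993), omega(u), and the WTO edge condition."""

# Assumed successor lists (constructed for this example, not given on the slide).
SLIDE_GRAPH = {1: [2], 2: [3], 3: [4], 4: [4, 5], 5: [6], 6: [2, 7], 7: []}


def weak_topological_order(succ, root):
    """Bourdoncle's recursive strategy: a DFS that detects strongly connected
    components and emits each one as a nested list headed by its head vertex.
    Result for SLIDE_GRAPH: [1, [2, 3, [4], 5, 6], 7]."""
    dfn = {v: 0 for v in succ}      # DFS number: 0 = unvisited, inf = finished
    stack, counter = [], [0]

    def visit(v, partition):
        stack.append(v)
        counter[0] += 1
        dfn[v] = head = counter[0]
        loop = False
        for s in succ[v]:
            m = visit(s, partition) if dfn[s] == 0 else dfn[s]
            if m <= head:           # reached a vertex still on the stack: v is in a loop
                head, loop = m, True
        if head == dfn[v]:          # v heads the component on top of the stack
            dfn[v] = float("inf")
            element = stack.pop()
            if loop:
                while element != v:  # reset members so component() can re-traverse them
                    dfn[element] = 0
                    element = stack.pop()
                partition.insert(0, component(v))
            else:
                partition.insert(0, v)
        return head

    def component(v):
        inner = []
        for s in succ[v]:
            if dfn[s] == 0:
                visit(s, inner)
        return [v] + inner          # head first, as the definition requires

    partition = []
    visit(root, partition)
    return partition


def render(wto):
    """Parenthesised form used on the slide, e.g. (1 (2 3 (4) 5 6) 7)."""
    return "(" + " ".join(render(x) if isinstance(x, list) else str(x) for x in wto) + ")"


def layout(wto, enclosing=(), pos=None, om=None):
    """Erase the parentheses: rank of each vertex in the total order (pos) and
    omega(u), the set of heads of the components containing u (om)."""
    pos = {} if pos is None else pos
    om = {} if om is None else om
    for x in wto:
        if isinstance(x, list):
            layout(x, enclosing + (x[0],), pos, om)
        else:
            pos[x], om[x] = len(pos), set(enclosing)
    return pos, om


def is_wto(succ, wto):
    """Bourdoncle's edge condition: for every edge (u, v), either u precedes v and
    v is not in omega(u) (forward edge), or v does not follow u and v is in omega(u)
    (back edge to a component head)."""
    pos, om = layout(wto)
    for u, targets in succ.items():
        for v in targets:
            forward = pos[u] < pos[v] and v not in om[u]
            back = pos[v] <= pos[u] and v in om[u]
            if not (forward or back):
                return False
    return True


if __name__ == "__main__":
    wto = weak_topological_order(SLIDE_GRAPH, 1)
    print(render(wto), layout(wto)[1][4], is_wto(SLIDE_GRAPH, wto))
```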

19 Refinement: DAG Interpolation

20 Craig Interpolation Theorem
Theorem (Craig 1957). Let A and B be two First Order (FO) formulae such that $A \Rightarrow \neg B$. Then there exists a FO formula I, denoted ITP(A, B), such that $A \Rightarrow I$, $I \Rightarrow \neg B$, and $\mathrm{atoms}(I) \subseteq \mathrm{atoms}(A) \cap \mathrm{atoms}(B)$.
Theorem (McMillan 2003). A Craig interpolant ITP(A, B) can be effectively constructed from a resolution proof of unsatisfiability of $A \wedge B$.
In Model Checking, the Craig Interpolation Theorem is used to safely over-approximate the set of (finitely) reachable states.

21 Craig Interpolation in Model Checking: Over-Approximating Reachable States
Let $R_i$ be the $i$-th step of the transition relation. Assume $\mathit{Init} \wedge R_0 \wedge \dots \wedge R_n \wedge \mathit{Bad}$ is UNSAT (no Bad state in n steps). Let $A = \mathit{Init} \wedge R_0 \wedge \dots \wedge R_n$ and $B = \mathit{Bad}$. Then ITP(A, B) (if it exists) is an over-approximation of the states reachable in n steps that does not contain any Bad states. (Figure: the sets A and B with ITP(A, B) between them.)

22 Interpolation Sequence, a.k.a. Path Interpolants
Given a sequence of formulas $A = \{A_i\}_{i=0}^{n}$, an interpolation sequence $\mathrm{ItpSeq}(A) = \{I_1, \dots, I_{n-1}\}$ is a sequence of formulas such that $I_k$ is an $\mathrm{ITP}(A_0 \wedge \dots \wedge A_{k-1},\; A_k \wedge \dots \wedge A_n)$ and $\forall k < n.\; I_k \wedge A_{k+1} \Rightarrow I_{k+1}$.
(Figure: $A_0, A_1, \dots, A_6$ with the interpolants $I_0, \dots, I_5$ between consecutive formulas.)
If $A_i$ is the transition relation of step i, then the interpolation sequence is a proof of why a program trace is safe.

23 DAG Interpolants: Solving the Refinement Problem
Given a DAG G = (V, E) and a labeling of edges $\pi : E \to \mathit{Expr}$, a DAG Interpolant (if it exists) is a labeling $I : V \to \mathit{Expr}$ such that for any path $v_0, \dots, v_n$ and $0 < k < n$:
$I(v_k) = \mathrm{ITP}(\pi(v_0) \wedge \dots \wedge \pi(v_{k-1}),\; \pi(v_k) \wedge \dots \wedge \pi(v_n))$
$\forall (u, v) \in E.\; (I(u) \wedge \pi(u, v)) \Rightarrow I(v)$
Example (figure: a DAG with edges labelled $\pi_1, \dots, \pi_8$ and vertices labelled $I_1, \dots, I_7$):
$I_2 = \mathrm{ITP}(\pi_1, \pi_8)$, $I_2 = \mathrm{ITP}(\pi_1, \pi_2 \wedge \pi_3 \wedge \pi_6 \wedge \pi_7)$, …
$(I_1 \wedge \pi_1) \Rightarrow I_2$, $(I_2 \wedge \pi_8) \Rightarrow I_7$, $(I_2 \wedge \pi_2) \Rightarrow I_3$, …

24 DAG Interpolation Algorithm
Reduce DAG Interpolation to Sequence Interpolation!
    DagItp((V, E), π) {
      (A_0, …, A_n) = Encode(V, E, π)           // encode the input DAG by a set of constraints, one per vertex
      (I_1, …, I_{n-1}) = SeqItp(A_0, …, A_n)   // compute an interpolant sequence, one interpolant per vertex
      for i in [1, n-1] do
        J_i = Clean(I_i)                        // remove out-of-scope variables
      return (J_1, …, J_{n-1})
    }

25 DagItp: Encode
Encode the DAG of slide 23 (edges $\pi_1, \dots, \pi_8$, vertices $v_1, \dots, v_7$) with one constraint per vertex:
$A_1:\; v_1 \Rightarrow v_2 \wedge \pi_1$
$A_2:\; v_2 \Rightarrow (v_3 \wedge \pi_2) \vee (v_7 \wedge \pi_8)$
$A_3:\; v_3 \Rightarrow (v_4 \wedge \pi_3) \vee (v_5 \wedge \pi_4)$
$A_4:\; v_4 \Rightarrow v_6 \wedge \pi_6$
$A_5:\; v_5 \Rightarrow v_6 \wedge \pi_5$
$A_6:\; v_6 \Rightarrow v_7 \wedge \pi_7$
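The Encode step of slide 25 and the per-path obligations of the DAG-interpolant definition on slide 23, as an added example that is not UFO's code. Formulas are plain strings so it runs without an SMT solver (in UFO the same constraints are SMT terms handed to SeqItp); how the two ends of the constraint sequence are closed is not shown on the slide, so asserting the root as A_0 and the sink as A_n is an assumption of this example.

```python
"""DagItp Encode (one constraint per vertex of a DAG) and the prefix/suffix
interpolation obligations that a DAG interpolant must satisfy on every path."""
from collections import defaultdict, deque

# The slide's DAG as (source, target, edge label); pi8 is the short path v2 -> v7.
SLIDE_EDGES = [
    ("v1", "v2", "pi1"), ("v2", "v3", "pi2"), ("v2", "v7", "pi8"),
    ("v3", "v4", "pi3"), ("v3", "v5", "pi4"), ("v4", "v6", "pi6"),
    ("v5", "v6", "pi5"), ("v6", "v7", "pi7"),
]


def successors(edges):
    succ = defaultdict(list)
    for u, v, label in edges:
        succ[u].append((v, label))
    return succ


def topological_order(edges):
    """Kahn's algorithm. UFO's unfolding is acyclic by construction; a cycle here
    means the caller passed a CFG instead of an unrolling, so refuse it."""
    succ = successors(edges)
    vertices = sorted({x for u, v, _ in edges for x in (u, v)})
    indeg = {v: 0 for v in vertices}
    for u, v, _ in edges:
        indeg[v] += 1
    ready = deque(v for v in vertices if indeg[v] == 0)
    order = []
    while ready:
        u = ready.popleft()
        order.append(u)
        for v, _ in succ[u]:
            indeg[v] -= 1
            if indeg[v] == 0:
                ready.append(v)
    if len(order) != len(vertices):
        raise ValueError("graph has a cycle; DagItp needs a DAG")
    return order


def is_dag(edges):
    try:
        topological_order(edges)
        return True
    except ValueError:
        return False


def encode(edges):
    """Slide 25: for every vertex with successors, v_i => OR_j (v_j & pi(v_i, v_j)),
    listed in topological order so SeqItp yields one interpolant per vertex.
    Assumption: the root is asserted first (A_0) and the sink last (A_n)."""
    succ = successors(edges)
    order = topological_order(edges)
    constraints = [order[0]]                        # A_0: the entry vertex holds
    for u in order:
        if succ[u]:
            disj = " | ".join(f"({v} & {label})" for v, label in succ[u])
            constraints.append(f"{u} => {disj}")    # A_i for an inner vertex
    constraints.append(order[-1])                   # A_n: the error vertex holds
    return constraints


def paths(edges, src, dst):
    """All src -> dst paths as lists of edge labels (fine for an unfolding this small)."""
    succ = successors(edges)
    found = []

    def walk(u, labels):
        if u == dst:
            found.append(labels)
            return
        for v, label in succ[u]:
            walk(v, labels + [label])

    walk(src, [])
    return found


def interpolant_obligations(edges, vertex, src, dst):
    """Slide 23: for every path v_0..v_n through vertex = v_k, I(v_k) must be an
    ITP(pi(v_0) & ... & pi(v_{k-1}), pi(v_k) & ... & pi(v_n)). Returns one
    (prefix labels, suffix labels) pair per path through the vertex."""
    return [(p, s) for p in paths(edges, src, vertex) for s in paths(edges, vertex, dst)]
```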

26 DagItp: Sequence Interpolate
Run SeqItp on the constraints $A_1, \dots, A_6$ from slide 25; the resulting sequence interpolants label the vertices, e.g. $I_4$ is the label of $v_4$.

27 DagItp: Clean
Clean($I_i$) = [formula not captured in the transcript]
The universal quantification is a major bottleneck in practice. We use many heuristics to limit its application. In the worst case, we use quantifier elimination by Loos and Weispfenning as implemented in Z3. We are exploring several approaches that do not require quantifier elimination at all.

28 UFO Refinement
1. Construct the DAG of the current unfolding.
2. Use DagItp to find new labels.
Refinement is done with a single SMT call. Cleaning the labels with quantifier elimination is a major bottleneck. (Figure: an unfolding with locations 1, 3, 4, 5, L, L' and E.)

29 UFO in a Nutshell (repeat of slide 16)
Figure: two iterations (Iteration 1, Iteration 2) over an unrolling with locations L and E. Explore from root → OD; Imprecise post → UD. Legend: Unlabeled, Pred. abs. label, Interpolant label.

30 UFO as a Framework: The Architecture
Components: C Program with assertions; C to LLVM; Optimizer; Cutpoint Graph; ARG Constructor (with pluggable Abstract Post, Expansion Strategy and Refinement Strategy); SMT interface (Mathsat, Z3).

31 Recent Related Work
Intra-procedural:
- Impact [McMillan 06]: original lazy abstraction with interpolants
- Impact2 [McMillan 10]: targets testing/exploration
- Wolverine [Weissenbacher 11]: bit-level interpolants
- Ultimate [Ermis et al. 12]: Impact with Large Block Encoding for refinement
Inter-procedural:
- Whale [our work 12]: inter-procedural verification with interpolants
- FunFrog [Sery et al. 11]: function summarization using interpolants

32 More Recent Related Work
- Software Model Checking via IC3 [Cimatti and Griggio, 12]: IMPACT with IC3-style generalization
- Duality [McMillan and Rybalchenko, 12]: interpolation-based algorithm for Relational Post-Fixed Point
- Generalized Property Directed Reachability [Hoder and Bjorner, 12]: Relational Post-Fixed Point in Z3
- Solving Recursion-Free Horn Clauses over LI+UIF [Gupta et al. 11]: solving DAG interpolation and beyond…
- Alternate and Learn [Sinha et al. 12]: strategies for inlining/instantiating procedures in bounded verification

33 Software Verification Competition (SV-COMP 2013)

34 SV-COMP 2013
2nd Software Verification Competition, held at TACAS 2013.
Goals:
- Provide a snapshot of the state-of-the-art in software verification to the community.
- Increase the visibility and credits that tool developers receive.
- Establish a set of benchmarks for software verification in the community.
Participants: BLAST, CPAChecker-Explicit, CPAChecker-SeqCom, CSeq, ESBMC, LLBMC, Predator, Symbiotic, Threader, UFO, Ultimate
Benchmarks: C programs with an ERROR label (programs include pointers, structures, etc.); over 2,000 files, each 2K to 100K LOC; categories include Linux Device Drivers, SystemC, "Old" BLAST, Product Lines.

35 SV-COMP 2013: Scoring Scheme
    Points  Reported Result       Description
    0       UNKNOWN               Failure to compute verification result, out of resources, program crash.
    +1      FALSE/UNSAFE correct  The error in the program was found and an error path was reported.
    -4      FALSE/UNSAFE wrong    An error is reported for a program that fulfills the property (false alarm, incomplete analysis).
    +2      TRUE/SAFE correct     The program was analyzed to be free of errors.
    -8      TRUE/SAFE wrong       The program had an error but the competition candidate did not find it (missed bug, unsound analysis).
Ties are broken by run-time.

36 UFO Results
UFO won gold in 4 categories:
- Control Flow Integers (perfect score)
- Product Lines (perfect score)
- Device Drivers
- SystemC
It performed much better than mature Predicate Abstraction-based tools.

37 Secret Sauce
- UFO Front-End
- Vinta: combining UFO with Abstract Interpretation [SAS '2012]
- Boxes Abstract Domain [SAS '2010 w/ Sagar Chaki]
- DAG Interpolation [TACAS '2012 and SAS '2012]
- Run many variants in parallel

38 UFO Front End
In principle simple, but in practice very messy:
- CIL passes to normalize the code (library functions, uninitialized vars, etc.)
- llvm-gcc (without optimization) to compile C to LLVM bitcode
- llvm opt with many standard, custom, and modified optimizations
  – lower pointers, structures, unions, arrays, etc. to registers
  – constant propagation + many local optimizations
  – difficult to preserve the intended semantics of the benchmarks
  – based on the very old LLVM 2.6 (newer versions of LLVM are "too smart")
Many benchmarks are discharged by the front-end alone: 1,321 SAFE (out of 1,592) and 19 UNSAFE (out of 380).
(Figure: C Program with assertions → C to LLVM → Optimizer → Cutpoint Graph.)

39 Vinta: Verification with INTERP and AI
Abstract Interpretation: uses the Cutpoint Graph (CPG); maintains an unrolling of the CPG; computes disjunctive invariants; uses a novel powerset widening; uses SMT to check for a CEX.
Refinement: DAG Interpolation for refinement, guided by AI-computed invariants; fills in "gaps" in AI.
Flow: Program → Abstract Interpretation → SAFE (+Invariant), or Unsafe → Refinement (Interpolation) → UNSAFE (+CEX), or Invariant Strengthening back to Abstract Interpretation.

40 Boxes Abstract Domain: Semantic View (joint work w/ Sagar Chaki)
Boxes are "finite unions of box values"; alternatively, Boxes are "Boolean formulas over interval constraints".

41 Linear Decision Diagrams in a Nutshell (joint work w/ Sagar Chaki and Ofer Strichman)
Example Linear Decision Diagram: a decision node x + 2y < 10 whose false edge leads to a decision node z < 10, with true and false terminals; it represents the Linear Arithmetic Formula (x + 2y < 10) OR (x + 2y ≥ 10 AND z < 10).
Operations: Propositional (AND, OR, NOT), Existential Quantification.
Compact Representation: sharing sub-expressions, local numeric reductions, dynamic node reordering.

42 DAG Interpolants: Solving the Refinement Problem (repeat of slide 23)

43 Parallel Verification Strategy
Run 7 verification strategies in parallel until a solution is found:
- cpredO3: all LLVM optimizations + Cartesian Predicate Abstraction
- bpredO3: all LLVM optimizations + Boolean PA + 20s TO
- bigwO3: all LLVM optimizations + BOXES + non-aggressive widening + 10s TO
- boxesO3: all LLVM optimizations + BOXES + aggressive widening
- boxO3: all LLVM optimizations + BOX + aggressive widening + 20s TO
- boxesO0: minimal LLVM optimizations + BOXES + aggressive widening
- boxbpredO3: all LLVM opts + BOX + Boolean PA + aggressive widening + 60s TO

44 UFO (repeat of slide 4)

45 In The Box (image courtesy of Aws Albarghouthi)

46 UFO Family
- Whale [VMCAI12]: interpolation-based interprocedural analysis; interpolants as procedure summaries; state/transition interpolation, a.k.a. Tree Interpolants
- UFO [TACAS12]: refinement with DAG interpolants; tight integration of interpolation-based verification with predicate abstraction
- Vinta [SAS12]: refinement of Abstract Interpretation (AI); AI-guided DAG Interpolation

47 Thank You!

48 Contact Information
Presenter: Arie Gurfinkel, RTSS
U.S. mail: Software Engineering Institute, Customer Relations, 4500 Fifth Avenue, Pittsburgh, PA, USA

© 2013 Carnegie Mellon University THE END