© 2006 Carnegie Mellon University Combining Predicate and Numeric Abstraction for Software Model Checking Software Engineering Institute Carnegie Mellon.

Presentation transcript:

© 2006 Carnegie Mellon University Combining Predicate and Numeric Abstraction for Software Model Checking Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Arie Gurfinkel and Sagar Chaki

2 Combining PA and NA for Soft MC Gurfinkel and Chaki © 2006 Carnegie Mellon University
Automated Software Analysis
Program → Automated Analysis → Correct / Incorrect
- Software Model Checking with Predicate Abstraction (e.g., Microsoft's SDV)
- Abstract Interpretation with Numeric Abstraction (e.g., ASTREE, Polyspace)

3 Predicate and Numeric Abstractions
Predicate Abstraction (PA) (e.g., SDV)
- Typical property: no lock is acquired twice
- Reduces program verification to propositional reasoning with a model checker
- Works well for control-driven programs, and poorly for data-driven programs
Numeric Abstraction (NA) (e.g., ASTREE)
- Typical property: no arithmetic overflow
- Reduces program verification to arithmetic reasoning
- Works well for data-driven programs, and poorly for control-driven programs
How to combine PA and NA to get the best of both?!

4 Outline
- Predicate and Numeric Abstraction for Program Analysis
  - Strengths and Weaknesses
  - An "Ideal" Combination
- PA+NA Combination
  - Abstract Transformers
  - Data Structures
- Experimental Results
- Current and Future Work

5 Predicate Abstraction: An Example
Predicates: p1: i=1, p2: i=2, p3: x1>0, p4: x2<0

Program:
    assume (i=1 || i=2)
    if (i = 1) x1 := i;
    else if (i = 2) x2 := -4;
    if (i = 1) assert (x1 > 0);
    else if (i = 2) assert (x2 < 0);

Predicate abstraction of the program:
    assume (p1 || p2)
    if (p1) p3 := ch(p1||p2, false);
    else if (p2) p4 := true;
    if (p1) assert (p3);
    else if (p2) assert (p4);

The choice operator p := ch(tt, ff) stands for:
    if (tt) p := 1;
    else if (ff) p := 0;
    else p := *;

6 Analysis with Predicate Abstraction
Predicates: p1: i=1, p2: i=2, p3: x1>0, p4: x2<0
Abstract program with the reachable abstract state at each point:
    assume (p1 || p2)                     -- p1 || p2
    if (p1)                               -- p1
        p3 := ch(p1||p2, false);          -- p1 && p3
    else if (p2)                          -- !p1 && p2
        p4 := true;                       -- !p1 && p2 && p4
                                          -- join: (p1 && p3) || (!p1 && p2 && p4)
    if (p1) assert (p3);                  -- p1 && p3
    else if (p2) assert (p4);             -- p2 && p4
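The analysis on slides 5-6 is propositional reasoning over predicate valuations. As an added example (not code from the slides or their authors), the following Python runs the Boolean program explicitly: an abstract state is a set of valuations of p1..p4, assume filters the set, and the choice operator ch(tt, ff) is applied per valuation exactly as slide 5 defines it (true if tt holds, false if ff holds, otherwise both). The predicate names follow the slides; the function names and the explicit-set representation (a model checker would use BDDs) are this example's own choices.

```python
# Added example: explicit-state analysis of the Boolean program on slides 5-6.
# Predicates p1..p4 are taken from the slides; the set-of-valuations encoding
# and all function names are constructed for this illustration.
from itertools import product

PREDS = ("p1", "p2", "p3", "p4")  # p1: i=1, p2: i=2, p3: x1>0, p4: x2<0


def all_valuations():
    """Top of the predicate domain: every assignment to the four predicates."""
    return {frozenset(zip(PREDS, bits)) for bits in product([False, True], repeat=4)}


def val(s, p):
    """Value of predicate p in valuation s."""
    return dict(s)[p]


def assume(states, cond):
    """assume(cond): keep only the valuations in which cond holds."""
    return {s for s in states if cond(s)}


def ch(s, tt, ff):
    """Slide 5's choice operator on one valuation: returns the set of values
    p may take (a singleton when tt or ff decides it, both otherwise)."""
    if tt(s):
        return {True}
    if ff(s):
        return {False}
    return {True, False}


def assign(states, p, values_of):
    """p := ch(...) lifted to a set of valuations; a valuation may split in two."""
    out = set()
    for s in states:
        for v in values_of(s):
            out.add(frozenset((q, v if q == p else val(s, q)) for q in PREDS))
    return out


def analyze():
    """Run the abstract program of slide 6 and report the two assertion checks."""
    st = assume(all_valuations(), lambda s: val(s, "p1") or val(s, "p2"))
    # if (p1) p3 := ch(p1||p2, false);
    br1 = assume(st, lambda s: val(s, "p1"))
    br1 = assign(br1, "p3",
                 lambda s: ch(s, lambda t: val(t, "p1") or val(t, "p2"), lambda t: False))
    # else if (p2) p4 := true;
    br2 = assume(st, lambda s: not val(s, "p1") and val(s, "p2"))
    br2 = assign(br2, "p4", lambda s: {True})
    joined = br1 | br2  # join of explicit state sets is plain union
    # if (p1) assert (p3); else if (p2) assert (p4);
    ok1 = all(val(s, "p3") for s in assume(joined, lambda s: val(s, "p1")))
    ok2 = all(val(s, "p4")
              for s in assume(joined, lambda s: not val(s, "p1") and val(s, "p2")))
    return {"states_after_join": len(joined), "assert_p3": ok1, "assert_p4": ok2}


if __name__ == "__main__":
    print(analyze())
```

Both assertions are proved because ch(p1||p2, false) is decided by the assume at the top of the program; dropping that assume would leave p3 unconstrained in the else-case of ch, which is exactly how a predicate abstraction reports a (possibly spurious) counterexample.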

7 Predicate Abstraction: Strengths/Weaknesses
Strengths
- Works well for control-dependent properties
- Completely automated
- Predicates can come from any theory that has an automated (semi-)decision procedure
- Supports any Boolean combination of predicates
- Compatible with CounterExample Guided Abstraction Refinement
Weaknesses
- Scalability (construction and analysis)
- Restricted to finite abstract domains

8 Numeric Abstract Interpretation
- Analysis is restricted to a fixed Abstract Domain
- An Abstract Domain is "a restricted (possibly infinite) set of predicates" + efficient operations
Examples of Numeric Abstract Domains
- Signs: x < 0, x = 0, x > 0
- Intervals: c1 <= x <= c2, where c1, c2 are constants
- Octagons: ±x ± y <= c, where c is a constant
- Polyhedra: a1 x1 + a2 x2 + a3 x3 + a4 <= 0, where a1, a2, a3, a4 are constants

9 AbsDom Interface
    interface AbsDom(V)
      A -- abstract elements, E -- expressions, S -- statements
      α      : E → A
      γ      : A → E
      meet   : A x A → A
      join   : A x A → A
      leq    : A x A → bool
      isTop  : A → bool
      isBot  : A → bool
      widen  : A x A → A
      αPost  : S → (A → A)
All operations are over-approximations, e.g.,
    γ(a) || γ(b) => γ(join(a, b))
    γ(a) && γ(b) => γ(meet(a, b))

10 Example: The Domain of Intervals
Operations                                          Examples
α: 1 <= x <= 10  ↦  (1, 10)
γ: (1, 10)  ↦  1 <= x <= 10
(a, b) meet (c, d) = (max(a,c), min(b,d))           (1, 10) meet (2, 12) = (2, 10)
(a, b) join (c, d) = (min(a,c), max(b,d))           (1, 3) join (7, 12) = (1, 12)   (over-approx)
αPost(x := x + 1)((a, b)) = (a+1, b+1)              (1, 10) + 1 = (2, 11)

11 Analysis with Intervals NA (1)
Program with the interval facts known at each point:
    assume (i=1 || i=2)                     -- 1 <= i <= 2
    if (i = 1) x1 := i;                     -- i=1, then i=1 && x1=1
    else if (i = 2) x2 := -4;               -- i=2, then i=2 && x2=-4
                                            -- join: 1 <= i <= 2
    if (i = 1) assert (x1 > 0);             -- i=1
    else if (i = 2) assert (x2 < 0);        -- i=2

12 Analysis with Intervals NA (2)
    if (3 <= y1 <= 4) {                     -- 3 <= y1 <= 4
        x1 := y1-2; x2 := y1+2;             -- 1 <= x1 <= 2, 5 <= x2 <= 6
    } else if (3 <= y2 <= 4) {              -- 3 <= y2 <= 4
        x1 := y2-2; x2 := y2+2;             -- 1 <= x1 <= 2, 5 <= x2 <= 6
    } else return;
                                            -- join: 1<=x1<=2, 5<=x2<=6
    assert (5 <= x1 + x2 <= 10);
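The AbsDom interface of slide 9, its interval instance on slide 10, and the interval analysis of slide 12 can be written down in a few dozen lines. The Python below is an added example, not code from the slides or the authors' tool: it implements meet, join, leq, widen and αPost for intervals, runs the program of slide 12 (both branches, then the join, then the assertion), and, going one step beyond the slides, iterates a counting loop with widening to show the precision loss that slide 13 attributes to join and widen. The class and function names (Interval, post_assign, assume_range, loop_with_widening) and the dict-of-intervals "box" representation are this example's own assumptions.

```python
# Added example: the interval abstract domain of slides 9-10 and the analysis
# of slide 12. Names and the box (dict of intervals) encoding are constructed
# for this illustration; a missing variable in a box means "unconstrained".
import math


class Interval:
    """Closed interval [lo, hi] over the extended reals; lo > hi encodes bottom."""

    def __init__(self, lo, hi):
        self.lo, self.hi = lo, hi

    def is_bot(self):
        return self.lo > self.hi

    def is_top(self):
        return self.lo == -math.inf and self.hi == math.inf

    def meet(self, o):
        return Interval(max(self.lo, o.lo), min(self.hi, o.hi))

    def join(self, o):
        """Over-approximates the union: (1,3) join (7,12) = (1,12)."""
        if self.is_bot():
            return o
        if o.is_bot():
            return self
        return Interval(min(self.lo, o.lo), max(self.hi, o.hi))

    def leq(self, o):
        return self.is_bot() or (o.lo <= self.lo and self.hi <= o.hi)

    def widen(self, o):
        """Standard interval widening: a bound that grew is pushed to infinity."""
        return Interval(self.lo if o.lo >= self.lo else -math.inf,
                        self.hi if o.hi <= self.hi else math.inf)

    def add(self, o):
        return Interval(self.lo + o.lo, self.hi + o.hi)

    def shift(self, c):
        return Interval(self.lo + c, self.hi + c)

    def __eq__(self, o):
        return (self.lo, self.hi) == (o.lo, o.hi)

    def __repr__(self):
        return f"({self.lo}, {self.hi})"


TOP = Interval(-math.inf, math.inf)


def post_assign(box, x, y, c):
    """αPost(x := y + c) on a box: x's interval is recomputed, the rest kept."""
    nb = dict(box)
    nb[x] = box.get(y, TOP).shift(c)
    return nb


def assume_range(box, y, lo, hi):
    """assume(lo <= y <= hi) is a meet with the interval (lo, hi)."""
    nb = dict(box)
    nb[y] = box.get(y, TOP).meet(Interval(lo, hi))
    return nb


def join_box(a, b):
    """Pointwise join; a variable unconstrained on one side becomes top."""
    return {v: a.get(v, TOP).join(b.get(v, TOP)) for v in set(a) | set(b)}


def analyze_slide12():
    """Interval analysis of the program on slide 12. Returns the box after the
    join and whether 5 <= x1 + x2 <= 10 is provable from it."""
    b1 = assume_range({}, "y1", 3, 4)                        # if (3 <= y1 <= 4)
    b1 = post_assign(post_assign(b1, "x1", "y1", -2), "x2", "y1", 2)
    b2 = assume_range({}, "y2", 3, 4)                        # else if (3 <= y2 <= 4)
    b2 = post_assign(post_assign(b2, "x1", "y2", -2), "x2", "y2", 2)
    joined = join_box(b1, b2)
    total = joined["x1"].add(joined["x2"])                   # x1 + x2 in intervals
    return joined, total.leq(Interval(5, 10))


def loop_with_widening(bound=100):
    """x := 0; while (x < bound) x := x + 1, iterated with widening at the loop
    head until stable. Returns (loop-head invariant, interval on exit)."""
    head = Interval(0, 0)
    while True:
        body = head.meet(Interval(-math.inf, bound - 1)).shift(1)  # assume(x<bound); x:=x+1
        new = head.widen(Interval(0, 0).join(body))
        if new == head:
            return head, head.meet(Interval(bound, math.inf))
        head = new


if __name__ == "__main__":
    print(analyze_slide12())
    print(loop_with_widening())
```

For slide 12 the join keeps x1 in (1, 2) and x2 in (5, 6), so x1 + x2 lies in (6, 8) and the assertion is proved. For the loop, widening jumps the head invariant to (0, +inf) after one round and the exit state becomes (100, +inf) rather than the exact x = 100; recovering that bound would need a narrowing pass, which this example deliberately omits.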

13 Strengths/Weaknesses of Numeric Abstraction
Strengths
- Fully automated
- Scalable
- Supports infinite abstract domains
- (Supports) automated refinement
Weaknesses
- Limited to a few theories (intervals, octagons, polyhedra)
- Restricted to conjunctions of terms
- Loses precision very quickly (join, widen, etc.)

14 "Ideal" Combination of PA + NA
Predicates: p: A[y1+y2]=3, q: A[x1+x2]=3

Concrete program:
    assume (x1 = x2);
    if (A[y1+y2] = 3) {
        x1 := y1 - 2;
        x2 := y2 + 2;
    } else
        A[x1+x2] := 5;
    if (A[x1+x2] = 3) {
        x1 := x1 + x2;
        x2 := x2 + y1;
    }
    assert (x1 = x2)

Abstracted with predicates p and q (numeric variables stay numeric):
    assume (x1 = x2);
    if (p) {
        x1 := y1 - 2 && q := *;
        x2 := y2 + 2 && q := ch((x1=y1-2) && p, f)
    } else
        q := false;
    if (q) {
        x1 := x1 + x2;
        x2 := x2 + y1;
    }
    assert (x1 = x2)

16 Analyzing with PA + NA
Predicates: p: A[y1+y2]=3, q: A[x1+x2]=3
    assume (x1 = x2);                                   -- x1=x2
    if (p) {                                            -- p && x1=x2
        x1 := y1 - 2 && q := *;                         -- p && x1=y1-2
        x2 := y2 + 2 && q := ch((x1+2 = y1) && p, f)    -- p && x1=y1-2 && x2=y2+2 && q
    } else
        q := false;                                     -- !p && !q && x1=x2
                -- join: (p && x1=y1-2 && x2=y2+2 && q) || (!p && !q && x1=x2)
    if (q) {                                            -- p && x1=y1-2 && x2=y2+2 && q
        x1 := x1 + x2;                                  -- p && x1=y1+y2 && x2=y2+2 && q
        x2 := x2 + y1 - 2;                              -- p && x1=y1+y2 && x2=y2+y1 && q
    }
    assert (x1 = x2)

17 Grammar for Our Abstract Transformer
    τ   ::= (e ? τN) && τP
          | τ || τ             (nondet)
          | τ ; τ              (sequence)
    e   ::= boolean expression over predicate and numeric terms
    τP  ::= p := ch(e, e)
          | τP && τP           (parallel)
    τN  ::= assignment to numeric terms

18 Transformer Examples
Predicates: p1: z=&x, p2: z=&y, p3: y=1

Concrete Transformer              Abstract Transformer
assume (*z > 0)                   (p1 && x>0 || p2 && y>0 || !p1 && !p2) ? skip
*z = u + 1                        (p1 ? x := u + 1) || (p2 ? y := u + 1) || (!p1 && !p2 ? skip)
y = x && x = (y-1 ? v : w)        (p3 ? x := v || !p3 ? x := w) && p3 := ch(x=1, x!=1)

19 Overview of Our 4 Data Structures
Name        Example                                           Num. Terms
NEXPoint    (p || q) && (0 <= x <= 5)                         Explicit
NEX         (p && 0<=x<=3) || (!p && (1<=x<=5))               Explicit
MTBDD       (p && 0<=x<=3) || (!p && (1<=x<=5))               Symbolic
NDD         (p && (x=0 || x=3)) || (!p && (x=1 || x=5))       Symbolic

20 NEXPoint
NEXPoint elements are pairs (P, N):
- P: a BDD over predicates
- N: an element of the numeric abstract domain
All operations are pairwise

21 Numeric EXplicit (NEX)
NEX elements are lists of NEXPoints [(P1, N1), ..., (Pk, Nk)] satisfying the partitioning condition Pi ∩ Pj = {} for i ≠ j
Operations are done using NEXPoint, but respect the partitioning condition
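Slides 19-21 contrast NEXPoint (one predicate part, one numeric part, all operations pairwise) with NEX (a list of NEXPoints whose predicate parts partition the valuation space). The Python below is an added example, not the slides' or the authors' implementation: it builds both structures over the predicates p, q of slide 19 and one numeric variable x, implements the pairwise NEXPoint operations and a NEX join that preserves the partitioning condition, and then joins "p && 0<=x<=3" with "!p && 1<=x<=5" in both. The assumptions are the example's own: the BDD over predicates is replaced by an explicit set of valuations, intervals are plain (lo, hi) tuples, and the helper names (cell, nexpoint_join, nex_join, is_partitioned) are invented here.

```python
# Added example: NEXPoint vs NEX over predicates p, q (slide 19) and a single
# numeric variable x in the interval domain. Explicit valuation sets stand in
# for BDDs and (lo, hi) tuples for numeric-domain elements; both are
# simplifications made for this illustration.
from itertools import combinations, product

PREDS = ("p", "q")
# top of the predicate part: all four valuations of (p, q)
TOP_P = frozenset(frozenset(zip(PREDS, bits)) for bits in product([False, True], repeat=2))


def cell(**fixed):
    """Valuations agreeing with the given literals, e.g. cell(p=True) is 'p'."""
    return frozenset(v for v in TOP_P if all(dict(v)[k] == b for k, b in fixed.items()))


# interval helpers on (lo, hi) tuples; lo > hi would encode bottom
def ijoin(a, b):
    return (min(a[0], b[0]), max(a[1], b[1]))


def imeet(a, b):
    return (max(a[0], b[0]), min(a[1], b[1]))


def icontains(i, x):
    return i[0] <= x <= i[1]


# NEXPoint = (P, N): every operation is applied pairwise (slide 20)
def nexpoint_join(a, b):
    return (a[0] | b[0], ijoin(a[1], b[1]))


def nexpoint_meet(a, b):
    return (a[0] & b[0], imeet(a[1], b[1]))


def nexpoint_contains(e, valuation, x):
    """Concretisation test: is (valuation, x) described by the element?"""
    return valuation in e[0] and icontains(e[1], x)


# NEX = list of NEXPoints with pairwise-disjoint predicate parts (slide 21)
def is_partitioned(nex):
    return all(not (P & Q) for (P, _), (Q, _) in combinations(nex, 2))


def nex_join(a, b):
    """Join two NEX elements while keeping the partitioning condition: where
    predicate cells overlap the numeric parts are joined, cells present on one
    side only are copied through unchanged."""
    out = []
    for P, N in a:
        rest = P
        for Q, M in b:
            common = P & Q
            if common:
                out.append((common, ijoin(N, M)))
                rest = rest - Q
        if rest:
            out.append((rest, N))
    dom_a = frozenset().union(*(P for P, _ in a))
    for Q, M in b:
        rest = Q - dom_a
        if rest:
            out.append((rest, M))
    return out


def nex_contains(nex, valuation, x):
    return any(nexpoint_contains(e, valuation, x) for e in nex)


def slide19_comparison():
    """Join 'p && 0<=x<=3' with '!p && 1<=x<=5' as NEXPoint and as NEX, then
    test the concrete point (!p, !q, x=0), which only the NEXPoint admits."""
    a = (cell(p=True), (0, 3))
    b = (cell(p=False), (1, 5))
    point = nexpoint_join(a, b)        # predicate part collapses to p || !p
    nex = nex_join([a], [b])           # both cells survive unchanged
    v = next(iter(cell(p=False, q=False)))
    return {"nexpoint": point, "nex": nex,
            "nexpoint_admits": nexpoint_contains(point, v, 0),
            "nex_admits": nex_contains(nex, v, 0)}


if __name__ == "__main__":
    print(slide19_comparison())
```

The NEXPoint join yields (true, 0 <= x <= 5), which admits the state !p && x = 0 that neither operand allowed; the NEX join keeps the two cells apart and rejects it. The cost is the list traversal in nex_join, which is what slide 25's scalability columns are about.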

22 The Partitioning Condition
[figure: the valuation space split into cells labelled p, !p, q, !q, with numeric elements x>0 and y>0 attached to cells]

23 Multi-Terminal Numeric Decision Diagrams
MTNDD elements are Decision Diagrams with Numeric values at the terminals
Example: p1 && !p2 && (x>0) && (x=y), with p1: x>0, p2: z<y and BDD variables b1: p1, b2: p2
[figure: decision diagram over b1, b2 whose terminal is x>0 && x=y; 1-edges are black, 0-edges are red; edges to the 0 node are not shown]

24 Numeric Decision Diagrams
NDD elements are BDDs over Predicate and Numeric Terms
Example: (p1 && p2) || (x<0 && y=z), with p1: x>=0, p2: z>0
  normalizes to (x>=0 && z>0) || (!(x>=0) && y=z)
  BDD variables: b1: x>=0, b2: z>0, b3: y=z
[figure: decision diagram over b1, b2, b3 with terminal 1; 1-edges are black, 0-edges are red; edges to the 0 node are not shown]

25 Summary of the Data Structures
            Precision   Scalability (PA alone, NA alone, Prop Op, Num Op)
NEXPoint    -           + + +
NEX
MTNDD
NDD
[table entries for NEX, MTNDD and NDD not preserved in the transcript]

26 Experimental Results
- Java implementation
- Numeric domains implemented on top of the Apron library
- Synthetic examples used to validate specific conjectures
  - NEX & MTNDD better than NDD when numeric joins are exact — since NDD uses exact unions while the others use numeric join
  - NDD better than the others when invariants are propositionally complex — since NDD has the most sharing capability
- Realistic examples used to gauge overall performance
  - Total 11 examples: Zitser buffer overflow (3), OpenSSL (2), metal-casting plant controller (4), Micro-C OS (2)

27 Experimental Results
Domain      #Exp.   Total   Gamma   Join   alphaPost   Image
Numeric
Predicate
NEXPoint
NEX
MTNDD
NDD
(all times are in seconds) [numeric entries not preserved in the transcript]

28 Related Work
- Abstract Interpretation [CC'92]: our domain ≈ reduced direct product of Predicate and Numeric domains
- Jain et al. [CAV'06]: applies numeric invariants to simplify predicate abstraction; weaker than NEXPoint
- Fischer et al. [FSE'05], Beyer et al. [CAV'07, CAV'06]: predicate abstraction + abstract domain; similar to NEXPoint, but with simpler transfer functions
- Bultan et al. [TOSEM'00]: MC of programs with Boolean and numeric variables using the Omega library; similar to NEX, but with simpler transfer functions

29 Current and Future Work
- We are working on a more comprehensive benchmark suite
- Need automated abstraction-refinement for PA + NA
- In the current implementation, the abstract domain is treated as a black box. We are exploring a tighter integration between predicate and numeric domains: smarter numeric transfer functions, smarter DD variable ordering, etc.
