Diagnosing Abstraction Failure in Separation Logic-Based Analyses. Arlen Cox, Josh Berdine, Samin Ishtiaq, Christoph Wintersteiger.

Presentation transcript:

Diagnosing Abstraction Failure in Separation Logic-Based Analyses. Arlen Cox, Josh Berdine, Samin Ishtiaq, Christoph Wintersteiger

The Abstraction Refinement Dream (flowchart): Start Verification -> Pick Abstraction -> Attempt Proof. On Success: done. On Failure: Find Counterexample. If that succeeds: Fix Bug. If it fails: Diagnose Failure -> Pick New Abstraction -> Attempt Proof again.

State of the Art Separation Logic Analysis (same flowchart as above; the two steps marked 1 and 2 are labelled Previously Unexplored).

Traditional Abstraction Refinement Not Our Contribution

Pick Abstract/Attempt Proof

Proof Fails

Diagnosing Abstraction Failure with Weakest Precondition (diagram)
1. An Abstract State
2. A Concrete State, labelled: Unreachable; Reaches Error; Contained in Abstract State

Partition the Abstract State

No WP() in Separation Logic Weakest Precondition

No WP() in Separation Logic
  int* p;
  …
  *p = 17;
PSPACE-complete* due to aliasing
* Calcagno, C., Yang, H., O'Hearn, P.W.: Computability and complexity results for a spatial assertion language for data structures. In: FSTTCS (2001)

Separation Logic-based Analyses
- Restricted logic: does not support separating implication, general negation, or general conjunction
- Do not support backward reasoning: no weakest precondition
- Contribution: a method to use forward analysis to diagnose failures
- Contribution: a method for efficiently performing forward counterexample searches

Example (diagram: l points to a chain of ListNodes ending in NULL)
  l = new ListNode(new Obj(), NULL);
  while (*) {
    l = new ListNode(new Obj(), l);
  }
  while (l != NULL) {
    n = l->next;
    free(l->data);
    free(l);
    l = n;
  }

Background: Pick Abstraction (flowchart from the Abstraction Refinement Dream slide, with the Pick Abstraction step highlighted)

Pattern-Based Abstraction (diagram, three steps: l points to a list segment … ending in NULL, which is abstracted step by step)

Background: Proof Attempt (flowchart, with the Attempt Proof step highlighted)

Proof Search (SLL)
  l = new ListNode(new Obj(), NULL);
  while (*) {
    l = new ListNode(new Obj(), l);
  }
  while (l != NULL) {
    n = l->next;
    free(l->data);
    free(l);
    l = n;
  }
Animation steps: first the loop statement l = new ListNode(new Obj(), l); is highlighted; then the explored path is shown alongside the program:
  l = new ListNode(new Obj(), NULL);
  l = new ListNode(new Obj(), l);
  assume(l != NULL);
  n = l->next;
  free(l->data);

Counterexamples (flowchart, with the Find Counterexample step highlighted)

Traditional Bounded Model Checking (Not Our Contribution)
  l = new ListNode(new Obj(), NULL);
  l = new ListNode(new Obj(), l);
  assume(l != NULL);
  n = l->next;
  free(l->data);
  free(l);
  l = n;
  assume(l == NULL);
1. Unroll transition system
2. Check property
3. Repeat
- Can explode for deep properties
- Doesn't help the proof process

Contribution: BMC Over Abstract Transition System
  l = new ListNode(new Obj(), NULL);
  l = new ListNode(new Obj(), l);
  assume(l != NULL);
  n = l->next;
  free(l->data);
1. Unroll abstract transition system
2. Check property
3. Repeat
+ Restricted search space
+ Finds counterexamples that caused this proof failure

Contribution: BMC Over Abstract Transition System (encoding of the unrolling)
- Must end in error
- Unroll up to a bound
- Stay in error
- Otherwise transition according to program
- Send to SMT solver; quantifiers and all.

Encoding of memory: each allocated block is encoded with the fields Data, Allocated, Size, and Address.
  p = malloc(size);
  q = malloc(size);
  r = p + size;
  *r = 3;
The slides show the same store *r = 3 twice with different block layouts in the diagram: once marked (no error), once marked (error).

Counterexample Search
  l = new ListNode(new Obj(), NULL);
  assume(l != NULL);
  n = l->next;
  free(l->data);
  l = new ListNode(new Obj(), l);
Just need structure. Don't need separation logic formulas.
Search steps shown on the slides:
- Initially: No Error.
- After l = new ListNode(new Obj(), NULL): No Error (l points to a single node, then NULL).
- After l = new ListNode(new Obj(), l): No Error; the path assume(l != NULL); n = l->next; free(l->data) is marked Error Unreachable.
- A further unrolling of l = new ListNode(new Obj(), l) is followed by the same path, again marked Error Unreachable.

Counterexample Search
- Produces concrete counterexamples
- Contribution: only explores the failed proof; finds counterexamples that would cause this particular proof failure
- Contribution: relies on the SMT solver for unrolling; property-guided, intelligent backtracking
- Bit-precise memory model

Contribution: Diagnosing Failure (flowchart, with the Diagnose Failure step highlighted)

Diagnosing the Failure
  l = new ListNode(new Obj(), NULL);
  assume(l != NULL);
  n = l->next;
  free(l->data);
  l = new ListNode(new Obj(), l);
Was the abstraction here responsible for the failure?
1. Delete the program before the join point.
2. Synthesize a program prefix that creates the abstract state precisely:
  l = NULL;
  l = new ListNode(*, l);   // non-deterministic data field
3. Re-run the counterexample search. Error found!
Algorithm:
  for p in Join_Points(ATS) {
    ATS' = Synthesize_Prefix(p, ATS)
    CEx = Find_Counterexample(ATS')
    if (exists CEx) {
      ATS = Refine(ATS, p, CEx);
    }
  }

Picking New Abstraction (flowchart, with the Pick New Abstraction step highlighted)

Picking New Abstraction
- Partial order of abstractions
- Pick the next best abstraction

Proof Search with SLL_OBJ
  l = new ListNode(new Obj(), NULL);
  l = new ListNode(new Obj(), l);
  assume(l != NULL);
  n = l->next;
  free(l->data);
  free(l);
  l = n;
  assume(l == NULL);
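As an added example, not code from the slides or from the authors' tool, the following Python model ties the memory-encoding slides (per-block Address, Size, Allocated fields) to the diagnosis step: it replays the deck's freeing loop after a synthesized prefix whose data field is either constrained to a live Obj (the SLL_OBJ abstraction) or left unconstrained (the SLL abstraction). The contiguous allocator, the 16-byte ListNode, and the garbage pointer value are assumptions.

```python
class Memory:
    """Allocator recording Address, Size and Allocated per block (memory-encoding slides)."""
    def __init__(self, base=0x1000):
        self.next_addr = base
        self.blocks = {}            # address -> [size, allocated]

    def malloc(self, size):
        addr = self.next_addr
        self.blocks[addr] = [size, True]
        self.next_addr += size      # contiguous layout is an assumption
        return addr

    def free(self, addr):
        # free() is only valid on the start address of a live block
        blk = self.blocks.get(addr)
        if blk is None or not blk[1]:
            raise MemoryError(f"free of non-allocated address {addr:#x}")
        blk[1] = False

def free_list(mem, head, nodes):
    """The deck's second loop: free each node's data, then the node itself."""
    l = head
    while l != 0:
        n = nodes[l]["next"]
        mem.free(nodes[l]["data"])
        mem.free(l)
        l = n

def build_list(mem, nodes, length, data_choice):
    """Synthesized prefix: data_choice supplies whatever the abstract state allows."""
    l = 0                           # NULL
    for _ in range(length):
        node = mem.malloc(16)       # ListNode size is an assumption
        nodes[node] = {"data": data_choice(mem), "next": l}
        l = node
    return l

def search(data_choice, length=2):
    """Run the prefix, then the freeing loop; return the error found, or None."""
    mem, nodes = Memory(), {}
    head = build_list(mem, nodes, length, data_choice)
    try:
        free_list(mem, head, nodes)
    except MemoryError as e:
        return str(e)
    return None

sll_obj = lambda mem: mem.malloc(8)   # SLL_OBJ: data is always a live Obj
sll_any = lambda mem: 0xDEAD0000      # SLL: data unconstrained; garbage pointer (constructed)
```

With SLL_OBJ the loop frees every block exactly once and no counterexample exists; with SLL the search is free to pick a garbage data pointer, and free(l->data) on it is the concrete counterexample that the abstraction at the join point admitted.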

Conclusions (flowchart from the Abstraction Refinement Dream slide)
✔ New BMC approach
  - Search the abstract transition system instead of the program
  - Only finds causes for the proof failure
  - Use a monolithic encoding
  - Take advantage of intelligent backtracking
✔ New approach to diagnosis
  - Synthesize a program prefix
  - Use guided counterexample search to diagnose
  - Find the failing abstraction
  - Find the failing concrete value contained by the abstraction

Questions?