Counterexample-Guided Focus (Thomas Wies, Institute of Science and Technology (IST) Austria)


Counterexample-Guided Focus. Thomas Wies, Institute of Science and Technology (IST) Austria. Joint work with Andreas Podelski, University of Freiburg.

Motivation: verify complex properties of heap-manipulating programs. Example: filter on a doubly-linked list (nodes with next and prev pointers, entry point root).

    public void filter(Predicate p)
    /*: requires "p ≠ null"
        modifies content
        ensures "content = old content ∩ (pred p)" */
    {
        Node e = root;
        while (e != null) {
            Node c = e;
            e = e.next;
            if (!p.contains(c.data)) {
                if (c.prev == null) {
                    e.prev = null;
                    root = e;
                } else {
                    c.prev.next = e;
                    e.prev = c;
                }
            }
        }
    }

Quantified properties:
– data structure invariants, e.g. ∀x. next(prev(x)) = x
– functional correctness, e.g. ∀x. next*(root, x) ↔ (old next)*(root, x) ∧ x ∈ pred(p)
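An added example, not the slides' or Bohne's code: a Python model of the filter above in which the two quantified properties are checked at run time over a finite list (Bohne establishes them statically from the Jahob specification). filter_list is my own unlinking loop, which guards e against null and resets e.prev to c.prev; build, reach, invariant_holds and check_filter are hypothetical helper names.

```python
# Added example (not the slides' code): Python model of the slide's filter.
class Node:
    def __init__(self, data):
        self.data, self.next, self.prev = data, None, None

def build(values):
    """Build a doubly-linked list; returns the root (None if empty)."""
    root = None
    for v in reversed(values):
        n = Node(v)
        n.next = root
        if root is not None:
            root.prev = n
        root = n
    return root

def reach(root):
    """next*(root, x): the nodes reachable from root via next (cycle-safe)."""
    seen = []
    while root is not None and root not in seen:
        seen.append(root)
        root = root.next
    return seen

def invariant_holds(root):
    """Data structure invariant: forall x. next(prev(x)) = x, root has no prev."""
    return (root is None or root.prev is None) and all(
        x.prev is None or x.prev.next is x for x in reach(root))

def filter_list(root, p):
    """The filter loop: unlink every node c whose data fails p; returns root."""
    e = root
    while e is not None:
        c, e = e, e.next               # e is the successor of c
        if not p(c.data):
            if c.prev is None:         # c is the root: e becomes the new root
                root = e
            else:                      # c is interior: bypass it
                c.prev.next = e
            if e is not None:          # repair the back pointer of e
                e.prev = c.prev
    return root

def check_filter(values, p):
    """Run the filter; return (properties hold, data of surviving nodes)."""
    root = build(values)
    old = reach(root)                  # (old next)*(root, x)
    new_root = filter_list(root, p)
    new = reach(new_root)
    post = set(new) == {x for x in old if p(x.data)}  # content = old ∩ pred(p)
    return invariant_holds(new_root) and post, [x.data for x in new]
```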

Verification of Safety Properties (figure: state space with reachable states, error states, and a safe invariant separating the two).

Software Model Checking. Existing tools: SLAM, BLAST, ARMC, MAGIC, ... Abstraction by predicates such as P1 ≡ x ≤ 0, P2 ≡ y > 0, ...; abstract states are conjunctions P1 ∧ P2 ∧ ... (figure: reachable states and error states in the state space). Generic approach; offers a high degree of automation (through the use of automated reasoning techniques).

The Eternal Quest for the Right Precision/Efficiency Tradeoff (figure: reachable states and error states under a coarse and under a precise abstraction). Crucial problem in the verification of heap programs.

Goal: Adapted Abstraction. Fine-tune precision to the specific verification task (figure: error states, reachable states).

Boolean Heaps [Podelski, Wies SAS'05]. Use the idea of [Sagiv, Reps, Wilhelm 2002]: partition the heap according to a finite set of predicates.

Boolean Heaps (continued). Use the idea of [Sagiv, Reps, Wilhelm 2002]: partition the heap according to a finite set of predicates. Abstract state: a partition of the heap by predicate valuations (figure). Abstract domain: disjunctions of abstract states.

Most Precise Abstract Transformer (figure: abstract transformer for the loop).

Most Precise Abstract Transformer (figure: the abstract transformer for the loop yields an inductive invariant for the loop). Verification succeeds!

Precision-Efficiency Tradeoff (figure: reachable states, error states). The number of abstract states is doubly-exponential in the number of predicates. The most precise abstract transformer is impractical: expensive to construct, and it keeps track of irrelevant information. Solution: apply additional abstraction.

Cartesian Abstraction [Cousot, Cousot PPCA'95], [Ball, Podelski, Rajamani TACAS'01], ... for abstracting sets of vectors: a set S of vectors over coordinates x and y is abstracted to the product S_x × S_y of its projections S_x and S_y (figure).

Cartesian Abstraction. Abstract states are sets of bit-vectors (figure: Cartesian abstraction applied to an abstract state). The abstract transformer with Cartesian abstraction is efficiently implementable:
– check entailments between quantifier-free formulas
– the number of entailment checks is polynomial in the number of predicates
Precise enough for many practical examples, but not precise enough for many other practical examples.

Abstract Transformer with Cartesian Abstraction (figure: inductive invariant for the first example, verification succeeds!; inductive invariant for the second example, verification fails!).

Focus. Common recipe in shape analysis:
– start from a coarse but efficient abstract transformer
– adapt precision to each individual program statement and each individual data structure (partial concretization / materialization / focus)
Problem: fine-tuning precision uniformly makes the analysis again too precise (i.e., often inefficient).
Exciting research direction: parameterized focus that adapts the abstract transformer to the individual verification tasks, e.g. [Manevich et al., 2004, 2007, 2009].

Counterexample-Guided Focus. Idea: take this direction to its logical extreme and fine-tune focus to the individual steps of the analysis of the individual verification task. This fine-tuning must be automated. We use counterexamples for this purpose.

Loss of Precision under Cartesian Abstraction (figure: S ⊆ S_x × S_y, a set S of vectors and the product of its projections). Splitting is guided by counterexamples.
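An added example, not from the slides: a Python model of Cartesian abstraction on sets of bit-vectors (the abstract states of the earlier slide) and of counterexample-guided splitting. A vector that the abstraction admits but the concrete set does not stands in for a spurious counterexample; cartesian, concretize, spurious, split and refine are my own names, and splitting concrete parts by one coordinate is a simplified stand-in for splitting the disjuncts of the abstract transformer's pre-image.

```python
# Added example (not the slides' code): Cartesian abstraction of a set of
# bit-vectors, and counterexample-guided splitting that recovers precision.
from itertools import product

def cartesian(S):
    """alpha(S): per-coordinate projections S_1, ..., S_n (their product is the cube)."""
    n = len(next(iter(S)))
    return [{v[i] for v in S} for i in range(n)]

def concretize(cube):
    """gamma(cube): every vector whose i-th bit lies in cube[i]."""
    return set(product(*cube))

def spurious(parts, S):
    """A vector admitted by the cube of some part but absent from S,
    i.e. a spurious counterexample; None if the abstraction is exact."""
    for part in parts:
        for v in sorted(concretize(cartesian(part))):
            if v not in S:
                return v
    return None

def split(part, i):
    """Focus on coordinate i: split a concrete part by the i-th bit."""
    return [{v for v in part if v[i] == b} for b in (0, 1)]

def refine(S):
    """Start from the single cube alpha(S); while a spurious vector v exists,
    split the part whose cube admits v on a coordinate where that part varies.
    Each split shrinks both halves, so this terminates with a disjunction of
    cubes whose union is exactly S. Returns (parts, number of splits)."""
    parts, splits = [set(S)], 0
    while (v := spurious(parts, S)) is not None:
        for k, part in enumerate(parts):
            if v in concretize(cartesian(part)):
                i = next(i for i, s in enumerate(cartesian(part)) if len(s) == 2)
                parts[k:k + 1] = split(part, i)   # both halves are non-empty
                splits += 1
                break
    return parts, splits
```

With S = {(0,1), (1,0)} the single cube admits all four vectors; one split on the first coordinate yields two exact cubes.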

Effect of Counterexample-Guided Focus (figure: inductive invariants for the two examples from the Cartesian abstraction slide, labelled "verification succeeds!" and "verification fails!").

Nested Lazy CEGAR Loop. The outer loop refines the abstract domain by inferring new predicates; the inner loop fine-tunes the abstract transformer using counterexample-guided focus. Progress theorem: every spurious counterexample is eventually eliminated.

Implementation in the Tool Bohne. Verified data structure implementations: (doubly-linked) lists, lists with iterators, sorted lists, skip lists, search trees, trees with parent pointers, threaded trees (figure).

Implementation in the Tool Bohne. Verified properties: absence of runtime errors; shape invariants (acyclic, sharing-free, doubly-linked, parent-linked, threaded, sorted, ...); partial correctness (figure).
Summary of experiments:
– no manual adaptation of the abstract domain / abstract transformer required
– many examples fail without counterexample-guided focus
– the number of explored abstract states is drastically reduced

Further Related Work.
Shape analysis:
– three-valued shape analysis [Sagiv, Reps, Wilhelm 2002]
– decision procedures in TVLA [Yorsh et al. 2004, ..., Lev-Ami et al. 2006]
– parameterized focus for concurrent programs [Manevich et al., 2004, 2007, 2009]
– ...
Predicate abstraction:
– CE-guided refinement of abstract transformers [Das, Dill 2002]
– nested refinement for predicate abstraction [Ball et al. 2004]
– indexed predicate abstraction [Lahiri, Bryant 2004]
– lazy abstraction [Henzinger et al. 2002]
– lazy shape analysis [Beyer et al. 2006]
Interpolants:
– quantified Craig interpolants [McMillan 2008, Kovács, Voronkov 2009]
– abstractions from proofs [Henzinger et al. 2004]
Template-based techniques [Gulwani et al. 2008, Srivastava, Gulwani 2009].

Conclusion. Focus can be made effective in a CEGAR setting:
– CEGAR lazily applies focus
– CEGAR drives the fine-tuning of focus to the extreme
CEGAR can be made effective for inferring quantified invariants because
– focus provides progress of CEGAR, and
– focus provides the precision needed for verifying practical examples.
Focus and CEGAR can be fruitfully integrated to enhance one another.

Counterexample-Guided Focus. The analysis of the abstract program produces spurious counterexamples; spuriousness results from the imprecise abstract transformer. Construct a fine-tuned focus operator that locally adapts the precision of the abstract transformer:
– locally refine the abstract domain of the pre-image of the abstract transformer
– locally refine the pre-image itself by splitting disjuncts below and above the universal quantifier
– both refinements are guided by the spurious counterexample

Costs and Gains of Automation. Comparison between TVLA and Bohne for various list-manipulating programs. Checked properties: absence of runtime errors; preservation of list structure (acyclicity, sharing freeness).