Predicate Abstraction for Software and Hardware Verification Himanshu Jain Model checking seminar April 22, 2005.

Slides:



Advertisements
Similar presentations
A practical and complete approach to predicate abstraction Ranjit Jhala UCSD Ken McMillan Cadence Berkeley Labs.
Advertisements

Demand-driven inference of loop invariants in a theorem prover
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Abstraction in Model Checking Nishant Sinha. Model Checking Given a: –Finite transition system M –A temporal property p The model checking problem: –Does.
The Dafny program verifier
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
SAT Based Abstraction/Refinement in Model-Checking Based on work by E. Clarke, A. Gupta, J. Kukula, O. Strichman (CAV’02)
Verification of Evolving Software Natasha Sharygina Joint work with Sagar Chaki and Nishant Sinha Carnegie Mellon University.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Lecture #21 Software Model Checking: predicate abstraction Thomas Ball Testing, Verification and Measurement Microsoft Research.
Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
1 Thorough Static Analysis of Device Drivers Byron Cook – Microsoft Research Joint work with: Tom Ball, Vladimir Levin, Jakob Lichtenberg,
1 Software Verification Computer Science Club, Steklov Math Institute Lecture 1 Natasha Sharygina The University of Lugano, Carnegie Mellon University.
Automatic Predicate Abstraction of C-Programs T. Ball, R. Majumdar T. Millstein, S. Rajamani.
Thomas Ball, Rupak Majumdar, Todd Millstein, Sriram K. Rajamani Presented by Yifan Li November 22nd In PLDI 01: Programming Language.
Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer.
Demonstration Of SPIN By Mitra Purandare
The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.
Software Verification via Refinement Checking Sagar Chaki, Edmund Clarke, Alex Groce, CMU Somesh Jha, Wisconsin.
Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar Shaz Qadeer.
Termination Proofs for Systems Code Andrey Rybalchenko, EPFL/MPI joint work with Byron Cook, MSR and Andreas Podelski, MPI PLDI’2006, Ottawa.
Using Statically Computed Invariants Inside the Predicate Abstraction and Refinement Loop Himanshu Jain Franjo Ivančić Aarti Gupta Ilya Shlyakhter Chao.
Lazy Abstraction Thomas A. Henzinger Ranjit Jhala Rupak Majumdar Grégoire Sutre UC Berkeley.
Interpolants [Craig 1957] G(y,z) F(x,y)
Counterexample-Guided Focus TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAA A A A AA A A Thomas Wies Institute of.
Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar [UC Berkeley] Shaz Qadeer [Microsoft Research]
Synergy: A New Algorithm for Property Checking
1 Predicate Abstraction of ANSI-C Programs using SAT Edmund Clarke Daniel Kroening Natalia Sharygina Karen Yorav (modified by Zaher Andraus for presentation.
Counter Example Guided Refinement CEGAR Mooly Sagiv.
CS 267: Automated Verification Lectures 14: Predicate Abstraction, Counter- Example Guided Abstraction Refinement, Abstract Interpretation Instructor:
Automatically Validating Temporal Safety Properties of Interfaces Thomas Ball and Sriram K. Rajamani Software Productivity Tools, Microsoft Research Presented.
Temporal-Safety Proofs for Systems Code Thomas A. Henzinger Ranjit Jhala Rupak Majumdar George Necula Westley Weimer Grégoire Sutre UC Berkeley.
Computing Over­Approximations with Bounded Model Checking Daniel Kroening ETH Zürich.
Word Level Predicate Abstraction and Refinement for Verifying RTL Verilog Himanshu Jain Daniel Kroening Natasha Sharygina Edmund Clarke Carnegie Mellon.
Formal Verification of SpecC Programs using Predicate Abstraction Himanshu Jain Daniel Kroening Edmund Clarke Carnegie Mellon University.
Model Checking for Embedded Systems Edmund Clarke, CMU High-Confidence Embedded Systems Workshop, May 1 st.
272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 4: SMT-based Bounded Model Checking of Concurrent Software.
Thread-modular Abstraction Refinement Thomas A. Henzinger, et al. CAV 2003 Seonggun Kim KAIST CS750b.
CSC2108 Lazy Abstraction on Software Model Checking Wai Sum Mong.
Grand Challenge Problem: Model Check Concurrent Software Edmund M. Clarke Department of Computer Science Carnegie Mellon University.
50.530: Software Engineering
Verifying Concurrent Message- Passing C Programs with Recursive Calls Sagar Chaki, Edmund Clarke, Nicholas Kidd, Thomas Reps, and Tayssir Touili.
272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 3: Modular Verification with Magic, Predicate Abstraction.
Aditya V. Nori, Sriram K. Rajamani Microsoft Research India.
Race Checking by Context Inference Tom Henzinger Ranjit Jhala Rupak Majumdar UC Berkeley.
Lazy Abstraction Jinseong Jeon ARCS, KAIST CS750b, KAIST2/26 References Lazy Abstraction –Thomas A. Henzinger et al., POPL ’02 Software verification.
1 Abstractions and Decision Procedures for Effective Software Model Checking Microsoft Summer School, Moscow, July 2011 Lecture 1 Prof. Natasha Sharygina.
1 Predicate Abstraction and Refinement for Verifying Hardware Designs Himanshu Jain Joint work with Daniel Kroening, Natasha Sharygina, Edmund M. Clarke.
1 Model Checking of Robotic Control Systems Presenting: Sebastian Scherer Authors: Sebastian Scherer, Flavio Lerda, and Edmund M. Clarke.
Localization and Register Sharing for Predicate Abstraction Himanshu Jain Franjo Ivančić Aarti Gupta Malay Ganai.
Model Checking C Programs Zijiang (James) Yang Department of Computer Science Western Michigan University In collaboration with NEC Laboratories America.
11 Counter-Example Based Predicate Discovery in Predicate Abstraction Satyaki Das and David L. Dill Computer Systems Lab Stanford University
Synergy: A New Algorithm for Property Checking Bhargav S. Gulavani (IIT Bombay)‏ Yamini Kannan (Microsoft Research India)‏ Thomas A. Henzinger (EPFL)‏
Counter Example Guided Refinement CEGAR Mooly Sagiv.
Boolean Programs: A Model and Process For Software Analysis By Thomas Ball and Sriram K. Rajamani Microsoft technical paper MSR-TR Presented by.
Compositional Verification for System-on-Chip Designs SRC Student Symposium Paper 16.5 Nishant Sinha Edmund Clarke Carnegie Mellon University.
Verifying Component Substitutability Nishant Sinha Sagar Chaki Edmund Clarke Natasha Sharygina Carnegie Mellon University.
#1 Having a BLAST with SLAM. #2 Software Model Checking via Counter-Example Guided Abstraction Refinement Topic: Software Model Checking via Counter-Example.
© Anvesh Komuravelli Spacer Model Checking with Proofs and Counterexamples Anvesh Komuravelli Carnegie Mellon University Joint work with Arie Gurfinkel,
The software model checker BLAST Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar Presented by Yunho Kim TexPoint fonts used in EMF. Read.
Presentation Title 2/4/2018 Software Verification using Predicate Abstraction and Iterative Refinement: Part Bug Catching: Automated Program Verification.
Property Directed Reachability with Word-Level Abstraction
Over-Approximating Boolean Programs with Unbounded Thread Creation
Abstractions from Proofs
Abstraction, Verification & Refinement
Synchronization Verification in System-Level Design with ILP Solvers
Predicate Abstraction
Course: CS60030 Formal Systems
BLAST: A Software Verification Tool for C programs
Presentation transcript:

Predicate Abstraction for Software and Hardware Verification Himanshu Jain Model checking seminar April 22, 2005

Introduction Scalable software verification Properties  Array bounds check, division by zero  Pointer safety  Assertion checking  Lock and unlocking Focus on partial specifications

Predicate Abstraction Extract a finite state model from an infinite state system Used to prove assertions or safety properties Successfully applied for verification of C programs  SLAM (used in windows device driver verification)  MAGIC, BLAST, F-Soft

Example for Predicate Abstraction int main() { int i; i=0; while(even(i)) i++; } + p 1  i=0 p 2  even(i) = void main() { bool p1, p2; p1=TRUE; p2=TRUE; while(p2) { p1=p1?FALSE:nondet(); p2=!p2; } } PredicatesC programBoolean program [Ball, Rajamani ’01] [Graf, Saidi ’97]

Computing Predicate Abstraction How to get predicates for checking a given property? How do we compute the abstraction? Predicate Abstraction is an over-approximation  How to refine coarse abstractions

Counterexample Guided Abstraction Refinement loop C Program Abstract model Model Checker Abstraction refinement Verification Initial Abstraction No error or bug found Simulator Property holds Simulation sucessful Bug found Refinement Spurious counterexample

Abstraction 1 : x = ctr; 2 : y = ctr + 1; 3 : if (x = i-1){ 4 : if (y != i){ ERROR: } 1 : skip; 2 : skip; 3 : if (*){ 4 : if (*){ ERROR: } Abstract C programNo predicates available currently

Checking the abstract model 1 : skip; 2 : skip; 3 : if (*){ 4 : if (*){ ERROR: } Abstract model has a path leading to error state Is ERROR reachable? yes

Simulation 1 : x = ctr; 2 : y = ctr + 1; 3 : assume(x == i-1) 4 : assume (y != i) 1 : skip; 2 : skip; 3 : if (*){ 4 : if (*){ ERROR: } Does this correspond to a real bug? Not possible Concrete trace Check using a SAT solver

Refinement 1 : x = ctr; 2 : y = ctr + 1; 3 : assume(x == i-1) 4 : assume (y != i) 1 : skip; 2 : skip; 3 : if (*){ 4 : if (*){ ERROR: } Spurious Counterexample Initial abstraction

Refinement 1 : x = ctr; 2 : y = ctr + 1; 3 : assume(x == i-1) 4 : assume (y != i) 1 : skip; 2 : skip; 3 : if (*){ 4 : if (b0){ ERROR: } boolean b0 : y != i

Refinement 1 : x = ctr; 2 : y = ctr + 1; 3 : assume(x == i-1) 4 : assume (y != i) 1 : skip; 2 : skip; 3 : if (b1){ 4 : if (b0){ ERROR: } boolean b0 : y != i boolean b1 : x== i-1

Refinement 1 : x = ctr; 2 : y = ctr + 1; 3 : assume(x == i-1) 4 : assume (y != i) 1 : skip; 2 : b0 = b2; 3 : if (b1){ 4 : if (b0){ ERROR: } } boolean b0 : y != i boolean b1 : x== i-1 boolean b2 : ctr + 1 ! = i Weakest precondition of y != i

Refinement 1 : x = ctr; 2 : y = ctr + 1; 3 : assume(x == i-1) 4 : assume (y != i) 1 : b1 = b3; 2 : b0 = b2; 3 : if (b1){ 4 : if (b0){ ERROR: } boolean b0 : y != i boolean b1 : x== i-1 boolean b2 : ctr + 1 ! = i boolean b3: ctr == i -1

Refinement 1 : b1 = b3; 2 : b0 = b2; 3 : if (b1){ 4 : if (b0){ ERROR: } boolean b0 : y != i boolean b1 : x== i-1 boolean b2 : ctr + 1 ! = i boolean b3: ctr == i -1 b2 and b3 are mutually exclusive. b2 =1, b3 = 0 b2 =0, b3 = 1 What about initial values of b2 and b3? So system is safe!

Tools for Predicate Abstraction of C SLAM at Microsoft  Used for verifying correct sequencing of function calls in windows device drivers MAGIC at CMU  Allows verification of concurrent C programs  Found bugs in MicroC OS BLAST at Berkeley  Lazy abstraction, interpolation SATABS at CMU  Computes predicate abstraction using SAT  Can handle pointer arithmetic, bit-vectors F-Soft at NEC Labs  Localization, register sharing

Applications of Predicate Abstraction in Hardware Verification

System on chip design Increase in complexity Gate level (netlists) Structural Behavioral/RTL ………… Level Number of components 10E7 10E5 10E3 10E0 Abstraction System Level

Introduction Emergence of system design languages HardwareC, SpecC, Handel-C, and SystemC Based on C / C++ Allows joint modeling of both hardware and software components of a system Support for bit vectors, concurrency, synchronization, exception handling, timing

Verification support Most model-checkers used in hardware industry work at netlist level Higher abstraction levels offered by languages like SpecC or RTL Verilog are not yet supported Languages like SpecC are more closer to concurrent software Verification tools must reason about:  Programming languages constructs  Concurrency  Pointers, Objects  Bit vector operations like concatenation, extraction

Why predicate abstraction Many properties depend on relationship between registers, and not the values stored in them Predicate Abstraction  Keeps tracks of certain predicates on data  Successfully used in software verification Can handle larger designs

Abstraction-Refinement loop Verilog Program Abstract model Model Checker Abstraction refinement Verification Initial Abstraction No error or bug found Simulator Property holds Simulation sucessful Bug found Refinement Spurious counterexample

An example module main (clk) input clk; reg [10:0] x, y; initial x= 100, y= 200; (posedge clk) begin x <= y; y <= x; end endmodule Property: AG (x = 100 or x = 200) Verilog program

Abstraction-Refinement loop Verilog Program Abstract model Model Checker Abstraction refinement Verification Initial Abstraction No error or bug found Simulator Property holds Simulation sucessful Bug found Refinement Spurious counterexample

Predicate Abstraction module main (clk) input clk; reg [10:0] x, y; initial x= 100, y= 200; (posedge clk) begin x <= y; y <= x; end endmodule Property: AG (x = 100 or x = 200) Initial set of predicates: {x = 100, x = 200} Verilog program Word level predicates

Computing Most Precise Abstraction + x’ = y y’ = x + Current state Next state Equation passed to the SAT solver Transition Relation Computing abstract transitions

Obtain transitions Computing abstract transitions … and so on …

Abstract Model module main (clk) input clk; reg [10:0] x, y; initial x= 100, y= 200; (posedge clk) begin x <= y; y <= x; end endmodule Property: AG (x = 100 or x = 200) Initial set of predicates: {x = 100, x = 200} Verilog program Initial state Failure state

Abstraction-Refinement loop Verilog Program Abstract model Model Checker Abstraction refinement Verification Initial Abstraction No error or bug found Simulator Property holds Simulation sucessful Bug found Refinement Spurious counterexample

Model checking module main (clk) input clk; reg [10:0] x, y; initial x= 100, y= 200; (posedge clk) begin x <= y; y <= x; end endmodule Verilog program Failure state Initial state Abstract Model

Model checking module main (clk) input clk; reg [10:0] x, y; initial x= 100, y= 200; (posedge clk) begin x <= y; y <= x; end endmodule Verilog program Failure state Initial state Abstract Model Counterexample

Abstraction-Refinement loop Verilog Program Abstract model Model Checker Abstraction refinement Verification Initial Abstraction No error or bug found Simulator Property holds Simulation sucessful Bug found Refinement Spurious counterexample

u Counterexample in the abstract model s  (length = 1)  Each state is a valuation of h x = 100, x=200 i Simulation equation Simulation of the counterexample Initial values of the registers predicate values in the first state of the counterexample Transition relation predicate values in the second state of the counterexample equation is unsatisfiable So counterexample is spurious

Abstraction-Refinement loop Verilog Program Abstract model Model Checker Abstraction refinement Verification Initial Abstraction No error or bug found Simulator Property holds Simulation sucessful Bug found Refinement Spurious counterexample

Refinement u Let length of spurious counterexample be k u Take weakest pre-condition of property for k steps with respect to transition functions u Pick atomic predicates from weakest precondition

Refinement (x’ = 100 Ç x’ = 200) Holds after one step x’ = y y’ = x (y = 100 Ç y = 200) weakest precondition x’ = y y’ = x AG (x = 100 Ç x = 200) + Transition functions Property length =1 + spurious counterexample New predicates y = 100, y = 200

Abstract again module main (clk) input clk; reg [10:0] x, y; initial x= 100, y= 200; (posedge clk) begin x <= y; y <= x; end endmodule Property: AG (x = 100 or x = 200) Updated set of predicates: {x = 100, x = 200, y=100, y=200} Verilog program Initial state Model check New abstraction

Model checking module main (clk) input clk; reg [10:0] x, y; initial x= 100, y= 200; (posedge clk) begin x <= y; y <= x; end endmodule Property: AG (x = 100 or x = 200) Updated set of predicates: {x = 100, x = 200, y=100, y=200} Verilog program Initial state Property holds! New abstraction

Result module main (clk) input clk; reg [10:0] x, y; initial x= 100, y= 200; (posedge clk) begin x <= y; y <= x; end endmodule Property: AG (x = 100 or x = 200) Verilog program Property holds!

Experimental results (VIS benchmarks) Benchmark Lines of code #Latches#Variables Veracity Time #Predicates#Iteration cachecoherence s259 mpeg decoder s93 mpeg decoder s94 SDLX s4330 Miim s * 0.57s *42 PI-Bus s * 101 * Using lazy abstraction All use predicate partitioning

Bigger benchmarks Benchmark#Latches Veracity time Cadence SMV time ICU281.3s0.1s ICRAM2KB s25s ICRAM4KB sterminates ARITH s182.4s ARITH s2147s ARITH stimeout ARITH stimeout

Tools u VCEGAR (Verilog Counterexample Guided Abstraction Refinement) at CMU s

Questions

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.