Predicate Abstraction for Software Verification Cormac Flanagan Shaz Qadeer Compaq Systems Research Center
POPL02 The Continuing Saga of Predicate Abstraction
Extended Static Checking Statically verify many correctness properties Type systems catch many errors –e.g. “Cannot multiply a number and a string” Would like to catch additional errors –e.g. “Array index out of bounds at line 10” And verify other correctness properties –assertions –object invariants –lightweight method specifications
Checking loops with ESC/Java loop_invariant i >= 0; loop_invariant 0 <= spot; loop_invariant spot <= MAXDIRENTRY; loop_invariant (\forall int j; 0 <= j && j < i && bdisk[addr].dirEntries[j].inum != DIRENTRY_UNUSED ==> bdisk[addr].dirEntries[j].name != name); loop_invariant (\forall int j; spot == MAXDIRENTRY && 0 bdisk[addr].dirEntries[j].inum != DIRENTRY_UNUSED); loop_invariant spot == MAXDIRENTRY || bdisk[addr].dirEntries[spot].inum == DIRENTRY_UNUSED; loop_invariant (\forall DirEntry t; t != de ==> t.name == \old(t.name)); loop_invariant (\forall DirEntry t; t != de ==> t.inum == \old(t.inum)); loop_invariant (\forall DirEntry t; t.inum == FS.DIRENTRY_UNUSED || (0 <= t.inum && t.inum < FS.IMAX)); */ for (i = 0; i < cwd.inode.length; i++) { GetDirEntry(de, addr, i); if (de.inum != DIRENTRY_UNUSED && de.name == name) { return ERROR; } if (de.inum == DIRENTRY_UNUSED && spot == MAXDIRENTRY) { spot = i; }
Loop invariants C; while e do B end Set of reachable states at loop head is a loop invariant! sp(C, p)p C
Concrete states I0I0 I1I1 I2I2 InIn... Abstract states J0J0 J1J1 J2J2 JnJn... (I k ) = J k I k = (J k ) Abstract interpretation Cousot-Cousot 77 Predicate abstraction Graf-Saidi 97
Computing loop invariants C; while e do X; Y; end { I0 = (sp(C, true)) } { J0 = ( (I0) e) } { K0 = (sp(X, (J0))) } { L0 = (sp(Y, (K0))) }
Computing loop invariants C; while e do X; Y; end { I1 = I0 L0 } { J1 = ( (I1) e) } { K1 = (sp(X, (J1))) } { L1 = (sp(Y, (K1))) }
requires a!=null && b!=null && a.length==b.length ensures \result==a.length || b[\result] */ int find(int[] a, boolean[] b) { int spot = a.length; for (int i=0; i < a.length; i++) { if (spot==a.length && a[i] != 0) spot = i; b[i] = (a[i] != 0); } return spot; } Predicate abstraction example Ten predicates: a != null b != null a.length == b.length spot == a.length b[spot] spot < i 0 <= i i < a.length spot = i a[i] != 0
Computing loop invariants C; while e do X; Y; end { I0 = (sp(C, true)) } { L0 = (sp(“X;Y”, (I0) e)) }
Computing loop invariants C; while e do X; Y; end { I1 = I0 L0 } { L1 = (sp(“X;Y”, (I1) e)) }
requires a!=null && b!=null && a.length==b.length ensures \result==a.length || b[\result] */ int find(int[] a, boolean[] b) { int spot = a.length; for (int i=0; i < a.length; i++) { if (spot==a.length && a[i] != 0) spot = i; b[i] = (a[i] != 0); } return spot; } Predicate abstraction example Seven predicates: a != null b != null a.length == b.length spot == a.length b[spot] spot < i 0 <= i i < a.length spot = i a[i] != 0
Computing loop invariants C; while e do X; Y; end { I0 = (sp(C, true)) } H = havoc variables modified in X;Y P0 = “C;H;assume (I0) e;X;Y” { L0 = (sp(P0, true)) }
Computing loop invariants C; while e do X; Y; end { I1 = I0 L0 } H = havoc variables modified in X;Y P1 = “C;H;assume (I1) e;X;Y” { L1 = (sp(P1, true)) }
requires a!=null && b!=null && a.length==b.length ensures \result==a.length || b[\result] */ int find(int[] a, boolean[] b) { int spot = a.length; for (int i=0; i < a.length; i++) { if (spot==a.length && a[i] != 0) spot = i; b[i] = (a[i] != 0); } return spot; } Predicate abstraction example Four predicates: a != null b != null a.length == b.length spot == a.length b[spot] spot < i 0 <= i i < a.length spot = i a[i] != 0
requires a!=null && b!=null && a.length==b.length ensures ( int j; 0<=j && j<\result ==> !b[j]) */ int find(int[] a, boolean[] b) { int spot = a.length; for (int i=0; i < a.length; i++) { if (spot==a.length && a[i] != 0) spot = i; b[i] = (a[i] != 0); } return spot; } Predicate abstraction example
( int j; 0 !b[j]) Invariant needed: First method: add predicate ( int j; 0 !b[j]) -quantified loop invariants Better method: add skolem constant int j add predicates 0<=j, j<i, j<spot, !b[j] infer 0 !b[j] Magic: int j; 0 !b[j])
Heuristics for guessing predicates for (int i = 0; i < a.length; i++) a[i] = null; Loop targets: i, a[*] First set of predicates: i = \old(i) skolem_constant int sc Second set of predicates: 0 <= sc, sc < i, a[sc] != null Inferred invariant: i >= 0 int sc; 0 <= sc sc < i a[sc] == null
Javafe front end to ESC/Java annotated with lightweight specifications 45KLOC, 2418 routines, 520 loops no inference warnings in 326 routines with inference warnings in 31 routines several failing routines had array bound violations –not caught with loop unrolling
Computing abstraction function Compute –I 0 = (sp(C, true)) –I n+1 = I n (sp(“C;H;assume (I n ) e;B”, true)) Problem: Given F compute (F) (F) = least boolean function G such that F (G) C; {I?}while e do B end
Abstract state space Predicates { a, b, c, d } They generate an abstract space of size 2 4 = 16 F a b a b a b abab cdcd c d c d cdcd State Space (F)
Naïve method (slow!) Is F a b c d satisfiable? No! Can compute (F) by asking 2 n such queries a b a b a b abab cdcd c d c d cdcd F (F) XXXX X X XX X XX
New method F a b c d ? No! a b a b a b abab cdcd c d c d cdcd F (F) XXXX X X XX X XX F a c d ? No! F c d ? No! Removed 1/4 of state space in 3 queries! = ( c d) ( a c) ( a b) ( c d)
Other methods Das-Dill-Park 99 (DDP) Saidi-Shankar 99 (SS)
Experiments
Experiments (Javafe)
Related work Inferring/computing loop invariants –German-Wegbreit 75 –Katz-Manna 76 –Suzuki-Ishihata 77 Predicate abstraction –Graf-Saidi 97 –Bensalem-Lakhnech-Owre 98, Colon-Uribe 98 –Saidi-Shankar 99, Das-Dill-Park 99 –Ball-Majumdar-Millstein-Rajamani 2001 –Henzinger-Jhala-Majumdar-Sutre 2002