SMT and Its Application in Software Verification Yu-Fang Chen IIS, Academia Sinica Based on the slides of Barrett, Sanjit, Kroening, Rummer, Sinha, Jhala,

Slides:



Advertisements
Similar presentations
Model Checking Lecture 4. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking.
Advertisements

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
1 First order theories (Chapter 1, Sections 1.4 – 1.5)
Introduction to Formal Methods for SW and HW Development 09: SAT Based Abstraction/Refinement in Model-Checking Roberto Sebastiani Based on work and slides.
Satisfiability Modulo Theories (An introduction)
SMT Solvers (an extension of SAT) Kenneth Roe. Slide thanks to C. Barrett & S. A. Seshia, ICCAD 2009 Tutorial 2 Boolean Satisfiability (SAT) ⋁ ⋀ ¬ ⋁ ⋀
SAT Based Abstraction/Refinement in Model-Checking Based on work by E. Clarke, A. Gupta, J. Kukula, O. Strichman (CAV’02)
An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.
50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.
UIUC CS 497: Section EA Lecture #2 Reasoning in Artificial Intelligence Professor: Eyal Amir Spring Semester 2004.
Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
Software Verification with BLAST Tom Henzinger Ranjit Jhala Rupak Majumdar.
Proofs and Counterexamples Rupak Majumdar. In the good old days… Decision Procedure  yes no.
BLAST-A Model Checker for C Developed by Thomas A. Henzinger (EPFL) Rupak Majumdar (UC Los Angeles) Ranjit Jhala (UC San Diego) Dirk Beyer (Simon Fraser.
SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:
The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.
1 Model Checking, Abstraction- Refinement, and Their Implementation Based on slides by: Orna Grumberg Presented by: Yael Meller June 2008.
Scalable Program Verification by Lazy Abstraction Ranjit Jhala U.C. Berkeley.
Nikolaj Bjørner Microsoft Research Lecture 3. DayTopicsLab 1Overview of SMT and applications. SAT solving, Z3 Encoding combinatorial problems with Z3.
Interpolants [Craig 1957] G(y,z) F(x,y)
Program Verification by Lazy Abstraction Ranjit Jhala UC San Diego Lecture 1 With: Tom Henzinger, Rupak Majumdar, Ken McMillan, Gregoire Sutre.
1 Satisfiability Modulo Theories Sinan Hanay. 2 Boolean Satisfiability (SAT) Is there an assignment to the p 1, p 2, …, p n variables such that  evaluates.
Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar [UC Berkeley] Shaz Qadeer [Microsoft Research]
1 Predicate Abstraction of ANSI-C Programs using SAT Edmund Clarke Daniel Kroening Natalia Sharygina Karen Yorav (modified by Zaher Andraus for presentation.
Some administrative stuff Class mailing list: –send to with the command “subscribe”
ESC Java. Static Analysis Spectrum Power Cost Type checking Data-flow analysis Model checking Program verification AutomatedManual ESC.
Software Verification with BLAST Tom Henzinger Ranjit Jhala Rupak Majumdar.
Review: forward E { P } { P && E } TF { P && ! E } { P 1 } { P 2 } { P 1 || P 2 } x = E { P } { \exists … }
Review: forward E { P } { P && E } TF { P && ! E } { P 1 } { P 2 } { P 1 || P 2 } x = E { P } { \exists … }
ECI 2007: Specification and Verification of Object- Oriented Programs Lecture 4.
1 A propositional world Ofer Strichman School of Computer Science, Carnegie Mellon University.
Monadic Predicate Logic is Decidable Boolos et al, Computability and Logic (textbook, 4 th Ed.)
CS 267: Automated Verification Lecture 13: Bounded Model Checking Instructor: Tevfik Bultan.
Lazy Abstraction Lecture 3 : Partial Analysis Ranjit Jhala UC San Diego With: Tom Henzinger, Rupak Majumdar, Ken McMillan, Gregoire Sutre.
Program Verification by Lazy Abstraction Ranjit Jhala UC San Diego Lecture 1 With: Tom Henzinger, Rupak Majumdar, Ken McMillan, Gregoire Sutre, Adam Chlipala.
Ofer Strichman, Technion Deciding Combined Theories.
1 First order theories. 2 Satisfiability The classic SAT problem: given a propositional formula , is  satisfiable ? Example:  Let x 1,x 2 be propositional.
272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 4: SMT-based Bounded Model Checking of Concurrent Software.
Deciding a Combination of Theories - Decision Procedure - Changki pswlab Combination of Theories Daniel Kroening, Ofer Strichman Presented by Changki.
Model Checking Lecture 4 Tom Henzinger. Model-Checking Problem I |= S System modelSystem property.
1 A Combination Method for Generating Interpolants Greta Yorsh Madan Musuvathi Tel Aviv University, Israel Microsoft Research, Redmond, US CAV’05.
SAT and SMT solvers Ayrat Khalimov (based on Georg Hofferek‘s slides) AKDV 2014.
Introduction to Satisfiability Modulo Theories
Lazy Abstraction Jinseong Jeon ARCS, KAIST CS750b, KAIST2/26 References Lazy Abstraction –Thomas A. Henzinger et al., POPL ’02 Software verification.
Lazy Annotation for Program Testing and Verification Speaker: Chen-Hsuan Adonis Lin Advisor: Jie-Hong Roland Jiang November 26,
Symbolic Execution with Abstract Subsumption Checking Saswat Anand College of Computing, Georgia Institute of Technology Corina Păsăreanu QSS, NASA Ames.
Symbolic and Concolic Execution of Programs Information Security, CS 526 Omar Chowdhury 10/7/2015Information Security, CS 5261.
© Copyright 2008 STI INNSBRUCK Intelligent Systems Propositional Logic.
1 First order theories (Chapter 1, Sections 1.4 – 1.5) From the slides for the book “Decision procedures” by D.Kroening and O.Strichman.
SMT and Its Application in Software Verification (Part II) Yu-Fang Chen IIS, Academia Sinica Based on the slides of Barrett, Sanjit, Kroening, Rummer,
Daniel Kroening and Ofer Strichman Decision Procedures An Algorithmic Point of View Deciding Combined Theories.
CS357 Lecture 13: Symbolic model checking without BDDs Alex Aiken David Dill 1.
Daniel Kroening and Ofer Strichman 1 Decision Procedures An Algorithmic Point of View Basic Concepts and Background.
Knowledge Repn. & Reasoning Lecture #9: Propositional Logic UIUC CS 498: Section EA Professor: Eyal Amir Fall Semester 2005.
Daniel Kroening and Ofer Strichman 1 Decision Procedures in First Order Logic Decision Procedures for Equality Logic.
#1 Having a BLAST with SLAM. #2 Software Model Checking via Counter-Example Guided Abstraction Refinement Topic: Software Model Checking via Counter-Example.
Satisfiability Modulo Theories and DPLL(T) Andrew Reynolds March 18, 2015.
The software model checker BLAST Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar Presented by Yunho Kim TexPoint fonts used in EMF. Read.
Having a BLAST with SLAM
Introduction to Software Verification
Satisfiability Modulo Theories
CSCI1600: Embedded and Real Time Software
Computer Security: Art and Science, 2nd Edition
CSCI1600: Embedded and Real Time Software
Program Verification by Lazy Abstraction
Abstraction, Verification & Refinement
Software Verification with BLAST
Predicate Abstraction
SAT Based Abstraction/Refinement in Model-Checking
Presentation transcript:

SMT and Its Application in Software Verification Yu-Fang Chen IIS, Academia Sinica Based on the slides of Barrett, Sanjit, Kroening, Rummer, Sinha, Jhala, and Majumdar

Assertion in C int main(){ int x; scanf("%d", &x); assert(x > 10); } Useful tool for debugging. Can be used to describe pre- and post-conditions of a function. A program terminates immediately, if it reaches a violated assertion. 2

Assertion in C int main(){ int x; scanf("%d", &x); while(x<10){ x++; } assert(x > 0); } Will this assertion be violated? No 3

Assertion in C int main(){ int x; scanf("%d", &x); while(x<10){ x--; } assert(x > 0); } Will this assertion be violated? No, but it may not terminate for some cases. 4

Assertion in C int main(){ int x; scanf("%d", &x); while(x< ){ x--; } assert(x > ); } Will this assertion be violated? It is correct for most of the cases, however… Difficult to be found by brute-force testing. 5

Assertion in C One more example: void A(bool h, bool g){ h := !g; g=B(g,h); assert(g); } void B(bool a1,bool a2){ if (a1) return B(a2,a1); else return a2; } 6

Reachabilaty Problem The Problem We are Going to Solve Given a program with assertion, we want to automatically detect if the assertion may be violated. Predicate Abstraction Model Checking Craig Interpolant Control Flow Automata Theory of Linear Arithmetic over Integer Theory of Uninterpreted Functions Logic Satisfiability Modulo Theories (SMT) 7

Part I: Logic and Program Verification 8

9 First-Order Logic: A Quick Review – Logical Symbols Propositional connectives: Ç, Æ, :, !, $ Variables: v1, v2,... Quantifiers: 8, 9 – Non-logical Symbols Functions: +, -, *, suc, … Predicates: ·, =, … Constant symbols: 0, 1, null, … – Example 3*v2 + 5* v1 · 54

Why This is Relevant to Software Verification? For example: Given an integer program without loop and function call. The assertion checking problem can be reduced to satisfibility problem of a trace formula * int main(){ int x; scanf("%d", &x); if(x<10) x= x -1; assert(x != 9); } (x 0 <10 Æ x 1 = x 0 -1 Æ x 1 =9) Æ (x 0 ¸ 10 Æ x 0 =9) The assertion may be violated iff The first order formula is satisfible Note *: a FOL formula under theory of linear integer arithmetic. 10

11 First order logic Theories A first order theory consists of – Variables – Logical symbols: Æ Ç : 8 9 `(’ `)’ – Non-logical Symbols (signature)  : Constants, predicate and function symbols – The meanings of the non-logical symbols.

12 Examples  = {0,1, ‘+’, ‘=’} – ‘0’,’1’ are constant symbols – ‘+’ is a binary function symbol – ‘=’ is a binary predicate symbol An example of a  -formula: 9 x. x + 0 = 1 Is  valid? It depends on the meanings of the non-logical symbols

13 Structures The most common way of specifying the meaning of symbols is to specify a structure Recall that  = 9 x. x + 0 = 1 Consider the structure S: – Domain: N 0 – Interpretation of the non-logical symbols : ‘0’ and ‘1’ are mapped to 0 and 1 in N 0 ‘=’  = (equality) ‘+’  * (multiplication) Now, is  true in S ?

14 Short Summary A theory defines – the signature  (the set of non-logical symbols) and – the interpretations that we can give them.

15 Theories through axioms The number of sentences that are necessary for defining a theory may be large or infinite. Instead, it is common to define a theory through a set of axioms. The theory is defined by these axioms and everything that can be inferred from them by a sound inference system.

16 Example 1 Let  = {‘=’} – An example  -formula is ((x = y) Æ : (y = z)) ! : (x = z) We would now like to define a  -theory T that will limit the interpretation of ‘=‘ to equality. We will do so with the equality axioms: – 8 x. x = x(reflexivity) – 8 x,y. x = y ! y = x (symmetry) – 8 x,y,z. x = y Æ y = z ! x = z (transitivity) Every assignment that satisfies these axioms also satisfies  above. Hence  is T-valid.

17 Example 2 Let  = {‘<’} Consider the  -formula Á : 8 x 9 y. y < x Consider the theory T: – 8 x,y,z. x < y Æ y < z → x < z(transitivity) – 8 x,y. x < y → : (y < x)(anti-symmetry)

18 Quantifier-free Subset In Software Verification, we will largely restrict ourselves to formulas without quantifiers ( 8, 9 )—mainly for efficiency reason. This is called the quantifier-free fragment of first-order logic.

19 Some Useful Theories in Software Verification Equality (with uninterpreted functions) Linear arithmetic (over Q or Z ) – Peano Arithmetic, Presburgh Arithmetic Difference logic (over Q or Z ) Finite-precision bit-vectors – integer or floating-point Arrays Misc.: strings, lists, sets, …

20 Theory of Equality and Uninterpreted Functions (EUF) Signature: – Constants and Function symbols: f, g, etc. In principle, all possible symbols but “=” and those used for variables. – Predicates symbol: “=” equality axioms: – 8 x. x = x(reflexivity) – 8 x,y. x = y ! y = x (symmetry) – 8 x,y,z. x = y Æ y = z ! x = z (transitivity) In addition, we need congruence: the function symbols map identical arguments to identical values, i.e., x = y ) f(x) = f(y)

21 Example EUF Formula (x = y) Æ (y = z) Æ (f(x)  f(z)) Transitivity: (x = y) Æ (y = z) ) (x = z) Congruence: (x = z) ) (f(x) = f(z))

22 Equivalence Checking of Program Fragments int fun1(int y) { int x, z; z = y; y = x; x = z; return sq(x); } int fun2(int y) { return sq(y); } formula  is satisfiable iff the programs are non-equivalent z0= y0 Æ y1 = x0 Æ x1 = z0 Æ ret1 = sq(x1) Æ ret2 = sq(y0) Æ ret1  ret2

23 A Small Practice: int f(int y) { int x, z; x = myFunc(y); x = myFunc(x); z = myFunc(myFunc(y)); assert (x==z); } Write a formula  such that formula  is satisfible ↔ the assertion can be violated x0=myFunc(y0) /\ x1=myFunc(x0) /\ z0 = myFunc(myFunc(y0)) /\ x1!=z0 Solution:

24 First Order Peano Arithmetic  = {0,1,‘+’, ‘*’, ‘=’} Domain: Natural numbers Axioms (“semantics”): 1. 8 x : (0  x + 1) 2. 8 x : 8 y : (x  y) ! (x + 1  y + 1) 3.Induction 4. 8 x : x + 0 = x 5. 8 x : 8 y : (x + y) + 1 = x + (y + 1) 6. 8 x : x * 0 = x 8 y : x * (y + 1) = x * y + x + * Undecidable! These axioms define the semantics of ‘+’ constant function predicate Validity is

25 First Order Presburger Arithmetic  = {0,1,‘+’, ‘*’, ‘=’} Domain: Natural numbers Axioms (“semantics”): 1. 8 x : (0  x + 1) 2. 8 x : 8 y : (x  y) ! (x + 1  y + 1) 3.Induction 4. 8 x : x + 0 = x 5. 8 x : 8 y : (x + y) + 1 = x + (y + 1) 6. 8 x : x * 0 = x 8 y : x * (y + 1) = x * y + x + * decidable! These axioms define the semantics of ‘+’ Note that 3*v2 + 5* v1 · 54 is a Presburger Formula constant function predicate Validity is

Examples in Software Verification Array Bound Checking: void f() { int x[10]; x[0]=1; for(int i=1; i<11; i++){ assert(0<i<10); x[i]=x[i-1]+5; …… } i0=1 Æ i1=2 Æ i2=3 Æ i3=4 Æ... Æ i8=9 Æ 0<i0<10 Æ 0<i1<10 Æ... Æ 0<i8<10 is satisfible iff the assertion may be violated 26

Theory of Arrays Two interpreted functions: select and store – select(A,i) Read from array A at index i – store(A,i,d) Write d to array A at index i Two main axioms: – select( store(A,i,d), i ) = d – select( store(A,i,d), j ) = select(A,j) for i  j Extentionality axiom: – 8 i. select(A,i) = select(B,i)  (A = B) 27

28 Combining Theories Satisfiability Modulo Theories (SMT) problem is a decision problem for logical formulae with respect to combinations of different first order theories. For example: Uninterpreted Function + Linear Integer Arithmetic How to Combine Theory Solvers ? A Classical Algorithm: The Nelson-Oppen Method. Google “Nelson-Oppen” and you can get tons of slides explaining it. 1 ≤ x ∧ x ≤ 2 ∧ f(x) ≠ f(1) ∧ f(x) ≠ f(2) Linear Integer Arithmetic (LIA)Uninterpreted Functions(UF) In this lecture, we will not talk about the algorithm for solving SMT problem. Instead,we will show you tools (SMT solvers) that does the job.

What you have learned so far? Assertions in C First Order Theories related to Verification – Equality and Uninterpreted Functions f(a,b)=a  f(f(a, b), b)=a – Linear Integer Arithmetic x+5>y-7 Æ 3y 0 – Arrays i>j  select(A, i) > select(A, j) [array A is sorted] The SMT Problem 29

Tools: Theorem Provers of FOL An example: Princess (by Philipp Rummer): – (JRE is required) Automatically check validity of a FOL formula modulo linear integer arithmetic. (x 0 <10 Æ x 1 = x 0 -1 Æ x 1 =9) Ç (x 0 ¸ 10 Æ x 0 =9) Princess Input: Note: f is unsatisfible iff !f is valid 30

Tools: Theorem Provers of FOL An example: Princess (by Philipp Rummer): – (JRE is required) 31 Download the binary tarball from the web-site Install JRE 1.5 or above Run Princess: set BASE=. set CLASSPATH=%CLASSPATH%;%BASE%\dist\princess-all.jar java ap.DialogMain

About Princess Theorem prover (SMT solver) for first-order logic + linear integer arithmetic Supported features: Uninterpreted predicates, functions, quantifiers Theory of arrays (using functions + axioms) Craig interpolation 32

Declaration of functions/constants \functions { /* Declare constants and functions occurring in the problem * The keyword "\partial" can be used to define functions without totality axiom, * "\relational" can be used to define "functions" w/o functionality axiom. */ int x, y, z, ar; \partial int select(int, int); \partial int store(int, int, int); int f(int); } [...] Constant Variables Partial functions Total function 33

Declaration of predicates [...] \predicates { /* Declare predicates occurring in the problem */ p; q; r(int, int); } [...] Nullary predicates (propositional variables) Predicates/relations 34

Formulae/problems [...] \problem { /* Problem to be proven. */ \forall int ar, ind, val; select(store(ar, ind, val), ind) = val -> \forall int ar, ind1, ind2, val; (ind1 != ind2 -> select(store(ar, ind1, val), ind2) = select(ar, ind2)) -> x + 1 = 5 -> select(store(ar, x, y), 4) = y } Array axioms Implied formula 35

Syntax of formulae SyntaxMeaning A & B Conjunction A | B Disjunction !A Negation A -> B Implication A B Equivalence \forall int x, y, z; A \exists int x, y, z; A Quantifiers \part[p0] A Labelled formula s = t, s != t s <= t, s < t (Dis)equations, inequalities p(s, t,...) Application of predicates …, -2, -1, 0, 1, 2,... Integer literals (constants) s + t, s * t Sums, products (only linear expressions are allowed) x, y, z Variables, constants f(s, t,...) Application of functions 36

Some Practice 37 int main(){ int x; scanf("%d", &x); if(x<10) x= x -1; assert(x != 9); } (x 0 <10 Æ x 1 = x 0 -1 Æ x 1 =9) Ç (x 0 ¸ 10 Æ x 0 =9) The assertion may be violated iff The first order formula is satisfible ex1.pri \functions { int x0, x1; } \problem { \forall int x0, x1; !((x0 =10 & x0=9)) }

38 Some Practice int fun1(int y) { int x, z; z = y; y = x; x = z; return sq(x); } int fun2(int y) { return sq(y); } formula  is satisfiable iff the programs are non-equivalent z0= y0 Æ y1 = x0 Æ x1 = z0 Æ ret1 = sq(x1) Æ ret2 = sq(y0) Æ ret1  ret2 ex2.pri \functions { int z0, y0, y1, x0, x1, ret1,ret2; int sq(int); } \problem { \forall int z0, y0, y1, x0, x1, ret1,ret2; !( z0=y0 & y1 = x0 & x1 =z0 & ret1 =sq(x1) & ret2=sq(y0) & ret1 != ret2 )}

39 Some Practice int f(int y) { int x, z; x = myFunc(y); x = myFunc(x); z = myFunc(myFunc(y)); assert (x==z); } Write a formula  such that formula  is satisfible ↔ the assertion can be violated x0=myFunc(y0) Æ x1=myFunc(x0) Æ z0 = myFunc(myFunc(y0)) Æ x1!=z0 ex3.pri \functions { int z0, y0, x0, x1; int myFunc(int); } \problem { \forall int z0, y0, x0, x1; !( x0=myFunc(y0) & x1=myFunc(x0) & z0 =myFunc(myFunc(y0)) & x1 != z0 )}

Homework 40 1.Define a small program verification problem. 2.Reduce the problem to a satisfibility problem of FOL 3.Solve it using Princess (send me your pri file via Samples can be found the previous 3 pages. Score of you homework (60%) correctness (40%) creativity

Part II: Software Model Checking 41

Model Checking Given a: – Finite state transition system M – A property p Reachability (Simplest form) CTL, LTL, CTL* (Prof. Farn Wang) Automata (Prof. Yih-Kuen Tsay) The model checking problem: – Does M satisfy p ? 42 I

Model Checking (safety) I = bad state 43

Assertion Checking as Reachability int main(){ int x; scanf("%d", &x); while(x<10){ x++; } assert(x > 0); } int main(){ int x; scanf("%d", &x); while(x<10){ x++; } if(! (x > 0) ){ printf(“ERROR”): } We will show you how to translate a program to a state transition system later 44

Example Example ( ) { 1: do{ assert(!lock) lock=true; old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; assert(lock) lock=false; new ++; } 4: } while(new != old); 5: assert(lock) lock=false; return; } Example ( ) { 1: do{ assert(!lock) lock=true; old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; assert(lock) lock=false; new ++; } 4: } while(new != old); 5: assert(lock) lock=false; return; } lock unlock 45 Fill up a linked list with increasing values

What a program really is… State Transition 3: lock=false; new++; 4:} … 3: lock=false; new++; 4:} … pc lock old new q  3   5  0x133a pc lock old new q  4   5  6  0x133a Example ( ) { 1: do{ assert(!lock) lock=true; old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; assert(lock) lock=false; new ++; } 4: } while(new != old); 5: assert(lock); lock=false; return;} Example ( ) { 1: do{ assert(!lock) lock=true; old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; assert(lock) lock=false; new ++; } 4: } while(new != old); 5: assert(lock); lock=false; return;} 46

The Safety Verification Problem Initial Error Is there a path from an initial to an error state ? Problem: Infinite state graph Solution : Set of states ' logical formula Safe 47

Representing States as Formulas [F] states satisfying F {s | s ² F } F FO fmla over prog. vars [F 1 ] Å [F 2 ]F1 Æ F2F1 Æ F2 [F 1 ] [ [F 2 ]F 1 Ç F 2 [F][F] : F [F 1 ] µ [F 2 ]F 1 implies F 2 i.e. F 1 Æ: F 2 unsatisfiable 48

Idea 1: Predicate Abstraction Predicates on program state: lock old = new States satisfying same predicates are equivalent –Merged into one abstract state #abstract states is finite 49

Abstract States and Transitions State 3: lock=false; new++; 4:} … 3: lock=false; new++; 4:} … pc lock old new q  3   5  0x133a pc lock old new q  4   5  6  0x133a lock old=new : lock : old=new Theorem Prover 50

Abstraction State pc lock old new q  3   5  0x133a pc lock old new q  4   5  6  0x133a lock old=new : lock : old=new Theorem Prover Existential Lifting 3: lock=false; new++; 4:} … 3: lock=false; new++; 4:} … 51

Abstraction State pc lock old new q  3   5  0x133a pc lock old new q  4   5  6  0x133a lock old=new : lock : old=new 3: lock=false; new++; 4:} … 3: lock=false; new++; 4:} … 52

Analyze Abstraction Analyze finite graph Over Approximate: Safe ) System Safe No false negatives Problem Spurious counterexamples 53

Idea 2: Counterex.-Guided Refinement Solution Use spurious counterexamples to refine abstraction ! 54

1. Add predicates to distinguish states across cut 2. Build refined abstraction Solution Use spurious counterexamples to refine abstraction Idea 2: Counterex.-Guided Refinement Imprecision due to merge 55

Iterative Abstraction-Refinement 1. Add predicates to distinguish states across cut 2. Build refined abstraction -eliminates counterexample 3. Repeat search Till real counterexample or system proved safe Solution Use spurious counterexamples to refine abstraction [Kurshan et al 93] [Clarke et al 00] [Ball-Rajamani 01] 56

Problem: Abstraction is Expensive Reachable Problem #abstract states = 2 #predicates Exponential Thm. Prover queries Observe Fraction of state space reachable #Preds ~ 100’s, #States ~ 2 100, 57

Safe Solution Build abstraction during search Problem #abstract states = 2 #predicates Exponential Thm. Prover queries Solution1 : Only Abstract Reachable States 58

A Concrete Example 59

Control Flow Automata void main() { int i = 0; while (i < 2) { i++; } assert (i >= 2); } E i := 0 i<2 i>=2 i := i+1 i < 2 Control Flow Automata Program Assignment, e.g., x := x+1 Proposition, e.g., x < y The operations allowed depends on the power of SMT solvers 60

Abstract Reachability Tree (ART) E i := 0 i<2 i>=2 i := i+1 Control Flow Automata Assume that each node is associated with predicate (i < 2). 1 True 2 ? i := 0 ART i < 2 61

Predicates: LOCK, new==old Refinement How to compute “successors” ? : LOCK Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); } Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); } LOCK, new=old 4 4 : LOCK, new==old 5 5 SAFE LOCK, new==old : LOCK, : new = old : LOCK, : new == old 62

Post( Á, op) Let Á be a formula describes a set of current states. Post( Á, op) is a formula that describes the set of next states via operation op. Recall that two types of op are considered: – Assignment x:=e, e.g., x:= x + 1 – Proposition e1 < e2 or e1 == e2, e.g., x<y 63

Post( Á, op) Recall that two types of op are considered: – Assignment x:=e, e.g., x:= x + 1 – Proposition p, e.g., x<y Post( Á, x:=e) = Á [x/x’] Æ x=e[x/x’] Post( Á, p) = Á Æ p 64

Abstract Reachability Tree (ART) E i := 0 i<2 i>=2 i := i+1 Control Flow Automata Assume that each node is associated with predicate (i < 2). 1 True 2 ? i := 0 ART i < 2 i >=2 i=0 Post(True, i:=0) = True [i/i’] Æ i=0[i/i’] 65

Abstract Reachability Tree (ART) E i := 0 i<2 i>=2 i := i+1 Control Flow Automata Assume that each node is associated with predicate (i < 2). 1 True 2 i <2 i := 0 ART i < 2 i >=2 i=0 Post(True, i:=0) = True [i/i’] Æ i=0[i/i’] 66

Abstract Reachability Tree (ART) E i := 0 i<2 i>=2 i := i+1 Control Flow Automata Assume that each node is associated with predicate (i < 2). 1 True 2 i <2 i := 0 3 i < 2 ART i < 2 i >=2 Post(i<2, i<2) = i<2 Æ i<2 i<2 67

Abstract Reachability Tree (ART) E i := 0 i<2 i>=2 i := i+1 Control Flow Automata Assume that each node is associated with predicate (i < 2). 1 True 2 i <2 i := 0 3 i < 2 2 True i := i + 1 ART i < 2 i >=2 Post(i<2, i:=i+1) = i<0 [i/i’] Æ i=i+1[i/i’] = I’<0 Æ i=I’+1 i<1 68

Abstract Reachability Tree (ART) E i := 0 i<2 i>=2 i := i+1 Control Flow Automata Assume that each node is associated with predicate (i < 2). 1 True 2 i <2 i := 0 3 i < 2 2 True i := i i >=2 i<2 ART i <

Abstract Reachability Tree (ART) E i := 0 i<2 i>=2 i := i+1 Control Flow Automata Assume that each node is associated with predicate (i < 2). 1 True 2 i <2 i := 0 3 i < 2 2 True i := i i >=2 i<2 ART i < 2 3 Is covered 70

Cover n Á n' Á'Á' is covered by iff (1) n=n’ (2) Á ! Á ’ Then we can stop the search from because all bad states can be reached from can also be reached from n Á n Á n' Á'Á' 71

Abstract Reachability Tree (ART) E i := 0 i<2 i>=2 i := i+1 Control Flow Automata Assume that each node is associated with predicate (i < 2). 1 True 2 i <2 i := 0 3 i < 2 2 True i := i i >=2 i<2 ART QUESTION: how to find useful predicates? i <

Lazy Abstraction (1) E i := 0 i<2 i>=2 i := i+1 i < 2 Control Flow Automata Initially, we do not have any predicates 1 True 2 i := 0 3 True i<2 i >= 2 ART 4 True E i < 2 …… 73

Lazy Abstraction (2) We want to find a predicate that will remove this false counterexample 1 True 2 i := 0 i >= 2 False Counterexample 4 True E i < 2 74

i= > A More Detailed Illustration i= > i := 0 i=0 i= > i>=2 i<2 75

i= > A More Detailed Illustration i= > i := 0 i=0 i= > i>=2 i<2 Find a predicate to separate them 76

i>=2 A More Detailed Illustration i= > i := 0 i=0 i= > i>=2 i<2 Find a predicate to separate them 77

Lazy Abstraction E i := 0 i<2 i>=2 i := i+1 i < 2 Control Flow Automata 1 True 2 i := 0 3 True i<2 i >= 2 ART 4 i>=2 E i < 2 …… 78

Weakest Preconditions [P][P] OP [WP(P, OP)] WP(P,OP) Weakest formula P’ s.t. if P’ is true before OP then P is true after OP Assign x = ex = e P P[e/x] x = x+1 x+1 > 5 x > 5 79

Weakest Preconditions [P][P] OP [WP(P, OP)] WP(P,OP) Weakest formula P’ s.t. if P’ is true before OP then P is true after OP Assign x = ex = e P P[e/x] x = y+1 y+1 > 5 x > 5 80

Weakest Preconditions P P x >5 [c] Branch Assume [x=y] [P][P] OP [WP(P, OP)] WP(P,OP) Weakest formula P’ s.t. if P’ is true before OP then P is true after OP 81

i= > Another Example i= > i := 0 i=0 i= > i>=2 i!=2 82

i= > i := 0 i=0 i= > i>=2 i!=2 i>2 i >= 2 Compute and obtain Interpolant i<=0 83 Another Example

Let R and E be FOL formulae, if R Æ E Is UNSAT., then there exists a first order formula I (interpolant) such that. (a) R ) I (b) E Æ I is UNSAT (c) Var( I ) = Var ( R ) Å Var( E ) Reachable states States that can reach Error (Craig,57) i=0 i= > i>2 Craig Interpolant 84

Compute Interpolant using Princess (i=0) Æ (i>2) is UNSAT i=0 i= > i>2 85 \functions { int i; } \problem { \part[p0] (i=0) & \part[p1] (i>2) -> false } \interpolant {p0; p1} No countermodel exists, formula is valid Interpolants: (-1*i >= 0)

i= > A More Detailed Illustration i= > i := 0 i=0 i<2 i>=2 i <= 0 i!=2 i>2 86

RHS Algorithm (Modified) void A(){ h := !g; g=B(g,h); assert(g); } void B(a1,a2){ if (a1) return B(a2,a1); else return a2; } 87

RHS Algorithm void A(){ h := !g; g=B(g,h); assert(g); } void B(a1,a2){ if (a1) return B(a2,a1); else return a2; } (1) ART A 1 2 (1,0),(0,1), (1,1),(0,0) h:=!g g=B(g,h) (1,0),(0,1) 1 (2) ART B Called by Nd ART(1) 2 !a1 (0,1) 3 return a2 Establish summary edge (0,1)  1 Add it to node ART (1) 1 (3) ART B Called by Nd ART(1) (1,0) 88

RHS Algorithm void A(){ h := !g; g=B(g,h); assert(g); } void B(a1,a2){ if (a1) return B(a2,a1); else return a2; } (1) ART A 1 2 (1,0),(0,1), (1,1),(0,0) h:=!g g=B(g,h), SE(a) (1,0),(0,1) 1 (2) ART B Called by Nd ART(1) 2 !a1 (0,1) 3 return a2 Summary edges (a) (0,1)  1 1 (3) ART B Called by Nd ART(1) (1,0) 3 (1,1) 89

RHS Algorithm void A(){ h := !g; g=B(g,h); assert(g); } void B(a1,a2){ if (a1) return B(a2,a1); else return a2; } (1) ART A 1 2 (1,0),(0,1), (1,1),(0,0) h:=!g g=B(g,h), SE(a) (1,0),(0,1) 1 (2) ART B Called by Nd ART(1) 2 !a1 (0,1) 3 return a2 Summary edges (a) (0,1)  1 1 (3) ART B Called by Nd ART(1) (1,0) 3 (1,1) a1 2 (1,0) return B(a2,a1) 3 Use SE(a) Establish summary edge (1,0)  1 Add it to node ART (1) 90

void B(a1,a2){ if (a1) return B(a2,a1); else return a2; } RHS Algorithm void A(){ h := !g; g=B(g,h); assert(g); } (1) ART A 1 2 (1,0),(0,1), (1,1),(0,0) h:=!g g=B(g,h), SE(a) (1,0),(0,1) 1 (2) ART B Called by Nd ART(1) 2 !a1 (0,1) 3 return a2 Summary edges (a)(0,1)  1 (b)(1,0)  1 1 (3) ART B Called by Nd ART(1) (1,0) 4 (1,1) a1 2 (1,0) return B(a2,a1) 3 3 g=B(g,h), SE(b) (1,0) g=B(g,h) 91

void B(a1,a2){ if (a1) return B(a2,a1); else return a2; } RHS Algorithm void A(){ h := !g; g=B(g,h); assert(g); } (1) ART A 1 2 (1,0),(0,1), (1,1),(0,0) h:=!g g=B(g,h), SE(a) (1,0),(0,1) 1 (2) ART B Called by Nd ART(1) 2 !a1 (0,1) 3 return a2 Summary edges (a)(0,1)  1 (b)(1,0)  1 1 (3) ART B Called by Nd ART(1) (1,0) 4 (1,1) a1 2 (1,0) return B(a2,a1) 3 3 g=B(g,h), SE(b) (1,0) g=B(g,h) SE(b) 5 (1,0) 6 g 92

void B(a1,a2){ if (a1) return B(a2,a1); else return a2; } RHS Algorithm void A(){ h := !g; g=B(g,h); assert(g); } (1) ART A 1 2 (1,0),(0,1), (1,1),(0,0) h:=!g g=B(g,h), SE(a) (1,0),(0,1) 1 (2) ART B Called by Nd ART(1) 2 !a1 (0,1) 3 return a2 Summary edges (a)(0,1)  1 (b)(1,0)  1 1 (3) ART B Called by Nd ART(1) (1,0) 4 (1,1) a1 2 (1,0) return B(a2,a1) 3 3 g=B(g,h), SE(b) (1,0) g=B(g,h) SE(b) 5 (1,0) 6 g 1 (4) ART B Called by Nd ART(1) ART (4) (1,1) a1 2 (1,1) return B(a2,a1) 3 No summary edge for this tree 93

Lazy abstraction + RHS alg. ? Major problems – For each function call, we enumerate all combinations of predicates. – When generate predicates, we hope it only contains local variables of a function. 94