© 2008 Carnegie Mellon University Combining Predicate and Numeric Abstraction for Software Model Checking Software Engineering Institute Carnegie Mellon.

Slides:

Advertisements

Similar presentations

Logical Abstract Interpretation Sumit Gulwani Microsoft Research, Redmond.

Advertisements

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

© 2013 Carnegie Mellon University UFO: From Underapproximations to Overapproximations and Back! Arie Gurfinkel (SEI/CMU) with Aws Albarghouthi and Marsha.

© 2006 Carnegie Mellon University Combining Predicate and Numeric Abstraction for Software Model Checking Software Engineering Institute Carnegie Mellon.

Verification of Evolving Software Natasha Sharygina Joint work with Sagar Chaki and Nishant Sinha Carnegie Mellon University.

An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.

50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.

Inferring Disjunctive Postconditions Corneliu Popeea and Wei-Ngan Chin School of Computing National University of Singapore - ASIAN

1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)

© Anvesh Komuravelli Spacer Automatic Abstraction in SMT-Based Unbounded Software Model Checking Anvesh Komuravelli Carnegie Mellon University Joint work.

© 2011 Carnegie Mellon University B OXES : Abstract Domain of Boxes Arie Gurfinkel and Sagar Chaki Software Engineering Institute Carnegie Mellon University.

© 2010 Carnegie Mellon University B OXES : A Symbolic Abstract Domain of Boxes Arie Gurfinkel and Sagar Chaki Software Engineering Institute Carnegie Mellon.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.

Rahul Sharma, Saurabh Gupta, Bharath Hariharan, Alex Aiken, and Aditya Nori (Stanford, UC Berkeley, Microsoft Research India) Verification as Learning.

A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.

Automatic Predicate Abstraction of C-Programs T. Ball, R. Majumdar T. Millstein, S. Rajamani.

© 2012 Carnegie Mellon University UFO: Verification with Interpolants and Abstract Interpretation Arie Gurfinkel and Sagar Chaki Software Engineering Institute.

ISBN Chapter 3 Describing Syntax and Semantics.

The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.

Rahul Sharma Işil Dillig, Thomas Dillig, and Alex Aiken Stanford University Simplifying Loop Invariant Generation Using Splitter Predicates.

Using Statically Computed Invariants Inside the Predicate Abstraction and Refinement Loop Himanshu Jain Franjo Ivančić Aarti Gupta Ilya Shlyakhter Chao.

© 2011 Carnegie Mellon University Binary Decision Diagrams Part Bug Catching: Automated Program Verification and Testing Sagar Chaki September.

© 2011 Carnegie Mellon University Binary Decision Diagrams Part Bug Catching: Automated Program Verification and Testing Sagar Chaki September.

1 Model Checking, Abstraction- Refinement, and Their Implementation Based on slides by: Orna Grumberg Presented by: Yael Meller June 2008.

Interpolants [Craig 1957] G(y,z) F(x,y)

Abstractions. Outline Informal intuition Why do we need abstraction? What is an abstraction and what is not an abstraction A framework for abstractions.

Program analysis Mooly Sagiv html://

Synergy: A New Algorithm for Property Checking

1 Predicate Abstraction of ANSI-C Programs using SAT Edmund Clarke Daniel Kroening Natalia Sharygina Karen Yorav (modified by Zaher Andraus for presentation.

Program analysis Mooly Sagiv html://

ECE Synthesis & Verification - Lecture 18 1 ECE 697B (667) Spring 2006 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Word-level.

Automatically Validating Temporal Safety Properties of Interfaces Thomas Ball and Sriram K. Rajamani Software Productivity Tools, Microsoft Research Presented.

Predicate Abstraction for Software and Hardware Verification Himanshu Jain Model checking seminar April 22, 2005.

1 A propositional world Ofer Strichman School of Computer Science, Carnegie Mellon University.

Describing Syntax and Semantics

1 Formal Engineering of Reliable Software LASER 2004 school Tutorial, Lecture1 Natasha Sharygina Carnegie Mellon University.

Lazy Abstraction Tom Henzinger Ranjit Jhala Rupak Majumdar Grégoire Sutre.

CS 267: Automated Verification Lecture 13: Bounded Model Checking Instructor: Tevfik Bultan.

Formal Verification of SpecC Programs using Predicate Abstraction Himanshu Jain Daniel Kroening Edmund Clarke Carnegie Mellon University.

On Solving Presburger and Linear Arithmetic with SAT Ofer Strichman Carnegie Mellon University.

7/13/2003BMC A SAT-Based Approach to Abstraction Refinement in Model Checking Bing Li, Chao Wang and Fabio Somenzi University of Colorado at Boulder.

By: Pashootan Vaezipoor Path Invariant Simon Fraser University – Spring 09.

SAT and SMT solvers Ayrat Khalimov (based on Georg Hofferek‘s slides) AKDV 2014.

Program Analysis with Dynamic Change of Precision Dirk Beyer Tom Henzinger Grégory Théoduloz Presented by: Pashootan Vaezipoor Directed Reading ASE 2008.

Aditya V. Nori, Sriram K. Rajamani Microsoft Research India.

Variance Analyses from Invariance Analyses Josh Berdine Microsoft Research, Cambridge Joint work with Aziem Chawdhary, Byron Cook, Dino.

Integrating high-level constructs into programming languages Language extensions to make programming more productive Underspecified programs –give assertions,

Convergence of Model Checking & Program Analysis Philippe Giabbanelli CMPT 894 – Spring 2008.

Symbolic Execution with Abstract Subsumption Checking Saswat Anand College of Computing, Georgia Institute of Technology Corina Păsăreanu QSS, NASA Ames.

Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University.

Formal Verification of Synchronization Issues of SpecC Description with Automatic Abstraction Thanyapat Sakunkonchak Masahiro Fujita Department of Electronics.

Localization and Register Sharing for Predicate Abstraction Himanshu Jain Franjo Ivančić Aarti Gupta Malay Ganai.

Predicate Abstraction. Abstract state space exploration Method: (1) start in the abstract initial state (2) use to compute reachable states (invariants)

Random Interpretation Sumit Gulwani UC-Berkeley. 1 Program Analysis Applications in all aspects of software development, e.g. Program correctness Compiler.

© 2006 Carnegie Mellon University Introduction to CBMC: Part 1 Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Arie Gurfinkel,

1 Numeric Abstract Domains Mooly Sagiv Tel Aviv University Adapted from Antoine Mine.

Boolean Programs: A Model and Process For Software Analysis By Thomas Ball and Sriram K. Rajamani Microsoft technical paper MSR-TR Presented by.

Verifying Component Substitutability Nishant Sinha Sagar Chaki Edmund Clarke Natasha Sharygina Carnegie Mellon University.

© 2006 Carnegie Mellon University Introduction to CBMC: Part 1 Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Arie Gurfinkel,

© Anvesh Komuravelli Spacer Model Checking with Proofs and Counterexamples Anvesh Komuravelli Carnegie Mellon University Joint work with Arie Gurfinkel,

Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 8: Static Analysis II Roman Manevich Ben-Gurion University.

Counterexample-Guided Abstraction Refinement By Edmund Clarke, Orna Grumberg, Somesh Jha, Yuan Lu, and Helmut Veith Presented by Yunho Kim Provable Software.

Presentation Title 2/4/2018 Software Verification using Predicate Abstraction and Iterative Refinement: Part Bug Catching: Automated Program Verification.

Software Testing.

Introduction to Software Verification

ECE 667 Synthesis and Verification of Digital Systems

Software Testing (Lecture 11-a)

Predicate Abstraction

Verifying Clausal Proofs, DRUPing and Interpolants SAT/SMT Seminar

Presentation transcript:

© 2008 Carnegie Mellon University Combining Predicate and Numeric Abstraction for Software Model Checking Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Arie Gurfinkel and Sagar Chaki

2 Combining PA and NA for Soft MC Gurfinkel and Chaki © 2008 Carnegie Mellon University Automated Software Analysis Program Automated Analysis Correct Incorrect Software Model Checking with Predicate Abstraction e.g., Microsoft’s SDV Abstract Interpretation with Numeric Abstraction e.g., ASTREE, Polyspace

3 Combining PA and NA for Soft MC Gurfinkel and Chaki © 2008 Carnegie Mellon University Predicate and Numeric Abstractions Predicate Abstraction (PA) (e.g., SDV) Typical property: no lock is acquired twice Program verification reduced to propositional reasoning with model checker Works well for control-driven programs Works poorly for data-driven programs Numeric Abstraction (NA) (e.g, ASTREE) Typical property: no arithmetic overflow Program verification reduced to arithmetic reasoning Works well for data-driven programs Works poorly for control-driven programs How to combine PA and NA to get the best of both? Precision Scalability NA PA Unrealistic

4 Combining PA and NA for Soft MC Gurfinkel and Chaki © 2008 Carnegie Mellon University Outline Predicate and Numeric Abstract for Program Analysis Strength and Weakness An “Ideal” Combination PA+NA Combination Abstract Transformers Data Structures Experimental Results Current and Future Work

5 Combining PA and NA for Soft MC Gurfinkel and Chaki © 2008 Carnegie Mellon University Predicate Abstraction: An Example Concrete Program p1:i=1 p2:i=2 p3:x1>0 p4:x2<0 Abstract Program assume (i=1 || i=2) if (i = 1) x1 := i; else if (i = 2) x2 := -4; if (i = 1) assert (x1 > 0); else if (i = 2) assert (x2 < 0); assume (p1 || p2) if (p1) p3 := ch(p1||p2,false); else if (p2) p4 := true if (p1) assert (p3); else if (p2) assert (p4); p := ch(tt,ff) if (tt) p := 1; else if (ff) p := 0; else p := *;

6 Combining PA and NA for Soft MC Gurfinkel and Chaki © 2008 Carnegie Mellon University Analysis with Predicate Abstraction p1:i=1 p2:i=2 p3:x1>0 p4:x2<0 Abstract Program assume (p1 || p2) if (p1) p3 := ch(p1||p2,false); else if (p2) p4 := true if (p1) assert (p3); else if (p2) assert (p4); p1 || p2 p1 p1&&p3 !p1&&p2&&p4 p1&&p3 || !p1&&p2&&p4 !p1&&p2 !p1&&p2&&p4 p1&&p3 Can prove safety

7 Combining PA and NA for Soft MC Gurfinkel and Chaki © 2008 Carnegie Mellon University Predicate Abstraction Strength/Weaknesses Strengths Works well for control-dependent properties Completely automated Predicates can come from any theory that has an automated (semi-)decision procedure Supports any Boolean combination of predicates Compatible with CounterExample Guided Abstraction Refinement Weaknesses Scalability (construction and analysis) Restricted to finite abstract domains

8 Combining PA and NA for Soft MC Gurfinkel and Chaki © 2008 Carnegie Mellon University Numeric Abstract Interpretation Analysis is restricted to a fixed Abstract Domain Abstract Domain ≡ “a (possibly infinite) set of predicates from a fixed theory” + efficient operations Examples of Numeric Abstract Domains Signs 0 0 Intervals c 1  x  c 2, where c 1,c 2 are a constants Octagons ± x ± y  c, where c is a constant Polyhedra a 1 x 1 + a 2 x 2 +a 3 x 3 + a 4  0, where a i are constants

9 Combining PA and NA for Soft MC Gurfinkel and Chaki © 2008 Carnegie Mellon University AbsDom Interface interface AbsDom(V) : V – set of variables A – abstract elements, E – expressions, S – statements α : E → A γ : A → E meet : A  A → A isTop : A → bool isBot : A → bool join : A  A → A leq : A  A → bool αPost : S → (A → A) widen : A  A → A All operations are over-approximations, e.g., γ (a) || γ (b)  γ ( join (a, b) ) γ (a) && γ (b)  γ (meet (a,b) )

10 Combining PA and NA for Soft MC Gurfinkel and Chaki © 2008 Carnegie Mellon University Example: The Domain of Intervals (1, 10) meet (2, 12) = (2,10) (1, 3) join (7, 12) = (1,12) 1  x  10 (1, 10) α γ 1  x  10 (a, b) meet (c, d) = (max(a,c), min(b,d)) (a, b) join (c, d) = (min(a,c),max(b,d)) α Post (x := x + 1) ((a, b)) = (a+1, b+1)(1, 10) + 1 = (2, 11) OperationsExamples over-approximation

11 Combining PA and NA for Soft MC Gurfinkel and Chaki © 2008 Carnegie Mellon University Numeric Abstraction: An Example Concrete Program assume (i=1 || i=2) if (i = 1) x1 := i; else if (i = 2) x2 := -4; if (i = 1) assert (x1 > 0); else if (i = 2) assert (x2 < 0); assume (i=1 || i=2) if (i = 1) x1 := i; else if (i = 2) x2 := -4; if (i = 1) assert (x1 > 0); else if (i := 2) assert (x2 < 0); Abstract Program Abstraction

12 Combining PA and NA for Soft MC Gurfinkel and Chaki © 2008 Carnegie Mellon University Analysis with Intervals NA (1) assume (i=1 || i=2) if (i = 1) x1 := i; else if (i = 2) x2 := -4; if (i = 1) assert (x1 > 0); else if (i := 2) assert (x2 < 0); 1 <= i <= 2 i=1 i=1 && x1=1 i=2 i=2 && x2=-4 1 <= i <= 2 i=1 i=2 Loss of precision due to join Cannot prove safety Abstract Program

13 Combining PA and NA for Soft MC Gurfinkel and Chaki © 2008 Carnegie Mellon University Analysis with Intervals NA (2) if (3 <= y1 <= 4) { x1 := y1-2; x2 := y1+2; } else if (3 <= y2 <= 4) { x1 := y2-2; x2 := y2+2; } else return; assert (5 <= x1 + x2 <= 10); 3 <= y1 <= 4 1 <= x1 <= 2 5 <= x2 <= 6 3 <= y2 <= 4 1 <= x1 <= 2 5 <= x2 <= 6 1<=x1<=2 5<=x2<=6 Using PA expensive! Abstract Program

14 Combining PA and NA for Soft MC Gurfinkel and Chaki © 2008 Carnegie Mellon University Strength/Weakness of Numeric Abstraction Strength Fully Automated Scalable Supports infinite abstract domains (Supports) Automated Refinement Weakness Limited to a few theories (intervals, octagons, polyhedra) Restricted to conjunctions of terms Looses precision very quickly (join, widen, etc.)

15 Combining PA and NA for Soft MC Gurfinkel and Chaki © 2008 Carnegie Mellon University Predicates: p: A[y1+y2]=3 q: A[x1+x2]=3 assume (x1 = x2); if (p) { x1 := y1 – 2 && q := *; x2 := y2 + 2 &&& q := ch ((x1=y1-2)&&p,f) } else q := false; if (q) { x1 := x1 + x2; x2 := x2+y1-2; } assert (x1 = x2) “Ideal” combination of PA + NA assume (x1 = x2); if (A[y1+y2] = 3) { x1 := y1 – 2; x2 := y2 + 2; } else A[x1+x2] := 5; if (A[x1+x2] = 3) { x1 := x1 + x2; x2 := x2+y1-2; } assert (x1 = x2) Predicates: p: A[y1+y2]=3, q: A[x1+x2]=3 Concrete ProgramAbstract Program Abstraction

16 Combining PA and NA for Soft MC Gurfinkel and Chaki © 2008 Carnegie Mellon University Abstract with Predicates p: A[y1+y2]==3 q: A[x1+x2]==3 “Ideal” combination of PA + NA assume (x1 = x2); if (A[y1+y2] = 3) { x1 := y1 – 2; x2 := y2 + 2; } else A[x1+x2] := 5; if (A[x1+x2] = 3) { x1 := x1 + x2; x2 := x2+y1-2; } assert (x1 = x2) assume (x1 = x2); if (p) { x1 := y1 – 2 && q := *; x2 := y2 + 2 &&& q := ch ((x1=y1-2)&&p,f) } else q := false; if (q) { x1 := x1 + x2; x2 := x2+y1-2; } assert (x1 = x2) Predicates: p: A[y1+y2]=3, q: A[x1+x2]=3 Concrete ProgramAbstract Program Abstraction Concrete transformer a.k.a. program statement Abstract transformer Parallel composition

17 Combining PA and NA for Soft MC Gurfinkel and Chaki © 2008 Carnegie Mellon University Analyzing with PA + NA assume (x1 = x2); if (p) { x1 := y1 – 2 && q := *; x2 := y2 + 2 &&& q := ch ((x1+2 = y1)&&p,f) } else q := false; if (q) { x1 := x1 + x2; x2 := x2+y1-2; } assert (x1 = x2) x1=x2 p && x1=x2 p && x1=y1-2 p && q && x1=y1-2 && x2=y2+2 !p && !q && x1=x2 p && q && x1=y1-2 && x2=y2+2 || !p && !q && x1=x2 p && q && x1=y1-2 && x2=y2+2 p && q && x1=y1+y2 && x2=y2+2 p && q && x1=y1+y2 && x2=y2+y1 && x1=x2 Predicates: p: A[y1+y2]=3, q: A[x1+x2]=3 p && q && x1=y1+y2 && x2=y2+y1 && x1=x2 || !p && !q && x1=x2 Abstract Program

18 Combining PA and NA for Soft MC Gurfinkel and Chaki © 2008 Carnegie Mellon University NumPredDom Interface interface NumPredDom(VN,VP) extends AbsDom VN – numeric variables, VP – predicates, e – conjunctive expression proj P (VP,e) = conjunction of predicates from VP s.t. e  proj P (VP,e) proj N (VN,e) = conjunction of constraints over VN s.t. e  proj N (VP,e) α P : E → A α N : E → Aunprime : A → A reduce : A → A exists : 2 VP  A → AαPost N : S → (A → A) Information Sharing between NA and PA: Factored out for efficiency Lift numeric-only abstract transformer Lift propositional-only abstract transformer Implementation-dependent. Influences precision and scalability.

19 Combining PA and NA for Soft MC Gurfinkel and Chaki © 2008 Carnegie Mellon University NumPredDom: Definition of α α(e1  e2) = meet ( α(e1), α(e2) ) α(e1  e2) = join ( α(e1), α(e2) ) α(e) = meet ( α P (proj P (VP  VP’, e)), α N (proj N (VN, e)) ) project abstract combine conjunctions disjunctions

20 Combining PA and NA for Soft MC Gurfinkel and Chaki © 2008 Carnegie Mellon University NumPredDom: Abstract Transformers v ::= numeric expression e ::= Boolean expression over predicate and numeric terms τ ::= τ N | τ a | τ c | τ P | τ NP | τ || τ | τ ; τ τ NP ::= (e ? τ N ) &&& τ P (numeric + predicate) τ P ::= p := ch (e, e) | τ P &&& τ P (predicate) τ c ::= e ? τ N (conditional) τ a ::= assume (e)(assume) τ N ::= x := v | τ N &&& τ N (numeric) sequence non-det base-case

21 Combining PA and NA for Soft MC Gurfinkel and Chaki © 2008 Carnegie Mellon University Transformer Examples Predicates: p 1 :z=&x, p 2 :z=&y, p 3 :y=1 Concrete Transformer Abstract Transformer assume (*z > 0)(p 1 &&x>0 || p 2 &&y>0 || !p 1 &&!p 2 )? skip *z = u + 1 (p 1 ? x := u + 1) || (p 2 ? y := u+1) || (!p 1 && !p 2 ? skip) y = x &&& x = (y-1? v : w) (p 3 ? x := v || !p 3 ? x := w) &&& p 3 := ch (x=1,x!=1)

22 Combining PA and NA for Soft MC Gurfinkel and Chaki © 2008 Carnegie Mellon University NumPredDom: Four Implementations NameValueExample Num. Terms NEXPoint 2 2^P  N (p||q) && (0 <= x <= 5) Explicit NEX2 P → N(p&& 0<=x<=3) || (!p && (1<=x<=5)) MTBDD2 P → N(p&& 0<=x<=3) || (!p && (1<=x<=5)) Symbolic NDD2 P → 2 N (p && (x=0 || x=3)) || (!p && (x=1 || x=5)) Precision

23 Combining PA and NA for Soft MC Gurfinkel and Chaki © 2008 Carnegie Mellon University NEXPoint (P, N) NEXPoint elements are of the form: BDD over predicates Element of numeric abstract domain All operations are pairwise 2 2^P  N

24 Combining PA and NA for Soft MC Gurfinkel and Chaki © 2008 Carnegie Mellon University Numeric EXplicit (NEX) NEX elements are lists of NEXPoint [(P 1, N 1 ),…, (P k,N k )] Satisfying the partitioning condition P i ∩ P j = { } Operations are done using NEXPoint, but respect the partitioning condition 2 P → N

25 Combining PA and NA for Soft MC Gurfinkel and Chaki © 2008 Carnegie Mellon University The Partitioning Condition p !p q !q x>0 y>0

26 Combining PA and NA for Soft MC Gurfinkel and Chaki © 2008 Carnegie Mellon University Multi-Terminal Numeric Decision Diagrams b1b1 b2b2 x>0 && x=y 1-edges are black, 0-edges are red edges to 0 node are not shown p 1 && !p 2 && (x>0) && (x=y) p 1 : x>0, p 2 : z<y b 1 : p 1, b 2 : p 2 MTNBDD MTNDD elements are Decision Diagrams with Numeric values at the terminals 2 P → N

27 Combining PA and NA for Soft MC Gurfinkel and Chaki © 2008 Carnegie Mellon University Numeric Decision Diagrams (p 1 &&p 2 ) || (x<0 && y=z) (x>=0 && z>0) || (!(x>=0) && y=z) p 1 : x>=0, p 2 : z>0 b1:x>=0, b2:z>0, b3:y=z b1b1 b2b2 b3b3 1 1-edges are black, 0-edges are red edges to 0 node are not shown normalize NDD elements are BDDs over Predicate and Numeric Terms 2 P → 2 N

28 Combining PA and NA for Soft MC Gurfinkel and Chaki © 2008 Carnegie Mellon University Summary of the Data Structures PrecisionScalabilityPA aloneNA aloneProp OpNum Op NEXPoint NEX MTNDD NDD

29 Combining PA and NA for Soft MC Gurfinkel and Chaki © 2008 Carnegie Mellon University Tool Implementation Java Implementation Numeric domains implemented on top of Apron library Frontend Source Annotated CFG + Initial Node + Target Node Reachability Analysis Report Fixed point computation with widening “Simple” automated abstraction-refinement 1.Check is CE is spurious using WP + TP 2.Add new numeric variables in UNSAT core first 3.Add new predicates only if all numeric variables in UNSAT core already present

30 Combining PA and NA for Soft MC Gurfinkel and Chaki © 2008 Carnegie Mellon University Experimental Results Synthetic examples used to validate specific conjectures NEX & MTNDD better than NDD when numeric joins are exact — Since NDD uses exact unions while others use numeric join NDD better than others when invariants are propositionally complex — Since NDD has the most sharing capability Realistic examples used to gauge overall performance Medley: 22 examples: Zitser buffer overflow (3), OpenSSL (2), engine controller (9), Micro-C OS (2), Device drivers (6)

31 Combining PA and NA for Soft MC Gurfinkel and Chaki © 2008 Carnegie Mellon University Negative running time means failure

32 Combining PA and NA for Soft MC Gurfinkel and Chaki © 2008 Carnegie Mellon University Experimental Results: Medley (2) Domain#Exp.TotalGammaJoinalphaPostApply Numeric Predicate NEXPoint NEX MTNDD NDD (Total # of examples = 22; all times are in seconds)

33 Combining PA and NA for Soft MC Gurfinkel and Chaki © 2008 Carnegie Mellon University Negative running time means failure

34 Combining PA and NA for Soft MC Gurfinkel and Chaki © 2008 Carnegie Mellon University Related Work Abstract Interpretation [CC’92] Our domain ≈ reduced direct product of Predicate and Numeric domains Jain et al. [CAV’06] Applies numeric invariants to simplify predicate abstraction Weaker than NEXPoint Fischer et al. [FSE’05], Beyer et al. [CAV’07,CAV’06] Predicate abstraction + Abstract Domain Similar to NEXPoint, but with simpler transfer functions Bultan et al. [TOSEM’00] MC of programs with Boolean and numeric variables using Omega library Similar to NEX, but with simpler transfer functions

35 Combining PA and NA for Soft MC Gurfinkel and Chaki © 2008 Carnegie Mellon University Current and Future Work Augmenting our benchmark suite Better automated abstraction-refinement for PA + NA In this work, the abstract domain is treated as a black box. Exploring tighter integration between predicate and numeric domains smarter numeric transfer functions, smarter DD variable ordering, etc. We support intervals, octagons and polyhedra. Looking for combinations with other (numeric) domains

36 Combining PA and NA for Soft MC Gurfinkel and Chaki © 2008 Carnegie Mellon University