© 2014 Carnegie Mellon University Synthesizing Safe Bit-Precise Invariants Arie Gurfinkel (SEI / CMU) Anton Belov (UCD / Synopsys) Joao Marques-Silva (UCD)

2 Synthesizing Safe Bit-Precise Invariants Gurfinkel, Belov, Marques-Silva © 2014 Carnegie Mellon University Copyright 2013 Carnegie Mellon University This material is based upon work funded and supported by the Department of Defense under Contract No. FA C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Department of Defense. NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN AS-IS BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. This material has been approved for public release and unlimited distribution. This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at DM

3 Synthesizing Safe Bit-Precise Invariants Gurfinkel, Belov, Marques-Silva © 2014 Carnegie Mellon University 3 Inductive Invariants: Turing / Floyd / Hoare A. M. Turing, Checking a Large Routine. In Report of a Conference on High Speed Automatic Calculating Machines, (1949).

4 Synthesizing Safe Bit-Precise Invariants Gurfinkel, Belov, Marques-Silva © 2014 Carnegie Mellon University Programs, Cexs, Invariants A program P = (V, Init, Tr, Bad) P is UNSAFE if and only if there exists a number N s.t. P is SAFE if and only if there exists a safe inductive invariant Inv s.t. Inductive Safe

5 Synthesizing Safe Bit-Precise Invariants Gurfinkel, Belov, Marques-Silva © 2014 Carnegie Mellon University Many conferences, techniques, tools …

6 Synthesizing Safe Bit-Precise Invariants Gurfinkel, Belov, Marques-Silva © 2014 Carnegie Mellon University But Bit-Precise Verification is Hard Bounded Model Checking CBMC, Boolector, LLBMC, ESBMC, … efficient discovery of counter-examples no invariants! Propositional Verification (Hardware) Interpolation, IC3, PDR, ABC, … efficient synthesis of propositional invariants does not scale to bit-precise verification of software Linear Arithmetic Verification (Software) Impact, UFO, CPAChecker, Duality, Blast, GPDR, … efficient synthesis of arithmetic invariants not bit-precise (not sound!) is often sufficient (e.g., UFO at SV-COMP’13 and ‘14)

7 Synthesizing Safe Bit-Precise Invariants Gurfinkel, Belov, Marques-Silva © 2014 Carnegie Mellon University But aren’t bit-vectors = bit-blasting?

8 Synthesizing Safe Bit-Precise Invariants Gurfinkel, Belov, Marques-Silva © 2014 Carnegie Mellon University Typical Bit-vector Decision Procedure B2P is satisfiability preserving (only!) Bit-blast (by itself) is not efficient SAT Bit-blast Simplify B2P

9 Synthesizing Safe Bit-Precise Invariants Gurfinkel, Belov, Marques-Silva © 2014 Carnegie Mellon University Safety Verification by Bit-Blasting Correct, but does not scale Bit-blast Verify propositional verifier

10 Synthesizing Safe Bit-Precise Invariants Gurfinkel, Belov, Marques-Silva © 2014 Carnegie Mellon University Safety Verification by B2P Efficient, but… B2P only preserves satisfiability Original circuit is reduced (abstracted) too much Hard to track correspondence between input and output B2P Verify True

11 Synthesizing Safe Bit-Precise Invariants Gurfinkel, Belov, Marques-Silva © 2014 Carnegie Mellon University Bit-blasting looses all structure! Lack of structure makes it difficult to generalize

12 Synthesizing Safe Bit-Precise Invariants Gurfinkel, Belov, Marques-Silva © 2014 Carnegie Mellon University Our Key Idea: Use Generate and Check Alg. Given an input program P with a safety property  Bad 1. Generate a candidate invariant Cand by verifying  Bad on a “simpler” approximation P simple of P 2. Compute the Maximal Inductive Subset Inv of Cand relative to P using bit-precise reasoning 3. Strengthen Inv using a bit-precise (but possibly slow) verification engine until (Inv  Bad)

13 Synthesizing Safe Bit-Precise Invariants Gurfinkel, Belov, Marques-Silva © 2014 Carnegie Mellon University M ISPER in a Nutshell Adapt unsound arithmetic reasoning to guess bit-precise invariants Approximate Program P + Property Program P LA LA Verifier Adapt using MIS Candidate C LA BIT Verifier Invariant I BIT Yes + Certificate C BIT No + Cex Unsound Needs validation Needs validation Sound

14 Synthesizing Safe Bit-Precise Invariants Gurfinkel, Belov, Marques-Silva © 2014 Carnegie Mellon University Approximate Bit-Vectors by Arithmetic Ignore (i.e., over-approximate) all bit-vector-specific operations Unsound, but simple and efficient Approximate Bool Bit-vector Arithmetic Bool

15 Synthesizing Safe Bit-Precise Invariants Gurfinkel, Belov, Marques-Silva © 2014 Carnegie Mellon University Maximal Inductive Subset Let L be a set of formulas, P=(V, Init, Tr, Bad) a program A subset X of L is a maximal inductive subset iff it is the largest subset of X such that A Maximal Inductive Subset is unique inductive invariants are closed under conjunction Cormac Flanagan, K. Rustan M. Leino: Houdini, an Annotation Assistant for ESC/Java. FME 2001:

16 Synthesizing Safe Bit-Precise Invariants Gurfinkel, Belov, Marques-Silva © 2014 Carnegie Mellon University Minimal Unsatisfiable Subset Let  be a formula and A = {a 1, …, a n } be atomic propositions occurring negatively in  Assume  Æ a 1 Æ  Æ a n is UNSAT A minimal unsatisfiable subset (MUS) of  is the smallest subset X µ A such that  Æ X is UNSAT There are efficient algorithms for computing MUS (a.k.a. UNSAT core) for propositional formulas

17 Synthesizing Safe Bit-Precise Invariants Gurfinkel, Belov, Marques-Silva © 2014 Carnegie Mellon University Solving MIS via MUS Reduce MIS to multiple calls to MUS fresh propositional variables called once incremental SAT SAT MUS incremental SAT

18 Synthesizing Safe Bit-Precise Invariants Gurfinkel, Belov, Marques-Silva © 2014 Carnegie Mellon University Var-Equivalence Let A and B be two formulas Let X be a subset of propositional variables of A and B Definition: A and B are var-equivalent relative to X if and only if for any satisfying assignment ¿ of X, A¿ and B¿ are equisatisfiable Claim B2P(  ) is var-equivalent to  relative to X = {post i, pre i }

19 Synthesizing Safe Bit-Precise Invariants Gurfinkel, Belov, Marques-Silva © 2014 Carnegie Mellon University Implementation Misper is implemented in Python and relies on many external tools LLVM for handling C UFO-MUZ for LA invariants Boolector for B2P MUSer2 for MUS step in MIS Z3 for SMT and HORN

20 Synthesizing Safe Bit-Precise Invariants Gurfinkel, Belov, Marques-Silva © 2014 Carnegie Mellon University Results Summary 214 SAFE benchmarks from SVCOMP’2013 includes all non-trivial SAFE benchmarks All times are in seconds bit width inst.cntZ3/PDR #sol (avg/med) Misper #sol (avg/med) Cand #sol (avg/med) MIS #sol (avg/med) 32 all (127/8)174 (28/0.4)165 (8/0.4)9 (392/134) unsol (75/1)52 (22/0.7)6 (544/366) 16 all (176/8)182 (69/0.4)165 (8/0.4)17 (661/399) unsol (624/376)6 (50/21)12 (911/1,094)

21 Synthesizing Safe Bit-Precise Invariants Gurfinkel, Belov, Marques-Silva © 2014 Carnegie Mellon University Detailed Results (16 bits)

22 Synthesizing Safe Bit-Precise Invariants Gurfinkel, Belov, Marques-Silva © 2014 Carnegie Mellon University FrankenBit : Bit-Precise Verification w/ Many Bits M ISPER to synthesize bit-precise invariants LLBMC to search for counterexamples Silver and Bronze medals at SV-COMP

23 Synthesizing Safe Bit-Precise Invariants Gurfinkel, Belov, Marques-Silva © 2014 Carnegie Mellon University Related Work Cormac Flanagan, K. Rustan M. Leino: Houdini, an Annotation Assistant for ESC/Java. FME (the first?) algorithm for computing Maximal Inductive Subset Randal E. Bryant, Daniel Kroening, Joël Ouaknine, Sanjit A. Seshia, Ofer Strichman, Bryan A. Brady: Deciding Bit-Vector Arithmetic with Abstraction. TACAS sound under-approximation of bit-vector formulas by shrinking bit-width Alberto Griggio: Effective word-level interpolation for software verification. FMCAD mostly sound over-approximation of bit-vector formulas by arithmetic but, also uses unsound approximation followed by a sound check

24 Synthesizing Safe Bit-Precise Invariants Gurfinkel, Belov, Marques-Silva © 2014 Carnegie Mellon University Conclusion Sound reasoning from unsound approximations Use Linear Arithmetic to guess good invariants Use efficient bit-vector decision procedures to validate invariants Use efficient propositional Minimal Unsatisfiable Subset extractor to find Maximal Inductive Subset Use inefficient bit-precise reasoning to complete the proof Works well on SV-COMP (non bit-vector specific) benchmarks probably because the properties are mostly bit-vector agnostic e.g., API usage in Linux Device Drivers Integrated in FrankenBit:

25 Synthesizing Safe Bit-Precise Invariants Gurfinkel, Belov, Marques-Silva © 2014 Carnegie Mellon University Future Work We have just scratched the surface… CounterExample Guided Approximation-Refinement Loop block a counterexample by partial bit-blasting partially embed bit-vectors into integer arithmetic Better approximations such as in related work, e.g., Griggio, and Bryant et al. Adapt lemmas account for bit-width, overflow, and upper bound e.g., replace x > 0 with x > 0 & x <= INT_MAX Tighter integration with fixedpoint solver

26 Synthesizing Safe Bit-Precise Invariants Gurfinkel, Belov, Marques-Silva © 2014 Carnegie Mellon University

27 Synthesizing Safe Bit-Precise Invariants Gurfinkel, Belov, Marques-Silva © 2014 Carnegie Mellon University Contact Information Arie Gurfinkel Senior Researcher SEI / CMU Telephone: U.S. Mail Software Engineering Institute Customer Relations 4500 Fifth Avenue Pittsburgh, PA USA Web Customer Relations Telephone: SEI Phone: SEI Fax: