Localization and Register Sharing for Predicate Abstraction Himanshu Jain Franjo Ivančić Aarti Gupta Malay Ganai

Introduction Predicate abstraction  Abstracts data by keeping track of certain predicates  Each predicate given a boolean variable in abstract model  Scalability depends on choice and usage of predicates

Counterexample Guided Abstraction and Refinement Property Monitor C programs Static Analysis Abstraction Model check (DiVer) Analysis & Refinement  Discovered bug in software Certified code F-Soft

Motivation Computing predicate relationships is expensive Localization of predicates  Identify important predicates at each program location  Identify important predicate relationships

Some notation Spurious trace  Infeasible sequence of statements Predicate relationships  Example: (p1 Æ : p2), (p1’ $ p3) 1. x = m; 2. y = m; 3. assume (x != y);

Related work BLAST uses interpolation to find important predicates at each statement in spurious trace [Jhala et al., 04]  Localization of predicates  Interpolation produces “good” predicates? Syntactic program transformations for automatic abstraction [Namjoshi et al.] MAGIC tool [Chaki et al.]

Given a spurious trace s 1 ;….;s k Use weakest pre-conditions to identify important predicates at each statement s i Most predicate relationships obtained from refinement itself Our approach

Outline Introduction Localization of predicates Register Sharing Dedicated State Variables Experimental results

Abstraction 1 : x = ctr; 2 : y = ctr + 1; 3 : if (x = i-1){ 4 : if (y != i){ ERROR: } 1 : skip; 2 : skip; 3 : if (*){ 4 : if (*){ ERROR: } Abstract C programNo predicates available currently

Checking the abstract model 1 : skip; 2 : skip; 3 : if (*){ 4 : if (*){ ERROR: } No predicates available currently Is ERROR reachable? yes Abstract model has a path leading to error state

Concretization of abstract counterexample 1 : x = ctr; 2 : y = ctr + 1; 3 : assume(x == i-1) 4 : assume (y != i) 1 : skip; 2 : skip; 3 : if (*){ 4 : if (*){ ERROR: } Concrete trace

Simulation Does this correspond to a real bug? Spurious trace We use a SAT solver 1 : x = ctr; 2 : y = ctr + 1; 3 : assume(x == i-1) 4 : assume (y != i) Concrete trace Spurious Counterexample

Refinement 1 : x = ctr; 2 : y = ctr + 1; 3 : assume(x == i-1) 4 : assume (y != i) Spurious Counterexample y != i ctr + 1 != i x == i -1 ctr == i - 1 Localization information

Predicate relationships 1 : x = ctr; 2 : y = ctr + 1; 3 : assume(x == i-1) 4 : assume (y != i) Spurious Counterexample y != i ctr + 1 != i x == i -1 ctr == i - 1 Localization information ?

1: x = ctr; 2: y = ctr + 1; 3: if (x = i-1){ 4: if (y != i){ ERROR: } What happened so far 1: skip; 2: skip; 3: if (*){ 4: if (*){ ERROR: } Initial abstraction 1: x = ctr; 2: y = ctr + 1; 3: assume(x == i-1) 4: assume (y != i) Spurious counterexample y != i x == i -1 ctr + 1 != i x == i - 1 ctr + 1 != ictr == i - 1 Localization information

Computing new abstraction 1: x = ctr; 2: y = ctr + 1; 3: if (x = i-1){ 4: if (y != i){ ERROR: } Computing new abstraction 1: 2: 3: if ( ){ 4: if ( ){ ERROR: } y != i x == i -1 ctr + 1 != i x == i - 1 ctr + 1 != ictr == i - 1 Localization information y != i x == i -1ctr + 1 != i x == i - 1 ctr + 1 != ictr == i - 1 Localization information

1: x = ctr; 2: y = ctr + 1; 3: if (x = i-1){ 4: if (y != i){ ERROR: } Computing new abstraction 1: 2: 3: if ( ){ 4: if (b0){ ERROR: } Computing new abstraction y != i x == i -1ctr + 1 != i x == i - 1 ctr + 1 != ictr == i - 1 Localization information Boolean b0 : y != i

1: x = ctr; 2: y = ctr + 1; 3: if (x = i-1){ 4: if (y != i){ ERROR: } Computing new abstraction 1: 2: 3: if (b1){ 4: if (b0){ ERROR: } Computing new abstraction y != i x == i -1ctr + 1 != i x == i - 1 ctr + 1 != ictr == i - 1 Localization information Boolean b1 : x==i-1 Boolean b0 : y != i

1: x = ctr; 2: y = ctr + 1; 3: if (x = i-1){ 4: if (y != i){ ERROR: } Computing new abstraction 1: 2: b0 = b2; 3: if (b1){ 4: if (b0){ ERROR: } Computing new abstraction y != i x == i -1ctr + 1 != i x == i - 1 ctr + 1 != ictr == i - 1 Localization information Boolean b2 : ctr+1 != i Boolean b1 : x == i-1 Boolean b0 : y != i

1: x = ctr; 2: y = ctr + 1; 3: if (x = i-1){ 4: if (y != i){ ERROR: } Computing new abstraction 1: b1 = b3; 2: b0 = b2; 3: if (b1){ 4: if (b0){ ERROR: } Computing new abstraction y != i x == i -1 ctr + 1 != i x == i - 1 ctr + 1 != ictr == i - 1 Localization information Boolean b3 : ctr == i -1 Boolean b2 : ctr+1 != i Boolean b1 : x == i - 1 Boolean b0 : y != i No decision procedure used so far

1: x = ctr; 2: y = ctr + 1; 3: if (x = i-1){ 4: if (y != i){ ERROR: } Computing new abstraction 1: b1 = b3; 2: b0 = b2; 3: if (b1){ 4: if (b0){ ERROR: } Computing new abstraction y != i x == i -1 ctr + 1 != i x == i - 1 ctr + 1 != ictr == i - 1 Localization information Boolean b3 : ctr == i -1 Boolean b2 : ctr+1 != i Boolean b1 : x == i - 1 Boolean b0 : y != i What about initial values of b2 and b3? SAT-based predicate abstraction Kroening et al. Lahiri et al. ?

1: x = ctr; 2: y = ctr + 1; 3: if (x = i-1){ 4: if (y != i){ ERROR: } Computing new abstraction 1: b1 = b3; 2: b0 = b2; 3: if (b1){ 4: if (b0){ ERROR: } Computing new abstraction Boolean b3 : ctr == i -1 Boolean b2 : ctr+1 != i Boolean b1 : x == i - 1 Boolean b0 : y != i Global constraint: (b2 $ : b3) y != i x == i -1 ctr + 1 != i x == i - 1 ctr + 1 != ictr == i - 1 Localization information

Abstraction without register sharing 1: b1 = b3; 2: b0 = b2; 3: if (b1){ 4: if (b0){ ERROR: } Computing new abstraction Boolean b3 : ctr == i -1 Boolean b2 : ctr+1 != i Boolean b1 : x == i - 1 Boolean b0 : y != i Global constraint: (b2 $ : b3)

Model check 1: b1 = b3; 2: b0 = b2; 3: if (b1){ 4: if (b0){ ERROR: } Computing new abstraction Boolean b3 : ctr == i -1 Boolean b2 : ctr+1 != i Boolean b1 : x == i - 1 Boolean b0 : y != i Global constraint: (b2 $ : b3) ERROR is not reachable!

What have we covered so far Localize predicates using weakest pre-conditions Utilizing weakest pre-condition relationships Bottleneck  Model checking of abstraction without register sharing

Due to localization many predicates are useful only at a few program locations Reuse state variables for representing other predicates  Similar to register allocation Register sharing

Abstraction with register sharing y != i x == i -1 ctr + 1 != i x == i - 1 ctr + 1 != ictr == i - 1 Localization information y != i x == i -1 ctr + 1 != i x == i - 1 ctr + 1 != ictr == i - 1 Localization information b0 b2 b1 b3 Do we need 4 Boolean variables?

Abstraction with register sharing y != i x == i -1 ctr + 1 != i x == i - 1 ctr + 1 != ictr == i - 1 Localization information y != i x == i -1 ctr + 1 != i x == i - 1 ctr + 1 != ictr == i - 1 Localization information c0 c1 1: b1 = b3; 2: b0 = b2; 3: if (b1){ 4: if (b0){ ERROR: } Global constraint: (b2 $ : b3) 1: skip; 2: skip; 3: if (c1){ 4: if (c0){ ERROR: } Local constraint: (PC = 1) ! (c0 $ : c1) Without With b0 b2 b1 b3

Register sharing Reduces Boolean variables in the abstract model by register sharing Speeds up model checking of abstractions What’s next  Reducing number of refinement iterations

Problem with register sharing p p L1 L20 L2 L19 b1 b2 = 0 = 1 Spurious

Dedicated state variable p p L1 L20 L2 L19 b b

Dedicated state variables Initially each predicate is assigned a Boolean variable, which can be reused If a predicate is localized at many statements,  |{s: p 2 local(s)}| > TH for some threshold TH  p is assigned a dedicated state variable (not reused)  By having a low value of TH, we can discover globally useful predicates early Why this works?

Experimental Results TCAS (Traffic Alert and Collision Avoidance System)  Lines of code 1652  We checked 10 different safety properties  Non-trivial number of predicates needed for each property both by F-Soft and BLAST

F-Soft versus BLAST (craig 2 + predH7) F-Soft

Summary Localize predicates using weakest pre-conditions  Most predicate relationships obtained as by product  Faster and less coarse abstractions  Comparable to interpolation based techniques Model checking abstractions  Exploit localization information for reducing Boolean variables Reducing refinement iterations  Predict globally useful predicates early in abstraction refinement process

Questions?