
1  Combining Predicate and Numeric Abstraction for Software Model Checking
Arie Gurfinkel and Sagar Chaki
Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA 15213
© 2006 Carnegie Mellon University

2  Combining PA and NA for Soft MC, Gurfinkel and Chaki, © 2006 Carnegie Mellon University
Automated Software Analysis
    Program  -->  Automated Analysis  -->  Correct / Incorrect
- Software Model Checking with Predicate Abstraction, e.g., Microsoft's SDV
- Abstract Interpretation with Numeric Abstraction, e.g., ASTREE, Polyspace

3  Predicate and Numeric Abstractions
Predicate Abstraction (PA) (e.g., SDV)
- Typical property: no lock is acquired twice
- Reduces program verification to propositional reasoning with a model checker
- Works well for control-driven programs, and poorly for data-driven programs
Numeric Abstraction (NA) (e.g., ASTREE)
- Typical property: no arithmetic overflow
- Reduces program verification to arithmetic reasoning
- Works well for data-driven programs, and poorly for control-driven programs
How to combine PA and NA to get the best of both?!

4  Outline
- Predicate and Numeric Abstraction for Program Analysis
  - Strengths and Weaknesses
  - An "Ideal" Combination
- PA+NA Combination
  - Abstract Transformers
  - Data Structures
- Experimental Results
- Current and Future Work

5  Predicate Abstraction: An Example
Program:
    assume (i=1 || i=2)
    if (i = 1) x1 := i;
    else if (i = 2) x2 := -4;
    if (i = 1) assert (x1 > 0);
    else if (i = 2) assert (x2 < 0);
Predicates: p1: i=1, p2: i=2, p3: x1>0, p4: x2<0
Predicate Abstraction:
    assume (p1 || p2)
    if (p1) p3 := ch(p1||p2, false);
    else if (p2) p4 := true;
    if (p1) assert (p3);
    else if (p2) assert (p4);
Meaning of p := ch(tt, ff):
    if (tt) p := 1;
    else if (ff) p := 0;
    else p := *;

6  Analysis with Predicate Abstraction
Predicates: p1: i=1, p2: i=2, p3: x1>0, p4: x2<0
Abstract program annotated with the abstract state { ... } at each point:
    { p1 || p2 }                          after assume (p1 || p2)
    if (p1)
        { p1 }
        p3 := ch(p1||p2, false);
        { p1 && p3 }
    else if (p2)
        { !p1 && p2 }
        p4 := true;
        { !p1 && p2 && p4 }
    { p1&&p3 || !p1&&p2&&p4 }             join of the two branches
    if (p1)      { p1 && p3 }   assert (p3);
    else if (p2) { p2 && p4 }   assert (p4);

7  Predicate Abstraction: Strengths/Weaknesses
Strengths
- Works well for control-dependent properties
- Completely automated
- Predicates can come from any theory that has an automated (semi-)decision procedure
- Supports any Boolean combination of predicates
- Compatible with CounterExample Guided Abstraction Refinement
Weaknesses
- Scalability (construction and analysis)
- Restricted to finite abstract domains

8  Numeric Abstract Interpretation
- Analysis is restricted to a fixed Abstract Domain
- An Abstract Domain is "a restricted (possibly infinite) set of predicates" + efficient operations
Examples of Numeric Abstract Domains
- Signs: x < 0, x = 0, x > 0
- Intervals: c1 <= x <= c2, where c1, c2 are constants
- Octagons: ±x ± y <= c, where c is a constant
- Polyhedra: a1 x1 + a2 x2 + a3 x3 + a4 <= 0, where a1, a2, a3, a4 are constants

9  AbsDom Interface
    interface AbsDom(V)
      A -- abstract elements, E -- expressions, S -- statements
      α     : E → A            γ     : A → E
      meet  : A x A → A        join  : A x A → A
      isTop : A → bool         isBot : A → bool
      leq   : A x A → bool     widen : A x A → A
      αPost : S → (A → A)
All operations are over-approximations, e.g.,
    γ(a) || γ(b)  =>  γ(join(a, b))
    γ(a) && γ(b)  =>  γ(meet(a, b))

10  Example: The Domain of Intervals
    Operations                                        Examples
    α(1 <= x <= 10) = (1, 10)
    γ((1, 10)) = 1 <= x <= 10
    (a, b) meet (c, d) = (max(a,c), min(b,d))         (1, 10) meet (2, 12) = (2, 10)
    (a, b) join (c, d) = (min(a,c), max(b,d))         (1, 3) join (7, 12) = (1, 12)   (over-approx)
    αPost(x := x + 1)((a, b)) = (a+1, b+1)            (1, 10) + 1 = (2, 11)
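As an added example (Python, not the authors' Java implementation), the interval operations from this slide together with widen from the AbsDom interface, run on a counting loop with and without widening: widening makes the fixpoint iteration finish in two steps on this infinite domain, at the price of the precision loss the later slides mention. The loop program and the iteration scheme are my own constructed illustration.

```python
from math import inf

# Interval domain for one variable: an element is (lo, hi); None is bottom.
def meet(a, b):
    if a is None or b is None:
        return None
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else None

def join(a, b):
    if a is None or b is None:
        return a if b is None else b
    return (min(a[0], b[0]), max(a[1], b[1]))

def widen(a, b):
    # Keep a bound only if it is already stable, otherwise push it to ±inf.
    # This guarantees termination, but forgets how far the bound really moves.
    if a is None:
        return b
    return (a[0] if a[0] <= b[0] else -inf, a[1] if a[1] >= b[1] else inf)

def post_add(a, c):
    # alphaPost(x := x + c) on an interval
    return None if a is None else (a[0] + c, a[1] + c)

def analyze_loop(use_widen):
    """Constructed program: x := 0; while (x < 100) x := x + 1.
    Returns (loop invariant, state at loop exit, number of iterations)."""
    init, guard, exit_guard = (0, 0), (-inf, 99), (100, inf)
    inv, steps = init, 0
    while True:
        steps += 1
        body = post_add(meet(inv, guard), 1)   # one more trip around the loop
        new = join(init, body)                 # all states reaching the loop head
        if use_widen:
            new = widen(inv, new)
        if new == inv:                         # fixpoint: leq holds both ways
            return inv, meet(inv, exit_guard), steps
        inv = new
```

Without widening the invariant (0, 100) needs 101 joins and yields the exact exit state x = 100; with widening two iterations give (0, inf) and the exit state 100 <= x, which is sound but weaker.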

11  Analysis with Intervals NA (1)
Program annotated with the interval state { ... } at each point:
    { 1 <= i <= 2 }                               after assume (i=1 || i=2)
    if (i = 1)      { i=1 }   x1 := i;            { i=1 && x1=1 }
    else if (i = 2) { i=2 }   x2 := -4;           { i=2 && x2=-4 }
    { 1 <= i <= 2 }                               join of the two branches
    if (i = 1)      { i=1 }   assert (x1 > 0);
    else if (i = 2) { i=2 }   assert (x2 < 0);
The join of the two branches keeps only 1 <= i <= 2; the facts x1=1 and x2=-4 are lost, so neither assertion can be proved.

12  Analysis with Intervals NA (2)
    if (3 <= y1 <= 4) { x1 := y1-2; x2 := y1+2; }        { 3 <= y1 <= 4, 1 <= x1 <= 2, 5 <= x2 <= 6 }
    else if (3 <= y2 <= 4) { x1 := y2-2; x2 := y2+2; }   { 3 <= y2 <= 4, 1 <= x1 <= 2, 5 <= x2 <= 6 }
    else return;
    { 1 <= x1 <= 2, 5 <= x2 <= 6 }                       join of the two branches
    assert (5 <= x1 + x2 <= 10);
Here the join keeps the bounds on x1 and x2, which give 6 <= x1 + x2 <= 8, so the assertion is proved.

13  Strengths/Weaknesses of Numeric Abstraction
Strengths
- Fully automated
- Scalable
- Supports infinite abstract domains
- (Supports) automated refinement
Weaknesses
- Limited to a few theories (intervals, octagons, polyhedra)
- Restricted to conjunctions of terms
- Loses precision very quickly (join, widen, etc.)

14  "Ideal" Combination of PA + NA
Program:
    assume (x1 = x2);
    if (A[y1+y2] = 3) { x1 := y1 - 2; x2 := y2 + 2; }
    else A[x1+x2] := 5;
    if (A[x1+x2] = 3) { x1 := x1 + x2; x2 := x2 + y1; }
    assert (x1 = x2)
Predicates: p: A[y1+y2]=3, q: A[x1+x2]=3

15  Abstract with Predicates
Predicates: p: A[y1+y2]=3, q: A[x1+x2]=3
Program abstracted with p and q (numeric variables are kept concrete):
    assume (x1 = x2);
    if (p) { x1 := y1 - 2 && q := *;
             x2 := y2 + 2 && q := ch((x1=y1-2) && p, f) }
    else q := false;
    if (q) { x1 := x1 + x2; x2 := x2 + y1; }
    assert (x1 = x2)

16  Analyzing with PA + NA
Predicates: p: A[y1+y2]=3, q: A[x1+x2]=3
Abstract program annotated with the combined state { ... } at each point:
    { x1=x2 }
    if (p)
        { p && x1=x2 }
        x1 := y1 - 2 && q := *;
        { p && x1=y1-2 }
        x2 := y2 + 2 && q := ch((x1+2 = y1) && p, f)
        { p && x1=y1-2 && x2=y2+2 && q }
    else
        q := false;
        { !p && !q && x1=x2 }
    { p && x1=y1-2 && x2=y2+2 && q || !p && !q && x1=x2 }
    if (q)
        { p && x1=y1-2 && x2=y2+2 && q }
        x1 := x1 + x2;
        { p && x1=y1+y2 && x2=y2+2 && q }
        x2 := x2+y1-2;
        { p && x1=y1+y2 && x2=y2+y1 && q }
    assert (x1 = x2)

17  Grammar for Our Abstract Transformer
    τ    ::= (e ? τ_N) && τ_P
           | τ || τ                 (nondet)
           | τ ; τ                  (sequence)
    e    ::= boolean expression over predicate and numeric terms
    τ_P  ::= p := ch(e, e)
           | τ_P && τ_P             (parallel)
    τ_N  ::= assignment to numeric terms

18  Transformer Examples
Predicates: p1: z=&x, p2: z=&y, p3: y=1
    Concrete Transformer             Abstract Transformer
    assume (*z > 0)                  (p1 && x>0 || p2 && y>0 || !p1 && !p2) ? skip
    *z = u + 1                       (p1 ? x := u+1) || (p2 ? y := u+1) || (!p1 && !p2 ? skip)
    y = x && x = (y-1 ? v : w)       (p3 ? x := v || !p3 ? x := w) && p3 := ch(x=1, x!=1)

19  Overview of Our 4 Data Structures
    Name       Example                                        Num. Terms
    NEXPoint   (p || q) && (0 <= x <= 5)                      Explicit
    NEX        (p && 0<=x<=3) || (!p && 1<=x<=5)              Explicit
    MTBDD      (p && 0<=x<=3) || (!p && 1<=x<=5)              Symbolic
    NDD        (p && (x=0 || x=3)) || (!p && (x=1 || x=5))    Symbolic

20  NEXPoint
NEXPoint elements are pairs (P, N):
- P: a BDD over the predicates
- N: an element of the numeric abstract domain
All operations are pairwise.

21  Numeric EXplicit (NEX)
- NEX elements are lists of NEXPoints [(P1, N1), ..., (Pk, Nk)]
- satisfying the partitioning condition: Pi ∩ Pj = { } for i ≠ j
- Operations are done using NEXPoint, but respect the partitioning condition
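As an added example (Python, not the authors' Java implementation), a box domain (one interval per variable) used once on its own and once inside a NEX partitioned by the predicate valuation, both run on the program of slide 11: the plain numeric join forgets which branch set x1 and x2, while the NEX keeps the p1 and p2 cells apart and both assertions follow. The dict-based encodings of boxes and of the NEX partition are my own.

```python
from math import inf

# Box: dict var -> (lo, hi); a missing var is unconstrained, None is bottom.
# NEX: dict from predicate valuation (frozenset of true predicates) to a box;
# distinct keys describe disjoint predicate states: the partitioning condition.
def box_get(b, v):
    return b.get(v, (-inf, inf))

def box_meet(a, b):
    if a is None or b is None:
        return None
    out = {}
    for v in a.keys() | b.keys():
        lo = max(box_get(a, v)[0], box_get(b, v)[0])
        hi = min(box_get(a, v)[1], box_get(b, v)[1])
        if lo > hi:
            return None                  # empty intersection: bottom
        out[v] = (lo, hi)
    return out

def box_join(a, b):
    # Pointwise interval join over both boxes (inputs are non-bottom here).
    return {v: (min(box_get(a, v)[0], box_get(b, v)[0]),
                max(box_get(a, v)[1], box_get(b, v)[1])) for v in a.keys() | b.keys()}

def box_entails(b, v, lo, hi):
    # Does every state of b satisfy lo <= v <= hi?  Bottom entails anything.
    return b is None or (lo <= box_get(b, v)[0] and box_get(b, v)[1] <= hi)

def nex_join(a, b):
    # Same valuation: join the boxes. Different valuations: keep them apart.
    out = dict(a)
    for pv, box in b.items():
        out[pv] = box_join(out[pv], box) if pv in out else box
    return out

def slide11_branches():
    # assume (i=1 || i=2); if (i = 1) x1 := i; else if (i = 2) x2 := -4;
    entry = {"i": (1, 2)}
    br1 = dict(box_meet(entry, {"i": (1, 1)}), x1=(1, 1))     # x1 := i, i = 1
    br2 = dict(box_meet(entry, {"i": (2, 2)}), x2=(-4, -4))   # x2 := -4
    return br1, br2

def prove_slide11(use_nex):
    # Returns (x1 > 0 proved under i = 1, x2 < 0 proved under i = 2).
    br1, br2 = slide11_branches()
    p1, p2 = frozenset({"p1"}), frozenset({"p2"})            # p1: i=1, p2: i=2
    if use_nex:
        merged = nex_join({p1: br1}, {p2: br2})                # cells stay separate
        at1, at2 = merged[p1], merged[p2]
    else:
        merged = box_join(br1, br2)                            # one box for both
        at1, at2 = box_meet(merged, {"i": (1, 1)}), box_meet(merged, {"i": (2, 2)})
    return box_entails(at1, "x1", 1, inf), box_entails(at2, "x2", -inf, -1)
```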

22  The Partitioning Condition
    (Figure: diagram of the predicate space split into cells labelled p, !p, q, !q, with numeric elements x>0 and y>0.)

23  Multi-Terminal Numeric Decision Diagrams (MTNDD)
- MTNDD elements are Decision Diagrams with Numeric values at the terminals
Example: predicates p1: x>0, p2: z<y; BDD variables b1: p1, b2: p2
    Element: p1 && !p2 && (x>0) && (x=y), with the numeric terminal x>0 && x=y
    (1-edges are black, 0-edges are red; edges to the 0 node are not shown)

24  Numeric Decision Diagrams (NDD)
- NDD elements are BDDs over Predicate and Numeric Terms
Example: predicates p1: x>=0, p2: z>0
    (p1 && p2) || (x<0 && y=z)
    normalize to: (x>=0 && z>0) || (!(x>=0) && y=z)
    BDD variables: b1: x>=0, b2: z>0, b3: y=z
    (1-edges are black, 0-edges are red; edges to the 0 node are not shown)

25  Summary of the Data Structures
    Columns: Precision | Scalability | PA alone | NA alone | Prop Op | Num Op
    NEXPoint   - + + +
    NEX        + - + + + -
    MTNDD      + - + + + -
    NDD        + + + + -  - -

26  Experimental Results
- Java implementation
- Numeric domains implemented on top of the Apron library
- Synthetic examples used to validate specific conjectures
  - NEX & MTNDD better than NDD when numeric joins are exact, since NDD uses exact unions while the others use the numeric join
  - NDD better than the others when invariants are propositionally complex, since NDD has the most sharing capability
- Realistic examples used to gauge overall performance
  - Total 11 examples: Zitser buffer overflow (3), OpenSSL (2), metal-casting plant controller (4), Micro-C OS (2)

27  Experimental Results (all times are in seconds)
    Domain      #Exp.   Total   Gamma   Join   alphaPost   Image
    Numeric       7       5.7    1.5    0.4      0.5        0.3
    Predicate     9     133.0    0.1     -       0.5        0.1
    NEXPoint     10      19.0    0.8    0.9      4.5        5.0
    NEX          11      25.6    0.9    2.6      4.5        6.3
    MTNDD        11      35.3    0.03   0.6      2.7       20.4
    NDD          11      23.7    0.06   0.4      2.0       10.2

28  Related Work
- Abstract Interpretation [CC'92]: our domain ≈ reduced direct product of Predicate and Numeric domains
- Jain et al. [CAV'06]: applies numeric invariants to simplify predicate abstraction; weaker than NEXPoint
- Fischer et al. [FSE'05], Beyer et al. [CAV'07, CAV'06]: predicate abstraction + abstract domain; similar to NEXPoint, but with simpler transfer functions
- Bultan et al. [TOSEM'00]: MC of programs with Boolean and numeric variables using the Omega library; similar to NEX, but with simpler transfer functions

29  Current and Future Work
- We are working on a more comprehensive benchmark suite
- Need automated abstraction-refinement for PA + NA
- In the current implementation, the abstract domain is treated as a black box. We are exploring a tighter integration between predicate and numeric domains: smarter numeric transfer functions, smarter DD variable ordering, etc.
