Presentation is loading. Please wait.

Presentation is loading. Please wait.

Counterexample-Guided Focus TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAA A A A AA A A Thomas Wies Institute of.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Counterexample-Guided Focus TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAA A A A AA A A Thomas Wies Institute of."— Presentation transcript:

1 Counterexample-Guided Focus TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAA A A A AA A A Thomas Wies Institute of Science and Technology (IST) Austria joint work with Andreas Podelski University of Freiburg

2 Motivation public void filter(Predicate p) /*: requires "p  null" modifies content ensures "content = old content Å (pred p)" */ { Node e = root; while (e != null) { Node c = e; e = e.next; if (!p.contains(c.data)) { if (c.prev == null) { e.prev = null; root = e; } else { c.prev.next = e; e.prev = c; } next prev next prev root Verify complex properties of heap-manipulating programs :p:p p p p e c Quantified properties data structure invariants 8 x. next(prev(x)) = x functional correctness 8 x. next*(root,x) $ (old next)*(root, x) Æ x 2 pred(p)

3 Verification of Safety Properties reachable states state space error states safe invariant

4 Existing tools: SLAM, BLAST, ARMC, MAGIC, … Software Model Checking P 1 ´ x · 0 P 2 ´ y>0 … P1ÆP2Æ…P1ÆP2Æ… reachable states error states state space generic approach offers high degree of automation (through use of automated reasoning techniques)

5 The Eternal Quest for the Right Precision/Efficiency Tradeoff reachable states error states reachable states Crucial problem in the verification of heap programs.

6 Goal: Adapted Abstraction Fine-tune precision to the specific verification task. error states reachable states

7 Boolean Heaps [Podelski, Wies SAS’05] Use idea of [Sagiv, Reps, Wilhelm 2002]: Partition heap according to a finite set of predicates. 0 7 3

8 Use idea of [Sagiv, Reps, Wilhelm 2002]: Partition heap according to a finite set of predicates. Boolean Heaps Abstract state 0 7 3 5 Abstract domain disjunctions of abstract states

9 Abstr. transformer for loop Most Precise Abstract Transformer

10 Abstr. transformer for loopInductive invariant for Verification succeeds! Most Precise Abstract Transformer

11 reachable states error states Precision-Efficiency Tradeoff Number of abstract states is doubly-exponential in number of predicates Most precise abstract transformer is impractical expensive to construct keeps track of irrelevant information Solution: apply additional abstraction

12 Cartesian Abstraction x y S S x £ S y SxSx SySy..., [Cousot, Cousot PPCA’95], [Ball, Podelski, Rajamani TACAS’01],… for abstracting sets of vectors

13 Cartesian Abstraction abstract states are sets of bit-vectors Cartesian abstraction applies abstr. transformer w/ Cartesian abstraction is efficiently implementable: –check entailments between QF formulas –number of entailment checks polynomial in number of predicates precise enough for many practical examples not precise enough for many practical examples

14 Abstract Transformer with Cartesian Abstraction Inductive invariant for Verification succeeds! 37 Inductive invariant for Verification fails! 07,

15 Focus Common recipe in shape analysis –start from coarse but efficient abstract transformer –adapt precision to each individual program statement and individual data structures (partial concretization / materialization / focus) Problem Fine-tuning precision uniformly makes analysis again too precise (i.e., often inefficient) Exciting research direction Parameterized focus that adapts abstract transformer to the individual verification tasks e.g. [Manevich et al., 2004, 2007, 2009]

16 Counterexample-Guided Focus Idea: take this direction to its logical extreme Fine-tune focus to the individual steps of the analysis of the individual verification task This fine-tuning must be automated. We use counterexamples for this purpose.

17 x y S S x £ S y SxSx SySy Loss of Precision under Cartesian abstraction splitting is guided by counterexamples

18 Effect of Counterexample-Guided Focus Inductive invariant for Verification succeeds! 37 Inductive invariant for Verification fails! 07

19 Nested Lazy CEGAR Loop outer loop refines abstract domain by inferring new predicates inner loop fine-tunes abstract transformer using counterexample-guided focus Progress theorem: every spurious counterexample is eventually eliminated

20 Implementation in the Tool Bohne (doubly-linked) lists lists with iterators sorted lists skip lists search trees trees w/ parent pointers threaded trees 6 3 9 1 5 4 first root Verified data structure implementations:

21 Implementation in the Tool Bohne absence of runtime errors shape invariants -acyclic -sharing-free -doubly-linked -parent-linked -threaded -sorted … partial correctness 6 3 9 1 5 4 first root Verified properties: Summary of Experiments no manual adaptation of abstract domain / abstract transformer required many examples fail without counterexample-guided focus number of explored abstract states is drastically reduced

22 Further Related Work Shape analysis three-valued shape analysis [Sagiv, Reps, Wilhelm 2002] –decision procedures in TVLA [Yorsh et al. 2004, …, Lev-Ami et al. 2006] –parameterized focus for concurrent programs [Manevich et al., 2004, 2007, 2009] … Predicate abstraction CE-guided refinement of abstract transformers [Das, Dill 2002] nested refinement for predicate abstraction [Ball et al. 2004] indexed predicate abstraction [Lahiri, Bryant 2004] lazy abstraction [Henzinger et al. 2002] lazy shape analysis [Beyer et al. 2006] Interpolants quantified Craig interpolants [McMillan 2008, Kovács, Voronkov 2009] abstractions from proofs [Henzinger et al. 2004] Template-based techniques [Gulwani et al. 2008, Srivastava, Gulwani 2009]

23 Conclusion Focus can be made effective in a CEGAR setting –CEGAR lazily applies focus –CEGAR drives fine-tuning of focus to the extreme CEGAR can be made effective for inferring quantified invariants because –focus provides progress of CEGAR and –focus provides precision needed for verifying practical examples Focus and CEGAR can be fruitfully integrated to enhance one another

24 Counterexample-Guided Focus analysis of abstract program produces spurious counterexamples spuriousness results from imprecise abstract transformer construct fine-tuned focus operator that locally adapts precision of abstract transformer –locally refine the abstract domain of the pre-image of the abstract transformer –locally refine the pre-image itself by splitting disjuncts below and above the universal quantifier –both refinements are guided by the spurious counterexample

25 Costs and Gains of Automation Comparison between TVLA and Bohne for various list-manipulating programs Checked properties: absence of runtime errors preservation of list structure (acyclicity, sharing freeness)

Download ppt "Counterexample-Guided Focus TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAA A A A AA A A Thomas Wies Institute of."

Similar presentations

Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.

Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.

Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.
Software Model Checking with SMT Ken McMillan Microsoft Research TexPoint fonts used in EMF: A A A A A.

Software Model Checking with SMT Ken McMillan Microsoft Research TexPoint fonts used in EMF: A A A A A.
TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A A AAA A A A AA A Proving that non-blocking algorithms don't block.

TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A A AAA A A A AA A Proving that non-blocking algorithms don't block.
Shape Analysis by Graph Decomposition R. Manevich M. Sagiv Tel Aviv University G. Ramalingam MSR India J. Berdine B. Cook MSR Cambridge.

Shape Analysis by Graph Decomposition R. Manevich M. Sagiv Tel Aviv University G. Ramalingam MSR India J. Berdine B. Cook MSR Cambridge.
Abstract Transformers for Thread Correlation Analysis Michal Segalov, TAU Tal Lev-Ami, TAU Roman Manevich, TAU G. Ramalingam, MSR India Mooly Sagiv, TAU.

Abstract Transformers for Thread Correlation Analysis Michal Segalov, TAU Tal Lev-Ami, TAU Roman Manevich, TAU G. Ramalingam, MSR India Mooly Sagiv, TAU.
1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)

1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)
Lecture #21 Software Model Checking: predicate abstraction Thomas Ball Testing, Verification and Measurement Microsoft Research.

Lecture #21 Software Model Checking: predicate abstraction Thomas Ball Testing, Verification and Measurement Microsoft Research.
Logic as the lingua franca of software verification Ken McMillan Microsoft Research TexPoint fonts used in EMF: A A A A A Joint work with Andrey Rybalchenko.

Logic as the lingua franca of software verification Ken McMillan Microsoft Research TexPoint fonts used in EMF: A A A A A Joint work with Andrey Rybalchenko.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.

A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.
Program Analysis as Constraint Solving Sumit Gulwani (MSR Redmond) Ramarathnam Venkatesan (MSR Redmond) Saurabh Srivastava (Univ. of Maryland) TexPoint.

Program Analysis as Constraint Solving Sumit Gulwani (MSR Redmond) Ramarathnam Venkatesan (MSR Redmond) Saurabh Srivastava (Univ. of Maryland) TexPoint.
The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.

The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.
Rahul Sharma Işil Dillig, Thomas Dillig, and Alex Aiken Stanford University Simplifying Loop Invariant Generation Using Splitter Predicates.

Rahul Sharma Işil Dillig, Thomas Dillig, and Alex Aiken Stanford University Simplifying Loop Invariant Generation Using Splitter Predicates.
Reduction in End-User Shape Analysis Dagstuhl - Typing, Analysis, and Verification of Heap-Manipulating Programs – July 24, 2009 Xavier Rival INRIA and.

Reduction in End-User Shape Analysis Dagstuhl - Typing, Analysis, and Verification of Heap-Manipulating Programs – July 24, 2009 Xavier Rival INRIA and.
Probabilistic CEGAR* Björn Wachter Joint work with Holger Hermanns, Lijun Zhang TexPoint fonts used in EMF. Read the TexPoint manual before you delete.

Probabilistic CEGAR* Björn Wachter Joint work with Holger Hermanns, Lijun Zhang TexPoint fonts used in EMF. Read the TexPoint manual before you delete.
Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar Shaz Qadeer.

Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar Shaz Qadeer.
Termination Proofs for Systems Code Andrey Rybalchenko, EPFL/MPI joint work with Byron Cook, MSR and Andreas Podelski, MPI PLDI’2006, Ottawa.

Termination Proofs for Systems Code Andrey Rybalchenko, EPFL/MPI joint work with Byron Cook, MSR and Andreas Podelski, MPI PLDI’2006, Ottawa.
Using Statically Computed Invariants Inside the Predicate Abstraction and Refinement Loop Himanshu Jain Franjo Ivančić Aarti Gupta Ilya Shlyakhter Chao.

Using Statically Computed Invariants Inside the Predicate Abstraction and Refinement Loop Himanshu Jain Franjo Ivančić Aarti Gupta Ilya Shlyakhter Chao.

Similar presentations

Ads by Google