Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Predicate Abstraction of ANSI-C Programs using SAT Edmund Clarke Daniel Kroening Natalia Sharygina Karen Yorav (modified by Zaher Andraus for presentation.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Predicate Abstraction of ANSI-C Programs using SAT Edmund Clarke Daniel Kroening Natalia Sharygina Karen Yorav (modified by Zaher Andraus for presentation."— Presentation transcript:

1 1 Predicate Abstraction of ANSI-C Programs using SAT Edmund Clarke Daniel Kroening Natalia Sharygina Karen Yorav (modified by Zaher Andraus for presentation in SWERVE only)

2 2 Predicate Abstraction of ANSI-C Programs using SAT Abstraction Refinement Loop Actual Program Boolean Program Model Checker Abstraction refinement Verification Initial Abstraction No error or bug found Spurious counterexample This talk: How to compute Boolean program from  Actual ANSI-C program  Set of predicates

3 3 Predicate Abstraction of ANSI-C Programs using SAT Example int main() { int i; i=0; while(even(i)) i++; } + p 1  i=0 p 2  even(i) = int main() { bool p1, p2; p1=TRUE; p2=TRUE; while(p2) { p1=p1?FALSE:nondet(); p2=!p2; }

4 4 Predicate Abstraction of ANSI-C Programs using SAT Problem Abstraction function (predicates) Concrete Transition (basic block) Concrete next state Concrete state Abstract state Abstract next state Abstract Transition (basic block)

5 5 Predicate Abstraction of ANSI-C Programs using SAT Background How to create the initial predicates for abstraction? –(PVS) Manual! (Graf and Saidi, “Construction of abstract state graphs with PVS”) –(SLAM) Manual! (Ball, Majumdar, Millstein, Rajamani, “Automatic Predicate Abstraction of C Programs”) –(Clarke) Control-Driven! (Chaki, Clarke, Groce, Strichman, “Predicate Abstraction with Minimum Predicates”) (modified by Zaher Andraus for presentation in SWERVE only)

6 6 Predicate Abstraction of ANSI-C Programs using SAT Initial Abstract Machine (modified by Zaher Andraus for presentation in SWERVE only)

7 7 Predicate Abstraction of ANSI-C Programs using SAT Optimizations Eliminate Redundant Predicates (e.g. logically related) Dynamic Now we got the Predicates, we need to build the abstract machine! (modified by Zaher Andraus for presentation in SWERVE only)

8 8 Predicate Abstraction of ANSI-C Programs using SAT Existing Tools Basic idea: with n predicates, there are 2 n £ 2 n possible abstract transitions Eliminate “obviously wrong” transitions (e.g.: predicate about variable x changes, but basic block does not mention x ) Try some subset of these possible transitions using a theorem prover To be safe, remaining abstract transitions are added  Over-approximation

9 9 Predicate Abstraction of ANSI-C Programs using SAT Existing Tools: Example Predicates i++; Basic BlockFormula Current Abstract State Next Abstract State p1p1 p2p2 p3p3 000 001 010 011 100 101 110 111 p’ 1 p’ 2 p’ 3 000 001 010 011 100 101 110 111 ?? Query 

10 10 Predicate Abstraction of ANSI-C Programs using SAT Existing Tools: Example Predicates i++; Basic BlockFormula Current Abstract State Next Abstract State p1p1 p2p2 p3p3 000 001 010 011 100 101 110 111 p’ 1 p’ 2 p’ 3 000 001 010 011 100 101 110 111 Query ?? … and so on …

11 11 Predicate Abstraction of ANSI-C Programs using SAT Comment This takes care of unreachable abstract states (modified by Zaher Andraus for presentation in SWERVE only)

12 12 Predicate Abstraction of ANSI-C Programs using SAT What is the problem? Problem of existing tools:  Large number of expensive theorem prover calls – slow  Over-approximation yields additional, unnecessary spurious counterexamples  Theorem prover works on natural numbers, but ANSI-C uses bit-vectors  false positives  Most theorem provers support only few operators (+, -, <, ≤, …), no bitwise operators  Very limited support for pointers, in particular pointer arithmetic

13 13 Predicate Abstraction of ANSI-C Programs using SAT Our Solution – use SAT solver! 1.Generate query equation with predicates as free variables

14 14 Predicate Abstraction of ANSI-C Programs using SAT Our Solution Single query for Theorem Prover Query for SAT

15 15 Predicate Abstraction of ANSI-C Programs using SAT Queries for Larger Basic Blocks i++; j=i; i=i*k; Basic Block Query for SAT Predicates ++ i 1 =i 0 +1; j 1 =i 1 ; i 2 =i 1 *k 0 ;

16 16 Predicate Abstraction of ANSI-C Programs using SAT Our Solution Use SAT solver! 1.Generate query equation with predicates as free variables 2.Transform equation into CNF using Bit Vector Logic One satisfying assignment matches one abstract transition 3.Obtain all satisfying assignments = most precise abstract transition relation Query for SAT

17 17 Predicate Abstraction of ANSI-C Programs using SAT Our Solution This solves two problems: 1.Now can do all ANSI- C integer operators, including *, /, %, <<, etc. 2.Sound with respect to overflow This solves two problems: 1.Now can do all ANSI- C integer operators, including *, /, %, <<, etc. 2.Sound with respect to overflow No more unnecessary spurious counterexamples! Use SAT solver! 1.Generate query equation with predicates as free variables 2.Transform equation into CNF using Bit Vector Logic One satisfying assignment matches one abstract transition 3.Obtain all satisfying assignments = most precise abstract transition relation

18 18 Predicate Abstraction of ANSI-C Programs using SAT Pointers Support for pointer expressions: 1.Address expression is translated into a bit vector with two components: oObject pointed at oInteger width offset within object (for arrays) 2.Supported operators: o&, *, [i] oPointer + Integer (increases offset) oPointer – Pointer oPointer rel Pointer, with rel one of,=, etc. 3.Check for illegal pointer operations added automatically oNULL reference, array bounds violation, etc…

19 19 Predicate Abstraction of ANSI-C Programs using SAT Pointers: Explanation… Paper p. 113-114 (modified by Zaher Andraus for presentation in SWERVE only)

20 20 Predicate Abstraction of ANSI-C Programs using SAT Control-Flow Statements Paper p. 117 (modified by Zaher Andraus for presentation in SWERVE only)

21 21 Predicate Abstraction of ANSI-C Programs using SAT The Set of Satisfying Assignments How do we obtain the set of all satisfying assignments? 1.This is a common problem – also needed for oImage computation / hardware verification oQBF solvers 2.Naïve approach: 1)Run SAT 2)If Satisfying assignment found then add blocking clause continue with 1)

22 22 Predicate Abstraction of ANSI-C Programs using SAT Performance How does the performance compare with existing approaches? 1.Runtime potentially exponential 2.Exponential part is inside SAT solver, instead of exponential number of Theorem Prover calls 3.SAT solver is not re-started; all the learning and pruning done by modern SAT solvers is retained between iterations. 4.All heuristics for “obvious” transitions are still applicable

23 23 Predicate Abstraction of ANSI-C Programs using SAT Performance Worst case: all possible assignments are satisfying Formula includes addition operator Runtime uncritical up to 2^14 assignments

24 24 Predicate Abstraction of ANSI-C Programs using SAT Performance More realistic experiment: two 32-bit variables, plus n predicates Various operators: +, <, shifting, xor, or, and, combinations thereof, … All predicates are affected by basic block Compare to 2 n £ 2 n potential theorem prover calls! No. of PredicatesRuntime (inexpensive) Runtime (with 32-bit * ) 40.03 s0.35 s 80.16 s7.20 s 162.76 s71.16 s 326.35 s512.72 s

25 25 Predicate Abstraction of ANSI-C Programs using SAT Performance Improvements Better than enumerating? 1.Approximation of set cover obtains small set of predicates that is actually required to cover the CNF 2.Analyze literal dependency graph to identify free variables Both techniques yield a set of abstract transitions

26 26 Predicate Abstraction of ANSI-C Programs using SAT Performance Improvements Expensive operators Instead of adding full clause structure for expensive operators such as %, /, *, make it uninterpreted, and add important properties as constraints:  Transitivity  Congruence Closure  Commutativity  Special cases (x/1=x, …)  Others: x/y, y>1  x>x/y etc.

27 27 Predicate Abstraction of ANSI-C Programs using SAT Future Work 1.Interval abstraction for floating point arithmetic 2.Experiments with full abstraction refinement loop: Evaluate effect of more precise abstraction 3.Try predicate abstraction to actually prove properties of computed values 4.Predicate abstraction for concurrent programs

Download ppt "1 Predicate Abstraction of ANSI-C Programs using SAT Edmund Clarke Daniel Kroening Natalia Sharygina Karen Yorav (modified by Zaher Andraus for presentation."

Similar presentations

Model Checking Base on Interoplation

Model Checking Base on Interoplation
Exploiting SAT solvers in unbounded model checking

Exploiting SAT solvers in unbounded model checking
Demand-driven inference of loop invariants in a theorem prover

Demand-driven inference of loop invariants in a theorem prover
Finding bugs: Analysis Techniques & Tools Symbolic Execution & Constraint Solving CS161 Computer Security Cho, Chia Yuan.

Finding bugs: Analysis Techniques & Tools Symbolic Execution & Constraint Solving CS161 Computer Security Cho, Chia Yuan.
Delta Debugging and Model Checkers for fault localization

Delta Debugging and Model Checkers for fault localization
Introduction to Formal Methods for SW and HW Development 09: SAT Based Abstraction/Refinement in Model-Checking Roberto Sebastiani Based on work and slides.

Introduction to Formal Methods for SW and HW Development 09: SAT Based Abstraction/Refinement in Model-Checking Roberto Sebastiani Based on work and slides.
Satisfiability Modulo Theories (An introduction)

Satisfiability Modulo Theories (An introduction)
SMT Solvers (an extension of SAT) Kenneth Roe. Slide thanks to C. Barrett & S. A. Seshia, ICCAD 2009 Tutorial 2 Boolean Satisfiability (SAT) ⋁ ⋀ ¬ ⋁ ⋀

SMT Solvers (an extension of SAT) Kenneth Roe. Slide thanks to C. Barrett & S. A. Seshia, ICCAD 2009 Tutorial 2 Boolean Satisfiability (SAT) ⋁ ⋀ ¬ ⋁ ⋀
SAT Based Abstraction/Refinement in Model-Checking Based on work by E. Clarke, A. Gupta, J. Kukula, O. Strichman (CAV’02)

SAT Based Abstraction/Refinement in Model-Checking Based on work by E. Clarke, A. Gupta, J. Kukula, O. Strichman (CAV’02)
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
On Solving Presburger and Linear Arithmetic with SAT Ofer Strichman Carnegie Mellon University.

On Solving Presburger and Linear Arithmetic with SAT Ofer Strichman Carnegie Mellon University.
1 Software Verification Computer Science Club, Steklov Math Institute Lecture 1 Natasha Sharygina The University of Lugano, Carnegie Mellon University.

1 Software Verification Computer Science Club, Steklov Math Institute Lecture 1 Natasha Sharygina The University of Lugano, Carnegie Mellon University.
Automatic Predicate Abstraction of C-Programs T. Ball, R. Majumdar T. Millstein, S. Rajamani.

Automatic Predicate Abstraction of C-Programs T. Ball, R. Majumdar T. Millstein, S. Rajamani.
Program Analysis as Constraint Solving Sumit Gulwani (MSR Redmond) Ramarathnam Venkatesan (MSR Redmond) Saurabh Srivastava (Univ. of Maryland) TexPoint.

Program Analysis as Constraint Solving Sumit Gulwani (MSR Redmond) Ramarathnam Venkatesan (MSR Redmond) Saurabh Srivastava (Univ. of Maryland) TexPoint.
SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:

SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:
1.7.2008 Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt.

Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt.
Using Statically Computed Invariants Inside the Predicate Abstraction and Refinement Loop Himanshu Jain Franjo Ivančić Aarti Gupta Ilya Shlyakhter Chao.

Using Statically Computed Invariants Inside the Predicate Abstraction and Refinement Loop Himanshu Jain Franjo Ivančić Aarti Gupta Ilya Shlyakhter Chao.
1 Model Checking, Abstraction- Refinement, and Their Implementation Based on slides by: Orna Grumberg Presented by: Yael Meller June 2008.

1 Model Checking, Abstraction- Refinement, and Their Implementation Based on slides by: Orna Grumberg Presented by: Yael Meller June 2008.
Interpolants [Craig 1957] G(y,z) F(x,y)

Interpolants [Craig 1957] G(y,z) F(x,y)
Modeling Data in Formal Verification Bits, Bit Vectors, or Words Randal E. Bryant Carnegie Mellon University.

Modeling Data in Formal Verification Bits, Bit Vectors, or Words Randal E. Bryant Carnegie Mellon University.

Similar presentations

Ads by Google