Presentation is loading. Please wait.

Presentation is loading. Please wait.

Predicate Abstraction for Software and Hardware Verification Himanshu Jain Model checking seminar April 22, 2005.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Predicate Abstraction for Software and Hardware Verification Himanshu Jain Model checking seminar April 22, 2005."— Presentation transcript:

1 Predicate Abstraction for Software and Hardware Verification Himanshu Jain Model checking seminar April 22, 2005

2 Introduction Scalable software verification Properties  Array bounds check, division by zero  Pointer safety  Assertion checking  Lock and unlocking Focus on partial specifications

3 Predicate Abstraction Extract a finite state model from an infinite state system Used to prove assertions or safety properties Successfully applied for verification of C programs  SLAM (used in windows device driver verification)  MAGIC, BLAST, F-Soft

4 Example for Predicate Abstraction int main() { int i; i=0; while(even(i)) i++; } + p 1  i=0 p 2  even(i) = void main() { bool p1, p2; p1=TRUE; p2=TRUE; while(p2) { p1=p1?FALSE:nondet(); p2=!p2; } } PredicatesC programBoolean program [Ball, Rajamani ’01] [Graf, Saidi ’97]

5 Computing Predicate Abstraction How to get predicates for checking a given property? How do we compute the abstraction? Predicate Abstraction is an over-approximation  How to refine coarse abstractions

6 Counterexample Guided Abstraction Refinement loop C Program Abstract model Model Checker Abstraction refinement Verification Initial Abstraction No error or bug found Simulator Property holds Simulation sucessful Bug found Refinement Spurious counterexample

7 Abstraction 1 : x = ctr; 2 : y = ctr + 1; 3 : if (x = i-1){ 4 : if (y != i){ ERROR: } 1 : skip; 2 : skip; 3 : if (*){ 4 : if (*){ ERROR: } Abstract C programNo predicates available currently

8 Checking the abstract model 1 : skip; 2 : skip; 3 : if (*){ 4 : if (*){ ERROR: } Abstract model has a path leading to error state Is ERROR reachable? yes

9 Simulation 1 : x = ctr; 2 : y = ctr + 1; 3 : assume(x == i-1) 4 : assume (y != i) 1 : skip; 2 : skip; 3 : if (*){ 4 : if (*){ ERROR: } Does this correspond to a real bug? Not possible Concrete trace Check using a SAT solver

10 Refinement 1 : x = ctr; 2 : y = ctr + 1; 3 : assume(x == i-1) 4 : assume (y != i) 1 : skip; 2 : skip; 3 : if (*){ 4 : if (*){ ERROR: } Spurious Counterexample Initial abstraction

11 Refinement 1 : x = ctr; 2 : y = ctr + 1; 3 : assume(x == i-1) 4 : assume (y != i) 1 : skip; 2 : skip; 3 : if (*){ 4 : if (b0){ ERROR: } boolean b0 : y != i

12 Refinement 1 : x = ctr; 2 : y = ctr + 1; 3 : assume(x == i-1) 4 : assume (y != i) 1 : skip; 2 : skip; 3 : if (b1){ 4 : if (b0){ ERROR: } boolean b0 : y != i boolean b1 : x== i-1

13 Refinement 1 : x = ctr; 2 : y = ctr + 1; 3 : assume(x == i-1) 4 : assume (y != i) 1 : skip; 2 : b0 = b2; 3 : if (b1){ 4 : if (b0){ ERROR: } } boolean b0 : y != i boolean b1 : x== i-1 boolean b2 : ctr + 1 ! = i Weakest precondition of y != i

14 Refinement 1 : x = ctr; 2 : y = ctr + 1; 3 : assume(x == i-1) 4 : assume (y != i) 1 : b1 = b3; 2 : b0 = b2; 3 : if (b1){ 4 : if (b0){ ERROR: } boolean b0 : y != i boolean b1 : x== i-1 boolean b2 : ctr + 1 ! = i boolean b3: ctr == i -1

15 Refinement 1 : b1 = b3; 2 : b0 = b2; 3 : if (b1){ 4 : if (b0){ ERROR: } boolean b0 : y != i boolean b1 : x== i-1 boolean b2 : ctr + 1 ! = i boolean b3: ctr == i -1 b2 and b3 are mutually exclusive. b2 =1, b3 = 0 b2 =0, b3 = 1 What about initial values of b2 and b3? So system is safe!

16 Tools for Predicate Abstraction of C SLAM at Microsoft  Used for verifying correct sequencing of function calls in windows device drivers MAGIC at CMU  Allows verification of concurrent C programs  Found bugs in MicroC OS BLAST at Berkeley  Lazy abstraction, interpolation SATABS at CMU  Computes predicate abstraction using SAT  Can handle pointer arithmetic, bit-vectors F-Soft at NEC Labs  Localization, register sharing

17 Applications of Predicate Abstraction in Hardware Verification

18 System on chip design Increase in complexity Gate level (netlists) Structural Behavioral/RTL ………… Level Number of components 10E7 10E5 10E3 10E0 Abstraction System Level

19 Introduction Emergence of system design languages HardwareC, SpecC, Handel-C, and SystemC Based on C / C++ Allows joint modeling of both hardware and software components of a system Support for bit vectors, concurrency, synchronization, exception handling, timing

20 Verification support Most model-checkers used in hardware industry work at netlist level Higher abstraction levels offered by languages like SpecC or RTL Verilog are not yet supported Languages like SpecC are more closer to concurrent software Verification tools must reason about:  Programming languages constructs  Concurrency  Pointers, Objects  Bit vector operations like concatenation, extraction

21 Why predicate abstraction Many properties depend on relationship between registers, and not the values stored in them Predicate Abstraction  Keeps tracks of certain predicates on data  Successfully used in software verification Can handle larger designs

22 Abstraction-Refinement loop Verilog Program Abstract model Model Checker Abstraction refinement Verification Initial Abstraction No error or bug found Simulator Property holds Simulation sucessful Bug found Refinement Spurious counterexample

23 An example module main (clk) input clk; reg [10:0] x, y; initial x= 100, y= 200; always @ (posedge clk) begin x <= y; y <= x; end endmodule Property: AG (x = 100 or x = 200) Verilog program

24 Abstraction-Refinement loop Verilog Program Abstract model Model Checker Abstraction refinement Verification Initial Abstraction No error or bug found Simulator Property holds Simulation sucessful Bug found Refinement Spurious counterexample

25 Predicate Abstraction module main (clk) input clk; reg [10:0] x, y; initial x= 100, y= 200; always @ (posedge clk) begin x <= y; y <= x; end endmodule Property: AG (x = 100 or x = 200) Initial set of predicates: {x = 100, x = 200} Verilog program Word level predicates

26 Computing Most Precise Abstraction + x’ = y y’ = x + Current state Next state Equation passed to the SAT solver Transition Relation Computing abstract transitions

27 Obtain transitions Computing abstract transitions 10 00 01 11 … and so on …

28 Abstract Model module main (clk) input clk; reg [10:0] x, y; initial x= 100, y= 200; always @ (posedge clk) begin x <= y; y <= x; end endmodule Property: AG (x = 100 or x = 200) Initial set of predicates: {x = 100, x = 200} Verilog program Initial state Failure state 10 00 01 11

29 Abstraction-Refinement loop Verilog Program Abstract model Model Checker Abstraction refinement Verification Initial Abstraction No error or bug found Simulator Property holds Simulation sucessful Bug found Refinement Spurious counterexample

30 Model checking module main (clk) input clk; reg [10:0] x, y; initial x= 100, y= 200; always @ (posedge clk) begin x <= y; y <= x; end endmodule Verilog program Failure state 10 00 01 11 Initial state Abstract Model

31 Model checking module main (clk) input clk; reg [10:0] x, y; initial x= 100, y= 200; always @ (posedge clk) begin x <= y; y <= x; end endmodule Verilog program Failure state 10 00 01 11 Initial state Abstract Model Counterexample

32 Abstraction-Refinement loop Verilog Program Abstract model Model Checker Abstraction refinement Verification Initial Abstraction No error or bug found Simulator Property holds Simulation sucessful Bug found Refinement Spurious counterexample

33 u Counterexample in the abstract model s  (length = 1)  Each state is a valuation of h x = 100, x=200 i Simulation equation Simulation of the counterexample Initial values of the registers predicate values in the first state of the counterexample Transition relation predicate values in the second state of the counterexample equation is unsatisfiable So counterexample is spurious

34 Abstraction-Refinement loop Verilog Program Abstract model Model Checker Abstraction refinement Verification Initial Abstraction No error or bug found Simulator Property holds Simulation sucessful Bug found Refinement Spurious counterexample

35 Refinement u Let length of spurious counterexample be k u Take weakest pre-condition of property for k steps with respect to transition functions u Pick atomic predicates from weakest precondition

36 Refinement (x’ = 100 Ç x’ = 200) Holds after one step x’ = y y’ = x (y = 100 Ç y = 200) weakest precondition x’ = y y’ = x AG (x = 100 Ç x = 200) + Transition functions Property length =1 + spurious counterexample New predicates y = 100, y = 200

37 Abstract again module main (clk) input clk; reg [10:0] x, y; initial x= 100, y= 200; always @ (posedge clk) begin x <= y; y <= x; end endmodule Property: AG (x = 100 or x = 200) Updated set of predicates: {x = 100, x = 200, y=100, y=200} Verilog program 1001 0110 Initial state Model check New abstraction

38 Model checking module main (clk) input clk; reg [10:0] x, y; initial x= 100, y= 200; always @ (posedge clk) begin x <= y; y <= x; end endmodule Property: AG (x = 100 or x = 200) Updated set of predicates: {x = 100, x = 200, y=100, y=200} Verilog program 1001 0110 Initial state Property holds! New abstraction

39 Result module main (clk) input clk; reg [10:0] x, y; initial x= 100, y= 200; always @ (posedge clk) begin x <= y; y <= x; end endmodule Property: AG (x = 100 or x = 200) Verilog program Property holds!

40 Experimental results (VIS benchmarks) Benchmark Lines of code #Latches#Variables Veracity Time #Predicates#Iteration cachecoherence5494317049s259 mpeg decoder 1 121556780029s93 mpeg decoder 2 121556780047s94 SDLX8984181139s4330 Miim84183237 0.57s * 0.57s *42 PI-Bus1020312863 2.42s * 101 * Using lazy abstraction All use predicate partitioning

41 Bigger benchmarks Benchmark#Latches Veracity time Cadence SMV time ICU281.3s0.1s ICRAM2KB16427450.7s25s ICRAM4KB32796843.3sterminates ARITH1002023.5s182.4s ARITH2004029.6s2147s ARITH500100232.2stimeout ARITH10002002122.6stimeout

42 Tools u VCEGAR (Verilog Counterexample Guided Abstraction Refinement) at CMU s www.cs.cmu.edu/~modelcheck/vcegar

43 Questions

Download ppt "Predicate Abstraction for Software and Hardware Verification Himanshu Jain Model checking seminar April 22, 2005."

Similar presentations

A practical and complete approach to predicate abstraction Ranjit Jhala UCSD Ken McMillan Cadence Berkeley Labs.

A practical and complete approach to predicate abstraction Ranjit Jhala UCSD Ken McMillan Cadence Berkeley Labs.
Demand-driven inference of loop invariants in a theorem prover

Demand-driven inference of loop invariants in a theorem prover
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Abstraction in Model Checking Nishant Sinha. Model Checking Given a: –Finite transition system M –A temporal property p The model checking problem: –Does.

Abstraction in Model Checking Nishant Sinha. Model Checking Given a: –Finite transition system M –A temporal property p The model checking problem: –Does.
The Dafny program verifier

The Dafny program verifier
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
SAT Based Abstraction/Refinement in Model-Checking Based on work by E. Clarke, A. Gupta, J. Kukula, O. Strichman (CAV’02)

SAT Based Abstraction/Refinement in Model-Checking Based on work by E. Clarke, A. Gupta, J. Kukula, O. Strichman (CAV’02)
Verification of Evolving Software Natasha Sharygina Joint work with Sagar Chaki and Nishant Sinha Carnegie Mellon University.

Verification of Evolving Software Natasha Sharygina Joint work with Sagar Chaki and Nishant Sinha Carnegie Mellon University.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Lecture #21 Software Model Checking: predicate abstraction Thomas Ball Testing, Verification and Measurement Microsoft Research.

Lecture #21 Software Model Checking: predicate abstraction Thomas Ball Testing, Verification and Measurement Microsoft Research.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
1 Thorough Static Analysis of Device Drivers Byron Cook – Microsoft Research Joint work with: Tom Ball, Vladimir Levin, Jakob Lichtenberg,

1 Thorough Static Analysis of Device Drivers Byron Cook – Microsoft Research Joint work with: Tom Ball, Vladimir Levin, Jakob Lichtenberg,
1 Software Verification Computer Science Club, Steklov Math Institute Lecture 1 Natasha Sharygina The University of Lugano, Carnegie Mellon University.

1 Software Verification Computer Science Club, Steklov Math Institute Lecture 1 Natasha Sharygina The University of Lugano, Carnegie Mellon University.
Automatic Predicate Abstraction of C-Programs T. Ball, R. Majumdar T. Millstein, S. Rajamani.

Automatic Predicate Abstraction of C-Programs T. Ball, R. Majumdar T. Millstein, S. Rajamani.
Thomas Ball, Rupak Majumdar, Todd Millstein, Sriram K. Rajamani Presented by Yifan Li November 22nd In PLDI 01: Programming Language.

Thomas Ball, Rupak Majumdar, Todd Millstein, Sriram K. Rajamani Presented by Yifan Li November 22nd In PLDI 01: Programming Language.
Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer.

Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer.
Demonstration Of SPIN By Mitra Purandare

Demonstration Of SPIN By Mitra Purandare
The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.

The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.
Software Verification via Refinement Checking Sagar Chaki, Edmund Clarke, Alex Groce, CMU Somesh Jha, Wisconsin.

Software Verification via Refinement Checking Sagar Chaki, Edmund Clarke, Alex Groce, CMU Somesh Jha, Wisconsin.
Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar Shaz Qadeer.

Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar Shaz Qadeer.

Similar presentations

Ads by Google