Presentation is loading. Please wait.

Presentation is loading. Please wait.

Predicate Abstraction for Software Verification Cormac Flanagan Shaz Qadeer Compaq Systems Research Center.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Predicate Abstraction for Software Verification Cormac Flanagan Shaz Qadeer Compaq Systems Research Center."— Presentation transcript:

1 Predicate Abstraction for Software Verification Cormac Flanagan Shaz Qadeer Compaq Systems Research Center

2 POPL02 The Continuing Saga of Predicate Abstraction

3 Extended Static Checking Statically verify many correctness properties Type systems catch many errors –e.g. “Cannot multiply a number and a string” Would like to catch additional errors –e.g. “Array index out of bounds at line 10” And verify other correctness properties –assertions –object invariants –lightweight method specifications

4 Checking loops with ESC/Java /*@ loop_invariant i >= 0; loop_invariant 0 <= spot; loop_invariant spot <= MAXDIRENTRY; loop_invariant (\forall int j; 0 <= j && j < i && bdisk[addr].dirEntries[j].inum != DIRENTRY_UNUSED ==> bdisk[addr].dirEntries[j].name != name); loop_invariant (\forall int j; spot == MAXDIRENTRY && 0 bdisk[addr].dirEntries[j].inum != DIRENTRY_UNUSED); loop_invariant spot == MAXDIRENTRY || bdisk[addr].dirEntries[spot].inum == DIRENTRY_UNUSED; loop_invariant (\forall DirEntry t; t != de ==> t.name == \old(t.name)); loop_invariant (\forall DirEntry t; t != de ==> t.inum == \old(t.inum)); loop_invariant (\forall DirEntry t; t.inum == FS.DIRENTRY_UNUSED || (0 <= t.inum && t.inum < FS.IMAX)); */ for (i = 0; i < cwd.inode.length; i++) { GetDirEntry(de, addr, i); if (de.inum != DIRENTRY_UNUSED && de.name == name) { return ERROR; } if (de.inum == DIRENTRY_UNUSED && spot == MAXDIRENTRY) { spot = i; }

5 Loop invariants C; while e do B end Set of reachable states at loop head is a loop invariant! sp(C, p)p C

6 Concrete states I0I0 I1I1 I2I2 InIn... Abstract states J0J0 J1J1 J2J2 JnJn...  (I k ) = J k I k =  (J k ) Abstract interpretation Cousot-Cousot 77 Predicate abstraction Graf-Saidi 97

7 Computing loop invariants C; while e do X; Y; end { I0 =  (sp(C, true)) } { J0 =  (  (I0)  e) } { K0 =  (sp(X,  (J0))) } { L0 =  (sp(Y,  (K0))) }

8 Computing loop invariants C; while e do X; Y; end { I1 = I0  L0 } { J1 =  (  (I1)  e) } { K1 =  (sp(X,  (J1))) } { L1 =  (sp(Y,  (K1))) }

9 /*@ requires a!=null && b!=null && a.length==b.length ensures \result==a.length || b[\result] */ int find(int[] a, boolean[] b) { int spot = a.length; for (int i=0; i < a.length; i++) { if (spot==a.length && a[i] != 0) spot = i; b[i] = (a[i] != 0); } return spot; } Predicate abstraction example Ten predicates: a != null b != null a.length == b.length spot == a.length b[spot] spot < i 0 <= i i < a.length spot = i a[i] != 0

10 Computing loop invariants C; while e do X; Y; end { I0 =  (sp(C, true)) } { L0 =  (sp(“X;Y”,  (I0)  e)) }

11 Computing loop invariants C; while e do X; Y; end { I1 = I0  L0 } { L1 =  (sp(“X;Y”,  (I1)  e)) }

12 /*@ requires a!=null && b!=null && a.length==b.length ensures \result==a.length || b[\result] */ int find(int[] a, boolean[] b) { int spot = a.length; for (int i=0; i < a.length; i++) { if (spot==a.length && a[i] != 0) spot = i; b[i] = (a[i] != 0); } return spot; } Predicate abstraction example Seven predicates: a != null b != null a.length == b.length spot == a.length b[spot] spot < i 0 <= i i < a.length spot = i a[i] != 0

13 Computing loop invariants C; while e do X; Y; end { I0 =  (sp(C, true)) } H = havoc variables modified in X;Y P0 = “C;H;assume  (I0)  e;X;Y” { L0 =  (sp(P0, true)) }

14 Computing loop invariants C; while e do X; Y; end { I1 = I0  L0 } H = havoc variables modified in X;Y P1 = “C;H;assume  (I1)  e;X;Y” { L1 =  (sp(P1, true)) }

15 /*@ requires a!=null && b!=null && a.length==b.length ensures \result==a.length || b[\result] */ int find(int[] a, boolean[] b) { int spot = a.length; for (int i=0; i < a.length; i++) { if (spot==a.length && a[i] != 0) spot = i; b[i] = (a[i] != 0); } return spot; } Predicate abstraction example Four predicates: a != null b != null a.length == b.length spot == a.length b[spot] spot < i 0 <= i i < a.length spot = i a[i] != 0

16 /*@ requires a!=null && b!=null && a.length==b.length ensures (  int j; 0<=j && j<\result ==> !b[j]) */ int find(int[] a, boolean[] b) { int spot = a.length; for (int i=0; i < a.length; i++) { if (spot==a.length && a[i] != 0) spot = i; b[i] = (a[i] != 0); } return spot; } Predicate abstraction example

17 (  int j; 0 !b[j]) Invariant needed: First method: add predicate (  int j; 0 !b[j])  -quantified loop invariants Better method: add skolem constant int j add predicates 0<=j, j<i, j<spot, !b[j] infer 0 !b[j] Magic:  int j; 0 !b[j])

18 Heuristics for guessing predicates for (int i = 0; i < a.length; i++) a[i] = null; Loop targets: i, a[*] First set of predicates: i = \old(i) skolem_constant int sc Second set of predicates: 0 <= sc, sc < i, a[sc] != null Inferred invariant: i >= 0   int sc; 0 <= sc  sc < i  a[sc] == null

19 Javafe front end to ESC/Java annotated with lightweight specifications 45KLOC, 2418 routines, 520 loops no inference  warnings in 326 routines with inference  warnings in 31 routines several failing routines had array bound violations –not caught with loop unrolling

20 Computing abstraction function Compute –I 0 =  (sp(C, true)) –I n+1 = I n   (sp(“C;H;assume  (I n )  e;B”, true)) Problem: Given F compute  (F)  (F) = least boolean function G such that F   (G) C; {I?}while e do B end

21 Abstract state space Predicates { a, b, c, d } They generate an abstract space of size 2 4 = 16 F a  b a  b  a  b abab cdcd c  d  c  d cdcd State Space  (F)

22 Naïve method (slow!) Is F  a  b  c  d satisfiable? No! Can compute  (F) by asking 2 n such queries a  b a  b  a  b abab cdcd c  d  c  d cdcd F  (F) XXXX X X XX X XX

23 New method F  a  b  c  d ? No! a  b a  b  a  b abab cdcd c  d  c  d cdcd F  (F) XXXX X X XX X XX F  a  c  d ? No! F  c  d ? No! Removed 1/4 of state space in 3 queries! =  (  c   d)  (  a   c)  (  a   b)  ( c   d)

24 Other methods Das-Dill-Park 99 (DDP) Saidi-Shankar 99 (SS)

25 Experiments

26 Experiments (Javafe)

27 Related work Inferring/computing loop invariants –German-Wegbreit 75 –Katz-Manna 76 –Suzuki-Ishihata 77 Predicate abstraction –Graf-Saidi 97 –Bensalem-Lakhnech-Owre 98, Colon-Uribe 98 –Saidi-Shankar 99, Das-Dill-Park 99 –Ball-Majumdar-Millstein-Rajamani 2001 –Henzinger-Jhala-Majumdar-Sutre 2002

Download ppt "Predicate Abstraction for Software Verification Cormac Flanagan Shaz Qadeer Compaq Systems Research Center."

Similar presentations

Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.

Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
Extended Static Checking for Java Cormac Flanagan K. Rustan M. Leino Mark Lillibridge Greg Nelson James B. Saxe Raymie Stata Compaq SRC 18 June 2002 PLDI02,

Extended Static Checking for Java Cormac Flanagan K. Rustan M. Leino Mark Lillibridge Greg Nelson James B. Saxe Raymie Stata Compaq SRC 18 June 2002 PLDI02,
Demand-driven inference of loop invariants in a theorem prover

Demand-driven inference of loop invariants in a theorem prover
Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 0 Summer school on Formal Models.

Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 0 Summer school on Formal Models.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Modular and Verified Automatic Program Repair Francesco Logozzo, Thomas Ball RiSE - Microsoft Research Redmond.

Modular and Verified Automatic Program Repair Francesco Logozzo, Thomas Ball RiSE - Microsoft Research Redmond.
Using SMT solvers for program analysis Shaz Qadeer Research in Software Engineering Microsoft Research.

Using SMT solvers for program analysis Shaz Qadeer Research in Software Engineering Microsoft Research.
50.530: Software Engineering

50.530: Software Engineering
A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.

A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.
50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.

50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
The Java Modeling Language JML Erik Poll Digital Security Radboud University Nijmegen.

The Java Modeling Language JML Erik Poll Digital Security Radboud University Nijmegen.
Data Abstraction II SWE 619 Software Construction Last Modified, Spring 2009 Paul Ammann.

Data Abstraction II SWE 619 Software Construction Last Modified, Spring 2009 Paul Ammann.
Enforcing Sequential Consistency in SPMD Programs with Arrays Wei Chen Arvind Krishnamurthy Katherine Yelick.

Enforcing Sequential Consistency in SPMD Programs with Arrays Wei Chen Arvind Krishnamurthy Katherine Yelick.
JML and ESC/Java2: An Introduction Karl Meinke School of Computer Science and Communication, KTH.

JML and ESC/Java2: An Introduction Karl Meinke School of Computer Science and Communication, KTH.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
Dept. of Computer Science A Runtime Assertion Checker for the Java Modeling Language (JML) Yoonsik Cheon and Gary T. Leavens SERP 2002, June 24-27, 2002.

Dept. of Computer Science A Runtime Assertion Checker for the Java Modeling Language (JML) Yoonsik Cheon and Gary T. Leavens SERP 2002, June 24-27, 2002.
Rahul Sharma Işil Dillig, Thomas Dillig, and Alex Aiken Stanford University Simplifying Loop Invariant Generation Using Splitter Predicates.

Rahul Sharma Işil Dillig, Thomas Dillig, and Alex Aiken Stanford University Simplifying Loop Invariant Generation Using Splitter Predicates.
1.7.2008 Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt.

Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt.
Using Statically Computed Invariants Inside the Predicate Abstraction and Refinement Loop Himanshu Jain Franjo Ivančić Aarti Gupta Ilya Shlyakhter Chao.

Using Statically Computed Invariants Inside the Predicate Abstraction and Refinement Loop Himanshu Jain Franjo Ivančić Aarti Gupta Ilya Shlyakhter Chao.

Similar presentations

Ads by Google