Download presentation
Presentation is loading. Please wait.
1
Lazy Abstraction Tom Henzinger Ranjit Jhala Rupak Majumdar Grégoire Sutre
2
2 Goals Verification of software safety properties C programs Application to systems software e.g. Check correct use of locks
3
3 How? Model checking Predicate Abstraction focus on essential properties decision procedures and BDDs Counterexample driven refinement
4
4 Outline Counterexample-driven refinement drawbacks Predicate Abstraction Lazy Predicate Abstraction intuitive description, example Discussion
5
5 SLAM review Predicate abstractor: C2bp C program Boolean program Model checker: Bebop on Boolean programs Predicate discovery: Newton counterexample guided refinement
6
Is ERROR reachable? Yes, path p No model check Return “No” 66 Is p feasible in P? No, explanationYes refine don’t know Return “Yes”, pReturn “don’t know” P B Is ERROR reachable? abstract Initial predicates
7
7 Related Work Microsoft SLAM project Abstractor: C code Boolean programs Model checker for boolean programs Predicate discovery and refinement [Clarke et al 00] Bandera Project at KSU …
8
8 Drawbacks Redo work at each iteration compute a brand new abstraction model-check this new abstraction what if the new inferred predicates are local? Does some unnecessary work No sharing of data structures
9
9 Our proposal Integrate the three phases Construct the abstraction on-the-fly driven by the reachability search Refine the abstraction on demand Locally, based on bad error paths Give control to the model checker
10
10 Outline Counterexample-driven refinement drawbacks Predicate Abstraction Lazy Predicate Abstraction intuitive description, example Discussion
11
11 Predicate abstraction Box: abstract variable valuation Region: cover of boxes P 1 : x = y P 3 : x z+1 P 2 : z = t + y P 4 : * u = x Variable value space :P1,:P2:P1,:P2 P 1, P 2 P 1, : P 2 : P 1, P 2 :P3:P4:P3:P4 :P3P4:P3P4 P3P4P3P4 P3:P4P3:P4
12
12 Abstract state graph Explicit control locations Abstract state: (control location, box) Conservative abstraction: computed using decision procedures defined as usual
13
13 Outline Counterexample-driven refinement drawbacks Predicate Abstraction Lazy Predicate Abstraction intuitive description, example Discussion
14
14 P 1, …, P k P’ 1, …, P’ h Lazy abstraction Symbolic model checking predicate abstraction on-the-fly post/pre Refinement by demand dynamic predicates Error-free closed sets of states are not checked again.
15
15 Reachability analysis (1) Forward symbolic reachability tree Nodes labeled by: (control location, abstract region) Edges labeled by program statements Post computed w.r.t {P 1, …, P k } decision procedure Refinement: {P 1, …, P k, P k+1, …, P k+h }
16
16 Untouched Reachability analysis (2) Refinement
17
17 Reachability analysis (3) Refinement Unmarked
18
18 Reachability analysis (4) Correctness independent from search order Optimization: union closed subtrees Why compute backwards from error? fewer marked nodes are unmarked General symbolic setting: regions
19
Q: Is Error Reachable ? void Example( ) { 1: do { old = new; // Get the write lock AcquireSpinLock(&DevExt writeListLock); [ acq = True] 2: if ( request && request status ) { 3: devExt WriteList = request next; // Release the lock ReleaseSpinLock(&DevExt writeListLock); [acq=False] irp = request irp; if ( request status > 0 ) { irp IoStatus.Status = STATUS-SUCCESS; irp IoStatus.Information = request Status; } else { irp IoStatus.Status =STATUS-UNSUCCESS; irp IoStatus.Information = request Status; } SmartDevFreeBlock(request); IoCompleteRequest(irp,DO_NO_INCREMENT); new++; 4: } 5: } while ( new != old ) ; // Release the lock 6: ReleaseSpinLock(&DevExt writeListLock); [ if (acq == False) then ERROR; ] } 1 2 4 5 6 Error7 ? ? ? 3
20
old = new; // Get the write lock AcquireSpinLock(&DevExt writeListLock); [ acq = True] ( request && request status ) ? devExt WriteList = request next; // Release the lock ReleaseSpinLock(&DevExt writeListLock); [acq=False] irp = request irp; if ( request status > 0 ) { irp IoStatus.Status = STATUS-SUCCESS; irp IoStatus.Information = request Status; } else { irp IoStatus.Status =STATUS-UNSUCCESS; irp IoStatus.Information = request Status; } SmartDevFreeBlock(request); IoCompleteRequest(irp,DO_NO_INCREMENT); new++; (new == old ) ? (acq == False ) ? > 1 acq 2 3 4 : acq 5 6 Err : acq Phase 1: Forward Search Set of Predicates: (acq = False) from Spec Reachability Analysis 1 2 4 5 6 Error7 ? ? ? 3
21
1 2 4 5 6 7 ? ? ? 3 old = new; // Get the write lock AcquireSpinLock(&DevExt writeListLock); [ acq = True] ( request && request status ) ? devExt WriteList = request next; // Release the lock ReleaseSpinLock(&DevExt writeListLock); [acq=False] irp = request irp; if ( request status > 0 ) { irp IoStatus.Status = STATUS-SUCCESS; irp IoStatus.Information = request Status; } else { irp IoStatus.Status =STATUS-UNSUCCESS; irp IoStatus.Information = request Status; } SmartDevFreeBlock(request); IoCompleteRequest(irp,DO_NO_INCREMENT); new++; (new == old ) ? (acq == False ) ? { : acq} { : acq Æ (new = old)} {acq Æ (new+1 =old)} { : acq Æ (new = old)} {acq Æ new+1=old} {acq Æ new+1=new} New Predicate for Refinement: (new=old) acq > 1 2 3 4 : acq 5 6 Err : acq Reachability Analysis Set of Predicates: (acq = False) from Spec Phase 2: CounterEx Guided Refinement
22
devExt WriteList = request next; // Release the lock ReleaseSpinLock(&DevExt writeListLock); [acq=False] irp = request irp; if ( request status > 0 ) { irp IoStatus.Status = STATUS-SUCCESS; irp IoStatus.Information = request Status; } else { irp IoStatus.Status =STATUS-UNSUCCESS; irp IoStatus.Information = request Status; } SmartDevFreeBlock(request); IoCompleteRequest(irp,DO_NO_INCREMENT); new++; old = new; // Get the write lock AcquireSpinLock(&DevExt writeListLock); [ acq = True] ( request && request status ) ? (new == old ) ? 1 2 4 5 6 Error7 ? ? ? 3 4 : acq Æ : (new=old) > 1 acq Æ (new=old) 2 3 5 : acq Æ : (new=old) 1 : acq Æ : (new=old) µ > 5 acq Æ (new=old) (new old ) ? 6 ? 1 ? (new == old ) ? 6 acq Æ (new=old) (acq == False ) ? Err7 acq Æ (new=old) : (acq == False ) ? Error is not reachable Reachability Analysis Set of Predicates: (acq = False), (new = old) Phase 1: Forward Search
23
23 Outcomes Error2 Error1 This lazy approach allows us to share work that we have done before Once the left part has been searched, we will never look at it again A different set of predicates, relevant only to the right part, may be used while searching it
24
24 Predicate discovery Keep substitutions explicit new variables operations appear explicitly Ask a proof of unsatisfiability Pick predicates appearing in the proof op 1 op 2 op 3 op 4
25
25 Region based Symbolic Model Checking Region datatype denote possibly infinite sets of values e.g. ({P 1, …, P k }, bdd) Boolean operations Set Op of operations Symbolic post / pre : R x Op R Focus operation (refinement)
26
26 Outline Counterexample-driven refinement drawbacks Predicate Abstraction Lazy Predicate Abstraction intuitive description, example Discussion
27
27 Tool architecture Control Flow Automaton Regions Operations Model checker
28
28 Development roadmap C program Control Flow Automaton Regions are predicate valuations BDD representation Model checker region-based algorithm Input: regions, pre, post
29
29 Discussion Search order: heuristics Pre/Post duality Acceleration of loops Memory usage: hashing? Application to: ( C programs) timed automata, hybrid systems SDL protocols
Similar presentations
© 2024 SlidePlayer.com Inc.
All rights reserved.