Presentation is loading. Please wait.

Presentation is loading. Please wait.

© 2008 Carnegie Mellon University Combining Predicate and Numeric Abstraction for Software Model Checking Software Engineering Institute Carnegie Mellon.

Published byAileen Logan Modified over 8 years ago

Similar presentations

Presentation on theme: "© 2008 Carnegie Mellon University Combining Predicate and Numeric Abstraction for Software Model Checking Software Engineering Institute Carnegie Mellon."— Presentation transcript:

1 © 2008 Carnegie Mellon University Combining Predicate and Numeric Abstraction for Software Model Checking Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Arie Gurfinkel and Sagar Chaki

2 2 Combining PA and NA for Soft MC Gurfinkel and Chaki © 2008 Carnegie Mellon University Automated Software Analysis Program Automated Analysis Correct Incorrect Software Model Checking with Predicate Abstraction e.g., Microsoft’s SDV Abstract Interpretation with Numeric Abstraction e.g., ASTREE, Polyspace

3 3 Combining PA and NA for Soft MC Gurfinkel and Chaki © 2008 Carnegie Mellon University Predicate and Numeric Abstractions Predicate Abstraction (PA) (e.g., SDV) Typical property: no lock is acquired twice Program verification reduced to propositional reasoning with model checker Works well for control-driven programs Works poorly for data-driven programs Numeric Abstraction (NA) (e.g, ASTREE) Typical property: no arithmetic overflow Program verification reduced to arithmetic reasoning Works well for data-driven programs Works poorly for control-driven programs How to combine PA and NA to get the best of both? Precision Scalability NA PA Unrealistic

4 4 Combining PA and NA for Soft MC Gurfinkel and Chaki © 2008 Carnegie Mellon University Outline Predicate and Numeric Abstract for Program Analysis Strength and Weakness An “Ideal” Combination PA+NA Combination Abstract Transformers Data Structures Experimental Results Current and Future Work

5 5 Combining PA and NA for Soft MC Gurfinkel and Chaki © 2008 Carnegie Mellon University Predicate Abstraction: An Example Concrete Program p1:i=1 p2:i=2 p3:x1>0 p4:x2<0 Abstract Program assume (i=1 || i=2) if (i = 1) x1 := i; else if (i = 2) x2 := -4; if (i = 1) assert (x1 > 0); else if (i = 2) assert (x2 < 0); assume (p1 || p2) if (p1) p3 := ch(p1||p2,false); else if (p2) p4 := true if (p1) assert (p3); else if (p2) assert (p4); p := ch(tt,ff) if (tt) p := 1; else if (ff) p := 0; else p := *;

6 6 Combining PA and NA for Soft MC Gurfinkel and Chaki © 2008 Carnegie Mellon University Analysis with Predicate Abstraction p1:i=1 p2:i=2 p3:x1>0 p4:x2<0 Abstract Program assume (p1 || p2) if (p1) p3 := ch(p1||p2,false); else if (p2) p4 := true if (p1) assert (p3); else if (p2) assert (p4); p1 || p2 p1 p1&&p3 !p1&&p2&&p4 p1&&p3 || !p1&&p2&&p4 !p1&&p2 !p1&&p2&&p4 p1&&p3 Can prove safety

7 7 Combining PA and NA for Soft MC Gurfinkel and Chaki © 2008 Carnegie Mellon University Predicate Abstraction Strength/Weaknesses Strengths Works well for control-dependent properties Completely automated Predicates can come from any theory that has an automated (semi-)decision procedure Supports any Boolean combination of predicates Compatible with CounterExample Guided Abstraction Refinement Weaknesses Scalability (construction and analysis) Restricted to finite abstract domains

8 8 Combining PA and NA for Soft MC Gurfinkel and Chaki © 2008 Carnegie Mellon University Numeric Abstract Interpretation Analysis is restricted to a fixed Abstract Domain Abstract Domain ≡ “a (possibly infinite) set of predicates from a fixed theory” + efficient operations Examples of Numeric Abstract Domains Signs 0 0 Intervals c 1  x  c 2, where c 1,c 2 are a constants Octagons ± x ± y  c, where c is a constant Polyhedra a 1 x 1 + a 2 x 2 +a 3 x 3 + a 4  0, where a i are constants

9 9 Combining PA and NA for Soft MC Gurfinkel and Chaki © 2008 Carnegie Mellon University AbsDom Interface interface AbsDom(V) : V – set of variables A – abstract elements, E – expressions, S – statements α : E → A γ : A → E meet : A  A → A isTop : A → bool isBot : A → bool join : A  A → A leq : A  A → bool αPost : S → (A → A) widen : A  A → A All operations are over-approximations, e.g., γ (a) || γ (b)  γ ( join (a, b) ) γ (a) && γ (b)  γ (meet (a,b) )

10 10 Combining PA and NA for Soft MC Gurfinkel and Chaki © 2008 Carnegie Mellon University Example: The Domain of Intervals (1, 10) meet (2, 12) = (2,10) (1, 3) join (7, 12) = (1,12) 1  x  10 (1, 10) α γ 1  x  10 (a, b) meet (c, d) = (max(a,c), min(b,d)) (a, b) join (c, d) = (min(a,c),max(b,d)) α Post (x := x + 1) ((a, b)) = (a+1, b+1)(1, 10) + 1 = (2, 11) OperationsExamples over-approximation

11 11 Combining PA and NA for Soft MC Gurfinkel and Chaki © 2008 Carnegie Mellon University Numeric Abstraction: An Example Concrete Program assume (i=1 || i=2) if (i = 1) x1 := i; else if (i = 2) x2 := -4; if (i = 1) assert (x1 > 0); else if (i = 2) assert (x2 < 0); assume (i=1 || i=2) if (i = 1) x1 := i; else if (i = 2) x2 := -4; if (i = 1) assert (x1 > 0); else if (i := 2) assert (x2 < 0); Abstract Program Abstraction

12 12 Combining PA and NA for Soft MC Gurfinkel and Chaki © 2008 Carnegie Mellon University Analysis with Intervals NA (1) assume (i=1 || i=2) if (i = 1) x1 := i; else if (i = 2) x2 := -4; if (i = 1) assert (x1 > 0); else if (i := 2) assert (x2 < 0); 1 <= i <= 2 i=1 i=1 && x1=1 i=2 i=2 && x2=-4 1 <= i <= 2 i=1 i=2 Loss of precision due to join Cannot prove safety Abstract Program

13 13 Combining PA and NA for Soft MC Gurfinkel and Chaki © 2008 Carnegie Mellon University Analysis with Intervals NA (2) if (3 <= y1 <= 4) { x1 := y1-2; x2 := y1+2; } else if (3 <= y2 <= 4) { x1 := y2-2; x2 := y2+2; } else return; assert (5 <= x1 + x2 <= 10); 3 <= y1 <= 4 1 <= x1 <= 2 5 <= x2 <= 6 3 <= y2 <= 4 1 <= x1 <= 2 5 <= x2 <= 6 1<=x1<=2 5<=x2<=6 Using PA expensive! Abstract Program

14 14 Combining PA and NA for Soft MC Gurfinkel and Chaki © 2008 Carnegie Mellon University Strength/Weakness of Numeric Abstraction Strength Fully Automated Scalable Supports infinite abstract domains (Supports) Automated Refinement Weakness Limited to a few theories (intervals, octagons, polyhedra) Restricted to conjunctions of terms Looses precision very quickly (join, widen, etc.)

15 15 Combining PA and NA for Soft MC Gurfinkel and Chaki © 2008 Carnegie Mellon University Predicates: p: A[y1+y2]=3 q: A[x1+x2]=3 assume (x1 = x2); if (p) { x1 := y1 – 2 && q := *; x2 := y2 + 2 &&& q := ch ((x1=y1-2)&&p,f) } else q := false; if (q) { x1 := x1 + x2; x2 := x2+y1-2; } assert (x1 = x2) “Ideal” combination of PA + NA assume (x1 = x2); if (A[y1+y2] = 3) { x1 := y1 – 2; x2 := y2 + 2; } else A[x1+x2] := 5; if (A[x1+x2] = 3) { x1 := x1 + x2; x2 := x2+y1-2; } assert (x1 = x2) Predicates: p: A[y1+y2]=3, q: A[x1+x2]=3 Concrete ProgramAbstract Program Abstraction

16 16 Combining PA and NA for Soft MC Gurfinkel and Chaki © 2008 Carnegie Mellon University Abstract with Predicates p: A[y1+y2]==3 q: A[x1+x2]==3 “Ideal” combination of PA + NA assume (x1 = x2); if (A[y1+y2] = 3) { x1 := y1 – 2; x2 := y2 + 2; } else A[x1+x2] := 5; if (A[x1+x2] = 3) { x1 := x1 + x2; x2 := x2+y1-2; } assert (x1 = x2) assume (x1 = x2); if (p) { x1 := y1 – 2 && q := *; x2 := y2 + 2 &&& q := ch ((x1=y1-2)&&p,f) } else q := false; if (q) { x1 := x1 + x2; x2 := x2+y1-2; } assert (x1 = x2) Predicates: p: A[y1+y2]=3, q: A[x1+x2]=3 Concrete ProgramAbstract Program Abstraction Concrete transformer a.k.a. program statement Abstract transformer Parallel composition

17 17 Combining PA and NA for Soft MC Gurfinkel and Chaki © 2008 Carnegie Mellon University Analyzing with PA + NA assume (x1 = x2); if (p) { x1 := y1 – 2 && q := *; x2 := y2 + 2 &&& q := ch ((x1+2 = y1)&&p,f) } else q := false; if (q) { x1 := x1 + x2; x2 := x2+y1-2; } assert (x1 = x2) x1=x2 p && x1=x2 p && x1=y1-2 p && q && x1=y1-2 && x2=y2+2 !p && !q && x1=x2 p && q && x1=y1-2 && x2=y2+2 || !p && !q && x1=x2 p && q && x1=y1-2 && x2=y2+2 p && q && x1=y1+y2 && x2=y2+2 p && q && x1=y1+y2 && x2=y2+y1 && x1=x2 Predicates: p: A[y1+y2]=3, q: A[x1+x2]=3 p && q && x1=y1+y2 && x2=y2+y1 && x1=x2 || !p && !q && x1=x2 Abstract Program

18 18 Combining PA and NA for Soft MC Gurfinkel and Chaki © 2008 Carnegie Mellon University NumPredDom Interface interface NumPredDom(VN,VP) extends AbsDom VN – numeric variables, VP – predicates, e – conjunctive expression proj P (VP,e) = conjunction of predicates from VP s.t. e  proj P (VP,e) proj N (VN,e) = conjunction of constraints over VN s.t. e  proj N (VP,e) α P : E → A α N : E → Aunprime : A → A reduce : A → A exists : 2 VP  A → AαPost N : S → (A → A) Information Sharing between NA and PA: Factored out for efficiency Lift numeric-only abstract transformer Lift propositional-only abstract transformer Implementation-dependent. Influences precision and scalability.

19 19 Combining PA and NA for Soft MC Gurfinkel and Chaki © 2008 Carnegie Mellon University NumPredDom: Definition of α α(e1  e2) = meet ( α(e1), α(e2) ) α(e1  e2) = join ( α(e1), α(e2) ) α(e) = meet ( α P (proj P (VP  VP’, e)), α N (proj N (VN, e)) ) project abstract combine conjunctions disjunctions

20 20 Combining PA and NA for Soft MC Gurfinkel and Chaki © 2008 Carnegie Mellon University NumPredDom: Abstract Transformers v ::= numeric expression e ::= Boolean expression over predicate and numeric terms τ ::= τ N | τ a | τ c | τ P | τ NP | τ || τ | τ ; τ τ NP ::= (e ? τ N ) &&& τ P (numeric + predicate) τ P ::= p := ch (e, e) | τ P &&& τ P (predicate) τ c ::= e ? τ N (conditional) τ a ::= assume (e)(assume) τ N ::= x := v | τ N &&& τ N (numeric) sequence non-det base-case

21 21 Combining PA and NA for Soft MC Gurfinkel and Chaki © 2008 Carnegie Mellon University Transformer Examples Predicates: p 1 :z=&x, p 2 :z=&y, p 3 :y=1 Concrete Transformer Abstract Transformer assume (*z > 0)(p 1 &&x>0 || p 2 &&y>0 || !p 1 &&!p 2 )? skip *z = u + 1 (p 1 ? x := u + 1) || (p 2 ? y := u+1) || (!p 1 && !p 2 ? skip) y = x &&& x = (y-1? v : w) (p 3 ? x := v || !p 3 ? x := w) &&& p 3 := ch (x=1,x!=1)

22 22 Combining PA and NA for Soft MC Gurfinkel and Chaki © 2008 Carnegie Mellon University NumPredDom: Four Implementations NameValueExample Num. Terms NEXPoint 2 2^P  N (p||q) && (0 <= x <= 5) Explicit NEX2 P → N(p&& 0<=x<=3) || (!p && (1<=x<=5)) MTBDD2 P → N(p&& 0<=x<=3) || (!p && (1<=x<=5)) Symbolic NDD2 P → 2 N (p && (x=0 || x=3)) || (!p && (x=1 || x=5)) Precision

23 23 Combining PA and NA for Soft MC Gurfinkel and Chaki © 2008 Carnegie Mellon University NEXPoint (P, N) NEXPoint elements are of the form: BDD over predicates Element of numeric abstract domain All operations are pairwise 2 2^P  N

24 24 Combining PA and NA for Soft MC Gurfinkel and Chaki © 2008 Carnegie Mellon University Numeric EXplicit (NEX) NEX elements are lists of NEXPoint [(P 1, N 1 ),…, (P k,N k )] Satisfying the partitioning condition P i ∩ P j = { } Operations are done using NEXPoint, but respect the partitioning condition 2 P → N

25 25 Combining PA and NA for Soft MC Gurfinkel and Chaki © 2008 Carnegie Mellon University The Partitioning Condition p !p q !q x>0 y>0

26 26 Combining PA and NA for Soft MC Gurfinkel and Chaki © 2008 Carnegie Mellon University Multi-Terminal Numeric Decision Diagrams b1b1 b2b2 x>0 && x=y 1-edges are black, 0-edges are red edges to 0 node are not shown p 1 && !p 2 && (x>0) && (x=y) p 1 : x>0, p 2 : z<y b 1 : p 1, b 2 : p 2 MTNBDD MTNDD elements are Decision Diagrams with Numeric values at the terminals 2 P → N

27 27 Combining PA and NA for Soft MC Gurfinkel and Chaki © 2008 Carnegie Mellon University Numeric Decision Diagrams (p 1 &&p 2 ) || (x<0 && y=z) (x>=0 && z>0) || (!(x>=0) && y=z) p 1 : x>=0, p 2 : z>0 b1:x>=0, b2:z>0, b3:y=z b1b1 b2b2 b3b3 1 1-edges are black, 0-edges are red edges to 0 node are not shown normalize NDD elements are BDDs over Predicate and Numeric Terms 2 P → 2 N

28 28 Combining PA and NA for Soft MC Gurfinkel and Chaki © 2008 Carnegie Mellon University Summary of the Data Structures PrecisionScalabilityPA aloneNA aloneProp OpNum Op NEXPoint -++++ NEX +-++-++ MTNDD +-+-+- NDD ++++- --

29 29 Combining PA and NA for Soft MC Gurfinkel and Chaki © 2008 Carnegie Mellon University Tool Implementation Java Implementation Numeric domains implemented on top of Apron library Frontend Source Annotated CFG + Initial Node + Target Node Reachability Analysis Report Fixed point computation with widening “Simple” automated abstraction-refinement 1.Check is CE is spurious using WP + TP 2.Add new numeric variables in UNSAT core first 3.Add new predicates only if all numeric variables in UNSAT core already present

30 30 Combining PA and NA for Soft MC Gurfinkel and Chaki © 2008 Carnegie Mellon University Experimental Results Synthetic examples used to validate specific conjectures NEX & MTNDD better than NDD when numeric joins are exact — Since NDD uses exact unions while others use numeric join NDD better than others when invariants are propositionally complex — Since NDD has the most sharing capability Realistic examples used to gauge overall performance Medley: 22 examples: Zitser buffer overflow (3), OpenSSL (2), engine controller (9), Micro-C OS (2), Device drivers (6)

31 31 Combining PA and NA for Soft MC Gurfinkel and Chaki © 2008 Carnegie Mellon University Negative running time means failure

32 32 Combining PA and NA for Soft MC Gurfinkel and Chaki © 2008 Carnegie Mellon University Experimental Results: Medley (2) Domain#Exp.TotalGammaJoinalphaPostApply Numeric92.520.430.410.440.38 Predicate17333.380.050.030.200.06 NEXPoint2142.300.381.134.048.50 NEX2245.170.592.223.997.20 MTNDD2294.050.023.712.1156.10 NDD2242.150.030.021.9617.81 (Total # of examples = 22; all times are in seconds)

33 33 Combining PA and NA for Soft MC Gurfinkel and Chaki © 2008 Carnegie Mellon University Negative running time means failure

34 34 Combining PA and NA for Soft MC Gurfinkel and Chaki © 2008 Carnegie Mellon University Related Work Abstract Interpretation [CC’92] Our domain ≈ reduced direct product of Predicate and Numeric domains Jain et al. [CAV’06] Applies numeric invariants to simplify predicate abstraction Weaker than NEXPoint Fischer et al. [FSE’05], Beyer et al. [CAV’07,CAV’06] Predicate abstraction + Abstract Domain Similar to NEXPoint, but with simpler transfer functions Bultan et al. [TOSEM’00] MC of programs with Boolean and numeric variables using Omega library Similar to NEX, but with simpler transfer functions

35 35 Combining PA and NA for Soft MC Gurfinkel and Chaki © 2008 Carnegie Mellon University Current and Future Work Augmenting our benchmark suite Better automated abstraction-refinement for PA + NA In this work, the abstract domain is treated as a black box. Exploring tighter integration between predicate and numeric domains smarter numeric transfer functions, smarter DD variable ordering, etc. We support intervals, octagons and polyhedra. Looking for combinations with other (numeric) domains

36 36 Combining PA and NA for Soft MC Gurfinkel and Chaki © 2008 Carnegie Mellon University

Download ppt "© 2008 Carnegie Mellon University Combining Predicate and Numeric Abstraction for Software Model Checking Software Engineering Institute Carnegie Mellon."

Similar presentations

Logical Abstract Interpretation Sumit Gulwani Microsoft Research, Redmond.

Logical Abstract Interpretation Sumit Gulwani Microsoft Research, Redmond.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
© 2013 Carnegie Mellon University UFO: From Underapproximations to Overapproximations and Back! Arie Gurfinkel (SEI/CMU) with Aws Albarghouthi and Marsha.

© 2013 Carnegie Mellon University UFO: From Underapproximations to Overapproximations and Back! Arie Gurfinkel (SEI/CMU) with Aws Albarghouthi and Marsha.
© 2006 Carnegie Mellon University Combining Predicate and Numeric Abstraction for Software Model Checking Software Engineering Institute Carnegie Mellon.

© 2006 Carnegie Mellon University Combining Predicate and Numeric Abstraction for Software Model Checking Software Engineering Institute Carnegie Mellon.
Verification of Evolving Software Natasha Sharygina Joint work with Sagar Chaki and Nishant Sinha Carnegie Mellon University.

Verification of Evolving Software Natasha Sharygina Joint work with Sagar Chaki and Nishant Sinha Carnegie Mellon University.
An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.

An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.
50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.

50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.
Inferring Disjunctive Postconditions Corneliu Popeea and Wei-Ngan Chin School of Computing National University of Singapore - ASIAN 2006 -

Inferring Disjunctive Postconditions Corneliu Popeea and Wei-Ngan Chin School of Computing National University of Singapore - ASIAN
1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)

1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)
© Anvesh Komuravelli Spacer Automatic Abstraction in SMT-Based Unbounded Software Model Checking Anvesh Komuravelli Carnegie Mellon University Joint work.

© Anvesh Komuravelli Spacer Automatic Abstraction in SMT-Based Unbounded Software Model Checking Anvesh Komuravelli Carnegie Mellon University Joint work.
© 2011 Carnegie Mellon University B OXES : Abstract Domain of Boxes Arie Gurfinkel and Sagar Chaki Software Engineering Institute Carnegie Mellon University.

© 2011 Carnegie Mellon University B OXES : Abstract Domain of Boxes Arie Gurfinkel and Sagar Chaki Software Engineering Institute Carnegie Mellon University.
© 2010 Carnegie Mellon University B OXES : A Symbolic Abstract Domain of Boxes Arie Gurfinkel and Sagar Chaki Software Engineering Institute Carnegie Mellon.

© 2010 Carnegie Mellon University B OXES : A Symbolic Abstract Domain of Boxes Arie Gurfinkel and Sagar Chaki Software Engineering Institute Carnegie Mellon.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
Rahul Sharma, Saurabh Gupta, Bharath Hariharan, Alex Aiken, and Aditya Nori (Stanford, UC Berkeley, Microsoft Research India) Verification as Learning.

Rahul Sharma, Saurabh Gupta, Bharath Hariharan, Alex Aiken, and Aditya Nori (Stanford, UC Berkeley, Microsoft Research India) Verification as Learning.
A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.

A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.
Automatic Predicate Abstraction of C-Programs T. Ball, R. Majumdar T. Millstein, S. Rajamani.

Automatic Predicate Abstraction of C-Programs T. Ball, R. Majumdar T. Millstein, S. Rajamani.
© 2012 Carnegie Mellon University UFO: Verification with Interpolants and Abstract Interpretation Arie Gurfinkel and Sagar Chaki Software Engineering Institute.

© 2012 Carnegie Mellon University UFO: Verification with Interpolants and Abstract Interpretation Arie Gurfinkel and Sagar Chaki Software Engineering Institute.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.

The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.
Rahul Sharma Işil Dillig, Thomas Dillig, and Alex Aiken Stanford University Simplifying Loop Invariant Generation Using Splitter Predicates.

Rahul Sharma Işil Dillig, Thomas Dillig, and Alex Aiken Stanford University Simplifying Loop Invariant Generation Using Splitter Predicates.

Similar presentations

Ads by Google