
Formal Verification at the Speed of CVC Lite

Sergey Berezin, Stanford University, U.S.A.

Presentation Transcript


  1. Formal Verification at the Speed of CVC Lite. Sergey Berezin, Stanford University, U.S.A.

  2. Is Program Correct? Approaches, in increasing strength: Type Checking, Testing / Debugging, Static Analysis, Proof of Correctness (Formal Methods).

  3. Tools in Formal Verification • Virtually all approaches rely on efficient back-end tools • Model Checkers, Theorem Provers • SAT Solvers, Validity Checkers • Very important to make tools • Efficient • Expressive • Usable

  4. A Validity Checker • Automated Theorem Prover • Combination of Decision Procedures: f(x+y) < 2*g(z-a[x+1]) Arithmetic + Uninterpreted functions + Arrays + ...

  5. Using Validity Checker for ... Path Feasibility: if(x < 2*y+1) { z = x; if(x > y) { w = y+1; ... if(x = 0) { // Is this reachable? } } } Query to the validity checker: x < 2y+1, x > y, x = 0 ⇒ ? (is the path condition satisfiable?)

  6. Using Validity Checker for ... Proving Correctness: program vs. Spec.

  7. Using Validity Checker for ... • Static checking • Eliminate false alarms • Compute abstractions • Compiler optimizations • Can we skip array bounds check here? • Security properties • Can this buffer overflow? • Can 'su root' be ever executed? • ...

  8. Validity Checking: tools and theory. Tools: SVC (Stanford); CVC (Stump, Barrett; Stanford); CVC Lite (Berezin, Barrett; Stanford, NYU); DPLL(T) (Tinelli, UIowa); UCLID (Bryant, CMU); Simplify (Nelson, HP); Verifun (Saxe, Joshi, HP); ICS (SRI); Zap (Microsoft). Theory: Nelson-Oppen '79; Shostak '84; Ghilardi '03; Tinelli & Zarba '04; Ganesh & Berezin (unpub).

  9. A Good Validity Checker is... • Efficient • Can handle large formulas, fast • Expressive • Rich logic, spans many theories • Arithmetic, UFs, Arrays, Bitvectors, Datatypes, ... • Usable • Convenient API / input language • Stable, Sound, Complete (when possible) • Many useful features • Quantifiers, Partial Functions, Counterexamples, Proofs, ... CVC Lite!

  10. What is CVC Lite? • Cooperating Validity Checker "Lite" • Automated theorem prover • Successor of CVC • Based on Combination of DPs • Nelson-Oppen method (extended by Barrett) • General-purpose back-end tool • Used in many [formal] verification techniques

  11. Outline • DP Combination Theory • Nelson-Oppen method • Various Extensions • Developing CVC Lite • Overview; engineering and research challenges • Evolution of a decision procedure • Linear Arithmetic • Future Directions

  12. Outline • DP Combination Theory • Nelson-Oppen method • Various Extensions • Developing CVC Lite • Overview; engineering and research challenges • Evolution of a decision procedure • Linear Arithmetic • Future Directions

  13. Nelson-Oppen Combination. Uninterpreted functions: • T1 = { x = y ⇒ f(x) = f(y), ... } • S1 = { f, g, ... } Arithmetic: • T2 = { x + x = 2x, 2z != 2y+1, ...} • S2 = { +, -, <, 0, 1, 2, ...} Conditions: • S1 ∩ S2 = ∅ • T1 and T2 are stably-infinite

  14. Combination Problem • Given algorithms for solving T1 ⊨ φ1 and T2 ⊨ φ2 • Solve: T1 ∪ T2 ⊨ φ

  15. Nelson-Oppen Combination • Problem: T1 ∪ T2 ⊨ φ • Convert to satisfiability of T1 ∪ T2 ∪ {¬φ}

  16. Nelson-Oppen Combination • Purify ¬φ into G1 and G2: f(x+y) < z. Name the arithmetic subterm, a = x+y, giving f(a) < z; then name the UF subterm, b = f(a). Result: G1 = { f(a) = b } (uninterpreted functions), G2 = { a = x+y, b < z } (arithmetic).

  17. Nelson-Oppen Combination • Purification: T1 ∪ T2 ∪ {¬φ} becomes (T1 ∪ G1) ∪ (T2 ∪ G2) • Find arrangement A over shared vars such that: T1 ∪ G1 ∪ A is SAT and T2 ∪ G2 ∪ A is SAT. Example: A = {a=b, b!=c, a!=c} • Guarantees that T1 ∪ T2 ∪ {¬φ} is SAT
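The purification and arrangement steps of slides 16 and 17, as an added example that is not part of the presentation and not CVC Lite's own code. Terms are plain Python tuples, the two signatures S1 and S2 are the small sets declared at the top (an assumption made for the example), and fresh variables are drawn from unused letters so the slide's ¬φ = f(x+y) < z purifies to exactly the G1 and G2 shown above. The arrangement enumerator generalizes the single arrangement on slide 17 to all partitions of the shared variables, which is what a Nelson-Oppen combination would have to search through (or let the SAT solver guess, as on slide 22).

```python
import string

# Signatures of the two theories being combined (disjoint, as Nelson-Oppen requires).
# Equality is a logical symbol shared by both theories, so it belongs to neither set.
UF_SIG = {"f", "g"}                     # S1: uninterpreted function symbols (assumed)
ARITH_SIG = {"+", "-", "*", "<", "<="}  # S2: arithmetic symbols (assumed)

# Terms are strings (variables) or tuples (symbol, arg1, arg2, ...).
# Literals are tuples whose first element is a predicate: "<", "<=", "=", "!=".

def theory_of(sym):
    if sym in UF_SIG:
        return 1
    if sym in ARITH_SIG:
        return 2
    raise ValueError(f"symbol {sym!r} is in neither signature")

def variables(term, acc=None):
    """Collect the variable names occurring in a term, literal or list of literals."""
    acc = set() if acc is None else acc
    if isinstance(term, str):
        acc.add(term)
    else:
        for arg in term[1:]:
            variables(arg, acc)
    return acc

def purify(literals):
    """Split mixed literals into pure sets G1 (UF) and G2 (arithmetic).
    Each subterm whose root symbol belongs to the other theory is replaced by a
    fresh variable v, and the defining literal v = subterm is added to the theory
    that owns the subterm. Returns (G1, G2, shared_variables)."""
    used = set()
    for lit in literals:
        variables(lit, used)
    fresh = iter(c for c in string.ascii_lowercase if c not in used)
    g = {1: [], 2: []}

    def walk(term, parent):
        if isinstance(term, str):           # variables belong to both theories
            return term
        sym, *args = term
        th = theory_of(sym)
        pure = (sym, *(walk(a, th) for a in args))
        if th != parent:                    # alien subterm: name it and hand it off
            v = next(fresh)
            g[th].append(("=", v, pure))
            return v
        return pure

    for lit in literals:
        pred, *args = lit
        if pred in ("=", "!="):
            # equality is shared; home the literal with its first non-variable side
            th = next((theory_of(a[0]) for a in args if not isinstance(a, str)), 2)
        else:
            th = theory_of(pred)
        g[th].append((pred, *(walk(a, th) for a in args)))

    shared = variables(("and", *g[1])) & variables(("and", *g[2]))
    return g[1], g[2], shared

def set_partitions(items):
    """All partitions of a list into non-empty blocks (Bell(n) of them)."""
    if not items:
        yield []
        return
    first, rest = items[0], items[1:]
    for part in set_partitions(rest):
        for i in range(len(part)):
            yield part[:i] + [[first] + part[i]] + part[i + 1:]
        yield [[first]] + part

def arrangements(shared):
    """Every arrangement A over the shared variables: equalities inside each
    block of a partition and disequalities between block representatives."""
    for part in set_partitions(sorted(shared)):
        lits = []
        for block in part:
            lits += [("=", block[0], v) for v in block[1:]]
        for i, b1 in enumerate(part):
            for b2 in part[i + 1:]:
                lits.append(("!=", b1[0], b2[0]))
        yield lits

def slide16_example():
    """The slide's negated query, ¬φ = f(x+y) < z."""
    return purify([("<", ("f", ("+", "x", "y")), "z")])

if __name__ == "__main__":
    g1, g2, shared = slide16_example()
    print("G1 =", g1, "\nG2 =", g2, "\nshared =", shared)
    for a in arrangements({"a", "b", "c"}):
        print("arrangement:", a)
```

With two shared variables only two arrangements exist (a = b or a != b); the three-variable case from slide 17 has five, one of which is the slide's {a=b, a!=c} (b!=c follows). The number of arrangements grows as the Bell numbers, which is why a practical combination, as in CVC Lite, lets the SAT solver decide shared equalities incrementally rather than enumerating them up front.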

  18. Outline • DP Combination Theory • Nelson-Oppen method • Various Extensions • Developing CVC Lite • Overview; engineering and research challenges • Evolution of a decision procedure • Linear Arithmetic • Future Directions

  19. CVC Lite feature map. Arch: Modular; cvcl.exe, C++ API, DP API, UI; Integrated SAT solver; Proof Records. DPs: Arith (Linear, Non-Linear, Real, Integer, subtypes), U. Func, Arrays, Bitvectors, Datatypes. Features: Counterexamples, Proofs, Symbolic Simulator, Partial Functions (t = x/0), ∀, ∃. Completeness: Sound, Complete.

  20. CVC Lite Architecture: User Input → Parser & Command Processor (CVCL Executable) → CVCL API → CVCL library.

  21. CVC Lite: C++ Library. CVCL Core: SAT Solver; Union-Find DB (x=y); decision procedures Arith, Arrays, UF. Each DP answers queries of the form Ti ∪ Gi ∪ A ⊨ a = b.

  22. SAT Solver + DPs. Search tree: decide s1, then s2, then s3 (backtracking to ¬s2, ¬s3), running (BCP; DP)* after every decision. BCP: Unit Clauses. DP: Ti ∪ Gi ∪ A ⊨ a=b ? • Online DP • Conflict analysis • DP Proofs ?

  23. CVC Lite feature map (Linear Arith highlighted). Arch: Modular; cvcl.exe, C++ API, Theory API, UI; Integrated SAT solver; Proof Records. DPs: Arith (Linear, Non-Linear, Real, Integer, subtypes), U. Func, Arrays, Bitvectors, Datatypes. Features: Counterexamples, Proofs, Symbolic Simulator, Partial Functions (t = x/0), ∀, ∃. Completeness: Sound, Complete.

  24. Arithmetic: Problem • Given a system of constraints: 2x+3y-8z = 42 11y+18z < 17 Determine if it is SAT

  25. Choosing the Algorithm • Automata-based approaches • Explicit: MONA, LASH • BDDs: encoding in SMV • ILP-based approaches • Fourier-Motzkin elimination • Simplex • Interior Point FMCAD'02: comparison of approaches

  26. Fourier-Motzkin for Reals:Equations • Equation: 2x+3y = 8 • Pick a variable x • Solve for it x = 4 – 3/2y • Replace x by 4 – 3/2y everywhere Now x is gone! Variable elimination

  27. Fourier-Motzkin for Reals: Inequalities. Given lower bounds β1 < x, ..., βk1 < x; upper bounds x < α1, ..., x < αk2; and constraints without x: γ1 < 0, ..., γk3 < 0. x must satisfy: max_i βi < x < min_j αj. Equivalently: max_i βi < min_j αj, i.e. the pairwise constraints β1 < α1, β1 < α2, ..., βk1 < αk2, together with the unchanged γ1 < 0, ..., γk3 < 0. x is gone.

  28. Adapting for Combination • Online • Incremental work for new constraints • Proof-producing • For conflict analysis in SAT solver • Specialized proof rules

  29. Eliminating Equations. CVC Framework: Original formula → SAT solver → DPs (DP DP DP) → Derived constraints. Example: the received equation x – 2·y = 1 is solved as x = 2·y + 1, so the existing constraint x + z > 2 becomes 2·y + 1 + z > 2.

  30. Projecting Inequalities. Received: x < α. Existing database: β1 < x, ..., βk1 < x; x < α1, ..., x < αk2; γ1 < 0, ..., γk3 < 0. Produced: β1 < α, ..., βk1 < α (one new constraint per lower bound on x).

  31. Proof Production • Derive ⊥ from axioms, top-down. Rules: const<: from c1 < c2 derive ⊥, where c1 ≥ c2 are constants; shadow: from b < x and x < a derive b < a.

  32. Proof Production: Tracking Dependencies • Sequent: Γ ⊢ φ. Rules: assump: φ ⊢ φ; const<: from Γ ⊢ c1 < c2 derive Γ ⊢ ⊥, where c1 ≥ c2; shadow: from Γ1 ⊢ b < x and Γ2 ⊢ x < a derive Γ1 ∪ Γ2 ⊢ b < a.
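Slides 26 through 32 together describe one procedure: eliminate equations by substitution, project inequalities variable by variable with the shadow rule, and carry a dependency set Γ along so that a final const< contradiction names the original constraints responsible. The following is an added example implementing that procedure; it is not CVC Lite's arithmetic decision procedure and makes no claim about how CVC Lite represents constraints. Each constraint is stored as a coefficient map plus a constant (sum coef·var + const rel 0), labels such as 'e1' and 'c1' are constructed for the example, and the three sample systems are the slide 24 system, the slide 5 path condition, and a three-constraint cycle whose unsat core is the whole input.

```python
from fractions import Fraction as F

class Constraint:
    """Linear constraint  sum(coef[v] * v) + const  rel  0,  rel in {'=', '<', '<='}.
    deps is the set of labels of the original constraints it was derived from,
    i.e. the Γ of the sequent rules (assump, shadow, const<)."""
    def __init__(self, coef, const, rel, deps):
        self.coef = {v: F(c) for v, c in coef.items() if c != 0}
        self.const, self.rel, self.deps = F(const), rel, frozenset(deps)

def substitute(c, var, expr, econst, edeps):
    """Replace var by the linear expression expr + econst inside c."""
    if var not in c.coef:
        return c
    k = c.coef[var]
    coef = {v: e for v, e in c.coef.items() if v != var}
    for v, e in expr.items():
        coef[v] = coef.get(v, 0) + k * e
    return Constraint(coef, c.const + k * econst, c.rel, c.deps | edeps)

def fourier_motzkin(constraints):
    """Decide a conjunction of linear constraints over the reals.
    Returns ('SAT', None) or ('UNSAT', core), where core is the set of labels
    of the original constraints that produced the contradiction."""
    cs = list(constraints)
    # Step 1 (slide 26): solve each equation for one variable and substitute it away.
    while True:
        eq = next((c for c in cs if c.rel == '=' and c.coef), None)
        if eq is None:
            break
        cs.remove(eq)
        var, k = next(iter(eq.coef.items()))
        expr = {v: -e / k for v, e in eq.coef.items() if v != var}
        cs = [substitute(c, var, expr, -eq.const / k, eq.deps) for c in cs]
    # Step 2 (slides 27 and 30): project out one variable at a time.
    while True:
        remaining = {v for c in cs for v in c.coef}
        if not remaining:
            break
        x = min(remaining)
        lower, upper, rest = [], [], []
        for c in cs:
            k = c.coef.get(x, 0)
            if k == 0:
                rest.append(c)                     # the γ_i < 0 constraints, unchanged
                continue
            # k*x + r rel 0  <=>  x rel' -r/k ; k > 0 gives an upper bound α, k < 0 a lower bound β
            bound = ({v: -e / k for v, e in c.coef.items() if v != x}, -c.const / k, c.rel, c.deps)
            (upper if k > 0 else lower).append(bound)
        for lo, loc, lrel, ldeps in lower:
            for up, upc, urel, udeps in upper:
                # shadow rule: β < x and x < α give β - α < 0, with Γ1 ∪ Γ2 as dependencies
                coef = dict(lo)
                for v, e in up.items():
                    coef[v] = coef.get(v, 0) - e
                rel = '<' if '<' in (lrel, urel) else '<='
                rest.append(Constraint(coef, loc - upc, rel, ldeps | udeps))
        cs = rest
    # Step 3 (const< rule): only constants remain; a violated one is the contradiction ⊥.
    for c in cs:
        holds = {'=': c.const == 0, '<': c.const < 0, '<=': c.const <= 0}[c.rel]
        if not holds:
            return 'UNSAT', set(c.deps)
    return 'SAT', None

def slide24_system():
    """2x + 3y - 8z = 42 and 11y + 18z < 17 (slide 24)."""
    return fourier_motzkin([
        Constraint({'x': 2, 'y': 3, 'z': -8}, -42, '=', {'e1'}),
        Constraint({'y': 11, 'z': 18}, -17, '<', {'i1'}),
    ])

def slide5_path():
    """Path condition x < 2y+1, x > y, x = 0 (slide 5), read over the reals."""
    return fourier_motzkin([
        Constraint({'x': 1, 'y': -2}, -1, '<', {'c1'}),   # x - 2y - 1 < 0
        Constraint({'y': 1, 'x': -1}, 0, '<', {'c2'}),    # y - x < 0
        Constraint({'x': 1}, 0, '=', {'c3'}),             # x = 0
    ])

def cyclic_unsat():
    """x < y, y < z, z <= x: the unsat core must contain all three constraints."""
    return fourier_motzkin([
        Constraint({'x': 1, 'y': -1}, 0, '<', {'c1'}),
        Constraint({'y': 1, 'z': -1}, 0, '<', {'c2'}),
        Constraint({'z': 1, 'x': -1}, 0, '<=', {'c3'}),
    ])

if __name__ == "__main__":
    print("slide 24:", slide24_system())
    print("slide 5 path:", slide5_path())
    print("cycle:", cyclic_unsat())
```

The returned core is what a SAT solver's conflict analysis (slide 28) consumes: it is the set of decision literals to blame, not the whole database. Note that this is the real-valued relaxation only; the slide 5 path is feasible over the reals (y strictly between -1/2 and 0) but has no integer solution, which is exactly the gap the integer extension on slide 33 addresses.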

  33. Extensions and Optimizations • Efficient baseline algorithm • Linear real arithmetic (+, -, =, <) • Extension to integers • Omega-test idea

  34. Extensions and Optimizations • Non-linear extensions • Extended canonical form • Extended solver (Tiwari's idea) • Special case optimizations • Difference constraints: x – y < c

  35. DP Life Cycle Choose algorithm Online & Proofs Implement base-line Extend, Optimize, ...

  36. Other Decision Procedures • Congruence Closure • Uninterpreted functions: f(x), g(y,z) • Mutable Arrays • a[i+1] = (b[j := x])[k], where b[j := x] is b with index j updated to x • Bit-vectors • (0b01100100 @ x32)[15:0] • Recursive Datatypes • cons(car(x), cdr(y))
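The congruence closure procedure named above, built on the union-find database of slide 21, as an added example that is not CVC Lite's implementation. Terms are tuples (symbol, args...) and variables are strings; equalities are merged into the union-find, then the congruence axiom from slide 13 (x = y ⇒ f(x) = f(y), generalized to n arguments) is propagated to a fixpoint, and the disequalities are checked last. The helper f_power and the two sample problems are constructed for the example.

```python
class UnionFind:
    """Union-find over terms: the equivalence-class database of the CVCL core (slide 21)."""
    def __init__(self):
        self.parent = {}

    def find(self, t):
        self.parent.setdefault(t, t)
        while self.parent[t] != t:
            self.parent[t] = self.parent[self.parent[t]]   # path halving
            t = self.parent[t]
        return t

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra == rb:
            return False
        self.parent[ra] = rb
        return True

def subterms(t, acc):
    """Insert t and all of its subterms into the ordered dict acc."""
    acc.setdefault(t, None)
    if isinstance(t, tuple):
        for arg in t[1:]:
            subterms(arg, acc)

def congruence_closure(equalities, disequalities):
    """Decide a conjunction of equalities and disequalities over uninterpreted
    functions. Returns True (SAT) or False (UNSAT)."""
    terms = {}
    for a, b in equalities + disequalities:
        subterms(a, terms)
        subterms(b, terms)
    uf = UnionFind()
    for a, b in equalities:
        uf.union(a, b)
    apps = [t for t in terms if isinstance(t, tuple)]
    # Propagate  x1=y1 ∧ ... ∧ xn=yn  ⇒  f(x1..xn) = f(y1..yn)  until nothing changes.
    changed = True
    while changed:
        changed = False
        for i, s in enumerate(apps):
            for t in apps[i + 1:]:
                if (s[0] == t[0] and len(s) == len(t)
                        and uf.find(s) != uf.find(t)
                        and all(uf.find(x) == uf.find(y) for x, y in zip(s[1:], t[1:]))):
                    uf.union(s, t)
                    changed = True
    # A disequality between two terms in the same class is the contradiction.
    return all(uf.find(a) != uf.find(b) for a, b in disequalities)

def f_power(n, x="a"):
    """f applied n times to x, e.g. f_power(3) == ('f', ('f', ('f', 'a')))."""
    t = x
    for _ in range(n):
        t = ("f", t)
    return t

def classic_unsat():
    """f^3(a) = a, f^5(a) = a, f(a) != a: UNSAT, because f^2(a) = a follows, then f(a) = a."""
    return congruence_closure([(f_power(3), "a"), (f_power(5), "a")], [(f_power(1), "a")])

def slide36_sat():
    """f(x) = y with g(y, z) != g(f(x), x): SAT, since z and x are never merged."""
    return congruence_closure([(("f", "x"), "y")],
                              [(("g", "y", "z"), ("g", ("f", "x"), "x"))])

if __name__ == "__main__":
    print("f^3(a)=a, f^5(a)=a, f(a)!=a  ->", "SAT" if classic_unsat() else "UNSAT")
    print("f(x)=y, g(y,z)!=g(f(x),x)    ->", "SAT" if slide36_sat() else "UNSAT")
```

The fixpoint loop is quadratic in the number of application terms and is meant to show the logic, not to be fast; the f^3/f^5 example needs several rounds because each merge of an argument class exposes a new congruent pair. A production procedure keeps, per equivalence class, the list of applications whose arguments fall in it and re-examines only those after a merge, which is also what makes the procedure online (slide 28) rather than a restart on every new constraint.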

  37. Lessons • Efficiency, Correctness & Soundness • Important (and possible!) to have them all • Precise specs and good design patterns • Keys to success in getting it to run • Clean APIs, features, user support • Keys to success in getting it used

  38. CVC Lite: Developers Project leaders: Sergey Berezin, Clark Barrett, David Dill Developers and contributors: • Vijay Ganesh • Deepak Goyal • Jake Donham • Sean McLaughlin • Mehul Trivedi • Daniel Wichs • Ying Hu • Mark Zavislak • Jim Zhuang

  39. CVCL Users. Academia: NYU, Stanford, UCLA, CMU, U.Iowa, Berkeley, CEA (France), Genova (Italy), TU Munich (Germany), LRI (France). Industry: Calypto, Intel, SRI, Cadence, Fujitsu. Application areas: Static Analysis, Compilers, Hardware, Software, Protocols, Proof oracle.

  40. Outline • DP Combination Theory • Nelson-Oppen method • Various Extensions • Developing CVC Lite • Overview; engineering and research challenges • Evolution of a decision procedure • Linear Arithmetic • Future Directions

  41. CVC Lite feature map, with open problems. Arch: Modular; cvcl.exe, C++ API, Theory API, UI; Integrated SAT solver; Proof Records; Splitter Heuristics; Overlapping Signatures; Domain-specific Optimizations. DPs: Arith (Linear, Non-Linear, Real, Integer, subtypes), U. Func, Arrays, Bitvectors, Datatypes. Features: Counterexamples, Proofs, Interpolants, Symbolic Simulator, Partial Functions (t = x/0), ∀, ∃. Completeness: Sound, Complete.

  42. CVC Lite Years Later: a Standard Validity Checking Library, shared by Compiler Optimizers, Hardware Verifiers, Static Checking and Theorem Proving.

  43. Future Directions. Goal: Reduce Implementation Effort; Platform for Rapid Prototyping; Easily Replicate Existing Methodologies. CVC Lite alongside SAT, Theorem Proving, Static Analysis, Model Checking, BDDs, Abstraction Refinement.

  44. Formal Methods in the Design Process. Areas: Testing, Compilers, Verification, AI, Biology, Security Protocols, Hybrid systems. Applications: Hardware, Software. Rapid Prototyping on top of MC, TP, BDDs, SAT and CVCL.

  45. Thank you!
