1 / 38

Software Model Checking: on the power of refinement

Software Model Checking: on the power of refinement. Thomas Ball Testing, Verification and Measurement Microsoft Research. Predicate Abstraction. Where do predicates come from? Choice of predicates critical precision of abstraction efficiency

danae
Download Presentation

Software Model Checking: on the power of refinement

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Software Model Checking:on the power of refinement Thomas Ball Testing, Verification and Measurement Microsoft Research

  2. Predicate Abstraction • Where do predicates come from? • Choice of predicates critical • precision of abstraction • efficiency • No criteria for guiding design of predicate generation/refinement algorithms • until now, “rule out spurious counterexamples”

  3. Termination of SLAM • [Cousot-Cousot, PLILP’92] • widening + abstract interpretation with infinite lattices (WAIL) is more powerful than a (single) finite abstraction • [Ball-Podelski-Rajamani, TACAS’02] • finite abstractions plus iterative refinement (FAIR) is more powerful than WAIL • Namjoshi/Kurshan, Henzinger/Majumdar • if there is a finite (bi-)simulation quotient then WAIL with no widening will terminate [and therefore so will FAIR]

  4. Termination and Widening • Widening is used to achieve termination by enlarging the set of states (to reach a fixpoint) • 5  x  10 widened to 5  x • Of course, widening may lose precision • Every fixpoint algorithm that loses precision (in order to terminate) applies widening

  5. Relative Completeness • WAIL • widening + abstract intepretation over infinite lattice • FAIR • Finite abstraction + iterative refinement • FAIR terminates with success if • there is an “widening oracle” such that WAIL terminates with success

  6. Fixpoint Fixpoint + Widening(WAIL) X := init; while X  S do X’ := X  F(X) ifX’  X then break i := oracle’s guess X := W(i, X’) od return X  S X := init; while X  S do X’ := X  F(X) ifX’  X then break X := X’ od return X  S

  7. F F F F F F F F W W W F W F W F F Search Space of Widenings

  8. Finite Abstraction + Iterative Refinement • If WAIL succeeds in N iterations then FAIR will succeed in N iterations • But, FAIR can succeed earlier, due to use of interior (abstract) fixpoint X := init; while truedo P := atoms(X); X# := lfp(F#P, init) ifX# S then break X := X  F(X) od return X# S

  9. F F F F F F F F F F W W W F F W F F W F F F Search Space WAIL+oracle FAIR

  10. Outline • Preliminaries • WAIL and FAIR methods • Theorem • Discussion • Related Work

  11. Guarded Command Language • Variables X = {x1, …, xn } • Guarded command c • c  g  x1’=e1 …  xn’=en also written as • c  g  x1:=e1, … xn:=en for true updates • Program is a set of guarded commands • each command is deterministic • set of commands may be non-deterministic

  12. Example L1 : x = 0; L2: while ( x >= 0) { x = x + 1; } L3: if (y == 25) { L4: if ( y != 25) { L5: while ( z != 0) { z = z-1; } ERROR: } } guarded commands: c1: pc = L1  pc := L2; x := 0 c2: pc = L2  x ≥ 0  x := x + 1 c3: pc = L2  x < 0  pc := L3 c4: pc = L3  y = 25  pc := L4 c5: pc = L4  y ≠ 25  pc := L5 c6: pc = L5  z ≠ 0  z := z -1 c8: pc = L5  z=0  pc := ERROR

  13. Symbolic Representation of States   iI jJ(i)ij ij : atomic formula such as (x<5) ’   ’ 

  14. pre/post ofc  g  x1’=e1 …  xn’=en • prec() g [e1,…en/ x1,…xn] • postc() (X.(  c))[X/X’] • pre() cC prec() • post() cC postc()

  15. unreachable reachable States Reachability unsafe unsafe init

  16. unsafe  post() init Safe Forward Invariants •  is a safe forward invariant if • init  • post()   •   safe

  17. Example L1: i:=0; L2: while(i|N|) { L3: i:=i+1; } L4: assert(i>0); L5 • A safe inductive invariant  (pc=L1)  (pc=L2  i=0)  (pc=L3  i0)  (pc=L2  i>0)  (pc=L4  i>0)  (pc=L5) init  (pc=L1) safe  (pc=L4)  (i>0) post() (pc=L2  i=0)  (pc=L3  i=0  i|N|)  (pc=L2  i1)  (pc=L3  i>0  i|N|)  (pc=L4  i>0  i>|N|)  (pc=L5  i>0)  (pc=L5)

  18. unsafe pre()  init Safe Backward Invariants •  is a safe backward invariant if • unsafe  • pre()   •   noninit

  19. Neutral notation •  is a safe <F,start,bound>-invariant if • start • F()   •   bound • <F,start,bound> • <post,init,safe> • <pre,unsafe,noninit>

  20. F# via Predicate Abstraction • A set P of predicates over a program’s state space defines an abstraction of the program • P = { (a=1), (b=1), (a>0) } • Uninterpreted atoms [a=1][b=1][a>0] • If P has n predicates, the abstract domain contains exactly 22n elements • an abstract state = conjunction () of atoms • a set of abstract states = disjunction () of abstract states

  21. [a=1] P [a>0] Abstract Ordering P(read “syntactic implication”) iIci PkKck  for all iI, exists kK: atoms(ci)  atoms(ck) [a=1][b=1] P [a=1] [a=1][b=1] P [a=1][a>0] [a=1][a>0] P [a=1]

  22. true false Free Lattice of DNF over {a,b} a  b  (ab) a  b a  (ab) b  (ab) Logical Implication a b (ab) 

  23. F#PPF  •  the identity function • P() the least ’ (by P) such that    ’ • Example: • P = { (x<2), (x<3), (x=0) } •  P( x=1 ) = (x<2)  (x<3)

  24. Agenda • Two procedures for computing safe invariants • WAIL • FAIR • Is FAIR as powerful as WAIL?

  25. AIL n:= 0;  := start; old := false; loop if (  old) then if ( bound) then return “success” else return “don’t know” else old :=   :=   F() forever

  26. Widening • widen() = ’ such that   ’ • We consider widening that simply drops terms from some conjuncts widen(iI jJ(i)ij ) = iI jJ’(i)ij where J’(i)  J(i) • Results can be extended to other classes of widenings

  27. WAIL n:= 0;  := start; old := false; loop if (  old) then if ( bound) then return “success” else return “Don’t know” else old :=  i := guess provided by oracle  := widen(i,   F() ) forever

  28. FAIR n := 0;  := start loop Pn := atoms() construct F#n, as defined by Pn  := lfp(F#n, start) if (bound) then return “success”  := F( ); n := n + 1; forever

  29. FAIR WAIL n := 0;  := start loop Pn := atoms() construct F#n, as defined by Pn  := lfp(F#n, start) if (bound) then return “success”  := F( ); n := n + 1; forever n:= 0;  := start; old := false; loop if (  old) then if ( bound) then return “success” else return “Don’t know” else old :=  i := guess provided by oracle  := widen(i,   F() ) forever Theorem: Suppose <F,start,bound> = <pre,unsafe,noninit> Then, for any program P, if Method 2 terminates with success for some sequence of widening choices, then Method 1 will terminate with success as well.

  30. Lemma 1: If a safe invariant  can be expressed in terms of predicates in P then lfp(F#P, start) is a safe invariant • Lemma 2: For any guarded command c, prec(  ’) = prec()  prec(’) prec( ’) = prec()  prec(’) • Corollary: For any guarded command c, atoms(prec(  ’)) = atoms(prec())  atoms(prec(’)) atoms(prec(  ’)) = atoms(prec())  atoms(prec(’))

  31. Proof of Theorem ’0 = start ’n+1 = widen(’npre(’n)) 0 = start n+1 = npre(n) for all i, atoms(i)  atoms(’i) by induction on i and Lemma 2 if ’i is a safe inv. then by Lemma 1 and above result lfp(F#atoms(i), start) is a safe inv.

  32. L1 : x = 0; L2: while ( x >= 0) { x = x + 1; } L3: if (y == 25) { L4: if ( y != 25) { L5: while ( z != 0) { z = z-1; } ERROR: } } init: (pc = L1) unsafe: (pc = ERROR) guarded commands: c1: pc = L1  pc := L2; x := 0 c2: pc = L2  x ≥ 0  x := x + 1 c3: pc = L2  x < 0  pc := L3 c4: pc = L3  y = 25  pc := L4 c5: pc = L4  y ≠ 25  pc := L5 c6: pc = L5  z ≠ 0  z := z -1 c8: pc = L5  z=0  pc := ERROR Fact 1 : Both naïve forward and naïve backward reachability don’t terminate Fact 2: WAIL can terminate going forward FAIR cannot terminate going forward

  33. L1 : x = 0; L2: while ( x >= 0) { x = x + 1; } L3: if (y == 25) { L4: if ( y != 25) { L5: while ( z != 0) { z = z-1; } ERROR: } } init: (pc = L1) unsafe: (pc = ERROR) guarded commands: c1: pc = L1  pc := L2; x := 0 c2: pc = L2  x ≥ 0  x := x + 1 c3: pc = L2  x < 0  pc := L3 c4: pc = L3  y = 25  pc := L4 c5: pc = L4  y ≠ 25  pc := L5 c6: pc = L5  z ≠ 0  z := z -1 c8: pc = L5  z=0  pc := ERROR Fact 3: Both methods terminate going backward!

  34. Asymmetry between forward and backward • guarded command notation is asymmetric • satisfiability of formulas resulting from post requires existential quantifier elimination • pre can be done “syntactically” without doing any satisfiability check (in fact this is necessary)

  35. Observations • Results hold for forward abstract fixpoint + “dual” backward refinement • Results generalize for negation • BDDs implement operations in the free lattice • Converse of theorem does not hold • success in FAIR -/-> success of WAIL

  36. Related Work • Namjoshi/Kurshan, Henzinger/Majumdar • if there is a finite (bi-)simulation quotient then Method 1 with no widening will terminate [and therefore so will Method 2] • Cousot/Cousot • fixpoint + widening more powerful than a single abstract fixpoint

  37. Conclusions • Predicate abstraction + refinement and widening can be formally related to each other • Predicate abstraction + refinement = widening with “optimal” guidance

  38. Searching for Solutions • Once upon a time, only a human could play a great game of chess… • … but then smart brute force won the day (Deep Blue vs. Kasparov) • Once upon a time, only a human could design a great abstraction…

More Related