
Diagnosing Abstraction Failure in Separation Logic-based Analyses






Presentation Transcript


  1. Diagnosing Abstraction Failure in Separation Logic-based Analyses. Josh Berdine, Samin Ishtiaq, Christoph Wintersteiger, Arlen Cox

  2. The Abstraction Refinement Dream Start Verification Pick Abstraction Party!!! Success Attempt Proof Pick New Abstraction Failure Diagnose Failure Failure Fix Bug Find Counterexample Success

  3. State of the Art: Separation Logic Analysis. Start Verification Pick Abstraction Party!!! Success Attempt Proof Pick New Abstraction Failure 2 Diagnose Failure Failure 1 Fix Bug Find Counterexample Previously Unexplored Success

  4. Traditional Abstraction Refinement Not Our Contribution

  5. Pick Abstract/Attempt Proof

  6. Proof Fails

  7. Diagnosing Abstraction Failure • An Abstract State • Concrete State • Unreachable • Reaches Error • Contained in Abstract State Weakest Precondition

  8. Partition the Abstract State

  9. No WP() in Separation Logic Weakest Precondition

  10. No WP() in Separation Logic
  int* p; … *p = 17;
  PSPACE-complete* due to aliasing
  * Calcagno, C., Yang, H., O'Hearn, P.W.: Computability and complexity results for a spatial assertion language for data structures. In: FSTTCS (2001)

  11. Separation Logic-based Analyses
  • Restricted logic: does not support separating implication, general negation, or general conjunction
  • Does not support backward reasoning: no weakest precondition
  • Contribution: A method to use forward analysis to diagnose failures
  • Contribution: A method for efficiently performing forward counterexample searches

  12. Example
  l = newListNode(newObj(), NULL);
  while(*) { l = newListNode(newObj(), l); }
  while(l != NULL) { n = l->next; free(l->data); free(l); l = n; }
  …
  (heap diagram: l … NULL)

  13. Background: Pick Abstraction Start Verification Pick Abstraction Party!!! Success Attempt Proof Pick New Abstraction Failure Diagnose Failure Failure Fix Bug Find Counterexample Success

  14. Pattern-Based Abstraction l … NULL

  15. Pattern-Based Abstraction l … NULL

  16. Pattern-Based Abstraction l … NULL

  17. Background: Proof Attempt Start Verification Pick Abstraction Party!!! Success Attempt Proof Pick New Abstraction Failure Diagnose Failure Failure Fix Bug Find Counterexample Success

  18. Proof Search (SLL)
  l = newListNode(newObj(), NULL);
  while(*) { l = newListNode(newObj(), l); }
  while(l != NULL) { n = l->next; free(l->data); free(l); l = n; }

  19. Proof Search (SLL)
  Trace: l = newListNode(newObj(), NULL);
  Program:
  l = newListNode(newObj(), NULL);
  while(*) { l = newListNode(newObj(), l); }
  while(l != NULL) { n = l->next; free(l->data); free(l); l = n; }

  20. Proof Search (SLL)
  Trace: l = newListNode(newObj(), NULL); l = newListNode(newObj(), l);
  Program:
  l = newListNode(newObj(), NULL);
  while(*) { l = newListNode(newObj(), l); }
  while(l != NULL) { n = l->next; free(l->data); free(l); l = n; }

  21. Proof Search (SLL)
  Trace: l = newListNode(newObj(), NULL); l = newListNode(newObj(), l); assume(l != NULL) n = l->next; free(l->data);
  Program:
  l = newListNode(newObj(), NULL);
  while(*) { l = newListNode(newObj(), l); }
  while(l != NULL) { n = l->next; free(l->data); free(l); l = n; }

  22. Counterexamples Start Verification Pick Abstraction Party!!! Success Attempt Proof Pick New Abstraction Failure Diagnose Failure Failure Fix Bug Find Counterexample Success

  23. Traditional Bounded Model Checking (Not Our Contribution)
  Unroll Transition System, Check Property, Repeat
  Unrolled trace: l = newListNode(newObj(), NULL); l = newListNode(newObj(), l); assume(l != NULL) n = l->next; free(l->data); free(l); l = n; assume(l == NULL)
  • Can explode for deep properties
  • Doesn't help proof process

  24. Contribution: BMC Over Abstract Transition System
  Unroll Abstract Transition System, Check Property, Repeat
  Unrolled trace: l = newListNode(newObj(), NULL); l = newListNode(newObj(), l); assume(l != NULL) n = l->next; free(l->data);
  • Restricted search space
  • Finds counter-examples that caused this proof failure

  25. Contribution: BMC Over Abstract Transition System

  26. Contribution: BMC Over Abstract Transition System

  27. Contribution: BMC Over Abstract Transition System Must End in Error

  28. Contribution: BMC Over Abstract Transition System

  29. Contribution: BMC Over Abstract Transition System Unroll up to a bound

  30. Contribution: BMC Over Abstract Transition System Stay in Error

  31. Contribution: BMC Over Abstract Transition System Otherwise Transition According to Program

  32. Contribution: BMC Over Abstract Transition System Send to SMT solver; quantifiers and all.

  33. Contribution: BMC Over Abstract Transition System Send to SMT solver; quantifiers and all.

  34. Encoding of Address: Data, Allocated, Size
  p = malloc(size);

  35. Encoding of Address: Data, Allocated, Size
  p = malloc(size); q = malloc(size);

  36. Encoding of Address: Data, Allocated, Size
  p = malloc(size); q = malloc(size);

  37. Encoding of Address: Data, Allocated, Size
  p = malloc(size); q = malloc(size); r = p + size; *r = 3; //(no error)

  38. Encoding of Address: Data, Allocated, Size
  p = malloc(size); q = malloc(size); r = p + size; *r = 3; //(error)
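The following is an added example, not code from the slides or from the authors' tool. It models the per-address encoding of slides 34 to 38 (each address carries its data, an allocated bit and the size of the block it belongs to) as a flat byte-addressed memory, and it reads the "(no error)" / "(error)" pair on slides 37 and 38 as depending on where the allocator placed q: if q sits directly after p, then r = p + size lands inside q and the store is accepted by the model; if there is a gap, r is unallocated and the store is an error. That reading, and the names FlatMemory and run_scenario, are this example's own assumptions.

```python
# Added example (not from the slides): a flat, byte-addressed memory model
# in the spirit of the "Data / Allocated / Size" encoding on slides 34-38.
# Names (FlatMemory, run_scenario) are this example's own, not the authors'.

class FlatMemory:
    def __init__(self, size_bytes=64):
        self.data = bytearray(size_bytes)          # Data component
        self.allocated = [False] * size_bytes      # Allocated component
        self.block_size = [0] * size_bytes         # Size component: block each byte belongs to

    def malloc(self, size, at):
        """Allocate `size` bytes at address `at`.  Placement is the
        allocator's free choice; we fix it here to build a scenario."""
        if at < 0 or at + size > len(self.data):
            raise ValueError("allocation outside modelled memory")
        if any(self.allocated[at:at + size]):
            raise ValueError("overlapping allocation")
        for a in range(at, at + size):
            self.allocated[a] = True
            self.block_size[a] = size
        return at

    def store(self, addr, value):
        """Returns None on success, or an error string, so a search can
        record it like the 'Error' states in the deck instead of raising."""
        if not (0 <= addr < len(self.data)) or not self.allocated[addr]:
            return f"write to unallocated address {addr:#x}"
        self.data[addr] = value & 0xFF
        return None


def run_scenario(size, q_offset):
    """p = malloc(size); q = malloc(size) placed q_offset bytes after p;
    r = p + size; *r = 3;   Returns the error string or None."""
    m = FlatMemory()
    p = m.malloc(size, at=8)
    m.malloc(size, at=8 + q_offset)   # q
    r = p + size
    return m.store(r, 3)


if __name__ == "__main__":
    print("q adjacent to p :", run_scenario(8, 8))    # r lands in q: no error
    print("gap after p     :", run_scenario(8, 16))   # r unallocated: error
```

The point a practitioner should take from this is why the deck insists on a bit-precise memory model: a store through `p + size` is an off-by-one past p in every layout, but whether it is detected as an error depends on what the solver is allowed to place at that address.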

  39. Counterexample Search l = newListNode(newObj(), NULL); l = newListNode(newObj(), l); assume(l != NULL) n = l->next; free(l->data);

  40. Counterexample Search
  Just need structure. Don't need separation logic formulas.
  l = newListNode(newObj(), NULL); l = newListNode(newObj(), l); assume(l != NULL) n = l->next; free(l->data);

  41. Counterexample Search No Error

  42. Counterexample Search l l = newListNode(newObj(), NULL); NULL No Error

  43. Counterexample Search l l = newListNode(newObj(), NULL); l = newListNode(newObj(), l); NULL assume(l != NULL) n = l->next; free(l->data); Error Unreachable No Error

  44. Counterexample Search l l = newListNode(newObj(), NULL); l = newListNode(newObj(), l); assume(l != NULL) n = l->next; free(l->data); NULL Error Unreachable No Error

  45. Counterexample Search l l = newListNode(newObj(), NULL); l = newListNode(newObj(), l); assume(l != NULL) n = l->next; free(l->data); l = newListNode(newObj(), l); Error Unreachable assume(l != NULL) n = l->next; free(l->data); NULL Error Unreachable No Error

  46. Counterexample Search
  • Produces concrete counterexamples
  • Contribution: Only explores failed proof
    • Finds counterexamples that would cause this particular proof failure
  • Contribution: Relies on SMT solver for unrolling
    • Property-guided, intelligent backtracking
    • Bit-precise memory model

  47. Contribution: Diagnosing Failure Start Verification Pick Abstraction Party!!! Success Attempt Proof Pick New Abstraction Failure Diagnose Failure Failure Fix Bug Find Counterexample Success

  48. Diagnosing the Failure
  Was the abstraction here responsible for failure?
  l = newListNode(newObj(), NULL); l = newListNode(newObj(), l); assume(l != NULL) n = l->next; free(l->data);

  49. Diagnosing the Failure
  Delete program before join point:
  l = newListNode(newObj(), l); assume(l != NULL) n = l->next; free(l->data);

  50. Diagnosing the Failure
  Synthesize program prefix that creates the abstract state precisely (non-deterministic data field): l = NULL; l = newListNode(*, l);
  Re-run counterexample search: l = newListNode(newObj(), l); assume(l != NULL) n = l->next; free(l->data);
  Error Found!
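The following is an added example, not code from the slides or from the authors' tool, that walks the example program of slide 12 through the counterexample search and diagnosis steps of slides 39 to 50 as an explicit-state search rather than an SMT query. The original prefix builds a list whose data fields are all freshly allocated; the synthesized prefix builds the abstract state "l … NULL" precisely, with the data field non-deterministic because the list abstraction kept no fact about it. Searching the concrete program within a bound finds no error, searching from the synthesized prefix finds one, which is the signal that the abstraction, not the program, caused the proof failure. The names (Heap, MemError, original_prefix, synthesized_prefix, free_loop, bounded_search, diagnose), the choice-bit oracle, and the constructed GARBAGE address standing in for "any value" are this example's own assumptions.

```python
# Added example (not from the slides): explicit-state counterexample search
# and abstraction-failure diagnosis for the deck's list example.  All names
# here are this example's own, not the authors' tool.
from itertools import product

NULL = 0
GARBAGE = 0xDEAD  # constructed address that is never allocated


class MemError(Exception):
    """Raised when the program frees or dereferences unallocated memory."""


class Heap:
    """Tiny object heap: every allocated object is a dict of fields."""

    def __init__(self):
        self.objs = {}
        self.next_addr = 1  # addresses 1, 2, 3, ...; 0 is NULL

    def alloc(self, **fields):
        a = self.next_addr
        self.next_addr += 1
        self.objs[a] = dict(fields)
        return a

    def load(self, a, field):
        if a not in self.objs:
            raise MemError(f"load {field} from unallocated address {a:#x}")
        return self.objs[a][field]

    def free(self, a):
        if a not in self.objs:
            raise MemError(f"free of unallocated address {a:#x}")
        del self.objs[a]


def new_obj(h):
    return h.alloc(payload=0)


def new_list_node(h, data, nxt):
    return h.alloc(data=data, next=nxt)


# The program from slide 12, split at the join point of the second loop.
def original_prefix(h, choose):
    """l = newListNode(newObj(), NULL); while(*) { l = newListNode(newObj(), l); }"""
    l = new_list_node(h, new_obj(h), NULL)
    while choose():
        l = new_list_node(h, new_obj(h), l)
    return l


def synthesized_prefix(h, choose):
    """Slide 50: build the abstract state 'l ... NULL' precisely.  The list
    abstraction kept nothing about the data fields, so each one is '*':
    l = NULL; repeat { l = newListNode(*, l); }  (at least one node)."""
    l = NULL
    while True:
        data = new_obj(h) if choose() else GARBAGE  # '*' : any value
        l = new_list_node(h, data, l)
        if not choose():
            return l


def free_loop(h, l):
    """while(l != NULL) { n = l->next; free(l->data); free(l); l = n; }"""
    while l != NULL:
        n = h.load(l, "next")
        h.free(h.load(l, "data"))
        h.free(l)
        l = n


def bounded_search(prefix, suffix, bound):
    """Bounded search over the non-deterministic choices made in `prefix`.
    Each run may consume at most `bound` choice bits; once they are used up
    choose() answers 0 (leave the loop).  Returns the first (choices, error)
    pair that reaches an error, or None if none exists within the bound."""
    for choices in product([0, 1], repeat=bound):
        bits = iter(choices)
        h = Heap()
        try:
            l = prefix(h, lambda: next(bits, 0))
            suffix(h, l)
        except MemError as e:
            return choices, str(e)
    return None


def diagnose(bound=4):
    """The decision sketched on slides 39-50: a concrete counterexample means
    a real bug; otherwise re-run the search from the synthesized prefix, and
    an error there means the abstraction lost the fact the proof needed."""
    if bounded_search(original_prefix, free_loop, bound) is not None:
        return "real bug: concrete counterexample reaches the error"
    if bounded_search(synthesized_prefix, free_loop, bound) is not None:
        return "abstraction failure: abstract state admits an error the program cannot reach"
    return "inconclusive within bound"


if __name__ == "__main__":
    print(bounded_search(original_prefix, free_loop, 4))
    print(bounded_search(synthesized_prefix, free_loop, 4))
    print(diagnose())
```

Two design points carry over from the deck. First, the search only follows the path of the failed proof (list construction, then the first `free(l->data)`), not the whole program, which is what keeps it cheap. Second, the synthesized prefix is exactly the abstract state and nothing more: any fact the abstraction dropped (here, that every data field is an allocated object) shows up as non-determinism, and an error reachable from there is evidence that the abstraction, not the code, needs refining.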
