1 / 23

Predicate Abstraction for Software Verification

Predicate Abstraction for Software Verification. Cormac Flanagan Shaz Qadeer. Verifying a Procedure. Given: Precondition Postcondition Loop Invariants specified for all loops Generate a Logical Formula (F) for the procedure And, Prove (using a decision Procedure)

gabi
Download Presentation

Predicate Abstraction for Software Verification

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Predicate Abstraction for Software Verification Cormac Flanagan Shaz Qadeer

  2. Verifying a Procedure • Given: • Precondition • Postcondition • Loop Invariants specified for all loops • Generate a Logical Formula (F) for the procedure • And, Prove (using a decision Procedure) • Precondition && F => Postcondition

  3. This paper… • Specifying Pre & Post conditions of procedures is a useful documentation. • Specifying Loop Invariants is tedious and difficult (and “useless”) • Infer Loop Invariants, using Predicate Abstraction

  4. Outline of Presentation • Symbolic Simulation using Strongest Postconditions • Assuming Loop Invariants are given • Infer Loop Invariants using Predicate Abstraction

  5. Symbolic Simulation

  6. Symbolic Simulation • Convert Java to a Guarded Command Language • Starting from the Precondition, determine the Strongest Postcondition

  7. Strongest Postconditions • Given Q a formula, S a statement • Norm(Q,S) • Given that Q is true before S • Norm(Q,S) is true after Normal Execution of S • Wrong(Q,S) • Given that Q is true before S • Wrong(Q,S) is true when S fails

  8. Strongest Postcondition Semantics • Norm(Q, assert P) = Q && P • Wrong(Q, assert P) = Q && !P • When assert P fails we know !P is true • Norm(Q, assume P) = Q && P • Wrong(Q, assume P) = false • assume P never fails

  9. Strongest Postcondition Semantics (2) • Norm(Q,A;B) = Norm(Norm(Q,A), B) • Norm(Q, A;B) • Norm(Q,A) is true after A • This is the Precondition for B • Wrong(Q,A;B) • Either A fails => Wrong(Q,A) is true • Or A succeeds but B fails => Wrong(Norm(Q,A), B) is true • Wrong(Q,A;B) = Wrong(Q,A) || Wrong(Norm(Q,A), B)

  10. Strongest Postcondition Semantics (3) • Norm(Q, AB) = Norm(Q,A) || Norm(Q,B) • Wrong(Q, AB) = Wrong(Q,A) || Wrong(Q,B) • If(e) x:=y+1 else x:=y+2 • => (assume e; x:=y+1)  (assume !e; x:=y+2) • Norm: e && x=y+1 || !e && x=y+2

  11. Strongest Postcondition Semantics (4) • Assignments • Wrong(Q, x:=e) is false • As assignments can never fail • Norm(Q, x:=e) • Introduce x’ to represent old value of x • Replace all occurrences of x in Q, e with x’ • After the assignment Q is true and x=e is true • Norm: x’. x = e(x  x’) && Q(x  x’)

  12. Strongest Postcondition Semantics (5) • For While loops • Requires the loop invariant, I • Replace the while loop with its Desugar. • I: (i<=n) while( i < n ) { i := i+1; } • assert I; i = y; assume I; ( (assume i<n; i:=i+1; assert I; assume false) assume !(i < n))

  13. Strongest Postcondition Semantics (6) • Norm of the desugar: • i’.i’<=n && (i<=n) && !(i<n) • Loop Inv holds at the beginning • Loop Inv and !(Loop Condn) holds at the end • Wrong of the desugar: • !(i<=n) || i’.i’<=n && i”.i”<n && i=i”+1 && !(i<=n) • Loop Inv fails at the beginning • Loop Inv fails at the end of the loop body

  14. Predicate Abstraction

  15. i=0; n=100 T, F, T i=1; n=100 F, F, T i=2; n=100 F, T, F i=99; n=100 i=100; n=100 Predicate Abstraction Example n := 100; i := 0; while( i < n ) { i := i+1; } Predicates: i=0 i=n i<n

  16. Predicate Abstraction • Given a Concrete System of states. • Use a Set of n Predicates Pi to map a concrete state to an abstract state • An abstract state contains n bits • Bit i represents if Pi is true/false in that state • Set of Concrete states Mapped to a Set of Abstract states ( == Boolean Function)

  17. Using Predicate Abstraction to find the Loop Invariant • Think of the loop body as a “transition” fn. • Starting with a set of concrete states, • Symbolically execute the loop, • Combine the new states with the init states • Repeat till you reach a fixed point = Set of all “reachable” concrete states • Doing the iteration in finite Abstract domain guarantees termination • Loop Invariant = Strongest Predicate true for all reachable concrete states.

  18. Predicate Abstraction Algorithm •  - Abstraction function •  - Concretization function (the inverse) • C; while e do B end; • r = ( Norm(true, C) ) • Do(Till Fixed Point of r ){ Current Concrete Set J =  ( r ) Symbolically Execute: C; Havoc(targets(B)); assume e && J; B Let Q be the new Concrete Set r = r ||  ( Q ) }

  19. Problems with Predicate Abstraction • Determining the set of Predicates is key • Expensive • Exponential Calls to a Decision Procedure • Each call might take (super) exponential time • Abstraction is conservative • Property P holds in AbsDomain • Concrete version of the P holds in ConcDomain • If P does not hold in AbsDomain • P may or may not hold in ConcDomain • Difficult to debug if the program has bugs.

  20. Heuristics to Pick Predicates • For reference p, p != null • For an integer i, i is increasing/decreasing • For skolemized constant sc, 0 <= sc, sc < i, a[sc] != null • Not sure if it works for anything other than the examples.

  21. Optimize Calls to the Decision Procedure • Query for maximal clause m, only if implied by r • Find strongest clause c, that is implied by r • A divide and conquer algorithm that “works in practice”

  22. Results • Seemingly (??) better than previous approaches • Predicate Guessing works for 90% of 396 loops in Javafe benchmark

  23. Conclusion • Problems with the paper • Alias Analysis? • Interprocedural Analysis? • Do not mention any domain where their approach holds

More Related