250 likes | 366 Views
Thomas Wies Institute of Science and Technology (IST) Austria joint work with Andreas Podelski University of Freiburg. Counterexample-Guided Focus. TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A A A A A A A A A. e. c. prev. next. Motivation.
E N D
Thomas Wies Institute of Science and Technology (IST) Austria joint work with Andreas Podelski University of Freiburg Counterexample-Guided Focus TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAAAAAAAAA
e c prev next Motivation Verify complex properties of heap-manipulating programs public void filter(Predicate p) /*: requires "p null" modifies content ensures "content = old content Å (pred p)" */ { Node e = root; while (e != null) { Node c = e; e = e.next; if (!p.contains(c.data)) { if (c.prev == null) { e.prev = null; root = e; } else { c.prev.next = e; e.prev = c; } } } root p next prev Quantified properties • data structure invariants 8 x. next(prev(x)) = x • functional correctness 8 x. next*(root,x) $ (old next)*(root, x)Æ x 2 pred(p) p next :p prev p
Verification of Safety Properties state space safe invariant reachable states error states
Software Model Checking Existing tools: SLAM, BLAST, ARMC, MAGIC, … state space reachable states P1ÆP2Æ… • generic approach • offers high degree of automation(through use of automated reasoning techniques) error states P1´ x·0 P2´ y>0 …
reachable states reachable states error states error states The Eternal Quest for the Right Precision/Efficiency Tradeoff Crucial problem in the verification of heap programs.
Goal: Adapted Abstraction Fine-tune precision to the specific verification task. reachable states error states
Boolean Heaps [Podelski, Wies SAS’05] Use idea of [Sagiv, Reps, Wilhelm 2002]: Partition heap according to a finite set of predicates. 0 7 3
0 7 3 5 Boolean Heaps Use idea of [Sagiv, Reps, Wilhelm 2002]: Partition heap according to a finite set of predicates. Abstract state Abstract domain disjunctions of abstract states
Abstr. transformer for loop Most Precise Abstract Transformer
Abstr. transformer for loop Inductive invariant for Most Precise Abstract Transformer Verification succeeds!
Precision-Efficiency Tradeoff Number of abstract states is doubly-exponential in number of predicates reachable states Most precise abstract transformer is impractical • expensive to construct • keeps track of irrelevant information Solution: apply additional abstraction error states
Cartesian Abstraction for abstracting sets of vectors y Sy S Sx£ Sy x Sx ..., [Cousot, Cousot PPCA’95], [Ball, Podelski, Rajamani TACAS’01],…
Cartesian Abstraction • abstract states are sets of bit-vectors • Cartesian abstraction applies • abstr. transformer w/ Cartesian abstraction is efficiently implementable: • check entailments between QF formulas • number of entailment checks polynomial in number of predicates • precise enough for many practical examples • not precise enough for many practical examples
Inductive invariant for Inductive invariant for Verification succeeds! Verification fails! Abstract Transformer with Cartesian Abstraction 3 7 , 0 7
Focus Common recipe in shape analysis • start from coarse but efficient abstract transformer • adapt precision to each individual program statement and individual data structures (partial concretization / materialization /focus) Problem Fine-tuning precision uniformly makes analysis again too precise (i.e., often inefficient) Exciting research direction Parameterized focus that adapts abstract transformer to the individual verification tasks e.g. [Manevich et al., 2004, 2007, 2009]
Counterexample-Guided Focus Idea: take this direction to its logical extreme Fine-tune focus to the individual steps of the analysis of the individual verification task This fine-tuning must be automated. We use counterexamples for this purpose.
Loss of Precision under Cartesian abstraction y splitting is guided by counterexamples S Sy Sx£ Sy x Sx
Inductive invariant for Inductive invariant for Verification succeeds! Verification fails! Effect of Counterexample-Guided Focus 3 7 0 7
Nested Lazy CEGAR Loop • outer looprefinesabstract domain by inferring new predicates • inner loopfine-tunes abstract transformer using counterexample-guided focus Progress theorem: every spurious counterexample is eventually eliminated
root 6 9 3 5 1 first 4 Implementation in the Tool Bohne Verified data structure implementations: • (doubly-linked) lists • lists with iterators • sorted lists • skip lists • search trees • trees w/ parent pointers • threaded trees
root 6 9 3 5 1 first 4 Implementation in the Tool Bohne Verified properties: • absence of runtime errors • shape invariants • acyclic • sharing-free • doubly-linked • parent-linked • threaded • sorted … • partial correctness Summary of Experiments • no manual adaptation of abstract domain / abstract transformer required • many examples fail without counterexample-guided focus • number of explored abstract states is drastically reduced
Further Related Work Shape analysis • three-valued shape analysis [Sagiv, Reps, Wilhelm 2002] • decision procedures in TVLA [Yorsh et al. 2004, …, Lev-Ami et al. 2006] • parameterized focus for concurrent programs [Manevich et al., 2004, 2007, 2009] • … Predicate abstraction • CE-guided refinement of abstract transformers [Das, Dill 2002] • nested refinement for predicate abstraction [Ball et al. 2004] • indexed predicate abstraction [Lahiri, Bryant 2004] • lazy abstraction [Henzinger et al. 2002] • lazy shape analysis [Beyer et al. 2006] Interpolants • quantified Craig interpolants [McMillan 2008, Kovács, Voronkov 2009] • abstractions from proofs [Henzinger et al. 2004] Template-based techniques [Gulwani et al. 2008, Srivastava, Gulwani 2009]
Conclusion Focus and CEGAR can be fruitfully integrated to enhance one another • Focus can be made effective in a CEGAR setting • CEGAR lazily applies focus • CEGAR drives fine-tuning of focus to the extreme • CEGAR can be made effective for inferring quantified invariants because • focus providesprogress of CEGAR and • focus provides precision needed for verifying practical examples
Counterexample-Guided Focus • analysis of abstract program produces spurious counterexamples • spuriousness results from imprecise abstract transformer • construct fine-tuned focus operator that locally adapts precision of abstract transformer • locally refine the abstract domain of the pre-image of the abstract transformer • locally refine the pre-image itself by splitting disjuncts below and above the universal quantifier • both refinements are guided by the spurious counterexample
Costs and Gains of Automation Comparison between TVLA and Bohne for various list-manipulating programs • Checked properties: • absence of runtime errors • preservation of list structure (acyclicity, sharing freeness)