1 / 31

Abstractions From Proofs Presented in POPL’04

Abstractions From Proofs Presented in POPL’04. Authors: Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar and Kenneth L. McMillan Presented by: Yael Meller June 2008. true. 1: while(*) { 2: if(p 1 ) 3: lock(); 4: if(p 1 ) 5: unlock(); 6: if(p 2 )

kasimir-steele
Download Presentation

Abstractions From Proofs Presented in POPL’04

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Abstractions From ProofsPresented in POPL’04 Authors: Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar and Kenneth L. McMillan Presented by: Yael Meller June 2008

  2. true 1: while(*) { 2: if(p1) 3: lock(); 4: if(p1) 5: unlock(); 6: if(p2) 7: lock(); 8: if(p2) 9: unlock(); … 4n-2: if(pn) lock(); 4n-1: if(pn) unlock(); } return p1 5 2 ret 3 1 6 4 ┐p1 lock() p1 ┐p1 unlock() Program abstraction true

  3. Main obstacle when using CEGAR • Analyze a false negative efficiently: Learn a small set of predicates eliminating spurious counterexample.

  4. 8 ret 5 7 6 4 3 2 assume p1; lock(); assume !p1; assume p2; lock(); Predicate abstraction example 1 true • Goal: check whether locking and unlocking alternate. • Try #1: • Analyze counterexample: • Spurious! • Need to track predicate p1. p1 ┐p1 lock() p1 ┐p1 unlock() p2 ┐p2 lock()

  5. 6 8 7 6 3 2 2 4 ret 5 3 7 8 5 4 Predicate abstraction example 1 true true p1 p1 p1 p1 p1 p1 p1 lock() lock() p1 p1 p1 p1 p1 p1 p1 unlock() unlock() p1 p2 p1 p2 p2 p1 p2 p1 lock() lock() p1 p1

  6. Reminder - Interpolant • Interpolant definition: then • and

  7. Paper’s main contributions • Interpolants from unsatisfiability proof of a formula -+. • Local predicates from interpolants

  8. M and  generateinitial abstraction Mh Mh|=  model check Mh|= generate counterexample Th stop refinement Th Th check spurious counterexample Th is not spurious is spurious Outline of method refinement Trace formula Prove trace formula Formula unsatisfiable: Th is spurious. generate local predicates Formula satisfiable: Th is not spurious

  9. 1: x:=ctr; 2: ctr:=ctr+1; 3: y:=ctr; 4: assume(x=m); 5: assume(y≠m+1); <x,1>=<ctr,0> <ctr,1>=<ctr,0>+1 <y,2>=<ctr,1> <x,1>=<m,0> <y,2>≠<m,0>+1 Build trace formula Abstract trace Constraints (SSA) Conjunction of constraints is the trace formula.

  10. 1: x:=ctr; 2: ctr:=ctr+1; 3: y:=ctr; 4: assume(x=m); 5: assume(y≠m+1); <x,1>=<ctr,0> <ctr,1>=<ctr,0>+1 <y,2>=<ctr,1> <x,1>=<m,0> <y,2>≠<m,0>+1 Check trace formula • User theorem prover on trace formula • Prove unsatisfiable – returns proof. • No proof of unsatisfiablity – concrete trace. Abstract trace Constraints

  11. Splitting the trace • - first 2 constraints: • - last 3 constraints: • Interpolant according to proof : • Replace constants with variables:

  12. Predicates from interpolants • : over-approximation of reachable states. • : no continuation of the trace from any state satisfying • can be used as a predicate. • should be used at location 2.

  13. 1: x:=ctr; 2: ctr:=ctr+1; 3: y:=ctr; 4: assume(x=m); 5: assume(y≠m+1); <x,1>=<ctr,0> <ctr,1>=<ctr,0>+1 <y,2>=<ctr,1> <x,1>=<m,0> <y,2>≠<m,0>+1 x=ctr x=ctr-1 x=y-1 y=m+1 Predicates from interpolants Predicates Infeasible trace Constraints

  14. 1 2 3 ... 5 … 4 1: x:=ctr; 2: ctr:=ctr+1; 3: y:=ctr; 4: assume(x=m); 5: assume(y≠m+1); Adding predicates from interpolants - example x:=ctr ctr:=ctr+1 y:=ctr x=m x≠m y≠m+1 y=m+1 ERR

  15. 4 1 2 3 ... 5 … 1: x:=ctr; 2: ctr:=ctr+1; 3: y:=ctr; 4: assume(x=m); 5: assume(y≠m+1); x=ctr x=ctr-1 x=y-1 y=m+1 Adding predicates from interpolants - example x:=ctr ctr:=ctr+1 x=ctr y:=ctr x=ctr-1 x=y-1 x=m x≠m y=m+1 y≠m+1 y≠m+1 y=m+1 ERR ERR

  16. What do we have so far? Create trace formula from counterexample If trace infeasible - get unsatisfiablity proof Split trace formula at cut-points Missing: derive interpolant from proof Learn local predicates from interpolants based on different cuts

  17. Interpolants from proofs • Use theorem prover to generate refutations. • Formulas given in quantifier-free fragment of first-order logic of linear equality. e.g. • Denote:

  18. The proof system

  19. Proof example This is a refutation proof

  20. Proof structure (HYP,COMB)* Inequality layer RES* Boolean layer CONTRA

  21. Inequality interpolated sequent • (-+) |= (0≤)[0≤’] • - |= (0≤ ’) • + |= (0≤-’) • for all variables +, the coefficients of in  and ’ are the same. • If (0≤) is false then (0≤’) is an interpolant

  22. Inequality interpolated sequent: • - |= (0≤ ’) • + |= (0≤-’) • for all variables +, the coefficients of in  and ’ are the same. Extracting interpolated sequents from proof or

  23. Inequality interpolated sequent: • - |= (0≤ ’) • + |= (0≤-’) • for all variables +, the coefficients of in  and ’ are the same. Extracting interpolated sequents from proof

  24. Prove soundness • - |= (0≤ c1’+c2’) We know: - |= 0≤’ and - |= 0≤’ Apply COMB with c1 and c2 • + |= (0≤ c1+c2- c1’-c2’) We know: + |= (0≤ -’) and + |= (0≤ -’) Apply COMB with c1 and c2 • For all variables +, the coefficients of v in ,’ and , ’ are the same.

  25. Clause interpolation sequence • (-+) |= [] • - |= (\+) • +  |= (+) •  + • If  is false then  is an interpolant

  26. Extracting interpolated sequents from proof

  27. Prove soundness • - |= (\+) in CONTRA: - |= a1…ak • a1…ak|= • +,  |= (+) in CONTRA: +,  |= b1…bm • b1…bm|=(0≤-1) thus |= b1…bm •  + : coefficients equality in -1 and ’ for + • Inequality interpolant sequent • A |= (0≤ ’) • B |= (0≤-’) • For all variables B, the coefficients of v in  and ’ are the same.

  28. Extracting interpolated sequents from proof or

  29. Extracting interpolated sequents from proof - example 0≤-1 is equivalent to false, Thus: 0≤z-x is an interpolant for -+

  30. M and  generateinitial abstraction Mh Mh|=  model check Mh|= generate counterexample Th stop refinement Th Th check spurious counterexample Th is not spurious is spurious Conclusion refinement Trace formula Prove trace formula Formula unsatisfiable: Th is spurious. generate local predicates Formula satisfiable: Th is not spurious

  31. THE END Thank You!

More Related