1 / 23

Predicate Abstraction of ANSI-C Programs Using SAT

Predicate Abstraction of ANSI-C Programs Using SAT. By Edmund Clarke, Daniel Kroening, Natalia Shar y gina, Karen Yorav Presented by Yunho Kim Provable Software Lab, KAIST. Introduction Preparation of C code Abstraction using SAT Model checking Conclusion. Contents.

lang
Download Presentation

Predicate Abstraction of ANSI-C Programs Using SAT

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Predicate Abstraction of ANSI-C Programs Using SAT By Edmund Clarke, Daniel Kroening, Natalia Sharygina, Karen Yorav Presented by Yunho Kim Provable Software Lab, KAIST

  2. Introduction Preparation of C code Abstraction using SAT Model checking Conclusion Contents Predicate Abstraction of ANSI-C Programs Using SAT, Yunho Kim, Provable Software Lab, KAIST

  3. A simple C code has too many states for exhaustive analysis However, what we really need is ‘x is 0 or not’, not the concrete value of x Introduction(1/3) Final Example(unsigned int x) L1: while(x>1) { L2: if (x%2 == 1) L3: x = 3*x+1; else L4: x = x/2; } L5: assert(x != 0); L5 L4 Program Counter … L3 L2 L1 0 1 2 … Initial Value of x Predicate Abstraction of ANSI-C Programs Using SAT, Yunho Kim, Provable Software Lab, KAIST

  4. Predicate is a function which returns a Boolean value • A function π: X→ {true, false} is a predicate on X • States satisfying same predicates are equivalent Introduction(2/3) π=true L5 π = true L4 Program Counter … L3 Predicate Abstraction L2 π = false L1 0 1 2 … π = false Value of x π⇔ (x = 0) Predicate Abstraction of ANSI-C Programs Using SAT, Yunho Kim, Provable Software Lab, KAIST

  5. Overview of predicate abstraction process Introduction(3/3) Boolean Program C program Predicate Abstraction Model Checking φ true Spec φ φ Predicate Refinement φ false + Spurious? Spurious Counterexample counterexample Today’s focus: How to make a Boolean program effectively and efficiently from a given C program and a set of predicates Predicate Abstraction of ANSI-C Programs Using SAT, Yunho Kim, Provable Software Lab, KAIST

  6. Introduction Preparation of C code Abstraction using SAT Model checking Conclusion Contents Predicate Abstraction of ANSI-C Programs Using SAT, Yunho Kim, Provable Software Lab, KAIST

  7. Preparation of C code(1/3) Concrete transition (basic block) Concretenext state Concretestate Abstraction function (predicates) Abstraction function (predicates) Abstractstate Abstractnext state Abstract transition Predicate Abstraction of ANSI-C Programs Using SAT, Yunho Kim, Provable Software Lab, KAIST

  8. Transform C program into goto-program • Function inlining • Recursion is not supported • Loop is rewritten using if and goto statements • Side-effects are removed • x = 5+(++i); Preparation of C code(2/3) i = i+1; x = 5+i; Predicate Abstraction of ANSI-C Programs Using SAT, Yunho Kim, Provable Software Lab, KAIST

  9. goto-program example Preparation of C code(3/3) C program 1. int global; 2. intfunc(){ 3. global = 1; 4. } 5. 6. int main(){ 7. int x, i; 8. func(); 9. if ((x = 5+(++i))){ 10. global = 2; 11. } 12. else{ 13. global = 3; 14. } 15. } goto-program 1. int global; 2. int x, i; 3. global = 1; 4. i = i+1; 5. x = 5+i; 6. if (!x) goto L1; 7. global = 2; 8. goto L2; 9. L1: global = 3; 10. L2: Predicate Abstraction of ANSI-C Programs Using SAT, Yunho Kim, Provable Software Lab, KAIST

  10. Introduction Preparation of C code Abstraction using SAT Model checking Conclusion Contents Predicate Abstraction of ANSI-C Programs Using SAT, Yunho Kim, Provable Software Lab, KAIST

  11. Definition • v is the vector of all concrete program variables v • v is a state of a concrete program • Program counter is considered as a variable • b denotes the vector of all Boolean variables b • b is a state of a Boolean program • Each predicate πi is associated with a Boolean variable bi • π denotes the vector of predicates πi • π(v) is called the abstraction function, π(v) = b Abstraction using SAT(1/9) Predicate Abstraction of ANSI-C Programs Using SAT, Yunho Kim, Provable Software Lab, KAIST

  12. Definition (con’t) • Tis a concrete transition relation which maps a concrete state v into a concrete next state v’ • B is an abstract transition relation which maps an abstract state b into an abstract next state b’ Abstraction using SAT(2/9) Predicate Abstraction of ANSI-C Programs Using SAT, Yunho Kim, Provable Software Lab, KAIST

  13. Abstraction using SAT(3/9) Concrete transition (basic block) Concretestate Concretenext state PC=L4, x = 3 PC’=L1, x’ = 1 Abstraction function (predicates) Abstraction function (predicates) π⇔ (x = 0) π⇔ (x = 0) b = false b = false Example(unsigned int x) L1: while(x>1) { L2: if (x%2 == 1) L3: x = 3*x+1; else L4: x = x/2; } L5: assert(x != 0); Abstractnext state Abstractstate Abstract transition Predicate Abstraction of ANSI-C Programs Using SAT, Yunho Kim, Provable Software Lab, KAIST

  14. First defines the concrete transition relation of a basic block • Each basic block consists of a sequence of assignments • Therefore do not consider control statements here • T denotes the CNF formula representing the concrete transition relation Abstraction using SAT(4/9) Predicate Abstraction of ANSI-C Programs Using SAT, Yunho Kim, Provable Software Lab, KAIST

  15. Translates a basic block into its Static Single Assignment(SSA) form Each v’ in v’ is the largest numbered SSA variable Abstraction using SAT(5/9) SSA form v[x:=x0, y:=y0, z:=z0] x1 = z0 * x0; y1 = x1 + 1; x2 = x1 + y1; v’[x’:=x2, y’:=y1, z’:=z0] Basic block x = z * x; y = x + 1; x = x + y; CNF formula T(v, v’) Predicate Abstraction of ANSI-C Programs Using SAT, Yunho Kim, Provable Software Lab, KAIST

  16. Assignments and arithmetic operations are translated into CNF formula Assume that x,y,z are three bits positive integers represented by propositions x0x1x2, y0y1y2, z0z1z2 C z=x+y (z0(x0⊕y0)⊕( (x1∧y1) ∨ ((x1⊕y1)∧(x2∧y2))) ∧ (z1(x1⊕y1)⊕(x2∧y2)) ∧ (z2(x2⊕y2)) Abstraction using SAT(6/9) Predicate Abstraction of ANSI-C Programs Using SAT, Yunho Kim, Provable Software Lab, KAIST

  17. The abstract transition relation B(b, b’) is defined using π as follows: Abstraction using SAT(7/9) Predicate Abstraction of ANSI-C Programs Using SAT, Yunho Kim, Provable Software Lab, KAIST

  18. Example Abstraction using SAT(8/9) SAT formula (b1(e0≥0))∧(b2(e0≤100))∧ d1=e0 ∧ e1=e0+1 ∧ (b1’=(e1≥0))∧(b2’=(e1≤100)) Basic block d = e; e = e+1; SSA form v[d:=d0, e:=e0] d1 = e0 e1 = e0+1 v’[d’:=d1, e’:=e1] Predicates: π1 = e ≥ 0 π2 = e ≤ 100 All satisfying assignments obtained using SAT solver Predicate Abstraction of ANSI-C Programs Using SAT, Yunho Kim, Provable Software Lab, KAIST

  19. The condition in if statement can be a predicate Abstraction using SAT(9/9) SAT formula b1x0<2 ∧ x1=0 ∧ b1’  x1<2 ∧ Predicate: π1 = x < 0 Control statement x = 0; if (x<2) x = x+1; b1’x1<2 ∧ x2=x1+1 ∧ b1’’ x2<2 ┐(b1’x1<2)∧ x2=x1∧ b1’’=b1’ ∨ Predicate Abstraction of ANSI-C Programs Using SAT, Yunho Kim, Provable Software Lab, KAIST

  20. Introduction Preparation of C code Abstraction using SAT Model checking Conclusion Contents Predicate Abstraction of ANSI-C Programs Using SAT, Yunho Kim, Provable Software Lab, KAIST

  21. Model checker tries to find a counterexample of the generated Boolean program model. • If no counterexample is found, the concrete program satisfies given requirements. • If a counterexample is found, check its feasibility • If the counterexample is infeasible, refine predicates and re-run predicate abstraction process Model checking(1/1) Predicate Abstraction of ANSI-C Programs Using SAT, Yunho Kim, Provable Software Lab, KAIST

  22. Predicate abstraction using SAT performs better than theorem provers • It can use sound abstraction with the power of SAT solver Conclusion(1/1) Predicate Abstraction of ANSI-C Programs Using SAT, Yunho Kim, Provable Software Lab, KAIST

  23. Predicate abstraction of ANSI-C Programs Using SAT by Edmund Clarke, Daniel Kroening, Natasha Sharygina and Karen Yorav in Formal Methods in System Design, Vol. 25, pp. 105-127, 2004 References(1/1) Predicate Abstraction of ANSI-C Programs Using SAT, Yunho Kim, Provable Software Lab, KAIST

More Related