Predicate abstraction with Minimum Predicates

1. Predicate abstraction with Minimum Predicates Sagar Chaki*, Ed Clarke*, Alex Groce*, Ofer Strichman** * Carnegie Mellon University ** Technion CHARME’03

2. Overview of MAGIC • SpecificationS expressed using Labeled Transition Systems (LTS) • ModelM extracted from C programs using predicate abstraction(LTS) • Checks if Sweakly simulates M • For this talk consider trace containment • Supports most but not all of ANSI-C • Pointers are handled by abstraction • Recursion disallowed

3. Predicate abstraction int x,y L0: x = 1; L1: y = 1; L2: if (x == y) L3: y = 1; L4: else y = 2; Control Flow Automaton

4. Predicate abstraction Control Flow Automaton Predicate inference

5. Predicate abstraction Predicate inference Abstract model

6. No More predicates Counter Example P = P ’ Yes Refinement Counterexample concrete? No Counter Example Guided Abstraction Refinement Model M Yes Predicate Abstraction Model Checking Property  Abstract Model predicates P

7. CE1: (B == 0) or (A==0) CE2: (C == 0) or (A==0) CE1 CE2 Example A = 0; if(A == 0) No B = 0; Existing methods accumulate predicates: Ideally we should choose (A == 0) if(B == 0) No Yes ERROR C = 0; if(C == 0) No ERROR

8. Optimization Problem • Given a set of Candidate Predicates CP, find a minimal subset pµCP s.t. A(M,CP) ² ! A(M,p) ² • If -- no predicates are necessary. Only luck… • If -- not relevant

9.  T Counter Example Guided Abstraction Refinement Model M Yes Predicate Abstraction Model Checking Property  Abstract Model predicates P No Counter Example  More Predicates P = P ’ Yes Refinement Counterexample concrete? No

10.  T Counter Example Guided Abstraction Refinement Model M Yes Predicate Abstraction Model Checking Property  Abstract Model predicates P No Counter Example  Different Predicates P = P ’ Yes Refinement Counterexample concrete? No

11. CP = Candidate Predicates Yes  concrete Fail No Yes P == CP Undecided No T = T[ possible Impossible Find minimal P2CP that eliminates T Algorithm Sample and Eliminate P = Yes Pass A(M,P)² Counter- example No

12. Minimization problem • Given • a set of spurious traces T • A set of candidate predicates CP • Find the smallest subset p2CP that eliminates all traces in T • (If impossible return ‘undecided’)

13. Solution with 0-1 ILP (or PBS) First… • Derive a mapping from each trace t2 T to the set of sets of predicates in CP that eliminate it Second… • Encode each predicate p2CP with a Boolean variable pb

14. Solution with 0-1 ILP (or PBS) Third… • Derive  s.t. every satisfying assignment to  corresponds to a set of predicates that eliminate T. Fourth… • Among all satisfying assignments, find the one that minimizes the number of selected predicates (min pb)

15. Solution with 0-1 ILP (or PBS) • Example • Let {p1,p3},{p2,p3,p5} be the set of sets of predicates that eliminate t1 • Let {p2,p3},{p3,p4,p7} be the set of sets of predicates that eliminate t2 Min  pi s.t. t1: ((p1Æp2) Ç (p2Æp3Æp5)) Æ t2: ((p2Æp3) Ç (p3Æp4Æp7))

16. Avoiding an exponential no. of constraints • Try only combinations up to size k • In almost all examples we tried, counterexample traces could be eliminated with individual predicates. • Use data flow analysis and only combine branches that are related

17. Experiments • Open SSL - 20 properties of the Handshake mechanism of Open SSL. • On average 350 lines of C code per property after slicing • 5 examples from the BLAST benchmark set

18. Comparison with BLAST • BLAST applies Lazy Abstraction • Lazy abstraction is orthogonal to predicate minimization • BLAST looks for fix point of the loops (for a given set of predicates) with theorem prover calls • Magic unrolls loops up to a given bound (Conclusion: Not an entirely fair comparison)

19. Results (time in sec.)

20. Results (time in sec.)

21. Results (time in sec.)

22. Number of predicates

23. Memory (MB)