1 / 36

Software Verification using Predicate Abstraction and Iterative Refinement: Part 1

Software Verification using Predicate Abstraction and Iterative Refinement: Part 1. 15-414 Bug Catching: Automated Program Verification and Testing Sagar Chaki November 28, 2011. Outline. Overview of Model Checking Creating Models from C Code: Predicate Abstraction

oya
Download Presentation

Software Verification using Predicate Abstraction and Iterative Refinement: Part 1

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Software Verification using Predicate Abstraction and Iterative Refinement: Part 1 15-414 Bug Catching: Automated Program Verification and Testing Sagar Chaki November 28, 2011

  2. Outline • Overview of Model Checking • Creating Models from C Code: Predicate Abstraction • Eliminating spurious behaviors from the model: Abstraction Refinement • Concluding remarks : research directions, tools etc.

  3. Model Checking • Algorithm for answering queries about behaviors of state machines • Given a state machine M and a query  does M² ? • Standard formulation: • M is a Kripke structure •  is a temporal logic formula • Computational Tree Logic (CTL) • Linear Temporal Logic (LTL) • Discovered independently by Clarke & Emerson and Queille & Sifakis in the early 1980’s

  4. Scalability of Model Checking • Explicit statespace exploration: early 1980s • Tens of thousands of states • Symbolic statespace exploration: millions of states • Binary Decision Diagrams (BDD) : early 1990’s • Bounded Model Checking: late 1990’s • Based on propositional satisfiability (SAT) technology • Abstraction and compositional reasoning • 10120 to effectively infinite statespaces (particularly for software)

  5. if (x) x=0 y=0 x=1 y=0 no yes y = x y = x + 1 x=1 y=0 x=0 y=0 … x=1 y=1 assert (y) x=0 y=1 Models of C Code • if (x) { • y = x; • } else { • y = x + 1; • } • assert (y); Infinite State Program: Syntax Control Flow Graph Model: Semantics

  6. Existential Abstraction • Partition concrete statespace into abstract states • Each abstract state S corresponds to a set of concrete states s • We write (s) to mean the abstract state corresponding to s • We define (S) = { s | S = (s) } • Fix the transitions existentially • S!S’, 9s2 (S) . 9s’2 (S’) . s!s’ • S!S’( 9s2 (S) . 9s’2 (S’) . s!s’ • Existential Abstraction is conservative [ClarkeGrumbergLong94] • If a ACTL* property holds on the abstraction, it also holds on the program • LTL is a subset of ACTL* • However, the converse is not true: a property that fails on the abstraction may still hold on the program • Existential abstraction can be viewed as a form of abstract interpretation Strong & sometimes not computable Weak: computable

  7. Abstract Transition Example of Existential Abstraction Abstract Initial State Concrete Initial State Concrete State 6 2 8 Abstract State 1 5 9 Concrete Transition 3 Abstractly Reachable but Concretely Unreachable 4 10 7 Abstractly and Concretely Unreachable

  8. Abstract Transition Example of Existential Abstraction Concrete State Abstract State Concrete Transition Abstractly Reachable but Concretely Unreachable p Abstractly and Concretely Unreachable G(: p)

  9. Predicate Abstraction if (x) no yes Partition the statespace based on values of a finite set of predicates on program variables y = x y = x + 1 assert (y)

  10. :P P States where y  0 States where y = 0 Predicate Abstraction  = G(: ERROR) if (x) no yes y = x y = x + 1 assert (y) ERROR P ( y == 0 )

  11. Predicate Abstraction if (x) Call SAT Checker no yes y = x y = x + 1 assert (y) ERROR :P P States where y  0 P ( y == 0 ) States where y = 0

  12. Predicate Abstraction SAT Checker Query: y  0  x = 0  x’ = x  y’ = y  y’  0 SAT Checker Answer: SAT and here’s a solution x=0, y=1, x’=0, y’=1 if (x) x=0 y=1 no yes y = x y = x + 1 x=0 y=1 assert (y) :P States where y  0 P ( y == 0 )

  13. Predicate Abstraction SAT Checker Query: y  0  x  0  x’ = x  y’ = y  y’  0 SAT Checker Answer: SAT and here’s a solution x=1, y=1, x’=1, y’=1 if (x) x=1 y=1 no yes y = x y = x + 1 x=1 y=1 assert (y) :P States where y  0 P  ( y == 0 )

  14. Predicate Abstraction SAT Checker Query: y  0  x’ = x  y’ = x+1  y’  0 SAT Checker Answer: SAT and here’s a solution x=1, y=1, x’=1, y’=2 if (x) no yes y = x y = x + 1 x=1 y=1 assert (y) x=1 y=2 :P States where y  0 P ( y == 0 )

  15. Predicate Abstraction SAT Checker Query: y  0  x’ = x  y’ = x  y’  0 SAT Checker Answer: SAT and here’s a solution x=1, y=1, x’=1, y’=1 if (x) no yes y = x y = x + 1 x=1 y=1 assert (y) x=1 y=1 :P States where y  0 P ( y == 0 )

  16. Predicate Abstraction No predicates about x if (x) no yes y = x y = x + 1 assert (y) ERROR :P P States where y  0 P ( y == 0 ) States where y = 0

  17. Imprecision due to Predicate Abstraction • Counterexamples generated by model checking the abstract model may be spurious, i.e., not concretely realizable • Need to refine the abstraction iteratively by changing the set of predicates • Can infer new set of predicates by analyzing the spurious counterexample • Lot of research in doing this effectively • Counterexample Guided Abstraction Refinement (CEGAR) • A.K.A. Iterative Abstraction Refinement • A.K.A. Iterative Refinement

  18. Model Checking if (x) no yes y = x y = x + 1 assert (y) ERROR :P P  = G(: ERROR) P ( y == 0 )

  19. Model Checking if (x) no yes y = x y = x + 1 assert (y) ERROR :P P  = G(: ERROR) P ( y == 0 )

  20. Model Checking if (x) yes y = x assert (y) ERROR :P P P ( y == 0 )

  21. Counterexample Validation if (x) yes • Simulate counterexample symbolically • Call SAT Checker to determine if • the post-condition is satisfiable • In our case, Counterexample is spurious • New set of predicates {x==0,y==0} y = x assert (y)

  22. Counterexample Validation SAT Checker Query: x  0  y’ = x  y’ = 0 SAT Checker Answer: UNSAT and here’s an UNSAT core {x  0 , y’ = x , y’ = 0} if (x) yes y = x assert (y) • Used to derive new predicate (x=0) • Different heuristics used in practice

  23. Predicate Abstraction: 2nd Iteration if (x) no yes y = x y = x + 1 assert (y) P Q :P Q P :Q :P :Q x  0 y  0 P ( x == 0 ) Q ( y == 0 ) X = 0 y = 0

  24. Predicate Abstraction: 2nd Iteration if (x) no yes y = x y = x + 1 assert (y) ERROR ERROR P Q :P Q P :Q :P :Q x  0 y  0 P ( x == 0 ) Q ( y == 0 ) X = 0 y = 0

  25. Predicate Abstraction: 2nd Iteration if (x) no yes y = x y = x + 1 assert (y) ERROR ERROR P Q :P Q P :Q :P :Q x  0 y  0 P ( x == 0 ) Q ( y == 0 ) X = 0 y = 0

  26. Predicate Abstraction: 2nd Iteration if (x) no yes y = x y = x + 1 assert (y) ERROR ERROR P Q :P Q P :Q :P :Q x  0 y  0 P ( x == 0 ) Q ( y == 0 ) X = 0 y = 0

  27. Predicate Abstraction: 2nd Iteration if (x) no yes y = x y = x + 1 assert (y) ERROR ERROR P Q :P Q P :Q :P :Q x  0 y  0 P ( x == 0 ) Q ( y == 0 ) X = 0 y = 0

  28. Predicate Abstraction: 2nd Iteration if (x) no yes y = x y = x + 1 assert (y) ERROR ERROR P Q :P Q P :Q :P :Q x  0 y  0 P ( x == 0 ) Q ( y == 0 ) X = 0 y = 0

  29. Model Checking: 2nd Iteration if (x) no yes y = x y = x + 1 assert (y) ERROR ERROR SUCCESS P Q :P Q P :Q :P :Q  = G(: ERROR) P ( x == 0 ) Q ( y == 0 )

  30. Iterative Refinement: Summary • Choose an initial set of predicate, and proceed iteratively as follows: • Abstraction: Construct an abstract model M of the program using the predicate abstraction • Verification: Model check M. If model checking succeeds, exit with success. Otherwise, get counterexample CE. • Validation: Check CE for validity. If CE is valid, exit with failure. • Refinement: Otherwise, update the set of predicates and repeat from Step 1.

  31. Iterative Refinement Localization Reduction, Kurshan, Bell Labs Abstract Model Program Predicate Abstraction Model Checking Yes System OK Initial Predicates No Counterexample-guided Abstraction Refinement for Symbolic Model Checking, Clarke et al., CMU Better Predicates SAT Checker Candidate Counter-example No Predicate Refinement Counterexample Valid? Software Model Checking, SLAM Project, Microsoft, Ball & Rajamani Yes Problem Found

  32. if (x) no yes y = x y = x + 1 assert (y) Predicate Abstraction: Optimizations • Construct transitions on-the-fly • Different set of predicates at different control locations • Avoid exponential number of theorem-prover calls P ( x == 0 ) P ( x == 0 ) P ( x == 0 ) Q ( y == 0 )

  33. Research Areas • Finding “good” predicates • Technically as hard as finding “good” loop invariants • Complexity is linear in LOC but exponential in number of predicates • Combining with static analysis • Alias analysis, invariant detection, constant propagation • Inexpensive, and may make subsequent model checking more efficient • Bounded model checking

  34. Software Model Checking Tools • Iterative Refinement • SLAM, BLAST, MAGIC, Copper, SATABS, … • Bounded Model Checking • CBMC, … • Others • Engines: MOPED, BEBOP, BOPPO, … • Java: Java PathFiner, Bandera, BOGOR, … • C: CMC, CPAChecker, … Next lecture Following lecture

  35. Bibliography • Existential Abstraction: Edmund M. Clarke, OrnaGrumberg, David E. Long: Model Checking and Abstraction. ACM Trans. Program. Lang. Syst. 16(5): 1512-1542 (1994) • Predicate Abstraction: Construction of abstract state graphs with PVS, S. Graf, H. Saidi, Proceedings of Computer Aided Verification (CAV), 1997 • Abstraction Refinement for C: Automatically Validating Temporal Safety Properties of Interfaces, T. Ball, S. Rajamani, Proceedings of the SPIN Workshop, 2001 • Software Model Checking Technology Transfer: SLAM and Static Driver Verifier: Technology Transfer of Formal Methods inside Microsoft, T. Ball, B. Cook, V. Levin, S. Rajamani, Proceedings of Intergrated Formal Methods, 2004

More Related