930 likes | 1.06k Views
SMT and Its Application in Software Verification (Part II). Yu-Fang Chen IIS, Academia Sinica Based on the slides of Barrett, Sanjit , Kroening , Rummer , Sinha , Jhala , and Majumdar , McMillan. L=0. [L!=0]. do{ lock(); old = new; if(*){ unlock(); new++; }
E N D
SMT and Its Application in Software Verification (Part II) Yu-Fang Chen IIS, Academia Sinica Based on the slides of Barrett, Sanjit, Kroening , Rummer, Sinha, Jhala, and Majumdar, McMillan
L=0 [L!=0] do{ lock(); old = new; if(*){ unlock(); new++; } } while (new != old); L=1; old=new L=0; new++ [new!=old] program fragment [new==old] control-flow graph Lazy abstraction -- an example
T 0 Unwinding the CFG L=0 [L!=0] L=1; old=new L=0; new++ [new!=old] [new==old] control-flow graph
T 0 L=0 T 1 Unwinding the CFG L=0 [L!=0] L=1; old=new Replace all free occurrences of L in the formula with L’ L=0; new++ [new!=old] [new==old] Compute Post (T, L=0)= T[L/L’] ÆL=0[L/L’] = (L=0) Make Abstraction (L=0) T Pass control-flow graph
T 0 L=0 T [L!=0] 2 1 Unwinding the CFG L=0 [L!=0] L=1; old=new Compute Post (T, [L!=0])= TÆ(L!=0) = (L!=0) ERROR state reached! L=0; new++ [new!=old] [new==old] control-flow graph
T 0 L=0 T [L!=0] 2 1 Unwinding the CFG T T L=0 L!=0 L=0 [L!=0] L=0 [L!=0] L=1; old=new Compute Post (T, [L!=0])= TÆ(L!=0) = (L!=0) ERROR state reached! L=0; new++ [new!=old] [new==old] control-flow graph
T 0 L=0 T [L!=0] 2 1 Unwinding the CFG T T L=0 L!=0 L=0 [L!=0] L=0 [L!=0] L=1; old=new Compute Post (T, [L!=0])= TÆ(L!=0) = (L!=0) ERROR state reached! L=0; new++ L!=0 [new!=old] [new==old] control-flow graph WPre(L!=0, [L!=0]) = (L!=0)
T 0 L=0 T [L!=0] 2 1 Unwinding the CFG L=0 T L=0 L!=0 L=0 [L!=0] L=0 [L!=0] L=1; old=new Compute Post (T, [L!=0])= TÆ(L!=0) = (L!=0) ERROR state reached! L=0; new++ L!=0 [new!=old] [new==old] control-flow graph Compute Craig Interpolant: (L=0) 1. (L=0) (L=0) 2. (L=0) Æ (L=0) is UNSAT 3. Use only share var. of (L=0) and (L!=0) WPre(L!=0, [L!=0]) = (L!=0)
T 0 L=0 L=0 [L!=0] 2 1 Unwinding the CFG L=0 T L=0 L!=0 L=0 [L!=0] L=0 [L!=0] F L=1; old=new Compute Post (T, [L!=0])= TÆ(L!=0) = (L!=0) ERROR state reached! L=0; new++ L!=0 [new!=old] [new==old] control-flow graph Compute Craig Interpolant: (L=0) 1. (L=0) (L=0) 2. (L=0) Æ (L=0) is UNSAT 3. Use only share var. of (L=0) and (L!=0) WPre(L!=0, [L!=0]) = (L!=0)
L=1; old=new L!=0 3 Unwinding the CFG T 0 L=0 L=0 [L!=0] F [L!=0] L=0 2 1 L=1; old=new L=0; new++ [new!=old] Compute Post (L=0, L=1) = (L=0)[L/L’] ÆL=1[L/L’] = (L’=0 ÆL=1) Compute Post (L’=0 ÆL=1, old=new) = (L’=0 ÆL=1)[old/old’] Æ old=new[old/old’] = L’=0 ÆL=1Æold=new Make Abstraction (L’=0 ÆL=1Æold=new) (L!=0) Pass (L’=0 ÆL=1Æold=new) (L=0) Not Passed [new==old] control-flow graph
L=1; old=new L!=0 3 L=0; new++ L=0 4 Unwinding the CFG T 0 L=0 L=0 [L!=0] F [L!=0] L=0 2 1 L=1; old=new L=0; new++ [new!=old] [new==old] Compute Post (L!=0, L=0) = (L!=0)[L/L’] ÆL=0[L/L’] = (L’!=0 ÆL=0) Compute Post (L’!=0 Æ(L=0), new=new+1) = (L’!=0 ÆL=0)[new/new’] Æ new=(new+1)[new/new’] = (L’!=0 ÆL=0 Æ new=new’+1) Make Abstraction (L’!=0 ÆL=0 Æ new=new’+1) (L!=0) Not Passed (L’!=0 ÆL=0 Æ new=new’+1) (L=0) Pass control-flow graph
L=1; old=new L!=0 3 L=0; new++ L=0 4 [new!=old] L=0 5 Unwinding the CFG T 0 L=0 L=0 [L!=0] F [L!=0] L=0 2 1 L=1; old=new L=0; new++ [new!=old] [new==old] Compute Post (L=0, [new!=old]) = (L=0 Æ new!=old) Make Abstraction (L=0 Æ new!=old) (L!=0) Not Passed (L=0 Æ new!=old) (L=0) Pass control-flow graph
L=1; old=new L!=0 3 L=0; new++ L=0 4 [new!=old] L=0 5 Unwinding the CFG T 0 L=0 L=0 [L!=0] F [L!=0] L=0 2 1 L=1; old=new L=0; new++ [new!=old] [new==old] control-flow graph Covering: state 5 is subsumed by state 1. L=1 L=1 Pass
[new==old] L=0 7 Unwinding the CFG T 0 L=0 L=0 [L!=0] F [L!=0] L=0 2 1 L=1; old=new L=1; old=new L!=0 3 L=0; new++ L=0; new++ [new!=old] L=0 4 [new!=old] [new==old] L=0 5 Compute Post (L=0, [new==old]) = (L=0 Æ new==old) Make Abstraction (L=0 Æ new!=old) (L!=0) Not Passed (L=0 Æ new!=old) (L=0) Pass control-flow graph
L!=0 8 [new==old] L=0 7 Unwinding the CFG T 0 L=0 L=0 [L!=0] F [L!=0] L=0 2 1 L=1; old=new L=1; old=new L!=0 3 L=0; new++ L=0; new++ [new!=old] L=0 4 [new!=old] [new==old] L=0 5 No Actions control-flow graph
L!=0 8 [new==old] L=0 7 9 L!=0 Unwinding the CFG T 0 L=0 L=0 [L!=0] F [L!=0] L=0 2 1 L=1; old=new L=1; old=new L!=0 3 L=0; new++ L=0; new++ [new!=old] L=0 4 [new!=old] [new==old] [new==old] L=0 5 control-flow graph Compute Post (L!=0, [new==old]) = (L!=0 Æ new==old) Make Abstraction (L!=0 Æ new==old) (L!=0) Pass (L!=0 Æ new==old) (L=0) Not Passed
L!=0 8 [new==old] [new!=old] L=0 10 7 9 L!=0 L!=0 Unwinding the CFG T 0 L=0 L=0 [L!=0] F [L!=0] L=0 2 1 L=1; old=new L=1; old=new L!=0 3 L=0; new++ L=0; new++ [new!=old] L=0 4 [new!=old] [new==old] [new==old] L=0 5 control-flow graph Compute Post (L!=0, [new!=old]) = (L!=0 Æ new!=old) Make Abstraction (L!=0 Æ new!=old) (L!=0) Pass (L!=0 Æ new!=old) (L=0) Not Passed
L!=0 8 [new==old] [new!=old] [L!=0] L=0 10 7 11 9 L!=0 L!=0 Unwinding the CFG T 0 L=0 L=0 [L!=0] F [L!=0] L=0 2 1 L=1; old=new L=1; old=new L!=0 3 L=0; new++ L=0; new++ [new!=old] L=0 4 [new!=old] [new==old] [new==old] L=0 5 control-flow graph Compute Post (L!=0, [L!=0]) = (L!=0 Æ L!0) ERROR state reached!
L!=0 8 [new==old] [new!=old] [L!=0] L=0 10 7 11 9 L!=0 L!=0 Unwinding the CFG T 0 L=0 L=0 [L!=0] F [L!=0] L=0 2 1 L=1; old=new L=1; old=new L!=0 3 L=0; new++ L=0; new++ [new!=old] L=0 4 [new!=old] [new==old] [new==old] L=0 5 control-flow graph L!=0 L!=0 L!=0 L=0 L=1 old=new [L!=0] [new!=old] T L=0 L’=0 Æ L=1Æ old=new L!=0 L!=0 L=0 L!=0 Æ old!=new
L!=0 8 [new==old] [new!=old] [L!=0] L=0 10 7 11 9 L!=0 L!=0 Unwinding the CFG T 0 L=0 L=0 [L!=0] F [L!=0] L=0 2 1 L=1; old=new L=1; old=new L!=0 3 L=0; new++ L=0; new++ [new!=old] L=0 4 [new!=old] [new==old] [new==old] L=0 5 control-flow graph L!=0 L!=0 L!=0 L=0 L=1 old=new [L!=0] [new!=old] T L=0 L’=0 Æ L=1Æ old=new L!=0 L!=0 L=0 L!=0 Æ old!=new L!=0 L!=0 Æ old!=new
L!=0 8 [new==old] [new!=old] [L!=0] L=0 10 7 11 9 L!=0 L!=0 Unwinding the CFG T 0 L=0 L=0 [L!=0] F [L!=0] L=0 2 1 L=1; old=new L=1; old=new L!=0 3 L=0; new++ L=0; new++ [new!=old] L=0 4 [new!=old] [new==old] [new==old] L=0 5 control-flow graph L!=0 L!=0 L!=0 L=0 L=1 old=new [L!=0] [new!=old] T L=0 L’=0 Æ L=1Æ old=new L!=0 L!=0 L=0 L!=0 Æ old!=new L!=0 L!=0 Æ old!=new L!=0 Æ old!=new L!=0 Æ old!=new
L!=0 8 [new==old] [new!=old] [L!=0] L=0 10 7 11 9 L!=0 L!=0 Unwinding the CFG T 0 L=0 L=0 [L!=0] F [L!=0] L=0 2 1 L=1; old=new L=1; old=new L!=0 3 L=0; new++ L=0; new++ [new!=old] L=0 4 [new!=old] [new==old] [new==old] L=0 5 control-flow graph L!=0 L!=0 L!=0 L=0 L=1 old=new [L!=0] [new!=old] T L=0 L’=0 Æ L=1Æ old=new L!=0 L!=0 L=0 L!=0 Æ old!=new L!=0 L!=0 Æ old!=new L!=0 Æ old!=new L!=0 Æ old!=new
L!=0 8 [new==old] [new!=old] [L!=0] L=0 10 7 11 9 L!=0 L!=0 Unwinding the CFG T 0 L=0 L=0 [L!=0] F [L!=0] L=0 2 1 L=1; old=new L=1; old=new L!=0 Æ old =new 3 L=0; new++ L=0; new++ [new!=old] L=0 4 [new!=old] [new==old] [new==old] L=0 5 control-flow graph L!=0 L!=0 L=0 L!=0 Æ old=new L=1 old=new [L!=0] [new!=old] T L=0 L’=0 Æ L=1Æ old=new L!=0 L!=0 L=0 L!=0 Æ old!=new L!=0 L!=0 Æ old!=new L!=0 Æ old!=new L!=0 Æ old!=new
L!=0 8 [new==old] [new!=old] [L!=0] L=0 10 7 11 9 L!=0 L!=0 Unwinding the CFG T 0 L=0 L=0 [L!=0] F [L!=0] L=0 2 1 Remove all of its children L=1; old=new L=1; old=new L!=0 Æ old =new 3 L=0; new++ L=0; new++ [new!=old] L=0 4 [new!=old] [new==old] [new==old] L=0 5 control-flow graph L!=0 L!=0 L=0 L!=0 Æ old=new L=1 old=new [L!=0] [new!=old] T L=0 L’=0 Æ L=1Æ old=new L!=0 L!=0 L=0 L!=0 Æ old!=new L!=0 L!=0 Æ old!=new L!=0 Æ old!=new L!=0 Æ old!=new
L=1; old=new L!=0 Æ old =new 3 Unwinding the CFG T 0 L=0 L=0 [L!=0] F [L!=0] L=0 2 1 L=1; old=new L=0; new++ [new!=old] [new==old] control-flow graph
L=1; old=new L!=0 Æ old =new 3 L=0; new++ L=0 Æ old !=new 4 Unwinding the CFG T 0 L=0 L=0 [L!=0] F [L!=0] L=0 2 1 L=1; old=new L=0; new++ [new!=old] [new==old] Compute Post (L!=0 Æ old =new, L=0) = (L!=0 Æ old=new)[L/L’] ÆL=0[L/L’] = (L’!=0 Æ old=new ÆL=0) Compute Post (L’!=0Æ old=new Æ(L=0), new=new+1) = (L’!=0 Æ old=new ÆL=0)[new/new’] Æ new=(new+1)[new/new’] = (L’!=0 Æ old=new’ ÆL=0 Æ new=new’+1) Make Abstraction (L’!=0 Æ old=new’ ÆL=0 Æ new=new’+1) (L!=0) Not Passed (L’!=0 Æ old=new’ ÆL=0 Æ new=new’+1) (L=0) Pass (L’!=0 Æ old=new’ ÆL=0 Æ new=new’+1) (old=new) Not Passed (L’!=0 Æ old=new’ ÆL=0 Æ new=new’+1) (old!=new) Pass control-flow graph
L=1; old=new L!=0 Æ old=new 3 L=0; new++ L=0 Æ old =new 4 [new!=old] L=0 Æ old!=new 5 Unwinding the CFG T 0 L=0 L=0 [L!=0] F [L!=0] L=0 2 1 L=1; old=new L=0; new++ [new!=old] [new==old] Compute Post (L=0 Æ old!=new, [new!=old]) = (L=0 Æ new!=old) Make Abstraction (L=0 Æ new!=old) (L!=0) Not Passed (L=0 Æ new!=old) (L=0) Pass (L=0 Æ new!=old) (old=new) Not Passed (L=0 Æ new!=old) (old!=new) Pass control-flow graph
L=1; old=new L!=0 Æ old=new 3 L=0; new++ L=0 Æ old =new 4 [new!=old] L=0 Æ old!=new 5 Unwinding the CFG T 0 L=0 L=0 [L!=0] F [L!=0] L=0 2 1 L=1; old=new L=0; new++ [new!=old] [new==old] control-flow graph Covering: state 5 is subsumed by state 1. L=1 Æ old!=new L=1 Pass
[new==old] L=0Æold=new 7 Unwinding the CFG T 0 L=0 L=0 [L!=0] F [L!=0] L=0 2 1 L=1; old=new L=1; old=new L!=0 Æ old=new 3 L=0; new++ L=0; new++ [new!=old] L=0 Æ old =new 4 [new!=old] [new==old] 5 L=0 Æ old!=new Compute Post (L=0, [new==old]) = (L=0 Æ new=old) Make Abstraction (L=0 Æ new=old) (L!=0) Not Passed (L=0 Æ new=old) (L=0) Pass (L=0 Æ new=old) (new!=old) Not Passed (L=0 Æ new=old) (new=old) Pass control-flow graph
L!=0 Æ old=new 8 [new==old] 7 L=0 Æ old=new Unwinding the CFG T 0 L=0 L=0 [L!=0] F [L!=0] L=0 2 1 L=1; old=new L=1; old=new L!=0 Æ old=new 3 L=0; new++ L=0; new++ [new!=old] L=0 Æ old =new 4 [new!=old] [new==old] 5 L=0 Æ old!=new No Actions control-flow graph
L!=0 Æ old=new 8 [new==old] L!=0 Æ old=new 7 9 L=0 Æ old=new Unwinding the CFG T 0 L=0 L=0 [L!=0] F [L!=0] L=0 2 1 L=1; old=new L=1; old=new L!=0 Æ old=new 3 L=0; new++ L=0; new++ [new!=old] L=0 Æ old =new 4 [new!=old] [new==old] [new==old] 5 L=0 Æ old!=new control-flow graph Compute Post (L!=0Ænew=old, [new==old]) = (L!=0 Æ new=old) Make Abstraction (L!=0 Æ new=old) (L!=0) Pass (L!=0 Æ new=old) (L=0) Not Passed (L!=0 Æ new=old) (old=new) Pass (L!=0 Æ new=old) (old!=new) Not Passed
L!=0 Æ old=new 8 [new==old] [new!=old] L!=0 Æ old=new 10 7 9 F L=0 Æ old=new Unwinding the CFG T 0 L=0 L=0 [L!=0] F [L!=0] L=0 2 1 L=1; old=new L=1; old=new L!=0 Æ old=new 3 L=0; new++ L=0; new++ [new!=old] L=0 Æ old =new 4 [new!=old] [new==old] [new==old] 5 L=0 Æ old!=new control-flow graph Compute Post (L!=0Ænew=old, [new!=old]) = (L!=0 Æ new=old Æ new!=old ) = false
Another Approach: The IMPACT method Kenneth L. McMillan: Lazy Abstraction with Interpolants. CAV 2006: 123-136
Interpolation Lemma (Craig,57)
Interpolation Lemma (Craig,57) • Notation: L() is the set of FO formulas over the symbols of
Interpolation Lemma (Craig,57) • Notation: L() is the set of FO formulas over the symbols of • If A Ù B = false, there exists an interpolant A' for (A,B) such that: A Þ A' A' Ù B = false A' 2L(A) ÅL(B)
Interpolation Lemma (Craig,57) • Notation: L() is the set of FO formulas over the symbols of • If A Ù B = false, there exists an interpolant A' for (A,B) such that: A Þ A' A' Ù B = false A' 2L(A) ÅL(B) • Example: • A = p Ù q, B = Øq Ù r, A' = q
Interpolation Lemma (Craig,57) • Notation: L() is the set of FO formulas over the symbols of • If A Ù B = false, there exists an interpolant A' for (A,B) such that: A Þ A' A' Ù B = false A' 2L(A) ÅL(B) • Example: • A = p Ù q, B = Øq Ù r, A' = q • Interpolants from proofs • in certain quantifier-free theories, we can obtain an interpolant for a pair A,B from a refutation in linear time. [McMillan 05] • in particular, we can have linear arithmetic,uninterpreted functions, and restricted use of arrays
Interpolants for sequences • Let A1...An be a sequence of formulas
Interpolants for sequences • Let A1...An be a sequence of formulas • A sequence A’0...A’n is an interpolant for A1...An when
Interpolants for sequences • Let A1...An be a sequence of formulas • A sequence A’0...A’n is an interpolant for A1...An when • A’0 = True
Interpolants for sequences • Let A1...An be a sequence of formulas • A sequence A’0...A’n is an interpolant for A1...An when • A’0 = True • A’i-1Æ Ai) A’i, for i = 1..n
Interpolants for sequences • Let A1...An be a sequence of formulas • A sequence A’0...A’n is an interpolant for A1...An when • A’0 = True • A’i-1Æ Ai) A’i, for i = 1..n • An = False
Interpolants for sequences • Let A1...An be a sequence of formulas • A sequence A’0...A’n is an interpolant for A1...An when • A’0 = True • A’i-1Æ Ai) A’i, for i = 1..n • An = False • and finally, A’i2L (A1...Ai) ÅL(Ai+1...An)
... A1 A2 A3 Ak Interpolants for sequences • Let A1...An be a sequence of formulas • A sequence A’0...A’n is an interpolant for A1...An when • A’0 = True • A’i-1Æ Ai) A’i, for i = 1..n • An = False • and finally, A’i2L (A1...Ai) ÅL(Ai+1...An)
... A1 A2 A3 Ak True False ... ) ) ) ) A'1 A'2 A'3 A'k-1 Interpolants for sequences • Let A1...An be a sequence of formulas • A sequence A’0...A’n is an interpolant for A1...An when • A’0 = True • A’i-1Æ Ai) A’i, for i = 1..n • An = False • and finally, A’i2L (A1...Ai) ÅL(Ai+1...An)
... A1 A2 A3 Ak True False ... ) ) ) ) A'1 A'2 A'3 A'k-1 Interpolants for sequences • Let A1...An be a sequence of formulas • A sequence A’0...A’n is an interpolant for A1...An when • A’0 = True • A’i-1Æ Ai) A’i, for i = 1..n • An = False • and finally, A’i2L (A1...Ai) ÅL(Ai+1...An) In other words, the interpolant is a structured refutation of A1...An
x=y; y++; [x=y] Interpolants as Floyd-Hoare proofs