Induction in CEGAR for Detecting Counterexamples
Chao Wang, Aarti Gupta, Franjo Ivancic
NEC Laboratories America
Background
• Detecting long counterexamples is a hard problem
  • Bounded model checking [Biere et al. 1999]
  • Counterexample guided abstraction refinement (CEGAR) [Kurshan 1994] [Clarke et al. 2000] [Ball et al. 2001]
  • Interpolation [McMillan 2003]
• Induction has been used in model checking for finding proofs
  • To prove the absence of counterexamples
  • [Sheeran et al. 2000] [Gupta et al. 2003] [de Moura et al. 2003]
  • It has never been used for finding bugs
• We use induction to prove the existence of counterexamples
  • Target counterexamples that are long and can be captured by regular patterns
• Related work
  • [Bjesse & Kukula 2004] [Nashi & Somenzi 2006]
  • [Kroening & Weissenbacher 2006] [Ball, Kupferman, Sagiv 2007]
A Motivating Example
• A simple and yet representative bug (e.g., array bound violation)
• Predicates: P: (i<n), P1: (i+1<n), P2: (i+2<n), …
A Motivating Example
• Our observations:
  • Counterexample exists regardless of the value of ‘n’
  • Counterexample has a regular pattern
Outline
• Background
• Identifying the Counterexample Pattern
• Proving the Existence of Counterexample
• Experiments
• Conclusions
Parameterized Counterexamples
[figure: a parameterized counterexample is made of a prefix, a recurring segment and a suffix; the induction parameter is the number of repetitions of the recurring segment]
Identifying Counterexample Pattern
• Idea: look at the spurious counterexamples produced by CEGAR
• Spurious counterexamples in CEGAR:
  (1)(2)(3)(4)(5) (6)(7)
  (1)(2)(3)(4)(5) (6)(7)(8) (6)(7)
  (1)(2)(3)(4)(5) (6)(7)(8) (6)(7)(8) (6)(7)
  …
• Pattern (prefix, recurring segment, suffix): (1)(2)(3)(4)(5) {(6)(7)(8)}n (6)(7)
Using Induction in the CEGAR Loop
[flowchart: Abstraction → Model Checking; if no abstract CEX is found, the property is Proved; otherwise Concretize the abstract counterexample; if a concrete CEX is found, Bug found; otherwise Induction to prove existence of CEX (Step 1: identify pattern, Step 2: induction proof); if that finds a CEX, Bug found; otherwise Refinement and back to Abstraction]
CEGAR: [Kurshan 1994] [Clarke et al. 2000] [Ball and Rajamani 2000]
Concretization Test (standard)
[figure: abstract counterexample; concrete pre-condition computation]
Concretization with Back-leaping
• At the failing index i such that
• Find two indexes k and j such that and
Identifying the Induction Parameter
• Parameterized counterexample: (1)(2)(3)(4)(5) {(6)(7)(8)}n (6)(7)
• The induction parameter is read off the head of the suffix and the tail of the recurring segment (here: (i <= n))
• This is a heuristic (to be verified by the induction proof)
Parameterized Traces
• In the prefix, find the assignment to n: n = expr ;
• Rewrite it into n = k ;
• We can set the symbolic value k = 1, 2, 3, …
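The pattern identification from the spurious counterexamples (the (1)(2)(3)(4)(5) {(6)(7)(8)}n (6)(7) slide) and the instantiation k = 1, 2, 3, … on this slide can be worked through on a small constructed program. The Python below is an added example, not code from the talk or from the authors' tool: the off-by-one loop, its location numbering and the list of spurious counterexamples are constructed to mirror the slides, and `run`, `identify_pattern`, `repeats` and `check_instances` are names chosen here. It recovers the prefix, recurring segment and suffix from successive counterexamples, then concretizes the parameterized trace for fixed values of the induction parameter; the symbolic induction proof for all k that the later slides describe is not implemented.

```python
"""Added example (not from the slides): parameterized counterexamples of a
constructed off-by-one loop, and a pattern identifier for them."""


def run(n):
    """Execute the constructed program for a concrete input n and record the
    program locations visited, numbered (1)..(8) as on the slides.
    Returns (trace, failing_index); failing_index is None if no array bound
    violation happened."""
    trace = []
    trace.append(1)
    i = 0
    trace.append(2)
    size = n
    trace.append(3)
    a = [0] * size            # valid indices are 0 .. size-1
    trace.append(4)
    total = 0
    trace.append(5)
    limit = size              # the bug: the loop below tests i <= limit
    while True:
        trace.append(6)       # (6) loop condition  i <= limit
        if not i <= limit:
            return trace, None
        trace.append(7)       # (7) total += a[i]   (bounds-checked access)
        if not 0 <= i < size:
            return trace, i   # array bound violation at a[i]
        total += a[i]
        trace.append(8)       # (8) i++
        i += 1


def repeats(trace, prefix, seg, suffix):
    """Return k if trace == prefix + seg*k + suffix, else None."""
    body = len(trace) - len(prefix) - len(suffix)
    if body < 0 or body % len(seg):
        return None
    k = body // len(seg)
    return k if trace == prefix + seg * k + suffix else None


def identify_pattern(cexs):
    """Given successive spurious counterexamples, each one recurring
    segment longer than the previous, return (prefix, segment, suffix)
    such that every counterexample is prefix + segment*k + suffix.
    Raises ValueError if no such decomposition exists."""
    if len(cexs) < 2:
        raise ValueError("need at least two counterexamples")
    t1, t2 = cexs[0], cexs[1]
    d = len(t2) - len(t1)               # length of the recurring segment
    if d <= 0:
        raise ValueError("counterexamples must grow")
    for p in range(len(t1) + 1):        # earliest point where t2 inserts a segment into t1
        seg = t2[p:p + d]
        if t2 != t1[:p] + seg + t1[p:]:
            continue
        prefix, rest = t1[:p], t1[p:]
        while rest[:d] == seg:          # peel repeats already present in t1
            rest = rest[d:]
        suffix = rest
        if all(repeats(t, prefix, seg, suffix) is not None for t in cexs):
            return prefix, seg, suffix
    raise ValueError("no regular pattern")


def check_instances(pattern, ks):
    """Concretization check for fixed values of the induction parameter
    (k = 1, 2, 3, ... on the slide): run the program with n = k and confirm
    that the concrete trace matches the parameterized counterexample and
    really ends in the bound violation."""
    prefix, seg, suffix = pattern
    results = {}
    for k in ks:
        trace, failing = run(k)
        results[k] = failing is not None and trace == prefix + seg * k + suffix
    return results


# Constructed spurious counterexamples, same shape as on the slide.
SPURIOUS_CEXS = [
    [1, 2, 3, 4, 5, 6, 7],
    [1, 2, 3, 4, 5, 6, 7, 8, 6, 7],
    [1, 2, 3, 4, 5, 6, 7, 8, 6, 7, 8, 6, 7],
]

if __name__ == "__main__":
    pattern = identify_pattern(SPURIOUS_CEXS)
    print("prefix, segment, suffix:", pattern)
    print("instances k=0..4:", check_instances(pattern, range(5)))
```

`identify_pattern` only needs two consecutive counterexamples to propose a decomposition; the remaining ones serve to confirm it, which is the heuristic role the slides give to pattern identification before the induction proof takes over.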
Outline
• Background
• Identifying the Counterexample Pattern
• Proving the Existence of Counterexample
• Experiments
• Conclusions
Using Induction in the CEGAR Loop
[flowchart as on the earlier slide: Abstraction → Model Checking → Concretize abstract counterexample → Induction to prove existence of CEX → Refinement; the new part is Step 1: identify pattern, Step 2: induction proof]
What’s easy / hard to compute?
• Easy to compute: pre-condition computation, post-condition computation
• Hard to compute: transitive pre- and post-condition
• Never directly compute F
Induction: handling the prefixes
[figure: F and F’ differ only in the valuations of Vb]
Induction: handling the suffixes
[figure: Theorem 1; F and F’ differ only in the valuations of Vb; C0, C1]
The Running Example
[figure: finite-length prefix, finite-length suffixes]
Outline
• Background
• Identifying the Counterexample Pattern
• Proving the Existence of Counterexample
• Experiments
• Conclusions
About Implementation: pre*( ) [cf. Dijkstra 1976]
About Implementation: existential quantification
• Finite domain: BDD (smooth)
• Linear integer: polyhedra (Fourier-Motzkin elimination)
• With both: combination of BDD and polyhedra [Yang et al. MEMOCODE 2006]
Experiments
[plot: the GNU bc example with standard CEGAR; x-axis values up to 256]
• Induction finds this counterexample in 10 seconds
Experiments
• bc: GNU bc example
• Aeon: Aeon-0.02a, Linux mail transfer agent
• ftpd: wu-ftpd-2.6.2, the ftp daemon
[plots: run time of standard CEGAR; x-axis: values of the induction parameters]
Conclusions
• Induction in CEGAR for detecting long counterexamples
  • Concretization algorithm to identify the counterexample pattern
  • Induction to prove the existence of counterexamples
• Complementary to standard CEGAR (which itself is good for finding proofs)
• Well-suited for finding deep bugs
  • Better than searching for a state-by-state match of the concrete counterexamples
  • e.g., BMC, predicate abstraction, interpolation
• Future work
  • Static analysis to improve the counterexample pattern identification