Predicate Abstraction Daniel Kroening 1

Transcription

1 Predicate Abstraction Daniel Kroening 1

2 Motivation Software has too many state variables State Space Explosion Graf/Saïdi 97: Predicate Abstraction Idea: Only keep track of predicates on data Abstraction function: Daniel Kroening 2

3 Predicate Abstraction Concrete States: Predicates: Abstract transitions? Daniel Kroening 3

4 nder- vs. Overapproximation How to abstract the transitions? Depends on the property we want to show Typically done in a conservative manner Existential abstraction: Preserves safety properties Daniel Kroening 4

5 Predicate Abstraction Abstract Transitions: Property: Property holds. Ok Daniel Kroening 5

6 Predicate Abstraction Abstract Transitions: Property: This trace is spurious! Daniel Kroening 6

7 Predicate Abstraction Abstract Transitions: Property: New Predicates: Daniel Kroening 7

8 Predicate Abstraction for Software et s take existential abstraction seriously Basic idea: with n predicates, there are 2 n 2 n possible abstract transitions et s just check them! Daniel Kroening 8

9 Existential Abstraction Predicates Basic Block Formula i++; p 1 p 2 p ? p 1 p 2 p Query Current Abstract State Next Abstract State Daniel Kroening 9

10 Existential Abstraction Predicates Basic Block Formula i++; p 1 p 2 p Current Abstract State? p 1 p 2 p Next Abstract State Query and so on Daniel Kroening 10

11 Predicate Abstraction for Software A precise existential abstraction can be way too slow se an over-approximation instead Fast to compute But has additional transitions E.g.: SAM (FastAbs) Predicate partitioning Daniel Kroening 11

12 Example for Predicate Abstraction int main() { int i; } i=0; while(even(i)) i++; + p 1 i=0 = p 2 even(i) void main() { bool p1, p2; } p1=tre; p2=tre; while(p2) { p1= p1?fase:*; p2=!p2; } C program Predicates Boolean program [Graf, Saidi 97] [Ball, Rajamani 00] Daniel Kroening 12

13 Predicate Abstraction for Software How do we get the predicates? Automatic abstraction refinement! [Kurshan et al. 93] [Ball, Rajamani 00] [Clarke et al. 00] Daniel Kroening 13

14 Abstraction Refinement oop Actual Program Initial Abstraction Concurrent Boolean Program Verification Model Checker No error or bug found Property holds Counterexample Abstraction refinement [Kurshan et al. 93] [Ball, Rajamani 00] [Clarke et al. 00] Refinement Simulator Spurious counterexample Simulation successful Bug found Daniel Kroening 14

15 Checking the Boolean Program No more integers! But: function calls non-determinism Concurrency if original program is concurrent BDD-based model checking now scales For sequential programs Bebop (MSR) Even SMV! Daniel Kroening 15

16 SMV for the Boolean Program Program Variables VAR b0_argc_ge_1: boolean; -- argc >= 1 VAR b1_argc_le_ : boolean; -- argc <= VAR b2: boolean; -- argv[argc] == N VAR b3_nmemb_ge_r: boolean; -- nmemb >= r VAR b4: boolean; -- p1 == &array[0] VAR b5_i_ge_8: boolean; -- i >= 8 VAR b6_i_ge_s: boolean; -- i >= s VAR b7: boolean; i >= 8 VAR b8: boolean; i >= s VAR b9_s_gt_0: boolean; -- s > 0 VAR b10_s_gt_1: boolean; -- s > Daniel Kroening 17

17 SMV for the Boolean Program Control Flow -- program counter: 56 is the "terminating" PC VAR PC: 0..56; ASSIGN init(pc):=0; -- initial PC ASSIGN next(pc):=case PC=0: 1; -- other PC=1: 2; -- other... PC=19: case -- goto (with guard) guard19: 26; 1: 20; esac; Daniel Kroening 18

18 SMV for the Boolean Program Data TRANS (PC=0) -> next(b0_argc_ge_1)=b0_argc_ge_1 & next(b1_argc_le_213646)=b1_argc_le_21646 & next(b2)=b2 & (!b30 b36) & (!b17!b30 b42) & (!b30!b42 b48) & (!b17!b30!b42 b54) & (!b54 b60) TRANS (PC=1) -> next(b0_argc_ge_1)=b0_argc_ge_1 & next(b1_argc_le_214646)=b1_argc_le_ & next(b2)=b2 & next(b3_nmemb_ge_r)=b3_nmemb_ge_r & next(b4)=b4 & next(b5_i_ge_8)=b5_i_ge_8 & next(b6_i_ge_s)=b6_i_ge_s Daniel Kroening 19

19 SMV for the Boolean Program Property -- the specification -- file main.c line 20 column 12 function c::very_buggy_function SPEC AG ((PC=51) ->!b23) Daniel Kroening 20

20 SAM Microsoft blames most Windows crashes on third party device drivers The Windows device driver API is quite complicated ow level C code SAM: Tool to automatically check device drivers for certain errors To be shipped with Device Driver Development Kit Full detail (and all the slides) available at Daniel Kroening 21

21 State Machine for ocking nlocked Rel Rel Acq Error ocked Acq Too hard for programmers, and therefore: ocking Rule in SIC state { enum {ocked,nlocked} s = nlocked; } KeAcquireSpinock.entry { if (s==ocked) abort; else s = ocked; } KeReleaseSpinock.entry { if (s==nlocked) abort; else s = nlocked; } Daniel Kroening 23

22 Example do { KeAcquireSpinock(); Does this code obey the locking rule? npacketsold = npackets; if(request){ request = request->next; KeReleaseSpinock(); npackets++; } } while (npackets!= npacketsold); KeReleaseSpinock(); Daniel Kroening 24

23 Example do { KeAcquireSpinock(); Model checking boolean program (bebop) if(*){ } } while (*); KeReleaseSpinock(); E KeReleaseSpinock(); Daniel Kroening 25

24 Example do { KeAcquireSpinock(); npacketsold = npackets; Is error path feasible in C program? (newton) if(request){ request = request->next; KeReleaseSpinock(); npackets++; } } while (npackets!= npacketsold); E KeReleaseSpinock(); Daniel Kroening 26

25 Example b : (npacketsold == npackets) do { KeAcquireSpinock(); npacketsold = npackets; Add new predicate to boolean program (c2bp) b = true; if(request){ request = request->next; KeReleaseSpinock(); npackets++; b = b? false : *; } } while (npackets!= npacketsold);!b E KeReleaseSpinock(); Daniel Kroening 27

26 Example b : (npacketsold == npackets) do { KeAcquireSpinock(); b = true; Model checking refined boolean program (bebop) b b b b!b if(*){ KeReleaseSpinock(); b = b? false : *; } } while (!b ); b KeReleaseSpinock(); b E Daniel Kroening 28

27 Example b : (npacketsold == npackets) do { KeAcquireSpinock(); b = true; Model checking refined boolean program (bebop) b b b b!b if(*){ KeReleaseSpinock(); b = b? false : *; } } while (!b ); b KeReleaseSpinock(); b Daniel Kroening 29

28 Abstraction Refinement oop Actual Program Initial Abstraction Concurrent Boolean Program Verification Model Checker No error or bug found Property holds Abstraction refinement Refinement Simulator Simulation successful Bug found Spurious counterexample Daniel Kroening 30

29 Simulation Given an abstract counterexample, check if there exists corresponding concrete counterexample Transform path into SSA Add if/while guards as constraints Q: What about threads? Daniel Kroening 31

30 Example Predicate: y>x Daniel Kroening 32

31 Example: Simulation SSA SSA Spurious trace! Daniel Kroening 33

32 Abstraction Refinement oop Actual Program Initial Abstraction Concurrent Boolean Program Verification Model Checker No error or bug found Property holds Abstraction refinement Refinement Simulator Simulation successful Bug found Spurious counterexample Daniel Kroening 34

33 Manual Proof! We are using strongest post-conditions here Daniel Kroening 35

34 Tool Overview There are a number of implementations SAM (Microsoft Research) MAGIC (CM, now SEI) DiVer (NEC) Blast (group Henzinger) (and we have one, too) Daniel Kroening 40