Sliced Path Prefixes: An Effective Method to Enable Refinement Selection

Size: px

Start display at page:

Download "Sliced Path Prefixes: An Effective Method to Enable Refinement Selection"

Bathsheba Hopkins
5 years ago
Views:

1 FORTE '15 Sliced Path Prefixes: An Effective Method to Enable Refinement Selection Dirk Beyer, Stefan Löwe, Philipp Wendler SoSy-Lab Software Systems

2 We want Refinement Selection!!! Because straight-forward interpolation completely and utterly sucks!!!11! Dirk Beyer, Stefan Löwe Philipp Wendler SoSy-Lab Software Systems

3 Software Verification Goal: Build an automatic software verifier C program int main() { int x = 10; int y = 3; int z = x+y; assert(z > 0); } specification software verifier SAFE i.e., assertions cannot be violated UNSAFE i.e., there is a bug in the program 3

4 Software Verification Goal: Build an automatic software verifier C program Linux Device Driver int ldv_mutex_is_locked_usb_bus_list_lock(struct mutex *lock ) { int ldv_mutex_is_locked_usb_bus_list_lock(struct mutex *lock ) { int nondetermined ; int nondetermined ; { #line { 1495 #line if (ldv_mutex_usb_bus_list_lock 1495 == 1) { #line if 1498 (ldv_mutex_usb_bus_list_lock == 1) { #line nondetermined 1498 = VERIFIER_nondet_int(); #line nondetermined 1501 = VERIFIER_nondet_int(); #line if (nondetermined) 1501 { #line if 1504 (nondetermined) { #line return 1504 (0); } else return { (0); #line } 1509 else { #line return 1509 (1); } return (1); } else } { #line } else 1515 { #line return 1515(1); } return (1); } } } } #line } 1520 "/work/vladimir/ufo/work/test/work/current--x--drivers/usb/core/usbcore.ko--x--defaultlinux x--32_7a--x--ufo/linux /csd_deg_dscv/29/dscv_tempdir/rule-instrumentor/32_7a/common-model/ldv_common_model.c" #line 1520 "/work/vladimir/ufo/work/test/work/current--x--drivers/usb/core/usbcore.ko--x--defaultlinux x--32_7a--x--ufo/linuxvoid 3.7.3/csd_deg_dscv/29/dscv_tempdir/rule-instrumentor/32_7a/common-model/ldv_common_model.c" ldv_mutex_unlock_usb_bus_list_lock(struct mutex *lock ) { void ldv_mutex_unlock_usb_bus_list_lock(struct mutex *lock ) { SAFE i.e., assertions cannot be violated { #line { 1523 #line if (ldv_mutex_usb_bus_list_lock 1523 == 2) { if (ldv_mutex_usb_bus_list_lock == 2) { } else { #line } else 1523 { #line ldv_error(); 1523 } ldv_error(); #line } 1525 #line ldv_mutex_usb_bus_list_lock 1525 = 1; #line ldv_mutex_usb_bus_list_lock 1526 = 1; #line return; 1526 } return; } } #line } 1528 "/work/vladimir/ufo/work/test/work/current--x--drivers/usb/core/usbcore.ko--x--defaultlinux x--32_7a--x--ufo/linux /csd_deg_dscv/29/dscv_tempdir/rule-instrumentor/32_7a/common-model/ldv_common_model.c" #line 1528 "/work/vladimir/ufo/work/test/work/current--x--drivers/usb/core/usbcore.ko--x--defaultlinux x--32_7a--x--ufo/linuxstatic 3.7.3/csd_deg_dscv/29/dscv_tempdir/rule-instrumentor/32_7a/common-model/ldv_common_model.c" int ldv_mutex_usbfs_mutex ; #line static 1531 int "/work/vladimir/ufo/work/test/work/current--x--drivers/usb/core/usbcore.ko--x--defaultlinux x--32_7a--x--ufo/linux- ldv_mutex_usbfs_mutex ; 3.7.3/csd_deg_dscv/29/dscv_tempdir/rule-instrumentor/32_7a/common-model/ldv_common_model.c" #line 1531 "/work/vladimir/ufo/work/test/work/current--x--drivers/usb/core/usbcore.ko--x--defaultlinux x--32_7a--x--ufo/linuxint 3.7.3/csd_deg_dscv/29/dscv_tempdir/rule-instrumentor/32_7a/common-model/ldv_common_model.c" ldv_mutex_lock_interruptible_usbfs_mutex(struct mutex *lock ) { int ldv_mutex_lock_interruptible_usbfs_mutex(struct mutex *lock ) { int nondetermined ; int nondetermined ; { #line { 1536 #line if (ldv_mutex_usbfs_mutex 1536 == 1) { if (ldv_mutex_usbfs_mutex == 1) { } else { #line } else 1536 { #line ldv_error(); 1536 } ldv_error(); #line } 1539 #line nondetermined 1539 = VERIFIER_nondet_int(); #line nondetermined 1542 = VERIFIER_nondet_int(); #line if (nondetermined) 1542 { #line if 1545 (nondetermined) { #line ldv_mutex_usbfs_mutex 1545 = 2; #line ldv_mutex_usbfs_mutex 1547 = 2; #line return 1547(0); } else return { (0); #line } else 1552 { #line return 1552(-4); } return (-4); } } } } #line } 1557 "/work/vladimir/ufo/work/test/work/current--x--drivers/usb/core/usbcore.ko--x--defaultlinux x--32_7a--x--ufo/linux /csd_deg_dscv/29/dscv_tempdir/rule-instrumentor/32_7a/common-model/ldv_common_model.c" #line 1557 "/work/vladimir/ufo/work/test/work/current--x--drivers/usb/core/usbcore.ko--x--defaultlinux x--32_7a--x--ufo/linuxint 3.7.3/csd_deg_dscv/29/dscv_tempdir/rule-instrumentor/32_7a/common-model/ldv_common_model.c" ldv_mutex_lock_killable_usbfs_mutex(struct mutex *lock ) { int ldv_mutex_lock_killable_usbfs_mutex(struct mutex *lock ) { int nondetermined ; int nondetermined ; { #line { 1562 #line if (ldv_mutex_usbfs_mutex 1562 == 1) { if (ldv_mutex_usbfs_mutex == 1) { } else { #line } else 1562 { #line ldv_error(); 1562 } ldv_error(); #line } 1565 #line nondetermined 1565 = VERIFIER_nondet_int(); #line nondetermined 1568 = VERIFIER_nondet_int(); #line if (nondetermined) 1568 { #line if 1571 (nondetermined) { #line ldv_mutex_usbfs_mutex 1571 = 2; #line ldv_mutex_usbfs_mutex 1573 = 2; #line return 1573(0); } else return { (0); #line } else 1578 { #line return 1578(-4); } return (-4); } } } } #line } 1583 "/work/vladimir/ufo/work/test/work/current--x--drivers/usb/core/usbcore.ko--x--defaultlinux x--32_7a--x--ufo/linux /csd_deg_dscv/29/dscv_tempdir/rule-instrumentor/32_7a/common-model/ldv_common_model.c" #line 1583 "/work/vladimir/ufo/work/test/work/current--x--drivers/usb/core/usbcore.ko--x--defaultlinux x--32_7a--x--ufo/linuxvoid 3.7.3/csd_deg_dscv/29/dscv_tempdir/rule-instrumentor/32_7a/common-model/ldv_common_model.c" ldv_mutex_lock_usbfs_mutex(struct mutex *lock ) { void ldv_mutex_lock_usbfs_mutex(struct mutex *lock ) { { #line { 1586 #line if (ldv_mutex_usbfs_mutex 1586 == 1) { if (ldv_mutex_usbfs_mutex == 1) { } else { #line } else 1586 { #line ldv_error(); 1586 } ldv_error(); #line } 1588 #line 1588 specification software verifier UNKNOWN timeout, memory out... UNSAFE i.e., there is a bug in the program 4

5 Abstraction Disregard irrelevant information Avoids state-space explosion Allows verification of real-world software to scale Success story of SLAM project at Microsoft But how does a good abstraction look like? Too coarse False alarms Too precise More timeouts Impossible to do manually Automation needed 5

6 program source code Counterexample-Guided Abstraction Refinement build & check abstract model no error path error pathfound SAFE UNSAFE refine precision is feasible? error path is infeasible 6

7 program source code Counterexample-Guided Abstraction Refinement build & check abstract model no error path error pathfound SAFE UNSAFE refine precision precision is analysis dependent: e.g., set of predicates for predicate analysis e.g., set of variable identifiers for value analysis is feasible? error path is infeasible 7

8 program source code Counterexample-Guided Abstraction Refinement build & check abstract model no error path error pathfound SAFE UNSAFE refinement procedure: black magic in a mystery box is feasible? error path is infeasible 8

9 program source code Counterexample-Guided Abstraction Refinement build & check abstract model no error path error pathfound SAFE UNSAFE refinement procedure: interpolation over infeasible error path is feasible? error path is infeasible 9

10 L3 L4 L6 L9 L10 L11 error b := 0; i := 0; [i > 9] [b!= 0] [i!= 10] assert(0); Craig Interpolation φ φ + At L6 the interpolant ψ for φ and φ + could be: [b = 0], or [i = 0], or [b = 0 i = 0], or... itp ψ the interpolant [Abstractions from Proofs, 2004, Henzinger, Jhala, Majumdar, McMillan] 10

11 Explicit-Value Interpolation For a pair of constraint sequences γ and γ +, such that γ γ + is contradicting, interpolant ψ is a constraint sequence γ that fulfills the following requirements: 1) γ implies ψ 2) ψ γ + is unsatisfiable 3) ψ only contains symbols that are common to both γ and γ + At L6 the interpolant ψ for γ and γ + could be: [b = 0], or [i = 0], or [b = 0 i = 0], or... γ + L3 L4 L3 L6 L9 L10 L11 error b := 0; i := 0; [i > 9] [b!= 0] [i!= 10] assert(0); [Explicit-State Software Model Checking Based on CEGAR and Interpolation, , D. Beyer, S. Löwe]

12 Interpolants Represent concise explanations for infeasibility of error Therefore, ideally suited for refinement of precision 12

13 Interpolation Represent concise explanations for infeasibility of error Therefore, ideally suited for refinement of precision Theoretically, well suited for refinement of precision 13

14 Example Good vs. Bad Interpolants Input Program 14

15 Example Good vs. Bad Interpolants Input Program Abstract Error Path 15

16 Example Good vs. Bad Interpolants Input Program Abstract Error Path 16

17 Example Good vs. Bad Interpolants Input Program Abstract Error Path Good Interpolants Bad Interpolants 17

18 Example Good vs. Bad Interpolants Input Program Abstract Error Path Good Interpolants Bad Interpolants 18

19 Interpolation Recap Represent concise explanations for infeasibility of error Therefore, ideally suited for refinement of precision Theoretically, well suited for refinement of precision Single interpolation problem typically has several solutions Which interpolant do we get? Some are good, others might lead to divergence Selection controlled by internals of interpolation engine 19

20 Interpolation Guided Represent concise explanations for infeasibility of error Therefore, ideally suited for refinement of precision Theoretically, well suited for refinement of precision Single interpolation problem typically has several solutions Which interpolant do we get? Some are good, others might lead to divergence Selection controlled by internals of interpolation engine Guide interpolation, ideally towards good interpolants 20

21 Extraction of Infeasible Sliced Prefixes Abstract Error Path

22 Extraction of Infeasible Sliced Prefixes Abstract Error Path

23 Extraction of Infeasible Sliced Prefixes Abstract Error Path 1 st Prefix

24 Extraction of Infeasible Sliced Prefixes Abstract Error Path 1 st Prefix Sliced Error Path

25 Extraction of Infeasible Sliced Prefixes Abstract Error Path 1 st Prefix Sliced Error Path

26 Extraction of Infeasible Sliced Prefixes Abstract Error Path 1 st Prefix Sliced Error Path 2 nd Prefix

27 Extraction of Infeasible Sliced Prefixes Single Abstract Error Path 1 st Prefix 2 nd Prefix

28 Extraction of Infeasible Sliced Prefixes Single Abstract Error Path 1 st Prefix 2 nd Prefix itp itp Interpolant sequence over loop-counter variable Interpolant sequence over boolean variable

29 Proposition: Interpolants of Prefixes Any infeasible sliced prefix φ that is extracted from an infeasible error path σ can be used for interpolation to exclude the original error path σ from subsequent iterations of CEGAR loop

Proposition: Interpolants of Prefixes Any infeasible sliced prefix φ that is extracted from an infeasible error path σ can be used for interpolation to exclude the

30 Proposition: Interpolants of Prefixes Any infeasible sliced prefix φ that is extracted from an infeasible error path σ can be used for interpolation to exclude the original error path σ from subsequent iterations of CEGAR loop We can use any prefix we want for interpolation! refinement selection is now possible Proof is in the Paper

31 program source code Couterexample-Guided Abstraction Refinement build & check abstract model no error path error pathfound SAFE UNSAFE refine precision using refinement selection is feasible? error path is infeasible 32

32 Refinement Selection Refinement is now an optimization problem Select any refinement from a set of refinements Different heuristics for selecting an refinement Shortest or longest prefix Best or worst score based on Domain-Types Width of precision Depth of refinement root

33 Implementation & Experiments Evaluated on over 2500 benchmarks from SV-COMP'15 Evaluated under rules of SV-COMP'15 15 minutes CPU Time 15 GB RAM All ideas and concepts described are implemented Integrated into CPAchecker Extended Value Analysis

34 Results Powered by BenchExec -

35 Results Powered by BenchExec -

36 Results Sliced-Prefix Length Powered by BenchExec -

37 Results Domain-Type Score Powered by BenchExec -

38 We want Refinement Selection!!! Because straight-forward interpolation completely and utterly sucks!!!11! Stefan Löwe

39 Now also for Predicate Abstraction!

40 Conclusion Defined and implemented for two domains infeasible sliced prefixes precision selection heuristics Enables refinement selection Nice Results Refinement selection matters! More research needed on how to select refinements 41

Static Program Analysis

Static Program Analysis Thomas Noll Software Modeling and Verification Group RWTH Aachen University https://moves.rwth-aachen.de/teaching/ws-1617/spa/ Schedule of Lectures Jan 17/19: Interprocedural DFA