CS 510/13. Predicate Abstraction

Size: px

Start display at page:

Download "CS 510/13. Predicate Abstraction"

Eugene Norton
6 years ago
Views:

1 CS 50/3 Predicate Abstraction

2 Predicate Abstraction Extract a finite state model from an infinite state system Used to prove assertions or safety properties Successfully applied for verification of C programs SLAM (used in windows device driver verification) MAGIC, BLAST, F-Soft

3 Example for Predicate Abstraction int main() { int i; i=0; while(even(i)) i++; + p i=0 = p 2 even(i) void main() { bool p, p2; p=true; p2=true; while(p2) { p=p?false:nondet(); p2=!p2; C program Predicates Boolean program [Graf, Saidi 97] [Ball, Rajamani 0]

4 Computing Predicate Abstraction How to get predicates for checking a given property? How do we compute the abstraction? Predicate Abstraction is an overapproximation How to refine coarse abstractions

5 Counterexample Guided Abstraction Refinement loop C Program Initial Abstraction Abstraction refinement Abstract model Refinement Verification Model Checker Simulator No error or bug found Property holds Simulation sucessful Bug found Spurious counterexample

6 Example Example ( ) { : do{ lock(); old = new; q = q->next; 2: if (q!= NULL){ 3: q->data = new; unlock(); new ++; 4: while(new!= old); 5: unlock (); return; unlock lock unlock lock

7 What a program really is pc lock old new q State a 3 a a 5 a 5 a 0x33a Transition 3: 3: unlock(); new++; 4: Example Example ( ) { : : do{ do{ lock(); lock(); old old = new; new; q = q->next; 2: 2: if if (q (q!=!= NULL){ NULL){ 3: 3: q->data q->data = new; new; unlock(); new new ++; ++; 4: 4: while(new!=!= old); old); 5: 5: unlock unlock (); (); return; pc lock old new q a 4 a a 5 a 6 a 0x33a

8 The Safety Verification Problem Error Initial Safe Is there a path from an initial to an error state? Problem: Infinite state graph Solution : Set of states ' logical formula

9 Idea : Predicate Abstraction Predicates on program state: lock old = new States satisfying same predicates are equivalent Merged into one abstract state #abstract states is finite

10 Abstract States and Transitions State pc lock old new q a 3 a a 5 a 5 a 0x33a 3: 3: unlock(); new++; 4: pc lock old new q a 4 a a 5 a 6 a 0x33a lock old=new! lock! old=new

11 Abstraction State pc lock old new q a 3 a a 5 a 5 a 0x33a 3: 3: unlock(); new++; 4: pc lock old new q a 4 a a 5 a 6 a 0x33a Existential Approximation lock old=new! lock! old=new

12 Abstraction State pc lock old new q a 3 a a 5 a 5 a 0x33a 3: 3: unlock(); new++; 4: pc lock old new q a 4 a a 5 a 6 a 0x33a lock old=new! lock! old=new

13 Analyze Abstraction Analyze finite graph Over Approximate: Safe => System Safe Problem Spurious counterexamples

14 Idea 2: Counterex.-Guided Refinement Solution Use spurious counterexamples to refine abstraction!

15 Idea 2: Counterex.-Guided Refinement Solution Use spurious counterexamples to refine abstraction. Add predicates to distinguish states across cut 2. Build refined abstraction

16 Iterative Abstraction-Refinement [Kurshan et al 93] [Clarke et al 00] [Ball-Rajamani 0] Solution Use spurious counterexamples to refine abstraction. Add predicates to distinguish states across cut 2. Build refined abstraction -eliminates counterexample 3. Repeat search Till real counterexample or system proved safe

17 Build-and-Search Example ( ) { : : do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; 4:while(new!=!= old); 5: 5: unlock (); ();! LOCK Predicates: LOCK

18 Build-and-Search Example ( ) { : : do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; 4:while(new!=!= old); 5: 5: unlock (); (); lock() old = new q=q->next 2! LOCK LOCK 2 Predicates: LOCK

19 Build-and-Search Example ( ) { : : do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; 4:while(new!=!= old); 5: 5: unlock (); (); [q!=null] 3 2 LOCK! LOCK LOCK 2 3 Predicates: LOCK

20 Build-and-Search Example ( ) { : : do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; 4:while(new!=!= old); 5: 5: unlock (); (); q->data = new unlock() new LOCK! LOCK! LOCK LOCK Predicates: LOCK

21 Build-and-Search Example ( ) { : : do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; 4:while(new!=!= old); 5: 5: unlock (); (); 5 [new==old] LOCK! LOCK! LOCK! LOCK LOCK Predicates: LOCK

22 Build-and-Search Example ( ) { : : do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; 4:while(new!=!= old); 5: 5: unlock (); (); 5 4 unlock() LOCK! LOCK! LOCK! LOCK! LOCK LOCK 2 3 Predicates: LOCK

23 Analyze Counterexample Example ( ) { : : do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; 4:while(new!=!= old); 5: 5: unlock (); (); LOCK! LOCK! LOCK! LOCK LOCK lock() old = new q=q->next [q!=null] q->data = new unlock() new++ [new==old] unlock() 4! LOCK 2 3 Predicates: LOCK

24 Analyze Counterexample Example ( ) { : : do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; 4:while(new!=!= old); 5: 5: unlock (); (); LOCK : LOCK : LOCK : LOCK : LOCK LOCK old = new new++ [new==old] Inconsistent new == old Predicates: LOCK

25 Repeat Build-and-Search Example ( ) { : : do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; 4:while(new!=!= old); 5: 5: unlock (); (); : LOCK Predicates: LOCK, new==old

26 Repeat Build-and-Search Example ( ) { : : do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; 4:while(new!=!= old); 5: 5: unlock (); (); LOCK, new==old 2! LOCK lock() old = new q=q->next 2 Predicates: LOCK, new==old

27 Repeat Build-and-Search Example ( ) { : : do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; 4:while(new!=!= old); 5: 5: unlock (); ();! LOCK LOCK, new==old 2 LOCK, new==old 3 q->data = new unlock()! LOCK,! new = old 4 new Predicates: LOCK, new==old

28 Repeat Build-and-Search Example ( ) { : : do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; 4:while(new!=!= old); 5: 5: unlock (); (); LOCK, new==old 2 LOCK, new==old 3! LOCK,! new = old 4 [new==old]! LOCK Predicates: LOCK, new==old

29 Repeat Build-and-Search Example ( ) { : : do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; 4:while(new!=!= old); 5: 5: unlock (); (); LOCK, new==old 2 LOCK, new==old 3! LOCK,! new = old 4 [new!=old]! LOCK 2 4 3! LOCK,! new == old Predicates: LOCK, new==old

30 Repeat Build-and-Search Example ( ) { : : do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; 4:while(new!=!= old); 5: 5: unlock (); (); LOCK, new==old LOCK, new==old! LOCK,! new = old 3 4! LOCK,! new == old 2 4 5! LOCK! LOCK, new==old LOCK, new=old SAFE Predicates: LOCK, new==old

31 Another Example : x = ctr; 2: y = ctr + ; 3: if (x = i-){ 4: if (y!= i){ ERROR: Abstract : skip; 2: skip; 3: if (*){ 4: if (*){ ERROR: C program No predicates available currently

32 Checking the abstract model Is ERROR reachable? : skip; 2: skip; 3: if (*){ 4: if (*){ ERROR: yes Abstract model has a path leading to error state

33 Does this Simulation correspond to a real bug? : skip; 2: skip; 3: if (*){ 4: if (*){ ERROR: : x = ctr; 2: y = ctr + ; 3: assume(x == i-) 4: assume (y!= i) Check using a Not SAT solver possible Concrete trace

34 Refinement : x = ctr; 2: y = ctr + ; 3: assume(x == i-) 4: assume (y!= i) : skip; 2: skip; 3: if (*){ 4: if (*){ ERROR: Spurious Counterexample Initial abstraction

35 Refinement : x = ctr; 2: y = ctr + ; 3: assume(x == i-) 4: assume (y!= i) : skip; 2: skip; 3: if (*){ 4: if (b0){ ERROR: boolean b0 : y!= i

36 Refinement : x = ctr; 2: y = ctr + ; 3: assume(x == i-) 4: assume (y!= i) : skip; 2: skip; 3: if (b){ 4: if (b0){ ERROR: boolean b0 : y!= i boolean b : x== i-

37 Weakest Preconditions WP(P,OP) Weakest formula P s.t. if P is true before OP then P is true after OP OP [WP(P, OP)] [P]

38 Weakest Preconditions WP(P,OP) Weakest formula P s.t. if P is true before OP then P is true after OP Assign x=e P[e/x] P OP new+ = old new = old new = new+ [WP(P, OP)] [P]

39 Refinement boolean b2 : ctr +! = i Weakest precondition of y!= i : x = ctr; 2: y = ctr + ; 3: assume(x == i-) 4: assume (y!= i) : skip; 2: b0 = b2; 3: if (b){ 4: if (b0){ ERROR: boolean b0 : y!= i boolean b : x== i-

40 Refinement boolean b2 : ctr +! = i boolean b3: ctr == i - : x = ctr; 2: y = ctr + ; 3: assume(x == i-) 4: assume (y!= i) : b = b3; 2: b0 = b2; 3: if (b){ 4: if (b0){ ERROR: boolean b0 : y!= i boolean b : x== i-

41 Refinement What about initial values of b2 and b3? b2 and b3 are mutually exclusive. b2 =, b3 = 0 b2 =0, b3 = So system is safe! boolean b2 : ctr +! = i boolean b3: ctr == i - : b = b3; 2: b0 = b2; 3: if (b){ 4: if (b0){ ERROR: boolean b0 : y!= i boolean b : x== i-

42 Tools for Predicate Abstraction of C SLAM at Microsoft Used for verifying correct sequencing of function calls in windows device drivers MAGIC at CMU Allows verification of concurrent C programs Found bugs in MicroC OS BLAST at Berkeley Lazy abstraction, interpolation SATABS at CMU Computes predicate abstraction using SAT Can handle pointer arithmetic, bit-vectors F-Soft at NEC Labs Localization, register sharing

Software Model Checking. Xiangyu Zhang

Software Model Checking. Xiangyu Zhang Software Model Checking Xiangyu Zhang Symbolic Software Model Checking CS510 S o f t w a r e E n g i n e e r i n g Symbolic analysis explicitly explores individual paths, encodes and resolves path conditions