Title: Program Verification by Lazy Abstraction
1Program Verification byLazy Abstraction
- Ranjit Jhala
- UC San Diego
With Tom Henzinger, Rupak Majumdar, Ken
McMillan, Gregoire Sutre
2Motivation
- Software is buggy.
- How can we make it more reliable ?
3Property Checking
- Programmer gives partial specifications
- Code checked for consistency w/ spec
- Different from program correctness
- Specifications are not complete
- Is there a complete spec for Word ? Emacs ?
4Interface Usage Rules
- Rules in documentation
- Order of operations data access
- Resource management
- Incomplete, unenforced, wordy
- Violated rules ) bad behavior
- System crash or deadlock
- Unexpected exceptions
- Failed runtime checks
5Property 1 Double Locking
An attempt to re-acquire an acquired lock or
release a released lock will cause a deadlock.
Calls to lock and unlock must alternate.
6Property 2 Drop Root Privilege
Chen-Dean-Wagner 02
User applications must not run with root
privilege When execv is called, must have
suid ? 0
7Property 3 IRP Handler
Fahndrich
8Does a given usage rule hold?
- Undecidable!
- Equivalent to the halting problem
- Restricted versions are in PSPACE
- Prohibitively expensive
- Why bother ?
- Just because a problem is hard, it doesnt go
away!
9Example
Example ( ) 1 do lock() old
new q q-gtnext 2 if (q ! NULL) 3
q-gtdata new unlock() new
4 while(new ! old) 5 unlock ()
return
10What a program really is
State
Transition
3 unlock() new 4
Example ( ) 1 do lock() old
new q q-gtnext 2 if (q ! NULL) 3
q-gtdata new unlock() new
4 while(new ! old) 5 unlock ()
return
11The Safety Verification Problem
Error
Safe
Initial
Is there a path from an initial to an error state
? Problem Infinite state graph Solution Set of
states ' logical formula
12Representing States as Formulas
F states satisfying F s s ² F
F FO fmla over prog. vars
F1 Ã… F2
F1 Æ F2
F1 F2
F1 Ç F2
F
F
F1 µ F2
F1 implies F2
i.e. F1Æ F2 unsatisfiable
13Idea 1 Predicate Abstraction
- Predicates on program state
- lock
- old new
- States satisfying same predicates
- are equivalent
- Merged into one abstract state
- abstract states is finite
-
14Abstract States and Transitions
State
3 unlock() new 4
Theorem Prover
lock oldnew
lock oldnew
15Abstraction
State
3 unlock() new 4
Theorem Prover
lock oldnew
lock oldnew
Existential Lifting
16Abstraction
State
3 unlock() new 4
lock oldnew
lock oldnew
17Analyze Abstraction
Analyze finite graph Over Approximate Safe )
System Safe No false negatives Problem Spurious
counterexamples
18Idea 2 Counterex.-Guided Refinement
Solution Use spurious counterexamples to refine
abstraction !
19Idea 2 Counterex.-Guided Refinement
Solution Use spurious counterexamples to refine
abstraction
1. Add predicates to distinguish states
across cut 2. Build refined abstraction
Imprecision due to merge
20Iterative Abstraction-Refinement
Solution Use spurious counterexamples to refine
abstraction
1. Add predicates to distinguish states
across cut 2. Build refined abstraction -eliminat
es counterexample 3. Repeat search Till real
counterexample or system proved safe
Kurshan et al 93 Clarke et al
00 Ball-Rajamani 01
21Lazy Abstraction
Yes
BLAST
Safe
Abstract
C Program
Refine
No
Property
Trace
22Problem Abstraction is Expensive
Reachable
Problem abstract states 2predicates Exponentia
l Thm. Prover queries
- Observe
- Fraction of state space reachable
- Preds 100s, States 2100 ,
- Reach 1000s
23Solution1 Only Abstract Reachable States
Safe
Solution Build abstraction during search
Problem abstract states 2predicates Exponentia
l Thm. Prover queries
24Solution2 Dont Refine Error-Free Regions
Error Free
Solution Dont refine error-free regions
Problem abstract states 2predicates Exponentia
l Thm. Prover queries
25Key Idea Reachability Tree
Initial
Unroll Abstraction 1. Pick tree-node (abs.
state) 2. Add children (abs. successors) 3. On
re-visiting abs. state, cut-off
1
2
3
Find min infeasible suffix - Learn new
predicates - Rebuild subtree with new preds.
5
4
3
26Key Idea Reachability Tree
Initial
Unroll Abstraction 1. Pick tree-node (abs.
state) 2. Add children (abs. successors) 3. On
re-visiting abs. state, cut-off
1
2
3
6
Find min infeasible suffix - Learn new
predicates - Rebuild subtree with new preds.
4
7
5
3
3
Error Free
27Key Idea Reachability Tree
Initial
Unroll 1. Pick tree-node (abs. state) 2. Add
children (abs. successors) 3. On re-visiting
abs. state, cut-off
1
2
3
6
Find min spurious suffix - Learn new predicates -
Rebuild subtree with new preds.
4
7
8
5
8
3
1
1
3
Error Free
S1 Only Abstract Reachable States S2 Dont
refine error-free regions
SAFE
28Build-and-Search
Example ( ) 1 do lock() old
new q q-gtnext 2 if (q ! NULL) 3
q-gtdata new unlock() new
4while(new ! old) 5 unlock ()
1
LOCK
1
Reachability Tree
Predicates LOCK
29Build-and-Search
Example ( ) 1 do lock() old
new q q-gtnext 2 if (q ! NULL) 3
q-gtdata new unlock() new
4while(new ! old) 5 unlock ()
1
LOCK
lock() old new qq-gtnext
2
LOCK
1
2
Reachability Tree
Predicates LOCK
30Build-and-Search
Example ( ) 1 do lock() old
new q q-gtnext 2 if (q ! NULL) 3
q-gtdata new unlock() new
4while(new ! old) 5 unlock ()
1
LOCK
2
LOCK
q!NULL
3
LOCK
1
2
3
Reachability Tree
Predicates LOCK
31Build-and-Search
Example ( ) 1 do lock() old
new q q-gtnext 2 if (q ! NULL) 3
q-gtdata new unlock() new
4while(new ! old) 5 unlock ()
1
LOCK
2
LOCK
3
LOCK
q-gtdata new unlock() new
4
LOCK
4
1
2
3
Reachability Tree
Predicates LOCK
32Build-and-Search
Example ( ) 1 do lock() old
new q q-gtnext 2 if (q ! NULL) 3
q-gtdata new unlock() new
4while(new ! old) 5 unlock ()
1
LOCK
2
LOCK
3
LOCK
4
LOCK
newold
5
LOCK
5
4
1
2
3
Reachability Tree
Predicates LOCK
33Build-and-Search
Example ( ) 1 do lock() old
new q q-gtnext 2 if (q ! NULL) 3
q-gtdata new unlock() new
4while(new ! old) 5 unlock ()
1
LOCK
2
LOCK
3
LOCK
4
LOCK
5
LOCK
5
unlock()
4
LOCK
1
2
3
Reachability Tree
Predicates LOCK
34Analyze Counterexample
Example ( ) 1 do lock() old
new q q-gtnext 2 if (q ! NULL) 3
q-gtdata new unlock() new
4while(new ! old) 5 unlock ()
1
LOCK
lock() old new qq-gtnext
2
LOCK
q!NULL
3
LOCK
q-gtdata new unlock() new
4
LOCK
newold
5
LOCK
5
unlock()
4
LOCK
1
2
3
Reachability Tree
Predicates LOCK
35Analyze Counterexample
Example ( ) 1 do lock() old
new q q-gtnext 2 if (q ! NULL) 3
q-gtdata new unlock() new
4while(new ! old) 5 unlock ()
1
LOCK
old new
2
LOCK
3
LOCK
new
4
LOCK
newold
5
LOCK
5
Inconsistent
4
LOCK
new old
1
2
3
Reachability Tree
Predicates LOCK
36Repeat Build-and-Search
Example ( ) 1 do lock() old
new q q-gtnext 2 if (q ! NULL) 3
q-gtdata new unlock() new
4while(new ! old) 5 unlock ()
1
LOCK
1
Reachability Tree
Predicates LOCK, newold
37Repeat Build-and-Search
Example ( ) 1 do lock() old
new q q-gtnext 2 if (q ! NULL) 3
q-gtdata new unlock() new
4while(new ! old) 5 unlock ()
1
LOCK
lock() old new qq-gtnext
2
LOCK , newold
1
2
Reachability Tree
Predicates LOCK, newold
38Repeat Build-and-Search
Example ( ) 1 do lock() old
new q q-gtnext 2 if (q ! NULL) 3
q-gtdata new unlock() new
4while(new ! old) 5 unlock ()
1
LOCK
2
LOCK , newold
3
LOCK , newold
q-gtdata new unlock() new
4
LOCK , new old
4
1
2
3
Reachability Tree
Predicates LOCK, newold
39Repeat Build-and-Search
Example ( ) 1 do lock() old
new q q-gtnext 2 if (q ! NULL) 3
q-gtdata new unlock() new
4while(new ! old) 5 unlock ()
1
LOCK
2
LOCK , newold
3
LOCK , newold
4
LOCK , new old
newold
4
1
2
3
Reachability Tree
Predicates LOCK, newold
40Repeat Build-and-Search
Example ( ) 1 do lock() old
new q q-gtnext 2 if (q ! NULL) 3
q-gtdata new unlock() new
4while(new ! old) 5 unlock ()
1
LOCK
2
LOCK , newold
3
LOCK , newold
4
LOCK , new old
new!old
1
LOCK, new old
4
4
1
2
3
Reachability Tree
Predicates LOCK, newold
41Repeat Build-and-Search
Example ( ) 1 do lock() old
new q q-gtnext 2 if (q ! NULL) 3
q-gtdata new unlock() new
4while(new ! old) 5 unlock ()
1
LOCK
2
LOCK , newold
SAFE
3
LOCK , newold
4
4
LOCK , newold
LOCK , new old
1
5
5
LOCK, new old
4
4
4
1
LOCK , newold
2
3
Reachability Tree
Predicates LOCK, newold
42Key Idea Reachability Tree
Initial
Unroll 1. Pick tree-node (abs. state) 2. Add
children (abs. successors) 3. On re-visiting
abs. state, cut-off
1
2
3
6
Find min spurious suffix - Learn new predicates -
Rebuild subtree with new preds.
4
7
8
5
8
3
1
1
3
Error Free
S1 Only Abstract Reachable States S2 Dont
refine error-free regions
SAFE
43Two handwaves
Example ( ) 1 do lock() old
new q q-gtnext 2 if (q ! NULL) 3
q-gtdata new unlock() new
4while(new ! old) 5 unlock ()
1
LOCK
2
LOCK , newold
SAFE
3
LOCK , newold
4
4
LOCK , newold
LOCK , new old
1
5
5
LOCK, new old
4
4
4
1
LOCK , newold
2
3
Reachability Tree
Predicates LOCK, newold
44Two handwaves
Example ( ) 1 do lock() old
new q q-gtnext 2 if (q ! NULL) 3
q-gtdata new unlock() new
4while(new ! old) 5 unlock ()
1
LOCK
Q. How to compute successors ?
2
LOCK , newold
SAFE
3
3
LOCK , newold
LOCK , newold
q-gtdata new unlock() new
4
4
4
LOCK , newold
LOCK , new old
LOCK , new old
1
5
5
LOCK, new old
4
4
4
1
LOCK , newold
2
3
Reachability Tree
Predicates LOCK, newold
45Two handwaves
Example ( ) 1 do lock() old
new q q-gtnext 2 if (q ! NULL) 3
q-gtdata new unlock() new
4while(new ! old) 5 unlock ()
1
LOCK
Q. How to compute successors ?
2
LOCK , newold
SAFE
Abstraction
3
LOCK , newold
4
4
LOCK , newold
LOCK , new old
Q. How to find predicates ?
1
5
5
Refinement
LOCK, new old
4
4
4
1
LOCK , newold
2
3
Predicates LOCK, newold
46Two handwaves
Example ( ) 1 do lock() old
new q q-gtnext 2 if (q ! NULL) 3
q-gtdata new unlock() new
4while(new ! old) 5 unlock ()
1
LOCK
Q. How to compute successors ?
2
LOCK , newold
SAFE
Abstraction
3
LOCK , newold
4
4
LOCK , newold
LOCK , new old
1
5
5
Refinement
LOCK, new old
4
4
4
1
LOCK , newold
2
3
Predicates LOCK, newold
47Weakest Preconditions
WP(P,OP) Weakest formula P s.t. if
P is true before OP then P is true after OP
WP(P, OP)
OP
P
48Weakest Preconditions
WP(P,OP) Weakest formula P s.t. if
P is true before OP then P is true after OP
WP(P, OP)
OP
P
Pe/x
new1 old
Assign
new new1
x e
P
new old
49Weakest Preconditions
WP(P,OP) Weakest formula P s.t. if
P is true before OP then P is true after OP
WP(P, OP)
OP
P
c ) P
newold ) newold
Assume
Branch
newold
c
P
new old
50How to compute successor ?
Example ( ) 1 do lock() old
new q q-gtnext 2 if (q ! NULL) 3
q-gtdata new unlock() new
4while(new ! old) 5 unlock ()
3
F
LOCK , newold
OP
?
4
LOCK , new old
- For each p
- Check if p is true (or false) after OP
- Q When is p true after OP ?
- - If WP(p, OP) is true before OP !
- - We know F is true before OP
- - Thm. Pvr. Query F ) WP(p, OP)
Predicates LOCK, newold
51How to compute successor ?
Example ( ) 1 do lock() old
new q q-gtnext 2 if (q ! NULL) 3
q-gtdata new unlock() new
4while(new ! old) 5 unlock ()
3
F
LOCK , newold
OP
?
4
- For each p
- Check if p is true (or false) after OP
- Q When is p false after OP ?
- - If WP( p, OP) is true before OP !
- - We know F is true before OP
- - Thm. Pvr. Query F ) WP( p, OP)
Predicates LOCK, newold
52How to compute successor ?
Example ( ) 1 do lock() old
new q q-gtnext 2 if (q ! NULL) 3
q-gtdata new unlock() new
4while(new ! old) 5 unlock ()
3
F
LOCK , newold
OP
?
4
new old
LOCK , new old
- For each p
- Check if p is true (or false) after OP
- Q When is p false after OP ?
- - If WP( p, OP) is true before OP !
- - We know F is true before OP
- - Thm. Pvr. Query F ) WP( p, OP)
new new1
Operation
Predicate newold
(LOCK , newold) ) (new 1 old)
True ?
NO
False ?
(LOCK , newold) ) (new 1 ? old)
YES
53Lazy Abstraction
Yes
Safe
Abstract
C Program
Refine
No
Property
Trace
Problem Abstraction is Expensive
Solution 1. Abstract reachable states,
2. Avoid refining error-free regions
Key Idea Reachability Tree
54Property IRP Handler
Fahndrich
55Results
Property3 IRP Handler Win NT DDK
Program Lines Time(mins) Predicates Predicates
kbfiltr 12k 1 34
floppy 17k 7 93
diskprf 14k 5 71
cdaudio 18k 20 85
parport 61k DNF
parclss 138k DNF
Pre-processed
56Predicates grows with program size
while(1) 1 if (p1) lock() if (p1)
unlock() 2 if (p2) lock() if
(p2) unlock() n if (pn) lock()
if (pn) unlock()
T F T
Tracking lock not enough
Problem p1,,pn needed for verification Exponen
tial reachable abstract states
57Predicates grows with program size
while(1) 1 if (p1) lock() if (p1)
unlock() 2 if (p2) lock() if
(p2) unlock() n if (pn) lock()
if (pn) unlock()
LOCK
LOCK, p1
LOCK, p1
LOCK, p1
LOCK, p1
LOCK
p1p2
p1 p2
p1 p2
p1 p2
2n Abstract States
Problem p1,,pn needed for verification Exponen
tial reachable abstract states
58Predicates useful locally
while(1) 1 if (p1) lock() if (p1)
unlock() 2 if (p2) lock() if
(p2) unlock() n if (pn) lock()
if (pn) unlock()
LOCK
p1
LOCK , p1
LOCK, p1
LOCK , p1
LOCK
LOCK , p1
LOCK
LOCK
p2
pn
2n Abstract States
Solution Use predicates only where needed Using
Counterexamples Q1. Find predicates Q2. Find
where predicates are needed
59Lazy Abstraction
Yes
Safe
Abstract
C Program
Refine
No
Property
Trace
Problem Preds grows w/ Program Size
Solution Localize pred. use, find where preds.
needed
Ctrex. Trace
Pred. Map PC ? Preds.
Refine
60Counterexample Traces
1 x ctr 2 ctr ctr 1 3 y ctr 4 if
(x i-1) 5 if (y ! i) ERROR
1 x ctr 2 ctr ctr 1 3 y ctr 4
assume(x i-1) 5 assume(y ? i)
y x 1
61Trace Formulas
1 x ctr 2 ctr ctr1 3 y ctr 4
assume(xi-1) 5 assume(y?i)
x1 ctr0 Æ ctr1 ctr0 1 Æ y1
ctr1 Æ x1 i0 - 1 Æ y1 ? i0
1 x1 ctr0 2 ctr1 ctr01 3 y1 ctr1 4
assume(x1i0-1) 5 assume(y1?i0)
Trace
Trace Feasibility Formula
SSA Trace
Thm Trace is feasible , TF is satisfiable
62The Present State
Trace
1 x ctr 2 ctr ctr 1 3 y ctr 4
assume(x i-1) 5 assume(y ? i)
is all the information the executing program
has here
State
1. after executing trace past (prefix) 2.
knows present values of variables 3. makes
trace future (suffix) infeasible
At pc4, which predicate on present state shows
infeasibility of future ?
63What Predicate is needed ?
Trace Formula (TF)
Trace
x1 ctr0 Æ ctr1 ctr0 1 Æ y1
ctr1 Æ x1 i0 - 1 Æ y1 ? i0
1 x ctr 2 ctr ctr 1 3 y ctr 4
assume(x i-1) 5 assume(y ? i)
64What Predicate is needed ?
Trace Formula (TF)
Trace
x1 ctr0 Æ ctr1 ctr0 1 Æ y1
ctr1 Æ x1 i0 - 1 Æ y1 ? i0
1 x ctr 2 ctr ctr 1 3 y ctr 4
assume(x i-1) 5 assume(y ? i)
Relevant Information
Predicate
1. after executing trace prefix
implied by TF prefix
65What Predicate is needed ?
Trace Formula (TF)
Trace
x1 ctr0 Æ ctr1 ctr0 1 Æ y1
ctr1 Æ x1 i0 - 1 Æ y1 ? i0
x1
1 x ctr 2 ctr ctr 1 3 y ctr 4
assume(x i-1) 5 assume(y ? i)
x1
Predicate
Relevant Information
1. after executing trace prefix 2. has
present values of variables
implied by TF prefix on common variables
66What Predicate is needed ?
Trace Formula (TF)
Trace
x1 ctr0 Æ ctr1 ctr0 1 Æ y1
ctr1 Æ x1 i0 - 1 Æ y1 ? i0
1 x ctr 2 ctr ctr 1 3 y ctr 4
assume(x i-1) 5 assume(y ? i)
Predicate
Relevant Information
1. after executing trace prefix 2. has
present values of variables 3. makes trace
suffix infeasible
implied by TF prefix on common variables
TF suffix is unsatisfiable
67What Predicate is needed ?
Trace Formula (TF)
Trace
x1 ctr0 Æ ctr1 ctr0 1 Æ y1
ctr1 Æ x1 i0 - 1 Æ y1 ? i0
1 x ctr 2 ctr ctr 1 3 y ctr 4
assume(x i-1) 5 assume(y ? i)
Predicate
Relevant Information
1. after executing trace prefix 2. has
present values of variables 3. makes trace
suffix infeasible
implied by TF prefix on common variables
TF suffix is unsatisfiable
68Interpolant Predicate !
Trace Formula
Trace
1 x ctr 2 ctr ctr 1 3 y ctr 4
assume(x i-1) 5 assume(y ? i)
x1 ctr0 Æ ctr1 ctr0 1 Æ y1
ctr1 Æ x1 i0 - 1 Æ y1 ? i0
Predicate at 4 y x1
?-
Interpolate
?
?
y1 x1 1
Predicate
Craig Interpolant Craig 57 Computable from
Proof of Unsat Krajicek 97 Pudlak 97
implied by TF prefix on common variables
TF suffix is unsatisfiable
69Another interpretation
Trace Formula
x1 ctr0 Æ ctr1 ctr0 1 Æ y1
ctr1 Æ x1 i0 - 1 Æ y1 ? i0
Predicate at 4 y x1
After exec prefix
?-
?-
?
Interpolate
?
Can exec suffix
?
?
y1 x1 1
Unsat Empty Intersection Trace Infeasible
Interpolant ? Overapprox. states after prefix
that cannot execute suffix
70Interpolant Predicate !
Trace Formula
Trace
1 x ctr 2 ctr ctr 1 3 y ctr 4
assume(x i-1) 5 assume(y ? i)
x1 ctr0 Æ ctr1 ctr0 1 Æ y1
ctr1 Æ x1 i0 - 1 Æ y1 ? i0
Predicate at 4 y x1
?-
Interpolate
?
?
y1 x1 1
Predicate
Craig Interpolant Craig 57 Computable from
Proof of Unsat Krajicek 97 Pudlak 97
implied by TF prefix on common variables
TF suffix is unsatisfiable
71Interpolant Predicate !
Trace Formula
Trace
1 x ctr 2 ctr ctr 1 3 y ctr 4
assume(x i-1) 5 assume(y ? i)
x1 ctr0 Æ ctr1 ctr0 1 Æ y1
ctr1 Æ x1 i0 - 1 Æ y1 ? i0
Predicate at 4 y x1
?-
Interpolate
?
Q. How to compute interpolants ?
?
y1 x1 1
Predicate
Craig Interpolant Craig 57 Computable from
Proof of Unsat Krajicek 97 Pudlak 97
implied by TF prefix on common variables
TF suffix is unsatisfiable
72Building Predicate Maps
Predicate Map 2 x ctr
Trace
Trace Formula
?-
1 x ctr 2 ctr ctr 1 3 y ctr 4
assume(x i-1) 5 assume(y ? i)
x1 ctr0 Æ ctr1 ctr0 1 Æ y1
ctr1 Æ x1 i0 - 1 Æ y1 ? i0
Interpolate
x1 ctr0
?
- Cut Interpolate at each point
- Pred. Map pci ? Interpolant from cut i
73Building Predicate Maps
Predicate Map 2 x ctr 3 x ctr-1
Trace
Trace Formula
1 x ctr 2 ctr ctr 1 3 y ctr 4
assume(x i-1) 5 assume(y ? i)
x1 ctr0 Æ ctr1 ctr0 1 Æ y1
ctr1 Æ x1 i0 - 1 Æ y1 ? i0
?-
Interpolate
x1 ctr1-1
?
- Cut Interpolate at each point
- Pred. Map pci ? Interpolant from cut i
74Building Predicate Maps
Predicate Map 2 x ctr 3 x ctr - 1 4 y x
1
Trace
Trace Formula
1 x ctr 2 ctr ctr 1 3 y ctr 4
assume(x i-1) 5 assume(y ? i)
x1 ctr0 Æ ctr1 ctr0 1 Æ y1
ctr1 Æ x1 i0 - 1 Æ y1 ? i0
y1 x11
- Cut Interpolate at each point
- Pred. Map pci ? Interpolant from cut i
75Building Predicate Maps
Predicate Map 2 x ctr 3 x ctr - 1 4 y x
1 5 y i
Trace
Trace Formula
1 x ctr 2 ctr ctr 1 3 y ctr 4
assume(x i-1) 5 assume(y ? i)
x1 ctr0 Æ ctr1 ctr0 1 Æ y1
ctr1 Æ x1 i0 - 1 Æ y1 ? i0
y1 i0
- Cut Interpolate at each point
- Pred. Map pci ? Interpolant from cut i
76Local Predicate Use
- Use predicates needed at location
- Preds. grows with program size
- Preds per location small
Predicate Map 2 x ctr 3 x ctr - 1 4 y x
1 5 y i
Verification scales
Local Predicate use Ex 2n states
Global Predicate use Ex 2n states
77Results
Property3 IRP Handler Win NT DDK
Program Lines Previous Time(mins) Time (mins) Predicates Total Average Predicates Total Average
kbfiltr 12k 1 3 72 6.5
floppy 17k 7 25 240 7.7
diskprf 14k 5 13 140 10
cdaudio 18k 20 23 256 7.8
parport 61k DNF 74 753 8.1
parclss 138k DNF 77 382 7.2
Pre-processed
78Localizing
Property3 IRP Handler Win NT DDK
Program Lines Previous Time(mins) Time (mins) Predicates Total Average Predicates Total Average
kbfiltr 12k 1 3 72 6.5
floppy 17k 7 25 240 7.7
diskprf 14k 5 13 140 10
cdaudio 18k 20 23 256 7.8
parport 61k DNF 74 753 8.1
parclss 138k DNF 77 382 7.2
Pre-processed
79Q. How to compute interpolants ?
80Proof of Unsatisfiability
x1 ctr0 Æ ctr1 ctr0 1 Æ y1
ctr1 Æ x1 i0 - 1 Æ y1 ? i0
x1 ctr0
x1 i0 -1
ctr1 ctr01
ctr0 i0-1
ctr1 i0
y1 ctr1
y1 i0
y1? i0
Proof of Unsatisfiability
Trace Formula
81Another Proof of Unsatisfiability
(-1)
1
x1-i0 10
x1 ctr00
1
ctr1- ctr0-10
ctr0-i010
1
y1-ctr10
ctr1-i0 0
1
y1-i0 ?0
y1-i00
0? 0
Rewritten Proof
82Interpolant from Rewritten Proof ?
(-1)
1
x1 ctr0 Æ ctr1 ctr0 1 Æ y1
ctr1 Æ x1 i0 - 1 Æ y1 ? i0
x1-i0 10
x1 ctr00
1
ctr1- ctr0-10
ctr0-i010
1
y1-ctr10
ctr1-i0 0
Interpolate
1
y1-i0 ?0
y1-i00
0? 0
Rewritten Proof
Trace Formula
83Interpolant from Rewritten Proof ?
x1 ctr0 Æ ctr1 ctr0 1 Æ y1
ctr1 Æ x1 i0 - 1 Æ y1 ? i0
x1 ctr00
(-1)
1
ctr1- ctr0-10
y1-ctr10
1
Interpolate
y1-x1-10
y1x11
Interpolant !
Trace Formula
84Lazy Abstraction
Yes
Safe
Abstract
C Program
Refine
No
Property
Trace
Problem Preds grows w/ Program Size
Solution Localize pred. use, find where preds.
needed
Refine
Trace Feas Formula
Proof of Unsat
Ctrex. Trace
Pred. Map PC ? Preds.
Thm Pvr
Interpolate
85Verification by Theorem Proving
Example ( ) 1 do lock() old
new q q-gtnext 2 if (q ! NULL) 3
q-gtdata new unlock() new
4 while(new ! old) 5 unlock ()
return
- 1. Loop Invariants
- 2. Logical formula
- 3. Check Validity
Invariant lock Æ new old Ç
lock Æ new ? old
86Verification by Theorem Proving
Example ( ) 1 do lock() old
new q q-gtnext 2 if (q ! NULL) 3
q-gtdata new unlock() new
4 while(new ! old) 5 unlock ()
return
- 1. Loop Invariants
- 2. Logical formula
- 3. Check Validity
- - Loop Invariants
- Multithreaded Programs
- Behaviors encoded in logic
- Decision Procedures
-
ESC
Precise
87Verification by Program Analysis
Example ( ) 1 do lock() old
new q q-gtnext 2 if (q ! NULL) 3
q-gtdata new unlock() new
4 while(new ! old) 5 unlock ()
return
1. Dataflow Facts 2. Constraint System 3. Solve
constraints
- Imprecision due to fixed facts Abstraction
Type/Flow Analyses
CQUAL, ESP, MC
Scalable
88Verification by Model Checking
Example ( ) 1 do lock() old
new q q-gtnext 2 if (q ! NULL) 3
q-gtdata new unlock() new
4 while(new ! old) 5 unlock ()
return
1. (Finite State) Program 2. State Transition
Graph 3. Reachability
- - Pgm ! Finite state model
- State explosion
- State Exploration
- Counterexamples
SPIN, SMV, Bandera,JPF
Precise
89Combining Strengths
Program Analysis - Imprecise
Abstraction Shrink state space
- Theorem Proving
- - loop invariants
- Behaviors encoded in logic
- Refine
- Theorem provers
- Computing Successors,Refine
Lazy Abstraction
Model Checking - Finite-state model, state
explosion State Space Exploration Path
Sensitive Analysis Counterexamples Finding
Relevant Facts
90Lazy Abstraction Main Ideas
- Predicates
- Abstract infinite program states
- Counterexample-guided Refinement
- Find predicates tailored to program, property
- Abstraction Expensive
- Reachability Tree
- Refinement Find predicates, use locations
Proof of unsat of TF Interpolation