Abstractions from Proofs - PowerPoint PPT Presentation

Slides: 70
Provided by: ranjit8
Learn more at: https://cseweb.ucsd.edu

1
Abstractions from Proofs
  • Thomas A. Henzinger
  • Ranjit Jhala
  • UC Berkeley
  • Rupak Majumdar
  • UC Los Angeles
  • Kenneth L. McMillan
  • Cadence Berkeley Labs

2
Scalable Program Verification
  • Little theorems about big programs
  • Partial Specifications
  • Device drivers use kernel API correctly
  • Applications use root privileges correctly
  • Behavioral, path-sensitive properties

3
Predicate Abstraction: A crash course
[Figure: program state space with Initial and Error states, and its abstraction]
  • Abstraction: Predicates on program state
  • Signs: x > 0
  • Aliasing x ? y
  • States satisfying the same predicates are
    equivalent
  • Merged into single abstract state

4
(Predicate) Abstraction: A crash course
[Figure: program state space with Initial and Error states, and its abstraction]
Q1: Which predicates are required to verify a property?
5
Scalability vs. Verification
scalability
verification
  • Many predicates tracked
  • e.g. values of variables
  • State explosion
  • Analysis drowned in detail
  • Few predicates tracked
  • e.g. type of variables
  • Imprecision hinders Verification
  • Spurious counterexamples

6
Example
while(*) {
  1: if (p1) lock();  if (p1) unlock();
  2: if (p2) lock();  if (p2) unlock();
  ...
  n: if (pn) lock();  if (pn) unlock();
}

[Figure labels: lock, T F T, unlock, lock]
Only track lock (scalability)
  • Bogus Counterexample
  • Must correlate branches

Predicate p1 makes trace abstractly infeasible.
p_i required for verification.
7
Example
while(*) {
  1: if (p1) lock();  if (p1) unlock();
  2: if (p2) lock();  if (p2) unlock();
  ...
  n: if (pn) lock();  if (pn) unlock();
}

[Figure labels: lock, unlock, lock]
Only track lock (scalability)
  • Bogus Counterexample
  • Must correlate branches
Track lock, p_i's (verification)
  • State Explosion
  • > 2^n distinct states
  • intractable

How can we get scalable verification?
8
By Localizing Precision
while(*) {
  1: if (p1) lock();  if (p1) unlock();
  2: if (p2) lock();  if (p2) unlock();
  ...
  n: if (pn) lock();  if (pn) unlock();
}

Preds. used locally: Ex. 2 × n states
Preds. used globally: Ex. 2^n states
Q2: Where are the predicates required?
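The trade-off on the last three slides can be reproduced with a small abstract reachability search over the lock example. This is an added example, not code from the talk or from BLAST; the location numbering and the `tracked` parameter are assumptions made for the illustration, so exact state counts depend on that encoding.

```python
def explore(n, tracked):
    """Worklist search over abstract states (loc, lock_held, known).

    Locations 2k and 2k+1 are 'if (p_k) lock()' and 'if (p_k) unlock()' of
    block k. tracked(loc) is the set of block indices whose predicate p_k is
    tracked at loc; values of untracked predicates are forgotten.
    Returns (error_reachable, number_of_abstract_states)."""
    init = (0, False, frozenset())
    seen, frontier, error = {init}, [init], False
    while frontier:
        loc, lock, known = frontier.pop()
        k, is_lock_stmt = loc // 2, loc % 2 == 0
        facts = dict(known)
        # A tracked predicate fixes the branch; an untracked one allows both.
        for p in ([facts[k]] if k in facts else [True, False]):
            new_lock = lock
            if p:
                if is_lock_stmt == lock:  # lock() while held / unlock() while free
                    error = True
                    continue
                new_lock = is_lock_stmt
            nxt = (loc + 1) % (2 * n)
            facts_after = {**facts, k: p}
            keep = frozenset((j, v) for j, v in facts_after.items()
                             if j in tracked(nxt))
            state = (nxt, new_lock, keep)
            if state not in seen:
                seen.add(state)
                frontier.append(state)
    return error, len(seen)

def only_lock(n):
    # Track lock only: branches on p_k are uncorrelated.
    return explore(n, lambda loc: set())

def global_preds(n):
    # Track every p_k at every location.
    return explore(n, lambda loc: set(range(n)))

def local_preds(n):
    # Track p_k only between the two branches of block k.
    return explore(n, lambda loc: {loc // 2} if loc % 2 == 1 else set())

if __name__ == "__main__":
    for n in (2, 4, 8):
        print(n, only_lock(n), local_preds(n), global_preds(n))
```

With only `lock` tracked the search reports the bogus error; with local predicates it proves safety with a state count linear in n, while global tracking also proves safety but needs exponentially many states.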
9
Counterexample Guided Refinement
  • What predicates remove trace ?
  • Make it abstractly infeasible
  • Where are predicates needed ?

Abstract
explanation
Why infeasible ?
Kurshan et al. 93
Clarke et al. 00
Ball, Rajamani 01
10
Counterexample Guided Refinement
Abstract
11
Counterexample Guided Refinement
safe
Abstract
12
This Talk: Counterexample Analysis
  • What predicates remove trace ?
  • Make it abstractly infeasible
  • Where are predicates needed ?

Abstract
13
Plan
  • Motivation
  • Refinement using Traces
  • Simple
  • Procedure calls
  • Results

14
Counterexample Analysis
  • Q0: Is trace feasible?
  • Q1: What predicates remove trace? Explanation of Infeasibility
  • Q2: Where are preds required?
[Figure: flowchart. Trace -> SSA -> Trace Feasibility Formula -> Thm Pvr. Y: Feasible. N: Proof of Unsat. -> Extract -> Predicate Map (Prog Ctr -> Predicates) -> Refine]
15
Counterexample Analysis
  • Q0: Is trace feasible?
  • Q1: What predicates remove trace? Explanation of Infeasibility
  • Q2: Where are preds required?
[Figure: flowchart. Trace -> SSA -> Trace Feasibility Formula -> Thm Pvr. Y: Feasible. N: Proof of Unsat. -> Extract -> Predicate Map (Prog Ctr -> Predicates) -> Refine]
16
Traces
pc1: x = ctr;
pc2: ctr = ctr + 1;
pc3: y = ctr;
pc4: if (x == i-1)
pc5:   if (y != i)
         ERROR;

pc1: x = ctr; pc2: ctr = ctr + 1; pc3: y = ctr; pc4: assume(x == i-1); pc5: assume(y != i)
y = x + 1
17
Trace Feasibility Formulas
Trace: pc1: x = ctr; pc2: ctr = ctr + 1; pc3: y = ctr; pc4: assume(x == i-1); pc5: assume(y != i)
SSA Trace: pc1: x1 = ctr0; pc2: ctr1 = ctr0 + 1; pc3: y1 = ctr1; pc4: assume(x1 == i0-1); pc5: assume(y1 != i0)
Trace Feasibility Formula: $x_1 = ctr_0 \land ctr_1 = ctr_0 + 1 \land y_1 = ctr_1 \land x_1 = i_0 - 1 \land y_1 \neq i_0$
Theorem: Trace is Feasible $\Leftrightarrow$ TFF is Satisfiable
Compact Verification Conditions: Flanagan, Saxe 00
18
Counterexample Analysis
  • Q0: Is trace feasible?
  • Q1: What predicates remove trace? Explanation of Infeasibility
  • Q2: Where are preds required?
[Figure: flowchart. Trace -> SSA -> Trace Feasibility Formula -> Thm Pvr. Y: Feasible. N: Proof of Unsat. -> Extract -> Predicate Map (Prog Ctr -> Predicates) -> Refine]
19
Counterexample Analysis
  • Q0: Is trace feasible?
  • Q1: What predicates remove trace? Explanation of Infeasibility
  • Q2: Where are preds required?
[Figure: flowchart. Trace -> SSA -> Trace Feasibility Formula -> Thm Pvr. Y: Feasible. N: Proof of Unsat. -> Extract -> Predicate Map (Prog Ctr -> Predicates) -> Refine]
20
Proof of Unsatisfiability
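Trace Formula: $x_1 = ctr_0 \land ctr_1 = ctr_0 + 1 \land y_1 = ctr_1 \land x_1 = i_0 - 1 \land y_1 \neq i_0$
Proof of Unsatisfiability:
  • $x_1 = ctr_0$ and $x_1 = i_0 - 1$ give $ctr_0 = i_0 - 1$
  • $ctr_1 = ctr_0 + 1$ and $ctr_0 = i_0 - 1$ give $ctr_1 = i_0$
  • $y_1 = ctr_1$ and $ctr_1 = i_0$ give $y_1 = i_0$
  • $y_1 = i_0$ and $y_1 \neq i_0$ give a contradiction
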
  • PROBLEM
  • Proof uses entire history of execution
  • Information flows up and down
  • No localized or state information !

21
The Present State
Trace: pc1: x = ctr; pc2: ctr = ctr + 1; pc3: y = ctr; pc4: assume(x == i-1); pc5: assume(y != i)
State is all the information the executing program has here
State
  1. after executing trace prefix
  2. knows present values of variables
  3. makes trace suffix infeasible
At pc4, which predicate on present state shows infeasibility of suffix?
22
What Predicate is needed ?
Trace: pc1: x = ctr; pc2: ctr = ctr + 1; pc3: y = ctr; pc4: assume(x == i-1); pc5: assume(y != i)
Trace Formula (TF): $x_1 = ctr_0 \land ctr_1 = ctr_0 + 1 \land y_1 = ctr_1 \land x_1 = i_0 - 1 \land y_1 \neq i_0$
State
  1. after executing trace prefix
  2. has present values of variables
  3. makes trace suffix infeasible
Predicate
  • implied by TF prefix
23
What Predicate is needed ?
Trace: pc1: x = ctr; pc2: ctr = ctr + 1; pc3: y = ctr; pc4: assume(x == i-1); pc5: assume(y != i)
Trace Formula (TF): $x_1 = ctr_0 \land ctr_1 = ctr_0 + 1 \land y_1 = ctr_1 \land x_1 = i_0 - 1 \land y_1 \neq i_0$
[Figure labels: x1, x1]
State
  1. after executing trace prefix
  2. has present values of variables
  3. makes trace suffix infeasible
Predicate
  • implied by TF prefix
  • on common variables
24
What Predicate is needed ?
Trace: pc1: x = ctr; pc2: ctr = ctr + 1; pc3: y = ctr; pc4: assume(x == i-1); pc5: assume(y != i)
Trace Formula (TF): $x_1 = ctr_0 \land ctr_1 = ctr_0 + 1 \land y_1 = ctr_1 \land x_1 = i_0 - 1 \land y_1 \neq i_0$
State
  1. after executing trace prefix
  2. has present values of variables
  3. makes trace suffix infeasible
Predicate
  • implied by TF prefix
  • on common variables
  • TF suffix is unsatisfiable
25
What Predicate is needed ?
Trace: pc1: x = ctr; pc2: ctr = ctr + 1; pc3: y = ctr; pc4: assume(x == i-1); pc5: assume(y != i)
Trace Formula (TF): $x_1 = ctr_0 \land ctr_1 = ctr_0 + 1 \land y_1 = ctr_1 \land x_1 = i_0 - 1 \land y_1 \neq i_0$
State
  1. after executing trace prefix
  2. knows present values of variables
  3. makes trace suffix infeasible
Predicate
  • implied by TF prefix
  • on common variables
  • TF suffix is unsatisfiable
26
Craig's Interpolation Theorem (Craig 57)
  • Given formulas $\varphi^-$, $\varphi^+$ s.t. $\varphi^- \land \varphi^+$ is
    unsatisfiable
  • There exists an Interpolant $\psi$ for $\varphi^-$, $\varphi^+$,
    s.t.
  • $\varphi^-$ implies $\psi$
  • $\psi$ has symbols common to $\varphi^-$, $\varphi^+$
  • $\psi \land \varphi^+$ is unsatisfiable
  • $\psi$ computable from Proof of Unsat. of $\varphi^- \land \varphi^+$
  • Krajicek 97, Pudlak 97
  • (boolean) SAT-based Model Checking: McMillan
    03

27
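Interpolant = Predicate!
Trace: pc1: x = ctr; pc2: ctr = ctr + 1; pc3: y = ctr; pc4: assume(x == i-1); pc5: assume(y != i)
Trace Formula: $x_1 = ctr_0 \land ctr_1 = ctr_0 + 1 \land y_1 = ctr_1 \land x_1 = i_0 - 1 \land y_1 \neq i_0$
[Figure: trace formula cut into prefix $\varphi^-$ and suffix $\varphi^+$; Interpolate yields $\psi$]
Require:
  • 1. Predicate implied by trace prefix
  • 2. Predicate on common variables (common = current value)
  • 3. Predicate + suffix yields a contradiction
Interpolant:
  • 1. $\varphi^-$ implies $\psi$
  • 2. $\psi$ has symbols common to $\varphi^-$, $\varphi^+$
  • 3. $\psi \land \varphi^+$ is unsatisfiable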
28
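Interpolant = Predicate!
Trace: pc1: x = ctr; pc2: ctr = ctr + 1; pc3: y = ctr; pc4: assume(x == i-1); pc5: assume(y != i)
Trace Formula: $x_1 = ctr_0 \land ctr_1 = ctr_0 + 1 \land y_1 = ctr_1 \land x_1 = i_0 - 1 \land y_1 \neq i_0$
[Figure: trace formula cut into prefix $\varphi^-$ and suffix $\varphi^+$; Interpolate yields $\psi$: $y_1 = x_1 + 1$]
Require:
  • 1. Predicate implied by trace prefix
  • 2. Predicate on common variables
  • 3. Predicate + suffix yields a contradiction
Interpolant:
  • 1. $\varphi^-$ implies $\psi$
  • 2. $\psi$ has symbols common to $\varphi^-$, $\varphi^+$
  • 3. $\psi \land \varphi^+$ is unsatisfiable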

29
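Interpolant = Predicate!
Trace: pc1: x = ctr; pc2: ctr = ctr + 1; pc3: y = ctr; pc4: assume(x == i-1); pc5: assume(y != i)
Trace Formula: $x_1 = ctr_0 \land ctr_1 = ctr_0 + 1 \land y_1 = ctr_1 \land x_1 = i_0 - 1 \land y_1 \neq i_0$
[Figure: trace formula cut at pc4 into prefix $\varphi^-$ and suffix $\varphi^+$; Interpolate yields $\psi$: $y_1 = x_1 + 1$]
Predicate at pc4: y = x+1
Require:
  • 1. Predicate implied by trace prefix
  • 2. Predicate on common variables
  • 3. Predicate + suffix yields a contradiction
Interpolant:
  • 1. $\varphi^-$ implies $\psi$
  • 2. $\psi$ has symbols common to $\varphi^-$, $\varphi^+$
  • 3. $\psi \land \varphi^+$ is unsatisfiable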

30
Building Predicate Maps
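Predicate Map: pc2: x = ctr
Trace: pc1: x = ctr; pc2: ctr = ctr + 1; pc3: y = ctr; pc4: assume(x == i-1); pc5: assume(y != i)
Trace Formula: $x_1 = ctr_0 \land ctr_1 = ctr_0 + 1 \land y_1 = ctr_1 \land x_1 = i_0 - 1 \land y_1 \neq i_0$
[Figure: cut at pc2 into $\varphi^-$ and $\varphi^+$; Interpolate yields $x_1 = ctr_0$]
  • Cut + Interpolate at each point
  • Pred. Map: pc_i $\mapsto$ Interpolant from cut i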

31
Building Predicate Maps
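Predicate Map: pc2: x = ctr; pc3: x = ctr-1
Trace: pc1: x = ctr; pc2: ctr = ctr + 1; pc3: y = ctr; pc4: assume(x == i-1); pc5: assume(y != i)
Trace Formula: $x_1 = ctr_0 \land ctr_1 = ctr_0 + 1 \land y_1 = ctr_1 \land x_1 = i_0 - 1 \land y_1 \neq i_0$
[Figure: cut at pc3 into $\varphi^-$ and $\varphi^+$; Interpolate yields $x_1 = ctr_1 - 1$]
  • Cut + Interpolate at each point
  • Pred. Map: pc_i $\mapsto$ Interpolant from cut i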

32
Building Predicate Maps
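Predicate Map: pc2: x = ctr; pc3: x = ctr-1; pc4: y = x+1; pc5: y = i
Trace: pc1: x = ctr; pc2: ctr = ctr + 1; pc3: y = ctr; pc4: assume(x == i-1); pc5: assume(y != i)
Trace Formula: $x_1 = ctr_0 \land ctr_1 = ctr_0 + 1 \land y_1 = ctr_1 \land x_1 = i_0 - 1 \land y_1 \neq i_0$
[Figure: cut at pc5 into $\varphi^-$ and $\varphi^+$; Interpolate yields $y_1 = i_0$]
  • Cut + Interpolate at each point
  • Pred. Map: pc_i $\mapsto$ Interpolant from cut i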

33
Building Predicate Maps
Predicate Map: pc2: x = ctr; pc3: x = ctr-1; pc4: y = x+1; pc5: y = i
Trace: pc1: x = ctr; pc2: ctr = ctr + 1; pc3: y = ctr; pc4: assume(x == i-1); pc5: assume(y != i)
Trace Formula: $x_1 = ctr_0 \land ctr_1 = ctr_0 + 1 \land y_1 = ctr_1 \land x_1 = i_0 - 1 \land y_1 \neq i_0$
Theorem: Predicate map makes trace abstractly infeasible
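The three interpolant conditions can be checked mechanically for the predicate map built on these slides. This is an added example, not part of the talk and not how FOCI or BLAST work: instead of a theorem prover it enumerates a small bounded integer domain (an assumption, so it is a sanity check rather than a proof), and the function names are hypothetical.

```python
from itertools import product

# SSA trace formula from the slides, one conjunct per trace operation:
# (label, variables mentioned, constraint over an assignment).
TRACE = [
    ("pc1: x = ctr",          {"x1", "ctr0"},   lambda e: e["x1"] == e["ctr0"]),
    ("pc2: ctr = ctr + 1",    {"ctr1", "ctr0"}, lambda e: e["ctr1"] == e["ctr0"] + 1),
    ("pc3: y = ctr",          {"y1", "ctr1"},   lambda e: e["y1"] == e["ctr1"]),
    ("pc4: assume(x == i-1)", {"x1", "i0"},     lambda e: e["x1"] == e["i0"] - 1),
    ("pc5: assume(y != i)",   {"y1", "i0"},     lambda e: e["y1"] != e["i0"]),
]
# Predicate map from the slides, written over SSA variables; key k is the
# cut placed just before pc_k.
PRED_MAP = {
    2: ({"x1", "ctr0"}, lambda e: e["x1"] == e["ctr0"]),
    3: ({"x1", "ctr1"}, lambda e: e["x1"] == e["ctr1"] - 1),
    4: ({"x1", "y1"},   lambda e: e["y1"] == e["x1"] + 1),
    5: ({"y1", "i0"},   lambda e: e["y1"] == e["i0"]),
}
VARS = ["ctr0", "ctr1", "x1", "y1", "i0"]
DOMAIN = range(-3, 4)  # assumption: bounded domain, a sanity check only

def assignments():
    for values in product(DOMAIN, repeat=len(VARS)):
        yield dict(zip(VARS, values))

def holds(conjuncts, env):
    return all(c(env) for _, _, c in conjuncts)

def trace_feasible():
    """The trace is feasible iff its trace formula is satisfiable."""
    return any(holds(TRACE, e) for e in assignments())

def is_interpolant(cut, pred_vars, pred):
    """Check the three interpolant conditions for the cut before pc_<cut>."""
    prefix, suffix = TRACE[:cut - 1], TRACE[cut - 1:]
    pre_vars = set().union(*(v for _, v, _ in prefix))
    suf_vars = set().union(*(v for _, v, _ in suffix))
    implied = all(pred(e) for e in assignments() if holds(prefix, e))
    well_formed = pred_vars <= (pre_vars & suf_vars)
    contradicts = not any(pred(e) and holds(suffix, e) for e in assignments())
    return implied and well_formed and contradicts

def check_predicate_map():
    return {pc: is_interpolant(pc, vs, p) for pc, (vs, p) in PRED_MAP.items()}

if __name__ == "__main__":
    print("trace feasible:", trace_feasible())
    print("predicate map:", check_predicate_map())
```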
34
Plan
  • Motivation
  • Refinement using Traces
  • Simple
  • Procedure calls
  • Results

35
Traces with Procedure Calls
Trace: pc1: x1 = 3; pc2: assume(x1 > 0); pc3: x3 = f1(x1); pc4: y2 = y1; pc5: y3 = f2(y2); pc6: z2 = z1 + 1; pc7: z3 = 2*z2; pc8: return z3; pc9: return y3; pc10: x4 = x3 + 1; pc11: x5 = f3(x4); pc12: assume(w1 < 5); pc13: return w1; pc14: assume x4 > 5; pc15: assume(x1 == x3 + 2)
Trace Formula: pc1: x1 = 3; pc2: assume(x1 > 0); pc3: x3 = f1(x1); pc4: y2 = y1; pc5: y3 = f2(y2); pc6: z2 = z1 + 1; pc7: z3 = 2*z2; pc8: return z3; pc9: return y3; pc10: x4 = x3 + 1; pc11: x5 = f3(x4); pc12: assume(w1 < 5); pc13: return w1; pc14: assume x4 > 5; pc15: assume(x1 == x3 + 2)
Find predicate needed at point i
36
Interprocedural Analysis
[Figure: trace and trace formula, marked at point i]
Find predicate needed at point i
Require at each point i: Well-scoped predicates
  • YES: Variables visible at i
  • NO: Caller's local variables
Procedure Summaries: Reps, Horwitz, Sagiv 95
Polymorphic Predicate Abstraction: Ball, Millstein, Rajamani 02
37
Problems with Cutting
[Figure: trace and trace formula cut at point i into $\varphi^-$ and $\varphi^+$]
  • Caller variables common to $\varphi^-$ and $\varphi^+$
  • Unsuitable interpolant: not well-scoped

38
Interprocedural Cuts
[Figure: trace and trace formula; labels: Call begins, point i]
39
Interprocedural Cuts
[Figure: trace and trace formula; labels: Call begins, $\varphi^-$, $\varphi^+$, point i]
Predicate at pc_i = Interpolant from cut i
40
Common Variables
[Figure: trace and trace formula; labels: $\varphi^-$, $\varphi^+$, point i]
Common Variables: Formals, Current locals
Well-scoped
Predicate at pc_i = Interpolant from i-cut
41
Plan
  • Motivation
  • Refinement using Traces
  • Simple
  • Procedure calls
  • Results

42
Implementation
  • Algorithms implemented in BLAST
  • Verifier for C programs, Lazy Abstraction (POPL 02)
  • FOCI: Interpolating decision procedure
  • Examples
  • Windows Device Drivers (DDK)
  • IRP Specification: 22 state FSM
  • Current: Security properties of Linux programs

43
Results
Windows DDK IRP 22 state
Program   LOC    Previous Time  New Time  Predicates Total  Predicates Average
kbfiltr   12k    1m12s          3m48s     72                6.5
floppy    17k    7m10s          25m20s    240               7.7
diskperf  14k    5m36s          13m32s    140               10
cdaudio   18k    20m18s         23m51s    256               7.8
parport   61k    DNF            74m58s    753               8.1
parclass  138k   DNF            77m40s    382               7.2

Pre-processed
44
Localizing works
Windows DDK IRP 22 state
Program   LOC    Previous Time  New Time  Predicates Total  Predicates Average
kbfiltr   12k    1m12s          3m48s     72                6.5
floppy    17k    7m10s          25m20s    240               7.7
diskperf  14k    5m36s          13m32s    140               10
cdaudio   18k    20m18s         23m51s    256               7.8
parport   61k    DNF            74m58s    753               8.1
parclass  138k   DNF            77m40s    382               7.2

Pre-processed
45
Conclusion
  • Scalability and Precision by localizing
  • Craig Interpolation
  • Interprocedural cuts give well-scoped predicates
  • Some Current and Future Work
  • Multithreaded Programs
  • Project local info of thread to predicates over
    globals
  • Hierarchical trace analysis

46
BLAST
Berkeley Lazy Abstraction Software Tool
www.eecs.berkeley.edu/blast/
47
Pointers and Aliasing
  • McCarthy's Axioms (Arrays, Select, Update)
  • Theory of arrays doesn't have q.f. interpolants!
  • Instantiate axioms when building TF
  • Using Morris' generalized rule for assignment
  • Cuts, Interpolants remain the same

48
Abstract Infeasibility
Property: Strongest Postcondition of i-th predicate w.r.t. op_{i+1} implies (i+1)-th predicate
Predicate Map: pc2: x = ctr; pc3: x = ctr-1; pc4: y = x+1; pc5: y = i
Trace: pc1: x = ctr; pc2: ctr = ctr + 1; pc3: y = ctr; pc4: assume(x == i-1); pc5: assume(y != i)
2nd Predicate: $x = ctr - 1$
Strongest Postcondition: $x = ctr - 1 \land y = ctr$
$x = ctr - 1 \land y = ctr \Rightarrow y = x + 1$ (3rd Predicate)
49
Another Interprocedural Cut
[Figure: trace and trace formula; labels: Call begins, $\varphi^-$, $\varphi^+$, point i]
Predicate at pc_i = Interpolant from i-cut
50
Interprocedural Cuts
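Trace Formula: $x_1 = a_0 \land y_1 = x_1 + 1 \land r_1 = y_1 + 1 \land b_1 = r_1 \land a_0 \neq b_1 - 1$
[Figure: cut starting at "Call begins"; labels: $\varphi^-$, $\varphi^+$, x1, r1]
Common Symbols: x1 (value of passed parameter x), r1 (value of local r)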
51
Interprocedural Cuts
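Trace Formula: $x_1 = a_0 \land y_1 = x_1 + 1 \land r_1 = y_1 + 1 \land b_1 = r_1 \land a_0 \neq b_1 - 1$
[Figure: cut starting at "Call begins"; labels: $\varphi^-$, $\varphi^+$, x1, r1]
Interpolant $\psi$: $r_1 = x_1 + 1$
Predicate: r = x + 1
y no longer live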
52
Operations
op: x = e | assume p
Branch Taken: Operation assume(x == i-1)
[Figure: branch if (x == i-1)]
Branch Not Taken: Operation assume(x != i-1)
53
Localizing Works!
Windows DDK IRP 22 state
Program   LOC    Previous Time  New Time  Predicates (Total/Max/Average)
kbfiltr   12k    1m12s          3m48s     72/16/6.5
floppy    17k    7m10s          25m20s    240/77/7.7
diskperf  14k    5m36s          13m32s    140/31/10
cdaudio   18k    20m18s         23m51s    256/27/7.8
parport   61k    DNF            74m58s    753/32/8.1
parclass  138k   DNF            77m40s    382/28/7.2

Pre-processed
54
Building Predicate Maps
Predicate Map: pc2: x = ctr; pc3: x = ctr-1; pc4: y = x+1; pc5: y = i
Trace: pc1: x = ctr; pc2: ctr = ctr + 1; pc3: y = ctr; pc4: assume(x == i-1); pc5: assume(y != i)
Trace Formula: $x_1 = ctr_0 \land ctr_1 = ctr_0 + 1 \land y_1 = ctr_1 \land x_1 = i_0 - 1 \land y_1 \neq i_0$
  • Cut + Interpolate at each point
  • Pred. Map: pc_i $\mapsto$ Interpolant from cut i

55
Example
while(*) {
  1: if (p1) lock();  if (p1) unlock();
  2: if (p2) lock();  if (p2) unlock();
  ...
  n: if (pn) lock();  if (pn) unlock();
}

[Figure labels: lock, unlock, lock]
Only track lock (scalability)
Bogus Counterexample: assume p1; lock(); assume !p1; assume p2; lock(); ERROR

Predicate p1 makes trace abstractly infeasible.
p_i required for verification.
[Figure labels: lock; lock ∧ p1; lock ∧ p1]

56
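Interpolant = Predicate!
Trace: pc1: x = ctr; pc2: ctr = ctr + 1; pc3: y = ctr; pc4: assume(x == i-1); pc5: assume(y != i)
Trace Formula: $x_1 = ctr_0 \land ctr_1 = ctr_0 + 1 \land y_1 = ctr_1 \land x_1 = i_0 - 1 \land y_1 \neq i_0$
[Figure: trace formula cut into prefix $\varphi^-$ and suffix $\varphi^+$; Interpolate yields $\psi$: $y_1 = x_1 + 1$]
Require:
  • 1. Predicate implied by trace prefix
  • 2. Predicate on common variables
  • 3. Predicate + suffix yields a contradiction
Interpolant:
  • 1. $\varphi^-$ implies $\psi$
  • 2. $\psi$ has symbols common to $\varphi^-$, $\varphi^+$
  • 3. $\psi \land \varphi^+$ is unsatisfiable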

57
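Interpolant = Predicate!
Trace: pc1: x = ctr; pc2: ctr = ctr + 1; pc3: y = ctr; pc4: assume(x == i-1); pc5: assume(y != i)
Trace Formula: $x_1 = ctr_0 \land ctr_1 = ctr_0 + 1 \land y_1 = ctr_1 \land x_1 = i_0 - 1 \land y_1 \neq i_0$
[Figure: trace formula cut into prefix $\varphi^-$ and suffix $\varphi^+$, with x1 and y1 marked on both sides; Interpolate yields $\psi$: $y_1 = x_1 + 1$]
Require:
  • 1. Predicate implied by trace prefix
  • 2. Predicate on common variables
  • 3. Predicate + suffix yields a contradiction
Interpolant:
  • 1. $\varphi^-$ implies $\psi$
  • 2. $\psi$ has symbols common to $\varphi^-$, $\varphi^+$
  • 3. $\psi \land \varphi^+$ is unsatisfiable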

58
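Interpolant = Predicate!
Trace: pc1: x = ctr; pc2: ctr = ctr + 1; pc3: y = ctr; pc4: assume(x == i-1); pc5: assume(y != i)
Trace Formula: $x_1 = ctr_0 \land ctr_1 = ctr_0 + 1 \land y_1 = ctr_1 \land x_1 = i_0 - 1 \land y_1 \neq i_0$
[Figure: trace formula cut into prefix $\varphi^-$ and suffix $\varphi^+$; Interpolate yields $\psi$: $y_1 = x_1 + 1$]
Require:
  • 1. Predicate implied by trace prefix
  • 2. Predicate on common variables
  • 3. Predicate + suffix yields a contradiction
Interpolant:
  • 1. $\varphi^-$ implies $\psi$
  • 2. $\psi$ has symbols common to $\varphi^-$, $\varphi^+$
  • 3. $\psi \land \varphi^+$ is unsatisfiable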

59
Example
while(*) {
  1: if (p1) lock();  if (p1) unlock();
  2: if (p2) lock();  if (p2) unlock();
  ...
  n: if (pn) lock();  if (pn) unlock();
}

[Figure labels: lock, unlock, lock]
Only track lock (scalability)
Bogus Counterexample: assume p1; lock(); assume !p1; assume p2; lock(); ERROR

Must track p1
60
Example
while(*) {
  1: if (p1) lock();  if (p1) unlock();
  2: if (p2) lock();  if (p2) unlock();
  ...
  n: if (pn) lock();  if (pn) unlock();
}

[Figure labels: lock, unlock, lock]
Only track lock (scalability)
Bogus Counterexample: assume p1; lock(); assume !p1; assume p2; lock(); ERROR

Predicate p1 makes trace abstractly infeasible.
p_i required for verification.
61
Example
while(*) {
  1: if (p1) lock();  if (p1) unlock();
  2: if (p2) lock();  if (p2) unlock();
  ...
  n: if (pn) lock();  if (pn) unlock();
}

[Figure labels: lock, unlock, lock]
Only track lock (scalability)
Bogus Counterexample: assume p1; lock(); assume !p1; assume p2; lock(); ERROR
Track lock, p_i's (verification)
  • State Explosion
  • > 2^n distinct states/paths
  • complete search infeasible

62
Procedure Calls
main() { int a, b; b = inc(a); if (a != b-2) ERROR; }
int inc(int x) { int r, y; y = x + 1; r = y + 1; return r; }
Trace: pc1: b = inc(a); pc2: y = x + 1; pc3: r = y + 1; pc4: return r; pc5: assume(a != b-2)
63
Interprocedural Analysis
Trace: pc1: b = inc(a); pc2: y = x + 1; pc3: r = y + 1; pc4: return r; pc5: assume(a != b-2)
Well-scoped predicates
  • YES: Local variables x, y, r
  • NO: Call-site variables a, b
Procedure Summaries: Reps, Horwitz, Sagiv 95
Polymorphic Predicate Abstraction: Ball, Millstein, Rajamani 02
Relational Analysis: Cousot, Halbwachs 78
64
Cuts don't work
Trace: pc1: b = inc(a); pc2: y = x + 1; pc3: r = y + 1; pc4: return r; pc5: assume(a != b-1)
Trace Formula: $x_1 = a_0 \land y_1 = x_1 + 1 \land r_1 = y_1 + 1 \land b_1 = r_1 \land a_0 \neq b_1 - 1$
[Figure: cut into $\varphi^-$ and $\varphi^+$; a0 marked on both sides]
  • a appears in Interpolant
  • Predicate not well-scoped!

Well-scoped predicates
NO: call-site variables a, b
65
Interprocedural Cuts
Trace: pc1: x1 = 3; pc2: assume(x1 > 0); pc3: x3 = f1(x1); pc4: y2 = y1; pc5: y3 = f2(y2); pc6: z2 = z1 + 1; pc7: z3 = 2*z2; pc8: return z3; pc9: return y3; pc10: x4 = x3 + 1; pc11: x5 = f3(x4); pc12: assume(w1 < 5); pc13: return w1; pc14: assume x4 > 5; pc15: assume(x1 == x3 + 2)
Trace Formula: pc1: x1 = 3; pc2: assume(x1 > 0); pc3: x3 = f1(x1); pc4: y2 = y1; pc5: y3 = f2(y2); pc6: z2 = z1 + 1; pc7: z3 = 2*z2; pc8: return z3; pc9: return y3; pc10: x4 = x3 + 1; pc11: x5 = f3(x4); pc12: assume(w1 < 5); pc13: return w1; pc14: assume x4 > 5; pc15: assume(x1 == x3 + 2)
[Figure labels: Call begins, point i]
Predicate at pc_i = Interpolant from i-cut
66
Interprocedural Cuts
[Figure: trace and trace formula; labels: Call begins, $\varphi^-$, $\varphi^+$, point i]
Predicate at pc_i = Interpolant from i-cut
67
Common Variables
[Figure: trace and trace formula; labels: Formals, Current, point i]
Predicate at pc_i = Interpolant from i-cut
68
Another Interprocedural Cut
[Figure: trace and trace formula; labels: Call begins, $\varphi^-$, $\varphi^+$, point i]
Predicate at pc_i = Interpolant from i-cut
69
Another Interprocedural Cut
[Figure: trace and trace formula; labels: Call begins, $\varphi^-$, $\varphi^+$, point i]
Predicate at pc_i = Interpolant from i-cut