Title: Predicate Abstraction for Software Verification
Slide 1: Predicate Abstraction for Software Verification
- Cormac Flanagan
- Shaz Qadeer
- Compaq Systems Research Center
Slide 2: The Continuing Saga of Predicate Abstraction (POPL '02)
Slide 3: Extended Static Checking
- Statically verify many correctness properties
- Type systems catch many errors
  - e.g. cannot multiply a number and a string
- Would like to catch additional errors
  - e.g. array index out of bounds at line 10
- And verify other correctness properties
  - assertions
  - object invariants
  - lightweight method specifications
Slide 4: Checking loops with ESC/Java
/*@ loop_invariant i >= 0;
    loop_invariant 0 <= spot;
    loop_invariant spot <= MAXDIRENTRY;
    loop_invariant (\forall int j; 0 <= j && j < i ==>
                      bdiskaddr.dirEntries[j].inum != DIRENTRY_UNUSED ==>
                      bdiskaddr.dirEntries[j].name != name);
    loop_invariant (\forall int j; spot == MAXDIRENTRY && 0 <= j && j < i ==>
                      bdiskaddr.dirEntries[j].inum != DIRENTRY_UNUSED);
    loop_invariant spot == MAXDIRENTRY ||
                   bdiskaddr.dirEntries[spot].inum == DIRENTRY_UNUSED;
    loop_invariant (\forall DirEntry t; t != de ==> t.name == \old(t.name));
    loop_invariant (\forall DirEntry t; t != de ==> t.inum == \old(t.inum));
    loop_invariant (\forall DirEntry t; t.inum == FS.DIRENTRY_UNUSED ||
                      (0 <= t.inum && t.inum < FS.IMAX));
  @*/
for (i = 0; i < cwd.inode.length; i++) {
  GetDirEntry(de, addr, i);
  if (de.inum != DIRENTRY_UNUSED && de.name == name) return ERROR;
  if (de.inum == DIRENTRY_UNUSED && spot == MAXDIRENTRY) spot = i;
}
Slide 5: Loop invariants
C; while e do B end
Set of reachable states at loop head is a loop invariant!
Figure: precondition p, the statement C, and the reachable states sp(C, p) at the loop head.
Slide 6: Concrete states
Slide 7: Computing loop invariants
C; while e do X; Y end
I0 = α(sp(C, true))
J0 = α(γ(I0) ∧ e)
K0 = α(sp(X, γ(J0)))
L0 = α(sp(Y, γ(K0)))
Slide 8: Computing loop invariants
C; while e do X; Y end
I1 = I0 ∨ L0
Slide 9: Predicate abstraction example
/*@ requires a != null && b != null && a.length == b.length;
    ensures \result == a.length || b[\result];
  @*/
int find(int[] a, boolean[] b) {
  int spot = a.length;
  for (int i = 0; i < a.length; i++) {
    if (spot == a.length && a[i] != 0) spot = i;
    b[i] = (a[i] != 0);
  }
  return spot;
}
Ten predicates: a != null, b != null, a.length == b.length, spot == a.length, b[spot], spot < i, 0 <= i, i <= a.length, spot == i, a[i] != 0
Slide 10: Computing loop invariants
C; while e do X; Y end
I0 = α(sp(C, true))
L0 = α(sp(X; Y, γ(I0) ∧ e))
Slide 11: Computing loop invariants
C; while e do X; Y end
I1 = I0 ∨ L0
L1 = α(sp(X; Y, γ(I1) ∧ e))
Slide 12: Predicate abstraction example (the find routine of slide 9, unchanged)
Seven predicates: a != null, b != null, a.length == b.length, spot == a.length, b[spot], spot < i, 0 <= i, i <= a.length, spot == i, a[i] != 0
Slide 13: Computing loop invariants
C; while e do X; Y end
I0 = α(sp(C, true))
L0 = α(sp(P0, true)), where P0 = C; H; assume γ(I0) ∧ e; X; Y is built like P1 below
Slide 14: Computing loop invariants
H = havoc the variables modified in X; Y
C; while e do X; Y end
I1 = I0 ∨ L0
P1 = C; H; assume γ(I1) ∧ e; X; Y
L1 = α(sp(P1, true))
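The iteration of slides 7 to 14, run on the find routine of slide 9 with its predicates, as an added Python example (not code from the talk). It works over a constructed finite domain of 0/1 arrays of length at most 3, so sp is computed by executing one loop iteration and α and γ by enumeration instead of theorem-prover queries; the three predicates on a and b alone are dropped because they hold on the whole domain, and an out-of-range read such as b[spot] with spot == a.length is taken as false, which is a simplification.

```python
from itertools import product

# Concrete loop-head state of find(): (a, b, spot, i), with both arrays as tuples.
def loop_init(a, b):                    # C:  spot = a.length; i = 0
    return (a, b, len(a), 0)
def loop_guard(s):                      # e:  i < a.length
    return s[3] < len(s[0])

def loop_body(s):                       # X; Y: the if statement, b[i] = (a[i] != 0), then i++
    a, b, spot, i = s
    if spot == len(a) and a[i] != 0:
        spot = i
    return (a, b[:i] + (a[i] != 0,) + b[i + 1:], spot, i + 1)

# Slide 9's predicates without a != null, b != null and a.length == b.length, which hold on
# the whole constructed domain; an out-of-range read (b[spot] with spot == a.length) is false.
PREDICATES = {
    "spot == a.length": lambda a, b, spot, i: spot == len(a),
    "b[spot]":          lambda a, b, spot, i: spot < len(b) and b[spot],
    "spot < i":         lambda a, b, spot, i: spot < i,
    "0 <= i":           lambda a, b, spot, i: 0 <= i,
    "i <= a.length":    lambda a, b, spot, i: i <= len(a),
    "spot == i":        lambda a, b, spot, i: spot == i,
    "a[i] != 0":        lambda a, b, spot, i: i < len(a) and a[i] != 0,
}

def alpha(states, preds):               # alpha(F): the cubes some state of F satisfies
    return {tuple(p(*s) for p in preds) for s in states}

def gamma(cubes, universe, preds):      # gamma(I): the concrete states whose cube lies in I
    return {s for s in universe if tuple(p(*s) for p in preds) in cubes}

def build_universe(max_len=3):
    """Constructed finite domain: 0/1 arrays of length 1..max_len, spot and i in 0..len."""
    return {(a, b, spot, i) for n in range(1, max_len + 1)
            for a in product((0, 1), repeat=n) for b in product((False, True), repeat=n)
            for spot in range(n + 1) for i in range(n + 1)}

def infer_invariant(universe, preds):
    """I0 = alpha(sp(C, true)); I_{n+1} = I_n v alpha(sp(assume gamma(I_n) ^ e; X; Y, true))."""
    inv = alpha((loop_init(a, b) for (a, b, _, _) in universe), preds)
    while True:
        step = alpha((loop_body(s) for s in gamma(inv, universe, preds) if loop_guard(s)), preds)
        if step <= inv:                 # fixpoint: I_{n+1} == I_n, so I_n is an inductive invariant
            return inv
        inv |= step

def postcondition_holds(universe, inv, preds):
    """ensures \\result == a.length || b[\\result], checked on every exit state gamma(I) admits."""
    return all(spot == len(a) or b[spot] for (a, b, spot, i) in gamma(inv, universe, preds)
               if not loop_guard((a, b, spot, i)))
```

postcondition_holds checks the inferred invariant against the ensures clause; with all seven predicates the invariant has five cubes and proves it, and removing b[spot] from the predicate list makes the check fail.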
Slide 15: Predicate abstraction example (the find routine of slide 9, unchanged)
Four predicates: a != null, b != null, a.length == b.length, spot == a.length, b[spot], spot < i, 0 <= i, i <= a.length, spot == i, a[i] != 0
Slide 16: Predicate abstraction example
/*@ requires a != null && b != null && a.length == b.length;
    ensures (\forall int j; 0 <= j && j < \result ==> !b[j]);
  @*/
int find(int[] a, boolean[] b) {
  int spot = a.length;
  for (int i = 0; i < a.length; i++) {
    if (spot == a.length && a[i] != 0) spot = i;
    b[i] = (a[i] != 0);
  }
  return spot;
}
Slide 17: ∀-quantified loop invariants
Slide 18: Heuristics for guessing predicates
for (int i = 0; i < a.length; i++) a[i] = null;
Loop targets: i, a
First set of predicates: i < \old(i), i > \old(i)
Inferred invariant: i >= 0 ∧ (∀ int sc; 0 <= sc ∧ sc < i ⇒ a[sc] == null)
Slide 19: Javafe
- front end to ESC/Java
- annotated with lightweight specifications
- 45 KLOC, 2418 routines, 520 loops
- no inference ⇒ warnings in 326 routines
- with inference ⇒ warnings in 31 routines
- several failing routines had array bound violations, not caught with loop unrolling
Slide 20: Computing abstraction function
C; while e do B end, with I the loop invariant at the loop head
- Compute
  - I_0 = α(sp(C, true))
  - I_{n+1} = I_n ∨ α(sp(C; H; assume γ(I_n) ∧ e; B, true))
- Problem: given F, compute α(F)
- α(F) = least boolean function G such that F ⇒ γ(G)
Slide 21: Abstract state space
- Predicates a, b, c, d
- They generate an abstract space of size 2^4 = 16
Slide 22: Naïve method (slow!)
- Is F ∧ a ∧ b ∧ c ∧ d satisfiable? No!
- Can compute α(F) by asking 2^n such queries
Figure: 4×4 grid of the 16 abstract states (rows a∧b, a∧¬b, ¬a∧¬b, ¬a∧b; columns ¬c∧d, c∧¬d, ¬c∧¬d, c∧d), with the region F and its abstraction α(F) drawn over it; an X marks an abstract state ruled out by one query.
Slide 23: New method
- Removed 1/4 of state space in 3 queries!
Figure: the same 4×4 grid of abstract states (rows a∧b, a∧¬b, ¬a∧¬b, ¬a∧b; columns ¬c∧d, c∧¬d, ¬c∧¬d, c∧d) with the region F; the X marks now cover 11 of the 16 states, eliminated by the four cubes ¬c ∧ ¬d, ¬a ∧ ¬c, ¬a ∧ ¬b and c ∧ ¬d, each shown unsatisfiable together with F by a single query.
The abstraction is the negated disjunction of the eliminated cubes:
¬((¬c ∧ ¬d) ∨ (¬a ∧ ¬c) ∨ (¬a ∧ ¬b) ∨ (c ∧ ¬d))
Slide 24: Other methods
- Das-Dill-Park 99 (DDP)
- Saidi-Shankar 99 (SS)
Slide 25: Experiments
Slide 26: Experiments (Javafe)
Slide 27: Related work
- Inferring/computing loop invariants
  - German-Wegbreit 75
  - Katz-Manna 76
  - Suzuki-Ishihata 77
- Predicate abstraction
  - Graf-Saidi 97
  - Bensalem-Lakhnech-Owre 98, Colon-Uribe 98
  - Saidi-Shankar 99, Das-Dill-Park 99
  - Ball-Majumdar-Millstein-Rajamani 2001
  - Henzinger-Jhala-Majumdar-Sutre 2002