Abstract Interpretation and Predicate Abstraction
Author: Thomas Ball (last modified by qadeer); created 6/1/2005; 61 slides

Transcript and Presenter's Notes

1
Abstract Interpretation andPredicate Abstraction
2
Automating Verification of Software
  • Remains a grand challenge of computer science
  • Behavioral abstraction is central to this effort
  • abstractions simplify our view of program
    behavior
  • proofs over the abstractions carry over to proofs
    over the program

3
Reachability
[Figure: the states reachable from init, and the unsafe states they must not intersect]
4
Safe Invariants
  • Q is a safe invariant if
  • init ⊆ Q
  • T(Q) ⊆ Q
  • Q ⊆ safe

5
Abstraction: Overapproximation of Behavior
[Figure: an overapproximation Q of the reachable states, with init ⊆ Q, T(Q) ⊆ Q and Q disjoint from unsafe]
6
More Concretely
do {
  KeAcquireSpinLock();
  nPacketsOld = nPackets;
  if (request) {
    request = request->Next;
    KeReleaseSpinLock();
    nPackets++;
  }
} while (nPackets != nPacketsOld);
KeReleaseSpinLock();

[Figure: locking automaton with states Unlocked, Locked and Error; Acq takes Unlocked to Locked, Rel takes Locked to Unlocked, and Rel in Unlocked or Acq in Locked goes to Error]
7
Abstraction (via Boolean program)
s = U;
do {
  assert(s == U); s = L;      // KeAcquireSpinLock()
  if (*) {                    // if (request)
    assert(s == L); s = U;    // KeReleaseSpinLock()
  }
} while (*);                  // while (nPackets != nPacketsOld)
assert(s == L); s = U;        // KeReleaseSpinLock()

(shown beside the driver code of the previous slide)
8
Abstraction (via Boolean program)
(same Boolean program as the previous slide, annotated with an abstract error trace)
Lock state along the abstract trace: U L L L U L U L U U E
9
Overapproximation Too Large!
[Figure: the overapproximation Q of the states reachable from init intersects unsafe]
10
Refined Boolean Abstraction
b = (nPacketsOld == nPackets)

s = U;
do {
  assert(s == U); s = L;      // KeAcquireSpinLock()
  b = true;                   // nPacketsOld = nPackets
  if (*) {                    // if (request)
    assert(s == L); s = U;    // KeReleaseSpinLock()
    b = b ? false : *;        // nPackets++
  }
} while (!b);                 // while (nPackets != nPacketsOld)
assert(s == L); s = U;        // KeReleaseSpinLock()
11
Refined Boolean Abstraction
(same refined Boolean program as the previous slide, annotated with the abstract states along the loop; the annotation ends without an error state)
Lock state and value of b along the trace: U, L b, L b, L b, U b, !b, L, U b, L b, U
12
Invariant
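As an added example (not code from the slides), here is the reachability check that slides 7 to 12 perform by hand, run over both Boolean programs. Each program is encoded as a control-flow graph whose successor functions return every outcome of a nondeterministic `*`; the program-counter labels and this encoding are this example's own assumptions. A breadth-first search over (pc, lock state, b) computes the least fixpoint of Reachability: the set it returns is the invariant Q, and the abstract error path it returns for the unrefined program is the kind of spurious trace that motivates the refinement.

```python
"""Reachability over the two Boolean-program abstractions of the spinlock loop.

A program maps a program counter to a successor function returning every
(next_pc, next_state) that the abstract statement allows, so `*` yields two
successors.  A state is (s, b): s is the lock automaton state, b the
predicate nPacketsOld == nPackets (None when not tracked).  The pc labels
and this encoding are this example's own, not the slides'.
"""
from collections import deque

U, L = "U", "L"                 # lock automaton: Unlocked / Locked
ERROR, END = "ERROR", "END"     # failed assert / normal exit

def acquire(st, nxt, b_after):
    """assert(s == U); s = L   (KeAcquireSpinLock); b_after lists the new b values."""
    s, b = st
    return [(ERROR, st)] if s != U else [(nxt, (L, nb)) for nb in b_after(b)]

def release(st, nxt, b_after):
    """assert(s == L); s = U   (KeReleaseSpinLock)."""
    s, b = st
    return [(ERROR, st)] if s != L else [(nxt, (U, nb)) for nb in b_after(b)]

def unrefined_program():
    """Slide 7: only the lock state is tracked; both branches are `*`."""
    keep = lambda b: [b]
    return {
        0: lambda st: [(1, (U, None))],            # s = U
        1: lambda st: acquire(st, 2, keep),         # KeAcquireSpinLock()
        2: lambda st: [(3, st), (4, st)],           # if (*)
        3: lambda st: release(st, 4, keep),         # KeReleaseSpinLock()
        4: lambda st: [(1, st), (5, st)],           # while (*)
        5: lambda st: release(st, END, keep),       # KeReleaseSpinLock()
    }

def refined_program():
    """Slide 10: b = (nPacketsOld == nPackets) is tracked as well."""
    return {
        0: lambda st: [(1, (U, False)), (1, (U, True))],  # s = U; b unknown
        1: lambda st: acquire(st, 2, lambda b: [True]),   # acquire; nPacketsOld = nPackets => b = true
        2: lambda st: [(3, st), (4, st)],                 # if (*)
        3: lambda st: release(st, 4,                      # release; nPackets++ => b = b ? false : *
                              lambda b: [False] if b else [False, True]),
        4: lambda st: [(5, st)] if st[1] else [(1, st)],  # while (!b)
        5: lambda st: release(st, END, lambda b: [b]),    # KeReleaseSpinLock()
    }

def explore(program):
    """Breadth-first search from the initial abstract state.

    Returns (error_path, reachable): error_path is the list of (pc, state)
    pairs of the first abstract trace that fails an assert, or None; reachable
    is every (pc, state) visited, i.e. the invariant the abstraction establishes."""
    init = (0, (U, None))
    parent = {init: None}
    queue = deque([init])
    error_path = None
    while queue:
        node = queue.popleft()
        pc, st = node
        if pc == ERROR and error_path is None:
            error_path, n = [], node
            while n is not None:                  # walk parent links back to init
                error_path.append(n)
                n = parent[n]
            error_path.reverse()
        if pc in (ERROR, END):
            continue
        for nxt in program[pc](st):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return error_path, frozenset(parent)

def lock_states_at(reachable, pc):
    """Project the invariant onto one program point."""
    return {st[0] for p, st in reachable if p == pc}

if __name__ == "__main__":
    for name, prog in (("unrefined", unrefined_program()), ("refined", refined_program())):
        path, reach = explore(prog)
        print(name, "error path:", None if path is None else [pc for pc, _ in path])
        print(name, "lock states before final release:", lock_states_at(reach, 5))
```

The unrefined program admits abstract error paths (the double release of slide 8, and also a double acquire through the `while (*)` back edge); in the refined program every state reaching the final release has s == L, so no assert can fail and the reachable set is the invariant of slide 12.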
13
Software VerificationA Search for Abstractions
  • A complex search space with a fitness function
    (false errors)
  • search for right abstraction
  • search within state space of abstraction
  • Can a machine beat a human at search for the
    right abstractions?
  • Deep Blue beat Kasparov

14
Overview
  • Part I: Abstract Interpretation
  • Cousot & Cousot, POPL 77
  • Manual abstraction and refinement
  • ASTRÉE Analyzer
  • Part II: Predicate Abstraction
  • Graf & Saïdi, CAV 97
  • Automated abstraction and refinement
  • SLAM and Static Driver Verifier
  • Part III: Comparing Approaches

26
Abstract Transitions
[Figure: abstract transitions]
29
Slide courtesy of Patrick Cousot
30
Slide courtesy of Patrick Cousot
31
Slide courtesy of Patrick Cousot
32
Slide courtesy of Patrick Cousot
33
Diagram from Cousot, Cousot, POPL 1977
37
Patrick Cousot, Radhia Cousot, Jérôme Feret, Laurent Mauborgne, Antoine Miné, David Monniaux, Xavier Rival, Bruno Blanchet
ASTRÉE analyzes structured C programs, without dynamic memory allocation and recursion.
In Nov. 2003, ASTRÉE automatically proved the absence of any run-time error in the primary flight control software of the Airbus A340 fly-by-wire system, a program of 132,000 lines of C, analyzed in 1h20 on a 2.8 GHz 32-bit PC using 300 MB of memory.
38
Abstraction Refinement: PLDI 03 Case Study of Blanchet et al.
  • the initial design phase is an iterative
    manual refinement of the analyzer.
  • Each refinement step starts with a static
    analysis of the program, which yields false
    alarms. Then a manual backward inspection of the
    program starting from sample false alarms leads
    to the understanding of the origin of the
    imprecision of the analysis.
  • There can be two different reasons for the lack
    of precision
  • some local invariants are expressible in the
    current version of the abstract domain but were
    missed
  • some local invariants are necessary in the
    correctness proof but are not expressible in the
    current version of the abstract domain.

39
Part I Summary
  • Create abstract domains and supporting algorithms
  • Relate domains via α and γ functions
  • Prove Galois connection
  • Create abstract transformer T#
  • Show that T# approximates α ∘ T ∘ γ
  • Widening to achieve termination
  • Refinement to reduce false errors
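As an added example (not from the deck), here is the Part I recipe carried out on the interval domain for a small counting loop; the loop, the bounds on n and the narrowing pass after widening are this example's own assumptions. It defines α and γ for intervals, an abstract transformer for `i = i + 1` that coincides with α ∘ T ∘ γ, and a loop analysis that shows why widening is needed: without it the ascending iteration takes one step per loop iteration and never stabilises when n is unbounded, with it the iteration stops after two steps and narrowing recovers the precise bound.

```python
"""Interval abstract interpretation of an assumed counting loop, with widening.

    i = 0;
    while (i < n) { i = i + 1; }      // n is known to lie in n_range at entry

An abstract value is None (bottom, no state) or (lo, hi) with lo <= hi;
float("inf") is allowed as a bound.  Loop and bounds are this example's own.
"""
INF = float("inf")

def alpha(concrete):
    """alpha: a finite set of integers -> the tightest interval containing it."""
    return (min(concrete), max(concrete)) if concrete else None

def gamma(iv):
    """gamma: an interval with finite bounds -> the set of integers it denotes."""
    return set() if iv is None else set(range(iv[0], iv[1] + 1))

def included(a, b):
    """a is below b in the interval lattice."""
    return a is None or (b is not None and b[0] <= a[0] and a[1] <= b[1])

def join(a, b):
    if a is None:
        return b
    if b is None:
        return a
    return (min(a[0], b[0]), max(a[1], b[1]))

def widen(old, new):
    """Interval widening: a bound that is still moving jumps straight to infinity."""
    if old is None:
        return new
    if new is None:
        return old
    return (old[0] if new[0] >= old[0] else -INF,
            old[1] if new[1] <= old[1] else INF)

def add_const(iv, c):
    """Abstract transformer T# for i = i + c; equals alpha(T(gamma(iv))) exactly."""
    return None if iv is None else (iv[0] + c, iv[1] + c)

def filter_lt(i, n):
    """Refine the interval of i under the loop guard i < n."""
    if i is None or n is None:
        return None
    lo, hi = i[0], min(i[1], n[1] - 1)
    return None if lo > hi else (lo, hi)

def filter_ge(i, n):
    """Refine the interval of i under the exit condition i >= n."""
    if i is None or n is None:
        return None
    lo, hi = max(i[0], n[0]), i[1]
    return None if lo > hi else (lo, hi)

def analyse(n_range, use_widening=True, max_iter=10000):
    """Loop-head invariant for i and the interval of i after the loop.

    Returns (head_invariant, exit_interval, ascending_iterations), or None
    when the ascending iteration did not stabilise within max_iter steps."""
    entry = (0, 0)                                   # i = 0 before the loop
    head = entry
    for k in range(1, max_iter + 1):
        body_out = add_const(filter_lt(head, n_range), 1)
        new_head = join(entry, body_out)
        if included(new_head, head):                 # post-fixpoint reached
            break
        head = widen(head, new_head) if use_widening else new_head
    else:
        return None
    # Descending (narrowing) pass: re-run the body from the widened invariant
    # to win back precision; bounded because plain iteration need not stop.
    for _ in range(10):
        tighter = join(entry, add_const(filter_lt(head, n_range), 1))
        if tighter == head:
            break
        head = tighter
    return head, filter_ge(head, n_range), k

if __name__ == "__main__":
    print("n in [0,100], no widening:", analyse((0, 100), use_widening=False))
    print("n in [0,100], widening:   ", analyse((0, 100)))
    print("n unbounded, widening:    ", analyse((0, INF)))
    print("n unbounded, no widening: ", analyse((0, INF), use_widening=False, max_iter=50))
```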

40
Part II: Predicate Abstraction
  • Graf & Saïdi, CAV 97
  • Idea
  • Given set of predicates P = {P1, …, Pk}
  • Formulas describing properties of system state
  • Abstract State Space
  • Set of Boolean variables B = {b1, …, bk}
  • bi = true represents the set of states where Pi holds

41
Approximating concrete states
  • Fundamental Operation
  • Approximating a set of concrete states by a set
    of predicates
  • Requires exponential number of theorem prover
    calls in worst case

Partitioning defined by the predicates
42
Abstraction α and Concretization γ Functions
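As an added example, not from the slides: the abstraction α and concretization γ of slides 40 to 44 computed over an explicit finite concrete domain of (nPackets, nPacketsOld) pairs, so that sets of states can be enumerated instead of being queried through a theorem prover. The two predicates, the domain bounds and the choice to drop successors that leave the domain are this example's assumptions. It checks the two Galois-connection laws and computes the best abstract transformer α ∘ T ∘ γ for `nPackets++`, which reproduces the `b = b ? false : *` update of slide 10: from the cube where nPacketsOld == nPackets holds the successor cube has it false, and from the cube where nPackets < nPacketsOld both outcomes are possible.

```python
"""Predicate abstraction over an explicit finite concrete domain.

Concrete states are (nPackets, nPacketsOld) pairs drawn from an assumed small
range; an abstract state (cube) is a tuple of (predicate name, truth value)
pairs.  Predicates and bounds are this example's own choices.
"""
from itertools import product

DOMAIN = range(0, 4)
STATES = frozenset(product(DOMAIN, repeat=2))          # all concrete states

PREDS = {                                              # P1 .. Pk
    "eq": lambda n, o: n == o,                         # nPacketsOld == nPackets (the b of slide 10)
    "gt": lambda n, o: n > o,                          # nPackets > nPacketsOld
}

def cube(**values):
    """Build an abstract state from truth values, e.g. cube(eq=True, gt=False)."""
    assert set(values) == set(PREDS)
    return tuple(sorted(values.items()))

def abstract_state(s):
    """The one cube a concrete state s falls into (the partition of slide 41)."""
    return tuple(sorted((name, bool(p(*s))) for name, p in PREDS.items()))

def alpha(S):
    """alpha: set of concrete states -> the set of cubes covering it."""
    return frozenset(abstract_state(s) for s in S)

def gamma(B):
    """gamma: set of cubes -> every concrete state lying in one of them."""
    return frozenset(s for s in STATES if abstract_state(s) in B)

def galois_connection_holds(S, B):
    """Extensive and reductive laws: S <= gamma(alpha(S)) and alpha(gamma(B)) <= B."""
    return S <= gamma(alpha(S)) and alpha(gamma(B)) <= B

def lost_precision(S):
    """Concrete states gamma(alpha(S)) adds to S: what the predicates cannot distinguish."""
    return gamma(alpha(S)) - S

def increment(s):
    """Concrete transformer T for nPackets++ (successors outside DOMAIN are dropped: assumption)."""
    n, o = s
    return {(n + 1, o)} if n + 1 in DOMAIN else set()

def post(T, S):
    return frozenset(t for s in S for t in T(s))

def best_abstract_transformer(T, B):
    """alpha . T . gamma: the most precise abstract successor of a set of cubes."""
    return alpha(post(T, gamma(B)))

if __name__ == "__main__":
    for b in (cube(eq=True, gt=False), cube(eq=False, gt=False), cube(eq=False, gt=True)):
        print(b, "-> nPackets++ ->", sorted(best_abstract_transformer(increment, {b})))
    print("gamma(alpha({(1,1)})) adds", sorted(lost_precision(frozenset({(1, 1)}))))
```

Computing α symbolically would instead ask the prover, for each of the 2^k cubes, whether it intersects the concrete set, which is the exponential worst case of slide 41.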
55
Refining Predicate Abstraction
56
  • Initial set I
  • Error set E
  • Abstract error path S0, S1, …, Sk

  A := E
  preds := {}
  for i := k downto 0 do
    A' := wp(Si, A)
    if (A' is unsatisfiable)
      return preds
    add atoms(A') to preds
    A := A'
  if (A ∧ I is unsatisfiable)
    add atoms(I) to preds
    return preds
  return "path is feasible"
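As an added example (not the slides' own code), the refinement procedure above run on the spurious trace of slide 8. Path statements and formulas are small tuple ASTs; the satisfiability check enumerates a small assumed integer domain in place of the theorem prover, and the path itself is this example's transcription of the trace, keeping only the data statements since the lock operations are already tracked by the Boolean program. On the spurious path the weakest preconditions become unsatisfiable at the assignment nPacketsOld = nPackets, and the atoms collected on the way include nPackets == nPacketsOld, the predicate b of slide 10; on the loop-exit path taken when request is null the procedure reports the path feasible.

```python
"""Predicate discovery by weakest preconditions along an abstract error path.

Expressions: ('var', name) | ('const', n) | ('+', e1, e2)
Atoms:       ('==', e1, e2) | ('!=', e1, e2)
Formulas:    ('true',) | ('and', f, g) | atom
Statements:  ('assign', x, e) | ('assume', c)
Satisfiability is decided by enumerating a small integer domain, standing in
for the theorem prover (an assumption of this example, not SLAM's prover).
"""
from itertools import product

DOMAIN = range(0, 4)

def subst(node, var, repl):
    """node[repl/var]: replace every occurrence of variable var by expression repl."""
    if node[0] == "var":
        return repl if node[1] == var else node
    if node[0] in ("const", "true"):
        return node
    return (node[0],) + tuple(subst(child, var, repl) for child in node[1:])

def wp(stmt, post):
    """Weakest precondition of one statement with respect to post."""
    if stmt[0] == "assign":               # wp(x := e, A) = A[e/x]
        return subst(post, stmt[1], stmt[2])
    if stmt[0] == "assume":               # wp(assume c, A) = c and A
        return ("and", stmt[1], post)
    raise ValueError(stmt[0])

def atoms(f):
    """The atomic predicates occurring in a formula."""
    if f[0] in ("==", "!="):
        return {f}
    if f[0] == "and":
        return atoms(f[1]) | atoms(f[2])
    return set()

def variables(node):
    if node[0] == "var":
        return {node[1]}
    return set().union(*(variables(c) for c in node[1:] if isinstance(c, tuple)))

def evaluate(node, env):
    kind = node[0]
    if kind == "var":
        return env[node[1]]
    if kind == "const":
        return node[1]
    if kind == "true":
        return True
    lhs, rhs = evaluate(node[1], env), evaluate(node[2], env)
    if kind == "+":
        return lhs + rhs
    if kind == "==":
        return lhs == rhs
    if kind == "!=":
        return lhs != rhs
    if kind == "and":
        return lhs and rhs
    raise ValueError(kind)

def satisfiable(f):
    """Brute-force model search over DOMAIN for every variable of f."""
    names = sorted(variables(f))
    return any(evaluate(f, dict(zip(names, vals)))
               for vals in product(DOMAIN, repeat=len(names)))

def refine(path, init, error):
    """The slide's procedure: walk S0..Sk backwards from the error set E.
    Returns ('infeasible', preds) with the discovered atoms, or ('feasible', None)."""
    a, preds = error, set()
    for stmt in reversed(path):
        a_next = wp(stmt, a)
        if not satisfiable(a_next):
            return "infeasible", preds
        preds |= atoms(a_next)
        a = a_next
    if not satisfiable(("and", a, init)):
        preds |= atoms(init)
        return "infeasible", preds
    return "feasible", None

def show(node):
    """Render an atom or expression as C-like text."""
    if node[0] == "var":
        return node[1]
    if node[0] == "const":
        return str(node[1])
    return f"{show(node[1])} {node[0]} {show(node[2])}"

def V(name):
    return ("var", name)

def C(n):
    return ("const", n)

# Slide 8's spurious trace, data statements only (constructed for this example).
SPURIOUS_PATH = [
    ("assign", "nPacketsOld", V("nPackets")),                  # nPacketsOld = nPackets
    ("assume", ("!=", V("request"), C(0))),                    # if (request)
    ("assign", "nPackets", ("+", V("nPackets"), C(1))),        # nPackets++
    ("assume", ("==", V("nPackets"), V("nPacketsOld"))),       # loop exits
]
# Loop exit when request is null: a genuinely feasible path (constructed).
NULL_REQUEST_PATH = [
    ("assign", "nPacketsOld", V("nPackets")),
    ("assume", ("==", V("request"), C(0))),
    ("assume", ("==", V("nPackets"), V("nPacketsOld"))),
]

def discover(path):
    """Run refine with I = E = true and render the discovered predicates."""
    status, preds = refine(path, ("true",), ("true",))
    return status, (sorted(show(p) for p in preds) if preds is not None else None)

if __name__ == "__main__":
    print(discover(SPURIOUS_PATH))
    print(discover(NULL_REQUEST_PATH))
```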

57
Abstraction (via Boolean program)
do {
  KeAcquireSpinLock();
  nPacketsOld = nPackets;
  if (request) {
    request = request->Next;
    KeReleaseSpinLock();
    nPackets++;
  }
} while (nPackets != nPacketsOld);
KeReleaseSpinLock();

Lock state along the abstract error trace: U L L L U U E
61
Predicate explosion
  • Weakest-precondition technique generates too many
    predicates
  • Generate predicates relevant to each program
    location
  • Interpolation-based approach