Slide 1
Automatic Abstraction in SMT-Based Unbounded Software Model Checking
Anvesh Komuravelli, Carnegie Mellon University
Joint work with Arie Gurfinkel, Sagar Chaki and Edmund Clarke

Slide 2
The Problem
Program P + Assertions → Automatic analysis for assertion failures (Software Model Checking) → one of:
  Safe + Proof
  Unsafe + Counterexample
  Unknown + Partial Proof
[Diagram: the sets reach(P) and error(P). Is their intersection empty?]

Slide 3
Over-approximation Driven (OD)
[Diagram: reach(P) and error(P)]

Slide 4
Over-approximation driven (OD)
[Diagram: an over-approximation of reach(P) checked against error(P)]

Slide 5
Over-approximation driven (OD)
Key Idea: CEGAR based on Predicate Abstraction
Symbolic Method: BDDs for fixed point computation, SMT for new predicates
Tools: SLAM, BLAST, SDV, etc.

Slide 6
Under-approximation Driven (UD)
[Diagram: reach(P) and error(P)]

Slide 7
Under-approximation driven (UD)
[Diagram: under-approximations of reach(P) checked against error(P)]

Slide 8
Under-approximation driven (UD)
Key Idea: BMC based approach
Symbolic Method: SMT
Tools: IMPACT, UFO, etc.

Slide 9
Key Recent Advancements
2003  Interpolation for Hardware Model Checking (McMillan)
2006  IMPACT (Path Interpolants) (McMillan)
2009  Path Interpolants for Hardware Model Checking (Grumberg et al.)
2010  IC3 (Different way of computing Interpolants, Hardware) (Bradley)
2011  WOLVERINE (Bit-level Implementation of IMPACT) (Kroening et al.)
2012  UFO (DAG Interpolation method, Predicate Abstraction + Interpolation) (Gurfinkel et al.)
2012  VINTA (Abstract Interpretation + Interpolation) (Gurfinkel et al.)
2011  FunFrog (Interprocedural) (Sharygina et al.)
2012  μZ (Horn clause solver based on GPDR) (Bjorner et al.)
2012  Duality (Horn clause solver based on Interpolation) (McMillan, Rybalchenko)
2012  WHALE (Interprocedural) (Gurfinkel et al.)

Slide 10
Our Strategy
[Diagram: reach(P) and error(P)] Under-approx. → Abstract → Under-approx.

Slide 11
Our Strategy
[Diagram] Under-approx. → Abstract → Under-approx. → Refine

Slide 12
Our Strategy
[Diagram] Under-approx. → Abstract → Under-approx. → Refine → Abstract

Slide 13
Our Strategy
[Diagram] And so on …

Slide 14
Our Strategy
[Diagram] reach(P) is covered.
Abstractions guide the SMT solver to look for general proofs.

Slide 15
It’s based on UD
[Diagram: a sequence of under-approximations (…), with an Abstract step]

Slide 16
It’s based on UD
[Diagram: sequence of under-approximations with an Abstract step] The under-approximations need not be monotonic.

Slide 17
Spacer is based on UD
[Diagram: sequence of under-approximations with a non-trivial abstraction]

Slide 18
Spacer
[Flowchart] Program → Under-Approximate → Check Safety
  Safe: Feasible? Yes → Safety Proof. No → Abstract (Proof-Based Abstraction) → Under-Approximate again.
  Counterexample: Feasible? Yes → Counterexample. No → Refine (CEGAR) → Under-Approximate again.

Slide 19
Why Abstraction?
    x = y = z = w = 0;
    while (*) {
      x = *; y = *;
      assume (0 ≤ y ≤ 100x);
      if (y > 10w && z ≥ 100x) {
        y = −y;          // only way to fail the assertion
      }
      t = 1;
      w += t; z += 10t;
    }
    assert (0 ≤ y)

Slide 20
UD Reasoning
Same program as Slide 19.
1st iteration: w = 0, z = 0 (with y ≤ 100x)

Slide 21
UD Reasoning
2nd iteration: w = 1, z = 10 (with y ≤ 100x)

Slide 22
UD Reasoning
3rd iteration: w = 2, z = 20 (with y ≤ 100x)
And so on…

Slide 23
But …
Same program as Slide 19. The value ‘1’ in t = 1 doesn’t matter!

Slide 24
But …
The program of Slide 19 with t = 1 abstracted to t = *:
    x = y = z = w = 0;
    while (*) {
      x = *; y = *;
      assume (0 ≤ y ≤ 100x);
      if (y > 10w && z ≥ 100x) {
        y = −y;
      }
      t = *;
      w += t; z += 10t;
    }
    assert (0 ≤ y)

Slide 25
UD Reasoning on the Abstraction
Program of Slide 24 (t = *).
2nd Iteration: w = t, z = 10t; resolve t away: z = 10w
All Iterations: y ≤ 100x
Redundant

Slide 26
Original Example
    x = y = z = w = 0;
    while (*) {
      if (*) { x++; y += 100; }
      else if (*) if (x ≥ 4) { x++; y++; }
      else if (y > 10w && z ≥ 100x) { y = −y; }
      t = 1; w += t; z += 10t;
    }
    assert (!(x ≥ 4 && y ≤ 2))
Source: Automatically Refining Abstract Interpretations, Gulavani, Chakraborty, Nori and Rajamani, TACAS ‘08.
μZ (SMT-Based Model Checker, part of Z3): cannot solve in an hour.
Spacer (our tool): finds a proof in a min.; solves an abstraction (t = *) in < 1 sec.

Slide 27
What’s the magic?
Focused Proofs: abstractions guide the SMT solver to look for certain kinds of proofs and avoid proofs specific to an under-approximation.
How to obtain abstractions? From proofs of under-approximations! (Proof-Based Abstraction)
Hope: what’s sufficient for the under-approximation is sufficient in general.
Downside: if the abstraction is too coarse, need to refine (CEGAR).

Slide 28
Spacer
[Spacer flowchart as on Slide 18]

Slide 29
Schematic Example
Add Counters → Under-approximate → Solve → Loop Invariants
    init_stmt;
    c = 0;
    while (*) {
      // invar_1, invar_2
      // invar_3, invar_4
      assume (c < k1);
      if (*) { v1 = e1; v2 = e2; } else { v3 = e3; v4 = e4; }
      v5 = e5; v6 = e6;
      c += 1;
    }
    assert (safe);

Slide 30
Schematic Example
Under-approximate → Solve → Feasible? → Extract Unbounded Invariants → Strengthen with Invariants
    init_stmt;
    c = 0;
    assume (invar_1, invar_2);
    while (*) {
      // invar_1, invar_2          (Unbounded!)
      // invar_3, invar_4          (Specific to under-approx.)
      assume (c < k1);
      if (*) { v1 = e1; v2 = e2; } else { v3 = e3; v4 = e4; }
      v5 = e5; v6 = e6;
      c += 1;
      assume (invar_1, invar_2);
    }
    assert (safe);
Treat as guessed unbounded invariants. Essentially like Houdini [FL’01].
[FL’01] Houdini, an annotation assistant for ESC/Java, C. Flanagan and K.R.M. Leino, 2001.

Slide 31
Schematic Example
Under-approximate → Solve → Feasible? NO
    init_stmt;
    c = 0;
    assume (invar_1, invar_2);
    while (*) {
      // invar_1, invar_2
      if (*) { v1 = e1; v2 = e2; } else { v3 = e3; v4 = e4; }
      v5 = e5; v6 = e6;
      c += 1;
      assume (invar_1, invar_2);
    }
    assert (safe);
Does not prove the assertion.

Slide 32
Schematic Example
Under-approximate → Solve → Feasible? NO → Abstract
    init_stmt;
    c = 0;
    assume (invar_1, invar_2);
    while (*) {
      // invar_1, invar_2
      // invar_3, invar_4
      assume (c < k1);
      if (*) { v1 = e1; v2 = e2; } else { v3 = e3; v4 = e4; }
      v5 = e5; v6 = e6;
      c += 1;
      assume (invar_1, invar_2);
    }
    assert (safe);
Redundant for the proof.

Slide 33
Schematic Example
Under-approximate → Solve → Feasible? NO → Abstract (Proof-Based Abstraction)
    init_stmt;
    c = 0;
    assume (invar_1, invar_2);
    while (*) {
      // invar_1, invar_2
      // invar_3, invar_4
      assume (c < k1);
      if (*) { v1 = e1; v2 = *; } else { v3 = e3; v4 = *; }
      v5 = e5; v6 = *;
      c += 1;
      assume (invar_1, invar_2);
    }
    assert (safe);

Slide 34
Schematic Example
Under-approximate → Solve → Abstract → Counterexample! → Concretize → Feasible? NO → Refine
    init_stmt;
    c = 0;
    assume (invar_1, invar_2);
    while (*) {
      assume (c < k2);          // k2 > k1
      if (*) { v1 = e1; v2 = *; } else { v3 = e3; v4 = *; }
      v5 = e5; v6 = *;
      c += 1;
      assume (invar_1, invar_2);
    }
    assert (safe);
Concrete control path is infeasible.

Slide 35
Schematic Example
Under-approximate → Solve → Feasible? NO → Refine (CEGAR)
    init_stmt;
    c = 0;
    assume (invar_1, invar_2);
    while (*) {
      assume (c < k2);
      if (*) { v1 = e1; v2 = e2; } else { v3 = e3; v4 = e4; }
      v5 = e5; v6 = *;
      c += 1;
      assume (invar_1, invar_2);
    }
    assert (safe);

Slide 36
Schematic Example
Under-approximate → Solve → Feasible? YES
    init_stmt;
    c = 0;
    assume (invar_1, invar_2);
    while (*) {
      // invar_5
      // invar_6
      assume (c < k2);
      if (*) { v1 = e1; v2 = e2; } else { v3 = e3; v4 = e4; }
      v5 = e5; v6 = *;
      c += 1;
      assume (invar_1, invar_2);
    }
    assert (safe);
Unbounded Invariants.

Slide 37
Spacer
[Spacer flowchart as on Slide 18]

Slide 38
Detailed Example
    x = y = z = w = 0;
    while (*) {
      if
      :: x++; y += 100;
      :: (x ≥ 4) -> x++; y++;
      :: (y > 10w && z ≥ 100x) -> y = −y;
      fi
      w++; z += 10;
    }
    assert (!(x ≥ 4 && y ≤ 2));
The if :: … fi is a non-deterministic choice (e.g. as in Promela). C-like equivalent:
    if (nd ()) { x++; y += 100; }
    else if (nd () && x ≥ 4) { x++; y++; }
    else if (y > 10w && z ≥ 100x) { y = −y; }
    else assume (0);

Slide 39
Detailed Example
Add Counters → Under-approximate → Solve → Loop Invariants
    x = y = z = w = 0; c = 0;
    while (*) {
      // (y > 10w) => (z < 100x), z ≤ 100x,
      // x ≤ 2, c ≤ 0 => x ≤ 0, c ≤ 1 => x ≤ 1
      assume (c < 2);
      if
      :: x++; y += 100;
      :: (x ≥ 4) -> x++; y++;
      :: (y > 10w && z ≥ 100x) -> y = −y;
      fi
      w++; z += 10; c += 1;
    }
    assert (!(x ≥ 4 && y ≤ 2));

Slide 40
Detailed Example
Under-approximate → Solve → Safe
Same program and loop invariants as Slide 39; the invariants form an Inductive Invariant for the under-approximation.

Slide 41
Detailed Example
Under-approximate → Solve → Feasible? → Extract Unbounded Invariants → Strengthen with Invariants
    x = y = z = w = 0; c = 0;
    assume (y > 10w => z < 100x, z ≤ 100x);
    while (*) {
      // (y > 10w) => (z < 100x), z ≤ 100x,      (Preserved!)
      // x ≤ 2,                                  (Specific to under-approx.)
      // c ≤ 0 => x ≤ 0, c ≤ 1 => x ≤ 1          (Depend on counter)
      assume (c < 2);
      if
      :: x++; y += 100;
      :: (x ≥ 4) -> x++; y++;
      :: (y > 10w && z ≥ 100x) -> y = −y;
      fi
      w++; z += 10; c += 1;
      assume (y > 10w => z < 100x, z ≤ 100x);
    }
    assert (!(x ≥ 4 && y ≤ 2));
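As an added illustration (not code from the slides or from the Spacer tool), the Houdini-style step of this slide and the fixed-point iteration of the later "Implementation Details – Unbounded Invariants" slides, in Python: start from the five lemmas found for the bounded (c < 2) under-approximation and keep the largest subset that is inductive for the loop without the counter bound. It assumes a brute-force enumeration of a small box of integer states in place of the SMT solver's SAT/UNSAT queries; the lemma labels and the box ranges are constructed for this example.

```python
from itertools import product

# Candidate lemmas found for the bounded (c < 2) under-approximation on this
# slide, as predicates over the state (x, y, z, w, c).
CANDIDATES = {
    "(y > 10w) => (z < 100x)": lambda x, y, z, w, c: not (y > 10 * w) or z < 100 * x,
    "z <= 100x": lambda x, y, z, w, c: z <= 100 * x,
    "x <= 2": lambda x, y, z, w, c: x <= 2,
    "c <= 0 => x <= 0": lambda x, y, z, w, c: c > 0 or x <= 0,
    "c <= 1 => x <= 1": lambda x, y, z, w, c: c > 1 or x <= 1,
}
INIT = (0, 0, 0, 0, 0)  # x = y = z = w = 0; c = 0


def successors(s):
    """One loop iteration WITHOUT `assume (c < 2)`: the three guarded
    `if :: ...` branches, each followed by w++; z += 10; c += 1."""
    x, y, z, w, c = s
    out = [(x + 1, y + 100, z + 10, w + 1, c + 1)]        # :: x++; y += 100;
    if x >= 4:
        out.append((x + 1, y + 1, z + 10, w + 1, c + 1))  # :: (x >= 4) -> x++; y++;
    if y > 10 * w and z >= 100 * x:
        out.append((x, -y, z + 10, w + 1, c + 1))         # :: (guard) -> y = -y;
    return out


def box():
    """Finite box of integer states used instead of an SMT query (assumption of
    this example: it is large enough to expose the non-inductive candidates)."""
    return product(range(-1, 5), range(-12, 13), range(-10, 11), range(-1, 3), range(-1, 3))


def houdini(candidates, init, states):
    """Greatest inductive subset: drop every lemma that is false at init or not
    preserved by some transition from a state satisfying the current
    conjunction; repeat until nothing more is dropped. Returns (lemmas, rounds)."""
    states = list(states)
    lemmas = {n: p for n, p in candidates.items() if p(*init)}
    rounds = 0
    while True:
        rounds += 1
        failed = set()
        for s in states:
            if all(p(*s) for p in lemmas.values()):  # s lies inside the conjunction
                for t in successors(s):
                    failed.update(n for n, p in lemmas.items() if not p(*t))
        if not failed:
            return set(lemmas), rounds
        for n in failed:
            del lemmas[n]


def extract_unbounded_invariants():
    return houdini(CANDIDATES, INIT, box())
```

The first round drops x ≤ 2 and c ≤ 0 => x ≤ 0, the second drops c ≤ 1 => x ≤ 1 (it was shielded by the dropped lemma), and the third confirms that exactly the two lemmas marked "Preserved!" above survive.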
Slide 42
Detailed Example
Under-approximate → Solve → Feasible? NO
    x = y = z = w = 0; c = 0;
    assume (y > 10w => z < 100x, z ≤ 100x);
    while (*) {
      // (y > 10w) => (z < 100x), z ≤ 100x,
      if
      :: x++; y += 100;
      :: (x ≥ 4) -> x++; y++;
      :: (y > 10w && z ≥ 100x) -> y = −y;
      fi
      w++; z += 10; c += 1;
      assume (y > 10w => z < 100x, z ≤ 100x);
    }
    assert (!(x ≥ 4 && y ≤ 2));
Does not prove the assertion.

Slide 43
Detailed Example
Under-approximate → Solve → Feasible? NO → Abstract
Same program as Slide 41 (with assume (c < 2) and all five loop invariants). Redundant.

Slide 44
Detailed Example
Under-approximate → Solve → Feasible? NO → Abstract
    x = y = z = w = 0; c = 0;
    assume (y > 10w => z < 100x, z ≤ 100x);
    while (*) {
      // (y > 10w) => (z < 100x), z ≤ 100x,
      // x ≤ 2, c ≤ 0 => x ≤ 0, c ≤ 1 => x ≤ 1
      assume (c < 2);
      if
      :: x++; y = *;
      :: (x ≥ 4) -> x++; y = *;
      :: (y > 10w && z ≥ 100x) -> y = *;
      fi
      w = *; z = *; c += 1;
      assume (y > 10w => z < 100x, z ≤ 100x);
    }
    assert (!(x ≥ 4 && y ≤ 2));
Fails. Enlarge error.

Slide 45
Detailed Example
Under-approximate → Solve → Feasible? NO → Abstract
Same abstraction as Slide 44, with the enlarged error condition:
    assert (!(x ≥ 4));

Slide 46
Detailed Example
Under-approximate → Solve → Counterexample! → Concretize → Feasible? NO → Refine
    x = y = z = w = 0; c = 0;
    assume (y > 10w => z < 100x, z ≤ 100x);
    while (*) {
      assume (c < 4);
      if
      :: x++; y = *;
      :: (x ≥ 4) -> x++; y = *;
      :: (y > 10w && z ≥ 100x) -> y = *;
      fi
      w = *; z = *; c += 1;
      assume (y > 10w => z < 100x, z ≤ 100x);
    }
    assert (!(x ≥ 4));
Counterexample: increment x to 4, choose y arbitrarily. The concrete control path is infeasible.

Slide 47
Detailed Example
Under-approximate → Solve → Feasible? NO → Refine
    x = y = z = w = 0; c = 0;
    assume (y > 10w => z < 100x, z ≤ 100x);
    while (*) {
      assume (c < 4);
      if
      :: x++; y += 100;
      :: (x ≥ 4) -> x++; y++;
      :: (y > 10w && z ≥ 100x) -> y = −y;
      fi
      w = *; z = *; c += 1;
      assume (y > 10w => z < 100x, z ≤ 100x);
    }
    assert (!(x ≥ 4 && y ≤ 2));

Slide 48
Detailed Example
Under-approximate → Solve → Feasible? YES → Safe
    x = y = z = w = 0; c = 0;
    assume (y > 10w => z < 100x, z ≤ 100x);
    while (*) {
      // (y > 10w) => (z < 100x), z ≤ 100x
      // y > 0, (x > 0) => (y ≥ 100)
      assume (c < 4);
      if
      :: x++; y += 100;
      :: (x ≥ 4) -> x++; y++;
      :: (y > 10w && z ≥ 100x) -> y = −y;
      fi
      w = *; z = *; c += 1;
      assume (y > 10w => z < 100x, z ≤ 100x);
    }
    assert (!(x ≥ 4 && y ≤ 2));
Inductive Invariant, Unbounded.

Slide 49
Implementation Details – Unbounded Invariants
Pre-Lemmas, Post-Lemmas, Concrete, Counters.
Goal: Find maximal such that [formula not recoverable from the extracted slide]

Slide 50
Implementation Details – Unbounded Invariants
SAT? → UNSAT / SAT with true. Repeat until fixed point.

Slide 51
Implementation Details – Unbounded Invariants
Introduce assumption variables. Fixed point iteration: maximal subset of true post-lemmas; minimal number of bi’s to be set to false.

Slide 52
Implementation Details – Unbounded Invariants
Iteration 1: ✔ ✗ (disabled)
Iteration 2: ✗ (disabled)

Slide 53
Implementation Details – Abstraction
Introduce assumption variables.

Slide 54
Implementation Details – Abstraction
Are all lemmas necessary?

Slide 55
Implementation Details – Abstraction
Introduce assumption variables for lemmas.

Slide 56
Spacer Tool
[Spacer flowchart as on Slide 18]

Slide 57
Spacer Tool
[Spacer flowchart as on Slide 18] Check Safety is done by μZ, the Horn-Clause Solver (part of Z3).

Slide 58
Spacer Tool
[Spacer flowchart as on Slide 18] Horn-Clause Encoding feeds μZ, the Horn-Clause Solver (part of Z3).

Slide 59
Spacer Tool
C Program → Preprocessing (UFO Frontend, based on LLVM: Simplification, Large Block Encoding, etc.) → Horn Clause Encoding (implemented using the UFO Frontend)

Slide 60
Results on SV-COMP’13 Benchmarks
[Chart] Abstraction did not help for UNSAFE. Also, not a challenging pool of benchmarks.

Slide 61
Results on SV-COMP’13 Benchmarks
[Chart]

Slide 62
Results on SV-COMP’13 Benchmarks
[Chart] ~1 min.: not very meaningful to compare.

Slide 63
Results on SV-COMP’13 Benchmarks
[Chart] < 5 min.: mixed results.

Slide 64
Results on SV-COMP’13 Benchmarks
[Chart] Advantage!

Slide 65
Results on SV-COMP’13 Benchmarks
[Chart] Advantage! Time-out, Mem-out.

Slide 66
Conclusion
Focused Proofs: abstractions guide the SMT solver to look for certain kinds of proofs and avoid proofs specific to an under-approximation.
How to obtain abstractions? From proofs of under-approximations! (Proof-Based Abstraction)
Hope: what’s sufficient for the under-approximation is sufficient in general.
Downside: if the abstraction is too coarse, need to refine (CEGAR).
Contributions:
  A framework for automated abstraction in SMT-based Software Model Checking
  Implementation using an existing SMT-based model checker, with practical advantage

Slide 67
Conclusion (contd…)
Why does PBA work?
  Post-pruning of proofs during abstraction (local vs. global proofs)
  Non-monotonic abstractions
  Major role of invariants (exploit the generality of proofs of under-approximations)
Visit spacer.bitbucket.org to download the tool and detailed slides!

Slide 68
On-going and Future Work
Observation: fixed granularity of abstraction, at the program level. Observation: restricted space of abstractions. Questions: when and how to abstract or refine?
Observation: proofs are too dependent on the counter constraints (i.e. on the under-approximation). Question: how to use counters only when needed? In general, how to minimize the use of a given set of assumptions?
Observation: abstraction is done offline, after obtaining a proof of an under-approximation. Question: how does an on-the-fly abstraction work? When each transition is treated as a recursion-free procedure, it is similar to summarizing procedures on-the-fly. Also, how to handle recursion?

Slide 69
Read our CAV’13 paper for details…
Questions?

Slide 70
Extra Slides

Slide 71
SMT-Based Model Checking
[Diagram: CFG from init to error; Loop-Free Unrolling] Discharge the Verification Condition on an SMT solver.
Possibility 1: UNSAFE
Possibility 2: SAFE, via Path Interpolants (McMillan ‘06)

Slide 72
SMT-Based Model Checking
[Diagram: CFG from init to error; Further Unrolling] Discharge the Verification Condition on an SMT solver. Continue until convergence.
Possibility 1: UNSAFE
Possibility 2: SAFE, via DAG Interpolants [AGC’12]
[AGC’12] From Under-approximations to Over-approximations and Back, Albarghouthi, Gurfinkel and Chechik, TACAS ‘12.