© Anvesh Komuravelli Spacer Model Checking with Proofs and Counterexamples Anvesh Komuravelli Carnegie Mellon University Joint work with Arie Gurfinkel,

Slides:

Advertisements

Similar presentations

The behavior of SAT solvers in model checking applications K. L. McMillan Cadence Berkeley Labs.

Advertisements

Exploiting SAT solvers in unbounded model checking

A practical and complete approach to predicate abstraction Ranjit Jhala UCSD Ken McMillan Cadence Berkeley Labs.

Exploiting SAT solvers in unbounded model checking K. L. McMillan Cadence Berkeley Labs.

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Software Model Checking with SMT Ken McMillan Microsoft Research TexPoint fonts used in EMF: A A A A A.

Introduction to Formal Methods for SW and HW Development 09: SAT Based Abstraction/Refinement in Model-Checking Roberto Sebastiani Based on work and slides.

SAT Based Abstraction/Refinement in Model-Checking Based on work by E. Clarke, A. Gupta, J. Kukula, O. Strichman (CAV’02)

A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.

Verification of Evolving Software Natasha Sharygina Joint work with Sagar Chaki and Nishant Sinha Carnegie Mellon University.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Software Engineering & Automated Deduction Willem Visser Stellenbosch University With Nikolaj Bjorner (Microsoft Research, Redmond) Natarajan Shankar (SRI.

1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.

© Anvesh Komuravelli Spacer Automatic Abstraction in SMT-Based Unbounded Software Model Checking Anvesh Komuravelli Carnegie Mellon University Joint work.

© Anvesh Komuravelli Quantified Invariants in Rich Domains using Model Checking and Abstract Interpretation Anvesh Komuravelli, CMU Joint work with Ken.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.

Efficient Reachability Analysis for Verification of Asynchronous Systems Nishant Sinha.

Towards More Efficient SAT-Based Model Checking Joao Marques-Silva Electronics & Computer Science University of Southampton LAA C&V Workshop, Isaac Newton.

© Anvesh Komuravelli IC3/PDR Overview of IC3/PDR Anvesh Komuravelli Carnegie Mellon University.

SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:

Revisiting Generalizations Ken McMillan Microsoft Research Aws Albarghouthi University of Toronto.

Probabilistic CEGAR* Björn Wachter Joint work with Holger Hermanns, Lijun Zhang TexPoint fonts used in EMF. Read the TexPoint manual before you delete.

Termination Proofs for Systems Code Andrey Rybalchenko, EPFL/MPI joint work with Byron Cook, MSR and Andreas Podelski, MPI PLDI’2006, Ottawa.

Using Statically Computed Invariants Inside the Predicate Abstraction and Refinement Loop Himanshu Jain Franjo Ivančić Aarti Gupta Ilya Shlyakhter Chao.

1 Model Checking, Abstraction- Refinement, and Their Implementation Based on slides by: Orna Grumberg Presented by: Yael Meller June 2008.

Interpolants [Craig 1957] G(y,z) F(x,y)

Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar [UC Berkeley] Shaz Qadeer [Microsoft Research]

1 Predicate Abstraction of ANSI-C Programs using SAT Edmund Clarke Daniel Kroening Natalia Sharygina Karen Yorav (modified by Zaher Andraus for presentation.

SAT-Based Decision Procedures for Subsets of First-Order Logic

Predicate Abstraction for Software and Hardware Verification Himanshu Jain Model checking seminar April 22, 2005.

Computing OverApproximations with Bounded Model Checking Daniel Kroening ETH Zürich.

1 Abstraction Refinement for Bounded Model Checking Anubhav Gupta, CMU Ofer Strichman, Technion Highly Jet Lagged.

Word Level Predicate Abstraction and Refinement for Verifying RTL Verilog Himanshu Jain Daniel Kroening Natasha Sharygina Edmund Clarke Carnegie Mellon.

Automated Extraction of Inductive Invariants to Aid Model Checking Mike Case DES/CHESS Seminar EECS Department, UC Berkeley April 10, 2007.

Formal Verification of SpecC Programs using Predicate Abstraction Himanshu Jain Daniel Kroening Edmund Clarke Carnegie Mellon University.

272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 4: SMT-based Bounded Model Checking of Concurrent Software.

Thread-modular Abstraction Refinement Thomas A. Henzinger, et al. CAV 2003 Seonggun Kim KAIST CS750b.

7/13/2003BMC A SAT-Based Approach to Abstraction Refinement in Model Checking Bing Li, Chao Wang and Fabio Somenzi University of Colorado at Boulder.

By: Pashootan Vaezipoor Path Invariant Simon Fraser University – Spring 09.

1 Automatic Refinement and Vacuity Detection for Symbolic Trajectory Evaluation Orna Grumberg Technion Haifa, Israel Joint work with Rachel Tzoref.

272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 3: Modular Verification with Magic, Predicate Abstraction.

Inferring Specifications to Detect Errors in Code Mana Taghdiri Presented by: Robert Seater MIT Computer Science & AI Lab.

Predicate Abstraction of ANSI-C Programs Using SAT By Edmund Clarke, Daniel Kroening, Natalia Sharygina, Karen Yorav Presented by Yunho Kim Provable Software.

© 2014 Carnegie Mellon University Synthesizing Safe Bit-Precise Invariants Arie Gurfinkel (SEI / CMU) Anton Belov (UCD / Synopsys) Joao Marques-Silva (UCD)

A Framework on Synchronization Verification in System-Level Design Thanyapat Sakunkonchak Satoshi Komatsu Masahiro Fujita Fujita Laboratory University.

Symbolic Execution with Abstract Subsumption Checking Saswat Anand College of Computing, Georgia Institute of Technology Corina Păsăreanu QSS, NASA Ames.

Proving Non-Termination Gupta, Henzinger, Majumdar, Rybalchenko, Ru-Gang Xu presentation by erkan.

Learning Symbolic Interfaces of Software Components Zvonimir Rakamarić.

Author: Alex Groce, Daniel Kroening, and Flavio Lerda Computer Science Department, Carnegie Mellon University Pittsburgh, PA Source: R. Alur and.

Localization and Register Sharing for Predicate Abstraction Himanshu Jain Franjo Ivančić Aarti Gupta Malay Ganai.

Symbolic and Concolic Execution of Programs Information Security, CS 526 Omar Chowdhury 10/7/2015Information Security, CS 5261.

Reachability for Linear Hybrid Automata Using Iterative Relaxation Abstraction Sumit K. Jha, Bruce H. Krogh, James E. Weimer, Edmund M. Clarke Carnegie.

SAT-Based Model Checking Without Unrolling Aaron R. Bradley.

CS357 Lecture 13: Symbolic model checking without BDDs Alex Aiken David Dill 1.

© Anvesh Komuravelli Spacer Compositional Verification of Procedural Programs using Horn Clauses over Integers and Arrays Anvesh Komuravelli work done.

CHARME’03 Predicate abstraction with Minimum Predicates Sagar Chaki*, Ed Clarke*, Alex Groce*, Ofer Strichman** * Carnegie Mellon University ** Technion.

Compositional Verification for System-on-Chip Designs SRC Student Symposium Paper 16.5 Nishant Sinha Edmund Clarke Carnegie Mellon University.

Verifying Component Substitutability Nishant Sinha Sagar Chaki Edmund Clarke Natasha Sharygina Carnegie Mellon University.

1 Computing Abstractions by integrating BDDs and SMT Solvers Alessandro Cimatti Fondazione Bruno Kessler, Trento, Italy Joint work with R. Cavada, A. Franzen,

The software model checker BLAST Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar Presented by Yunho Kim TexPoint fonts used in EMF. Read.

Presentation Title 2/4/2018 Software Verification using Predicate Abstraction and Iterative Refinement: Part Bug Catching: Automated Program Verification.

SS 2017 Software Verification Bounded Model Checking, Outlook

SMT-Based Verification of Parameterized Systems

Solving Linear Arithmetic with SAT-based MC

Enhancing PDR/IC3 with Localization Abstraction

Property Directed Reachability with Word-Level Abstraction

Over-Approximating Boolean Programs with Unbounded Thread Creation

Automated Extraction of Inductive Invariants to Aid Model Checking

Predicate Abstraction

SAT Based Abstraction/Refinement in Model-Checking

Presentation transcript:

© Anvesh Komuravelli Spacer Model Checking with Proofs and Counterexamples Anvesh Komuravelli Carnegie Mellon University Joint work with Arie Gurfinkel, Sagar Chaki, and Edmund Clarke

© Anvesh Komuravelli Spacer Safety of Programs Program P + Safety Assertions Program P + Safety Assertions Automatic verification for assertion failures Automatic verification for assertion failures Safe + Proof Unsafe + Counterexample 2 0. x := 0; 1.while (x < n) { 1. x := x + 1; } 3. x := -x; 4. assert (x ≤ 0) // x ≥ 0 Loop Invariant

© Anvesh Komuravelli Spacer Safety of Programs Program P + Safety Assertions Program P + Safety Assertions Automatic verification for assertion failures Automatic verification for assertion failures Safe + Proof Unsafe + Counterexample 3 While-programs (unbounded variables, no procedure calls, no memory operations) While-programs (unbounded variables, no procedure calls, no memory operations) 0. x := 0; 1.while (x < n) { 2. x := x + 1; } 3. x := -x; 4. assert (x ≤ -1) Counterexample Trace: pc=0. x=0, n=0 pc=1. else branch pc=3. x=0 pc=4. error Counterexample Trace: pc=0. x=0, n=0 pc=1. else branch pc=3. x=0 pc=4. error

© Anvesh Komuravelli Spacer Algorithms for Safety 4 1.Safety is undecidable! Reduction from Halting Problem to safety of a 2-counter machine 2.Existing algorithms use heuristics for verifying many programs in practice 3.Two broad classes of model checking algorithms: A.Generalize feasible and safe behaviors (Proof-Based) B.Eliminate infeasible and unsafe behaviors (Counterexample-based) 1.Safety is undecidable! Reduction from Halting Problem to safety of a 2-counter machine 2.Existing algorithms use heuristics for verifying many programs in practice 3.Two broad classes of model checking algorithms: A.Generalize feasible and safe behaviors (Proof-Based) B.Eliminate infeasible and unsafe behaviors (Counterexample-based) This talk: Improve (A) based on ideas from (B)

© Anvesh Komuravelli Spacer 5 Background on Proof-Based algorithms

© Anvesh Komuravelli Spacer should never hold Transition System Programs as Transition Systems 6 Variables Init conditionTransition relation Error condition 0. x := 0; 1. while (x < n) { 2. x := x + 1; } 3. x := -x; 4. assert (x ≤ 0) encodes how data and control change after every instruction encodes how data and control change after every instruction “ “

© Anvesh Komuravelli Spacer SAT-Based Model Checking 7 Counterexample of length 0? Counterexample of length 1? SAT? … Bounded Model Checking, Clarke et al., TACAS 1999 Transition System 1.Boolean SAT is NP-complete, but we have efficient solvers today 2.SAT modulo theories (SMT) for handling arithmetic, etc. 3.Eg: is unsatisfiable for integers x, y 1.Boolean SAT is NP-complete, but we have efficient solvers today 2.SAT modulo theories (SMT) for handling arithmetic, etc. 3.Eg: is unsatisfiable for integers x, y

© Anvesh Komuravelli Spacer SAT-Based Model Checking 8 … Bounded Model Checking, Clarke et al., TACAS 1999 Transition System No upper bound on the length of a counterexample! Even for finite-state systems, the upper bound can be huge! No upper bound on the length of a counterexample! Even for finite-state systems, the upper bound can be huge! When do we stop? Are initial states safe? Are 1 step-reachable states safe? Keep track of the reachable states! Keep track of the reachable states! Counterexample of length 0? Counterexample of length 1? SAT?

© Anvesh Komuravelli Spacer … Keep Track of the Reachable States 9 err(x) reach(P) Initial States States reachable in ≤1 steps States reachable in ≤2 steps Usually Hopeless!

© Anvesh Komuravelli Spacer Reachable states can be diverging! x := 0; 1. while (x < n) { 2. x := x + 1; } 3. x := -x; 4. assert (x ≤ 0) … reachable states at ( pc =1) n is a symbolic input (diverging) converged!

© Anvesh Komuravelli Spacer err(x) Generalize (Heuristics using Craig Interpolation [1,2] ) Generalize the reachable states! 11 [1] McMillan, Interpolation and SAT-Based Model Checking, CAV 2003 [2] McMillan, Lazy Abstraction with Interpolants, CAV 2006 …

© Anvesh Komuravelli Spacer err(x) Generalize the reachable states! 12 … reach(P)

© Anvesh Komuravelli Spacer Proofs and Invariants x := 0; 1. while (x < n) { 2. x := x + 1; } 3. x := -x; 4. assert (x ≤ 0) … reachable states at ( pc =1) (diverging) x ≥ 0 is a loop invariant! x ≥ 0 is a loop invariant! The actual set of reachable states is stronger: 0 ≤ x ≤ n The actual set of reachable states is stronger: 0 ≤ x ≤ n Proof of Safety Proof of “Bounded” Safety Proof of “Bounded” Safety

© Anvesh Komuravelli Spacer Many heuristics for generalizations! 14 err(x) No unique generalization! Today’s best algorithms for hardware verification are SAT-based Several competitive algorithms exist for software No unique generalization! Today’s best algorithms for hardware verification are SAT-based Several competitive algorithms exist for software One possible generalization Another possible generalization

© Anvesh Komuravelli Spacer 15 The Problem Generalizations are not always sufficient

© Anvesh Komuravelli Spacer Generalizations can suffer from local view x = y = z = w = 0; while (*) { // loop invariant: // (x ≥ 4 => y ≥ 100) && (z ≤ 10w) if (*) {x++; y += 100;} else if (*) if (x ≥ 4) {x++; y++;} else if (y > 10w && z ≥ 100x) { y = −y; } t = 1; w += t; z += 10t; } assert (!(x ≥ 4 && y ≤ 2)) State-of-the-art Tool Z3 cannot verify in an hour Source: Automatically Refining Abstract Interpretations, Gulavani, Chakraborty, Nori and Rajamani, TACAS ‘ Proofs of Bounded Safety never connect z and w Proofs of Bounded Safety never connect z and w

© Anvesh Komuravelli Spacer Abstractions for better generalizations! x = y = z = w = 0; while (*) { // loop invariant: // (x ≥ 4 => y ≥ 100) && (z ≤ 10w) if (*) {x++; y += 100;} else if (*) if (x ≥ 4) {x++; y++;} else if (y > 10w && z ≥ 100x) { y = −y; } t = 1; w += t; z += 10t; } assert (!(x ≥ 4 && y ≤ 2)) State-of-the-art Tool Z3 cannot verify in an hour Source: Automatically Refining Abstract Interpretations, Gulavani, Chakraborty, Nori and Rajamani, TACAS ‘ Verifies the abstraction in < 1 sec. t = *; Abstractions only add behaviors

© Anvesh Komuravelli Spacer How to obtain helpful abstractions automatically? 18 1.An abstraction of the program can dramatically improve generalizations! 2.How to obtain helpful abstractions? 3.How to efficiently and automatically maintain abstractions? 1.An abstraction of the program can dramatically improve generalizations! 2.How to obtain helpful abstractions? 3.How to efficiently and automatically maintain abstractions?

© Anvesh Komuravelli Spacer Spurious counterexample CounterExample- Guided Abstraction Refinement (CEGAR) [1] CounterExample- Guided Abstraction Refinement (CEGAR) [1] err(x) [1] Clarke et al., Counterexample-Guided Abstraction Refinement, CAV reach(P) Abstractions are great, but not always! 19 Reachable states of an abstraction The second class of algorithms

© Anvesh Komuravelli Spacer 20 Our algorithm Spacer

© Anvesh Komuravelli Spacer Spacer (Software Proof-based Abstraction with CounterExample-based Refinement) Program Fix a Bound Check Safety Feasible? Invariants? Abstract Refine Proof-Based Abstraction CEGAR No Yes Safety ProofCounterexample 21

© Anvesh Komuravelli Spacer Program Fix a Bound Check Safety Feasible? Invariants? Abstract Refine Proof-Based Abstraction CEGAR No Yes Safety ProofCounterexample Spacer (Software Proof-based Abstraction with CounterExample-based Refinement) 22 Proofs from Abstractions

© Anvesh Komuravelli Spacer Spacer (Software Proof-based Abstraction with CounterExample-based Refinement) Program Fix a Bound Check Safety Feasible? Invariants? Abstract Refine Proof-Based Abstraction CEGAR No Yes Safety ProofCounterexample 23 Refinement using Spurious Counterexamples

© Anvesh Komuravelli Spacer Program Fix a Bound Check Safety Feasible? Invariants? Abstract Refine Proof-Based Abstraction CEGAR No Yes Safety ProofCounterexample Spacer (Software Proof-based Abstraction with CounterExample-based Refinement) 24 Proof-Based Abstraction

© Anvesh Komuravelli Spacer Spacer (Software Proof-based Abstraction with CounterExample-based Refinement) Program Fix a Bound Check Safety Feasible? Invariants? Abstract Refine Proof-Based Abstraction CEGAR No Yes Safety ProofCounterexample 25

© Anvesh Komuravelli Spacer Initial States of P Initial States of P Generalization/Proof err(x) reach(P) reach(A 1 ) Spacer at a high level 26 Initial States of A 1 Initial States of A 1 Abstraction Proof-Based Abstraction

© Anvesh Komuravelli Spacer err(x) reach(P) reach(A 1 ) Reachable states of A 1 in ≤1 steps Spurious counterexample Spacer at a high level 27

© Anvesh Komuravelli Spacer err(x) reach(P) reach(A 2 ) Spacer at a high level Reachable states of A 2 in ≤1 steps Refine A 1 to A 2 eliminating the spurious counterexample 28 Generalization/ Proof Reachable states of P in ≤1 steps

© Anvesh Komuravelli Spacer err(x) reach(P) reach(A 3 ) Spacer at a high level Reachable states of A 3 in ≤1 steps 29 Reachable states of P in ≤1 steps Fresh abstraction, to avoid bias Fresh abstraction, to avoid bias Proof-Based Abstraction

© Anvesh Komuravelli Spacer Key Ideas of Spacer 30 1.Abstractions help obtain (hopefully) more general proofs 2.First integration of Proof-Based Abstraction with SAT/SMT-Based Model Checking 3.Orthogonal to heuristics for Interpolation/Generalization 1.Abstractions help obtain (hopefully) more general proofs 2.First integration of Proof-Based Abstraction with SAT/SMT-Based Model Checking 3.Orthogonal to heuristics for Interpolation/Generalization Implementation and Experimental Evidence on C Programs

© Anvesh Komuravelli Spacer Abstractions add a new dimension 31 … … … … SAT-Based Model Checking AbstractAbstract

© Anvesh Komuravelli Spacer SAT-Based Model Checking with Abstractions 32 … … … … Under-approximations AbstractAbstract need not be monotonic

© Anvesh Komuravelli Spacer SAT-Based Model Checking with Abstractions 33 … … … … Under-approximations AbstractAbstract non-trivial abstraction

© Anvesh Komuravelli Spacer Spacer (Software Proof-based Abstraction with CounterExample-based Refinement) Program Fix a Bound Check Safety Feasible? Invariants? Abstract Refine Proof-Based Abstraction CEGAR No Yes Safety ProofCounterexample 34

© Anvesh Komuravelli Spacer 35 Spacer on Example

© Anvesh Komuravelli Spacer Spacer on Example x = y = z = w = 0; c = 0; while (*) { // (y > 10w) => (z < 100x), z ≤ 100x, // x ≤ 2, c ≤ 0 => x ≤ 0, c ≤ 1 => x ≤ 1 assume (c < 2); if (*) {x++; y += 100;} else if (* && x ≥ 4) {x++; y++;} else if (y > 10w && z ≥ 100x) {y = −y;} else assume (false); w++; z += 10; c += 1; } assert (!(x ≥ 4 && y ≤ 2)); Add Counters Bound Solve  Loop Invariants 36

© Anvesh Komuravelli Spacer Spacer on Example x = y = z = w = 0; c = 0; while (*) { // (y > 10w) => (z < 100x), z ≤ 100x, // x ≤ 2, c ≤ 0 => x ≤ 0, c ≤ 1 => x ≤ 1 assume (c < 2); if (*) {x++; y += 100;} else if (* && x ≥ 4) {x++; y++;} else if (y > 10w && z ≥ 100x) {y = −y;} else assume (false); w++; z += 10; c += 1; } assert (!(x ≥ 4 && y ≤ 2)); BoundSolve  Unbounded?  Preserved! Specific to under-approx. Depend on counter Extract Unbounded Invariants 37 Treat as conjectured unbounded invariants. (as in Houdini [1] ). Treat as conjectured unbounded invariants. (as in Houdini [1] ). [1] Houdini, an annotation assistant for ESC/Java, C. Flanagan and K.R.M. Leino, 2001

© Anvesh Komuravelli Spacer Spacer on Example x = y = z = w = 0; c = 0; while (*) { // (y > 10w) => (z < 100x), z ≤ 100x, // x ≤ 2, c ≤ 0 => x ≤ 0, c ≤ 1 => x ≤ 1 if (*) {x++; y += 100;} else if (* && x ≥ 4) {x++; y++;} else if (y > 10w && z ≥ 100x) {y = −y;} else assume (false); w++; z += 10; c += 1; } assert (!(x ≥ 4 && y ≤ 2)); Bound Solve  Unbounded?  NO Invariants are too weak! Invariants are too weak! 38 Abstract  ✖

© Anvesh Komuravelli Spacer Spacer on Example x = y = z = w = 0; c = 0; assume (y > 10w => z < 100x, z ≤ 100x); while (*) { // (y > 10w) => (z < 100x), z ≤ 100x, // x ≤ 2, c ≤ 0 => x ≤ 0, c ≤ 1 => x ≤ 1 assume (c < 2); if (*) {x++; y += 100;} else if (* && x ≥ 4) {x++; y++;} else if (y > 10w && z ≥ 100x) {y = −y;} else assume (false); w++; z += 10; c += 1; assume (y > 10w => z < 100x, z ≤ 100x); } assert (!(x ≥ 4 && y ≤ 2)); Abstract Redundant 39 Bound Solve  Unbounded?  NO  Strengthen with Invariants

© Anvesh Komuravelli Spacer Spacer on Example x = y = z = w = 0; c = 0; assume (y > 10w => z < 100x, z ≤ 100x); while (*) { // (y > 10w) => (z < 100x), z ≤ 100x, // x ≤ 2, c ≤ 0 => x ≤ 0, c ≤ 1 => x ≤ 1 assume (c < 2); if (*) {x++; y = *;} else if (* && x ≥ 4) {x++; y = *;} else if (y > 10w && z ≥ 100x) {y = *;} else assume (false); w = *; z = *; c += 1; assume (y > 10w => z < 100x, z ≤ 100x); } assert (!(x ≥ 4 && y ≤ 2)); 40 BoundAbstract Solve  Unbounded?  NO  Proof-Based Abstraction

© Anvesh Komuravelli Spacer Spacer on Example x = y = z = w = 0; c = 0; assume (y > 10w => z < 100x, z ≤ 100x); while (*) { assume (c < 4); if (*) {x++; y = *;} else if (* && x ≥ 4) {x++; y = *;} else if (y > 10w && z ≥ 100x) {y = *;} else assume (false); w = *; z = *; c += 1; assume (y > 10w => z < 100x, z ≤ 100x); } assert (!(x ≥ 4 && y ≤ 2)); Bound Solve  Counterexample! Increment x to 4 Choose y arbitrarily Feasible?  Concrete control path is infeasible NORefine  Concretize 41

© Anvesh Komuravelli Spacer Spacer on Example x = y = z = w = 0; c = 0; assume (y > 10w => z < 100x, z ≤ 100x); while (*) { assume (c < 4); if (*) {x++; y += 100;} else if (* && x ≥ 4) {x++; y++;} else if (y > 10w && z ≥ 100x) {y = −y;} else assume (false); w = *; z = *; c += 1; assume (y > 10w => z < 100x, z ≤ 100x); } assert (!(x ≥ 4 && y ≤ 2)); BoundSolve  Feasible?  NORefine  42 CEGAR

© Anvesh Komuravelli Spacer Spacer on Example x = y = z = w = 0; c = 0; assume (y > 10w => z < 100x, z ≤ 100x); while (*) { // (y > 10w) => (z < 100x), z ≤ 100x // y > 0, (x > 0) => (y ≥ 100) assume (c < 4); if (*) {x++; y += 100;} else if (* && x ≥ 4) {x++; y++;} else if (y > 10w && z ≥ 100x) {y = −y;} else assume (false); w = *; z = *; c += 1; assume (y > 10w => z < 100x, z ≤ 100x); } assert (!(x ≥ 4 && y ≤ 2)); Bound Solve  Unbounded?  YES Invariants 43

© Anvesh Komuravelli Spacer 44 Implementation Details

© Anvesh Komuravelli Spacer Three Key Components 45 1.Extracting Unbounded Invariants 2.Proof-Based Abstraction 3.Counterexample Analysis and Refinement 1.Extracting Unbounded Invariants 2.Proof-Based Abstraction 3.Counterexample Analysis and Refinement How can we efficiently use today’s SAT/SMT solvers? Focus

© Anvesh Komuravelli Spacer An invariant for the transition system is a formula that holds for the initial states and after every transition An invariant for the transition system is a formula that holds for the initial states and after every transition Extracting Unbounded Invariants 46 φ is an invariant iff Given: A set L of conjectures for invariants, each including “initial states”. Goal: A maximal I L s.t. Given: A set L of conjectures for invariants, each including “initial states”. Goal: A maximal I L s.t. (initial) (transition)

© Anvesh Komuravelli Spacer SAT? Re-start from scratch! Extracting Unbounded Invariants 47 unsatsat, making true … until fixed point Given: A set L of conjectures for invariants, each including “initial states”. Goal: A maximal I L s.t. Given: A set L of conjectures for invariants, each including “initial states”. Goal: A maximal I L s.t.

© Anvesh Komuravelli Spacer Given: A set L of conjectures for invariants, each including “initial states”. Goal: A maximal I L s.t. Given: A set L of conjectures for invariants, each including “initial states”. Goal: A maximal I L s.t. Introduce assumption variables Extracting Unbounded Invariants 48 unsatsat, making true …

© Anvesh Komuravelli Spacer Proof of Bounded Safety Proof of Bounded Safety Not all of is necessary! Proof-Based Abstraction 49 A proof of “bounded” safety for is a formula that holds of the initial states and after every transition up to the given bound, and excludes error states. A proof of “bounded” safety for is a formula that holds of the initial states and after every transition up to the given bound, and excludes error states. (initial) (transition) (safety)

© Anvesh Komuravelli Spacer unsat Proof-Based Abstraction 50 unsat UNSAT core Iteratively minimize

© Anvesh Komuravelli Spacer What have we seen so far? 51 1.Generalizing reachable states can be hard! 2.Abstractions can really help! 3.Algorithm Spacer that combines abstraction refinement with SAT-based model checking 4.How Spacer can be efficiently automated 1.Generalizing reachable states can be hard! 2.Abstractions can really help! 3.Algorithm Spacer that combines abstraction refinement with SAT-based model checking 4.How Spacer can be efficiently automated

© Anvesh Komuravelli Spacer 52 Tool and Experimental Evaluation

© Anvesh Komuravelli Spacer Spacer Tool 53 C Program (Horn-SMT) Logical Encoding Spacer Backend (using Z3’s framework) Existing Front-end based on LLVM Proof-Based Abstraction, CEGAR, etc. Theories handled: Linear Arithmetic (Rationals and Integers), Bitvectors Theories handled: Linear Arithmetic (Rationals and Integers), Bitvectors

© Anvesh Komuravelli Spacer Spacer Tool Program Under- Approximate Check Safety Feasible? Abstract Refine Proof-Based Abstraction CEGAR No Yes Safety ProofCounterexample 54 SMT-Based Model Checker in Z3 SMT-Based Model Checker in Z3

© Anvesh Komuravelli Spacer The hard example mentioned in the beginning x = y = z = w = 0; while (*) { if (*) {x++; y += 100;} else if (*) if (x ≥ 4) {x++; y++;} else if (y > 10w && z ≥ 100x) { y = −y; } t = 1; w += t; z += 10t; } assert (!(x ≥ 4 && y ≤ 2)) State-of-the-art Tool Z3 cannot verify in an hour Source: Automatically Refining Abstract Interpretations, Gulavani, Chakraborty, Nori and Rajamani, TACAS ‘ Spacer automatically verifies in under a minute! Spacer automatically verifies in under a minute!

© Anvesh Komuravelli Spacer Results on SV-COMP’13 Benchmarks 56 Advantage! Time-out Mem-out

© Anvesh Komuravelli Spacer 57 Summary

© Anvesh Komuravelli Spacer Conclusion Focused Proofs: Abstractions guide Interpolation towards certain generalizations Combine Proof-Based Abstraction and Counterexample-Guided Refinement General framework independent of the underlying model checker Works in practice! Focused Proofs: Abstractions guide Interpolation towards certain generalizations Combine Proof-Based Abstraction and Counterexample-Guided Refinement General framework independent of the underlying model checker Works in practice! Future Directions Verification in presence of assumptions Different kinds of bounding/abstraction Synthesizing ghost code to help verification Verification in presence of assumptions Different kinds of bounding/abstraction Synthesizing ghost code to help verification

© Anvesh Komuravelli Spacer Questions? 59 For more details, read our CAV’13 paper!

© Anvesh Komuravelli Spacer Concrete: Abstract: Counterexample Analysis and Refinement 60 An “abstract counterexample” is a finite length path consistent with error states SAT SAT ? Feasibility Check