Abstraction, Verification & Refinement Samik Basu Dept. of Computer Science, ISU

What is Model Checking Model Checking (Design level) Generate a model describing the behavior (M) Essentially a graph Identify the desired properties () Automatically verify (M ² ) Graph-traversal

Model Checking Source Code Why? Difficult: Programs are more complex Variables, conditionals, recursion

Acknowledgement Abstraction-based techniques Blast (Berkeley), Slam (MS), CEGAR (CMU), FocusCheck (SBU, ISU)

Safety Property Bad things never happen Typical “Bad” things: valuations of variables

Question? Is there a path in the program that leads to satisfaction of Bad? Counter-Example

Example Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4: } while(new != old); 5: unlock (); return; lock unlock

What is a Program-Graph? State Transition pc lock old new q  3   5  0x133a 3: unlock(); new++; 4:} … pc lock old new q  4   5  6  0x133a Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4: } while(new != old); 5: unlock (); return;}

What is infinite about programs? Program state Control Location: finite Variable value: infinite Question: Prove that for all possible values of variables, the program behaves correctly

Abstraction Over-approximation M’ ²  ) M ²  where  = Bad Remove details and partition states Graph over partitions: finite and manageable M’ M’ contains all behavior of M and more M’ ²  ) M ²  where  = Bad

Data Abstraction x:int y:int Even Odd …, -2, 0, 2, 4, … …, -3, -1, 1, 3, … Pos Neg Zero …, -3, -2, -1 y:int 1, 2, 3, …

Abstract Program Code Abstract Data domain int x = 0; if (x == 0) x = x + 1; (n<0) : NEG (n==0): ZERO (n>0) : POS Signs NEG POS ZERO Signs x = ZERO; if (x == ZERO) x = x + POS; we transform the code so that to operate on the abs domain and it looks like this; here the concrete type int was replaced by abs type signs, concrete constants 0 and 1 were replaced with abs ct 0 and pos; and primitive ops on ints were replaced with calls to some methods that implement the abs.ops.that manipulate abstract values. Ex : equality operator was replaced with a call to method signs.eq and + was replace by signs.add . So, how do we apply this abstraction technique to the DEOS example ? We have to decide which variables to abstract, what abstrations to use and then we have to effectively transform the system to encode the abstractions. Abstract the data domain = Abstract the Program behavior

Abstraction leads to Over-approximation h I M’

Abstraction leads to Over-approximation M’ > M, M’ ²  implies M ²  No False Positives Problem: Spurious Counter-Examples M h I M’

Predicate Abstraction Look at characteristic of data NOT its exact valuation Predicate Abstraction Relationship between variables and constants

Spurious Counter-Example h I M’

Spurious Counter-Example h I M’

Break it up and Start over M h I M’

Summary Abstract Model Check Refine if needed Loop-back Blast, Slam (CFG), FocusCheck (PDS)

Build-and-Search Reachability Tree Predicates: LOCK 1 1 Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); 1 : LOCK 1 Reachability Tree

Build-and-Search Reachability Tree Predicates: LOCK 1 2 1 2 Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); lock() old = new q=q->next 1 : LOCK 2 LOCK 1 2 Reachability Tree

Build-and-Search Reachability Tree Predicates: LOCK 1 2 3 1 2 3 Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); 1 : LOCK 2 LOCK [q!=NULL] 3 LOCK 1 2 3 Reachability Tree

Build-and-Search Reachability Tree Predicates: LOCK 1 2 3 4 4 1 2 3 Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); 1 : LOCK 2 LOCK 3 q->data = new unlock() new++ LOCK 4 : LOCK 4 1 2 3 Reachability Tree

Build-and-Search Reachability Tree Predicates: LOCK 1 2 3 4 5 5 4 1 2 Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); 1 : LOCK 2 LOCK 3 LOCK 4 : LOCK 5 [new==old] 5 : LOCK 4 1 2 3 Reachability Tree

Build-and-Search Reachability Tree Predicates: LOCK 1 2 3 4 5 5 4 1 2 Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); 1 : LOCK 2 LOCK 3 LOCK 4 : LOCK 5 5 : LOCK 4 unlock() 1 2 3 : LOCK Reachability Tree

Analyze Counterexample Predicates: LOCK Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); 1 : LOCK lock() old = new q=q->next 2 LOCK [q!=NULL] 3 LOCK q->data = new unlock() new++ 4 : LOCK 5 [new==old] 5 : LOCK 4 unlock() 1 2 3 : LOCK Reachability Tree

Analyze Counterexample Predicates: LOCK Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); 1 : LOCK old = new 2 LOCK 3 LOCK new++ 4 : LOCK 5 [new==old] 5 : LOCK 4 Inconsistent 1 2 3 : LOCK new == old Reachability Tree

Repeat Build-and-Search Predicates: LOCK, new==old Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); 1 : LOCK 1 Reachability Tree

Repeat Build-and-Search Predicates: LOCK, new==old Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); 1 : LOCK lock() old = new q=q->next 2 LOCK , new==old 1 2 Reachability Tree

Repeat Build-and-Search Predicates: LOCK, new==old Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); 1 : LOCK 2 LOCK , new==old LOCK , new==old 3 q->data = new unlock() new++ 4 : LOCK , : new = old 4 1 2 3 Reachability Tree

Repeat Build-and-Search Predicates: LOCK, new==old Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); 1 : LOCK 2 LOCK , new==old LOCK , new==old 3 4 : LOCK , : new = old [new==old] 4 1 2 3 Reachability Tree

Repeat Build-and-Search Predicates: LOCK, new==old Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); 1 : LOCK 2 LOCK , new==old LOCK , new==old 3 4 : LOCK , : new = old [new!=old] 1 4 4 1 : LOCK, : new == old 2 3 Reachability Tree

Repeat Build-and-Search Predicates: LOCK, new==old Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); 1 : LOCK 2 LOCK , new==old SAFE LOCK , new==old 3 4 4 : LOCK , : new = old LOCK , new=old 5 1 5 4 4 4 1 : LOCK, : new == old 2 3 : LOCK , new==old Reachability Tree