© Anvesh Komuravelli. Spacer: Automatic Abstraction in SMT-Based Unbounded Software Model Checking. Anvesh Komuravelli, Carnegie Mellon University.

Presentation transcript:

Title slide: Automatic Abstraction in SMT-Based Unbounded Software Model Checking. Anvesh Komuravelli, Carnegie Mellon University. Joint work with Arie Gurfinkel, Sagar Chaki and Edmund Clarke.

Slide 1: The Problem
Input: a program P plus assertions. Goal: automatic analysis for assertion failures (software model checking). Outcomes: Safe (+ proof), Unsafe (+ counterexample), Unknown (+ partial proof). Stated over the sets reach(P) and error(P): is their intersection empty?

Slide 2: Over-approximation Driven (OD)
Figure: reach(P) and error(P), with an over-approximation of reach(P).

Slide 3: Over-approximation driven (OD)
Figure continued.

Slide 4: Over-approximation driven (OD)
Key idea: CEGAR based on predicate abstraction.
Symbolic method: BDDs for the fixed point computation, SMT for new predicates.
Tools: SLAM, BLAST, SDV, etc.

Slide 5: Under-approximation Driven (UD)
Figure: reach(P) and error(P), with an under-approximation of reach(P).

Slide 6: Under-approximation driven (UD)
Figure continued.

Slide 7: Under-approximation driven (UD)
Key idea: BMC-based approach.
Symbolic method: SMT.
Tools: IMPACT, UFO, etc.

Slide 8: Key Recent Advancements
2003  Interpolation for hardware model checking (McMillan)
2006  IMPACT (path interpolants) (McMillan)
2009  Path interpolants for hardware model checking (Grumberg et al.)
2010  IC3 (a different way of computing interpolants, hardware) (Bradley)
2011  WOLVERINE (bit-level implementation of IMPACT) (Kroening et al.)
2012  UFO (DAG interpolation method, predicate abstraction + interpolation) (Gurfinkel et al.)
2012  VINTA (abstract interpretation + interpolation) (Gurfinkel et al.)
2011  FunFrog (interprocedural) (Sharygina et al.)
2012  μZ (Horn clause solver based on GPDR) (Bjorner et al.)
2012  Duality (Horn clause solver based on interpolation) (McMillan, Rybalchenko)
2012  WHALE (interprocedural) (Gurfinkel et al.)

Slide 9: Our Strategy
Under-approx. → Abstract → Under-approx.

Slide 10: Our Strategy
Under-approx. → Abstract → Under-approx. → Refine

Slide 11: Our Strategy
Under-approx. → Abstract → Under-approx. → Refine → Abstract

Slide 12: Our Strategy
And so on …

Slide 13: Our Strategy
… until reach(P) is covered. Abstractions guide the SMT solver to look for general proofs.

Slide 14: It's based on UD
A sequence of under-approximations, with Abstract steps in between.

Slide 15: It's based on UD
The abstractions need not be monotonic.

Slide 16: Spacer is based on UD
Non-trivial abstraction between under-approximations.

Slide 17: Overall flow
Program → Under-Approximate → Check Safety → Abstract (Proof-Based Abstraction) → Feasible? → Yes: Counterexample; No: Refine (CEGAR) and repeat. A proof that survives the loop is the Safety Proof.

Slide 18: Why Abstraction?
    x = y = z = w = 0;
    while (*) {
      x = *; y = *;
      assume (0 ≤ y ≤ 100x);
      if (y > 10w && z ≥ 100x) { y = −y; }   // only way to fail the assertion
      t = 1; w += t; z += 10t;
    }
    assert (0 ≤ y)

Slide 19: UD Reasoning
1st iteration: w = 0, z = 0. Proof fact: y ≤ 100x.

Slide 20: UD Reasoning
2nd iteration: w = 1, z = 10. Proof fact: y ≤ 100x.

Slide 21: UD Reasoning
3rd iteration: w = 2, z = 20. Proof fact: y ≤ 100x. And so on…

Slide 22: But …
The value ‘1’ (in t = 1) doesn’t matter!

Slide 23: But …
Same program with the assignment replaced by t = *;
    x = y = z = w = 0;
    while (*) {
      x = *; y = *;
      assume (0 ≤ y ≤ 100x);
      if (y > 10w && z ≥ 100x) { y = −y; }
      t = *; w += t; z += 10t;
    }
    assert (0 ≤ y)

Slide 24: UD Reasoning on the Abstraction
2nd iteration: w = t, z = 10t. Resolving t away gives z = 10w, which holds for all iterations. Proof fact: y ≤ 100x. The per-iteration concrete values are marked redundant.

Slide 25: Original Example
    x = y = z = w = 0;
    while (*) {
      if (*) { x++; y += 100; }
      else if (*) { if (x ≥ 4) { x++; y++; } }
      else if (y > 10w && z ≥ 100x) { y = −y; }
      t = 1; w += t; z += 10t;
    }
    assert (!(x ≥ 4 && y ≤ 2))
Source: Automatically Refining Abstract Interpretations, Gulavani, Chakraborty, Nori and Rajamani, TACAS.
μZ (SMT-based model checker, part of Z3): cannot solve in an hour.
Spacer (our tool): finds a proof in a minute; solves an abstraction (t = *) in under 1 second.

Slide 26: What’s the magic?
Focused proofs: abstractions guide the SMT solver to look for a certain kind of proof and avoid proofs specific to an under-approximation.
How to obtain abstractions? From proofs of under-approximations (Proof-Based Abstraction). Hope: what is sufficient for the under-approximation is sufficient in general. Downside: if the abstraction is too coarse, it must be refined (CEGAR).

Slide 27: Overall flow (repeated)
Program → Under-Approximate → Check Safety → Abstract (Proof-Based Abstraction) → Feasible? → Yes: Counterexample; No: Refine (CEGAR). Output: Safety Proof or Counterexample.

Slide 28: Schematic Example
Add counters → Under-approximate → Solve → Loop invariants
    init_stmt; c = 0;
    while (*) {
      // invar_1, invar_2
      // invar_3, invar_4
      assume (c < k1);
      if (*) { v1 = e1; v2 = e2; } else { v3 = e3; v4 = e4; }
      v5 = e5; v6 = e6;
      c += 1;
    }
    assert (safe);

Slide 29: Schematic Example
Under-approximate → Solve → Feasible? Extract unbounded invariants and strengthen with them.
    init_stmt; c = 0;
    assume (invar_1, invar_2);
    while (*) {
      // invar_1, invar_2        ← Unbounded!
      // invar_3, invar_4        ← Specific to under-approx.
      assume (c < k1);
      if (*) { v1 = e1; v2 = e2; } else { v3 = e3; v4 = e4; }
      v5 = e5; v6 = e6;
      c += 1;
      assume (invar_1, invar_2);
    }
    assert (safe);
Treat invar_1, invar_2 as guessed unbounded invariants, essentially like Houdini [FL’01].
[FL’01] Houdini, an annotation assistant for ESC/Java, C. Flanagan and K.R.M. Leino, 2001.

Slide 30: Schematic Example
Under-approximate → Solve → Feasible? → NO. Without the counter constraint (assume (c < k1) removed, only invar_1, invar_2 kept), the strengthened program alone does not prove the assertion.

Slide 31: Schematic Example
Under-approximate → Solve → Feasible? → NO → Abstract. Parts of the program (the assignments v2 = e2, v4 = e4, v6 = e6) are redundant for the proof.

Slide 32: Schematic Example (Proof-Based Abstraction)
    init_stmt; c = 0;
    assume (invar_1, invar_2);
    while (*) {
      // invar_1, invar_2
      // invar_3, invar_4
      assume (c < k1);
      if (*) { v1 = e1; v2 = *; } else { v3 = e3; v4 = *; }
      v5 = e5; v6 = *;
      c += 1;
      assume (invar_1, invar_2);
    }
    assert (safe);

Slide 33: Schematic Example
Under-approximate with k2 > k1 → Solve → Abstract counterexample! → Concretize → Feasible? → the concrete control path is infeasible → NO → Refine.
    init_stmt; c = 0;
    assume (invar_1, invar_2);
    while (*) {
      assume (c < k2);
      if (*) { v1 = e1; v2 = *; } else { v3 = e3; v4 = *; }
      v5 = e5; v6 = *;
      c += 1;
      assume (invar_1, invar_2);
    }
    assert (safe);

Slide 34: Schematic Example (CEGAR)
Refine: v2 = e2 and v4 = e4 are restored; v6 = * stays abstract.
    init_stmt; c = 0;
    assume (invar_1, invar_2);
    while (*) {
      assume (c < k2);
      if (*) { v1 = e1; v2 = e2; } else { v3 = e3; v4 = e4; }
      v5 = e5; v6 = *;
      c += 1;
      assume (invar_1, invar_2);
    }
    assert (safe);

Slide 35: Schematic Example
Under-approximate → Solve → Feasible? → YES. The new invariants invar_5, invar_6 are unbounded.
    init_stmt; c = 0;
    assume (invar_1, invar_2);
    while (*) {
      // invar_5
      // invar_6
      assume (c < k2);
      if (*) { v1 = e1; v2 = e2; } else { v3 = e3; v4 = e4; }
      v5 = e5; v6 = *;
      c += 1;
      assume (invar_1, invar_2);
    }
    assert (safe);

Slide 36: Overall flow (repeated)
Program → Under-Approximate → Check Safety → Abstract (Proof-Based Abstraction) → Feasible? → Yes: Counterexample; No: Refine (CEGAR). Output: Safety Proof or Counterexample.

Slide 37: Detailed Example
Non-deterministic choice (e.g. as in Promela):
    x = y = z = w = 0;
    while (*) {
      if
      :: x++; y += 100;
      :: (x ≥ 4) -> x++; y++;
      :: (y > 10w && z ≥ 100x) -> y = −y;
      fi
      w++; z += 10;
    }
    assert (!(x ≥ 4 && y ≤ 2));
C-like equivalent of the choice:
    if (nd ()) { x++; y += 100; }
    else if (nd () && x ≥ 4) { x++; y++; }
    else if (y > 10w && z ≥ 100x) { y = −y; }
    else assume (0);

Slide 38: Detailed Example
Add counters → Under-approximate → Solve → Loop invariants
    x = y = z = w = 0; c = 0;
    while (*) {
      // (y > 10w) => (z < 100x), z ≤ 100x,
      // x ≤ 2, c ≤ 0 => x ≤ 0, c ≤ 1 => x ≤ 1
      assume (c < 2);
      if
      :: x++; y += 100;
      :: (x ≥ 4) -> x++; y++;
      :: (y > 10w && z ≥ 100x) -> y = −y;
      fi
      w++; z += 10; c += 1;
    }
    assert (!(x ≥ 4 && y ≤ 2));

Slide 39: Detailed Example
Under-approximate → Solve → Safe. The loop invariants above form an inductive invariant of the under-approximation.

Slide 40: Detailed Example
Under-approximate → Solve → Feasible? Extract unbounded invariants and strengthen with them: (y > 10w) => (z < 100x) and z ≤ 100x are preserved; x ≤ 2 is specific to the under-approximation; c ≤ 0 => x ≤ 0 and c ≤ 1 => x ≤ 1 depend on the counter.
    x = y = z = w = 0; c = 0;
    assume (y > 10w => z < 100x, z ≤ 100x);
    while (*) {
      // (y > 10w) => (z < 100x), z ≤ 100x,
      // x ≤ 2, c ≤ 0 => x ≤ 0, c ≤ 1 => x ≤ 1
      assume (c < 2);
      if
      :: x++; y += 100;
      :: (x ≥ 4) -> x++; y++;
      :: (y > 10w && z ≥ 100x) -> y = −y;
      fi
      w++; z += 10; c += 1;
      assume (y > 10w => z < 100x, z ≤ 100x);
    }
    assert (!(x ≥ 4 && y ≤ 2));

Slide 41: Detailed Example
Under-approximate → Solve → Feasible? → NO. With assume (c < 2) removed and only (y > 10w) => (z < 100x), z ≤ 100x kept, the program does not prove the assertion.

Slide 42: Detailed Example
Under-approximate → Solve → Feasible? → NO → Abstract. The assignments to y, w and z are redundant for the proof of the under-approximation.

Slide 43: Detailed Example
Under-approximate → Solve → Feasible? → NO → Abstract. The abstraction below fails against the original assertion, so enlarge the error.
    x = y = z = w = 0; c = 0;
    assume (y > 10w => z < 100x, z ≤ 100x);
    while (*) {
      // (y > 10w) => (z < 100x), z ≤ 100x,
      // x ≤ 2, c ≤ 0 => x ≤ 0, c ≤ 1 => x ≤ 1
      assume (c < 2);
      if
      :: x++; y = *;
      :: (x ≥ 4) -> x++; y = *;
      :: (y > 10w && z ≥ 100x) -> y = *;
      fi
      w = *; z = *; c += 1;
      assume (y > 10w => z < 100x, z ≤ 100x);
    }
    assert (!(x ≥ 4 && y ≤ 2));

Slide 44: Detailed Example
Under-approximate → Solve → Feasible? → NO → Abstract. Same abstraction as slide 43 with the enlarged error assert (!(x ≥ 4)).

Slide 45: Detailed Example
Under-approximate (c < 4) → Solve → Counterexample! Increment x to 4 and choose y arbitrarily. Concretize → Feasible? → the concrete control path is infeasible → NO → Refine.
    x = y = z = w = 0; c = 0;
    assume (y > 10w => z < 100x, z ≤ 100x);
    while (*) {
      assume (c < 4);
      if
      :: x++; y = *;
      :: (x ≥ 4) -> x++; y = *;
      :: (y > 10w && z ≥ 100x) -> y = *;
      fi
      w = *; z = *; c += 1;
      assume (y > 10w => z < 100x, z ≤ 100x);
    }
    assert (!(x ≥ 4));

Slide 46: Detailed Example
Under-approximate → Solve → Feasible? → NO → Refine. The updates to y are restored; w and z stay abstract.
    x = y = z = w = 0; c = 0;
    assume (y > 10w => z < 100x, z ≤ 100x);
    while (*) {
      assume (c < 4);
      if
      :: x++; y += 100;
      :: (x ≥ 4) -> x++; y++;
      :: (y > 10w && z ≥ 100x) -> y = −y;
      fi
      w = *; z = *; c += 1;
      assume (y > 10w => z < 100x, z ≤ 100x);
    }
    assert (!(x ≥ 4 && y ≤ 2));

Slide 47: Detailed Example
Under-approximate → Solve → Feasible? → YES. The invariants below are inductive and unbounded: Safe.
    x = y = z = w = 0; c = 0;
    assume (y > 10w => z < 100x, z ≤ 100x);
    while (*) {
      // (y > 10w) => (z < 100x), z ≤ 100x
      // y > 0, (x > 0) => (y ≥ 100)
      assume (c < 4);
      if
      :: x++; y += 100;
      :: (x ≥ 4) -> x++; y++;
      :: (y > 10w && z ≥ 100x) -> y = −y;
      fi
      w = *; z = *; c += 1;
      assume (y > 10w => z < 100x, z ≤ 100x);
    }
    assert (!(x ≥ 4 && y ≤ 2));
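The under-approximate / abstract / concretize / refine cycle of slides 38 to 46, as an added illustration that is not part of the talk or of the Spacer tool: a bounded explicit-state search stands in for the SMT solver, havoced assignments (`*`) range over a small constructed value domain, and the candidate lemmas of slide 38 are checked against the states reachable under the counter bound.

```python
from collections import deque

# Constructed value domain for havoced ('*') assignments. The SMT solver treats
# them as unconstrained; this bounded explicit-state search enumerates a few values.
HAVOC_DOMAIN = (-1, 0, 1)
INIT = (0, 0, 0, 0, 0)   # (x, y, z, w, c) after "x = y = z = w = 0; c = 0;"


def step(state, k, abstraction):
    """Successors of one loop iteration of the Detailed Example under assume(c < k).
    abstraction: set of variables whose updates in the body are replaced by '*'."""
    x, y, z, w, c = state
    if c >= k:                                  # assume(c < k) blocks the iteration
        return []

    def upd(var, val):                          # havoced variables range over HAVOC_DOMAIN
        return HAVOC_DOMAIN if var in abstraction else (val,)

    # the three guarded alternatives of the "if :: ... fi" block
    choices = [(1, x + 1, yv) for yv in upd("y", y + 100)]
    if x >= 4:
        choices += [(2, x + 1, yv) for yv in upd("y", y + 1)]
    if y > 10 * w and z >= 100 * x:
        choices += [(3, x, yv) for yv in upd("y", -y)]
    # then "w++; z += 10; c += 1;"
    return [(br, (x2, y2, z2, w2, c + 1))
            for br, x2, y2 in choices
            for w2 in upd("w", w + 1)
            for z2 in upd("z", z + 10)]


def explore(k, abstraction=frozenset()):
    """BFS over loop-head states; maps each reachable state to (branch, predecessor)."""
    parent = {INIT: None}
    queue = deque([INIT])
    while queue:
        s = queue.popleft()
        for br, t in step(s, k, abstraction):
            if t not in parent:
                parent[t] = (br, s)
                queue.append(t)
    return parent


def find_counterexample(k, abstraction, bad):
    """Shortest control path (list of branch numbers) to a state where bad() holds, or None."""
    parent = explore(k, abstraction)
    for s in parent:                            # dict insertion order is BFS order
        if bad(s):
            path = []
            while parent[s] is not None:
                br, s = parent[s]
                path.append(br)
            return path[::-1]
    return None


def replay(path):
    """Concretize: run a control path on the concrete program; None if a guard fails."""
    s = INIT
    for br in path:
        succ = [t for b, t in step(s, len(path), frozenset()) if b == br]
        if not succ:
            return None
        s = succ[0]
    return s


def holds_on_reachable(lemma, k, abstraction=frozenset()):
    """Is the candidate loop invariant true on every state reachable under assume(c < k)?"""
    return all(lemma(s) for s in explore(k, abstraction))


def concrete_bad(s):                            # violates assert(!(x >= 4 && y <= 2))
    return s[0] >= 4 and s[1] <= 2


def abstract_bad(s):                            # violates the enlarged error assert(!(x >= 4))
    return s[0] >= 4


# Counter-free candidate lemmas from slide 38 (those over c are tied to the bound).
LEMMAS = {
    "(y > 10w) => (z < 100x)": lambda s: not (s[1] > 10 * s[3]) or s[2] < 100 * s[0],
    "z <= 100x": lambda s: s[2] <= 100 * s[0],
    "x <= 2": lambda s: s[0] <= 2,
}
```

With these definitions, "x <= 2" holds on the states reachable under c < 2 but not under c < 4, `find_counterexample(4, {"y", "w", "z"}, abstract_bad)` returns the abstract counterexample [1, 1, 1, 1], whose concrete replay ends in (4, 400, 40, 4, 4) and satisfies the assertion, so the path is infeasible; the refined search with only w and z havoced returns None.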

Slide 48: Implementation Details – Unbounded Invariants
Ingredients: pre-lemmas, post-lemmas, concrete transition relation, counters. Goal: find a maximal subset of lemmas that is preserved (the formula itself is not in the transcript).

Slide 49: Implementation Details – Unbounded Invariants
Query the SMT solver with the candidate set: UNSAT, or SAT (with some lemma assumption true)? Repeat until a fixed point is reached.

Slide 50: Implementation Details – Unbounded Invariants
Introduce assumption variables b_i for the lemmas. Fixed point iteration: keep a maximal subset of true post-lemmas with a minimal number of b_i’s set to false.

Slide 51: Implementation Details – Unbounded Invariants
Iteration 1: one lemma preserved (✔), one not (✗). Iteration 2: the failed lemma is disabled (✗).

Slide 52: Implementation Details – Abstraction
Introduce assumption variables.

Slide 53: Implementation Details – Abstraction
Are all lemmas necessary?

Slide 54: Implementation Details – Abstraction
Introduce assumption variables for lemmas.

Slide 55: Spacer Tool
Program → Under-Approximate → Check Safety → Abstract (Proof-Based Abstraction) → Feasible? → Yes: Counterexample; No: Refine (CEGAR). Output: Safety Proof or Counterexample.

Slide 56: Spacer Tool
The Check Safety step uses the μZ Horn-clause solver (part of Z3).

Slide 57: Spacer Tool
The program is passed to μZ (part of Z3) through a Horn-clause encoding.

Slide 58: Spacer Tool
C program → Preprocessing (UFO frontend, based on LLVM: simplification, large block encoding, etc.) → Horn-clause encoding. Implemented using the UFO frontend.

Slide 59: Results on SV-COMP’13 Benchmarks
Abstraction did not help for UNSAFE benchmarks; also, not a challenging pool of benchmarks.

Slide 60: Results on SV-COMP’13 Benchmarks
(chart)

Slide 61: Results on SV-COMP’13 Benchmarks
Benchmarks solved in about 1 minute: not very meaningful to compare.

Slide 62: Results on SV-COMP’13 Benchmarks
Benchmarks solved in under 5 minutes: mixed results.

Slide 63: Results on SV-COMP’13 Benchmarks
Advantage!

Slide 64: Results on SV-COMP’13 Benchmarks
Advantage! (time-outs and mem-outs marked)

Slide 65: Conclusion
Focused proofs: abstractions guide the SMT solver to look for a certain kind of proof and avoid proofs specific to an under-approximation.
How to obtain abstractions? From proofs of under-approximations (Proof-Based Abstraction). Hope: what is sufficient for the under-approximation is sufficient in general. Downside: if the abstraction is too coarse, it must be refined (CEGAR).
Contributions: a framework for automated abstraction in SMT-based software model checking; an implementation using an existing SMT-based model checker, with practical advantage.

Slide 66: Conclusion (contd…)
Why does PBA work?
- Post-pruning of proofs during abstraction (local vs. global proofs).
- Non-monotonic abstractions.
- Major role of invariants (exploit the generality of proofs of under-approximations).
Visit spacer.bitbucket.org to download the tool and detailed slides!

Slide 67: On-going and Future Work
Observation: fixed granularity of abstraction, at the program level. Observation: restricted space of abstractions. Questions: when and how to abstract or refine?
Observation: proofs are too dependent on counter constraints (i.e. on the under-approximation). Question: how to use counters only when needed? In general, how to minimize the use of a given set of assumptions?
Observation: abstraction is done offline, after obtaining a proof of an under-approximation. Question: how does an on-the-fly abstraction work? When each transition is treated as a recursion-free procedure, it is similar to summarizing procedures on-the-fly. Also, how to handle recursion?

Slide 68: Read our CAV’13 paper for details… Questions?

Slide 69: Extra Slides

Slide 70: SMT-Based Model Checking
CFG from init to error → loop-free unrolling → discharge the verification condition on an SMT solver. Possibility 1: UNSAFE. Possibility 2: SAFE, with path interpolants (McMillan ’06).

Slide 71: SMT-Based Model Checking
Further unrolling of the CFG → discharge the verification condition on an SMT solver. Possibility 1: UNSAFE. Possibility 2: SAFE, with DAG interpolants [AGC’12]. Continue until convergence.
[AGC’12]: From Under-approximations to Over-approximations and Back, Albarghouthi, Gurfinkel and Chechik, TACAS ’12.