© 2015 Carnegie Mellon University Property Directed Polyhedral Abstraction Nikolaj Bjørner and Arie Gurfinkel VMCAI 2015.

Presentation transcript:

© 2015 Carnegie Mellon University Property Directed Polyhedral Abstraction Nikolaj Bjørner and Arie Gurfinkel VMCAI 2015

2 PolyPDR Nikolaj Bjørner and Arie Gurfinkel © 2015 Carnegie Mellon University Copyright 2015 Carnegie Mellon University This material is based upon work funded and supported by the Department of Defense under Contract No. FA C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Department of Defense. NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. This material has been approved for public release and unlimited distribution. This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at DM

3 Abstract Interpretation versus Model Checking
Abstract Interpretation
  strength: scalability
  weakness: precision
  Domain: Convex Polyhedra
Model Checking
  strength: precision
  weakness: scalability
  Domain: QFLRA (quantifier-free fragment of FO over linear arithmetic)
How to simulate Poly Abstract Interpretation in QFLRA MC?

4 For the Impatient
Polyhedral Abstract Interpretation
  Convex hull
  Dual representation
  Fourier-Motzkin quantifier elimination
  Scales to a few dimensions
QFLRA Model Checking
  Simplex
  Interpolation
  Farkas Lemma
  Farkas consequences
  Scales to many dimensions
"Simulate" Fourier-Motzkin by Simplex and Interpolation

5 Abstract Interpretation Background

6 Polyhedral Abstract Domain
Convex hull of X ⊆ Qⁿ: CH(X) = { g·x + (1−g)·y | x, y ∈ X, 0 ≤ g ≤ 1 }, the smallest convex polyhedron containing X
Convex closure CC(X) is the topological closure of CH(X)
  e.g., CC(x=0 ∧ y=1 ∨ x ≥ 0 ∧ x = y) = 0 ≤ x ≤ y ≤ x+1
Polyhedral Abstract Domain: the domain of convex polyhedra
  abstraction: α(X) = CC(X)
  concretization: γ(X) = X
  join: P1 ⊔ P2 = CC(P1 ∪ P2)
  meet: P1 ⊓ P2 = P1 ∩ P2
  widening: P1 ∇ P2 = { H is a half-space of P1 | P2 ⇒ H }
Abstract Transformers
  forward: post_α(X) = CC(post(X))
  backward: pre_α(X) = CC(pre(X))

7 Problem 1: Computing Best Abstract Image
Assume concrete post is a forward image of a transition relation ρ:
  post(X) = F(X), where F(X) = ∃u. (X(u) ∧ ρ(u,v)) ∨ Init(v)
  and ρ(u,v) and Init(v) are in QFLRA
Then post_α(X) = project(u, CC(X(u) ∧ ρ(u,v) ∨ Init(v)))
  where project(u, φ) drops the variables/dimensions u from φ
How to approximate the best abstract image without CC and project?

8 Approximating Abstract Image
Three Ingredients
  1. Interpolation
  2. Syntactic Convex Closure
  3. Property-Directed

9 Craig Interpolation Theorem
Theorem (Craig 1957): Let A and B be two First Order (FO) formulae such that A ⇒ ¬B. Then there exists a FO formula I, denoted ITP(A, B), such that
  A ⇒ I
  I ⇒ ¬B
  atoms(I) ⊆ atoms(A) ∩ atoms(B)
A Craig interpolant ITP(A, B) can be effectively constructed from a resolution proof of unsatisfiability of A ∧ B
In Model Checking, the Craig Interpolation Theorem is used to safely over-approximate the set of (finitely) reachable states

10 Craig Interpolation for Linear Arithmetic
Useful properties of existing interpolation algorithms [CGS10] [HB12]:
  if I ∈ ITP(A, B) then ¬I ∈ ITP(B, A)
  if A is syntactically convex (a monomial), then I is convex
  if B is syntactically convex, then I is co-convex (a clause)
  if A and B are syntactically convex, then I is a half-space
(figure: A, B and the interpolant I separating them)

11 Syntactic Convex Closure
Definition: Let {P_i(x) = A_i·x ≤ a_i} be a set of polyhedra. A syntactic convex closure cc({P_i}) is defined as the following set of constraints:
Theorem: Let {P_i(x) = A_i·x ≤ a_i} be a set of polyhedra. Then CC({P_i}) = ∃V. cc({P_i}), where V = {z_i} ∪ {σ_i}
Florence Benoy, Andy King, Frédéric Mesnard: Computing convex hulls with a linear solver. TPLP 5(1-2) (2005)

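The closure example of slide 6 and the syntactic convex closure of slide 11, worked through as an added example (not code from the paper, its authors or Z3): cc({P_i}) is built as the constraints x = Σ z_i, A_i z_i ≤ σ_i a_i, σ_i ≥ 0, Σ σ_i = 1, and the fresh z_i and σ_i are then projected out with Fourier-Motzkin (the "few dimensions" method of slide 4) so the result can be checked against the slide's answer 0 ≤ x ≤ y ≤ x+1. The constraint encoding (coefficient dicts with rational bounds) and the variable names z{i}_{v}, s{i} are my own choices.

```python
from fractions import Fraction as Fr
from itertools import product
# A constraint is (coeffs, bound): sum(coeffs[v] * v) <= bound, everything a Fraction.
def le(coeffs, bound):
    return ({v: Fr(c) for v, c in coeffs.items() if c != 0}, Fr(bound))
def eq(coeffs, bound):  # an equality is a pair of opposite inequalities
    return [le(coeffs, bound), le({v: -c for v, c in coeffs.items()}, -bound)]
def normalize(cons):
    """Drop rows 0 <= b with b >= 0, keep the tightest bound per direction; None if infeasible."""
    best = {}
    for c, b in cons:
        if not c:
            if b < 0:
                return None
            continue
        scale = abs(c[min(c)])  # unit coefficient on the first variable
        key = frozenset((v, a / scale) for v, a in c.items())
        best[key] = min(best.get(key, b / scale), b / scale)
    return [(dict(k), b) for k, b in best.items()]
def eliminate(cons, var):
    """One Fourier-Motzkin step: exists var. cons, exact over the rationals."""
    pos = [(c, b) for c, b in cons if c.get(var, 0) > 0]
    neg = [(c, b) for c, b in cons if c.get(var, 0) < 0]
    out = [(c, b) for c, b in cons if var not in c]
    for (cp, bp), (cn, bn) in product(pos, neg):
        ap, an = cp[var], -cn[var]  # an * (pos row) + ap * (neg row) cancels var
        c = {v: an * cp.get(v, 0) + ap * cn.get(v, 0) for v in set(cp) | set(cn)}
        out.append(({v: a for v, a in c.items() if a != 0}, an * bp + ap * bn))
    return normalize(out)
def syntactic_cc(polys, xs):
    """cc({P_i}): x = sum z_i, A_i z_i <= sigma_i a_i, sigma_i >= 0, sum sigma_i = 1 (slide 11)."""
    cons, sig = [], {f"s{i}": 1 for i in range(len(polys))}
    for i, p in enumerate(polys):
        cons.append(le({f"s{i}": -1}, 0))  # sigma_i >= 0
        cons += [le({**{f"z{i}_{v}": a for v, a in c.items()}, f"s{i}": -b}, 0)
                 for c, b in p]  # each row of A_i z_i - a_i sigma_i <= 0
    for x in xs:  # x = sum_i z_i, one equality per original dimension
        cons += eq({x: 1, **{f"z{i}_{x}": -1 for i in range(len(polys))}}, 0)
    return cons + eq(sig, 1)

def convex_closure(polys, xs):
    """CC({P_i}) = exists V. cc({P_i}): project out every z_i and sigma_i."""
    cons = normalize(syntactic_cc(polys, xs))
    for v in sorted({v for c, _ in cons for v in c} - set(xs)):
        if (cons := eliminate(cons, v)) is None:
            return None  # closure is bottom (every P_i was empty)
    return cons
def satisfies(cons, point):
    return all(sum(a * point[v] for v, a in c.items()) <= b for c, b in cons)

# Constructed input, the example of slide 6: P1 = (x=0 /\ y=1), P2 = (x>=0 /\ x=y).
P1 = eq({"x": 1}, 0) + eq({"y": 1}, 1)
P2 = [le({"x": -1}, 0)] + eq({"x": 1, "y": -1}, 0)
HULL = convex_closure([P1, P2], ["x", "y"])  # reads 0 <= x <= y <= x+1
```

The point (3, 4) lies in HULL although it is in no convex combination of P1 and P2, which is why slide 6 defines CC as the topological closure of CH.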

13 Approximating Best Abstract Image
Recall: post(X) = F(X), where F(X) = ∃u. (X ∧ ρ) ∨ Init
Problem: given X and a syntactically convex set of bad states B, find I ∈ Poly such that post_α(X) ⊑ I and I ⊓ B = ⊥
Solution:
  let D_1 ∨ … ∨ D_n be a DNF of (X ∧ ρ) ∨ Init in
  let A = cc({D_1, …, D_n}) in
  ITP(A, B)
Claim: the procedure above is sound and complete
  A and B are syntactically convex ⇒ ITP(A, B) is a half-space
  SAT(A ∧ B) ↔ post_α(X) ⊓ B ≠ ⊥

14 CCSAT: An Efficient Implementation

15 Programs, Cexs, Invariants
A program P = (V, Init, ρ, Bad)
P is UNSAFE if and only if there exists a number N s.t.
P is SAFE if and only if there exists a safe inductive invariant Inv s.t.
(figure labels: Inductive, Safe)

16 IC3/PDR in Pictures
(figure: MkSafe)

17 IC3/PDR in Pictures
(figure: Cex Queue, Trace, Frame R_0, Frame R_1, lemma, cex, MkSafe)

18 Inductive IC3/PDR in Pictures
(figure: Propagate)

19 Inductive IC3/PDR in Pictures
(figure: Propagate)
PDR Invariants
  R_i ⇒ ¬Bad
  Init ⇒ R_i
  R_i ⇒ R_{i+1}
  R_i ∧ ρ ⇒ R_{i+1}

20 IC3/PDR

21 IC3/PDR

22 Extending PDR to Arithmetic: APDR
Model Based Projection: MBP(v, m, F) [KGC'14] generates an implicant of ∃v. F that contains the model m
Counterexamples are monomials (conjunctions of inequalities)
Lemmas are clauses (disjunctions of inequalities)
APDR computes a (possibly non-convex) QFLRA invariant in CNF

23 Kleene Forward Iteration

24 FPDR: Simulating Poly Kleene Iteration with PDR
Observations
  Counterexamples are monomials
  Lemmas are single inequalities (half-spaces)
  Invariants are conjunctions of inequalities (convex)
  Widening is "simulated" by not generating the strongest possible lemmas
  Computed using CCSAT

25 FPDR Properties
Theorem 1 (Soundness): If R_{i+1} ⇒ R_i, then post_α*(Init) ⊓ Bad = ⊥
Theorem 2 (Abstract Completeness): If FPDR returns AbstractReachable, then post_α^N(Init) ⊓ Bad ≠ ⊥

26 Chaotic Backward Iteration

27 BPDR: Simulating Poly Backward Iteration with PDR
Observations
  One lemma per frame (each new lemma is stronger than all previous ones)
  Lemmas are disjunctions of inequalities
  Computed invariant is co-convex
  A set instead of a queue

28 BPDR Properties
Theorem 1 (Soundness): If R_{i+1} ⇒ R_i, then pre_α*(Init) ⊓ Bad = ⊥
Theorem 2 (Abstract Completeness): If BPDR returns AbstractReachable, then pre_α^N(Init) ⊓ Bad ≠ ⊥

29 Conclusion
We mimic Polyhedral Abstract Interpretation with Arithmetic PDR
  use syntactic convex closure to decide existence of an abstract image
  use interpolation to compute an abstract element
  compute convex inductive invariants
Works well for small crafted examples; see paper for details, available at
Our Forward and Backward PDR rules can be mixed; see paper for details
Automatic abstraction refinement:
  use new abstract rules until a counterexample is found
  use APDR rules to refine


31 Contact Information
Arie Gurfinkel, Senior Researcher, SEI / CMU
U.S. Mail: Software Engineering Institute, Customer Relations, 4500 Fifth Avenue, Pittsburgh, PA, USA