Cormac Flanagan Software Model Checking via Iterative Abstraction Refinement of CLP Queries 1 Software Model Checking via Iterative Abstraction Refinement.

Slides:



Advertisements
Similar presentations
Advanced programming tools at Microsoft
Advertisements

Extended Static Checking for Java Cormac Flanagan K. Rustan M. Leino Mark Lillibridge Greg Nelson James B. Saxe Raymie Stata Compaq SRC 18 June 2002 PLDI02,
Demand-driven inference of loop invariants in a theorem prover
Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 0 Summer school on Formal Models.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Computer Science CPSC 322 Lecture 25 Top Down Proof Procedure (Ch 5.2.2)
Modular and Verified Automatic Program Repair Francesco Logozzo, Thomas Ball RiSE - Microsoft Research Redmond.
Semantics Static semantics Dynamic semantics attribute grammars
ICE1341 Programming Languages Spring 2005 Lecture #6 Lecture #6 In-Young Ko iko.AT. icu.ac.kr iko.AT. icu.ac.kr Information and Communications University.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Software Engineering & Automated Deduction Willem Visser Stellenbosch University With Nikolaj Bjorner (Microsoft Research, Redmond) Natarajan Shankar (SRI.
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)
Logic.
ISBN Chapter 3 Describing Syntax and Semantics.
Review of topics Final exam : -May 2nd to May 7 th - Projects due on May 7th.
1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.
CS 355 – Programming Languages
Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt.
Avoiding Exponential Explosion: Generating Compact Verification Conditions Cormac Flanagan and James B. Saxe Compaq Systems Research Center With help from.
1 Automatic Software Model Checking via Constraint Logic Programming Cormac Flanagan Systems Research Center HP Labs.
C. FlanaganSAS’04: Type Inference Against Races1 Type Inference Against Races Cormac Flanagan UC Santa Cruz Stephen N. Freund Williams College.
Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond, WA part 0 Summer School on Logic and Theorem-Proving in Programming.
CS 267: Automated Verification Lectures 14: Predicate Abstraction, Counter- Example Guided Abstraction Refinement, Abstract Interpretation Instructor:
Houdini: An Annotation Assistant for ESC/Java Cormac Flanagan and K. Rustan M. Leino Compaq Systems Research Center.
Software Reliability Methods Sorin Lerner. Software reliability methods: issues What are the issues?
Search in the semantic domain. Some definitions atomic formula: smallest formula possible (no sub- formulas) literal: atomic formula or negation of an.
Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
Last time Proof-system search ( ` ) Interpretation search ( ² ) Quantifiers Equality Decision procedures Induction Cross-cutting aspectsMain search strategy.
From last time S1: l := new Cons p := l S2: t := new Cons *p := t p := t l p S1 l p tS2 l p S1 t S2 l t S1 p S2 l t S1 p S2 l t S1 p L2 l t S1 p S2 l t.
Review: forward E { P } { P && E } TF { P && ! E } { P 1 } { P 2 } { P 1 || P 2 } x = E { P } { \exists … }
1 A Modular Checker for Multithreaded Programs Cormac Flanagan HP Systems Research Center Joint work with Shaz Qadeer Sanjit A. Seshia.
Review: forward E { P } { P && E } TF { P && ! E } { P 1 } { P 2 } { P 1 || P 2 } x = E { P } { \exists … }
Describing Syntax and Semantics
Program Analysis Mooly Sagiv Tel Aviv University Sunday Scrieber 8 Monday Schrieber.
CS 267: Automated Verification Lecture 13: Bounded Model Checking Instructor: Tevfik Bultan.
Cormac Flanagan University of California, Santa Cruz Hybrid Type Checking.
1/25 Pointer Logic Changki PSWLAB Pointer Logic Daniel Kroening and Ofer Strichman Decision Procedure.
272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 4: SMT-based Bounded Model Checking of Concurrent Software.
C. FlanaganType Systems for Multithreaded Software1 Cormac Flanagan UC Santa Cruz Stephen N. Freund Williams College Shaz Qadeer Microsoft Research.
Software Engineering Prof. Dr. Bertrand Meyer March 2007 – June 2007 Chair of Software Engineering Static program checking and verification Slides: Based.
1 Program Correctness CIS 375 Bruce R. Maxim UM-Dearborn.
SAT and SMT solvers Ayrat Khalimov (based on Georg Hofferek‘s slides) AKDV 2014.
Verification of Java Programs using Symbolic Execution and Loop Invariant Generation Corina Pasareanu (Kestrel Technology LLC) Willem Visser (RIACS/USRA)
1 Inference Rules and Proofs (Z); Program Specification and Verification Inference Rules and Proofs (Z); Program Specification and Verification.
Inferring Specifications to Detect Errors in Code Mana Taghdiri Presented by: Robert Seater MIT Computer Science & AI Lab.
Extended Static Checking for Java  ESC/Java finds common errors in Java programs: null dereferences, array index bounds errors, type cast errors, race.
CS 363 Comparative Programming Languages Semantics.
COP4020 Programming Languages Introduction to Axiomatic Semantics Prof. Robert van Engelen.
Ch. 13 Ch. 131 jcmt CSE 3302 Programming Languages CSE3302 Programming Languages (notes?) Dr. Carter Tiernan.
Symbolic and Concolic Execution of Programs Information Security, CS 526 Omar Chowdhury 10/7/2015Information Security, CS 5261.
© Copyright 2008 STI INNSBRUCK Intelligent Systems Propositional Logic.
Static Techniques for V&V. Hierarchy of V&V techniques Static Analysis V&V Dynamic Techniques Model Checking Simulation Symbolic Execution Testing Informal.
1 Propositional Logic Limits The expressive power of propositional logic is limited. The assumption is that everything can be expressed by simple facts.
CUTE: A Concolic Unit Testing Engine for C Koushik SenDarko MarinovGul Agha University of Illinois Urbana-Champaign.
Extended Static Checking for Java Cormac Flanagan Joint work with: Rustan Leino, Mark Lillibridge, Greg Nelson, Jim Saxe, and Raymie Stata Compaq Systems.
CS357 Lecture 13: Symbolic model checking without BDDs Alex Aiken David Dill 1.
Logical Agents Chapter 7. Outline Knowledge-based agents Propositional (Boolean) logic Equivalence, validity, satisfiability Inference rules and theorem.
Proof Methods for Propositional Logic CIS 391 – Intro to Artificial Intelligence.
Logical Agents. Outline Knowledge-based agents Logic in general - models and entailment Propositional (Boolean) logic Equivalence, validity, satisfiability.
Reasoning about code CSE 331 University of Washington.
Lecture 5 Floyd-Hoare Style Verification
Programming Languages 2nd edition Tucker and Noonan
Predicate Transformers
The Zoo of Software Security Techniques
Programming Languages 2nd edition Tucker and Noonan
Programming Languages 2nd edition Tucker and Noonan
Presentation transcript:

Cormac Flanagan Software Model Checking via Iterative Abstraction Refinement of CLP Queries 1 Software Model Checking via Iterative Abstraction Refinement of Constraint Logic Queries Cormac Flanagan University of California, Santa Cruz

Cormac Flanagan Software Model Checking via Iterative Abstraction Refinement of CLP Queries 2 Software Reliability

Cormac Flanagan Software Model Checking via Iterative Abstraction Refinement of CLP Queries 3 Software Reliability Testing –dominant methodology –costly –test coverage problem Static checking –combats test coverage by considering all paths –Type systems –very effective for certain type errors –Extended Static Checking –targets errors missed by type systems

Cormac Flanagan Software Model Checking via Iterative Abstraction Refinement of CLP Queries 4 Java program + Annotations Translator Error conditions Satisfiability checker Satisfying assignment Post-processor Warning messages ESC/Java Architecture The translator “understands” the semantics of Java. An error condition is a logical formula (boolean combination of constraints) that, ideally, is satisfiable if and only if the program contains an error. The satisfiability checker is invisible to users. Satisfying assignments are turned into precise warning messages. ESC/Java Index out of bounds on line 218 Method does not preserve object invariant on line 223

Cormac Flanagan Software Model Checking via Iterative Abstraction Refinement of CLP Queries 5 ESC/Java Example class Rational { int num, den; Rational(int n, int d) { num = n; den = d; } int trunc() { return num/den; } public static void main(String[] a) { int n = readInt(), d = readInt(); if( d == 0 ) return; Rational r = new Rational(d,n); for(int i=0; i<10000; i++) { print( r.trunc() ); } } } invariant den != 0; requires d != 0; Warning: possible division by zero Warning: invariant possibly not established Warning: precondition possibly not established

Cormac Flanagan Software Model Checking via Iterative Abstraction Refinement of CLP Queries 6 ESC/Java Experience Tested on 40+ KLOC (Java front end, web crawler,...) Finds software defects! Useful educational tool Annotation cost significant –100 annotations per KLOC –3 programmer-hours per KLOC Annotation overhead significantly limits widespread use of extended static checking Why do we need these annotations?

Cormac Flanagan Software Model Checking via Iterative Abstraction Refinement of CLP Queries 7 ESC/Java Architecture The translator “understands” the semantics of Java. An error condition is a logical formula that, ideally, is satisfiable if and only if the program contains an error. The satisfiability checker is invisible to users. Satisfying assignments are turned into precise warning messages. ESC/Java Index out of bounds on line 218 Method does not preserve object invariant on line 223 Java program + Annotations Translator Error conditions Satisfiability checker Satisfying assignment Post-processor Warning messages

Cormac Flanagan Software Model Checking via Iterative Abstraction Refinement of CLP Queries 8 Generating Error Conditions ESC/Java if (x < 0) { x := -x; } assert x >= 0; ( x =0) )  (  (x =0) ) Unsatisfiable, no error Java program + Annotations Translator Error conditions Satisfiability checker Satisfying assignment Post-processor Warning messages

Cormac Flanagan Software Model Checking via Iterative Abstraction Refinement of CLP Queries 9 Generating Error Conditions 2 ESC/Java p := q; p.f := 3; assert q.f != 0; p = q  f’ = store(f, p, 3)  select(f’, q) = 0 Unsatisfiable, no error Java program + Annotations Translator Error conditions Satisfiability checker Satisfying assignment Post-processor Warning messages

Cormac Flanagan Software Model Checking via Iterative Abstraction Refinement of CLP Queries 10 ESC/Java Error Condition Logic ESC/Java terms t ::= x | f(t) constraints c ::= p(t) formulae e ::= c |  c | e  e | e  e |  y. e theories: equality, linear arithmetic, select+store some heuristics for universal quantification logic cannot express iteration or recursion Java program + Annotations Translator Error conditions Satisfiability checker Satisfying assignment Post-processor Warning messages

Cormac Flanagan Software Model Checking via Iterative Abstraction Refinement of CLP Queries 11 Error Conditions for Procedures ESC/Java call p(x); assert x>0  pre(x)   x’. (post(x,x’)   (x’>0)) Java program + Annotations Translator Error conditions Satisfiability checker Satisfying assignment Post-processor Warning messages requires pre(x) ensures post(x,x’) void p(x) {... } Programmer must write procedure specs so procedure calls can be translatec away because EC logic cannot express recursion Many warnings about incorrect or incomplete specifications

Cormac Flanagan Software Model Checking via Iterative Abstraction Refinement of CLP Queries 12 Java program (w/o specifications) Translator Error condition (CLP) CLP checker Satisfying derivation Post-processor Warning messages Verifun Architecture Procedure definitions and calls in source program are translated into analogous relation definitions and calls in logic - no need for procedure specifications Constraint Logic Programming (CLP) query - can express relation definitions and calls Satisfiability checker for CLP The error message includes a complete execution trace - no warnings about missing specifications Verifun

Cormac Flanagan Software Model Checking via Iterative Abstraction Refinement of CLP Queries 13 Java program (w/ calls) Translator Error condition (CLP) CLP checker Satisfying derivation Post-processor Warning messages Verifun Architecture terms t ::= x | f(t) constraints c ::= p(t) formulas e ::= c |  c | e  e | e  e |  y. e | r(t) user-defined relation symbols r definitions d ::= r(x) :- e Query: Given d, is e satisfiable? Constraint Logic Programming –[Jaffar and Lassez, POPL’87] –Efficient implementations! Verifun

Cormac Flanagan Software Model Checking via Iterative Abstraction Refinement of CLP Queries 14 Java program (w/ calls) Translator Error condition CLP checker Satisfying derivation Post-processor Warning messages Error Conditions for Procedures Ep(x)   x’. (Tp(x,x’)   (x’>0)) void p(x) { S } call p(x); assert x>0 ec(S, R) describes states from which S fails an assertion or terminates in state satisfying R error relation true if p goes wrong from x –Ep(x) :- ec(S, false) transfer relation relates pre, post values of x –Tp(x,x’) :- ec(S, (x=x’) ) Verifun

Cormac Flanagan Software Model Checking via Iterative Abstraction Refinement of CLP Queries 15 Example: Factorial int fact(int i) { if (i == 0) return 1; int t = fact(i-1); assert t > 0; return i*t; } Emain() :- Efact(j) void main() { int j = readInt(); fact(j); } Tfact(i, r) :- ( i = 0  r = 1)  ( i != 0  Tfact(i-1,t)  t>0  r=i*t ) Efact(i) :- i != 0  ( Efact(i-1)  (Tfact(i-1, t)  t <= 0 )) Tfact(i, r) relates pre and post states of executions of fact Efact(i) describes pre-states from which fact may go wrong CLP has least fixpoint semantics CLP Query: Is Emain() satisfiable?

Cormac Flanagan Software Model Checking via Iterative Abstraction Refinement of CLP Queries 16 Program correctnessCLP satisfiability Imperative Software Constraint Logic Programming Bounded software model checking Efficient implementations –Sicstus Prolog (depth-first)

Cormac Flanagan Software Model Checking via Iterative Abstraction Refinement of CLP Queries 17 Example: Rational class Rational { int num, den; Rational(int n, int d) { num = n; den = d; } int trunc() { return num/den; } public static void main(String[] a) { int n = readInt(), d = readInt(); if( d == 0 ) return; Rational r = new Rational(d,n); for(int i=0; i<10000; i++) { print( r.trunc() ); } } }

Cormac Flanagan Software Model Checking via Iterative Abstraction Refinement of CLP Queries 18 Error Condition for Rational t_rat(AllocPtr, Num, Den, N, D, This, AllocPtrp, Nump, Denp) :- AllocPtrp is AllocPtr+1, This = AllocPtrp, aset(This,Den,D,Denp), aset(This,Num,N,Nump). t_readInt(R). e_trunc(This, Num, Den) :- aref(This,Den,D), {D = 0}. e_loop(I, This, Num, Den) :- e_trunc(This, Num, Den). e_loop(I, This, Num, Den) :- {I<10000, Ip=I+1}, e_loop(Ip,This, Num, Den). e_main :- AllocPtr = 0, ;; no objs allocated new_array(Num), ;; initialise arrays encoding fields Num new_array(Den), ;; and Den t_readInt(D), t_readInt(N), {D =\= 0}, t_rat(AllocPtr, Num, Den, D, N, This, AllocPtrp, Nump, Denp), e_loop(0, This, Nump, Denp).

Cormac Flanagan Software Model Checking via Iterative Abstraction Refinement of CLP Queries 19 Checking Rational with CLP Feed error condition into CLP implementation (SICStus Prolog) –explicitly explores all paths through EC –symbolically considers all data values, eg, for n,d using theory of linear arithmetic –quickly finds that the EC is satisfiable gives satisfying derivation for EC can convert to erroneous execution trace

Cormac Flanagan Software Model Checking via Iterative Abstraction Refinement of CLP Queries 20 Example: Fixed Rational class Rational { int num, den; Rational(int n, int d) { num = n; den = d; } int trunc() { return num/den; } public static void main(String[] a) { int n = readInt(), d = readInt(); if( d == 0 ) return; Rational r = new Rational(n,d); for(int i=0; i<10000; i++) { print( r.trunc() ); } } }

Cormac Flanagan Software Model Checking via Iterative Abstraction Refinement of CLP Queries 21 Checking Fixed Rational with CLP Feed error condition into CLP implementation –explicitly explores all paths through EC –symbolically considers all data values, eg, for n,d –but searches through all possible program paths 10,000 iterations of loop depth-first search –before saying EC is unsatisfiable and program is ok Programs typically have infinitely many paths –Standard CLP checkers may not terminate

Cormac Flanagan Software Model Checking via Iterative Abstraction Refinement of CLP Queries 22 Java program (w/ calls) Translator Error condition (CLP) Custom CLP checker Satisfying derivation Post-processor Warning messages Deciding CLP Queries: Avoiding All Paths Use ideas from verification/model checking to decide CLP queries without exploring all paths Explicating theorem proving Predicate abstraction + predicate inference [SLAM, BLAST] Verifun

Cormac Flanagan Software Model Checking via Iterative Abstraction Refinement of CLP Queries 23 Query Q:  !(d = 0)   num’ = store(num,this,n)  num’ = store(num,this,0)  den’ = store(den,this,d)  select(den’,this) = 0 Review: Explicating Theorem Proving Query Q b :  !{d = 0}   {num’ = store(num,this,n)}  {num’ = store(num,this,0)}  {den’ = store(den,this,d)}  {select(den’,this) = 0} false !(d = 0) d = d = select(den’,this) select(den’,this)= den’ = store(den,this,d) Truth assignment TA b : !{d = 0} {num’ = store(num,this,n)} {den’ = store(den,this,d)} {select(den’,this) = 0} Truth assignment TA: !(d = 0) num’ = store(num,this,n) den’ = store(den,this,d) select(den’,this) = 0  { den’= store(den,this,d)} => {d=select(den’,this)} den’= store(den,this,d) => d=select(den’,this) d=select(den’,this)  select(den’,this)=0 => d=0  {d=select(den’,this)}  {select(den’,this)=0} => {d=0} Unsatisfiable! invariant den != 0 requires d != 0 Rational(int n, int d) { if (*) num = n; else num = 0; den = d; }

Cormac Flanagan Software Model Checking via Iterative Abstraction Refinement of CLP Queries 24 Explicating Refinement for CLP Queries Use the same approach –abstract to a decidable boolean system –get “trace” from boolean system –check trace using proof-generating decision procedures –if trace is invalid, use invalidity proof to refine the boolean abstraction But boolean abstraction must now include relations

Cormac Flanagan Software Model Checking via Iterative Abstraction Refinement of CLP Queries 25 Abstracting CLP Relations Abstract each relation definition r(x) :- e to propositional relation definition R(B) :- E –B is a list of boolean variables –E is a propositional formula –satisfiability is decidable

Cormac Flanagan Software Model Checking via Iterative Abstraction Refinement of CLP Queries 26 Abstraction Refinement for CLP - 1 Program: void inc(x) { int y = x; x=(* ? 0 : y+1); } void main() { int z = 0; inc(z); assert z = 1; } Error Condition Q: Tinc(x,x’) :-  y=x   x’=0  x’=y+1 Emain() :-  z=0  Tinc(z,z’)   (z’=1) Is Emain() satisfiable? Abstract EC Q a : TINC() :-  {y=x}   {x’=0}  {x’=y+1} EMAIN() :-  {z=0}  TINC()   {z’=1} Is EMAIN() sat?

Cormac Flanagan Software Model Checking via Iterative Abstraction Refinement of CLP Queries 27 Abstraction Refinement for CLP - 2 Abstract Trace T a : TINC() :-  {y=x}  {x’=y+1} EMAIN() :-  {z=0}  TINC()   {z’=1} EMAIN() is sat. Abstract EC Q a : TINC() :-  {y=x}   {x’=0}  {x’=y+1} EMAIN() :-  {z=0}  TINC()   {z’=1} Is EMAIN() sat? Concrete Trace T: Tinc(x,x’) :-  y=x  x’=y+1 Emain() :-  z=0  Tinc(z,z’)   (z’=1) EMAIN() is sat.

Cormac Flanagan Software Model Checking via Iterative Abstraction Refinement of CLP Queries 28 Abstraction Refinement for CLP - 3 Concrete Trace T: Tinc(x,x’) :-  y=x  x’=y+1 Emain() :-  z=0  Tinc(z,z’)   (z’=1) Conjunction of Atoms:  y=x  x’=y+1  z=0  z=x  z’=x’   (z’=1)

Cormac Flanagan Software Model Checking via Iterative Abstraction Refinement of CLP Queries 29 Abstraction Refinement for CLP - 4 Conjunction of Atoms:  y=x  x’=y+1  z=0  z=x  z’=x’   (z’=1) false z’=z+1 z=0  (z’=1) x’=x+1 z=x z’=x’ y=x x’=y+1 Explicated clause in Tinc() y=x  x’=y+1 => x’=x+1 Argument binding inference Add x’=x+1 as interface predicate for Tinc() Explicated clause in Emain() z’=z+1  z=0   (z’=1) => false

Cormac Flanagan Software Model Checking via Iterative Abstraction Refinement of CLP Queries 30 Abstraction Refinement for CLP - 5 Error Condition Q: Tinc(x,x’) :-  y=x   x’=0  x’=y+1 Emain() :-  z=0  Tinc(z,z’)   (z’=1) Abstract EC Q a : TINC({x’=x+1}) :-  {y=x}   {x’=0}  {x’=y+1}  ({y=x}  {x’=y+1} => {x’=x+1}) EMAIN() :-  {z=0}  TINC({z’=z+1})   {z’=1}   ({z’=z+1}  {z=0}   {z’=1})

Cormac Flanagan Software Model Checking via Iterative Abstraction Refinement of CLP Queries 31 Abstraction Refinement for CLP - 6 Abstract Trace T a : TINC({x’=x+1}) :-  {y=x}  {x’=0}   {x’=y+1}   {x’=x+1} EMAIN() :-  {z=0}  TINC({z’=z+1})   {z’=1}   {z’=z+1} Abstract EC Qa: TINC({x’=x+1}) :-  {y=x}   {x’=0}  {x’=y+1}  ({y=x}  {x’=y+1} => {x’=x+1}) EMAIN() :-  {z=0}  TINC({z’=z+1})   {z’=1}   ({z’=z+1}  {z=0}   {z’=1})

Cormac Flanagan Software Model Checking via Iterative Abstraction Refinement of CLP Queries 32 Abstraction Refinement for CLP - 7 Concrete Trace T: TINC(x,x) :-  y=x  x’=0   (x’=y+1)   (x’=x+1) EMAIN() :-  z=0  TINC(z,z’)   (z’=1)   (z’=z+1) Abstract Trace T a : TINC({x’=x+1}) :-  {y=x}  {x’=0}   {x’=y+1}   {x’=x+1} EMAIN() :-  {z=0}  TINC({z’=z+1})   {z’=1}   {z’=z+1} Conjunction of Constraints:  y=x  x’=0   (x’=y+1)   (x’=x+1)  z=0  z=x  z’=x’   (z’=1)   (z’=z+1)

Cormac Flanagan Software Model Checking via Iterative Abstraction Refinement of CLP Queries 33 Abstraction Refinement for CLP - 7 Program Trace: void inc(x) { int y = x; x=(* ? 0 : y+1 ); } void main() { int z = 0; inc(z); assert z = 1; } Conjunction of Constraints:  y=x  x’=0   (x’=y+1)   (x’=x+1)  z=0  z=x  z’=x’   (z’=1)   (z’=z+1) decision procedures say this conjunction of constraints is consistent, so this is a real error trace

Cormac Flanagan Software Model Checking via Iterative Abstraction Refinement of CLP Queries 34 Verifun on Fixed Rational class Rational { int num, den; Rational(int n, int d) { num = n; den = d; } int trunc() { return num/den; } public static void main(String[] a) { int n = readInt(), d = readInt(); if( d == 0 ) return; Rational r = new Rational(n,d); for(int i=0; i<10000; i++) { print( r.trunc() ); } } } Explicated clause: den’=store(den,r,d)  select(den’,r)=0 => d = 0 Interface predicate: den’=store(den,this,d) Interface predicate: select(den,this)=0 Abstract EC unsatisfiable Program correct

Cormac Flanagan Software Model Checking via Iterative Abstraction Refinement of CLP Queries 35 Properties of Verifun CLP Checker Sound –only produces satisfying traces Complete –will find a satisfying trace, if one exists Progress –never considers the same trace twice Semi-algorithm –termination depends on discovering sufficient predicates –may not terminate –could bound depth of recursion

Cormac Flanagan Software Model Checking via Iterative Abstraction Refinement of CLP Queries 36 Unit of Specification Programmers work on “unit of development” Interfaces between such units must be specified –reasonable to make specifications formal Use Verifun to check unit of development with respect to its specification Limitation of ESC is that the unit of specification (procedure) is much smaller than unit of development

Cormac Flanagan Software Model Checking via Iterative Abstraction Refinement of CLP Queries 37 Program correctnessCLP satisfiability Imperative Software Constraint Logic Programming Bounded software model checking Explicating theorem proving Predicate abstraction & predicate inference –SLAM, BLAST Efficient implementations –Sicstus Prolog –depth-first CLP implementation technique –Avoids considering all paths –Verifun CLP satisfiability checker

Cormac Flanagan Software Model Checking via Iterative Abstraction Refinement of CLP Queries 38 Related Work Program checking –Stanford Pascal Verifier, ESC/M3, ESC/Java –SLAM, BLAST –(many, many non-VC approaches) Automatic theorem proving –Simplify, SVC, CVC, Touchstone Constraint Logic Programming –[Jaffar and Lassez, POPL’87], SICStus Prolog, … CLP for model checking –[Delzanno and Podelski] Interactive theorem proving –PVS, HOL, Isabelle, ACL2

Cormac Flanagan Software Model Checking via Iterative Abstraction Refinement of CLP Queries 39 Summary Deep connection between –correctness of imperative programs with pointers, heap allocation, aliasing,... –satisfiability of CLP queries Verifun Checker –interprocedural extended static checker –reduced annotation burden –statically check assertions, API usage rules,... –interprocedural ECs are constraint logic programs.

Cormac Flanagan Software Model Checking via Iterative Abstraction Refinement of CLP Queries 40 The End

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.