Towards Game-Based Predicate Abstraction experiments in compositional model checking Adam Bakewell, University of Birmingham

GAME BASED MODEL CHECKING

MAGE Compositional (game-based) MC ’ ing works, has benefits, and can be efficient. proof: –Take the regular language game model of IA –Reformulate model as tree of automata –Make model branches be function/model application –Be lazy: make transitions when demanded by checker –Be symbolic: don ’ t build the automata –Do CEGAR: approximate, certify, refine

COMO Compositional MC ’ ing can verify real code with competitive efficiency proof: –Take a C program and process with CIL –Transform to ALGOL-like compositional CFG language –Do MAGE better: pre-composed interaction transitions; bdd; cbv; state compression+random access; etc

compositional CFGs Program ::= ( τ f(x i : τ i ){new y i : τ ’ i.M})+ M ::= expr | M;M | lval:=expr | goto φ | case expr of {k i ->M i } φ = path to target from enclosing function root [[goto φ 1 ]] = jump from state φ 0 · φ 2 to φ 0 · φ 1 where φ 2 is the local path to this goto

still ill Still far too slow Data approximation is easily outwitted Other model checkers do much better with a different kind of approximation ….

e.g. xx1.c e.g. cc1.c #include extern int y; extern int main () { int x=y; assert(x!=x+1); return(0); } #include extern char d; extern int main () { char c=d; assert(c!=c+1); return(0); }

e.g. evenloop.c #include extern int y; int main() { int x = 0; int i = y; while(i-- >= 0) x += 2; assert(x%2==0); return(0); }

PREDICATE ABSTRACTION

evenloop.c CFG model ┴ 0,y 2,y-1 2y,0 SAFE UNSAFE x:=0;i=yi--;x+=2(i--;x+=2) (y-1) i < 0 2y,0 assert state: x,i

predicate abstraction (PA) P is a seq of predicates over program variables PA model is a CFG where States are #P bit-vectors (P-valuations) Transitions exist where some basic block can change state sat. source P-valuation to state sat. target P-valuation If #P <#(program state) then checking PA model is much quicker than checking program model

e.g. CFG PA model ┴ T TF SAFEUNSAFE x:=0;i=yi--;x+=2 i<0 F assert P=[x%2==0] i--;x+=2

PA issues P –must be sufficient to prove (un)safety –must be compact for feasibility (minimization) –derive from program/annotations –infer (e.g. by interpolation) modelling and checking –which p ’ s to update/test (scope) –when to update/test (laziness)

PA needs games? CFG PA Is not compositional! Issues may be addressed elegantly with a compositional, semantic- direct, formulation Let ’ s try it …

GAME BASED PREDICATE ABSTRACTION

GBPA v1 Take COMO architecture Do a simple p. extraction (assert invariants!) Locate each p. in model tree Replace state model with p. model: (:=) sets p. state (case) tests p. state

evenloop.c GBPA model ┴ T,T T,F SAFE UNSAFE x:=0;i=y x+=2tmp>0 tmp ≤ 0 assert P=[x%2==0,tmp>0] tmp:=i;i-- T,T T,F T,T T,F

PA model formalization move: arena + value + p.valuation [[CELL( x,P)]] –Binds vars x, abstracted as preds P –states are P-valuation vectors –write move: (x := v|p) goes to state2 if SAT(state2[x ’ /x] & x ’ =v & p & state) –read move: (x.x|state) preserves state; composition with [[case]] does SAT, e.g. SAT(x=v & p)

laziness is free COMO architecture is built to make model transitions on-demand: (:=) SAT calls can be suspended when a valid next state is found (case) SAT calls suspend while an alternative is explored

lo PREDICATE LOCATION

mind gym

mind gym: verify your answer #include int main() { int x = 19; assert(x==19); x=((((((((x+x)*2)+5)/3)+3)/2)+6)/7)+2; assert(x==??); return(0); }

e.g. multi assignment int main() { int x = 19; x=x+x; x=x*2; x=x+5; x=x/3; x=x+3; x=x/2; x=x+6; x=x/7; x=x+2; assert(x==5); return(0); } x!=5 here x=5 or x!=5 here assert has spurious failure

e.g. manual interpolation int main() { int x = 19; assert(x==19); x=x+x; assert(x==38); x=x*2; assert(x==76); x=x+5; assert(x==81); x=x/3; assert(x==27); x=x+3; assert(x==30); x=x/2; assert(x==15); x=x+6; assert(x==21); x=x/7; assert(x==3); x=x+2; assert(x==5); return(0); }

e.g. manual interpolation 10 assignments 10 predicates 10 assertions how many SAT calls to prove safety?

p location GBPA CELL automatically restricts p scope Program transform with tighter CELLs will need less SAT calls

e.g. manual relocation #include int gym1(z) { int y=2*z; assert(y==38); y=y*2; assert(y==76); y=y+5; assert(y==81); return(y); } int gym2(z) { int y=z/3; assert(y==27); y=y+3; assert(y==30); y=y/2; assert(y==15); return(y); } int gym3(z) { int y=z+6; assert(y==21); y=y/7; assert(y==3); y=y+2; assert(y==5); return(y); } int main() { int x = 19; assert(x==19); x=gym1(x); assert(x==81); x=gym2(x); assert(x==15); x=gym3(x); assert(x==5); return(0); }

e.g. manual relocation in main: –4 p ’ s to update: 16 SAT per (:=) –4 asserts test on state size 4 p ’ s in gymi functions: –3 p ’ s to update: 8 SAT per (:=) –local state size 3 p ’ s mostly sufficient –global state size 7 p ’ s sometimes used total SATs: * 27 = 149

delayed SAT –An alternative to interpolation: –Allow state updates to be delayed until the kth –And delay state tests –Generalise CELL strategy s.t. states also record seq of delayed changes –Refine by increasing k

the position Game based model checking needs PA PA fits the games framework We get lazy PA for free Tight CELL location offers minimization delayed/incremental solving needs to be accommodated