Lazy Abstraction with Interpolants Yakir Vizel (based on the work and slides of K. L. McMillan at CAV06)
Agenda Introduction –Model Checking –Abstraction and CEGAR Software MC Lazy Abstraction Lazy Abstraction with Interpolants
Model Checking Given a system, and a specification – does the system satisfies the specification There are efficient algorithms that receive a model and a formula and return: –“True” if the system satisfy the specification. –“False” and a counterexample otherwise. The problem at hand is Non-Decidable Suffers from the state-explosion problem
Abstraction A way to fight the state explosion problem. Preserves properties – those that hold in the concrete model also hold in the abstract model (over approximation). An abstract state represents a set of concrete states and transitions defined existentially. Types of abstraction: Localization Reduction, Data Abstraction, Predicate Abstraction
CEGAR One problem with over approximations is spurious counterexamples. The solution: Counter-Example Guided Abstraction Refinement. Given an abstract model M’ and a spurious counterexample refine M’ automatically such that a new abstract model is created M’’ ≥ M’ and it does not contain the given spurious counterexample.
CEGAR (cont.) C is not spurious check spurious counterexample C stop M’╞ generate counterexample C M’ |= model check M’ generate initial abstraction M and refinement C is spurious
Modeling Programs FOL formulas are used to characterize programs. –S is the set of individual variables, constants etc. –A state formula is a formula in L(S) where L(S) is the set of well-formed formulas over the vocabulary S. –For a non-logical symbol s, s’ represents s in the next time. –s with n primes represent s at n time units in the future. –For a formula f, the notation f(n) denote the addition of n primes to every symbol in f. –A transition formula is a formula in L(S U S’) Example: x’ = x + 1 Program is usually represented using a Control Flow Graph (CFG).
Modeling Programs (2) A program is a tuple (λ, Δ, l i,l f ) where λ is a finite set of program locations, Δ is a set of actions, l i is the initial location and l f is the error location (both in λ). –An action is a triple (l,T,m) where l,m are respectively the entry and exit locations of the action and T is a transition formula. A path π of a program is a sequence of transitions of the form (l 0,T 0,l 1 ),…,(l n-1,T n-1,l n ). –The unfolding U(π) of path π is the sequence of formulas: T 0 (0),T 1 (1),…,T n-1 (n-1) –A path π is feasible when ΛU(π) is consistent.
Example do{ lock(); old = new; if(*){ unlock(); new++; } } while (new != old); program fragment L=0 L=1; old=new [L!=0] L=0; new++ [new==old] [new!=old] control-flow graph ΛU(π) = L=0 Λ L’=1 Λ old’=new Λ T Λ new = old’ ΛU(π) = L=0 Λ L’=1 Λ old’=new Λ L’’=0 Λ new’ = new + 1 Λ new’ != old’ Λ L’’ != 0
Modeling Programs (3) A program is said to be safe if every error path of the program is infeasible. An inductive invariant of a program is a map F:λ L(S) such that: –F(l i ) = TRUE –For every action (l,T,m) in Δ, F(l)/\T implies F(m)’. A safety invariant of a program is an inductive invariant such that F(l f ) = FALSE. –Existence of a safety invariant of a program implies that the program is safe.
Program Unwinding An unwinding of a program A = (λ, Δ, l i,l f ) is a quadruple (V,E,M v,M e ), where (V,E) is a directed tree rooted at ε, M v :V λ is the vertex map, and M e :E Δ is the edge map such that: –M v (ε) = l i –For every non-leaf vertex v in V, for every action (M v (v),T,m) in Δ, there exists an edge (v,w) in E such that M v (w) = m and M e (v,w) = T For two vertices v and w of a tree, w < v denotes that w is a proper ancestor of v.
Unwinding the CFG An unwinding is a tree with an embedding in the CFG L=0 L=1; old=new [L!=0] L=0; new++ [new==old] [new!=old] L=0 L=1; old=new [L!=0] L=0; new++ MvMv MeMe
Expansion Every non-leaf vertex of the unwinding must be fully expanded... L=0 0 1 MvMv MeMe If this is not a leaf......and this exists......then this exists....but we allow unexpanded leaves (i.e., we are building a finite prefix of the infinite unwinding)
Program Unwinding (2) A labeled unwinding of a program A = (λ, Δ, l i,l f ) is a triple (U,ψ,C) where –U = (V,E,M v,M e ) is an unwinding of A –Ψ:V L(S) is called the vertex labeling, and –C is a relation in V x V and is called the covering relation A vertex v is said to be covered iff there exists (w,x) in C such that w≤v. Unwinding is said to be safe iff for all vertices v in V, M v (v)=l f implies Ψ(v) ≡ FALSE. Unwinding is said to be complete iff every leaf v in V is covered.
Labeled unwinding A labeled unwinding is equipped with: –a labeling function : V L(S) –a covering relation C in V x V L=0 L=1; old=new [L!=0] L=0; new++ [new!=old] 6 [L!=0] 7 [new==old] T F L=0 F T T These two nodes are covered. (have a ancestor at the tail of a covering arc)...
Program Unwinding (3) A labeled unwinding (U,ψ,C) of a program A = (λ, Δ, l i,l f ) where U = (V,E,M v,M e ), is said to be well-labeled iff: –Ψ(ε) ≡ TRUE, and –For every edge (v,w) in E, Ψ(v) Λ M e (v,w) implies Ψ(w)’, and –For all (v,w) in C, Ψ(v) => Ψ(w), and w is not covered Main Theorem: If there exists a safe, complete, well-labeled unwinding of program A, then A is safe.
Well-Labeled Unwinding An unwinding is well-labeled when... – ( ) = True –every edge is a valid Hoare triple –if (x,y) in C then y is not covered L=0 L=1; old=new [L!=0] L=0; new++ [new!=old] 6 [L!=0] 7 [new==old] T F L=0 F T T
Safe and Complete safe if every error vertex is labeled False complete if every non-terminal leaf is covered T 10 [L!=0] T 9 [new!=old] T 8 T L=0 L=1; old=new [L!=0] L=0; new++ [new!=old] F L=0 6 [L!=0] F L=0 7 [new==old] T old=new F F T... Theorem: A CFG with a safe complete unwinding is safe. 9 T
Why a Covered Vertex Cannot Cover? y covers x, w covers v y is covered (v≤y) –Ψ(x) Ψ(y) Every state reachable from x is reachable from y. –Ψ(v) Ψ(w) Every state reachable from v is reachable from w. Any state reachable from y should be reachable from w through its descendent z. NOT every state reachable from x is also reachable from z. z is the only vertex that is not covered. vw z yx T T pp p
Proof (Main Theorem) Let U’ be the set of uncovered vertices, and let function M map location l to \/{ψ(v) | M v (v) = l, v in U’} Let’s show that M is a safety invariant for A: –M(l i ) = TRUE – Given by the definition well-labeled unwinding –M(l f ) = FALSE – The unwinding is safe.
Proof (2) Let (l,T,m) be an action: –For every v in U’ M v (v) ≠ l M(l) = FALSE M(l) ΛT implies M(m)’ –There is a v in U’ such that M v (l) = v. Let us assume that there is an action (l,T,m) such that M(l) ΛT does not imply M(m)’. For every w in V such that M v (w) = m, w is covered. Let (v,w) be an edge in E. We know: ψ(v) ΛT implies ψ(w)’. Let u be the covering vertex of w. Then, ψ(w) ψ(u) and u is NOT covered. By adding the assumption that if u covers w then M v (u) = M v (w) we get a contradiction. (ψ(v) ΛT implies ψ(u)’ M(l) Λ T implies M(m)’)
Predicate Abstraction Predicates are defined over system states –X = Y; counter < 100; etc. –Keeps track of certain predicates on data. –Captures relationship between variables. States satisfying the same predicate are equivalent in the abstract model. Merged into the same abstract state. Abstract state space is always finite.
Predicate Abstraction (2) Calculating strongest post-condition over the given set of predicates. Abstract post computation is very expansive. –For N predicates there are possibly 2^2N transitions Information computed about predicates may be irrelevant.
PA with CEGAR Loop Model check abstraction M’ Choose initial M’ Can extend Cex from M’ to M? Add predicates to M’ true, done Cex yes, Cex no Choose predicates to refute cex's –Generalizes failures Still performs expensive deduction without justification –strongest Boolean post-condition Fails to learn from past –Start fresh each iteration –Forgets expensive deductions
Lazy Predicate Abstraction Unwind the program CFG into a tree –Refine paths as needed to refute errors ERR! x=y y=0 Add predicates along path to allow refutation of error Refinement is local to an error path Search continues after refinement –Do not start fresh -- no big CEGAR loop Previously useful predicates applied to new vertices
Lazy Predicate Abstraction (2) Procedure Expand (v in V) if v is uncovered leaf then for all actions (M v (v),T,m) in Δ add a new vertex w to V and a new edge (v,w) to E; M v (w) = m and ψ(w) = post PA (ψ(v),T) M e (v,w) = T Procedure Refine (v in V) if M v (v) = l f and ψ(v) != FALSE then let π = (v 0,T 0,v 1 )…(v n-1,T n-1,v n ) be the unique path from ε to v. pivot = BackwardCexAnalysis(v, π ); if pivot != NULL then AddNewPredicates(pivot); else abort (program is unsafe) Procedure Cover (v,w in V) if v is uncovered and M v (v) = M v (w) and ((v ≤ w)=FALSE) then if ψ(v) ψ(w) then add(v,w) to C delete all (x,y) in C, s.t. v≤y
Example - Lazy PA Error is hit – check if the path is feasible –Backwards CEX analysis (weakest precondition) Refinement… L=0 L=1; old=new [L!=0] L=0; new++ [new==old] [new!=old] control-flow graph T L=0 L= L=0 L=1; old=new [L!=0] [new!=old] 6 [L!=0] F L=1 {L=1} {L=1 /\ new != old} {L=0 /\ new != new} Pivot
Example (2) - Refinement A theorem prover is used to do the emptiness check at pivot point. –Path: L’=1 Λ old’=new Λ T Λ new != old’ Λ L’!=0 –R: L=0 –Formula: R Λ Path –The result is UnSAT –The reason: old’=new, new!=old’ Add the predicate old=new T L=0 L= L=0 L=1; old=new [L!=0] [new!=old] 6 [L!=0] F L=1 {L=1} {L=1} /\ new != old {L=0} /\ new != new Pivot
Example (3) - MC F L=0 F L=0 Λ old!=new L=1 Λ old=new F F T L=0 Λ old!=new L=0 L=1; old=new [L!=0] L=0; new++ [new!=old] 6 [L!=0] 7 [new==old] [L!=0] [new!=old] 8 9 F L=0 L=1; old=new [L!=0] L=0; new++ [new==old] [new!=old] control-flow graph
LA – Is It Really That Good? Predicates are being stored locally according to their relevance to the program location. –Computation of post-condition transformer is less expansive. –Still, computing the strongest post-condition transformer. The refinement is local. No fresh restart after refinement is being done –Part of the information computed is being used LA spends most of its time in predicate image operation. The solution…
Interpolants from Proofs Given a pair of formulas (A,B) such that A /\ B is inconsistent, an interpolant for (A,B) is a formula Ā with the following properties: –A implies Ā, –Ā /\ B is unsatisfiable, and –Ā is in L(A) ∩ L(B) Interpolant always exists for inconsistent formulas in FOL (Craig’s lemma)
Interpolants for Sequences We want to handle program paths, therefore a generalization of interpolant is needed. Given a sequence of formulas Γ = A 1,A 2,…,A n, we say that Ā 0, Ā 1,…, Ā n is in an interpolant for Γ when: –Ā 0 = TRUE and Ā n = FALSE, –For all 1≤i≤n, Ā i-1 /\ A i implies Ā i, and –For all 1≤i≤n, Ā i is in L(A 1,…,A i )∩L(A i+1,…,A n ) If Γ is quantifier-free we can derive a quantifier-free interpolant for Γ (from the refutation of Γ )
Interpolants for Sequences (2) A1A1 A2A2 A3A3 AkAk... Ā1Ā1 Ā2Ā2 Ā3Ā3 Ā k-1... TrueFalse An intuition… So this is a structured refutation of A 1,…,A k
Interpolants as Floyd-Hoare proofs False x 1 =y 0 True y 1 >x 1 1. Each formula implies the next 2. Each is over common symbols of prefix and suffix 3. Begins with true, ends with false Path refinement procedure SSA sequence Prover Interpolation Path Refinement proof structured proof x=y; y++; [x=y] x 1 = y 0 y 1 =y 0 +1 x1y1x1y1
Lazy PA with Interpolants (2) Procedure Expand (v in V) if v is uncovered leaf then for all actions (M v (v),T,m) in Δ add a new vertex w to V and a new edge (v,w) to E; M v (w) = m and ψ(w) = T ; M e (v,w) = T; Procedure Refine (v in V) if M v (v) = l f and ψ(v) != FALSE then let π = (v 0,T 0,v 1 )…(v n-1,T n-1,v n ) be the unique path from ε to v. if U(π) has an interpolant A’ 0,…,A’ n then for i=0…n: let Φ = A’ i (-i) if ψ does not imply Φ then remove all pairs (,v i ) from C set ψ(v i ) = ψ(v i )Λ Φ
The Example do{ lock(); old = new; if(*){ unlock(); new++; } } while (new != old); program fragment L=0 L=1; old=new [L!=0] L=0; new++ [new==old] [new!=old] control-flow graph Property: lock() is not called if the lock is already being held.
1 L=0 T 2 [L!=0] T Unwinding the CFG L=0 L=1; old=new [L!=0] L=0; new++ [new==old] [new!=old] control-flow graph 0 T F L=0 Label error state with false, by refining labels on path
6 [L!=0] T 5 [new!=old] T 4 L=0; new++ T 3 L=1; old=new T Unwinding the CFG L=0 L=1; old=new [L!=0] L=0; new++ [new==old] [new!=old] control-flow graph 0 12 L=0 [L!=0] F L=0 T Covering: state 5 is subsumed by state 1. F L=0 old=new
11 [L!=0] T 10 [new!=old] T 8 T Unwinding the CFG L=0 L=1; old=new [L!=0] L=0; new++ [new==old] [new!=old] control-flow graph L=0 L=1; old=new [L!=0] L=0; new++ [new!=old] F L=0 6 [L!=0] F L=0 7 [new==old] T old=new F F T Another cover. Unwinding is now complete. 9 T
Covering Step If (x) (y)... –add covering arc (x, y) to C –remove all (z, w) in C for w descendant of y x≤y x=y X We restrict covers to be descending in a suitable total order on vertices. This prevents covering from diverging.
Covering Step (2) Covering one vertex may result in uncovering others. –Applying covering non-deterministically may not terminate. A total order is defined ◄ on the vertices. –Respects the ancestor relation. v ≤ w v ◄ w Can be defined by a preorder traversal of the tree. Cover is only applied to (v,w) if w ◄ v. –If by adding (v,w) we remove (x,y) where v ≤ y. By transitivity we get v ◄ x. –Covering a vertex v can result in uncovering vertices greater then v. Therefore, we cannot apply covering infinitely.
Refinement Step Label an error vertex False by refining the path to that vertex with an interpolant for that path. By refining with interpolants, we avoid predicate image computation. T T T T T T T x = 0 [x=y] [x y] y++ [y=0] y=2 x=0 y=0 y0y0 F X Refinement may remove covers
The Complete Algorithm A vertex v is said to be closed if either it is covered or no covering arc (v,w) can be added to C (while maintaining well-labeledness). –Procedure Close(v in V) For all w in V s.t. w ◄ v and M v (v) = M v (w): Cover(v,w) –Procedure DFS(v in V) Close(v) if v is uncovered then if M v (v) = l f then Refine(v); for all w ≤ v: Close(w) Expand(v); for all children w of v: DFS(w)
The Complete Algorithm (2) Procedure Unwind() V = {ε}, E = Φ, ψ(ε) = True, C = Φ While there exists an uncovered leaf v in V: for all w in V s.t. w ≤ v: Close(w); DFS(v); Theorem: If procedure Unwind terminates without aborting on a program A, then A is safe. –Proof: Expand, Refine and Cover alter the unwinding and all preserve well-labeledness, the resulting unwinding is well- labeled. –All vertices are refined The unwinding is safe –Terminates when there are no more uncovered leaves Complete.
Something about Interpolant A(X,Y) Λ B(Y,Z) ≡ FALSE –There exists I(Y) such that A(X,Y) I(Y) I(Y) Λ B(Y,Z) ≡ FALSE The “best” interpolant: – – Interpolantion is an Existential Quantification