1 Testing, Abstraction, Theorem Proving: Better Together! Greta Yorsh joint work with Thomas Ball and Mooly Sagiv.

Slides:



Advertisements
Similar presentations
Demand-driven inference of loop invariants in a theorem prover
Advertisements

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Modular and Verified Automatic Program Repair Francesco Logozzo, Thomas Ball RiSE - Microsoft Research Redmond.
An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.
Introduction to Formal Methods for SW and HW Development 09: SAT Based Abstraction/Refinement in Model-Checking Roberto Sebastiani Based on work and slides.
SAT Based Abstraction/Refinement in Model-Checking Based on work by E. Clarke, A. Gupta, J. Kukula, O. Strichman (CAV’02)
Shape Analysis by Graph Decomposition R. Manevich M. Sagiv Tel Aviv University G. Ramalingam MSR India J. Berdine B. Cook MSR Cambridge.
50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Inferring Disjunctive Postconditions Corneliu Popeea and Wei-Ngan Chin School of Computing National University of Singapore - ASIAN
1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)
Abstraction for Falsification Thomas Ball Orna Kupferman Greta Yorsh Microsoft Research, Redmond, US Hebrew University, Jerusalem, Israel Tel Aviv University,
Hybrid Concolic Testing Rupak Majumdar Koushik Sen UC Los Angeles UC Berkeley.
SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:
Using Statically Computed Invariants Inside the Predicate Abstraction and Refinement Loop Himanshu Jain Franjo Ivančić Aarti Gupta Ilya Shlyakhter Chao.
Counterexample-Guided Focus TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAA A A A AA A A Thomas Wies Institute of.
Abstractions. Outline Informal intuition Why do we need abstraction? What is an abstraction and what is not an abstraction A framework for abstractions.
Establishing Local Temporal Heap Safety Properties with Applications to Compile-Time Memory Management Ran Shaham Eran Yahav Elliot Kolodner Mooly Sagiv.
Synergy: A New Algorithm for Property Checking
1 Predicate Abstraction of ANSI-C Programs using SAT Edmund Clarke Daniel Kroening Natalia Sharygina Karen Yorav (modified by Zaher Andraus for presentation.
CS 267: Automated Verification Lectures 14: Predicate Abstraction, Counter- Example Guided Abstraction Refinement, Abstract Interpretation Instructor:
Program analysis Mooly Sagiv html://
Automatically Validating Temporal Safety Properties of Interfaces Thomas Ball and Sriram K. Rajamani Software Productivity Tools, Microsoft Research Presented.
Houdini: An Annotation Assistant for ESC/Java Cormac Flanagan and K. Rustan M. Leino Compaq Systems Research Center.
Modular Shape Analysis for Dynamically Encapsulated Programs Noam Rinetzky Tel Aviv University Arnd Poetzsch-HeffterUniversität Kaiserlauten Ganesan RamalingamMicrosoft.
Synthesis of Interface Specifications for Java Classes Rajeev Alur University of Pennsylvania Joint work with P. Cerny, G. Gupta, P. Madhusudan, W. Nam,
Michael Ernst, page 1 Improving Test Suites via Operational Abstraction Michael Ernst MIT Lab for Computer Science Joint.
Overview of program analysis Mooly Sagiv html://
Computing Over­Approximations with Bounded Model Checking Daniel Kroening ETH Zürich.
Modular Shape Analysis for Dynamically Encapsulated Programs Noam Rinetzky Tel Aviv University Arnd Poetzsch-HeffterUniversität Kaiserlauten Ganesan RamalingamMicrosoft.
1 Abstraction Refinement for Bounded Model Checking Anubhav Gupta, CMU Ofer Strichman, Technion Highly Jet Lagged.
Invisible Invariants: Underapproximating to Overapproximate Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.
Program Analysis Mooly Sagiv Tel Aviv University Sunday Scrieber 8 Monday Schrieber.
Overview of program analysis Mooly Sagiv html://
Formal Verification of SpecC Programs using Predicate Abstraction Himanshu Jain Daniel Kroening Edmund Clarke Carnegie Mellon University.
Cormac Flanagan University of California, Santa Cruz Hybrid Type Checking.
State coverage: an empirical analysis based on a user study Dries Vanoverberghe, Emma Eyckmans, and Frank Piessens.
By D. Beyer et. al. Simon Fraser University (Spring 09) Presentation By: Pashootan Vaezipoor.
Thread-modular Abstraction Refinement Thomas A. Henzinger, et al. CAV 2003 Seonggun Kim KAIST CS750b.
7/13/2003BMC A SAT-Based Approach to Abstraction Refinement in Model Checking Bing Li, Chao Wang and Fabio Somenzi University of Colorado at Boulder.
Dagstuhl Seminar "Applied Deductive Verification" November Symbolically Computing Most-Precise Abstract Operations for Shape.
Software Engineering Prof. Dr. Bertrand Meyer March 2007 – June 2007 Chair of Software Engineering Static program checking and verification Slides: Based.
1 Employing decision procedures for automatic analysis and verification of heap-manipulating programs Greta Yorsh under the supervision of Mooly Sagiv.
Program Analysis with Dynamic Change of Precision Dirk Beyer Tom Henzinger Grégory Théoduloz Presented by: Pashootan Vaezipoor Directed Reading ASE 2008.
Shape Analysis Overview presented by Greta Yorsh.
Rule Checking SLAM Checking Temporal Properties of Software with Boolean Programs Thomas Ball, Sriram K. Rajamani Microsoft Research Presented by Okan.
Aditya V. Nori, Sriram K. Rajamani Microsoft Research India.
Lazy Abstraction Jinseong Jeon ARCS, KAIST CS750b, KAIST2/26 References Lazy Abstraction –Thomas A. Henzinger et al., POPL ’02 Software verification.
Symbolically Computing Most-Precise Abstract Operations for Shape Analysis Greta Yorsh Thomas Reps Mooly Sagiv Tel Aviv University University of Wisconsin.
Convergence of Model Checking & Program Analysis Philippe Giabbanelli CMPT 894 – Spring 2008.
Symbolic Execution with Abstract Subsumption Checking Saswat Anand College of Computing, Georgia Institute of Technology Corina Păsăreanu QSS, NASA Ames.
Localization and Register Sharing for Predicate Abstraction Himanshu Jain Franjo Ivančić Aarti Gupta Malay Ganai.
Lecture 5 1 CSP tools for verification of Sec Prot Overview of the lecture The Casper interface Refinement checking and FDR Model checking Theorem proving.
Properties Incompleteness Evaluation by Functional Verification IEEE TRANSACTIONS ON COMPUTERS, VOL. 56, NO. 4, APRIL
ECE/CS 584: Verification of Embedded Computing Systems Model Checking Timed Automata Sayan Mitra Lecture 09.
CUTE: A Concolic Unit Testing Engine for C Koushik SenDarko MarinovGul Agha University of Illinois Urbana-Champaign.
Concrete Model Checking with Abstract Matching and Refinement Corina Păsăreanu QSS, NASA Ames Research Center Radek Pelánek Masaryk University, Brno, Czech.
Synergy: A New Algorithm for Property Checking Bhargav S. Gulavani (IIT Bombay)‏ Yamini Kannan (Microsoft Research India)‏ Thomas A. Henzinger (EPFL)‏
Property-Guided Shape Analysis S.Itzhaky, T.Reps, M.Sagiv, A.Thakur and T.Weiss Slides by Tomer Weiss Submitted to TACAS 2014.
Combining Static and Dynamic Reasoning for Bug Detection Yannis Smaragdakis and Christoph Csallner Elnatan Reisner – April 17, 2008.
/ PSWLAB Evidence-Based Analysis and Inferring Preconditions for Bug Detection By D. Brand, M. Buss, V. C. Sreedhar published in ICSM 2007.
1 Iterative Program Analysis Mooly Sagiv Tel Aviv University Textbook: Principles of Program.
1 Alan Mishchenko Research Update June-September 2008.
Presentation Title 2/4/2018 Software Verification using Predicate Abstraction and Iterative Refinement: Part Bug Catching: Automated Program Verification.
Symbolic Implementation of the Best Transformer
Property Directed Reachability with Word-Level Abstraction
Over-Approximating Boolean Programs with Unbounded Thread Creation
Symbolic Characterization of Heap Abstractions
A Semantics for Procedure Local Heaps and its Abstractions
Predicate Abstraction
Presentation transcript:

1 Testing, Abstraction, Theorem Proving: Better Together! Greta Yorsh joint work with Thomas Ball and Mooly Sagiv

2Motivation Traditionally, Find errors using testing Prove absence of errors using static analysis –abstract interpretation –theorem proving Recently, finding errors by a combination of static and dynamic analyses Our method: leverage on existing tests to prove absence of errors Static Analysis Testing 1. 2.

3 Main Result A new method for static analysis –leverages on concrete executions –computes program invariants –sound –complete with respect to abstract interpreter –terminates

4 The idea test set executionMonitor existing test set execution AbstractionAbstraction to generalize from a test set Theorem proverTheorem prover to check soundness

5 T’ abstraction  program P Execute Abstract CTCT Check invariant(A T,P) ATAT Check safety properties yes potential error Fabricate tests test set T no verified The Core Algorithm

6 void foo(int x, int y){ int *px = NULL; A: x = x + 1; B: if (x < 4) C: px = &x; D: if (px == &y) E: x = x + 1; F: if (x < 5) G: *px = *px + 1; H: return; } [pc, x, y, px ] Concrete State pc, x<5, px== NULL Abstraction predicates: foo(2,0)foo(6,0)foo(11,0)Test set T :

7 void foo(int x, int y){ int *px = NULL; A: x = x + 1; B: if (x < 4) C: px = &x; D: if (px == &y) E: x = x + 1; F: if (x < 5) G: *px = *px + 1; H: return; } foo(3,0)foo(2,0)foo(6,0)foo(11,0) pc, x<5, px== NULL Abstraction predicates: (A,t,t) (B,t,t) (C,t,t) (D,t,f) (F,t,f) (G,t,f) (H,t,f) (A,f,t) (B,f,t) (D,f,t) (F,f,t) (H,f,t) Check invariant(A T,foo) Test set T : [B,4,0, NULL ] [D,4,0, NULL ] Fabricated States

8 b d A,t,t C,t,t D,t,f F,t,f G,t,f H,t,f F,t,t E,t,f G,t,t F,f,f H,f,f A,f,t B,f,t D,f,t F,f,t H,f,t foo(2,0)foo(11,0) foo(3,0) B,t,t D,t,t foo(6,0) void foo(int x, int y){ int *px = NULL; A: x = x + 1; B: if (x < 4) C: px = &x; D: if (px == &y) E: x = x + 1; F: if (x < 5) G: *px = *px + 1; H: return; } Finding a bug [pc, x, y, px ] (pc, x<5, px== NULL ) Concrete State Abstract State

9 T’ abstraction  program P Execute Abstract CTCT Check invariant(A T,P) ATAT Check safety properties yes potential error Fabricate tests test set T no verified The Core Algorithm

10 What does it require? Execution from fabricate states –fault injection or debugger Check invariants using a theorem prover Fabricate states using counter-examples from the theorem prover

11 Using Theorem Provers Calls to a theorem prover –can be expensive –timeout potentially causes loss of precision –not always generate concrete counter-example Our method is oriented towards finding a proof rather than detecting errors Checking invariants requires less theorem prover calls than computing invariants

12 void foo(int x, int y){ int *px = NULL; A: x = x + 1; B: if (x < 5) C: px = &x; D: if (px == &y) E: x = x + 1; F: if (x < 5) G: *px = *px + 1; H: return; } foo(3,0)foo(2,0)foo(6,0)foo(11,0) pc, x<5, px== NULL Abstraction predicates: Test set T : Check invariant(A T,foo) [D,4,0,&y ] [E,4,0,&y ]

13 e’ A,t,t B,t,t C,t,t F,t,f G,t,f H,t,f F,f,f H,f,f A,f,t B,f,t D,f,t F,f,t H,f,t fixed_foo(2,0)fixed_foo(11,0) d’ D,t,f E,t,f fixed_foo(6,0) pc, x<5, px==NULL void foo(int x, int y){ int *px = NULL; A: x = x + 1; B: if (x < 5) C: px = &x; D: if (px == &y) E: x = x + 1; F: if (x < 5) G: *px = *px + 1; H: return; } Finding a proof

14 Bisimulation – every error is real Weak reachability – every abstract state represents a feasible concrete state Simulation –error in concrete system is error in abstract system –avoids refinements unnecessary to prove the property (our method) Checking Invariants BisimulationWeak reachabilitySimulation less precise more precise (our method)

15 2-Process Bakery Proof by Bisimulation –results from [C. Pasareanu et. al. - CAV’05] –5 refinement steps Our method –invariant with 17 abstract states –no refinement

16 A,A,t B,A,t A,A,f C,A,t A,B,t B,B,t D,A,t C,A,f C,B,t D,B,t C,C,t D,C,t A,C,t B,C,t C,C,f C,D,f C,B,f 2-Process Bakery An invariant with 17 abstract states

17 void foo(int x, int y){ int *px = NULL; A: x = x + 1; B: if (x < 5) C: px = &x; D: if (px == &y) E: x = x + 1; F: if (x < 5) G: *px = *px + 1; H: return; } foo(3,0)foo(2,0)foo(6,0)foo(11,0) pc, x<10, px== NULL Abstraction predicates: Test set T :

18 A,t,t B,t,t C,t,t D,t,f F,t,f G,t,f H,t,f E,t,f F,f,f H,f,f H,t,t fixed_foo(2,0) fixed_foo(6,0) F,t,t G,t,t f’ D,t,t g’ A,f,t B,f,t D,f,t F,f,t H,f,t fixed_foo(11,0) pc, x<10, px==NULL void foo(int x, int y){ int *px = NULL; A: x = x + 1; B: if (x < 5) C: px = &x; D: if (px == &y) E: x = x + 1; F: if (x < 5) G: *px = *px + 1; H: return; } Finding a false error

19 abstraction  T’ program P Execute Abstract CTCT Check invariant(A T,P) ATAT Check safety properties yes potential error Fabricate tests test set T no verified The Algorithm classify errors false alarm refine abstraction real error abstraction  ’

20 Abstract Interpretation Potentially more efficient –execution and abstraction of concrete states is fast –avoid abstract transformers for parametric domains –no static abstract transition system –one concrete state can “discover” many abstract states Potentially more precise –the result is the least fixpoint w.r.t.  (if all theorem prover calls were conclusive)

21 Hybrid Approach It is sound to stop the concrete execution at any moment and check invariant(A,P) Alternate between concrete execution and abstract interpretation Tune the performance of the analysis execution time vs. theorem proving time –timeout new abstract state not covered – while (x < 10 6 ) x++;

22 a0a0...

23 Further Research Directions Robust implementation and evaluation –based on a SAT solver Fabricated states –cover more abstract states –turn fabricated traces into concrete traces –guide refinement Benefits for testing –new notion of coverage related to errors –eliminate redundant tests –infer procedures pre- and post-conditions –unit tests generation

24 The Most Related Work [T.Reps et al. – VMCAI’04 ] Best abstract transformers for statements [T.Ball – FMCO’04] Weak reachability [D.Lee, M.Yannakakis – STOC’92] [C. Pasareanu et. al. - CAV’05] Bisimulation

25Summary A new method for static analysis –computing invariants –leverage existing test suite –Abstraction to generalize from a test –Theorem prover to check soundness –Model generator to create new tests Potentially faster and more precise than abstract interpretation Explain abstract interpretation in terms of concrete execution and abstraction

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.