Predicate Abstraction of ANSI-C Programs Using SAT By Edmund Clarke, Daniel Kroening, Natalia Sharygina, Karen Yorav Presented by Yunho Kim Provable Software Lab, KAIST

Contents Predicate Abstraction of ANSI-C Programs Using SAT, Yunho Kim, Provable Software Lab, KAIST2/23 Introduction Preparation of C code Abstraction using SAT Model checking Conclusion

A simple C code has too many states for exhaustive analysis However, what we really need is ‘x is 0 or not’, not the concrete value of x Introduction(1/3) Predicate Abstraction of ANSI-C Programs Using SAT, Yunho Kim, Provable Software Lab, KAIST3/23 Example(unsigned int x) L1: while(x>1) { L2: if (x%2 == 1) L3: x = 3*x+1; else L4: x = x/2; } L5: assert(x != 0); Initial Value of x 012 … Program Counter L1 L2 L3 L4 L5 … Final

Predicate is a function which returns a Boolean value – A function π : X→ {true, false} is a predicate on X States satisfying same predicates are equivalent Introduction(2/3) Predicate Abstraction of ANSI-C Programs Using SAT, Yunho Kim, Provable Software Lab, KAIST4/23 π = false Value of x 012 … Program Counter L1 L2 L3 L4 L5 … π=true Predicate Abstraction π = true π = false π ⇔ (x = 0)

Introduction(3/3) Predicate Abstraction of ANSI-C Programs Using SAT, Yunho Kim, Provable Software Lab, KAIST5/23 Overview of predicate abstraction process Predicate Abstraction Model Checking Predicate Refinement Spurious? C program Spec φ Boolean Program Spurious Counterexample φ false + counterexample φ true φ Today’s focus: How to make a Boolean program effectively and efficiently from a given C program and a set of predicates

Contents Predicate Abstraction of ANSI-C Programs Using SAT, Yunho Kim, Provable Software Lab, KAIST6/23 Introduction Preparation of C code Abstraction using SAT Model checking Conclusion

Preparation of C code(1/3) Predicate Abstraction of ANSI-C Programs Using SAT, Yunho Kim, Provable Software Lab, KAIST7/23 Abstraction function (predicates) Concrete transition (basic block) Concrete next state Concrete state Abstract state Abstract next state Abstract transition Abstraction function (predicates)

Preparation of C code(2/3) Predicate Abstraction of ANSI-C Programs Using SAT, Yunho Kim, Provable Software Lab, KAIST8/23 Transform C program into goto-program – Function inlining Recursion is not supported – Loop is rewritten using if and goto statements – Side-effects are removed x = 5+(++i); i = i+1; x = 5+i;

Preparation of C code(3/3) Predicate Abstraction of ANSI-C Programs Using SAT, Yunho Kim, Provable Software Lab, KAIST9/23 goto-program example goto-program 1. int global; 2. int x, i; 3. global = 1; 4. i = i+1; 5. x = 5+i; 6. if (!x) goto L1; 7. global = 2; 8. goto L2; 9. L1: global = 3; 10. L2: C program 1. int global; 2. int func(){ 3. global = 1; 4. } int main(){ 7. int x, i; 8. func(); 9. if ((x = 5+(++i))){ 10. global = 2; 11. } 12. else{ 13. global = 3; 14. } 15. }

Contents Predicate Abstraction of ANSI-C Programs Using SAT, Yunho Kim, Provable Software Lab, KAIST10/23 Introduction Preparation of C code Abstraction using SAT Model checking Conclusion

Abstraction using SAT(1/9) Predicate Abstraction of ANSI-C Programs Using SAT, Yunho Kim, Provable Software Lab, KAIST11/23 Definition – v is the vector of all concrete program variables v v is a state of a concrete program Program counter is considered as a variable – b denotes the vector of all Boolean variables b b is a state of a Boolean program Each predicate π i is associated with a Boolean variable b i – π denotes the vector of predicates π i π( v ) is called the abstraction function, π( v ) = b

Abstraction using SAT(2/9) Predicate Abstraction of ANSI-C Programs Using SAT, Yunho Kim, Provable Software Lab, KAIST12/23 Definition (con’t) – T is a concrete transition relation which maps a concrete state v into a concrete next state v ’ – B is an abstract transition relation which maps an abstract state b into an abstract next state b ’

Abstraction using SAT(3/9) Predicate Abstraction of ANSI-C Programs Using SAT, Yunho Kim, Provable Software Lab, KAIST13/23 Abstraction function (predicates) Concrete transition (basic block) Concrete next state Concrete state Abstract state Abstract next state Abstract transition Abstraction function (predicates) Example(unsigned int x) L1: while(x>1) { L2: if (x%2 == 1) L3: x = 3*x+1; else L4: x = x/2; } L5: assert(x != 0); PC=L4, x = 3PC’=L1, x’ = 1 b = false π ⇔ (x = 0) b = false

Abstraction using SAT(4/9) Predicate Abstraction of ANSI-C Programs Using SAT, Yunho Kim, Provable Software Lab, KAIST14/23 First defines the concrete transition relation of a basic block Each basic block consists of a sequence of assignments – Therefore do not consider control statements here T denotes the CNF formula representing the concrete transition relation

Abstraction using SAT(5/9) Predicate Abstraction of ANSI-C Programs Using SAT, Yunho Kim, Provable Software Lab, KAIST15/23 Translates a basic block into its Static Single Assignment(SSA) form Each v ’ in v ’ is the largest numbered SSA variable Basic block x = z * x; y = x + 1; x = x + y; SSA form v [x:=x 0, y:=y 0, z:=z 0 ] x 1 = z 0 * x 0 ; y 1 = x 1 + 1; x 2 = x 1 + y 1 ; v ’[x’:=x 2, y’:=y 1, z’:=z 0 ] T ( v, v ’) CNF formula

Abstraction using SAT(6/9) Predicate Abstraction of ANSI-C Programs Using SAT, Yunho Kim, Provable Software Lab, KAIST16/23 Assignments and arithmetic operations are translated into CNF formula Assume that x,y,z are three bits positive integers represented by propositions x 0 x 1 x 2, y 0 y 1 y 2, z 0 z 1 z 2 C  z=x+y  ( z 0  ( x 0 ⊕ y 0 ) ⊕ ( ( x 1 ∧ y 1 ) ∨ (( x 1 ⊕ y 1 )∧( x 2 ∧ y 2 ))) ∧ ( z 1  ( x 1 ⊕ y 1 ) ⊕ ( x 2 ∧ y 2 )) ∧ ( z 2  (x 2 ⊕ y 2 ))

Abstraction using SAT(7/9) Predicate Abstraction of ANSI-C Programs Using SAT, Yunho Kim, Provable Software Lab, KAIST17/23 The abstract transition relation B ( b, b ’) is defined using π as follows:

Abstraction using SAT(8/9) Predicate Abstraction of ANSI-C Programs Using SAT, Yunho Kim, Provable Software Lab, KAIST18/23 Example Basic block d = e; e = e+1; SSA form v [d:=d 0, e:=e 0 ] d 1 = e 0 e 1 = e 0 +1 v ’[d’:=d 1, e’:=e 1 ] SAT formula (b 1  (e 0 ≥0)) ∧ (b 2  (e 0 ≤100)) ∧ d 1 =e 0 ∧ e 1 =e 0 +1 ∧ (b 1 ’=(e 1 ≥0)) ∧ (b 2 ’=(e 1 ≤100)) Predicates: π 1 = e ≥ 0 π 2 = e ≤ 100 b1b1 b2b2 b1’b1’b2’b2’ All satisfying assignments obtained using SAT solver

Abstraction using SAT(9/9) Predicate Abstraction of ANSI-C Programs Using SAT, Yunho Kim, Provable Software Lab, KAIST19/23 The condition in if statement can be a predicate Control statement x = 0; if (x<2) x = x+1; SAT formula b 1  x 0 <2 ∧ x 1 =0 ∧ b 1 ’  x 1 <2 ∧ Predicate: π 1 = x < 0 b 1 ’  x 1 <2 ∧ x 2 =x 1 +1 ∧ b 1 ’’  x 2 <2 ┐ (b 1 ’  x 1 <2) ∧ x 2 =x 1 ∧ b 1 ’’=b 1 ’ ∨

Contents Predicate Abstraction of ANSI-C Programs Using SAT, Yunho Kim, Provable Software Lab, KAIST20/23 Introduction Preparation of C code Abstraction using SAT Model checking Conclusion

Model checking(1/1) Predicate Abstraction of ANSI-C Programs Using SAT, Yunho Kim, Provable Software Lab, KAIST21/23 Model checker tries to find a counterexample of the generated Boolean program model. If no counterexample is found, the concrete program satisfies given requirements. If a counterexample is found, check its feasibility – If the counterexample is infeasible, refine predicates and re- run predicate abstraction process

Conclusion(1/1) Predicate Abstraction of ANSI-C Programs Using SAT, Yunho Kim, Provable Software Lab, KAIST22/23 Predicate abstraction using SAT performs better than theorem provers It can use sound abstraction with the power of SAT solver

References(1/1) Predicate Abstraction of ANSI-C Programs Using SAT, Yunho Kim, Provable Software Lab, KAIST23/23 Predicate abstraction of ANSI-C Programs Using SAT by Edmund Clarke, Daniel Kroening, Natasha Sharygina and Karen Yorav in Formal Methods in System Design, Vol. 25, pp , 2004