CHARME’03 Predicate abstraction with Minimum Predicates Sagar Chaki*, Ed Clarke*, Alex Groce*, Ofer Strichman** * Carnegie Mellon University ** Technion
Overview of MAGIC Specification S expressed using Labeled Transition Systems (LTS) Model M extracted from C programs using predicate abstraction (LTS) Checks if S weakly simulates M For this talk consider trace containment Supports most but not all of ANSI-C Pointers are handled by abstraction Recursion disallowed
Predicate abstraction int x,y L0:x = 1; L1:y = 1; L2:if (x == y) L3:y = 1; L4:elsey = 2; Control Flow Automaton
Predicate abstraction Control Flow Automaton Predicate inference
Predicate abstraction Predicate inferenceAbstract model
Counter Example Guided Abstraction Refinement Predicate Abstraction Abstract Model predicates Model Checking Yes Model P Property M Counter Example Counterexample concrete? Yes Refinement No More predicates No P = P ’
Example Existing methods accumulate predicates: Ideally we should choose (A == 0) A = 0; if(A == 0) B = 0; if(B == 0) ERRORC = 0; if(C == 0) ERROR No Yes CE1 CE1: (B == 0) or (A==0) CE2 CE2: (C == 0) or (A==0)
Optimization Problem Given a set of Candidate Predicates CP, find a minimal subset p µ CP s.t. A ( M, CP ) ² ! A ( M, p ) ² If -- no predicates are necessary. Only luck… If -- not relevant
Counter Example Guided Abstraction Refinement Predicate Abstraction Abstract Model predicates Model Checking Yes Counter Example Counterexample concrete? Yes Refinement No More Predicates No Model P Property M P = P ’ T
Counter Example Guided Abstraction Refinement Predicate Abstraction Abstract Model predicates Model Checking Yes Counter Example Counterexample concrete? Yes Refinement No Different Predicates No Model P Property M P = P ’ T
A(M,P)² A(M,P)² Yes Counter- example Pass CP = Candidate Predicates P == CP Yes Undecided No Algorithm Sample and Eliminate T = T [ Find minimal P2CP that eliminates T Impossible possible P = concrete Yes Fail No
Minimization problem Given a set of spurious traces T A set of candidate predicates CP Find the smallest subset p 2 CP that eliminates all traces in T (If impossible return ‘undecided’)
Solution with 0-1 ILP (or PBS) Derive a mapping from each trace t 2 T to the set of sets of predicates in CP that eliminate it First… Encode each predicate p 2 CP with a Boolean variable p b Second…
Solution with 0-1 ILP (or PBS) Derive s.t. every satisfying assignment to corresponds to a set of predicates that eliminate T. Third… Among all satisfying assignments, find the one that minimizes the number of selected predicates ( min p b ) Fourth…
Solution with 0-1 ILP (or PBS) Example Let { p 1, p 3 },{ p 2, p 3, p 5 } be the set of sets of predicates that eliminate t 1 Let { p 2, p 3 },{ p 3, p 4, p 7 } be the set of sets of predicates that eliminate t 2 Min p i s.t. t 1 : (( p 1 Æ p 2 ) Ç ( p 2 Æ p 3 Æ p 5 )) Æ t 2 : (( p 2 Æ p 3 ) Ç ( p 3 Æ p 4 Æ p 7 ))
Avoiding an exponential no. of constraints Try only combinations up to size k In almost all examples we tried, counterexample traces could be eliminated with individual predicates. Use data flow analysis and only combine branches that are related
Experiments Open SSL - 20 properties of the Handshake mechanism of Open SSL. On average 350 lines of C code per property after slicing 5 examples from the BLAST benchmark set
Comparison with BLAST BLAST applies Lazy Abstraction Lazy abstraction is orthogonal to predicate minimization BLAST looks for fix point of the loops (for a given set of predicates) with theorem prover calls Magic unrolls loops up to a given bound (Conclusion: Not an entirely fair comparison)
Results (time in sec.)
Number of predicates
Memory (MB)
Solution with 0-1 ILP (or PBS) Let k ( t ), 0 · k ( t ) · 2 | cp | be the number of sets that eliminate t Let l(t,i,j)2CP be the j th literal in the i th set (1 · i · k ( t )) that eliminates t. Third…