Presentation is loading. Please wait.

Presentation is loading. Please wait.

Abstractions from Proofs

Published byJaana Hukkanen Modified over 5 years ago

Similar presentations

Presentation on theme: "Abstractions from Proofs"— Presentation transcript:

1 Abstractions from Proofs
Thomas A. Henzinger Ranjit Jhala [UC Berkeley] Rupak Majumdar [UC Los Angeles] Kenneth L. McMillan [Cadence Berkeley Labs]

2 Scalable Program Verification
Little theorems about big programs Partial Specifications Device drivers use kernel API correctly Applications use root privileges correctly Behavioral, path-sensitive properties

3 Predicate Abstraction: A crash course
Error Initial Program State Space Abstraction Abstraction: Predicates on program state Signs: x > 0 Aliasing: &x  &y States satisfying the same predicates are equivalent Merged into single abstract state

4 (Predicate) Abstraction: A crash course
Error Initial Program State Space Abstraction Q1: Which predicates are required to verify a property ?

5 Scalability vs. Verification
Few predicates tracked e.g. type of variables Imprecision hinders Verification Spurious counterexamples Many predicates tracked e.g. values of variables State explosion Analysis drowned in detail

6 Example Predicate p1 makes trace abstractly infeasible
while(*){ 1: if (p1) lock(); if (p1) unlock(); 2: if (p2) lock(); if (p2) unlock(); n: if (pn) lock(); if (pn) unlock(); } lock T F unlock scalability lock Only track lock Bogus Counterexample Must correlate branches Predicate p1 makes trace abstractly infeasible pi required for verification

7 How can we get scalable verification ?
Example while(*){ 1: if (p1) lock(); if (p1) unlock(); 2: if (p2) lock(); if (p2) unlock(); n: if (pn) lock(); if (pn) unlock(); } lock unlock scalability verification lock Only track lock Track lock, pi s Bogus Counterexample Must correlate branches State Explosion > 2n distinct states intractable How can we get scalable verification ?

8 By Localizing Precision
while (*) { 1: if (p1) lock(); if (p1) unlock(); 2: if (p2) lock(); if (p2) unlock(); n: if (pn) lock(); if (pn) unlock(); } p1 p2 pn Preds. Used locally Ex: 2 £ n states Preds. used globally Ex: 2n states Highlight WHERE … Q2: Where are the predicates required ?

9 Counterexample Guided Refinement
What predicates remove trace ? Make it abstractly infeasible Where are predicates needed ? Seed Abstraction Program Abstract Is model safe ? Check NO! (Trace) YES SAFE explanation explanation Why infeasible ? Refine BUG feasible Why infeasible ? [Kurshan et al. ’93] [Clarke et al. ’00] [Ball, Rajamani ’01]

10 Counterexample Guided Refinement
Seed Abstraction Program Abstract Is model safe ? Check NO! (Trace) YES SAFE explanation Why infeasible ? Refine BUG feasible

11 Counterexample Guided Refinement
safe Seed Abstraction Program Abstract Is model safe ? Check NO! (Trace) YES SAFE explanation Why infeasible ? Refine BUG feasible

12 This Talk: Counterexample Analysis
What predicates remove trace ? Make it abstractly infeasible Where are predicates needed ? Seed Abstraction Program Abstract Is model safe ? Check NO! (Trace) YES SAFE explanation Why infeasible ? Refine BUG feasible

13 Plan Motivation Refinement using Traces Simple Procedure calls Results

14 Counterexample Analysis
Q0: Is trace feasible ? Feasible Trace Refine Q1: What predicates remove trace ? Explanation of Infeasibility Q2: Where are preds required ? Feasible Y SSA Thm Pvr N Trace Trace Feasibility Formula Extract Predicate Map: Prog Ctr ! Predicates Proof of Unsat.

15 Counterexample Analysis
Q0: Is trace feasible ? Feasible Trace Refine Q1: What predicates remove trace ? Explanation of Infeasibility Q2: Where are preds required ? Feasible Y SSA Thm Pvr N Trace Trace Feasibility Formula Extract Predicate Map: Prog Ctr ! Predicates Proof of Unsat.

16 Traces pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr
pc4: if (x = i-1){ pc5: if (y != i){ ERROR: } } pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y  i) y = x +1

17 Trace Feasibility Formulas
pc1: x = ctr pc2: ctr = ctr+1 pc3: y = ctr pc4: assume(x=i-1) pc5: assume(yi) pc1: x1 = ctr0 pc2: ctr1 = ctr0+1 pc3: y1 = ctr1 pc4: assume(x1=i0-1) pc5: assume(y1i0) x1 = ctr0 Æ ctr1 = ctr0 + 1 Æ y1 = ctr1 Æ x1 = i0 - 1 Æ y1  i0 Trace SSA Trace Trace Feasibility Formula Theorem: Trace is Feasible , TFF is Satisfiable Compact Verification Conditions [Flanagan,Saxe ’00]

18 Counterexample Analysis
Q0: Is trace feasible ? Feasible Trace Refine Q1: What predicates remove trace ? Explanation of Infeasibility Q2: Where are preds required ? Feasible Y SSA Thm Pvr N Trace Trace Feasibility Formula Extract Predicate Map: Prog Ctr ! Predicates Proof of Unsat.

19 Counterexample Analysis
Q0: Is trace feasible ? Feasible Trace Refine Q1: What predicates remove trace ? Explanation of Infeasibility Q2: Where are preds required ? Feasible Y SSA Thm Pvr N Trace Trace Feasibility Formula Extract Predicate Map: Prog Ctr ! Predicates Proof of Unsat.

20 Proof of Unsatisfiability
x1 = ctr0 Æ ctr1 = ctr0 + 1 Æ y1 = ctr1 Æ x1 = i0 - 1 Æ y1  i0 x1 = ctr0 x1 = i0 -1 ctr0 = i0-1 ctr1= ctr0+1 ctr1 = i0 y1= ctr1 y1= i0 y1 i0 ; Trace Formula Proof of Unsatisfiability PROBLEM Proof uses entire history of execution Information flows up and down No localized or state information !

21 The Present State… … is all the information the
Trace pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y  i) … is all the information the executing program has here State… 1. … after executing trace prefix 2. … knows present values of variables 3. … makes trace suffix infeasible At pc4, which predicate on present state shows infeasibility of suffix ?

22 What Predicate is needed ?
Trace Trace Formula (TF) pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y  i) x1 = ctr0 Æ ctr1 = ctr0 + 1 Æ y1 = ctr1 Æ x1 = i0 - 1 Æ y1  i0 State… Predicate … 1. … after executing trace prefix 2. … has present values of variables 3. … makes trace suffix infeasible … implied by TF prefix

23 What Predicate is needed ?
Trace Trace Formula (TF) pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y  i) x1 = ctr0 Æ ctr1 = ctr0 + 1 Æ y1 = ctr1 Æ x1 = i0 - 1 Æ y1  i0 x1 x1 State… Predicate … 1. … after executing trace prefix 2. … has present values of variables 3. … makes trace suffix infeasible … implied by TF prefix … on common variables

24 What Predicate is needed ?
Trace Trace Formula (TF) pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y  i) x1 = ctr0 Æ ctr1 = ctr0 + 1 Æ y1 = ctr1 Æ x1 = i0 - 1 Æ y1  i0 State… Predicate … 1. … after executing trace prefix 2. … has present values of variables 3. … makes trace suffix infeasible … implied by TF prefix … on common variables … & TF suffix is unsatisfiable

25 What Predicate is needed ?
Trace Trace Formula (TF) pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y  i) x1 = ctr0 Æ ctr1 = ctr0 + 1 Æ y1 = ctr1 Æ x1 = i0 - 1 Æ y1  i0 State… Predicate … 1. … after executing trace prefix 2. … knows present values of variables 3. … makes trace suffix infeasible … implied by TF prefix … on common variables … & TF suffix is unsatisfiable

26 Craig’s Interpolation Theorem [Craig ’57]
Given formulas - , + s.t. -Æ + is unsatisfiable There exists an Interpolant  for - , + , s.t. - implies   has symbols common to -, +  Æ + is unsatisfiable  computable from Proof of Unsat. of - Æ + [Krajicek ’97] [Pudlak ’97] (boolean) SAT-based Model Checking [McMillan ’03]

27 Interpolant = Predicate !
Trace Trace Formula pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y  i) x1 = ctr0 Æ ctr1 = ctr0 + 1 Æ y1 = ctr1 Æ x1 = i0 - 1 Æ y1  i0 - Interpolate + Require: Interpolant: 1. - implies  2.  has symbols common to -,+ 3.  Æ + is unsatisfiable 1. Predicate implied by trace prefix 2. Predicate on common variables common = current value 3. Predicate & suffix yields a contradiction

28 Interpolant = Predicate !
Trace Trace Formula pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y  i) x1 = ctr0 Æ ctr1 = ctr0 + 1 Æ y1 = ctr1 Æ x1 = i0 - 1 Æ y1  i0 - Interpolate + y1 = x1 + 1 Require: Interpolant: 1. - implies  2.  has symbols common to -,+ 3.  Æ + is unsatisfiable 1. Predicate implied by trace prefix 2. Predicate on common variables 3. Predicate & suffix yields a contradiction

29 Interpolant = Predicate !
Trace Trace Formula pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y  i) x1 = ctr0 Æ ctr1 = ctr0 + 1 Æ y1 = ctr1 Æ x1 = i0 - 1 Æ y1  i0 Predicate at pc4: y= x+1 - Interpolate pc4 + y1 = x1 + 1 Require: Interpolant: 1. - implies  2.  has symbols common to -,+ 3.  Æ + is unsatisfiable 1. Predicate implied by trace prefix 2. Predicate on common variables 3. Predicate & suffix yields a contradiction

30 Building Predicate Maps
pc2: x= ctr Trace Trace Formula - pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y  i) x1 = ctr0 Æ ctr1 = ctr0 + 1 Æ y1 = ctr1 Æ x1 = i0 - 1 Æ y1  i0 Interpolate x1 = ctr0 pc2 + Cut + Interpolate at each point Pred. Map: pci  Interpolant from cut i

31 Building Predicate Maps
pc2: x = ctr pc3: x= ctr-1 Trace Trace Formula pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y  i) x1 = ctr0 Æ ctr1 = ctr0 + 1 Æ y1 = ctr1 Æ x1 = i0 - 1 Æ y1  i0 - Interpolate x1= ctr1-1 pc3 + Cut + Interpolate at each point Pred. Map: pci  Interpolant from cut i

32 Building Predicate Maps
pc2: x = ctr pc3: x = ctr-1 pc4: y = x+1 pc5: y= i Trace Trace Formula pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y  i) x1 = ctr0 Æ ctr1 = ctr0 + 1 Æ y1 = ctr1 Æ x1 = i0 - 1 Æ y1  i0 - Interpolate y1= i0 pc5 + Cut + Interpolate at each point Pred. Map: pci  Interpolant from cut i

33 Building Predicate Maps
pc2: x = ctr pc3: x = ctr-1 pc4: y = x+1 pc5: y = i Trace Trace Formula pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y  i) x1 = ctr0 Æ ctr1 = ctr0 + 1 Æ y1 = ctr1 Æ x1 = i0 - 1 Æ y1  i0 Theorem: Predicate map makes trace abstractly infeasible

34 Plan Motivation Refinement using Traces Simple Procedure calls Results

35 Traces with Procedure Calls
Trace Formula pc1: x1 = 3 pc2: assume (x1>0) pc3: x3 = f1(x1) pc4: y2 = y1 pc5: y3 = f2(y2) pc6: z2 = z1+1 pc7: z3 = 2*z2 pc8: return z3 pc9: return y3 pc10: x4 = x3+1 pc11: x5 = f3(x4) pc12: assume(w1<5) pc13: return w1 pc14: assume x4>5 pc15: assume(x1=x3+2) pc1: x1 = 3 pc2: assume (x1>0) pc3: x3 = f1(x1) pc4: y2 = y1 pc5: y3 = f2(y2) pc6: z2 = z1+1 pc7: z3 = 2*z2 pc8: return z3 pc9: return y3 pc10: x4 = x3+1 pc11: x5 = f3(x4) pc12: assume(w1<5) pc13: return w1 pc14: assume x4>5 pc15: assume (x1=x3+2) Find predicate needed at point i i i

36 Interprocedural Analysis
Trace Trace Formula NO Find predicate needed at point i YES i i NO Require at each point i: Well-scoped predicates YES: Variables visible at i NO: Caller’s local variables Procedure Summaries [Reps,Horwitz,Sagiv ’95] Polymorphic Predicate Abstraction [Ball,Millstein,Rajamani ’02]

37 Problems with Cutting - + i i Trace Trace Formula
Caller variables common to - and + Unsuitable interpolant: not well-scoped

38 Interprocedural Cuts Trace Trace Formula Call begins i i

39 Interprocedural Cuts + - i i
Trace Trace Formula Call begins + - i i Predicate at pci = Interpolant from cut i

40 Common Variables + - i i Predicate at pci = Interpolant from i-cut
Trace Trace Formula Common Variables Formals + - Formals i i Current locals Well-scoped Predicate at pci = Interpolant from i-cut

41 Plan Motivation Refinement using Traces Simple Procedure calls Results

42 Implementation Algorithms implemented in BLAST
Verifier for C programs, Lazy Abstraction [POPL ’02] FOCI : Interpolating decision procedure Examples: Windows Device Drivers (DDK) IRP Specification: 22 state FSM Current: Security properties of Linux programs

43 Results Program LOC* kbfiltr 12k 1m12s 3m48s 72 6.5 floppy 17k 7m10s
Windows DDK IRP 22 state Results Program LOC* Previous Time New Predicates Total Average kbfiltr 12k 1m12s 3m48s 72 6.5 floppy 17k 7m10s 25m20s 240 7.7 diskperf 14k 5m36s 13m32s 140 10 cdaudio 18k 20m18s 23m51s 256 7.8 parport 61k DNF 74m58s 753 8.1 parclass 138k 77m40s 382 7.2 * Pre-processed

44 Localizing works… Program LOC* kbfiltr 12k 1m12s 3m48s 72 6.5 floppy
Windows DDK IRP 22 state Localizing works… Program LOC* Previous Time New Predicates Total Average kbfiltr 12k 1m12s 3m48s 72 6.5 floppy 17k 7m10s 25m20s 240 7.7 diskperf 14k 5m36s 13m32s 140 10 cdaudio 18k 20m18s 23m51s 256 7.8 parport 61k DNF 74m58s 753 8.1 parclass 138k 77m40s 382 7.2 * Pre-processed

45 Conclusion Scalability and Precision by localizing Craig Interpolation
Interprocedural cuts give well-scoped predicates Some Current and Future Work: Multithreaded Programs Project local info of thread to predicates over globals Hierarchical trace analysis

46 Berkeley Lazy Abstraction Software * Tool
BLAST Berkeley Lazy Abstraction Software * Tool

47 Pointers and Aliasing McCarthy’s Axioms (Arrays, Select, Update)
Theory of arrays doesn’t have q.f. interpolants! Instantiate axioms when building TF Using Morris’ generalized rule for assignment Cuts, Interpolants remain the same

48 Abstract Infeasibility
Property: Strongest Postcondition of ith predicate w.r.t. opi+1 implies i+1th predicate Predicate Map pc2: x = ctr pc3: x = ctr-1 pc4: y = x-1 pc5: y = i pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y  i) x = ctr -1 Æ y = ctr x = ctr -1 ) y=x+1 2nd Predicate Strongest Postcondition 3rd Predicate Trace

49 Another Interprocedural Cut
Trace Trace Formula Call begins + - i i Predicate at pci = Interpolant from i-cut

50 Interprocedural Cuts + - Common Symbols
Trace Formula Call begins x1 = a0 Æ y1 = x1 + 1 Æ r1 = y1 + 1 Æ b1 = r1 Æ a0  b1 - 1 x1 + x1 - r1 r1 Common Symbols x1 : Value of passed parameter x r1 : Value of local r

51 Interprocedural Cuts + -  Predicate r = x + 1 y no longer “live”
Trace Formula Call begins x1 = a0 Æ y1 = x1 + 1 Æ r1 = y1 + 1 Æ b1 = r1 Æ a0  b1 - 1 x1 + x1 - r1 r1 r1= x1 + 1 Predicate r = x + 1 y no longer “live”

52 Operations Branch Taken Operation  assume (x = i-1) if (x = i-1){ }
op ::== x = e | assume p Branch Taken Operation assume (x = i-1) if (x = i-1){ } Branch Not Taken Operation assume (x  i-1)

53 Localizing Works! Program LOC* kbfiltr 12k 1m12s 3m48s 72/16/6.5
Windows DDK IRP 22 state Localizing Works! Program LOC* Previous Time New Predicates (Total/Max/Average) kbfiltr 12k 1m12s 3m48s 72/16/6.5 floppy 17k 7m10s 25m20s 240/77/7.7 diskperf 14k 5m36s 13m32s 140/31/10 cdaudio 18k 20m18s 23m51s 256/27/7.8 parport 61k DNF 74m58s 753/32/8.1 parclass 138k 77m40s 382/28/7.2 * Pre-processed

54 Building Predicate Maps
pc2: x = ctr pc3: x = ctr-1 pc4: y = x-1 pc5: y = i Trace Trace Formula pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y  i) x1 = ctr0 Æ ctr1 = ctr0 + 1 Æ y1 = ctr1 Æ x1 = i0 - 1 Æ y1  i0 Cut + Interpolate at each point Pred. Map: pci  Interpolant from cut i

55 Example Predicate p1 makes trace abstractly infeasible
while(*){ 1: if (p1) lock(); if (p1) unlock(); 2: if (p2) lock(); if (p2) unlock(); n: if (pn) lock(); if (pn) unlock(); } lock unlock scalability lock Only track lock Bogus Counterexample assume p1 lock() assume : p1 assume p2 ERROR Make bigger fonts unreadable … Predicate p1 makes trace abstractly infeasible pi required for verification : lock : lock Æ p1 lock Æ p1 ;

56 Interpolant = Predicate !
Trace Trace Formula pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y  i) x1 = ctr0 Æ ctr1 = ctr0 + 1 Æ y1 = ctr1 Æ x1 = i0 - 1 Æ y1  i0 - Interpolate + y1 = x1 + 1 Require: Interpolant: 1. - implies  2.  has symbols common to -,+ 3.  Æ + is unsatisfiable 1. Predicate implied by trace prefix 2. Predicate on common variables 3. Predicate & suffix yields a contradiction

57 Interpolant = Predicate !
Trace Trace Formula pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y  i) x1 = ctr0 Æ ctr1 = ctr0 + 1 Æ y1 = ctr1 Æ x1 = i0 - 1 Æ y1  i0 x1 - y1 Interpolate x1 + y1 = x1 + 1 y1 Require: Interpolant: 1. - implies  2.  has symbols common to -,+ 3.  Æ + is unsatisfiable 1. Predicate implied by trace prefix 2. Predicate on common variables 3. Predicate & suffix yields a contradiction

58 Interpolant = Predicate !
Trace Trace Formula pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y  i) x1 = ctr0 Æ ctr1 = ctr0 + 1 Æ y1 = ctr1 Æ x1 = i0 - 1 Æ y1  i0 - Interpolate + y1 = x1 + 1 Require: Interpolant: 1. - implies  2.  has symbols common to -,+ 3.  Æ + is unsatisfiable 1. Predicate implied by trace prefix 2. Predicate on common variables 3. Predicate & suffix yields a contradiction

59 Example Bogus Counterexample Only track lock lock() assume : p1
while(*){ 1: if (p1) lock(); if (p1) unlock(); 2: if (p2) lock(); if (p2) unlock(); n: if (pn) lock(); if (pn) unlock(); } lock unlock scalability lock Only track lock Bogus Counterexample assume p1 lock() assume : p1 assume p2 ERROR Make bigger fonts unreadable … Must track p1

60 Example Predicate p1 makes trace abstractly infeasible
while(*){ 1: if (p1) lock(); if (p1) unlock(); 2: if (p2) lock(); if (p2) unlock(); n: if (pn) lock(); if (pn) unlock(); } lock unlock scalability lock Only track lock Bogus Counterexample assume p1 lock() assume : p1 assume p2 ERROR Make bigger fonts unreadable … Predicate p1 makes trace abstractly infeasible pi required for verification

61 Example Bogus Counterexample State Explosion Only track lock
while(*){ 1: if (p1) lock(); if (p1) unlock(); 2: if (p2) lock(); if (p2) unlock(); n: if (pn) lock(); if (pn) unlock(); } lock unlock scalability verification lock Only track lock Track lock, pi s Bogus Counterexample assume p1 lock() assume : p1 assume p2 ERROR State Explosion > 2n distinct states/paths complete search infeasible Make bigger fonts unreadable …

62 Procedure Calls Trace pc1: b = inc(a) pc2: y = x + 1 pc3: r = y + 1
main(){ int a,b; b = inc(a); if (a != b-2) ERROR: } int inc (int x){ int r,y; y = x + 1; r = y + 1; return r; } pc1: b = inc(a) pc2: y = x + 1 pc3: r = y + 1 pc4: return r pc5: assume (a  b-2) Trace

63 Interprocedural Analysis
pc1: b = inc(a) pc2: y = x + 1 pc3: r = y + 1 pc4: return r pc5: assume (a  b-2) Well-scoped predicates YES: Local variables x,y,r NO : Call-site variables a,b Trace Procedure Summaries [Reps,Horwitz,Sagiv ’95] Polymorphic Predicate Abstraction [Ball,Millstein,Rajamani ’02] Relational Analysis [Cousot, Halbwachs ’78]

64 Cuts don’t work - + Trace Trace Formula a appears in Interpolant
pc1: b = inc(a) pc2: y = x + 1 pc3: r = y + 1 pc4: return r pc5: assume (a  b-1) x1 = a0 Æ y1 = x1 + 1 Æ r1 = y1 +1 Æ b1 = r1 Æ a0  b1 - 1 a0 - + a0 Trace Trace Formula Well-scoped predicates a appears in Interpolant Predicate not well-scoped ! NO call-site variables a,b

65 Interprocedural Cuts i i Predicate at pci = Interpolant from i-cut
Trace Trace Formula pc1: x1 = 3 pc2: assume (x1>0) pc3: x3 = f1(x1) pc4: y2 = y1 pc5: y3 = f2(y2) pc6: z2 = z1+1 pc7: z3 = 2*z2 pc8: return z3 pc9: return y3 pc10: x4 = x3+1 pc11: x5 = f3(x4) pc12: assume(w1<5) pc13: return w1 pc14: assume x4>5 pc15: assume(x1=x3+2) pc1: x1 = 3 pc2: assume (x1>0) pc3: x3 = f1(x1) pc4: y2 = y1 pc5: y3 = f2(y2) pc6: z2 = z1+1 pc7: z3 = 2*z2 pc8: return z3 pc9: return y3 pc10: x4 = x3+1 pc11: x5 = f3(x4) pc12: assume(w1<5) pc13: return w1 pc14: assume x4>5 pc15: assume (x1=x3+2) Call begins i i Predicate at pci = Interpolant from i-cut

66 Interprocedural Cuts + - i i
Trace Trace Formula Call begins + - i i Predicate at pci = Interpolant from i-cut

67 Common Variables i i Predicate at pci = Interpolant from i-cut Trace
Trace Formula Formals i i Current Predicate at pci = Interpolant from i-cut

68 Another Interprocedural Cut
Trace Trace Formula Call begins + - i i Predicate at pci = Interpolant from i-cut

69 Another Interprocedural Cut
Trace Trace Formula Call begins + - i i Predicate at pci = Interpolant from i-cut

Download ppt "Abstractions from Proofs"

Similar presentations

Applications of Craig Interpolation to Model Checking K. L. McMillan Cadence Berkeley Labs.

Applications of Craig Interpolation to Model Checking K. L. McMillan Cadence Berkeley Labs.
Α ϒ ʎ …… Reachability Modulo Theories Akash Lal Shaz Qadeer, Shuvendu Lahiri Microsoft Research.

Α ϒ ʎ …… Reachability Modulo Theories Akash Lal Shaz Qadeer, Shuvendu Lahiri Microsoft Research.
Introducing BLAST Software Verification John Gallagher CS4117.

Introducing BLAST Software Verification John Gallagher CS4117.
1 Thorough Static Analysis of Device Drivers Byron Cook – Microsoft Research Joint work with: Tom Ball, Vladimir Levin, Jakob Lichtenberg,

1 Thorough Static Analysis of Device Drivers Byron Cook – Microsoft Research Joint work with: Tom Ball, Vladimir Levin, Jakob Lichtenberg,
Software Verification with BLAST Tom Henzinger Ranjit Jhala Rupak Majumdar.

Software Verification with BLAST Tom Henzinger Ranjit Jhala Rupak Majumdar.
Proofs and Counterexamples Rupak Majumdar. In the good old days… Decision Procedure  yes no.

Proofs and Counterexamples Rupak Majumdar. In the good old days… Decision Procedure  yes no.
Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer.

Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer.
BLAST-A Model Checker for C Developed by Thomas A. Henzinger (EPFL) Rupak Majumdar (UC Los Angeles) Ranjit Jhala (UC San Diego) Dirk Beyer (Simon Fraser.

BLAST-A Model Checker for C Developed by Thomas A. Henzinger (EPFL) Rupak Majumdar (UC Los Angeles) Ranjit Jhala (UC San Diego) Dirk Beyer (Simon Fraser.
SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:

SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:
The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.

The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.
Software Verification via Refinement Checking Sagar Chaki, Edmund Clarke, Alex Groce, CMU Somesh Jha, Wisconsin.

Software Verification via Refinement Checking Sagar Chaki, Edmund Clarke, Alex Groce, CMU Somesh Jha, Wisconsin.
Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar Shaz Qadeer.

Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar Shaz Qadeer.
Using Statically Computed Invariants Inside the Predicate Abstraction and Refinement Loop Himanshu Jain Franjo Ivančić Aarti Gupta Ilya Shlyakhter Chao.

Using Statically Computed Invariants Inside the Predicate Abstraction and Refinement Loop Himanshu Jain Franjo Ivančić Aarti Gupta Ilya Shlyakhter Chao.
Software Verification with Blast Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar, George Necula, Grégoire Sutre, Wes Weimer UC Berkeley.

Software Verification with Blast Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar, George Necula, Grégoire Sutre, Wes Weimer UC Berkeley.
Scalable Program Verification by Lazy Abstraction Ranjit Jhala U.C. Berkeley.

Scalable Program Verification by Lazy Abstraction Ranjit Jhala U.C. Berkeley.
Lazy Abstraction Thomas A. Henzinger Ranjit Jhala Rupak Majumdar Grégoire Sutre UC Berkeley.

Lazy Abstraction Thomas A. Henzinger Ranjit Jhala Rupak Majumdar Grégoire Sutre UC Berkeley.
Scalable Error Detection using Boolean Satisfiability 1 Yichen Xie and Alex Aiken Stanford University.

Scalable Error Detection using Boolean Satisfiability 1 Yichen Xie and Alex Aiken Stanford University.
Interpolants [Craig 1957] G(y,z) F(x,y)

Interpolants [Craig 1957] G(y,z) F(x,y)
Program Verification by Lazy Abstraction Ranjit Jhala UC San Diego Lecture 1 With: Tom Henzinger, Rupak Majumdar, Ken McMillan, Gregoire Sutre.

Program Verification by Lazy Abstraction Ranjit Jhala UC San Diego Lecture 1 With: Tom Henzinger, Rupak Majumdar, Ken McMillan, Gregoire Sutre.
Counterexample-Guided Focus TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAA A A A AA A A Thomas Wies Institute of.

Counterexample-Guided Focus TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAA A A A AA A A Thomas Wies Institute of.

Similar presentations

Ads by Google