Presentation is loading. Please wait.

Presentation is loading. Please wait.

Predicate Abstraction

Published bySára Havlová Modified over 5 years ago

Similar presentations

Presentation on theme: "Predicate Abstraction"— Presentation transcript:

1 Predicate Abstraction
CS 510/08 Predicate Abstraction

2 Predicate Abstraction
Extract a finite state model from an infinite state system Used to prove assertions or safety properties Successfully applied for verification of C programs SLAM (used in windows device driver verification) MAGIC, BLAST, F-Soft If the property holds on the abstract model it also holds on the original C program.

3 Example for Predicate Abstraction
void main() { bool p1, p2; p1=TRUE; p2=TRUE; while(p2) { p1=p1?FALSE:nondet(); p2=!p2; } int main() { int i; i=0; while(even(i)) i++; } + = p1  i=0 p2  even(i) In predicate abstraction a given program is abstracted with respect to a given set of predicates. Consider the C program which has one integer variable i. The boolean program has the same control structure as that of the original C program. Each statement in the C program is replaced by its affect on the predicates in the boolean program. NOW THE QUESTION IS HOW DO WE GET THE PREDICATES and WHERE SHOULD WE USE WHICH PREDICATE???? WHAT PREDICATES ARE USEFUL FOR PROVING THE PROPERTY. We will try to answer these questions in the next few slides. C program Predicates Boolean program [Graf, Saidi ’97] [Ball, Rajamani ’01]

4 Computing Predicate Abstraction
How to get predicates for checking a given property? How do we compute the abstraction? Predicate Abstraction is an over-approximation How to refine coarse abstractions

5 Example Example ( ) { 1: do{ lock(); old = new; q = q->next;
2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4: } while(new != old); 5: unlock (); return; lock unlock

6 What a program really is…
State Transition pc lock old new q  3  5  0x133a 3: unlock(); new++; 4:} … pc lock old new q  4  5  6  0x133a Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4: } while(new != old); 5: unlock (); return;}

7 The Safety Verification Problem
Error Safe Initial Is there a path from an initial to an error state ? Problem: Infinite state graph Solution : Set of states ' logical formula

8 Idea 1: Predicate Abstraction
Predicates on program state: lock old = new States satisfying same predicates are equivalent Merged into one abstract state #abstract states is finite

9 Abstract States and Transitions
pc lock old new q  3  5  0x133a 3: unlock(); new++; 4:} … pc lock old new q  4  5  6  0x133a lock old=new ! lock ! old=new

10 Abstraction Existential Approximation State lock ! lock old=new
pc lock old new q  3  5  0x133a 3: unlock(); new++; 4:} … pc lock old new q  4  5  6  0x133a lock old=new ! lock ! old=new Existential Approximation

11 Abstraction State lock ! lock old=new ! old=new 3: unlock(); new++;
pc lock old new q  3  5  0x133a 3: unlock(); new++; 4:} … pc lock old new q  4  5  6  0x133a lock old=new ! lock ! old=new

12 Analyze Abstraction Problem Analyze finite graph
Over Approximate: Safe => System Safe Problem Spurious counterexamples

13 Idea 2: Counterex.-Guided Refinement
Solution Use spurious counterexamples to refine abstraction !

14 Idea 2: Counterex.-Guided Refinement
Solution Use spurious counterexamples to refine abstraction 1. Add predicates to distinguish states across cut 2. Build refined abstraction

15 Iterative Abstraction-Refinement
Solution Use spurious counterexamples to refine abstraction 1. Add predicates to distinguish states across cut 2. Build refined abstraction -eliminates counterexample 3. Repeat search Till real counterexample or system proved safe [Kurshan et al 93] [Clarke et al 00] [Ball-Rajamani 01]

16 Build-and-Search Predicates: LOCK 1 1 Example ( ) { 1: do{ lock();
old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); 1 ! LOCK 1 Predicates: LOCK

17 Build-and-Search Predicates: LOCK 1 2 1 2 Example ( ) { 1: do{ lock();
old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); lock() old = new q=q->next 1 ! LOCK 2 LOCK 1 2 Predicates: LOCK

18 Build-and-Search Predicates: LOCK 1 2 3 1 2 3 Example ( ) { 1: do{
old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); 1 ! LOCK 2 LOCK [q!=NULL] 3 LOCK 1 2 3 Predicates: LOCK

19 Build-and-Search Predicates: LOCK 1 2 3 4 4 1 2 3 Example ( ) { 1: do{
old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); 1 ! LOCK 2 LOCK 3 q->data = new unlock() new++ LOCK 4 ! LOCK 4 1 2 3 Predicates: LOCK

20 Build-and-Search Predicates: LOCK 1 2 3 4 5 5 4 1 2 3 Example ( ) {
1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); 1 ! LOCK 2 LOCK 3 LOCK 4 ! LOCK [new==old] 5 ! LOCK 5 4 1 2 3 Predicates: LOCK

21 Build-and-Search Predicates: LOCK 1 2 3 4 5 5 4 1 2 3 Example ( ) {
1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); 1 ! LOCK 2 LOCK 3 LOCK 4 ! LOCK 5 ! LOCK 5 unlock() 4 ! LOCK 1 2 3 Predicates: LOCK

22 Analyze Counterexample
1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); 1 ! LOCK lock() old = new q=q->next 2 LOCK [q!=NULL] 3 LOCK q->data = new unlock() new++ 4 ! LOCK [new==old] 5 ! LOCK 5 unlock() 4 ! LOCK 1 2 3 Predicates: LOCK

23 Analyze Counterexample
1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); 1 : LOCK old = new 2 LOCK 3 LOCK new++ 4 : LOCK [new==old] 5 : LOCK 5 Inconsistent 4 : LOCK new == old 1 2 3 Predicates: LOCK

24 Repeat Build-and-Search
Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); 1 : LOCK Write out the perdicate abstraction P2= !p2 ? 1: * 1 Predicates: LOCK, new==old

25 Repeat Build-and-Search
Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); 1 ! LOCK lock() old = new q=q->next 2 LOCK , new==old 1 2 Predicates: LOCK, new==old

26 Repeat Build-and-Search
Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); 1 ! LOCK 2 LOCK , new==old LOCK , new==old 3 q->data = new unlock() new++ 4 ! LOCK , ! new = old 4 1 2 3 Predicates: LOCK, new==old

27 Repeat Build-and-Search
Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); 1 ! LOCK 2 LOCK , new==old LOCK , new==old 3 4 ! LOCK , ! new = old [new==old] 4 1 2 3 Predicates: LOCK, new==old

28 Repeat Build-and-Search
Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); 1 ! LOCK 2 LOCK , new==old LOCK , new==old 3 4 ! LOCK , ! new = old [new!=old] 1 ! LOCK, ! new == old 4 4 1 2 3 Predicates: LOCK, new==old

29 Repeat Build-and-Search
Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); 1 ! LOCK 2 LOCK , new==old SAFE LOCK , new==old 3 4 4 ! LOCK , ! new = old LOCK , new=old 1 5 5 ! LOCK, ! new == old 4 4 4 1 ! LOCK , new==old 2 3 Predicates: LOCK, new==old

30 No predicates available currently
Another Example 1: x = ctr; 2: y = ctr + 1; 3: if (x = i-1){ 4: if (y != i){ ERROR: } 1: skip; 2: skip; 3: if (*){ 4: if (*){ ERROR: } Abstract Note that if the abstract model satisfies the property, then the original program will also satisfy the property. Thus, if x equals i-1, then y must be equal to I, as y is one more than x. C program No predicates available currently

31 Checking the abstract model
Is ERROR reachable? 1: skip; 2: skip; 3: if (*){ 4: if (*){ ERROR: } yes Abstract model has a path leading to error state

32 Does this correspond to a real bug? Check using a SAT solver
Simulation 1: x = ctr; 2: y = ctr + 1; 3: assume(x == i-1) 4: assume (y != i) 1: skip; 2: skip; 3: if (*){ 4: if (*){ ERROR: } A general technique to verify large systems is to first abstract them into simpler models, by throwing away irrelevant details. Check using a SAT solver Concrete trace Not possible

33 Spurious Counterexample
Refinement 1: x = ctr; 2: y = ctr + 1; 3: assume(x == i-1) 4: assume (y != i) 1: skip; 2: skip; 3: if (*){ 4: if (*){ ERROR: } Using this spurious counterexample we want to construct a more refined abstraction which eliminates this counterexample. We do this by doing backward counter example analysis. Initial abstraction Spurious Counterexample

34 Refinement ERROR: } boolean b0 : y != i 1: x = ctr; 1: skip;
2: y = ctr + 1; 3: assume(x == i-1) 4: assume (y != i) 1: skip; 2: skip; 3: if (*){ 4: if (b0){ ERROR: } boolean b0 : y != i

35 Refinement ERROR: } boolean b0 : y != i boolean b1 : x== i-1
1: x = ctr; 2: y = ctr + 1; 3: assume(x == i-1) 4: assume (y != i) 1: skip; 2: skip; 3: if (b1){ 4: if (b0){ ERROR: } boolean b0 : y != i boolean b1 : x== i-1

36 Weakest Preconditions
WP(P,OP) Weakest formula P’ s.t. if P’ is true before OP then P is true after OP [WP(P, OP)] OP [P]

37 Weakest Preconditions
WP(P,OP) Weakest formula P’ s.t. if P’ is true before OP then P is true after OP [WP(P, OP)] OP [P] WP (x>5, x=x+1) = x>4, a stronger condition is that x>5, x>10 P[e/x] new+1 = old Assign new = new+1 x = e P new = old

38 Weakest precondition of y != i
Refinement Weakest precondition of y != i boolean b2 : ctr + 1 ! = i 1: x = ctr; 2: y = ctr + 1; 3: assume(x == i-1) 4: assume (y != i) 1: skip; 2: b0 = b2; 3: if (b1){ 4: if (b0){ ERROR: } Weakest precondition of a formula wrt to a statement is another formula whose truth before the execution of statement implies the truth of formula after the execution of statement. boolean b0 : y != i boolean b1 : x== i-1

39 Refinement ERROR: } boolean b2 : ctr + 1 ! = i boolean b3: ctr == i -1
1: x = ctr; 2: y = ctr + 1; 3: assume(x == i-1) 4: assume (y != i) 1: b1 = b3; 2: b0 = b2; 3: if (b1){ 4: if (b0){ ERROR: } boolean b0 : y != i boolean b1 : x== i-1

40 Refinement ERROR: } boolean b2 : ctr + 1 ! = i boolean b3: ctr == i -1
What about initial values of b2 and b3? 1: b1 = b3; 2: b0 = b2; 3: if (b1){ 4: if (b0){ ERROR: } b2 and b3 are mutually exclusive. b2 =1, b3 = 0 b2 =0 , b3 = 1 This is our new refined abstract model. Note that we only have boolean variables here and the control flow is same too. If b2 =1 and b3 =0 So system is safe! boolean b0 : y != i boolean b1 : x== i-1

41 Tools for Predicate Abstraction of C
SLAM at Microsoft Used for verifying correct sequencing of function calls in windows device drivers MAGIC at CMU Allows verification of concurrent C programs Found bugs in MicroC OS BLAST at Berkeley Lazy abstraction, interpolation SATABS at CMU Computes predicate abstraction using SAT Can handle pointer arithmetic, bit-vectors F-Soft at NEC Labs Localization, register sharing

Download ppt "Predicate Abstraction"

Similar presentations

A SAT characterization of boolean-program correctness K. Rustan M. Leino Microsoft Research, Redmond, WA 14 Nov 2002 IFIP WG 2.4 meeting, Schloβ Dagstuhl,

A SAT characterization of boolean-program correctness K. Rustan M. Leino Microsoft Research, Redmond, WA 14 Nov 2002 IFIP WG 2.4 meeting, Schloβ Dagstuhl,
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Abstraction in Model Checking Nishant Sinha. Model Checking Given a: –Finite transition system M –A temporal property p The model checking problem: –Does.

Abstraction in Model Checking Nishant Sinha. Model Checking Given a: –Finite transition system M –A temporal property p The model checking problem: –Does.
Abstraction of Source Code (from Bandera lectures and talks)

Abstraction of Source Code (from Bandera lectures and talks)
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
1 Thorough Static Analysis of Device Drivers Byron Cook – Microsoft Research Joint work with: Tom Ball, Vladimir Levin, Jakob Lichtenberg,

1 Thorough Static Analysis of Device Drivers Byron Cook – Microsoft Research Joint work with: Tom Ball, Vladimir Levin, Jakob Lichtenberg,
Software Verification with BLAST Tom Henzinger Ranjit Jhala Rupak Majumdar.

Software Verification with BLAST Tom Henzinger Ranjit Jhala Rupak Majumdar.
1 Software Verification Computer Science Club, Steklov Math Institute Lecture 1 Natasha Sharygina The University of Lugano, Carnegie Mellon University.

1 Software Verification Computer Science Club, Steklov Math Institute Lecture 1 Natasha Sharygina The University of Lugano, Carnegie Mellon University.
Proofs and Counterexamples Rupak Majumdar. In the good old days… Decision Procedure  yes no.

Proofs and Counterexamples Rupak Majumdar. In the good old days… Decision Procedure  yes no.
BLAST-A Model Checker for C Developed by Thomas A. Henzinger (EPFL) Rupak Majumdar (UC Los Angeles) Ranjit Jhala (UC San Diego) Dirk Beyer (Simon Fraser.

BLAST-A Model Checker for C Developed by Thomas A. Henzinger (EPFL) Rupak Majumdar (UC Los Angeles) Ranjit Jhala (UC San Diego) Dirk Beyer (Simon Fraser.
SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:

SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:
The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.

The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.
Software Verification via Refinement Checking Sagar Chaki, Edmund Clarke, Alex Groce, CMU Somesh Jha, Wisconsin.

Software Verification via Refinement Checking Sagar Chaki, Edmund Clarke, Alex Groce, CMU Somesh Jha, Wisconsin.
Using Statically Computed Invariants Inside the Predicate Abstraction and Refinement Loop Himanshu Jain Franjo Ivančić Aarti Gupta Ilya Shlyakhter Chao.

Using Statically Computed Invariants Inside the Predicate Abstraction and Refinement Loop Himanshu Jain Franjo Ivančić Aarti Gupta Ilya Shlyakhter Chao.
Scalable Program Verification by Lazy Abstraction Ranjit Jhala U.C. Berkeley.

Scalable Program Verification by Lazy Abstraction Ranjit Jhala U.C. Berkeley.
Lazy Abstraction Thomas A. Henzinger Ranjit Jhala Rupak Majumdar Grégoire Sutre UC Berkeley.

Lazy Abstraction Thomas A. Henzinger Ranjit Jhala Rupak Majumdar Grégoire Sutre UC Berkeley.
Scalable Error Detection using Boolean Satisfiability 1 Yichen Xie and Alex Aiken Stanford University.

Scalable Error Detection using Boolean Satisfiability 1 Yichen Xie and Alex Aiken Stanford University.
Program Verification by Lazy Abstraction Ranjit Jhala UC San Diego Lecture 1 With: Tom Henzinger, Rupak Majumdar, Ken McMillan, Gregoire Sutre.

Program Verification by Lazy Abstraction Ranjit Jhala UC San Diego Lecture 1 With: Tom Henzinger, Rupak Majumdar, Ken McMillan, Gregoire Sutre.
Counterexample-Guided Focus TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAA A A A AA A A Thomas Wies Institute of.

Counterexample-Guided Focus TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAA A A A AA A A Thomas Wies Institute of.

Similar presentations

Ads by Google