Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Automatic Predicate Abstraction of C Programs Parts of the slides are from

Published byHomer Robbins Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Automatic Predicate Abstraction of C Programs Parts of the slides are from"— Presentation transcript:

1 1 Automatic Predicate Abstraction of C Programs Parts of the slides are from http://research.microsoft.com/slam/presentations/pldi2001.ppt

2 2 Predicate abstraction by C2BP program P Boolean program BP(P,E) C2BP predicates E

3 3 C2BP: Predicate Abstraction for C Programs Given P : a C program E = {e 1,...,e n } : set of C boolean expressions over the variables in P –no side effects, no procedure calls Produces a boolean program B same control-flow structure as P only vars are 3-valued booleans {{e 1 },...,{e n }} properties true of B are true of P

4 4 Assumptions Operates on intermediate representation of C language –CFG : if-then-else statements and gotos –expressions : side-effect free, no short-circuit evaluation, no multiple dereferences(e.g. **p) –Function call occurs at the top-most level z=x+f(y);  w=f(y); z=x+w; –Return statement is in the following form: return r; (where r is a local variable) Uses a logical memory model –for all i: p+i = p (where p is a pointer)

5 5 Weak/Strong predicates p is weaker than q iff q ) p For example, –‘T’ is weaker than ‘F’ since ‘F’ ) ‘T’ –x < 5 is weaker than x < 4 since x < 4 ) x < 5 ‘Weak’ means ‘easy to be satisfied’ –‘T’ is the weakest predicate. ‘Strong’ means ‘hard to be satisfied’ –‘F’ is the strongest predicate.

6 6 Precondition p 2 P(s, q) iff –8 M 2 States : M 2 [[p]] ) ([[s]] M) 2 [[q]] (where [[p]] denotes the states that satisfy p and [[s]] denotes the transfer function) P(s, q) = the set of predicates whose truth before s entails the truth of q after s terminates Example: –(y<3) 2 P(x=y+1, x<20) –(y<19) 2 P(x=y+1, x<20) It is easy to see that if p,p’ 2 P(s,q) then p Ç p’ 2 P(s,q) –i.e, P(s,q) is closed under Ç –Note that p Ç p’ is weaker than p and p’

7 7 Weakest Precondition WP(s, q) = –the weakest predicate p such that p 2 P(s, q) –equivalently, Ç (P(s,q)) For assignment statement, –WP(x = e, q) = q[e/x] Example: –WP(x = y+1, x<20) = (x<20)[(y+1)/x] = (y+1)<20 = (y<19) –(y<3) 2 P(x = y+1, x<20) but (y<3) ) (y<19)

8 8 Predicate strengthening Example –Given only E={ x<19, y==7, y==z, z<8}, –WP(x = y+1, x<19) = y<18 -> we don’t have (y<18) as a predicate! panic? –Find the weakest boolean expression consisting of E that implies (y<18)! How? –S E (p) = Ç { e | e is a boolean expression over E, e ) p } –But by disjunctive normal form theorem… –c 1 Æ … Æ c n is a cube over E iff (c i = e i or c i = : e i ) and e i 2 E –S E (p) = Ç { e | e is a cube over E, e ) p } –S E (y<18) = (y==7) Ç (y==z Æ z<8)

9 9 Strengthening & Weakening p S E (p) W E (p)

10 10 Translating Assignment Statements In general, –“WP(s, e i ) is true before s” implies “predicate e i is true after s” –“WP(s, : e i ) is true before s” implies “predicate e i is false after s “ But in some cases, WP(s, e i ) is not expressible using E The assignment statement “x=e;” is translated to –{e i } = {S E (WP(x=e, e i ))} ? true : {S E (WP(x=e, : e i ))} ? false : *; for each e i 2 E

11 11 Translation example Translating “x = y+1;” –Given E={ x<19, y==7, y==z, z<8}, –S E (WP(x=y+1, x<19)) = S E (y<18) = (y==7) Ç (y==z Æ z<8) –S E (WP(x=y+1, : (x<19))) = S E (WP(x=y+1, x ¸ 20)) = S E (y ¸ 19) = false –For {x<19}, {x<19} = ( {y==7} || ( {y==z} && {z<8} ) ) ? true : false ? false : *; –Similar for {y==7}, {y==z}, {z<8}

12 12 Handling Pointers Statement : *p = y; predicates E = { x==5 } Weakest Precondition: –WP(*p=y, x==5) = (x==5)[y/*p] = (x==5)??? –What if *p and x alias? Correct Weakest Precondition: –WP(*p=y, x==5) = (p==&x Æ y==5) Ç (p!=&x Æ x==5) Uses Das’s pointer analysis to prune infeasible alias scenarios

13 13 Translating conditional statements (1/2) if (e) { … } else { … } is translated to if (*) { assume(e); … } else { assume( : e); … } But what if ‘e’ is not expressible in terms of the predicates in E? Then find a condition weaker than ‘e’ such that it is expressible in terms of E

14 14 Predicate weakening W E (p) = the strongest predicate among those which are expressible in terms of ‘E’ and are implied by ‘p’ W E (p) = : (S E ( : p))

15 15 Translating conditional statements (2/2) if (e) { … } else { … } is translated to if (*) { assume(W E (e)); … } else { assume(W E ( : e)); … } Example –E = { x>3, x==10 } –if(x>5) { … } else { … }  –if(*) { assume(x>3); … } else { assume(!(x==10)); … }

16 16 Handling Procedures Procedures abstracted in two passes: –a signature is produced for each procedure in isolation –procedure calls are abstracted using the callees’ signatures only

17 17 Global/Local predicates Each predicate in E is annotated as being either global or local to a particular procedure e i 2 E is … –global iff e i refers to global variables only –local to procedure R iff e i refers to a local variable of R (e i cannot refer to local variables of another procedure due to scoping)

18 18 Formal/Return predicates e i 2 E is … –a formal predicate of procedure R iff e i is a local predicate of R and doesn’t refer to any local variables of R –a return predicate of procedure R iff one of the following conditions is true: (1) e i refers to return variable ‘r’ of R and doesn’t refer to any local variable except ‘r’ (2) e i is a formal predicate and e i refers to a global var or to a pointer dereference of formal parameter of R

19 19 Example program int bar(int *q,int y,int z) { int m1,m2; m1 = y+1; return m1; } void foo(int *p, int x) { int r; r=bar(p,x,*p); } bar { y>=0; // formal *q<=y; // formal, return y==m1; // return } foo { *p<=0; // formal, return x==0; // formal r==0 // local }

20 20 Translating procedure “bar” int bar(int *q,int y,int z) { int m1,m2; m1 = y+1; return m1; } bar({y>=0}, {*q<=y}) { bool {y==m1}; {y==m1} = false ? true : !{y==m1} ? false : *; } bar { y>=0; // formal *q<=y; // formal, return y==m1; // return }

21 21 Translating procedure “foo” “foo” invokes “bar” but only the signature of “bar” is needed to handle the procedure call Translated form of “foo”: foo({*p<=0}, {x==0}) { bool {r==0}; … }

22 22 Signature of procedure “bar” int bar(int *q,int y,int z) { int m1,m2; m1 = y+1; return m1; } bar { y>=0; // formal *q<=y; // formal, return y==m1; // return } Signature of “bar”: int bar(int *q,int y,int z); Takes (y>=0), (*q<=y) as formal predicates Returns (*q<=y), (y==m1) as return predicates Return var = m1

23 23 Resolving/Strengthening formal predicates r=bar(p,x,*p); (in procedure foo) Formal predicates of “bar” (y>=0)[p/q, x/y, *p/z] = (x>=0) –S foo (x>=0) = (x==0) –S foo ( : (x>=0)) = false (*q<=y)[p/q, x/y, *p/z] = (*p<=x) –S foo (*p<=x) = (*p<=0) Æ (x==0) –S foo ( : (*p<=x)) = : (*p<=0) Æ (x==0) Signature of “bar”: int bar(int *q,int y,int z); Takes (y>=0), (*q<=y) Returns (*q<=y), (y==m1) Return var = m1 Predicates of “foo”: *p<=0; x==0; r==0

24 24 Translated procedure invocation prm1 = {x==0} ? true : false ? false : *; prm2 = {*p<=0}&&{x==0} ? true : !{*p<=0}&&{x==0} ? false : *; r1,r2 = bar(prm1,prm2); “bar” returns the resulting value of predicates (*q<=y) and (y==m1) Signature of “bar”: int bar(int *q,int y,int z); Takes (y>=0), (*q<=y) Returns (*q<=y), (y==m1) Return var = m1 Predicates of “foo”: *p<=0; x==0; r==0

25 25 Resolving return predicates r=bar(p,x,*p); (in procedure foo) Return predicates of “bar” (*q<=y)[r/m1, p/q, x/y, *p/z] = (*p<=x) (y==m1)[r/m1, p/q, x/y, *p/z] = (x==r) Let R = { (*p<=x), (x==r) } Predicates of “foo” to be updated –(*p<=0) (“p” is passed to “bar”) –(r==0) (“r” is assigned by proc call) Let U foo = { (*p<=x), (r==0) } Signature of “bar”: int bar(int *q,int y,int z); Takes (y>=0), (*q<=y) Returns (*q<=y), (y==m1) Return var = m1 Predicates of “foo”: *p<=0; x==0; r==0

26 26 How to update caller’s predicates r=bar(p,x,*p); (in procedure foo) R = { (*p<=x), (x==r) } U foo = { (*p<=0), (r==0) } Let T = R [ (E foo \ U foo ) = { (*p<=x), (x==r), (x==0) } Strengthening U foo over T –S T (*p<=0) = (*p<=x) Æ (x==0) –S T ( : (*p<=0)) = : (*p<=x) Æ (x==0) –S T (r==0) = (x==r) Æ (x==0) –S T ( : (r==0)) = : (x==r) Æ (x==0) Signature of “bar”: int bar(int *q,int y,int z); Takes (y>=0), (*q<=y) Returns (*q<=y), (y==m1) Return var = m1 Predicates of “foo”: *p<=0; x==0; r==0

27 27 Translated procedure return …; r1,r2 = bar(prm1,prm2); r1,r2 represents {*p<=x}, {x==r} U foo strengthened over T –S T (*p<=0) = (*p<=x) Æ (x==0) –S T ( : (*p<=0)) = : (*p<=x) Æ (x==0) –S T (r==0) = (x==r) Æ (x==0) –S T ( : (r==0)) = : (x==r) Æ (x==0) Updating predicates of U foo –{*p<=0} = r1&&{x==0} : true ? !r1&&{x==0} : false ? *; –{r==0} = r2&&{x==0} : true ? !r2&&{x==0} : false ? *; Signature of “bar”: int bar(int *q,int y,int z); Takes (y>=0), (*q<=y) Returns (*q<=y), (y==m1) Return var = m1 Predicates of “foo”: *p<=0; x==0; r==0

28 28 Finally… foo({*p<=0}, {x==0}) { bool {r==0}; bool prm1, prm2, r1, r2; prm1 = {x==0} ? true : false ? false : *; prm2 = {*p<=0}&&{x==0} ? true : !{*p<=0}&&{x==0} ? false : *; r1,r2 = bar(prm1,prm2); {*p<=0} = r1&&(x==0) : true ? !r1&&(x==0) : false ? *; {r==0} = r2&&(x==0) : true ? !r2&&(x==0) : false ? *; } Signature of “bar”: int bar(int *q,int y,int z); Takes (y>=0), (*q<=y) Returns (*q<=y), (y==m1) Return var = m1 Predicates of “foo”: *p<=0; x==0; r==0

29 29 Formal Properties of C2BP soundness –B has a superset of the feasible paths in P –If {e i } is true (false) at some point on a path in B, then e i is true (false) at that point along a corresponding path in P complexity –linear in size of program –exponential in number of predicates

30 30 Conclusions Contributions –C2BP handles the constructs of C pointers, recursion, structs, casts modular abstraction of procedures –Provably sound Defects –Doesn’t use physical memory model

Download ppt "1 Automatic Predicate Abstraction of C Programs Parts of the slides are from"

Similar presentations

A SAT characterization of boolean-program correctness K. Rustan M. Leino Microsoft Research, Redmond, WA 14 Nov 2002 IFIP WG 2.4 meeting, Schloβ Dagstuhl,

A SAT characterization of boolean-program correctness K. Rustan M. Leino Microsoft Research, Redmond, WA 14 Nov 2002 IFIP WG 2.4 meeting, Schloβ Dagstuhl,
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Abstraction of Source Code (from Bandera lectures and talks)

Abstraction of Source Code (from Bandera lectures and talks)
Semantics Static semantics Dynamic semantics attribute grammars

Semantics Static semantics Dynamic semantics attribute grammars
Intermediate Code Generation

Intermediate Code Generation
Programming Languages and Paradigms

Programming Languages and Paradigms
3-Valued Logic Analyzer (TVP) Tal Lev-Ami and Mooly Sagiv.

3-Valued Logic Analyzer (TVP) Tal Lev-Ami and Mooly Sagiv.
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers

Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
1 How to transform an analyzer into a verifier. 2 OUTLINE OF THE LECTURE a verification technique which combines abstract interpretation and Park’s fixpoint.

1 How to transform an analyzer into a verifier. 2 OUTLINE OF THE LECTURE a verification technique which combines abstract interpretation and Park’s fixpoint.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
Automatic Predicate Abstraction of C-Programs T. Ball, R. Majumdar T. Millstein, S. Rajamani.

Automatic Predicate Abstraction of C-Programs T. Ball, R. Majumdar T. Millstein, S. Rajamani.
David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 19: Minding Ps & Qs: Axiomatic.

David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 19: Minding Ps & Qs: Axiomatic.
Partial correctness © Marcelo d’Amorim 2010.

Partial correctness © Marcelo d’Amorim 2010.
Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.

Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
Dynamic semantics Precisely specify the meanings of programs. Why? –programmers need to understand the meanings of programs they read –programmers need.

Dynamic semantics Precisely specify the meanings of programs. Why? –programmers need to understand the meanings of programs they read –programmers need.
1 Discrete Structures Lecture 29 Predicates and Programming Read Ch. 10.1 - 10.2.

1 Discrete Structures Lecture 29 Predicates and Programming Read Ch
Verification of parameterised systems

Verification of parameterised systems
Program Proving Notes Ellen L. Walker.

Program Proving Notes Ellen L. Walker.
1/22 Programs : Semantics and Verification Charngki PSWLAB Programs: Semantics and Verification Mordechai Ben-Ari Mathematical Logic for Computer.

1/22 Programs : Semantics and Verification Charngki PSWLAB Programs: Semantics and Verification Mordechai Ben-Ari Mathematical Logic for Computer.

Similar presentations

Ads by Google