Presentation is loading. Please wait.

Presentation is loading. Please wait.

Using Statically Computed Invariants Inside the Predicate Abstraction and Refinement Loop Himanshu Jain Franjo Ivančić Aarti Gupta Ilya Shlyakhter Chao.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Using Statically Computed Invariants Inside the Predicate Abstraction and Refinement Loop Himanshu Jain Franjo Ivančić Aarti Gupta Ilya Shlyakhter Chao."— Presentation transcript:

1 Using Statically Computed Invariants Inside the Predicate Abstraction and Refinement Loop Himanshu Jain Franjo Ivančić Aarti Gupta Ilya Shlyakhter Chao Wang

2 Introduction Predicate abstraction  Abstracts data by keeping track of certain predicates  Each predicate given a Boolean variable in abstract model

3 Counterexample Guided Abstraction and Refinement Loop (CEGAR ) Property Monitor C programs Static Analysis Predicate Abstraction Model check Analysis & Refinement  Discovered bug in software Certified code F-Soft

4 Bottlenecks in CEGAR loop Computing predicate relationships is expensive Over-approximation leads to refinement iterations Finding right predicates not always possible

5 An example 1: x = 100; 2: y = 100; 3. while (x != 0) { 4. x = x – 1; 5. y = y – 1; 6.} 7.if (y != 0) 8. ERROR:; Weakest pre-condition based refinement: x=0, y=0 x=1, y=1……… x=100, y=100 x = y Split theorem prover: Jhala, McMillan [TACAS 2006 ] C program We will discover x=y as an invariant

6 Our approach Use efficiently computable invariants in CEGAR loop Invariants generated by abstract domains  Octagon: ± x ± y ≤ c  Polyhedra: a 1 x 1 ± a 2 x 2 ± … ± a n x n ≤ c  Numerous others in ASTRÉE like static analyzers Combination of abstraction techniques

7 This work: CEGAR loop + Invariants Property Monitor C programs Static Analysis Predicate Abstraction Model check Analysis & Refinement  Discovered bug in software Certified code + Invariants from abstract domains 1.More precise abstractions 2.Fewer refinement iterations 3.Fewer predicates 4.Avoid some convergence problems

8 Related work Idea of using invariants during abstraction  Bensalem et al. [CAV 1998]  Colón et al [CAV 1998]  Saïdi et al. [ASE 1999] Path sensitive data flow analysis  Fischer et al. [FSE 2005]

9 Outline Introduction Using Invariants in abstraction-refinement loop Invariant generation Invariant selection Experimental results

10 Abstraction 1: if (x > y) { 2: y = y + 1;... 5: z = y;... 10: if (x < z) 11: ERROR:; 12:} Abstract C program No predicates available currently 1: if (*) { 2: skip;... 5: skip;... 10: if (*) 11: ERROR:; 12:} Abstract model

11 Checking the abstract model Is ERROR reachable? yes Abstract model has a path leading to error state 1: if (*) { 2: skip;... 5: skip;... 10: if (*) 11: ERROR:; 12:} Abstract model

12 Concretization of abstract counterexample Concrete trace 1: if (*) { 2: skip;... 5: skip;... 10: if (*) 11: ERROR:; 12:} 1: assume (x > y) 2: y = y + 1;... 5: z = y;... 10:assume (x < z) 11: 12: Abstract model

13 Simulation Does this correspond to a real bug? Spurious trace Concrete trace Spurious Counterexample 1: assume (x > y) 2: y = y + 1;... 5: z = y;... 10:assume (x < z) 11: 12:

14 Refinement Spurious Counterexample Localization of predicates [Jhala et al., POPL 2004] [Jain et al., TACAS 2005] x < z x < y x < y + 1 x > y 1: assume (x > y) 2: y = y + 1;... 5: z = y;... 10:assume (x < z)

15 Refinement Spurious Counterexample 1: assume (x > y) 2: y = y + 1;... 5: z = y;... 10:assume (x < z) Need to track value of at least one predicate from locations 1 to 10 Localization of predicates [Jhala et al., POPL 2004] [Jain et al., TACAS 2005]

16 Using invariants 1: if (x > y) { 2: y = y + 1;... 5: z = y;... 10: if (x < z) 11: ERROR:; 12:} 1: 2: x > y... x ≥ y 5: x ≥ y... x ≥ y, y = z, x ≥ z 10: x ≥ y, y = z, x ≥ z 11: 12: C program Two variable invariants

17 Using invariants during simulation 1: 2: x > y... x ≥ y 5: x ≥ y... x ≥ y, y = z, x ≥ z 10: x ≥ y, y = z, x ≥ z 11: 12: 1: assume (x > y) 2: y = y + 1;... 5: z = y;... 10:assume (x < z) infeasible Refinement procedure only needs to look at infeasible trace Spurious Counterexample Two variable invariants

18 What has happened so far 1: assume (x > y) 2: y = y + 1;... 5: z = y;... 10:assume (x < z) 1: if (*) { 2: skip;... 5: skip;... 10: if (*) 11: ERROR:; 1: if (x > y) { 2: y = y + 1;... 5: z = y;... 10: if (x < z) 11: ERROR:; 12:} C program Abstract model Spurious counterexample PC=10: x ≥ z 1: if (*) { 2: skip;... 5: skip;... 10: if (b) 11: ERROR:; Boolean b : x < z (PC=10) →¬b New abstract model

19 Strengthened transition relation Let T b (V,V’) denote transition relation of basic block b Let I b (V) denote the invariants that hold at b ST b (V,V’) := T b (V,V’) Λ I b (V) Replace T b (V,V’) by ST b (V,V’) in CEGAR loop

20 Outline Introduction Using Invariants in abstraction-refinement loop Invariant generation Invariant selection Experimental results

21 Invariant generation Octagon abstract domain: ± x ± y ≤ c  Due to Antoine Miné  Successfully used in ASTRÉE static analyzer  Captures commonly occurring variable relationships Array bound accesses More expressive abstract domains can be used  Eagerly: before CEGAR loop starts  Lazily: on-demand as needed by refinement

22 Octagon packing Octagon relationships between n variables Time per transfer function: O(n 3 ) Memory cost per program location: O(n 2 )

23 Octagon packing Octagon relationships between n variables Time per transfer function: O(n 3 ) Memory cost per program location: O(n 2 ) x1x1 x2x2 x3x3 x4x4 x5x5 x 1000 x 999........ octagon pack

24 Octagon packing Basic block based packing  Variables appearing in a basic block  #octagon packs proportional to #basic blocks Control flow based packing  Associate an octagon pack for each condition  Cone of influence computation  #octagon packs proportional to #conditions

25 Outline Introduction Using Invariants in abstraction-refinement loop Invariant generation Invariant selection Experimental results

26 Invariant selection Use fewer invariants for additional/quicker pruning  Avoid overhead in decision procedure calls Given ERROR label E, basic block b needed(b, E): variables that need to be tracked at b Use invariant I at b iff vars(I)  needed(b,E)

27 Outline Introduction Using Invariants in abstraction-refinement loop Invariant generation Invariant selection Experimental results

28 Experimental results (TCAS) Localization of predicates using weakest pre-conditions [TACAS 2005] Localization of predicates using Craig Interpolation [Jhala et al., POPL 2004] Using octagonal invariants in the Default framework 1. Invariant generation for TCAS took 5 seconds 2. None of the above properties can be verified by octagonal invariants

29 Results from industrial benchmarks Checked for standard property violations

30 Experiments on Industry Programs Several interesting improvements with Octagon invariants  Number of unresolved (#None) checks is reduced (here, 0)  Provides performance improvement  Last example: not much extra cost with Proofs by SAT KLOC# Check s # P by SA # P by SAT # B by SAT # None Time (sec) # P by SA w/ Invar # P by SAT # B by SAT # None Time (sec) f10.5643290235966400015 f21.11686025641600066 f31.118852357216020104 f41.2221063347818130195 f51.21000465846040401 f61.626868457918080197 f71.828484458912440325 f83.62802671300144280000140 Note: #P = # Proofs, #B = # Bugs, # None = unresolved checks Without Octagon InvariantsWith Octagon Invariants

31 Invariant generation results Control flow based packing leads to invariants that are more likely to be useful in CEGAR loop

32 Invariant selection results Invariants generated using control flow based packing After invariant selection

33 Conclusion Using invariants in abstraction-refinement loop  Fewer predicates and refinement iterations  Can help when finding right predicates is difficult Invariant generation and selection  Finding useful invariants  Right packing strategies Current/Future work (by co-authors):  Generation of Disjunctive invariants [SISG SAS 2006]  Applications of invariants during BMC [GG ICCAD 2006]

34 Questions?

Download ppt "Using Statically Computed Invariants Inside the Predicate Abstraction and Refinement Loop Himanshu Jain Franjo Ivančić Aarti Gupta Ilya Shlyakhter Chao."

Similar presentations

Model Checking Base on Interoplation

Model Checking Base on Interoplation
A practical and complete approach to predicate abstraction Ranjit Jhala UCSD Ken McMillan Cadence Berkeley Labs.

A practical and complete approach to predicate abstraction Ranjit Jhala UCSD Ken McMillan Cadence Berkeley Labs.
Introduction to Formal Methods for SW and HW Development 09: SAT Based Abstraction/Refinement in Model-Checking Roberto Sebastiani Based on work and slides.

Introduction to Formal Methods for SW and HW Development 09: SAT Based Abstraction/Refinement in Model-Checking Roberto Sebastiani Based on work and slides.
SAT Based Abstraction/Refinement in Model-Checking Based on work by E. Clarke, A. Gupta, J. Kukula, O. Strichman (CAV’02)

SAT Based Abstraction/Refinement in Model-Checking Based on work by E. Clarke, A. Gupta, J. Kukula, O. Strichman (CAV’02)
50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.

50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
© Anvesh Komuravelli Spacer Automatic Abstraction in SMT-Based Unbounded Software Model Checking Anvesh Komuravelli Carnegie Mellon University Joint work.

© Anvesh Komuravelli Spacer Automatic Abstraction in SMT-Based Unbounded Software Model Checking Anvesh Komuravelli Carnegie Mellon University Joint work.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
Automatic Predicate Abstraction of C-Programs T. Ball, R. Majumdar T. Millstein, S. Rajamani.

Automatic Predicate Abstraction of C-Programs T. Ball, R. Majumdar T. Millstein, S. Rajamani.
Program Analysis as Constraint Solving Sumit Gulwani (MSR Redmond) Ramarathnam Venkatesan (MSR Redmond) Saurabh Srivastava (Univ. of Maryland) TexPoint.

Program Analysis as Constraint Solving Sumit Gulwani (MSR Redmond) Ramarathnam Venkatesan (MSR Redmond) Saurabh Srivastava (Univ. of Maryland) TexPoint.
Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer.

Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer.
BLAST-A Model Checker for C Developed by Thomas A. Henzinger (EPFL) Rupak Majumdar (UC Los Angeles) Ranjit Jhala (UC San Diego) Dirk Beyer (Simon Fraser.

BLAST-A Model Checker for C Developed by Thomas A. Henzinger (EPFL) Rupak Majumdar (UC Los Angeles) Ranjit Jhala (UC San Diego) Dirk Beyer (Simon Fraser.
SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:

SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:
The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.

The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.
Rahul Sharma Işil Dillig, Thomas Dillig, and Alex Aiken Stanford University Simplifying Loop Invariant Generation Using Splitter Predicates.

Rahul Sharma Işil Dillig, Thomas Dillig, and Alex Aiken Stanford University Simplifying Loop Invariant Generation Using Splitter Predicates.
Probabilistic CEGAR* Björn Wachter Joint work with Holger Hermanns, Lijun Zhang TexPoint fonts used in EMF. Read the TexPoint manual before you delete.

Probabilistic CEGAR* Björn Wachter Joint work with Holger Hermanns, Lijun Zhang TexPoint fonts used in EMF. Read the TexPoint manual before you delete.
Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar Shaz Qadeer.

Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar Shaz Qadeer.
Program Verification as Probabilistic Inference Sumit Gulwani Nebojsa Jojic Microsoft Research, Redmond.

Program Verification as Probabilistic Inference Sumit Gulwani Nebojsa Jojic Microsoft Research, Redmond.
1 Model Checking, Abstraction- Refinement, and Their Implementation Based on slides by: Orna Grumberg Presented by: Yael Meller June 2008.

1 Model Checking, Abstraction- Refinement, and Their Implementation Based on slides by: Orna Grumberg Presented by: Yael Meller June 2008.
Lazy Abstraction Thomas A. Henzinger Ranjit Jhala Rupak Majumdar Grégoire Sutre UC Berkeley.

Lazy Abstraction Thomas A. Henzinger Ranjit Jhala Rupak Majumdar Grégoire Sutre UC Berkeley.

Similar presentations

Ads by Google