Presentation is loading. Please wait.

Presentation is loading. Please wait.

Towards Game-Based Predicate Abstraction experiments in compositional model checking Adam Bakewell, University of Birmingham.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Towards Game-Based Predicate Abstraction experiments in compositional model checking Adam Bakewell, University of Birmingham."— Presentation transcript:

1 Towards Game-Based Predicate Abstraction experiments in compositional model checking Adam Bakewell, University of Birmingham

2 GAME BASED MODEL CHECKING

3 MAGE Compositional (game-based) MC ’ ing works, has benefits, and can be efficient. proof: –Take the regular language game model of IA –Reformulate model as tree of automata –Make model branches be function/model application –Be lazy: make transitions when demanded by checker –Be symbolic: don ’ t build the automata –Do CEGAR: approximate, certify, refine

4 COMO Compositional MC ’ ing can verify real code with competitive efficiency proof: –Take a C program and process with CIL –Transform to ALGOL-like compositional CFG language –Do MAGE better: pre-composed interaction transitions; bdd; cbv; state compression+random access; etc

5 compositional CFGs Program ::= ( τ f(x i : τ i ){new y i : τ ’ i.M})+ M ::= expr | M;M | lval:=expr | goto φ | case expr of {k i ->M i } φ = path to target from enclosing function root [[goto φ 1 ]] = jump from state φ 0 · φ 2 to φ 0 · φ 1 where φ 2 is the local path to this goto

6 still ill Still far too slow Data approximation is easily outwitted Other model checkers do much better with a different kind of approximation ….

7 e.g. xx1.c e.g. cc1.c #include extern int y; extern int main () { int x=y; assert(x!=x+1); return(0); } #include extern char d; extern int main () { char c=d; assert(c!=c+1); return(0); }

8 e.g. evenloop.c #include extern int y; int main() { int x = 0; int i = y; while(i-- >= 0) x += 2; assert(x%2==0); return(0); }

9 PREDICATE ABSTRACTION

10 evenloop.c CFG model ┴ 0,y 2,y-1 2y,0 SAFE UNSAFE x:=0;i=yi--;x+=2(i--;x+=2) (y-1) i < 0 2y,0 assert state: x,i

11 predicate abstraction (PA) P is a seq of predicates over program variables PA model is a CFG where States are #P bit-vectors (P-valuations) Transitions exist where some basic block can change state sat. source P-valuation to state sat. target P-valuation If #P <#(program state) then checking PA model is much quicker than checking program model

12 e.g. CFG PA model ┴ T TF SAFEUNSAFE x:=0;i=yi--;x+=2 i<0 F assert P=[x%2==0] i--;x+=2

13 PA issues P –must be sufficient to prove (un)safety –must be compact for feasibility (minimization) –derive from program/annotations –infer (e.g. by interpolation) modelling and checking –which p ’ s to update/test (scope) –when to update/test (laziness)

14 PA needs games? CFG PA Is not compositional! Issues may be addressed elegantly with a compositional, semantic- direct, formulation Let ’ s try it …

15 GAME BASED PREDICATE ABSTRACTION

16 GBPA v1 Take COMO architecture Do a simple p. extraction (assert invariants!) Locate each p. in model tree Replace state model with p. model: (:=) sets p. state (case) tests p. state

17 evenloop.c GBPA model ┴ T,T T,F SAFE UNSAFE x:=0;i=y x+=2tmp>0 tmp ≤ 0 assert P=[x%2==0,tmp>0] tmp:=i;i-- T,T T,F T,T T,F

18 PA model formalization move: arena + value + p.valuation [[CELL( x,P)]] –Binds vars x, abstracted as preds P –states are P-valuation vectors –write move: (x := v|p) goes to state2 if SAT(state2[x ’ /x] & x ’ =v & p & state) –read move: (x.x|state) preserves state; composition with [[case]] does SAT, e.g. SAT(x=v & p)

19 laziness is free COMO architecture is built to make model transitions on-demand: (:=) SAT calls can be suspended when a valid next state is found (case) SAT calls suspend while an alternative is explored

20 lo PREDICATE LOCATION

21 mind gym

22 mind gym: verify your answer #include int main() { int x = 19; assert(x==19); x=((((((((x+x)*2)+5)/3)+3)/2)+6)/7)+2; assert(x==??); return(0); }

23 e.g. multi assignment int main() { int x = 19; x=x+x; x=x*2; x=x+5; x=x/3; x=x+3; x=x/2; x=x+6; x=x/7; x=x+2; assert(x==5); return(0); } x!=5 here x=5 or x!=5 here assert has spurious failure

24 e.g. manual interpolation int main() { int x = 19; assert(x==19); x=x+x; assert(x==38); x=x*2; assert(x==76); x=x+5; assert(x==81); x=x/3; assert(x==27); x=x+3; assert(x==30); x=x/2; assert(x==15); x=x+6; assert(x==21); x=x/7; assert(x==3); x=x+2; assert(x==5); return(0); }

25 e.g. manual interpolation 10 assignments 10 predicates 10 assertions how many SAT calls to prove safety?

26 p location GBPA CELL automatically restricts p scope Program transform with tighter CELLs will need less SAT calls

27 e.g. manual relocation #include int gym1(z) { int y=2*z; assert(y==38); y=y*2; assert(y==76); y=y+5; assert(y==81); return(y); } int gym2(z) { int y=z/3; assert(y==27); y=y+3; assert(y==30); y=y/2; assert(y==15); return(y); } int gym3(z) { int y=z+6; assert(y==21); y=y/7; assert(y==3); y=y+2; assert(y==5); return(y); } int main() { int x = 19; assert(x==19); x=gym1(x); assert(x==81); x=gym2(x); assert(x==15); x=gym3(x); assert(x==5); return(0); }

28 e.g. manual relocation in main: –4 p ’ s to update: 16 SAT per (:=) –4 asserts test on state size 4 p ’ s in gymi functions: –3 p ’ s to update: 8 SAT per (:=) –local state size 3 p ’ s mostly sufficient –global state size 7 p ’ s sometimes used total SATs: 68 + 3 * 27 = 149

29 delayed SAT –An alternative to interpolation: –Allow state updates to be delayed until the kth –And delay state tests –Generalise CELL strategy s.t. states also record seq of delayed changes –Refine by increasing k

30 the position Game based model checking needs PA PA fits the games framework We get lazy PA for free Tight CELL location offers minimization delayed/incremental solving needs to be accommodated

Download ppt "Towards Game-Based Predicate Abstraction experiments in compositional model checking Adam Bakewell, University of Birmingham."

Similar presentations

The behavior of SAT solvers in model checking applications K. L. McMillan Cadence Berkeley Labs.

The behavior of SAT solvers in model checking applications K. L. McMillan Cadence Berkeley Labs.
Exploiting SAT solvers in unbounded model checking

Exploiting SAT solvers in unbounded model checking
A practical and complete approach to predicate abstraction Ranjit Jhala UCSD Ken McMillan Cadence Berkeley Labs.

A practical and complete approach to predicate abstraction Ranjit Jhala UCSD Ken McMillan Cadence Berkeley Labs.
Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.
Semantics Static semantics Dynamic semantics attribute grammars

Semantics Static semantics Dynamic semantics attribute grammars
A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.

A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.
Verification of Evolving Software Natasha Sharygina Joint work with Sagar Chaki and Nishant Sinha Carnegie Mellon University.

Verification of Evolving Software Natasha Sharygina Joint work with Sagar Chaki and Nishant Sinha Carnegie Mellon University.
50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.

50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.
© Anvesh Komuravelli Spacer Automatic Abstraction in SMT-Based Unbounded Software Model Checking Anvesh Komuravelli Carnegie Mellon University Joint work.

© Anvesh Komuravelli Spacer Automatic Abstraction in SMT-Based Unbounded Software Model Checking Anvesh Komuravelli Carnegie Mellon University Joint work.
© Anvesh Komuravelli Quantified Invariants in Rich Domains using Model Checking and Abstract Interpretation Anvesh Komuravelli, CMU Joint work with Ken.

© Anvesh Komuravelli Quantified Invariants in Rich Domains using Model Checking and Abstract Interpretation Anvesh Komuravelli, CMU Joint work with Ken.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
Introducing BLAST Software Verification John Gallagher CS4117.

Introducing BLAST Software Verification John Gallagher CS4117.
Copyright © 2006 Addison-Wesley. All rights reserved. 3.5 Dynamic Semantics Meanings of expressions, statements, and program units Static semantics – type.

Copyright © 2006 Addison-Wesley. All rights reserved. 3.5 Dynamic Semantics Meanings of expressions, statements, and program units Static semantics – type.
Fall 20021 Semantics Juan Carlos Guzmán CS 3123 Programming Languages Concepts Southern Polytechnic State University.

Fall Semantics Juan Carlos Guzmán CS 3123 Programming Languages Concepts Southern Polytechnic State University.
CS 330 Programming Languages 09 / 19 / 2006 Instructor: Michael Eckmann.

CS 330 Programming Languages 09 / 19 / 2006 Instructor: Michael Eckmann.
Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer.

Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer.
Relatively Complete Verification of Higher- Order Programs (via Automated Refinement Type Inference) Tachio Terauchi Nagoya University TexPoint fonts used.

Relatively Complete Verification of Higher- Order Programs (via Automated Refinement Type Inference) Tachio Terauchi Nagoya University TexPoint fonts used.
BLAST-A Model Checker for C Developed by Thomas A. Henzinger (EPFL) Rupak Majumdar (UC Los Angeles) Ranjit Jhala (UC San Diego) Dirk Beyer (Simon Fraser.

BLAST-A Model Checker for C Developed by Thomas A. Henzinger (EPFL) Rupak Majumdar (UC Los Angeles) Ranjit Jhala (UC San Diego) Dirk Beyer (Simon Fraser.
SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:

SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:
The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.

The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.

Similar presentations

Ads by Google