Presentation is loading. Please wait.

Presentation is loading. Please wait.

2006-11-30Newton: A tool for generating abstract explanations of infeasibility1 The Problem P (C Program) BP (Boolean Program of P) CFG(P) CFG(BP)

Published byRonald Hutchinson Modified over 9 years ago

Similar presentations

Presentation on theme: "2006-11-30Newton: A tool for generating abstract explanations of infeasibility1 The Problem P (C Program) BP (Boolean Program of P) CFG(P) CFG(BP)"— Presentation transcript:

1 2006-11-30Newton: A tool for generating abstract explanations of infeasibility1 The Problem P (C Program) BP (Boolean Program of P) CFG(P) CFG(BP)

2 2006-11-30Newton: A tool for generating abstract explanations of infeasibility2 The Problem P (C Program) BP (Boolean Program of P) CFG(P) CFG(BP) need refinement Where do predicates come from?

3 2006-11-30Newton: A tool for generating abstract explanations of infeasibility3 Generating Abstract Explanation of Spurious Counterexamples in C Programs Thomas Ball, Sriram K. Rajamani Technical Report 2006.11.30 Yunkyung Ahn some figures and slides are from http://research.microsoft.com/slam/PLDI03Tutorial.ppt

4 2006-11-30Newton: A tool for generating abstract explanations of infeasibility4 Goal P (path program) Found Bug good explanation (infeasible) Newton

5 2006-11-30Newton: A tool for generating abstract explanations of infeasibility5 The SLAM Process boolean pgm path predicates pgm P SLIC rule slic pgm P’ c2bp bebop newton

6 2006-11-30Newton: A tool for generating abstract explanations of infeasibility6 Path Program (Example) do { KeAcquireSpinLock(); A: KeAcquireSpinLock_return(); nPacketsOld = nPackets; request = devExt->WLHV; if(request){ request = request->Next; KeReleaseSpinLock(); B: KeReleaseSpinLock_return(); nPackets++; } C: } while (nPackets != nPacketsOld); KeReleaseSpinLock(); D: KeReleaseSpinLock_return(); enum { Unlocked=0, Locked=1 } state = Unlocked; void slic_abort() { SLIC_ERROR: ; } void KeAcquireSpinLock_return() { if (state == Locked) slic_abort(); else E: E: state = Locked; } void KeReleaseSpinLock_return { if (state == Unlocked) slic_abort(); else F: F: state = Unlocked; }

7 2006-11-30Newton: A tool for generating abstract explanations of infeasibility7 Path Program (Example) do { skip; A: KeAcquireSpinLock_return(); skip; if(*){ skip; B: KeReleaseSpinLock_return(); skip; } C: } while (*); skip; D: KeReleaseSpinLock_return(); decl {state==Locked}, {state==Unlocked}; void slic_abort() { SLIC_ERROR: skip; } void KeAcquireSpinLock_return() { if ({state==Locked}) slic_abort(); else E: E: {state==Locked},{state==Unlocked} := T,F; } void KeReleaseSpinLock_return() { if ({state == Unlocked}) slic_abort(); else F: F: {state==Locked},{state==Unlocked} := F,T; }

8 2006-11-30Newton: A tool for generating abstract explanations of infeasibility8 Path Program (Example) do { KeAcquireSpinLock(); A: KeAcquireSpinLock_return(); nPacketsOld = nPackets; request = devExt->WLHV; if(request){ request = request->Next; KeReleaseSpinLock(); B: KeReleaseSpinLock_return(); nPackets++; } C: } while (nPackets != nPacketsOld); KeReleaseSpinLock(); D: KeReleaseSpinLock_return(); enum { Unlocked=0, Locked=1 } state = Unlocked; void slic_abort() { SLIC_ERROR: ; } void KeAcquireSpinLock_return() { if (state == Locked) slic_abort(); else E: E: state = Locked; } void KeReleaseSpinLock_return { if (state == Unlocked) slic_abort(); else F: F: state = Unlocked; } nPackets = nPacketsOld; request = devExt->WLHeadVa; nPackets = nPacketsOld; request = devExt->WLHeadVa; assume(!request); assume(nPackets != nPacketsOld);

9 2006-11-30Newton: A tool for generating abstract explanations of infeasibility9 Example p1 is infeasible condition: e1 = (b > 0)  (c = 2b)  (a = b - 1) e1 implies (a  c) E1 = {(b > 0), (c = 2b), (a = b), (a = b-1)} an explanation of p1’ infeasibility 1 assume(b>0); 2 c := 2  b; 3 a := b; 4 a := a – 1; 5 assume(a<b); 6 assume(a=c); p1 (path program ) (b > 0)(b > 0), (c=2b)(b > 0), (c=2b), (a=b)(b > 0), (c=2b), (a=b-1)

10 2006-11-30Newton: A tool for generating abstract explanations of infeasibility10 Example Is there a better explanation than E1? p2 is infeasible condition: e2 = (b > 0)  (c = 2b)  (a < b) e2 implies (a  c) e2 is more abstract (weaker) than e1 e1 = (b > 0)  (c = 2b)  (a = b - 1) e2 = (b > 0)  (c = 2b)  (a < b) e1  e2 1 assume(b>0); 2 c := 2  b; 3 a := b; 4 a := a – 1; 5 assume(a<b); 6 assume(a=c); p1 (path program ) 1 assume(b>0); 2 c := 2  b; 5 assume(a<b); 6 assume(a=c); p2 (path program )

11 2006-11-30Newton: A tool for generating abstract explanations of infeasibility11 Example E1 = {(b > 0), (c = 2b), (a = b), (a = b-1)} E2 = {(b > 0), (c = 2b), (a < b)} E1, E2: explanations of p1’s infeasibility E2 is a better explanation than E1 1 assume(b>0); 2 c := 2  b; 3 a := b; 4 a := a – 1; 5 assume(a<b); 6 assume(a=c); p1 (path program ) 1 assume(b>0); 2 c := 2  b; 5 assume(a<b); 6 assume(a=c); p2 (path program )

12 2006-11-30Newton: A tool for generating abstract explanations of infeasibility12 Example - Annotation introduce a fresh symbolic constant in p1, there is no variable is used without first being defined 1 assume(b>0); 2 c := 2  b; 3 a := b; 4 a := a – 1; 5 assume(a<b); 6 assume(a=c); p1 1 b :=  b 2 assume(b>0); 3 c := 2  b; 4 a := b; 5 a := a – 1; 6 assume(a<b); 7 assume(a=c); p1’

13 2006-11-30Newton: A tool for generating abstract explanations of infeasibility13 Semantics of Path SP (strongest post condition) in terms of p SP maps a context to a new context : a context ,store represents the current valuation ,condition represents the constraints ,history represents the past valuations

14 2006-11-30Newton: A tool for generating abstract explanations of infeasibility14 Strongest Postcondition Example (Path simulation of p1) p1’  : store  : conditions  : history b :=  b ; assume(b>0); c := 2  b; a := b; a := a – 1; assume(a<b); assume(a=c); p1’  : store  : conditions  : history b :=  b ;(b,  b ) assume(b>0); c := 2  b; a := b; a := a – 1; assume(a<b); assume(a=c); p1’  : store  : conditions  : history b :=  b ;(b,  b ) assume(b>0);(b,  b )  b > 0 c := 2  b; a := b; a := a – 1; assume(a<b); assume(a=c); p1’  : store  : conditions  : history b :=  b ;(b,  b ) assume(b>0);(b,  b )  b > 0 c := 2  b;(b,  b ), (c, 2  b )  b > 0 a := b;(a,  b ), (b,  b ), (c, 2  b )  b > 0 a := a – 1;(a,  b -1), (b,  b ), (c, 2  b )  b > 0(a,  b ) assume(a<b);(a,  b -1), (b,  b ), (c, 2  b )  b > 0,  b -1 <  b (a,  b ) assume(a=c);(a,  b -1), (b,  b ), (c, 2  b )  b > 0,  b -1 <  b, 2  b =  b - 1 (a,  b ) p1’  : store  : conditions  : history b :=  b ;(b,  b ) assume(b>0);(b,  b )  b > 0 c := 2  b;(b,  b ), (c, 2  b )  b > 0 a := b;(a,  b ), (b,  b ), (c, 2  b )  b > 0 a := a – 1;(a,  b -1), (b,  b ), (c, 2  b )  b > 0(a,  b ) assume(a<b);(a,  b -1), (b,  b ), (c, 2  b )  b > 0,  b -1 <  b (a,  b ) assume(a=c);(a,  b -1), (b,  b ), (c, 2  b )  b > 0,  b -1 <  b, 2  b =  b - 1 (a,  b )

15 2006-11-30Newton: A tool for generating abstract explanations of infeasibility15 Example How to generate a good explanation p1,p2: infeasible paths p2 is a ICPP (Infeasible Consistent Path Projection) of p1 we can use the ICPP to generate an abstract explanation 1 assume(b>0); 2 c := 2  b; 3 a := b; 4 a := a – 1; 5 assume(a<b); 6 assume(a=c); 1 assume(b>0); 2 c := 2  b; 5 assume(a<b); 6 assume(a=c); p1p2

16 2006-11-30Newton: A tool for generating abstract explanations of infeasibility16 Example p2 is a ICPP of p1 1 assume(b>0); 2 c := 2  b; 3 a := b; 4 a := a – 1; 5 assume(a<b);, b :=  b ; 1 assume(b>0); 2 c := 2  b; 3 a := b; 4 a := a – 1; a :=  a ; 5 assume(a<b); 6 assume(a=b); p2 p1 1 assume(b>0); 2 c := 2  b; a :=  a ; 5 assume(a<b); 6 assume(a=b); b :=  b ; 1 assume(b>0); 2 c := 2  b; a :=  a ; 5 assume(a<b); 6 assume(a=b);

17 2006-11-30Newton: A tool for generating abstract explanations of infeasibility17 Newton implements SP to check if a path p is infeasible find an abstract explanation for the infeasibility of p based on constructing ICPPs, if p is infeasible Internal state of Newton has 3 components store (  ): map from variables to values condition(  ): predicates over symbols history(  ) : past valuations of the store Newton function in 3 phases: Phase1: check feasibility Phase2: minimize conditions Phase3: find a explanation

18 2006-11-30Newton: A tool for generating abstract explanations of infeasibility18 Example Store ConditionsHistory 1 assume(b>0); 2 c := 2  b; 3 a := b; 4 a := a – 1; 5 assume(a<b); 6 assume(a=c);

19 2006-11-30Newton: A tool for generating abstract explanations of infeasibility19 Example Store ConditionsHistoryStore 1b bb () Conditions (  b > 0)(1) 1 assume(b>0); 2 c := 2  b; 3 a := b; 4 a := a – 1; 5 assume(a<b); 6 assume(a=c);

20 2006-11-30Newton: A tool for generating abstract explanations of infeasibility20 Example Store ConditionsHistoryStore 1b bb () Conditions (  b > 0)(1) Store 1b bb () 2c2  b (1) 1 assume(b>0); 2 c := 2  b; 3 a := b; 4 a := a – 1; 5 assume(a<b); 6 assume(a=c);

21 2006-11-30Newton: A tool for generating abstract explanations of infeasibility21 Example Store ConditionsHistoryStore 1b bb () Conditions (  b > 0)(1) Store 1b bb () 2c2  b (1) Store 1b bb () 2c2  b (1) 3a bb 1 assume(b>0); 2 c := 2  b; 3 a := b; 4 a := a – 1; 5 assume(a<b); 6 assume(a=c);

22 2006-11-30Newton: A tool for generating abstract explanations of infeasibility22 Example Store ConditionsHistoryStore 1b bb () Conditions (  b > 0)(1) Store 1b bb () 2c2  b (1) Store 1b bb () 2c2  b (1) 3a bb Store 1b bb () 2c2  b (1) 4a  b -1(3) History 3a bb (1) 1 assume(b>0); 2 c := 2  b; 3 a := b; 4 a := a – 1; 5 assume(a<b); 6 assume(a=c);

23 2006-11-30Newton: A tool for generating abstract explanations of infeasibility23 Example Store ConditionsHistoryStore 1b bb () Conditions (  b > 0)(1) Store 1b bb () 2c2  b (1) Store 1b bb () 2c2  b (1) 3a bb Store 1b bb () 2c2  b (1) 4a  b -1(3) History 3a bb (1) Store 1b bb () 2c2  b (1) 5a aa () Conditions (  b > 0)(1) (  a <  b )(1,5) 1 assume(b>0); 2 c := 2  b; 3 a := b; 4 a := a – 1; 5 assume(a<b); 6 assume(a=c);

24 2006-11-30Newton: A tool for generating abstract explanations of infeasibility24 Example Store ConditionsHistoryStore 1b bb () Conditions (  b > 0)(1) Store 1b bb () 2c2  b (1) Store 1b bb () 2c2  b (1) 3a bb Store 1b bb () 2c2  b (1) 4a  b -1(3) History 3a bb (1) Store 1b bb () 2c2  b (1) 5a aa () Conditions (  b > 0)(1) (  a <  b )(1,5) Conditions (  b > 0)(1) (  a <  b )(1,5) (  a = 2  b )(2,5) a explanation of infeasibility {(  b > 0),(  a <  b ), (  a = 2  b )} {, } 1 assume(b>0); 2 c := 2  b; 3 a := b; 4 a := a – 1; 5 assume(a<b); 6 assume(a=c);

25 2006-11-30Newton: A tool for generating abstract explanations of infeasibility25 Experimental Results Newton generates a very small explanation. Every iteration of Newton took under a minute consumed less than 10MB of memory in a 996Mhz Pentium PC with 256MB RAM

26 2006-11-30Newton: A tool for generating abstract explanations of infeasibility26 Summary Symbolic path simulator Check conditions for inconsistency using theorem prover (Simplify) After detecting inconsistency: minimize inconsistent conditions traverse dependencies obtain predicates SLAM = The first CEGAR project CEGAR = Counter-Example Guided Abstraction Iterative Abstraction Refinement

Download ppt "2006-11-30Newton: A tool for generating abstract explanations of infeasibility1 The Problem P (C Program) BP (Boolean Program of P) CFG(P) CFG(BP)"

Similar presentations

A SAT characterization of boolean-program correctness K. Rustan M. Leino Microsoft Research, Redmond, WA 14 Nov 2002 IFIP WG 2.4 meeting, Schloβ Dagstuhl,

A SAT characterization of boolean-program correctness K. Rustan M. Leino Microsoft Research, Redmond, WA 14 Nov 2002 IFIP WG 2.4 meeting, Schloβ Dagstuhl,
Advanced programming tools at Microsoft

Advanced programming tools at Microsoft
The Static Driver Verifier Research Platform

The Static Driver Verifier Research Platform
The SLAM Project: Debugging System Software via Static Analysis

The SLAM Project: Debugging System Software via Static Analysis
Abstraction in Model Checking Nishant Sinha. Model Checking Given a: –Finite transition system M –A temporal property p The model checking problem: –Does.

Abstraction in Model Checking Nishant Sinha. Model Checking Given a: –Finite transition system M –A temporal property p The model checking problem: –Does.
Verification of Evolving Software Natasha Sharygina Joint work with Sagar Chaki and Nishant Sinha Carnegie Mellon University.

Verification of Evolving Software Natasha Sharygina Joint work with Sagar Chaki and Nishant Sinha Carnegie Mellon University.
Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani

Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani
1 Lecture 08(c) – Predicate Abstraction and SLAM Eran Yahav.

1 Lecture 08(c) – Predicate Abstraction and SLAM Eran Yahav.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
1 Thorough Static Analysis of Device Drivers Byron Cook – Microsoft Research Joint work with: Tom Ball, Vladimir Levin, Jakob Lichtenberg,

1 Thorough Static Analysis of Device Drivers Byron Cook – Microsoft Research Joint work with: Tom Ball, Vladimir Levin, Jakob Lichtenberg,
A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.

A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.
Chair of Software Engineering Software Verification Stephan van Staden Lecture 10: Model Checking.

Chair of Software Engineering Software Verification Stephan van Staden Lecture 10: Model Checking.
Thomas Ball, Rupak Majumdar, Todd Millstein, Sriram K. Rajamani Presented by Yifan Li November 22nd In PLDI 01: Programming Language.

Thomas Ball, Rupak Majumdar, Todd Millstein, Sriram K. Rajamani Presented by Yifan Li November 22nd In PLDI 01: Programming Language.
BLAST-A Model Checker for C Developed by Thomas A. Henzinger (EPFL) Rupak Majumdar (UC Los Angeles) Ranjit Jhala (UC San Diego) Dirk Beyer (Simon Fraser.

BLAST-A Model Checker for C Developed by Thomas A. Henzinger (EPFL) Rupak Majumdar (UC Los Angeles) Ranjit Jhala (UC San Diego) Dirk Beyer (Simon Fraser.
The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.

The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.
Software Verification via Refinement Checking Sagar Chaki, Edmund Clarke, Alex Groce, CMU Somesh Jha, Wisconsin.

Software Verification via Refinement Checking Sagar Chaki, Edmund Clarke, Alex Groce, CMU Somesh Jha, Wisconsin.
Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar Shaz Qadeer.

Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar Shaz Qadeer.
Using Statically Computed Invariants Inside the Predicate Abstraction and Refinement Loop Himanshu Jain Franjo Ivančić Aarti Gupta Ilya Shlyakhter Chao.

Using Statically Computed Invariants Inside the Predicate Abstraction and Refinement Loop Himanshu Jain Franjo Ivančić Aarti Gupta Ilya Shlyakhter Chao.
Software Verification with Blast Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar, George Necula, Grégoire Sutre, Wes Weimer UC Berkeley.

Software Verification with Blast Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar, George Necula, Grégoire Sutre, Wes Weimer UC Berkeley.
State-Event Software Verification for Branching-Time Specifications Sagar Chaki, Ed Clarke, Joel Ouaknine, Orna Grumberg Natasha Sharygina, Tayssir Touili,

State-Event Software Verification for Branching-Time Specifications Sagar Chaki, Ed Clarke, Joel Ouaknine, Orna Grumberg Natasha Sharygina, Tayssir Touili,

Similar presentations

Ads by Google