Presentation is loading. Please wait.

Presentation is loading. Please wait.

Localization and Register Sharing for Predicate Abstraction Himanshu Jain Franjo Ivančić Aarti Gupta Malay Ganai.

Published byArchibald Clark Modified over 9 years ago

Similar presentations

Presentation on theme: "Localization and Register Sharing for Predicate Abstraction Himanshu Jain Franjo Ivančić Aarti Gupta Malay Ganai."— Presentation transcript:

1 Localization and Register Sharing for Predicate Abstraction Himanshu Jain Franjo Ivančić Aarti Gupta Malay Ganai

2 Introduction Predicate abstraction  Abstracts data by keeping track of certain predicates  Each predicate given a boolean variable in abstract model  Scalability depends on choice and usage of predicates

3 Counterexample Guided Abstraction and Refinement Property Monitor C programs Static Analysis Abstraction Model check (DiVer) Analysis & Refinement  Discovered bug in software Certified code F-Soft

4 Motivation Computing predicate relationships is expensive Localization of predicates  Identify important predicates at each program location  Identify important predicate relationships

5 Some notation Spurious trace  Infeasible sequence of statements Predicate relationships  Example: (p1 Æ : p2), (p1’ $ p3) 1. x = m; 2. y = m; 3. assume (x != y);

6 Related work BLAST uses interpolation to find important predicates at each statement in spurious trace [Jhala et al., 04]  Localization of predicates  Interpolation produces “good” predicates? Syntactic program transformations for automatic abstraction [Namjoshi et al.] MAGIC tool [Chaki et al.]

7 Given a spurious trace s 1 ;….;s k Use weakest pre-conditions to identify important predicates at each statement s i Most predicate relationships obtained from refinement itself Our approach

8 Outline Introduction Localization of predicates Register Sharing Dedicated State Variables Experimental results

9 Abstraction 1 : x = ctr; 2 : y = ctr + 1; 3 : if (x = i-1){ 4 : if (y != i){ ERROR: } 1 : skip; 2 : skip; 3 : if (*){ 4 : if (*){ ERROR: } Abstract C programNo predicates available currently

10 Checking the abstract model 1 : skip; 2 : skip; 3 : if (*){ 4 : if (*){ ERROR: } No predicates available currently Is ERROR reachable? yes Abstract model has a path leading to error state

11 Concretization of abstract counterexample 1 : x = ctr; 2 : y = ctr + 1; 3 : assume(x == i-1) 4 : assume (y != i) 1 : skip; 2 : skip; 3 : if (*){ 4 : if (*){ ERROR: } Concrete trace

12 Simulation Does this correspond to a real bug? Spurious trace We use a SAT solver 1 : x = ctr; 2 : y = ctr + 1; 3 : assume(x == i-1) 4 : assume (y != i) Concrete trace Spurious Counterexample

13 Refinement 1 : x = ctr; 2 : y = ctr + 1; 3 : assume(x == i-1) 4 : assume (y != i) Spurious Counterexample y != i ctr + 1 != i x == i -1 ctr == i - 1 Localization information

14 Predicate relationships 1 : x = ctr; 2 : y = ctr + 1; 3 : assume(x == i-1) 4 : assume (y != i) Spurious Counterexample y != i ctr + 1 != i x == i -1 ctr == i - 1 Localization information ?

15 1: x = ctr; 2: y = ctr + 1; 3: if (x = i-1){ 4: if (y != i){ ERROR: } What happened so far 1: skip; 2: skip; 3: if (*){ 4: if (*){ ERROR: } Initial abstraction 1: x = ctr; 2: y = ctr + 1; 3: assume(x == i-1) 4: assume (y != i) Spurious counterexample y != i x == i -1 ctr + 1 != i x == i - 1 ctr + 1 != ictr == i - 1 Localization information

16 Computing new abstraction 1: x = ctr; 2: y = ctr + 1; 3: if (x = i-1){ 4: if (y != i){ ERROR: } Computing new abstraction 1: 2: 3: if ( ){ 4: if ( ){ ERROR: } y != i x == i -1 ctr + 1 != i x == i - 1 ctr + 1 != ictr == i - 1 Localization information y != i x == i -1ctr + 1 != i x == i - 1 ctr + 1 != ictr == i - 1 Localization information

17 1: x = ctr; 2: y = ctr + 1; 3: if (x = i-1){ 4: if (y != i){ ERROR: } Computing new abstraction 1: 2: 3: if ( ){ 4: if (b0){ ERROR: } Computing new abstraction y != i x == i -1ctr + 1 != i x == i - 1 ctr + 1 != ictr == i - 1 Localization information Boolean b0 : y != i

18 1: x = ctr; 2: y = ctr + 1; 3: if (x = i-1){ 4: if (y != i){ ERROR: } Computing new abstraction 1: 2: 3: if (b1){ 4: if (b0){ ERROR: } Computing new abstraction y != i x == i -1ctr + 1 != i x == i - 1 ctr + 1 != ictr == i - 1 Localization information Boolean b1 : x==i-1 Boolean b0 : y != i

19 1: x = ctr; 2: y = ctr + 1; 3: if (x = i-1){ 4: if (y != i){ ERROR: } Computing new abstraction 1: 2: b0 = b2; 3: if (b1){ 4: if (b0){ ERROR: } Computing new abstraction y != i x == i -1ctr + 1 != i x == i - 1 ctr + 1 != ictr == i - 1 Localization information Boolean b2 : ctr+1 != i Boolean b1 : x == i-1 Boolean b0 : y != i

20 1: x = ctr; 2: y = ctr + 1; 3: if (x = i-1){ 4: if (y != i){ ERROR: } Computing new abstraction 1: b1 = b3; 2: b0 = b2; 3: if (b1){ 4: if (b0){ ERROR: } Computing new abstraction y != i x == i -1 ctr + 1 != i x == i - 1 ctr + 1 != ictr == i - 1 Localization information Boolean b3 : ctr == i -1 Boolean b2 : ctr+1 != i Boolean b1 : x == i - 1 Boolean b0 : y != i No decision procedure used so far

21 1: x = ctr; 2: y = ctr + 1; 3: if (x = i-1){ 4: if (y != i){ ERROR: } Computing new abstraction 1: b1 = b3; 2: b0 = b2; 3: if (b1){ 4: if (b0){ ERROR: } Computing new abstraction y != i x == i -1 ctr + 1 != i x == i - 1 ctr + 1 != ictr == i - 1 Localization information Boolean b3 : ctr == i -1 Boolean b2 : ctr+1 != i Boolean b1 : x == i - 1 Boolean b0 : y != i What about initial values of b2 and b3? SAT-based predicate abstraction Kroening et al. Lahiri et al. ?

22 1: x = ctr; 2: y = ctr + 1; 3: if (x = i-1){ 4: if (y != i){ ERROR: } Computing new abstraction 1: b1 = b3; 2: b0 = b2; 3: if (b1){ 4: if (b0){ ERROR: } Computing new abstraction Boolean b3 : ctr == i -1 Boolean b2 : ctr+1 != i Boolean b1 : x == i - 1 Boolean b0 : y != i Global constraint: (b2 $ : b3) y != i x == i -1 ctr + 1 != i x == i - 1 ctr + 1 != ictr == i - 1 Localization information

23 Abstraction without register sharing 1: b1 = b3; 2: b0 = b2; 3: if (b1){ 4: if (b0){ ERROR: } Computing new abstraction Boolean b3 : ctr == i -1 Boolean b2 : ctr+1 != i Boolean b1 : x == i - 1 Boolean b0 : y != i Global constraint: (b2 $ : b3)

24 Model check 1: b1 = b3; 2: b0 = b2; 3: if (b1){ 4: if (b0){ ERROR: } Computing new abstraction Boolean b3 : ctr == i -1 Boolean b2 : ctr+1 != i Boolean b1 : x == i - 1 Boolean b0 : y != i Global constraint: (b2 $ : b3) ERROR is not reachable!

25 What have we covered so far Localize predicates using weakest pre-conditions Utilizing weakest pre-condition relationships Bottleneck  Model checking of abstraction without register sharing

26 Due to localization many predicates are useful only at a few program locations Reuse state variables for representing other predicates  Similar to register allocation Register sharing

27 Abstraction with register sharing y != i x == i -1 ctr + 1 != i x == i - 1 ctr + 1 != ictr == i - 1 Localization information y != i x == i -1 ctr + 1 != i x == i - 1 ctr + 1 != ictr == i - 1 Localization information b0 b2 b1 b3 Do we need 4 Boolean variables?

28 Abstraction with register sharing y != i x == i -1 ctr + 1 != i x == i - 1 ctr + 1 != ictr == i - 1 Localization information y != i x == i -1 ctr + 1 != i x == i - 1 ctr + 1 != ictr == i - 1 Localization information c0 c1 1: b1 = b3; 2: b0 = b2; 3: if (b1){ 4: if (b0){ ERROR: } Global constraint: (b2 $ : b3) 1: skip; 2: skip; 3: if (c1){ 4: if (c0){ ERROR: } Local constraint: (PC = 1) ! (c0 $ : c1) Without With b0 b2 b1 b3

29 Register sharing Reduces Boolean variables in the abstract model by register sharing Speeds up model checking of abstractions What’s next  Reducing number of refinement iterations

30 Problem with register sharing p p L1 L20 L2 L19 b1 b2 = 0 = 1 Spurious

31 Dedicated state variable p p L1 L20 L2 L19 b b

32 Dedicated state variables Initially each predicate is assigned a Boolean variable, which can be reused If a predicate is localized at many statements,  |{s: p 2 local(s)}| > TH for some threshold TH  p is assigned a dedicated state variable (not reused)  By having a low value of TH, we can discover globally useful predicates early Why this works?

33 Experimental Results TCAS (Traffic Alert and Collision Avoidance System)  Lines of code 1652  We checked 10 different safety properties  Non-trivial number of predicates needed for each property both by F-Soft and BLAST

34 F-Soft versus BLAST (craig 2 + predH7) F-Soft

35 Summary Localize predicates using weakest pre-conditions  Most predicate relationships obtained as by product  Faster and less coarse abstractions  Comparable to interpolation based techniques Model checking abstractions  Exploit localization information for reducing Boolean variables Reducing refinement iterations  Predict globally useful predicates early in abstraction refinement process

36 Questions?

Download ppt "Localization and Register Sharing for Predicate Abstraction Himanshu Jain Franjo Ivančić Aarti Gupta Malay Ganai."

Similar presentations

Introduction to Formal Methods for SW and HW Development 09: SAT Based Abstraction/Refinement in Model-Checking Roberto Sebastiani Based on work and slides.

Introduction to Formal Methods for SW and HW Development 09: SAT Based Abstraction/Refinement in Model-Checking Roberto Sebastiani Based on work and slides.
SAT Based Abstraction/Refinement in Model-Checking Based on work by E. Clarke, A. Gupta, J. Kukula, O. Strichman (CAV’02)

SAT Based Abstraction/Refinement in Model-Checking Based on work by E. Clarke, A. Gupta, J. Kukula, O. Strichman (CAV’02)
50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.

50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
© Anvesh Komuravelli Spacer Automatic Abstraction in SMT-Based Unbounded Software Model Checking Anvesh Komuravelli Carnegie Mellon University Joint work.

© Anvesh Komuravelli Spacer Automatic Abstraction in SMT-Based Unbounded Software Model Checking Anvesh Komuravelli Carnegie Mellon University Joint work.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
Introducing BLAST Software Verification John Gallagher CS4117.

Introducing BLAST Software Verification John Gallagher CS4117.
A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.

A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.
Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer.

Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer.
BLAST-A Model Checker for C Developed by Thomas A. Henzinger (EPFL) Rupak Majumdar (UC Los Angeles) Ranjit Jhala (UC San Diego) Dirk Beyer (Simon Fraser.

BLAST-A Model Checker for C Developed by Thomas A. Henzinger (EPFL) Rupak Majumdar (UC Los Angeles) Ranjit Jhala (UC San Diego) Dirk Beyer (Simon Fraser.
The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.

The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.
Software Verification via Refinement Checking Sagar Chaki, Edmund Clarke, Alex Groce, CMU Somesh Jha, Wisconsin.

Software Verification via Refinement Checking Sagar Chaki, Edmund Clarke, Alex Groce, CMU Somesh Jha, Wisconsin.
Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar Shaz Qadeer.

Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar Shaz Qadeer.
Using Statically Computed Invariants Inside the Predicate Abstraction and Refinement Loop Himanshu Jain Franjo Ivančić Aarti Gupta Ilya Shlyakhter Chao.

Using Statically Computed Invariants Inside the Predicate Abstraction and Refinement Loop Himanshu Jain Franjo Ivančić Aarti Gupta Ilya Shlyakhter Chao.
Lazy Abstraction Thomas A. Henzinger Ranjit Jhala Rupak Majumdar Grégoire Sutre UC Berkeley.

Lazy Abstraction Thomas A. Henzinger Ranjit Jhala Rupak Majumdar Grégoire Sutre UC Berkeley.
Scalable Error Detection using Boolean Satisfiability 1 Yichen Xie and Alex Aiken Stanford University.

Scalable Error Detection using Boolean Satisfiability 1 Yichen Xie and Alex Aiken Stanford University.
Interpolants [Craig 1957] G(y,z) F(x,y)

Interpolants [Craig 1957] G(y,z) F(x,y)
Counterexample-Guided Focus TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAA A A A AA A A Thomas Wies Institute of.

Counterexample-Guided Focus TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAA A A A AA A A Thomas Wies Institute of.
Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar [UC Berkeley] Shaz Qadeer [Microsoft Research]

Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar [UC Berkeley] Shaz Qadeer [Microsoft Research]
Lazy Predicate Abstraction in BLAST John Gallagher CS4117.

Lazy Predicate Abstraction in BLAST John Gallagher CS4117.

Similar presentations

Ads by Google