Presentation is loading. Please wait.

Presentation is loading. Please wait.

SMT and Its Application in Software Verification (Part II) Yu-Fang Chen IIS, Academia Sinica Based on the slides of Barrett, Sanjit, Kroening, Rummer,

Published byEsmond Patterson Modified over 9 years ago

Similar presentations

Presentation on theme: "SMT and Its Application in Software Verification (Part II) Yu-Fang Chen IIS, Academia Sinica Based on the slides of Barrett, Sanjit, Kroening, Rummer,"— Presentation transcript:

1 SMT and Its Application in Software Verification (Part II) Yu-Fang Chen IIS, Academia Sinica Based on the slides of Barrett, Sanjit, Kroening, Rummer, Sinha, Jhala, and Majumdar, McMillan

2 Lazy abstraction -- an example do{ lock(); old = new; if(*){ unlock(); new++; } } while (new != old); program fragment L=0 L=1; old=new [L!=0] L=0; new++ [new==old] [new!=old] control-flow graph

3 Unwinding the CFG L=0 L=1; old=new [L!=0] L=0; new++ [new==old] [new!=old] control-flow graph 0 T

4 1 L=0 T Unwinding the CFG L=0 L=1; old=new [L!=0] L=0; new++ [new==old] [new!=old] control-flow graph 0 T Compute Post (T, L=0)= T[L/L’] Æ L=0[L/L’] = (L=0) Make Abstraction (L=0)  T Pass Replace all free occurrences of L in the formula with L’

5 1 L=0 T 2 [L!=0] Unwinding the CFG L=0 L=1; old=new [L!=0] L=0; new++ [new==old] [new!=old] control-flow graph 0 T Compute Post (T, [L!=0])= T Æ (L!=0) = (L!=0) ERROR state reached!

6 1 L=0 T 2 [L!=0] Unwinding the CFG L=0 L=1; old=new [L!=0] L=0; new++ [new==old] [new!=old] control-flow graph 0 T Compute Post (T, [L!=0])= T Æ (L!=0) = (L!=0) ERROR state reached! T TL=0 L!=0 [L!=0]

7 1 L=0 T 2 [L!=0] Unwinding the CFG L=0 L=1; old=new [L!=0] L=0; new++ [new==old] [new!=old] control-flow graph 0 T Compute Post (T, [L!=0])= T Æ (L!=0) = (L!=0) ERROR state reached! T TL=0 L!=0 [L!=0] L!=0 WPre(L!=0, [L!=0]) = (L!=0)

8 1 L=0 T 2 [L!=0] Unwinding the CFG L=0 L=1; old=new [L!=0] L=0; new++ [new==old] [new!=old] control-flow graph 0 T Compute Post (T, [L!=0])= T Æ (L!=0) = (L!=0) ERROR state reached! L=0 T L!=0 [L!=0] L!=0 WPre(L!=0, [L!=0]) = (L!=0) Compute Craig Interpolant: (L=0) 1. (L=0)  (L=0) 2. (L=0) Æ (L=0) is UNSAT 3. Use only share var. of (L=0) and (L!=0)

9 1 L=0 2 [L!=0] Unwinding the CFG L=0 L=1; old=new [L!=0] L=0; new++ [new==old] [new!=old] control-flow graph 0 T Compute Post (T, [L!=0])= T Æ (L!=0) = (L!=0) ERROR state reached! L=0 T L!=0 [L!=0] L!=0 WPre(L!=0, [L!=0]) = (L!=0) Compute Craig Interpolant: (L=0) 1. (L=0)  (L=0) 2. (L=0) Æ (L=0) is UNSAT 3. Use only share var. of (L=0) and (L!=0) F

10 3 L=1; old=new L!=0 Unwinding the CFG L=0 L=1; old=new [L!=0] L=0; new++ [new==old] [new!=old] control-flow graph 0 12 L=0 [L!=0] F L=0 T Compute Post (L=0, L=1) = (L=0)[L/L’] Æ L=1[L/L’] = (L’=0 Æ L=1) Compute Post (L’=0 Æ L=1, old=new) = (L’=0 Æ L=1)[old/old’] Æ old=new[old/old’] = L’=0 Æ L=1 Æ old=new Make Abstraction (L’=0 Æ L=1 Æ old=new)  (L!=0) Pass (L’=0 Æ L=1 Æ old=new)  (L=0) Not Passed

11 4 L=0; new++ L=0 3 L=1; old=new L!=0 Unwinding the CFG L=0 L=1; old=new [L!=0] L=0; new++ [new==old] [new!=old] control-flow graph 0 12 L=0 [L!=0] F L=0 T Compute Post (L!=0, L=0) = (L!=0)[L/L’] Æ L=0[L/L’] = (L’!=0 Æ L=0) Compute Post (L’!=0 Æ (L=0), new=new+1) = (L’!=0 Æ L=0)[new/new’] Æ new=(new+1)[new/new’] = (L’!=0 Æ L=0 Æ new=new’+1) Make Abstraction (L’!=0 Æ L=0 Æ new=new’+1)  (L!=0) Not Passed (L’!=0 Æ L=0 Æ new=new’+1)  (L=0) Pass

12 5 [new!=old] L=0 4 L=0; new++ L=0 3 L=1; old=new L!=0 Unwinding the CFG L=0 L=1; old=new [L!=0] L=0; new++ [new==old] [new!=old] control-flow graph 0 12 L=0 [L!=0] F L=0 T Compute Post (L=0, [new!=old]) = (L=0 Æ new!=old) Make Abstraction (L=0 Æ new!=old)  (L!=0) Not Passed (L=0 Æ new!=old)  (L=0) Pass

13 5 [new!=old] L=0 4 L=0; new++ L=0 3 L=1; old=new L!=0 Unwinding the CFG L=0 L=1; old=new [L!=0] L=0; new++ [new==old] [new!=old] control-flow graph 0 12 L=0 [L!=0] F L=0 T Covering: state 5 is subsumed by state 1. L=1  L=1 Pass

14 L!=0 Unwinding the CFG L=0 L=1; old=new [L!=0] L=0; new++ [new==old] [new!=old] control-flow graph 0 12 3 4 5 L=0 L=1; old=new [L!=0] L=0; new++ [new!=old] F L=0 7 [new==old] L=0 T Compute Post (L=0, [new==old]) = (L=0 Æ new==old) Make Abstraction (L=0 Æ new!=old)  (L!=0) Not Passed (L=0 Æ new!=old)  (L=0) Pass

15 L!=0 Unwinding the CFG L=0 L=1; old=new [L!=0] L=0; new++ [new==old] [new!=old] control-flow graph 0 12 3 4 5 L=0 L=1; old=new [L!=0] L=0; new++ [new!=old] F L=0 7 [new==old] L=0 T No Actions 8 L!=0

16 Unwinding the CFG L=0 L=1; old=new [L!=0] L=0; new++ [new==old] [new!=old] control-flow graph 0 12 3 4 5 L=0 L=1; old=new [L!=0] L=0; new++ [new!=old] F L=0 7 [new==old] L=0 T 8 L!=0 9 [new==old] Compute Post (L!=0, [new==old]) = (L!=0 Æ new==old) Make Abstraction (L!=0 Æ new==old)  (L!=0) Pass (L!=0 Æ new==old)  (L=0) Not Passed

17 L!=0 Unwinding the CFG L=0 L=1; old=new [L!=0] L=0; new++ [new==old] [new!=old] control-flow graph 0 12 3 4 5 L=0 L=1; old=new [L!=0] L=0; new++ [new!=old] F L=0 7 [new==old] L=0 T 8 L!=0 9 [new==old] Compute Post (L!=0, [new!=old]) = (L!=0 Æ new!=old) Make Abstraction (L!=0 Æ new!=old)  (L!=0) Pass (L!=0 Æ new!=old)  (L=0) Not Passed 10 [new!=old] L!=0

18 Unwinding the CFG L=0 L=1; old=new [L!=0] L=0; new++ [new==old] [new!=old] control-flow graph 0 12 3 4 5 L=0 L=1; old=new [L!=0] L=0; new++ [new!=old] F L=0 7 [new==old] L=0 T 8 L!=0 9 [new==old] Compute Post (L!=0, [L!=0]) = (L!=0 Æ L!0) ERROR state reached! 10 [new!=old] L!=0 11 [L!=0]

19 L!=0 Unwinding the CFG L=0 L=1; old=new [L!=0] L=0; new++ [new==old] [new!=old] control-flow graph 0 12 3 4 5 L=0 L=1; old=new [L!=0] L=0; new++ [new!=old] F L=0 7 [new==old] L=0 T 8 L!=0 9 [new==old] 10 [new!=old] L!=0 11 [L!=0] L’=0 Æ L=1 Æ old=new L=0 T L=1 old=new L!=0 [new!=old] L!=0 Æ old!=new L!=0 [L!=0]

20 L!=0 Unwinding the CFG L=0 L=1; old=new [L!=0] L=0; new++ [new==old] [new!=old] control-flow graph 0 12 3 4 5 L=0 L=1; old=new [L!=0] L=0; new++ [new!=old] F L=0 7 [new==old] L=0 T 8 L!=0 9 [new==old] 10 [new!=old] L!=0 11 [L!=0] L’=0 Æ L=1 Æ old=new L=0 T L=1 old=new L!=0 [new!=old] L!=0 Æ old!=new L!=0 [L!=0] L!=0 L!=0 Æ old!=new

21 L!=0 Unwinding the CFG L=0 L=1; old=new [L!=0] L=0; new++ [new==old] [new!=old] control-flow graph 0 12 3 4 5 L=0 L=1; old=new [L!=0] L=0; new++ [new!=old] F L=0 7 [new==old] L=0 T 8 L!=0 9 [new==old] 10 [new!=old] L!=0 11 [L!=0] L’=0 Æ L=1 Æ old=new L=0 T L=1 old=new L!=0 [new!=old] L!=0 Æ old!=new L!=0 [L!=0] L!=0 L!=0 Æ old!=new

22 L!=0 Unwinding the CFG L=0 L=1; old=new [L!=0] L=0; new++ [new==old] [new!=old] control-flow graph 0 12 3 4 5 L=0 L=1; old=new [L!=0] L=0; new++ [new!=old] F L=0 7 [new==old] L=0 T 8 L!=0 9 [new==old] 10 [new!=old] L!=0 11 [L!=0] L’=0 Æ L=1 Æ old=new L=0 T L=1 old=new L!=0 [new!=old] L!=0 Æ old!=new L!=0 [L!=0] L!=0 L!=0 Æ old!=new

23 L!=0 Æ old =new Unwinding the CFG L=0 L=1; old=new [L!=0] L=0; new++ [new==old] [new!=old] control-flow graph 0 12 3 4 5 L=0 L=1; old=new [L!=0] L=0; new++ [new!=old] F L=0 7 [new==old] L=0 T 8 L!=0 9 [new==old] 10 [new!=old] L!=0 11 [L!=0] L’=0 Æ L=1 Æ old=new L=0 T L=1 old=new L!=0 Æ old=new L!=0 [new!=old] L!=0 Æ old!=new L!=0 [L!=0] L!=0 L!=0 Æ old!=new

24 L!=0 Æ old =new Unwinding the CFG L=0 L=1; old=new [L!=0] L=0; new++ [new==old] [new!=old] control-flow graph 0 12 3 4 5 L=0 L=1; old=new [L!=0] L=0; new++ [new!=old] F L=0 7 [new==old] L=0 T 8 L!=0 9 [new==old] 10 [new!=old] L!=0 11 [L!=0] L’=0 Æ L=1 Æ old=new L=0 T L=1 old=new L!=0 Æ old=new L!=0 [new!=old] L!=0 Æ old!=new L!=0 [L!=0] L!=0 L!=0 Æ old!=new Remove all of its children

25 3 L=1; old=new L!=0 Æ old =new Unwinding the CFG L=0 L=1; old=new [L!=0] L=0; new++ [new==old] [new!=old] control-flow graph 0 12 L=0 [L!=0] F L=0 T

26 4 L=0; new++ L=0 Æ old !=new 3 L=1; old=new L!=0 Æ old =new Unwinding the CFG L=0 L=1; old=new [L!=0] L=0; new++ [new==old] [new!=old] control-flow graph 0 12 L=0 [L!=0] F L=0 T Compute Post (L!=0 Æ old =new, L=0) = (L!=0 Æ old=new)[L/L’] Æ L=0[L/L’] = (L’!=0 Æ old=new Æ L=0) Compute Post (L’!=0 Æ old=new Æ (L=0), new=new+1) = (L’!=0 Æ old=new Æ L=0)[new/new’] Æ new=(new+1)[new/new’] = (L’!=0 Æ old=new’ Æ L=0 Æ new=new’+1) Make Abstraction (L’!=0 Æ old=new’ Æ L=0 Æ new=new’+1)  (L!=0) Not Passed (L’!=0 Æ old=new’ Æ L=0 Æ new=new’+1)  (L=0) Pass (L’!=0 Æ old=new’ Æ L=0 Æ new=new’+1)  (old=new) Not Passed (L’!=0 Æ old=new’ Æ L=0 Æ new=new’+1)  (old!=new) Pass

27 5 [new!=old] L=0 Æ old!=new 4 L=0; new++ L=0 Æ old =new 3 L=1; old=new L!=0 Æ old=new Unwinding the CFG L=0 L=1; old=new [L!=0] L=0; new++ [new==old] [new!=old] control-flow graph 0 12 L=0 [L!=0] F L=0 T Compute Post (L=0 Æ old!=new, [new!=old]) = (L=0 Æ new!=old) Make Abstraction (L=0 Æ new!=old)  (L!=0) Not Passed (L=0 Æ new!=old)  (L=0) Pass (L=0 Æ new!=old)  (old=new) Not Passed (L=0 Æ new!=old)  (old!=new) Pass

28 5 [new!=old] L=0 Æ old!=new 4 L=0; new++ L=0 Æ old =new 3 L=1; old=new L!=0 Æ old=new Unwinding the CFG L=0 L=1; old=new [L!=0] L=0; new++ [new==old] [new!=old] control-flow graph 0 12 L=0 [L!=0] F L=0 T Covering: state 5 is subsumed by state 1. L=1 Æ old!=new  L=1 Pass

29 L!=0 Æ old=new Unwinding the CFG L=0 L=1; old=new [L!=0] L=0; new++ [new==old] [new!=old] control-flow graph 0 12 3 4 5 L=0 L=1; old=new [L!=0] L=0; new++ [new!=old] F L=0 L=0 Æ old!=new L=0 Æ old =new 7 [new==old] L=0 Æ old=new T Compute Post (L=0, [new==old]) = (L=0 Æ new=old) Make Abstraction (L=0 Æ new=old)  (L!=0) Not Passed (L=0 Æ new=old)  (L=0) Pass (L=0 Æ new=old)  (new!=old) Not Passed (L=0 Æ new=old)  (new=old) Pass

30 L!=0 Æ old=new Unwinding the CFG L=0 L=1; old=new [L!=0] L=0; new++ [new==old] [new!=old] control-flow graph 0 12 3 4 5 L=0 L=1; old=new [L!=0] L=0; new++ [new!=old] F L=0 L=0 Æ old!=new L=0 Æ old =new 7 [new==old] L=0 Æ old=new T No Actions 8 L!=0 Æ old=new

31 Unwinding the CFG L=0 L=1; old=new [L!=0] L=0; new++ [new==old] [new!=old] control-flow graph 0 12 3 4 5 L=0 L=1; old=new [L!=0] L=0; new++ [new!=old] F L=0 L=0 Æ old!=new L=0 Æ old =new 7 [new==old] L=0 Æ old=new T 8 L!=0 Æ old=new 9 L!=0 Æ old=new [new==old] Compute Post (L!=0 Æ new=old, [new==old]) = (L!=0 Æ new=old) Make Abstraction (L!=0 Æ new=old)  (L!=0) Pass (L!=0 Æ new=old)  (L=0) Not Passed (L!=0 Æ new=old)  (old=new) Pass (L!=0 Æ new=old)  (old!=new) Not Passed

32 L!=0 Æ old=new Unwinding the CFG L=0 L=1; old=new [L!=0] L=0; new++ [new==old] [new!=old] control-flow graph 0 12 3 4 5 L=0 L=1; old=new [L!=0] L=0; new++ [new!=old] F L=0 L=0 Æ old!=new L=0 Æ old =new 7 [new==old] L=0 Æ old=new T 8 L!=0 Æ old=new 9 L!=0 Æ old=new [new==old] Compute Post (L!=0 Æ new=old, [new!=old]) = (L!=0 Æ new=old Æ new!=old ) = false 10 [new!=old] F

33 Another Approach: The IMPACT method Kenneth L. McMillan: Lazy Abstraction with Interpolants. CAV 2006: 123-136 33

34 Interpolation Lemma (Craig,57)

35 Interpolation Lemma Notation: L (  ) is the set of FO formulas over the symbols of  (Craig,57)

36 Interpolation Lemma Notation: L (  ) is the set of FO formulas over the symbols of  If A  B = false, there exists an interpolant A' for (A,B) such that: A  A' A'  B = false A' 2 L (A) Å L (B) (Craig,57)

37 Interpolation Lemma Notation: L (  ) is the set of FO formulas over the symbols of  If A  B = false, there exists an interpolant A' for (A,B) such that: A  A' A'  B = false A' 2 L (A) Å L (B) Example: – A = p  q, B =  q  r, A' = q (Craig,57)

38 Interpolation Lemma Notation: L (  ) is the set of FO formulas over the symbols of  If A  B = false, there exists an interpolant A' for (A,B) such that: A  A' A'  B = false A' 2 L (A) Å L (B) Example: – A = p  q, B =  q  r, A' = q Interpolants from proofs – in certain quantifier-free theories, we can obtain an interpolant for a pair A,B from a refutation in linear time. [McMillan 05] – in particular, we can have linear arithmetic,uninterpreted functions, and restricted use of arrays (Craig,57)

39 Interpolants for sequences

40 Let A 1...A n be a sequence of formulas

41 Interpolants for sequences Let A 1...A n be a sequence of formulas A sequence A’ 0...A’ n is an interpolant for A 1...A n when

42 Interpolants for sequences Let A 1...A n be a sequence of formulas A sequence A’ 0...A’ n is an interpolant for A 1...A n when – A’ 0 = True

43 Interpolants for sequences Let A 1...A n be a sequence of formulas A sequence A’ 0...A’ n is an interpolant for A 1...A n when – A’ 0 = True – A’ i -1 Æ A i ) A’ i, for i = 1..n

44 Interpolants for sequences Let A 1...A n be a sequence of formulas A sequence A’ 0...A’ n is an interpolant for A 1...A n when – A’ 0 = True – A’ i -1 Æ A i ) A’ i, for i = 1..n – A n = False

45 Interpolants for sequences Let A 1...A n be a sequence of formulas A sequence A’ 0...A’ n is an interpolant for A 1...A n when – A’ 0 = True – A’ i -1 Æ A i ) A’ i, for i = 1..n – A n = False – and finally, A’ i 2 L (A 1...A i ) Å L (A i+1...A n )

46 Interpolants for sequences Let A 1...A n be a sequence of formulas A sequence A’ 0...A’ n is an interpolant for A 1...A n when – A’ 0 = True – A’ i -1 Æ A i ) A’ i, for i = 1..n – A n = False – and finally, A’ i 2 L (A 1...A i ) Å L (A i+1...A n ) A1A1 A2A2 A3A3 AkAk...

47 Interpolants for sequences Let A 1...A n be a sequence of formulas A sequence A’ 0...A’ n is an interpolant for A 1...A n when – A’ 0 = True – A’ i -1 Æ A i ) A’ i, for i = 1..n – A n = False – and finally, A’ i 2 L (A 1...A i ) Å L (A i+1...A n ) A1A1 A2A2 A3A3 AkAk... A' 1 A' 2 A' 3 A' k-1... TrueFalse ))))

48 Interpolants for sequences Let A 1...A n be a sequence of formulas A sequence A’ 0...A’ n is an interpolant for A 1...A n when – A’ 0 = True – A’ i -1 Æ A i ) A’ i, for i = 1..n – A n = False – and finally, A’ i 2 L (A 1...A i ) Å L (A i+1...A n ) A1A1 A2A2 A3A3 AkAk... A' 1 A' 2 A' 3 A' k-1... TrueFalse )))) In other words, the interpolant is a structured refutation of A 1...A n

49 Interpolants as Floyd-Hoare proofs

50 x=y; y++; [x=y]

51 Interpolants as Floyd-Hoare proofs x=y; y++; [x=y] x 1 = y 0 y 1 =y 0 +1 x1y1x1y1

52 Interpolants as Floyd-Hoare proofs False x 1 =y 0 True y 1 >x 1 x=y; y++; [x=y] x 1 = y 0 y 1 =y 0 +1 x1y1x1y1

53 Interpolants as Floyd-Hoare proofs False x 1 =y 0 True y 1 >x 1 ) ) ) 1. Each formula implies the next x=y; y++; [x=y] x 1 = y 0 y 1 =y 0 +1 x1y1x1y1

54 Interpolants as Floyd-Hoare proofs False x 1 =y 0 True y 1 >x 1 ) ) ) 1. Each formula implies the next 2. Each is over common symbols of prefix and suffix x=y; y++; [x=y] x 1 = y 0 y 1 =y 0 +1 x1y1x1y1

55 Interpolants as Floyd-Hoare proofs False x 1 =y 0 True y 1 >x 1 ) ) ) 1. Each formula implies the next 2. Each is over common symbols of prefix and suffix 3. Begins with true, ends with false x=y; y++; [x=y] x 1 = y 0 y 1 =y 0 +1 x1y1x1y1

56 Interpolants as Floyd-Hoare proofs False x 1 =y 0 True y 1 >x 1 ) ) ) 1. Each formula implies the next 2. Each is over common symbols of prefix and suffix 3. Begins with true, ends with false Path refinement procedure SSA sequence Prover Interpolation Path Refinement proof structured proof x=y; y++; [x=y] x 1 = y 0 y 1 =y 0 +1 x1y1x1y1

57 Lazy abstraction -- an example do{ lock(); old = new; if(*){ unlock; new++; } } while (new != old); program fragment

58 Lazy abstraction -- an example do{ lock(); old = new; if(*){ unlock; new++; } } while (new != old); program fragment L=0 L=1; old=new [L!=0] L=0; new++ [new==old] [new!=old] control-flow graph

59 Unwinding the CFG L=0 L=1; old=new [L!=0] L=0; new++ [new==old] [new!=old] control-flow graph

60 Unwinding the CFG L=0 L=1; old=new [L!=0] L=0; new++ [new==old] [new!=old] control-flow graph 0 T

61 1 L=0 T Unwinding the CFG L=0 L=1; old=new [L!=0] L=0; new++ [new==old] [new!=old] control-flow graph 0 T

62 1 L=0 T 2 [L!=0] T Unwinding the CFG L=0 L=1; old=new [L!=0] L=0; new++ [new==old] [new!=old] control-flow graph 0 T Interpolant for (L 0 =0) Æ (L 0 !=0) =?

63 1 L=0 T 2 [L!=0] T Unwinding the CFG L=0 L=1; old=new [L!=0] L=0; new++ [new==old] [new!=old] control-flow graph 0 T F L=0 Label error state with false, by refining labels on path T L 0 =0 F Interpolant for (L 0 =0) Æ (L 0 !=0) =?

64 Unwinding the CFG L=0 L=1; old=new [L!=0] L=0; new++ [new==old] [new!=old] control-flow graph 0 12 L=0 [L!=0] F L=0 T

65 3 L=1; old=new T Unwinding the CFG L=0 L=1; old=new [L!=0] L=0; new++ [new==old] [new!=old] control-flow graph 0 12 L=0 [L!=0] F L=0 T

66 4 L=0; new++ T 3 L=1; old=new T Unwinding the CFG L=0 L=1; old=new [L!=0] L=0; new++ [new==old] [new!=old] control-flow graph 0 12 L=0 [L!=0] F L=0 T

67 5 [new!=old] T 4 L=0; new++ T 3 L=1; old=new T Unwinding the CFG L=0 L=1; old=new [L!=0] L=0; new++ [new==old] [new!=old] control-flow graph 0 12 L=0 [L!=0] F L=0 T

68 6 [L!=0] T 5 [new!=old] T 4 L=0; new++ T 3 L=1; old=new T Unwinding the CFG L=0 L=1; old=new [L!=0] L=0; new++ [new==old] [new!=old] control-flow graph 0 12 L=0 [L!=0] F L=0 T Interpolant for (L 0 =0) Æ (L 1 =1 Æ old 0 =new 0 ) Æ (L 2 =0 Æ new 1 =new 0 +1) Æ (new 1 !=old 0 ) Æ (L 2 !=0) =?

69 6 [L!=0] T 5 [new!=old] T 4 L=0; new++ T 3 L=1; old=new T Unwinding the CFG L=0 L=1; old=new [L!=0] L=0; new++ [new==old] [new!=old] control-flow graph 0 12 L=0 [L!=0] F L=0 T Interpolant for (L 0 =0) Æ (L 1 =1 Æ old 0 =new 0 ) Æ (L 2 =0 Æ new 1 =new 0 +1) Æ (new 1 !=old 0 ) Æ (L 2 !=0) =? T L 2 =0 T T F

70 6 [L!=0] T 5 [new!=old] T 4 L=0; new++ T 3 L=1; old=new T Unwinding the CFG L=0 L=1; old=new [L!=0] L=0; new++ [new==old] [new!=old] control-flow graph 0 12 L=0 [L!=0] F L=0 F T Interpolant for (L 0 =0) Æ (L 1 =1 Æ old 0 =new 0 ) Æ (L 2 =0 Æ new 1 =new 0 +1) Æ (new 1 !=old 0 ) Æ (L 2 !=0) =? T L 2 =0 T T F Comes from L=0 Æ T

71 6 [L!=0] T 5 [new!=old] T 4 L=0; new++ T 3 L=1; old=new T Unwinding the CFG L=0 L=1; old=new [L!=0] L=0; new++ [new==old] [new!=old] control-flow graph 0 12 L=0 [L!=0] F L=0 F T Covering: state 5 is subsumed by state 1.

72 T Unwinding the CFG L=0 L=1; old=new [L!=0] L=0; new++ [new==old] [new!=old] control-flow graph 0 12 3 4 5 L=0 L=1; old=new [L!=0] L=0; new++ [new!=old] F L=0 6 [L!=0] F L=0 T

73 T Unwinding the CFG L=0 L=1; old=new [L!=0] L=0; new++ [new==old] [new!=old] control-flow graph 0 12 3 4 5 L=0 L=1; old=new [L!=0] L=0; new++ [new!=old] F L=0 6 [L!=0] F L=0 7 [new==old] T T

74 T 8 T Unwinding the CFG L=0 L=1; old=new [L!=0] L=0; new++ [new==old] [new!=old] control-flow graph 0 12 3 4 5 L=0 L=1; old=new [L!=0] L=0; new++ [new!=old] F L=0 6 [L!=0] F L=0 7 [new==old] T T

75 T 8 T Unwinding the CFG L=0 L=1; old=new [L!=0] L=0; new++ [new==old] [new!=old] control-flow graph 0 12 3 4 5 L=0 L=1; old=new [L!=0] L=0; new++ [new!=old] F L=0 6 [L!=0] F L=0 7 [new==old] T T 9 T

76 T 10 [new!=old] T 8 T Unwinding the CFG L=0 L=1; old=new [L!=0] L=0; new++ [new==old] [new!=old] control-flow graph 0 12 3 4 5 L=0 L=1; old=new [L!=0] L=0; new++ [new!=old] F L=0 6 [L!=0] F L=0 7 [new==old] T T 9 T

77 T 11 [L!=0] T 10 [new!=old] T 8 T Unwinding the CFG L=0 L=1; old=new [L!=0] L=0; new++ [new==old] [new!=old] control-flow graph 0 12 3 4 5 L=0 L=1; old=new [L!=0] L=0; new++ [new!=old] F L=0 6 [L!=0] F L=0 7 [new==old] T T 9 T

78 T 11 [L!=0] T 10 [new!=old] T 8 T Unwinding the CFG L=0 L=1; old=new [L!=0] L=0; new++ [new==old] [new!=old] control-flow graph 0 12 3 4 5 L=0 L=1; old=new [L!=0] L=0; new++ [new!=old] F L=0 6 [L!=0] F L=0 7 [new==old] T old=new F F T 9 T

79 T 11 [L!=0] T 10 [new!=old] T 8 T Unwinding the CFG L=0 L=1; old=new [L!=0] L=0; new++ [new==old] [new!=old] control-flow graph 0 12 3 4 5 L=0 L=1; old=new [L!=0] L=0; new++ [new!=old] F L=0 6 [L!=0] F L=0 7 [new==old] T old=new F F T Another cover. Unwinding is now complete. 9 T

80 Covering step If  (x) )  (y)... – add covering arc x B y – remove all z B w for w descendant of y

81 Covering step If  (x) )  (y)... – add covering arc x B y – remove all z B w for w descendant of y x · y x=y

82 Covering step If  (y) )  (x)... – add covering arc x B y – remove all w B z for w descendant of y x · y x=y X

83 Covering step x · y x=y X We restrict covers to be descending in a suitable total order on vertices. This prevents covering from diverging. If  (y) )  (x)... – add covering arc x B y – remove all w B z for w descendant of y

84 Refinement step Label an error vertex False by refining the path to that vertex with an interpolant for that path. By refining with interpolants, we avoid predicate image computation. T T T T T T T x = 0 [x=y] [x  y] y++ [y=0] y=2

85 Refinement step Label an error vertex False by refining the path to that vertex with an interpolant for that path. By refining with interpolants, we avoid predicate image computation. T T T T T T T x = 0 [x=y] [x  y] y++ [y=0] y=2 x=0 y=0 y0y0 F X

86 Refinement step Label an error vertex False by refining the path to that vertex with an interpolant for that path. By refining with interpolants, we avoid predicate image computation. T T T T T T T x = 0 [x=y] [x  y] y++ [y=0] y=2 x=0 y=0 y0y0 F X Refinement may remove covers

87 Forced cover Try to refine a sub-path to force a cover – show that path from nearest common ancestor of x,y proves  (x) at y T T T T T T T x = 0 [x=y] [x  y] y++ [y=0] y=2 x=0 y=0 y0y0 F Forced cover allow us to efficiently handle nested control structure

88 Forced cover Try to refine a sub-path to force a cover – show that path from nearest common ancestor of x,y proves  (x) at y T T T T T T T x = 0 [x=y] [x  y] y++ [y=0] y=2 x=0 y=0 y0y0 F refine this path y0y0 Forced cover allow us to efficiently handle nested control structure

89 Safe and complete An unwinding is – safe if every error vertex is labeled False – complete if every nonterminal leaf is covered T 10 [L!=0] T 9 [new!=old] T 8 T 0 12 3 4 5 L=0 L=1; old=new [L!=0] L=0; new++ [new!=old] F L=0 6 [L!=0] F L=0 7 [new==old] T old=new F F T... Theorem: A CFG with a safe complete unwinding is safe. 9 T

90 Unwinding steps Three basic operations: – Expand a nonterminal leaf – Cover: add a covering arc – Refine: strengthen labels along a path so error vertex labeled False

91 Overall algorithm 1.Do as much covering as possible 2.If a leaf can't be covered, try forced covering 3.If the leaf still can't be covered, expand it 4.Label all error states False by refining with an interpolant 5.Continue until unwinding is safe and complete

92 Interpolant Seqeunce in Princess 92 Interpolant for (L 0 =0) Æ (L 1 =1 Æ old 0 =new 0 ) Æ (L 2 =0 Æ new 1 =new 0 +1) Æ (new 1 !=old 0 ) Æ (L 2 !=0) \functions { int L0, L1, old0, new0, L2, new1; } \problem { \part[p1] (L0 =0) & \part[p2] (L1 =1 & old0=new0) & \part[p3] (L2=0 & new1 =new0+1) & \part[p4] (new1 != old0) & \part[p5] (L2!=0) -> false } \interpolant {p1; p2, p3, p4, p5} \interpolant {p1, p2; p3, p4, p5} \interpolant {p1, p2, p3; p4, p5} \interpolant {p1, p2, p3, p4; p5}

93 Homework Run the two versions of verification algorithms on the following control flow graph, using Princess for computing interpolants 93 L=0;Cnt=0 L=1; old=new [L=0] [new==old] [new!=old] control-flow graph [Cnt>3] [Cnt · 3] L=0; new++

Download ppt "SMT and Its Application in Software Verification (Part II) Yu-Fang Chen IIS, Academia Sinica Based on the slides of Barrett, Sanjit, Kroening, Rummer,"

Similar presentations

Model Checking Base on Interoplation

Model Checking Base on Interoplation
A practical and complete approach to predicate abstraction Ranjit Jhala UCSD Ken McMillan Cadence Berkeley Labs.

A practical and complete approach to predicate abstraction Ranjit Jhala UCSD Ken McMillan Cadence Berkeley Labs.
Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.

Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.
Consequence Generation, Interpolants, and Invariant Discovery Ken McMillan Cadence Berkeley Labs.

Consequence Generation, Interpolants, and Invariant Discovery Ken McMillan Cadence Berkeley Labs.
SAT, Interpolants and Software Model Checking Ken McMillan Cadence Berkeley Labs.

SAT, Interpolants and Software Model Checking Ken McMillan Cadence Berkeley Labs.
Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.

Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.
Recognising Languages We will tackle the problem of defining languages by considering how we could recognise them. Problem: Is there a method of recognising.

Recognising Languages We will tackle the problem of defining languages by considering how we could recognise them. Problem: Is there a method of recognising.
50.530: Software Engineering

50.530: Software Engineering
50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.

50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.
SSA.

SSA.
A Separator Theorem for Graphs with an Excluded Minor and its Applications Paul Seymour Noga Alon Robin Thomas Lecturer : Daniel Motil.

A Separator Theorem for Graphs with an Excluded Minor and its Applications Paul Seymour Noga Alon Robin Thomas Lecturer : Daniel Motil.
Interpolation and Widening Ken McMillan Microsoft Research TexPoint fonts used in EMF: A A A A A.

Interpolation and Widening Ken McMillan Microsoft Research TexPoint fonts used in EMF: A A A A A.
Interpolants from Z3 proofs Ken McMillan Microsoft Research TexPoint fonts used in EMF: A A A A A.

Interpolants from Z3 proofs Ken McMillan Microsoft Research TexPoint fonts used in EMF: A A A A A.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
Software Verification with BLAST Tom Henzinger Ranjit Jhala Rupak Majumdar.

Software Verification with BLAST Tom Henzinger Ranjit Jhala Rupak Majumdar.
Proofs and Counterexamples Rupak Majumdar. In the good old days… Decision Procedure  yes no.

Proofs and Counterexamples Rupak Majumdar. In the good old days… Decision Procedure  yes no.
What Can the SAT Experience Teach Us About Abstraction? Ken McMillan Cadence Berkeley Labs.

What Can the SAT Experience Teach Us About Abstraction? Ken McMillan Cadence Berkeley Labs.
BLAST-A Model Checker for C Developed by Thomas A. Henzinger (EPFL) Rupak Majumdar (UC Los Angeles) Ranjit Jhala (UC San Diego) Dirk Beyer (Simon Fraser.

BLAST-A Model Checker for C Developed by Thomas A. Henzinger (EPFL) Rupak Majumdar (UC Los Angeles) Ranjit Jhala (UC San Diego) Dirk Beyer (Simon Fraser.
SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:

SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:
The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.

The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.

Similar presentations

Ads by Google