Presentation is loading. Please wait.

Presentation is loading. Please wait.

CHARME’03 Predicate abstraction with Minimum Predicates Sagar Chaki*, Ed Clarke*, Alex Groce*, Ofer Strichman** * Carnegie Mellon University ** Technion.

Published byMaria O’Connor’ Modified over 8 years ago

Similar presentations

Presentation on theme: "CHARME’03 Predicate abstraction with Minimum Predicates Sagar Chaki*, Ed Clarke*, Alex Groce*, Ofer Strichman** * Carnegie Mellon University ** Technion."— Presentation transcript:

1 CHARME’03 Predicate abstraction with Minimum Predicates Sagar Chaki*, Ed Clarke*, Alex Groce*, Ofer Strichman** * Carnegie Mellon University ** Technion

2 Overview of MAGIC  Specification S expressed using Labeled Transition Systems (LTS)  Model M extracted from C programs using predicate abstraction (LTS)  Checks if S weakly simulates M For this talk consider trace containment  Supports most but not all of ANSI-C Pointers are handled by abstraction Recursion disallowed

3 Predicate abstraction int x,y L0:x = 1; L1:y = 1; L2:if (x == y) L3:y = 1; L4:elsey = 2; Control Flow Automaton

4 Predicate abstraction Control Flow Automaton Predicate inference

5 Predicate abstraction Predicate inferenceAbstract model

6 Counter Example Guided Abstraction Refinement Predicate Abstraction Abstract Model predicates Model Checking Yes Model P Property M  Counter Example  Counterexample concrete? Yes Refinement No More predicates No P = P ’

7 Example Existing methods accumulate predicates: Ideally we should choose (A == 0) A = 0; if(A == 0) B = 0; if(B == 0) ERRORC = 0; if(C == 0) ERROR No Yes CE1 CE1: (B == 0) or (A==0) CE2 CE2: (C == 0) or (A==0)

8 Optimization Problem  Given a set of Candidate Predicates CP, find a minimal subset p µ CP s.t. A ( M, CP ) ²  ! A ( M, p ) ²  If -- no predicates are necessary. Only luck… If -- not relevant

9 Counter Example Guided Abstraction Refinement Predicate Abstraction Abstract Model predicates Model Checking Yes Counter Example  Counterexample concrete? Yes Refinement No More Predicates No Model P Property M  P = P ’  T

10 Counter Example Guided Abstraction Refinement Predicate Abstraction Abstract Model predicates Model Checking Yes Counter Example  Counterexample concrete? Yes Refinement No Different Predicates No Model P Property M  P = P ’  T

11 A(M,P)² A(M,P)²  Yes Counter- example  Pass CP = Candidate Predicates P == CP Yes Undecided No Algorithm Sample and Eliminate T = T [  Find minimal P2CP that eliminates T Impossible possible P =   concrete Yes Fail No

12 Minimization problem  Given a set of spurious traces T A set of candidate predicates CP  Find the smallest subset p 2 CP that eliminates all traces in T (If impossible return ‘undecided’)

13 Solution with 0-1 ILP (or PBS)  Derive a mapping from each trace t 2 T to the set of sets of predicates in CP that eliminate it First…  Encode each predicate p 2 CP with a Boolean variable p b Second…

14 Solution with 0-1 ILP (or PBS)  Derive  s.t. every satisfying assignment to  corresponds to a set of predicates that eliminate T. Third…  Among all satisfying assignments, find the one that minimizes the number of selected predicates ( min  p b ) Fourth…

15 Solution with 0-1 ILP (or PBS)  Example Let { p 1, p 3 },{ p 2, p 3, p 5 } be the set of sets of predicates that eliminate t 1 Let { p 2, p 3 },{ p 3, p 4, p 7 } be the set of sets of predicates that eliminate t 2 Min  p i s.t. t 1 : (( p 1 Æ p 2 ) Ç ( p 2 Æ p 3 Æ p 5 )) Æ t 2 : (( p 2 Æ p 3 ) Ç ( p 3 Æ p 4 Æ p 7 ))

16 Avoiding an exponential no. of constraints  Try only combinations up to size k In almost all examples we tried, counterexample traces could be eliminated with individual predicates.  Use data flow analysis and only combine branches that are related

17 Experiments  Open SSL - 20 properties of the Handshake mechanism of Open SSL. On average 350 lines of C code per property after slicing  5 examples from the BLAST benchmark set

18 Comparison with BLAST  BLAST applies Lazy Abstraction Lazy abstraction is orthogonal to predicate minimization  BLAST looks for fix point of the loops (for a given set of predicates) with theorem prover calls Magic unrolls loops up to a given bound (Conclusion: Not an entirely fair comparison)

19 Results (time in sec.)

20

21

22 Number of predicates

23 Memory (MB)

24 Solution with 0-1 ILP (or PBS)  Let k ( t ), 0 · k ( t ) · 2 | cp | be the number of sets that eliminate t  Let l(t,i,j)2CP be the j th literal in the i th set (1 · i · k ( t )) that eliminates t. Third…

Download ppt "CHARME’03 Predicate abstraction with Minimum Predicates Sagar Chaki*, Ed Clarke*, Alex Groce*, Ofer Strichman** * Carnegie Mellon University ** Technion."

Similar presentations

Automated abstraction refinement II Heuristic aspects Ken McMillan Cadence Berkeley Labs.

Automated abstraction refinement II Heuristic aspects Ken McMillan Cadence Berkeley Labs.
Exploiting SAT solvers in unbounded model checking

Exploiting SAT solvers in unbounded model checking
Modeling issues Book: chapters 4.12, 5.4, 8.4, 10.1.

Modeling issues Book: chapters 4.12, 5.4, 8.4, 10.1.
Abstraction in Model Checking Nishant Sinha. Model Checking Given a: –Finite transition system M –A temporal property p The model checking problem: –Does.

Abstraction in Model Checking Nishant Sinha. Model Checking Given a: –Finite transition system M –A temporal property p The model checking problem: –Does.
Delta Debugging and Model Checkers for fault localization

Delta Debugging and Model Checkers for fault localization
Introduction to Formal Methods for SW and HW Development 09: SAT Based Abstraction/Refinement in Model-Checking Roberto Sebastiani Based on work and slides.

Introduction to Formal Methods for SW and HW Development 09: SAT Based Abstraction/Refinement in Model-Checking Roberto Sebastiani Based on work and slides.
Greta YorshEran YahavMartin Vechev IBM Research. { ……………… …… …………………. ……………………. ………………………… } T1() Challenge: Correct and Efficient Synchronization { ……………………………

Greta YorshEran YahavMartin Vechev IBM Research. { ……………… …… …………………. ……………………. ………………………… } T1() Challenge: Correct and Efficient Synchronization { ……………………………
SAT Based Abstraction/Refinement in Model-Checking Based on work by E. Clarke, A. Gupta, J. Kukula, O. Strichman (CAV’02)

SAT Based Abstraction/Refinement in Model-Checking Based on work by E. Clarke, A. Gupta, J. Kukula, O. Strichman (CAV’02)
Verification of Evolving Software Natasha Sharygina Joint work with Sagar Chaki and Nishant Sinha Carnegie Mellon University.

Verification of Evolving Software Natasha Sharygina Joint work with Sagar Chaki and Nishant Sinha Carnegie Mellon University.
On Solving Presburger and Linear Arithmetic with SAT Ofer Strichman Carnegie Mellon University.

On Solving Presburger and Linear Arithmetic with SAT Ofer Strichman Carnegie Mellon University.
1 Regression-Verification Benny Godlin Ofer Strichman Technion.

1 Regression-Verification Benny Godlin Ofer Strichman Technion.
© Anvesh Komuravelli Spacer Automatic Abstraction in SMT-Based Unbounded Software Model Checking Anvesh Komuravelli Carnegie Mellon University Joint work.

© Anvesh Komuravelli Spacer Automatic Abstraction in SMT-Based Unbounded Software Model Checking Anvesh Komuravelli Carnegie Mellon University Joint work.
Panel on Decision Procedures Panel on Decision Procedures Randal E. Bryant Lintao Zhang Nils Klarlund Harald Ruess Sergey Berezin Rajeev Joshi.

Panel on Decision Procedures Panel on Decision Procedures Randal E. Bryant Lintao Zhang Nils Klarlund Harald Ruess Sergey Berezin Rajeev Joshi.
Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer.

Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer.
BLAST-A Model Checker for C Developed by Thomas A. Henzinger (EPFL) Rupak Majumdar (UC Los Angeles) Ranjit Jhala (UC San Diego) Dirk Beyer (Simon Fraser.

BLAST-A Model Checker for C Developed by Thomas A. Henzinger (EPFL) Rupak Majumdar (UC Los Angeles) Ranjit Jhala (UC San Diego) Dirk Beyer (Simon Fraser.
SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:

SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:
Software Verification via Refinement Checking Sagar Chaki, Edmund Clarke, Alex Groce, CMU Somesh Jha, Wisconsin.

Software Verification via Refinement Checking Sagar Chaki, Edmund Clarke, Alex Groce, CMU Somesh Jha, Wisconsin.
Using Statically Computed Invariants Inside the Predicate Abstraction and Refinement Loop Himanshu Jain Franjo Ivančić Aarti Gupta Ilya Shlyakhter Chao.

Using Statically Computed Invariants Inside the Predicate Abstraction and Refinement Loop Himanshu Jain Franjo Ivančić Aarti Gupta Ilya Shlyakhter Chao.
A … Framework for Verifying Concurrent C Programs Sagar Chaki Thesis Defense Talk.

A … Framework for Verifying Concurrent C Programs Sagar Chaki Thesis Defense Talk.
1 Model Checking, Abstraction- Refinement, and Their Implementation Based on slides by: Orna Grumberg Presented by: Yael Meller June 2008.

1 Model Checking, Abstraction- Refinement, and Their Implementation Based on slides by: Orna Grumberg Presented by: Yael Meller June 2008.

Similar presentations

Ads by Google