Post on 20-Dec-2015
Predicate Abstraction of ANSI-C Programs using SAT
Edmund Clarke, Daniel Kroening, Natalia Sharygina, Karen Yorav
(modified by Zaher Andraus for presentation in SWERVE only)
Abstraction Refinement Loop
[Diagram: Actual Program → (Initial Abstraction) → Boolean Program → Model Checker → Verification: no error, or bug found; a spurious counterexample feeds Abstraction Refinement, which produces a new Boolean Program.]
This talk: how to compute the Boolean program from
• the actual ANSI-C program
• a set of predicates
Example
Concrete program:

    int main() {
      int i;
      i = 0;
      while (even(i)) i++;
    }

+ predicates p1: i=0, p2: even(i)

= Boolean program:

    int main() {
      bool p1, p2;
      p1 = TRUE; p2 = TRUE;
      while (p2) { p1 = p1 ? FALSE : nondet(); p2 = !p2; }
    }
Problem
[Diagram: concrete state → (concrete transition: basic block) → concrete next state; the abstraction function (predicates) maps these to an abstract state and an abstract next state, which must be related by the abstract transition (basic block).]
Background
• How to create the initial predicates for abstraction?
  – (PVS) Manual! (Graf and Saidi, “Construction of abstract state graphs with PVS”)
  – (SLAM) Manual! (Ball, Majumdar, Millstein, Rajamani, “Automatic Predicate Abstraction of C Programs”)
  – (Clarke) Control-Driven! (Chaki, Clarke, Groce, Strichman, “Predicate Abstraction with Minimum Predicates”)
Initial Abstract Machine
Optimizations
• Eliminate Redundant Predicates (e.g. logically related)
• Dynamic
• Now that we have the predicates, we need to build the abstract machine!
Existing Tools
• Basic idea: with n predicates, there are 2^n × 2^n possible abstract transitions
• Eliminate “obviously wrong” transitions (e.g.: predicate about variable x changes, but basic block does not mention x)
• Try some subset of these possible transitions using a theorem prover
• To be safe, the remaining abstract transitions are added → over-approximation
Existing Tools: Example
[Figure: basic block `i++;` with three predicates p1, p2, p3 and the block's formula; a table of the 8 current abstract states (p1 p2 p3 = 000 … 111) beside the 8 next abstract states (p'1 p'2 p'3 = 000 … 111). Each candidate (current, next) pair is one query to the theorem prover, “… and so on …” for the remaining pairs.]
Comment
• This takes care of unreachable abstract states
What is the problem?
Problem of existing tools: large number of expensive theorem prover calls → slow
Over-approximation yields additional, unnecessary spurious counterexamples
Theorem prover works on natural numbers, but ANSI-C uses bit-vectors → false positives
Most theorem provers support only few operators (+, -, <, ≤, …), no bitwise operators
Very limited support for pointers, in particular pointer arithmetic
Our Solution – use SAT solver!
1. Generate query equation with predicates as free variables
Our Solution
[Figure: “Single query for Theorem Prover” contrasted with “Query for SAT”.]
Queries for Larger Basic Blocks
Basic block: i++; j=i; i=i*k;
Query for SAT: the basic block in single-assignment form, i1=i0+1; j1=i1; i2=i1*k0;, together with the predicates
Our Solution
Use SAT solver!
1. Generate query equation with predicates as free variables
2. Transform equation into CNF using bit-vector logic
   – One satisfying assignment matches one abstract transition
3. Obtain all satisfying assignments = most precise abstract transition relation
Our Solution
This solves two problems:
1. Now can do all ANSI-C integer operators, including *, /, %, <<, etc.
2. Sound with respect to overflow
No more unnecessary spurious counterexamples!
Pointers
Support for pointer expressions:
1. Address expression is translated into a bit vector with two components:
   o Object pointed to
   o Integer width offset within object (for arrays)
2. Supported operators:
   o &, *, [i]
   o Pointer + Integer (increases offset)
   o Pointer – Pointer
   o Pointer rel Pointer, with rel one of <, >, =, etc.
3. Check for illegal pointer operations added automatically
   o NULL reference, array bounds violation, etc.
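The pointer representation above, as an added Python model that is not the paper's tool: an address is an (object, offset) pair, the listed operators act on the offset, and the checks the slide says are added automatically are raised as PointerError. The Memory object table, the NULL constant and the is_illegal helper are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional

class PointerError(Exception): pass   # raised where the abstraction adds a failing check

@dataclass(frozen=True)
class Pointer:
    """An address as on the slide: the object pointed to plus an integer offset into it."""
    obj: Optional[int]   # object id; None models the NULL pointer
    offset: int          # element offset within the object (array index)
    def __add__(self, n: int) -> "Pointer":      # Pointer + Integer: increases the offset
        self.check_not_null()
        return Pointer(self.obj, self.offset + n)
    def __sub__(self, other: "Pointer") -> int:   # Pointer - Pointer: difference of offsets
        self.check_same_object(other)
        return self.offset - other.offset
    def __lt__(self, other: "Pointer") -> bool:   # Pointer rel Pointer, with rel = <
        self.check_same_object(other)
        return self.offset < other.offset
    def check_not_null(self) -> None:
        if self.obj is None:
            raise PointerError("NULL reference")
    def check_same_object(self, other: "Pointer") -> None:
        self.check_not_null(); other.check_not_null()
        if self.obj != other.obj:
            raise PointerError("pointers into different objects")

NULL = Pointer(None, 0)

class Memory:
    def __init__(self) -> None:
        self.objects = {}                        # object id -> array contents (assumed table)
    def alloc(self, values) -> Pointer:          # &array: pointer to a fresh object, offset 0
        oid = len(self.objects) + 1
        self.objects[oid] = list(values)
        return Pointer(oid, 0)
    def load(self, p: Pointer) -> int:           # *p and p[i] (p[i] is *(p + i))
        p.check_not_null()
        arr = self.objects[p.obj]
        if not 0 <= p.offset < len(arr):         # array bounds check, added automatically
            raise PointerError(f"array bounds violation at offset {p.offset}")
        return arr[p.offset]

def is_illegal(op) -> bool:   # True if op() trips one of the automatically added checks
    try:
        op(); return False
    except PointerError:
        return True
```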
Pointers: Explanation…
• Paper p. 113-114
Control-Flow Statements
• Paper p. 117
The Set of Satisfying Assignments
How do we obtain the set of all satisfying assignments?
1. This is a common problem – also needed for
   o Image computation / hardware verification
   o QBF solvers
2. Naïve approach:
   1) Run SAT
   2) If satisfying assignment found then
      • add blocking clause
      • continue with 1)
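The three-step procedure from the Our Solution slides and the naive all-SAT loop above, as an added Python example that is not the paper's implementation: the basic block i++ from the Example slide with predicates p1: i=0 and p2: even(i), over an assumed 8-bit int, with exhaustive search over values standing in for the bit-vector SAT solver. The names query, sat, abstract_transitions and slide_boolean_program are introduced here.

```python
from itertools import product

WIDTH = 8                       # assumed bit width of int in this toy model
MASK = (1 << WIDTH) - 1

def block_increment(i):
    """Basic block `i++` with fixed-width wraparound, as a bit-vector encoding sees it."""
    return (i + 1) & MASK

PREDICATES = (lambda i: i == 0,         # p1: i = 0
              lambda i: i % 2 == 0)     # p2: even(i)

def query(block, preds, i, cur, nxt):
    """Query equation with the predicates as free variables: every predicate value in
    cur holds on the state i before the block and every value in nxt holds after it."""
    return (all(p(i) == v for p, v in zip(preds, cur)) and
            all(p(block(i)) == v for p, v in zip(preds, nxt)))

def sat(block, preds, blocking):
    """One solver call: a satisfying assignment (i, cur, nxt) of the query that no
    blocking clause excludes, or None for UNSAT. Exhaustive search replaces SAT here."""
    n = len(preds)
    for i in range(1 << WIDTH):
        for cur, nxt in product(product((False, True), repeat=n), repeat=2):
            if (cur, nxt) not in blocking and query(block, preds, i, cur, nxt):
                return i, cur, nxt
    return None

def abstract_transitions(block, preds):
    """Naive all-SAT loop from the slides: run SAT; if satisfiable, add a blocking clause
    for the abstract transition found and continue. The transitions collected form the
    most precise abstract transition relation of the block."""
    blocking = set()
    while (m := sat(block, preds, blocking)) is not None:
        _, cur, nxt = m
        blocking.add((cur, nxt))    # blocks every assignment with p == cur and p' == nxt
    return blocking

def slide_boolean_program(cur, nxt):
    """The hand-written Boolean program from the Example slide,
    p1 = p1 ? FALSE : nondet(); p2 = !p2, as a relation: does it allow cur -> nxt?"""
    (p1, p2), (q1, q2) = cur, nxt
    return q2 == (not p2) and (not q1 if p1 else True)
```

The exact relation has four transitions; p1 becomes true again only when the odd value 255 wraps to 0, which a natural-number theorem prover would never report. The hand-written Boolean program also allows (¬p1, p2) → (p1, ¬p2), which no 8-bit value realizes, so the all-SAT relation is strictly more precise.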
Performance
How does the performance compare with existing approaches?
1. Runtime potentially exponential
2. Exponential part is inside the SAT solver, instead of an exponential number of theorem prover calls
3. SAT solver is not re-started; all the learning and pruning done by modern SAT solvers is retained between iterations.
4. All heuristics for “obvious” transitions are still applicable
Performance
• Worst case: all possible assignments are satisfying
• Formula includes addition operator
• Runtime uncritical up to 2^14 assignments
Performance
• More realistic experiment: two 32-bit variables, plus n predicates
• Various operators: +, <, shifting, xor, or, and, combinations thereof, …
• All predicates are affected by basic block
Compare to 2^n × 2^n potential theorem prover calls!

No. of predicates   Runtime (inexpensive)   Runtime (with 32-bit *)
4                   0.03 s                  0.35 s
8                   0.16 s                  7.20 s
16                  2.76 s                  71.16 s
32                  6.35 s                  512.72 s
Performance Improvements
Better than enumerating?
1. Approximation of set cover obtains small set of predicates that is actually required to cover the CNF
2. Analyze literal dependency graph to identify free variables
Both techniques yield a set of abstract transitions
Performance Improvements
Expensive operators
Instead of adding the full clause structure for expensive operators such as %, /, *, make the operator uninterpreted, and add its important properties as constraints:
• Transitivity
• Congruence closure
• Commutativity
• Special cases (x/1=x, …)
• Others: x/y with y>1 → x>x/y, etc.
Future Work
1. Interval abstraction for floating point arithmetic
2. Experiments with full abstraction refinement loop: Evaluate effect of more precise abstraction
3. Try predicate abstraction to actually prove properties of computed values
4. Predicate abstraction for concurrent programs