Posted on 05-Jan-2016
© 2014 Carnegie Mellon University
Synthesizing Safe Bit-Precise Invariants
Arie Gurfinkel (SEI / CMU), Anton Belov (UCD / Synopsys), Joao Marques-Silva (UCD)
Inductive Invariants: Turing / Floyd / Hoare
A. M. Turing, Checking a Large Routine. In Report of a Conference on High Speed Automatic Calculating Machines, (1949).
Programs, Cexs, Invariants
A program P = (V, Init, Tr, Bad)
P is UNSAFE if and only if there exists a number N s.t.
P is SAFE if and only if there exists a safe inductive invariant Inv s.t.
(two conditions on Inv: Inductive, Safe)
Many conferences, techniques, tools …
But Bit-Precise Verification is Hard
Bounded Model Checking
• CBMC, Boolector, LLBMC, ESBMC, …
• efficient discovery of counter-examples
• no invariants!
Propositional Verification (Hardware)
• Interpolation, IC3, PDR, ABC, …
• efficient synthesis of propositional invariants
• does not scale to bit-precise verification of software
Linear Arithmetic Verification (Software)
• Impact, UFO, CPAChecker, Duality, Blast, GPDR, …
• efficient synthesis of arithmetic invariants
• not bit-precise (not sound!)
• is often sufficient (e.g., UFO at SV-COMP’13 and ’14)
But aren’t bit-vectors = bit-blasting?
Typical Bit-vector Decision Procedure
(Diagram: stages labelled SAT, Bit-blast, Simplify, B2P)
B2P is satisfiability preserving (only!)
Bit-blast (by itself) is not efficient
Safety Verification by Bit-Blasting
(Diagram: Bit-blast, then Verify with a propositional verifier)
Correct, but does not scale
Safety Verification by B2P
(Diagram: B2P, then Verify; result True)
Efficient, but…
• B2P only preserves satisfiability
• Original circuit is reduced (abstracted) too much
• Hard to track correspondence between input and output
Bit-blasting loses all structure!
Lack of structure makes it difficult to generalize
Our Key Idea: Use a Generate-and-Check Algorithm
Given an input program P with a safety property Bad:
1. Generate a candidate invariant Cand by verifying Bad on a “simpler” approximation Psimple of P
2. Compute the Maximal Inductive Subset Inv of Cand relative to P using bit-precise reasoning
3. Strengthen Inv using a bit-precise (but possibly slow) verification engine until Inv is safe with respect to Bad
MISPER in a Nutshell
Adapt unsound arithmetic reasoning to guess bit-precise invariants
(Diagram: Program P + Property → Approximate → Program PLA → LA Verifier (unsound) → Candidate CLA, or No + Cex; Candidate CLA → Adapt using MIS (needs validation) → Invariant IBIT → BIT Verifier (sound) → Yes + Certificate CBIT, or No + Cex)
Approximate Bit-Vectors by Arithmetic
Ignore (i.e., over-approximate) all bit-vector-specific operations
Unsound, but simple and efficient
(Diagram: Bool / Bit-vector → Approximate → Bool / Arithmetic)
Maximal Inductive Subset
Let L be a set of formulas and P = (V, Init, Tr, Bad) a program.
A subset X of L is a maximal inductive subset iff it is the largest subset of L that is inductive relative to P.
A Maximal Inductive Subset is unique
• inductive invariants are closed under conjunction
Cormac Flanagan, K. Rustan M. Leino: Houdini, an Annotation Assistant for ESC/Java. FME 2001: 500-517
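The generate-and-check loop above (guess candidates on a simpler approximation, keep their maximal inductive subset bit-precisely, check safety) and the Maximal Inductive Subset definition on this slide, worked as an added example that is not code from the slides or from Misper. It uses a constructed 4-bit counter and computes the MIS by exhaustive enumeration of the 16 states in the Houdini style (drop whatever is not preserved, repeat to a fixpoint), not by the MUS-based reduction the deck describes, so it needs no external solver. The program, the candidate lemmas and the two arithmetics (unbounded integers standing in for the linear-arithmetic approximation, masked addition for the bit-precise check) are all assumptions of the example.

```python
"""Houdini-style Maximal Inductive Subset (MIS) over a tiny bit-vector program.

Added example, not code from the slides or from Misper. It models a 4-bit
unsigned counter (constructed) and computes the MIS of a candidate set by
exhaustive state enumeration instead of the MUS-based reduction the slides
describe, so it runs with no external solver.
"""

WIDTH = 4
MASK = (1 << WIDTH) - 1
STATES = range(1 << WIDTH)        # every 4-bit value of the single variable x


# Two arithmetics for the same lemma text: unbounded integers (the linear
# arithmetic approximation) and WIDTH-bit wrap-around (bit-precise).
def add_la(a, b):
    return a + b


def add_bv(a, b):
    return (a + b) & MASK


# Program P = (V, Init, Tr, Bad) with V = {x}; Tr is deterministic here.
def init(x):
    return x == 0


def tr(x, add):
    return add(x, 1) if x < 10 else x


def bad(x):
    return x > 10


# Candidate lemmas as an arithmetic verifier might guess them (constructed).
# Each is a predicate over x, parameterised by the arithmetic in use.
CANDIDATES = {
    "x >= 0": lambda x, add: x >= 0,
    "x <= 10": lambda x, add: x <= 10,
    "x < 5": lambda x, add: x < 5,
    "x + 6 > x": lambda x, add: add(x, 6) > x,   # valid in LA, wraps in 4 bits
}


def holds(lemmas, x, add):
    """Conjunction of the named lemmas evaluated at state x."""
    return all(CANDIDATES[n](x, add) for n in lemmas)


def maximal_inductive_subset(cands, add):
    """Houdini: drop every lemma that fails on Init or is not preserved by Tr
    from a state satisfying the current set; repeat until nothing more drops.
    The result is unique because inductive sets are closed under conjunction."""
    keep = set(cands)
    changed = True
    while changed:
        changed = False
        for x in STATES:
            failing = set()
            if init(x):                                  # Init => X
                failing |= {n for n in keep if not CANDIDATES[n](x, add)}
            if holds(keep, x, add):                      # X /\ Tr => X'
                x2 = tr(x, add)
                failing |= {n for n in keep if not CANDIDATES[n](x2, add)}
            if failing:
                keep -= failing
                changed = True
    return keep


def is_safe(inv, add):
    """Inv /\ Bad is unsatisfiable over all WIDTH-bit states."""
    return not any(holds(inv, x, add) and bad(x) for x in STATES)


if __name__ == "__main__":
    guess = maximal_inductive_subset(CANDIDATES, add_la)   # step 1: unsound guess
    inv = maximal_inductive_subset(guess, add_bv)          # step 2: bit-precise MIS
    print("LA candidates kept:", sorted(guess))
    print("bit-precise MIS:   ", sorted(inv))
    print("safe:", is_safe(inv, add_bv))                   # step 3 not needed here
```

Under unbounded arithmetic the lemma `x + 6 > x` survives, because it is a tautology there; under 4-bit arithmetic it is dropped at the reachable state x = 10, where 10 + 6 wraps to 0. What remains, `x >= 0` and `x <= 10`, is already safe, so the strengthening step of the algorithm has nothing left to do on this instance.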
Minimal Unsatisfiable Subset
Let be a formula and A = {a1, …, an} be atomic propositions occurring negatively in it
Assume the formula conjoined with a1 ∧ … ∧ an is UNSAT
A minimal unsatisfiable subset (MUS) of the formula is the smallest subset X ⊆ A such that the formula conjoined with X is UNSAT
There are efficient algorithms for computing MUS (a.k.a. UNSAT core) for propositional formulas
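A deletion-based MUS extractor in the setting of this slide, added here as an example; it is not the slides' code and not MUSer2. The hard part is the formula, the soft part is the set of atoms a1, …, an added as unit clauses, and satisfiability is decided by brute force over a handful of variables where a real extractor would call an incremental SAT solver. The CNF instance is constructed for the example; note that deletion returns a minimal (irreducible) subset, and which one depends on the order the clauses are tried.

```python
"""Deletion-based Minimal Unsatisfiable Subset (MUS) extraction.

Added example, not the slides' or MUSer2's code. Clauses are lists of
non-zero ints in DIMACS style (-v means "not v"). Satisfiability is decided
by brute force, standing in for the incremental SAT solver a real extractor
would use.
"""
from itertools import product


def satisfiable(clauses):
    """Brute-force SAT: try every assignment of the variables mentioned."""
    vars_ = sorted({abs(lit) for c in clauses for lit in c})
    for bits in product((False, True), repeat=len(vars_)):
        val = dict(zip(vars_, bits))
        if all(any(val[abs(lit)] == (lit > 0) for lit in c) for c in clauses):
            return True
    return False


def deletion_mus(hard, soft):
    """Return a minimal list M of `soft` clauses such that hard + M is UNSAT.
    Try dropping each soft clause in turn; keep it only if the remainder
    becomes satisfiable (i.e. the clause is necessary)."""
    assert not satisfiable(hard + soft), "input must be UNSAT"
    mus = list(soft)
    i = 0
    while i < len(mus):
        trial = mus[:i] + mus[i + 1:]
        if satisfiable(hard + trial):
            i += 1            # clause i is needed, keep it and move on
        else:
            mus = trial       # clause i is redundant, drop it
    return mus


# Constructed instance: variables a1=1, a2=2, a3=3, x=4.
# The formula is (¬a1 ∨ ¬a2) ∧ (¬a3 ∨ x) ∧ (¬a3 ∨ ¬x); every a_i occurs negatively.
HARD = [[-1, -2], [-3, 4], [-3, -4]]
# Asserting a1 ∧ a2 ∧ a3 on top of it is UNSAT.
SOFT = [[1], [2], [3]]

if __name__ == "__main__":
    print("MUS trying a1 first:", deletion_mus(HARD, SOFT))        # [[3]]
    print("MUS trying a3 first:", deletion_mus(HARD, SOFT[::-1]))  # [[2], [1]]
```

The instance has two minimal unsatisfiable subsets, {a3} alone (it forces x and ¬x) and {a1, a2} (they contradict the first clause); which one the deletion loop returns is decided by the order in which clauses are tried, which is why the MIS-via-MUS reduction on the next slide needs repeated MUS calls rather than a single one.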
Solving MIS via MUS
Reduce MIS to multiple calls to MUS
(Diagram labels: fresh propositional variables, called once, incremental SAT, SAT, MUS)
Var-Equivalence
Let A and B be two formulas
Let X be a subset of the propositional variables of A and B
Definition: A and B are var-equivalent relative to X if and only if for any satisfying assignment σ of X, Aσ and Bσ are equisatisfiable
Claim
B2P applied to a formula is var-equivalent to that formula relative to X = {post_i, pre_i}
Implementation
Misper is implemented in Python and relies on many external tools
• LLVM for handling C
• UFO-MUZ for LA invariants
• Boolector for B2P
• MUSer2 for MUS step in MIS
• Z3 for SMT and HORN
Results Summary
214 SAFE benchmarks from SVCOMP’2013
• includes all non-trivial SAFE benchmarks
All times are in seconds

bit width  inst.  cnt  Z3/PDR #sol (avg/med)  Misper #sol (avg/med)  Cand #sol (avg/med)  MIS #sol (avg/med)
32         all    214  116 (127/8)            174 (28/0.4)           165 (8/0.4)          9 (392/134)
32         unsol  98   --                     58 (75/1)              52 (22/0.7)          6 (544/366)
16         all    214  165 (176/8)            182 (69/0.4)           165 (8/0.4)          17 (661/399)
16         unsol  49   --                     18 (624/376)           6 (50/21)            12 (911/1,094)
Detailed Results (16 bits)
FrankenBit: Bit-Precise Verification w/ Many Bits
MISPER to synthesize bit-precise invariants
LLBMC to search for counterexamples
Silver and Bronze medals at SV-COMP 2014
http://sv-comp.sosy-lab.org/2014/results/index.php
Related Work
Cormac Flanagan, K. Rustan M. Leino: Houdini, an Annotation Assistant for ESC/Java. FME 2001.
• (the first?) algorithm for computing Maximal Inductive Subset
Randal E. Bryant, Daniel Kroening, Joël Ouaknine, Sanjit A. Seshia, Ofer Strichman, Bryan A. Brady: Deciding Bit-Vector Arithmetic with Abstraction. TACAS 2007.
• sound under-approximation of bit-vector formulas by shrinking bit-width
Alberto Griggio: Effective word-level interpolation for software verification. FMCAD 2011.
• mostly sound over-approximation of bit-vector formulas by arithmetic
• but, also uses unsound approximation followed by a sound check
Conclusion
Sound reasoning from unsound approximations
• Use Linear Arithmetic to guess good invariants
• Use efficient bit-vector decision procedures to validate invariants
• Use efficient propositional Minimal Unsatisfiable Subset extractor to find Maximal Inductive Subset
• Use inefficient bit-precise reasoning to complete the proof
Works well on SV-COMP (non bit-vector specific) benchmarks
• probably because the properties are mostly bit-vector agnostic
• e.g., API usage in Linux Device Drivers
Integrated in FrankenBit: http://arieg.bitbucket.org/fbit
Future Work
We have just scratched the surface…
CounterExample Guided Approximation-Refinement Loop
• block a counterexample by partial bit-blasting
• partially embed bit-vectors into integer arithmetic
Better approximations
• such as in related work, e.g., Griggio, and Bryant et al.
Adapt lemmas
• account for bit-width, overflow, and upper bound
• e.g., replace x > 0 with x > 0 & x <= INT_MAX
Tighter integration with fixedpoint solver
Contact Information
Arie Gurfinkel
Senior Researcher
SEI / CMU
Telephone: +1 412-268-5800
Email: info@sei.cmu.edu
U.S. Mail
Software Engineering Institute
Customer Relations
4500 Fifth Avenue
Pittsburgh, PA 15213-2612
USA
Web
www.sei.cmu.edu
www.sei.cmu.edu/contact.cfm
Customer Relations
Email: info@sei.cmu.edu
Telephone: +1 412-268-5800
SEI Phone: +1 412-268-5800
SEI Fax: +1 412-268-6257