Slide 1 (FMCAD 2007, slide transcript)
Induction in CEGAR for Detecting Counterexamples
Chao Wang, Aarti Gupta, Franjo Ivancic
NEC Laboratories America
Slide 2: Background
- Detecting long counterexamples is a hard problem
  - Bounded model checking [Biere et al. 1999]
  - Counterexample guided abstraction refinement (CEGAR) [Kurshan 1994] [Clarke et al. 2000] [Ball et al. 2001]
  - Interpolation [McMillan 2003]
- Induction has been used in model checking for finding proofs, i.e. to prove the absence of counterexamples [Sheeran et al. 2000] [Gupta et al. 2003] [de Moura et al. 2003]
  - It has never been used for finding bugs
- We use induction to prove the existence of counterexamples
  - Target counterexamples that are long and can be captured by regular patterns
- Related work: [Bjesse & Kukula 2004] [Nashi & Somenzi 2006] [Kroening & Weissenbacher 2006] [Ball, Kupferman, Sagiv 2007]
Slide 3: A Motivating Example
A simple and yet representative bug (e.g., array bound violation)
Pre-conditions computed backwards through the loop:
P:  (i<n)
P1: (i+1<n)
P2: (i+2<n)
…
Slide 4: A Motivating Example
Our observations:
1. A counterexample exists regardless of the value of ‘n’
2. The counterexample has a regular pattern
Slide 5: Outline
- Background
- Identifying the Counterexample Pattern
- Proving the Existence of Counterexample
- Experiments
- Conclusions
Slide 6: Parameterized Counterexamples
Figure: a parameterized counterexample consists of a prefix, a recurring segment repeated a number of times given by the induction parameter, and a suffix.
Slide 7: Identifying Counterexample Pattern
Spurious counterexamples in CEGAR (sequences of program locations):
(1)(2)(3)(4)(5) (6)(7)
(1)(2)(3)(4)(5) (6)(7)(8) (6)(7)
(1)(2)(3)(4)(5) (6)(7)(8) (6)(7)(8) (6)(7)
…
(1)(2)(3)(4)(5) {(6)(7)(8)}n (6)(7)
Idea: look at the spurious counterexamples produced by CEGAR
Figure labels: prefix (1)(2)(3)(4)(5), recurring segment (6)(7)(8), suffix (6)(7)
Slide 8: Using Induction in the CEGAR Loop
Flowchart (recovered from the slide):
Abstraction -> Model Checking -> found CEX?
  no: Proved
  yes: Concretize abstract counterexample -> concrete CEX?
    yes: Bug found
    no: Induction to prove existence of CEX (Step 1. identify pattern; Step 2. induction proof) -> found CEX?
      yes: Bug found
      no: Refinement -> back to Abstraction
CEGAR: [Kurshan 1994] [Clarke et al. 2000] [Ball and Rajamani 2000]
Slide 9: Concretization Test (standard)
Abstract counterexample
Concrete pre-condition computation
Slide 10: Concretization with Back-leaping
At the failing index i such that
Find two indexes k and j such that
and
Slide 11: Identifying the Induction Parameter
Parameterized counterexample:
(1)(2)(3)(4)(5) {(6)(7)(8)}n (6)(7)
Figure labels: tail of recurring segment / head of suffix, with the loop guard (i <= n) at that boundary
This is a heuristic (to be verified by the induction proof)
Slide 12: Parameterized Traces
In the prefix, find the assignment to n
  n = expr ;
Rewrite it into
  n = k ;
We can set the symbolic value
  k = 1, 2, 3, …
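The spurious-trace sequence of slide 7 and the n = k rewriting on this slide fit one small worked example. The Python below is an added illustration, not code from the paper or from the authors' tool: it assumes a constructed six-label program with an off-by-one loop guard, runs it with k = 0, 1, 2, 3 in place of n = expr, and decomposes the resulting traces into prefix, recurring segment and suffix (k = 0 gives zero repetitions of the segment). The program, its label numbering and every function name are assumptions made for this example.

```python
from typing import List, Optional, Tuple

Trace = List[int]  # a counterexample trace is a sequence of program-location labels


# Assumed program, constructed for this example (not the paper's benchmark).
# Labels form the trace alphabet; the bug is the off-by-one guard at label 3.
#   1: i = 0
#   2: n = k          (originally "n = expr", rewritten so that k can be varied)
#   3: while (i <= n) (should be i < n)
#   4:   a[i] = 0     (a has n elements: bound violation when i >= n)
#   5:   i = i + 1
#   6: return
def run_program(k: int) -> Tuple[Trace, bool]:
    """Execute the assumed program with n = k.  Returns the label trace and
    whether the array-bound violation at label 4 was reached."""
    trace: Trace = []
    trace.append(1)
    i = 0
    trace.append(2)
    n = k
    while True:
        trace.append(3)
        if not (i <= n):
            break
        trace.append(4)
        if i >= n:  # a[i] lies outside [0, n): the bug fires here
            return trace, True
        trace.append(5)
        i = i + 1
    trace.append(6)
    return trace, False


def find_pattern(traces: List[Trace]) -> Optional[Tuple[Trace, Trace, Trace]]:
    """Given traces for k = 0, 1, 2, ..., find (prefix, segment, suffix) such that
    traces[j] == prefix + segment * j + suffix for every j.  Returns None when
    no such decomposition exists.  The smallest prefix that fits wins; as the
    slides say, this is a heuristic that the induction proof must confirm."""
    if len(traces) < 2:
        return None
    lengths = [len(t) for t in traces]
    seg_len = lengths[1] - lengths[0]
    # Traces must grow by the same amount each time: one more copy of the segment.
    if seg_len <= 0 or any(lengths[j + 1] - lengths[j] != seg_len
                           for j in range(len(traces) - 1)):
        return None
    base, nxt = traces[0], traces[1]
    for p in range(len(base) + 1):
        prefix, suffix = base[:p], base[p:]
        segment = nxt[p:p + seg_len]  # the extra material in the second trace
        if all(t == prefix + segment * j + suffix for j, t in enumerate(traces)):
            return prefix, segment, suffix
    return None


def induction_parameter_candidates(segment: Trace, suffix: Trace) -> Tuple[int, int]:
    """Heuristic from the slides: the guard that decides between one more
    repetition and the suffix sits at the tail of the recurring segment or the
    head of the suffix.  Return those two labels for inspection."""
    return segment[-1], suffix[0]


def parameterized_counterexample(max_k: int = 3) -> Optional[Tuple[Trace, Trace, Trace]]:
    """Instantiate k = 0 .. max_k, require that every run hits the bug, and
    decompose the resulting traces into prefix, recurring segment and suffix."""
    traces = []
    for k in range(max_k + 1):
        trace, violated = run_program(k)
        if not violated:
            return None  # no counterexample for this k: no regular pattern to report
        traces.append(trace)
    return find_pattern(traces)


if __name__ == "__main__":
    pattern = parameterized_counterexample()
    print("prefix, recurring segment, suffix:", pattern)
    if pattern:
        print("guard candidates at the segment/suffix boundary:",
              induction_parameter_candidates(pattern[1], pattern[2]))
```

For the assumed program the decomposition is prefix (1)(2), recurring segment (3)(4)(5), suffix (3)(4), and the boundary labels are 5 and 3, so the guard at label 3 is where the induction parameter is looked for. find_pattern also recovers the slide's own example, prefix (1)..(5), segment (6)(7)(8), suffix (6)(7), from the three traces listed on slide 7.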
Slide 13: Outline (repeated from slide 5; next section: Proving the Existence of Counterexample)
Slide 14: Using Induction in the CEGAR Loop (flowchart repeated from slide 8: Step 1. identify pattern, Step 2. induction proof)
Slide 15: What’s easy / hard to compute?
- Pre-condition computation: easy to compute
- Post-condition computation: hard to compute
- Transitive pre- and post-condition: hard to compute
- Never directly compute F
Slide 16: Induction Proof
Slide 17: Induction: handling the prefixes
F and F’ differ only in the valuations of Vb
Slide 18: Induction: handling the suffixes
F and F’ differ only in the valuations of Vb
Theorem 1 (figure labels: C0, C1)
Slide 19: The Running Example
Figure labels: finite-length prefix, finite-length suffixes
Slide 20: Outline (repeated from slide 5; next sections: Experiments, Conclusions)
Slide 21: About Implementation: pre*( )
[cf. Dijkstra 1976]
Slide 22: About Implementation: existential quantification
- Finite domain: BDD (smooth)
- Linear integer: Polyhedra (Fourier-Motzkin elimination)
- With both: combination of BDD and Polyhedra [Yang et al. MEMOCODE 2006]
Slide 23: Experiments
The GNU bc example
Induction finds this counterexample in 10 seconds
Figure: comparison with standard CEGAR (residue: “… 256 with standard CEGAR”)
Slide 24: Experiments
Figure: run time of standard CEGAR (x-axis: values of the induction parameters)
Benchmarks:
- bc: GNU bc example
- Aeon: Aeon-0.02a, Linux mail transfer agent
- ftpd: wu-ftpd-2.6.2, the ftp daemon
Slide 25: Conclusions
- Induction in CEGAR for detecting long counterexamples
  - Concretization algorithm to identify the counterexample pattern
  - Induction to prove the existence of counterexamples
- Complementary to standard CEGAR (which itself is good for finding proofs)
  - Well-suited for finding deep bugs
  - Better than searching for a state-by-state match of the concrete counterexamples (e.g., BMC, predicate abstraction, interpolation)
- Future work: static analysis to improve the counterexample pattern identification