tball@microsoft - university of oregon
TRANSCRIPT
![Page 1: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/1.jpg)
1
• Falcons, Apple ][,1981• B.A. Cornell, 1987• Ph.D. Univ. Wisc., 1993• AT&T Bell Labs, 1993-96• Lucent Technologies Bell Labs, 1996-99• Microsoft Research, 1999-present• Research interests
– software reliability– programming languages, program analysis, model
checking, automated theorem proving
![Page 2: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/2.jpg)
2
![Page 3: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/3.jpg)
3
![Page 4: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/4.jpg)
4
Testing, Verification and Measurement
• Tom Ball• Madan Musuvathi (Stanford)• Shuvendu Lahiri (CMU)• Nachi Nagappan (NCSU)
• Visitors– Orna Kupferman (Hebrew Univ.), Mooly Sagiv (Tel-
Aviv Univ.), Andrei Voronkov (Univ. Manchester), Andreas Zeller (Univ. Saarland)
– Domagoj Babic, Sumit Gulwani, Krishna Mehra, Roman Manevich, Carlos Pacheco, Greta Yorsh
![Page 5: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/5.jpg)
5
Microsoft Research:University Relations
• Hiring Ph.D.s• Fellowships• Summer internships• New faculty awards• Research grants in selected areas• Sabattical• Faculty Summit
![Page 6: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/6.jpg)
6
![Page 7: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/7.jpg)
7
Automating Verification of Software
• Remains a “grand challenge” of computer science
• Behavioral abstraction is central to this effort– abstractions simplify our view of program
behavior– proofs over the abstractions carry over to
proofs over the program
![Page 8: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/8.jpg)
8
unreachable
States
Reachability
reachable
init
unsafeunsafe
![Page 9: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/9.jpg)
9
![Page 10: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/10.jpg)
10
Safe Invariants
• Q is a safe invariant if– init Q– T(Q) Q– Q safe
T(Q)
init
Q
unsafe
![Page 11: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/11.jpg)
11
Abstraction = Overapproximation of Behavior
T(Q)
init
Qunsafe
Q#
T#(Q#)
![Page 12: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/12.jpg)
12
Unlocked Locked
Error
Rel Acq
Acq
Rel
do {KeAcquireSpinLock();
nPacketsOld = nPackets;
if(request){request = request->Next;KeReleaseSpinLock();nPackets++;
}} while (nPackets != nPacketsOld);
KeReleaseSpinLock();
More Concretely
![Page 13: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/13.jpg)
13
s:=U;do {
assert(s=U); s:=L;
if(*){
assert(s=L); s:=U;
}} while (*);
assert(s=L); s:=U;
Abstraction (via Boolean program)
do {KeAcquireSpinLock();
nPacketsOld = nPackets;
if(request){request = request->Next;KeReleaseSpinLock();nPackets++;
}} while(nPackets!=nPacketsOld);
KeReleaseSpinLock();
![Page 14: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/14.jpg)
14
s:=U;do {
assert(s=U); s:=L;
if(*){
assert(s=L); s:=U;
}} while (*);
assert(s=L); s:=U;
State Space Exploration
U
L
L
L
L
U
L
U
U
U
E
L
E
![Page 15: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/15.jpg)
15
Overapproximation Too Large!
init
Qunsafe
Q#
![Page 16: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/16.jpg)
16
Refined Boolean Abstraction
s:=U;do {
assert(s=U); s:=L;
b := true;
if(*){
assert(s=L); s:=U;b := b ? false : *;
}} while ( !b );
assert(s=L); s:=U;
b : (nPacketsOld == nPackets)
do {KeAcquireSpinLock();
nPacketsOld = nPackets;
if(request){request = request->Next;KeReleaseSpinLock();nPackets++;
}} while(nPackets!=nPacketsOld);
KeReleaseSpinLock();
![Page 17: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/17.jpg)
17
Refined Boolean Abstraction
s:=U;do {
assert(s=U); s:=L;
b := true;
if(*){
assert(s=L); s:=U;b := b ? false : *;
}} while ( !b );
assert(s=L); s:=U;
b : (nPacketsOld == nPackets)
b
b
b
b
U
L
L
L
L
U
L
U
U
b
b
!b
![Page 18: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/18.jpg)
18
Invariant
![Page 19: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/19.jpg)
19
Software Verification:A Search for Abstractions
• A complex search space with a fitness function (false errors)– search for right abstraction– search within state space of abstraction
• Can a machine beat a human at search for the right abstractions?
![Page 20: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/20.jpg)
20
Overview• Part I: Abstract Interpretation
– [Cousot & Cousot, POPL’77]– Manual abstraction and refinement– ASTRÉE Analyzer
• Part II: Predicate Abstraction– [Graf & Saïdi, CAV ’97]– Automated abstraction and refinement– SLAM and Static Driver Verifier
• Part III: Comparing Approaches
![Page 21: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/21.jpg)
21
![Page 22: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/22.jpg)
22
Safe Invariants
• Q is a safe invariant if– I Q– T(Q) Q– Q F
T(Q)
I
Q
unsafe
![Page 23: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/23.jpg)
23
![Page 24: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/24.jpg)
24
![Page 25: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/25.jpg)
25
![Page 26: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/26.jpg)
26
![Page 27: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/27.jpg)
27
![Page 28: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/28.jpg)
28
![Page 29: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/29.jpg)
29
![Page 30: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/30.jpg)
30
![Page 31: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/31.jpg)
31
![Page 32: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/32.jpg)
32
![Page 33: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/33.jpg)
33
![Page 34: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/34.jpg)
34
![Page 35: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/35.jpg)
35
![Page 36: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/36.jpg)
36
Abstract Transition Relation
a
a’
![Page 37: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/37.jpg)
37
![Page 38: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/38.jpg)
38
![Page 39: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/39.jpg)
39
![Page 40: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/40.jpg)
40
![Page 41: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/41.jpg)
41
![Page 42: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/42.jpg)
42
![Page 43: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/43.jpg)
43
![Page 44: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/44.jpg)
44
![Page 45: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/45.jpg)
45Slide courtesy of Patrick Cousot
![Page 46: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/46.jpg)
46Slide courtesy of Patrick Cousot
![Page 47: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/47.jpg)
47Slide courtesy of Patrick Cousot
![Page 48: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/48.jpg)
48Slide courtesy of Patrick Cousot
![Page 49: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/49.jpg)
49
Overview• Part I: Abstract Interpretation
– [Cousot & Cousot, POPL’77]– Manual abstraction and refinement– ASTRÉE Analyzer
• Part II: Predicate Abstraction– [Graf & Saïdi, CAV ’97]– Automated abstraction and refinement– SLAM and Static Driver Verifier
• Part III: Comparing Approaches
![Page 50: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/50.jpg)
50
Abstract Interpretation, So Far
• Create abstract domain and supporting algorithms
• Relate domains via and functions • Prove Galois connection• Create abstract transformer T#• Show that T# approximates ° T ° • Refinement to reduce false errors• Widening to achieve termination
![Page 51: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/51.jpg)
51
![Page 52: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/52.jpg)
52Diagram from Cousot, Cousot, POPL 1977
![Page 53: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/53.jpg)
53
![Page 54: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/54.jpg)
54
![Page 55: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/55.jpg)
55
![Page 56: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/56.jpg)
56
![Page 57: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/57.jpg)
57
![Page 58: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/58.jpg)
58
![Page 59: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/59.jpg)
59
Patrick Cousot, Radhia Cousot, Jérôme Feret, Laurent Mauborgne, Antoine Miné, David Monniaux, Xavier Rival, Bruno Blanchet
ASTRÉE analyzes structured C programs, without dynamic memory allocation and recursion.
In Nov. 2003, ASTRÉE automatically proved the absence of any run-time error in the primary flight control software of the Airbus A340 fly-by-wire system
a program of 132,000 lines of C analyzed in 1h20 on a 2.8 GHz 32-bit PC using 300 Mb of memory
![Page 60: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/60.jpg)
60
Abstraction Refinement:PLDI’03 Case Study of Blanchet et al.
• “… the initial design phase is an iterative manual refinement of the analyzer.”
• “Each refinement step starts with a static analysis of the program, which yields false alarms. Then a manual backward inspection of the program starting from sample false alarms leads to the understanding of the origin of the imprecision of the analysis.”
• “There can be two different reasons for the lack of precision:– some local invariants are expressible in the current version of
the abstract domain but were missed– some local invariants are necessary in the correctness proof
but are not expressible in the current version of the abstract domain.”
![Page 61: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/61.jpg)
61
Part I: Summary
• Create abstract domains and supporting algorithms
• Relate domains via and functions • Prove Galois connection• Create abstract transformer T#• Show that T# approximates ° T ° • Refinement to reduce false errors• Widening to achieve termination
![Page 62: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/62.jpg)
62
Overview• Part I: Abstract Interpretation
– [Cousot & Cousot, POPL’77]– Manual abstraction and refinement– ASTRÉE Analyzer
• Part II: Predicate Abstraction– [Graf & Saïdi, CAV ’97]– Automated abstraction and refinement– SLAM and Static Driver Verifier
• Part III: Comparing Approaches
![Page 63: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/63.jpg)
63
Boolean Abstraction
s:=U;do {
assert(s=U); s:=L;
b := true;
if(*){
assert(s=L); s:=U;b := b ? false : *;
}} while ( !b );
assert(s=L); s:=U;
b : (nPacketsOld == nPackets)
do {KeAcquireSpinLock();
nPacketsOld = nPackets;
if(request){request = request->Next;KeReleaseSpinLock();nPackets++;
}} while(nPackets!=nPacketsOld);
KeReleaseSpinLock();
![Page 64: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/64.jpg)
64
Counterexample-driven Abstraction Refinement
C Prog
predicate abstraction
booleanprogram
pathfeasibility
&predicatediscovery
symbolicreachability
SLICRule
+
refinementpredicates
errorpath
[Clarke et al. ’00][Ball, Rajamani ’00]
[Kurshan et al. ’93]
![Page 65: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/65.jpg)
65
Part II: Overview
• Predicate Abstraction
• Symbolic Reachability with BDDs
• Predicate Refinement
![Page 66: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/66.jpg)
66
Predicate Abstraction
– Graf & Saïdi, CAV ’97• Idea
– Given set of predicates P = { P1, …, Pk }• Formulas describing properties of system state
• Abstract State Space– Set of Boolean variables B = { b1, …, bk }
• bi = true Set of states where Pi holds
![Page 67: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/67.jpg)
– 67 –
Approximating concrete states
Fundamental OperationFundamental Operation Approximating a set of
concrete states by a set of predicates
Requires exponential number of theorem prover calls in worst case
Compute SymbolicallyCompute Symbolically Main Operation
X. X. [ ( ii bbii PPii ) ]
##
Partitioning defined by the predicates
Similar to existential abstraction of finite state machines [Clarke, Grumberg, Long]
![Page 68: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/68.jpg)
68
Abstraction and Concretization Functions
![Page 69: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/69.jpg)
69
Abstraction and Concretization Functions
![Page 70: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/70.jpg)
70
Abstraction and Concretization Functions
![Page 71: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/71.jpg)
71
![Page 72: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/72.jpg)
72
![Page 73: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/73.jpg)
73
![Page 74: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/74.jpg)
74
![Page 75: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/75.jpg)
75
![Page 76: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/76.jpg)
76
![Page 77: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/77.jpg)
77
• WP(x:=e,Q) = Q[x -> e]
• WP(y:=y+1, y<5) = (y<5) [y -> y+1] =
(y+1<5) = (y<4)
Abstracting Assigns via WP
![Page 78: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/78.jpg)
78
WP Problem
• WP(s, pi) not always expressible via P
• Example
– P = { x=0, x=1, x<5 }
– WP( x:=x+1 , x<5 ) = x<4
![Page 79: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/79.jpg)
79
ImpliesF(e) and ImpliedByF(e) e
ImpliesP(e)
ImpliedBy(e)
![Page 80: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/80.jpg)
80
Abstracting Assignments
• if ImpliesP(WP(s, pi)) is true before s then– pi is true after s
• if ImpliesP(WP(s, !pi)) is true before s then– pi is false after s
bi := ImpliesP(WP(s, pi)) ? true : ImpliesF(WP(s, !pi)) ? false
: *;
![Page 81: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/81.jpg)
81
Assignment Example
Statement: Predicates in P:y := y+1; {x=y}
Weakest Precondition:WP(y:=y+1, x=y) = x=y+1
ImpliesF( x=y+1 ) = ?
ImpliesF( x!=y+1 ) = ?
![Page 82: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/82.jpg)
82
Assignment Example
Statement: Predicates in P:y := y+1; {x=y}
Weakest Precondition:WP(y:=y+1, x=y) = x=y+1
ImpliesF( x=y+1 ) =
ImpliesF( x!=y+1 ) =
Abstraction of assignment in B:b = b ? false : *;
![Page 83: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/83.jpg)
83
Abstracting Assumes
• assume(e) is abstracted to: assume( ImpliedByP(e) )
• Example:P = {x=2, x<5}assume(x < 2) is abstracted to:
assume( {x<5} && !{x==2} )
![Page 84: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/84.jpg)
84
![Page 85: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/85.jpg)
85
Refined Boolean Abstraction
s:=U;do {
assert(s=U); s:=L;
b := true;
if(*){
assert(s=L); s:=U;b := b ? false : *;
}} while ( !b );
assert(s=L); s:=U;
b : (nPacketsOld == nPackets)
do {KeAcquireSpinLock();
nPacketsOld = nPackets;
if(request){request = request->Next;KeReleaseSpinLock();nPackets++;
}} while(nPackets!=nPacketsOld);
KeReleaseSpinLock();
![Page 86: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/86.jpg)
86
![Page 87: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/87.jpg)
87
Part II: Overview
• Predicate Abstraction
• Symbolic Reachability with BDDs
• Predicate Refinement
![Page 88: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/88.jpg)
88
Reachability in Boolean Programs
![Page 89: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/89.jpg)
89
Reachability in Boolean Programs
![Page 90: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/90.jpg)
90
Reachability in Boolean Programs
![Page 91: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/91.jpg)
91
Reachability in Boolean Programs
![Page 92: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/92.jpg)
92
Reachability in Boolean Programs
![Page 93: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/93.jpg)
93
Binary Decision Diagrams
• Acyclic graph data structure for representing a boolean function (equivalently, a set of bit vectors)
• F(x,y,z) = (x=y)
![Page 94: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/94.jpg)
94
Binary Decision Diagrams
• Acyclic graph data structure for representing a boolean function (equivalently, a set of bit vectors)
• F(x,y,z) = (x=y)
xy
z1 1
z0 0
yz
0 0z
1 1
![Page 95: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/95.jpg)
95
Binary Decision Diagrams
• Acyclic graph data structure for representing a boolean function (equivalently, a set of bit vectors)
• F(x,y,z) = (x=y)
xyz
1 1z
0 0
yz
0 0z
1 1
![Page 96: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/96.jpg)
96
Hash Consing + Variable Elimination
x
y y
z
0
z
1
x
y y
0
1
x
y
z
1 1
z
0 0
y
z
0 0
z
1 1
![Page 97: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/97.jpg)
97
![Page 98: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/98.jpg)
98
Part II: Overview
• Predicate Abstraction
• Symbolic Reachability with BDDs
• Predicate Refinement
![Page 99: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/99.jpg)
99
Refinement
a
b
c
![Page 100: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/100.jpg)
100
Refinement
a
b
c
![Page 101: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/101.jpg)
101
![Page 102: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/102.jpg)
102
Abstraction (via Boolean program)
U
L
L
L
U
U
U
E
do {KeAcquireSpinLock();
nPacketsOld = nPackets;
if(request){request = request->Next;KeReleaseSpinLock();nPackets++;
}} while(nPackets!=nPacketsOld);
KeReleaseSpinLock();
![Page 103: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/103.jpg)
103
Abstraction (via Boolean program)
U
L
L
L
U
U
U
E
do {KeAcquireSpinLock();
nPacketsOld = nPackets;
if(request){request = request->Next;KeReleaseSpinLock();nPackets++;
}} while(nPackets!=nPacketsOld);
KeReleaseSpinLock();
![Page 104: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/104.jpg)
104
Abstraction (via Boolean program)
U
L
L
L
U
U
U
E
do {KeAcquireSpinLock();
nPacketsOld = nPackets;
if(request){request = request->Next;KeReleaseSpinLock();nPackets++;
}} while(nPackets!=nPacketsOld);
KeReleaseSpinLock();
![Page 105: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/105.jpg)
105
Abstraction (via Boolean program)
U
L
L
L
U
U
U
E
do {KeAcquireSpinLock();
nPacketsOld = nPackets;
if(request){request = request->Next;KeReleaseSpinLock();nPackets++;
}} while(nPackets!=nPacketsOld);
KeReleaseSpinLock();
![Page 106: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/106.jpg)
106Source Code
TestingDevelopment
PreciseAPI Usage Rules
(SLIC)
Software Model Checking
Read forunderstanding
New API rules
Drive testingtools
Defects
100% pathcoverage
Rules
Static Driver VerifierStatic Driver Verifier
![Page 107: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/107.jpg)
107
![Page 108: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/108.jpg)
108
Part III: Comparison
• Informal• Formal
![Page 109: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/109.jpg)
109
![Page 110: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/110.jpg)
110
![Page 111: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/111.jpg)
111
![Page 112: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/112.jpg)
112
Formaly Comparing the Two Approaches
• WAIL– widening + abstract intepretation over infinite lattice
• FAIR– finite abstraction + iterative refinement
![Page 113: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/113.jpg)
113
Abstraction/Refinement
• [Cousot-Cousot, PLILP’92]– widening + abstract interpretation with infinite lattices (WAIL) is
more powerful than a (single) finite abstraction
• [Namjoshi/Kurshan, CAV’00]– if there is a finite (bi-)simulation quotient then WAIL with no
widening will terminate [and therefore so will FAIR]
• [Ball-Podelski-Rajamani, TACAS’02]– finite abstractions plus iterative refinement (FAIR) is more powerful
than WAIL
![Page 114: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/114.jpg)
114
Guarded Command Language
• Variables X = {x1, …, xn }
• Guarded command c– g x1’=e1 … xn’=en
• Program is a set of guarded commands– each command is deterministic– set of commands may be non-deterministic
![Page 115: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/115.jpg)
115
Symbolic Representation of States
iI jJ(i) ij
ij : atomic formula such as (x<5)
’ ’
![Page 116: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/116.jpg)
116
pre ofc g x1’=e1 … xn’=en
• prec() g [e1,…en/ x1,…xn]
• pre() cC prec()
![Page 117: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/117.jpg)
117
Safe Backward Invariants
is a safe backward invariant if– unsafe – pre() noninit
pre( )
init
unsafe
![Page 118: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/118.jpg)
118
Predicate Abstraction
– A set P of predicates over a program’s state space defines an abstraction of the program
• P = { (a=1), (b=1), (a>0) }• Uninterpreted atoms [a=1][b=1][a>0]
– If P has n predicates, the abstract domain contains exactly 22n elements
• an abstract state = conjunction () of atoms• a set of abstract states = disjunction () of abstract
states
![Page 119: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/119.jpg)
119
Free Lattice of DNF over {a,b}
a b
(ab)
a (ab)
a b
a b (ab)
b (ab)
LogicalImplication
false
true
![Page 120: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/120.jpg)
120
pre#P
P pre
the identity function
P() the least ’ such that ’
• Example:– P = { (x<2), (x<3), (x=0) }P( x=1 ) = (x<2) (x<3)
![Page 121: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/121.jpg)
121
FAIRn := 0; := unsafeloop Pn := atoms() construct pre#
n, as defined by Pn
:= lfp(pre#n, unsafe)
if ( noninit) then return “success”
:= pre();
n := n + 1;forever
![Page 122: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/122.jpg)
122
Widening
• widen() = ’ such that ’
• We consider widening that simply drops terms from some conjuncts
widen(iI jJ(i) ij ) =
iI jJ’(i) ij where J’(i) J(i)
• Results can be extended to other classes of widenings
![Page 123: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/123.jpg)
123
Interval Widening, Revisited
![Page 124: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/124.jpg)
124
WAIL
n:= 0; := unsafe; old := false; loop if ( old) then if ( noninit) then return “success” else return “Don’t know” else old := i := guess provided by oracle := widen(i, pre() ) n := n+1forever
![Page 125: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/125.jpg)
125
FAIR
n := 0; := unsafeloop Pn := atoms() construct pre#
n, as defined by Pn
:= lfp(pre#n, unsafe)
if ( noninit) then return “success”
:= pre();
n := n + 1;forever
WAIL
n:= 0; := unsafe; old := false; loop if ( old) then if ( noninit) then return “success” else return “Don’t know” else old := i := guess provided by oracle := widen(i, pre() ) n := n+1;forever
![Page 126: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/126.jpg)
126
• Lemma 1: If a safe invariant can be expressed in terms of predicates in P then lfp(pre
#P, unsafe) is a safe invariant
• Lemma 2: For any guarded command c, prec( ’) = prec() prec(’)
prec( ’) = prec() prec(’)
• Corollary: For any guarded command c, atoms(prec( ’)) = atoms(prec()) atoms(prec(’))
atoms(prec( ’)) = atoms(prec()) atoms(prec(’))
Theorem. For any program P, if WAIL terminates with success for some sequence of widening choices, then FAIR will terminate with success as well.
![Page 127: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/127.jpg)
127
Proof of Theorem0 = unsafen+1 = n pre(n)
’0 = unsafe’n+1 = widen(’n pre(’n))
for all i, atoms(i) atoms(’i)by induction on i and Lemma 2
if ’i is a safe inv. then by Lemma 1 and above result
lfp(F#
atoms(i), start) is a safe inv.
![Page 128: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/128.jpg)
128
Summary
• Predicate abstraction + refinement and widening can be formally related to each other
• Predicate abstraction + refinement = widening with “optimal” guidance
![Page 129: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/129.jpg)
129
What We Did• Part I: Abstract Interpretation
– [Cousot & Cousot, POPL’77]– Manual abstraction and refinement– ASTRÉE Analyzer
• Part II: Predicate Abstraction– [Graf & Saïdi, CAV ’97]– Automated abstraction and refinement– SLAM and Static Driver Verifier
• Part III: Comparing Approaches
![Page 130: tball@microsoft - University of Oregon](https://reader033.vdocuments.net/reader033/viewer/2022042307/625b1ebfc4c30a4d9c611994/html5/thumbnails/130.jpg)
130
Searching for Solutions
• Once upon a time, only a human could play a great game of chess…– … but then smart brute force won the day
• Once upon a time, only a human could design a great abstraction…