Post on 18-Jan-2016
transcript
Localization and Register Sharing for Predicate Abstraction
Himanshu Jain
Franjo Ivančić
Aarti Gupta
Malay Ganai
Introduction
Predicate abstraction
Abstracts data by keeping track of certain predicates
Each predicate given a boolean variable in abstract model
Scalability depends on choice and usage of predicates
Counterexample Guided Abstraction and Refinement
PropertyMonitorC programs
Static Analysis
Abstraction
Model check(DiVer)
Analysis &Refinement
Discovered bug in software
Certified code
F-Soft
Motivation
Computing predicate relationships is expensive
Localization of predicates
Identify important predicates at each program location
Identify important predicate relationships
Some notation
Spurious trace Infeasible sequence of statements
Predicate relationships Example: (p1 Æ : p2), (p1’ $ p3)
1. x = m;
2. y = m;
3. assume (x != y);
Related work
BLAST uses interpolation to find important predicates at each statement in spurious trace [Jhala et al., 04]
Localization of predicates
Interpolation produces “good” predicates?
Syntactic program transformations for automatic abstraction [Namjoshi et al.]
MAGIC tool [Chaki et al.]
Given a spurious trace s1;….;sk
Use weakest pre-conditions to identify important predicates at each statement si
Most predicate relationships obtained from refinement itself
Our approach
Outline
Introduction
Localization of predicates
Register Sharing
Dedicated State Variables
Experimental results
Abstraction
1: x = ctr;
2: y = ctr + 1;
3: if (x = i-1){
4: if (y != i){
ERROR: }
}
1: skip;
2: skip;
3: if (*){
4: if (*){
ERROR: }
}
Abstract
C program No predicates available currently
Checking the abstract model
1: skip;
2: skip;
3: if (*){
4: if (*){
ERROR: }
}
No predicates available currently
Is ERROR reachable?
yes
Abstract model has a
path leading to error state
Concretization of abstract counterexample
1: x = ctr;
2: y = ctr + 1;
3: assume(x == i-1)
4: assume (y != i)
1: skip;
2: skip;
3: if (*){
4: if (*){
ERROR: }
}
Concrete trace
SimulationDoes this
correspond to a real bug?
Spurious trace
We use a SAT solver
1: x = ctr;
2: y = ctr + 1;
3: assume(x == i-1)
4: assume (y != i)
Concrete traceSpurious Counterexample
Refinement
1: x = ctr;
2: y = ctr + 1;
3: assume(x == i-1)
4: assume (y != i)
Spurious Counterexample
y != i
y != i
ctr + 1 != i
ctr + 1 != i
x == i -1
x == i - 1
ctr == i - 1
Localization information
Predicate relationships
1: x = ctr;
2: y = ctr + 1;
3: assume(x == i-1)
4: assume (y != i)
Spurious Counterexample
y != i
y != i
ctr + 1 != i
ctr + 1 != i
x == i -1
x == i - 1
ctr == i - 1
Localization information
?
1: x = ctr;
2: y = ctr + 1;
3: if (x = i-1){
4: if (y != i){
ERROR: }
}
What happened so far
1: skip;
2: skip;
3: if (*){
4: if (*){
ERROR: }
}
Initial abstraction
1: x = ctr;
2: y = ctr + 1;
3: assume(x == i-1)
4: assume (y != i)
Spurious counterexample
y != i
y != i x == i -1ctr + 1 != i x == i - 1
ctr + 1 != i ctr == i - 1
Localization information
Computing new abstraction
1: x = ctr;
2: y = ctr + 1;
3: if (x = i-1){
4: if (y != i){
ERROR: }
}
Computing new abstraction
1:
2:
3: if ( ){
4: if ( ){
ERROR: }
}
y != i
y != i x == i -1ctr + 1 != i x == i - 1
ctr + 1 != i ctr == i - 1
Localization information
y != i
y != i x == i -1ctr + 1 != i x == i - 1
ctr + 1 != i ctr == i - 1
Localization information
1: x = ctr;
2: y = ctr + 1;
3: if (x = i-1){
4: if (y != i){
ERROR: }
}
Computing new abstraction
1:
2:
3: if ( ){
4: if (b0){
ERROR: }
}
Computing new abstraction
y != i
y != i x == i -1ctr + 1 != i x == i - 1
ctr + 1 != i ctr == i - 1
Localization information
Boolean b0 : y != i
1: x = ctr;
2: y = ctr + 1;
3: if (x = i-1){
4: if (y != i){
ERROR: }
}
Computing new abstraction
1:
2:
3: if (b1){
4: if (b0){
ERROR: }
}
Computing new abstraction
y != i
y != i x == i -1ctr + 1 != i x == i - 1
ctr + 1 != i ctr == i - 1
Localization information
Boolean b1 : x==i-1
Boolean b0 : y != i
1: x = ctr;
2: y = ctr + 1;
3: if (x = i-1){
4: if (y != i){
ERROR: }
}
Computing new abstraction
1:
2: b0 = b2;
3: if (b1){
4: if (b0){
ERROR: }
}
Computing new abstraction
y != i
y != i x == i -1ctr + 1 != i x == i - 1
ctr + 1 != i ctr == i - 1
Localization information
Boolean b2 : ctr+1 != i
Boolean b1 : x == i-1
Boolean b0 : y != i
1: x = ctr;
2: y = ctr + 1;
3: if (x = i-1){
4: if (y != i){
ERROR: }
}
Computing new abstraction
1: b1 = b3;
2: b0 = b2;
3: if (b1){
4: if (b0){
ERROR: }
}
Computing new abstraction
y != i
y != i x == i -1ctr + 1 != i x == i - 1
ctr + 1 != i ctr == i - 1
Localization information
Boolean b3 : ctr == i -1
Boolean b2 : ctr+1 != i
Boolean b1 : x == i - 1
Boolean b0 : y != i
No decision procedure
used so far
1: x = ctr;
2: y = ctr + 1;
3: if (x = i-1){
4: if (y != i){
ERROR: }
}
Computing new abstraction
1: b1 = b3;
2: b0 = b2;
3: if (b1){
4: if (b0){
ERROR: }
}
Computing new abstraction
y != i
y != i x == i -1ctr + 1 != i x == i - 1
ctr + 1 != i ctr == i - 1
Localization information
Boolean b3 : ctr == i -1
Boolean b2 : ctr+1 != i
Boolean b1 : x == i - 1
Boolean b0 : y != i
What about initial values of
b2 and b3?
SAT-based predicate
abstraction
Kroening et al.
Lahiri et al.
?
1: x = ctr;
2: y = ctr + 1;
3: if (x = i-1){
4: if (y != i){
ERROR: }
}
Computing new abstraction
1: b1 = b3;
2: b0 = b2;
3: if (b1){
4: if (b0){
ERROR: }
}
Computing new abstraction
Boolean b3 : ctr == i -1
Boolean b2 : ctr+1 != i
Boolean b1 : x == i - 1
Boolean b0 : y != i
Global constraint:
(b2 $ : b3)
y != i
y != i x == i -1ctr + 1 != i x == i - 1
ctr + 1 != i ctr == i - 1
Localization information
Abstraction without register sharing
1: b1 = b3;
2: b0 = b2;
3: if (b1){
4: if (b0){
ERROR: }
}
Computing new abstraction
Boolean b3 : ctr == i -1
Boolean b2 : ctr+1 != i
Boolean b1 : x == i - 1
Boolean b0 : y != i
Global constraint:
(b2 $ : b3)
Model check
1: b1 = b3;
2: b0 = b2;
3: if (b1){
4: if (b0){
ERROR: }
}
Computing new abstraction
Boolean b3 : ctr == i -1
Boolean b2 : ctr+1 != i
Boolean b1 : x == i - 1
Boolean b0 : y != i
Global constraint:
(b2 $ : b3)
ERROR is not reachable!
What have we covered so far
Localize predicates using weakest pre-conditions
Utilizing weakest pre-condition relationships
Bottleneck Model checking of abstraction without register sharing
Due to localization many predicates are useful only at a few program locations
Reuse state variables for representing other predicates
Similar to register allocation
Register sharing
Abstraction with register sharing
y != i
y != i x == i -1ctr + 1 != i x == i - 1
ctr + 1 != i ctr == i - 1
Localization information
y != i
y != i x == i -1ctr + 1 != i x == i - 1
ctr + 1 != i ctr == i - 1
Localization information
b0
b0
b2
b2
b1
b1
b3
Do we need 4 Boolean variables?
Abstraction with register sharing
y != i
y != i x == i -1ctr + 1 != i x == i - 1
ctr + 1 != i ctr == i - 1
Localization information
y != i
y != i x == i -1ctr + 1 != i x == i - 1
ctr + 1 != i ctr == i - 1
Localization information
c0
c0
c0
c0
c1
c1
c1
1: b1 = b3;
2: b0 = b2;
3: if (b1){
4: if (b0){
ERROR: }
}Global constraint:
(b2 $ : b3)
1: skip;
2: skip;
3: if (c1){
4: if (c0){
ERROR: }
}Local constraint:
(PC = 1) ! (c0 $ : c1)
Without With
b0
b0
b2
b2
b1
b1
b3
Register sharing
Reduces Boolean variables in the abstract model by register sharing
Speeds up model checking of abstractions
What’s next Reducing number of refinement iterations
Problem with register sharing
p
p
L1
L20
L2
L19
b1
b2
= 0
= 1
Spurious
Dedicated state variable
p
p
L1
L20
L2
L19
b
b
Dedicated state variables
Initially each predicate is assigned a Boolean variable, which can be reused
If a predicate is localized at many statements, |{s: p 2 local(s)}| > TH for some threshold TH
p is assigned a dedicated state variable (not reused)
By having a low value of TH, we can discover globally useful predicates early
Why this works?
Experimental Results
TCAS (Traffic Alert and Collision Avoidance System)
Lines of code 1652
We checked 10 different safety properties
Non-trivial number of predicates needed for each property both by F-Soft and BLAST
F-Soft versus BLAST (craig 2 + predH7)
F-Soft
Summary
Localize predicates using weakest pre-conditions Most predicate relationships obtained as by product Faster and less coarse abstractions Comparable to interpolation based techniques
Model checking abstractions Exploit localization information for reducing Boolean
variables
Reducing refinement iterations Predict globally useful predicates early in abstraction
refinement process
Questions?