Automatic Abstraction in SMT-Based Unbounded Software Model Checking

Anvesh KomuravelliCarnegie Mellon University

Joint work with Arie Gurfinkel, Sagar Chaki and Edmund Clarke

The Problem

Program P+ Assertions

Automatic analysis for

assertion failures

Unsafe

Unknown

Software Model Checking

+ Proof

+ Counterexample

+ Partial Proof

reach(P) error(P)

Is it empty?

reach(P) error(P)

Over-approximation Driven (OD)

reach(P) error(P)

Over-approximation driven (OD)

Key Idea CEGAR based on Predicate Abstraction

Symbolic Method

BDDs for fixed point computation,SMT for new predicates

Tools SLAM, BLAST, SDV, etc.

reach(P)

Under-approximation Driven (UD)

error(P)

Under-approximation driven (UD)

reach(P) error(P)

Under-approximation driven (UD)

Key Idea BMC based Approach

Symbolic Method SMT

Tools IMPACT, UFO, etc.

Key Recent Advancements

2003 Interpolation for Hardware Model Checking McMillan

2006 IMPACT (Path Interpolants) McMillan

2009 Path Interpolants for Hardware Model Checking Grumberg et al.

2010 IC3 (Different way of computing Interpolants, Hardware) Bradley

2011 WOLVERINE (Bit-level Implementation of IMPACT) Kroening et al.

2012 UFO (DAG Interpolation method, Predicate Abstraction + Interpolation) Gurfinkel et al.

2012 VINTA (Abstract Interpretation + Interpolation) Gurfinkel et al.

2011 FunFrog (Interprocedural) Sharygina et al.

2012 μZ (Horn clause solver based on GPDR) Bjorner et al.

2012 Duality (Horn clause solver based on Interpolation) McMillan, Rybalchenko

2012 WHALE (Interprocedural) Gurfinkel et al.

reach(P) error(P)

Our Strategy

Under-approx. Abstract Under-approx.

reach(P) error(P)

Our Strategy

Under-approx. Abstract Under-approx. Refine

error(P)reach(P)

Our Strategy

Under-approx. Abstract Under-approx. Refine Abstract

error(P)reach(P)

Our Strategy

And so on …

error(P)reach(P)

reach(P) is covered

Our Strategy

Abstractions guide the SMT solver to look for general proofs

It’s based on UD

……

Under-approximations

Abstract

It’s based on UD

……

Abstract

need not be monotonic

Spacer is based on UD

……

Abstract

non-trivial abstraction

SpacerProgram

Under-Approximate

Check Safety Feasible?Feasible?

Abstract Refine

Proof-Based Abstraction CEGARNo No

Yes Yes

Safety Proof Counterexample

Why Abstraction?

x = y = z = w = 0;while (*) {

x = *; y = *;assume (0 ≤ y ≤ 100x);if (y > 10w && z ≥ 100x) {

y = −y;}t = 1;w += t; z += 10t;

}assert (0 ≤ y)

only way to fail the assertion

UD Reasoning

x = y = z = w = 0;while (*) {

y = −y;}t = 1;w += t; z += 10t;

}assert (0 ≤ y)

1st Iteration:w = 0, z = 0

y ≤ 100x

UD Reasoning

x = y = z = w = 0;while (*) {

y = −y;}t = 1;w += t; z += 10t;

}assert (0 ≤ y)

2nd Iteration:w = 1, z =10

y ≤ 100x

UD Reasoning

x = y = z = w = 0;while (*) {

y = −y;}t = 1;w += t; z += 10t;

}assert (0 ≤ y)

3rd Iteration:w = 2, z = 20

y ≤ 100x

And so on…

But …

x = y = z = w = 0;while (*) {

y = −y;}t = 1;w += t; z += 10t;

}assert (0 ≤ y)

The value ‘1’ doesn’t matter!

But …

x = y = z = w = 0;while (*) {

y = −y;}t = *;w += t; z += 10t;

}assert (0 ≤ y)

UD Reasoning on the Abstraction

x = y = z = w = 0;while (*) {

y = −y;}t = *;w += t; z += 10t;

}assert (0 ≤ y)

2nd Iteration

w = t, z = 10t

z = 10w

All Iterations

Resolve t away

y ≤ 100x

Redundant

Original Example

x = y = z = w = 0;while (*) {

if (*) {x++; y += 100;}else if (*)

if (x ≥ 4) {x++; y++;}else if (y > 10w && z ≥ 100x) {

y = −y;}t = 1;w += t; z += 10t;

}assert (!(x ≥ 4 && y ≤ 2))

Source: Automatically Refining Abstract Interpretations, Gulavani, Chakraborty, Nori and Rajamani, TACAS ‘08.

μZ (SMT-Based Model Checker,part of Z3)

Cannot solve in an hour

Spacer (our tool)

Finds a proof in a min.

Solves an abstraction in < 1 sec.

t = *;

What’s the magic?

Focused Proofs

Abstractions guide the SMT solver to look for certain kind of proofs Avoid proofs specific to an under-approximation

How to obtain abstractions?

From proofs of under-approximations! (Proof-Based Abstraction) Hope: What’s sufficient for the under-approximation is sufficient in general Downside: If abstraction is too coarse, need to refine (CEGAR)

SpacerProgram

Under-Approximate

Abstract Refine

Yes Yes

Schematic Example

init_stmt;c = 0;

while (*) {// invar_1, invar_2// invar_3, invar_4assume (c < k1);if (*) {

v1 = e1; v2 = e2;} else {

v3 = e3; v4 = e4;}v5 = e5; v6 = e6;c += 1;

assert (safe);

Add Counters

Under-approximate Solve

Loop Invariants

Schematic Example

Under-approximate Solve Feasible?

init_stmt;c = 0;assume (invar_1, invar_2);while (*) {

// invar_1, invar_2// invar_3, invar_4assume (c < k1);if (*) {

v1 = e1; v2 = e2;} else {

v3 = e3; v4 = e4;}v5 = e5; v6 = e6;c += 1;assume (invar_1, invar_2);

assert (safe);

Unbounded!

Specific to under-approx.

Treat as guessedunbounded invariants.

Essentially like Houdini [FL’01].

Extract UnboundedInvariants

Strengthenwith

Invariants

[FL’01] Houdini, an annotationassistant for ESC/Java,C. Flanagan and K.R.M. Leino, 2001

// invar_1, invar_2

if (*) {v1 = e1; v2 = e2;

} else {v3 = e3; v4 = e4;

}v5 = e5; v6 = e6;c += 1;assume (invar_1, invar_2);

assert (safe);

Does not provethe assertion

Schematic Example

Under-approximate Solve Feasible? NO

v1 = e1; v2 = e2;} else {

v3 = e3; v4 = e4;}v5 = e5; v6 = e6;c += 1;assume (invar_1, invar_2);

assert (safe);

Redundantfor the proof

Schematic Example

Under-approximate Solve Feasible? NO Abstract

Schematic Example

v1 = e1; v2 = *;} else {

v3 = e3; v4 = *;}v5 = e5; v6 = *;c += 1;assume (invar_1, invar_2);

assert (safe);

Proof-BasedAbstraction

assume (c < k2);if (*) {

v1 = e1; v2 = *;} else {

v3 = e3; v4 = *;}v5 = e5; v6 = *;c += 1;assume (invar_1, invar_2);

assert (safe);

Concretize

k2 > k1

Schematic Example

AbstractCounterexample!

Feasible?

Concrete controlpath is infeasible

NO Refine

Schematic Example

Under-approximate Solve Feasible? NO Refine

assume (c < k2);if (*) {

v1 = e1; v2 = e2;} else {

v3 = e3; v4 = e4;}v5 = e5; v6 = *;c += 1;assume (invar_1, invar_2);

assert (safe);

// invar_5// invar_6assume (c < k2);if (*) {

v1 = e1; v2 = e2;} else {

v3 = e3; v4 = e4;}v5 = e5; v6 = *;c += 1;assume (invar_1, invar_2);

assert (safe);

Unbounded

Schematic Example

Under-approximate Solve Feasible? YES

Invariants

SpacerProgram

Under-Approximate

Abstract Refine

Yes Yes

Detailed Example

x = y = z = w = 0;

while (*) {

if:: x++; y += 100;:: (x ≥ 4) -> x++; y++;:: (y > 10w && z ≥ 100x) -> y = −y;fiw++; z += 10;

assert (!(x ≥ 4 && y ≤ 2));

if (nd ()) {x++; y += 100;}else if (nd () && x ≥ 4) {x++; y++;}else if (y > 10w && z ≥ 100x) {y = −y;}else assume (0);

non-deterministic choice(e.g. as in Promela)

C-like

Detailed Example

x = y = z = w = 0;c = 0;

while (*) {// (y > 10w) => (z < 100x), z ≤ 100x,// x ≤ 2, c ≤ 0 => x ≤ 0, c ≤ 1 => x ≤ 1assume (c < 2);if:: x++; y += 100;:: (x ≥ 4) -> x++; y++;:: (y > 10w && z ≥ 100x) -> y = −y;fiw++; z += 10;c += 1;

assert (!(x ≥ 4 && y ≤ 2));

Add Counters

Loop Invariants

Detailed Example

x = y = z = w = 0;c = 0;

while (*) {// (y > 10w) => (z < 100x), z ≤ 100x,// x ≤ 2, c ≤ 0 => x ≤ 0, c ≤ 1 => x ≤ 1assume (c < 2);if:: x++; y += 100;:: (x ≥ 4) -> x++; y++;:: (y > 10w && z ≥ 100x) -> y = −y;fiw++; z += 10;c += 1;

assert (!(x ≥ 4 && y ≤ 2));

Inductive Invariant

Detailed Example

x = y = z = w = 0;c = 0;assume (y > 10w => z < 100x, z ≤ 100x);while (*) {

// (y > 10w) => (z < 100x), z ≤ 100x,// x ≤ 2, c ≤ 0 => x ≤ 0, c ≤ 1 => x ≤ 1assume (c < 2);if:: x++; y += 100;:: (x ≥ 4) -> x++; y++;:: (y > 10w && z ≥ 100x) -> y = −y;fiw++; z += 10;c += 1;assume (y > 10w => z < 100x, z ≤ 100x);

assert (!(x ≥ 4 && y ≤ 2));

Under-approximate Solve Feasible?

Preserved!Specific to under-approx.

Depend on counter

Extract UnboundedInvariants

Strengthenwith

Invariants

Detailed Example

// (y > 10w) => (z < 100x), z ≤ 100x,

if:: x++; y += 100;:: (x ≥ 4) -> x++; y++;:: (y > 10w && z ≥ 100x) -> y = −y;fiw++; z += 10;c += 1;assume (y > 10w => z < 100x, z ≤ 100x);

assert (!(x ≥ 4 && y ≤ 2));

Under-approximate Solve Feasible? NO

Does not provethe assertion

Detailed Example

// (y > 10w) => (z < 100x), z ≤ 100x,// x ≤ 2, c ≤ 0 => x ≤ 0, c ≤ 1 => x ≤ 1assume (c < 2);if:: x++; y += 100;:: (x ≥ 4) -> x++; y++;:: (y > 10w && z ≥ 100x) -> y = −y;fiw++; z += 10;c += 1;assume (y > 10w => z < 100x, z ≤ 100x);

assert (!(x ≥ 4 && y ≤ 2));

Redundant

Detailed Example

// (y > 10w) => (z < 100x), z ≤ 100x,// x ≤ 2, c ≤ 0 => x ≤ 0, c ≤ 1 => x ≤ 1assume (c < 2);if:: x++; y = *;:: (x ≥ 4) -> x++; y = *;:: (y > 10w && z ≥ 100x) -> y = *;fiw = *; z = *;c += 1;assume (y > 10w => z < 100x, z ≤ 100x);

assert (!(x ≥ 4 && y ≤ 2));

Fails Enlarge error

Detailed Example

// (y > 10w) => (z < 100x), z ≤ 100x,// x ≤ 2, c ≤ 0 => x ≤ 0, c ≤ 1 => x ≤ 1assume (c < 2);if:: x++; y = *;:: (x ≥ 4) -> x++; y = *;:: (y > 10w && z ≥ 100x) -> y = *;fiw = *; z = *;c += 1;assume (y > 10w => z < 100x, z ≤ 100x);

assert (!(x ≥ 4));

Detailed Example

assume (c < 4);if:: x++; y = *;:: (x ≥ 4) -> x++; y = *;:: (y > 10w && z ≥ 100x) -> y = *;fiw = *; z = *;c += 1;assume (y > 10w => z < 100x, z ≤ 100x);

assert (!(x ≥ 4));

Counterexample!

Increment x to 4Choose y arbitrarily

Feasible?

Concrete controlpath is infeasible

NO Refine

Concretize

Detailed Example

assume (c < 4);if:: x++; y += 100;:: (x ≥ 4) -> x++; y++;:: (y > 10w && z ≥ 100x) -> y = −y;fiw = *; z = *;c += 1;assume (y > 10w => z < 100x, z ≤ 100x);

assert (!(x ≥ 4 && y ≤ 2));

Under-approximate Solve Feasible? NO Refine

Detailed Example

// (y > 10w) => (z < 100x), z ≤ 100x// y > 0, (x > 0) => (y ≥ 100)assume (c < 4);if:: x++; y += 100;:: (x ≥ 4) -> x++; y++;:: (y > 10w && z ≥ 100x) -> y = −y;fiw = *; z = *;c += 1;assume (y > 10w => z < 100x, z ≤ 100x);

assert (!(x ≥ 4 && y ≤ 2));

Under-approximate Solve Feasible? YES

Inductive Invariant

Unbounded

Implementation Details – Unbounded Invariants

Pre-Lemmas Post-LemmasConcrete Counters

Goal Find maximal such that

SAT with true

Repeat until fixed point

Maximal subset of true post-lemmasMinimal number of bi’s to be set to falseFixed point Iteration:

Introduce Assumption

variables

Iteration 1

Iteration 2

disableddisabled

Implementation Details – Abstraction

Introduce Assumption

variables

Are all lemmas necessary?

Introduce Assumption variables for

lemmas

Spacer ToolProgram

Under-Approximate

Abstract Refine

Yes Yes

Spacer ToolProgram

Under-Approximate

Abstract Refine

Yes Yes

μZ Horn-Clause Solver(part of Z3)

Spacer ToolProgram

Under-Approximate

Abstract Refine

Yes Yes

Horn-Clause Encoding

μZ Horn-Clause Solver(part of Z3)

Spacer Tool

C Program

Preprocessing UFO Frontend (based on LLVM)Simplification, Large Block Encoding, etc.

Horn Clause Encoding Implemented using UFO Frontend

Results on SV-COMP’13 Benchmarks

0 50 100 1500

UNSAFE Benchmarks

μZ (secs)

Abstraction did not helpfor UNSAFE

ALSO,not a challenging pool

of benchmarks

0 100 200 300 400 500 600 700 800 9000

SAFE Benchmarks

μZ (secs)

0 100 200 300 400 500 600 700 800 9000

SAFE Benchmarks

μZ (secs)

~1 min.Not very meaningful

to compare

0 100 200 300 400 500 600 700 800 9000

SAFE Benchmarks

μZ (secs)

< 5 min.Mixed

Results

0 100 200 300 400 500 600 700 800 9000

SAFE Benchmarks

μZ (secs)

Advantage!

0 100 200 300 400 500 600 700 800 9000

SAFE Benchmarks

μZ (secs)

Advantage!

Time-out

Mem-out

Conclusion

Focused Proofs

Abstractions guide the SMT solver to look for certain kind of proofs Avoid proofs specific to an under-approximation

How to obtain abstractions?

From proofs of under-approximations! (Proof-Based Abstraction) Hope: What’s sufficient for the under-approximation is sufficient in general Downside: If abstraction is too coarse, need to refine (CEGAR)

A framework for automated abstraction in SMT-based Software Model Checking Implementation using an existing SMT-based model checker with practical

advantage

Contributions

Conclusion (contd…)

Post-pruning of Proofs during Abstraction (Local vs. Global Proofs) Non-monotonic abstractions Major role of invariants (exploit the generality of proofs of under-approximations

Visit spacer.bitbucket.org todownload tool and detailed slides!

Why does PBA work?

On-going and Future Work

Observation: Fixed granularity of abstraction – at the program levelObservation: Restricted space of abstractions

Questions: When/How to abstract/refine?

Observation: Proofs too dependent on counter constraints (i.e. underapprox.)

Question: How to use counters only when needed? In general, how to minimize the use of a given set of assumptions?

Observation: Abstraction is done offline, after obtaining a proof of an under-approximation.

Question: How does an on-the-fly abstraction work? When each transition is treated as a recursion-free procedure, it is similar to summarizing procedures on-the-fly. Also, how to handle recursion?

Read our CAV’13 paper for details…

Questions?

Extra Slides

SMT-Based Model Checking

CFG Loop-Free Unrolling

Possibility 1 : UNSAFE

Possibility 2 : SAFE

Path Interpolants (McMillan ‘06)

Discharge Verification Condition on SMT solver

SMT-Based Model Checking

Further Unrolling

Possibility 1 : UNSAFE

Possibility 2 : SAFE

DAG Interpolants [AGC’12]

Continue Until Convergence

Discharge Verification Condition on SMT solver

[AGC’12] : From Under-approximations to Over-approximations and Back,Albarghouthi, Gurfinkel and Chechik, TACAS ‘12

Automatic Abstraction in SMT-Based Unbounded Software Model Checking

Documents

ORGANIZING FIELDS - Unbounded Organization

SAT & SMT. Software Verification & Testing SAT & SMT Test case generation Predicate Abstraction Verifying Compilers

Lesson 4 - UnboundEd

Abstraction€¦ · Chapter1 Abstraction Abstractionisbasedontheconceptoflayersinwhichthedetailsofonelayerofabstrac-tionarehiddenfromlayersatahigherlevel.Acomputerscientistusesabstractionasa

Monitor LED Monitor SMT-2730 SMT-2232 SMT-1934 SMT ......SMT-2232 SMT-1934 SMT-1930 SMT-1914 • Support up to 1920 x 1080 resolution • High contrast ratio 1000 : 1 • Fast response

Monitor LED Monitors SMT-3231 SMT-2730/2232 SMT-1930 ......HDMI, VGA, BNC (SMT-1734) • Tempered glass screen 19" LED / 17" LED Monitor SMT-3231 SMT-2730/2232 SMT-1930/1934 SMT-1914/1734

Chapter 12 Unbounded linear operatorsweb.math.ku.dk/~grubb/chap12.pdfChapter 12 Unbounded linear operators 12.1 Unbounded operators in Banach spaces In the elementary theory of Hilbert

Dealing With Abstraction: Reducing Abstraction in ... - Summit

Mastering Abstraction NATURE OF ABSTRACTION NEED FOR ABSTRACTION DIFFERENCES BETWEEN ABSTRACTION AND REALITY DEVISING ABSTRACT MODES FOR DIFFERENT SITUATIONS

Unbounded Symmetric Homogeneous Domains in …larry/paper.dir/symdom.pdf · Unbounded Symmetric Homogeneous Domains in Spaces of ... alization of the Potapov-Ginzburg ... our unbounded

Enabling Unbounded Possibilities - RSD

SMT spare parts, such as SMT nozzle, SMT feeder, SMT feeder parts, SMT filter, SMT cutter, SMT consumbles,

Unbounded Data Model Verification Using SMT Solvers

Semi-Abstraction to Abstraction – A Continuum

UNBOUNDED: Borders in Disorder Brosjye

Introduction to Unbounded Flexible Pipe

Project WODA: Water Over Abstraction & Illegal Abstraction

Abstraction CMPS 2143. 2 Abstraction Abstraction mechanisms are techniques to deal with creating, understanding and managing complex systems Abstraction

Unbounded vision, unlimited enjoyment

Functional abstraction What is abstraction?