Model Checking with Proofs and Counterexamples


Slide 1: Model Checking with Proofs and Counterexamples
Anvesh Komuravelli, Carnegie Mellon University
Joint work with Arie Gurfinkel, Sagar Chaki, and Edmund Clarke
[Speaker notes] This talk is based on joint work with

Slide 2: Safety of Programs
Program P + Safety Assertions -> Automatic verification for assertion failures -> either Safe + Proof or Unsafe + Counterexample.

    0. x := 0;
    1. while (x < n) {      // x >= 0   (Loop Invariant)
         x := x + 1; }
    3. x := -x;
    4. assert (x <= 0)

[Speaker notes] So, safety is just reachability analysis. What can be hard about it?

Slide 3: Safety of Programs
While-programs (unbounded variables, no procedure calls, no memory operations).

    0. x := 0;
    1. while (x < n) {
         x := x + 1; }
    3. x := -x;
    4. assert (x <= -1)

Counterexample trace:
    pc=0: x=0, n=0
    pc=1: else branch
    pc=3: x=0
    pc=4: error

Slide 4: Algorithms for Safety
Safety is undecidable! (Reduction from the Halting Problem to safety of a 2-counter machine.)
Existing algorithms use heuristics for verifying many programs in practice.
Two broad classes of model checking algorithms:
  (A) Generalize feasible and safe behaviors (Proof-Based)
  (B) Eliminate infeasible and unsafe behaviors (Counterexample-Based)
This talk: improve (A) based on ideas from (B).
[Speaker notes] Let me start with a background on proof-based algorithms and then I will explain how we can improve them.

Slide 5: Background on Proof-Based Algorithms

Slide 6: Programs as Transition Systems
A transition system consists of:
  - Variables
  - Init condition
  - Transition relation (encodes how data and control change after every instruction)
  - Error condition (should never hold)

    0. x := 0;
    1. while (x < n) { x := x + 1; }
    3. x := -x;
    4. assert (x <= 0)

[Speaker notes] To explain the algorithms and formalize the ideas,

Slide 7: SAT-Based Model Checking
Bounded Model Checking, Clarke et al., TACAS 1999.
Queries on the transition system: Counterexample of length 0? SAT? Counterexample of length 1? SAT? ...
Boolean SAT is NP-complete, but we have efficient solvers today.
SAT modulo theories (SMT) for handling arithmetic, etc. Eg: [formula lost in extraction] is unsatisfiable for integers x, y.

Slide 8: SAT-Based Model Checking
Bounded Model Checking, Clarke et al., TACAS 1999.
Counterexample of length 0? SAT? Counterexample of length 1? SAT? ...
No upper bound on the length of a counterexample! Even for finite-state systems, the upper bound can be huge! When do we stop?
Are initial states safe? Are 1-step-reachable states safe? Keep track of the reachable states!

Slide 9: Keep Track of the Reachable States
[Figure: err(x) against reach(P): Initial States; States reachable in 1 steps; States reachable in 2 steps]
Usually hopeless!
[Speaker notes] Most often, going to diverge; incorporates every detail of the program, most of which may be unnecessary for the property at hand.

Slide 10: Reachable states can be diverging!

    0. x := 0;
    1. while (x < n) { x := x + 1; }
    3. x := -x;
    4. assert (x <= 0)

[Figure: reachable states at (pc=1), with n a symbolic input: the sets per bound keep growing (diverging); with generalization they converge (converged!)]
[Speaker notes] Length of execution corresponds to # loop iterations; don't care about exactly how x is updated.

Slide 11: Generalize the reachable states!
[Figure: err(x); Generalize (heuristics using Craig Interpolation [1,2])]
[1] McMillan, Interpolation and SAT-Based Model Checking, CAV 2003.
[2] McMillan, Lazy Abstraction with Interpolants, CAV 2006.
[Speaker notes] Interpolation is cheap given a proof of safety; may need us to go back and strengthen previous generalizations.

Slide 12: Generalize the reachable states!
[Figure: err(x), reach(P), generalized reachable sets]
[Speaker notes] Interpolation is cheap given a proof of safety; may need us to go back and strengthen previous generalizations.

Slide 13: Proofs and Invariants

    0. x := 0;
    1. while (x < n) { x := x + 1; }
    3. x := -x;
    4. assert (x <= 0)

[Figure: reachable states at (pc=1) (diverging); Proof of Bounded Safety vs. Proof of Safety]
x >= 0 is a loop invariant! The actual set of reachable states is stronger: 0 <= x <= n.
[Speaker notes] Length of execution corresponds to # loop iterations.

Slide 14: Many heuristics for generalizations!
[Figure: err(x); one possible generalization; another possible generalization]
No unique generalization!
Today's best algorithms for hardware verification are SAT-based. Several competitive algorithms exist for software.
[Speaker notes] So far we have seen how SAT-based algorithms behave by generalizing what's known to be reachable in a bounded number of steps.
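A worked illustration of slides 3 and 10 to 14 in pure Python, added here; it is not code from the talk or from the Spacer tool. It runs the x/n loop of the slides three ways: concrete bounded exploration of the states at pc=1 (which diverges as n is symbolic), an interval abstract domain with widening (a deliberately simple generalization heuristic used as a stand-in for the interpolation-based generalizations of the talk, converging to the loop invariant x >= 0 of slide 13), and a bounded counterexample search done by explicit execution over small inputs instead of a SAT/SMT query. All function names and the interval-widening choice are this example's own assumptions.

```python
"""Added example (not from the talk): the x/n loop of the slides, analysed
by (1) concrete bounded reachability, (2) interval abstraction with widening
as a generalization heuristic, (3) bounded counterexample search."""

INF = float("inf")


def reachable_at_loop_head(k):
    """Values of x reachable at pc=1 within k loop iterations when n is an
    unconstrained input: the guard x < n can always be satisfied by a large
    enough n, so each iteration adds a new state and the set {0..k} never
    converges (slide 10)."""
    reach = {0}  # pc=0: x := 0
    frontier = {0}
    for _ in range(k):
        frontier = {x + 1 for x in frontier}  # x := x + 1
        reach |= frontier
    return reach


def interval_join(a, b):
    """Least interval containing both a and b."""
    return (min(a[0], b[0]), max(a[1], b[1]))


def interval_widen(old, new):
    """Standard interval widening: a bound that moved is pushed to infinity.
    This is the 'generalize instead of enumerating' step."""
    lo = old[0] if new[0] >= old[0] else -INF
    hi = old[1] if new[1] <= old[1] else INF
    return (lo, hi)


def widened_loop_invariant(max_rounds=50):
    """Interval over-approximation of x at pc=1, iterated to a fixpoint with
    widening. Returns (interval, rounds_needed); converges to (0, inf),
    i.e. x >= 0, weaker than the exact 0 <= x <= n but sufficient."""
    inv = (0, 0)  # x := 0 before the loop
    for rounds in range(1, max_rounds + 1):
        # Body: the guard x < n with symbolic n does not narrow the interval;
        # x := x + 1 shifts it by one.
        after_body = (inv[0] + 1, inv[1] + 1)
        joined = interval_join(inv, after_body)
        if joined == inv:
            return inv, rounds  # fixpoint reached: inv is a loop invariant
        inv = interval_widen(inv, joined)
    raise RuntimeError("no fixpoint within max_rounds")


def check_assertion(bound):
    """Does the widened invariant prove assert (x <= bound) at pc=4?
    x := -x negates the interval. True when proved; False when the invariant
    is too weak to decide (it does not mean the assertion is violated)."""
    inv, _ = widened_loop_invariant()
    negated = (-inv[1], -inv[0])  # x := -x
    return negated[1] <= bound


def run_program(n, max_iterations):
    """Concrete execution for input n. Returns the trace as (pc, x) pairs, or
    None if the loop did not finish within max_iterations (the unrolling bound)."""
    x = 0
    trace = [(0, x)]
    iterations = 0
    while x < n:
        if iterations == max_iterations:
            return None
        x += 1
        iterations += 1
        trace.append((1, x))
    x = -x
    trace.append((3, x))
    return trace


def find_counterexample(assertion, max_n):
    """Bounded search over inputs n in 0..max_n for an execution that violates
    `assertion` at pc=4. Returns (n, trace) or None. Explicit execution stands
    in for the SAT/SMT counterexample query of slides 7 and 8."""
    for n in range(max_n + 1):
        trace = run_program(n, max_iterations=max_n)
        if trace is not None and not assertion(trace[-1][1]):
            return n, trace + [(4, trace[-1][1])]
    return None


if __name__ == "__main__":
    print(sorted(reachable_at_loop_head(5)))          # diverging: 0..5
    print(widened_loop_invariant())                   # ((0, inf), 2): x >= 0
    print(check_assertion(0), check_assertion(-1))    # True False
    print(find_counterexample(lambda x: x <= -1, 3))  # n=0, as on slide 3
```

The widening step is where the example departs from exact reachability: after one round it gives up tracking the upper bound of x and keeps only x >= 0, which is exactly the kind of property-sufficient over-approximation the slides call a generalization. For assert (x <= -1) the interval cannot decide, and the concrete search recovers the slide 3 counterexample n=0.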

Slide 15: The Problem
Generalizations are not always sufficient.
[Speaker notes] However, generalizations need not always be sufficient. You might say that's obvious given the undecidability of safety, but

Slide 16: Generalizations can suffer from local view
[Comparison operators in this listing were lost in extraction.]

    x = y = z = w = 0;
    while (*) {
      // loop invariant:
      // (x 4 => y 100) && (z 10w)
      if (*) { x++; y += 100; }
      else if (*)
        if (x 4) { x++; y++; }
      else if (y > 10w && z 100x) { y = y; }
      t = 1;
      w += t; z += 10t;
    }
    assert (!(x 4 && y 2))

State-of-the-art tool Z3 cannot verify this in an hour.
Source: Automatically Refining Abstract Interpretations, Gulavani, Chakraborty, Nori and Rajamani, TACAS 2008.
Proofs of bounded safety never connect z and w.

Slide 17: Abstractions for better generalizations!
The same program with "t = 1;" replaced by the nondeterministic "t = *;". Z3 verifies the abstraction in < 1 sec. Abstractions only add behaviors.
[Speaker notes] Explain *.

Slide 18: How to obtain helpful abstractions automatically?
An abstraction of the program can dramatically improve generalizations!
How to obtain helpful abstractions?
How to efficiently and automatically maintain abstractions?

Slide 19: Abstractions are great, but not always!
[Figure: err(x), reach(P), reachable states of an abstraction, spurious counterexample]
CounterExample-Guided Abstraction Refinement (CEGAR) [1]: the second class of algorithms.
[1] Clarke et al., Counterexample-Guided Abstraction Refinement, CAV 2000.
[Speaker notes] Fortunately, we know how to cope with it! This is essentially the basis for the second class of algorithms I mentioned in the very beginning!

Slide 20: Our algorithm: Spacer

Slide 21: Spacer (Software Proof-based Abstraction with CounterExample-based Refinement)
[Flowchart] Program -> Fix a Bound -> Check Safety. A counterexample leads to "Feasible?": Yes -> Counterexample; No -> Refine (CEGAR) and check again. A proof leads to "Invariants?": Yes -> Safety Proof; No -> Abstract (Proof-Based Abstraction) and continue with the next bound.
[Speaker notes] The name will be clear shortly!

Slide 22: Spacer flowchart, highlighting Proofs from Abstractions.

Slide 23: Spacer flowchart, highlighting Refinement using Spurious Counterexamples.

Slide 24: Spacer flowchart, highlighting Proof-Based Abstraction.

Slide 25: Spacer flowchart.
[Speaker notes] Brings in ideas from abstraction refinement to SAT-based algorithms.

Slide 26: Spacer at a high level
[Figure: Initial States of P; Initial States of A1 (Abstraction); Generalization/Proof; err(x); reach(P); reach(A1); Proof-Based Abstraction]
[Speaker notes] Intuition/hope of PBA: an abstraction safe up to the current bound is safe for all bounds.

Slide 27: Spacer at a high level
[Figure: err(x), reach(P), reach(A1); reachable states of A1 in 1 steps; spurious counterexample]

Slide 28: Spacer at a high level
[Figure: err(x), reach(P), reach(A2); reachable states of A2 in 1 steps; reachable states of P in 1 steps; Generalization/Proof]
Refine A1 to A2, eliminating the spurious counterexample.

Slide 29: Spacer at a high level
[Figure: err(x), reach(P), reach(A3); reachable states of A3 in 1 steps; reachable states of P in 1 steps; Proof-Based Abstraction]
Fresh abstraction, to avoid bias.

Slide 30: Key Ideas of Spacer
  - Abstractions help obtain (hopefully) more general proofs
  - First integration of Proof-Based Abstraction with SAT/SMT-Based Model Checking
  - Orthogonal to heuristics for Interpolation/Generalization
  - Implementation and experimental evidence on C programs

Slide 31: Abstractions add a new dimension
[Figure: two axes, SAT-Based Model Checking and Abstract]

Slide 32: SAT-Based Model Checking with Abstractions
[Figure: under-approximations along one axis, Abstract along the other; the sequence of abstractions need not be monotonic]
[Speaker notes] Fresh abstraction to avoid bias.

Slide 33: SAT-Based Model Checking with Abstractions
[Figure: under-approximations along one axis, Abstract along the other; a non-trivial abstraction]

Slide 34: Spacer (Software Proof-based Abstraction with CounterExample-based Refinement)
[Flowchart as on slide 21]
[Speaker notes] Say out loud the expansion of Spacer. Make the orthogonality clear; say that one can simply