© Anvesh Komuravelli (Spacer)
Model Checking with Proofs and Counterexamples
Anvesh Komuravelli
Carnegie Mellon University
Joint work with Arie Gurfinkel, Sagar Chaki, and Edmund Clarke
Safety of Programs
Program P
+ Safety Assertions
Automatic verification for
assertion failures
Safe + Proof
Unsafe + Counterexample
0. x := 0;
1. while (x < n) {        // Loop Invariant: x ≥ 0
2.   x := x + 1; }
3. x := -x;
4. assert (x ≤ 0)
Safety of Programs
Program P
+ Safety Assertions
Automatic verification for
assertion failures
Safe + Proof
Unsafe + Counterexample
While-programs (unbounded variables, no procedure calls, no memory operations)
0. x := 0;
1. while (x < n) {
2.   x := x + 1; }
3. x := -x;
4. assert (x ≤ -1)
Counterexample Trace:
  pc=0. x=0, n=0
  pc=1. else branch
  pc=3. x=0
  pc=4. error
Algorithms for Safety
1. Safety is undecidable!
   • Reduction from Halting Problem to safety of a 2-counter machine
2. Existing algorithms use heuristics for verifying many programs in practice
3. Two broad classes of model checking algorithms:
   A. Generalize feasible and safe behaviors (Proof-Based)
   B. Eliminate infeasible and unsafe behaviors (Counterexample-based)
This talk: Improve (A) based on ideas from (B)
Background on Proof-Based algorithms
Programs as Transition Systems
Transition System: Variables, Init condition, Transition relation, Error condition
The transition relation encodes how data and control change after every instruction; the error condition should never hold.
0. x := 0;
1. while (x < n) {
2.   x := x + 1; }
3. x := -x;
4. assert (x ≤ 0)
SAT-Based Model Checking
Transition System
Counterexample of length 0?  SAT?
Counterexample of length 1?  SAT?
…
Bounded Model Checking, Clarke et al., TACAS 1999
1. Boolean SAT is NP-complete, but we have efficient solvers today
2. SAT modulo theories (SMT) for handling arithmetic, etc.
3. Eg: is unsatisfiable for integers x, y
SAT-Based Model Checking
Transition System
Counterexample of length 0?  SAT?  Are initial states safe?
Counterexample of length 1?  SAT?  Are 1 step-reachable states safe?
…
Bounded Model Checking, Clarke et al., TACAS 1999
No upper bound on the length of a counterexample!
Even for finite-state systems, the upper bound can be huge!
When do we stop?
Keep track of the reachable states!
…
Keep Track of the Reachable States
err(x)
reach(P)
Initial States
States reachable in ≤1 steps
States reachable in ≤2 steps
Usually Hopeless!
Reachable states can be diverging!
0. x := 0;
1. while (x < n) {
2.   x := x + 1; }
3. x := -x;
4. assert (x ≤ 0)
…
reachable states at (pc=1)
n is a symbolic input
(diverging)
converged!
err(x)
Generalize
(Heuristics using Craig Interpolation [1,2])
Generalize the reachable states!
[1] McMillan, Interpolation and SAT-Based Model Checking, CAV 2003
[2] McMillan, Lazy Abstraction with Interpolants, CAV 2006
…
err(x)
Generalize the reachable states!
…
reach(P)
Proofs and Invariants
0. x := 0;
1. while (x < n) {
2.   x := x + 1; }
3. x := -x;
4. assert (x ≤ 0)
…
reachable states at (pc=1)
(diverging)
x ≥ 0 is a loop invariant!
The actual set of reachable states is stronger: 0 ≤ x ≤ n
Proof of Safety
Proof of “Bounded” Safety
Many heuristics for generalizations!
err(x)
• No unique generalization!
• Today’s best algorithms for hardware verification are SAT-based
• Several competitive algorithms exist for software
One possible generalization
Another possible generalization
The Problem: Generalizations are not always sufficient
Generalizations can suffer from local view
x = y = z = w = 0;
while (*) {
  // loop invariant:
  // (x ≥ 4 => y ≥ 100) && (z ≤ 10w)
  if (*) { x++; y += 100; }
  else if (*)
    if (x ≥ 4) { x++; y++; }
  else if (y > 10w && z ≥ 100x) {
    y = −y;
  }
  t = 1;
  w += t; z += 10t;
}
assert (!(x ≥ 4 && y ≤ 2))
State-of-the-art tool Z3 cannot verify in an hour
Source: Automatically Refining Abstract Interpretations, Gulavani, Chakraborty, Nori and Rajamani, TACAS ‘08.
Proofs of Bounded Safety never connect z and w
Abstractions for better generalizations!
x = y = z = w = 0;
while (*) {
  // loop invariant:
  // (x ≥ 4 => y ≥ 100) && (z ≤ 10w)
  if (*) { x++; y += 100; }
  else if (*)
    if (x ≥ 4) { x++; y++; }
  else if (y > 10w && z ≥ 100x) {
    y = −y;
  }
  t = *;            // abstraction: t = 1; replaced by t = *;
  w += t; z += 10t;
}
assert (!(x ≥ 4 && y ≤ 2))
State-of-the-art tool Z3 cannot verify in an hour
Source: Automatically Refining Abstract Interpretations, Gulavani, Chakraborty, Nori and Rajamani, TACAS ‘08.
Verifies the abstraction in < 1 sec.
Abstractions only add behaviors
How to obtain helpful abstractions automatically?
1. An abstraction of the program can dramatically improve generalizations!
2. How to obtain helpful abstractions?
3. How to efficiently and automatically maintain abstractions?
Spurious counterexample
CounterExample-Guided Abstraction Refinement (CEGAR) [1]
err(x)
reach(P)
Reachable states of an abstraction
[1] Clarke et al., Counterexample-Guided Abstraction Refinement, CAV 2000.
Abstractions are great, but not always!
The second class of algorithms
Our algorithm Spacer
Spacer (Software Proof-based Abstraction with CounterExample-based Refinement)
Program → Fix a Bound → Check Safety
Proof-Based Abstraction side: Invariants? No → Abstract; Yes → Safety Proof
CEGAR side: Feasible? No → Refine; Yes → Counterexample
Proofs from Abstractions
Refinement using Spurious Counterexamples
Proof-Based Abstraction
Initial States of P
Generalization/Proof
err(x)
reach(P)
reach(A1)
Spacer at a high level
Initial States of A1
Abstraction
Proof-Based Abstraction
err(x)
reach(P)
reach(A1)
Reachable states of A1 in ≤1 steps
Spurious counterexample
Spacer at a high level
err(x)
reach(P)
reach(A2)
Spacer at a high level
Reachable states of A2 in ≤1 steps
Refine A1 to A2 eliminating the spurious counterexample
Generalization/Proof
Reachable states of P in ≤1 steps
err(x)
reach(P)
reach(A3)
Spacer at a high level
Reachable states of A3 in ≤1 steps
Reachable states of P in ≤1 steps
Fresh abstraction, to avoid bias
Proof-Based Abstraction
Key Ideas of Spacer
1. Abstractions help obtain (hopefully) more general proofs
2. First integration of Proof-Based Abstraction with SAT/SMT-Based Model Checking
3. Orthogonal to heuristics for Interpolation/Generalization
Implementation and Experimental Evidence on C Programs
Abstractions add a new dimension
SAT-Based Model Checking
Abstract
SAT-Based Model Checking with Abstractions
Under-approximations
Abstract
need not be monotonic
SAT-Based Model Checking with Abstractions
Under-approximations
Abstract
non-trivial abstraction
Spacer on Example
Spacer on Example
x = y = z = w = 0;
c = 0;
while (*) {
  // (y > 10w) => (z < 100x), z ≤ 100x,
  // x ≤ 2, c ≤ 0 => x ≤ 0, c ≤ 1 => x ≤ 1
  assume (c < 2);
  if (*) { x++; y += 100; }
  else if (* && x ≥ 4) { x++; y++; }
  else if (y > 10w && z ≥ 100x) { y = −y; }
  else assume (false);
  w++; z += 10;
  c += 1;
}
assert (!(x ≥ 4 && y ≤ 2));
Add Counters
Bound, Solve
Loop Invariants
Spacer on Example
x = y = z = w = 0;
c = 0;
while (*) {
  // (y > 10w) => (z < 100x), z ≤ 100x,
  // x ≤ 2, c ≤ 0 => x ≤ 0, c ≤ 1 => x ≤ 1
  assume (c < 2);
  if (*) { x++; y += 100; }
  else if (* && x ≥ 4) { x++; y++; }
  else if (y > 10w && z ≥ 100x) { y = −y; }
  else assume (false);
  w++; z += 10;
  c += 1;
}
assert (!(x ≥ 4 && y ≤ 2));
Bound, Solve, Unbounded?
  (y > 10w) => (z < 100x), z ≤ 100x : Preserved!
  x ≤ 2 : Specific to under-approx.
  c ≤ 0 => x ≤ 0, c ≤ 1 => x ≤ 1 : Depend on counter
Extract Unbounded Invariants: treat as conjectured unbounded invariants (as in Houdini [1]).
[1] Houdini, an annotation assistant for ESC/Java, C. Flanagan and K.R.M. Leino, 2001
Spacer on Example
x = y = z = w = 0;
c = 0;
while (*) {
  // (y > 10w) => (z < 100x), z ≤ 100x,
  // x ≤ 2, c ≤ 0 => x ≤ 0, c ≤ 1 => x ≤ 1
  if (*) { x++; y += 100; }
  else if (* && x ≥ 4) { x++; y++; }
  else if (y > 10w && z ≥ 100x) { y = −y; }
  else assume (false);
  w++; z += 10;
  c += 1;
}
assert (!(x ≥ 4 && y ≤ 2));
Bound, Solve, Unbounded? NO
Invariants are too weak! ✖
Abstract
Spacer on Example
x = y = z = w = 0;
c = 0;
assume (y > 10w => z < 100x, z ≤ 100x);
while (*) {
  // (y > 10w) => (z < 100x), z ≤ 100x,
  // x ≤ 2, c ≤ 0 => x ≤ 0, c ≤ 1 => x ≤ 1
  assume (c < 2);
  if (*) { x++; y += 100; }
  else if (* && x ≥ 4) { x++; y++; }
  else if (y > 10w && z ≥ 100x) { y = −y; }
  else assume (false);
  w++; z += 10;
  c += 1;
  assume (y > 10w => z < 100x, z ≤ 100x);
}
assert (!(x ≥ 4 && y ≤ 2));
Abstract
Redundant
Bound, Solve, Unbounded? NO
Strengthen with Invariants
Spacer on Example
x = y = z = w = 0;
c = 0;
assume (y > 10w => z < 100x, z ≤ 100x);
while (*) {
  // (y > 10w) => (z < 100x), z ≤ 100x,
  // x ≤ 2, c ≤ 0 => x ≤ 0, c ≤ 1 => x ≤ 1
  assume (c < 2);
  if (*) { x++; y = *; }
  else if (* && x ≥ 4) { x++; y = *; }
  else if (y > 10w && z ≥ 100x) { y = *; }
  else assume (false);
  w = *; z = *;
  c += 1;
  assume (y > 10w => z < 100x, z ≤ 100x);
}
assert (!(x ≥ 4 && y ≤ 2));
Bound, Abstract, Solve, Unbounded? NO
Proof-Based Abstraction
Spacer on Example
x = y = z = w = 0;
c = 0;
assume (y > 10w => z < 100x, z ≤ 100x);
while (*) {
  assume (c < 4);
  if (*) { x++; y = *; }
  else if (* && x ≥ 4) { x++; y = *; }
  else if (y > 10w && z ≥ 100x) { y = *; }
  else assume (false);
  w = *; z = *;
  c += 1;
  assume (y > 10w => z < 100x, z ≤ 100x);
}
assert (!(x ≥ 4 && y ≤ 2));
Bound, Solve
Counterexample! Increment x to 4. Choose y arbitrarily.
Feasible? NO: Concrete control path is infeasible
Refine
Concretize
Spacer on Example
x = y = z = w = 0;
c = 0;
assume (y > 10w => z < 100x, z ≤ 100x);
while (*) {
  assume (c < 4);
  if (*) { x++; y += 100; }
  else if (* && x ≥ 4) { x++; y++; }
  else if (y > 10w && z ≥ 100x) { y = −y; }
  else assume (false);
  w = *; z = *;
  c += 1;
  assume (y > 10w => z < 100x, z ≤ 100x);
}
assert (!(x ≥ 4 && y ≤ 2));
Bound, Solve, Feasible? NO, Refine
CEGAR
Spacer on Example
x = y = z = w = 0;
c = 0;
assume (y > 10w => z < 100x, z ≤ 100x);
while (*) {
  // (y > 10w) => (z < 100x), z ≤ 100x
  // y > 0, (x > 0) => (y ≥ 100)
  assume (c < 4);
  if (*) { x++; y += 100; }
  else if (* && x ≥ 4) { x++; y++; }
  else if (y > 10w && z ≥ 100x) { y = −y; }
  else assume (false);
  w = *; z = *;
  c += 1;
  assume (y > 10w => z < 100x, z ≤ 100x);
}
assert (!(x ≥ 4 && y ≤ 2));
Bound, Solve, Unbounded? YES
Invariants
Implementation Details
Three Key Components
1. Extracting Unbounded Invariants
2. Proof-Based Abstraction
3. Counterexample Analysis and Refinement
How can we efficiently use today’s SAT/SMT solvers?
Focus
Extracting Unbounded Invariants
An invariant for the transition system is a formula that holds for the initial states and after every transition
φ is an invariant iff
Given: A set L of conjectures for invariants, each including “initial states”.
Goal: A maximal I L s.t.
(initial)
(transition)
SAT?
SAT?
Re-start from scratch!
Extracting Unbounded Invariants
unsat sat, making true
…until fixed point
Given: A set L of conjectures for invariants, each including “initial states”.
Goal: A maximal I L s.t.
Given: A set L of conjectures for invariants, each including “initial states”.
Goal: A maximal I L s.t.
Introduce assumption variables
Extracting Unbounded Invariants
unsat sat, making true
…
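The conjecture-elimination loop of the last three slides, as an added example that is not code from the talk or from the Spacer tool. It runs the Houdini-style procedure at the loop head (pc = 1) of the talk's first program, with a constructed candidate set L of four conjectures. One assumption departs from the slides: the SAT/SMT queries for the (initial) and (transition) conditions are replaced by exhaustive enumeration over a small integer range (DOMAIN), so a surviving conjecture is inductive over that range rather than proved for all integers as an SMT solver would do.

```python
"""Houdini-style extraction of unbounded invariants (added example).

Not code from the talk or from the Spacer tool.  The loop head (pc = 1) is
that of the talk's first program:

    0. x := 0;  1. while (x < n) {  2. x := x + 1; }  3. x := -x;  4. assert (x <= 0)

Assumption: the SAT/SMT queries of the slides are replaced by exhaustive
enumeration over DOMAIN, a small integer range standing in for the integers.
"""
from typing import Callable, Dict, List, Optional, Tuple

State = Tuple[int, int]                  # (x, n) at the loop head
Pred = Callable[[int, int], bool]        # a conjectured invariant over (x, n)

DOMAIN = range(-6, 7)                    # constructed finite stand-in for the integers


def initial_states() -> List[State]:
    """The loop head is first reached with x = 0; n is a symbolic input (any value)."""
    return [(0, n) for n in DOMAIN]


def loop_step(x: int, n: int) -> Optional[State]:
    """One iteration of the loop body, or None when the guard x < n fails."""
    return (x + 1, n) if x < n else None


def houdini(conjectures: Dict[str, Pred]) -> Dict[str, Pred]:
    """Drop failing conjectures until the remaining set I is inductive.

    Each round asks two questions of the current candidate set I:
      (initial)    does every conjecture in I hold on the initial states?
      (transition) from every state satisfying all of I, does every conjecture
                   in I still hold after one loop iteration?
    Conjectures that fail are removed.  Removing one weakens the pre-state
    assumption of the transition check, so the checks restart from scratch and
    stop only at a fixed point: the maximal inductive subset of L.
    """
    candidates = dict(conjectures)
    while True:
        pre_states = [(x, n) for x in DOMAIN for n in DOMAIN
                      if all(p(x, n) for p in candidates.values())]
        dropped = set()
        for name, p in candidates.items():
            if not all(p(x, n) for x, n in initial_states()):
                dropped.add(name)                        # fails (initial)
                continue
            for x, n in pre_states:
                post = loop_step(x, n)
                if post is not None and not p(*post):
                    dropped.add(name)                    # fails (transition)
                    break
        if not dropped:
            return candidates
        for name in dropped:
            del candidates[name]


def proves_assertion(invariant: Dict[str, Pred]) -> bool:
    """At loop exit (x >= n) the program runs x := -x; assert (x <= 0).

    The invariant proves the assertion iff every exit state it allows has -x <= 0.
    """
    return all(-x <= 0
               for x in DOMAIN for n in DOMAIN
               if x >= n and all(p(x, n) for p in invariant.values()))


# Constructed candidate set L of conjectures at the loop head.
CONJECTURES: Dict[str, Pred] = {
    "x >= 0":         lambda x, n: x >= 0,
    "x <= 0":         lambda x, n: x <= 0,           # true initially, broken by the loop body
    "x <= n":         lambda x, n: x <= n,           # false initially whenever n < 0
    "x <= max(n, 0)": lambda x, n: x <= max(n, 0),   # upper bound that also covers n < 0
}

if __name__ == "__main__":
    inv = houdini(CONJECTURES)
    print("inductive conjectures:", sorted(inv))
    print("proves assert (x <= 0):", proves_assertion(inv))
```

Running it, `x <= n` is discarded by the (initial) check and `x <= 0` by the (transition) check; the two survivors, `x >= 0` and `x <= max(n, 0)`, are inductive together and `x >= 0` alone is already enough for the assertion, which is the loop invariant the earlier slides pointed at.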
Proof-Based Abstraction
Proof of Bounded Safety
Not all of is necessary!
A proof of “bounded” safety for a transition system is a formula that holds of the initial states and after every transition up to the given bound, and excludes error states.
(initial)
(transition)
(safety)
unsat
unsat
Proof-Based Abstraction
unsat UNSAT core
Iteratively minimize
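The two ideas of the SAT-based slides, bounded model checking ("counterexample of length k?") and proof-based abstraction by iteratively minimizing the transition relation, as one added example on the talk's first program. This is not code from the talk or from Spacer. It assumes two simplifications: the SAT/SMT solver is replaced by exhaustive state enumeration over a small integer range (DOMAIN), and the transition relation is written as named per-assignment constraints so that dropping one constraint is the same as replacing that assignment by `*`. It also goes one step beyond the slide by showing that, as with an UNSAT core, the subset kept depends on the order in which constraints are tried.

```python
"""BMC and proof-based abstraction on the talk's first program (added example).

Program (slide "Safety of Programs"):
    0. x := 0;  1. while (x < n) {  2. x := x + 1; }  3. x := -x;  4. assert (x <= 0)

The transition relation is a set of named constraints, one per assignment or
frame condition.  Dropping a constraint leaves its variable nondeterministic
(the slide's `t = *`), so any subset of them is an abstraction of the program.
Assumption: the SAT/SMT solver of the slides is replaced by exhaustive
enumeration over DOMAIN, so "safe up to bound k" means "no error state within
k steps over that range".
"""
from typing import Callable, Dict, List, Optional, Tuple

State = Tuple[int, int, int]          # (pc, x, n)
DOMAIN = range(-3, 4)                 # constructed finite stand-in for the integers
HALT = 5                              # program counter after the assertion
Constraint = Tuple[str, Callable[[int, int, int], Optional[int]]]  # (variable, post-value or None)


def next_pc(pc: int, x: int, n: int) -> int:
    """Control flow; the loop guard at pc 1 is the only branch."""
    if pc == 1:
        return 2 if x < n else 3
    return {0: 1, 2: 1, 3: 4}.get(pc, HALT)


# One constraint per (variable, program counter); all of them together are the concrete program.
CONSTRAINTS: Dict[str, Constraint] = {
    "pc: control flow":    ("pc", lambda pc, x, n: next_pc(pc, x, n)),
    "x := 0 at pc 0":      ("x",  lambda pc, x, n: 0 if pc == 0 else None),
    "x unchanged at pc 1": ("x",  lambda pc, x, n: x if pc == 1 else None),
    "x := x + 1 at pc 2":  ("x",  lambda pc, x, n: x + 1 if pc == 2 else None),
    "x := -x at pc 3":     ("x",  lambda pc, x, n: -x if pc == 3 else None),
    "x unchanged at pc 4": ("x",  lambda pc, x, n: x if pc == 4 else None),
    "n unchanged":         ("n",  lambda pc, x, n: n),
}


def assert_safe_version(x: int) -> bool:      # assert (x <= 0), the safe slide
    return x <= 0


def assert_unsafe_version(x: int) -> bool:    # assert (x <= -1), the counterexample slide
    return x <= -1


def successors(s: State, kept: Dict[str, Constraint]) -> List[State]:
    """Post-states allowed by the kept constraints; an unconstrained variable is havocked."""
    pc, x, n = s
    if pc == HALT:
        return []
    fixed: Dict[str, Optional[int]] = {"pc": None, "x": None, "n": None}
    for var, fn in kept.values():
        v = fn(pc, x, n)
        if v is not None:
            fixed[var] = v
    pcs = [fixed["pc"]] if fixed["pc"] is not None else list(range(HALT + 1))
    xs = [fixed["x"]] if fixed["x"] is not None else list(DOMAIN)
    ns = [fixed["n"]] if fixed["n"] is not None else list(DOMAIN)
    return [(p, xv, nv) for p in pcs for xv in xs for nv in ns]


def bmc(kept: Dict[str, Constraint], assert_ok: Callable[[int], bool],
        bound: int) -> Optional[List[State]]:
    """Counterexample of length 0? 1? ... up to `bound`; return the shortest one, else None."""
    parent: Dict[State, Optional[State]] = {(0, x, n): None for x in DOMAIN for n in DOMAIN}
    frontier: List[State] = list(parent)           # initial states: pc = 0, x and n arbitrary
    for _ in range(bound + 1):
        for s in frontier:
            if s[0] == 4 and not assert_ok(s[1]):  # error state: the assertion fails here
                trace: List[State] = []
                cur: Optional[State] = s
                while cur is not None:
                    trace.append(cur)
                    cur = parent[cur]
                return trace[::-1]
        nxt: List[State] = []
        for s in frontier:
            for t in successors(s, kept):
                if t not in parent:
                    parent[t] = s
                    nxt.append(t)
        frontier = nxt
    return None


def proof_based_abstraction(assert_ok: Callable[[int], bool], bound: int) -> Dict[str, Constraint]:
    """Iteratively minimise: drop each constraint, keep it only if the bounded proof breaks.

    This is the deletion-based view of an UNSAT core.  Like a core, the result is
    minimal but not unique: another order of trials can keep a different subset.
    """
    kept = dict(CONSTRAINTS)
    if bmc(kept, assert_ok, bound) is not None:
        raise ValueError("program is not safe up to the bound; nothing to abstract")
    for name in list(kept):
        trial = {k: v for k, v in kept.items() if k != name}
        if bmc(trial, assert_ok, bound) is None:
            kept = trial                         # the proof never needed it: leave it nondeterministic
    return kept


if __name__ == "__main__":
    print("counterexample:", bmc(CONSTRAINTS, assert_unsafe_version, 8))
    print("safe version, bound 8, no counterexample:", bmc(CONSTRAINTS, assert_safe_version, 8) is None)
    print("constraints the bounded proof needs:", list(proof_based_abstraction(assert_safe_version, 8)))
```

For the `assert (x ≤ -1)` variant the BMC loop returns the trace of the slide (pc 0, 1, 3, 4 with x = 0 at the assertion). For the safe variant, minimizing in the dictionary order above keeps control flow, `x := 0`, `x := -x`, the frame on x at pc 1 and the frame on n, and abstracts both `x := x + 1` and the frame on x at pc 4: with n fixed, leaving the loop requires x ≥ n > 0, so the bounded proof never needs the increment, just as the hard example's proof did not need `t = 1`.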
What have we seen so far?
1. Generalizing reachable states can be hard!
2. Abstractions can really help!
3. Algorithm Spacer that combines abstraction refinement with SAT-based model checking
4. How Spacer can be efficiently automated
Tool and Experimental Evaluation
Spacer Tool
C Program → (Horn-SMT) Logical Encoding → Spacer Backend (using Z3’s framework)
Existing Front-end based on LLVM
Proof-Based Abstraction, CEGAR, etc.
Theories handled: Linear Arithmetic (Rationals and Integers), Bitvectors
Spacer Tool
Program → Under-Approximate → Check Safety (SMT-Based Model Checker in Z3)
Proof-Based Abstraction side: Feasible? No → Abstract; Yes → Safety Proof
CEGAR side: Feasible? No → Refine; Yes → Counterexample
The hard example mentioned in the beginning
x = y = z = w = 0;
while (*) {
  if (*) { x++; y += 100; }
  else if (*)
    if (x ≥ 4) { x++; y++; }
  else if (y > 10w && z ≥ 100x) {
    y = −y;
  }
  t = 1;
  w += t; z += 10t;
}
assert (!(x ≥ 4 && y ≤ 2))
State-of-the-art tool Z3 cannot verify in an hour
Source: Automatically Refining Abstract Interpretations, Gulavani, Chakraborty, Nori and Rajamani, TACAS ‘08.
Spacer automatically verifies in under a minute!
Results on SV-COMP’13 Benchmarks
[Figure: scatter plot of solving times, x-axis “No abstraction (secs)”, y-axis “With abstraction (secs)”, both from 0 to 900; points annotated Advantage!, Time-out, Mem-out]
Summary
Conclusion
Focused Proofs: Abstractions guide Interpolation towards certain generalizations
Combine Proof-Based Abstraction and Counterexample-Guided Refinement
General framework independent of the underlying model checker
Works in practice!
Future Directions
Verification in presence of assumptions
Different kinds of bounding/abstraction
Synthesizing ghost code to help verification
Questions?
For more details, read our CAV’13 paper!
Counterexample Analysis and Refinement
An “abstract counterexample” is a finite length path consistent with error states
Concrete:
Abstract:
SAT
SAT ?
Feasibility Check