Program Verification by Lazy Abstraction Ranjit Jhala UC San Diego Lecture 1 With: Tom Henzinger, Rupak Majumdar, Ken McMillan, Gregoire Sutre

Program Verification by

Lazy Abstraction

Ranjit JhalaUC San Diego

Lecture 1

With: Tom Henzinger, Rupak Majumdar, Ken McMillan, Gregoire Sutre

Software Validation

• Large scale reliable software is hard to build and test

• Different groups write different components

• Integration testing is a nightmare

Property Checking

• Programmer gives partial specifications

• Code checked for consistency w/ spec

• Different from program correctness – Specifications are not complete– Is there a complete spec for Word ?

Emacs ?

Interface Usage Rules

• Rules in documentation–Order of operations & data access–Resource management –Incomplete, unenforced, wordy

• Violated rules ) bad behavior–System crash or deadlock–Unexpected exceptions–Failed runtime checks

Property 1: Double Locking

“An attempt to re-acquire an acquired lock or release a released lock will cause a deadlock.”

Calls to lock and unlock must alternate.

lock

lock

unlock

unlock

Property 2: Drop Root Privilege

“User applications must not run with root privilege”

When execv is called, must have suid 0

[Chen-Dean-Wagner ’02]

Property 3 : IRP Handler

[Fahndrich]

MPR3

CallDriver

MPRcompletion

synch

not pending returned

SKIP2

IPCCallDriverSkip

returnchild status

DC

Completerequest return

not Pend

PPCprop

completion

CallDriver

N/A

no propcompletion CallDriver

start NP

returnPending

NP

MPR1

MPRcompletion

SKIP2

IPCCallDriver

CallDriver

DC

Completerequest

PPCprop

completion

CallDriver

N/A


start P Mark Pending

IRP accessible N/A

synch

SKIP1CallDriver

SKIP1Skip

MPR2 MPR1

NP

MPR3

CallDrivernot pending returned

MPR2

synch

Does a given usage rule hold?• Undecidable!

– Equivalent to the halting problem

• Restricted computable versions are prohibitively expensive (PSPACE)

• Why bother ?– Just because a problem is undecidable, it doesn’t go away!

Example

Example ( ) {1: do{ lock(); old = new;

q = q->next;2: if (q != NULL){3: q->data = new;

unlock(); new ++; }4: } while(new != old);5: unlock (); return;}




lock

lock

unlock

unlock

What a program really is…

StateTransition

3: unlock(); new++;4:} …

3: unlock(); new++;4:} …

pclockoldnewq

3 5 5 0x133a

pclockoldnewq

4 5 6 0x133a







The Safety Verification Problem

Initial

Error

Is there a path from an initial to an error state ?Problem: Infinite state graphSolution : Set of states ' logical formula

Safe

Representing States as Formulas

[F]states satisfying F {s | s ² F }

FFO fmla over prog. vars

[F1] Å [F2] F1 Æ F2

[F1] [ [F2] F1 Ç F2

[F] : F

[F1] µ [F2] F1 implies F2

i.e. F1Æ: F2 unsatisfiable

Idea 1: Predicate Abstraction

• Predicates on program state:lockold = new

• States satisfying same predicatesare equivalent– Merged into one abstract state

• #abstract states is finite

Abstract States and Transitions

State

3: unlock(); new++;4:} …

3: unlock(); new++;4:} …

pclockoldnewq

3 5 5 0x133a

pclockoldnewq

4 5 6 0x133a

lock old=new

: lock : old=new

Theorem Prover

Abstraction

State

3: unlock(); new++;4:} …

3: unlock(); new++;4:} …

pclockoldnewq

3 5 5 0x133a

pclockoldnewq

4 5 6 0x133a

lock old=new

: lock : old=new

Theorem Prover

Existential Lifting

Abstraction

State

3: unlock(); new++;4:} …

3: unlock(); new++;4:} …

pclockoldnewq

3 5 5 0x133a

pclockoldnewq

4 5 6 0x133a

lock old=new

: lock : old=new

Analyze Abstraction

Analyze finite graph

Over Approximate: Safe ) System Safe

No false negatives

ProblemSpurious

counterexamples

Idea 2: Counterex.-Guided Refinement

SolutionUse spurious

counterexamplesto refine abstraction !

1. Add predicates to distinguish

states across cut2. Build refined abstraction


counterexamplesto refine abstraction

Idea 2: Counterex.-Guided Refinement

Imprecision due to merge

Iterative Abstraction-Refinement

1. Add predicates to distinguish states across cut2. Build refined abstraction

-eliminates counterexample

3. Repeat searchTill real counterexampleor system proved safe


counterexamplesto refine abstraction

[Kurshan et al 93] [Clarke et al 00][Ball-Rajamani 01]

Lazy Abstraction

Abstract

Refine

C Program

Safe

Trace

Yes

NoPropert

y

BLAST

Problem: Abstraction is Expensive

Reachable

Problem#abstract states = 2#predicates

Exponential Thm. Prover queries

ObserveFraction of state space reachable#Preds ~ 100’s, #States ~ 2100 ,#Reach ~ 1000’s

Safe

SolutionBuild abstraction during search



Solution1: Only Abstract Reachable States

SolutionDon’t refine error-free regions



Solution2: Don’t Refine Error-Free Regions

Error Free

Key Idea: Reachability Tree

5

1

2

3

4

3

Unroll Abstraction1. Pick tree-node (=abs. state)2. Add children (=abs. successors)3. On re-visiting abs. state, cut-off

Find min infeasible suffix

- Learn new predicates- Rebuild subtree with new preds.

Initial


3

1

2

3

4 5

3

7

6

Error Free

Unroll Abstraction1. Pick tree-node (=abs. state)2. Add children (=abs. successors)3. On re-visiting abs. state, cut-off

Find min infeasible suffix


Initial


3

1

2

3

4 5

3

6

Error Free

7

1

8

8 1

SAFE

Unroll1. Pick tree-node (=abs. state)2. Add children (=abs. successors)3. On re-visiting abs. state, cut-off

Find min spurious suffix


S1: Only Abstract Reachable States

S2: Don’t refine error-free regions

Initial

Build-and-Search

Predicates: LOCK

: LOCK

Example ( ) {1: do{ lock(); old = new; q = q->next;2: if (q != NULL){3: q->data = new; unlock(); new ++; }4:}while(new != old);5: unlock ();}


1

1

Reachability Tree

Build-and-Search

Predicates: LOCK

: LOCK



1

1

lock()

old = new

q=q->next LOCK2

2

Reachability Tree

Build-and-Search

Predicates: LOCK

: LOCK



1

1

LOCK2

2

LOCK

[q!=NULL]

3

3

Reachability Tree

Build-and-Search

Predicates: LOCK

: LOCK



1

1

LOCK2

2

LOCK3

3

q->data = new

unlock()

new++ 4

4

: LOCK

Reachability Tree

Build-and-Search

Predicates: LOCK

: LOCK



1

1

LOCK2

2

LOCK3

3

4

4

: LOCK

: LOCK

[new==old]

55

Reachability Tree

Build-and-Search

Predicates: LOCK

: LOCK



1

1

LOCK2

2

LOCK3

3

4

4

: LOCK

: LOCK55

unlock()

: LOCK

Reachability Tree

Analyze Counterexample

Predicates: LOCK

: LOCK



1

1

LOCK2

2

LOCK3

3

4

4

: LOCK

: LOCK55

: LOCK

Reachability Tree

lock()

old = new

q=q->next

[q!=NULL]

q->data = new

unlock()

new++

[new==old]

unlock()

Analyze Counterexample

Predicates: LOCK

: LOCK



1

1

LOCK2

2

LOCK3

3

4

4

: LOCK

: LOCK55

: LOCK

[new==old]

new++

old = new

Inconsistent

new == oldReachability Tree

Repeat Build-and-Search

Predicates: LOCK, new==old

: LOCK



1

1

Reachability Tree



: LOCK



1

1

LOCK , new==old

2

2

lock()

old = new

q=q->next

Reachability Tree



: LOCK



1

1

LOCK , new==old

2

2

LOCK , new==old

3

3

4

4

q->data = new

unlock()

new++: LOCK , : new =

old

Reachability Tree



: LOCK



1

1

LOCK , new==old

2

2

LOCK , new==old

3

3

4

4

: LOCK , : new = old

[new==old]

Reachability Tree



: LOCK



1

1

LOCK , new==old

2

2

LOCK , new==old

3

3

4

4


: LOCK, : new == old

1

[new!=old]

4

Reachability Tree



: LOCK



1

1

2

2

3

3

4

4

1

4

LOCK , new=old

4

4

: LOCK , new==old

55

SAFE

Reachability Tree

LOCK , new==old

LOCK , new==old




3

1

2

3

4 5

3

6

Error Free

7

1

8

8 1

SAFE

Unroll1. Pick tree-node (=abs. state)2. Add children (=abs. successors)3. On re-visiting abs. state, cut-off

Find min spurious suffix


S1: Only Abstract Reachable States

S2: Don’t refine error-free regions

Initial

Two handwaves


: LOCK



1

1

2

2

3

3

4

4

1

4

LOCK , new=old

4

4

: LOCK , new==old

55

SAFE

Reachability Tree

LOCK , new==old

LOCK , new==old



Two handwaves


: LOCK



1

1

2

2

3

3

4

4

1

4

LOCK , new=old

4

4

: LOCK , new==old

55

SAFE

Reachability Tree

LOCK , new==old

LOCK , new==old



3

4

LOCK , new==old


q->data = new

unlock()

new++

Q. How to compute “successors” ?

Two handwaves

: LOCK



1

1

2

2

3

3

4

4

1

4

LOCK , new=old

4

4

: LOCK , new==old

55

SAFE

LOCK , new==old

LOCK , new==old



Q. How to find predicates ?



Refinement


Refinement

Two handwaves

: LOCK



1

1

2

2

3

3

4

4

1

4

LOCK , new=old

4

4

: LOCK , new==old

55

SAFE

LOCK , new==old

LOCK , new==old




Weakest Preconditions

[P]

OP

[WP(P, OP)]WP(P,OP) Weakest formula P’ s.t. if P’ is true before OP then P is true after OP


[P]

OP


Assign x = e

P

P[e/x]

new = old

new = new+1

new+1 = old


P

c ) P

new = old

new=old ) new=old

[c]BranchAssume [new=old]

[P]

OP


How to compute successor ?




3

4

LOCK , new==old


OP

For each p• Check if p is true (or false) after OP

Q: When is p true after OP ? - If WP(p, OP) is true before OP ! - We know F is true before OP

- Thm. Pvr. Query: F ) WP(p, OP)

F

?

How to compute successor ?




3

4

LOCK , new==old

OP


Q: When is p false after OP ? - If WP(: p, OP) is true before OP ! - We know F is true before OP

- Thm. Pvr. Query: F ) WP(: p, OP)

F

?

How to compute successor ?Example ( ) {1: do{ lock(); old = new; q = q->next;2: if (q != NULL){3: q->data = new; unlock(); new ++; }4:}while(new != old);5: unlock ();}


3

4

LOCK , new==old

: new = old

OP


Q: When is p false after OP ? - If WP(: p, OP) is true before OP ! - We know F is true before OP

- Thm. Pvr. Query: F ) WP(: p, OP)

F

?

(LOCK , new==old) ) (new + 1 = old) (LOCK , new==old) ) (new + 1 old)

NO

YES


Predicate: new==old

True ?

False ?

Lazy Abstraction

Abstract

Refine

C Program

Safe

Trace

Yes

NoPropert

y


Solution: 1. Abstract reachable states, 2. Avoid refining error-free regions

Problem: Abstraction is Expensive

Property: IRP Handler

[Fahndrich]

MPR3

CallDriver

MPRcompletion

synch

not pending returned

SKIP2

IPCCallDriverSkip

returnchild status

DC

Completerequest return

not Pend

PPCprop

completion

CallDriver

N/A


start NP

returnPending

NP

MPR1

MPRcompletion

SKIP2

IPCCallDriver

CallDriver

DC

Completerequest

PPCprop

completion

CallDriver

N/A


start P Mark Pending

IRP accessible N/A

synch

SKIP1CallDriver

SKIP1Skip

MPR2 MPR1

NP

MPR3

CallDrivernot pending returned

MPR2

synch

Results

Program Lines*

Time(mins)

Predicates

kbfiltr 12k 1 34

floppy 17k 7 93

diskprf 14k 5 71

cdaudio 18k 20 85

parport 61k DNF

parclss 138k DNF

Property3:

IRP Handler

Win NT DDK

* Pre-processed

Tracking lock not enough

#Predicates grows with program size

Problem:p1,…,pn needed for verification

Exponential reachable abstract states

while(1){1: if (p1) lock() ; if (p1) unlock() ; …2: if (p2) lock() ; if (p2) unlock() ; … n: if (pn) lock() ; if (pn) unlock() ;}


TF

T

#Predicates grows with program size

Problem:p1,…,pn needed for verification

Exponential reachable abstract states



: LOCK

: LOCK, p1

p1p2

p1: p2 : p1 p2 : p1: p2

LOCK, p1 : LOCK, : p1

: LOCK, : p1

2n Abstract States

: LOCK

Predicates useful locally



: LOCK

: LOCK , p1

LOCK , p1

: LOCK, : p1

: LOCK , : p1

2n Abstract States

p1

p2

pn

: LOCK : LOCK: LOCK

LOCK , p2

: LOCK , : p2

: LOCK

Solution: Use predicates only where needed

Using Counterexamples:Q1. Find predicatesQ2. Find where predicates are needed

Lazy Abstraction

Abstract

Refine

C Program

Safe

Trace

Yes

NoPropert

y

Refine Pred. MapPC Preds.

Ctrex.Trace

Solution: Localize pred. use, find where preds. needed

Problem: #Preds grows w/ Program Size

Counterexample Traces

1: x = ctr

2: ctr = ctr + 1

3: y = ctr

4: assume(x = i-1)

5: assume(y i)

y = x +1

1: x = ctr;2: ctr = ctr + 1;3: y = ctr;4: if (x = i-1){5: if (y != i){

ERROR: }

}

1: x = ctr;2: ctr = ctr + 1;3: y = ctr;4: if (x = i-1){5: if (y != i){

ERROR: }

}

Trace Formulas

1: x = ctr

2: ctr = ctr+1

3: y = ctr

4: assume(x=i-1)

5: assume(yi)

Trace SSA Trace

x1 = ctr0

Æ ctr1 = ctr0+ 1

Æ y1 = ctr1

Æ x1 = i0 - 1

Æ y1 i0

1: x1 = ctr0

2: ctr1 = ctr0+1

3: y1 = ctr1

4: assume(x1=i0-1)

5: assume(y1i0)

Trace FeasibilityFormula

Thm: Trace is feasible , TF is satisfiable

The Present State…

1: x = ctr

2: ctr = ctr + 1

3: y = ctr

4: assume(x = i-1)

5: assume(y i)

Trace

… is all the information the executing program has here

1. … after executing trace past (prefix)

2. … knows present values of variables

3. … makes trace future (suffix) infeasible

State…

At pc4, which predicate on present state shows infeasibility of future ?

What Predicate is needed ?

Trace

1: x = ctr

2: ctr = ctr + 1

3: y = ctr

4: assume(x = i-1)

5: assume(y i)

Trace Formula (TF)

x1 = ctr0

Æ ctr1 = ctr0 +1

Æ y1 = ctr1

Æ x1 = i0 - 1

Æ y1 i0


Trace

1: x = ctr

2: ctr = ctr + 1

3: y = ctr

4: assume(x = i-1)

5: assume(y i)

Trace Formula (TF)

x1 = ctr0

Æ ctr1 = ctr0+ 1

Æ y1 = ctr1

Æ x1 = i0 - 1

Æ y1 i0

1. … after executing trace prefix

Relevant Information

… implied by TF prefix

Predicate …

1: x = ctr

2: ctr = ctr + 1

3: y = ctr

4: assume(x = i-1)

5: assume(y i)


2. … has present values of variables


Trace Trace Formula (TF)

x1 = ctr0

Æ ctr1 = ctr0+ 1

Æ y1 = ctr1

Æ x1 = i0 - 1

Æ y1 i0


… on common variables

Predicate …

x1

x1


1: x = ctr

2: ctr = ctr + 1

3: y = ctr

4: assume(x = i-1)

5: assume(y i)



3. … makes trace suffix infeasible



x1 = ctr0

Æ ctr1 = ctr0+ 1

Æ y1 = ctr1

Æ x1 = i0 - 1

Æ y1 i0



… & TF suffix is unsatisfiable

Predicate …Relevant Information

1: x = ctr

2: ctr = ctr + 1

3: y = ctr

4: assume(x = i-1)

5: assume(y i)



x1 = ctr0

Æ ctr1 = ctr0+ 1

Æ y1 = ctr1

Æ x1 = i0 - 1

Æ y1 i0

Predicate …



3. … makes trace suffix infeasible





Interpolant = Predicate !

-

+

Interpolate

Trace Formula

x1 = ctr0

Æ ctr1 = ctr0+ 1

Æ y1 = ctr1

Æ x1 = i0 - 1

Æ y1 i0

y1 = x1 + 1

Predicate …




Craig Interpolant[Craig 57]

Computable from Proof of Unsat[Krajicek 97] [Pudlak 97]

1: x = ctr

2: ctr = ctr + 1

3: y = ctr

4: assume(x = i-1)

5: assume(y i)

Trace

Predicate at 4:y= x+1

Another interpretation …

-

+

Interpolate

Trace Formula

x1 = ctr0

Æ ctr1 = ctr0+ 1

Æ y1 = ctr1

Æ x1 = i0 - 1

Æ y1 i0

y1 = x1 + 1

Unsat = Empty Intersection = Trace Infeasible

Predicate at 4:y= x+1-

+

After execprefix

Canexecsuffix

Interpolant = Overapprox. states after prefix

that cannot execute suffix


-

+

Interpolate

Trace Formula

x1 = ctr0

Æ ctr1 = ctr0+ 1

Æ y1 = ctr1

Æ x1 = i0 - 1

Æ y1 i0

y1 = x1 + 1

Predicate …






1: x = ctr

2: ctr = ctr + 1

3: y = ctr

4: assume(x = i-1)

5: assume(y i)

Trace



-

+

Interpolate

Trace Formula

x1 = ctr0

Æ ctr1 = ctr0+ 1

Æ y1 = ctr1

Æ x1 = i0 - 1

Æ y1 i0

y1 = x1 + 1

Predicate …






1: x = ctr

2: ctr = ctr + 1

3: y = ctr

4: assume(x = i-1)

5: assume(y i)

Trace


Q. How to compute interpolants ? …

Building Predicate Maps

Trace Trace Formula

x1 = ctr0

Æ ctr1 = ctr0+ 1

Æ y1 = ctr1

Æ x1 = i0 - 1

Æ y1 i0

•Cut + Interpolate at each point

•Pred. Map: pci Interpolant from cut i

-

+x1 = ctr0

Predicate Map 2: x= ctr

1: x = ctr

2: ctr = ctr + 1

3: y = ctr

4: assume(x = i-1)

5: assume(y i)

Interpolate


Trace Trace Formula

x1 = ctr0

Æ ctr1 = ctr0+ 1

Æ y1 = ctr1

Æ x1 = i0 - 1

Æ y1 i0

-

+

1: x = ctr

2: ctr = ctr + 1

3: y = ctr

4: assume(x = i-1)

5: assume(y i)

Predicate Map 2: x = ctr3: x= ctr-1

x1= ctr1-1Interpolat

e




Trace Trace Formula

x1 = ctr0

Æ ctr1 = ctr0+ 1

Æ y1 = ctr1

Æ x1 = i0 - 1

Æ y1 i0

1: x = ctr

2: ctr = ctr + 1

3: y = ctr

4: assume(x = i-1)

5: assume(y i)

Predicate Map 2: x = ctr3: x= ctr - 14: y= x + 1

y1= x1+1

-

+

Interpolate




Trace Trace Formula

x1 = ctr0

Æ ctr1 = ctr0+ 1

Æ y1 = ctr1

Æ x1 = i0 - 1

Æ y1 i0

1: x = ctr

2: ctr = ctr + 1

3: y = ctr

4: assume(x = i-1)

5: assume(y i)

Predicate Map 2: x = ctr3: x= ctr - 14: y= x + 15: y = i

y1= i0

-

+

Interpolate



Local Predicate Use

Predicate Map 2: x = ctr3: x= ctr - 14: y= x + 15: y = i

Use predicates needed at location

• #Preds. grows with program size

• #Preds per location small

Local Predicate use

Ex: 2n states

Global Predicate use

Ex: 2n states

Verification scales …

Results

Program

Lines* PreviousTime(min

s)

Time(mins)

Predicates Total

Average

kbfiltr 12k 1 3 72 6.5

floppy 17k 7 25 240 7.7

diskprf 14k 5 13 140 10

cdaudio 18k 20 23 256 7.8

parport 61k DNF 74 753 8.1

parclss 138k DNF 77 382 7.2

* Pre-processed

Property3:

IRP Handler

Win NT DDK

Localizing

Program

Lines* PreviousTime(min

s)

Time(mins)

Predicates Total

Average

kbfiltr 12k 1 3 72 6.5

floppy 17k 7 25 240 7.7

diskprf 14k 5 13 140 10

cdaudio 18k 20 23 256 7.8

parport 61k DNF 74 753 8.1

parclss 138k DNF 77 382 7.2

* Pre-processed

Property3:

IRP Handler

Win NT DDK

Q. How to compute interpolants ?

Proof of Unsatisfiability

Trace Formula

x1 = ctr0

Æ ctr1 = ctr0 + 1

Æ y1 = ctr1

Æ x1 = i0 - 1

Æ y1 i0

x1 = ctr0 x1 = i0 -1

ctr0 = i0-1 ctr1= ctr0+1

ctr1 = i0 y1= ctr1

y1= i0 y1 i0

;


Another Proof of Unsatisfiability

x1– ctr0=0 x1-i0 +1=0

ctr0-i0+1=0 ctr1- ctr0-1=0

ctr1-i0 =0 y1-ctr1=0

y1-i0=0 y1-i0 0

0 0

Rewritten Proof

£ 1£ (-1)

£ 1

£ 1

£ 1

x1 = ctr0 x1 = i0 -1

ctr0 = i0-1 ctr1= ctr0+1

ctr1 = i0 y1= ctr1

y1= i0 y1 i0

;


Interpolant from Rewritten Proof ?

Trace Formula

x1 = ctr0

Æ ctr1 = ctr0 + 1

Æ y1 = ctr1

Æ x1 = i0 - 1

Æ y1 i0

x1– ctr0=0 x1-i0 +1=0

ctr0-i0+1=0 ctr1- ctr0-1=0

ctr1-i0 =0 y1-ctr1=0

y1-i0=0 y1-i0 0

0 0

Rewritten Proof

£ 1£ (-1)

£ 1

£ 1

£ 1

Interpolate

Interpolant from Rewritten Proof ?

Trace Formula

x1 = ctr0

Æ ctr1 = ctr0 + 1

Æ y1 = ctr1

Æ x1 = i0 - 1

Æ y1 i0

x1– ctr0=0

ctr1- ctr0-1=0

y1-ctr1=0

Interpolant !

£ (-1)

£ 1

£ 1

Interpolatey1-x1-1=0y1=x1+1

Lazy Abstraction

Abstract

Refine

C Program

Safe

Trace

Yes

NoPropert

y

Refine TraceFeas

FormulaThm Pvr

Proof of Unsat

Pred. MapPC Preds.

Ctrex.Trace

Interpolate

Solution: Localize pred. use, find where preds. needed

Problem: #Preds grows w/ Program Size

Verification by Theorem Proving

1. Loop Invariants2. Logical formula3. Check Validity

Invariant: lock Æ new = old

Ç : lock Æ new old







Verification by Theorem Proving

1. Loop Invariants2. Logical formula3. Check Validity

- Loop Invariants- Multithreaded Programs + Behaviors encoded in logic+ Decision Procedures-






unlock(); new ++; }4: } while(new != old);5: unlock (); return;} Precis

e[ESC]

Verification by Program Analysis

1. Dataflow Facts2. Constraint

System3. Solve constraints







- Imprecision due to fixed facts

+ Abstraction

+ Type/Flow AnalysesScalable[CQUAL, ESP, MC]

Verification by Model Checking

1. (Finite State) Program

2. State Transition Graph

3. Reachability







- Pgm ! Finite state model

- State explosion + State Exploration+ CounterexamplesPrecise[SPIN, SMV, Bandera,JPF ]

Combining StrengthsTheorem Proving

- loop invariants

+ Behaviors encoded in logicRefine+ Theorem proversComputing Successors,Refine

Program Analysis

- Imprecise+ AbstractionShrink state space

Model Checking- Finite-state model, state explosion+ State Space ExplorationPath Sensitive Analysis+ CounterexamplesFinding Relevant Facts

Lazy Abstraction

Lazy Abstraction: Main Ideas• Predicates:

– Abstract infinite program states

• Counterexample-guided Refinement:– Find predicates tailored to prog, property

1. Abstraction : Expensive Reachability Tree

2. Refinement : Find predicates, use locations Proof of unsat of TF + Interpolation

Next Lecture: Modular Analyses

Procedures- Summaries

Concurrency- Thread-Context Reasoning

Documents

Program Verification by Lazy Abstraction Ranjit Jhala UC San Diego Lecture 1 With: Tom Henzinger, Rupak Majumdar, Ken McMillan, Gregoire Sutre