Predicate Abstraction for Software Verification (slide transcript)

1
Predicate Abstraction for Software Verification
  • Cormac Flanagan
  • Shaz Qadeer
  • Compaq Systems Research Center

2
POPL'02: The Continuing Saga of Predicate Abstraction
3
Extended Static Checking
  • Statically verify many correctness properties
    • Type systems catch many errors
      • e.g. cannot multiply a number and a string
    • Would like to catch additional errors
      • e.g. array index out of bounds at line 10
  • And verify other correctness properties
    • assertions
    • object invariants
    • lightweight method specifications

4
Checking loops with ESC/Java
  /*@ loop_invariant i >= 0;
      loop_invariant 0 <= spot;
      loop_invariant spot <= MAXDIRENTRY;
      loop_invariant (\forall int j; 0 <= j && j < i;
                        b[diskaddr].dirEntries[j].inum != DIRENTRY_UNUSED ==>
                        b[diskaddr].dirEntries[j].name != name);
      loop_invariant (\forall int j; spot == MAXDIRENTRY && 0 <= j && j < i ==>
                        b[diskaddr].dirEntries[j].inum != DIRENTRY_UNUSED);
      loop_invariant spot == MAXDIRENTRY ||
                        b[diskaddr].dirEntries[spot].inum == DIRENTRY_UNUSED;
      loop_invariant (\forall DirEntry t; t != de ==> t.name == \old(t.name));
      loop_invariant (\forall DirEntry t; t != de ==> t.inum == \old(t.inum));
      loop_invariant (\forall DirEntry t; t.inum == FS.DIRENTRY_UNUSED ||
                        (0 <= t.inum && t.inum < FS.IMAX));
    @*/
  for (i = 0; i < cwd.inode.length; i++) {
    GetDirEntry(de, addr, i);
    if (de.inum != DIRENTRY_UNUSED && de.name == name) return ERROR;
    if (de.inum == DIRENTRY_UNUSED && spot == MAXDIRENTRY) spot = i;
  }
5
Loop invariants
  C; while e do B end
  Set of reachable states at loop head is a loop invariant!
  [Diagram: precondition p, the code C, and the states sp(C, p) that reach the loop head]
6
Concrete states
7
Computing loop invariants
  C; while e do X; Y end
  $I_0 = \alpha(\mathit{sp}(C, \mathit{true}))$
  $J_0 = \alpha(\gamma(I_0) \wedge e)$
  $K_0 = \alpha(\mathit{sp}(X, \gamma(J_0)))$
  $L_0 = \alpha(\mathit{sp}(Y, \gamma(K_0)))$
8
Computing loop invariants
  C; while e do X; Y end
  $I_1 = I_0 \vee L_0$
9
Predicate abstraction example
  /*@ requires a != null && b != null && a.length == b.length;
      ensures \result == a.length || b[\result];
    @*/
  int find(int[] a, boolean[] b) {
    int spot = a.length;
    for (int i = 0; i < a.length; i++) {
      if (spot == a.length && a[i] != 0) spot = i;
      b[i] = (a[i] != 0);
    }
    return spot;
  }
  Ten predicates: a != null, b != null, a.length == b.length, spot == a.length,
  b[spot], spot < i, 0 <= i, i <= a.length, spot == i, a[i] != 0
10
Computing loop invariants
  C; while e do X; Y end
  $I_0 = \alpha(\mathit{sp}(C, \mathit{true}))$
  $L_0 = \alpha(\mathit{sp}(X;Y, \gamma(I_0) \wedge e))$
11
Computing loop invariants
  C; while e do X; Y end
  $I_1 = I_0 \vee L_0$
  $L_1 = \alpha(\mathit{sp}(X;Y, \gamma(I_1) \wedge e))$
12
Predicate abstraction example
  (same find method and specification as slide 9)
  Seven predicates, selected from the ten of slide 9 (the transcript does not record which three were dropped)
13
Computing loop invariants
  C; while e do X; Y end
  $I_0 = \alpha(\mathit{sp}(C, \mathit{true}))$
  $L_0 = \alpha(\mathit{sp}(P_0, \mathit{true}))$, where $P_0 = C;\ H;\ \mathbf{assume}\ \gamma(I_0) \wedge e;\ X;\ Y$ (H as defined on the next slide)
14
Computing loop invariants
  H = havoc the variables modified in X; Y
  C; while e do X; Y end
  $I_1 = I_0 \vee L_0$
  $P_1 = C;\ H;\ \mathbf{assume}\ \gamma(I_1) \wedge e;\ X;\ Y$
  $L_1 = \alpha(\mathit{sp}(P_1, \mathit{true}))$
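To make the iteration of slides 7 to 14 concrete, here is an added example (not code from the slides, the paper or ESC/Java): the find method of slide 9 is run over a bounded concrete state space, so that sp, alpha and gamma can be computed by enumeration instead of by a theorem prover. The bounds MAX_LEN and MAX_INT, the guarded reading of the array predicates, and the buggy_body variant are assumptions of this example; the three precondition predicates (a != null, b != null, a.length == b.length) are built into the state space, and the havoc step H of slide 14 is realised by ranging over the whole bounded universe.

```python
"""Abstract fixpoint I_0 = alpha(sp(C, true)), I_{n+1} = I_n or alpha(sp(X;Y, gamma(I_n) and e))
for the find method of slide 9, computed by enumeration over a bounded state space."""
from itertools import product

MAX_LEN = 2   # assumption: arrays a and b have length 0..MAX_LEN, entries of a in {0, 1}
MAX_INT = 3   # assumption: spot and i range over 0..MAX_INT in the havoc'd universe

# A concrete loop-head state is (a, b, spot, i): a tuple of ints, b tuple of bools.
def universe():
    return {(a, b, spot, i)
            for n in range(MAX_LEN + 1)
            for a in product((0, 1), repeat=n)
            for b in product((False, True), repeat=n)
            for spot in range(MAX_INT + 1)
            for i in range(MAX_INT + 1)}

# The seven predicates of slide 9 that are not already part of the precondition.
# Array accesses are guarded so every predicate is defined on every state.
PREDICATES = (
    ("spot == a.length", lambda a, b, spot, i: spot == len(a)),
    ("b[spot]",          lambda a, b, spot, i: spot < len(b) and b[spot]),
    ("spot < i",         lambda a, b, spot, i: spot < i),
    ("0 <= i",           lambda a, b, spot, i: 0 <= i),
    ("i <= a.length",    lambda a, b, spot, i: i <= len(a)),
    ("spot == i",        lambda a, b, spot, i: spot == i),
    ("a[i] != 0",        lambda a, b, spot, i: i < len(a) and a[i] != 0),
)

def abstract(s):
    """Abstraction of one concrete state: the truth values of the predicates."""
    return tuple(p(*s) for _, p in PREDICATES)

def alpha(states):
    """alpha(F) for a finite F: the set of abstract states it realises."""
    return frozenset(abstract(s) for s in states)

def gamma(I, U):
    """gamma(I): every concrete state of U whose abstraction lies in I."""
    return {s for s in U if abstract(s) in I}

def guard(s):
    """The loop test e: i < a.length."""
    a, b, spot, i = s
    return i < len(a)

def body(s):
    """X; Y: one iteration of the loop on slide 9."""
    a, b, spot, i = s
    if spot == len(a) and a[i] != 0:
        spot = i
    b = b[:i] + (a[i] != 0,) + b[i + 1:]
    return (a, b, spot, i + 1)

def buggy_body(s):
    """Constructed faulty variant that forgets the assignment b[i] = (a[i] != 0)."""
    a, b, spot, i = s
    if spot == len(a) and a[i] != 0:
        spot = i
    return (a, b, spot, i + 1)

def infer_invariant(step):
    """Iterate I_{n+1} = I_n or alpha(step(gamma(I_n) and e)) until it stabilises."""
    U = universe()
    after_C = {(a, b, len(a), 0) for (a, b, _, _) in U}    # sp(C, true): spot = a.length; i = 0
    I, rounds = alpha(after_C), 0
    while True:
        rounds += 1
        entered = {s for s in gamma(I, U) if guard(s)}       # sp(C; H; assume gamma(I_n) and e, true)
        I_next = I | alpha({step(s) for s in entered})
        if I_next == I:                                      # fixpoint reached
            return I, rounds
        I = I_next

def postcondition_holds(I):
    """Check 'ensures result == a.length || b[result]' on every state of gamma(I) with not e."""
    for (a, b, spot, i) in gamma(I, universe()):
        if not guard((a, b, spot, i)) and not (spot == len(a) or (spot < len(b) and b[spot])):
            return False
    return True

def verify_find(step=body):
    """Returns (postcondition verified?, fixpoint rounds, abstract states in the invariant)."""
    I, rounds = infer_invariant(step)
    return postcondition_holds(I), rounds, len(I)

if __name__ == "__main__":
    print("find:      ", verify_find())
    print("buggy find:", verify_find(buggy_body))
```

The invariant found for the correct body implies spot == a.length or b[spot] at every loop head, which is exactly what the ensures clause needs on exit; the buggy variant is rejected because the concrete state that violates the postcondition is itself in gamma(I) at the fixpoint.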
15
Predicate abstraction example
  (same find method and specification as slide 9)
  Four predicates, selected from the ten of slide 9 (the transcript does not record which were dropped)
16
Predicate abstraction example
  /*@ requires a != null && b != null && a.length == b.length;
      ensures (\forall int j; 0 <= j && j < \result ==> !b[j]);
    @*/
  int find(int[] a, boolean[] b) {
    int spot = a.length;
    for (int i = 0; i < a.length; i++) {
      if (spot == a.length && a[i] != 0) spot = i;
      b[i] = (a[i] != 0);
    }
    return spot;
  }
17
∀-quantified loop invariants
18
Heuristics for guessing predicates
  for (int i = 0; i < a.length; i++) a[i] = null;
  Loop targets: i, a
  First set of predicates: i <= \old(i), i >= \old(i)
  Inferred invariant: $i \geq 0 \wedge \forall\, \mathit{int}\ sc.\ (0 \leq sc \wedge sc < i \Rightarrow a[sc] = \mathit{null})$
19
Javafe
  • front end to ESC/Java
  • annotated with lightweight specifications
  • 45 KLOC, 2418 routines, 520 loops
  • no inference: warnings in 326 routines
  • with inference: warnings in 31 routines
    • several failing routines had array bound violations
    • not caught with loop unrolling

20
Computing abstraction function
C; while e do B end, with I the loop invariant to compute
  • Compute
    • $I_0 = \alpha(\mathit{sp}(C, \mathit{true}))$
    • $I_{n+1} = I_n \vee \alpha(\mathit{sp}(C;\ H;\ \mathbf{assume}\ \gamma(I_n) \wedge e;\ B,\ \mathit{true}))$
  • Problem: given F, compute $\alpha(F)$
    • $\alpha(F)$ = least boolean function $G$ over the predicates such that $F \Rightarrow \gamma(G)$

21
Abstract state space
  • Predicates a, b, c, d
  • They generate an abstract space of size $2^4 = 16$

22
Naïve method (slow!)
  • Is $F \wedge a \wedge b \wedge c \wedge d$ satisfiable? No!
  • Can compute $\alpha(F)$ by asking $2^n$ such queries

  [Figure: 4×4 grid of abstract states over a, b, c, d (rows a∧b, a∧¬b, ¬a∧¬b, ¬a∧b; columns ¬c∧d, c∧¬d, ¬c∧¬d, c∧d), with F drawn as a region and α(F) as the cells it touches; the query above rules out only the single cell a∧b∧c∧d]
23
New method
  • $F \wedge a \wedge b \wedge c \wedge d$ satisfiable? No!
  • $F \wedge a \wedge c \wedge d$ satisfiable? No!
  • $F \wedge c \wedge d$ satisfiable? No!
  • Removed 1/4 of state space in 3 queries!

  $\alpha(F) = (\neg c \vee \neg d) \wedge (\neg a \vee \neg c) \wedge (\neg a \vee \neg b) \wedge (c \vee \neg d)$

  Abstract states excluded by α(F) are marked X; the column c∧d is the quarter removed by the three queries above:

               ¬c∧d   c∧¬d   ¬c∧¬d   c∧d
    a∧b         X      X       X      X
    a∧¬b        X      X              X
    ¬a∧¬b       X                     X
    ¬a∧b        X                     X
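The two ways of computing α(F) on slides 22 and 23, as an added example (not code from the slides or the paper). The theorem prover is replaced by brute-force search over a small constructed concrete state space, so the code runs offline; what is measured is the number of satisfiability queries, which is what matters with a real prover. The shrinking strategy (drop one literal at a time while the cube stays unsatisfiable, then keep the negation of the minimal cube as a clause) is a simplification of the idea on slide 23 and is not the paper's search order; the state space F_STATES and the six predicates are assumptions of this example.

```python
"""alpha(F) by satisfiability queries: one query per abstract state (slide 22)
versus shrinking unsatisfiable cubes into clauses (slide 23)."""
from itertools import product

# Constructed concrete states: (x, y) with x, y in 0..7, and F the set of states
# reached by "y := x + 1" from any x <= 6.
F_STATES = {(x, x + 1) for x in range(7)}

# Six constructed predicates (name, evaluation on a concrete state): 2^6 = 64 abstract states.
PREDICATES = (
    ("a", lambda x, y: x >= 4),
    ("b", lambda x, y: y >= 4),
    ("c", lambda x, y: x == 7),
    ("d", lambda x, y: y == 0),
    ("e", lambda x, y: x % 2 == 0),
    ("f", lambda x, y: y % 2 == 0),
)
N = len(PREDICATES)

class Oracle:
    """Stands in for the theorem prover: 'is F and cube satisfiable?', counting queries.
    A cube maps predicate indices to required truth values."""
    def __init__(self, states):
        self.states, self.queries = states, 0

    def sat(self, cube):
        self.queries += 1
        return any(all(PREDICATES[k][1](*s) == v for k, v in cube.items())
                   for s in self.states)

def alpha_naive(states):
    """Slide 22: one query per abstract state, 2^n in total."""
    oracle = Oracle(states)
    alpha = frozenset(m for m in product((False, True), repeat=N)
                      if oracle.sat(dict(enumerate(m))))
    return alpha, oracle.queries

def alpha_clauses(states):
    """Slide 23: when F and cube is unsatisfiable, shrink the cube while it stays
    unsatisfiable; the negation of the minimal cube is a clause of alpha(F), and
    every abstract state under that cube is excluded without further queries."""
    oracle = Oracle(states)
    pending = sorted(product((False, True), repeat=N))   # deterministic visiting order
    alpha, clauses = set(), []
    while pending:
        m = pending.pop(0)
        cube = dict(enumerate(m))
        if oracle.sat(cube):
            alpha.add(m)                                  # realisable abstract state
            continue
        for k in range(N):                                # try to drop each literal in turn
            trial = {j: v for j, v in cube.items() if j != k}
            if not oracle.sat(trial):
                cube = trial
        # clause = disjunction of the negated literals of the minimal unsatisfiable cube
        clauses.append(frozenset((PREDICATES[k][0], not v) for k, v in cube.items()))
        pending = [p for p in pending
                   if not all(p[k] == v for k, v in cube.items())]
    return frozenset(alpha), clauses, oracle.queries

def compare():
    """Returns (both methods agree?, naive queries, clause-method queries, clauses found)."""
    naive, q_naive = alpha_naive(F_STATES)
    clause_alpha, clauses, q_clause = alpha_clauses(F_STATES)
    return naive == clause_alpha, q_naive, q_clause, clauses

if __name__ == "__main__":
    same, q_naive, q_clause, clauses = compare()
    print(f"results agree: {same}; naive queries: {q_naive}; clause method: {q_clause}")
    for cl in clauses:
        print(" or ".join(("" if v else "not ") + p for p, v in sorted(cl)))
```

On this state space the clause method needs fewer than the 64 queries of the naive method, and among the clauses it finds are the unit clauses ¬c and ¬d, each of which removes half of the abstract state space in a single shrink. The saving grows with the number of predicates; for very few predicates the shrinking queries can cost more than they save, which is why the count is returned rather than assumed.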
24
Other methods
  • Das-Dill-Park 99 (DDP)
  • Saidi-Shankar 99 (SS)

25
Experiments
26
Experiments (Javafe)
27
Related work
  • Inferring/computing loop invariants
    • German-Wegbreit 75
    • Katz-Manna 76
    • Suzuki-Ishihata 77
  • Predicate abstraction
    • Graf-Saidi 97
    • Bensalem-Lakhnech-Owre 98, Colón-Uribe 98
    • Saidi-Shankar 99, Das-Dill-Park 99
    • Ball-Majumdar-Millstein-Rajamani 2001
    • Henzinger-Jhala-Majumdar-Sutre 2002