Localization and Register Sharing for Predicate Abstraction - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Localization and Register Sharing for Predicate
Abstraction
  • Himanshu Jain
  • Franjo Ivancic
  • Aarti Gupta
  • Malay Ganai

2
Introduction
  • Predicate abstraction abstracts data by keeping track of certain
    predicates
  • Each predicate is given a Boolean variable in the abstract model
  • Scalability depends on the choice and usage of predicates

3
Counterexample Guided Abstraction and Refinement
[Diagram of the CEGAR loop as used in F-Soft: C programs, together with
a property monitor, go through static analysis, then abstraction, then
model checking (DiVer), then analysis and refinement, which feeds back
into abstraction; the loop ends either with a discovered bug in the
software or with certified code.]
4
Motivation
  • Computing predicate relationships is expensive
  • Localization of predicates
  • Identify important predicates at each program
    location
  • Identify important predicate relationships

5
Some notation
  • Spurious trace: an infeasible sequence of statements, e.g.
      1. x = m   2. y = m   3. assume (x != y)
  • Predicate relationships, e.g. (p1 ∧ p2), (p1 ⟹ p3)
6
Related work
  • BLAST uses interpolation to find important predicates at each
    statement in a spurious trace [Jhala et al., 04]
  • Localization of predicates
  • Does interpolation produce good predicates?
  • Syntactic program transformations for automatic abstraction
    [Namjoshi et al.]
  • MAGIC tool [Chaki et al.]

7
Our approach
  • Given a spurious trace s1, ..., sk
  • Use weakest pre-conditions to identify the important predicates at
    each statement si
  • Most predicate relationships are obtained from the refinement itself

8
Outline
  • Introduction
  • Localization of predicates
  • Register Sharing
  • Dedicated State Variables
  • Experimental results

9
Abstraction
C program:
  1: x = ctr
  2: y = ctr + 1
  3: if (x == i-1)
  4:   if (y != i) ERROR
Abstract model (no predicates available currently, so both branches
are unconstrained):
  1: skip
  2: skip
  3: if ( )
  4:   if ( ) ERROR
10
Checking the abstract model
Is ERROR reachable?
Abstract model (no predicates available currently):
  1: skip
  2: skip
  3: if ( )
  4:   if ( ) ERROR
Yes: the abstract model has a path leading to the error state.
11
Concretization of abstract counterexample
Abstract counterexample:
  1: skip
  2: skip
  3: if ( )
  4:   if ( ) ERROR
Concrete trace:
  1: x = ctr
  2: y = ctr + 1
  3: assume (x == i-1)
  4: assume (y != i)
12
Simulation
Does this correspond to a real bug?
Concrete trace:
  1: x = ctr
  2: y = ctr + 1
  3: assume (x == i-1)
  4: assume (y != i)
We use a SAT solver to simulate the trace.
Result: the trace is infeasible, i.e. a spurious counterexample.
13
Refinement
Spurious counterexample (concrete trace):
  1: x = ctr
  2: y = ctr + 1
  3: assume (x == i-1)
  4: assume (y != i)
Localization information (predicates needed at each statement, obtained
as weakest pre-conditions going backwards from the assume statements):
  before 1: ctr + 1 != i, ctr == i - 1
  before 2: ctr + 1 != i, x == i - 1
  before 3: y != i, x == i - 1
  before 4: y != i
14
Predicate relationships
Spurious counterexample and localization information as on slide 13.
The arrow on the slide marks a relationship between localized
predicates (for example ctr + 1 != i before statement 2 and y != i
after it).
15
What happened so far
C program:
  1: x = ctr
  2: y = ctr + 1
  3: if (x == i-1)
  4:   if (y != i) ERROR
16
Computing new abstraction
C program and localization information as on slide 13; the predicate
y != i at statement 4 is processed first.
Abstract model so far:
  1:
  2:
  3: if ( )
  4:   if ( ) ERROR
17
Computing new abstraction
C program and localization information as on slide 13.
Boolean b0 := (y != i)
Abstract model so far:
  1:
  2:
  3: if ( )
  4:   if (b0) ERROR
18
Computing new abstraction
C program and localization information as on slide 13.
Boolean b1 := (x == i - 1)
Boolean b0 := (y != i)
Abstract model so far:
  1:
  2:
  3: if (b1)
  4:   if (b0) ERROR
19
Computing new abstraction
C program and localization information as on slide 13.
Boolean b2 := (ctr + 1 != i)
Boolean b1 := (x == i - 1)
Boolean b0 := (y != i)
Abstract model so far (statement 2, y = ctr + 1, becomes b0 = b2 because
y != i after it holds exactly when ctr + 1 != i holds before it):
  1:
  2: b0 = b2
  3: if (b1)
  4:   if (b0) ERROR
20
Computing new abstraction
C program and localization information as on slide 13.
Boolean b3 := (ctr == i - 1)
Boolean b2 := (ctr + 1 != i)
Boolean b1 := (x == i - 1)
Boolean b0 := (y != i)
Abstract model so far:
  1: b1 = b3
  2: b0 = b2
  3: if (b1)
  4:   if (b0) ERROR
No decision procedure used so far.
21
Computing new abstraction
C program and localization information as on slide 13.
What about the initial values of b2 and b3?
Boolean b3 := (ctr == i - 1)
Boolean b2 := (ctr + 1 != i)
Boolean b1 := (x == i - 1)
Boolean b0 := (y != i)
Abstract model so far:
  1: b1 = b3
  2: b0 = b2
  3: if (b1)
  4:   if (b0) ERROR
SAT-based predicate abstraction [Kroening et al.; Lahiri et al.]
22
Computing new abstraction
C program:
  1: x = ctr
  2: y = ctr + 1
  3: if (x == i-1)
  4:   if (y != i) ERROR
Global constraint: ¬(b2 ⟺ b3) (ctr == i - 1 holds exactly when
ctr + 1 != i does not)
Boolean b3 := (ctr == i - 1)
Boolean b2 := (ctr + 1 != i)
Boolean b1 := (x == i - 1)
Boolean b0 := (y != i)
Abstract model:
  1: b1 = b3
  2: b0 = b2
  3: if (b1)
  4:   if (b0) ERROR
23
Abstraction without register sharing
Global constraint: ¬(b2 ⟺ b3)
Boolean b3 := (ctr == i - 1)
Boolean b2 := (ctr + 1 != i)
Boolean b1 := (x == i - 1)
Boolean b0 := (y != i)
Abstract model:
  1: b1 = b3
  2: b0 = b2
  3: if (b1)
  4:   if (b0) ERROR
24
Model check
ERROR is not reachable!
Global constraint: ¬(b2 ⟺ b3)
Boolean b3 := (ctr == i - 1)
Boolean b2 := (ctr + 1 != i)
Boolean b1 := (x == i - 1)
Boolean b0 := (y != i)
Abstract model:
  1: b1 = b3
  2: b0 = b2
  3: if (b1)
  4:   if (b0) ERROR
25
What have we covered so far
  • Localize predicates using weakest pre-conditions
  • Utilize weakest pre-condition relationships
  • Bottleneck: model checking of the abstraction without register
    sharing

26
Register sharing
  • Due to localization many predicates are useful
    only at a few program locations
  • Reuse state variables for representing other
    predicates
  • Similar to register allocation

27
Abstraction with register sharing
Do we need 4 Boolean variables?
28
Abstraction with register sharing
Without register sharing:
  1: b1 = b3
  2: b0 = b2
  3: if (b1)
  4:   if (b0) ERROR
  Global constraint: ¬(b2 ⟺ b3)
With register sharing (the diagram maps the four Booleans onto two
registers: c1 holds b3 and later b1, c0 holds b2 and later b0, so the
assignments at statements 1 and 2 become skips):
  1: skip
  2: skip
  3: if (c1)
  4:   if (c0) ERROR
  Local constraint: (PC == 1) ⟹ ¬(c0 ⟺ c1)
29
Register sharing
  • Register sharing reduces the number of Boolean variables in the
    abstract model
  • Speeds up model checking of abstractions
  • What's next: reducing the number of refinement iterations

30
Problem with register sharing
[Diagram: predicate p is represented by Boolean b1 at locations L1 and
L2, where it has the value 0, and by a different Boolean b2 at L19 and
L20, where it has the value 1; the abstract path between L2 and L19 is
marked Spurious.]
31
Dedicated state variable
[Diagram: the same predicate p is represented by one dedicated Boolean
b at L1, L2, L19 and L20.]
32
Dedicated state variables
  • Initially each predicate is assigned a Boolean variable, which can
    be reused
  • If a predicate p is localized at many statements, i.e.
    |{s : p ∈ local(s)}| > TH for some threshold TH, then p is assigned
    a dedicated state variable (not reused)
  • By having a low value of TH, we can discover globally useful
    predicates early
  • Why does this work?

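As an added worked example (not code from the slides or from F-Soft), the following Python models the procedure described above on the slides' own program: the backward weakest-pre-condition pass of slides 7 and 13 that localizes predicates and yields the abstract assignments of slides 16 to 20, the register sharing of slide 28, and the TH rule of slide 32. The predicate strings, the greedy interval allocation and the c<n>/d<n> variable names are assumptions of this example.

```python
import re

# Constructed input: the slides' spurious trace as ("assign", var, expr) and
# ("assume", cond) steps; statement k is TRACE[k - 1].
TRACE = [("assign", "x", "ctr"), ("assign", "y", "ctr + 1"),
         ("assume", "x == i - 1"), ("assume", "y != i")]

def subst(pred, var, expr):
    """Weakest pre-condition across an assignment: whole-word var -> expr."""
    rep = expr if expr.isidentifier() else f"({expr})"
    return re.sub(rf"\b{var}\b", rep, pred)

def localize(trace):
    """Backward wp pass: local[k] = predicates needed at statement k; rels =
    (k, post, pre) with post <=> pre across the assignment at k (no SAT needed)."""
    local, rels, carried = {}, [], []
    for k in range(len(trace), 0, -1):
        stmt = trace[k - 1]
        if stmt[0] == "assume":               # the assumed condition is needed here
            carried = [stmt[1]] + [p for p in carried if p != stmt[1]]
        else:                                  # assignment: push predicates backwards
            _, var, expr = stmt
            pre = [subst(p, var, expr) for p in carried]
            rels += [(k, p, q) for p, q in zip(carried, pre) if p != q]
            carried = pre
        local[k] = list(carried)
    return local, rels

def allocate(local, th):
    """Register sharing by greedy interval colouring of live ranges onto c<n>;
    a predicate localized at more than th statements gets a dedicated d<n>
    instead (the slides' TH rule; the c<n>/d<n> names are assumed here)."""
    rng = {}
    for k, preds in local.items():
        for p in preds:
            lo, hi = rng.get(p, (k, k))
            rng[p] = (min(lo, k), max(hi, k))
    busy_until, assign = [], {}                # busy_until[r]: last statement using c<r>
    for p, (lo, hi) in sorted(rng.items(), key=lambda kv: kv[1]):
        if sum(p in v for v in local.values()) > th:
            assign[p] = f"d{sum(v.startswith('d') for v in assign.values())}"
            continue
        for r, end in enumerate(busy_until):
            if end < lo:                       # c<r> is free again before statement lo
                busy_until[r], assign[p] = hi, f"c{r}"
                break
        else:
            busy_until.append(hi)
            assign[p] = f"c{len(busy_until) - 1}"
    return assign
```

With `local, rels = localize(TRACE)`, `allocate(local, 3)` maps the four predicates onto two registers as on slide 28, while `allocate(local, 1)` gives a dedicated variable to each of the three predicates localized at two statements.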
33
Experimental Results
  • TCAS (Traffic Alert and Collision Avoidance System)
  • Lines of code: 1652
  • We checked 10 different safety properties
  • A non-trivial number of predicates is needed for each property, both
    by F-Soft and by BLAST

34
F-Soft versus BLAST (craig 2 predH7)
[Chart comparing F-Soft with BLAST (craig 2 predH7); the numbers are
not reproduced in the transcript.]
35
Summary
  • Localize predicates using weakest pre-conditions
  • Most predicate relationships are obtained as a by-product
  • Faster and less coarse abstractions
  • Comparable to interpolation-based techniques
  • Model checking abstractions: exploit localization information to
    reduce the number of Boolean variables
  • Reducing refinement iterations: predict globally useful predicates
    early in the abstraction refinement process

36
Questions?