Lazy Abstraction

1
Lazy Abstraction

• Thomas A. Henzinger
• Ranjit Jhala
• Rupak Majumdar
• Grégoire Sutre
• UC Berkeley

2
Motivation

• Verification of systems code
• Locking disciplines
• Interface specifications
• Essential for correct operation
• High rate of bugs
• Temporal properties
• Require path-sensitive analysis
• Swamped by false positives
• Really hard to check

3
Model Checking

• Doesnt scale to low level implementations
• Can only model check abstractions
• Requires human intervention
• Abstract Check Refine Loop
• Microsoft SLAM Project
• Clarke et. al. 00, Saidi 00

4
Abstract-Check-Refine Loop
Abstract
Is model unsafe ?
Check
Refine
Why infeasible ?
Infeasible
5
Model Checking 101

• Keep searching successors until
• Hit error states report bug !
• Add no new successors report safe
• Could take a long time

Init
ERROR STATES
SYSTEMS STATE SPACE
6
Model Checking Abstraction

• Problem Far too many states
• Iterations dont terminate !
• Solution Abstract

7
Model Checking Abstraction

• Problem Abstraction too coarse
• Solution Refine abstraction
• Make boxes smaller

Init

ERROR STATES
8
Model Checking Abstraction

• Problem Abstraction too coarse
• Solution Refine abstraction
• Make boxes smaller

Init

ERROR STATES
9
Abstract Only Where Required

• Abstraction is very expensive
• Why abstract regions that are never visited ?

• On-the-fly abstraction driven by the search

Init
ERROR STATES
10
Refine Only Where Required

• Why be precise everywhere ?
• Dont refine error-free regions

Init
ERROR STATES
ERROR FREE

11
Refine Only Where Required

• Why be precise everywhere ?
• Dont refine error-free regions

• Different precision for different regions
• Local Refinement driven by the search

Init
ERROR STATES
ERROR FREE

12
How to improve

• Abstract only where required
• Reachable state space is very sparse
• Construct the abstraction on-the-fly
• Use greater precision only where required
• Different precisions/abstractions for different
  regions
• Refine locally
• Reuse work from earlier phases
• Batch-oriented ) lose work from previous runs
• Integrate the three phases
• Exploit control flow structure

13
Example
Example ( ) 1 if () 7 do
got_lock 0 8 if
() 9 lock()
got_lock 10
if (got_lock) 11
unlock() 12 while
() 2 do lock()
old new 3 if () 4
unlock() new
5 while ( new ! old) 6
unlock () return
Q Is Error Reachable ?
14
ExampleCFA
1
Example ( ) 1 if () 7 do
got_lock 0 8 if
() 9 lock()
got_lock 10
if (got_lock) 11
unlock() 12 while
() 2 do lock()
old new 3 if () 4
unlock() new
5 while ( new ! old) 6
unlock () return
15
ExampleCFA
Example ( ) 1 if () 7 do
got_lock 0 8 if
() 9 lock()
got_lock 10
if (got_lock) 11
unlock() 12 while
() 2 do lock()
old new 3 if () 4
unlock() new
5 while ( new ! old) 6
unlock () return
got_lock0
gt
gt
lock() got_lock
got_lock ! 0
got_lock 0
unlock()
gt
gt
16
ExampleCFA
Example ( ) 1 if () 7 do
got_lock 0 8 if
() 9 lock()
got_lock 10
if (got_lock) 11
unlock() 12 while
() 2 do lock()
old new 3 if () 4
unlock() new
5 while ( new ! old) 6
unlock () return
Q Is Error Reachable ?
17
Step 1 Search
gt
lock() old new
gt
unlock() new
newold
Set of predicates LOCK0, LOCK1
unlock()
18
Step 2 Analyze Counterexample
Q When can
States that can wp( gt,ops) States at node n
Rn ) check Rn Æ wp( gt,ops) ? ?
19
Step 2 Analyze Counterexample
LOCK0 Æ new1 new
lock() old new
LOCK1 Æ new1 old
gt
LOCK1 Æ new 1 old
unlock() new
LOCK0 Æ new old
newold
LOCK0
unlock()
LOCK0
Rn Æ wp (gt,ops) ? ?
20
Step 2 Analyze Counterexample
LOCK0 Æ new1 new
lock() old new
LOCK1 Æ new1 old
gt
LOCK1 Æ new 1 old
unlock() new
LOCK0 Æ new old
Track the predicate new old
newold
LOCK0
unlock()
LOCK0
21
Step 3 Resume search
1
LOCK0
lock() old new
gt
unlock() new
Set of predicates LOCK0, LOCK1
newold
new!old
New predicate new old,
22
Step 3 Resume search
gt
new!old
newold
Set of predicates LOCK0, LOCK1
unlock()
LOCK0 Æ new old
New predicate new old
23
ExampleCFA
Example ( ) 1 if () 7 do
got_lock 0 8 if
() 9 lock()
got_lock 10
if (got_lock) 11
unlock() 12 while
() 2 do lock()
old new 3 if () 4
unlock() new
5 while ( new ! old) 6
unlock () return
got_lock0
gt
gt
lock() got_lock
got_lock ! 0
got_lock 0
unlock()
gt
gt
24
Step 4 Search Right Branch
Set of predicates LOCK0, LOCK1
New predicate (from trace) got_lock 0
25
Leaves Covered (Reuse work)
Leaves covered Avoid repeating search
when paths merge
LOCK0 Æ
COVERED !
26
Different Abstractions
Different predicates for different parts of
state space
Local refinement Preserves work on left tree
got_lock 0
new old
27
Predicate Discovery

• Information lost in substitution
• Keep substitutions explicit
• Ask a proof of unsatisfiability
• Pick predicates appearing in proof

28
Predicate Discovery
Weakest Precondition wp(Y, xe) Y e/x
Explicit WP wp(Y, xe) 9 x. x e Æ Y
x/x
LOCK 0 Æ 9 old new LOCK. old
new Æ LOCK0 Æ new old Æ new
new 1
New Predicates from proof of unsatisfiability
old new, new old, new new 1
29
Lazy abstraction

• For any system, require
• Region representation
• Boolean operations , Å,
• Covering check µ
• post Region ! Approx. succ. Region
• Forward Search
• pre Region ! Exact pred. Region
• Backward counterexample analysis
• focus why a trace is infeasible

30
BLAST

• Berkeley Lazy Abstraction Software verification
  Tool
• 10K Lines of Ocaml
• Analyze Linux/Windows Device Drivers

LAZY ABSTRACTION
31
Experiments Not in POPL paper

• Linux Device Drivers (Locking protocol)
• Windows Drivers (IRP Spec 22 states)

32
Why Abstract Lazily ?

• Reach set is very sparse
• Abstract on-the-fly
• Only the reachable region
• Requires very fast post
• Exploit Control-Flow Structure
• Free partitioning of state space
• Partition preds different abstractions
• Refine locally dont repeat old work

33
Problems/Future work

• Monolithic vs. Multi-model abstractions
• How to partition predicates ?
• Predicate-flow analyses ?
• Recursion
• Summaries tricky with on-the-fly search
• Smarter abstractions
• Heap data structures ?

34
Predicate Abstraction
Region Representation formulas over predicates
Set of states
Abstract Set P1P2P4 Ç P1 P2 P3 P4
35
Predicate Abstraction

• Box abstract variable valuation
• BoxCover(S) Set of boxes covering S
• Theorem prover used to compute BoxCover

36
Post, Pre
post
post(S)
post(S)

• pre(S,op) s 9s2S. s !op s (Weakest
  Precondition)
• post(S,op) s 9s2S. s !op s (Strongest
  Postcondition)
• Abstract Operators post
• post(S,op) µ post(S,op)
• Concrete Operators pre
• Classical Weakest Precondition

37
Predicate Abstraction in SLAM

• Abstraction Boolean Programs (C2BP)
• Boolean variable for each predicate
• C program ? Boolean program
• Model checker Bebop
• Refine Newton
• Extracts new predicates from error trace
• Start afresh with new abstraction
• Can we do better ?
• Reuse work from earlier phases
• Abstract only where required
• Use additional predicates only where required

38
Example
Example ( ) 1 if () 7 do
got_lock 0 8 if
() 9 lock()
got_lock 10
if (got_lock) 11
unlock() 12 while
() 2 do lock()
old new 3 if () 4
unlock() new
5 while ( new ! old) 6
unlock () return
39
Example Specification
Example ( ) 1 if () 7 do
got_lock 0 8 if
() 9 lock()
got_lock 10
if (got_lock) 11
unlock() 12 while
() 2 do lock()
old new 3 if () 4
unlock() new
5 while ( new ! old) 6
unlock () return
lock () if (LOCK 0) LOCK 1
else ERROR
Q Is Error Reachable ?
unlock () if (LOCK 1) LOCK 0
else ERROR
40
ExampleCFA
Example ( ) 1 if () 7 do
got_lock 0 8 if
() 9 lock()
got_lock 10
if (got_lock) 11
unlock() 12 while
() 2 do lock()
old new 3 if () 4
unlock() new
5 while ( new ! old) 6
unlock () return
got_lock0
get_lock ! 0
get_lock 0
unlock()
41
ExampleCFA
Example ( ) 1 if () 7 do
got_lock 0 8 if
() 9 lock()
got_lock 10
if (got_lock) 11
unlock() 12 while
() 2 do lock()
old new 3 if () 4
unlock() new
5 while ( new ! old) 6
unlock () return
lock () if (LOCK 0) LOCK 1
else ERROR
unlock () if (LOCK 1) LOCK 0
else ERROR
Q Is Error Reachable ?
42
Model Checking

• Doesnt scale to low level implementations
• Abstract Check Refine Loop
• Microsoft SLAM Project
• Clarke et. al. 00, Saidi 00
• Abstraction is expensive !
• Abstract only if/where required
• Different abstractions for different parts of
  system
• Reuse work from previous iterations
• Lazy abstraction
• Short circuits the loop
• Avoids repeating work
• Abstractions computed locally, if/where required

43
Can We Do Better ?

• Abstract only where required
• Reachable state space is very sparse
• Use greater precision only where required
• Different precisions/abstractions for different
  regions
• Reuse work from earlier phases
• Batch-oriented ) lose work from previous runs
• Dont repeat search in error-free regions

44
Our proposal

• Integrate the three phases
• Construct the abstraction on-the-fly
• Driven by the reachability search
• Refine the abstraction on demand
• Refine locally

45
Outline

• Motivation
• The verification loop
• An example
• The Lazy abstraction algorithm
• BLAST
• Conclusions

46
Outline

• Motivation
• The verification loop
• An example
• The Lazy abstraction algorithm
• BLAST
• Conclusions

47
Outline

• Motivation
• The verification loop
• An example
• The lazy abstraction algorithm
• For sequential code
• Blast
• Conclusions

48
Outline

• Motivation
• The verification loop
• An example
• The lazy abstraction algorithm
• For sequential code
• Blast
• Conclusions

49
1 Forward Search
post
µ
50
2 Counterexample Analysis
pre, Å
51
3 Refine
Focus
52
A complication
Uncovered!
53
Model Checking Abstraction

• Problem Abstraction too coarse
• Solution Refine abstraction
• Make boxes smaller