Automatic Predicate Abstraction of C-Programs (PowerPoint presentation transcript)

1
Automatic Predicate Abstraction of C-Programs
  • T. Ball, R. Majumdar
  • T. Millstein, S. Rajamani

2
Overview (1)
  • Motivation: software systems are typically infinite state
    • model checking is finite state → check an abstraction of the software system
  • Automatic predicate abstraction
    • first proposed by Graf & Saidi
    • concrete states are mapped to abstract states under a finite set of predicates
    • designed and implemented for
      • finite state systems
      • infinite state systems specified as guarded commands
    • not implemented for a programming language such as C
  • The C2BP tool
    • performs automatic predicate abstraction of C programs
    • given (P, E) → BP(P, E), a boolean program (P: C program, E: finite set of predicates)

3
Overview (2)
  • Boolean program BP(P, E): a C program with bool as its single type
    • plus some additional constructs
    • same control structure as P
    • contains only |E| boolean variables, one for each predicate in E
    • e.g. (x<y) ∈ E → x<y is a boolean variable of BP(P, E); then "x<y is true at program point p" ⇔ (x<y) is true at p
  • transfer function computed automatically for each statement s in P
    • conservatively represents the effect of s on the predicates in E
  • BEBOP model checker
    • used to analyze the boolean program
    • performs interprocedural dataflow analysis using binary decision diagrams (BDDs)

4
Results from applying C2BP
  • Pointer manipulating programs: identify invariants involving pointers
    • more precise alias information than with a flow-sensitive alias analysis
    • structural properties of the heap preserved by list manipulating code
  • Examples on proof-carrying code: identify loop invariants
  • SLAM toolkit: check safety properties of Windows NT device drivers
    • C2BP + BEBOP statically determine whether or not an assertion violation can take place in C code
    • demand-driven abstraction refinement automatically finds new predicates for a particular assertion
    • convergence (undecidability) was not a problem on any of the Windows NT drivers checked

5
Challenges of predicate abstraction in C (1)
  • Pointers: two related subproblems treated in a uniform way
    • assignments through dereferenced pointers in the original C program
    • pointer dereferences in the predicates used for the abstraction
  • Procedures: allow procedural abstraction in boolean programs. They also have
    • global variables
    • procedures with local variables
    • call-by-value parameter passing
    • procedural abstraction: signatures constructed in isolation
  • Procedure calls: the abstraction process is challenging in the presence of pointers
    • after a call the caller must conservatively update local state modified by the procedure
    • sound and precise approach that takes side-effects into account

Presenter's note: make both abstraction and analysis more efficient by exploiting procedural abstraction (vs. inlining, e.g. for recursive procedures).
6
Challenges of predicate abstraction in C (2)
  • Unknown values: it is not always possible to determine the effect of a statement in the C program in terms of the input predicate set E
    • such nondeterminism is handled in BP with * (non-deterministic choice), which allows a 3-valued domain for boolean variables to be expressed implicitly
  • Precision-efficiency tradeoff: computing the abstract transfer function for a statement s in the C program with respect to the predicate set E may require the use of a theorem prover
    • O(2^|E|) calls to the theorem prover
    • apply optimization techniques to reduce this number

7
Predicate abstraction overview
  • PA problem: given (P, E) where
    • P is a C program
    • E = {φ1, ..., φn} is a set of pure boolean C expressions over variables and constants of the C language
  • Compute BP(P, E), which is a boolean program that
    • has the same control structure as P
    • contains only the boolean variables V = {b1, ..., bn}, where bi represents predicate φi
    • is guaranteed to be an abstraction of P (superset of traces modulo )
  • Assumptions over a C program
    • all intraprocedural control flow is by if and goto
    • all expressions are free of side-effects and short-circuit evaluation
    • no expression contains multiple pointer dereferences (e.g. **p)
    • function calls occur at the topmost level of expressions

8
Weakest precondition and cubes (monomials)
  • Weakest precondition WP(s, φ): {WP(s, φ)} s {φ}
    • the weakest predicate whose truth before s entails the truth of φ after s terminates (if it terminates)
    • assignment: WP(x = e, φ) = φ[e/x] (no side-effects)
    • Example: WP(x = x+1, x<5) = (x<5)[x+1/x] = x+1 < 5 = x<4
  • central to predicate abstraction: for a statement s and φi ∈ E, if WP(s, φi) ≡ φj for some φj ∈ E (so the boolean variable bj stands for WP(s, φi)), then the C code s becomes the BP(P, E) code bi := bj
  • However, no such bj may exist if WP(s, φ) ∉ E
    • Example: E = {(x<5), (x=2)}, WP(x = x+1, x<5) = x<4 ∉ E → strengthen the predicate using the decision procedure (DP): x=2 ⇒ x<4, so use x=2 instead

Presenter's note: if (bj) then bi = true.
9
Strengthening and weakening
  • Cube over V: a conjunction c_i1 ∧ ... ∧ c_ik where c_ij ∈ {b_ij, ¬b_ij} for b_ij ∈ V
  • Concretization function ε: ε(bi) = φi, ε(¬bi) = ¬φi
    • extend ε over disjunctions of cubes in the natural way
  • Predicate F_V(φ): the largest disjunction of cubes c over V such that ε(c) ⇒ φ
    • F_V(φ) = ∨ { ci | ci ∈ cubes_over(V) ∧ ε(ci) ⇒ φ }
  • Strengthening of φ: ε(F_V(φ))
    • the weakest predicate over ε(V) that implies φ
    • Example: ε(F_V(x<4)) = (x=2)
  • Weakening of φ: ε(G_V(φ)) where G_V(φ) = ¬F_V(¬φ)
    • ε(G_V(φ)) is the strongest predicate over ε(V) implied by φ
  • Theorem prover: for each cube, check the implication → decision procedure
    • Simplify, Vampyre: equational (Nelson-Oppen) style provers