Software Model Checking: on the power of refinement

1
Software Model Checkingon the power of
refinement

• Thomas Ball
• Testing, Verification and Measurement
• Microsoft Research

2
Predicate Abstraction

• Where do predicates come from?
• Choice of predicates critical
• precision of abstraction
• efficiency
• No criteria for guiding design of predicate
  generation/refinement algorithms
• until now, rule out spurious counterexamples

3
Termination of SLAM

• Cousot-Cousot, PLILP92
• widening abstract interpretation with infinite
  lattices (WAIL) is more powerful than a (single)
  finite abstraction
• Ball-Podelski-Rajamani, TACAS02
• finite abstractions plus iterative refinement
  (FAIR) is more powerful than WAIL
• Namjoshi/Kurshan, Henzinger/Majumdar
• if there is a finite (bi-)simulation quotient
  then WAIL with no widening will terminate and
  therefore so will FAIR

4
Termination and Widening

• Widening is used to achieve termination by
  enlarging the set of states (to reach a fixpoint)
• 5 ? x ? 10 widened to 5 ? x
• Of course, widening may lose precision
• Every fixpoint algorithm that loses precision (in
  order to terminate) applies widening

5
Relative Completeness

• WAIL
• widening abstract intepretation over infinite
  lattice
• FAIR
• Finite abstraction iterative refinement
• FAIR terminates with success if
• there is an widening oracle such that WAIL
  terminates with success

6
Fixpoint
Fixpoint Widening(WAIL)
X init while X ? S do X X ? F(X)
if X ? X then break i oracles
guess X W(i, X) od return X ? S
X init while X ? S do X X ? F(X)
if X ? X then break X
X od return X ? S
7
Search Space of Widenings
8
Finite Abstraction Iterative Refinement

• If WAIL succeeds in N iterations then FAIR will
  succeed in N iterations
• But, FAIR can succeed earlier, due to use of
  interior (abstract) fixpoint

X init while true do P
atoms(X) X lfp(FP, init) if X
? S then break X X ? F(X) od return X
? S
9
Search Space
WAILoracle
FAIR
10
Outline

• Preliminaries
• WAIL and FAIR methods
• Theorem
• Discussion
• Related Work

11
Guarded Command Language

• Variables X x1, , xn
• Guarded command c
• c ? g ? x1e1 ? ? xnen also written
  as
• c ? g ? x1e1, xnen for true updates
• Program is a set of guarded commands
• each command is deterministic
• set of commands may be non-deterministic

12
Example
L1 x 0 L2 while ( x gt 0) x x 1
L3 if (y 25) L4 if ( y ! 25) L5
while ( z ! 0) z z-1 ERROR

guarded commands c1 pc L1 ? pc L2 x
0 c2 pc L2 ? x 0 ? x x 1 c3 pc
L2 ? x lt 0 ? pc L3 c4 pc L3 ? y 25 ?
pc L4 c5 pc L4 ? y ? 25 ? pc L5 c6
pc L5 ? z ? 0 ? z z -1 c8 pc L5 ? z0
? pc ERROR
13
Symbolic Representation of States

• ? ? ?i?I ? j?J(i) ?ij
• ?ij atomic formula such as (xlt5)
• ? ? ? ? ? ? ?

14
pre/post ofc ? g ? x1e1 ? ? xnen

• prec(?) ? g ? ?e1,en/ x1,xn
• postc(?) ? (?X.(? ? c))X/X
• pre(?) ? ?c?C prec(?)
• post(?) ? ?c?C postc(?)

15
Reachability
unsafe
unsafe
init
16
Safe Forward Invariants

• ? is a safe forward invariant if
• init ? ?
• post(?) ? ?
• ? ? safe

17
Example

• L1 i0
• L2 while(i?N) L3 ii1
• L4 assert(igt0) L5
• A safe inductive invariant ?
• (pcL1) ?
• (pcL2 ? i0) ?
• (pcL3 ? i?0) ?
• (pcL2 ? igt0) ?
• (pcL4 ? igt0) ?
• (pcL5)

init ? (pcL1) safe ? (pcL4) ? (igt0)
post(?) (pcL2 ? i0) ? (pcL3 ? i0 ? i?N)
? (pcL2 ? i?1) ? (pcL3 ? igt0 ? i?N) ? (pcL4
? igt0 ? igtN) ? (pcL5 ? igt0) ? (pcL5)
18
Safe Backward Invariants

• ? is a safe backward invariant if
• unsafe ? ?
• pre(?) ? ?
• ? ? noninit

19
Neutral notation

• ? is a safe ltF,start,boundgt-invariant if
• start ? ?
• F(?) ? ?
• ? ? bound
• ltF,start,boundgt
• ltpost,init,safegt
• ltpre,unsafe,noninitgt

20
F via Predicate Abstraction

• A set P of predicates over a programs state
  space defines an abstraction of the program
• P (a1), (b1), (agt0)
• Uninterpreted atoms a1b1agt0
• If P has n predicates, the abstract domain
  contains exactly 22n elements
• an abstract state conjunction (?) of atoms
• a set of abstract states disjunction (?) of
  abstract states

21
Abstract Ordering ?P(read syntactic
implication)

• ?i?Ici ?P ?k?Kck ?

for all i?I, exists k?K atoms(ci) ? atoms(ck)
a1?b1 ?P a1
a1?b1 ?P a1?agt0
a1?agt0 ?P a1
22
Free Lattice of DNF over a,b
a ? b ? (a?b)
a ? b
a ? (a?b)
b ? (a?b)
Logical Implication
a
b
(a?b)
?
23
FP ? ?P F ?

• ? ? the identity function
• ?P(?) ? the least ? (by ?P) such that ? ? ? ?
• Example
• P (xlt2), (xlt3), (x0)
• ? ?P( x1 ) (xlt2) ? (xlt3)

24
Agenda

• Two procedures for computing safe invariants
• WAIL
• FAIR
• Is FAIR as powerful as WAIL?

25
AIL
n 0 ? start old false loop if
(? ? old) then if (? ? bound) then
return success else return
dont know else old ? ?
? ? F(?) forever
26
Widening

• widen(?) ? such that ? ? ?
• We consider widening that simply drops terms from
  some conjuncts
• widen(?i?I ? j?J(i) ?ij )
• ?i?I ? j?J(i) ?ij where J(i) ? J(i)
• Results can be extended to other classes of
  widenings

27
WAIL
n 0 ? start old false loop if
(? ? old) then if (? ? bound) then
return success else return
Dont know else old ? i
guess provided by oracle ?
widen(i, ? ? F(?) ) forever
28
FAIR
n 0 ? start loop Pn atoms(?)
construct Fn, as defined by Pn ? lfp(Fn,
start) if (? ? bound) then return
success ? ? ? F( ?) n n
1 forever
29
FAIR
WAIL
n 0 ? start loop Pn atoms(?)
construct Fn, as defined by Pn ? lfp(Fn,
start) if (? ? bound) then return
success ? ? ? F( ?) n n
1 forever
n 0 ? start old false loop if
(? ? old) then if (? ? bound) then
return success else return
Dont know else old ? i
guess provided by oracle ?
widen(i, ? ? F(?) ) forever
Theorem Suppose ltF,start,boundgt
ltpre,unsafe,noninitgt Then, for any program P,
if Method 2 terminates with success for some
sequence of widening choices, then Method 1 will
terminate with success as well.
30

• Lemma 1 If a safe invariant ? can be expressed
  in terms of predicates in P then lfp(FP, start)
  is a safe invariant
• Lemma 2 For any guarded command c,
• prec(? ? ?) prec(?) ? prec(?)
• prec(? ? ?) prec(?) ? prec(?)
• Corollary For any guarded command c,
• atoms(prec(? ? ?)) atoms(prec(?)) ?
  atoms(prec(?))
• atoms(prec(? ? ?)) atoms(prec(?)) ?
  atoms(prec(?))

31
Proof of Theorem

• ?0 start
• ?n1 ?n ? pre(?n)

?0 start ?n1 widen(?n ? pre(?n))
for all i, atoms(?i) ? atoms(?i) by induction on
i and Lemma 2
if ?i is a safe inv. then by Lemma 1 and above
result lfp(Fatoms(?i), start) is a safe inv.
32
L1 x 0 L2 while ( x gt 0) x x 1
L3 if (y 25) L4 if ( y ! 25) L5
while ( z ! 0) z z-1 ERROR

init (pc L1) unsafe (pc ERROR) guarded
commands c1 pc L1 ? pc L2 x 0 c2
pc L2 ? x 0 ? x x 1 c3 pc L2 ? x lt
0 ? pc L3 c4 pc L3 ? y 25 ? pc
L4 c5 pc L4 ? y ? 25 ? pc L5 c6 pc L5
? z ? 0 ? z z -1 c8 pc L5 ? z0 ? pc
ERROR
Fact 1 Both naïve forward and naïve
backward reachability dont terminate Fact 2
WAIL can terminate going forward FAIR cannot
terminate going forward
33
L1 x 0 L2 while ( x gt 0) x x 1
L3 if (y 25) L4 if ( y ! 25) L5
while ( z ! 0) z z-1 ERROR

init (pc L1) unsafe (pc ERROR) guarded
commands c1 pc L1 ? pc L2 x 0 c2
pc L2 ? x 0 ? x x 1 c3 pc L2 ? x lt
0 ? pc L3 c4 pc L3 ? y 25 ? pc
L4 c5 pc L4 ? y ? 25 ? pc L5 c6 pc L5
? z ? 0 ? z z -1 c8 pc L5 ? z0 ? pc
ERROR
Fact 3 Both methods terminate going
backward!
34
Asymmetry between forward and backward

• guarded command notation is asymmetric
• satisfiability of formulas resulting from post
  requires existential quantifier elimination
• pre can be done syntactically without doing any
  satisfiability check (in fact this is necessary)

35
Observations

• Results hold for forward abstract fixpoint
  dual backward refinement
• Results generalize for negation
• BDDs implement operations in the free lattice
• Converse of theorem does not hold
• success in FAIR -/-gt success of WAIL

36
Related Work

• Namjoshi/Kurshan, Henzinger/Majumdar
• if there is a finite (bi-)simulation quotient
  then Method 1 with no widening will terminate
  and therefore so will Method 2
• Cousot/Cousot
• fixpoint widening more powerful than a single
  abstract fixpoint

37
Conclusions

• Predicate abstraction refinement and widening
  can be formally related to each other
• Predicate abstraction refinement widening
  with optimal guidance

38
Searching for Solutions

• Once upon a time, only a human could play a great
  game of chess
• but then smart brute force won the day (Deep
  Blue vs. Kasparov)
• Once upon a time, only a human could design a
  great abstraction