Motivation - PowerPoint PPT Presentation

About This Presentation
Title: Motivation

Description: CAV, Seattle - August 20, 2006. Motivation. Verify safety properties of software involving heap-based data ... Shape analysis can be used to compactly represent ... – PowerPoint PPT presentation

Slides: 33
Provided by: DB296

Transcript and Presenter's Notes

2
Motivation
  • Verify safety properties of software involving
    heap-based data structures
  • Arrays
  • Recursive data structures (lists, trees, ...)
  • BLAST is based on predicate abstraction
  • Drawback: it is hard to find a compact abstraction of
    the heap

3
Shape Analysis
  • Shape analysis can be used to compactly represent
    heap configurations
  • Integrate shape analysis into BLAST
  • 3-valued logical structures to represent shape
    graphs [Sagiv, Reps, Wilhelm 02]
  • Nodes represent memory cells
  • Unary and binary predicates over nodes

4
Shape Graphs as Heap Model
  [Figure: a heap configuration (cells v1 ... v5 linked by the n field) and
  the corresponding shape graph; v1 ... v4 carry fd_{h=1} and r_{a,n},
  v5 carries fd_{h=3}, r_{a,n} and r_{p,n}; pt_a marks the cell a points
  to and pt_p the cell p points to]
  • Shape class: points-to predicates pt_a, pt_p; field
    predicates fd_{h=1}, fd_{h=3}; other predicates n,
    r_{a,n}, r_{p,n}
  • Node = memory cell; a unary predicate with value 1 is
    drawn as a node label, a binary predicate with value 1
    as an edge
5
Abstract Shape Graphs
  [Figure: the concrete shape graph of the previous slide (v1 ... v5) vs.
  the abstract shape graph in 3-valued logic, in which the cells between
  v1 and v5 are collapsed into a summary node whose n edges have the
  value 1/2]
  • Abstraction predicates: pt_a, pt_p, fd_{h=1}, fd_{h=2},
    r_{a,n}, r_{p,n}
  • 1/2 value, summary node
6
CEGAR (CounterExample-Guided Abstraction Refinement)
[Clarke et al. 00, Ball Rajamani 02]
  [Diagram: Code -> Build Abstraction -> Model Check Abstraction; the
  result is either a Correctness Certificate (SAFE!) or an Abstract
  Trace -> Concretize Trace, which yields either a Concrete Trace (BUG!)
  or New Predicates of Interest that are fed back into Build Abstraction]
7
CEGAR with Shape Analysis
  [Diagram: the same loop, with the abstraction now being Predicate +
  Shape: Code -> Build Abstraction (Predicate + Shape) -> Model Check
  Abstraction (Predicate + Shape); either a Correctness Certificate
  (SAFE!) or an Abstract Trace -> Concretize Trace, which yields either a
  Concrete Trace (BUG!) or New Nullary, Points-to and Field Predicates
  fed back into Build Abstraction]
8
Lazy Shape Refinement
  [Diagram: as on the previous slide, but the abstraction is built
  on-the-fly and refined locally: New Nullary, Points-to and Field
  Predicates only rebuild the Refined Parts of the Abstraction before
  the Model Check Abstraction (Predicate + Shape) step runs again; the
  outcomes remain Correctness Certificate (SAFE!) and Concrete Trace
  (BUG!)]
9
Contributions
  • Integrate shape analysis into the CEGAR loop
  • Track shape graphs during reachability analysis
  • Automatic refinement of shape classes (by adding
    new points-to and field predicates)
  • ⇒ More programs proved safe by BLAST

10
Contributions: Laziness
  • Lazy refinement for nullary predicates works well
  • Apply the same idea to unary and binary predicates
  • track only if needed (track only lists that are
    relevant)
  • track only where needed (parsimonious
    abstraction)
  • track the most abstract shape class (small number
    of predicates)

11
Shape Tracking
  [Diagram: the model checker runs with the current predicate abstraction
  and the current shape abstraction; an abstract state is
  (PC, Boolean abstr., Shape abstr.), e.g. at l1 the state (l1, P, S)
  and at the successor l2 the state (l2, post_PA(P), post_SA(S)); if the
  exploration finishes the program is SAFE!, if an abstract error path
  is found the abstract counterexample is analyzed]
12
Shape Refinement
  [Diagram: when an abstract error path is found, the path formula is
  built and interpolated: UNSAT gives new nullary predicates for the
  current predicate abstraction; if SAT, the extended path formula is
  built and interpolated: UNSAT gives new unary and binary predicates for
  the current shape abstraction, SAT means BUG!; if the model checker's
  exploration finishes without an error path, the program is SAFE!]
13
    List a = (List) malloc(...);
    List p = a;
    while (nondet()) {          /* non-deterministic loop exit */
      if (flag) p->h = 1; else p->h = 2;
      p->n = (List) malloc(...);
      p = p->n;
    }
    p->h = 3;
    p = a;
    if (flag) { while (p->h == 1) p = p->n; }
    else      { while (p->h == 2) p = p->n; }
    assert(p->h == 3);
Heap-stored list
Boolean control
Both are needed to prove the assertion
14
(Program as on slide 13.)
15
Imprecision of Path-Insensitive Dataflow Analysis
  [Diagram: the branch on flag assigns p->h = 1 on one side and
  p->h = 2 on the other; at the join point the two facts are joined and
  the information about their correlation with flag is lost, so the
  later branch on flag into while (p->h == 1) / while (p->h == 2)
  cannot be resolved]
16
Imprecision of Path-Insensitive Dataflow Analysis
  [Diagram: as on the previous slide]
  ⇒ Nullary predicates (e.g. flag = 0) can make the
  analysis as path-sensitive as necessary
17
Refinement Example
(Program as on slide 13.)
(Infeasible) abstract path, steps 1-9:
     1  a = (List) malloc();
     2  p = a;
     3  while: not taken
     4  p->h = 3;
     5  p = a;
     6  assume(!flag);
     7  assume(p->h != 2);
     8  assume(p->h != 3);
     9  ERROR
18
Refinement Example
(Infeasible) abstract path as on slide 17, steps 1-9.
Path formula (one conjunct per step, SSA-indexed):
     1  true
     2  p2 = a1
     3  true
     4  (p2->h)4 = 3
     5  p5 = a1 and (p5->h)5 = (a1->h)4
     6  !flag0
     7  (p5->h)5 != 2
     8  (p5->h)5 != 3
Does not account for aliasing precisely
19
Refinement Example
(Infeasible) abstract path and path formula as on slide 18.
Path formula: satisfiable
Try with the extended path formula!
20
Refinement Example
(Infeasible) abstract path as on slide 17, steps 1-9.
Extended path formula:
     1  true
     2  p2 = a1
     3  true
     4  (p2->h)4 = 3 and (p2 = a1 ⇒ (a1->h)4 = 3)
     5  p5 = a1 and (p5->h)5 = (a1->h)4
     6  !flag0
     7  (p5->h)5 != 2
     8  (p5->h)5 != 3
21
Refinement Example
(Infeasible) abstract path and extended path formula as on slide 20.
Extended path formula: unsatisfiable
Interpolants: p2 = a1, (p5->h)5 = 3, (a1->h)4 = 3
⇒ Add points-to predicates pt_a, pt_p and field
predicate fd_{h=3}
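Added example (not code from the slides or from BLAST/TVLA): a brute-force check over tiny finite domains that shows why the plain path formula of steps 1-8 is satisfiable while the extended path formula is not. The variable names are the SSA-indexed terms from the slides; the domains {0, 1} for addresses and {1, 2, 3} for the field h are assumptions chosen to keep the enumeration small.

```python
from itertools import product

# Finite domains (assumption): two abstract heap cells, h in {1, 2, 3}.
ADDRS = (0, 1)
HVALS = (1, 2, 3)
# Free variables of both formulas, named after the slides' SSA terms.
VARS = ("a1", "p2", "p5", "p2_h4", "a1_h4", "p5_h5", "flag0")


def path_formula(m):
    """Plain path formula for steps 1-8 of the abstract path (slide 18)."""
    return (m["p2"] == m["a1"]              # 2: p = a
            and m["p2_h4"] == 3             # 4: p->h = 3 (written via p2)
            and m["p5"] == m["a1"]          # 5: p = a
            and m["p5_h5"] == m["a1_h4"]    # 5: p->h now reads a1's cell
            and not m["flag0"]              # 6: assume(!flag)
            and m["p5_h5"] != 2             # 7: assume(p->h != 2)
            and m["p5_h5"] != 3)            # 8: assume(p->h != 3)


def extended_path_formula(m):
    """Extended path formula (slide 20): step 4 additionally states that
    the write through p2 updates a1's cell whenever p2 and a1 alias."""
    alias_clause = (m["p2"] != m["a1"]) or (m["a1_h4"] == 3)
    return path_formula(m) and alias_clause


def find_model(formula):
    """Enumerate every assignment over the finite domains; return the
    first satisfying one as a dict, or None if the formula is UNSAT."""
    domains = (ADDRS, ADDRS, ADDRS, HVALS, HVALS, HVALS, (False, True))
    for values in product(*domains):
        m = dict(zip(VARS, values))
        if formula(m):
            return m
    return None


if __name__ == "__main__":
    m = find_model(path_formula)
    # The model has p2 = a1 but (p2->h)4 = 3 and (a1->h)4 != 3: the
    # aliasing between p2 and a1 is not reflected in the plain formula.
    print("path formula:", "SAT" if m else "UNSAT", m)
    print("extended path formula:",
          "SAT" if find_model(extended_path_formula) else "UNSAT")
```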
22
Refinement Example
(Infeasible) abstract path as on slide 17, steps 1-9.
  [Figure: refined shape class in the next round of reachability: a
  single node v1 labelled pt_a, pt_p and fd_{h=3}]
Infeasible
The spurious counterexample will be ruled out
because of the refined shape class
23
Refinement Example (2)
(Program as on slide 13.)
Infeasible abstract path (according to the extended path formula),
steps 1-14:
     1  a = (List) malloc();
     2  p = a;
     3  while: taken
     4  assume(!flag);
     5  p->h = 2;
     6  p->n = (List) malloc();
     7  p = p->n;
     8  while: not taken
     9  p->h = 3;
    10  p = a;
    11  assume(!flag);
    12  assume(p->h != 2);
    13  assume(p->h != 3);
    14  ERROR
24
Refinement Example (2)
Abstract path as on slide 23, steps 1-14.
  [Figure: current shape graph: v1 (pt_a) -n-> v2 (pt_p, fd_{h=3})]
Interpolant: (a1->h)5 = 2
⇒ Add field predicate fd_{h=2}
25
Refinement Example (2)
Abstract path as on slide 23, steps 1-14.
  [Figure: before refinement, v1 (pt_a) -n-> v2 (pt_p, fd_{h=3});
  in the next round of reachability, v1 (pt_a, fd_{h=2}) -n-> v2
  (pt_p, fd_{h=3})]
26
(Program as on slide 13.)
Predicate abstraction alone: flag = 0, p->h = 1, p->n->h = 1,
p->n->n->h = 1, p->n->n->n->h = 1, ...
⇒ Infinitely many predicates ⇒ BLAST fails
27
Implementation
  • BLAST as verification engine
  • Calls to TVLA for 3-valued operations

28
Experiments (red: false-positive, green: safe)
29
Future work: Refinement
  • Now: automatic discovery of points-to and field
    predicates
  • Future: automatic discovery of derived
    (instrumentation) predicates
  • E.g. reachability, cyclicity, sharing
  • Currently pre-defined

30
Related Work
  • Loginov, Reps, Sagiv [CAV 05] Abstraction
    refinement via inductive learning - refinement by
    adding instrumentation predicates
  • Fischer, Jhala, Majumdar [FSE 05] Predicated
    lattice - run data flow analysis in parallel -
    fixed abstract domain (no refinement)
  • Gulavani, Rajamani [TACAS 06] CEGAR for abstract
    interpretation - not a lazy refinement

31
Conclusion
  • Extend BLAST's abstract region with shape
    graphs ⇒ extends the class of programs that can
    be proved by BLAST (precision)
  • Lazy refinement of shape classes ⇒ improves
    performance of shape analysis (efficiency)

32
Thanks! Questions?
  • Visit the BLAST website
  • http://mtc.epfl.ch/blast