Title: Motivation
Slide 2: Motivation
- Verify safety properties of software involving heap-based data structures
  - Arrays
  - Recursive data structures (lists, trees, ...)
- BLAST is based on predicate abstraction
- Drawback: it is hard to find a compact abstraction of the heap
Slide 3: Shape Analysis
- Shape analysis can be used to compactly represent heap configurations
- Integrate shape analysis into BLAST
- 3-valued logical structures represent shape graphs [Sagiv, Reps, Wilhelm 02]
  - Nodes represent memory cells
  - Unary and binary predicates over nodes
Slide 4: Shape Graphs as Heap Model
Figure: a heap configuration (a singly linked list of five cells v1 .. v5 linked by the field n; a points to v1, p points to v5; h == 1 on v1 .. v4 and h == 3 on v5) and the shape graph that models it.
- Shape class: the predicates tracked for the list
  - Points-to predicates pt_a, pt_p (variable a / p points to the node)
  - Field predicates fd_{h=1}, fd_{h=3} (field h of the node has value 1 / 3)
  - Other predicates: the binary field predicate n (next pointer) and the reachability predicates r_{a,n}, r_{p,n} (node reachable from a / p via n)
- In the shape graph a node is a memory cell, a node label is a unary predicate with value 1, and an edge is a binary predicate with value 1: every node carries r_{a,n}, v1 .. v4 carry fd_{h=1}, v5 carries fd_{h=3} and r_{p,n}, and the n edges run v1 -> v2 -> v3 -> v4 -> v5.
Slide 5: Abstract Shape Graphs
Figure: the concrete shape graph of slide 4 (v1 .. v5 with pt_a on v1, pt_p on v5, fd_{h=1} and r_{a,n} on v1 .. v4, fd_{h=3}, r_{a,n}, r_{p,n} on v5) vs. its abstract shape graph in 3-valued logic.
- Abstraction predicates: pt_a, pt_p, fd_{h=1}, fd_{h=2}, r_{a,n}, r_{p,n}
- Cells that agree on all abstraction predicates (here v2, v3, v4) are merged into one summary node vs; the abstract graph keeps v1 (pt_a, fd_{h=1}, r_{a,n}), vs (fd_{h=1}, r_{a,n}) and v5 (pt_p, fd_{h=3}, r_{a,n}, r_{p,n})
- A predicate whose value differs among the merged cells gets the third truth value 1/2 ("maybe"): the n edges v1 -> vs, vs -> vs and vs -> v5 all have value 1/2
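The canonical abstraction that turns the concrete list of slide 4 into the 3-valued abstract shape graph of slide 5, as an added example (this is not BLAST or TVLA code; the cell and predicate names follow the slides, the helper functions, the HALF constant and the `vs{...}` naming of summary nodes are this example's own). It also shows what a coarser shape class costs: with only pt_a tracked, v2 .. v5 collapse into one summary node and fd_{h=3} degrades to 1/2.

```python
"""Canonical abstraction of a concrete heap configuration into a 3-valued shape
graph (Sagiv/Reps/Wilhelm style, slides 4-5).  Added example: the cell and
predicate names follow the slides, the helper functions are this example's
own and are not BLAST or TVLA code."""

HALF = 0.5  # the third truth value "maybe" of 3-valued logic


def concrete_list():
    """Constructed heap configuration of slide 4: v1 -n-> v2 -n-> v3 -n-> v4 -n-> v5,
    a points to v1, p points to v5, field h is 1 on v1..v4 and 3 on v5."""
    cells = ["v1", "v2", "v3", "v4", "v5"]
    unary = {                       # unary predicate -> cells where it is 1
        "pt_a": {"v1"},
        "pt_p": {"v5"},
        "fd_h=1": {"v1", "v2", "v3", "v4"},
        "fd_h=2": set(),
        "fd_h=3": {"v5"},
    }
    n_edges = {("v1", "v2"), ("v2", "v3"), ("v3", "v4"), ("v4", "v5")}  # binary n
    return cells, unary, n_edges


def reachable_via_n(n_edges, start):
    """Cells reachable from `start` (inclusive) by following n edges."""
    seen, work = set(), [start]
    while work:
        c = work.pop()
        if c not in seen:
            seen.add(c)
            work.extend(t for s, t in n_edges if s == c)
    return seen


def add_reachability_preds(unary, n_edges):
    """Derived (instrumentation) predicates r_{x,n}: cell reachable via n from the
    cell that x points to.  Slide 29 notes these are pre-defined in BLAST, so
    here they are computed from the concrete heap rather than discovered."""
    out = dict(unary)
    for var in ("a", "p"):
        (root,) = unary["pt_" + var]
        out["r_" + var + ",n"] = reachable_via_n(n_edges, root)
    return out


def three_valued(values):
    """Join definite truth values: all 1 -> 1, all 0 -> 0, mixed -> 1/2."""
    values = set(values)
    if values == {True}:
        return 1
    if values == {False}:
        return 0
    return HALF


def canonical_abstraction(cells, unary, n_edges, abstraction_preds):
    """Merge every set of cells that agree on all abstraction predicates into one
    node; a node made from more than one cell is a summary node.  Every unary
    predicate and the binary predicate n are re-evaluated over the merged cells
    and become 1/2 wherever the cells disagree.
    Returns (nodes, edges): nodes maps a node name to its members, summary flag
    and unary valuation; edges maps (node, node) to the value of n."""
    groups = {}
    for c in cells:
        key = tuple(c in unary[p] for p in abstraction_preds)
        groups.setdefault(key, []).append(c)
    nodes = {}
    for members in groups.values():
        name = members[0] if len(members) == 1 else "vs{" + ",".join(members) + "}"
        nodes[name] = {
            "members": members,
            "summary": len(members) > 1,
            "unary": {p: three_valued(c in unary[p] for c in members) for p in unary},
        }
    edges = {}
    for n1, d1 in nodes.items():
        for n2, d2 in nodes.items():
            edges[(n1, n2)] = three_valued(
                (c1, c2) in n_edges for c1 in d1["members"] for c2 in d2["members"])
    return nodes, edges


def abstract_slide4_list(abstraction_preds):
    """Abstract the slide-4 list under a given shape class (the set of
    abstraction predicates); slide 5 uses SLIDE5_CLASS."""
    cells, unary, n_edges = concrete_list()
    unary = add_reachability_preds(unary, n_edges)
    return canonical_abstraction(cells, unary, n_edges, abstraction_preds)


SLIDE5_CLASS = ["pt_a", "pt_p", "fd_h=1", "fd_h=2", "r_a,n", "r_p,n"]

if __name__ == "__main__":
    nodes, edges = abstract_slide4_list(SLIDE5_CLASS)
    for name, d in nodes.items():
        labels = [p for p, v in d["unary"].items() if v == 1]
        print(name, "(summary)" if d["summary"] else "", labels)
    for (n1, n2), v in edges.items():
        if v:
            print(f"n({n1}, {n2}) = {v}")
```

Running it reproduces slide 5: three abstract nodes v1, vs{v2,v3,v4} and v5, with the three n edges touching the summary node valued 1/2. The second call in the test shows why the slides insist on tracking the most abstract shape class that still suffices: dropping predicates shrinks the graph, but facts like h == 3 on the last cell become "maybe" and can no longer rule out an error path.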
Slide 6: CEGAR (CounterExample-Guided Abstraction Refinement) [Clarke et al. 00, Ball, Rajamani 02]
Figure: the CEGAR loop.
- Code -> Build Abstraction -> Model Check Abstraction
- If the exploration finishes without reaching the error location: Correctness Certificate, SAFE!
- Otherwise an Abstract Trace is produced -> Concretize Trace
  - If the trace is feasible: Concrete Trace, BUG!
  - Otherwise it yields New Predicates of Interest, which are fed back into Build Abstraction
Slide 7: CEGAR with Shape Analysis
Figure: the same loop, with the abstraction now consisting of a predicate part and a shape part.
- Code -> Build Abstraction (Predicate + Shape) -> Model Check Abstraction (Predicate + Shape)
- Exploration finishes: Correctness Certificate, SAFE!
- Abstract Trace -> Concretize Trace: feasible: Concrete Trace, BUG!; infeasible: New Nullary, Points-to and Field Predicates, fed back into Build Abstraction
Slide 8: Lazy Shape Refinement
Figure: the same loop, with the abstraction built on the fly and refined locally.
- Code -> Build Abstraction (Predicate + Shape), built on the fly -> Model Check Abstraction (Predicate + Shape)
- Exploration finishes: Correctness Certificate, SAFE!
- Abstract Trace -> Concretize Trace: feasible: Concrete Trace, BUG!; infeasible: New Nullary, Points-to and Field Predicates, which only rebuild the refined parts of the abstraction
Slide 9: Contributions
- Integrate shape analysis into the CEGAR loop
- Track shape graphs during reachability analysis
- Automatic refinement of shape classes (by adding new points-to and field predicates)
- => More programs proved safe by BLAST
Slide 10: Contributions: Laziness
- Lazy refinement for nullary predicates works well
- Apply the same idea to unary and binary predicates
  - Track only if needed (track only the lists that are relevant)
  - Track only where needed (parsimonious abstraction)
  - Track the most abstract shape class (small number of predicates)
Slide 11: Shape Tracking
Figure: the model checker runs with a current predicate abstraction and a current shape abstraction. An abstract state is a triple (PC, Boolean abstraction, Shape abstraction); from the state (l1, P, S) the successor at location l2 is (l2, post_PA(P), post_SA(S)). If the exploration finishes: SAFE!; if an abstract error path is found: analyze the abstract counterexample.
Slide 12: Shape Refinement
Figure: analysis of an abstract error path.
- Build the path formula and check it. UNSAT: interpolation yields new nullary predicates, which refine the current predicate abstraction. SAT: go on to the extended path formula.
- Build the extended path formula and check it. UNSAT: interpolation yields new unary and binary predicates, which refine the current shape abstraction. SAT: BUG!
- The model checker continues with the refined abstractions; if the exploration finishes: SAFE!
Slide 13 (example program)
    List a = (List) malloc(...);
    List p = a;
    while (nondet()) {            /* non-deterministic loop */
        if (flag) p->h = 1; else p->h = 2;
        p->n = (List) malloc(...);
        p = p->n;
    }
    p->h = 3;
    p = a;
    if (flag) while (p->h == 1) p = p->n;
    else      while (p->h == 2) p = p->n;
    assert(p->h == 3);
- Heap-stored list
- Boolean control
- Both are needed to prove the assertion
Slide 14: the same program as on slide 13, shown again.
Slide 15: Imprecision of Path-Insensitive Dataflow Analysis
Figure: control flow of the example. At the first `flag?` the two branches establish p->h = 1 and p->h = 2 respectively; at the join point the analysis joins the two facts, so at the second `flag?` the information on the correlation between flag and p->h is lost, and the loops `while (p->h == 1)` and `while (p->h == 2)` cannot be analysed precisely.
Slide 16: Imprecision of Path-Insensitive Dataflow Analysis
Figure: the same control flow as on slide 15 (the join point after `flag?` joins the facts p->h = 1 and p->h = 2, and the correlation is lost before the second `flag?` and its loops `while (p->h == 1)` / `while (p->h == 2)`).
=> Nullary predicates (e.g. flag = 0) can make the analysis as path-sensitive as necessary
Slide 17: Refinement Example
(program of slide 13)
(Infeasible) abstract path, steps 1 .. 9:
  1  a = (List) malloc()
  2  p = a
  3  while not taken
  4  p->h = 3
  5  p = a
  6  assume(!flag)
  7  assume(p->h != 2)
  8  assume(p->h != 3)
  9  ERROR
Slide 18: Refinement Example
The (infeasible) abstract path 1 .. 9 of slide 17 with its path formula, one conjunct per step:
  1  a = (List) malloc()     true
  2  p = a                   p2 = a1
  3  while not taken         true
  4  p->h = 3                (p2->h)4 = 3
  5  p = a                   p5 = a1 and (p5->h)5 = (a1->h)4
  6  assume(!flag)           !flag0
  7  assume(p->h != 2)       (p5->h)5 != 2
  8  assume(p->h != 3)       (p5->h)5 != 3
  9  ERROR
The path formula does not account for aliasing precisely.
Slide 19: Refinement Example
The same path and path formula as on slide 18 (p2 = a1; (p2->h)4 = 3; p5 = a1 and (p5->h)5 = (a1->h)4; !flag0; (p5->h)5 != 2; (p5->h)5 != 3).
The path formula is satisfiable, although the abstract path is infeasible. Try with the extended path formula!
Slide 20: Refinement Example
The (infeasible) abstract path 1 .. 9 with its extended path formula; step 4 now records the effect of the write on every possible alias of p:
  1  a = (List) malloc()     true
  2  p = a                   p2 = a1
  3  while not taken         true
  4  p->h = 3                (p2->h)4 = 3 and (p2 = a1 => (a1->h)4 = 3)
  5  p = a                   p5 = a1 and (p5->h)5 = (a1->h)4
  6  assume(!flag)           !flag0
  7  assume(p->h != 2)       (p5->h)5 != 2
  8  assume(p->h != 3)       (p5->h)5 != 3
  9  ERROR
Slide 21: Refinement Example
The extended path formula of slide 20 is unsatisfiable, so the abstract path is infeasible.
Interpolants: p2 = a1, (p5->h)5 = 3, (a1->h)4 = 3
=> Add the points-to predicates pt_a, pt_p and the field predicate fd_{h=3}
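The check on slides 18 to 21, carried out by a brute-force stand-in for the prover: the plain path formula is satisfiable because (p2->h)4 and (a1->h)4 are unrelated variables, the extended path formula with the aliasing clause is not, and projecting each prefix of the unsatisfiable formula onto the variables it shares with the suffix gives the interpolants of slide 21. This is an added example, not BLAST's code or the interpolating prover it calls; the SSA variable names follow the slides, while the finite domains (two heap cells, h values 1 .. 3) and the function names are this example's own assumptions.

```python
"""Path formula vs. extended path formula for the abstract path of slide 17,
checked by brute force over a small finite domain, plus the strongest
interpolant at each cut point.  Added example: a stand-in for the SMT /
interpolating prover BLAST calls, not BLAST code; the SSA variable names
follow slides 18-21, the domain sizes are this example's own choice."""
from itertools import product

# SSA variables of the path and their finite domains (assumption: two heap cells
# and h values 1..3 are enough to exhibit the aliasing problem).
DOMAIN = {
    "a1": (0, 1), "p2": (0, 1), "p5": (0, 1),                       # cell identities
    "h_p2_4": (1, 2, 3), "h_a1_4": (1, 2, 3), "h_p5_5": (1, 2, 3),  # (x->h)_i
    "flag0": (0, 1),
}


def path_formula(extended):
    """Conjuncts of the path formula as (label, variables, constraint).  Steps 1
    (malloc) and 3 (loop not taken) contribute `true` and are left out.  The
    extended formula adds the aliasing clause for the write p->h = 3 at step 4:
    if p2 and a1 name the same cell, the write also sets (a1->h)4."""
    step4 = [("(p2->h)4 = 3", ("h_p2_4",), lambda v: v["h_p2_4"] == 3)]
    if extended:
        step4.append(("p2 = a1 => (a1->h)4 = 3", ("p2", "a1", "h_a1_4"),
                      lambda v: v["p2"] != v["a1"] or v["h_a1_4"] == 3))
    return [
        ("p2 = a1", ("p2", "a1"), lambda v: v["p2"] == v["a1"]),
        *step4,
        ("p5 = a1 and (p5->h)5 = (a1->h)4", ("p5", "a1", "h_p5_5", "h_a1_4"),
         lambda v: v["p5"] == v["a1"] and v["h_p5_5"] == v["h_a1_4"]),
        ("!flag0", ("flag0",), lambda v: v["flag0"] == 0),
        ("(p5->h)5 != 2", ("h_p5_5",), lambda v: v["h_p5_5"] != 2),
        ("(p5->h)5 != 3", ("h_p5_5",), lambda v: v["h_p5_5"] != 3),
    ]


def assignments():
    """Every assignment of the SSA variables over their finite domains."""
    names = list(DOMAIN)
    for vals in product(*(DOMAIN[n] for n in names)):
        yield dict(zip(names, vals))


def holds(conjuncts, v):
    return all(check(v) for _, _, check in conjuncts)


def satisfiable(conjuncts):
    """Return a satisfying assignment, or None if the formula is unsatisfiable."""
    return next((v for v in assignments() if holds(conjuncts, v)), None)


def strongest_interpolant(prefix, suffix):
    """Craig interpolant between a prefix A and suffix B of an unsatisfiable path
    formula.  Over a finite domain the strongest one is the projection of A onto
    the variables shared with B: the set of shared-variable valuations that some
    model of A allows.  Returns (shared_variables, allowed_valuations)."""
    vars_a = {x for _, xs, _ in prefix for x in xs}
    vars_b = {x for _, xs, _ in suffix for x in xs}
    shared = tuple(sorted(vars_a & vars_b))
    allowed = {tuple(v[x] for x in shared) for v in assignments() if holds(prefix, v)}
    # The interpolant must contradict B; if it does not, A and B were jointly
    # satisfiable and there is nothing to refine.
    for v in assignments():
        if tuple(v[x] for x in shared) in allowed and holds(suffix, v):
            raise ValueError("prefix and suffix are jointly satisfiable")
    return shared, allowed


if __name__ == "__main__":
    print("path formula witness:", satisfiable(path_formula(extended=False)))
    ext = path_formula(extended=True)
    print("extended path formula satisfiable:", satisfiable(ext) is not None)
    for cut in (1, 3, 4):   # after p2 = a1, after the step-4 write, after p5 = a1
        print("cut after", ext[cut - 1][0], "->", strongest_interpolant(ext[:cut], ext[cut:]))
```

The three projections come out as p2 = a1 (both cells allowed, as long as they are equal), (a1->h)4 = 3 and (p5->h)5 = 3, which are the interpolants slide 21 lists; the points-to predicates pt_a, pt_p and the field predicate fd_{h=3} are read off their atoms. The witness for the plain formula is the aliasing bug itself: it sets (p2->h)4 = 3 while leaving (a1->h)4 = 1, which no real heap can do when p2 = a1.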
Slide 22: Refinement Example
The abstract path 1 .. 9 of slide 17 in the next round of reachability. With the refined shape class, the shape graph after step 5 (p = a) is a single node v1 labelled pt_a, pt_p and fd_{h=3}, so step 8, assume(p->h != 3), is infeasible: the spurious counterexample is ruled out because of the refined shape class.
Slide 23: Refinement Example (2)
(program of slide 13)
Infeasible abstract path (according to the extended path formula), steps 1 .. 14:
  1  a = (List) malloc()
  2  p = a
  3  while taken
  4  assume(!flag)
  5  p->h = 2
  6  p->n = (List) malloc()
  7  p = p->n
  8  while not taken
  9  p->h = 3
 10  p = a
 11  assume(!flag)
 12  assume(p->h != 2)
 13  assume(p->h != 3)
 14  ERROR
Slide 24: Refinement Example (2)
The abstract path 1 .. 14 of slide 23. Shape graph along the path: v1 -n-> v2, with pt_a on v1 and pt_p, fd_{h=3} on v2; the current shape class says nothing about h on v1.
Interpolant: (a1->h)5 = 2
=> Add the field predicate fd_{h=2}
Slide 25: Refinement Example (2)
The abstract path 1 .. 14 of slide 23, before and after refinement:
- Before: v1 -n-> v2, pt_a on v1, pt_p and fd_{h=3} on v2
- In the next round of reachability: v1 -n-> v2, pt_a and fd_{h=2} on v1, pt_p and fd_{h=3} on v2
Slide 26 (the program of slide 13 again)
    List a = (List) malloc(...);
    List p = a;
    while (nondet()) {            /* non-deterministic loop */
        if (flag) p->h = 1; else p->h = 2;
        p->n = (List) malloc(...);
        p = p->n;
    }
    p->h = 3;
    p = a;
    if (flag) while (p->h == 1) p = p->n;
    else      while (p->h == 2) p = p->n;
    assert(p->h == 3);
Predicate abstraction alone would need flag = 0, p->h = 1, p->n->h = 1, p->n->n->h = 1, p->n->n->n->h = 1, ...
=> infinitely many predicates => BLAST fails
Slide 27: Implementation
- BLAST as verification engine
- Calls to TVLA for 3-valued operations
Slide 28: Experiments (results table; legend: red = false positive, green = safe)
Slide 29: Future Work: Refinement
- Now: automatic discovery of points-to and field predicates
- Future: automatic discovery of derived (instrumentation) predicates
  - E.g. reachability, cyclicity, sharing
  - Currently pre-defined
Slide 30: Related Work
- Loginov, Reps, Sagiv, CAV 05: Abstraction refinement via inductive learning; refinement by adding instrumentation predicates
- Fischer, Jhala, Majumdar, FSE 05: Predicated lattice; runs a data flow analysis in parallel; fixed abstract domain (no refinement)
- Gulavani, Rajamani, TACAS 06: CEGAR for abstract interpretation; not a lazy refinement
Slide 31: Conclusion
- Extending BLAST's abstract region with shape graphs extends the class of programs that can be proved by BLAST (precision)
- Lazy refinement of shape classes improves the performance of shape analysis (efficiency)
Slide 32: Thanks, Questions?
- Visit the BLAST website: http://mtc.epfl.ch/blast