1
Using Statically Computed Invariants Inside the
Predicate Abstraction and Refinement Loop
  • Himanshu Jain
  • Franjo Ivancic
  • Aarti Gupta
  • Ilya Shlyakhter
  • Chao Wang

2
Introduction
  • Predicate abstraction
    • Abstracts data by keeping track of certain predicates
    • Each predicate is given a Boolean variable in the abstract model

3
Counterexample Guided Abstraction and Refinement Loop (CEGAR)
[Diagram: the CEGAR loop in F-Soft. Inputs: C programs and a property monitor. Stages: static analysis, predicate abstraction, model checking of the abstract model, counterexample analysis and refinement. Outcomes: a discovered bug in the software, or certified code.]
4
Bottlenecks in CEGAR loop
  • Computing predicate relationships is expensive
  • Over-approximation leads to refinement iterations
  • Finding right predicates not always possible

5
An example
Weakest pre-condition based refinement

C program:
  1. x = 100;
  2. y = 100;
  3. while (x != 0) {
       x = x - 1;
       y = y - 1;
     }
     if (y != 0)
       ERROR;

Predicates found by weakest pre-condition based refinement:
  x = 0, y = 0
  x = 1, y = 1
  ...
  x = 100, y = 100

Split theorem prover [Jhala, McMillan, TACAS 2006]: x = y
We will discover x = y as an invariant
6
Our approach
  • Use efficiently computable invariants in the CEGAR loop
  • Invariants generated by abstract domains
    • Octagon: ±x ± y ≤ c
    • Polyhedra: a1·x1 + a2·x2 + ... + an·xn ≤ c
    • Numerous others in ASTRÉE-like static analyzers
  • Combination of abstraction techniques

7
This work: CEGAR loop + Invariants
[Diagram: the CEGAR loop of slide 3, with static analysis now feeding invariants from abstract domains into predicate abstraction, analysis and refinement.]
Invariants from abstract domains give:
  1. More precise abstractions
  2. Fewer refinement iterations
  3. Fewer predicates
  4. Avoid some convergence problems
8
Related work
  • Idea of using invariants during abstraction
    • Bensalem et al., CAV 1998
    • Colón et al., CAV 1998
    • Saïdi et al., ASE 1999
  • Path sensitive data flow analysis
    • Fischer et al., FSE 2005

9
Outline
  • Introduction
  • Using Invariants in abstraction-refinement loop
  • Invariant generation
  • Invariant selection
  • Experimental results

10
Abstraction
No predicates available currently

C program:
  1  if (x > y)
  2    y = y + 1;
     ...
  5  z = y;
     ...
  10 if (x < z)
  11   ERROR;
  12

Abstract model:
  1  if (*)
  2    skip;
     ...
  5  skip;
     ...
  10 if (*)
  11   ERROR;
  12
11
Checking the abstract model
Is ERROR reachable?

Abstract model:
  1  if (*)
  2    skip;
     ...
  5  skip;
     ...
  10 if (*)
  11   ERROR;
  12

Yes: the abstract model has a path leading to the error state
12
Concretization of abstract counterexample

Abstract model:
  1  if (*)
  2    skip;
     ...
  5  skip;
     ...
  10 if (*)
  11   ERROR;
  12

Concrete trace:
  1  assume (x > y);
  2  y = y + 1;
     ...
  5  z = y;
     ...
  10 assume (x < z);
  11
  12
13
Simulation
Does this correspond to a real bug?

Concrete trace:
  1  assume (x > y);
  2  y = y + 1;
     ...
  5  z = y;
     ...
  10 assume (x < z);
  11
  12

Spurious trace: a spurious counterexample
14
Refinement

Spurious counterexample:
  1  assume (x > y);
  2  y = y + 1;
     ...
  5  z = y;
     ...
  10 assume (x < z);

Localization of predicates [Jhala et al., POPL 2004; Jain et al., TACAS 2005]
15
Refinement

Spurious counterexample:
  1  assume (x > y);
  2  y = y + 1;
     ...
  5  z = y;
     ...
  10 assume (x < z);

Need to track the value of at least one predicate from locations 1 to 10
Localization of predicates [Jhala et al., POPL 2004; Jain et al., TACAS 2005]
16
Using invariants

C program:
  1  if (x > y)
  2    y = y + 1;
     ...
  5  z = y;
     ...
  10 if (x < z)
  11   ERROR;
  12

Two variable invariants (holding on entry to each location):
  1  (none)
  2  x > y
     ...  x ≥ y
  5  x ≥ y
     ...  x ≥ y, y = z, x ≥ z
  10 x ≥ y, y = z, x ≥ z
  11
  12
17
Using invariants during simulation

Two variable invariants:
  1  (none)
  2  x > y
     ...  x ≥ y
  5  x ≥ y
     ...  x ≥ y, y = z, x ≥ z
  10 x ≥ y, y = z, x ≥ z
  11
  12

Spurious counterexample:
  1  assume (x > y);
  2  y = y + 1;
     ...
  5  z = y;
     ...
  10 assume (x < z);   <- infeasible: the invariant x ≥ z holds at 10

Refinement procedure only needs to look at the infeasible part of the trace
18
What has happened so far

C program:
  1  if (x > y)
  2    y = y + 1;
     ...
  5  z = y;
     ...
  10 if (x < z)
  11   ERROR;
  12

Abstract model:
  1  if (*)
  2    skip;
     ...
  5  skip;
     ...
  10 if (*)
  11   ERROR;

Spurious counterexample:
  1  assume (x > y);
  2  y = y + 1;
     ...
  5  z = y;
     ...
  10 assume (x < z);

New abstract model:
  1  if (*)
  2    skip;
     ...
  5  skip;
     ...
  10 if (b)
  11   ERROR;

  Boolean b ≡ (x < z)
  Invariant at PC 10: x ≥ z
  Constraint: (PC = 10) → ¬b
19
Strengthened transition relation
  • Let Tb(V,V') denote the transition relation of basic block b
  • Let Ib(V) denote the invariants that hold at b
  • STb(V,V') = Tb(V,V') ∧ Ib(V)
  • Replace Tb(V,V') by STb(V,V') in the CEGAR loop
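The strengthened transition relation of slides 18 and 19, as an added example that is not the authors' F-Soft code. It model checks the Boolean abstraction of the slide-10 program by explicit-state search, first with the plain transition relation Tb and then with STb = Tb ∧ Ib, where Ib at PC 10 is the invariant x ≥ z, which under b ≡ (x < z) becomes (PC = 10) → ¬b. The targets of the false branch at location 1 and the effect of each assignment on b are not shown on the slides and are assumptions here.

```python
# Added example (not the authors' code): abstract model of slide 18 with one
# predicate b == (x < z). An abstract state is (pc, b); ERROR is location 11.
ERROR = 11


def abstract_step(pc, b):
    """Tb over the Boolean abstraction.  The slide shows 'if (*)' at 1 (no
    predicate tracks x > y, so both branches are possible; the false branch
    is assumed to leave the function at 12), 'skip' at 2 and 5, and the
    refined guard 'if (b)' at 10.  y = y + 1 touches neither x nor z, so b is
    kept; z = y at 5 can change x < z, so b is havocked (both values)."""
    if pc == 1:
        return {(2, b), (12, b)}
    if pc == 2:
        return {(5, b)}
    if pc == 5:
        return {(10, True), (10, False)}
    if pc == 10:
        return {(ERROR, b)} if b else {(12, b)}
    return set()                     # 11 and 12 are sinks


def invariant_ok(pc, b):
    """Ib(V) as a constraint on the source state: at PC 10 the statically
    computed invariant x >= z contradicts b == (x < z), so b must be false."""
    return not (pc == 10 and b)


def reachable_error(strengthen):
    """Explicit-state reachability of ERROR.  With strengthen=True a state is
    only expanded if Ib holds in it, i.e. transitions come from STb = Tb /\ Ib."""
    init = {(1, True), (1, False)}   # b unknown on entry
    seen, work = set(init), list(init)
    while work:
        pc, b = work.pop()
        if pc == ERROR:
            return True
        if strengthen and not invariant_ok(pc, b):
            continue                 # Ib(V) is false: STb has no successor here
        for nxt in abstract_step(pc, b):
            if nxt not in seen:
                seen.add(nxt)
                work.append(nxt)
    return False


if __name__ == "__main__":
    print("ERROR reachable with Tb :", reachable_error(strengthen=False))
    print("ERROR reachable with STb:", reachable_error(strengthen=True))
```

Without the invariant the abstract path 1 → 2 → 5 → (10, b = true) → 11 exists and the loop would have to refine further; with STb the state (10, b = true) has no successors and the property is proved with the single predicate b.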

20
Outline
  • Introduction
  • Using Invariants in abstraction-refinement loop
  • Invariant generation
  • Invariant selection
  • Experimental results

21
Invariant generation
  • Octagon abstract domain: ±x ± y ≤ c
    • Due to Antoine Miné
    • Successfully used in the ASTRÉE static analyzer
    • Captures commonly occurring variable relationships (e.g. array bound accesses)
  • More expressive abstract domains can be used
  • When to generate invariants
    • Eagerly, before the CEGAR loop starts
    • Lazily, on demand as needed by refinement
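The invariant-generation step above, and the x = y claim on slide 5, as an added example that is not the authors' code. It implements the difference-bound fragment of the octagon domain (constraints x − y ≤ c over the program variables plus a constant-zero variable, stored in a difference-bound matrix with Floyd–Warshall closure, join and widening) and runs it over the slide-5 loop. The guard x != 0 is not expressible in this domain and is dropped, which is enough to find x − y ≤ 0 and y − x ≤ 0 at the loop head, and therefore y = 0 at the exit. Function names and the encoding are this example's own choices.

```python
# Added example (not the authors' code): a difference-bound (zone) analysis,
# the x - y <= c fragment of the octagon domain, run on the slide-5 loop.
# m[i][j] is the best known upper bound on v_i - v_j; index 0 is the constant 0.
from math import inf

ZERO, X, Y = 0, 1, 2
NAMES = {ZERO: "0", X: "x", Y: "y"}


def top(n=3):
    """No information: every bound is +inf (diagonal 0)."""
    return [[0 if i == j else inf for j in range(n)] for i in range(n)]


def closure(m):
    """Floyd-Warshall: propagate v_i - v_k <= a, v_k - v_j <= b into
    v_i - v_j <= a + b.  A negative diagonal entry means the zone is empty."""
    m = [row[:] for row in m]
    n = len(m)
    for k in range(n):
        for i in range(n):
            for j in range(n):
                m[i][j] = min(m[i][j], m[i][k] + m[k][j])
    return m


def is_bottom(m):
    c = closure(m)
    return any(c[i][i] < 0 for i in range(len(c)))


def forget(m, v):
    """Drop every bound that mentions v (v becomes unconstrained)."""
    m = closure(m)
    for i in range(len(m)):
        if i != v:
            m[i][v] = m[v][i] = inf
    return m


def assign_const(m, v, c):
    """Transfer function for v := c, i.e. v - 0 <= c and 0 - v <= -c."""
    m = forget(m, v)
    m[v][ZERO], m[ZERO][v] = c, -c
    return closure(m)


def assign_add(m, v, k):
    """Transfer function for v := v + k.  From v - w <= c we get
    (v + k) - w <= c + k; from w - v <= c we get w - (v + k) <= c - k."""
    m = closure(m)
    for i in range(len(m)):
        if i != v:
            m[v][i] += k
            m[i][v] -= k
    return m


def assume_eq(m, v, c):
    """Meet with the guard v == c."""
    m = closure(m)
    m[v][ZERO] = min(m[v][ZERO], c)
    m[ZERO][v] = min(m[ZERO][v], -c)
    return closure(m)


def join(a, b):
    return closure([[max(p, q) for p, q in zip(ra, rb)] for ra, rb in zip(a, b)])


def widen(a, b):
    """Standard DBM widening: keep a bound only if it did not grow.  This is
    what makes the analysis converge instead of enumerating x = 99, 98, ..."""
    return [[p if q <= p else inf for p, q in zip(ra, rb)] for ra, rb in zip(a, b)]


def constraints(m):
    """Render the finite bounds of a zone as 'a - b <= c' strings."""
    c = closure(m)
    return sorted(f"{NAMES[i]} - {NAMES[j]} <= {c[i][j]}"
                  for i in range(len(c)) for j in range(len(c))
                  if i != j and c[i][j] != inf)


def loop_head_invariant():
    """x = 100; y = 100; while (x != 0) { x = x - 1; y = y - 1; }
    The guard x != 0 is not a difference bound, so it is ignored (sound)."""
    state = assign_const(assign_const(top(), X, 100), Y, 100)
    while True:
        body = assign_add(assign_add(state, X, -1), Y, -1)
        new = closure(widen(state, join(state, body)))
        if new == state:
            return state
        state = new


def loop_exit_state():
    """Loop exit: the head invariant met with the negated guard x == 0."""
    return assume_eq(loop_head_invariant(), X, 0)


def error_reachable():
    """ERROR needs y != 0 at exit, i.e. y >= 1 or y <= -1; both zones must be empty."""
    s = loop_exit_state()
    y_pos = closure(s); y_pos[ZERO][Y] = min(y_pos[ZERO][Y], -1)   # 0 - y <= -1
    y_neg = closure(s); y_neg[Y][ZERO] = min(y_neg[Y][ZERO], -1)   # y - 0 <= -1
    return not (is_bottom(y_pos) and is_bottom(y_neg))


if __name__ == "__main__":
    print("loop head:", constraints(loop_head_invariant()))
    print("loop exit:", constraints(loop_exit_state()))
    print("ERROR reachable:", error_reachable())
```

The loop head stabilises after one widening at x ≤ 100, y ≤ 100, x − y ≤ 0, y − x ≤ 0; the last two are the x = y invariant that weakest-precondition refinement only approaches through the diverging sequence x = 100, y = 100; x = 99, y = 99; ... Meeting the invariant with x = 0 at the exit closes to y = 0, so the ERROR branch is infeasible without any predicate refinement at all.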

22
Octagon packing
  • Octagon relationships between n variables
  • Time per transfer function O(n3)
  • Memory cost per program location O(n2)

23
Octagon packing
  • Octagon relationships between n variables
  • Time per transfer function O(n3)
  • Memory cost per program location O(n2)

.
.
.
.
x2
x1
x1000
.
.
x5
x3
x999
x4
.
.
octagon pack
24
Octagon packing
  • Basic block based packing
    • One pack per basic block, holding the variables appearing in it
    • Number of octagon packs proportional to the number of basic blocks
  • Control flow based packing
    • Associate an octagon pack with each condition
    • Variables chosen by a cone of influence computation
    • Number of octagon packs proportional to the number of conditions

25
Outline
  • Introduction
  • Using Invariants in abstraction-refinement loop
  • Invariant generation
  • Invariant selection
  • Experimental results

26
Invariant selection
  • Use fewer invariants for additional/quicker pruning
  • Avoid overhead in decision procedure calls
  • Given ERROR label E and basic block b:
    • needed(b, E) = variables that need to be tracked at b
    • Use invariant I at b iff vars(I) ⊆ needed(b, E)
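The selection rule above, as an added example that is not the authors' code. The slide does not say how needed(b, E) is computed; this example reads it as a backward slice from the ERROR label along the slide-10 trace, which is an assumption. The invariants are those of slide 16, plus one constructed irrelevant fact (w ≤ 5) at location 10 to show it being dropped; statement encoding and names are this example's own.

```python
# Added example (not the authors' code): invariant selection of slide 26 with
# needed(b, E) taken to be a backward slice from ERROR (an assumption).
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Stmt:
    loc: int
    kind: str               # "assume" (branch taken on the trace), "assign" or "error"
    target: Optional[str]   # assigned variable for "assign"
    uses: frozenset         # variables read by the guard / right-hand side


# The slide-10 trace to ERROR (locations 3-4 and 6-9 are elided on the slide).
PROGRAM = [
    Stmt(1, "assume", None, frozenset({"x", "y"})),   # if (x > y)
    Stmt(2, "assign", "y", frozenset({"y"})),         # y = y + 1
    Stmt(5, "assign", "z", frozenset({"y"})),         # z = y
    Stmt(10, "assume", None, frozenset({"x", "z"})),  # if (x < z)
    Stmt(11, "error", None, frozenset()),             # ERROR
]

# Invariants from slide 16, plus one constructed, irrelevant fact at location 10.
INVARIANTS = {
    2: [("x > y", {"x", "y"})],
    5: [("x >= y", {"x", "y"})],
    10: [("x >= y", {"x", "y"}), ("y == z", {"y", "z"}),
         ("x >= z", {"x", "z"}), ("w <= 5", {"w"})],   # w <= 5 is constructed
}


def needed_sets(program):
    """needed(b, E): variables whose value on entry to b can influence whether
    E is reached, found by walking the trace backwards from E.  A guard adds
    its variables; an assignment to a needed variable replaces it by the
    variables it reads."""
    needed, live = {}, set()
    for s in reversed(program):
        if s.kind == "assume":
            live |= s.uses
        elif s.kind == "assign" and s.target in live:
            live = (live - {s.target}) | s.uses
        needed[s.loc] = frozenset(live)
    return needed


def select_invariants(program, invariants):
    """Use invariant I at b iff vars(I) is a subset of needed(b, E)."""
    needed = needed_sets(program)
    return {loc: [text for text, vs in invs if vs <= needed.get(loc, frozenset())]
            for loc, invs in invariants.items()}


if __name__ == "__main__":
    for loc, invs in sorted(select_invariants(PROGRAM, INVARIANTS).items()):
        print(loc, invs)
```

At location 10 only x and z can still affect the guard, so of the four available invariants only x ≥ z survives; it is exactly the one that makes assume (x < z) infeasible, and the decision procedure never sees y = z, x ≥ y or the irrelevant w ≤ 5.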

27
Outline
  • Introduction
  • Using Invariants in abstraction-refinement loop
  • Invariant generation
  • Invariant selection
  • Experimental results

28
Experimental results (TCAS)
[Table of TCAS results; only its row legend survived extraction.]
Rows:
  • Localization of predicates using weakest pre-conditions [TACAS 2005]
  • Localization of predicates using Craig interpolation [Jhala et al., POPL 2004]
  • Using octagonal invariants in the Default framework
Notes:
  1. Invariant generation for TCAS took 5 seconds
  2. None of the above properties can be verified by octagonal invariants
29
Results from industrial benchmarks
  • Checked for standard property violations

30
Experiments on Industry Programs
                      Without Octagon Invariants                         With Octagon Invariants
      KLOC  Checks   P by SA  P by SAT  B by SAT  None  Time (sec)   P by SA w/ Invar  P by SAT  B by SAT  None  Time (sec)
f1     0.5      64        32         9         0    23         596                 64         0         0     0          15
f2     1.1      16         8         6         0     2         564                 16         0         0     0          66
f3     1.1      18         8         5         2     3         572                 16         0         2     0         104
f4     1.2      22        10         6         3     3         478                 18         1         3     0         195
f5     1.2      10         0         0         4     6         584                  6         0         4     0         401
f6     1.6      26         8         6         8     4         579                 18         0         8     0         197
f7     1.8      28         4         8         4     4         589                 12         4         4     0         325
f8     3.6     280       267        13         0     0         144                280         0         0     0         140

Note: P = proofs, B = bugs, None = unresolved checks; SA = static analysis, SAT = SAT-based model checking
  • Several interesting improvements with octagon invariants
  • Number of unresolved (None) checks is reduced (here, to 0)
  • Provides performance improvement
  • Last example (f8): little difference, since it needed few proofs by SAT to begin with

31
Invariant generation results
Control flow based packing leads to invariants
that are more likely to be useful in CEGAR loop
32
Invariant selection results
Invariants generated using control flow based
packing
After invariant selection
33
Conclusion
  • Using invariants in the abstraction-refinement loop
    • Fewer predicates and refinement iterations
    • Can help when finding the right predicates is difficult
  • Invariant generation and selection
    • Finding useful invariants
    • Right packing strategies
  • Current/Future work (by co-authors)
    • Generation of disjunctive invariants [SISG, SAS 2006]
    • Applications of invariants during BMC [GG, ICCAD 2006]

34
Questions?