Title: Software Verification with BLAST
1Software Verification withBLAST
Tom Henzinger Ranjit Jhala Rupak Majumdar
2Blast Web Site
- http//www.eecs.berkeley.edu/blast
3Software Validation
- Large scale reliable software is hard to build
and test - Different groups write different components
- Integration testing is a nightmare
4Property Checking
- Programmer gives partial specifications
- Code checked for consistency w/ spec
- Different from program correctness
- Specifications are not complete
- Is there a complete spec for Word ? Emacs ?
5Interface Usage Rules
- Rules in documentation
- Order of operations data access
- Resource management
- Incomplete, unenforced, wordy
- Violated rules ) bad behavior
- System crash or deadlock
- Unexpected exceptions
- Failed runtime checks
6Property 1 Double Locking
An attempt to re-acquire an acquired lock or
release a released lock will cause a deadlock.
Calls to lock and unlock must alternate.
7Property 2 Drop Root Privilege
Chen-Dean-Wagner 02
User applications must not run with root
privilege When execv is called, must have
suid ? 0
8Property 3 IRP Handler
Fahndrich
9Does a given usage rule hold?
- Undecidable!
- Equivalent to the halting problem
- Restricted computable versions are
- prohibitively expensive (PSPACE)
- Why bother ?
- Just because a problem is undecidable,
- it doesnt go away!
10Plan
- Motivation
- Lazy Abstraction
- Demo
- Technical Details
11Example
Example ( ) 1 do lock() old
new q q-gtnext 2 if (q ! NULL) 3
q-gtdata new unlock() new
4 while(new ! old) 5 unlock ()
return
12What a program really is
State
Transition
3 unlock() new 4
Example ( ) 1 do lock() old
new q q-gtnext 2 if (q ! NULL) 3
q-gtdata new unlock() new
4 while(new ! old) 5 unlock ()
return
13The Safety Verification Problem
Error
Safe
Initial
Is there a path from an initial to an error state
? Problem Infinite state graph Solution Set of
states ' logical formula
14Representing States as Formulas
F states satisfying F s s ² F
F FO fmla over prog. vars
F1 Å F2
F1 Æ F2
F1 F2
F1 Ç F2
F
F
F1 µ F2
F1 implies F2
i.e. F1Æ F2 unsatisfiable
15Idea 1 Predicate Abstraction
- Predicates on program state
- lock
- old new
- States satisfying same predicates
- are equivalent
- Merged into one abstract state
- abstract states is finite
-
16Abstract States and Transitions
State
3 unlock() new 4
Theorem Prover
lock oldnew
lock oldnew
17Abstraction
State
3 unlock() new 4
Theorem Prover
lock oldnew
lock oldnew
Existential Lifting
18Abstraction
State
3 unlock() new 4
lock oldnew
lock oldnew
19Analyze Abstraction
Analyze finite graph Over Approximate Safe )
System Safe No false negatives Problem Spurious
counterexamples
20Idea 2 Counterex.-Guided Refinement
Solution Use spurious counterexamples to refine
abstraction !
21Idea 2 Counterex.-Guided Refinement
Solution Use spurious counterexamples to refine
abstraction
1. Add predicates to distinguish states
across cut 2. Build refined abstraction
Imprecision due to merge
22Iterative Abstraction-Refinement
Solution Use spurious counterexamples to refine
abstraction
1. Add predicates to distinguish states
across cut 2. Build refined abstraction -eliminat
es counterexample 3. Repeat search Till real
counterexample or system proved safe
Kurshan et al 93 Clarke et al
00 Ball-Rajamani 01
23Lazy Abstraction
Yes
BLAST
Safe
Abstract
C Program
Refine
No
Property
Trace
24Lazy Abstraction
Yes
BLAST
Safe
C Program
Instrumented C file With ERROR label
spec.opt
Property
No
Trace
25Problem Abstraction is Expensive
Reachable
Problem abstract states 2predicates Exponentia
l Thm. Prover queries
- Observe
- Fraction of state space reachable
- Preds 100s, States 2100 ,
- Reach 1000s
26Solution1 Only Abstract Reachable States
Safe
Solution Build abstraction during search
Problem abstract states 2predicates Exponentia
l Thm. Prover queries
27Solution2 Dont Refine Error-Free Regions
Error Free
Solution Dont refine error-free regions
Problem abstract states 2predicates Exponentia
l Thm. Prover queries
28Key Idea Reachability Tree
Initial
Unroll Abstraction 1. Pick tree-node (abs.
state) 2. Add children (abs. successors) 3. On
re-visiting abs. state, cut-off
1
2
3
Find min infeasible suffix - Learn new
predicates - Rebuild subtree with new preds.
5
4
3
29Key Idea Reachability Tree
Initial
Unroll Abstraction 1. Pick tree-node (abs.
state) 2. Add children (abs. successors) 3. On
re-visiting abs. state, cut-off
1
2
3
6
Find min infeasible suffix - Learn new
predicates - Rebuild subtree with new preds.
4
7
5
3
3
Error Free
30Key Idea Reachability Tree
Initial
Unroll 1. Pick tree-node (abs. state) 2. Add
children (abs. successors) 3. On re-visiting
abs. state, cut-off
1
2
3
6
Find min spurious suffix - Learn new predicates -
Rebuild subtree with new preds.
4
7
8
5
8
3
1
1
3
Error Free
S1 Only Abstract Reachable States S2 Dont
refine error-free regions
SAFE
31Build-and-Search
Example ( ) 1 do lock() old
new q q-gtnext 2 if (q ! NULL) 3
q-gtdata new unlock() new
4while(new ! old) 5 unlock ()
1
LOCK
1
Reachability Tree
Predicates LOCK
32Build-and-Search
Example ( ) 1 do lock() old
new q q-gtnext 2 if (q ! NULL) 3
q-gtdata new unlock() new
4while(new ! old) 5 unlock ()
1
LOCK
lock() old new qq-gtnext
2
LOCK
1
2
Reachability Tree
Predicates LOCK
33Build-and-Search
Example ( ) 1 do lock() old
new q q-gtnext 2 if (q ! NULL) 3
q-gtdata new unlock() new
4while(new ! old) 5 unlock ()
1
LOCK
2
LOCK
q!NULL
3
LOCK
1
2
3
Reachability Tree
Predicates LOCK
34Build-and-Search
Example ( ) 1 do lock() old
new q q-gtnext 2 if (q ! NULL) 3
q-gtdata new unlock() new
4while(new ! old) 5 unlock ()
1
LOCK
2
LOCK
3
LOCK
q-gtdata new unlock() new
4
LOCK
4
1
2
3
Reachability Tree
Predicates LOCK
35Build-and-Search
Example ( ) 1 do lock() old
new q q-gtnext 2 if (q ! NULL) 3
q-gtdata new unlock() new
4while(new ! old) 5 unlock ()
1
LOCK
2
LOCK
3
LOCK
4
LOCK
newold
5
LOCK
5
4
1
2
3
Reachability Tree
Predicates LOCK
36Build-and-Search
Example ( ) 1 do lock() old
new q q-gtnext 2 if (q ! NULL) 3
q-gtdata new unlock() new
4while(new ! old) 5 unlock ()
1
LOCK
2
LOCK
3
LOCK
4
LOCK
5
LOCK
5
unlock()
4
LOCK
1
2
3
Reachability Tree
Predicates LOCK
37Analyze Counterexample
Example ( ) 1 do lock() old
new q q-gtnext 2 if (q ! NULL) 3
q-gtdata new unlock() new
4while(new ! old) 5 unlock ()
1
LOCK
lock() old new qq-gtnext
2
LOCK
q!NULL
3
LOCK
q-gtdata new unlock() new
4
LOCK
newold
5
LOCK
5
unlock()
4
LOCK
1
2
3
Reachability Tree
Predicates LOCK
38Analyze Counterexample
Example ( ) 1 do lock() old
new q q-gtnext 2 if (q ! NULL) 3
q-gtdata new unlock() new
4while(new ! old) 5 unlock ()
1
LOCK
old new
2
LOCK
3
LOCK
new
4
LOCK
newold
5
LOCK
5
Inconsistent
4
LOCK
new old
1
2
3
Reachability Tree
Predicates LOCK
39Repeat Build-and-Search
Example ( ) 1 do lock() old
new q q-gtnext 2 if (q ! NULL) 3
q-gtdata new unlock() new
4while(new ! old) 5 unlock ()
1
LOCK
1
Reachability Tree
Predicates LOCK, newold
40Repeat Build-and-Search
Example ( ) 1 do lock() old
new q q-gtnext 2 if (q ! NULL) 3
q-gtdata new unlock() new
4while(new ! old) 5 unlock ()
1
LOCK
lock() old new qq-gtnext
2
LOCK , newold
1
2
Reachability Tree
Predicates LOCK, newold
41Repeat Build-and-Search
Example ( ) 1 do lock() old
new q q-gtnext 2 if (q ! NULL) 3
q-gtdata new unlock() new
4while(new ! old) 5 unlock ()
1
LOCK
2
LOCK , newold
3
LOCK , newold
q-gtdata new unlock() new
4
LOCK , new old
4
1
2
3
Reachability Tree
Predicates LOCK, newold
42Repeat Build-and-Search
Example ( ) 1 do lock() old
new q q-gtnext 2 if (q ! NULL) 3
q-gtdata new unlock() new
4while(new ! old) 5 unlock ()
1
LOCK
2
LOCK , newold
3
LOCK , newold
4
LOCK , new old
newold
4
1
2
3
Reachability Tree
Predicates LOCK, newold
43Repeat Build-and-Search
Example ( ) 1 do lock() old
new q q-gtnext 2 if (q ! NULL) 3
q-gtdata new unlock() new
4while(new ! old) 5 unlock ()
1
LOCK
2
LOCK , newold
3
LOCK , newold
4
LOCK , new old
new!old
1
LOCK, new old
4
4
1
2
3
Reachability Tree
Predicates LOCK, newold
44Repeat Build-and-Search
Example ( ) 1 do lock() old
new q q-gtnext 2 if (q ! NULL) 3
q-gtdata new unlock() new
4while(new ! old) 5 unlock ()
1
LOCK
2
LOCK , newold
SAFE
3
LOCK , newold
4
4
LOCK , newold
LOCK , new old
1
5
5
LOCK, new old
4
4
4
1
LOCK , newold
2
3
Reachability Tree
Predicates LOCK, newold
45Key Idea Reachability Tree
Initial
Unroll 1. Pick tree-node (abs. state) 2. Add
children (abs. successors) 3. On re-visiting
abs. state, cut-off
1
2
3
6
Find min spurious suffix - Learn new predicates -
Rebuild subtree with new preds.
4
7
8
5
8
3
1
1
3
Error Free
S1 Only Abstract Reachable States S2 Dont
refine error-free regions
SAFE
46Lazy Abstraction
Yes
Safe
Abstract
C Program
Refine
No
Property
Trace
Problem Abstraction is Expensive
Solution 1. Abstract reachable states,
2. Avoid refining error-free regions
Key Idea Reachability Tree
47Plan
- Motivation
- Lazy Abstraction
- Demo
- Technical Details
48Demo
49Plan
- Motivation
- Lazy Abstraction
- Demo
- Technical Details
50Technical Details
Example ( ) 1 do lock() old
new q q-gtnext 2 if (q ! NULL) 3
q-gtdata new unlock() new
4while(new ! old) 5 unlock ()
1
LOCK
2
LOCK , newold
SAFE
3
LOCK , newold
4
4
LOCK , newold
LOCK , new old
1
5
5
LOCK, new old
4
4
4
1
LOCK , newold
2
3
Reachability Tree
Predicates LOCK, newold
51Technical Details
Example ( ) 1 do lock() old
new q q-gtnext 2 if (q ! NULL) 3
q-gtdata new unlock() new
4while(new ! old) 5 unlock ()
1
LOCK
Q. How to compute successors ?
2
LOCK , newold
SAFE
3
3
LOCK , newold
LOCK , newold
q-gtdata new unlock() new
4
4
4
LOCK , newold
LOCK , new old
LOCK , new old
1
5
5
LOCK, new old
4
4
4
1
LOCK , newold
2
3
Reachability Tree
Predicates LOCK, newold
52Technical Details
Example ( ) 1 do lock() old
new q q-gtnext 2 if (q ! NULL) 3
q-gtdata new unlock() new
4while(new ! old) 5 unlock ()
1
LOCK
Q. How to compute successors ?
2
LOCK , newold
SAFE
3
LOCK , newold
4
4
LOCK , newold
LOCK , new old
Q. How to find predicates ?
1
5
5
Refinement
LOCK, new old
4
4
4
1
LOCK , newold
2
3
Predicates LOCK, newold
53Plan
- Motivation
- Lazy Abstraction
- Demo
- Technical Details
- Q How to compute successors ?
- Q How to find predicates ?
54Plan
- Motivation
- Lazy Abstraction
- Demo
- Technical Details
- Q How to compute successors ?
- Q How to find predicates ?
- Q How to analyze (recursive) procedures ?
55Plan
- Motivation
- Lazy Abstraction
- Demo
- Technical Details
- Q How to compute successors ?
- Q How to find predicates ?
- Q How to analyze (recursive) procedures ?
- Q How to analyze long traces ?
56Technical Details
Example ( ) 1 do lock() old
new q q-gtnext 2 if (q ! NULL) 3
q-gtdata new unlock() new
4while(new ! old) 5 unlock ()
1
LOCK
Q. How to compute successors ?
2
LOCK , newold
SAFE
3
LOCK , newold
4
4
LOCK , newold
LOCK , new old
1
5
5
Refinement
LOCK, new old
4
4
4
1
LOCK , newold
2
3
Predicates LOCK, newold
57Weakest Preconditions
WP(P,OP) Weakest formula P s.t. if
P is true before OP then P is true after OP
WP(P, OP)
OP
P
58Weakest Preconditions
WP(P,OP) Weakest formula P s.t. if
P is true before OP then P is true after OP
WP(P, OP)
OP
P
Pe/x
new1 old
Assign
new new1
x e
P
new old
59Weakest Preconditions
WP(P,OP) Weakest formula P s.t. if
P is true before OP then P is true after OP
WP(P, OP)
OP
P
c ) P
newold ) newold
Assume
Branch
newold
c
P
new old
60How to compute successor ?
Example ( ) 1 do lock() old
new q q-gtnext 2 if (q ! NULL) 3
q-gtdata new unlock() new
4while(new ! old) 5 unlock ()
3
F
LOCK , newold
OP
?
4
LOCK , new old
- For each p
- Check if p is true (or false) after OP
- Q When is p true after OP ?
- - If WP(p, OP) is true before OP !
- - We know F is true before OP
- - Thm. Pvr. Query F ) WP(p, OP)
Predicates LOCK, newold
61How to compute successor ?
Example ( ) 1 do lock() old
new q q-gtnext 2 if (q ! NULL) 3
q-gtdata new unlock() new
4while(new ! old) 5 unlock ()
3
F
LOCK , newold
OP
?
4
- For each p
- Check if p is true (or false) after OP
- Q When is p false after OP ?
- - If WP( p, OP) is true before OP !
- - We know F is true before OP
- - Thm. Pvr. Query F ) WP( p, OP)
Predicates LOCK, newold
62How to compute successor ?
Example ( ) 1 do lock() old
new q q-gtnext 2 if (q ! NULL) 3
q-gtdata new unlock() new
4while(new ! old) 5 unlock ()
3
F
LOCK , newold
OP
?
4
new old
LOCK , new old
- For each p
- Check if p is true (or false) after OP
- Q When is p false after OP ?
- - If WP( p, OP) is true before OP !
- - We know F is true before OP
- - Thm. Pvr. Query F ) WP( p, OP)
Predicate newold
(LOCK , newold) ) (new 1 old)
True ?
NO
False ?
(LOCK , newold) ) (new 1 ? old)
YES
63Plan
- Motivation
- Lazy Abstraction
- Demo
- Technical Details
- Q How to compute successors ?
- Q How to find predicates ?
- Q How to analyze (recursive) procedures ?
- Q How to analyze long traces ?
64Technical Details
Example ( ) 1 do lock() old
new q q-gtnext 2 if (q ! NULL) 3
q-gtdata new unlock() new
4while(new ! old) 5 unlock ()
1
LOCK
Q. How to find predicates ?
2
LOCK , newold
SAFE
3
LOCK , newold
4
4
LOCK , newold
LOCK , new old
1
5
5
Refinement
LOCK, new old
4
4
4
1
LOCK , newold
2
3
Predicates LOCK, newold
65Predicates grows with program size
while(1) 1 if (p1) lock() if (p1)
unlock() 2 if (p2) lock() if
(p2) unlock() n if (pn) lock()
if (pn) unlock()
T F T
Tracking lock not enough
Problem p1,,pn needed for verification Exponen
tial reachable abstract states
66Predicates grows with program size
while(1) 1 if (p1) lock() if (p1)
unlock() 2 if (p2) lock() if
(p2) unlock() n if (pn) lock()
if (pn) unlock()
LOCK
LOCK, p1
LOCK, p1
LOCK, p1
LOCK, p1
LOCK
p1p2
p1 p2
p1 p2
p1 p2
2n Abstract States
Problem p1,,pn needed for verification Exponen
tial reachable abstract states
67Predicates useful locally
while(1) 1 if (p1) lock() if (p1)
unlock() 2 if (p2) lock() if
(p2) unlock() n if (pn) lock()
if (pn) unlock()
LOCK
p1
LOCK , p1
LOCK, p1
LOCK , p1
LOCK
LOCK , p1
LOCK
LOCK
p2
pn
2n Abstract States
Solution Use predicates only where needed Using
Counterexamples Q1. Find predicates Q2. Find
where predicates are needed
68Lazy Abstraction
Yes
Safe
Abstract
C Program
Refine
No
Property
Trace
Problem Preds grows w/ Program Size
Solution Localize pred. use, find where preds.
needed
Ctrex. Trace
Pred. Map PC ? Preds.
Refine
69Counterexample Traces
1 x ctr 2 ctr ctr 1 3 y ctr 4 if
(x i-1) 5 if (y ! i) ERROR
1 x ctr 2 ctr ctr 1 3 y ctr 4
assume(x i-1) 5 assume(y ? i)
y x 1
70Trace Formulas
1 x ctr 2 ctr ctr1 3 y ctr 4
assume(xi-1) 5 assume(y?i)
x1 ctr0 Æ ctr1 ctr0 1 Æ y1
ctr1 Æ x1 i0 - 1 Æ y1 ? i0
1 x1 ctr0 2 ctr1 ctr01 3 y1 ctr1 4
assume(x1i0-1) 5 assume(y1?i0)
Trace
Trace Feasibility Formula
SSA Trace
Thm Trace is feasible , TF is satisfiable
71The Present State
Trace
1 x ctr 2 ctr ctr 1 3 y ctr 4
assume(x i-1) 5 assume(y ? i)
is all the information the executing program
has here
State
1. after executing trace past (prefix) 2.
knows present values of variables 3. makes
trace future (suffix) infeasible
At pc4, which predicate on present state shows
infeasibility of future ?
72What Predicate is needed ?
Trace Formula (TF)
Trace
x1 ctr0 Æ ctr1 ctr0 1 Æ y1
ctr1 Æ x1 i0 - 1 Æ y1 ? i0
1 x ctr 2 ctr ctr 1 3 y ctr 4
assume(x i-1) 5 assume(y ? i)
73What Predicate is needed ?
Trace Formula (TF)
Trace
x1 ctr0 Æ ctr1 ctr0 1 Æ y1
ctr1 Æ x1 i0 - 1 Æ y1 ? i0
1 x ctr 2 ctr ctr 1 3 y ctr 4
assume(x i-1) 5 assume(y ? i)
Relevant Information
Predicate
1. after executing trace prefix
implied by TF prefix
74What Predicate is needed ?
Trace Formula (TF)
Trace
x1 ctr0 Æ ctr1 ctr0 1 Æ y1
ctr1 Æ x1 i0 - 1 Æ y1 ? i0
x1
1 x ctr 2 ctr ctr 1 3 y ctr 4
assume(x i-1) 5 assume(y ? i)
x1
Predicate
Relevant Information
1. after executing trace prefix 2. has
present values of variables
implied by TF prefix on common variables
75What Predicate is needed ?
Trace Formula (TF)
Trace
x1 ctr0 Æ ctr1 ctr0 1 Æ y1
ctr1 Æ x1 i0 - 1 Æ y1 ? i0
1 x ctr 2 ctr ctr 1 3 y ctr 4
assume(x i-1) 5 assume(y ? i)
Predicate
Relevant Information
1. after executing trace prefix 2. has
present values of variables 3. makes trace
suffix infeasible
implied by TF prefix on common variables
TF suffix is unsatisfiable
76What Predicate is needed ?
Trace Formula (TF)
Trace
x1 ctr0 Æ ctr1 ctr0 1 Æ y1
ctr1 Æ x1 i0 - 1 Æ y1 ? i0
1 x ctr 2 ctr ctr 1 3 y ctr 4
assume(x i-1) 5 assume(y ? i)
Predicate
Relevant Information
1. after executing trace prefix 2. has
present values of variables 3. makes trace
suffix infeasible
implied by TF prefix on common variables
TF suffix is unsatisfiable
77Interpolant Predicate !
Trace Formula
Trace
1 x ctr 2 ctr ctr 1 3 y ctr 4
assume(x i-1) 5 assume(y ? i)
x1 ctr0 Æ ctr1 ctr0 1 Æ y1
ctr1 Æ x1 i0 - 1 Æ y1 ? i0
Predicate at 4 y x1
?-
Interpolate
?
?
y1 x1 1
Predicate
Craig Interpolant Craig 57 Computable from
Proof of Unsat Krajicek 97 Pudlak 97
implied by TF prefix on common variables
TF suffix is unsatisfiable
78Another interpretation
Trace Formula
x1 ctr0 Æ ctr1 ctr0 1 Æ y1
ctr1 Æ x1 i0 - 1 Æ y1 ? i0
Predicate at 4 y x1
After exec prefix
?-
?-
?
Interpolate
?
Can exec suffix
?
?
y1 x1 1
Unsat Empty Intersection Trace Infeasible
Interpolant ? Overapprox. states after prefix
that cannot execute suffix
79Interpolant Predicate !
Trace Formula
Trace
1 x ctr 2 ctr ctr 1 3 y ctr 4
assume(x i-1) 5 assume(y ? i)
x1 ctr0 Æ ctr1 ctr0 1 Æ y1
ctr1 Æ x1 i0 - 1 Æ y1 ? i0
Predicate at 4 y x1
?-
Interpolate
?
?
y1 x1 1
Predicate
Craig Interpolant Craig 57 Computable from
Proof of Unsat Krajicek 97 Pudlak 97
implied by TF prefix on common variables
TF suffix is unsatisfiable
80Interpolant Predicate !
Trace Formula
Trace
1 x ctr 2 ctr ctr 1 3 y ctr 4
assume(x i-1) 5 assume(y ? i)
x1 ctr0 Æ ctr1 ctr0 1 Æ y1
ctr1 Æ x1 i0 - 1 Æ y1 ? i0
Predicate at 4 y x1
?-
Interpolate
?
Q. How to compute interpolants ?
?
y1 x1 1
Predicate
Craig Interpolant Craig 57 Computable from
Proof of Unsat Krajicek 97 Pudlak 97
implied by TF prefix on common variables
TF suffix is unsatisfiable
81Building Predicate Maps
Predicate Map 2 x ctr
Trace
Trace Formula
?-
1 x ctr 2 ctr ctr 1 3 y ctr 4
assume(x i-1) 5 assume(y ? i)
x1 ctr0 Æ ctr1 ctr0 1 Æ y1
ctr1 Æ x1 i0 - 1 Æ y1 ? i0
Interpolate
x1 ctr0
?
- Cut Interpolate at each point
- Pred. Map pci ? Interpolant from cut i
82Building Predicate Maps
Predicate Map 2 x ctr 3 x ctr-1
Trace
Trace Formula
1 x ctr 2 ctr ctr 1 3 y ctr 4
assume(x i-1) 5 assume(y ? i)
x1 ctr0 Æ ctr1 ctr0 1 Æ y1
ctr1 Æ x1 i0 - 1 Æ y1 ? i0
?-
Interpolate
x1 ctr1-1
?
- Cut Interpolate at each point
- Pred. Map pci ? Interpolant from cut i
83Building Predicate Maps
Predicate Map 2 x ctr 3 x ctr - 1 4 y x
1
Trace
Trace Formula
1 x ctr 2 ctr ctr 1 3 y ctr 4
assume(x i-1) 5 assume(y ? i)
x1 ctr0 Æ ctr1 ctr0 1 Æ y1
ctr1 Æ x1 i0 - 1 Æ y1 ? i0
y1 x11
- Cut Interpolate at each point
- Pred. Map pci ? Interpolant from cut i
84Building Predicate Maps
Predicate Map 2 x ctr 3 x ctr - 1 4 y x
1 5 y i
Trace
Trace Formula
1 x ctr 2 ctr ctr 1 3 y ctr 4
assume(x i-1) 5 assume(y ? i)
x1 ctr0 Æ ctr1 ctr0 1 Æ y1
ctr1 Æ x1 i0 - 1 Æ y1 ? i0
y1 i0
- Cut Interpolate at each point
- Pred. Map pci ? Interpolant from cut i
85Local Predicate Use
- Use predicates needed at location
- Preds. grows with program size
- Preds per location small
Predicate Map 2 x ctr 3 x ctr - 1 4 y x
1 5 y i
Verification scales
Local Predicate use Ex 2n states
Global Predicate use Ex 2n states
86Localizing
Property3 IRP Handler Win NT DDK
Pre-processed
87Lazy Abstraction
Yes
Safe
Abstract
C Program
Refine
No
Property
Trace
Problem Preds grows w/ Program Size
Solution Localize pred. use, find where preds.
needed
Refine
Trace Feas Formula
Proof of Unsat
Ctrex. Trace
Pred. Map PC ? Preds.
Thm Pvr
Interpolate
88So far
- Lazy Abstraction
- Predicates
- Abstract infinite program states
- Counterexample-guided Refinement
- Find predicates tailored to prog, property
- Abstraction Expensive
- Reachability Tree
- Refinement Find predicates, use locations
Proof of unsat of TF Interpolation
89Plan
- Motivation
- Lazy Abstraction
- Demo
- Technical Details
- Q How to compute successors ?
- Q How to find predicates ?
- Q How to analyze (recursive) procedures ?
- Q How to analyze long traces ?
90Technical Details
Example ( ) 1 do lock() old
new q q-gtnext 2 if (q ! NULL) 3
q-gtdata new unlock() new
4while(new ! old) 5 unlock ()
1
LOCK
Q. How to analyze recursive procedures ?
2
LOCK , newold
SAFE
3
LOCK , newold
4
4
LOCK , newold
LOCK , new old
1
5
5
Refinement
LOCK, new old
4
4
4
1
LOCK , newold
2
3
Predicates LOCK, newold
91An example
main() ? 1 if (flag) 2 y
inc(x,flag) 3 if (yltx) ERROR else 4
y inc(z,flag) 5 if (ygtz) ERROR
? return
inc(int a, int sign) 1 if (sign) 2 rv
a1 else 3 rv a-1 4 return
rv
92Inline Calls in Reach Tree
main() ? 1 if (flag) 2 y
inc(x,flag) 3 if (yltx) ERROR else 4
y inc(z,flag) 5 if (ygtz) ERROR
? return
Initial
1
4
2
1,4
1,2
2,4
3,4
2,2
3,2
inc(int a, int sign) 1 if (sign) 2 rv
a1 else 3 rv a-1 4 return
rv
4,4
4,4
4,2
4,2
5
5
3
3
93Inline Calls in Reach Tree
- Problem
- Repeated analysis for inc
- Exploding call contexts
Initial
1
4
2
int x //global f1() 1 x 0 2 if()
f2() 3 else f2() 4 if (xlt0)
ERROR return
1,4
1,2
f2() 1 if() f3() 2 else f3() return
f3() 1 if() f4() 2 else f4() return
2,4
3,4
2,2
3,2
f4() 1 if() f5() 2 else f5() return
fn() 1 x return
4,4
4,4
4,2
4,2
5
5
3
3
2n nodes in Reach Tree
94Inline Calls in Reach Tree
- Problem
- Repeated analysis for inc
- Exploding call contexts
- Cyclic call graph (Recursion)
- Infinite Tree!
Initial
1
4
2
1,4
1,2
2,4
3,4
2,2
3,2
4,4
4,4
4,2
4,2
5
5
3
3
95Solution Procedure Summaries
- Summaries Input/Output behavior
- Plug summaries in at each callsite
- instead of inlining entire procedure
- Sharir-Pnueli 81, Reps-Horwitz-Sagiv 95
- Summary set of (F ? F)
- F Precondition formula describing input state
- F Postcondition formula describing output
state
96Solution Procedure Summaries
- Summaries Input/Output behavior
- Plug summaries in at each callsite
- instead of inlining entire procedure
- Sharir-Pnueli 81, Reps-Horwitz-Sagiv 95,
Ball-Rajamani 01 - Summary set of (F ? F)
- F Precondition formula describing input state
- F Postcondition formula describing output
state
inc(int a, int sign) 1 if (sign) 2 rv
a1 else 3 rv a-1 4 return
rv
- ( sign0 ? rv gt a)
- (sign 0 ? rv lt a)
Q. How to compute, use summaries ?
97Lazy Abstraction Procedure Summaries
Yes
Safe
Abstract
C Program
Refine
No
Property
Trace
Q. How to compute, use summaries ?
98Abstraction with Summaries
main
main() ? 1 if (flag) 2 y
inc(x,flag) 3 if (yltx) ERROR else 4
y inc(z,flag) 5 if (ygtz) ERROR
? return
1
flag!0
2
flag0
ax signflag
sign0
inc(int a, int sign) 1 if (sign) 2 rv
a1 else 3 rv a-1 4 return
rv
Predicates flag0 , ygtx , yltz sign0
, rvgta , rvlta
99Abstraction with Summaries
main
inc
main() ? 1 if (flag) 2 y
inc(x,flag) 3 if (yltx) ERROR else 4
y inc(z,flag) 5 if (ygtz) ERROR
? return
1
1
sign0
sign!0
2
flag0
2
sign0
ax signflag
rva1
sign0
4
rvgta
inc(int a, int sign) 1 if (sign) 2 rv
a1 else 3 rv a-1 4 return
rv
Predicates flag0 , ygtx , yltz sign0
, rvgta , rvlta
Summary ( sign0 ? rvgta),
100Summary Successor
main
inc
main() ? 1 if (flag) 2 y
inc(x,flag) 3 if (yltx) ERROR else 4
y inc(z,flag) 5 if (ygtz) ERROR
? return
1
1
sign0
ax signflag
2
flag0
2
assume rvgta
3
ygtx
yrv
4
rvgta
inc(int a, int sign) 1 if (sign) 2 rv
a1 else 3 rv a-1 4 return
rv
Predicates flag0 , ygtx , yltz sign0
, rvgta , rvlta
Summary ( sign0 ? rvgta),
101Abstraction with Summaries
main
inc
main() ? 1 if (flag) 2 y
inc(x,flag) 3 if (yltx) ERROR else 4
y inc(z,flag) 5 if (ygtz) ERROR
? return
1
1
sign0
flag0
sign0
2
4
flag0
flag0
3
2
3
ygtx
sign0
4
rvgta
yltx
az signflag
inc(int a, int sign) 1 if (sign) 2 rv
a1 else 3 rv a-1 4 return
rv
Predicates flag0 , ygtx , yltz sign0
, rvgta , rvlta
Summary ( sign0 ? rvgta),
102Abstraction with Summaries
main
inc
main() ? 1 if (flag) 2 y
inc(x,flag) 3 if (yltx) ERROR else 4
y inc(z,flag) 5 if (ygtz) ERROR
? return
1
1
1
sign0
sign0
2
4
flag0
flag0
3
3
2
2
3
ygtx
sign0
4
4
rvgta
rvlta
az signflag
inc(int a, int sign) 1 if (sign) 2 rv
a1 else 3 rv a-1 4 return
rv
Predicates flag0 , ygtx , yltz sign0
, rvgta , rvlta
Summary ( sign0 ? rvgta),
(sign0 ? rvlta)
103Summary Successor
main
inc
main() ? 1 if (flag) 2 y
inc(x,flag) 3 if (yltx) ERROR else 4
y inc(z,flag) 5 if (ygtz) ERROR
? return
1
1
1
sign0
sign0
2
4
flag0
flag0
3
3
2
2
3
3
ygtx
yltz
4
4
rvgta
rvlta
ax signflag
inc(int a, int sign) 1 if (sign) 2 rv
a1 else 3 rv a-1 4 return
rv
assume rvlta
yrv
Predicates flag0 , ygtx , yltz sign0
, rvgta , rvlta
Summary ( sign0 ? rvgta),
(sign0 ? rvlta)
104Abstraction with Summaries
main
inc
main() ? 1 if (flag) 2 y
inc(x,flag) 3 if (yltx) ERROR else 4
y inc(z,flag) 5 if (ygtz) ERROR
? return
1
1
1
sign0
sign0
2
4
flag0
flag0
3
3
2
2
3
3
ygtx
yltz
4
4
rvgta
rvlta
ygtz
inc(int a, int sign) 1 if (sign) 2 rv
a1 else 3 rv a-1 4 return
rv
Predicates flag0 , ygtx , yltz sign0
, rvgta , rvlta
Summary ( sign0 ? rvgta),
(sign0 ? rvlta)
105Another Call
main
inc
main() ? 1 if (flag) 2 y
inc(x,flag) 3 if (yltx) ERROR else 4
y inc(z,flag) 5 if (ygtz) ERROR 6
y1 inc(z1,1) 7 if (y1ltz1) ERROR return
1
1
1
sign0
sign0
2
4
flag0
flag0
3
3
2
2
3
3
ygtx
yltz
4
4
rvgta
rvlta
inc(int a, int sign) 1 if (sign) 2 rv
a1 else 3 rv a-1 4 return
rv
6
6
az1 sign1
sign0
Summary ( sign0 ? rvgta),
(sign0 ? rvlta)
Predicates flag0 ,ygtx,yltz, y1gtz1
sign0 , rvgta , rvlta
106Another Call
main
inc
main() ? 1 if (flag) 2 y
inc(x,flag) 3 if (yltx) ERROR else 4
y inc(z,flag) 5 if (ygtz) ERROR 6
y1 inc(z1,1) 7 if (y1ltz1) ERROR return
1
1
1
sign0
sign0
2
4
flag0
flag0
3
3
2
2
3
3
ygtx
yltz
4
4
rvgta
rvlta
inc(int a, int sign) 1 if (sign) 2 rv
a1 else 3 rv a-1 4 return
rv
6
6
SAFE
az1 sign1
7
y1gtz1
assume rvgta
y1rv
Summary ( sign0 ? rvgta),
(sign0 ? rvlta)
Predicates flag0 ,ygtx,yltz, y1gtz1
sign0 , rvgta , rvlta
107Plan
- Motivation
- Lazy Abstraction
- Demo
- Technical Details
- Q How to compute successors ?
- Q How to find predicates ?
- Q How to analyze (recursive) procedures ?
- Q How to analyze long traces ?
108Technical Details
Example ( ) 1 do lock() old
new q q-gtnext 2 if (q ! NULL) 3
q-gtdata new unlock() new
4while(new ! old) 5 unlock ()
1
LOCK
Q. How to analyze long traces ?
2
LOCK , newold
SAFE
3
LOCK , newold
4
4
LOCK , newold
LOCK , new old
1
5
5
Refinement
LOCK, new old
4
4
4
1
LOCK , newold
2
3
Predicates LOCK, newold
109Example
- Assume f always terminates
- ERR is reachable
- a and x are unconstrained
- Any feasible path to error must unroll the loop
1000 times AND find feasible paths through f - Any other path must be dismissed as a false
positive
- Example ( )
- 1c 0
- 2for(i1ilt1000i)
- 3 c c f(i)
- 4if (agt0)
- 5 if (x0)
- ERR
-
-
110Example
- Intuitively, the for loop is irrelevant
- ERR reachable as long as there exists some path
from 2 to 4 that does not modify a or x - Can we use static analysis to precisely report a
statement is reachable without finding a feasible
path?
- Example ( )
- 1c 0
- 2for(i1ilt1000i)
- 3 c c f(i)
- 4if (agt0)
- 5 if (x0)
- ERR
-
-
111Example
1
1
- Example ( )
- 1c 0
- 2for(i1ilt1000i)
- 3 c c f(i)
- 4if (agt0)
- 5 if (x0)
- ERR
-
-
c 0
2
i 1
2
ilt1000
3
c c f(i)i
2
i1000
4
4
agt0
agt0
5
5
x0
x0
112Path Slice, Formally
- The path slice of a program path ? is a
subsequence of the edges of ? such that if the
sequence of operations along the subsequence is - infeasible, then ? is infeasible, and
- feasible, then the last location of ? is
reachable (but not necessarily along ?)
113Computing Path Slices
- Intuitively, drop some edges, but leave branches
that must be taken to reach the target, and
assignments that feed into the branch conditions - Backward dataflow over the path, tracking at each
node - step location source location of the last edge
along the path added to the slice - live variables set of relevant variables whose
values determine whether or not the target is
reachable along the suffix
114Example
A conditional is taken if either (1) there is a
path from the current node to the step location
on which a live variable is modified, or (2) the
current node does not post-dominate the step
location
1
- Example ( )
- 1c 0
- 2for(i1ilt1000i)
- 3 c c f(i)
- 4if (agt0)
- 5 if (x0)
- ERR
-
-
c 0
2
i 1
2
ilt1000
3
c c f(i)i
2
i1000
4
agt0
5
x0
ERR,
115Conditionals
current
current
x2 Live
X
step
step
?
?
116Example
A conditional is taken if either (1) there is a
path from the current node to the step location
on which a live variable is modified, or (2) the
current node does not post-dominate the step
location
1
- Example ( )
- 1c 0
- 2for(i1ilt1000i)
- 3 c c f(i)
- 4if (agt0)
- 5 if (x0)
- ERR
-
-
c 0
2
i 1
2
ilt1000
3
c c f(i)i
2
Live (Live n Wr(op)) Rd(op)
i1000
4
agt0
5
x0
ERR,
117Example
1
- Example ( )
- 1c 0
- 2for(i1ilt1000i)
- 3 c c f(i)
- 4if (agt0)
- 5 if (x0)
- ERR
-
-
c 0
2
i 1
2
ilt1000
3
c c f(i)i
2
i1000
4
agt0
5
x0
ERR,
118Example
1
- Example ( )
- 1c 0
- 2for(i1ilt1000i)
- 3 c c f(i)
- 4if (agt0)
- 5 if (x0)
- ERR
-
-
c 0
2
i 1
2
ilt1000
3
c c f(i)i
2
4, x, a
i1000
4
4, x, a
agt0
5
5, x
x0
ERR,
119Example
1
- Example ( )
- 1c 0
- 2for(i1ilt1000i)
- 3 c c f(i)
- 4if (agt0)
- 5 if (x0)
- ERR
-
-
c 0
2
An assignment is taken if the assigned variable
is in the Live set
i 1
2
ilt1000
3
c c f(i)i
2
4, x, a
i1000
4
4, x, a
agt0
5
5, x
x0
ERR,
120Example
1
4, x, a
- Example ( )
- 1c 0
- 2for(i1ilt1000i)
- 3 c c f(i)
- 4if (agt0)
- 5 if (x0)
- ERR
-
-
c 0
2
4, x, a
i 1
4, x, a
2
ilt1000
4, x, a
3
c c f(i)i
2
4, x, a
i1000
4
4, x, a
agt0
5
5, x
x0
ERR,
121Slice
1
- Example ( )
- 1c 0
- 2for(i1ilt1000i)
- 3 c c f(i)
- 4if (agt0)
- 5 if (x0)
- ERR
-
-
4
agt0
5
x0
122Example 2 Infeasible Path
- Example ( )
- Aif (agt0)
- B x 1
-
- 1 c 0
- 2for(i1ilt1000i)
- 3 c c f(i)
- 4if (agt0)
- 5 if (x0)
- ERR
-
-
123Example 2 Infeasible Path
- Example ( )
- Aif (agt0)
- B x 1
-
- 1 c 0
- 2for(i1ilt1000i)
- 3 c c f(i)
- 4if (agt0)
- 5 if (x0)
- ERR
-
-
A, a
A
agt0
B, a
B
x 1
1
4, x, a
c 0
2
4, x, a
i 1
Live (Live n Wr(op)) Rd(op)
4, x, a
2
ilt1000
4, x, a
3
c c f(i)i
2
4, x, a
i1000
4
4, x, a
agt0
5
5, x
x0
ERR,
124Slice
Example ( ) Aif (agt0) B x 1 1 c
0 2for(i1ilt1000i) 3 c c f(i) 4if
(agt0) 5 if (x0) ERR
A
agt0
B
x 1
1
Infeasible Slice implies Infeasible trace
4
agt0
5
x0
125Lazy Abstraction Summary
Yes
Safe
Abstract
C Program
Path Slice
Refine
No
Property
Trace
126Lazy Abstraction Summary
- Predicates
- Abstract infinite program states
- Counterexample-guided Refinement
- Find predicates tailored to prog, property
- Abstraction Expensive
- Reachability Tree, Procedure summaries
- Refinement Find predicates, use locations
- Slice irrelevant details
- Proof of unsat of TF Interpolation
127Verification by Theorem Proving
Example ( ) 1 do lock() old
new q q-gtnext 2 if (q ! NULL) 3
q-gtdata new unlock() new
4 while(new ! old) 5 unlock ()
return
- 1. Loop Invariants
- 2. Logical formula
- 3. Check Validity
Invariant lock Æ new old Ç
lock Æ new ? old
128Verification by Theorem Proving
Example ( ) 1 do lock() old
new q q-gtnext 2 if (q ! NULL) 3
q-gtdata new unlock() new
4 while(new ! old) 5 unlock ()
return
- 1. Loop Invariants
- 2. Logical formula
- 3. Check Validity
- - Loop Invariants
- Multithreaded Programs
- Behaviors encoded in logic
- Decision Procedures
-
ESC
Precise
129Verification by Program Analysis
Example ( ) 1 do lock() old
new q q-gtnext 2 if (q ! NULL) 3
q-gtdata new unlock() new
4 while(new ! old) 5 unlock ()
return
1. Dataflow Facts 2. Constraint System 3. Solve
constraints
- Imprecision due to fixed facts Abstraction
Type/Flow Analyses
CQUAL, ESP, MC
Scalable
130Verification by Model Checking
Example ( ) 1 do lock() old
new q q-gtnext 2 if (q ! NULL) 3
q-gtdata new unlock() new
4 while(new ! old) 5 unlock ()
return
1. (Finite State) Program 2. State Transition
Graph 3. Reachability
- - Pgm ! Finite state model
- State explosion
- State Exploration
- Counterexamples
SPIN, SMV, Bandera,JPF
Precise
131Combining Strengths
Program Analysis - Imprecise
Abstraction Shrink state space
- Theorem Proving
- - loop invariants
- Behaviors encoded in logic
- Refine
- Theorem provers
- Computing Successors,Refine
Lazy Abstraction
Model Checking - Finite-state model, state
explosion State Space Exploration Path
Sensitive Analysis Counterexamples Finding
Relevant Facts
132Thank you
- http//www.eecs.berkeley.edu/blast