Counterexample-Guided Focus - PowerPoint PPT Presentation

1 / 25
About This Presentation
Title:

Counterexample-Guided Focus

Description:

Title: Nested Lazy Abstraction Refinement Author: Administrator Last modified by: wies Document presentation format: On-screen Show Other titles: Arial Wingdings ... – PowerPoint PPT presentation

Number of Views:142
Avg rating:3.0/5.0
Slides: 26
Provided by: Admini618
Learn more at: https://cs.nyu.edu
Category:

less

Transcript and Presenter's Notes

Title: Counterexample-Guided Focus


1
Counterexample-Guided Focus
  • Thomas Wies
  • Institute of Science and Technology (IST) Austria
  • joint work with
  • Andreas Podelski
  • University of Freiburg

TexPoint fonts used in EMF. Read the TexPoint
manual before you delete this box. AAAAAAAAAA
2
Motivation
Verify complex properties of heap-manipulating
programs
root
  • public void filter(Predicate p)
  • / requires "p ? null"
  • modifies content
  • ensures "content old content Ã… (pred p)"
    /
  • Node e root
  • while (e ! null)
  • Node c e
  • e e.next
  • if (!p.contains(c.data))
  • if (c.prev null)
  • e.prev null root e
  • else
  • c.prev.next e e.prev c


p
next
prev
  • Quantified properties
  • data structure invariants
  • 8 x. next(prev(x)) x
  • functional correctness
  • 8 x. next(root,x)
  • (old next)(root, x)Æ x 2 pred(p)


p
next

p
prev

p
3
Verification of Safety Properties
state space
safe invariant
reachable states
error states
4
Software Model Checking
Existing tools SLAM, BLAST, ARMC, MAGIC,
state space
reachable states
P1ÆP2Æ
  • generic approach
  • offers high degree of automation(through use of
    automated reasoning techniques)

error states
P1 x0 P2 ygt0
5
The Eternal Quest for the Right
Precision/Efficiency Tradeoff
Crucial problem in the verification of heap
programs.
6
Goal Adapted Abstraction
Fine-tune precision to the specific verification
task.
reachable states
error states
7
Boolean Heaps Podelski, Wies SAS05
Use idea of Sagiv, Reps, Wilhelm
2002 Partition heap according to a finite set
of predicates.
0
7
3
8
Boolean Heaps
Use idea of Sagiv, Reps, Wilhelm
2002 Partition heap according to a finite set
of predicates.
Abstract state
Abstract domain disjunctions of abstract states
9
Most Precise Abstract Transformer
10
Most Precise Abstract Transformer
Verification succeeds!
11
Precision-Efficiency Tradeoff
Number of abstract states is doubly-exponential
in number of predicates
reachable states
  • Most precise abstract transformer is impractical
  • expensive to construct
  • keeps track of irrelevant information
  • Solution apply additional abstraction

error states
12
Cartesian Abstraction
for abstracting sets of vectors
y
S
Sy
Sx Sy
x
Sx
..., Cousot, Cousot PPCA95, Ball, Podelski,
Rajamani TACAS01,
13
Cartesian Abstraction
  • abstract states are sets of bit-vectors
  • Cartesian abstraction applies
  • abstr. transformer w/ Cartesian abstraction is
    efficiently implementable
  • check entailments between QF formulas
  • number of entailment checks polynomial in number
    of predicates
  • precise enough for many practical examples
  • not precise enough for many practical examples

14
Abstract Transformer with Cartesian Abstraction
3
7
,
0
7
15
Focus
  • Common recipe in shape analysis
  • start from coarse but efficient abstract
    transformer
  • adapt precision to each individual program
    statement and individual data structures
  • (partial concretization / materialization /
    focus)
  • Problem
  • Fine-tuning precision uniformly makes analysis
    again too precise (i.e., often
    inefficient)
  • Exciting research direction
  • Parameterized focus that adapts abstract
    transformer to the individual verification tasks
  • e.g. Manevich et al., 2004, 2007, 2009

16
Counterexample-Guided Focus
  • Idea take this direction to its logical extreme
  • Fine-tune focus to the individual steps of the
    analysis of the individual verification task
  • This fine-tuning must be automated.
  • We use counterexamples for this purpose.

17
Loss of Precision under Cartesian abstraction
y
splitting is guided by counterexamples
S
Sy
Sx Sy
x
Sx
18
Effect of Counterexample-Guided Focus
3
7
0
7
19
Nested Lazy CEGAR Loop
  • outer loop refines abstract domain by inferring
    new predicates
  • inner loop fine-tunes abstract transformer using
    counterexample-guided focus

Progress theorem every spurious counterexample
is eventually eliminated
20
Implementation in the Tool Bohne
Verified data structure implementations
  • (doubly-linked) lists
  • lists with iterators
  • sorted lists
  • skip lists
  • search trees
  • trees w/ parent pointers
  • threaded trees

21
Implementation in the Tool Bohne
Verified properties
  • absence of runtime errors
  • shape invariants
  • acyclic
  • sharing-free
  • doubly-linked
  • parent-linked
  • threaded
  • sorted
  • partial correctness
  • Summary of Experiments
  • no manual adaptation of abstract domain /
    abstract transformer required
  • many examples fail without counterexample-guided
    focus
  • number of explored abstract states is drastically
    reduced

22
Further Related Work
  • Shape analysis
  • three-valued shape analysis Sagiv, Reps, Wilhelm
    2002
  • decision procedures in TVLA Yorsh et al. 2004,
    , Lev-Ami et al. 2006
  • parameterized focus for concurrent programs
    Manevich et al., 2004, 2007, 2009
  • Predicate abstraction
  • CE-guided refinement of abstract transformers
    Das, Dill 2002
  • nested refinement for predicate abstraction Ball
    et al. 2004
  • indexed predicate abstraction Lahiri, Bryant
    2004
  • lazy abstraction Henzinger et al. 2002
  • lazy shape analysis Beyer et al. 2006
  • Interpolants
  • quantified Craig interpolants McMillan 2008,
    Kovács, Voronkov 2009
  • abstractions from proofs Henzinger et al. 2004
  • Template-based techniques Gulwani et al. 2008,
    Srivastava, Gulwani 2009

23
Conclusion
Focus and CEGAR can be fruitfully integrated to
enhance one another
  • Focus can be made effective in a CEGAR setting
  • CEGAR lazily applies focus
  • CEGAR drives fine-tuning of focus to the extreme
  • CEGAR can be made effective for inferring
    quantified invariants because
  • focus provides progress of CEGAR and
  • focus provides precision needed for verifying
    practical examples

24
Counterexample-Guided Focus
  • analysis of abstract program produces spurious
    counterexamples
  • spuriousness results from imprecise abstract
    transformer
  • construct fine-tuned focus operator that locally
    adapts precision of abstract transformer
  • locally refine the abstract domain of the
    pre-image of the abstract transformer
  • locally refine the pre-image itself by splitting
    disjuncts below and above the universal
    quantifier
  • both refinements are guided by the spurious
    counterexample

25
Costs and Gains of Automation
Comparison between TVLA and Bohne for
various list-manipulating programs
  • Checked properties
  • absence of runtime errors
  • preservation of list structure (acyclicity,
    sharing freeness)
Write a Comment
User Comments (0)
About PowerShow.com