JPF2: Predicate Abstraction CS 510 / 10
Predicate Abstraction Extract a finite state model from an infinite state system Used to prove assertions or safety properties Successfully applied for verification of C programs SLAM (used in windows device driver verification) MAGIC, BLAST, F-Soft
Example for Predicate Abstraction void main() { void main() { bool p1, p2; bool p1, p2; int main() { int main() { int i; int i; p1=TRUE; p1=TRUE; p2=TRUE; p2=TRUE; p 2 ⇔ even(i) = i=0; i=0; + p 1 ⇔ i=0 p 1 ⇔ i=0 while(p2) while(p2) while(even(i)) while(even(i)) p 2 ⇔ even(i) { { i++; i++; p1=p1?FALSE:nondet(); p1=p1?FALSE:nondet(); } } p2=!p2; p2=!p2; } } } } C program Predicates Boolean program [Graf, Saidi ’97] [Ball, Rajamani ’01]
Computing Predicate Abstraction How to get predicates for checking a given property? How do we compute the abstraction? Predicate Abstraction is an over- approximation How to refine coarse abstractions?
Counterexample Guided Abstraction Refinement loop Initial Verification Abstraction No error C C or bug found Abstract Abstract Model Program Program model model Checker Property holds Simulation sucessful Abstraction refinement Refinement Simulator Bug found Spurious counterexample
Example Example ( ) { Example ( ) { 1 : do{ 1 : do{ lock(); lock(); lock old = new; old = new; q = q->next; q = q->next; 2 : if (q != NULL){ 2 : if (q != NULL){ unlock 3 : q->data = new; 3 : q->data = new; unlock lock unlock(); unlock(); new ++; new ++; } } 4 : } while(new != old); 4 : } while(new != old); 5 : unlock (); 5 : unlock (); return; return; } }
What a program really is … State Transition pc pc → 3 → 4 3 : unlock(); 3 : unlock(); lock lock → → new++; new++; old old → 5 → 5 4 :} … 4 :} … new new → 5 → 6 q q → 0x133a → 0x133a Example ( ) { Example ( ) { 1 : do{ 1 : do{ lock(); lock(); old = new; old = new; q = q->next; q = q->next; 2 : if (q != NULL){ 2 : if (q != NULL){ 3 : q->data = new; 3 : q->data = new; unlock(); unlock(); new ++; new ++; } } 4 : } while(new != old); 4 : } while(new != old); 5 : unlock (); 5 : unlock (); return;} return;}
The Safety Verification Problem Error Safe Initial Is there a path from an initial to an error state ? Problem: Infinite state graph Solution : Set of states ' logical formula
Idea 1: Predicate Abstraction Predicates on program state: lock old = new States satisfying same predicates are equivalent Merged into one abstract state #abstract states is finite
Abstract States and Transitions State pc pc → 3 → 4 3 : unlock(); 3 : unlock(); lock lock → → new++; new++; old old → 5 → 5 4 :} … 4 :} … new new → 5 → 6 q q → 0x133a → 0x133a lock ! lock old=new ! old=new
Abstraction State pc pc → 3 → 4 3 : unlock(); 3 : unlock(); lock lock → → new++; new++; old old → 5 → 5 4 :} … 4 :} … new new → 5 → 6 q q → 0x133a → 0x133a lock ! lock old=new ! old=new Existential Approximation
Abstraction State pc pc → 3 → 4 3 : unlock(); 3 : unlock(); lock lock → → new++; new++; old old → 5 → 5 4 :} … 4 :} … new new → 5 → 6 q q → 0x133a → 0x133a lock ! lock old=new ! old=new
Analyze Abstraction Analyze finite graph Over Approximate: Safe => System Safe Problem Spurious counterexamples
Idea 2: Counterex.-Guided Refinement Solution Use spurious counterexamples to refine abstraction !
Idea 2: Counterex.-Guided Refinement Solution Use spurious counterexamples to refine abstraction 1. Add predicates to distinguish states across cut 2. Build refined abstraction
Iterative Abstraction-Refinement Solution Use spurious counterexamples to refine abstraction 1. Add predicates to distinguish states across cut 2. Build refined abstraction -eliminates counterexample 3. Repeat search Until real counterexample or system proved safe [Kurshan et al 93] [Clarke et al 00] [Ball-Rajamani 01]
Build-and-Search Example ( ) { Example ( ) { 1 : do{ 1 : do{ lock(); lock(); old = new; ! LOCK 1 old = new; q = q->next; q = q->next; 2 : if (q != NULL){ 2 : if (q != NULL){ 3 : q->data = new; 3 : q->data = new; unlock(); unlock(); new ++; new ++; } } 4 :}while(new != old); 4 :}while(new != old); 5 : unlock (); 5 : unlock (); } } 1 Predicates: LOCK
Build-and-Search Example ( ) { Example ( ) { 1 : do{ 1 : do{ lock(); lock(); old = new; ! LOCK 1 lock() old = new; q = q->next; q = q->next; old = new 2 : if (q != NULL){ 2 : if (q != NULL){ q=q->next 3 : q->data = new; LOCK 2 3 : q->data = new; unlock(); unlock(); new ++; new ++; } } 4 :}while(new != old); 4 :}while(new != old); 5 : unlock (); 5 : unlock (); } } 1 2 Predicates: LOCK
Build-and-Search Example ( ) { Example ( ) { 1 : do{ 1 : do{ lock(); lock(); old = new; ! LOCK 1 old = new; q = q->next; q = q->next; 2 : if (q != NULL){ 2 : if (q != NULL){ 3 : q->data = new; LOCK 2 3 : q->data = new; unlock(); [q!=NULL] unlock(); new ++; new ++; } } 3 LOCK 4 :}while(new != old); 4 :}while(new != old); 5 : unlock (); 5 : unlock (); } } 1 2 3 Predicates: LOCK
Build-and-Search Example ( ) { Example ( ) { 1 : do{ 1 : do{ lock(); lock(); old = new; ! LOCK 1 old = new; q = q->next; q = q->next; 2 : if (q != NULL){ 2 : if (q != NULL){ 3 : q->data = new; LOCK 2 3 : q->data = new; unlock(); unlock(); new ++; new ++; } } 3 LOCK 4 :}while(new != old); q ->data = new 4 :}while(new != old); 5 : unlock (); 5 : unlock (); unlock() } } new++ 4 ! LOCK 4 1 2 3 Predicates: LOCK
Build-and-Search Example ( ) { Example ( ) { 1 : do{ 1 : do{ lock(); lock(); old = new; ! LOCK 1 old = new; q = q->next; q = q->next; 2 : if (q != NULL){ 2 : if (q != NULL){ 3 : q->data = new; LOCK 2 3 : q->data = new; unlock(); unlock(); new ++; new ++; } } 3 LOCK 4 :}while(new != old); 4 :}while(new != old); 5 : unlock (); 5 : unlock (); } } 4 ! LOCK [new==old] ! LOCK 5 5 4 1 2 3 Predicates: LOCK
Build-and-Search Example ( ) { Example ( ) { 1 : do{ 1 : do{ lock(); lock(); old = new; ! LOCK 1 old = new; q = q->next; q = q->next; 2 : if (q != NULL){ 2 : if (q != NULL){ 3 : q->data = new; LOCK 2 3 : q->data = new; unlock(); unlock(); new ++; new ++; } } 3 LOCK 4 :}while(new != old); 4 :}while(new != old); 5 : unlock (); 5 : unlock (); } } 4 ! LOCK ! LOCK 5 5 unlock() 4 ! LOCK 1 2 3 Predicates: LOCK
Analyze Counterexample Example ( ) { Example ( ) { 1 : do{ 1 : do{ lock(); lock(); old = new; ! LOCK 1 lock() old = new; q = q->next; q = q->next; old = new 2 : if (q != NULL){ 2 : if (q != NULL){ q=q->next 3 : q->data = new; LOCK 2 3 : q->data = new; unlock(); unlock(); new ++; [q!=NULL] new ++; } } 3 LOCK 4 :}while(new != old); q ->data = new 4 :}while(new != old); 5 : unlock (); 5 : unlock (); unlock() } } new++ 4 ! LOCK [new==old] ! LOCK 5 unlock() 5 4 ! LOCK 1 2 3 Predicates: LOCK
Analyze Counterexample Example ( ) { Example ( ) { 1 : do{ 1 : do{ lock(); lock(); old = new; : LOCK 1 old = new; q = q->next; q = q->next; old = new 2 : if (q != NULL){ 2 : if (q != NULL){ 3 : q->data = new; LOCK 2 3 : q->data = new; unlock(); unlock(); new ++; new ++; } } 3 LOCK 4 :}while(new != old); 4 :}while(new != old); 5 : unlock (); 5 : unlock (); new++ } } 4 : LOCK [new==old] : LOCK 5 5 Inconsistent 4 : LOCK new == old 1 2 3 Predicates: LOCK
Repeat Build-and-Search Example ( ) { Example ( ) { 1 : do{ 1 : do{ lock(); lock(); old = new; : LOCK 1 old = new; q = q->next; q = q->next; 2 : if (q != NULL){ 2 : if (q != NULL){ 3 : q->data = new; 3 : q->data = new; unlock(); unlock(); new ++; new ++; } } 4 :}while(new != old); 4 :}while(new != old); 5 : unlock (); 5 : unlock (); } } 1 Predicates: LOCK, new==old
Repeat Build-and-Search Example ( ) { Example ( ) { 1 : do{ 1 : do{ lock(); lock(); old = new; ! LOCK 1 old = new; q = q->next; q = q->next; lock() 2 : if (q != NULL){ 2 : if (q != NULL){ 3 : q->data = new; old = new 2 3 : q->data = new; LOCK , new==old unlock(); unlock(); q=q->next new ++; new ++; } } 4 :}while(new != old); 4 :}while(new != old); 5 : unlock (); 5 : unlock (); } } 1 2 Predicates: LOCK, new==old
Repeat Build-and-Search Example ( ) { Example ( ) { 1 : do{ 1 : do{ lock(); lock(); old = new; ! LOCK 1 old = new; q = q->next; q = q->next; 2 : if (q != NULL){ 2 : if (q != NULL){ 3 : q->data = new; 2 3 : q->data = new; LOCK , new==old unlock(); unlock(); new ++; new ++; } } 3 LOCK , new==old 4 :}while(new != old); 4 :}while(new != old); q ->data = new 5 : unlock (); 5 : unlock (); unlock() } } new++ 4 ! LOCK , ! new = old 4 1 2 3 Predicates: LOCK, new==old
Recommend
More recommend
