predicate based model checking
play

Predicate-Based Model Checking Dirk Beyer LMU Munich, Germany Dirk - PowerPoint PPT Presentation

Jul 27, 2023 •38 likes •658 views

Predicate-Based Model Checking Dirk Beyer LMU Munich, Germany Dirk Beyer LMU Munich, Germany 1 / 1 Based on: Dirk Beyer, Matthias Dangl, Philipp Wendler: A Unifying View on SMT-Based Software Verification Journal of Automated Reasoning,

  1. Predicate-Based Model Checking Dirk Beyer LMU Munich, Germany Dirk Beyer LMU Munich, Germany 1 / 1

  2. Based on: Dirk Beyer, Matthias Dangl, Philipp Wendler: A Unifying View on SMT-Based Software Verification Journal of Automated Reasoning, Volume 60, Issue 3, 2018. https://doi.org/10.1007/s10817-017-9432-6 preprint: online on CPAchecker website under “Documentation” Dirk Beyer LMU Munich, Germany 2 / 1

  3. SMT-based Software Model Checking ◮ Predicate Abstraction ( Blast , CPAchecker , Slam , ...) ◮ Impact ( CPAchecker , Impact , Wolverine , ...) ◮ Bounded Model Checking ( Cbmc , CPAchecker , Esbmc , ...) ◮ k -Induction ( CPAchecker , Esbmc , 2ls , ...) Dirk Beyer LMU Munich, Germany 3 / 1

  4. Base: Adjustable-Block Encoding Originally for predicate abstraction: ◮ Abstraction computation is expensive ◮ Abstraction is not necessary after every transition ◮ Track precise path formula between abstraction states ◮ Reset path formula and compute abstraction formula at abstraction states ◮ Large-Block Encoding: abstraction only at loop heads (hard-coded) ◮ Adjustable-Block Encoding: introduce block operator "blk" to make it configurable Dirk Beyer LMU Munich, Germany 4 / 1

  5. Base: Configurable Program Analysis Configurable Program Analysis (CPA): ◮ Beyer, Henzinger, Théoduloz: [CAV’07] ◮ One single unifying algorithm for all algorithms based on state-space exploration ◮ Configurable components: abstract domain, abstract-successor computation, path sensitivity, ... Dirk Beyer LMU Munich, Germany 5 / 1

  6. Using the CPA Framework ◮ CPA Algorithm is a configurable reachability analysis for arbitrary abstract domains Source Parser & Results Code CFA Builder CPA Algorithm Dirk Beyer LMU Munich, Germany 6 / 1

  7. Using the CPA Framework ◮ CPA Algorithm is a configurable reachability analysis for arbitrary abstract domains ◮ Provide Predicate CPA for our predicate-based abstract domain Source Parser & Results Code CFA Builder CPA Algorithm Predicate CPA Dirk Beyer LMU Munich, Germany 6 / 1

  8. Using the CPA Framework ◮ CPA Algorithm is a configurable reachability analysis for arbitrary abstract domains ◮ Provide Predicate CPA for our predicate-based abstract domain ◮ Reuse other CPAs Source Parser & Results Code CFA Builder CPA Algorithm Spec Location Loop-Bound Predicate Spec CPA CPA CPA CPA Dirk Beyer LMU Munich, Germany 6 / 1

  9. Using the CPA Framework ◮ CPA Algorithm is a configurable reachability analysis for arbitrary abstract domains ◮ Provide Predicate CPA for our predicate-based abstract domain ◮ Reuse other CPAs ◮ Built further algorithms on top that make use of reachability analysis k -induction Algorithm CEGAR Source Parser & Results Algorithm Code CFA Builder CPA Algorithm Spec Location Loop-Bound Predicate Spec CPA CPA CPA CPA Dirk Beyer LMU Munich, Germany 6 / 1

  10. Predicate CPA Predicate CPA P D P = merge P stop P prec P Π P � P ( C, E P , [ [ · ] ] P ) Dirk Beyer LMU Munich, Germany 7 / 1

  11. Predicate CPA Predicate CPA P D P = merge P stop P prec P Π P � P fcover P refine P ( C, E P , [ [ · ] ] P ) Dirk Beyer LMU Munich, Germany 7 / 1

  12. Predicate CPA: Abstract Domain ◮ Abstract state: ( ψ, ϕ ) ◮ tuple of abstraction formula ψ and path formula ϕ (for ABE) ◮ conjunctions represents state space ◮ abstraction formula can be a BDD or an SMT formula ◮ path formula is always SMT formula and concrete Dirk Beyer LMU Munich, Germany 8 / 1

  13. Predicate CPA: Abstract Domain ◮ Abstract state: ( ψ, ϕ ) ◮ tuple of abstraction formula ψ and path formula ϕ (for ABE) ◮ conjunctions represents state space ◮ abstraction formula can be a BDD or an SMT formula ◮ path formula is always SMT formula and concrete ◮ Precision: set of predicates (per program location) Dirk Beyer LMU Munich, Germany 8 / 1

  14. Predicate CPA Predicate CPA P D P = merge P stop P prec P Π P � P fcover P refine P ( C, E P , [ [ · ] ] P ) Abstraction-Formula Representation BDD SMT-based Dirk Beyer LMU Munich, Germany 9 / 1

  15. Predicate CPA: CPA Operators ◮ Transfer relation: ◮ computes strongest post ◮ changes only path formula, new abstract state is ( ψ, ϕ ′ ) ◮ purely syntactic, cheap ◮ variety of encodings using different SMT theories possible (different approximations for arithmetic and heap operations) Dirk Beyer LMU Munich, Germany 10 / 1

  16. Predicate CPA: CPA Operators ◮ Transfer relation: ◮ computes strongest post ◮ changes only path formula, new abstract state is ( ψ, ϕ ′ ) ◮ purely syntactic, cheap ◮ variety of encodings using different SMT theories possible (different approximations for arithmetic and heap operations) ◮ Merge operator: ◮ standard for ABE: create disjunctions inside block Dirk Beyer LMU Munich, Germany 10 / 1

  17. Predicate CPA: CPA Operators ◮ Transfer relation: ◮ computes strongest post ◮ changes only path formula, new abstract state is ( ψ, ϕ ′ ) ◮ purely syntactic, cheap ◮ variety of encodings using different SMT theories possible (different approximations for arithmetic and heap operations) ◮ Merge operator: ◮ standard for ABE: create disjunctions inside block ◮ Stop operator: ◮ standard for ABE: check coverage only at block ends Dirk Beyer LMU Munich, Germany 10 / 1

  18. Predicate CPA: CPA Operators ◮ Transfer relation: ◮ computes strongest post ◮ changes only path formula, new abstract state is ( ψ, ϕ ′ ) ◮ purely syntactic, cheap ◮ variety of encodings using different SMT theories possible (different approximations for arithmetic and heap operations) ◮ Merge operator: ◮ standard for ABE: create disjunctions inside block ◮ Stop operator: ◮ standard for ABE: check coverage only at block ends ◮ Precision-adjustment operator: ◮ only active at block ends (as determined by blk) ◮ computes abstraction of current abstract state ◮ new abstract state is ( ψ ′ , true ) Dirk Beyer LMU Munich, Germany 10 / 1

  19. Predicate CPA Predicate CPA P D P = merge P stop P prec P Π P � P fcover P refine P ( C, E P , [ [ · ] ] P ) Abstraction-Formula Strongest Predicate blk Representation Postcondition Abstraction BDD SMT Theory blk SBE Cartesian SMT-based ABVFP blk l Boolean . . . blk lf blk never QF_UFLIRA Dirk Beyer LMU Munich, Germany 11 / 1

  20. Predicate CPA: Refinement Four steps: 1. Reconstruct ARG path to abstract error state 2. Check feasibility of path 3. Discover abstract facts, e.g., ◮ interpolants ◮ weakest precondition ◮ heuristics 4. Refine abstract model ◮ add predicates to precision, cut ARG or ◮ conjoin interpolants to abstract states, recheck coverage relation Dirk Beyer LMU Munich, Germany 12 / 1

  21. Predicate CPA Predicate CPA P D P = merge P stop P prec P Π P � P fcover P refine P ( C, E P , [ [ · ] ] P ) Abstraction-Formula Strongest Refinement Predicate Abstract blk Representation Postcondition Abstraction Facts Strategy BDD SMT Theory blk SBE Cartesian fcover id Interpolants Predicate Path SMT-based ABVFP blk l Boolean fcover Impact Impact Invariants . . . blk lf Unsat Cores Weakest blk never QF_UFLIRA Preconditions Heuristic Predicates Dirk Beyer LMU Munich, Germany 13 / 1

  22. Predicate Abstraction ◮ Predicate Abstraction ◮ [CAV’97, POPL’02, J. ACM’03, POPL’04] ◮ Abstract-interpretation technique ◮ Abstract domain constructed from a set of predicates π ◮ Use CEGAR to add predicates to π (refinement) ◮ Derive new predicates using Craig interpolation ◮ Abstraction formula as BDD Dirk Beyer LMU Munich, Germany 14 / 1

  23. Expressing Predicate Abstraction ◮ Abstraction Formulas: BDDs ◮ Block Size (blk): e.g. blk SBE or blk l or blk lf ◮ Refinement Strategy: add predicates to precision, cut ARG Use CEGAR Algorithm: 1: while true do run CPA Algorithm 2: if target state found then 3: call refine 4: if target state reachable then 5: return false 6: else 7: return true 8: Dirk Beyer LMU Munich, Germany 15 / 1

  24. Predicate CPA Predicate CPA P D P = merge P stop P prec P Π P � P fcover P refine P ( C, E P , [ [ · ] ] P ) Abstraction-Formula Strongest Refinement Predicate Abstract blk Representation Postcondition Abstraction Facts Strategy BDD SMT Theory blk SBE Cartesian fcover id Interpolants Predicate Path SMT-based ABVFP blk l Boolean fcover Impact Impact Invariants . . . blk lf Unsat Cores Weakest blk never QF_UFLIRA Preconditions Heuristic Predicates Dirk Beyer LMU Munich, Germany 16 / 1

  25. Example Program start l 2 int main () { 1 unsigned int x = 0; unsigned int x = 0; l 3 2 unsigned int y = 0; unsigned int y = 0; 3 l 4 while ( x < 2) { 4 [x < 2] x++; l 5 5 x++; [!(x != y)] y++; 6 l 6 ( x != y ) { [!(x < 2)] i f y++; 7 ERROR: 1; l 7 return 8 [x != y] } 9 l 8 } 10 l 11 ERROR: return 1; 0; return 11 return 0; } 12 l 12 Dirk Beyer LMU Munich, Germany 17 / 1

  26. Predicate CPA Predicate CPA P D P = merge P stop P prec P Π P � P fcover P refine P ( C, E P , [ [ · ] ] P ) Abstraction-Formula Strongest Refinement Predicate Abstract blk Representation Postcondition Abstraction Facts Strategy BDD SMT Theory blk SBE Cartesian fcover id Interpolants Predicate Path SMT-based ABVFP blk l Boolean fcover Impact Impact Invariants . . . blk lf Unsat Cores Weakest blk never QF_UFLIRA Preconditions Heuristic Predicates Dirk Beyer LMU Munich, Germany 18 / 1

Recommend

Model Checking and Predicate Abstrac5on CSE 501 Spring

Model Checking and Predicate Abstrac5on CSE 501 Spring

Model Checking and Predicate Abstrac5on CSE 501 Spring 15 1 With slides from Emina Torlak (507) Course Outline Sta5c analysis Language design Program

813 views • 52 slides
Hoare Logic and Model Checking Model Checking Lecture 11: Model checking for Computation Tree

Hoare Logic and Model Checking Model Checking Lecture 11: Model checking for Computation Tree

Hoare Logic and Model Checking Model Checking Lecture 11: Model checking for Computation Tree Logic Dominic Mulligan Based on previous slides by Alan Mycroft and Mike Gordon Programming, Logic, and Semantics Group University of Cambridge

402 views • 25 slides
Bounded Model Checking of MPL Systems via Predicate Abstractions FORMATS 2019 Muhammad Syifaul

Bounded Model Checking of MPL Systems via Predicate Abstractions FORMATS 2019 Muhammad Syifaul

Bounded Model Checking of MPL Systems via Predicate Abstractions FORMATS 2019 Muhammad Syifaul Mufid 1 , 3 Dieky Adzkiya 2 Alessandro Abate 1 1 Department of Computer Science, University of Oxford, UK 2 Department of Mathematics, ITS Surabaya,

1.35k views • 55 slides
SMT-based Software Model Checking: Experimental Comparison of Four Algorithms Matthias Dangl

SMT-based Software Model Checking: Experimental Comparison of Four Algorithms Matthias Dangl

SMT-based Software Model Checking: Experimental Comparison of Four Algorithms Matthias Dangl Joint work with Dirk Beyer University of Passau, Germany SMT-based Software Model Checking Bounded Model Checking ( Cbmc , CPAchecker , Esbmc ,

496 views • 26 slides
Bounded Model Checking bmc Revision: 1.11 1 [BiereCimattiClarkeZhu99] uses SAT for model

Bounded Model Checking bmc Revision: 1.11 1 [BiereCimattiClarkeZhu99] uses SAT for model

Bounded Model Checking bmc Revision: 1.11 1 [BiereCimattiClarkeZhu99] uses SAT for model checking historically not the first symbolic model checking approach scales better than original BDD based techniques mostly incomplete in

521 views • 28 slides
Statistical Statistical Statistical Model Statistical Model Model Checking Model Checking

Statistical Statistical Statistical Model Statistical Model Model Checking Model Checking

Statistical Statistical Statistical Model Statistical Model Model Checking Model Checking Checking Checking for Timed Automata Timed Automata Coll C l C ll b llabora orators: t ors: Peter Bulychev, Alexandre David Axel Legay, Marius

725 views • 59 slides
Hoare Logic and Model Checking Model Checking Lecture 7: Introduction and background Dominic

Hoare Logic and Model Checking Model Checking Lecture 7: Introduction and background Dominic

Hoare Logic and Model Checking Model Checking Lecture 7: Introduction and background Dominic Mulligan Based on previous slides by Alan Mycroft and Mike Gordon Programming, Logic, and Semantics Group, University of Cambridge Academic year

972 views • 41 slides
Hoare Logic and Model Checking Model Checking Lecture 10: Computation Tree Logic (CTL) Dominic

Hoare Logic and Model Checking Model Checking Lecture 10: Computation Tree Logic (CTL) Dominic

Hoare Logic and Model Checking Model Checking Lecture 10: Computation Tree Logic (CTL) Dominic Mulligan Based on previous slides by Alan Mycroft and Mike Gordon Programming, Logic, and Semantics Group University of Cambridge Academic year

1.15k views • 48 slides
A Conceptual Model and Predicate Language for Data Selection and Projection Based on Provenance

A Conceptual Model and Predicate Language for Data Selection and Projection Based on Provenance

A Conceptual Model and Predicate Language for Data Selection and Projection Based on Provenance David W. Archer and Lois M. L. Delcambre Department of Computer Science Portland State University 1 Topics Motivation Conceptual Model

866 views • 28 slides
Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on

Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on

Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on slides developed by Natasha Sharygina 17-654/17-754: Analysis of Software Artifacts Spring 2006 1 CTL Model Checking AG (Start AF Heat)

307 views • 20 slides
CTL Chapter 6 Part 2 Overview Review CTL Model Checking CTL model Checking algorithms

CTL Chapter 6 Part 2 Overview Review CTL Model Checking CTL model Checking algorithms

CTL Chapter 6 Part 2 Overview Review CTL Model Checking CTL model Checking algorithms for ( U ) Counter Examples and witnesses Symbolic Model Checking (Thursday) Binary Decision Trees

740 views • 40 slides
Improved Algorithms for the Automata-based Approach to Model-Checking L. Doyen (EPFL) and J.-F.

Improved Algorithms for the Automata-based Approach to Model-Checking L. Doyen (EPFL) and J.-F.

Improved Algorithms for the Automata-based Approach to Model-Checking L. Doyen (EPFL) and J.-F. Raskin (ULB) TACAS 2007 Braga - Portugal March 28, 2007 Automata-based approach to model-checking Programs and properties are formalized as

812 views • 52 slides
Predicate Abstraction with SATABS Existential Abstraction Predicate Abstraction for Software

Predicate Abstraction with SATABS Existential Abstraction Predicate Abstraction for Software

Outline Introduction Predicate Abstraction with SATABS Existential Abstraction Predicate Abstraction for Software Counterexample-Guided Abstraction Refinement Computing Existential Abstractions of Programs Version 1.0, 2010 Checking the

429 views • 12 slides
Hoare Logic and Model Checking Model Checking But perhaps theres a clever way of

Hoare Logic and Model Checking Model Checking But perhaps theres a clever way of

Hoare Logic and Model Checking Model Checking But perhaps theres a clever way of compiling one into the other? Both have very different models of time How do they compare? We have seen two widely used temporal logics Relative

510 views • 10 slides
Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on

Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on

Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on slides developed by Natasha Sharygina 17-654/17-754: Analysis of Software Artifacts Spring 2006 1 Formal Verification by Model Checking Domain:

380 views • 13 slides
Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on

Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on

Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on slides developed by Natasha Sharygina 15-413: Introduction to Software Engineering Fall 2005 3 Formal Verification by Model Checking Domain:

289 views • 24 slides
Hoare Logic and Model Checking 1. You should be able to model simple systems in NuSMV, an LTL

Hoare Logic and Model Checking 1. You should be able to model simple systems in NuSMV, an LTL

Hoare Logic and Model Checking 1. You should be able to model simple systems in NuSMV, an LTL Other interesting books: Model Checking by Clarke, Grumberg, and Peled Principles of Model Checking by Baier and Katoen 3 Course

636 views • 11 slides
Kind-AI: When abstract interpretation and SMT-based model-checking meet Pierre-Loc Garoche

Kind-AI: When abstract interpretation and SMT-based model-checking meet Pierre-Loc Garoche

Kind-AI: When abstract interpretation and SMT-based model-checking meet Pierre-Loc Garoche Onera U. of Iowa joint work with T. Kashai and C. Tinelli 04/13/2012 Kind-AI: When abstract interpretation and SMT-based model-checking meet -

652 views • 53 slides
SMT-Based Bounded Model Checking for Embedded ANSI-C Software for Embedded ANSI-C Software

SMT-Based Bounded Model Checking for Embedded ANSI-C Software for Embedded ANSI-C Software

SMT-Based Bounded Model Checking for Embedded ANSI-C Software for Embedded ANSI-C Software Lucas Cordeiro, Bernd Fischer, Joao Marques-Silva b.fischer@ecs.soton.ac.uk Bounded Model Checking (BMC) Basic Idea: check negation of given property

957 views • 33 slides
JPF2: Predicate Abstraction CS 510 / 10 Predicate Abstraction Extract a finite state model from

JPF2: Predicate Abstraction CS 510 / 10 Predicate Abstraction Extract a finite state model from

JPF2: Predicate Abstraction CS 510 / 10 Predicate Abstraction Extract a finite state model from an infinite state system Used to prove assertions or safety properties Successfully applied for verification of C programs SLAM (used in windows

543 views • 42 slides
Software Model Checking Using Bogor Software Model Checking Using Bogor a Modular and

Software Model Checking Using Bogor Software Model Checking Using Bogor a Modular and

Software Model Checking Using Bogor Software Model Checking Using Bogor a Modular and Extensible Model Checking Framework a Modular and Extensible Model Checking Framework 3rd Estonian Summer School in Computer and System Science

777 views • 31 slides
Software Model Checking Using Bogor Software Model Checking Using Bogor a Modular and

Software Model Checking Using Bogor Software Model Checking Using Bogor a Modular and

Software Model Checking Using Bogor Software Model Checking Using Bogor a Modular and Extensible Model Checking Framework a Modular and Extensible Model Checking Framework 3rd Estonian Summer School in Computer and System Science

301 views • 8 slides
Software Model Checking Using Bogor Software Model Checking Using Bogor a Modular and

Software Model Checking Using Bogor Software Model Checking Using Bogor a Modular and

Software Model Checking Using Bogor Software Model Checking Using Bogor a Modular and Extensible Model Checking Framework a Modular and Extensible Model Checking Framework 3rd Estonian Summer School in Computer and System Science

628 views • 34 slides
Modeling and Analyzing Concurrent Systems using Model Checking Robert B. France 1 What is

Modeling and Analyzing Concurrent Systems using Model Checking Robert B. France 1 What is

Modeling and Analyzing Concurrent Systems using Model Checking Robert B. France 1 What is Model Checking? Model checking is an automated technique that, given a finite-state model of a system and a logical property , systematically

484 views • 36 slides

More recommend