Ultimate Referee, Ultimate Automizer, and Incremental Verification
Matthias Heizmann, University of Freiburg
CPAchecker Workshop 2019
Outline
◮ Running Example and Floyd-Hoare Annotations
◮ Ultimate Referee: a strict proof checker
◮ Trace Abstraction: the verification approach of Ultimate Automizer
◮ Incremental Verification using Trace Abstraction
Running Example and Floyd-Hoare Annotation

Pseudocode of the running example, with the program locations ℓ0 to ℓ5 of the control flow graph as labels (ℓ5 is the exit location):

    ℓ0: assume p != 0;
    ℓ1: while (n >= 0) {
    ℓ2:   assert p != 0;
          if (n == 0) {
    ℓ3:     p := 0;
          }
    ℓ4:   n--;
        }
    ℓ5:

Control flow graph (edges labeled with statements): ℓ0 --p != 0--> ℓ1, ℓ1 --n < 0--> ℓ5, ℓ1 --n >= 0--> ℓ2, ℓ2 --p == 0--> ℓerr, ℓ2 --n == 0--> ℓ3, ℓ2 --n != 0--> ℓ4, ℓ3 --p := 0--> ℓ4, ℓ4 --(n--)--> ℓ1.
Running Example and Floyd-Hoare Annotation

Definition: {ϕ} st {ϕ′} is a valid Hoare triple iff, whenever the program is in a state that satisfies ϕ and executes st, it ends in a state that satisfies ϕ′.

Example: {p ≠ 0 ∨ n = −1} n >= 0 {p ≠ 0} is a valid Hoare triple (the guard n >= 0 blocks every state with n = −1, so only states with p ≠ 0 pass it).
Running Example and Floyd-Hoare Annotation

Definition: A Floyd-Hoare annotation is a mapping that assigns each location ℓi a formula ϕi such that there is an edge ℓi --st--> ℓj only if the Hoare triple {ϕi} st {ϕj} is valid.

Annotation of the running example shown on the control flow graph: ℓ0: true, ℓ1: p ≠ 0 ∨ n = −1, ℓ2: p ≠ 0, ℓ3: n = 0, ℓ4: p ≠ 0 ∨ n = 0, ℓ5: true, ℓerr: false.

Proposition: Given a program P, if there is a Floyd-Hoare annotation such that
◮ every initial location is labeled with true and
◮ every error location is labeled with false,
then P is correct.
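To make the two definitions concrete, here is an added example (my code, not from the slides or from Ultimate): an executable semantics for the eight statements of the running example and a check that every edge of the control flow graph yields a valid Hoare triple under the annotation above. It assumes a small integer range for p and n, so it is a sanity check of the definition rather than a proof; a verifier discharges such triples with an SMT solver.

```python
from itertools import product

def execute(stmt, p, n):
    """Post-state of one statement of the running example, or None if a guard blocks."""
    guards = {"p != 0": p != 0, "p == 0": p == 0, "n >= 0": n >= 0,
              "n < 0": n < 0, "n == 0": n == 0, "n != 0": n != 0}
    if stmt in guards:
        return (p, n) if guards[stmt] else None
    if stmt == "p := 0":
        return (0, n)
    if stmt == "n--":
        return (p, n - 1)
    raise ValueError(stmt)

def hoare_triple_holds(pre, stmt, post, bound=4):
    """{pre} stmt {post}: every state satisfying pre that executes stmt ends in a
    state satisfying post. Checked only for p, n in [-bound, bound] (assumption)."""
    for p, n in product(range(-bound, bound + 1), repeat=2):
        if pre(p, n):
            result = execute(stmt, p, n)
            if result is not None and not post(*result):
                return False
    return True

# The Floyd-Hoare annotation of the slide, one formula per location.
ANNOTATION = {
    "l0": lambda p, n: True,
    "l1": lambda p, n: p != 0 or n == -1,
    "l2": lambda p, n: p != 0,
    "l3": lambda p, n: n == 0,
    "l4": lambda p, n: p != 0 or n == 0,
    "l5": lambda p, n: True,
    "lerr": lambda p, n: False,
}
# Control flow graph of the running example as (source, statement, target).
CFG_EDGES = [("l0", "p != 0", "l1"), ("l1", "n < 0", "l5"), ("l1", "n >= 0", "l2"),
             ("l2", "p == 0", "lerr"), ("l2", "n == 0", "l3"), ("l2", "n != 0", "l4"),
             ("l3", "p := 0", "l4"), ("l4", "n--", "l1")]

def annotation_is_inductive(annotation, edges):
    """Every edge l_i --st--> l_j must give a valid triple {phi_i} st {phi_j}."""
    return all(hoare_triple_holds(annotation[s], st, annotation[t]) for s, st, t in edges)
```

Weakening ℓ1 to true makes the check fail on the edge ℓ1 --n >= 0--> ℓ2, which is exactly why the annotation needs the disjunct n = −1 there.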
Ultimate Referee: a strict proof checker
Correctness Witnesses: control-flow graph annotated by invariants
◮ not required to annotate every location
◮ invariants do not have to be inductive
◮ invariants do not have to be sufficient

Shortcomings of Ultimate Automizer as witness validator
◮ Different tools have different notions of a control-flow graph; we cannot always match invariants to the intended location.
Obstacles
◮ procedure entry values
◮ valid memory
◮ programs with gotos
Trace Abstraction: the verification approach of Ultimate Automizer
Trace Abstraction
◮ Matthias Heizmann, Jochen Hoenicke, and Andreas Podelski. "Refinement of Trace Abstraction". In: SAS. Vol. 5673. Lecture Notes in Computer Science. Springer, 2009, pp. 69–85.
◮ Matthias Heizmann, Jochen Hoenicke, and Andreas Podelski. "Nested Interpolants". In: POPL. ACM, 2010, pp. 471–482.
◮ Matthias Heizmann, Jochen Hoenicke, and Andreas Podelski. "Software Model Checking for People Who Love Automata". In: CAV. Vol. 8044. Lecture Notes in Computer Science. Springer, 2013, pp. 36–52.
Trace Abstraction: Basic Notions
◮ trace: sequence of statements
◮ error trace: labeling along a path from an initial location to an error location
◮ infeasible trace: trace π such that the Hoare triple {true} π {false} is valid

Examples (program P is the running example):

                          infeasible                 feasible
    error trace of P      p != 0, n >= 0, p == 0     ?
    not error trace of P  n == 0, n--, n == 0        n >= 0, n--, n == 0
Trace Abstraction: Approach
Show that every error trace is infeasible. Decompose the infeasible error traces into sets such that there is a "simple" infeasibility proof for each set. For the running example, two reasons suffice:
◮ Reason 1: If we assume that p is not 0 and do not modify p, then p cannot be 0.
◮ Reason 2: If we assume that n is 0 and we decrement n, then n cannot be non-negative.
Trace Abstraction: Technical Implementation
Implementation based on automata theory. The set of statements is the alphabet of a formal language; here Σ = { p != 0, n >= 0, n == 0, p := 0, n != 0, p == 0, n--, n < 0 }.
◮ Set of traces: automaton over the alphabet of statements
◮ Control flow graph: automaton over the alphabet of statements
◮ Error location: accepting state of this automaton
◮ Error trace of program: word accepted by this automaton
Trace Abstraction: Example
Pseudocode and control flow graph of the running example, with the error trace p != 0, n >= 0, p == 0 (ℓ0 to ℓ1 to ℓ2 to ℓerr) highlighted.
Trace Abstraction: Example
1. take trace π1 = p != 0, n >= 0, p == 0
2. consider the trace as program A1:

       1: assume p != 0;
       2: assume n >= 0;
       3: assert p != 0;

3. analyze correctness of A1: the locations along the trace are annotated true, p ≠ 0, p ≠ 0, false (true before p != 0, p ≠ 0 after it, still p ≠ 0 after n >= 0, false after p == 0).
4. generalize program A1
   ◮ add transitions: self-loops at the locations labeled p ≠ 0, each justified by a valid Hoare triple:
       {p ≠ 0} n-- {p ≠ 0} is a valid Hoare triple
       {p ≠ 0} n != 0 {p ≠ 0} is a valid Hoare triple
       {p ≠ 0} n >= 0 {p ≠ 0} is a valid Hoare triple
     In general every statement except p := 0 ("all \ {p := 0}") can be added there, and every statement ("all") can be added at the locations labeled true and false.
   ◮ merge locations: the result is the automaton A1 with states q0 (true), q1 (p ≠ 0) and q2 (false) and transitions q0 --Σ--> q0, q0 --p != 0--> q1, q1 --Σ \ {p := 0}--> q1, q1 --p == 0--> q2, q2 --Σ--> q2; q2 is the accepting state.
Trace Abstraction: Example
Program P (the control flow graph of the running example, error location ℓerr) next to program A1 (the automaton with states q0, q1, q2 constructed above). Consider P and A1 as automata and construct the set-theoretic difference L(P) \ L(A1): the error traces of P that A1 does not yet prove infeasible. Is it empty?
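The question on the last slides, worked through as an added example (my code, not Ultimate's): P and A1 encoded as automata over Σ, a breadth-first search over their product (determinizing the proof automata on the fly) that returns the shortest word in L(P) \ L(A1), and a second proof automaton A2 that I constructed for Reason 2 (n == 0, then n--, then n >= 0; an assumption, it is not on the slides), after which the difference is empty.

```python
from collections import deque

SIGMA = {"p != 0", "n >= 0", "n == 0", "p := 0", "n != 0", "p == 0", "n--", "n < 0"}
# An automaton is (initial state, list of (source, statement, target), accepting states).
# P is the control flow graph of the running example; the error location is accepting.
P = ("l0", [("l0", "p != 0", "l1"), ("l1", "n < 0", "l5"), ("l1", "n >= 0", "l2"),
            ("l2", "p == 0", "lerr"), ("l2", "n == 0", "l3"), ("l2", "n != 0", "l4"),
            ("l3", "p := 0", "l4"), ("l4", "n--", "l1")], {"lerr"})

def loops(state, letters):
    return [(state, a, state) for a in sorted(letters)]

# A1 as on the slides (reason 1): q0 -> q1 on p != 0, q1 keeps p != 0 under every
# statement except p := 0, q1 -> q2 on p == 0; q0 and q2 loop on all of Sigma.
A1 = ("q0", loops("q0", SIGMA) + [("q0", "p != 0", "q1")]
      + loops("q1", SIGMA - {"p := 0"}) + [("q1", "p == 0", "q2")]
      + loops("q2", SIGMA), {"q2"})
# A2 is an assumed, analogous automaton for reason 2: r1 stands for n = 0 and r2 for
# n = -1; only n-- changes n, so every other statement loops at r1 and r2.
A2 = ("r0", loops("r0", SIGMA) + [("r0", "n == 0", "r1")]
      + loops("r1", SIGMA - {"n--"}) + [("r1", "n--", "r2")]
      + loops("r2", SIGMA - {"n--"}) + [("r2", "n >= 0", "r3")]
      + loops("r3", SIGMA), {"r3"})

def difference_witness(prog, proofs):
    """Breadth-first search over the product of P with the (on-the-fly determinized)
    proof automata. Returns the shortest error trace of P that no proof automaton
    accepts, i.e. a word in L(P) minus the union of the L(A_i), or None if empty."""
    init, edges, accept = prog

    def post(states, auto, letter):
        return frozenset(t for s, l, t in auto[1] if s in states and l == letter)

    start = (init, tuple(frozenset([a[0]]) for a in proofs))
    pred, queue = {start: None}, deque([start])
    while queue:
        node = queue.popleft()
        loc, subsets = node
        # Accepting in the difference: error location of P and rejected by every A_i.
        if loc in accept and not any(s & a[2] for s, a in zip(subsets, proofs)):
            trace = []
            while pred[node] is not None:
                node, letter = pred[node]
                trace.append(letter)
            return trace[::-1]
        for src, letter, tgt in edges:
            if src == loc:
                nxt = (tgt, tuple(post(s, a, letter) for s, a in zip(subsets, proofs)))
                if nxt not in pred:
                    pred[nxt] = (node, letter)
                    queue.append(nxt)
    return None
```

With no proof automaton the search returns π1; after subtracting A1 the only remaining kind of error trace passes through p := 0 and is refuted by Reason 2, and after subtracting A2 as well the difference is empty, so every error trace of P is infeasible.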