Software Verification with Abstraction-Based...

1Budapest University of Technology and EconomicsDepartment of Measurement and Information Systems

Software Verification withAbstraction-Based Methods

Ákos HajduPhD student

Department of Measurement and Information Systems, Budapest University of Technology and Economics

MTA-BME Lendület Cyber-Physical Systems Research Group

Electrical and Computer Engineering Department, McGill University

2

Background

3

Background – Formal Verification

Formal verification

o Prove or disprove the correctness of a system with respect to a formal property (specification) relyingon sound mathematical basis

Model checking

o Exhaustively enumerate the possible states and transitions (the state space) of the system andcheck if it meets the property

4

Background – Model Checking

Model checking in general

Formal model

Formalized property

Model checking algorithm

Ok Counterexample

Real-life system

An algorithm, a software, a protocol,

a circuit, …

Automata, formulas, state

machines, …

Assertions, temporal logic, reference

automata, …

Explicit, symbolic, abstraction, …

5

Background – Model Checking

This talk: focus on software and abstraction

Formal model

Formalized property

Model checking algorithm

Ok Counterexample

Real-life system

Source code

Control Flow Automata

Assertions

Abstraction + CEGAR

Violating execution

6

Background – Model and Property

Control-Flow Automaton

o Set of control locations (PC)

o Set of edges with operationsover a set of variables• E.g., guard, assignment …

Typical property: “error” location should not be reachable

x : int0: x = 01: while (x < 5) {2: x = x + 1

}3: assert (x <= 5)

7

Background – States and Transitions

State: location + valuation of variables (L, x1, x2, …, xn)

Transition: operations

Problem: state space explosion caused by data variableso E.g., 10 locations and 2 integers: 10·232·232 possible states

Goal: reduce the state space representation by abstraction

8

Counterexample-GuidedAbstraction Refinement (CEGAR)

9

CEGAR – Introduction

Concrete state space Abstraction Abstract state space

Abstract counterexampleSpurious counterexampleRefined state space

Init

Check

OK

Concretize

Counterexample

Refine

Model,property

Abstraction

Property holds

Abstract counterexConcrete

StateTransition

Error state

Abstract state

Over-approximation

10

ConcretizeCheck

OK Counterexample

Refine

Property holds

Abstract counterexConcrete

CEGAR – Initial Abstraction Predicate abstraction

o Track predicates instead of concrete values

o |P| predicates 2|P| possible abstract states

o Label of a state: predicates, e.g. ¬(x > y) Ʌ (y = 3)

(x > y) ¬(x > y)

(y = 3)(x=1, y=3)(x=2, y=3)(x=3, y=3)

¬(y = 3)(x=2, y=1)(x=3, y=1)(x=3, y=2)

(x=1, y=1)(x=1, y=2)(x=2, y=2)

Variables:x, y; Dx = Dy = {1, 2, 3}Predicates:

(x > y), (y = 3)

Init

Model,property

Abstraction

11

Refine

Counterexample

ConcreteConcretizeAbstract counterex

OKProperty holds

Check

CEGAR – Initial Abstraction Explicit value abstraction

o Partition variables: visible / invisible

o Track values for visible variables only

o Label of a state: assignment, e.g. (x = 1) Ʌ (y = 2)

Variables: x, y, zDx = {0, 1} , Dy = {0, 1, 2}, Dz = {0, 1}Visible = {x, y}

x=0 x=1

y=0(x=0, y=0, z=0)(x=0, y=0, z=1)

(x=1, y=0, z=0)(x=1, y=0, z=1)

y=1(x=0, y=1, z=0)(x=0, y=1, z=1)

(x=1, y=1, z=0)(x=1, y=1, z=1)

y=2(x=0, y=2, z=0)(x=0, y=2, z=1)

(x=1, y=2, z=0)(x=1, y=2, z=1)

Init

Model,property

Abstraction

12

Refine

Counterexample

ConcreteConcretize

Init

Model,property

CEGAR – Model Checking

Traverse abstract state space

o Search strategy

Search for error state

Optimizations

o On-the-fly

o Incremental

Check

OK

Abstraction

Property holds

Abstract counterex

13

Refine

OKProperty holds

CheckAbstraction

Init

Model,property

CEGAR – Concretization

Traverse subset of concrete state space

o Concretizable counterexample

o Spurious counterexample• Failure state (Sf)

o Use SMT solver, e.g. Microsoft Z3• S1 Ʌ T1 Ʌ S2 Ʌ T2 Ʌ … Ʌ Tn-1 Ʌ Sn

sf

Concretize

Counterexample

Abstract counterexConcrete

S1 S2 S3 S4T1 T2 T3

14

Counterexample

ConcreteConcretizeAbstract counterex

OKProperty holds

CheckAbstraction

Init

Model,property

CEGAR – Abstraction Refinement

Classify states mapped to the failure state

o D = Dead-end: reachable

o B = Bad: transition to next state

o IR = Irrelevant: others

Goal: finer abstraction mapping D and B to separateabstract states

o SMT solver: interpolation formula φ

o Use φ as predicate or extract its variables

Refine

φ

¬φ

sf

15

CEGAR – Summary

CEGAR is a general concept

o Explore abstract state space

o Refine abstraction if needed

Many variants exist (for various formal models)

o Abstract domains, e.g., predicates, explicit values, zones

o Refinement strategies, e.g., interpolation, unsat cores

o Exploration strategies, e.g., BFS, DFS

Counterexample

ConcreteConcretizeAbstract counterex

OKProperty holds

CheckAbstraction

Init

Model,property

Refine

16

Research Questions

Integrate variants into common framework? Combine?o Theta Verification Framework. http://theta.inf.mit.bme.hu

o A configurable CEGAR framework with interpolation-based refinements. Ákos Hajdu, Tamás Tóth, András Vörös, and István Majzik. FORTE 2016, vol. 9688 of LNCS.

Which variants perform well for given verification tasks? o Exploratory analysis of the performance of a configurable CEGAR framework. Ákos

Hajdu and Zoltán Micskei. PhD Mini-Symposium 2017, BME DMIS.

o Towards evaluating size reduction techniques for software model checking. GyulaSallai, Ákos Hajdu, Tamás Tóth, and Zoltán Micskei. VPT 2017. (Accepted)

Domain specific CEGAR variants?o Exploiting hierarchy in the abstraction-based verification of statecharts using SMT

solvers. Bence Czipó, Ákos Hajdu, Tamás Tóth, and István Majzik. FESCA 2017, vol. 245 of EPTCS.

o New search strategies for the Petri net CEGAR approach. Ákos Hajdu, András Vörös, and Tamás Bartha. ICATPN 2015, vol. 9115 of LNCS.

http://home.mit.bme.hu/~hajdua/publications

17

Theta Verification Framework

18

Theta Verification Framework

ΘTheta

Generic

Various kinds offormal models

Modular

Reusable and combinable modules

Configurable

Different algorithms and strategies

http://theta.inf.mit.bme.hu

19

Formal models and language front-ends

Theta Verification Framework

Architecture

Transition systems Control Flow Automata Timed Automata

C source code UPPAAL XTAAIGER PLC

Verification back-end

SMT solver interface

Abstract domain

Interpreter

States + transitions

CEGAR loop

Abstractor Refiner

20

Theta Verification Framework

Configurability

Abstract domain• Predicate• Explicit value• Zone• Location• Composition

Refinement strategy• Binary interp. forw.• Binary interp. backw.• Sequence interp.• Unsat core

Search strategy• BFS• DFS

Initial precision• Empty• Property-based

Precision granularity• Constant• Location-based

Predicate split• Atoms• Conjuncts• Whole

21

Theta Verification Framework

Evaluation

o Really diverse results

o Current research: data analysis & heuristics

22

Conclusions

23

Conclusions

Formal verification

o Formal model + property

o Model checking

Abstraction-based methods

o CEGAR

Theta Framework

o Generic, modular, configurable

o Evaluation

hajdua@mit.bme.huinf.mit.bme.hu/en/members/hajdua

Formal model

Formalized property

Model checking algorithm

Ok Counterexample

Real-life system

Formalisms and language front-ends

Transition systems Control Flow Automata Timed Automata

C source code UPPAAL XTAAIGER PLC

Analysis back-end

SMT solver interface

Abstract domain

Interpreter

CEGAR loop

Abstractor Refiner