Using Statically Computed Invariants Inside the Predicate
Abstraction and Refinement Loop
Himanshu Jain
Franjo Ivančić
Aarti Gupta
Ilya Shlyakhter
Chao Wang
Introduction
Predicate abstraction
Abstracts data by keeping track of certain predicates
Each predicate given a Boolean variable in abstract model
Counterexample Guided Abstraction and Refinement Loop (CEGAR)
[Figure: the F-Soft CEGAR loop. Inputs: C programs and a property monitor. Stages: static analysis, predicate abstraction, model check, analysis & refinement. Outcomes: discovered bug in software, or certified code.]
Bottlenecks in CEGAR loop
Computing predicate relationships is expensive
Over-approximation leads to refinement iterations
Finding right predicates not always possible
An example
1: x = 100;
2: y = 100;
3: while (x != 0) {
4:   x = x - 1;
5:   y = y - 1;
6: }
7: if (y != 0)
8:   ERROR:;
Weakest pre-condition based refinement discovers the predicates x=0, y=0; x=1, y=1; ...; x=100, y=100
Split theorem prover (Jhala, McMillan [TACAS 2006]) discovers x = y
We will discover x = y as an invariant of the C program
Our approach
Use efficiently computable invariants in CEGAR loop
Invariants generated by abstract domains
Octagon: ±x ± y ≤ c
Polyhedra: a1 x1 ± a2 x2 ± ... ± an xn ≤ c
Numerous others in ASTRÉE-like static analyzers
Combination of abstraction techniques
This work: CEGAR loop + Invariants
[Figure: the same F-Soft CEGAR loop (C programs and property monitor; static analysis, predicate abstraction, model check, analysis & refinement; discovered bug in software or certified code), extended with invariants from abstract domains.]
1. More precise abstractions
2. Fewer refinement iterations
3. Fewer predicates
4. Avoid some convergence problems
Related work
Idea of using invariants during abstraction: Bensalem et al. [CAV 1998], Colón et al. [CAV 1998], Saïdi et al. [ASE 1999]
Path sensitive data flow analysis: Fischer et al. [FSE 2005]
Outline
Introduction
Using Invariants in abstraction-refinement loop
Invariant generation
Invariant selection
Experimental results
Abstraction
1: if (x > y) {
2: y = y + 1;
...
5: z = y;
...
10: if (x < z)
11: ERROR:;
12:}
Abstracting the C program with no predicates available currently gives:
1: if (*) {
2: skip;
...
5: skip;
...
10: if (*)
11: ERROR:;
12:}
Abstract model
Checking the abstract model
Is ERROR reachable?
yes
Abstract model has a
path leading to error state
Concretization of abstract counterexample
Concrete trace
1: assume (x > y)
2: y = y + 1;
...
5: z = y;
...
10:assume (x < z)
11:
12:
Simulation: does this abstract counterexample correspond to a real bug?
Spurious trace: the concrete trace is a spurious counterexample
Refinement
Spurious Counterexample
Localization of predicates [Jhala et al., POPL 2004], [Jain et al., TACAS 2005]
Predicates obtained by propagating the guard x < z backward along the trace (line 10 to line 1):
x < z
x < y
x < y + 1
x < y + 1, x > y
1: assume (x > y)
2: y = y + 1;
...
5: z = y;
...
10:assume (x < z)
Refinement
Spurious Counterexample: need to track the value of at least one predicate from locations 1 to 10
Using invariants
1: if (x > y) {
2: y = y + 1;
...
5: z = y;
...
10: if (x < z)
11: ERROR:;
12:}
Two-variable invariants computed at each location of the C program:
1:
2:   x > y
...: x ≥ y
5:   x ≥ y
...: x ≥ y, y = z, x ≥ z
10:  x ≥ y, y = z, x ≥ z
Using invariants during simulation
The spurious counterexample simulated with the two-variable invariants:
1:  assume (x > y)
2:  y = y + 1;           invariant: x > y
...
5:  z = y;               invariant: x ≥ y
...
10: assume (x < z)       invariants: x ≥ y, y = z, x ≥ z   -> infeasible (x ≥ z holds here)
Refinement procedure only needs to look at the infeasible trace
What has happened so far
Spurious counterexample; invariant at PC=10: x ≥ z
New abstract model with Boolean variable b : x < z, strengthened with (PC=10) → ¬b:
1: if (*) {
2: skip;
...
5: skip;
...
10: if (b)
11: ERROR:;
Strengthened transition relation
Let T_b(V, V') denote the transition relation of basic block b
Let I_b(V) denote the invariants that hold at b
ST_b(V, V') := T_b(V, V') ∧ I_b(V)
Replace T_b(V, V') by ST_b(V, V') in the CEGAR loop
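As an added example (not from the slides or from F-Soft), the strengthening ST_b = T_b ∧ I_b carried out at location 10 of the trace above: every invariant and assume condition there has the form x op y, which the example encodes as integer difference constraints u - v ≤ c and decides with a negative-cycle check, a restriction of the octagon domain that suffices for this trace. The names parse, feasible, step_feasible and INVARIANTS_AT_10 are the example's own.

```python
import re
from typing import Dict, List, Tuple

INF = float("inf")
# A difference constraint (u, v, c) stands for  u - v <= c  over the integers.
Constraint = Tuple[str, str, int]

def parse(relation: str) -> List[Constraint]:
    """Turn a two-variable relation such as 'x >= y', 'y = z' or 'x < z'
    into equivalent difference constraints (every invariant and assume
    condition in the slides' trace has this shape)."""
    m = re.fullmatch(r"\s*(\w+)\s*(>=|<=|=|<|>)\s*(\w+)\s*", relation)
    if not m:
        raise ValueError(f"unsupported relation: {relation!r}")
    a, op, b = m.groups()
    return {
        "<=": [(a, b, 0)],
        ">=": [(b, a, 0)],
        "=":  [(a, b, 0), (b, a, 0)],
        "<":  [(a, b, -1)],  # over integers, a < b  iff  a - b <= -1
        ">":  [(b, a, -1)],
    }[op]

def feasible(constraints: List[Constraint]) -> bool:
    """Satisfiability of a conjunction of difference constraints: encode
    u - v <= c as an edge v -> u of weight c, run Floyd-Warshall, and
    report infeasible iff some variable lies on a negative cycle."""
    names = sorted({n for u, v, _ in constraints for n in (u, v)})
    dist: Dict[str, Dict[str, float]] = {
        a: {b: (0 if a == b else INF) for b in names} for a in names}
    for u, v, c in constraints:
        dist[v][u] = min(dist[v][u], c)
    for k in names:
        for i in names:
            for j in names:
                if dist[i][k] + dist[k][j] < dist[i][j]:
                    dist[i][j] = dist[i][k] + dist[k][j]
    return all(dist[n][n] >= 0 for n in names)

def step_feasible(assume_cond: str, invariants: List[str]) -> bool:
    """ST_b = T_b ∧ I_b for an assume block: the guard T_b survives only if
    it is consistent with the invariants I_b that static analysis proved."""
    conj = parse(assume_cond)
    for inv in invariants:
        conj = conj + parse(inv)
    return feasible(conj)

# Location 10 of the slides' trace: T_b is assume(x < z), I_b the octagon invariants there.
INVARIANTS_AT_10 = ["x >= y", "y = z", "x >= z"]
```

Without the invariants the guard x < z alone is satisfiable, so the refinement step would have to examine the whole trace; with I_10 conjoined the step is infeasible and refinement can stop at location 10.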
Invariant generation
Octagon abstract domain: ±x ± y ≤ c
Due to Antoine Miné
Successfully used in the ASTRÉE static analyzer
Captures commonly occurring variable relationships
Array bound accesses
More expressive abstract domains can be used
Eagerly: before the CEGAR loop starts
Lazily: on-demand as needed by refinement
Octagon packing
Octagon relationships between n variables
Time per transfer function: O(n^3)
Memory cost per program location: O(n^2)
[Figure: variables x1, x2, ..., x1000 partitioned into small groups, each forming an octagon pack]
Basic block based packing: variables appearing in a basic block; #octagon packs proportional to #basic blocks
Control flow based packing: associate an octagon pack with each condition (cone of influence computation); #octagon packs proportional to #conditions
Invariant selection
Use fewer invariants for additional/quicker pruning
Avoid overhead in decision procedure calls
Given ERROR label E and basic block b,
needed(b, E): variables that need to be tracked at b
Use invariant I at b iff vars(I) ⊆ needed(b, E)
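An added example, not from the slides: needed(b, E) computed as a backward dependency pass over the spurious trace (the slides define the set but not how it is obtained; a cone-of-influence slice, as in control flow based packing, is the assumption made here), followed by the selection rule vars(I) ⊆ needed(b, E) applied to the invariants listed earlier. The names vars_of, needed_sets, select_invariants, TRACE and INVARIANTS are the example's own.

```python
import re
from typing import Dict, List, Set

def vars_of(expr: str) -> Set[str]:
    """Variable names in a C-like expression (numeric constants dropped)."""
    return set(re.findall(r"[A-Za-z_]\w*", expr))

def needed_sets(trace: List[tuple]) -> Dict[int, Set[str]]:
    """needed(b, E) for every block b of a trace that ends at ERROR label E,
    computed as a backward dependency (cone-of-influence) pass: the variables
    of a guard are needed where it is evaluated, and an assignment to a
    needed variable passes the need on to the variables it reads."""
    needed: Set[str] = set()
    result: Dict[int, Set[str]] = {}
    for pc, kind, *operands in reversed(trace):
        if kind == "assume":
            needed = needed | vars_of(operands[0])
        else:  # "assign": operands are (lhs, rhs)
            lhs, rhs = operands
            if lhs in needed:
                needed = (needed - {lhs}) | vars_of(rhs)
        result[pc] = set(needed)
    return result

def select_invariants(trace: List[tuple],
                      invariants: Dict[int, List[str]]) -> Dict[int, List[str]]:
    """Keep invariant I at block b iff vars(I) is a subset of needed(b, E)."""
    needed = needed_sets(trace)
    return {pc: [inv for inv in invs if vars_of(inv) <= needed.get(pc, set())]
            for pc, invs in invariants.items()}

# The slides' spurious counterexample as (pc, kind, operands...) tuples.
TRACE = [
    (1, "assume", "x > y"),
    (2, "assign", "y", "y + 1"),
    (5, "assign", "z", "y"),
    (10, "assume", "x < z"),
]
# The two-variable invariants the slides list at locations 2, 5 and 10.
INVARIANTS = {2: ["x > y"], 5: ["x >= y"], 10: ["x >= y", "y = z", "x >= z"]}

if __name__ == "__main__":
    for pc, kept in sorted(select_invariants(TRACE, INVARIANTS).items()):
        print(f"PC={pc}: needed={sorted(needed_sets(TRACE)[pc])} keep {kept}")
```

At location 10 only x and z are needed to decide the guard, so of the three invariants there only x ≥ z is kept, which is exactly the invariant the earlier slide uses to prune the counterexample.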
Experimental results (TCAS)
[Chart comparing three configurations: localization of predicates using weakest pre-conditions [TACAS 2005]; localization of predicates using Craig interpolation [Jhala et al., POPL 2004]; using octagonal invariants in the Default framework]
1. Invariant generation for TCAS took 5 seconds
2. None of the above properties can be verified by octagonal invariants alone
Experiments on Industry Programs
Several interesting improvements with Octagon invariants:
Number of unresolved (#None) checks is reduced (here, to 0)
Provides performance improvement
Last example: not much extra cost with Proofs by SAT

     KLOC  #Checks | Without Octagon Invariants                        | With Octagon Invariants
                   | #P by SA  #P by SAT  #B by SAT  #None  Time (sec) | #P by SA w/ Invar  #P by SAT  #B by SAT  #None  Time (sec)
f1    0.5     64   |    32         9          0        23      596     |        64              0          0        0       15
f2    1.1     16   |     8         6          0         2      564     |        16              0          0        0       66
f3    1.1     18   |     8         5          2         3      572     |        16              0          2        0      104
f4    1.2     22   |    10         6          3         3      478     |        18              1          3        0      195
f5    1.2     10   |     0         0          4         6      584     |         6              0          4        0      401
f6    1.6     26   |     8         6          8         4      579     |        18              0          8        0      197
f7    1.8     28   |     4         8          4         4      589     |        12              4          4        0      325
f8    3.6    280   |   267        13          0         0      144     |       280              0          0        0      140
Note: #P = # Proofs, #B = # Bugs, #None = unresolved checks
Invariant generation results
Control flow based packing leads to invariants that are more likely to be useful in the CEGAR loop
Invariant selection results
[Chart: number of invariants generated using control flow based packing, before and after invariant selection]
Conclusion
Using invariants in the abstraction-refinement loop: fewer predicates and refinement iterations; can help when finding the right predicates is difficult
Invariant generation and selection: finding useful invariants; right packing strategies
Current/Future work (by co-authors): generation of disjunctive invariants [SISG SAS 2006]; applications of invariants during BMC [GG ICCAD 2006]