2006-11-30Newton: A tool for generating abstract explanations of infeasibility1 The Problem P (C Program) BP (Boolean Program of P) CFG(P) CFG(BP)

2006-11-30 Newton: A tool for generating abstract explanations of infeasibility 1

The Problem

P (C Program) BP (Boolean Program of P) CFG(P) CFG(BP)


The Problem

P (C Program) BP (Boolean Program of P) CFG(P) CFG(BP)

need refinementWhere do predicates come from?Where do predicates come from?


Generating Abstract Explanation of Spurious Counterexamples in C Programs

Thomas Ball, Sriram K. RajamaniTechnical Report

2006.11.30Yunkyung Ahn

some figures and slides are fromhttp://research.microsoft.com/slam/PLDI03Tutorial.ppt


Goal

P (path program)

Found Buggood explanation (infeasible)

Newton


The SLAM Process

boolean pgm

pathpredicates

pgm P

SLIC rule

slicslic pgm P’

c2bpc2bp

bebopbebop

newtonnewton


Path Program (Example)

do {

KeAcquireSpinLock();

A: KeAcquireSpinLock_return();

nPacketsOld = nPackets;

request = devExt->WLHV;

if(request){

request = request->Next;

KeReleaseSpinLock();

B: KeReleaseSpinLock_return();

nPackets++;

}

C:

} while (nPackets != nPacketsOld);


D: KeReleaseSpinLock_return();

enum { Unlocked=0, Locked=1 }state = Unlocked;void slic_abort() { SLIC_ERROR: ;}void KeAcquireSpinLock_return() { if (state == Locked) slic_abort(); elseE:E: state = Locked;}

void KeReleaseSpinLock_return { if (state == Unlocked) slic_abort(); elseF:F: state = Unlocked;}



do { skip;

A: KeAcquireSpinLock_return();skip;skip; if(*){ skip; skip;

B: KeReleaseSpinLock_return(); skip;}

C:} while (*);

skip;D: KeReleaseSpinLock_return();

decl {state==Locked}, {state==Unlocked};void slic_abort() { SLIC_ERROR: skip;

}void KeAcquireSpinLock_return(){ if ({state==Locked}) slic_abort(); elseE:E: {state==Locked},{state==Unlocked} := T,F;}

void KeReleaseSpinLock_return(){ if ({state == Unlocked}) slic_abort(); else F:F: {state==Locked},{state==Unlocked} := F,T;}



do {

KeAcquireSpinLock();

A: KeAcquireSpinLock_return();

nPacketsOld = nPackets;

request = devExt->WLHV;

if(request){

request = request->Next;


B: KeReleaseSpinLock_return();

nPackets++;

}

C:

} while (nPackets != nPacketsOld);


D: KeReleaseSpinLock_return();

enum { Unlocked=0, Locked=1 }state = Unlocked;void slic_abort() { SLIC_ERROR: ;}void KeAcquireSpinLock_return() { if (state == Locked) slic_abort(); elseE:E: state = Locked;}

void KeReleaseSpinLock_return { if (state == Unlocked) slic_abort(); elseF:F: state = Unlocked;}

nPackets = nPacketsOld;request = devExt->WLHeadVa;nPackets = nPacketsOld;request = devExt->WLHeadVa;assume(!request);assume(nPackets != nPacketsOld);


Example

• p1 is infeasible• condition: e1 = (b > 0) (c = 2b) (a = b - 1)• e1 implies (a c)

• E1 = {(b > 0), (c = 2b), (a = b), (a = b-1)}• an explanation of p1’ infeasibility

1 assume(b>0); 2 c := 2b;3 a := b;4 a := a – 1;5 assume(a<b); 6 assume(a=c);

p1 (path program )

(b > 0)(b > 0), (c=2b)(b > 0), (c=2b), (a=b)(b > 0), (c=2b), (a=b-1)


Example

• Is there a better explanation than E1?• p2 is infeasible

• condition: e2 = (b > 0) (c = 2b) (a < b)

• e2 implies (a c)

• e2 is more abstract (weaker) than e1• e1 = (b > 0) (c = 2b) (a = b - 1)

• e2 = (b > 0) (c = 2b) (a < b)

• e1 e2


p1 (path program )

1 assume(b>0); 2 c := 2b;

5 assume(a<b); 6 assume(a=c);

p2 (path program )


Example

• E1 = {(b > 0), (c = 2b), (a = b), (a = b-1)}• E2 = {(b > 0), (c = 2b), (a < b)}• E1, E2: explanations of p1’s infeasibility• E2 is a better explanation than E1


p1 (path program )

1 assume(b>0); 2 c := 2b;


p2 (path program )


Example - Annotation

• introduce a fresh symbolic constant• in p1 , there is no variable is used without first being

defined


p1

<1,(b = b)>1 b := b


p1’


Semantics of Path

• SP (strongest post condition) in terms of p

• SP maps a context to a new context

• <,,>: a context ,store

represents the current valuation

,condition represents the constraints

,history represents the past valuations


Strongest Postcondition

• Example (Path simulation of p1)

p1’ : store : conditions : history

b := b;

assume(b>0);

c := 2b;

a := b;

a := a – 1;

assume(a<b);

assume(a=c);


b := b; (b, b)

assume(b>0);

c := 2b;

a := b;

a := a – 1;

assume(a<b);

assume(a=c);


b := b; (b, b)

assume(b>0); (b, b) b > 0

c := 2b;

a := b;

a := a – 1;

assume(a<b);

assume(a=c);


b := b; (b, b)


c := 2b; (b, b), (c, 2b) b > 0

a := b; (a, b), (b, b), (c, 2b) b > 0

a := a – 1; (a, b-1), (b, b), (c, 2b) b > 0 (a, b)

assume(a<b); (a, b-1), (b, b), (c, 2b) b > 0, b -1 0, b -1 < b, 2b= b -1 (a, b)


b := b; (b, b)


c := 2b; (b, b), (c, 2b) b > 0

a := b; (a, b), (b, b), (c, 2b) b > 0

a := a – 1; (a, b-1), (b, b), (c, 2b) b > 0 (a, b)

assume(a<b); (a, b-1), (b, b), (c, 2b) b > 0, b -1 0, b -1 < b, 2b= b -1 (a, b)


Example

• How to generate a good explanation

• p1,p2: infeasible paths• p2 is a ICPP (Infeasible Consistent Path Projection) of p1• we can use the ICPP to generate an abstract explanation


1 assume(b>0); 2 c := 2b;


p1 p2


Example

• p2 is a ICPP of p1

1 assume(b>0); 2 c := 2b;3 a := b;4 a := a – 1;5 assume(a<b);

<1,(b, b)>, <5,(a, a)> b := b;1 assume(b>0); 2 c := 2b;3 a := b;4 a := a – 1; a := a;5 assume(a<b);6 assume(a=b);

p2p1

1 assume(b>0); 2 c := 2b;

a := a;5 assume(a<b); 6 assume(a=b);

b := b;1 assume(b>0); 2 c := 2b;

a := a;5 assume(a<b); 6 assume(a=b);


Newton• Newton

• implements SP to check if a path p is infeasible• find an abstract explanation for the infeasibility of p based on co

nstructing ICPPs, if p is infeasible

• Internal state of Newton has 3 components• store (): map from variables to values• condition(): predicates over symbols• history() : past valuations of the store

• Newton function in 3 phases:• Phase1: check feasibility• Phase2: minimize conditions• Phase3: find a explanation


Example

Store Conditions History



Example

Store Conditions HistoryStore

1 b b ()

Conditions

(b > 0) (1)



Example


1 b b ()

Conditions

(b > 0) (1)

Store

1 b b ()

2 c 2 b (1)



Example


1 b b ()

Conditions

(b > 0) (1)

Store

1 b b ()

2 c 2 b (1)

Store

1 b b ()

2 c 2 b (1)

3 a b (1)



Example


1 b b ()

Conditions

(b > 0) (1)

Store

1 b b ()

2 c 2 b (1)

Store

1 b b ()

2 c 2 b (1)

3 a b (1)

Store

1 b b ()

2 c 2 b (1)

4 a b-1 (3)

History

3 a b (1)



Example


1 b b ()

Conditions

(b > 0) (1)

Store

1 b b ()

2 c 2 b (1)

Store

1 b b ()

2 c 2 b (1)

3 a b (1)

Store

1 b b ()

2 c 2 b (1)

4 a b-1 (3)

History

3 a b (1)

Store

1 b b ()

2 c 2 b (1)

5 a a ()

Conditions

(b > 0) (1)

(a 0) (1)

Store

1 b b ()

2 c 2 b (1)

Store

1 b b ()

2 c 2 b (1)

3 a b (1)

Store

1 b b ()

2 c 2 b (1)

4 a b-1 (3)

History

3 a b (1)

Store

1 b b ()

2 c 2 b (1)

5 a a ()

Conditions

(b > 0) (1)

(a 0) (1)

(a 0),(a , <1,(b= b)>}



Experimental Results

• Newton generates a very small explanation.• Every iteration of Newton

• took under a minute • consumed less than 10MB of memory in a 996Mhz Pentium PC

with 256MB RAM


Summary • Symbolic path simulator

• Check conditions for inconsistency using theorem prover(Simplify)

• After detecting inconsistency:• minimize inconsistent conditions• traverse dependencies• obtain predicates

• SLAM = The first CEGAR project• CEGAR = Counter-Example Guided Abstraction• Iterative Abstraction Refinement

Documents

2006-11-30Newton: A tool for generating abstract explanations of infeasibility1 The Problem P (C Program) BP (Boolean Program of P) CFG(P) CFG(BP)