Lazy Abstraction Tom Henzinger Ranjit Jhala Rupak Majumdar Grégoire Sutre

Lazy Abstraction

Tom HenzingerRanjit JhalaRupak MajumdarGrégoire Sutre

2

Goals

Verification of software safety properties C programs

Application to systems software e.g. Check correct use of locks

3

How?

Model checking Predicate Abstraction

focus on essential properties decision procedures and BDDs

Counterexample driven refinement

4

Outline

Counterexample-driven refinement drawbacks

Predicate Abstraction

Lazy Predicate Abstraction intuitive description, example

Discussion

Is ERROR reachable?

Yes, path p No

model check

Return “No”

66

Is p feasible in P?

No, explanation Yes

refine

don’t know

Return “Yes”, p Return “don’t know”

P

B

Is ERROR reachable?

abstract

Initial predicates

7

Related Work

Microsoft SLAM project Abstractor: C code Boolean programs Model checker for boolean programs Predicate discovery and refinement

[Clarke et al 00] Bandera Project at KSU …

8

Drawbacks

Redo work at each iteration compute a brand new abstraction model-check this new abstraction what if the new inferred predicates

are local?

Does some unnecessary work

No sharing of data structures

9

Our proposal

Integrate the three phases

Construct the abstraction on-the-fly driven by the reachability search

Refine the abstraction on demand Locally, based on bad error paths

Give control to the model checker

10

Outline




Discussion

11

Predicate abstraction

Box: abstract variable valuation Region: cover of boxes

P1 : x = y

P3 : x z+1

P2 : z = t + y

P4 : *u = x

Variable value space

:P1,:P2

P1, P2

P1, :P2

:P1, P2

:P3

:P4

:P3

P4

P3

P4

P3

:P4

12

Abstract state graph

Explicit control locations

Abstract state:(control location, box)

Conservative abstraction:

computed using decision procedures

defined as usual defined as usual

13

Outline




Discussion

14P1, …, Pk P’1, …, P’h

Lazy abstraction

Symbolic model checking predicate abstraction on-the-fly post/pre

Refinement by demand dynamic predicates

Error-free closed sets of states are not checked again.

15

Reachability analysis (1)

Forward symbolic reachability tree

Nodes labeled by: (control location, abstract region)

Edges labeled by program statements

Post computed w.r.t {P1, …, Pk} decision procedure

Refinement: {P1, …, Pk, Pk+1, …, Pk+h}

16Untouched


Refinement

17


Refinement

Unmarked

18


Correctness independent from search order

Optimization: union closed subtrees

Why compute backwards from error? fewer marked nodes are unmarked

General symbolic setting: regions

Q: Is Error Reachable ?

void Example( ) {

1: do {

old = new;

// Get the write lock

AcquireSpinLock(&DevExt writeListLock); [ acq = True]

2: if ( request && request status ) {

3: devExt WriteList = request next;

// Release the lock

ReleaseSpinLock(&DevExt writeListLock); [acq=False]

irp = request irp;

if ( request status > 0 ) {

irp IoStatus.Status = STATUS-SUCCESS;

irp IoStatus.Information = request Status;

} else {

irp IoStatus.Status =STATUS-UNSUCCESS;


}

SmartDevFreeBlock(request);

IoCompleteRequest(irp,DO_NO_INCREMENT);

new++;

4: }

5: } while ( new != old ) ;

// Release the lock

6: ReleaseSpinLock(&DevExt writeListLock);

[ if (acq == False) then ERROR; ]

}

1

2

4

5

6

Error 7

?

?

?

3

old = new;



( request && request status ) ?

devExt WriteList = request next;

// Release the lock


irp = request irp;




} else {



}



new++;

(new == old ) ?

(acq == False ) ?

>1

acq2

3 acq

4 : acq

5 : acq

6 : acq

Err : acq

Phase 1: Forward Search

Set of Predicates: (acq = False) from Spec

Reachability Analysis1

2

4

5

6

Error 7

?

?

?

3

1

2

4

5

6

Error 7

?

?

?

3old = new;


AcquireSpinLock(&DevExt writeListLock);

[ acq = True]

( request && request status ) ?devExt WriteList = request next;

// Release the lock


irp = request irp;




} else {



}



new++;

(new == old ) ?

(acq == False ) ?

{: acq}

{: acq Æ (new = old)}

{acq Æ (new+1 =old)}

{: acq Æ (new = old)}

{acq Æ new+1=old}

{acq Æ new+1=new}

New Predicate for Refinement:

(new=old)

acq

>1

2

3 acq

4 : acq

5 : acq

6 : acq

Err : acq

Reachability AnalysisSet of Predicates: (acq = False) from Spec

Phase 2: CounterEx Guided Refinement

devExt WriteList = request next;

// Release the lock


irp = request irp;




} else {



}



new++;

old = new;



( request && request status ) ?

(new == old ) ?

1

2

4

5

6

Error 7

?

?

?

3

4 : acq Æ : (new=old)

>1

acq Æ (new=old)2

3 acq Æ (new=old)

5: acq Æ : (new=old)

1

: acq Æ : (new=old) µ >

5 acq Æ (new=old)

(new old ) ?

6

?

(new old ) ?

1

?

(new == old ) ?

6 acq Æ (new=old)

(acq == False ) ?Err 7 acq Æ (new=old)

: (acq == False ) ?

Error is not reachable

Reachability AnalysisSet of Predicates: (acq = False) , (new = old)

Phase 1: Forward Search

23

Outcomes

Error2Error1

This lazy approach allows us to share work that we have done before

Once the left part has been searched, we will never look at it again

A different set of predicates, relevant only to the right part, may be used while searching it

24

Predicate discovery

Keep substitutions explicit new variables operations appear explicitly

Ask a proof of unsatisfiability

Pick predicates appearing in the proof

op1

op2

op3

op4

25

Region based Symbolic Model Checking

Region datatype denote possibly infinite sets of values e.g. ({P1, …, Pk}, bdd)

Boolean operations Set Op of operations Symbolic post/pre : R x Op R Focus operation (refinement)

26

Outline




Discussion

27

Tool architecture

Control FlowAutomaton

Regions

Operations Model checker

28

Development roadmap

C program Control Flow Automaton

Regions are predicate valuations BDD representation

Model checker region-based algorithm

Input: regions, pre, post

29

Discussion

Search order: heuristics Pre/Post duality

Acceleration of loops Memory usage: hashing? Application to: (C programs)

timed automata, hybrid systems SDL protocols

Documents

Lazy Abstraction Tom Henzinger Ranjit Jhala Rupak Majumdar Grégoire Sutre