Lazy Abstraction
Tom HenzingerRanjit JhalaRupak MajumdarGrégoire Sutre
2
Goals
Verification of software safety properties C programs
Application to systems software e.g. Check correct use of locks
3
How?
Model checking Predicate Abstraction
focus on essential properties decision procedures and BDDs
Counterexample driven refinement
4
Outline
Counterexample-driven refinement drawbacks
Predicate Abstraction
Lazy Predicate Abstraction intuitive description, example
Discussion
Is ERROR reachable?
Yes, path p No
model check
Return “No”
66
Is p feasible in P?
No, explanation Yes
refine
don’t know
Return “Yes”, p Return “don’t know”
P
B
Is ERROR reachable?
abstract
Initial predicates
7
Related Work
Microsoft SLAM project Abstractor: C code Boolean programs Model checker for boolean programs Predicate discovery and refinement
[Clarke et al 00] Bandera Project at KSU …
8
Drawbacks
Redo work at each iteration compute a brand new abstraction model-check this new abstraction what if the new inferred predicates
are local?
Does some unnecessary work
No sharing of data structures
9
Our proposal
Integrate the three phases
Construct the abstraction on-the-fly driven by the reachability search
Refine the abstraction on demand Locally, based on bad error paths
Give control to the model checker
10
Outline
Counterexample-driven refinement drawbacks
Predicate Abstraction
Lazy Predicate Abstraction intuitive description, example
Discussion
11
Predicate abstraction
Box: abstract variable valuation Region: cover of boxes
P1 : x = y
P3 : x z+1
P2 : z = t + y
P4 : *u = x
Variable value space
:P1,:P2
P1, P2
P1, :P2
:P1, P2
:P3
:P4
:P3
P4
P3
P4
P3
:P4
12
Abstract state graph
Explicit control locations
Abstract state:(control location, box)
Conservative abstraction:
computed using decision procedures
defined as usual defined as usual
13
Outline
Counterexample-driven refinement drawbacks
Predicate Abstraction
Lazy Predicate Abstraction intuitive description, example
Discussion
14P1, …, Pk P’1, …, P’h
Lazy abstraction
Symbolic model checking predicate abstraction on-the-fly post/pre
Refinement by demand dynamic predicates
Error-free closed sets of states are not checked again.
15
Reachability analysis (1)
Forward symbolic reachability tree
Nodes labeled by: (control location, abstract region)
Edges labeled by program statements
Post computed w.r.t {P1, …, Pk} decision procedure
Refinement: {P1, …, Pk, Pk+1, …, Pk+h}
16Untouched
Reachability analysis (2)
Refinement
17
Reachability analysis (3)
Refinement
Unmarked
18
Reachability analysis (4)
Correctness independent from search order
Optimization: union closed subtrees
Why compute backwards from error? fewer marked nodes are unmarked
General symbolic setting: regions
Q: Is Error Reachable ?
void Example( ) {
1: do {
old = new;
// Get the write lock
AcquireSpinLock(&DevExt writeListLock); [ acq = True]
2: if ( request && request status ) {
3: devExt WriteList = request next;
// Release the lock
ReleaseSpinLock(&DevExt writeListLock); [acq=False]
irp = request irp;
if ( request status > 0 ) {
irp IoStatus.Status = STATUS-SUCCESS;
irp IoStatus.Information = request Status;
} else {
irp IoStatus.Status =STATUS-UNSUCCESS;
irp IoStatus.Information = request Status;
}
SmartDevFreeBlock(request);
IoCompleteRequest(irp,DO_NO_INCREMENT);
new++;
4: }
5: } while ( new != old ) ;
// Release the lock
6: ReleaseSpinLock(&DevExt writeListLock);
[ if (acq == False) then ERROR; ]
}
1
2
4
5
6
Error 7
?
?
?
3
old = new;
// Get the write lock
AcquireSpinLock(&DevExt writeListLock); [ acq = True]
( request && request status ) ?
devExt WriteList = request next;
// Release the lock
ReleaseSpinLock(&DevExt writeListLock); [acq=False]
irp = request irp;
if ( request status > 0 ) {
irp IoStatus.Status = STATUS-SUCCESS;
irp IoStatus.Information = request Status;
} else {
irp IoStatus.Status =STATUS-UNSUCCESS;
irp IoStatus.Information = request Status;
}
SmartDevFreeBlock(request);
IoCompleteRequest(irp,DO_NO_INCREMENT);
new++;
(new == old ) ?
(acq == False ) ?
>1
acq2
3 acq
4 : acq
5 : acq
6 : acq
Err : acq
Phase 1: Forward Search
Set of Predicates: (acq = False) from Spec
Reachability Analysis1
2
4
5
6
Error 7
?
?
?
3
1
2
4
5
6
Error 7
?
?
?
3old = new;
// Get the write lock
AcquireSpinLock(&DevExt writeListLock);
[ acq = True]
( request && request status ) ?devExt WriteList = request next;
// Release the lock
ReleaseSpinLock(&DevExt writeListLock); [acq=False]
irp = request irp;
if ( request status > 0 ) {
irp IoStatus.Status = STATUS-SUCCESS;
irp IoStatus.Information = request Status;
} else {
irp IoStatus.Status =STATUS-UNSUCCESS;
irp IoStatus.Information = request Status;
}
SmartDevFreeBlock(request);
IoCompleteRequest(irp,DO_NO_INCREMENT);
new++;
(new == old ) ?
(acq == False ) ?
{: acq}
{: acq Æ (new = old)}
{acq Æ (new+1 =old)}
{: acq Æ (new = old)}
{acq Æ new+1=old}
{acq Æ new+1=new}
New Predicate for Refinement:
(new=old)
acq
>1
2
3 acq
4 : acq
5 : acq
6 : acq
Err : acq
Reachability AnalysisSet of Predicates: (acq = False) from Spec
Phase 2: CounterEx Guided Refinement
devExt WriteList = request next;
// Release the lock
ReleaseSpinLock(&DevExt writeListLock); [acq=False]
irp = request irp;
if ( request status > 0 ) {
irp IoStatus.Status = STATUS-SUCCESS;
irp IoStatus.Information = request Status;
} else {
irp IoStatus.Status =STATUS-UNSUCCESS;
irp IoStatus.Information = request Status;
}
SmartDevFreeBlock(request);
IoCompleteRequest(irp,DO_NO_INCREMENT);
new++;
old = new;
// Get the write lock
AcquireSpinLock(&DevExt writeListLock); [ acq = True]
( request && request status ) ?
(new == old ) ?
1
2
4
5
6
Error 7
?
?
?
3
4 : acq Æ : (new=old)
>1
acq Æ (new=old)2
3 acq Æ (new=old)
5: acq Æ : (new=old)
1
: acq Æ : (new=old) µ >
5 acq Æ (new=old)
(new old ) ?
6
?
(new old ) ?
1
?
(new == old ) ?
6 acq Æ (new=old)
(acq == False ) ?Err 7 acq Æ (new=old)
: (acq == False ) ?
Error is not reachable
Reachability AnalysisSet of Predicates: (acq = False) , (new = old)
Phase 1: Forward Search
23
Outcomes
Error2Error1
This lazy approach allows us to share work that we have done before
Once the left part has been searched, we will never look at it again
A different set of predicates, relevant only to the right part, may be used while searching it
24
Predicate discovery
Keep substitutions explicit new variables operations appear explicitly
Ask a proof of unsatisfiability
Pick predicates appearing in the proof
op1
op2
op3
op4
25
Region based Symbolic Model Checking
Region datatype denote possibly infinite sets of values e.g. ({P1, …, Pk}, bdd)
Boolean operations Set Op of operations Symbolic post/pre : R x Op R Focus operation (refinement)
26
Outline
Counterexample-driven refinement drawbacks
Predicate Abstraction
Lazy Predicate Abstraction intuitive description, example
Discussion
27
Tool architecture
Control FlowAutomaton
Regions
Operations Model checker
28
Development roadmap
C program Control Flow Automaton
Regions are predicate valuations BDD representation
Model checker region-based algorithm
Input: regions, pre, post
29
Discussion
Search order: heuristics Pre/Post duality
Acceleration of loops Memory usage: hashing? Application to: (C programs)
timed automata, hybrid systems SDL protocols