1 predicate abstraction of ansi-c programs using sat edmund clarke daniel kroening natalia sharygina...

1

Predicate Abstraction of ANSI-C Programs using SAT

Predicate Abstraction ofANSI-C Programs using SAT

Edmund ClarkeDaniel Kroening

Natalia SharyginaKaren Yorav

(modified by Zaher Andraus for presentation in SWERVE only)

2


Abstraction Refinement Loop

ActualProgramActual

ProgramBooleanProgramBooleanProgram

ModelChecker

Abstraction refinement

VerificationInitial

Abstraction

No erroror bug found

Spuriouscounterexample

This talk: How to compute Boolean program from

Actual ANSI-C program

Set of predicates

3


Example

int main() { int i;

i=0;

while(even(i)) i++; }

int main() { int i;

i=0;

while(even(i)) i++; }

+ p1 i=0p2 even(i)

p1 i=0p2 even(i) =

int main() { bool p1, p2;

p1=TRUE; p2=TRUE;

while(p2) { p1=p1?FALSE:nondet(); p2=!p2; } }

int main() { bool p1, p2;

p1=TRUE; p2=TRUE;

while(p2) { p1=p1?FALSE:nondet(); p2=!p2; } }

4


Problem

Abstractionfunction(predicates)

Concrete Transition(basic block) Concrete

next stateConcrete

state

Abstractstate

Abstractnext stateAbstract Transition

(basic block)

5


Background

• How to create the initial predicates for abstraction?– (PVS) Manual! (Graf and Saidi, “Construction of

abstract state graphs with PVS”)– (SLAM) Manual! (Ball, Majumdar, Millstein, Rajamani,

“Automatic Predicate Abstraction of C Programs”)– (Clarke) Control-Driven! (Chaki, Clarke, Groce,

Strichman, “Predicate Abstraction with Minimum Predicates”)


6


Initial Abstract Machine


7


Optimizations

• Eliminate Redundant Predicates (e.g. logically related)

• Dynamic

• Now we got the Predicates, we need to build the abstract machine!


8


Existing Tools

• Basic idea: with n predicates, there are2n £ 2n possible abstract transitions

• Eliminate “obviously wrong” transitions(e.g.: predicate about variable x changes, but basic block does not mention x)

• Try some subset of these possible transitions using a theorem prover

• To be safe, remaining abstract transitions are added Over-approximation

9


Existing Tools: ExamplePredicates

i++;i++;

Basic Block Formula

Current Abstract State Next Abstract State

p1 p2 p3

0 0 0

0 0 1

0 1 0

0 1 1

1 0 0

1 0 1

1 1 0

1 1 1

p’1 p’2 p’3

0 0 0

0 0 1

0 1 0

0 1 1

1 0 0

1 0 1

1 1 0

1 1 1

????Query

10


Existing Tools: ExamplePredicates

i++;i++;

Basic Block Formula

Current Abstract State Next Abstract State

p1 p2 p3

0 0 0

0 0 1

0 1 0

0 1 1

1 0 0

1 0 1

1 1 0

1 1 1

p’1 p’2 p’3

0 0 0

0 0 1

0 1 0

0 1 1

1 0 0

1 0 1

1 1 0

1 1 1

Query

????

… … and so on …and so on …

11


Comment

• This takes care of unreachable abstract states


12


What is the problem?

Problem of existing tools: Large number of expensive theorem prover calls – slow

Over-approximation yields additional,unnecessary spurious counterexamples

Theorem prover works on natural numbers, but ANSI-C uses bit-vectors false positives

Most theorem provers support only few operators(+, -, <, ≤, …), no bitwise operators

Very limited support for pointers,in particular pointer arithmetic

13


Our Solution – use SAT solver!

1. Generate query equation withpredicates as free variables

14


Our SolutionSingle query for Theorem Prover

Query for SAT

15


Queries for Larger Basic Blocks

i++; j=i; i=i*k;

i++; j=i; i=i*k;

Basic Block

Query for SAT

Predicates

++++ i1=i0+1; j1=i1; i2=i1*k0;

i1=i0+1; j1=i1; i2=i1*k0;

16


Our Solution

Use SAT solver!1. Generate query equation with

predicates as free variables

2. Transform equation into CNF using Bit Vector Logic

One satisfying assignment matches one abstract transition

3. Obtain all satisfying assignments= most precise abstract transition relation

Query for SAT

17


Our Solution

This solves two problems:1. Now can do all ANSI-C

integer operators, including *, /, %, <<, etc.

2. Sound with respect to overflow

This solves two problems:1. Now can do all ANSI-C

integer operators, including *, /, %, <<, etc.

2. Sound with respect to overflow

No moreunnecessary spurious

counterexamples!

No moreunnecessary spurious

counterexamples!

Use SAT solver!1. Generate query equation with

predicates as free variables

2. Transform equation into CNF using Bit Vector Logic

One satisfying assignment matches one abstract transition

3. Obtain all satisfying assignments= most precise abstract transition relation

18


PointersSupport for pointer expressions:

1. Address expression is translated into a bit vector with two components:

o Object pointed ato Integer width offset within object (for arrays)

2. Supported operators:o &, *, [i]o Pointer + Integer (increases offset)o Pointer – Pointero Pointer rel Pointer, with rel one of <,>,=, etc.

3. Check for illegal pointer operations added automaticallyo NULL reference, array bounds violation, etc…

19


Pointers: Explanation…

• Paper p. 113-114


20


Control-Flow Statements

• Paper p. 117


21


The Set of Satisfying Assignments

How do we obtain the set of all satisfying assignments?

1. This is a common problem – also needed foro Image computation / hardware verificationo QBF solvers

2. Naïve approach:

1) Run SAT

2) If Satisfying assignment found then• add blocking clause• continue with 1)

1) Run SAT

2) If Satisfying assignment found then• add blocking clause• continue with 1)

22


Performance

How does the performance compare with existing approaches?

1. Runtime potentially exponential

2. Exponential part is inside SAT solver,instead of exponential number ofTheorem Prover calls

3. SAT solver is not re-started; all the learning and pruning done by modern SAT solvers is retained between iterations.

4. All heuristics for “obvious” transitions are still applicable

23


Performance

• Worst case:all possible assignments are satisfying

• Formula includes addition operator

• Runtime uncritical up to 2^14 assignments

24


Performance

• More realistic experiment: two 32-bit variables, plus n predicates

• Various operators: +, <, shifting, xor, or, and, combinations thereof, …

• All predicates are affected by basic block

Compare to 2n £ 2n potential theorem prover calls!

No. of Predicates Runtime(inexpensive)

Runtime(with 32-bit *)

4 0.03 s 0.35 s

8 0.16 s 7.20 s

16 2.76 s 71.16 s

32 6.35 s 512.72 s

25


Performance Improvements

Better than enumerating?

1. Approximation of set cover obtains small set of predicates that is actually required to cover the CNF

2. Analyze literal dependency graph to identify free variables

Both techniques yield a set of abstracttransitions

26


Performance Improvements

Expensive operators

Instead of adding full clause structure for expensive operators such as %, /, *,make it uninterpreted, and add important properties as constraints:

Transitivity Congruence Closure Commutativity Special cases (x/1=x, …) Others: x/y, y>1 x>x/y etc.

27


Future Work

1. Interval abstraction for floating point arithmetic

2. Experiments with full abstraction refinement loop: Evaluate effect of more precise abstraction

3. Try predicate abstraction to actually prove properties of computed values

4. Predicate abstraction for concurrent programs

1 predicate abstraction of ansi-c programs using sat edmund clarke daniel kroening natalia sharygina...

Documents

predicate abstraction

actual ansic program

query slide

initial abstract machine

example predicates

initial predicates

abstract state p1p1

overapproximation slide