localization and register sharing for predicate abstraction himanshu jain franjo ivančić aarti...

Localization and Register Sharing for Predicate Abstraction

Himanshu Jain

Franjo Ivančić

Aarti Gupta

Malay Ganai

Introduction

Predicate abstraction

Abstracts data by keeping track of certain predicates

Each predicate given a boolean variable in abstract model

Scalability depends on choice and usage of predicates

Counterexample Guided Abstraction and Refinement

PropertyMonitorC programs

Static Analysis

Abstraction

Model check(DiVer)

Analysis &Refinement

Discovered bug in software

Certified code

F-Soft

Motivation

Computing predicate relationships is expensive

Localization of predicates

Identify important predicates at each program location

Identify important predicate relationships

Some notation

Spurious trace Infeasible sequence of statements

Predicate relationships Example: (p1 Æ : p2), (p1’ $ p3)

1. x = m;

2. y = m;

3. assume (x != y);

Related work

BLAST uses interpolation to find important predicates at each statement in spurious trace [Jhala et al., 04]

Localization of predicates

Interpolation produces “good” predicates?

Syntactic program transformations for automatic abstraction [Namjoshi et al.]

MAGIC tool [Chaki et al.]

Given a spurious trace s1;….;sk

Use weakest pre-conditions to identify important predicates at each statement si

Most predicate relationships obtained from refinement itself

Our approach

Outline

Introduction

Localization of predicates

Register Sharing

Dedicated State Variables

Experimental results

Abstraction

1: x = ctr;

2: y = ctr + 1;

3: if (x = i-1){

4: if (y != i){

ERROR: }

}

1: skip;

2: skip;

3: if (*){

4: if (*){

ERROR: }

}

Abstract

C program No predicates available currently

Checking the abstract model

1: skip;

2: skip;

3: if (*){

4: if (*){

ERROR: }

}

No predicates available currently

Is ERROR reachable?

yes

Abstract model has a

path leading to error state

Concretization of abstract counterexample

1: x = ctr;

2: y = ctr + 1;

3: assume(x == i-1)

4: assume (y != i)

1: skip;

2: skip;

3: if (*){

4: if (*){

ERROR: }

}

Concrete trace

SimulationDoes this

correspond to a real bug?

Spurious trace

We use a SAT solver

1: x = ctr;

2: y = ctr + 1;

3: assume(x == i-1)

4: assume (y != i)

Concrete traceSpurious Counterexample

Refinement

1: x = ctr;

2: y = ctr + 1;

3: assume(x == i-1)

4: assume (y != i)

Spurious Counterexample

y != i

y != i

ctr + 1 != i

ctr + 1 != i

x == i -1

x == i - 1

ctr == i - 1

Localization information

Predicate relationships

1: x = ctr;

2: y = ctr + 1;

3: assume(x == i-1)

4: assume (y != i)

Spurious Counterexample

y != i

y != i

ctr + 1 != i

ctr + 1 != i

x == i -1

x == i - 1

ctr == i - 1

Localization information

?

1: x = ctr;

2: y = ctr + 1;

3: if (x = i-1){

4: if (y != i){

ERROR: }

}

What happened so far

1: skip;

2: skip;

3: if (*){

4: if (*){

ERROR: }

}

Initial abstraction

1: x = ctr;

2: y = ctr + 1;

3: assume(x == i-1)

4: assume (y != i)

Spurious counterexample

y != i

y != i x == i -1ctr + 1 != i x == i - 1

ctr + 1 != i ctr == i - 1

Localization information

Computing new abstraction

1: x = ctr;

2: y = ctr + 1;

3: if (x = i-1){

4: if (y != i){

ERROR: }

}

Computing new abstraction

1:

2:

3: if ( ){

4: if ( ){

ERROR: }

}

y != i

y != i x == i -1ctr + 1 != i x == i - 1

ctr + 1 != i ctr == i - 1

Localization information

y != i

y != i x == i -1ctr + 1 != i x == i - 1

ctr + 1 != i ctr == i - 1

Localization information

1: x = ctr;

2: y = ctr + 1;

3: if (x = i-1){

4: if (y != i){

ERROR: }

}

Computing new abstraction

1:

2:

3: if ( ){

4: if (b0){

ERROR: }

}

Computing new abstraction

y != i

y != i x == i -1ctr + 1 != i x == i - 1

ctr + 1 != i ctr == i - 1

Localization information

Boolean b0 : y != i

1: x = ctr;

2: y = ctr + 1;

3: if (x = i-1){

4: if (y != i){

ERROR: }

}

Computing new abstraction

1:

2:

3: if (b1){

4: if (b0){

ERROR: }

}

Computing new abstraction

y != i

y != i x == i -1ctr + 1 != i x == i - 1

ctr + 1 != i ctr == i - 1

Localization information

Boolean b1 : x==i-1

Boolean b0 : y != i

1: x = ctr;

2: y = ctr + 1;

3: if (x = i-1){

4: if (y != i){

ERROR: }

}

Computing new abstraction

1:

2: b0 = b2;

3: if (b1){

4: if (b0){

ERROR: }

}

Computing new abstraction

y != i

y != i x == i -1ctr + 1 != i x == i - 1

ctr + 1 != i ctr == i - 1

Localization information

Boolean b2 : ctr+1 != i

Boolean b1 : x == i-1

Boolean b0 : y != i

1: x = ctr;

2: y = ctr + 1;

3: if (x = i-1){

4: if (y != i){

ERROR: }

}

Computing new abstraction

1: b1 = b3;

2: b0 = b2;

3: if (b1){

4: if (b0){

ERROR: }

}

Computing new abstraction

y != i

y != i x == i -1ctr + 1 != i x == i - 1

ctr + 1 != i ctr == i - 1

Localization information

Boolean b3 : ctr == i -1

Boolean b2 : ctr+1 != i

Boolean b1 : x == i - 1

Boolean b0 : y != i

No decision procedure

used so far

1: x = ctr;

2: y = ctr + 1;

3: if (x = i-1){

4: if (y != i){

ERROR: }

}

Computing new abstraction

1: b1 = b3;

2: b0 = b2;

3: if (b1){

4: if (b0){

ERROR: }

}

Computing new abstraction

y != i

y != i x == i -1ctr + 1 != i x == i - 1

ctr + 1 != i ctr == i - 1

Localization information

Boolean b3 : ctr == i -1

Boolean b2 : ctr+1 != i

Boolean b1 : x == i - 1

Boolean b0 : y != i

What about initial values of

b2 and b3?

SAT-based predicate

abstraction

Kroening et al.

Lahiri et al.

?

1: x = ctr;

2: y = ctr + 1;

3: if (x = i-1){

4: if (y != i){

ERROR: }

}

Computing new abstraction

1: b1 = b3;

2: b0 = b2;

3: if (b1){

4: if (b0){

ERROR: }

}

Computing new abstraction

Boolean b3 : ctr == i -1

Boolean b2 : ctr+1 != i

Boolean b1 : x == i - 1

Boolean b0 : y != i

Global constraint:

(b2 $ : b3)

y != i

y != i x == i -1ctr + 1 != i x == i - 1

ctr + 1 != i ctr == i - 1

Localization information

Abstraction without register sharing

1: b1 = b3;

2: b0 = b2;

3: if (b1){

4: if (b0){

ERROR: }

}

Computing new abstraction

Boolean b3 : ctr == i -1

Boolean b2 : ctr+1 != i

Boolean b1 : x == i - 1

Boolean b0 : y != i

Global constraint:

(b2 $ : b3)

Model check

1: b1 = b3;

2: b0 = b2;

3: if (b1){

4: if (b0){

ERROR: }

}

Computing new abstraction

Boolean b3 : ctr == i -1

Boolean b2 : ctr+1 != i

Boolean b1 : x == i - 1

Boolean b0 : y != i

Global constraint:

(b2 $ : b3)

ERROR is not reachable!

What have we covered so far

Localize predicates using weakest pre-conditions

Utilizing weakest pre-condition relationships

Bottleneck Model checking of abstraction without register sharing

Due to localization many predicates are useful only at a few program locations

Reuse state variables for representing other predicates

Similar to register allocation

Register sharing

Abstraction with register sharing

y != i

y != i x == i -1ctr + 1 != i x == i - 1

ctr + 1 != i ctr == i - 1

Localization information

y != i

y != i x == i -1ctr + 1 != i x == i - 1

ctr + 1 != i ctr == i - 1

Localization information

b0

b0

b2

b2

b1

b1

b3

Do we need 4 Boolean variables?

Abstraction with register sharing

y != i

y != i x == i -1ctr + 1 != i x == i - 1

ctr + 1 != i ctr == i - 1

Localization information

y != i

y != i x == i -1ctr + 1 != i x == i - 1

ctr + 1 != i ctr == i - 1

Localization information

c0

c0

c0

c0

c1

c1

c1

1: b1 = b3;

2: b0 = b2;

3: if (b1){

4: if (b0){

ERROR: }

}Global constraint:

(b2 $ : b3)

1: skip;

2: skip;

3: if (c1){

4: if (c0){

ERROR: }

}Local constraint:

(PC = 1) ! (c0 $ : c1)

Without With

b0

b0

b2

b2

b1

b1

b3

Register sharing

Reduces Boolean variables in the abstract model by register sharing

Speeds up model checking of abstractions

What’s next Reducing number of refinement iterations

Problem with register sharing

p

p

L1

L20

L2

L19

b1

b2

= 0

= 1

Spurious

Dedicated state variable

p

p

L1

L20

L2

L19

b

b

Dedicated state variables

Initially each predicate is assigned a Boolean variable, which can be reused

If a predicate is localized at many statements, |{s: p 2 local(s)}| > TH for some threshold TH

p is assigned a dedicated state variable (not reused)

By having a low value of TH, we can discover globally useful predicates early

Why this works?

Experimental Results

TCAS (Traffic Alert and Collision Avoidance System)

Lines of code 1652

We checked 10 different safety properties

Non-trivial number of predicates needed for each property both by F-Soft and BLAST

F-Soft versus BLAST (craig 2 + predH7)

F-Soft

Summary

Localize predicates using weakest pre-conditions Most predicate relationships obtained as by product Faster and less coarse abstractions Comparable to interpolation based techniques

Model checking abstractions Exploit localization information for reducing Boolean

variables

Reducing refinement iterations Predict globally useful predicates early in abstraction

refinement process

Questions?