Diagnosing Abstraction Failure in Separation Logic-based Analyses
Arlen Cox, Josh Berdine, Samin Ishtiaq, Christoph Wintersteiger
Transcript of a PowerPoint presentation.

Slide 1: Diagnosing Abstraction Failure in Separation Logic-based Analyses
Arlen Cox, Josh Berdine, Samin Ishtiaq, Christoph Wintersteiger
Slide 2: The Abstraction Refinement Dream
[Flowchart: Start Verification → Pick Abstraction → Attempt Proof. On Success: party. On Failure: Find Counterexample; on Success: Fix Bug; on Failure: Diagnose Failure → Pick New Abstraction → Attempt Proof.]
Slide 3: State of the Art Separation Logic Analysis
[Same flowchart as slide 2; two of its steps are marked "Previously Unexplored" (1 and 2).]
Slide 4: Traditional Abstraction Refinement (not our contribution)
Slide 5: Pick Abstraction / Attempt Proof
Slide 6: Proof Fails
Slide 7: Diagnosing Abstraction Failure
Weakest Precondition identifies:
1. An abstract state
2. A concrete state that is
   • unreachable
   • reaches error
   • contained in the abstract state
Slide 8: Partition the Abstract State
Slide 9: No WP() in Separation Logic
Weakest Precondition
Slide 10: No WP() in Separation Logic
    int* p;
    …
    *p = 17;
Weakest precondition: PSPACE-complete* due to aliasing.
* Calcagno, C., Yang, H., O'Hearn, P.W.: Computability and complexity results for a spatial assertion language for data structures. In: FSTTCS (2001)
Slide 11: Separation Logic-based Analyses
Restricted logic
• Does not support separating implication (−∗), general negation (¬), general conjunction (∧)
• Does not support backward reasoning: no weakest precondition
Contribution: a method to use forward analysis to diagnose failures
Contribution: a method for efficiently performing forward counterexample searches
Slide 12: Example
    l = new ListNode(new Obj(), NULL);
    while(*) {
      l = new ListNode(new Obj(), l);
    }
    while(l != NULL) {
      n = l->next;
      free(l->data);
      free(l);
      l = n;
    }
[Diagram: the list l → … → NULL]
Slide 13: Background: Pick Abstraction
[Flowchart as on slide 2.]
Slides 14–16: Pattern-Based Abstraction…
[Three animation steps of the list diagram l → … → NULL.]
Slide 17: Background: Proof Attempt
[Flowchart as on slide 2.]
Slides 18–21: Proof Search (SLL)
[The program from slide 12 is shown alongside each slide; the explored statements grow step by step:]

Slide 18: no statements explored yet.

Slide 19:
    l = new ListNode(new Obj(), NULL);

Slide 20:
    l = new ListNode(new Obj(), NULL);
    l = new ListNode(new Obj(), l);

Slide 21:
    l = new ListNode(new Obj(), NULL);
    l = new ListNode(new Obj(), l);
    assume(l != NULL)
    n = l->next;
    free(l->data);
Slide 22: Counterexamples
[Flowchart as on slide 2.]
Slide 23: Traditional Bounded Model Checking (not our contribution)
    l = new ListNode(new Obj(), NULL);
    l = new ListNode(new Obj(), l);
    assume(l != NULL)
    n = l->next;
    free(l->data);
    free(l);
    l = n;
    assume(l == NULL)
1. Unroll transition system
2. Check property
3. Repeat
- Can explode for deep properties
- Doesn't help proof process
Slide 24: Contribution: BMC Over Abstract Transition System
    l = new ListNode(new Obj(), NULL);
    l = new ListNode(new Obj(), l);
    assume(l != NULL)
    n = l->next;
    free(l->data);
1. Unroll abstract transition system
2. Check property
3. Repeat
+ Restricted search space
+ Finds counterexamples that caused this proof failure
Slides 25–33: Contribution: BMC Over Abstract Transition System
[Animated build-up of the encoding, one constraint per slide:]
• Must end in error
• Unroll up to a bound
• Stay in error (once the error state is reached, the unrolled system remains there)
• Otherwise transition according to program
• Send to SMT solver; quantifiers and all.
Slide 34: Encoding of [heap maps: Data, Allocated, Size, Address]
    p = malloc(size);

Slides 35–36: Encoding of [heap maps: Data, Allocated, Size, Address]
    p = malloc(size);
    q = malloc(size);

Slide 37: Encoding of [heap maps: Data, Allocated, Size, Address]
    p = malloc(size);
    q = malloc(size);
    r = p + size;
    *r = 3; // (no error)

Slide 38: Encoding of [heap maps: Data, Allocated, Size, Address]
    p = malloc(size);
    q = malloc(size);
    r = p + size;
    *r = 3; // (error)

r points one past the end of p's block, so whether the store is an error depends on whether that address lies inside some allocated block (slide 37) or not (slide 38).
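The memory encoding on slides 34–38 is easier to follow with a concrete model. The Python below is an added example and not the authors' encoding (theirs is an SMT formula; this one enumerates placements explicitly): a heap made of the four maps named on the slides, a store that is an error outside allocated blocks, and an enumeration of base-address placements that reproduces both outcomes of the `*r = 3` store. The `Heap` class, its method names and the tiny address space are assumptions of this example.

```python
"""Toy model of the slide 34-38 memory encoding (added example, not the
authors' code). Base addresses are supplied by the caller, standing in for
the values an SMT solver would choose when it searches the unrolled program."""


class Heap:
    def __init__(self):
        self.address = {}    # block id -> base address   (slide: Address)
        self.size = {}       # block id -> size in bytes  (slide: Size)
        self.allocated = {}  # block id -> still live?    (slide: Allocated)
        self.data = {}       # byte address -> value      (slide: Data)
        self._next_id = 0

    def _block_of(self, addr):
        """Id of the live block containing addr, or None."""
        for b, base in self.address.items():
            if self.allocated[b] and base <= addr < base + self.size[b]:
                return b
        return None

    def malloc(self, size, base):
        """Allocate `size` bytes at `base`; rejects overlap with a live block
        (a solver would simply not pick such a placement)."""
        for off in range(size):
            if self._block_of(base + off) is not None:
                raise ValueError("placement overlaps a live block")
        b = self._next_id
        self._next_id += 1
        self.address[b], self.size[b], self.allocated[b] = base, size, True
        return base

    def free(self, ptr):
        """free(ptr): only a live block's base address may be freed."""
        b = self._block_of(ptr)
        if b is None or self.address[b] != ptr:
            return False
        self.allocated[b] = False
        return True

    def store(self, addr, value):
        """*addr = value; False (error) when addr is outside every live block."""
        if self._block_of(addr) is None:
            return False
        self.data[addr] = value
        return True


def slide_program(size, p_base, q_base):
    """p = malloc(size); q = malloc(size); r = p + size; *r = 3;
    for one concrete placement of p and q."""
    h = Heap()
    p = h.malloc(size, p_base)
    h.malloc(size, q_base)
    r = p + size  # one past the end of p's block
    return "no error" if h.store(r, 3) else "error"


def outcomes(size, address_bits):
    """Enumerate every non-overlapping placement of p and q in a small address
    space and keep the first witness placement per outcome; this is the case
    split the solver makes between slides 37 and 38."""
    result = {}
    top = 1 << address_bits
    for p_base in range(0, top - size + 1):
        for q_base in range(0, top - size + 1):
            try:
                verdict = slide_program(size, p_base, q_base)
            except ValueError:
                continue  # overlapping blocks are not a valid heap
            result.setdefault(verdict, (p_base, q_base))
    return result


if __name__ == "__main__":
    print(outcomes(4, 4))
```

With a 4-byte block, `outcomes(4, 4)` reports `no error` first for q placed directly after p (the store lands inside q) and `error` for any placement that leaves the byte at p + size unallocated.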
Slide 39: Counterexample Search
[Abstract transition system from the failed proof, with edges labelled:]
    l = new ListNode(new Obj(), NULL);
    l = new ListNode(new Obj(), l);
    assume(l != NULL); n = l->next; free(l->data);

Slide 40: Counterexample Search
[Same abstract transition system as slide 39.]
Just need structure. Don't need separation logic formulas.
Slides 41–45: Counterexample Search
[Animated search over the abstract transition system of slide 39: as the edges l = new ListNode(new Obj(), NULL); l = new ListNode(new Obj(), l); and assume(l != NULL); n = l->next; free(l->data); are unrolled, each explored abstract state is labelled "No Error" or "Error Unreachable", alongside the list diagram l → … → NULL.]
Slide 46: Counterexample Search
• Produces concrete counterexamples
• Contribution: only explores failed proof
  • Finds counterexamples that would cause this particular proof failure
• Contribution: relies on SMT solver for unrolling
  • Property-guided, intelligent backtracking
• Bit-precise memory model
Slide 47: Contribution: Diagnosing Failure
[Flowchart as on slide 2.]
Slide 48: Diagnosing the Failure
[Abstract transition system from slide 39:]
    l = new ListNode(new Obj(), NULL);
    l = new ListNode(new Obj(), l);
    assume(l != NULL); n = l->next; free(l->data);
Was the abstraction here responsible for failure?
Slide 49: Diagnosing the Failure
Delete program before join point:
    assume(l != NULL); n = l->next; free(l->data);
    l = new ListNode(new Obj(), l);
Slide 50: Diagnosing the Failure
Synthesize a program prefix that creates the abstract state precisely:
    l = NULL;
    l = new ListNode(*, l);    // non-deterministic data field
followed by the remaining transitions
    assume(l != NULL); n = l->next; free(l->data);
    l = new ListNode(new Obj(), l);
Re-run counterexample search: Error Found!
Slides 51–54: Diagnosing the Failure
[Animation of the diagnosis steps.]

Slide 55: Diagnosing the Failure
    for p in Join_Points(ATS) {
      ATS' = Synthesize_Prefix(p, ATS)
      CEx = Find_Counterexample(ATS')
      if (exists CEx) {
        ATS = Refine(ATS, p, CEx);
      }
    }
Slide 56: Picking New Abstraction
[Flowchart as on slide 2.]
Slide 57: Picking New Abstraction
• Partial order of abstractions
• Pick next best abstraction
Slide 58: Proof Search with SLL_OBJ
    l = new ListNode(new Obj(), NULL);
    l = new ListNode(new Obj(), l);
    assume(l != NULL)
    n = l->next;
    free(l->data);
    free(l);
    l = n;
    assume(l == NULL)
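Slides 48–58 describe the diagnosis loop (the pseudocode of slide 55), the partial order of abstractions (slide 57) and the successful re-proof with SLL_OBJ (slide 58). The Python below is an added example, not the authors' tool: it models the two abstractions as sets of facts guaranteed at the loop's join point, a forward proof attempt that checks each statement's precondition against those facts, a bounded counterexample search over concrete lists drawn from the abstract state (standing in for the synthesized prefix with a non-deterministic data field on slide 50), and a refinement step that walks the partial order. The fact names, the `Node` type and the precondition table are assumptions of this example.

```python
"""Toy refinement loop for the list example (added example, not the authors'
code). SLL tracks only list shape; SLL_OBJ additionally records that every
node's data field points to a live Obj, which free(l->data) needs."""
from dataclasses import dataclass
from itertools import product

# Partial order of abstractions, coarsest first (slide 57: pick next best).
ABSTRACTIONS = ("SLL", "SLL_OBJ")

# Facts each abstraction guarantees about the list at the join point (assumed names).
GUARANTEES = {
    "SLL": frozenset({"is_list"}),
    "SLL_OBJ": frozenset({"is_list", "data_is_obj"}),
}

# Statements of the deallocation loop (slide 12) with the fact each one needs.
SUFFIX = (
    ("n = l->next;", frozenset({"is_list"})),
    ("free(l->data);", frozenset({"data_is_obj"})),
    ("free(l);", frozenset({"is_list"})),
)


@dataclass(frozen=True)
class Node:
    data_is_obj: bool  # False models a data field the abstraction left unconstrained


def attempt_proof(abstraction):
    """Forward proof attempt: returns the first statement whose precondition
    the abstraction cannot establish, or None when the proof goes through."""
    for stmt, needs in SUFFIX:
        if not needs <= GUARANTEES[abstraction]:
            return stmt
    return None


def synthesized_prefix_states(abstraction, length):
    """Concrete lists of `length` nodes contained in the abstract state: the
    role of 'l = NULL; l = new ListNode(*, l); ...' on slide 50."""
    choices = (True,) if "data_is_obj" in GUARANTEES[abstraction] else (True, False)
    return [tuple(Node(c) for c in cs) for cs in product(choices, repeat=length)]


def run_suffix(lst):
    """Concrete semantics of the loop: freeing a non-Obj data pointer is the error."""
    for node in lst:
        if not node.data_is_obj:
            return "error"
    return "no error"


def find_counterexample(abstraction, bound):
    """Bounded search restricted to the failed proof: lists of up to `bound`
    nodes drawn from the abstract state; first one whose run ends in error."""
    for length in range(1, bound + 1):
        for lst in synthesized_prefix_states(abstraction, length):
            if run_suffix(lst) == "error":
                return lst
    return None


def real_prefix_reaches(lst):
    """The real program builds every node with `new Obj()`, so only lists whose
    data fields are all live Objs are reachable from the real prefix."""
    return all(n.data_is_obj for n in lst)


def refine(abstraction):
    """Next finer abstraction in the partial order, or None if there is none."""
    i = ABSTRACTIONS.index(abstraction) + 1
    return ABSTRACTIONS[i] if i < len(ABSTRACTIONS) else None


def verify(bound=3):
    """The loop of slide 2: returns (verdict, abstraction, log)."""
    abstraction, log = ABSTRACTIONS[0], []
    while abstraction is not None:
        failing = attempt_proof(abstraction)
        if failing is None:
            log.append(f"{abstraction}: proof succeeded")
            return ("verified", abstraction, log)
        cex = find_counterexample(abstraction, bound)
        if cex is not None and real_prefix_reaches(cex):
            log.append(f"{abstraction}: real bug at {failing}")
            return ("bug", abstraction, log)
        # Any counterexample here exists only because the abstraction at the
        # join point admits it, so the abstraction is the failing component.
        log.append(f"{abstraction}: {failing} fails; abstraction at join point too coarse")
        abstraction = refine(abstraction)
    return ("unknown", None, log)


if __name__ == "__main__":
    print(verify())
```

Running `verify()` reproduces the deck's story: under SLL the proof stops at `free(l->data);`, the search finds a one-node list with an unconstrained data field that the real prefix can never build, the abstraction is blamed, and SLL_OBJ proves the loop.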
Slide 59: Conclusions
[Flowchart as on slide 2.]
Slide 60: Conclusions
[Flowchart as on slide 2, with one step ticked.]
New BMC approach
• Search abstract transition system instead of program
• Only finds causes for proof failure
• Use monolithic encoding
• Take advantage of intelligent backtracking
Slide 61: Conclusions
[Flowchart as on slide 2, with two steps ticked.]
New approach to diagnosis
• Synthesize program prefix
• Use guided counterexample search to diagnose
• Find failing abstraction
• Find failing concrete value contained by abstraction
Slide 62: Conclusions
[Flowchart as on slide 2, with two steps ticked.]

Slide 63: Questions?