2006-11-30 Newton: A tool for generating abstract explanations of infeasibility 1
The Problem
[Figure: P (C Program) and its abstraction BP (Boolean Program of P); CFG(P) and CFG(BP)]
• need refinement: where do predicates come from?
Generating Abstract Explanation of Spurious Counterexamples in C Programs
Thomas Ball, Sriram K. Rajamani (Technical Report)
2006.11.30 Yunkyung Ahn
some figures and slides are from http://research.microsoft.com/slam/PLDI03Tutorial.ppt
Goal
[Figure: a path program P is given to Newton, which reports either a found bug or a good explanation of why P is infeasible]
The SLAM Process
[Figure: pgm P and a SLIC rule go into slic, which produces pgm P'; c2bp abstracts P' into a boolean pgm; bebop checks the boolean pgm and reports a path; newton analyses the path and returns predicates for the next refinement]
Path Program (Example)
    do {
        KeAcquireSpinLock();
    A:  KeAcquireSpinLock_return();
        nPacketsOld = nPackets;
        request = devExt->WLHV;
        if (request) {
            request = request->Next;
            KeReleaseSpinLock();
    B:      KeReleaseSpinLock_return();
            nPackets++;
        }
    C:
    } while (nPackets != nPacketsOld);
    KeReleaseSpinLock();
    D:  KeReleaseSpinLock_return();

    enum { Unlocked = 0, Locked = 1 } state = Unlocked;
    void slic_abort() { SLIC_ERROR: ; }
    void KeAcquireSpinLock_return() {
        if (state == Locked) slic_abort();
        else E: state = Locked;
    }
    void KeReleaseSpinLock_return() {
        if (state == Unlocked) slic_abort();
        else F: state = Unlocked;
    }
Path Program (Example): boolean program
    do { skip;
    A:  KeAcquireSpinLock_return(); skip; skip;
        if (*) { skip; skip;
    B:      KeReleaseSpinLock_return(); skip;
        }
    C:
    } while (*);
    skip;
    D:  KeReleaseSpinLock_return();

    decl {state==Locked}, {state==Unlocked};
    void slic_abort() { SLIC_ERROR: skip; }
    void KeAcquireSpinLock_return() {
        if ({state==Locked}) slic_abort();
        else E: {state==Locked},{state==Unlocked} := T,F;
    }
    void KeReleaseSpinLock_return() {
        if ({state==Unlocked}) slic_abort();
        else F: {state==Locked},{state==Unlocked} := F,T;
    }
Path Program (Example): the path to check
    nPackets = nPacketsOld;
    request = devExt->WLHeadVa;
    assume(!request);
    assume(nPackets != nPacketsOld);
Example
• p1 is infeasible
• condition: e1 = (b > 0) ∧ (c = 2b) ∧ (a = b - 1)
• e1 implies (a ≠ c)
• E1 = {(b > 0), (c = 2b), (a = b), (a = b-1)}: an explanation of p1's infeasibility
p1 (path program):
    1 assume(b>0);
    2 c := 2b;
    3 a := b;
    4 a := a – 1;
    5 assume(a<b);
    6 assume(a=c);
beside statements 1 to 4 the slide lists: (b > 0) | (b > 0), (c=2b) | (b > 0), (c=2b), (a=b) | (b > 0), (c=2b), (a=b-1)
Example
• Is there a better explanation than E1?
• p2 is infeasible
• condition: e2 = (b > 0) ∧ (c = 2b) ∧ (a < b)
• e2 implies (a ≠ c)
• e2 is more abstract (weaker) than e1
  • e1 = (b > 0) ∧ (c = 2b) ∧ (a = b - 1)
  • e2 = (b > 0) ∧ (c = 2b) ∧ (a < b)
  • e1 ⇒ e2
p1 (path program): 1 assume(b>0); 2 c := 2b; 3 a := b; 4 a := a – 1; 5 assume(a<b); 6 assume(a=c);
p2 (path program): 1 assume(b>0); 2 c := 2b; 5 assume(a<b); 6 assume(a=c);
Example
• E1 = {(b > 0), (c = 2b), (a = b), (a = b-1)}
• E2 = {(b > 0), (c = 2b), (a < b)}
• E1, E2: explanations of p1's infeasibility
• E2 is a better explanation than E1
p1 (path program): 1 assume(b>0); 2 c := 2b; 3 a := b; 4 a := a – 1; 5 assume(a<b); 6 assume(a=c);
p2 (path program): 1 assume(b>0); 2 c := 2b; 5 assume(a<b); 6 assume(a=c);
Example - Annotation
• introduce a fresh symbolic constant
• in p1' (the annotated path) no variable is used without first being defined
p1:  1 assume(b>0); 2 c := 2b; 3 a := b; 4 a := a – 1; 5 assume(a<b); 6 assume(a=c);
annotation <1,(b = b)>: a statement "b := b" is inserted before statement 1, binding b to a fresh symbolic constant (written b on the right-hand side)
p1': 1 b := b; 2 assume(b>0); 3 c := 2b; 4 a := b; 5 a := a – 1; 6 assume(a<b); 7 assume(a=c);
Semantics of Path
• SP (strongest postcondition) in terms of p
• SP maps a context to a new context
• a context is a triple <store, condition, history>:
  • store represents the current valuation
  • condition represents the constraints
  • history represents the past valuations
Strongest Postcondition
• Example (path simulation of p1'); each row shows the context after the statement
p1'            store                        conditions                   history
b := b;        (b, b)
assume(b>0);   (b, b)                       b > 0
c := 2b;       (b, b), (c, 2b)              b > 0
a := b;        (a, b), (b, b), (c, 2b)      b > 0
a := a – 1;    (a, b-1), (b, b), (c, 2b)    b > 0                        (a, b)
assume(a<b);   (a, b-1), (b, b), (c, 2b)    b > 0, b-1 < b               (a, b)
assume(a=c);   (a, b-1), (b, b), (c, 2b)    b > 0, b-1 < b, 2b = b-1     (a, b)
Example
• How to generate a good explanation
• p1, p2: infeasible paths
• p2 is an ICPP (Infeasible Consistent Path Projection) of p1
• we can use the ICPP to generate an abstract explanation
p1: 1 assume(b>0); 2 c := 2b; 3 a := b; 4 a := a – 1; 5 assume(a<b); 6 assume(a=c);
p2: 1 assume(b>0); 2 c := 2b; 5 assume(a<b); 6 assume(a=c);
Example
• p2 is an ICPP of p1
p1:              1 assume(b>0); 2 c := 2b; 3 a := b; 4 a := a – 1; 5 assume(a<b);
annotations:     <1,(b, b)>, <5,(a, a)>
p1 (annotated):  b := b; 1 assume(b>0); 2 c := 2b; 3 a := b; 4 a := a – 1; a := a; 5 assume(a<b); 6 assume(a=b);
p2:              1 assume(b>0); 2 c := 2b; a := a; 5 assume(a<b); 6 assume(a=b);
p2 (annotated):  b := b; 1 assume(b>0); 2 c := 2b; a := a; 5 assume(a<b); 6 assume(a=b);
Newton
• Newton
  • implements SP to check if a path p is infeasible
  • if p is infeasible, finds an abstract explanation for the infeasibility of p by constructing ICPPs
• Internal state of Newton has 3 components
  • store: map from variables to values
  • condition: predicates over symbols
  • history: past valuations of the store
• Newton works in 3 phases:
  • Phase 1: check feasibility
  • Phase 2: minimize conditions
  • Phase 3: find an explanation
Example (Newton on p1)
p1: 1 assume(b>0); 2 c := 2b; 3 a := b; 4 a := a – 1; 5 assume(a<b); 6 assume(a=c);
Entries are written "stmt  var  value  (dependencies)".
after 1   store: 1 b b ()                                   conditions: (b > 0) (1)
after 2   store: 1 b b (); 2 c 2b (1)
after 3   store: 1 b b (); 2 c 2b (1); 3 a b (1)
after 4   store: 1 b b (); 2 c 2b (1); 4 a b-1 (3)          history: 3 a b (1)
after 5   store: 1 b b (); 2 c 2b (1); 5 a a ()             conditions: (b > 0) (1); (a < b) (1,5)
after 6   conditions: (b > 0) (1); (a < b) (1,5); (a = 2b) (2,5)
an explanation of infeasibility: {(b > 0), (a < b), (a = 2b)} with annotations {<5,(a = a)>, <1,(b = b)>}
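The following script is an added example, not code from these slides or from the SLAM/Newton tool. It imitates the three Newton phases described above (strongest-postcondition simulation with store, conditions and history; minimization of the inconsistent conditions; dependency traversal to collect predicates and fresh-constant annotations) and runs them on the slides' p1, on its projection p2, and on the driver path from the "Path Program" slides. Assumptions of this example: a path is a list of (statement number, text) with text of the form `x := e` or `assume(e)` in Python expression syntax (the slides' `a = c` is spelled `a == c`); a fresh symbolic constant for variable `v` introduced at statement `n` is named `v_n`; and the Simplify theorem prover is replaced by a brute-force search over a small integer box, which is only a stand-in for the real prover.

```python
"""Toy symbolic path simulator in the style of Newton's three phases (added
example, not code from the slides or from SLAM/Newton). Assumptions: a path is
a list of (stmt, text) with text 'x := e' or 'assume(e)' in Python expression
syntax (the slides' 'a = c' is spelled 'a == c'); the Simplify prover is
replaced by a brute-force search over a small integer box."""
import ast
import itertools
from dataclasses import dataclass

OPS = {ast.Add: lambda x, y: x + y, ast.Sub: lambda x, y: x - y,
       ast.Mult: lambda x, y: x * y, ast.Lt: lambda x, y: x < y,
       ast.Gt: lambda x, y: x > y, ast.Eq: lambda x, y: x == y,
       ast.NotEq: lambda x, y: x != y}


@dataclass
class Entry:
    """Store/history row: statement `stmt` bound `var` to `expr` (over symbolic
    constants only), depending on entries `deps`; `fresh` marks a symbolic
    constant introduced for a variable that was used before definition."""
    eid: int
    stmt: int
    var: str
    expr: ast.expr
    deps: frozenset
    fresh: bool = False


class Simulator:
    """Strongest-postcondition simulation keeping store, conditions, history."""

    def __init__(self):
        self.entries, self.store, self.history, self.conds = [], {}, [], []

    def _bind(self, stmt, var, expr, deps, fresh=False):
        self.store[var] = e = Entry(len(self.entries), stmt, var, expr, deps, fresh)
        self.entries.append(e)

    def _substitute(self, text, stmt):
        """Replace program variables by their store expressions; a variable used
        before definition first gets a fresh constant var_<stmt> (the slides'
        <1,(b = b)> annotation). Returns (expression, entry ids it reads)."""
        tree = ast.parse(text, mode="eval").body
        used = {n.id for n in ast.walk(tree) if isinstance(n, ast.Name)}
        for v in sorted(used - set(self.store)):
            self._bind(stmt, v, ast.Name(id=f"{v}_{stmt}", ctx=ast.Load()), frozenset(), True)
        store = self.store

        class Sub(ast.NodeTransformer):
            def visit_Name(self, node):
                return store[node.id].expr

        return Sub().visit(tree), frozenset(store[v].eid for v in used)

    def run(self, path):
        for stmt, text in path:
            if ":=" in text:  # assignment: the old binding of var moves to history
                var, rhs = (s.strip() for s in text.split(":="))
                expr, deps = self._substitute(rhs, stmt)
                if var in self.store:
                    self.history.append(self.store[var])
                self._bind(stmt, var, expr, deps)
            else:  # assume(e): record a condition and the entries it reads
                self.conds.append((stmt, *self._substitute(text[len("assume("):-1], stmt)))
        return self


def evaluate(node, env):
    """Evaluate an expression AST under an integer valuation of the constants."""
    if isinstance(node, ast.Constant):
        return node.value
    if isinstance(node, ast.Name):
        return env[node.id]
    if isinstance(node, ast.BinOp):
        return OPS[type(node.op)](evaluate(node.left, env), evaluate(node.right, env))
    return OPS[type(node.ops[0])](evaluate(node.left, env), evaluate(node.comparators[0], env))


def satisfiable(exprs, bound=4):
    """Prover stand-in (assumption): conditions count as inconsistent when no
    point of [-bound, bound]^k satisfies them all; a real prover decides exactly."""
    syms = sorted({n.id for e in exprs for n in ast.walk(e) if isinstance(n, ast.Name)})
    return any(all(evaluate(e, dict(zip(syms, vals))) for e in exprs)
               for vals in itertools.product(range(-bound, bound + 1), repeat=len(syms)))


def minimize(conds):
    """Phase 2: a smallest inconsistent subset of the conditions, or None."""
    for k in range(1, len(conds) + 1):
        for subset in itertools.combinations(conds, k):
            if not satisfiable([c[1] for c in subset]):
                return list(subset)
    return None


def explain_path(path):
    """Phases 1-3: simulate, minimize, then follow dependencies to collect the
    explanation's predicates and the <stmt, var> annotations of fresh
    constants. Returns None when the path is feasible."""
    sim = Simulator().run(path)
    core = minimize(sim.conds)
    if core is None:
        return None
    preds = {ast.unparse(c[1]) for c in core}
    todo, seen, annots = set().union(*(c[2] for c in core)), set(), set()
    while todo:
        e = sim.entries[todo.pop()]
        seen.add(e.eid)
        if e.fresh:
            annots.add((e.stmt, e.var))
        else:
            preds.add(f"{e.var} == {ast.unparse(e.expr)}")
            todo |= e.deps - seen
    return sorted(preds), sorted(annots)


# Constructed sample input: the slides' p1, its projection p2 (statements 1, 2, 5, 6)
# and the driver path whose loop test cannot hold right after the assignment.
P1 = [(1, "assume(b>0)"), (2, "c := 2*b"), (3, "a := b"), (4, "a := a - 1"),
      (5, "assume(a<b)"), (6, "assume(a==c)")]
P2 = [P1[0], P1[1], P1[4], P1[5]]
DRIVER = [(1, "nPacketsOld := nPackets"), (2, "assume(nPackets != nPacketsOld)")]

if __name__ == "__main__":
    for name, path in (("p1", P1), ("p2", P2), ("driver", DRIVER)):
        print(name, explain_path(path))
```

For p1 the script reports the predicates b_1 > 0, c == 2 * b_1, a == b_1, a == b_1 - 1 and the substituted condition b_1 - 1 == 2 * b_1 with the annotation <1, b>, the shape of E1; for p2 it reports b_1 > 0, a_5 < b_1, a_5 == 2 * b_1 (plus c == 2 * b_1) with the annotations <1, b> and <5, a>, matching the explanation in the trace above; for the driver path it reports that nPackets_1 != nPackets_1 cannot hold once nPacketsOld has been assigned nPackets. The bounded search is what makes this a demonstration rather than a prover: a condition set that only becomes satisfiable outside the box would be reported as inconsistent, which Simplify would not do.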
Experimental Results
• Newton generates a very small explanation.
• Every iteration of Newton
  • took under a minute
  • consumed less than 10MB of memory on a 996 MHz Pentium PC with 256MB RAM
Summary
• Symbolic path simulator
• Check conditions for inconsistency using a theorem prover (Simplify)
• After detecting inconsistency:
  • minimize inconsistent conditions
  • traverse dependencies
  • obtain predicates
• SLAM = the first CEGAR project
  • CEGAR = Counter-Example Guided Abstraction Refinement
  • iterative abstraction refinement