Software Verification with Abstraction-Based Methods
Transcript of the slides. Source: home.mit.bme.hu/~hajdua/presentations/hajdua_mcgill_2017.pdf

Slide 1

Budapest University of Technology and Economics, Department of Measurement and Information Systems

Software Verification with Abstraction-Based Methods

Ákos Hajdu, PhD student
Department of Measurement and Information Systems, Budapest University of Technology and Economics
MTA-BME Lendület Cyber-Physical Systems Research Group
Electrical and Computer Engineering Department, McGill University
Slide 2

Background
Slide 3

Background – Formal Verification

Formal verification
o Prove or disprove the correctness of a system with respect to a formal property (specification), relying on a sound mathematical basis

Model checking
o Exhaustively enumerate the possible states and transitions (the state space) of the system and check whether it meets the property
Slide 4

Background – Model Checking

Model checking in general (diagram on the slide): a real-life system is turned into a formal model and a formalized property, a model checking algorithm checks the model against the property, and the result is either OK or a counterexample.
o Real-life system: an algorithm, a piece of software, a protocol, a circuit, ...
o Formal model: automata, formulas, state machines, ...
o Formalized property: assertions, temporal logic, reference automata, ...
o Model checking algorithm: explicit, symbolic, abstraction, ...
o Result: OK, or a counterexample
Slide 5

Background – Model Checking

This talk: focus on software and abstraction (the same diagram, instantiated)
o Real-life system: source code
o Formal model: Control Flow Automata
o Formalized property: assertions
o Model checking algorithm: abstraction + CEGAR
o Result: OK, or a counterexample given as a violating execution
Slide 6

Background – Model and Property

Control-Flow Automaton
o Set of control locations (PC)
o Set of edges with operations over a set of variables, e.g., guard, assignment, ...

Typical property: the "error" location should not be reachable

Example program (the numbers on the left are control locations, not source line numbers):
    x : int
    0: x = 0
    1: while (x < 5) {
    2:     x = x + 1
       }
    3: assert (x <= 5)
Slide 7

Background – States and Transitions

State: location + valuation of the variables, (L, x1, x2, ..., xn)
Transition: operations

Problem: state space explosion caused by data variables
o E.g., 10 locations and 2 (32-bit) integers: 10 · 2^32 · 2^32 possible states

Goal: reduce the state space representation by abstraction
Slide 8

Counterexample-Guided Abstraction Refinement (CEGAR)
Slide 9

CEGAR – Introduction

The loop (diagram on the slide):
o Init: from the model and the property, build an initial abstraction of the concrete state space; every abstract state over-approximates a set of concrete states
o Check: explore the abstract state space; if no abstract error state is reachable, the property holds (OK)
o Concretize: if an abstract counterexample is found, check whether a concrete execution follows it; if so, report it as a concrete counterexample
o Refine: otherwise the counterexample is spurious; refine the abstraction and go back to Check

Picture: concrete state space → abstraction → abstract state space → abstract counterexample → spurious counterexample → refined state space
Legend: state, transition, error state, abstract state, over-approximation
Slide 10

CEGAR – Initial Abstraction: Predicate abstraction
o Track predicates instead of concrete values
o |P| predicates → at most 2^|P| abstract states
o Label of a state: the predicates that hold, e.g. ¬(x > y) ∧ (y = 3)

Example: variables x, y with Dx = Dy = {1, 2, 3}; predicates (x > y), (y = 3)
Abstract state            Concrete states
(x > y) ∧ (y = 3)         none (unsatisfiable for this domain)
¬(x > y) ∧ (y = 3)        (x=1, y=3), (x=2, y=3), (x=3, y=3)
(x > y) ∧ ¬(y = 3)        (x=2, y=1), (x=3, y=1), (x=3, y=2)
¬(x > y) ∧ ¬(y = 3)       (x=1, y=1), (x=1, y=2), (x=2, y=2)
Slide 11

CEGAR – Initial Abstraction: Explicit value abstraction
o Partition the variables into visible / invisible
o Track values for the visible variables only
o Label of a state: an assignment to the visible variables, e.g. (x = 1) ∧ (y = 2)

Example: variables x, y, z with Dx = {0, 1}, Dy = {0, 1, 2}, Dz = {0, 1}; visible = {x, y}
Abstract state    Concrete states
(x=0, y=0)        (x=0, y=0, z=0), (x=0, y=0, z=1)
(x=1, y=0)        (x=1, y=0, z=0), (x=1, y=0, z=1)
(x=0, y=1)        (x=0, y=1, z=0), (x=0, y=1, z=1)
(x=1, y=1)        (x=1, y=1, z=0), (x=1, y=1, z=1)
(x=0, y=2)        (x=0, y=2, z=0), (x=0, y=2, z=1)
(x=1, y=2)        (x=1, y=2, z=0), (x=1, y=2, z=1)
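The two initial abstractions of slides 10 and 11, computed instead of tabulated, as an added example (Python; not code from the slides or from Theta). One partition routine groups the concrete states of each slide example by its abstract label; only the labelling function differs between the two domains. The predicate labels show why 2^|P| is just an upper bound: the cell (x > y) ∧ (y = 3) has no concrete state and is dropped. The variable and predicate names are the slides' own; the dict representation of states is this example's choice.

```python
from itertools import product

def partition(concrete_states, label):
    """Group concrete states by their abstract label; each group is one abstract state."""
    groups = {}
    for state in concrete_states:
        groups.setdefault(label(state), []).append(state)
    return groups

# Predicate abstraction (slide 10 example): x, y in {1, 2, 3}; predicates (x > y) and (y = 3).
PREDICATES = [("x > y", lambda s: s["x"] > s["y"]), ("y = 3", lambda s: s["y"] == 3)]

def predicate_label(state, preds=PREDICATES):
    """Truth vector of the predicates, e.g. (False, True) stands for ¬(x > y) ∧ (y = 3)."""
    return tuple(p(state) for _, p in preds)

def predicate_abstraction():
    states = [{"x": x, "y": y} for x, y in product((1, 2, 3), repeat=2)]   # constructed input
    return partition(states, predicate_label)

# Explicit value abstraction (slide 11 example): x in {0, 1}, y in {0, 1, 2}, z in {0, 1};
# visible = {x, y}, so z is projected away.
VISIBLE = ("x", "y")

def explicit_label(state, visible=VISIBLE):
    """Assignment to the visible variables only, e.g. (('x', 1), ('y', 2))."""
    return tuple((v, state[v]) for v in visible)

def explicit_abstraction():
    states = [{"x": x, "y": y, "z": z} for x, y, z in product((0, 1), (0, 1, 2), (0, 1))]
    return partition(states, explicit_label)

def show(groups, render):
    """One line per abstract state: its rendered label and the concrete states it covers."""
    for label, members in groups.items():
        print(render(label), "covers", ", ".join(str(tuple(m.values())) for m in members))

if __name__ == "__main__":
    pa = predicate_abstraction()
    show(pa, lambda lab: " ∧ ".join(n if v else f"¬({n})" for (n, _), v in zip(PREDICATES, lab)))
    # only 3 of the 2^|P| = 4 labels are realised: (x > y) ∧ (y = 3) has no concrete state
    print("predicate abstract states:", len(pa), "of at most", 2 ** len(PREDICATES))
    ea = explicit_abstraction()
    show(ea, lambda lab: " ∧ ".join(f"{v} = {val}" for v, val in lab))
    print("explicit abstract states:", len(ea), "each covering", {len(m) for m in ea.values()})
```

The same `partition` works for any labelling, which is the point of an abstract domain interface: predicate abstraction and explicit value abstraction differ only in what `label` throws away.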
Slide 12

CEGAR – Model Checking
Traverse the abstract state space
o Search strategy
Search for an error state
Optimizations
o On-the-fly
o Incremental
Slide 13

CEGAR – Concretization
Traverse the subset of the concrete state space that the abstract counterexample covers
o Concretizable counterexample: a concrete violating execution follows the abstract path
o Spurious counterexample: no concrete execution follows it; the abstract state at which the concrete prefix dies out is the failure state (Sf)
o Use an SMT solver, e.g. Microsoft Z3, on the path formula S1 ∧ T1 ∧ S2 ∧ T2 ∧ ... ∧ Tn-1 ∧ Sn

Illustration: abstract path S1 -T1-> S2 -T2-> S3 -T3-> S4
Slide 14

CEGAR – Abstraction Refinement
Classify the concrete states mapped to the failure state Sf
o D = Dead-end: reachable along the path prefix, but with no transition into the next abstract state
o B = Bad: have a transition into the next abstract state
o IR = Irrelevant: all others

Goal: a finer abstraction that maps D and B to separate abstract states
o SMT solver: compute an interpolation formula φ from the unsatisfiable path formula
o Use φ as a new predicate, or extract its variables (for explicit value abstraction)

Illustration: Sf is split into the part satisfying φ and the part satisfying ¬φ
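The whole loop of slides 9 to 14 in runnable form, as an added example (Python; not the slides' or Theta's code), on the program of slide 6. Two assumptions stand in for the SMT solver: x ranges over a small finite domain so that the abstract post and the path formula S1 ∧ T1 ∧ ... ∧ Sn are decided by enumeration, and the refinement predicate is the exact weakest precondition that separates the bad states B from the dead-end states D in Sf, rather than an interpolant. The CFA encoding, the domain bound and the second program variant (assert x <= 4, which has a real counterexample) are this example's own.

```python
from collections import deque

# Constructed example: the slide's program  x = 0; while (x < 5) { x = x + 1 }; assert (x <= 5)
# as a CFA: locations 0..3 plus "err"; an edge carries ("guard", text, test) or ("assign", text, f).
def make_cfa(bound=5):
    return [
        (0, 1,     ("assign", "x := 0",           lambda x: 0)),
        (1, 2,     ("guard",  "x < 5",            lambda x: x < 5)),
        (2, 1,     ("assign", "x := x + 1",       lambda x: x + 1)),
        (1, 3,     ("guard",  "!(x < 5)",         lambda x: not x < 5)),
        (3, "err", ("guard",  f"!(x <= {bound})", lambda x: not x <= bound)),
    ]

# Assumption: a finite stand-in for int, so the queries a real tool sends to an SMT solver
# (abstract post, path feasibility) are answered here by enumeration.
DOMAIN = range(-1, 10)

def step(op, x):
    """Concrete successor of x over one operation; None if a guard blocks or x leaves DOMAIN."""
    kind, _, fn = op
    if kind == "guard":
        return x if fn(x) else None
    x2 = fn(x)
    return x2 if x2 in DOMAIN else None

def alpha(x, preds):
    """Abstraction: the label of x, i.e. the truth values of the tracked predicates."""
    return tuple(bool(p(x)) for _, p in preds)

def gamma(vals, preds):
    """Concretisation: every domain value carrying the label vals."""
    return [x for x in DOMAIN if alpha(x, preds) == vals]

def check(cfa, preds):
    """Abstractor: BFS over abstract states (location, label); returns (states, edges) of an
    abstract counterexample ending in "err", or None when the property holds."""
    start = {(0, alpha(x, preds)) for x in DOMAIN}      # x is uninitialised at location 0
    parent = {s: None for s in start}
    queue = deque(sorted(start))
    while queue:
        s = queue.popleft()
        if s[0] == "err":                                # rebuild the path from parent pointers
            states, edges = [s], []
            while parent[s] is not None:
                s, edge = parent[s]
                states.append(s)
                edges.append(edge)
            return states[::-1], edges[::-1]
        for edge in (e for e in cfa if e[0] == s[0]):
            for x in gamma(s[1], preds):                 # existential abstract post
                x2 = step(edge[2], x)
                t = None if x2 is None else (edge[1], alpha(x2, preds))
                if t is not None and t not in parent:
                    parent[t] = (s, edge)
                    queue.append(t)
    return None

def concretize(states, edges, preds):
    """Replay the abstract path on concrete states (the slide's S1 ∧ T1 ∧ ... ∧ Sn query).
    Returns ("real", witness) with one x per abstract state, or ("spurious", f) with Sf = states[f]."""
    layers = [{x: None for x in gamma(states[0][1], preds)}]   # value -> predecessor value
    for i, edge in enumerate(edges):
        nxt = {}
        for x in layers[-1]:
            x2 = step(edge[2], x)
            if x2 is not None and alpha(x2, preds) == states[i + 1][1]:
                nxt.setdefault(x2, x)
        if not nxt:
            return "spurious", i
        layers.append(nxt)
    witness, x = [], next(iter(layers[-1]))
    for layer in reversed(layers):
        witness.append(x)
        x = layer[x]
    return "real", witness[::-1]

def refine(states, edges, f, preds):
    """Refiner: concrete states in Sf are dead-end (no step into S(f+1)) or bad (a step into
    S(f+1)); a predicate true exactly on the bad states separates them. A real tool gets it
    from an interpolant; this toy uses the exact weakest precondition (assumption)."""
    op, target, snapshot = edges[f][2], states[f + 1][1], tuple(preds)
    def phi(x):
        x2 = step(op, x)
        return x2 is not None and alpha(x2, snapshot) == target
    return f"wp({op[1]} -> {target})", phi

def cegar(cfa, max_iter=50):
    preds = []                                           # initial precision: no predicates
    for it in range(1, max_iter + 1):
        cex = check(cfa, preds)
        if cex is None:
            return {"verdict": "safe", "iterations": it, "predicates": [n for n, _ in preds]}
        states, edges = cex
        kind, info = concretize(states, edges, preds)
        if kind == "real":
            return {"verdict": "unsafe", "iterations": it, "witness": info}
        preds.append(refine(states, edges, info, preds))
    return {"verdict": "unknown", "iterations": max_iter}

if __name__ == "__main__":
    print(cegar(make_cfa(bound=5)))   # safe after a few refinements
    print(cegar(make_cfa(bound=4)))   # unsafe: the witness ends with x = 5
```

Running it reports the slide's program safe after a handful of refinements (the first spurious path is 0 → 1 → 3 → err, refuted by the predicate wp(!(x < 5) -> ()), i.e. x >= 5) and, for the assert (x <= 4) variant, an unsafe verdict with the execution x = 0, 1, ..., 5 as witness. Note that the exact weakest-precondition predicates unroll the loop one iteration per refinement; a good interpolant (such as x <= 5 at location 1) would let the loop converge in fewer rounds, which is why the slides use interpolation.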
Slide 15

CEGAR – Summary
CEGAR is a general concept
o Explore the abstract state space
o Refine the abstraction if needed

Many variants exist (for various formal models)
o Abstract domains, e.g., predicates, explicit values, zones
o Refinement strategies, e.g., interpolation, unsat cores
o Exploration strategies, e.g., BFS, DFS
Slide 16

Research Questions

Integrate the variants into a common framework? Combine them?
o Theta Verification Framework. http://theta.inf.mit.bme.hu
o A configurable CEGAR framework with interpolation-based refinements. Ákos Hajdu, Tamás Tóth, András Vörös, and István Majzik. FORTE 2016, vol. 9688 of LNCS.

Which variants perform well for given verification tasks?
o Exploratory analysis of the performance of a configurable CEGAR framework. Ákos Hajdu and Zoltán Micskei. PhD Mini-Symposium 2017, BME DMIS.
o Towards evaluating size reduction techniques for software model checking. Gyula Sallai, Ákos Hajdu, Tamás Tóth, and Zoltán Micskei. VPT 2017. (Accepted)

Domain specific CEGAR variants?
o Exploiting hierarchy in the abstraction-based verification of statecharts using SMT solvers. Bence Czipó, Ákos Hajdu, Tamás Tóth, and István Majzik. FESCA 2017, vol. 245 of EPTCS.
o New search strategies for the Petri net CEGAR approach. Ákos Hajdu, András Vörös, and Tamás Bartha. ICATPN 2015, vol. 9115 of LNCS.

http://home.mit.bme.hu/~hajdua/publications
Slide 17

Theta Verification Framework
Slide 18

Theta Verification Framework (Θ)
o Generic: various kinds of formal models
o Modular: reusable and combinable modules
o Configurable: different algorithms and strategies
http://theta.inf.mit.bme.hu
Slide 19

Theta Verification Framework – Architecture

Formal models and language front-ends
o Formalisms: transition systems, Control Flow Automata, timed automata
o Front-ends: C source code, UPPAAL XTA, AIGER, PLC

Verification back-end
o SMT solver interface
o Abstract domain
o Interpreter (states + transitions)
o CEGAR loop: abstractor, refiner
Slide 20

Theta Verification Framework – Configurability
o Abstract domain: predicate, explicit value, zone, location, composition
o Refinement strategy: binary interpolation (forward), binary interpolation (backward), sequence interpolation, unsat core
o Search strategy: BFS, DFS
o Initial precision: empty, property-based
o Precision granularity: constant, location-based
o Predicate split: atoms, conjuncts, whole
Slide 21

Theta Verification Framework – Evaluation
o Really diverse results
o Current research: data analysis & heuristics
Slide 22

Conclusions
Slide 23

Conclusions
Formal verification
o Formal model + property
o Model checking
Abstraction-based methods
o CEGAR
Theta Framework
o Generic, modular, configurable
o Evaluation

[email protected]/en/members/hajdua

(The slide repeats the model checking diagram of slide 4 and the architecture diagram of slide 19: formalisms and language front-ends, analysis back-end with SMT solver interface, abstract domain, interpreter, and the CEGAR loop of abstractor and refiner.)