Using Statically Computed Invariants Inside the Predicate Abstraction and Refinement Loop Himanshu Jain Franjo Ivančić Aarti Gupta Ilya Shlyakhter Chao Wang

Using Statically Computed Invariants Inside the Predicate Abstraction and Refinement Loop

Himanshu Jain, Franjo Ivančić, Aarti Gupta, Ilya Shlyakhter, Chao Wang

Introduction

Predicate abstraction
  Abstracts data by keeping track of certain predicates
  Each predicate is given a Boolean variable in the abstract model

Counterexample Guided Abstraction and Refinement Loop (CEGAR)
  [Diagram of the loop in F-Soft: C programs + property monitor -> Static Analysis -> Predicate Abstraction -> Model check -> Analysis & Refinement (feeds back into abstraction); outcomes: discovered bug in software, or certified code]

Bottlenecks in the CEGAR loop
  Computing predicate relationships is expensive
  Over-approximation leads to refinement iterations
  Finding the right predicates is not always possible

An example

C program:
  1: x = 100;
  2: y = 100;
  3: while (x != 0) {
  4:   x = x - 1;
  5:   y = y - 1;
  6: }
  7: if (y != 0)
  8:   ERROR:;

Weakest pre-condition based refinement yields the predicates:
  x=0, y=0   x=1, y=1   ...   x=100, y=100

Split theorem prover (Jhala, McMillan [TACAS 2006]) yields:
  x = y

We will discover x = y as an invariant

Our approach

Use efficiently computable invariants in the CEGAR loop

Invariants generated by abstract domains
  Octagon:   ±x ± y ≤ c
  Polyhedra: a1 x1 ± a2 x2 ± ... ± an xn ≤ c
  Numerous others in ASTRÉE-like static analyzers

Combination of abstraction techniques

This work: CEGAR loop + Invariants

[Diagram of the same CEGAR loop: C programs + property monitor -> Static Analysis -> Predicate Abstraction -> Model check -> Analysis & Refinement; outcomes: discovered bug in software, or certified code; now with "+ Invariants from abstract domains" feeding the abstraction]

1. More precise abstractions
2. Fewer refinement iterations
3. Fewer predicates
4. Avoid some convergence problems

Related work

Idea of using invariants during abstraction
  Bensalem et al. [CAV 1998]
  Colón et al. [CAV 1998]
  Saïdi et al. [ASE 1999]

Path sensitive data flow analysis
  Fischer et al. [FSE 2005]

Outline
  Introduction
  Using invariants in the abstraction-refinement loop
  Invariant generation
  Invariant selection
  Experimental results

Abstraction

C program                          Abstract model (no predicates available currently)
  1:  if (x > y) {                   1:  if (*) {
  2:    y = y + 1;                   2:    skip;
  ...                                ...
  5:    z = y;                       5:    skip;
  ...                                ...
  10:   if (x < z)                   10:   if (*)
  11:     ERROR:;                    11:     ERROR:;
  12: }                              12: }

Checking the abstract model

Is ERROR reachable in the abstract model (as above)? yes
  The abstract model has a path leading to the error state

Concretization of abstract counterexample

Concrete trace obtained from the abstract model's path to ERROR:
  1:  assume (x > y)
  2:  y = y + 1;
  ...
  5:  z = y;
  ...
  10: assume (x < z)
  11:
  12:

Simulation: does this correspond to a real bug?

Spurious trace
  The concrete trace above is a spurious counterexample

Refinement

Spurious counterexample, with the predicates found per location by localization of predicates ([Jhala et al., POPL 2004], [Jain et al., TACAS 2005]):
  1:  assume (x > y)      x < y + 1, x > y
  2:  y = y + 1;          x < y + 1
  ...
  5:  z = y;              x < y
  ...
  10: assume (x < z)      x < z

Need to track the value of at least one predicate from locations 1 to 10

Using invariants

C program                          Two variable invariants
  1:  if (x > y) {                   1:
  2:    y = y + 1;                   2:  x > y
  ...                                ... x ≥ y
  5:    z = y;                       5:  x ≥ y
  ...                                ... x ≥ y, y = z, x ≥ z
  10:   if (x < z)                   10: x ≥ y, y = z, x ≥ z
  11:     ERROR:;                    11:
  12: }                              12:

Using invariants during simulation

Spurious counterexample                      Two variable invariants
  1:  assume (x > y)                           1:
  2:  y = y + 1;                               2:  x > y
  ...                                          ... x ≥ y
  5:  z = y;                                   5:  x ≥ y
  ...                                          ... x ≥ y, y = z, x ≥ z
  10: assume (x < z)    <- infeasible          10: x ≥ y, y = z, x ≥ z   (x ≥ z contradicts assume (x < z))

The refinement procedure only needs to look at the infeasible part of the trace
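As an added illustration (not the authors' code), the following Python checks the trace above for feasibility with and without the location-10 invariant and reports how many trailing steps the refinement has to inspect. It restricts itself to the difference-constraint subset of the octagon domain (u - v ≤ c), which can be decided by negative-cycle detection; the trace encoding, the SSA names and that restriction are assumptions of this example.

```python
from itertools import chain

def feasible(constraints):
    """Bellman-Ford on the constraint graph. Each (u, v, c) encodes
    u - v <= c as an edge v -> u of weight c; a negative cycle means
    the conjunction has no integer solution."""
    nodes = {n for u, v, _ in constraints for n in (u, v)}
    dist = {n: 0 for n in nodes}        # virtual source at distance 0
    for _ in range(len(nodes) + 1):
        changed = False
        for u, v, c in constraints:     # relax: dist[u] <= dist[v] + c
            if dist[v] + c < dist[u]:
                dist[u] = dist[v] + c
                changed = True
        if not changed:
            return True
    return False                        # still relaxing: negative cycle

# The spurious trace from the slides, one entry per step, as difference
# constraints over SSA names (y1 is y after line 2). Strict x > y is
# encoded as y - x <= -1 since the variables are integers (constructed).
TRACE = [
    (1,  [("y", "x", -1)]),                    # assume (x > y)
    (2,  [("y1", "y", 1), ("y", "y1", -1)]),   # y = y + 1
    (5,  [("z", "y1", 0), ("y1", "z", 0)]),    # z = y
    (10, [("x", "z", -1)]),                    # assume (x < z)
]
# Two-variable invariant that holds at location 10 (x >= z), in the same
# encoding; the other invariants at 10 are not needed for this check.
INVARIANTS = {10: [("z", "x", 0)]}

def shortest_infeasible_suffix(trace, invariants):
    """Number of trailing steps, conjoined with the invariants of their
    locations (STb = Tb /\ Ib), that are already infeasible; None if the
    whole trace is feasible, i.e. the counterexample is real."""
    for k in range(1, len(trace) + 1):
        suffix = trace[-k:]
        cons = list(chain.from_iterable(cs for _, cs in suffix))
        for loc, _ in suffix:
            cons += invariants.get(loc, [])
        if not feasible(cons):
            return k
    return None

if __name__ == "__main__":
    print("steps to inspect without invariants:",
          shortest_infeasible_suffix(TRACE, {}))    # 4 (whole trace)
    print("steps to inspect with invariants:",
          shortest_infeasible_suffix(TRACE, INVARIANTS))   # 1
```

Without invariants the contradiction (x > y together with x < y + 1) only appears once all four steps are conjoined; with x ≥ z at location 10 the last step alone is infeasible.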

What has happened so far

C program (lines 1-12 as above) -> abstract model with no predicates -> spurious counterexample:
  1:  assume (x > y)
  2:  y = y + 1;
  ...
  5:  z = y;
  ...
  10: assume (x < z)

Invariant used from the spurious counterexample: PC=10: x ≥ z

New abstract model:
  1:  if (*) {
  2:    skip;
  ...
  5:    skip;
  ...
  10:   if (b)
  11:     ERROR:;

  Boolean b : x < z
  (PC=10) → ¬b

Strengthened transition relation

Let Tb(V,V') denote the transition relation of basic block b
Let Ib(V) denote the invariants that hold at b

  STb(V,V') := Tb(V,V') ∧ Ib(V)

Replace Tb(V,V') by STb(V,V') in the CEGAR loop


Invariant generation

Octagon abstract domain: ±x ± y ≤ c
  Due to Antoine Miné
  Successfully used in the ASTRÉE static analyzer
  Captures commonly occurring variable relationships
    Array bound accesses

More expressive abstract domains can be used
  Eagerly: before the CEGAR loop starts
  Lazily: on demand, as needed by refinement

Octagon packing

Octagon relationships between n variables
  Time per transfer function: O(n^3)
  Memory cost per program location: O(n^2)

[Figure: variables x1, x2, x3, ..., x999, x1000 partitioned into octagon packs]

Basic block based packing
  Variables appearing in a basic block
  #octagon packs proportional to #basic blocks

Control flow based packing
  Associate an octagon pack with each condition
  Cone of influence computation
  #octagon packs proportional to #conditions


Invariant selection

Use fewer invariants for additional/quicker pruning
  Avoids overhead in decision procedure calls

Given ERROR label E and basic block b:
  needed(b, E): variables that need to be tracked at b
  Use invariant I at b iff vars(I) ⊆ needed(b, E)
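Added example (not from the paper or F-Soft): a Python model of the if-program from the earlier slides that builds octagon packs both ways (basic block based, and control flow based via cone of influence) and applies the needed(b, E) selection rule to the invariants shown at location 10. The def/use encoding, the block boundaries and the reading of needed(b, E) as backward liveness from the ERROR guard are assumptions of this example.

```python
# Straight-line model of the if-program on the slides: (location, kind,
# defined variables, used variables). "cond" entries are branch conditions.
PROGRAM = [
    (1,  "cond", set(),  {"x", "y"}),    # if (x > y)
    (2,  "stmt", {"y"},  {"y"}),         # y = y + 1
    (5,  "stmt", {"z"},  {"y"}),         # z = y
    (10, "cond", set(),  {"x", "z"}),    # if (x < z) guards ERROR
]
BASIC_BLOCKS = [[1], [2, 5], [10]]       # conditions delimit blocks (assumed)

def basic_block_packs(program, blocks):
    """Basic block based packing: one pack per block, holding the
    variables that appear in it."""
    by_loc = {loc: defs | uses for loc, _, defs, uses in program}
    return [set().union(*(by_loc[l] for l in blk)) for blk in blocks]

def cone_of_influence(program, loc):
    """Variables the condition at loc transitively depends on, found by
    walking backwards through the assignments that feed it."""
    idx = next(i for i, s in enumerate(program) if s[0] == loc)
    cone = set(program[idx][3])
    for _, _, defs, uses in reversed(program[:idx]):
        if defs & cone:
            cone |= uses
    return cone

def control_flow_packs(program):
    """Control flow based packing: one pack per condition."""
    return [cone_of_influence(program, loc)
            for loc, kind, _, _ in program if kind == "cond"]

def needed(program, loc, error_guard=10):
    """needed(b, E), assumed here to be backward liveness from the guard
    of E (location 10): variables live on entry to loc that can reach E."""
    live = set()
    for l, _, defs, uses in reversed([s for s in program if s[0] <= error_guard]):
        live = (live - defs) | uses
        if l == loc:
            return live
    raise ValueError(f"no statement at location {loc}")

def select_invariants(program, loc, invariants):
    """Keep invariant I at loc iff vars(I) is a subset of needed(loc, E)."""
    need = needed(program, loc)
    return [text for text, vs in invariants if vs <= need]

# Two-variable invariants the slides show at location 10: (text, vars).
INV_AT_10 = [("x >= y", {"x", "y"}), ("y = z", {"y", "z"}), ("x >= z", {"x", "z"})]
```

Basic block packing keeps x and z in different packs, so the relation x ≥ z would not be found; control flow packing puts {x, y, z} in the pack of the condition at 10, and selection then keeps only x ≥ z there, matching the invariant used in the earlier slide.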


Experimental results (TCAS)

  Localization of predicates using weakest pre-conditions [TACAS 2005]
  Localization of predicates using Craig interpolation [Jhala et al., POPL 2004]
  Using octagonal invariants in the Default framework

1. Invariant generation for TCAS took 5 seconds
2. None of the above properties can be verified by octagonal invariants

Results from industrial benchmarks
  Checked for standard property violations

Experiments on Industry Programs

                       Without Octagon Invariants                      With Octagon Invariants
      KLOC  #Checks  #P by SA  #P by SAT  #B by SAT  #None  Time (sec)  #P by SA w/ Invar  #P by SAT  #B by SAT  #None  Time (sec)
  f1   0.5     64       32         9          0        23      596             64              0          0        0       15
  f2   1.1     16        8         6          0         2      564             16              0          0        0       66
  f3   1.1     18        8         5          2         3      572             16              0          2        0      104
  f4   1.2     22       10         6          3         3      478             18              1          3        0      195
  f5   1.2     10        0         0          4         6      584              6              0          4        0      401
  f6   1.6     26        8         6          8         4      579             18              0          8        0      197
  f7   1.8     28        4         8          4         4      589             12              4          4        0      325
  f8   3.6    280      267        13          0         0      144            280              0          0        0      140

Note: #P = # Proofs, #B = # Bugs, #None = unresolved checks

Several interesting improvements with Octagon invariants
  Number of unresolved (#None) checks is reduced (here, 0)
  Provides performance improvement
  Last example: not much extra cost with Proofs by SAT

Invariant generation results

Control flow based packing leads to invariants that are more likely to be useful in the CEGAR loop

Invariant selection results
  [Chart comparing: invariants generated using control flow based packing, and after invariant selection]

Conclusion

Using invariants in the abstraction-refinement loop
  Fewer predicates and refinement iterations
  Can help when finding the right predicates is difficult

Invariant generation and selection
  Finding useful invariants
  Right packing strategies

Current/Future work (by co-authors):
  Generation of disjunctive invariants [SISG SAS 2006]
  Applications of invariants during BMC [GG ICCAD 2006]

Questions?