Lazy Abstraction
Tom Henzinger, Ranjit Jhala, Rupak Majumdar, Grégoire Sutre
Goals
§ Verification of software
  § safety properties
  § C programs
§ Application to systems software
  § e.g. check correct use of locks
How?
§ Model checking
§ Predicate abstraction
  § focus on essential properties
  § decision procedures and BDDs
§ Counterexample-driven refinement
Outline
§ Counterexample-driven refinement
  § drawbacks
§ Predicate abstraction
§ Lazy predicate abstraction
  § intuitive description, example
§ Discussion
Counterexample-driven refinement (abstract, check, refine)
Program P, initial predicates
  abstract: build the abstraction B of P with respect to the current predicates
  model check B: is ERROR reachable?
    No: return "No"
    Yes, with abstract path p: is p feasible in P?
      Yes: return "Yes", p
      No, with an explanation: refine the predicates from the explanation and abstract again
      don't know: return "don't know"
Related work
§ Microsoft SLAM project
  § abstractor: C code to Boolean programs
  § model checker for Boolean programs
  § predicate discovery and refinement
§ [Clarke et al. 00]
§ Bandera project at KSU
§ …
Drawbacks
§ Redo work at each iteration
  § compute a brand new abstraction
  § model check this new abstraction
  § what if the newly inferred predicates matter only locally, in one part of the program?
§ Does some unnecessary work
§ No sharing of data structures between iterations
Our proposal
§ Integrate the three phases
§ Construct the abstraction on the fly
  § driven by the reachability search
§ Refine the abstraction on demand
  § locally, based on the bad (spurious) error paths
Give control to the model checker
Predicate abstraction
§ Predicates over the program variables, e.g.
  § P1 : x = y
  § P2 : z = t + y
  § P3 : x  z+1 (comparison operator lost in extraction)
  § P4 : *u = x
§ Figure: the variable value space drawn as a grid whose cells are labelled by truth assignments to the predicates (¬P3 ∧ ¬P4, ¬P3 ∧ P4, P3 ∧ ¬P4, ¬P1 ∧ ¬P2, ¬P1 ∧ P2, P1 ∧ ¬P2, …)
§ Box: abstract variable valuation (one truth assignment to the predicates)
§ Region: cover of boxes (a union of boxes)
Abstract state graph
§ Explicit control locations
§ Abstract state: (control location, box)
§ Conservative abstraction (over-approximates the concrete transitions)
  § defined as usual
  § computed using decision procedures
Lazy abstraction
§ Symbolic model checking
  § predicate abstraction
  § on-the-fly post/pre
§ Refinement on demand
  § dynamic predicates: P1, …, Pk becomes P'1, …, P'h
§ Error-free closed sets of states are not checked again.
Reachability analysis (1)
§ Forward symbolic reachability tree
  § nodes labelled by (control location, abstract region)
  § edges labelled by program statements
§ Post computed w.r.t. {P1, …, Pk}
  § decision procedure
§ Refinement: {P1, …, Pk} becomes {P1, …, Pk, Pk+1, …, Pk+h}
Reachability analysis (2)
Figure: refinement at one node of the tree. Only the subtree below the refined node is rebuilt with the new predicates; the rest of the tree is untouched.
Reachability analysis (3)
Figure: nodes that had been marked as covered by nodes of the discarded subtree are unmarked, so they are searched again.
Reachability analysis (4)
§ Correctness is independent of the search order
§ Optimization: union closed subtrees
§ Why analyse the counterexample backwards from the error?
  § the refinement point is found as close to the error as possible, so fewer marked nodes are unmarked
§ General symbolic setting: regions
Example
void Example() {
1:  do {
      old = new;
      // Get the write lock
      AcquireSpinLock(&DevExt->writeListLock);              [acq = True]
2:    if (request && request->status) {
3:      DevExt->WriteList = request->next;
        // Release the lock
        ReleaseSpinLock(&DevExt->writeListLock);            [acq = False]
        irp = request->irp;
        if (request->status > 0) {
          irp->IoStatus = STATUS_SUCCESS;
          irp->IoStatus.Information = request->Status;
        } else {
          irp->IoStatus = STATUS_UNSUCCESS;
          irp->IoStatus.Information = request->Status;
        }
        SmartDevFreeBlock(request);
        IoCompleteRequest(irp, DO_NO_INCREMENT);
        new++;
4:    }
5:  } while (new != old);
    // Release the lock
6:  ReleaseSpinLock(&DevExt->writeListLock);                [if (acq == False) then ERROR]
7: }
Control flow automaton: locations 1 to 7 plus ERROR; the bracketed annotations are the lock specification. Q: Is ERROR reachable?
Reachability analysis, phase 1: forward search
Set of predicates: {acq = False} (from the spec)
Reachability tree along the path that reaches ERROR (location : abstract region), with the statement taken on each edge:
  1 : true
      old = new; AcquireSpinLock(&DevExt->writeListLock); [acq = True]
  2 : acq
      (request && request->status) ?
  3 : acq
      DevExt->WriteList = request->next; ReleaseSpinLock(&DevExt->writeListLock); [acq = False]; irp = request->irp; …; new++
  4 : ¬acq
  5 : ¬acq
      (new == old) ?
  6 : ¬acq
      (acq == False) ?
  Err : ¬acq
The other branches (the else branch at 2, the loop edge 5 back to 1) are shown pending. The abstraction has a path to Err, so the next question is whether that path is feasible.
Reachability analysis, phase 2: counterexample-guided refinement
Set of predicates: {acq = False} (from the spec)
Walk the abstract error path backwards from Err, computing at each node (in braces) the concrete states that can still reach ERROR along the rest of the path, next to the node's abstract region:
  6 : ¬acq    {¬acq}                    from (acq == False) ?
  5 : ¬acq    {¬acq ∧ new = old}         from (new == old) ?
  4 : ¬acq    {¬acq ∧ new = old}
  3 : acq     {acq ∧ new+1 = old}        from ReleaseSpinLock [acq = False]; …; new++
  2 : acq     {acq ∧ new+1 = old}        from (request && request->status) ?
  1 : true    {acq ∧ new+1 = new}        from old = new; AcquireSpinLock [acq = True]
At node 1 the set {acq ∧ new+1 = new} is unsatisfiable: no concrete execution follows this path, so the counterexample is spurious and the refinement is applied from node 1.
New predicate for refinement: (new = old)
Reachability analysis, phase 1 again: forward search
Set of predicates: {acq = False, new = old}
  1 : true
      old = new; AcquireSpinLock(&DevExt->writeListLock); [acq = True]
  2 : acq ∧ (new = old)
      (request && request->status) ?
  3 : acq ∧ (new = old)
      DevExt->WriteList = request->next; ReleaseSpinLock(&DevExt->writeListLock); [acq = False]; …; new++
  4 : ¬acq ∧ ¬(new = old)
  5 : ¬acq ∧ ¬(new = old)
      (new == old) ? cannot fire here; (new ≠ old) ? leads back to
  1 : ¬acq ∧ ¬(new = old)    ⊆ true, the region already explored at 1: covered, stop
  5 : acq ∧ (new = old)      (via the else branch of 2)
      (new == old) ?
  6 : acq ∧ (new = old)
      (acq == False) ? cannot fire here, so Err is not reached
  7 : acq ∧ (new = old)
Error is not reachable.
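The forward search, the backward counterexample analysis and the local refinement of the preceding slides, as an added Python example; this is not code from the slides or the authors' implementation. It assumes bounded integers so that every decision-procedure call can be brute-force enumeration, and it substitutes "atoms from the guards on the spurious path" for the proof-based predicate discovery the deck describes later; the entry location 0 and the second acquire/release path (locations 8 to 10) are also additions, there to make the locality of the refinement visible. Locations 1 to 7 and the statements on the edges follow the slide's Example().

```python
"""Lazy predicate abstraction on the slides' lock example (added illustration, not
the authors' BLAST code). Integers are bounded so each "decision procedure" call is
brute-force enumeration, a stand-in for the theorem prover; predicate discovery takes
atoms from path guards, a stand-in for extraction from a proof of unsatisfiability."""
INTS = range(0, 6)                                            # concrete states: (acq, new, old)
UNIVERSE = frozenset((a, n, o) for a in (False, True) for n in INTS for o in INTS)
PREDS = {"acq": lambda s: s[0], "new==old": lambda s: s[1] == s[2]}
T, I = (lambda s: True), (lambda s: s)                        # trivial guard, skip statement

# Control flow automaton: loc -> [(dst, guard, update, predicate atoms used in guard)].
# Location 0 (added) enters either the slides' loop (1..7) or an unrelated
# acquire/release path (8..10), so that refinement can be seen staying local.
EDGES = {
    0: [(1, T, I, []), (8, T, I, [])],
    1: [(2, T, lambda s: (True, s[1], s[1]), [])],             # old = new; acquire [acq = True]
    2: [(3, T, I, []), (5, T, I, [])],                          # request is nondeterministic
    3: [(5, T, lambda s: (False, s[1] + 1, s[2]), [])],         # release [acq = False]; ...; new++
    5: [(1, lambda s: s[1] != s[2], I, ["new==old"]),           # while (new != old)
        (6, lambda s: s[1] == s[2], I, ["new==old"])],
    6: [("ERR", lambda s: not s[0], I, ["acq"]),                 # release without holding the lock
        (7, lambda s: s[0], lambda s: (False, s[1], s[2]), ["acq"])],
    8: [(9, T, lambda s: (True, s[1], s[2]), [])],              # acquire
    9: [("ERR", lambda s: not s[0], I, ["acq"]),
        (10, lambda s: s[0], lambda s: (False, s[1], s[2]), ["acq"])],
}

class Node:                      # (control location, abstract region as a set of cubes)
    def __init__(self, loc, preds, region, parent=None, edge=None):
        self.loc, self.preds, self.region = loc, preds, region
        self.parent, self.edge, self.children = parent, edge, []
        self.post_preds = preds  # extended by refinement, for this subtree only

def gamma(node):
    """Concrete states denoted by the node's region (concretization)."""
    return {s for s in UNIVERSE if tuple(PREDS[p](s) for p in node.preds) in node.region}

def post(node, edge):
    """Abstract post: the cubes over the successor's predicates that some state of
    the region reaches through the edge (one brute-force query per edge)."""
    dst, guard, update, _ = edge
    cubes = {tuple(PREDS[p](update(s)) for p in node.post_preds)
             for s in gamma(node) if guard(s) and update(s) in UNIVERSE}
    return Node(dst, node.post_preds, frozenset(cubes), node, edge) if cubes else None

def nodes(n):
    return [n] + [m for c in n.children for m in nodes(c)]

def search(root, edges):
    """Forward reachability tree, resumed from the leaves. A leaf whose states are
    covered by an already expanded node at the same location is not expanded."""
    reached = {}
    for m in nodes(root):
        if m.children:
            reached.setdefault(m.loc, set()).update(gamma(m))
    work = [m for m in nodes(root) if not m.children]
    while work:
        n = work.pop()
        if n.loc == "ERR":
            return n
        if gamma(n) <= reached.get(n.loc, set()):
            continue                                            # covered (marked)
        reached.setdefault(n.loc, set()).update(gamma(n))
        n.children = [c for c in (post(n, e) for e in edges.get(n.loc, [])) if c]
        work.extend(n.children)
    return None

def analyse(err):
    """Backward pass from ERR: bad_j = concrete states at n_j that reach ERR along the
    suffix. The pivot is the first node, walking back, whose region misses bad_j;
    no pivot means the path is feasible. Returns (pivot, new atoms) or (None, [])."""
    path, n = [], err
    while n:
        path.insert(0, n); n = n.parent
    bad, atoms = set(UNIVERSE), []
    for j in range(len(path) - 2, -1, -1):
        _, guard, update, names = path[j + 1].edge
        bad = {s for s in UNIVERSE if guard(s) and update(s) in bad}
        atoms = names + atoms
        if not gamma(path[j]) & bad:
            return path[j], [a for a in dict.fromkeys(atoms) if a not in path[j].post_preds]
    return None, []

def verify(edges, max_rounds=10):
    """Abstract-check-refine loop; refinement rebuilds only the pivot's subtree."""
    root = Node(0, ("acq",), frozenset({(False,), (True,)}))   # region "true"
    for rounds in range(1, max_rounds + 1):
        err = search(root, edges)
        if err is None:
            return "safe", rounds, root
        pivot, new = analyse(err)
        if pivot is None:
            return "unsafe", rounds, root
        if not new:
            raise RuntimeError("spurious path but no new predicate found")
        pivot.children, pivot.post_preds = [], pivot.post_preds + tuple(new)
    raise RuntimeError("no verdict within max_rounds")

def preds_by_loc(root):          # predicate sets in use per location after the run
    out = {}
    for m in nodes(root):
        out.setdefault(m.loc, set()).add(m.preds)
    return out
```

verify(EDGES) finds the same spurious path as the slides in the first round, identifies node 1 as the pivot (its region meets none of the states that could reach ERROR, because new+1 = new is unsatisfiable), adds new==old there, and proves the program safe in the second round. preds_by_loc on the returned root shows the effect of refining locally: locations 8 to 10 still carry only acq, while the loop's locations carry acq and new==old. Replacing the update on edge 1 with one that forgets to acquire makes the backward pass reach the root with a non-empty set, which is reported as "unsafe".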
Outcomes
§ This lazy approach lets us reuse work already done
  § once the left part of the tree has been searched, we never look at it again
§ A different set of predicates, relevant only to the right part, may be used while searching it
(Figure: a reachability tree whose left part is searched for Error 1 and whose right part is searched for Error 2.)
Predicate discovery
§ Keep substitutions explicit
  § new variables for the assigned values
  § operations appear explicitly
§ Ask the decision procedure for a proof of unsatisfiability
§ Pick the predicates appearing in the proof
(Figure: the operations op1, op2, op3, op4 of the spurious path, written out with their explicit substitutions.)
Region-based symbolic model checking
§ Region datatype
  § denotes possibly infinite sets of values
  § e.g. ({P1, …, Pk}, bdd): a predicate set together with a BDD over it
§ Boolean operations
§ Set Op of operations
§ Symbolic post/pre : R × Op → R
§ Focus operation (refinement)
Tool architecture
Figure: the control flow automaton supplies the operations; the model checker works on regions.
Development roadmap
§ C program to control flow automaton
§ Regions are predicate valuations
  § BDD representation
§ Model checker
  § region-based algorithm
  § input: regions, pre, post
Discussion
§ Search order: heuristics
§ Pre/post duality
§ Acceleration of loops
§ Memory usage: hashing?
§ Application beyond C programs to:
  § timed automata, hybrid systems
  § SDL protocols
- Slides: 28