Property Directed Polyhedral Abstraction
Nikolaj Bjørner and Arie Gurfinkel
VMCAI 2015
© 2015 Carnegie Mellon University
Abstract Interpretation versus Model Checking
Abstract Interpretation
• strength: scalability
• weakness: precision
• domain: Convex Polyhedra
Model Checking
• strength: precision
• weakness: scalability
• domain: QFLRA (quantifier-free fragment of FO over linear arithmetic)
How to simulate Polyhedral Abstract Interpretation in QFLRA Model Checking?
Poly. PDR, Nikolaj Bjørner and Arie Gurfinkel © 2015 Carnegie Mellon University
For the Impatient
Polyhedral Abstract Interpretation
• Convex hull
• Dual representation
• Fourier-Motzkin quantifier elimination
• Scales to a few dimensions
QFLRA Model Checking
• Simplex
• Interpolation
• Farkas Lemma, Farkas consequences
• Scales to many dimensions
"Simulate" Fourier-Motzkin by Simplex and Interpolation
Abstract Interpretation Background
Polyhedral Abstract Domain
Convex hull of X ⊆ Q^n: CH(X) = { γ·x + (1-γ)·y | x, y ∈ X, 0 ≤ γ ≤ 1 }
• the smallest convex polyhedron containing X
Convex closure CC(X) is the topological closure of CH(X)
• e.g., CC(x=0 ∧ y=1 ∨ x ≥ 0 ∧ x = y) = 0 ≤ x ≤ y ≤ x+1
Polyhedral Abstract Domain: the domain of convex polyhedra
• abstraction: α(X) = CC(X)
• concretization: γ(X) = X
• join: P1 ⊔ P2 = CC(P1 ∪ P2)
• meet: P1 ⊓ P2 = P1 ∩ P2
• widening: P1 ∇ P2 = { H is a half-space of P1 | P2 ⊆ H }
Abstract Transformers
• forward: post_α(X) = CC(post(X))
• backward: pre_α(X) = CC(pre(X))
Problem 1: Computing the Best Abstract Image
Assume the concrete post is the forward image of a transition relation ρ:
  post(X) = F(X), where F(X) = ∃u. (X(u) ∧ ρ(u, v)) ∨ Init(v)
• and ρ(u, v) and Init(v) are in QFLRA
Then post_α(X) = project(u, CC(X ∧ ρ(u, v) ∨ Init(v)))
where project(u, ·) drops the variables/dimensions u from its argument
How to approximate the best abstract image without CC and project?
Approximating the Abstract Image
Three Ingredients
1. Interpolation
2. Syntactic Convex Closure
3. Property-Directed
Craig Interpolation
Theorem (Craig 1957): Let A and B be two First Order (FO) formulae such that A → ¬B. Then there exists a FO formula I, denoted ITP(A, B), such that
• A → I
• I → ¬B
• atoms(I) ⊆ atoms(A) ∩ atoms(B)
A Craig interpolant ITP(A, B) can be effectively constructed from a resolution proof of unsatisfiability of A ∧ B
In Model Checking, the Craig Interpolation Theorem is used to safely over-approximate the set of (finitely) reachable states
Craig Interpolation for Linear Arithmetic
(figure: A and B separated by the interpolant I)
Useful properties of existing interpolation algorithms [CGS 10] [HB 12]
• if I ∈ ITP(A, B) then ¬I ∈ ITP(B, A)
• if A is syntactically convex (a monomial), then I is convex
• if B is syntactically convex, then I is co-convex (a clause)
• if A and B are syntactically convex, then I is a half-space
Syntactic Convex Closure
Florence Benoy, Andy King, Frédéric Mesnard: Computing convex hulls with a linear solver. TPLP 5(1-2): 259-271 (2005)
Definition: Let {P_i(x) = A_i·x ≤ a_i} be a set of polyhedra. The syntactic convex closure cc({P_i}) is defined as the following set of constraints, over a fresh copy z_i of x and a fresh weight σ_i for each P_i:
  ⋀_i (A_i·z_i ≤ a_i·σ_i ∧ σ_i ≥ 0) ∧ Σ_i σ_i = 1 ∧ x = Σ_i z_i
Example of cc():
  cc({x=0 ∧ y=1, x ≥ 1 ∧ x = y}) =
    (x0=0 ∧ y0=σ1) ∧ (x1 ≥ σ2 ∧ x1=y1) ∧ σ1+σ2 = 1 ∧ (x = x0 + x1 ∧ y = y0 + y1)
Theorem: Let {P_i(x) = A_i·x ≤ a_i} be a set of polyhedra. Then
  CC({P_i}) = ∃V. cc({P_i}), where V = {z_i} ∪ {σ_i}
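As an added example (not code from the paper or from its Z3 fork), the construction above carried through in Python: cc() builds the syntactic convex closure constraints with the fresh variables V = {z_i} ∪ {σ_i} for polyhedra given as rational constraints A_i·x ≤ a_i, and convex_closure() then projects V out with exact Fourier-Motzkin elimination, which is the ∃V of the theorem and the quantifier elimination the rest of the deck replaces by simplex and interpolation. The names le, eq, cc, eliminate, convex_closure and contains are the example's own; the inputs are the two polyhedra from the slide's example and, for HULL0, the variant from the polyhedral-domain slide.

```python
from fractions import Fraction as Fr
from itertools import product

# A constraint is (coeffs, bound) meaning sum(coeffs[v] * v) <= bound; zero coefficients are dropped.
def le(coeffs, bound):
    return ({v: Fr(c) for v, c in coeffs.items() if c != 0}, Fr(bound))

def eq(coeffs, bound):  # an equality is the pair of opposite inequalities
    return [le(coeffs, bound), le({v: -Fr(c) for v, c in coeffs.items()}, -Fr(bound))]

def cc(polys, xs):
    """Syntactic convex closure cc({P_i}): a copy z_i of xs and a weight sigma_i per P_i with
    A_i z_i <= a_i sigma_i, sigma_i >= 0, sum sigma_i = 1 and x = sum z_i.  Returns (constraints, V)."""
    n = len(polys)
    sig = [f"sigma{i}" for i in range(n)]
    cons = [le({s: -1}, 0) for s in sig] + eq({s: 1 for s in sig}, 1)  # sigma_i >= 0, sum sigma_i = 1
    for i, P in enumerate(polys):
        for coeffs, b in P:                                            # A_i z_i - a_i sigma_i <= 0
            cons.append(le({**{f"{v}{i}": k for v, k in coeffs.items()}, sig[i]: -b}, 0))
    for v in xs:                                                       # x = z_0 + ... + z_{n-1}
        cons += eq({v: 1, **{f"{v}{i}": -1 for i in range(n)}}, 0)
    return cons, sig + [f"{v}{i}" for v in xs for i in range(n)]

def eliminate(cons, v):
    """One Fourier-Motzkin step: the constraints of exists v. cons, free of v (exact over Q)."""
    pos = [c for c in cons if c[0].get(v, 0) > 0]
    neg = [c for c in cons if c[0].get(v, 0) < 0]
    out = [c for c in cons if c[0].get(v, 0) == 0]
    for (cp, bp), (cn, bn) in product(pos, neg):  # pair every upper bound on v with every lower bound
        ap, an = cp[v], -cn[v]
        coeffs = {u: an * cp.get(u, 0) + ap * cn.get(u, 0) for u in (set(cp) | set(cn)) - {v}}
        out.append(({u: k for u, k in coeffs.items() if k}, an * bp + ap * bn))
    return out

def convex_closure(polys, xs):
    """CC({P_i}) = exists V. cc({P_i}) (the theorem on the slide), with V projected out by Fourier-Motzkin."""
    cons, fresh = cc(polys, xs)
    for v in fresh:
        cons = eliminate(cons, v)
    return cons

def contains(cons, point):
    return all(sum(k * Fr(point[u]) for u, k in c.items()) <= b for c, b in cons)

# Constructed input: the slide's example, P1 = {x = 0, y = 1} and P2 = {x >= 1, x = y}.
P1 = eq({"x": 1}, 0) + eq({"y": 1}, 1)
P2 = [le({"x": -1}, -1)] + eq({"x": 1, "y": -1}, 0)
HULL = convex_closure([P1, P2], ["x", "y"])   # semantically y >= 1, x <= y, y <= x + 1
# The variant from the polyhedral-domain slide, P2' = {x >= 0, x = y}: 0 <= x <= y <= x + 1.
HULL0 = convex_closure([P1, [le({"x": -1}, 0)] + eq({"x": 1, "y": -1}, 0)], ["x", "y"])
```

The projected result still carries the redundant inequalities Fourier-Motzkin produces, which is part of why the deck avoids this route for many dimensions; it is semantically exact, so membership checks are the reliable way to read it.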
Approximating the Best Abstract Image
Recall post(X) = F(X), where F(X) = ∃u. (X ∧ ρ) ∨ Init
Problem: given X and a syntactically convex set of bad states B, find I ∈ Poly such that post_α(X) ⊑ I and I ⊓ B = ∅
Solution:
  let D1 ∨ … ∨ Dn be a DNF of (X ∧ ρ) ∨ Init in
  let A = cc({D1, …, Dn}) in
  ITP(A, B)
Claim: the procedure above is sound and complete
• A and B are syntactically convex
• SAT(A ∧ B) ↔ post_α(X) ⊓ B ≠ ∅
• ITP(A, B) is a half-space
CCSAT: An Efficient Implementation
Programs, Cexs, Invariants
A program P = (V, Init, ρ, Bad)
P is UNSAFE if and only if there exists a number N s.t. a state in Bad is reachable from Init in N steps of ρ
P is SAFE if and only if there exists a safe inductive invariant Inv s.t.
• Inductive: Init → Inv and Inv ∧ ρ → Inv'
• Safe: Inv → ¬Bad
MkSafe: IC3/PDR in Pictures
(figure: a counterexample cex taken from the Cex Queue, the Trace of frames R0 and R1, and the lemma that blocks it)
Propagate: IC3/PDR in Pictures
(figure: lemmas pushed forward until a frame becomes Inductive)
PDR invariants:
• R_i → ¬Bad
• R_i → R_{i+1}
• Init → R_i
• R_i ∧ ρ → R_{i+1}'
IC3/PDR
(figure: the IC3/PDR rules)
Extending PDR to Arithmetic: APDR
Model Based Projection: MBP(v, m, F) [KGC'14]
• generates an implicant of ∃v. F that contains the model m
Counterexamples are monomials (conjunctions of inequalities)
Lemmas are clauses (disjunctions of inequalities)
APDR computes a (possibly non-convex) QFLRA invariant in CNF
Kleene Forward Iteration
(figure)
FPDR: Simulating Polyhedral Kleene Iteration w/ PDR
(figure; the abstract image is computed using CCSAT)
Observations
• Counterexamples are monomials
• Lemmas are single inequalities (half-spaces)
• Invariants are conjunctions of inequalities (convex)
• Widening is "simulated" by not generating the strongest possible lemmas
FPDR Properties
Theorem 1 (Soundness): If R_{i+1} ⊑ R_i, then post_α*(Init) ⊓ Bad = ∅
Theorem 2 (Abstract Completeness): If FPDR returns Abstract.Reachable, then post_α^N(Init) ⊓ Bad ≠ ∅
Chaotic Backward Iteration
(figure)
BPDR: Simulating Polyhedral Backward Iteration w/ PDR
(figure; a set instead of a queue)
Observations
• One lemma per frame (each new lemma is stronger than all previous ones)
• Lemmas are disjunctions of inequalities
• The computed invariant is co-convex
BPDR Properties
Theorem 1 (Soundness): If R_{i+1} ⊑ R_i, then pre_α*(Init) ⊓ Bad = ∅
Theorem 2 (Abstract Completeness): If BPDR returns Abstract.Reachable, then pre_α^N(Init) ⊓ Bad ≠ ∅
Conclusion
We mimic Polyhedral Abstract Interpretation w/ Arithmetic PDR
• use syntactic convex closure to decide existence of an abstract image
• use interpolation to compute an abstract element
• compute convex inductive invariants
Works well for small crafted examples
• see paper for details
• available at https://z3.codeplex.com/SourceControl/network/forks/arie/zag
Our Forward and Backward PDR rules can be mixed
• see paper for details
• automatic abstraction refinement
  – use new abstract rules until a counterexample is found
  – use APDR rules to refine
Contact Information
Arie Gurfinkel, Senior Researcher, SEI / CMU
Telephone: +1 412-268-5800
Email: arie@sei.cmu.edu
U.S. Mail: Software Engineering Institute, Customer Relations, 4500 Fifth Avenue, Pittsburgh, PA 15213-2612, USA
Web: www.sei.cmu.edu/contact.cfm
Customer Relations Email: info@sei.cmu.edu, Telephone: +1 412-268-5800
SEI Phone: +1 412-268-5800, SEI Fax: +1 412-268-6257