© 2008 Carnegie Mellon University
Combining Predicate and Numeric Abstraction for Software Model Checking
Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA 15213
Arie Gurfinkel and Sagar Chaki
Combining PA and NA for Soft MC, Gurfinkel and Chaki
Automated Software Analysis
[Diagram: Program → Automated Analysis → Correct / Incorrect]
Software Model Checking with Predicate Abstraction
e.g., Microsoft’s SDV
Abstract Interpretation with Numeric Abstraction
e.g., ASTREE, Polyspace
Predicate and Numeric Abstractions
Predicate Abstraction (PA) (e.g., SDV)
• Typical property: no lock is acquired twice
• Program verification reduced to propositional reasoning with model checker
• Works well for control-driven programs
• Works poorly for data-driven programs
Numeric Abstraction (NA) (e.g., ASTREE)
• Typical property: no arithmetic overflow
• Program verification reduced to arithmetic reasoning
• Works well for data-driven programs
• Works poorly for control-driven programs
How to combine PA and NA to get the best of both?
[Plot omitted: precision vs. scalability axes, with NA, PA and an "Unrealistic" point marked]
Outline
Predicate and Numeric Abstraction for Program Analysis
• Strength and Weakness
• An “Ideal” Combination
PA+NA Combination
• Abstract Transformers
• Data Structures
Experimental Results
Current and Future Work
Predicate Abstraction: An Example
Predicates: p1: i=1, p2: i=2, p3: x1>0, p4: x2<0
Concrete program:
  assume (i=1 || i=2);
  if (i = 1) x1 := i; else if (i = 2) x2 := -4;
  if (i = 1) assert (x1 > 0); else if (i = 2) assert (x2 < 0);
Abstract program:
  assume (p1 || p2);
  if (p1) p3 := ch(p1||p2, false); else if (p2) p4 := true;
  if (p1) assert (p3); else if (p2) assert (p4);
where p := ch(tt, ff) stands for:
  if (tt) p := 1; else if (ff) p := 0; else p := *;
Analysis with Predicate Abstraction
Predicates: p1: i=1, p2: i=2, p3: x1>0, p4: x2<0
Abstract program:
  assume (p1 || p2);
  if (p1) p3 := ch(p1||p2, false); else if (p2) p4 := true;
  if (p1) assert (p3); else if (p2) assert (p4);
Abstract states along the program:
  after the assume: p1 || p2
  then-branch: p1, then p1 && p3
  else-branch: !p1 && p2, then !p1 && p2 && p4
  after the join: p1 && p3 || !p1 && p2 && p4
  at the first assert: p1 && p3; at the second assert: !p1 && p2 && p4
Can prove safety
Numeric Abstract Interpretation
Analysis is restricted to a fixed Abstract Domain
Abstract Domain ≡ “a (possibly infinite) set of predicates from a fixed theory” + efficient operations
Examples of Numeric Abstract Domains
• Signs: x < 0, x = 0, x > 0
• Intervals: c1 ≤ x ≤ c2, where c1, c2 are constants
• Octagons: ±x ± y ≤ c, where c is a constant
• Polyhedra: a1x1 + a2x2 + a3x3 + a4 ≤ 0, where ai are constants
Numeric Abstraction: An Example
Concrete program:
  assume (i=1 || i=2);
  if (i = 1) x1 := i; else if (i = 2) x2 := -4;
  if (i = 1) assert (x1 > 0); else if (i = 2) assert (x2 < 0);
Abstraction
Abstract program (the same statements; only the domain changes):
  assume (i=1 || i=2);
  if (i = 1) x1 := i; else if (i = 2) x2 := -4;
  if (i = 1) assert (x1 > 0); else if (i = 2) assert (x2 < 0);
Analysis with Intervals NA (1)
Abstract program:
  assume (i=1 || i=2);
  if (i = 1) x1 := i; else if (i = 2) x2 := -4;
  if (i = 1) assert (x1 > 0); else if (i = 2) assert (x2 < 0);
Interval states along the program:
  after the assume: 1 <= i <= 2
  then-branch: i=1, then i=1 && x1=1
  else-branch: i=2, then i=2 && x2=-4
  after the join: 1 <= i <= 2 (loss of precision due to join: x1 and x2 are no longer constrained)
  at the first assert: i=1; at the second assert: i=2
Cannot prove safety
Analysis with Intervals NA (2)
Abstract program:
  if (3 <= y1 <= 4) { x1 := y1-2; x2 := y1+2; }
  else if (3 <= y2 <= 4) { x1 := y2-2; x2 := y2+2; }
  else return;
  assert (5 <= x1 + x2 <= 10);
Interval states along the program:
  first branch: 3 <= y1 <= 4, then 1 <= x1 <= 2 && 5 <= x2 <= 6
  second branch: 3 <= y2 <= 4, then 1 <= x1 <= 2 && 5 <= x2 <= 6
  after the join: 1 <= x1 <= 2 && 5 <= x2 <= 6
Using PA here would be expensive!
“Ideal” combination of PA + NA
Predicates: p: A[y1+y2]=3, q: A[x1+x2]=3
Concrete program:
  assume (x1 = x2);
  if (A[y1+y2] = 3) { x1 := y1 - 2; x2 := y2 + 2; } else A[x1+x2] := 5;
  if (A[x1+x2] = 3) { x1 := x1 + x2; x2 := x2 + y1 - 2; }
  assert (x1 = x2)
Abstraction
Abstract program:
  assume (x1 = x2);
  if (p) { x1 := y1 - 2 &&& q := *; x2 := y2 + 2 &&& q := ch((x1 = y1-2) && p, f) } else q := false;
  if (q) { x1 := x1 + x2; x2 := x2 + y1 - 2; }
  assert (x1 = x2)
Abstract with Predicates
“Ideal” combination of PA + NA
Predicates: p: A[y1+y2]==3, q: A[x1+x2]==3
(Same concrete and abstract programs as on the previous slide.)
Annotations on the slide:
• Concrete transformer, a.k.a. program statement
• Abstract transformer
• Parallel composition (&&&)
Analyzing with PA + NA
Predicates: p: A[y1+y2]=3, q: A[x1+x2]=3
Abstract program:
  assume (x1 = x2);
  if (p) { x1 := y1 - 2 &&& q := *; x2 := y2 + 2 &&& q := ch((x1+2 = y1) && p, f) } else q := false;
  if (q) { x1 := x1 + x2; x2 := x2 + y1 - 2; }
  assert (x1 = x2)
Abstract states along the program:
  after the assume: x1=x2
  then-branch (p): p && x1=x2
    after x1 := y1 - 2 &&& q := *: p && x1=y1-2
    after x2 := y2 + 2 &&& q := ch(...): p && q && x1=y1-2 && x2=y2+2
  else-branch: !p && !q && x1=x2
  after the join: (p && q && x1=y1-2 && x2=y2+2) || (!p && !q && x1=x2)
  then-branch (q): p && q && x1=y1-2 && x2=y2+2
    after x1 := x1 + x2: p && q && x1=y1+y2 && x2=y2+2
    after x2 := x2 + y1 - 2: p && q && x1=y1+y2 && x2=y2+y1 && x1=x2
  after the join: (p && q && x1=y1+y2 && x2=y2+y1 && x1=x2) || (!p && !q && x1=x2)
  (both disjuncts satisfy the assert)
NumPredDom Interface
interface NumPredDom(VN, VP) extends AbsDom
  VN: numeric variables, VP: predicates, e: conjunctive expression
  projP(VP, e) = conjunction of predicates from VP such that e ⇒ projP(VP, e)
  projN(VN, e) = conjunction of constraints over VN such that e ⇒ projN(VN, e)
  αP : E → A        αN : E → A            unprime : A → A
  reduce : A → A    exists : 2^VP × A → A  αPostN : S → (A → A)
Annotations on the slide:
• Information sharing between NA and PA: factored out for efficiency
• Lift numeric-only abstract transformer
• Lift propositional-only abstract transformer
• Implementation-dependent; influences precision and scalability
NumPredDom: Definition of α
  α(e1 ∧ e2) = meet(α(e1), α(e2))                              (conjunctions)
  α(e1 ∨ e2) = join(α(e1), α(e2))                              (disjunctions)
  α(e) = meet(αP(projP(VP ∪ VP', e)), αN(projN(VN, e)))         (project, abstract, combine)
NumPredDom: Abstract Transformers
  v   ::= numeric expression
  e   ::= Boolean expression over predicate and numeric terms
  τ   ::= τN | τa | τc | τP | τNP | τ || τ | τ ; τ    (base cases | non-det choice | sequence)
  τN  ::= x := v | τN &&& τN                           (numeric)
  τa  ::= assume (e)                                   (assume)
  τc  ::= e ? τN                                       (conditional)
  τP  ::= p := ch (e, e) | τP &&& τP                   (predicate)
  τNP ::= (e ? τN) &&& τP                              (numeric + predicate)
Transformer Examples
Predicates: p1: z=&x, p2: z=&y, p3: y=1
Concrete transformer → Abstract transformer
  assume (*z > 0) → (p1 && x>0 || p2 && y>0 || !p1 && !p2) ? skip
  *z = u + 1 → (p1 ? x := u+1) || (p2 ? y := u+1) || (!p1 && !p2 ? skip)
  y = x &&& x = (y = 1 ? v : w) → (p3 ? x := v || !p3 ? x := w) &&& p3 := ch (x=1, x!=1)
NumPredDom: Four Implementations
  Name      Value          Example                                          Num. terms
  NEXPoint  2^(2^P) × N    (p||q) && (0 <= x <= 5)                          explicit
  NEX       2^P → N        (p && 0<=x<=3) || (!p && 1<=x<=5)                explicit
  MTBDD     2^P → N        (p && 0<=x<=3) || (!p && 1<=x<=5)                symbolic
  NDD       2^P → 2^N      (p && (x=0 || x=3)) || (!p && (x=1 || x=5))      symbolic
(Precision increases down the table.)
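The precision loss on the "Analysis with Intervals NA (1)" slide and the 2^P → N idea behind NEX, as an added Python model that is not code from the talk or its tool: the same program is analysed with plain intervals (no predicates, one partition) and with the state partitioned by the valuations of p1: i=1 and p2: i=2. Predicates are restricted to the form v = c and an "unknown" valuation is kept as None, which is an assumed simplification of the real domain.

```python
INF = float("inf")
def iv(env, v):                        # interval of v; an absent variable is unconstrained
    return env.get(v, (-INF, INF))

def assume_eq(env, v, c):              # refine with v == c; None is bottom (branch infeasible)
    lo, hi = iv(env, v)
    return None if c < lo or c > hi else {**env, v: (c, c)}

def assign(env, v, val):               # v := constant, or v := another variable
    return {**env, v: iv(env, val) if isinstance(val, str) else (val, val)}

def hull(a, b):                        # interval join; a variable bounded on one side only is lost
    return {v: (min(a[v][0], b[v][0]), max(a[v][1], b[v][1])) for v in a.keys() & b.keys()}

class Domain:
    """State = {predicate valuation: interval env}. preds=[] is plain intervals (one partition);
    preds=[("i",1),("i",2)] is a NEX-style 2^P -> N map whose join keeps partitions apart."""
    def __init__(self, preds): self.preds = preds   # predicates restricted to v = c (simplification)
    def key(self, env):                # valuation: True / False / None (unknown) per predicate
        out = []
        for v, c in self.preds:
            lo, hi = iv(env, v)
            out.append(True if lo == hi == c else (None if lo <= c <= hi else False))
        return tuple(out)
    def apply(self, state, f, *args):  # lift a per-env transformer: drop bottoms, re-key, merge
        out = {}
        for env in state.values():
            r = f(env, *args)
            if r is not None:
                k = self.key(r)
                out[k] = hull(out[k], r) if k in out else r
        return out
    def join(self, a, b):              # hull only within a partition; distinct valuations stay split
        return {k: hull(a[k], b[k]) if k in a and k in b else (a if k in a else b)[k]
                for k in a.keys() | b.keys()}
    def holds(self, state, v, lo, hi): # lo <= v <= hi in every partition (empty state: vacuous)
        return all(lo <= iv(e, v)[0] and iv(e, v)[1] <= hi for e in state.values())

def analyze(dom):
    """Slide program: assume(i=1||i=2); if (i=1) x1:=i else if (i=2) x2:=-4; then both asserts."""
    top = {dom.key({}): {}}
    s = dom.join(dom.apply(top, assume_eq, "i", 1), dom.apply(top, assume_eq, "i", 2))
    b1 = dom.apply(dom.apply(s, assume_eq, "i", 1), assign, "x1", "i")
    b2 = dom.apply(dom.apply(s, assume_eq, "i", 2), assign, "x2", -4)
    s = dom.join(b1, b2)               # intervals: x1, x2 vanish here; NEX: both partitions survive
    ok1 = dom.holds(dom.apply(s, assume_eq, "i", 1), "x1", 1, INF)    # assert x1 > 0 (integers)
    ok2 = dom.holds(dom.apply(s, assume_eq, "i", 2), "x2", -INF, -1)  # assert x2 < 0 (integers)
    return ok1 and ok2

print(analyze(Domain([])), analyze(Domain([("i", 1), ("i", 2)])))  # False True
```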
Summary of the Data Structures
            Precision  Scalability  PA alone  NA alone  Prop Op  Num Op
  NEXPoint  -          ++           +         +         ++       ++
  NEX       +          -            +         +         -        ++
  MTNDD     +          -            +         -         +        -
  NDD       ++         +            +         -         ++       --
Tool Implementation
Java Implementation
• Numeric domains implemented on top of Apron library
[Architecture: Source → Frontend → Annotated CFG + Initial Node + Target Node → Reachability Analysis → Report]
Fixed point computation with widening
“Simple” automated abstraction-refinement
1. Check if CE is spurious using WP + TP
2. Add new numeric variables in UNSAT core first
3. Add new predicates only if all numeric variables in UNSAT core are already present
Experimental Results
Synthetic examples used to validate specific conjectures
• NEX & MTNDD better than NDD when numeric joins are exact
— Since NDD uses exact unions while others use numeric join
• NDD better than others when invariants are propositionally complex
— Since NDD has the most sharing capability
Realistic examples used to gauge overall performance
• Medley: 22 examples: Zitser buffer overflow (3), OpenSSL (2), engine controller (9), Micro-C OS (2), Device drivers (6)
[Chart omitted; note from the slide: negative running time means failure]
Experimental Results: Medley (2)
  Domain     #Exp.  Total   Gamma  Join  alphaPost  Apply
  Numeric    9      2.52    0.43   0.41  0.44       0.38
  Predicate  17     333.38  0.05   0.03  0.20       0.06
  NEXPoint   21     42.30   0.38   1.13  4.04       8.50
  NEX        22     45.17   0.59   2.22  3.99       7.20
  MTNDD      22     94.05   0.02   3.71  2.11       56.10
  NDD        22     42.15   0.03   0.02  1.96       17.81
(Total # of examples = 22; all times are in seconds)
[Chart omitted; note from the slide: negative running time means failure]
Related Work
Abstract Interpretation [CC’92]
• Our domain ≈ reduced direct product of Predicate and Numeric domains
Jain et al. [CAV’06]
• Applies numeric invariants to simplify predicate abstraction
• Weaker than NEXPoint
Fischer et al. [FSE’05], Beyer et al. [CAV’07,CAV’06]
• Predicate abstraction + Abstract Domain
• Similar to NEXPoint, but with simpler transfer functions
Bultan et al. [TOSEM’00]
• MC of programs with Boolean and numeric variables using Omega library
• Similar to NEX, but with simpler transfer functions
Current and Future Work
Augmenting our benchmark suite
Better automated abstraction-refinement for PA + NA
In this work, the abstract domain is treated as a black box. Exploring tighter integration between predicate and numeric domains:
• smarter numeric transfer functions,
• smarter DD variable ordering, etc.
We support intervals, octagons and polyhedra. Looking for combinations with other (numeric) domains.