1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software...
-
Upload
ruby-bailey -
Category
Documents
-
view
216 -
download
1
Transcript of 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software...
1
Chao Wang
NEC Labs, Princeton, NJ
COS 598d
3/5/2010
SMT and its Application in Software Verification
2
What is SMT?
Satisfiability Modulo Theories (SMT) Decision problem for logic formulas expressed in classical first-
order logic with equality, with respect to combinations of some background theories
It is a generalization of SAT, where some Boolean variables are replaced by predicates from a variety of underlying theories.
3
Boolean Satisfiability (SAT)
or
and
not
or
and
or
.
.
.
p2
p1
pn
Is there an assignment to the p1, p2, …, pn variables such that evaluates to 1?
4
Satisfiability Modulo Theories (SMT)
.
.
.
p2
p1
pn
Is there an assignment to the x, y, z, w variables s.t. evaluates to 1?
x + 2 z <1
x % 26 = v
w & 0xFFFF = x
x = y
or
and
not
or
and
or
5
SMT Solvers: A Brief History
Early work in the late 1970s Nelson and Oppen, Shostak, Boyer and Moore
Modern SMT solvers started in the late 1990s Attempts to build scalable solvers Influenced by SAT solvers (GRASP and Chaff)
Last few years: tremendous progress Efficient SMT solvers
(SMT-LIB benchmarks, SMT-COMP solver competition) Wide-spread applications
6
Many of its Applications
Verification systems HOL, Isabelle, and PVS, etc. ACL2, Caduceus, SAL, UCLID, etc.
Extended static checkers and model checkers Boogie, ESC/Java 2, etc. BLAST, Eureka, MAGIC, SLAM, F-Soft, etc.
Certifying compliers Touchstone, TVOC, etc.
Test case generation DART, EXE, CUTE, PEX, etc.
…
7
Outline
What’s SMT?
Some Useful Theories
Inside SMT Solvers
How to Use It?
Application in Software Verification
8
First-Order Logic (quantifier-free)
Logical Symbols Propositional connectives: AND, OR, NEGATION,etc. Boolean variables: v1, v2, . . .
Non-logical symbols/Parameters Equality: = Functions: +, -, %, bit-wise &, f(), concat, … Predicates: ·, is_substring, … Constant symbols: 0, 1.0, null, …
9
Some Useful Theories
QF_UF: Theory of equality (with uninterpreted functions)
QF_LIA, QF_LIR: Theories of linear arithmetic (over Q or Z)
QF_IDL, QF_RDL: Theories of difference logic (over Q or Z)
QF_BV: Theories of fixed-size bit-vectors
QF_A, QF_AX: Theory of arrays (with and w/o extensionality)
Misc.: Non-linear arithmetic, …
10
Example: QF_UF Formula
(x = y) & (y = z) & (f(x) f(z))
Transitivity:
(x = y) & (y = z) (x = z)
Congruence:
(x = z) (f(x) = f(z))
11
x0x1
x2
xn-1
QF_UF in Processor Verification (datapath)
ALU
x
f
Bit-vectors to Abstract Domain (e.g. Z)
Functional units to Uninterpreted Functions a = x & b = y f(a,b) = f(x,y)
Common Operations
1
0
x
y
p
ITE(p, x, y)
If-then-else
x
y x = y=
Test for equality
…
12
QF_UF in Equivalence Checking
int fun1(int y) { int x, z; z = y; y = x; x = z;
return x*x;}
int fun2(int y) { return y*y;}
SMT formulaSatisfiable not equivalent
( z = y & y1 = x & x1 = z & ret1 = x1*x1) &( ret2 = y*y ) &( ret1 ret2 )
Using SAT to check equivalence (w/ Minisat) 32 bits for y: Did not finish in over 5 hours 16 bits for y: 37 sec. 8 bits for y: 0.5 sec. Using EUF solver: 0.01 sec.
By Sanjit Seshia, UC Berkeley
13
Bit-Vector Arithmetic (QF_BV)
Fixed width data words Can model int, short, long, etc.
Arithmetic operations E.g., add/subtract/multiply/divide & comparisons Two’s complement and unsigned operations
Bit-wise logical operations E.g., and/or/xor, shift/extract and equality
Boolean connectives
(define b1::(bitvector 32))
(define b2::(bitvector 32))
(assert (and (= (bv-add b1 (mk-bv 32 1)) b2)
(/= (bv-add (mk-bv 32 0) (bv-add (mk-bv 32 1) b1)) b2)))
(check)
14
Linear Arithmetic (QF_LRA, QF_LIA)
Boolean combination of linear constraints
(a1 x1 + a2 x2 + … + an xn <= b)
where xi’s could be in Q or Z
Many applications, including: Verification of analog circuits Software verification, e.g., of array bounds
15
Difference Logic (QF_IDL, QF_RDL)
Boolean combination of linear constraints
xi – xj <= cij
where xi, xj, cij, are in Q or Z
Applications: Software verification (most linear constraints are of this form) Processor data-path verification Job shop scheduling
16
Theory of Arrays (QF_AX)
Two interpreted functions: select and store select(A,i) Read from array A at index i store(A,i,d) Write d to array A at index i
Two main axioms: select( store(A,i,d), I ) = d select( store(A,i,d), j ) = select(A,j) for i j
Extentionality axiom: (forall index i. select(A,i) = select(B,i)) (A = B)
17C. Barrett & S. A. Seshia
Example: QF_AX in Equivalence Checking
int fun1(int y) { int x[2]; x[0] = y; y = x[1]; x[1] = x[0];
return x[1]*x[1];}
int fun2(int y) { return y*y;}
SMT formula
x1 = store( x,0,y ) & y1 = select( x1,1 ) & x2 = store( x1,1,select(x1,0) ) & ret1 = sq( select(x2,1) ) & ret2 = sq(y) & ( ret1 ret2 )
18
Outline
What’s SMT?
Some Useful Theories
Inside SMT Solvers
How to Use It?
Application in Software Verification
19
SMT Solvers: “Eager” vs. “Lazy”
Eager approach: Translating input formula into an “equi-satisfable” Boolean formula using enough consequences of the underlying theory
Lazy approach: Writing a dedicated “theory solver” for conjunction of literals in the underlying theory, embedded as a submodule into a Boolean SAT solver
20
Example: Solvers for difference logic
Eager approach Small domain encoding Per constraint encoding
[Pnueli et al. 2002], [Shtrichman et al. 2002][Seshia et al. 2003]
Lazy approach Sateen, Z3, Yices
Top-3 in 2009 competition
input formula in IDL
Equi-SAT Boolean Formula(all transitivity constraints are added)
Boolean SAT
Input formula in IDL
Boolean Abstraction
Boolean SAT
Check theory consistency
Add trans. constraint
inconsistent ?
21
Integer Difference Logic (IDL)
Logic to model systems at the “word-level” Subset of a quantifier-free first-order logic Boolean connectives + predicates like (x – y ≤ c)
Formal verification applications Pipelined processors, timed systems, embedded software e.g., back-end of the UCLID Verifier
22
IDL Preliminaries
Difference logic formula
Difference predicates
Boolean skeleton
Constraint graph for assignment (A,¬B,C,D)
x y
wz
A:2
D:10C:3
¬B:-7
A: ( x – y ≤ 2 ) ¬ B: ( z – x ≤ -7 ) C: ( y - z ≤ 3 ) D: ( w - y ≤ 10 )
A: ( x – y ≤ 2 ), B: ( z – x ≤ -7 )C: ( y - z ≤ 3 ), D: ( w - y ≤ 10 )
23
Theory Solver: minimal requirement
For the theory solver
Input: a conjunction set of literals
Output: consistent or inconsistent
x y
wz
A:2
D:10C:3
¬B:-7
A: ( x – y ≤ 2 ) ¬ B: ( z – x ≤ -7 ) C: ( y - z ≤ 3 ) D: ( w - y ≤ 10 )
24
25
Theory Solver: can be more helpful
Conflict analysis: why inconsistent? Negative weighted cycle Theory conflict add a Lemma or blocking clause trigger a Boolean conflict
A: ( x – y ≤ 2 ) ¬ B: ( z – x ≤ -7 ) C: ( y - z ≤ 3 ) D: ( w - y ≤ 10 )
x y
wz
A:2
D:10C:3
¬B:-7
Lemma learned:
(¬A + B + ¬C)
A:2
C:3
¬B:-7
Conflicting clause: (false + false + false)
26
Theory Solver: can be even more helpful
Deriving Theory Implications: look-ahead If adding an edge creates a negative cycle negated edge is implied Theory implication var assignment Boolean implication (BCP)
A: ( x – y ≤ 2 ) ¬ B: ( z – x ≤ -7 ) C: ( y - z ≤ 3 ) D: ( w - y ≤ 10 )
x y
wz
A:2
D:10C:3
¬B:-7
Theory implication:
A ^ ¬B → (¬C)
C:3
Implied Boolean assignment trigger a series of BCP
27
Theory Solver: other desired features
Model generation
Conflict set generation
Deduction of unassigned literals
Incremental don’t start from scratch for each call
Backtrackable can “undo” steps to a previous state
Deduction of interface equalities (eij-deduction)
…
28
Negative Cycle Detection (standard)
Bellman-Ford shortest-paths algorithm Detect negative cycles as by-product Take O(n*m) time sounds good!
However, inside SMT Theory solver will be invoked many times, Each time on a very similar sub-problem
29
Bellman-Ford Algorithmrelax (u,v) {
if (d[v] > d[u] + w[u,v])
d[v] = d[u] + w[u,v];
}
Bellman_Ford ( ) {
for each node v, initialize d[v] = 0;
for (i=1; i<N; i++) {
for each edge (u,v) relax(u,v);
}
for each edge (u,v)
if ( d[v] > d[u] + w[u,v] )
return NEGATIVE_CYCLE;
return;
}
x y
wz
A:2
D:10C:3
¬B:-7
A: ( x – y ≤ 2 ) ¬ B: ( z – x ≤ -7 ) C: ( y - z ≤ 3 ) D: ( w - y ≤ 10 )
u,v nodes in graphd[u] node score d[v] node score
0
0
30
Incremental Algorithm
//… after adding the edge (u,v)
if ( d[v] > d[u] + w[u,v] ) {
relax (u,v)
enqueue (v)
}
while ( (x=dequeu()) != null) {
for each edge (x,y) {
if (d[y] > d[x] + w[x,y] ) {
relax (x,y)
if (u==x && v==y) return NEGATIVE_CYCLE;
else enqueue (y);
} } }
return;
u
v
Keep relaxing till it stablize…
But before that, if node v is
relaxed again, there is a cycle!
31
0
Incremental conflict detection
Relax (u,v): if (d[v] > d[u]+w[u,v]) { d[v] = d[u]+w[u,v]; pi[v] = u }
x y
wz
2
10
-7
0
-7 0
3
X -4
(z,y) d[y]=-4 pi[y]=z
X 6
(y,w) d[w]=6 pi[w]=y
(y,x) d[x]=-2 pi[x]=y
X -2
(x,z) d[z]=-9 pi[z]=x
X -9
•Add an edge relax, relax, relax, …, till stablization•Remove an edge ???
(z,y) CONFLICT !!!
32
Theory Solver: other desired features
Model generation
Conflict set generation
Deduction of unassigned literals
Incremental
Backtrackable can “undo” steps to a previous state
Deduction of interface equalities (eij-deduction)
…
33
Fast Backtracking (edge removal)
The number of backtracks is very large in practice Should have low runtime overhead can’t start from scratch Should be scalable in terms of memory usage can’t checkpoint
Key Observation { d[v] } remains a solution after removing some edges No need to restore the theory solver’s state
After the edge removal, nothing needs to be done!
Backtracking Cost constant-time!!!
34
Incremental Algorithm: an example[Wang et al. LPAR 2005][Wang et al. DAC 2006]
35
35
Diamonds: with O(2^n) negative cycles
-1
e1 e2
e0
Observations:
With existing predicates (e1,e2,…) exponential number of lemmas
Add new predicates (E1,E2,E3) linear number of lemmas
Previous eager chordal transitivity method used by [Strichmann et al. FMCAD’02]
E1 E2 E3
36
36
Heuristics to add “chordal predicates”
x y wz
Heuristics to choose GOOD predicates (short-cuts)
Nodes that show up frequently in negative cycles
Nodes that are re-convergence points of the graph
E3: x – y <= (d[x] - d[y])
Predicates: E1: x – y < 5 E2: y – x < 5Lemma: ( ! E1 + ! E2 )
37
Outline
What’s SMT?
Some Useful Theories
Inside SMT Solvers The “lazy” approach
The “eager” approach
How to Use It?
Application in Software Verification
38
Remove Functions: QF_UF SAT
Ackermann’s Reduction (1954) For each “function symbol occurrence”, add a new variable xf For each pair (xf1, xf2), add “function consistency constraints”
Input formula: f(a1) & f(a2) & f(a3)
Output formula: xf1 & xf2 & xf3 &
(a1 = a2) (xf1 = xf2) &
(a1 = a3) (xf1 = xf3) &
(a2 = a3) (xf2 = xf3)
39
Remove Functions: QF_UF SAT
Bryant-German-Velev Reduction (2001) Exploits a property of function applications called “positive equality” Eliminate functions using a nested If-Then-Else expressins
Input formula: f(a1) & f(a2) & f(a3)
Output formula: xf1 &
ITE(a2=a1, xf1, xf2) &
ITE(a3=a1, xf1, ITE(a3=a2, xf2, xf3) )
Further Improvement (Lahiri et al. 2004)
40
Small-Domain Encoding: QF_LIA SAT
For Linear Integer Arithmetic
If there is a satisfying solution to a formula, there is one whose size, measured in bits, is polynomially bounded in the problem size
With “bounded” integers, one can translate the LIA formula into a pure Boolean formula
41
Small-Domain Encoding: Example
Equality constraints of the form
(x = y), or (x != y)
For a formula with (n) variables, the solution size (d) is bounded by (n).
42C. Barrett & S. A. Seshia ICCAD 2009 Tutorial42
Summary of Solution Bounds
Logic Solution Bound d
Equality logic n
Difference logic n * ( bmax + 1 )
UTVPI logic (Gen2SAT) 2 * n * ( bmax + 1 )
Full Integer Linear Arithmetic
n *(bmax + 1) * (amaxk * w k)
43
Direct Encoding of Theory Axioms
Alternative to “small-domain” encoding Also called “per-constraint” encoding
For QF_UF (equality logic), Bryant and Velev (2001) Cubic – worst-case formula size
For QF_IDL (difference logic), Strichman et al (2002) Exponential – worst-case formula size
For QF_LIA (integer arithmetic), Strichman (2002) Double-exponential – worst-case formula size
44
Theory Combination: briefly
Problem Statement:
Is it possible to combine theory solvers for several component theories, denoted T1, …, Tn, into a theory solver that decides ground satisfiability modulo their combination?
The answer is negative, in general There are theories with decidable ground satisfiability
problems, whose combination is undecidable…
45
Theory Combination: briefly
Nelson and Oppen (1979,1980):
It is possible, if one imposes some restrictions on the component theories and their combination…
Sufficient conditions (for theories T1 and T2)1. They are signature-disjoint2. They are both “stably infinite”
46
Theory Combination: briefly
DTC: Delayed Theory Combination (2005, 2006) Rely on DPLL Boolean SAT Little requirement for Theory Solver
Eij-Deduction does not need to be complete
Delayed Theory Combination vs. Nelson-Oppen for Satisfiability Modulo Theories: a Comparative Analysis, by Bruttomesso et al. in LPAR 2006
47
Outline
What’s SMT?
Some Useful Theories
Inside SMT Solvers
How to Use It?
Application in Software Verification
48
In Practice: the Yices SMT Solver
Features: Producing models, for satisfiable formulas Producing proofs, for unsatisfiable formulas Identifying UNSAT cores
subset of the original formula that is also UNSAT Retracting clauses, MAX-SAT, etc.
Command-lineyices < file.ys or // native input formatyices --smt < file.smt // smt-lib input formula
API (programming interface)
49
Outline
What’s SMT?
Some Useful Theories
Inside SMT Solvers
How to Use It?
Application in Software Verification
50
Chao Wang NEC Labs, Princeton, NJ
Sudipta Kundu UC San Diego
Malay Ganai NEC Labs, Princeton, NJ
Aarti Gupta NEC Labs, Princeton, NJ
Symbolic Predictive Analysis for Concurrent Programs
Related publications
[Wang et al. FM 2009][Wang et al. FSE 2009][Wang et al. TACAS2010]
51
Main thread
Multithreaded C/C++ ProgramHeap (storing shared objects)
Thread 1 Thread 2 Thread 3
Test Input
POSIX Threads Library
(Pthreads)
Rest of the Linux OS
Your expectation: If the program fails the given test, you want to see the bug
The reality:Even if the program may fail (under a certain schedule), you perhaps won’t see it
Why? Thread scheduling is controlled by the OS and the Pthreads library
What is the Problem?
52
Main thread
Multithreaded C/C++ ProgramHeap (storing shared objects)
Thread 1 Thread 2 Thread 3
Test Input
POSIX Threads Library
(Pthreads)
Rest of the Linux OS
Our Solution
FUSION:
our scheduler/ trace logger /dynamic model
checker
Run the test once, and log the execution trace
Check (symbolically) all alternative interleavings of events of that trace
53
Predictive Analysis
Detecting errors by statically analyzing the recorded execution traces of a concurrent program
without re-running the program…
54
Given a concrete trace (logged during execution) some properties (e.g. embedded assertions)
Checking whether the properties hold in all possible interleavings of events of that trace Symbolically, using a SMT solver
55
C program:
multi-threaded, using Pthreads
Execution trace
“assume( c )” means the (c)-branch is taken
56
Execution trace
CTP (concurrent trace program)
Think of abounded, straight-line,
concurrent program
57
Detecting Violations (symbolically)
Build a SAT formula (in some quantifier-free first-order logic)
F_program : any feasible thread interleaving of CTP
F_property : assertion is violated
Solve
( F_program & F_property )
Sat found a real error
Unsat ……
58
Concurrent Static Single Assignment (CSSA)
F_po: HB(t0,t1) & HB(t1,t2) & HB(t2,t3) & HB(t3,t4) & HB(t4,t5)
HB(t0,t11) & HB(t11,t12) & HB(t12,t13) & HB(t13,t14) & HB(t14,15) & HB(t15,t18) & HB(t18,t5)
HB(t1,t21) & HB(t21,t26) & HB(t26,t27) & HB(t27,t28) & HB(t28,t4)
F_vd: (x0=0) & (y0=0) &
(a1=Y_1) & & (b1 = X_1)
(a1=0) & & (b1 != 0)
(x1=1) & & (y1 = 0)
(a2=X_2) &
(x2=a2)
F_property: (X_3 == Y_2)
F_pi: &( (Y_1=y0) & HB(t11,t27) OR
(Y_1=y1) & HB(t27,t11) )
& ( (X_1=x0) & HB(t21,t13) OR
(X_1=x1) & HB(t13,t21) & HB(t21,t15) OR
(X_1=x2) & HB(t15,t21) )
& (X_2=x1)
& (X_3=x2)
& (Y_2=y1)
59
HB (Happens-Before) Constraints
How is HB(t1,t2) implemented? Event t1 happens strictly before t2
HB(t1,t2) := t1 < t2 where t1,t2 are integer variables
60
Outline
Motivation
Symbolic Predictive Analysis
Related Work
Context Bounding (SAT-based)
Experiments
Conclusions
61
Related Work (predicting errors)
Methods that do not miss errors (over-approximate) Lockset methods: e.g. Eraser, RacerX
Problem: False alarms (sometimes, lots of them)
Methods with no bogus errors (under-approximate) Inspired by Lamport’s happens-before causality Recent causal models
Generalized Predictive Analysis [Sen,Rosu,Agha,2005] Parametric and Sliced Causality [Chen,Rosu,2007] Maximal Causal Model [Serbanuta,Chen,Rosu,2008]
– Subsume other causal models
62
Example (MCM works)counting semaphore: l=1 initiallyshared variables: x=y=0 initially
x:= 1 + a
t1: RD(x) = 0
t2: RD(l)=1,WR(l)=0
t3: WR(x) = 1
t4: WR(l)=1
t5: WR(y)=1
t6: RD(l)=1,WR(l)=0
t7: WR(x)=1
t8: WR(l)=1
t9 :
t10: RD(l)=1,WR(l)=0
t11: RD(x)=1
t12: assert(y==1)
t13: WR(l)=1
The View of Maximal Causal Model
observe “events” instead of “statements”
63
Example (MCM works)counting semaphore: l=1 initiallyshared variables: x=y=0 initially
x:= 1 + a
t1: RD(x) = 0
t2: RD(l)=1,WR(l)=0
t3: WR(x) = 1
t4: WR(l)=1
t5: WR(y)=1
t6: RD(l)=1,WR(l)=0
t7: WR(x)=1
t8: WR(l)=1
t9 :
t10: RD(l)=1,WR(l)=0
t11: RD(x)=1
t12: assert(y==1)
t13: WR(l)=1
Why is it feasible to move t11 ahead of t7?
t11 still reads in the value (x==1)
64
Example (MCM works)
t1: RD(x) = 0
t2: RD(l)=0,WR(l)=1
t3: WR(x) = 1
t4: WR(l)=1
t5: WR(y)=1
t6: RD(l)=0,WR(l)=1
t7: WR(x)=1
t8: WR(l)=0
t9 :
t10: RD(l)=0,WR(l)=1
t11: RD(x)=1
t12: assert(y==1)
t13: WR(l)=0
65
Example (MCM will miss real errors)counting semaphore: l=1 initiallyshared variables: x=y=0 initially
t1: RD(x) = 0
t2: RD(l)=0,WR(l)=1
t3: WR(x) = 2
t4: WR(l)=1
t5: WR(y)=1
t6: RD(l)=0,WR(l)=1
t7: WR(x)=1
t8: WR(l)=0
t9 :
t10: RD(l)=0,WR(l)=1
t11: RD(x)=1
t12: assert(y==1)
t13: WR(l)=0
MCM will miss this real error
x:= 1 + a
66
Using CTP (will catch the real error)
67
Outline
Motivation
Symbolic Predictive Analysis
Related Work
Context Bounding (SAT-based)
Experiments
Conclusions
72
Outline
Motivation
Symbolic Analysis
Related Work
Context Bounding (SAT-based)
Experiments
Conclusions
73
FUSION: runtime analysis + symbolic analysis
Target Program
test input
API
CSV
Online parsing
CTP building
CTP simplify
Symbolic Encoding
cssa …
Calling the SMTSolver
Static Analysis …
symbolic analysis
Dynamic MC(e.g. INSPECT, CHESS,VeriSoft)
Pick and Runa schedule
DPOR backtracking
sleep set, context bound
Search Stack
socket
Consulting CSV
SAT Check Prunecsv2inspect
74
Experiments
Benchmarks Multithreaded C programs (Linux/Pthreads) With embedded assertions
Details Indexer examples from [Flanagan & Godefroid, POPL 2005]
Multiple threads sharing a hash table 11 threads or less, no hash collision 12 threads or more, heavy hash collision
Bank examples from [Farchi, Nir, Ur, PDPS 2003]
Small programs with pointers, arrays, and structures,
75
Experimental Results
MO: run out of 800 MB memory
76
Conclusions
New method: symbolic predictive analysis Coverage: subsumes known causal models (MCM) Efficiency: SAT-based search vs. explicit enumeration
Highlights CTP (Concurrent Trace Program) CSSA (Concurrent Static Single Assignment) SAT-based context bounding
Future work Predicting atomicity violations
77
References
SMT
“Satisfiability Modulo Theories” (book chapter) Clark Barrett, Roberto Sebastiani, Sanjit A. Seshia, and Cesare Tinelli. In the Handbook of Satisfiability, IOS Press, 2009. (available from the authors’ web pages)
Concurrent Software Verification
“Symbolic Predictive Analysis for Concurrent Programs”, FM 2009 Chao Wang, Sudipta Kundu, Malay Ganai, and Aarti Gupta“Trace based Symbolic Analysis for Atomicity Violations”, TACAS 2010 Chao Wang, Rhishikesh Limaye, Malay Ganai, and Aarti Gupta (available from the authors’ web pages)