Automatic Abstraction in SMT-Based Unbounded Software Model Checking

© Anvesh KomuravelliSpacer

Automatic Abstraction in SMT-Based Unbounded Software Model Checking

Anvesh KomuravelliCarnegie Mellon University

Joint work with Arie Gurfinkel, Sagar Chaki and Edmund Clarke

© Anvesh KomuravelliSpacer 2

The Problem

Program P+ Assertions

Automatic analysis for

assertion failures

Safe

Unsafe

Unknown

Software Model Checking

+ Proof

+ Counterexample

+ Partial Proof

reach(P) error(P)

Is it empty?


reach(P) error(P)

Over-approximation Driven (OD)


reach(P) error(P)

Over-approximation driven (OD)


Over-approximation driven (OD)

Key Idea CEGAR based on Predicate Abstraction

Symbolic Method

BDDs for fixed point computation,SMT for new predicates

Tools SLAM, BLAST, SDV, etc.


reach(P)

Under-approximation Driven (UD)

error(P)


Under-approximation driven (UD)

reach(P) error(P)


Under-approximation driven (UD)

Key Idea BMC based Approach

Symbolic Method SMT

Tools IMPACT, UFO, etc.


Key Recent Advancements

2003 Interpolation for Hardware Model Checking McMillan

2006 IMPACT (Path Interpolants) McMillan

2009 Path Interpolants for Hardware Model Checking Grumberg et al.

2010 IC3 (Different way of computing Interpolants, Hardware) Bradley

2011 WOLVERINE (Bit-level Implementation of IMPACT) Kroening et al.

2012 UFO (DAG Interpolation method, Predicate Abstraction + Interpolation) Gurfinkel et al.

2012 VINTA (Abstract Interpretation + Interpolation) Gurfinkel et al.

2011 FunFrog (Interprocedural) Sharygina et al.

2012 μZ (Horn clause solver based on GPDR) Bjorner et al.

2012 Duality (Horn clause solver based on Interpolation) McMillan, Rybalchenko

2012 WHALE (Interprocedural) Gurfinkel et al.


reach(P) error(P)

Our Strategy

Under-approx. Abstract Under-approx.


reach(P) error(P)

Our Strategy

Under-approx. Abstract Under-approx. Refine


error(P)reach(P)

Our Strategy

Under-approx. Abstract Under-approx. Refine Abstract


error(P)reach(P)

Our Strategy

And so on …


error(P)reach(P)

reach(P) is covered

Our Strategy

Abstractions guide the SMT solver to look for general proofs


It’s based on UD

…

…

……

Under-approximations

Abstract


It’s based on UD

…

…

……


Abstract

need not be monotonic


Spacer is based on UD

…

…

……


Abstract

non-trivial abstraction


SpacerProgram

Under-Approximate

Check Safety Feasible?Feasible?

Abstract Refine

Proof-Based Abstraction CEGARNo No

Yes Yes

Safety Proof Counterexample


Why Abstraction?

x = y = z = w = 0;while (*) {

x = *; y = *;assume (0 ≤ y ≤ 100x);if (y > 10w && z ≥ 100x) {

y = −y;}t = 1;w += t; z += 10t;

}assert (0 ≤ y)

only way to fail the assertion


UD Reasoning

x = y = z = w = 0;while (*) {


y = −y;}t = 1;w += t; z += 10t;

}assert (0 ≤ y)

1st Iteration:w = 0, z = 0

y ≤ 100x


UD Reasoning

x = y = z = w = 0;while (*) {


y = −y;}t = 1;w += t; z += 10t;

}assert (0 ≤ y)

2nd Iteration:w = 1, z =10

y ≤ 100x


UD Reasoning

x = y = z = w = 0;while (*) {


y = −y;}t = 1;w += t; z += 10t;

}assert (0 ≤ y)

3rd Iteration:w = 2, z = 20

y ≤ 100x

And so on…


But …

x = y = z = w = 0;while (*) {


y = −y;}t = 1;w += t; z += 10t;

}assert (0 ≤ y)

The value ‘1’ doesn’t matter!


But …

x = y = z = w = 0;while (*) {


y = −y;}t = *;w += t; z += 10t;

}assert (0 ≤ y)


UD Reasoning on the Abstraction

x = y = z = w = 0;while (*) {


y = −y;}t = *;w += t; z += 10t;

}assert (0 ≤ y)

2nd Iteration

w = t, z = 10t

z = 10w

All Iterations

Resolve t away

y ≤ 100x

Redundant


Original Example

x = y = z = w = 0;while (*) {

if (*) {x++; y += 100;}else if (*)

if (x ≥ 4) {x++; y++;}else if (y > 10w && z ≥ 100x) {

y = −y;}t = 1;w += t; z += 10t;

}assert (!(x ≥ 4 && y ≤ 2))

Source: Automatically Refining Abstract Interpretations, Gulavani, Chakraborty, Nori and Rajamani, TACAS ‘08.

μZ (SMT-Based Model Checker,part of Z3)

Cannot solve in an hour

Spacer (our tool)

Finds a proof in a min.

Solves an abstraction in < 1 sec.

t = *;


What’s the magic?

Focused Proofs

Abstractions guide the SMT solver to look for certain kind of proofs Avoid proofs specific to an under-approximation

How to obtain abstractions?

From proofs of under-approximations! (Proof-Based Abstraction) Hope: What’s sufficient for the under-approximation is sufficient in general Downside: If abstraction is too coarse, need to refine (CEGAR)


SpacerProgram

Under-Approximate


Abstract Refine


Yes Yes



Schematic Example

init_stmt;c = 0;

while (*) {// invar_1, invar_2// invar_3, invar_4assume (c < k1);if (*) {

v1 = e1; v2 = e2;} else {

v3 = e3; v4 = e4;}v5 = e5; v6 = e6;c += 1;

}

assert (safe);

Add Counters

Under-approximate Solve

Loop Invariants


Schematic Example

Under-approximate Solve Feasible?

init_stmt;c = 0;assume (invar_1, invar_2);while (*) {

// invar_1, invar_2// invar_3, invar_4assume (c < k1);if (*) {

v1 = e1; v2 = e2;} else {

v3 = e3; v4 = e4;}v5 = e5; v6 = e6;c += 1;assume (invar_1, invar_2);

}

assert (safe);

Unbounded!

Specific to under-approx.

Treat as guessedunbounded invariants.

Essentially like Houdini [FL’01].

Extract UnboundedInvariants

Strengthenwith

Invariants

[FL’01] Houdini, an annotationassistant for ESC/Java,C. Flanagan and K.R.M. Leino, 2001



// invar_1, invar_2

if (*) {v1 = e1; v2 = e2;

} else {v3 = e3; v4 = e4;

}v5 = e5; v6 = e6;c += 1;assume (invar_1, invar_2);

}

assert (safe);

Does not provethe assertion

Schematic Example

Under-approximate Solve Feasible? NO




v1 = e1; v2 = e2;} else {

v3 = e3; v4 = e4;}v5 = e5; v6 = e6;c += 1;assume (invar_1, invar_2);

}

assert (safe);

Redundantfor the proof

Schematic Example

Under-approximate Solve Feasible? NO Abstract


Schematic Example




v1 = e1; v2 = *;} else {

v3 = e3; v4 = *;}v5 = e5; v6 = *;c += 1;assume (invar_1, invar_2);

}

assert (safe);

Proof-BasedAbstraction



assume (c < k2);if (*) {

v1 = e1; v2 = *;} else {

v3 = e3; v4 = *;}v5 = e5; v6 = *;c += 1;assume (invar_1, invar_2);

}

assert (safe);

Concretize

k2 > k1

Schematic Example


AbstractCounterexample!

Feasible?

Concrete controlpath is infeasible

NO Refine


Schematic Example

Under-approximate Solve Feasible? NO Refine


assume (c < k2);if (*) {

v1 = e1; v2 = e2;} else {

v3 = e3; v4 = e4;}v5 = e5; v6 = *;c += 1;assume (invar_1, invar_2);

}

assert (safe);

CEGAR



// invar_5// invar_6assume (c < k2);if (*) {

v1 = e1; v2 = e2;} else {

v3 = e3; v4 = e4;}v5 = e5; v6 = *;c += 1;assume (invar_1, invar_2);

}

assert (safe);

Unbounded

Schematic Example

Under-approximate Solve Feasible? YES

Invariants


SpacerProgram

Under-Approximate


Abstract Refine


Yes Yes



Detailed Example

x = y = z = w = 0;

while (*) {

if:: x++; y += 100;:: (x ≥ 4) -> x++; y++;:: (y > 10w && z ≥ 100x) -> y = −y;fiw++; z += 10;

}

assert (!(x ≥ 4 && y ≤ 2));

if (nd ()) {x++; y += 100;}else if (nd () && x ≥ 4) {x++; y++;}else if (y > 10w && z ≥ 100x) {y = −y;}else assume (0);

non-deterministic choice(e.g. as in Promela)

C-like


Detailed Example

x = y = z = w = 0;c = 0;

while (*) {// (y > 10w) => (z < 100x), z ≤ 100x,// x ≤ 2, c ≤ 0 => x ≤ 0, c ≤ 1 => x ≤ 1assume (c < 2);if:: x++; y += 100;:: (x ≥ 4) -> x++; y++;:: (y > 10w && z ≥ 100x) -> y = −y;fiw++; z += 10;c += 1;

}

assert (!(x ≥ 4 && y ≤ 2));

Add Counters


Loop Invariants


Detailed Example

x = y = z = w = 0;c = 0;

while (*) {// (y > 10w) => (z < 100x), z ≤ 100x,// x ≤ 2, c ≤ 0 => x ≤ 0, c ≤ 1 => x ≤ 1assume (c < 2);if:: x++; y += 100;:: (x ≥ 4) -> x++; y++;:: (y > 10w && z ≥ 100x) -> y = −y;fiw++; z += 10;c += 1;

}

assert (!(x ≥ 4 && y ≤ 2));

Inductive Invariant


Safe


Detailed Example

x = y = z = w = 0;c = 0;assume (y > 10w => z < 100x, z ≤ 100x);while (*) {

// (y > 10w) => (z < 100x), z ≤ 100x,// x ≤ 2, c ≤ 0 => x ≤ 0, c ≤ 1 => x ≤ 1assume (c < 2);if:: x++; y += 100;:: (x ≥ 4) -> x++; y++;:: (y > 10w && z ≥ 100x) -> y = −y;fiw++; z += 10;c += 1;assume (y > 10w => z < 100x, z ≤ 100x);

}

assert (!(x ≥ 4 && y ≤ 2));

Under-approximate Solve Feasible?

Preserved!Specific to under-approx.

Depend on counter

Extract UnboundedInvariants

Strengthenwith

Invariants


Detailed Example


// (y > 10w) => (z < 100x), z ≤ 100x,

if:: x++; y += 100;:: (x ≥ 4) -> x++; y++;:: (y > 10w && z ≥ 100x) -> y = −y;fiw++; z += 10;c += 1;assume (y > 10w => z < 100x, z ≤ 100x);

}

assert (!(x ≥ 4 && y ≤ 2));

Under-approximate Solve Feasible? NO

Does not provethe assertion


Detailed Example


// (y > 10w) => (z < 100x), z ≤ 100x,// x ≤ 2, c ≤ 0 => x ≤ 0, c ≤ 1 => x ≤ 1assume (c < 2);if:: x++; y += 100;:: (x ≥ 4) -> x++; y++;:: (y > 10w && z ≥ 100x) -> y = −y;fiw++; z += 10;c += 1;assume (y > 10w => z < 100x, z ≤ 100x);

}

assert (!(x ≥ 4 && y ≤ 2));


Redundant


Detailed Example


// (y > 10w) => (z < 100x), z ≤ 100x,// x ≤ 2, c ≤ 0 => x ≤ 0, c ≤ 1 => x ≤ 1assume (c < 2);if:: x++; y = *;:: (x ≥ 4) -> x++; y = *;:: (y > 10w && z ≥ 100x) -> y = *;fiw = *; z = *;c += 1;assume (y > 10w => z < 100x, z ≤ 100x);

}

assert (!(x ≥ 4 && y ≤ 2));


Fails Enlarge error


Detailed Example


// (y > 10w) => (z < 100x), z ≤ 100x,// x ≤ 2, c ≤ 0 => x ≤ 0, c ≤ 1 => x ≤ 1assume (c < 2);if:: x++; y = *;:: (x ≥ 4) -> x++; y = *;:: (y > 10w && z ≥ 100x) -> y = *;fiw = *; z = *;c += 1;assume (y > 10w => z < 100x, z ≤ 100x);

}

assert (!(x ≥ 4));



Detailed Example


assume (c < 4);if:: x++; y = *;:: (x ≥ 4) -> x++; y = *;:: (y > 10w && z ≥ 100x) -> y = *;fiw = *; z = *;c += 1;assume (y > 10w => z < 100x, z ≤ 100x);

}

assert (!(x ≥ 4));


Counterexample!

Increment x to 4Choose y arbitrarily

Feasible?

Concrete controlpath is infeasible

NO Refine

Concretize


Detailed Example


assume (c < 4);if:: x++; y += 100;:: (x ≥ 4) -> x++; y++;:: (y > 10w && z ≥ 100x) -> y = −y;fiw = *; z = *;c += 1;assume (y > 10w => z < 100x, z ≤ 100x);

}

assert (!(x ≥ 4 && y ≤ 2));

Under-approximate Solve Feasible? NO Refine


Detailed Example


// (y > 10w) => (z < 100x), z ≤ 100x// y > 0, (x > 0) => (y ≥ 100)assume (c < 4);if:: x++; y += 100;:: (x ≥ 4) -> x++; y++;:: (y > 10w && z ≥ 100x) -> y = −y;fiw = *; z = *;c += 1;assume (y > 10w => z < 100x, z ≤ 100x);

}

assert (!(x ≥ 4 && y ≤ 2));

Under-approximate Solve Feasible? YES

Inductive Invariant

Safe

Unbounded


Implementation Details – Unbounded Invariants

Pre-Lemmas Post-LemmasConcrete Counters

Goal Find maximal such that



UNSAT

SAT with true

SAT?

Repeat until fixed point



Maximal subset of true post-lemmasMinimal number of bi’s to be set to falseFixed point Iteration:

Introduce Assumption

variables



Iteration 1

✔

✗

Iteration 2

✗

disableddisabled


Implementation Details – Abstraction

Introduce Assumption

variables



Are all lemmas necessary?



Introduce Assumption variables for

lemmas


Spacer ToolProgram

Under-Approximate


Abstract Refine


Yes Yes



Spacer ToolProgram

Under-Approximate


Abstract Refine


Yes Yes


μZ Horn-Clause Solver(part of Z3)


Spacer ToolProgram

Under-Approximate


Abstract Refine


Yes Yes


Horn-Clause Encoding

μZ Horn-Clause Solver(part of Z3)


Spacer Tool

C Program

Preprocessing UFO Frontend (based on LLVM)Simplification, Large Block Encoding, etc.

Horn Clause Encoding Implemented using UFO Frontend


Results on SV-COMP’13 Benchmarks

0 50 100 1500

50

100

150

UNSAFE Benchmarks

μZ (secs)

Spac

er (s

ecs)

Abstraction did not helpfor UNSAFE

ALSO,not a challenging pool

of benchmarks



0 100 200 300 400 500 600 700 800 9000

100

200

300

400

500

600

700

800

900

SAFE Benchmarks

μZ (secs)

Spac

er (s

ecs)



0 100 200 300 400 500 600 700 800 9000

100

200

300

400

500

600

700

800

900

SAFE Benchmarks

μZ (secs)

Spac

er (s

ecs)

~1 min.Not very meaningful

to compare



0 100 200 300 400 500 600 700 800 9000

100

200

300

400

500

600

700

800

900

SAFE Benchmarks

μZ (secs)

Spac

er (s

ecs)

< 5 min.Mixed

Results



0 100 200 300 400 500 600 700 800 9000

100

200

300

400

500

600

700

800

900

SAFE Benchmarks

μZ (secs)

Spac

er (s

ecs)

Advantage!



0 100 200 300 400 500 600 700 800 9000

100

200

300

400

500

600

700

800

900

SAFE Benchmarks

μZ (secs)

Spac

er (s

ecs)

Advantage!

Time-out

Mem-out


Conclusion

Focused Proofs

Abstractions guide the SMT solver to look for certain kind of proofs Avoid proofs specific to an under-approximation

How to obtain abstractions?

From proofs of under-approximations! (Proof-Based Abstraction) Hope: What’s sufficient for the under-approximation is sufficient in general Downside: If abstraction is too coarse, need to refine (CEGAR)

A framework for automated abstraction in SMT-based Software Model Checking Implementation using an existing SMT-based model checker with practical

advantage

Contributions


Conclusion (contd…)

Post-pruning of Proofs during Abstraction (Local vs. Global Proofs) Non-monotonic abstractions Major role of invariants (exploit the generality of proofs of under-approximations

Visit spacer.bitbucket.org todownload tool and detailed slides!

Why does PBA work?


On-going and Future Work

Observation: Fixed granularity of abstraction – at the program levelObservation: Restricted space of abstractions

Questions: When/How to abstract/refine?

Observation: Proofs too dependent on counter constraints (i.e. underapprox.)

Question: How to use counters only when needed? In general, how to minimize the use of a given set of assumptions?

Observation: Abstraction is done offline, after obtaining a proof of an under-approximation.

Question: How does an on-the-fly abstraction work? When each transition is treated as a recursion-free procedure, it is similar to summarizing procedures on-the-fly. Also, how to handle recursion?


Read our CAV’13 paper for details…

Questions?


Extra Slides


SMT-Based Model Checking

init

error

CFG Loop-Free Unrolling

Possibility 1 : UNSAFE

Possibility 2 : SAFE

Path Interpolants (McMillan ‘06)

Discharge Verification Condition on SMT solver


SMT-Based Model Checking

init

error

CFG

Further Unrolling

Possibility 1 : UNSAFE

Possibility 2 : SAFE

DAG Interpolants [AGC’12]

Continue Until Convergence

Discharge Verification Condition on SMT solver

[AGC’12] : From Under-approximations to Over-approximations and Back,Albarghouthi, Gurfinkel and Chechik, TACAS ‘12

Automatic Abstraction in SMT-Based Unbounded Software Model Checking

Documents

Transcript of Automatic Abstraction in SMT-Based Unbounded Software Model Checking