predicate abstraction of ansi-c programs using sat

Predicate Abstraction of ANSI-C Programs Using SAT

By Edmund Clarke, Daniel Kroening, Natalia Sharygina, Karen Yorav

Presented by Yunho KimProvable Software Lab, KAIST

Contents

Predicate Abstraction of ANSI-C Programs Using SAT, Yunho Kim, Provable Software Lab, KAIST 2/23

• Introduction

• Preparation of C code

• Abstraction using SAT

• Model checking

• Conclusion

• A simple C code has too many states for exhaus-tive analysis

• However, what we really need is ‘x is 0 or not’, not the concrete value of x

Introduction(1/3)


Example(unsigned int x)L1: while(x>1) {L2: if (x%2 == 1)L3: x = 3*x+1; elseL4: x = x/2; }L5: assert(x != 0); Ini-

tial

Value of x0 1 2 …

Pro-gramCounter

L1L2L3L4L5

…

Final

• Predicate is a function which returns a Boolean value– A function π: X→ {true, false} is a predicate on X

• States satisfying same predicates are equivalent

Introduction(2/3)


π = false

Value of x0 1 2 …

ProgramCounter

L1L2L3L4L5

…π=tru

ePredicateAbstraction

π = true

π = false

π ⇔ (x = 0)

Introduction(3/3)


• Overview of predicate abstraction process

PredicateAbstraction

ModelChecking

Predicate Refinement

Spuri-ous?

C programSpec φ

Boolean Program

Spurious Coun-terexample

φ false +

counterexam-ple

φ true

φ

Today’s focus: How to make a Boolean program effectively and effi-cientlyfrom a given C program and a set of predicates

Contents


• Introduction



• Model checking

• Conclusion

Preparation of C code(1/3)


Abstractionfunction(predicates)

Concrete transition(basic block) Concrete

next stateConcrete

state

Abstractstate

Abstractnext stateAbstract transition




• Transform C program into goto-program– Function inlining

• Recursion is not supported– Loop is rewritten using if and goto statements– Side-effects are removed

• x = 5+(++i); i = i+1;x = 5+i;



• goto-program examplegoto-program 1. int global; 2. int x, i; 3. global = 1; 4. i = i+1; 5. x = 5+i; 6. if (!x) goto L1; 7. global = 2; 8. goto L2; 9. L1: global = 3;10. L2:

C program 1. int global; 2. int func(){ 3. global = 1; 4. } 5. 6. int main(){ 7. int x, i; 8. func(); 9. if ((x = 5+(++i))){10. global = 2;11. }12. else{13. global = 3;14. }15. }

Contents


• Introduction



• Model checking

• Conclusion

Abstraction using SAT(1/9)


• Definition– v is the vector of all concrete program vari-

ables v• v is a state of a concrete program• Program counter is considered as a variable

– b denotes the vector of all Boolean variables b• b is a state of a Boolean program• Each predicate πi is associated with a Boolean vari-

able bi

– π denotes the vector of predicates πi• π(v) is called the abstraction function, π(v) = b



• Definition (con’t)– T is a concrete transition relation which maps a

concrete state v into a concrete next state v’– B is an abstract transition relation which maps

an abstract state b into an abstract next state b’




Concrete transition(basic block) Concrete

next stateConcrete

state

Abstractstate

Abstractnext stateAbstract transition


Example(unsigned int x)L1: while(x>1) {L2: if (x%2 == 1)L3: x = 3*x+1; elseL4: x = x/2; }L5: assert(x != 0);

PC=L4, x = 3

PC’=L1, x’ = 1

b = false

π ⇔ (x = 0) π ⇔ (x = 0)

b = false



• First defines the concrete transition rela-tion of a basic block

• Each basic block consists of a sequence of assignments– Therefore do not consider control statements

here

• T denotes the CNF formula representing the concrete transition relation



• Translates a basic block into its Static Sin-gle Assignment(SSA) form

• Each v’ in v’ is the largest numbered SSA variable

Basic blockx = z * x;y = x + 1;x = x + y;

SSA formv[x:=x0, y:=y0, z:=z0]

x1 = z0 * x0;y1 = x1 + 1;x2 = x1 + y1;

v’[x’:=x2, y’:=y1, z’:=z0]

T(v, v’)

CNFformula



• Assignments and arithmetic operations are trans-lated into CNF formula

• Assume that x,y,z are three bits positive inte-gers represented by propositions x0x1x2, y0y1y2, z0z1z2

• C z=x+y (z0(x0⊕y0)⊕( (x1∧y1) ∨ ((x1⊕y1)∧(x2∧y2)))∧ (z1(x1⊕y1)⊕(x2∧y2)) ∧ (z2(x2⊕y2))



• The abstract transition relation B(b, b’) is defined using π as follows:

•



• ExampleBasic block

d = e;e = e+1;

SSA formv[d:=d0, e:=e0]

d1 = e0

e1 = e0+1v’[d’:=d1, e’:=e1]

SAT formula(b1(e0≥0)) (b∧ 2(e0≤100))∧

d1=e0 e∧ 1=e0+1 ∧(b1’=(e1≥0)) (b∧ 2’=(e1≤100))

Predicates:π1 = e ≥ 0π2 = e ≤ 100

b1 b2 b1’

b2’

0 1 0 10 1 1 11 0 0 11 0 1 01 1 1 01 1 1 1

All satisfying assign-ments obtained using SAT solver



• The condition in if statement can be a predicate

Control state-ment

x = 0;if (x<2) x = x+1;

SAT formulab1x0<2 ∧x1=0 ∧

b1’ x1<2 ∧

Predicate:π1 = x < 0

b1’x1<2 ∧x2=x1+1 ∧b1’’ x2<2

┐(b1’x1<2) ∧x2=x1 b∧ 1’’=b1’∨

Contents


• Introduction



• Model checking

• Conclusion

Model checking(1/1)


• Model checker tries to find a counterexample of the generated Boolean program model.

• If no counterexample is found, the concrete pro-gram satisfies given requirements.

• If a counterexample is found, check its feasibility– If the counterexample is infeasible, refine predicates and

re-run predicate abstraction process

Conclusion(1/1)


• Predicate abstraction using SAT performs better than theorem provers

• It can use sound abstraction with the power of SAT solver

References(1/1)


• Predicate abstraction of ANSI-C Programs Using SATby Edmund Clarke, Daniel Kroening, Natasha Sharygina and Karen Yoravin Formal Methods in System Design, Vol. 25, pp. 105-127, 2004

predicate abstraction of ansi-c programs using sat

Documents