towards game-based predicate abstraction

30
Towards Game-Based Predicate Abstraction experiments in compositional model checking Adam Bakewell, University of Birmingham

Upload: vinaya

Post on 16-Jan-2016

34 views

Category:

Documents


0 download

DESCRIPTION

Towards Game-Based Predicate Abstraction. experiments in compositional model checking. Adam Bakewell, University of Birmingham. GAME BASED MODEL CHECKING. MAGE. Compositional (game-based) MC ’ ing works, has benefits, and can be efficient. proof: - PowerPoint PPT Presentation

TRANSCRIPT

Page 1: Towards Game-Based Predicate Abstraction

Towards Game-BasedPredicate Abstraction

experiments in compositional model checking

Adam Bakewell, University of Birmingham

Page 2: Towards Game-Based Predicate Abstraction

GAMEBASEDMODEL

CHECKING

Page 3: Towards Game-Based Predicate Abstraction

MAGE

• Compositional (game-based) MC’ing works, has benefits, and can be efficient.

proof: – Take the regular language game model

of IA– Reformulate model as tree of automata– Make model branches be

function/model application– Be lazy: make transitions when

demanded by checker– Be symbolic: don’t build the automata– Do CEGAR: approximate, certify, refine

Page 4: Towards Game-Based Predicate Abstraction

COMO

• Compositional MC’ing can verify real code with competitive efficiency

proof:– Take a C program and process with

CIL– Transform to ALGOL-like

compositional CFG language– Do MAGE better: pre-composed

interaction transitions; bdd; cbv; state compression+random access; etc

Page 5: Towards Game-Based Predicate Abstraction

compositional CFGs

Program ::= (τ f(xi:τi){new yi:τ’i.M})+

M ::= expr | M;M | lval:=expr | goto φ | case expr of {ki->Mi}

φ = path to target from enclosing function root

[[goto φ1]] = jump from state φ0·φ2 to φ0·φ1 where φ2 is the local path to this goto

Page 6: Towards Game-Based Predicate Abstraction

still ill

• Still far too slow • Data approximation is easily outwitted

• Other model checkers do much better with a different kind of approximation….

Page 7: Towards Game-Based Predicate Abstraction

e.g. xx1.c e.g. cc1.c

#include<assert.h>

extern int y;

extern int main () { int x=y; assert(x!=x+1); return(0);}

#include<assert.h>

extern char d;

extern int main () { char c=d; assert(c!=c+1); return(0);}

Page 8: Towards Game-Based Predicate Abstraction

e.g. evenloop.c

#include <assert.h>

extern int y;

int main() { int x = 0; int i = y; while(i-- >= 0) x += 2; assert(x%2==0); return(0);}

Page 9: Towards Game-Based Predicate Abstraction

PREDICATEABSTRACTION

Page 10: Towards Game-Based Predicate Abstraction

evenloop.c CFG model

┴ 0,y

0,y

2,y-1

2,y-1 2y,0

SAFE UNSAFE

x:=0;i=y i--;x+=2 (i--;x+=2)(y-1)

i < 0 i < 0 i < 0

2y,0

assert

state: x,i

Page 11: Towards Game-Based Predicate Abstraction

predicate abstraction (PA)

• P is a seq of predicates over program variables

• PA model is a CFG where• States are #P bit-vectors (P-valuations)• Transitions exist where some basic

block can change state sat. source P-valuation to state sat. target P-valuation

• If #P <#(program state) then checking PA model is much quicker than checking program model

Page 12: Towards Game-Based Predicate Abstraction

e.g. CFG PA model

┴ T

T F

SAFE UNSAFE

x:=0;i=y i--;x+=2

i<0 i<0

F

assert assert

P=[x%2==0]

i--;x+=2

Page 13: Towards Game-Based Predicate Abstraction

PA issues

• P– must be sufficient to prove (un)safety– must be compact for feasibility

(minimization)– derive from program/annotations– infer (e.g. by interpolation)

• modelling and checking– which p’s to update/test (scope)– when to update/test (laziness)

Page 14: Towards Game-Based Predicate Abstraction

PA needs games?

• CFG PA Is not compositional!

• Issues may be addressed elegantly with a compositional, semantic-direct, formulation

• Let’s try it…

Page 15: Towards Game-Based Predicate Abstraction

GAMEBASED

PREDICATEABSTRACTION

Page 16: Towards Game-Based Predicate Abstraction

GBPA v1

• Take COMO architecture• Do a simple p. extraction (assert

invariants!)• Locate each p. in model tree• Replace state model with p. model:(:=) sets p. state(case) tests p. state

Page 17: Towards Game-Based Predicate Abstraction

evenloop.c GBPA model

┴ T,T

T,F

SAFE

UNSAFE

x:=0;i=y

x+=2 tmp>0

tmp≤0

assert

P=[x%2==0,tmp>0]

tmp:=i;i--

T,T

T,F

T,T

T,F

Page 18: Towards Game-Based Predicate Abstraction

PA model formalization

• move: arena + value + p.valuation• [[CELL(x,P)]]

– Binds vars x, abstracted as preds P– states are P-valuation vectors– write move: (x := v|p) goes to state2

if SAT(state2[x’/x] & x’=v & p & state)– read move: (x.x|state) preserves

state; composition with [[case]] does SAT, e.g. SAT(x=v & p)

Page 19: Towards Game-Based Predicate Abstraction

laziness is free

• COMO architecture is built to make model transitions on-demand:

• (:=) SAT calls can be suspended when a valid next state is found

• (case) SAT calls suspend while an alternative is explored

Page 20: Towards Game-Based Predicate Abstraction

•lo

PREDICATELOCATION

Page 21: Towards Game-Based Predicate Abstraction

mind gym

Page 22: Towards Game-Based Predicate Abstraction

mind gym: verify your answer

#include <assert.h>

int main() {

int x = 19;

assert(x==19);

x=((((((((x+x)*2)+5)/3)+3)/2)+6)/7)+2;

assert(x==??);

return(0);

}

Page 23: Towards Game-Based Predicate Abstraction

e.g. multi assignment

int main() { int x = 19; x=x+x; x=x*2; x=x+5; x=x/3; x=x+3; x=x/2; x=x+6; x=x/7; x=x+2; assert(x==5); return(0);}

x!=5 here

x=5 or x!=5 here

assert has spurious failure

Page 24: Towards Game-Based Predicate Abstraction

e.g. manual interpolation

int main() { int x = 19; assert(x==19); x=x+x; assert(x==38); x=x*2; assert(x==76); x=x+5; assert(x==81); x=x/3; assert(x==27);

x=x+3; assert(x==30); x=x/2; assert(x==15); x=x+6; assert(x==21); x=x/7; assert(x==3); x=x+2; assert(x==5); return(0);}

Page 25: Towards Game-Based Predicate Abstraction

e.g. manual interpolation

• 10 assignments• 10 predicates• 10 assertions

• how many SAT calls to prove safety?

Page 26: Towards Game-Based Predicate Abstraction

p location

• GBPA CELL automatically restricts p scope

• Program transform with tighter CELLs will need less SAT calls

Page 27: Towards Game-Based Predicate Abstraction

e.g. manual relocation#include <assert.h>

int gym1(z) { int y=2*z; assert(y==38); y=y*2; assert(y==76); y=y+5; assert(y==81); return(y);}

int gym2(z) { int y=z/3; assert(y==27); y=y+3; assert(y==30); y=y/2; assert(y==15); return(y);}

int gym3(z) { int y=z+6; assert(y==21); y=y/7; assert(y==3); y=y+2; assert(y==5); return(y);}

int main() { int x = 19; assert(x==19); x=gym1(x); assert(x==81); x=gym2(x); assert(x==15); x=gym3(x); assert(x==5); return(0);}

Page 28: Towards Game-Based Predicate Abstraction

e.g. manual relocation

• in main:– 4 p’s to update: 16 SAT per (:=)– 4 asserts test on state size 4 p’s

• in gymi functions:– 3 p’s to update: 8 SAT per (:=)– local state size 3 p’s mostly sufficient– global state size 7 p’s sometimes

used

• total SATs: 68 + 3 * 27 = 149

Page 29: Towards Game-Based Predicate Abstraction

delayed SAT

– An alternative to interpolation:– Allow state updates to be delayed

until the kth– And delay state tests– Generalise CELL strategy s.t. states

also record seq of delayed changes– Refine by increasing k

Page 30: Towards Game-Based Predicate Abstraction

the position

• Game based model checking needs PA• PA fits the games framework• We get lazy PA for free• Tight CELL location offers minimization• delayed/incremental solving needs to be

accommodated