1 / 93

SMT and Its Application in Software Verification (Part II)

SMT and Its Application in Software Verification (Part II). Yu-Fang Chen IIS, Academia Sinica Based on the slides of Barrett, Sanjit , Kroening , Rummer , Sinha , Jhala , and Majumdar , McMillan. L=0. [L!=0]. do{ lock(); old = new; if(*){ unlock(); new++; }

ros
Télécharger la présentation

SMT and Its Application in Software Verification (Part II)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. SMT and Its Application in Software Verification (Part II) Yu-Fang Chen IIS, Academia Sinica Based on the slides of Barrett, Sanjit, Kroening , Rummer, Sinha, Jhala, and Majumdar, McMillan

  2. L=0 [L!=0] do{ lock(); old = new; if(*){ unlock(); new++; } } while (new != old); L=1; old=new L=0; new++ [new!=old] program fragment [new==old] control-flow graph Lazy abstraction -- an example

  3. T 0 Unwinding the CFG L=0 [L!=0] L=1; old=new L=0; new++ [new!=old] [new==old] control-flow graph

  4. T 0 L=0 T 1 Unwinding the CFG L=0 [L!=0] L=1; old=new Replace all free occurrences of L in the formula with L’ L=0; new++ [new!=old] [new==old] Compute Post (T, L=0)= T[L/L’] ÆL=0[L/L’] = (L=0) Make Abstraction (L=0)  T Pass control-flow graph

  5. T 0 L=0 T [L!=0] 2 1 Unwinding the CFG L=0 [L!=0] L=1; old=new Compute Post (T, [L!=0])= TÆ(L!=0) = (L!=0) ERROR state reached! L=0; new++ [new!=old] [new==old] control-flow graph

  6. T 0 L=0 T [L!=0] 2 1 Unwinding the CFG T T L=0 L!=0 L=0 [L!=0] L=0 [L!=0] L=1; old=new Compute Post (T, [L!=0])= TÆ(L!=0) = (L!=0) ERROR state reached! L=0; new++ [new!=old] [new==old] control-flow graph

  7. T 0 L=0 T [L!=0] 2 1 Unwinding the CFG T T L=0 L!=0 L=0 [L!=0] L=0 [L!=0] L=1; old=new Compute Post (T, [L!=0])= TÆ(L!=0) = (L!=0) ERROR state reached! L=0; new++ L!=0 [new!=old] [new==old] control-flow graph WPre(L!=0, [L!=0]) = (L!=0)

  8. T 0 L=0 T [L!=0] 2 1 Unwinding the CFG L=0 T L=0 L!=0 L=0 [L!=0] L=0 [L!=0] L=1; old=new Compute Post (T, [L!=0])= TÆ(L!=0) = (L!=0) ERROR state reached! L=0; new++ L!=0 [new!=old] [new==old] control-flow graph Compute Craig Interpolant: (L=0) 1. (L=0)  (L=0) 2. (L=0) Æ (L=0) is UNSAT 3. Use only share var. of (L=0) and (L!=0) WPre(L!=0, [L!=0]) = (L!=0)

  9. T 0 L=0 L=0 [L!=0] 2 1 Unwinding the CFG L=0 T L=0 L!=0 L=0 [L!=0] L=0 [L!=0] F L=1; old=new Compute Post (T, [L!=0])= TÆ(L!=0) = (L!=0) ERROR state reached! L=0; new++ L!=0 [new!=old] [new==old] control-flow graph Compute Craig Interpolant: (L=0) 1. (L=0)  (L=0) 2. (L=0) Æ (L=0) is UNSAT 3. Use only share var. of (L=0) and (L!=0) WPre(L!=0, [L!=0]) = (L!=0)

  10. L=1; old=new L!=0 3 Unwinding the CFG T 0 L=0 L=0 [L!=0] F [L!=0] L=0 2 1 L=1; old=new L=0; new++ [new!=old] Compute Post (L=0, L=1) = (L=0)[L/L’] ÆL=1[L/L’] = (L’=0 ÆL=1) Compute Post (L’=0 ÆL=1, old=new) = (L’=0 ÆL=1)[old/old’] Æ old=new[old/old’] = L’=0 ÆL=1Æold=new Make Abstraction (L’=0 ÆL=1Æold=new)  (L!=0) Pass (L’=0 ÆL=1Æold=new)  (L=0) Not Passed [new==old] control-flow graph

  11. L=1; old=new L!=0 3 L=0; new++ L=0 4 Unwinding the CFG T 0 L=0 L=0 [L!=0] F [L!=0] L=0 2 1 L=1; old=new L=0; new++ [new!=old] [new==old] Compute Post (L!=0, L=0) = (L!=0)[L/L’] ÆL=0[L/L’] = (L’!=0 ÆL=0) Compute Post (L’!=0 Æ(L=0), new=new+1) = (L’!=0 ÆL=0)[new/new’] Æ new=(new+1)[new/new’] = (L’!=0 ÆL=0 Æ new=new’+1) Make Abstraction (L’!=0 ÆL=0 Æ new=new’+1)  (L!=0) Not Passed (L’!=0 ÆL=0 Æ new=new’+1)  (L=0) Pass control-flow graph

  12. L=1; old=new L!=0 3 L=0; new++ L=0 4 [new!=old] L=0 5 Unwinding the CFG T 0 L=0 L=0 [L!=0] F [L!=0] L=0 2 1 L=1; old=new L=0; new++ [new!=old] [new==old] Compute Post (L=0, [new!=old]) = (L=0 Æ new!=old) Make Abstraction (L=0 Æ new!=old)  (L!=0) Not Passed (L=0 Æ new!=old)  (L=0) Pass control-flow graph

  13. L=1; old=new L!=0 3 L=0; new++ L=0 4 [new!=old] L=0 5 Unwinding the CFG T 0 L=0 L=0 [L!=0] F [L!=0] L=0 2 1 L=1; old=new L=0; new++ [new!=old] [new==old] control-flow graph Covering: state 5 is subsumed by state 1. L=1  L=1 Pass

  14. [new==old] L=0 7 Unwinding the CFG T 0 L=0 L=0 [L!=0] F [L!=0] L=0 2 1 L=1; old=new L=1; old=new L!=0 3 L=0; new++ L=0; new++ [new!=old] L=0 4 [new!=old] [new==old] L=0 5 Compute Post (L=0, [new==old]) = (L=0 Æ new==old) Make Abstraction (L=0 Æ new!=old)  (L!=0) Not Passed (L=0 Æ new!=old)  (L=0) Pass control-flow graph

  15. L!=0 8 [new==old] L=0 7 Unwinding the CFG T 0 L=0 L=0 [L!=0] F [L!=0] L=0 2 1 L=1; old=new L=1; old=new L!=0 3 L=0; new++ L=0; new++ [new!=old] L=0 4 [new!=old] [new==old] L=0 5 No Actions control-flow graph

  16. L!=0 8 [new==old] L=0 7 9 L!=0 Unwinding the CFG T 0 L=0 L=0 [L!=0] F [L!=0] L=0 2 1 L=1; old=new L=1; old=new L!=0 3 L=0; new++ L=0; new++ [new!=old] L=0 4 [new!=old] [new==old] [new==old] L=0 5 control-flow graph Compute Post (L!=0, [new==old]) = (L!=0 Æ new==old) Make Abstraction (L!=0 Æ new==old)  (L!=0) Pass (L!=0 Æ new==old)  (L=0) Not Passed

  17. L!=0 8 [new==old] [new!=old] L=0 10 7 9 L!=0 L!=0 Unwinding the CFG T 0 L=0 L=0 [L!=0] F [L!=0] L=0 2 1 L=1; old=new L=1; old=new L!=0 3 L=0; new++ L=0; new++ [new!=old] L=0 4 [new!=old] [new==old] [new==old] L=0 5 control-flow graph Compute Post (L!=0, [new!=old]) = (L!=0 Æ new!=old) Make Abstraction (L!=0 Æ new!=old)  (L!=0) Pass (L!=0 Æ new!=old)  (L=0) Not Passed

  18. L!=0 8 [new==old] [new!=old] [L!=0] L=0 10 7 11 9 L!=0 L!=0 Unwinding the CFG T 0 L=0 L=0 [L!=0] F [L!=0] L=0 2 1 L=1; old=new L=1; old=new L!=0 3 L=0; new++ L=0; new++ [new!=old] L=0 4 [new!=old] [new==old] [new==old] L=0 5 control-flow graph Compute Post (L!=0, [L!=0]) = (L!=0 Æ L!0) ERROR state reached!

  19. L!=0 8 [new==old] [new!=old] [L!=0] L=0 10 7 11 9 L!=0 L!=0 Unwinding the CFG T 0 L=0 L=0 [L!=0] F [L!=0] L=0 2 1 L=1; old=new L=1; old=new L!=0 3 L=0; new++ L=0; new++ [new!=old] L=0 4 [new!=old] [new==old] [new==old] L=0 5 control-flow graph L!=0 L!=0 L!=0 L=0 L=1 old=new [L!=0] [new!=old] T L=0 L’=0 Æ L=1Æ old=new L!=0 L!=0 L=0 L!=0 Æ old!=new

  20. L!=0 8 [new==old] [new!=old] [L!=0] L=0 10 7 11 9 L!=0 L!=0 Unwinding the CFG T 0 L=0 L=0 [L!=0] F [L!=0] L=0 2 1 L=1; old=new L=1; old=new L!=0 3 L=0; new++ L=0; new++ [new!=old] L=0 4 [new!=old] [new==old] [new==old] L=0 5 control-flow graph L!=0 L!=0 L!=0 L=0 L=1 old=new [L!=0] [new!=old] T L=0 L’=0 Æ L=1Æ old=new L!=0 L!=0 L=0 L!=0 Æ old!=new L!=0 L!=0 Æ old!=new

  21. L!=0 8 [new==old] [new!=old] [L!=0] L=0 10 7 11 9 L!=0 L!=0 Unwinding the CFG T 0 L=0 L=0 [L!=0] F [L!=0] L=0 2 1 L=1; old=new L=1; old=new L!=0 3 L=0; new++ L=0; new++ [new!=old] L=0 4 [new!=old] [new==old] [new==old] L=0 5 control-flow graph L!=0 L!=0 L!=0 L=0 L=1 old=new [L!=0] [new!=old] T L=0 L’=0 Æ L=1Æ old=new L!=0 L!=0 L=0 L!=0 Æ old!=new L!=0 L!=0 Æ old!=new L!=0 Æ old!=new L!=0 Æ old!=new

  22. L!=0 8 [new==old] [new!=old] [L!=0] L=0 10 7 11 9 L!=0 L!=0 Unwinding the CFG T 0 L=0 L=0 [L!=0] F [L!=0] L=0 2 1 L=1; old=new L=1; old=new L!=0 3 L=0; new++ L=0; new++ [new!=old] L=0 4 [new!=old] [new==old] [new==old] L=0 5 control-flow graph L!=0 L!=0 L!=0 L=0 L=1 old=new [L!=0] [new!=old] T L=0 L’=0 Æ L=1Æ old=new L!=0 L!=0 L=0 L!=0 Æ old!=new L!=0 L!=0 Æ old!=new L!=0 Æ old!=new L!=0 Æ old!=new

  23. L!=0 8 [new==old] [new!=old] [L!=0] L=0 10 7 11 9 L!=0 L!=0 Unwinding the CFG T 0 L=0 L=0 [L!=0] F [L!=0] L=0 2 1 L=1; old=new L=1; old=new L!=0 Æ old =new 3 L=0; new++ L=0; new++ [new!=old] L=0 4 [new!=old] [new==old] [new==old] L=0 5 control-flow graph L!=0 L!=0 L=0 L!=0 Æ old=new L=1 old=new [L!=0] [new!=old] T L=0 L’=0 Æ L=1Æ old=new L!=0 L!=0 L=0 L!=0 Æ old!=new L!=0 L!=0 Æ old!=new L!=0 Æ old!=new L!=0 Æ old!=new

  24. L!=0 8 [new==old] [new!=old] [L!=0] L=0 10 7 11 9 L!=0 L!=0 Unwinding the CFG T 0 L=0 L=0 [L!=0] F [L!=0] L=0 2 1 Remove all of its children L=1; old=new L=1; old=new L!=0 Æ old =new 3 L=0; new++ L=0; new++ [new!=old] L=0 4 [new!=old] [new==old] [new==old] L=0 5 control-flow graph L!=0 L!=0 L=0 L!=0 Æ old=new L=1 old=new [L!=0] [new!=old] T L=0 L’=0 Æ L=1Æ old=new L!=0 L!=0 L=0 L!=0 Æ old!=new L!=0 L!=0 Æ old!=new L!=0 Æ old!=new L!=0 Æ old!=new

  25. L=1; old=new L!=0 Æ old =new 3 Unwinding the CFG T 0 L=0 L=0 [L!=0] F [L!=0] L=0 2 1 L=1; old=new L=0; new++ [new!=old] [new==old] control-flow graph

  26. L=1; old=new L!=0 Æ old =new 3 L=0; new++ L=0 Æ old !=new 4 Unwinding the CFG T 0 L=0 L=0 [L!=0] F [L!=0] L=0 2 1 L=1; old=new L=0; new++ [new!=old] [new==old] Compute Post (L!=0 Æ old =new, L=0) = (L!=0 Æ old=new)[L/L’] ÆL=0[L/L’] = (L’!=0 Æ old=new ÆL=0) Compute Post (L’!=0Æ old=new Æ(L=0), new=new+1) = (L’!=0 Æ old=new ÆL=0)[new/new’] Æ new=(new+1)[new/new’] = (L’!=0 Æ old=new’ ÆL=0 Æ new=new’+1) Make Abstraction (L’!=0 Æ old=new’ ÆL=0 Æ new=new’+1)  (L!=0) Not Passed (L’!=0 Æ old=new’ ÆL=0 Æ new=new’+1)  (L=0) Pass (L’!=0 Æ old=new’ ÆL=0 Æ new=new’+1)  (old=new) Not Passed (L’!=0 Æ old=new’ ÆL=0 Æ new=new’+1)  (old!=new) Pass control-flow graph

  27. L=1; old=new L!=0 Æ old=new 3 L=0; new++ L=0 Æ old =new 4 [new!=old] L=0 Æ old!=new 5 Unwinding the CFG T 0 L=0 L=0 [L!=0] F [L!=0] L=0 2 1 L=1; old=new L=0; new++ [new!=old] [new==old] Compute Post (L=0 Æ old!=new, [new!=old]) = (L=0 Æ new!=old) Make Abstraction (L=0 Æ new!=old)  (L!=0) Not Passed (L=0 Æ new!=old)  (L=0) Pass (L=0 Æ new!=old)  (old=new) Not Passed (L=0 Æ new!=old)  (old!=new) Pass control-flow graph

  28. L=1; old=new L!=0 Æ old=new 3 L=0; new++ L=0 Æ old =new 4 [new!=old] L=0 Æ old!=new 5 Unwinding the CFG T 0 L=0 L=0 [L!=0] F [L!=0] L=0 2 1 L=1; old=new L=0; new++ [new!=old] [new==old] control-flow graph Covering: state 5 is subsumed by state 1. L=1 Æ old!=new L=1 Pass

  29. [new==old] L=0Æold=new 7 Unwinding the CFG T 0 L=0 L=0 [L!=0] F [L!=0] L=0 2 1 L=1; old=new L=1; old=new L!=0 Æ old=new 3 L=0; new++ L=0; new++ [new!=old] L=0 Æ old =new 4 [new!=old] [new==old] 5 L=0 Æ old!=new Compute Post (L=0, [new==old]) = (L=0 Æ new=old) Make Abstraction (L=0 Æ new=old)  (L!=0) Not Passed (L=0 Æ new=old)  (L=0) Pass (L=0 Æ new=old)  (new!=old) Not Passed (L=0 Æ new=old)  (new=old) Pass control-flow graph

  30. L!=0 Æ old=new 8 [new==old] 7 L=0 Æ old=new Unwinding the CFG T 0 L=0 L=0 [L!=0] F [L!=0] L=0 2 1 L=1; old=new L=1; old=new L!=0 Æ old=new 3 L=0; new++ L=0; new++ [new!=old] L=0 Æ old =new 4 [new!=old] [new==old] 5 L=0 Æ old!=new No Actions control-flow graph

  31. L!=0 Æ old=new 8 [new==old] L!=0 Æ old=new 7 9 L=0 Æ old=new Unwinding the CFG T 0 L=0 L=0 [L!=0] F [L!=0] L=0 2 1 L=1; old=new L=1; old=new L!=0 Æ old=new 3 L=0; new++ L=0; new++ [new!=old] L=0 Æ old =new 4 [new!=old] [new==old] [new==old] 5 L=0 Æ old!=new control-flow graph Compute Post (L!=0Ænew=old, [new==old]) = (L!=0 Æ new=old) Make Abstraction (L!=0 Æ new=old)  (L!=0) Pass (L!=0 Æ new=old)  (L=0) Not Passed (L!=0 Æ new=old)  (old=new) Pass (L!=0 Æ new=old)  (old!=new) Not Passed

  32. L!=0 Æ old=new 8 [new==old] [new!=old] L!=0 Æ old=new 10 7 9 F L=0 Æ old=new Unwinding the CFG T 0 L=0 L=0 [L!=0] F [L!=0] L=0 2 1 L=1; old=new L=1; old=new L!=0 Æ old=new 3 L=0; new++ L=0; new++ [new!=old] L=0 Æ old =new 4 [new!=old] [new==old] [new==old] 5 L=0 Æ old!=new control-flow graph Compute Post (L!=0Ænew=old, [new!=old]) = (L!=0 Æ new=old Æ new!=old ) = false

  33. Another Approach: The IMPACT method Kenneth L. McMillan: Lazy Abstraction with Interpolants. CAV 2006: 123-136

  34. Interpolation Lemma (Craig,57)

  35. Interpolation Lemma (Craig,57) • Notation: L() is the set of FO formulas over the symbols of 

  36. Interpolation Lemma (Craig,57) • Notation: L() is the set of FO formulas over the symbols of  • If A Ù B = false, there exists an interpolant A' for (A,B) such that: A Þ A' A' Ù B = false A' 2L(A) ÅL(B)

  37. Interpolation Lemma (Craig,57) • Notation: L() is the set of FO formulas over the symbols of  • If A Ù B = false, there exists an interpolant A' for (A,B) such that: A Þ A' A' Ù B = false A' 2L(A) ÅL(B) • Example: • A = p Ù q, B = Øq Ù r, A' = q

  38. Interpolation Lemma (Craig,57) • Notation: L() is the set of FO formulas over the symbols of  • If A Ù B = false, there exists an interpolant A' for (A,B) such that: A Þ A' A' Ù B = false A' 2L(A) ÅL(B) • Example: • A = p Ù q, B = Øq Ù r, A' = q • Interpolants from proofs • in certain quantifier-free theories, we can obtain an interpolant for a pair A,B from a refutation in linear time. [McMillan 05] • in particular, we can have linear arithmetic,uninterpreted functions, and restricted use of arrays

  39. Interpolants for sequences

  40. Interpolants for sequences • Let A1...An be a sequence of formulas

  41. Interpolants for sequences • Let A1...An be a sequence of formulas • A sequence A’0...A’n is an interpolant for A1...An when

  42. Interpolants for sequences • Let A1...An be a sequence of formulas • A sequence A’0...A’n is an interpolant for A1...An when • A’0 = True

  43. Interpolants for sequences • Let A1...An be a sequence of formulas • A sequence A’0...A’n is an interpolant for A1...An when • A’0 = True • A’i-1Æ Ai) A’i, for i = 1..n

  44. Interpolants for sequences • Let A1...An be a sequence of formulas • A sequence A’0...A’n is an interpolant for A1...An when • A’0 = True • A’i-1Æ Ai) A’i, for i = 1..n • An = False

  45. Interpolants for sequences • Let A1...An be a sequence of formulas • A sequence A’0...A’n is an interpolant for A1...An when • A’0 = True • A’i-1Æ Ai) A’i, for i = 1..n • An = False • and finally, A’i2L (A1...Ai) ÅL(Ai+1...An)

  46. ... A1 A2 A3 Ak Interpolants for sequences • Let A1...An be a sequence of formulas • A sequence A’0...A’n is an interpolant for A1...An when • A’0 = True • A’i-1Æ Ai) A’i, for i = 1..n • An = False • and finally, A’i2L (A1...Ai) ÅL(Ai+1...An)

  47. ... A1 A2 A3 Ak True False ... ) ) ) ) A'1 A'2 A'3 A'k-1 Interpolants for sequences • Let A1...An be a sequence of formulas • A sequence A’0...A’n is an interpolant for A1...An when • A’0 = True • A’i-1Æ Ai) A’i, for i = 1..n • An = False • and finally, A’i2L (A1...Ai) ÅL(Ai+1...An)

  48. ... A1 A2 A3 Ak True False ... ) ) ) ) A'1 A'2 A'3 A'k-1 Interpolants for sequences • Let A1...An be a sequence of formulas • A sequence A’0...A’n is an interpolant for A1...An when • A’0 = True • A’i-1Æ Ai) A’i, for i = 1..n • An = False • and finally, A’i2L (A1...Ai) ÅL(Ai+1...An) In other words, the interpolant is a structured refutation of A1...An

  49. Interpolants as Floyd-Hoare proofs

  50. x=y; y++; [x=y] Interpolants as Floyd-Hoare proofs

More Related