SMT-Based Model Checking for Recursive Programs. Anvesh Komuravelli, Carnegie Mellon University. Joint work with Arie Gurfinkel and Sagar Chaki. Bounded Model Checking (BMC) for while-programs: assume (Init(x)); while (*) x := Body(x); assert (!Error(x)), unrolled as Init(x0), Body(x0,x1), …
SMT-Based Model Checking for Recursive Programs
Anvesh Komuravelli, Carnegie Mellon University
Joint work with Arie Gurfinkel and Sagar Chaki
Bounded Model Checking (BMC) for While-Programs

  assume (Init(x));
  while (*) x := Body(x);
  assert (!Error(x))

Unrolling: Init(x0), Body(x0,x1), Body(x1,x2), Body(x2,x3), …, Body(xn-1,xn), Error(xn)
Counterexample for unrolling depth n?
BMC for Recursive Programs

  Main() { bool b = nd(); Level1(b); Level1(b); assert(b); }
  Level<i>(bool b) { if(!b) { Level<i+1>(b); Level<i+1>(b); } else { baz(); } b := !b; }

Counterexample for recursion/call-stack depth n?
Unrolled call tree: Main → Level1(b10,b11), Level1(b12,b13) → … → Level<n>(bn0,bn1), …, Level<n>(bn<l-1>,bn<l>)
Source: Ball and Rajamani, Bebop: A Symbolic Model Checker for Boolean Programs, 2000

BMC problems can grow exponentially!
• Unrolling grows exponentially in n
• But, … safety of Boolean Programs is decidable in poly-time! [1,2]
[1] Reps, Horwitz, and Sagiv, Precise Interprocedural Dataflow Analysis via Graph Reachability, 1995
[2] Ball and Rajamani, Bebop: A Symbolic Model Checker for Boolean Programs, 2000
BMC can also be done “without unrolling”
• Algorithm IC3/PDR performs BMC without unrolling for hardware circuits [1,2]
• Incrementally checks 1-step reachability questions (among many other things)
How does this work for procedural programs?
[1] Bradley, SAT-Based Model Checking without Unrolling, 2011
[2] Een, Mischenko, and Brayton, Efficient Implementation of Property Directed Reachability, 2011
BMC “without unrolling” uses Over-approximations
Foo(x,y) (x is the input, y the output): branch on x > 0; T: z := x+1; y := z+1; F: y := -x
(x≤0 ∨ y≥0) is an over-approximating summary of Foo(x,y): every execution satisfies it.
BMC “without unrolling” for Procedural Programs
proc P { call Q; call Q; call R }   Query: Reach_n(x_pre, x_post)?
Over-approximating summaries over pre- and post-variables: at each call site assume O_{n-1}(Q) (resp. O_{n-1}(R)).
• NO: refine O_n(P) (e.g. using Interpolation)
• YES, abstractly: the abstract path through P gives pre/post values y0,y1 for the calls to Q and z0,z1 for the call to R; ask Reach_{n-1}(y0,y1)? for proc Q (answer: Y) and Reach_{n-1}(z0,z1)? for proc R (answer: N → update O_{n-1}(R))
Challenges with BMC “without unrolling”
(A) Potential recomputation (e.g. of Reach_{n-1}(y0,y1)? for proc Q): get away by caching, for Booleans! [1]
(B) Infinite domains? BMC need not terminate!
[1] Hoder and Bjørner, Generalized Property Directed Reachability, 2012
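The blow-up on the “BMC problems can grow exponentially” slide and the caching remedy of challenge (A) can be reproduced directly. The following is an added Python example, not code from the talk or from Spacer: it answers the 1-step queries Reach_i(b_pre, b_post) for the Level<i> program by guessing the intermediate values and recursing one level down, once without and once with a cache of answered queries (exact summaries over the finite Boolean domain, which is what makes this case polynomial). Two details are assumed here because the slides do not fix them: b is an in/out parameter, so Level<i> denotes a relation over (b_pre, b_post), and the deepest level Level<N> only executes b := !b.

```python
# Added example (not from the slides): bounded reachability queries for the
# Boolean program on the slides, with and without cached summaries.
#
#   Main() { bool b = nd(); Level1(b); Level1(b); assert(b); }
#   Level<i>(bool b) { if(!b) { Level<i+1>(b); Level<i+1>(b); } else { baz(); } b := !b; }
#
# Assumptions: b is an in/out parameter (Level<i> is a relation over
# (b_pre, b_post)); Level<N> only executes b := !b (base case not on the slides).

def make_reach(N, use_cache):
    """Return (reach, stats). reach(i, pre, post) answers the 1-step query
    Reach_i(pre, post): can Level<i> take b from pre to post?"""
    summary = {}   # cached answers = exact summaries (Boolean analogue of U_n / O_n)
    stats = {"queries": 0, "evaluations": 0}

    def reach(i, pre, post):
        stats["queries"] += 1
        key = (i, pre, post)
        if use_cache and key in summary:
            return summary[key]
        stats["evaluations"] += 1
        if i == N or pre:
            # base level, or the 'else' branch: only b := !b runs
            result = post == (not pre)
        else:
            # then-branch: two calls to Level<i+1>, then b := !b.  The intermediate
            # values b1, b2 are unknown, so guess them and ask 1-step queries one
            # level down; without a cache this re-computation doubles per level.
            result = any(reach(i + 1, pre, b1) and reach(i + 1, b1, b2)
                         for b1 in (False, True)
                         for b2 in (False, True)
                         if post == (not b2))
        if use_cache:
            summary[key] = result
        return result

    return reach, stats


def check_main(N, use_cache):
    """Look for a counterexample to assert(b) in Main with N levels.
    Returns ((b0, b1) or None, stats): b0 is nd(), b1 is b after the first call."""
    reach, stats = make_reach(N, use_cache)
    for b0 in (False, True):
        for b1 in (False, True):
            # Main: Level1 takes b0 to b1, then Level1 takes b1 to False (assert fails)
            if reach(1, b0, b1) and reach(1, b1, False):
                return (b0, b1), stats
    return None, stats


if __name__ == "__main__":
    for n in (4, 8, 12):
        cex, naive = check_main(n, use_cache=False)
        _, cached = check_main(n, use_cache=True)
        print(f"N={n}: counterexample={cex}, uncached queries={naive['queries']}, "
              f"cached evaluations={cached['evaluations']}")
```

Both runs find the same counterexample (nd() = false), but the number of uncached queries grows as 2^N while the cached run evaluates at most four distinct queries per level. Over an infinite domain the cache key (i, pre, post) is no longer finite, which is exactly challenge (B) and the reason the talk moves to symbolic under- and over-approximating summaries.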
Our Key Ideas
• Under-approximating summaries to avoid potential re-computations
• Symbolic reachability queries
• Poly-time SAT-based symbolic algorithm for Boolean Programs
• BMC terminates given an SMT oracle
• Model-Based Projection for “Lazy” Quantifier Elimination
Under-approximating Summaries
Foo(x,y) (x is the input, y the output): branch on x > 0; T: z := x+1; y := z+1; F: y := -x
(x>0 ∧ y=x+2) is an under-approximation of Foo(x,y): every satisfying assignment has a corresponding execution.
Inferring Under-approximations
proc P { call Q; call Q; call R }   Query: Reach_n(x_pre, x_post)?
Under-approximating summaries over pre- and post-variables: at each call site assume U_{n-1}(Q) (resp. U_{n-1}(R)).
• YES, with path π: update U_n(P) (needs Quantifier Elimination)

Inferring Over-approximations (as before)
At each call site assume O_{n-1}(Q) (resp. O_{n-1}(R)); NO: refine O_n(P) (e.g. using Interpolation)

Updating Insufficient Approximations
• YES, abstractly: create new queries at bound n-1, Reach_{n-1}(φ_Q)? for proc Q and Reach_{n-1}(φ_R)? for proc R
• N: update O_{n-1}(R)
• Y: update U_{n-1}(Q)
Compositional Bounded Safety
Bounded Reachability Query → Reachable using U_{n-1}?
• Yes: Reachable, update U_n(P)
• No: Unreachable using O_{n-1}?
  • Yes: Unreachable, update O_n(P)
  • No: create new queries and update approximations
Creating Symbolic Queries
proc P { call Q; call Q; call R } with assume O_{n-1}(Q), O_{n-1}(R) at the call sites; Reach_n(x_pre, x_post)? answered YES, abstractly: queries Reach_{n-1}(φ_Q)? and Reach_{n-1}(φ_R)? (N: update O_{n-1}(R); Y: update U_{n-1}(Q)).
How to create φ_Q?
• Two things to avoid: a too weak over-approx. and a too strong under-approx.
• The query Reach_n(φ)? is answered either YES or NO
Q(a): create the reachability query at bound (n-1) (needs Quantifier Elimination)
Compositional Bounded Safety (revisited)
• BMC terminates guaranteeing overall progress!
• Poly-time for Boolean Progs
• Quantifier Elimination is expensive!
Model Based Projection
• Quantifier Elimination: expensive to find a quantifier-free equivalent
• Lazy Quantifier Elimination! 1. obtain a model (e.g. a specific pre-post pair that needs to be generalized); 2. choose a disjunct “covering” the model
• Linear time-and-space MBPs for Linear Arithmetic, using Virtual Substitution [1,2,3]
[1] Cooper, Theorem Proving in Arithmetic without Multiplication, 1972
[2] Loos and Weispfenning, Applying Linear Quantifier Elimination, 1993
[3] Bjørner, Linear Quantifier Elimination as an Abstract Decision Procedure, 2010
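To make the “lazy QE” idea concrete, here is an added Python example, not code from the talk or from Spacer’s MBP implementation. It assumes a simplified setting: a conjunction of non-strict linear inequalities over the rationals, one variable x to project, and a model supplied by the caller (in Spacer the model would come from the SMT solver). Following virtual substitution, it picks the lower bound on x that the model makes largest and substitutes it for x, which yields one quantifier-free disjunct that implies ∃x.φ and is satisfied by the model; a small driver then collects disjuncts for a sequence of models, producing a new one only when the model is not already covered.

```python
# Added example: model-based projection (MBP) for conjunctions of linear
# inequalities over the rationals via virtual substitution of a lower bound.
# Not the talk's or Spacer's implementation; a simplified illustration.
from fractions import Fraction as F

# A linear term is a dict {var: coeff}; the key "1" holds the constant.
# A literal is a term t read as "t <= 0".

def lit(coeffs):
    return {v: F(c) for v, c in coeffs.items()}

def scale(t, k):
    return {v: c * k for v, c in t.items()}

def add(t1, t2):
    out = dict(t1)
    for v, c in t2.items():
        out[v] = out.get(v, F(0)) + c
    return {v: c for v, c in out.items() if c != 0}

def evaluate(t, model):
    return sum(c * (F(1) if v == "1" else model[v]) for v, c in t.items())

def holds(literals, model):
    return all(evaluate(t, model) <= 0 for t in literals)

def bound(literal, x):
    """Rewrite a*x + r <= 0 as a bound on x.
    Returns ('hi', t) meaning x <= t, ('lo', t) meaning x >= t, or (None, literal)."""
    a = literal.get(x, F(0))
    if a == 0:
        return None, literal
    r = {v: c for v, c in literal.items() if v != x}
    t = scale(r, -F(1) / a)          # a*x <= -r  ==>  x <= -r/a (a>0) or x >= -r/a (a<0)
    return ("hi" if a > 0 else "lo"), t

def mbp(literals, x, model):
    """One disjunct of exists x. /\literals, chosen by the model, with x eliminated."""
    keep, lows, highs = [], [], []
    for l in literals:
        kind, t = bound(l, x)
        if kind is None:
            keep.append(l)
        elif kind == "lo":
            lows.append(t)
        else:
            highs.append(t)
    if not lows or not highs:
        # x is unbounded on one side: the remaining literals alone are the projection
        return keep
    # Virtual substitution: the lower bound the model makes largest stands in for x.
    L = max(lows, key=lambda t: evaluate(t, model))
    out = list(keep)
    for l in lows:
        if l is not L:
            out.append(add(l, scale(L, -1)))     # l <= L
    for u in highs:
        out.append(add(L, scale(u, -1)))         # L <= u
    return out

def lazy_qe(literals, x, models):
    """Lazy QE driver: a model not yet covered by a disjunct yields a new MBP disjunct."""
    disjuncts = []
    for m in models:
        if not any(holds(d, m) for d in disjuncts):
            disjuncts.append(mbp(literals, x, m))
    return disjuncts

# Constructed sample: phi(x,y,z) = (x >= y) and (x <= z) and (x >= 1), as "t <= 0" literals
PHI = [lit({"y": 1, "x": -1}),    # y - x <= 0
       lit({"x": 1, "z": -1}),    # x - z <= 0
       lit({"1": 1, "x": -1})]    # 1 - x <= 0

if __name__ == "__main__":
    m1 = {"x": 2, "y": 1, "z": 3}   # constructed model of phi
    m2 = {"x": 2, "y": 0, "z": 3}   # constructed model of phi
    print(mbp(PHI, "x", m1))          # [{'1': 1, 'y': -1}, {'y': 1, 'z': -1}]  i.e. y >= 1 and y <= z
    print(mbp(PHI, "x", m2))          # [{'y': 1, '1': -1}, {'1': 1, 'z': -1}]  i.e. y <= 1 and 1 <= z
    print(len(lazy_qe(PHI, "x", [m1, m2, {"x": 5, "y": 1, "z": 6}])))  # 2
```

Neither disjunct alone is equivalent to ∃x.φ (which is y ≤ z ∧ 1 ≤ z), but each is an under-approximation satisfied by the model that produced it, and together the two disjuncts cover it; that is the “choose a disjunct covering the model” step, with the full projection only ever built on demand.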
Experimental Evaluation
Spacer Tool
C Program → LLVM-based front-end of UFO [1] → Logical Encoding (Horn-SMT): non-linear second-order Horn clauses → Spacer Backend (using Z3’s framework)
[1] Albarghouthi et al., UFO: Verification with Interpolants and Abstract Interpretation, 2013.
The Boolean Program I showed before with exponential unrolling
Conclusion
• Compositional Bounded Safety for Recursive Programs
• Avoid exponential blow-up in BMC
• First poly-time SAT-based symbolic algorithm for Booleans and a semi-decision procedure modulo SMT
• Model Based Projection for Lazy Quantifier Elimination
Future Work
• Different strategies for refinement: top-down, bottom-up, etc.; DFS + BFS
• Handle theories not admitting Quantifier Elimination: EUF, theory of arrays
• Combine with transition relation abstraction [1]
[1] Komuravelli et al., Automatic Abstraction in SMT-Based Software Model Checking, CAV 2013.
Special thanks to Ed Clarke, Nikolaj Bjørner, and Cesare Tinelli for fruitful discussions.
Questions?