
SMT-Based Model Checking for Recursive Programs


Presentation Transcript


  1. SMT-Based Model Checking for Recursive Programs. Anvesh Komuravelli, Carnegie Mellon University. Joint work with Arie Gurfinkel and Sagar Chaki.

  2. Bounded Model Checking (BMC) for While-Programs
     assume (Init(x));
     while (*) x := Body(x);
     assert (!Error(x))
     Unrolling: Init(x0), Body(x0,x1), Body(x1,x2), Body(x2,x3), …, Body(xn-1,xn), Error(xn).
     Counterexample for unrolling depth n?

  3. BMC for Recursive Programs
     Main() {
       bool b = nd();
       Level1(b);
       Level1(b);
       assert(b);
     }
     Level<i>(bool b) {
       if(!b) { Level<i+1>(b); Level<i+1>(b); } else { baz(); }
       b := !b;
     }
     Counterexample for recursion/call-stack depth n?
     Unrolled call tree: Main calls Level1(b10,b11) and Level1(b12,b13); each Level<i> calls Level<i+1> twice; … down to the leaves Level<n>(bn0,bn1), …, Level<n>(bn<l-1>,bn<l>).
     Source: Ball and Rajamani, Bebop: A Symbolic Model Checker for Boolean Programs, 2000

  4. BMC problems can grow exponentially!
     (Same program and unrolled call tree as slide 3.) Unrolling grows exponentially in n.
     Source: Ball and Rajamani, Bebop: A Symbolic Model Checker for Boolean Programs, 2000

  5. BMC problems can grow exponentially!
     (Same program and unrolled call tree as slide 3.) Unrolling grows exponentially in n. But, … Safety of Boolean Programs is decidable in poly-time! [1,2]
     [1] Reps, Horwitz, and Sagiv, Precise Interprocedural Dataflow Analysis via Graph Reachability, 1995
     [2] Ball and Rajamani, Bebop: A Symbolic Model Checker for Boolean Programs, 2000
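As an added example (not code from the slides or from the Spacer project), here is the Level<i> Boolean program of slides 3 to 5 analysed in Python two ways: by counting the procedure bodies a BMC unrolling must inline, and by computing each procedure's (pre, post) summary over b exactly once. Assumptions made for the example: b is passed by reference so a procedure has a summary over b; Level<n> is the last level, so at i == n the two recursive calls are absent; nd() ranges over both Booleans.

```python
from functools import lru_cache

# Assumed for this example: Level<n> is the deepest level (its if-branch has no
# calls), b is passed by reference, and baz() does not touch b.

def unrolled_size(n, i=1):
    """Number of procedure-body copies BMC inlines when it unrolls Level<i>
    symbolically: b is unknown, so both branches are expanded."""
    if i == n:
        return 1
    return 1 + 2 * unrolled_size(n, i + 1)

def main_unrolled_size(n):
    """Main's body plus two unrolled copies of Level1: 2^(n+1) - 1 bodies."""
    return 1 + 2 * unrolled_size(n, 1)

def summaries(n):
    """Compute the (b_pre -> b_post) summary of every Level<i> once per input
    value by memoised execution.  Returns (table, number of body evaluations),
    which stays linear in n instead of exponential."""
    evaluations = 0

    @lru_cache(maxsize=None)
    def level(i, b):
        nonlocal evaluations
        evaluations += 1
        if not b and i < n:          # if(!b) { Level<i+1>(b); Level<i+1>(b); }
            b = level(i + 1, b)
            b = level(i + 1, b)
        # else branch: baz() has no effect on b
        return not b                 # b := !b

    table = {(i, b): level(i, b) for i in range(1, n + 1) for b in (False, True)}
    return table, evaluations

def main_counterexample(n):
    """Replay Main over the summaries: the nd() value violating assert(b),
    or None if no such value exists."""
    table, _ = summaries(n)
    for nd in (False, True):
        b = table[(1, nd)]           # Level1(b)
        b = table[(1, b)]            # Level1(b)
        if not b:                    # assert(b) fails
            return nd
    return None

if __name__ == "__main__":
    for n in range(1, 11):
        _, evals = summaries(n)
        print(f"n={n:2d}  unrolled bodies={main_unrolled_size(n):5d}  summary evaluations={evals}")
    print("counterexample nd() =", main_counterexample(10))
```

The summary table reaches the same verdict as the full unrolling (assert(b) fails when nd() returns false) after 2n body evaluations, which is the polynomial behaviour the slide attributes to summary-based analyses of Boolean programs.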

  6. BMC can also be done “without unrolling”
     • Algorithm IC3/PDR performs BMC without unrolling for hardware circuits [1,2]
     • Incrementally checks 1-step reachability questions (among many other things)
     How does this work for procedural programs?
     [1] Bradley, SAT-Based Model Checking without Unrolling, 2011
     [2] Een, Mischenko, and Brayton, Efficient Implementation of Property Directed Reachability, 2011

  7. BMC “without unrolling” uses Over-approximations
     Foo(x,y), input x, output y: if x > 0 then { z := x+1; y := z+1 } else { y := -x }.
     (x≤0 ∨ y≥0) is an over-approximating summary of Foo(x,y): every execution satisfies it.

  8. BMC “without unrolling” for Procedural Programs
     Procedure P calls Q, calls Q again, then calls R. Query: Reach_n(x_pre, x_post)?

  9. BMC “without unrolling” for Procedural Programs: over-approximating summaries over pre- and post-variables
     In P's body each call is replaced by its summary: assume O_{n-1}(Q); assume O_{n-1}(Q); assume O_{n-1}(R). Query: Reach_n(x_pre, x_post)?
     If the answer is NO: refine O_n(P) (e.g. using Interpolation).

  10. BMC “without unrolling” for Procedural Programs
     P's body with summaries: x_pre → assume O_{n-1}(Q) over (y0,y1) → assume O_{n-1}(Q) → assume O_{n-1}(R) over (z0,z1) → x_post.
     If Reach_n(x_pre, x_post)? is answered YES, abstractly: create the queries Reach_{n-1}(y0,y1)? for proc Q and Reach_{n-1}(z0,z1)? for proc R (answers Y / N); on N, updt O_{n-1}(R).

  11. Challenges with BMC “without unrolling”
     (A) Potential Recomputation of queries such as Reach_{n-1}(y0,y1)? for proc Q. Get away by caching, for Booleans! [1]
     (B) Infinite Domains? (summaries over (z0,z1), (w0,w1), …) BMC need not terminate!
     [1] Hoder and Bjørner, Generalized Property Directed Reachability, 2012

  12. Our Algorithm

  13. Our Key Ideas
     • Under-approximating summaries to avoid potential re-computations
     • Symbolic reachability queries
     • Poly-time SAT-based symbolic algorithm for Boolean Programs
     • BMC terminates given an SMT oracle
     • Model-Based Projection for “Lazy” Quantifier Elimination

  14. Under-approximating Summaries
     Foo(x,y), input x, output y: if x > 0 then { z := x+1; y := z+1 } else { y := -x }.
     (x>0 ∧ y=x+2) is an under-approximation of Foo(x,y): every sat assignment has a corresponding execution.

  15. Inferring Under-approximations
     Procedure P calls Q, calls Q again, then calls R. Query: Reach_n(x_pre, x_post)?

  16. Inferring Under-approximations: under-approximating summaries over pre- and post-variables
     In P's body each call is replaced by its under-approximating summary: x_pre → assume U_{n-1}(Q) over (y0,y1) → assume U_{n-1}(Q) → assume U_{n-1}(R) over (z0,z1) → x_post.
     If Reach_n(x_pre, x_post)? is answered YES with path π: update U_n(P) with π. Needs Quantifier Elimination.

  17. Inferring Over-approximations (as before)
     Each call replaced by assume O_{n-1}(Q); assume O_{n-1}(Q); assume O_{n-1}(R). If Reach_n(x_pre, x_post)? is NO: refine O_n(P) (e.g. using Interpolation).

  18. Updating Insufficient Approximations
     If Reach_n(x_pre, x_post)? is YES, abstractly (over assume O_{n-1}(Q), assume O_{n-1}(R)): create the queries Reach_{n-1}(φ_Q)? for proc Q and Reach_{n-1}(φ_R)? for proc R. On Y: updt U_{n-1}(Q). On N: updt O_{n-1}(R).

  19. Compositional Bounded Safety
     Bounded Reachability Query → Reachable using U_{n-1}? Yes: Reachable, update U_n(P). No → Unreachable using O_{n-1}? Yes: Unreachable, update O_n(P). No → create new queries and update approx.

  20. Creating Symbolic Queries
     (Same picture as slide 18.) How to create φ_Q?

  21. Creating Symbolic Queries
     Two cases: too weak over-approx.; too strong under-approx. (queries Reach_n(φ)? answered YES and NO)

  22. Creating Symbolic Queries
     Q(a): create reachability query at bound (n-1). Reach_n(φ)? YES. Needs Quantifier Elimination.

  23. Compositional Bounded Safety
     Bounded Reachability Query → Reachable using U_{n-1}? Yes: Reachable, update U_n(P). No → Unreachable using O_{n-1}? Yes: Unreachable, update O_n(P). No → create new queries and update approx.
     BMC terminates guaranteeing overall progress! Poly-time for Boolean Progs.
     Quantifier Elimination is Expensive!

  24. Model Based Projection
     Expensive to find a quantifier-free …
     Instead: obtain models of … (e.g. a specific pre-post pair that needs to be generalized); 2. choose disjunct “covering” … Lazy Quantifier Elimination!
     Linear time-and-space MBPs for Linear Arithmetic, using Virtual Substitution [1,2,3]
     [1] Cooper, Theorem Proving in Arithmetic without Multiplication, 1972
     [2] Loos and Weispfenning, Applying Linear Quantifier Elimination, 1993
     [3] Bjorner, Linear Quantifier Elimination as an Abstract Decision Procedure, 2010
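As an added example (not from the slides), the Foo(x,y) procedure of slides 7 and 14 in Python, with both summaries checked against Foo's executions over a finite range: the over-approximation must admit every execution, the under-approximation must admit only executions. The integer range, the bogus third summary and the two property checks are constructed for this illustration and are not part of the talk.

```python
# Foo from slides 7 and 14; x and y are assumed to be integers here.
def foo(x):
    if x > 0:
        z = x + 1
        y = z + 1          # y = x + 2
    else:
        y = -x
    return y

def over_summary(x, y):    # slide 7:  (x <= 0 or y >= 0)
    return x <= 0 or y >= 0

def under_summary(x, y):   # slide 14: (x > 0 and y == x + 2)
    return x > 0 and y == x + 2

def bogus_summary(x, y):   # constructed: sound in neither direction
    return y == -x

INPUTS = range(-5, 6)      # constructed input range
OUTPUTS = range(-10, 11)   # covers every foo(x) for x in INPUTS

def is_over_approx(summary, proc=foo, inputs=INPUTS):
    """Every execution (x, proc(x)) satisfies the summary."""
    return all(summary(x, proc(x)) for x in inputs)

def is_under_approx(summary, proc=foo, inputs=INPUTS, outputs=OUTPUTS):
    """Every (x, y) satisfying the summary is a real execution of proc."""
    return all(proc(x) == y for x in inputs for y in outputs if summary(x, y))

def proves(summary, prop, inputs=INPUTS, outputs=OUTPUTS):
    """What an over-approximation is good for: if prop holds on every pair the
    summary admits, it holds on every execution (a NO answer to reachability)."""
    return all(prop(x, y) for x in inputs for y in outputs if summary(x, y))

def witness(summary, target, inputs=INPUTS, outputs=OUTPUTS):
    """What an under-approximation is good for: any admitted pair hitting the
    target is a genuine reachability witness (a YES answer), no re-execution needed."""
    for x in inputs:
        for y in outputs:
            if summary(x, y) and target(x, y):
                return (x, y)
    return None

if __name__ == "__main__":
    for name, s in [("over", over_summary), ("under", under_summary), ("bogus", bogus_summary)]:
        print(f"{name:5s} over-approx: {is_over_approx(s)}  under-approx: {is_under_approx(s)}")
    print("x > 3 implies y >= 0 proven from over-approx:", proves(over_summary, lambda x, y: x <= 3 or y >= 0))
    print("witness for y == 5 from under-approx:", witness(under_summary, lambda x, y: y == 5))
```

The asymmetry is the point of the two slides: the over-approximation can only answer NO questions (prove unreachability), the under-approximation can only answer YES questions (certify reachability), and a summary that is neither, like bogus_summary, is useless for both.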
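As an added example (not code from the slides, from Spacer or from Z3), here is a model-based projection for a conjunction of linear-arithmetic literals over the rationals, in the virtual-substitution style the slide cites: the model picks which bound on the eliminated variable is substituted, and the result is one quantifier-free disjunct that implies the existential formula and is satisfied by that model. The formula PHI, the variable names and the two models are constructed for illustration; lazy_qe stands in for the loop on the slide with the solver replaced by caller-supplied models.

```python
from fractions import Fraction as F
from itertools import product

ONE = "1"   # key of the constant coefficient inside a linear term

def term(coeffs, const=0):
    """Linear term sum(c * v) + const, stored as {var: Fraction}."""
    t = {v: F(c) for v, c in coeffs.items() if c != 0}
    if const:
        t[ONE] = F(const)
    return t

def evaluate(t, model):
    return sum((c if v == ONE else c * model[v]) for v, c in t.items())

def scale(t, k):
    return {v: c * k for v, c in t.items()}

def add(t, u):
    r = dict(t)
    for v, c in u.items():
        r[v] = r.get(v, F(0)) + c
        if r[v] == 0:
            del r[v]
    return r

# A literal is (t, op), read as "t op 0" with op in {"<", "<=", "="}.
def holds(lit, model):
    t, op = lit
    val = evaluate(t, model)
    return {"<": val < 0, "<=": val <= 0, "=": val == 0}[op]

def substitute(t, x, e):
    """Replace variable x by the linear term e inside t."""
    if x not in t:
        return t
    return add({v: c for v, c in t.items() if v != x}, scale(e, t[x]))

def mbp(lits, x, model):
    """Model-based projection of x out of the conjunction lits: returns a
    quantifier-free conjunction psi with psi => (exists x. lits) and model |= psi.
    The model decides which bound on x is virtually substituted."""
    assert all(holds(l, model) for l in lits), "model must satisfy the literals"
    keep, lower, upper = [], [], []
    for idx, (t, op) in enumerate(lits):
        a = t.get(x)
        if a is None:
            keep.append((t, op))
            continue
        # a*x + rest op 0  becomes  x op' e  with e = -rest/a (op' flips when a < 0)
        e = scale({v: c for v, c in t.items() if v != x}, F(-1) / a)
        if op == "=":                     # x = e: substitute it into every other literal
            return [(substitute(t2, x, e), op2)
                    for j, (t2, op2) in enumerate(lits) if j != idx]
        (upper if a > 0 else lower).append((e, op == "<"))
    if not lower:                         # no lower bound: some x always satisfies the rest
        return keep
    # Largest lower bound under the model; strict bounds win ties, so that
    # x := l* (or l* + epsilon when strict) still satisfies every other bound.
    lstar, lstrict = max(lower, key=lambda b: (evaluate(b[0], model), b[1]))
    out = list(keep)
    for e, strict in lower:
        if e is lstar:
            continue
        op = "<" if (strict and not lstrict) else "<="      # e  <|<=  l*
        out.append((add(e, scale(lstar, F(-1))), op))
    for e, strict in upper:
        op = "<" if (strict or lstrict) else "<="           # l*  <|<=  e
        out.append((add(lstar, scale(e, F(-1))), op))
    return out

def lazy_qe(lits, x, models):
    """Slide 24's loop with caller-supplied models: one MBP disjunct per model."""
    return [mbp(lits, x, m) for m in models]

def disjunction_holds(disjuncts, model):
    return any(all(holds(l, model) for l in d) for d in disjuncts)

def canonical(conj):
    """Order-independent form of a conjunction, for comparisons."""
    return sorted((tuple(sorted(t.items())), op) for t, op in conj)

def matches_exists_on_grid(disjuncts, lits, x, free, lo, hi):
    """Brute-force check that (OR disjuncts) == (exists x. lits) on an integer grid."""
    for vals in product(range(lo, hi + 1), repeat=len(free)):
        m = dict(zip(free, vals))
        exists = any(all(holds(l, {**m, x: xv}) for l in lits) for xv in range(lo, hi + 1))
        if exists != disjunction_holds(disjuncts, m):
            return False
    return True

# Constructed formula  phi(x, y, z) := y < x  and  0 <= x  and  x <= z,  and two of its models.
PHI = [(term({"y": 1, "x": -1}), "<"), (term({"x": -1}), "<="), (term({"x": 1, "z": -1}), "<=")]
MODELS = [{"x": 3, "y": 1, "z": 5}, {"x": 2, "y": -1, "z": 4}]

if __name__ == "__main__":
    for m, d in zip(MODELS, lazy_qe(PHI, "x", MODELS)):
        print(m, "->", canonical(d))
```

For PHI the first model yields the disjunct 0 ≤ y ∧ y < z and the second yields y < 0 ∧ 0 ≤ z; their disjunction is exactly ∃x. PHI, but each one was obtained in linear time from a single model, which is the "lazy" quantifier elimination the slide describes. In the tool the models come from the SMT solver asking for a point not yet covered; here the caller supplies them.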

  25. Experimental Evaluation

  26. Spacer Tool
     C Program → LLVM-Based Front-end of UFO [1] → Logical Encoding (Horn-SMT): Non-linear Second-order Horn Clauses → Spacer Backend (using Z3’s framework)
     [1] Albarghouthi et al., UFO: Verification with Interpolants and Abstract Interpretation, 2013.

  27. The Boolean Program I showed before with exponential unrolling

  28. Results on SV-COMP’14 Benchmarks

  29. Conclusion
     Compositional Bounded Safety for Recursive Programs: avoid exponential blow up in BMC.
     First poly-time SAT-based symbolic algorithm for Booleans and a semi-decision procedure modulo SMT.
     Model Based Projection for Lazy Quantifier Elimination.

  30. Future Work
     • Different strategies for refinement: top-down, bottom-up, etc.; DFS + BFS
     • Handle theories not admitting Quantifier Elimination: EUF, theory of arrays
     • Combine with transition relation abstraction [1]
     [1] Komuravelli et al., Automatic Abstraction in SMT-Based Software Model Checking, CAV 2013.

  31. Special thanks to Ed Clarke, Nikolaj Bjørner, and Cesare Tinelli for fruitful discussions. Questions?
