SMT-Based Model Checking for Recursive Programs Anvesh Komuravelli Carnegie Mellon University
advertisement
SMT-Based Model Checking for
Recursive Programs
Anvesh Komuravelli
Carnegie Mellon University
Joint work with Arie Gurfinkel and Sagar Chaki
Spacer
© Anvesh Komuravelli
Bounded Model Checking (BMC) for While-Programs
Init(x0)
Body(x0,x1)
assume (Init(x));
while (*)
x := Body(x);
assert (!Error(x))
Body(x1,x2)
Counterexample for
unrolling depth n?
Body(x2,x3)
…
Body(xn-1,xn)
Error(xn)
Spacer
© Anvesh Komuravelli
1
BMC for Recursive Programs
Main() {
bool b = nd();
Level1(b);
Level1(b);
assert(b);
}
Main
Level1(b10,b11)
Level1(b12,b13)
…
Level<i>(bool b) {
if(!b) {
Level<i+1>(b);
Level<i+1>(b);
} else {
baz();
}
b := !b;
}
Counterexample for
recursion/call-stack
depth n?
Level<n>(bn0,bn1)
…
…
Level<n>(bn<l-1>,bn<l>)
Source: Ball and Rajamani, Bebop: A Symbolic Model Checker for Boolean Programs, 2000
Spacer
© Anvesh Komuravelli
2
BMC problems can grow exponentially!
Main() {
bool b = nd();
Level1(b);
Level1(b);
assert(b);
}
Main
Level1(b10,b11)
Level1(b12,b13)
…
Level<i>(bool b) {
if(!b) {
Level<i+1>(b);
Level<i+1>(b);
} else {
baz();
}
b := !b;
}
Unrolling grows
exponentially in n
Level<n>(bn0,bn1)
…
…
Level<n>(bn<l-1>,bn<l>)
Source: Ball and Rajamani, Bebop: A Symbolic Model Checker for Boolean Programs, 2000
Spacer
© Anvesh Komuravelli
3
BMC problems can grow exponentially!
Main() {
bool b = nd();
Level1(b);
Level1(b);
assert(b);
}
Level<i>(bool b) {
if(!b) {
Level<i+1>(b);
Level<i+1>(b);
} else {
baz();
}
b := !b;
}
Unrolling grows
exponentially in n
But, …
Safety of Boolean Programs is
decidable in poly-time![1,2]
[1] Reps, Horwitz, and Sagiv, Precise Interprocedural Dataflow Analysis via Graph Reachability, 1995
[2] Ball and Rajamani, Bebop: A Symbolic Model Checker for Boolean Programs, 2000
Spacer
© Anvesh Komuravelli
4
BMC can also be done “without unrolling”
1. Algorithm IC3/PDR performs BMC without unrolling for
hardware circuits[1,2]
2. Incrementally checks 1-step reachability questions
(among many other things)
How does this work for procedural programs?
[1] Bradley, SAT-Based Model Checking without Unrolling, 2011
[2] Een, Mischenko, and Brayton, Efficient Implementation of Property Directed Reachability, 2011
Spacer
© Anvesh Komuravelli
5
BMC “without unrolling” uses Over-approximations
x > 0
T
F
z := x+1
(x≤0 ∨ y≥0) is an over-approximating
summary of Foo(x,y)
y := -x
y := z+1
every execution
satisfies it
Foo(x,y)
input
output
Spacer
© Anvesh Komuravelli
6
BMC “without unrolling” for Procedural Programs
proc P
Reachn(xpre, xpost)?
call Q
call Q
call R
Spacer
© Anvesh Komuravelli
7
BMC “without unrolling” for Procedural Programs
over-approximating
summaries over
pre- and postvariables
proc P
Reachn(xpre, xpost)?
assume On-1(Q)
assume On-1(Q)
NO
Refine On(P)
(e.g. using
Interpolation)
assume On-1(R)
Spacer
© Anvesh Komuravelli
8
BMC “without unrolling” for Procedural Programs
proc Q
proc R
N
Y
updt On-1(R)
xpre
assume On-1(Q)
assume On-1(R)
proc P
y0
Reachn(xpre, xpost)?
y1
YES, Abstractly
z0
z1
xpost
Spacer
© Anvesh Komuravelli
9
Challenges with BMC “without unrolling”
proc Q
Y
(A) Potential
Recomputation
xpre
assume On-1(Q)
Get away
by caching,
for Booleans![1]
assume On-1(R)
proc P
Reachn(xpre, xpost)?
y0
y1
z0
w0
z1
w1
(B) Infinite
Domains?
BMC need
not terminate!
xpost
[1] Hoder and Bjørner, Generalized
Property Directed Reachability, 2012
Spacer
© Anvesh Komuravelli
10
Our Algorithm
Spacer
© Anvesh Komuravelli
11
Our Key Ideas
1. Under-approximating summaries to avoid potential
re-computations
2. Symbolic reachability queries
• Poly-time SAT-based symbolic algorithm for
Boolean Programs
• BMC terminates given an SMT oracle
3. Model-Based Projection for “Lazy” Quantifier Elimination
Spacer
© Anvesh Komuravelli
12
Under-approximating Summaries
x > 0
Every sat assignment has
a corresponding
execution
T
F
z := x+1
(x>0 ∧ y=x+2) is an under-approximation
of Foo(x,y)
y := -x
y := z+1
Foo(x,y)
input
output
Spacer
© Anvesh Komuravelli
13
Inferring Under-approximations
proc P
Reachn(xpre, xpost)?
call Q
call Q
call R
Spacer
© Anvesh Komuravelli
14
Inferring Under-approximations
under-approximating
summaries over
pre- and postvariables
Needs
Quantifier
Elimination
update Un(P)
with
xpre
assume Un-1(Q)
assume Un-1(R)
proc P
Reachn(xpre, xpost)?
y0
y1
assume Un-1(Q)
path π
YES
z0
z1
xpost
Spacer
© Anvesh Komuravelli
15
Inferring Over-approximations (as before)
proc P
Reachn(xpre, xpost)?
assume On-1(Q)
assume On-1(Q)
NO
Refine On(P)
(e.g. using
Interpolation)
assume On-1(R)
Spacer
© Anvesh Komuravelli
16
Updating Insufficient Approximations
proc Q
proc R
N
Y
updt On-1(R)
updt Un-1(Q)
xpre
assume On-1(Q)
assume On-1(R)
proc P
y0
Reachn(xpre, xpost)?
y1
YES, Abstractly
z0
z1
xpost
Spacer
© Anvesh Komuravelli
17
Compositional Bounded Safety
Bounded Reachability Query
Reachable
using Un-1?
Yes
Reachable,
update Un(P)
Yes
Unreachable,
update On(P)
No
Unreachabl
e using On1?
No
create new
queries and
update approx
Spacer
© Anvesh Komuravelli
18
Creating Symbolic Queries
proc Q
proc R
N
Y
updt On-1(R)
updt Un-1(Q)
xpre
assume On-1(Q)
proc P
Reachn(xpre, xpost)?
y0
y1 to create φ ?
How
Q
assume On-1(R)
z0
z1
xpost
Spacer
© Anvesh Komuravelli
19
Creating Symbolic Queries
Too weak
over-approx.
Reachn(φ)? YES
Reachn(φ)? YES
Too strong
under-approx.
Reachn(φ)? NO
Spacer
Reachn(φ)? NO
© Anvesh Komuravelli
20
Creating Symbolic Queries
Needs
Quantifier
Elimination
Q(a)
Create reachability query
at bound (n-1)
Reachn(φ)? YES
Spacer
© Anvesh Komuravelli
21
Compositional Bounded Safety
Bounded Reachability Query
Reachable
using Un-1?
Poly-time for
Boolean Progs
No
Unreachabl
e using On1?
Yes
Reachable,
update Un(P)
BMC terminates
guaranteeing
overall progress!
Yes
Unreachable,
update On(P)
Quantifier Elimination
No is Expensive!
create new
queries and
update approx
Spacer
© Anvesh Komuravelli
22
Model Based Projection
Expensive to find a quantifier-free
Linear time-and-space MBPs
for Linear Arithmetic,
1. obtain
using Virtual Substitution[1,2,3]
(e.g. specific pre-post
pair that needs to be
generalized)
Models of
2. choose disjunct “covering” N
Lazy Quantifier
Elimination!
[1] Cooper, Theorem Proving in Arithmetic without Multiplication, 1972
[2] Loos and Weispfenning, Applying Linear Quantifier Elimination, 1993
[3] Bjorner, Linear Quantifier Elimination as an Abstract Decision Procedure, 2010
Spacer
© Anvesh Komuravelli
23
Experimental
Evaluation
Spacer
© Anvesh Komuravelli
24
Spacer Tool
C Program
LLVM-Based Front-end of UFO[1]
(Horn-SMT) Logical Encoding
Spacer Backend
(using Z3’s framework)
Non-linear
Second-order
Horn Clauses
[1] Albarghouthi et al., UFO: Verification with Interpolants and Abstract Interpretation, 2013.
Spacer
© Anvesh Komuravelli
25
The Boolean Program I showed before with
exponential unrolling
5000
Spacer
Time (secs)
4000
Z3
3000
2000
1000
0
100
200
300
400
Number of Procedures
Spacer
500
© Anvesh Komuravelli
26
Results on SV-COMP’14 Benchmarks
1800
1600
Spacer (secs)
1400
1200
1000
800
600
400
200
0
0
200
400
600
800 1000 1200 1400 1600 1800
Z3 (secs)
Spacer
© Anvesh Komuravelli
27
Conclusion
1. Compositional Bounded Safety for Recursive Programs
2. Avoid exponential blow up in BMC
3. First poly-time SAT-based symbolic algorithm for
Booleans and a semi-decision procedure modulo SMT
4. Model Based Projection for Lazy Quantifier Elimination
Spacer
© Anvesh Komuravelli
28
Future Work
1. Different strategies for refinement
• top-down, bottom-up, etc.
• DFS + BFS
2. Handle theories not admitting Quantifier Elimination
• EUF, theory of arrays
3. Combine with transition relation abstraction[1]
[1] Komuravelli et al., Automatic Abstraction in SMT-Based Software Model Checking, CAV 2013.
Spacer
© Anvesh Komuravelli
29
Special thanks to Ed Clarke, Nikolaj Bjørner, and Cesare Tinelli
for fruitful discussions
Questions?
Spacer
© Anvesh Komuravelli
30
