Synthesizing Safe Bit-Precise Invariants - Arie Gurfinkel

Synthesizing Safe Bit-Precise

Invariants

Arie Gurfinkel (SEI / CMU)

Anton Belov (UCD / Synopsys)

Joao Marques-Silva (UCD)

© 2014 Carnegie Mellon University

Inductive Invariants: Turing / Floyd / Hoare

3

Synthesizing Safe Bit-Precise Invariants

Gurfinkel, Belov, Marques-Silva

3

Programs, Cexs, Invariants

A program P = (V, Init, Tr, Bad)

P is UNSAFE if and only if there exists a number N s.t.

P is SAFE if and only if there exists a safe inductive invariant Inv s.t.

Inductive

Safe




4

Many conferences, techniques, tools …




5

But Bit-Precise Verification is Hard

Bounded Model Checking

• CBMC, Boolector , LLBMC, ESBMC, …

• efficient discovery of counter-examples

• no invariants!

Propositional Verification (Hardware)

• Interpolation, IC3, PDR, ABC, …

• efficient synthesis of propositional invariants

• does not scale to bit-precise verification of software

Linear Arithmetic Verification (Software)

• Impact, UFO, CPAChecker , Duality, Blast, GPDR, …

• efficient synthesis of arithmetic invariants

• not bit-precise (not sound!)

• is often sufficient (e.g., UFO at SVCOMP’13 and ‘14)




6

But aren’t bit-vectors = bit-blasting?




7

Typical Bit-vector Decision Procedure

Simplify

B2P

Bit-blast

SAT

B2P is satisfiability preserving (only!)

Bit-blast (by itself) is not efficient




8

Safety Verification by Bit-Blasting propositional verifier

Bit-blast Verify

Correct, but does not scale




9

Safety Verification by B2P

B2P Verify

Efficient, but…

• B2P only preserves satisfiability

• Original circuit is reduced (abstracted) too much

• Hard to track correspondence between input and output




10

Bit-blasting looses all structure!

Lack of structure makes it difficult to generalize




11

Our Key Idea: Use Generate and Check Alg.

Given an input program P with a safety property



Bad

1.

Generate a candidate invariant Cand by verifying



Bad on a “simpler” approximation P simple of P

2.

Compute the Maximal Inductive Subset Inv of Cand relative to P using bit-precise reasoning

3.

Strengthen Inv using a bit-precise (but possibly slow) verification engine until ( Inv

 

Bad)




12

M ISPER in a Nutshell

Needs

Adapt unsound arithmetic reasoning to guess bit-precise invariants

Program P

+

Property

Yes +

Certificate C

BIT

No + Cex

Unsound

Approximate

BIT Verifier

Invariant I

BIT

No + Cex

Program P

LA

LA Verifier

Candidate C

LA

Adapt using MIS

Sound




13

Approximate Bit-Vectors by Arithmetic

Bit-vector

Bool

Arithmetic

Approximate

Bool

Ignore (i.e., over-approximate) all bit-vector-specific operations

Unsound, but simple and efficient




14

Maximal Inductive Subset

Let L be a set of formulas, P=(V, Init, Tr, Bad) a program

A subset X of L is a maximal inductive subset iff it is the largest subset of X such that

A Maximal Inductive Subset is unique

• inductive invariants are closed under conjunction



15

Minimal Unsatisfiable Subset

Let

 be a formula and A = { a

1

, …, a n

} be atomic propositions occurring negatively in



Assume

 Æ a

1

Æ  Æ a n is UNSAT

A minimal unsatisfiable subset (MUS) of

 is the smallest subset X µ A such that

 Æ X is UNSAT

There are efficient algorithms for computing MUS (a.k.a. UNSAT core) for propositional formulas




16

Solving MIS via MUS

Reduce MIS to multiple calls to MUS called once incremental SAT

SAT MUS incremental SAT




17

Var-Equivalence

Let A and B be two formulas

Let X be a subset of propositional variables of A and B

Definition : A and B are var-equivalent relative to X if and only if for any satisfying assignment ¿ of X , A ¿ and B ¿ are equisatisfiable

Claim

B2P(



) is var-equivalent to

 relative to X = {post i

, pre i

}




18

Implementation

Misper is implemented in Python and relies on many external tools

• LLVM for handling C

• UFO-MUZ for LA invariants

• Boolector for B2P

• MUSer2 for MUS step in MIS

• Z3 for SMT and HORN




19

Results Summary bit width inst.

cnt Z3/PDR

#sol (avg/med)

Misper

#sol (avg/med)

Cand

#sol (avg/med)

MIS

#sol (avg/med)

9 (392/134) all 214 116 (127/8) 174 (28/0.4) 165 (8/0.4)

32 unsol 98 -58 (75/1) 52 (22/0.7) 6 (544/366) all 214 165 (176/8) 182 (69/0.4) 165 (8/0.4) 17 (661/399)

16 unsol 49 -18 (624/376) 6 (50/21) 12 (911/1,094)

214 SAFE benchmarks from SVCOMP’2013

• includes all non-trivial SAFE benchmarks

All times are in seconds




20

Detailed Results (16 bits)




21

FrankenBit

: Bit-Precise Verification w/ Many Bits

M ISPER to synthesize bit-precise invariants

LLBMC to search for counterexamples

Silver and Bronze medals at SV-COMP 2014 http://sv-comp.sosy-lab.org/2014/results/index.php




22

Related Work

Cormac Flanagan, K. Rustan M. Leino: Houdini, an Annotation

Assistant for ESC/Java . FME 2001.

• (the first?) algorithm for computing Maximal Inductive Subset

Randal E. Bryant, Daniel Kroening, Joël Ouaknine, Sanjit A. Seshia,

Ofer Strichman, Bryan A. Brady: Deciding Bit-Vector Arithmetic with

Abstraction . TACAS 2007.

• sound under-approximation of bit-vector formulas by shrinking bit-width

Alberto Griggio: Effective word-level interpolation for software verification . FMCAD 2011.

• mostly sound over-approximation of bit-vector formulas by arithmetic

• but, also uses unsound approximation followed by a sound check




23

Conclusion

Sound reasoning from unsound approximations

• Use Linear Arithmetic to guess good invariants

• Use efficient bit-vector decision procedures to validate invariants

• Use efficient propositional Minimal Unsatisfiable Subset extractor to find

Maximal Inductive Subset

• Use inefficient bit-precise reasoning to complete the proof

Works well on SV-COMP (non bit-vector specific) benchmarks

• probably because the properties are mostly bit-vector agnostic

• e.g., API usage in Linux Device Drivers

Integrated in FrankenBit: http://arieg.bitbucket.org/fbit




24

Future Work

We have just scratched the surface…

CounterExample Guided Approximation-Refinement Loop

• block a counterexample by partial bit-blasting

• partially embed bit-vectors into integer arithmetic

Better approximations

• such as in related work, e.g., Griggio, and Bryant et al.

Adapt lemmas

• account for bit-width, overflow, and upper bound

• e.g., replace x > 0 with x > 0 & x <= INT_MAX

Tighter integration with fixedpoint solver




25




26

Contact Information

Arie Gurfinkel

Senior Researcher

SEI / CMU

Telephone: +1 412-268-5800

Email: info@sei.cmu.edu

Web www.sei.cmu.edu

www.sei.cmu.edu/contact.cfm

U.S. Mail

Software Engineering Institute

Customer Relations

4500 Fifth Avenue

Pittsburgh, PA 15213-2612

USA

Customer Relations

Email: info@sei.cmu.edu

Telephone: +1 412-268-5800

SEI Phone: +1 412-268-5800

SEI Fax: +1 412-268-6257




27

Synthesizing Safe Bit-Precise Invariants - Arie Gurfinkel

But aren’t bit-vectors = bit-blasting?

Simplify

Bit-blast

SAT

FrankenBit

Related documents

Products

Support

Synthesizing Safe Bit-Precise Invariants - Arie Gurfinkel

But aren’t bit-vectors = bit-blasting?

Simplify

Bit-blast

SAT

FrankenBit

Related documents

Add this document to collection(s)

Add this document to saved

Suggest us how to improve StudyLib