lazy abstraction lecture 2: modular analyses ranjit jhala uc san diego with: tom henzinger, rupak...

Post on 21-Dec-2015

TRANSCRIPT

• Slide 1
• Lazy Abstraction Lecture 2: Modular Analyses Ranjit Jhala UC San Diego With: Tom Henzinger, Rupak Majumdar, Ken McMillan, Gregoire Sutre
• Slide 2
• Program Verification by Lazy Abstraction Ranjit Jhala UC San Diego Lecture 1 With: Tom Henzinger, Rupak Majumdar, Ken McMillan, Gregoire Sutre
• Slide 3
• Last lecture: Lazy Abstraction for Sequential Programs
  - Predicates: abstract infinite program states
  - Counterexample-guided refinement: find predicates tailored to the program and the property
  - 1. Abstraction: expensive reachability tree
  - 2. Refinement: find predicates, use locations; proof of unsat of the trace formula (TF) + interpolation
• Slide 4
• This Lecture: Modular Analyses
  - Procedures: summaries
  - Concurrency: thread-context reasoning
• Slide 5
• An example
      main(){
      1: if (flag){
      2:   y = inc(x,flag);
      3:   if (y=z) ERROR;
         }
         return;
      }

      inc(int a, int sign){
      1: if (sign){
      2:   rv = a+1;
         } else {
      3:   rv = a-1;
         }
      4: return rv;
      }
• Slide 6
• Inline Calls in Reach Tree (program of Slide 5)
  [Figure: reachability tree with the call to inc inlined; nodes labelled Initial, 1, 2, 1,2, 2,2, 4,2, 3,2, 4,2, 3, 3, 4, 1,4, 2,4, 4,4, 3,4, 4,4, 5, 5]
• Slide 7
• Inline Calls in Reach Tree
  [Figure: same reachability tree as Slide 6]
  Problem:
  - Repeated analysis for inc
  - Exploding call contexts
      int x; //global
      f1(){
      1: x = 0;
      2: if(*) f2();
      3: else f2();
      4: if (x a) (sign = 0 rv < a)
  Q. How to compute, use summaries?
• Slide 11
• Lazy Abstraction + Procedure Summaries
  [Figure: CEGAR loop: C Program + Property into Abstract; Yes: Safe; No: Refine, Trace]
  Q. How to compute, use summaries?
• Slide 12
• Abstraction with Summaries (program of Slide 5)
  Reach tree: main 1, 2
  Predicates: flag=0, y>x, ya, rv
• Slide 13
• Abstraction with Summaries (program of Slide 5)
  Reach tree: main 1, 2; inc 1, 2, 4
  Predicates: flag=0, y>x, ya, rva
  Summary: ( : sign=0 rv>a),
• Slide 14
• Summary Successor (program of Slide 5)
  Reach tree: main 1, 2; inc 1, 2, 4
  Predicates: flag=0, y>x, ya, rva
  Summary: ( : sign=0 rv>a),
  Summary successor (main 2 to 3): a=x, sign=flag, assume rv>a, y=rv; result y>x
• Slide 15
• Abstraction with Summaries (program of Slide 5)
  Reach tree: main 1, 2, 3; inc 1, 2, 4
  Predicates: flag=0, y>x, ya, rva
  Summary: ( : sign=0 rv>a),
  3: y>x [y
• Abstraction with Summaries (program of Slide 5)
  Reach tree: main 1, 2, 4; inc 1, 2, 4
  Predicates: flag=0, y>x, ya, rva
  Summary: ( : sign=0 rv>a), (sign=0 rvx 3 4 flag=0 a=x sign=flag sign=0 1 2 3 4 rv
• Summary Successor (program of Slide 5)
  Reach tree: main 1, 2, 4; inc 1, 2, 4
  Predicates: flag=0, y>x, ya, rva
  Summary: ( : sign=0 rv>a), (sign=0 rvx 3 4 flag=0 1 sign=0 2 3 4 rv
• Abstraction with Summaries (program of Slide 5)
  Reach tree: main 1, 2, 4; inc 1, 2, 4
  Predicates: flag=0, y>x, ya, rva
  Summary: ( : sign=0 rv>a), (sign=0 rvx 3 4 flag=0 1 sign=0 2 3 4 rv
• Another Call (main extended with a second call site)
      main(){
      1: if (flag){
      2:   y = inc(x,flag);
      3:   if (y=z) ERROR;
         }
      6: y1 = inc(z1,1);
      7: if (y1a), (sign=0 rvx 3 4 flag=0 1 sign=0 2 3 4 rva, rv
• Another Call
  Predicates: flag=0, y>x, ya, rva
  Summary: ( : sign=0 rv>a), (sign=0 rvx 3 4 flag=0 1 sign=0 2 3 4 rvz1
  SAFE
  Note: Predicates are well-scoped
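The summary-successor step of Slides 12 to 20, as an added example that is not code from the lecture or from BLAST: a summary of inc is held as (precondition over the formals, postcondition over the formals and rv), and a call site is stepped by binding formals to actuals, checking the precondition, assuming the postcondition and binding the result to rv. The predicate language, the syntactic entailment check that stands in for the theorem prover, and the function names are all assumptions of this example.

```python
import re

def subst(pred, mapping):
    """Rename identifiers in a predicate: 'rv>a' under {'a': 'x', 'rv': 'y'} becomes 'y>x'."""
    return re.sub(r"[A-Za-z_]\w*", lambda m: mapping.get(m.group(0), m.group(0)), pred)

def entails(state, pred):
    """Does the abstract state imply pred? Stand-in for the prover call: pred is either
    already a fact of the state or a ground literal such as '1!=0' that we evaluate."""
    if pred in state:
        return True
    m = re.fullmatch(r"(-?\d+)(!=|<=|>=|=|<|>)(-?\d+)", pred)
    if not m:
        return False
    l, op, r = int(m.group(1)), m.group(2), int(m.group(3))
    return {"=": l == r, "!=": l != r, "<": l < r, ">": l > r, "<=": l <= r, ">=": l >= r}[op]

# Summaries of inc(a, sign) as the lecture derives them, one per branch explored:
# (precondition over the formals, postcondition over the formals and rv).
INC_FORMALS = ("a", "sign")
INC_SUMMARIES = [
    ({"sign!=0"}, {"rv>a"}),   # then-branch: rv = a+1
    ({"sign=0"}, {"rv<a"}),    # else-branch: rv = a-1
]

def summary_successor(state, summaries, formals, actuals, result):
    """Abstract successor of `result = callee(actuals)` via a summary (Slide 14):
    formals := actuals, check the precondition, assume the postcondition, result := rv.
    Returns (new_state, summary) or (None, None) when no summary applies, which is the
    case where the callee has to be explored and a new summary recorded."""
    bind_in = dict(zip(formals, actuals))
    for pre, post in summaries:
        if all(entails(state, subst(p, bind_in)) for p in pre):
            bind_out = dict(bind_in, rv=result)
            return frozenset(state) | {subst(p, bind_out) for p in post}, (pre, post)
    return None, None

def well_scoped(state, callee_locals):
    """True if no predicate of the caller's state mentions a callee local (a, sign, rv)."""
    names = {n for p in state for n in re.findall(r"[A-Za-z_]\w*", p)}
    return not (names & set(callee_locals))

def analyse_main():
    """Both call sites of inc in main, served by the same summaries: inc is not re-explored."""
    # 1: assume(flag != 0); 2: y = inc(x, flag)
    s1, used1 = summary_successor(frozenset({"flag!=0"}), INC_SUMMARIES, INC_FORMALS, ("x", "flag"), "y")
    # 6: y1 = inc(z1, 1): the precondition instantiates to the ground literal 1!=0
    s2, used2 = summary_successor(s1, INC_SUMMARIES, INC_FORMALS, ("z1", "1"), "y1")
    return s1, s2, (used1 is not None, used2 is not None)
```

The second call site is served by a summary recorded while exploring the first, and the resulting caller facts (y>x, y1>z1) mention no callee local, which is the well-scoping the slides note.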
• Slide 21
• Lazy Abstraction + Procedure Summaries
  [Figure: CEGAR loop: C Program + Property into Abstract; Yes: Safe; No: Refine, Trace]
  Q. How to find scoped predicates?
• Slide 22
• Traces with Procedure Calls
  [Figure: trace and trace formula, cut at point i] Find predicate needed at point i
      pc1:  x1 = 3
      pc2:  assume(x1 > 0)
      pc3:  x3 = f1(x1)
      pc4:  y2 = y1
      pc5:  y3 = f2(y2)
      pc6:  z2 = z1 + 1
      pc7:  z3 = 2*z2
      pc8:  return z3
      pc9:  return y3
      pc10: x4 = x3 + 1
      pc11: x5 = f3(x4)
      pc12: assume(w1 5
      pc15: assume(x1 = x3 + 2)
• Slide 23
• Interprocedural Analysis
  [Figure: trace and trace formula, cut at point i] Find predicate needed at point i
  Require at each point i: scoped predicates
  - YES: variables visible at i
  - NO: caller's local variables
• Slide 24
• Problems with Cutting
  [Figure: trace formula cut at point i into a - part and a + part]
  Caller variables common to - and + give an unsuitable interpolant: not well-scoped
• Slide 25
• Scoped Cuts
  [Figure: trace formula cut at point i, with the cut starting where the call begins]
• Slide 26
• Scoped Cuts
  [Figure: - and + parts of the trace formula between "Call begins" and point i]
  Predicate at pc i = interpolant from cut i
• Slide 27
• Common Variables
  [Figure: for the i-cut of the trace formula, the variables common to - and + are the formals and the current locals]
  Predicate at pc i = interpolant from i-cut: well-scoped
• Slide 28
• Example Trace
      m1: assume(flag!=0)
      m2: y = inc(x,flag)
      i1: assume(sign!=0)
      i2: rv = a+1
      i4: return rv
      m3: assume(y