
Lazy Abstraction Lecture 2: Modular Analyses. Ranjit Jhala, UC San Diego. With: Tom Henzinger, Rupak Majumdar, Ken McMillan, Gregoire Sutre

Posted on 21-Dec-2015


TRANSCRIPT

  • Slide 1
  • Lazy Abstraction Lecture 2: Modular Analyses Ranjit Jhala UC San Diego With: Tom Henzinger, Rupak Majumdar, Ken McMillan, Gregoire Sutre
  • Slide 2
  • Program Verification by Lazy Abstraction Ranjit Jhala UC San Diego Lecture 1 With: Tom Henzinger, Rupak Majumdar, Ken McMillan, Gregoire Sutre
  • Slide 3
  • Last lecture: Lazy Abstraction for Sequential Programs. Predicates: abstract infinite program states. Counterexample-guided Refinement: find predicates tailored to program and property. 1. Abstraction: expensive reachability tree. 2. Refinement: find predicates, use locations; proof of unsat of TF + interpolation.
  • Slide 4
  • This Lecture: Modular Analyses. Procedures: Summaries. Concurrency: Thread-Context Reasoning.
  • Slide 5
  • An example: main(){ 1: if (flag){ 2: y = inc(x,flag); 3: if (y=z) ERROR; } return; } inc(int a, int sign){ 1: if (sign){ 2: rv = a+1; } else { 3: rv = a-1; } 4: return rv; }
  • Slide 6
  • Inline Calls in Reach Tree: main(){ 1: if (flag){ 2: y = inc(x,flag); 3: if (y=z) ERROR; } return; } inc(int a, int sign){ 1: if (sign){ 2: rv = a+1; } else { 3: rv = a-1; } 4: return rv; } Reach tree (diagram nodes): 1 2 1,2 Initial 2,2 4,2 3,2 4,2 3 3 4 1,4 2,4 4,4 3,4 4,4 5 5
  • Slide 7
  • Inline Calls in Reach Tree. Reach tree (diagram nodes): 1 2 1,2 Initial 2,2 4,2 3,2 4,2 3 3 4 1,4 2,4 4,4 3,4 4,4 5 5. Problem: repeated analysis for inc; exploding call contexts. int x; //global f1(){ 1: x = 0; 2: if(*) f2(); 3: else f2(); 4: if (x a) (sign = 0 rv < a) Q. How to compute, use summaries?
  • Slide 11
  • Lazy Abstraction + Procedure Summaries (diagram: C Program, Property, Abstract, Refine, Safe, Trace, Yes, No). Q. How to compute, use summaries?
  • Slide 12
  • Abstraction with Summaries: main(){ 1: if (flag){ 2: y = inc(x,flag); 3: if (y=z) ERROR; } return; } inc(int a, int sign){ 1: if (sign){ 2: rv = a+1; } else { 3: rv = a-1; } 4: return rv; } 1 2 main Predicates: flag=0, y>x, ya, rv
  • Slide 13
  • Abstraction with Summaries: main(){ 1: if (flag){ 2: y = inc(x,flag); 3: if (y=z) ERROR; } return; } inc(int a, int sign){ 1: if (sign){ 2: rv = a+1; } else { 3: rv = a-1; } 4: return rv; } 1 2 1 main 2 4 Predicates: flag=0, y>x, ya, rva Summary: ( : sign=0 rv>a),
  • Slide 14
  • Summary Successor: main(){ 1: if (flag){ 2: y = inc(x,flag); 3: if (y=z) ERROR; } return; } inc(int a, int sign){ 1: if (sign){ 2: rv = a+1; } else { 3: rv = a-1; } 4: return rv; } 1 2 1 main 2 4 Predicates: flag=0, y>x, ya, rva Summary: ( : sign=0 rv>a), 3 a=x sign=flag y>x assume rv>a y=rv
  • Slide 15
  • Abstraction with Summaries: main(){ 1: if (flag){ 2: y = inc(x,flag); 3: if (y=z) ERROR; } return; } inc(int a, int sign){ 1: if (sign){ 2: rv = a+1; } else { 3: rv = a-1; } 4: return rv; } 1 2 1 main 2 4 Predicates: flag=0, y>x, ya, rva Summary: ( : sign=0 rv>a), 3 y>x [y
  • Abstraction with Summaries: main(){ 1: if (flag){ 2: y = inc(x,flag); 3: if (y=z) ERROR; } return; } inc(int a, int sign){ 1: if (sign){ 2: rv = a+1; } else { 3: rv = a-1; } 4: return rv; } 1 2 1 main 2 4 Predicates: flag=0, y>x, ya, rva Summary: ( : sign=0 rv>a), (sign=0 rvx 3 4 flag=0 a=x sign=flag sign=0 1 2 3 4 rv
  • Summary Successor: main(){ 1: if (flag){ 2: y = inc(x,flag); 3: if (y=z) ERROR; } return; } inc(int a, int sign){ 1: if (sign){ 2: rv = a+1; } else { 3: rv = a-1; } 4: return rv; } 1 2 1 main 2 4 Predicates: flag=0, y>x, ya, rva Summary: ( : sign=0 rv>a), (sign=0 rvx 3 4 flag=0 1 sign=0 2 3 4 rv
  • Abstraction with Summaries: main(){ 1: if (flag){ 2: y = inc(x,flag); 3: if (y=z) ERROR; } return; } inc(int a, int sign){ 1: if (sign){ 2: rv = a+1; } else { 3: rv = a-1; } 4: return rv; } 1 2 1 main 2 4 Predicates: flag=0, y>x, ya, rva Summary: ( : sign=0 rv>a), (sign=0 rvx 3 4 flag=0 1 sign=0 2 3 4 rv
  • Another Call main(){ 1: if (flag){ 2: y = inc(x,flag); 3: if (y=z) ERROR; } 6: y1 = inc(z1,1); 7: if (y1a), (sign=0 rvx 3 4 flag=0 1 sign=0 2 3 4 rva, rv
  • Another Call main(){ 1: if (flag){ 2: y = inc(x,flag); 3: if (y=z) ERROR; } 6: y1 = inc(z1,1); 7: if (y1a, rva Summary: ( : sign=0 rv>a), (sign=0 rvx 3 4 flag=0 1 sign=0 2 3 4 rvz1 SAFE Note: Predicates are well-scoped
  • Slide 21
  • Lazy Abstraction + Procedure Summaries (diagram: C Program, Property, Abstract, Refine, Safe, Trace, Yes, No). Q. How to find scoped predicates?
  • Slide 22
  • Traces with Procedure Calls (diagram: Trace Formula, Trace, point i). Find predicate needed at point i. Trace: pc1: x1 = 3; pc2: assume (x1 > 0); pc3: x3 = f1(x1); pc4: y2 = y1; pc5: y3 = f2(y2); pc6: z2 = z1+1; pc7: z3 = 2*z2; pc8: return z3; pc9: return y3; pc10: x4 = x3+1; pc11: x5 = f3(x4); pc12: assume(w1 5 pc15: assume (x1 = x3+2)
  • Slide 23
  • Interprocedural Analysis (diagram: Trace Formula, Trace, point i). Find predicate needed at point i. Require at each point i: scoped predicates. YES: variables visible at i. NO: caller's local variables.
  • Slide 24
  • Problems with Cutting (diagram: Trace Formula, Trace, cut at point i into - and + parts). Caller variables common to - and +: unsuitable interpolant, not well-scoped.
  • Slide 25
  • Scoped Cuts (diagram: Trace Formula and Trace, with point i and the point where the call begins marked).
  • Slide 26
  • Scoped Cuts (diagram: Trace Formula and Trace, point i, call begins, - and + parts). Predicate at pc i = Interpolant from cut i.
  • Slide 27
  • Common Variables (diagram: Trace Formula and Trace, point i, - and + parts). Predicate at pc i = Interpolant from i-cut. Common variables: formals, current locals. Well-scoped.
  • Slide 28
  • Example Trace m1: assume(flag!=0) m2: y=inc(x,flag) i1: assume(sign!=0) i2: rv = a+1 i4: return rv m3: assume(y
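The summary computation and summary successor of slides 12 to 20, as an added Python example that is not part of the lecture slides or of any verifier the lecture describes. It uses the slides' predicates sign=0, rv>a, rv<a and the call-site binding a=x, sign=flag, y=rv from slide 14; the function names, the predicate-string encoding of abstract states and the enumeration of a small constructed input domain in place of an abstract post operator are this example's own assumptions.

```python
import re
from itertools import product

def inc(a, sign):
    """The inc() procedure from the slides."""
    return a + 1 if sign else a - 1

# The slides' predicates: sign=0 over the formals, rv>a and rv<a over the
# formals plus the return value. Each is a name plus a concrete evaluator.
PRE_PREDS = {"sign=0": lambda a, sign: sign == 0}
POST_PREDS = {"rv>a": lambda a, rv: rv > a, "rv<a": lambda a, rv: rv < a}

def abstract(preds, *state):
    """Abstract a concrete state to the set of predicates it satisfies."""
    return frozenset(name for name, holds in preds.items() if holds(*state))

def compute_summary(proc, domain=range(-4, 5)):
    """Summary of proc: abstract pre-state -> abstract post-states it can reach.
    Assumption of this example: enumerating a small constructed input domain
    stands in for the abstract post operator (no theorem prover here)."""
    summary = {}
    for a, sign in product(domain, repeat=2):
        pre = abstract(PRE_PREDS, a, sign)
        post = abstract(POST_PREDS, a, proc(a, sign))
        summary.setdefault(pre, set()).add(post)
    return summary

def rename(pred, mapping):
    """Rewrite variables in a predicate string: rv>a with {rv: y, a: x} gives y>x."""
    pattern = r"\b(%s)\b" % "|".join(map(re.escape, mapping))
    return re.sub(pattern, lambda m: mapping[m.group(1)], pred)

def summary_successor(summary, caller_state, binding, lhs):
    """Summary successor (slide 14): bind formals to actuals, keep the summary
    entries whose pre-state agrees with what the caller knows, assume their
    post-condition, and rename rv to the variable assigned at the call site.
    caller_state maps a caller predicate to True/False; absent means unknown."""
    successors = set()
    for pre, posts in summary.items():
        agrees = all(caller_state.get(rename(p, binding)) in (None, p in pre)
                     for p in PRE_PREDS)
        if agrees:
            out = dict(binding, rv=lhs)
            successors |= {frozenset(rename(p, out) for p in post) for post in posts}
    return successors

if __name__ == "__main__":  # slide 14: under flag!=0 the summary gives y>x
    print(summary_successor(compute_summary(inc), {"flag=0": False},
                            {"a": "x", "sign": "flag"}, "y"))
```

When the caller knows nothing about flag, both summary entries apply and the successor set contains y>x and y<x, which is why the slides track flag=0 in main.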
