Predicate Abstraction with SATABS Version 1.0, 2010 Outline - PowerPoint PPT Presentation

Another Property ✔ ✔ x = 2 x = 2 x = 0 y = 0 y = 1 y = 0 p 1 , ¬ p 2 ¬ p 1 , p 2 p 1 , p 2 ✘ x = 1 x = 1 x = 1 y = 0 y = 1 y = 2 ¬ p 1 , ¬ p 2 Property: But: the counterexample is spurious ⇐ ⇒ x > y p 1 Predicate Abstraction with SATABS – http://www.cprover.org/ 20

SLAM ◮ Microsoft blames most Windows crashes on third party device drivers ◮ The Windows device driver API is quite complicated ◮ Drivers are low level C code ◮ SLAM: Tool to automatically check device drivers for certain errors ◮ SLAM is shipped with Device Driver Development Kit ◮ Full detail available at http://research.microsoft.com/slam/ Predicate Abstraction with SATABS – http://www.cprover.org/ 21

SLIC ◮ Finite state language for defining properties ◮ Monitors behavior of C code ◮ Temporal safety properties (security automata) ◮ familiar C syntax ◮ Suitable for expressing control-dominated properties ◮ e.g., proper sequence of events ◮ can track data values Predicate Abstraction with SATABS – http://www.cprover.org/ 22

SLIC Example state { enum { Locked , Unlocked } s = Unlocked ; } acq KeAcquireSpinLock . entry { unlocked locked i f ( s==Locked ) abort ; rel else s = Locked ; } KeReleaseSpinLock . entry { i f ( s==Unlocked ) abort ; else s = Unlocked ; }

SLIC Example state { enum { Locked , Unlocked } s = Unlocked ; } acq KeAcquireSpinLock . entry { unlocked locked i f ( s==Locked ) abort ; rel else s = Locked ; acq rel } error KeReleaseSpinLock . entry { i f ( s==Unlocked ) abort ; else s = Unlocked ; } Predicate Abstraction with SATABS – http://www.cprover.org/ 23

Refinement Example do { KeAcquireSpinLock (); nPacketsOld = nPackets; if (request) { request = request − > Next; KeReleaseSpinLock (); nPackets++; } } while (nPackets != nPacketsOld); KeReleaseSpinLock (); Predicate Abstraction with SATABS – http://www.cprover.org/ 24

Refinement Example do { KeAcquireSpinLock (); nPacketsOld = nPackets; if (request) { Does this code request = request − > Next; obey the locking KeReleaseSpinLock (); rule? nPackets++; } } while (nPackets != nPacketsOld); KeReleaseSpinLock (); Predicate Abstraction with SATABS – http://www.cprover.org/ 24

Refinement Example do { KeAcquireSpinLock (); if ( ∗ ) { KeReleaseSpinLock (); } } while ( ∗ ); KeReleaseSpinLock (); Predicate Abstraction with SATABS – http://www.cprover.org/ 25

Refinement Example do { U KeAcquireSpinLock (); L L if ( ∗ ) { L KeReleaseSpinLock (); U } L U } while ( ∗ ); L U KeReleaseSpinLock (); U E Predicate Abstraction with SATABS – http://www.cprover.org/ 25

Refinement Example do { U U KeAcquireSpinLock (); L L L L if ( ∗ ) { L L KeReleaseSpinLock (); U U } L U U } while ( ∗ ); L U U KeReleaseSpinLock (); U E E Predicate Abstraction with SATABS – http://www.cprover.org/ 25

Refinement Example do { U U KeAcquireSpinLock (); L L L L if ( ∗ ) { L L KeReleaseSpinLock (); U U } L U U } while ( ∗ ); L U U Is this path KeReleaseSpinLock (); concretizable? U E E Predicate Abstraction with SATABS – http://www.cprover.org/ 25

Refinement Example do { U U KeAcquireSpinLock (); L L nPacketsOld = nPackets; L L if (request) { request = request − > Next; L L KeReleaseSpinLock (); U U nPackets++; } L U U } while (nPackets != nPacketsOld); L U U KeReleaseSpinLock (); U E E Predicate Abstraction with SATABS – http://www.cprover.org/ 26

Refinement Example do { U U KeAcquireSpinLock (); L L nPacketsOld = nPackets; L L if (request) { request = request − > Next; L L KeReleaseSpinLock (); U U nPackets++; } L U U } while (nPackets != nPacketsOld); L U U This path is KeReleaseSpinLock (); spurious! U E E Predicate Abstraction with SATABS – http://www.cprover.org/ 26

Refinement Example do { U U KeAcquireSpinLock (); L L nPacketsOld = nPackets; L L if (request) { request = request − > Next; L L KeReleaseSpinLock (); U U nPackets++; } L U U } while (nPackets != nPacketsOld); L U U Let’s add the predicate KeReleaseSpinLock (); nPacketsOld==nPackets U E E Predicate Abstraction with SATABS – http://www.cprover.org/ 26

Refinement Example do { U U KeAcquireSpinLock (); L L nPacketsOld = nPackets; b=true; L L if (request) { request = request − > Next; L L KeReleaseSpinLock (); U U nPackets++; } L U U } while (nPackets != nPacketsOld); L U U Let’s add the predicate KeReleaseSpinLock (); nPacketsOld==nPackets U E E Predicate Abstraction with SATABS – http://www.cprover.org/ 26

Refinement Example do { U U KeAcquireSpinLock (); L L nPacketsOld = nPackets; b=true; L L if (request) { request = request − > Next; L L KeReleaseSpinLock (); U U nPackets++; b=b?false: ∗ ; } L U U } while (nPackets != nPacketsOld); !b L U U Let’s add the predicate KeReleaseSpinLock (); nPacketsOld==nPackets U E E Predicate Abstraction with SATABS – http://www.cprover.org/ 26

Refinement Example do { U KeAcquireSpinLock (); L b=true; L if ( ∗ ) { L KeReleaseSpinLock (); U b=b?false: ∗ ; } L U } while ( !b ); L U KeReleaseSpinLock (); U E Predicate Abstraction with SATABS – http://www.cprover.org/ 27

Refinement Example do { U KeAcquireSpinLock (); L b=true; L b if ( ∗ ) { L KeReleaseSpinLock (); U b=b?false: ∗ ; } L U } while ( !b ); L U KeReleaseSpinLock (); U E Predicate Abstraction with SATABS – http://www.cprover.org/ 27

Refinement Example do { U KeAcquireSpinLock (); L b=true; L b if ( ∗ ) { L KeReleaseSpinLock (); U b=b?false: ∗ ; } L U b } while ( !b ); L U b KeReleaseSpinLock (); U E b Predicate Abstraction with SATABS – http://www.cprover.org/ 27

Refinement Example do { U KeAcquireSpinLock (); L b=true; L b if ( ∗ ) { L b KeReleaseSpinLock (); U b b=b?false: ∗ ; } L U b !b } while ( !b ); L U b KeReleaseSpinLock (); U E b Predicate Abstraction with SATABS – http://www.cprover.org/ 27

Refinement Example do { U KeAcquireSpinLock (); L b=true; L b if ( ∗ ) { L b KeReleaseSpinLock (); U b b=b?false: ∗ ; } L U b !b } while ( !b ); L U b KeReleaseSpinLock (); U E b Predicate Abstraction with SATABS – http://www.cprover.org/ 27

Refinement Example do { U KeAcquireSpinLock (); L b=true; L b if ( ∗ ) { L b KeReleaseSpinLock (); U b b=b?false: ∗ ; } L U b !b } while ( !b ); L U b KeReleaseSpinLock (); The property holds! U E b Predicate Abstraction with SATABS – http://www.cprover.org/ 27

Counterexample-guided Abstraction Refinement ◮ ”CEGAR” ◮ An iterative method to compute a sufficiently precise abstraction ◮ Initially applied in the context of hardware [Kurshan] Predicate Abstraction with SATABS – http://www.cprover.org/ 28

CEGAR Overview C program 1 . ) Compute 2 . ) Check Abstraction Abstraction [no error] OK 4 . ) Refine 3 . ) Check Predicates Feasibility [feasible] report counterexample Predicate Abstraction with SATABS – http://www.cprover.org/ 29

Counterexample-guided Abstraction Refinement Claims: 1. This never returns a false error. 2. This never returns a false proof. 3. This is complete for finite-state models. 4. But: no termination guarantee in case of infinite-state systems Predicate Abstraction with SATABS – http://www.cprover.org/ 30

Computing Existential Abstractions of Programs C program 1 . ) Compute 2 . ) Check Abstraction Abstraction [no error] OK 4 . ) Refine 3 . ) Check Predicates Feasibility [feasible] report counterexample Predicate Abstraction with SATABS – http://www.cprover.org/ 31

Computing Existential Abstractions of Programs void main ( ) { bool p1 , p2 ; int main ( ) { int i ; p1=TRUE; p2=TRUE; i =0; while ( p2 ) { while ( even ( i ) ) p1= p1 ? FALSE : * ; i ++; p2= !p2 ; } } } C Program Predicate Abstraction with SATABS – http://www.cprover.org/ 32

Computing Existential Abstractions of Programs void main ( ) { bool p1 , p2 ; int main ( ) { int i ; p1=TRUE; p2=TRUE; p 1 ⇐ ⇒ i = 0 i =0; + p 2 ⇐ ⇒ even ( i ) while ( p2 ) { while ( even ( i ) ) p1= p1 ? FALSE : * ; i ++; p2= !p2 ; } } } C Program Predicates Predicate Abstraction with SATABS – http://www.cprover.org/ 32

Computing Existential Abstractions of Programs void main ( ) { bool p1 , p2 ; int main ( ) { int i ; p1=TRUE; p2=TRUE; p 1 ⇐ ⇒ i = 0 i =0; + p 2 ⇐ ⇒ even ( i ) while ( p2 ) { while ( even ( i ) ) p1= p1 ? FALSE : * ; i ++; p2= !p2 ; } } } C Program Predicates Boolean Program Predicate Abstraction with SATABS – http://www.cprover.org/ 32

Computing Existential Abstractions of Programs void main ( ) { bool p1 , p2 ; int main ( ) { int i ; p1=TRUE; p2=TRUE; p 1 ⇐ ⇒ i = 0 i =0; + p 2 ⇐ ⇒ even ( i ) while ( p2 ) { while ( even ( i ) ) p1= p1 ? FALSE : * ; i ++; p2= !p2 ; } } } C Program Predicates Boolean Program Minimal? Predicate Abstraction with SATABS – http://www.cprover.org/ 32

Predicate Images Reminder: Image ( X ) = { s ′ ∈ S | ∃ s ∈ X. T ( s, s ′ ) } We need s ′ ∈ ˆ Image ( ˆ � s ∈ ˆ X. ˆ s ′ ) } X ) = { ˆ S | ∃ ˆ T (ˆ s, ˆ Image ( ˆ � X ) is equivalent to s ′ ∈ ˆ S 2 | ∃ s, s ′ ∈ S 2 . α ( s ) = ˆ s ′ ∧ T ( s, s ′ ) } s ∧ α ( s ′ ) = ˆ { ˆ s, ˆ This is called the predicate image of T . Predicate Abstraction with SATABS – http://www.cprover.org/ 33

Enumeration ◮ Let’s take existential abstraction seriously ◮ Basic idea: with n predicates, there are 2 n · 2 n possible abstract transitions ◮ Let’s just check them! Predicate Abstraction with SATABS – http://www.cprover.org/ 34

Enumeration: Example Predicates p 1 ⇐ ⇒ i = 1 p 2 ⇐ ⇒ i = 2 p 3 ⇐ ⇒ even ( i )

Enumeration: Example Predicates Basic Block p 1 ⇐ ⇒ i = 1 p 2 ⇐ ⇒ i = 2 i++; p 3 ⇐ ⇒ even ( i )

Enumeration: Example Predicates Basic Block T p 1 ⇐ ⇒ i = 1 i ′ = i + 1 p 2 ⇐ ⇒ i = 2 i++; p 3 ⇐ ⇒ even ( i )

Enumeration: Example Predicates Basic Block T p 1 ⇐ ⇒ i = 1 i ′ = i + 1 p 2 ⇐ ⇒ i = 2 i++; p 3 ⇐ ⇒ even ( i ) p ′ p ′ p ′ p 1 p 2 p 3 1 2 3 0 0 0 0 0 0 0 0 1 0 0 1 0 1 0 0 1 0 0 1 1 0 1 1 1 0 0 1 0 0 1 0 1 1 0 1 1 1 0 1 1 0 1 1 1 1 1 1

Enumeration: Example Predicates Basic Block T p 1 ⇐ ⇒ i = 1 i ′ = i + 1 p 2 ⇐ ⇒ i = 2 i++; p 3 ⇐ ⇒ even ( i ) p ′ p ′ p ′ p 1 p 2 p 3 1 2 3 ? 0 0 0 0 0 0 0 0 1 0 0 1 0 1 0 0 1 0 0 1 1 0 1 1 1 0 0 1 0 0 1 0 1 1 0 1 1 1 0 1 1 0 1 1 1 1 1 1

Enumeration: Example Predicates Basic Block T p 1 ⇐ ⇒ i = 1 i ′ = i + 1 p 2 ⇐ ⇒ i = 2 i++; p 3 ⇐ ⇒ even ( i ) p ′ p ′ p ′ p 1 p 2 p 3 Query to Solver 1 2 3 ? 0 0 0 0 0 0 i � = 1 ∧ i � = 2 ∧ even ( i ) ∧ 0 0 1 0 0 1 i ′ = i + 1 ∧ 0 1 0 0 1 0 i ′ � = 1 ∧ i ′ � = 2 ∧ even ( i ′ ) 0 1 1 0 1 1 1 0 0 1 0 0 1 0 1 1 0 1 1 1 0 1 1 0 1 1 1 1 1 1 Predicate Abstraction with SATABS – http://www.cprover.org/ 35

Enumeration: Example Predicates Basic Block T p 1 ⇐ ⇒ i = 1 i ′ = i + 1 p 2 ⇐ ⇒ i = 2 i++; p 3 ⇐ ⇒ even ( i ) p ′ p ′ p ′ p 1 p 2 p 3 Query to Solver 1 2 3 ✘ 0 0 0 0 0 0 i � = 1 ∧ i � = 2 ∧ even ( i ) ∧ 0 0 1 0 0 1 i ′ = i + 1 ∧ 0 1 0 0 1 0 i ′ � = 1 ∧ i ′ � = 2 ∧ even ( i ′ ) 0 1 1 0 1 1 1 0 0 1 0 0 1 0 1 1 0 1 1 1 0 1 1 0 1 1 1 1 1 1 Predicate Abstraction with SATABS – http://www.cprover.org/ 35

Enumeration: Example Predicates Basic Block T p 1 ⇐ ⇒ i = 1 i ′ = i + 1 p 2 ⇐ ⇒ i = 2 i++; p 3 ⇐ ⇒ even ( i ) p ′ p ′ p ′ p 1 p 2 p 3 Query to Solver 1 2 3 0 0 0 0 0 0 ? i � = 1 ∧ i � = 2 ∧ even ( i ) ∧ 0 0 1 0 0 1 i ′ = i + 1 ∧ 0 1 0 0 1 0 i ′ � = 1 ∧ i ′ � = 2 ∧ even ( i ′ ) 0 1 1 0 1 1 1 0 0 1 0 0 1 0 1 1 0 1 1 1 0 1 1 0 1 1 1 1 1 1 Predicate Abstraction with SATABS – http://www.cprover.org/ 35

Enumeration: Example Predicates Basic Block T p 1 ⇐ ⇒ i = 1 i ′ = i + 1 p 2 ⇐ ⇒ i = 2 i++; p 3 ⇐ ⇒ even ( i ) p ′ p ′ p ′ p 1 p 2 p 3 Query to Solver 1 2 3 0 0 0 0 0 0 ✔ i � = 1 ∧ i � = 2 ∧ even ( i ) ∧ 0 0 1 0 0 1 i ′ = i + 1 ∧ 0 1 0 0 1 0 i ′ � = 1 ∧ i ′ � = 2 ∧ even ( i ′ ) 0 1 1 0 1 1 1 0 0 1 0 0 1 0 1 1 0 1 1 1 0 1 1 0 1 1 1 1 1 1 Predicate Abstraction with SATABS – http://www.cprover.org/ 35

Enumeration: Example Predicates Basic Block T p 1 ⇐ ⇒ i = 1 i ′ = i + 1 p 2 ⇐ ⇒ i = 2 i++; p 3 ⇐ ⇒ even ( i ) p ′ p ′ p ′ p 1 p 2 p 3 Query to Solver 1 2 3 0 0 0 0 0 0 0 0 1 0 0 1 0 1 0 0 1 0 0 1 1 0 1 1 1 0 0 1 0 0 1 0 1 1 0 1 . . . and so on . . . 1 1 0 1 1 0 1 1 1 1 1 1 Predicate Abstraction with SATABS – http://www.cprover.org/ 35

Predicate Images ✘ Computing the minimal existential abstraction can be way too slow ◮ Use an over-approximation instead ✔ Fast(er) to compute ✘ But has additional transitions ◮ Examples: ◮ Cartesian approximation (SLAM) ◮ FastAbs (SLAM) ◮ Lazy abstraction (Blast) ◮ Predicate partitioning (VCEGAR) Predicate Abstraction with SATABS – http://www.cprover.org/ 36

Checking the Abstract Model C program 1 . ) Compute 2 . ) Check Abstraction Abstraction [no error] OK 4 . ) Refine 3 . ) Check Predicates Feasibility [feasible] report counterexample Predicate Abstraction with SATABS – http://www.cprover.org/ 37

Checking the Abstract Model ◮ No more integers! ◮ But: ◮ All control flow constructs, including function calls ◮ (more) non-determinism ✔ BDD-based model checking now scales Predicate Abstraction with SATABS – http://www.cprover.org/ 38

Finite-State Model Checkers: SMV ① Variables VAR b0 argc ge 1 : boolean ; − − argc > = 1 VAR b1 argc le 2147483646 : boolean ; − − argc < = 2147483646 VAR b2 : boolean ; − − argv [ argc ] == NULL VAR b3 nmemb ge r : boolean ; − − nmemb > = r VAR b4 : boolean ; − − p1 == &array [ 0 ] VAR b5 i ge 8 : boolean ; − − i > = 8 − − i > = s VAR b6 i ge s : boolean ; VAR b7 : boolean ; − − 1 + i > = 8 VAR b8 : boolean ; − − 1 + i > = s VAR b9 s gt 0 : boolean ; − − s > 0 VAR b10 s gt 1 : boolean ; − − s > 1 . . . Predicate Abstraction with SATABS – http://www.cprover.org/ 39

Finite-State Model Checkers: SMV ② Control Flow − − program counter : 56 i s the ” terminating ” PC VAR PC: 0 . . 5 6 ; ASSIGN i n i t (PC) : = 0 ; − − i n i t i a l PC ASSIGN next (PC) : = case PC=0: 1; − − other PC=1: 2; − − other . . . PC=19: case − − goto ( with guard ) guard19 : 26; 1: 20; esac ; . . . Predicate Abstraction with SATABS – http://www.cprover.org/ 40

Finite-State Model Checkers: SMV ③ Data TRANS (PC=0) − > next ( b0 argc ge 1 )= b0 argc ge 1 & next ( b1 argc le 213646 )= b1 argc le 21646 & next ( b2)=b2 & ( ! b30 | b36 ) & ( ! b17 | ! b30 | b42 ) & ( ! b30 | ! b42 | b48 ) & ( ! b17 | ! b30 | ! b42 | b54 ) & ( ! b54 | b60 ) TRANS (PC=1) − > next ( b0 argc ge 1 )= b0 argc ge 1 & next ( b1 argc le 214646 )= b1 argc le 214746 & next ( b2)=b2 & next ( b3 nmemb ge r )= b3 nmemb ge r & next ( b4)=b4 & next ( b5 i ge 8 )= b5 i ge 8 & next ( b6 i ge s )= b6 i ge s . . . Predicate Abstraction with SATABS – http://www.cprover.org/ 41

Finite-State Model Checkers: SMV ④ Property − − the s p e c i f i c a t i o n − − f i l e main . c l i n e 20 column 12 − − function c : : very buggy function SPEC AG ( (PC=51) − > ! b23 ) Predicate Abstraction with SATABS – http://www.cprover.org/ 42

Finite-State Model Checkers: SMV ◮ If the property holds, we can terminate ◮ If the property fails, SMV generates a counterexample with an assignment for all variables, including the PC Predicate Abstraction with SATABS – http://www.cprover.org/ 43

Simulating the Counterexample C program 1 . ) Compute 2 . ) Check Abstraction Abstraction [no error] OK 4 . ) Refine 3 . ) Check Predicates Feasibility [feasible] report counterexample Predicate Abstraction with SATABS – http://www.cprover.org/ 44

Lazy Abstraction ◮ The progress guarantee is only valid if the minimal existential abstraction is used. ◮ Thus, distinguish spurious transitions from spurious prefixes. ◮ Refine spurious transitions separately to obtain minimal existential abstraction ◮ SLAM: Constrain Predicate Abstraction with SATABS – http://www.cprover.org/ 45

Lazy Abstraction ◮ One more observation: each iteration only causes only minor changes in the abstract model ◮ Thus, use “incremental Model Checker”, which retains the set of reachable states between iterations (BLAST) Predicate Abstraction with SATABS – http://www.cprover.org/ 46

Example Simulation int main() { main() { int x, y; bool b0; // y > x y=1; b0=*; x=1; b0=*; if (y > x) if ( b0 ) Predicate: y −− ; y > x b0=*; else else y++; b0=*; assert(y > x); assert( b0 ); } }

Example Simulation int main() { main() { int x, y; bool b0; // y > x y=1; b0=*; x=1; b0=*; if (y > x) if ( b0 ) Predicate: y −− ; y > x b0=*; else else y++; b0=*; assert(y > x); assert( b0 ); } } Predicate Abstraction with SATABS – http://www.cprover.org/ 47

Example Simulation int main() { int x, y; y=1; x=1; if (y > x) y −− ; else y++; assert(y > x); } Predicate Abstraction with SATABS – http://www.cprover.org/ 48

Example Simulation int main() { int x, y; y=1; x=1; if (y > x) We now do a path test, y −− ; so convert to SSA. else y++; assert(y > x); } Predicate Abstraction with SATABS – http://www.cprover.org/ 48

Example Simulation int main() { int x, y; y 1 =1; x 1 =1; if (y 1 > x 1 ) y 2 =y 1 − 1; else y++; assert(y 2 > x 1 ); } Predicate Abstraction with SATABS – http://www.cprover.org/ 49

Example Simulation int main() { y 1 = 1 ∧ int x, y; x 1 = 1 ∧ y 1 =1; ∧ y 1 > x 1 x 1 =1; y 2 = y 1 − 1 ∧ if (y 1 > x 1 ) y 2 =y 1 − 1; else ¬ ( y 2 > x 0 ) y++; assert(y 2 > x 1 ); } Predicate Abstraction with SATABS – http://www.cprover.org/ 49

Example Simulation int main() { y 1 = 1 ∧ int x, y; x 1 = 1 ∧ y 1 =1; ∧ y 1 > x 1 x 1 =1; y 2 = y 1 − 1 ∧ if (y 1 > x 1 ) y 2 =y 1 − 1; else ¬ ( y 2 > x 0 ) y++; This is UNSAT, so assert(y 2 > x 1 ); ˆ π is spurious. } Predicate Abstraction with SATABS – http://www.cprover.org/ 49

Refining the Abstraction C program 1 . ) Compute 2 . ) Check Abstraction Abstraction [no error] OK 4 . ) Refine 3 . ) Check Predicates Feasibility [feasible] report counterexample Predicate Abstraction with SATABS – http://www.cprover.org/ 50

Manual Proof! int main() { int x, y; y=1; x=1; if (y > x) y −− ; else y++; assert(y > x); } Predicate Abstraction with SATABS – http://www.cprover.org/ 51

Manual Proof! int main() { int x, y; y=1; { y = 1 } x=1; if (y > x) y −− ; else y++; assert(y > x); } Predicate Abstraction with SATABS – http://www.cprover.org/ 51

Manual Proof! int main() { int x, y; y=1; { y = 1 } x=1; { x = 1 ∧ y = 1 } if (y > x) y −− ; else y++; assert(y > x); } Predicate Abstraction with SATABS – http://www.cprover.org/ 51

Manual Proof! int main() { int x, y; y=1; { y = 1 } x=1; { x = 1 ∧ y = 1 } if (y > x) y −− ; else { x = 1 ∧ y = 1 ∧ ¬ y > x } y++; assert(y > x); } Predicate Abstraction with SATABS – http://www.cprover.org/ 51

Manual Proof! int main() { int x, y; y=1; { y = 1 } x=1; { x = 1 ∧ y = 1 } This proof uses if (y > x) strongest y −− ; post-conditions else { x = 1 ∧ y = 1 ∧ ¬ y > x } y++; { x = 1 ∧ y = 2 ∧ y > x } assert(y > x); } Predicate Abstraction with SATABS – http://www.cprover.org/ 51

An Alternative Proof int main() { int x, y; y=1; x=1; if (y > x) y −− ; else y++; assert(y > x); } Predicate Abstraction with SATABS – http://www.cprover.org/ 52

An Alternative Proof int main() { int x, y; y=1; x=1; if (y > x) y −− ; else y++; { y > x } assert(y > x); } Predicate Abstraction with SATABS – http://www.cprover.org/ 52