predicate based model checking
play

Predicate-Based Model Checking Dirk Beyer LMU Munich, Germany Dirk - PowerPoint PPT Presentation

Jul 27, 2023 •38 likes •658 views

Predicate-Based Model Checking Dirk Beyer LMU Munich, Germany Dirk Beyer LMU Munich, Germany 1 / 1 Based on: Dirk Beyer, Matthias Dangl, Philipp Wendler: A Unifying View on SMT-Based Software Verification Journal of Automated Reasoning,

  1. Predicate-Based Model Checking Dirk Beyer LMU Munich, Germany Dirk Beyer LMU Munich, Germany 1 / 1

  2. Based on: Dirk Beyer, Matthias Dangl, Philipp Wendler: A Unifying View on SMT-Based Software Verification Journal of Automated Reasoning, Volume 60, Issue 3, 2018. https://doi.org/10.1007/s10817-017-9432-6 preprint: online on CPAchecker website under “Documentation” Dirk Beyer LMU Munich, Germany 2 / 1

  3. SMT-based Software Model Checking ◮ Predicate Abstraction ( Blast , CPAchecker , Slam , ...) ◮ Impact ( CPAchecker , Impact , Wolverine , ...) ◮ Bounded Model Checking ( Cbmc , CPAchecker , Esbmc , ...) ◮ k -Induction ( CPAchecker , Esbmc , 2ls , ...) Dirk Beyer LMU Munich, Germany 3 / 1

  4. Base: Adjustable-Block Encoding Originally for predicate abstraction: ◮ Abstraction computation is expensive ◮ Abstraction is not necessary after every transition ◮ Track precise path formula between abstraction states ◮ Reset path formula and compute abstraction formula at abstraction states ◮ Large-Block Encoding: abstraction only at loop heads (hard-coded) ◮ Adjustable-Block Encoding: introduce block operator "blk" to make it configurable Dirk Beyer LMU Munich, Germany 4 / 1

  5. Base: Configurable Program Analysis Configurable Program Analysis (CPA): ◮ Beyer, Henzinger, Théoduloz: [CAV’07] ◮ One single unifying algorithm for all algorithms based on state-space exploration ◮ Configurable components: abstract domain, abstract-successor computation, path sensitivity, ... Dirk Beyer LMU Munich, Germany 5 / 1

  6. Using the CPA Framework ◮ CPA Algorithm is a configurable reachability analysis for arbitrary abstract domains Source Parser & Results Code CFA Builder CPA Algorithm Dirk Beyer LMU Munich, Germany 6 / 1

  7. Using the CPA Framework ◮ CPA Algorithm is a configurable reachability analysis for arbitrary abstract domains ◮ Provide Predicate CPA for our predicate-based abstract domain Source Parser & Results Code CFA Builder CPA Algorithm Predicate CPA Dirk Beyer LMU Munich, Germany 6 / 1

  8. Using the CPA Framework ◮ CPA Algorithm is a configurable reachability analysis for arbitrary abstract domains ◮ Provide Predicate CPA for our predicate-based abstract domain ◮ Reuse other CPAs Source Parser & Results Code CFA Builder CPA Algorithm Spec Location Loop-Bound Predicate Spec CPA CPA CPA CPA Dirk Beyer LMU Munich, Germany 6 / 1

  9. Using the CPA Framework ◮ CPA Algorithm is a configurable reachability analysis for arbitrary abstract domains ◮ Provide Predicate CPA for our predicate-based abstract domain ◮ Reuse other CPAs ◮ Built further algorithms on top that make use of reachability analysis k -induction Algorithm CEGAR Source Parser & Results Algorithm Code CFA Builder CPA Algorithm Spec Location Loop-Bound Predicate Spec CPA CPA CPA CPA Dirk Beyer LMU Munich, Germany 6 / 1

  10. Predicate CPA Predicate CPA P D P = merge P stop P prec P Π P � P ( C, E P , [ [ · ] ] P ) Dirk Beyer LMU Munich, Germany 7 / 1

  11. Predicate CPA Predicate CPA P D P = merge P stop P prec P Π P � P fcover P refine P ( C, E P , [ [ · ] ] P ) Dirk Beyer LMU Munich, Germany 7 / 1

  12. Predicate CPA: Abstract Domain ◮ Abstract state: ( ψ, ϕ ) ◮ tuple of abstraction formula ψ and path formula ϕ (for ABE) ◮ conjunctions represents state space ◮ abstraction formula can be a BDD or an SMT formula ◮ path formula is always SMT formula and concrete Dirk Beyer LMU Munich, Germany 8 / 1

  13. Predicate CPA: Abstract Domain ◮ Abstract state: ( ψ, ϕ ) ◮ tuple of abstraction formula ψ and path formula ϕ (for ABE) ◮ conjunctions represents state space ◮ abstraction formula can be a BDD or an SMT formula ◮ path formula is always SMT formula and concrete ◮ Precision: set of predicates (per program location) Dirk Beyer LMU Munich, Germany 8 / 1

  14. Predicate CPA Predicate CPA P D P = merge P stop P prec P Π P � P fcover P refine P ( C, E P , [ [ · ] ] P ) Abstraction-Formula Representation BDD SMT-based Dirk Beyer LMU Munich, Germany 9 / 1

  15. Predicate CPA: CPA Operators ◮ Transfer relation: ◮ computes strongest post ◮ changes only path formula, new abstract state is ( ψ, ϕ ′ ) ◮ purely syntactic, cheap ◮ variety of encodings using different SMT theories possible (different approximations for arithmetic and heap operations) Dirk Beyer LMU Munich, Germany 10 / 1

  16. Predicate CPA: CPA Operators ◮ Transfer relation: ◮ computes strongest post ◮ changes only path formula, new abstract state is ( ψ, ϕ ′ ) ◮ purely syntactic, cheap ◮ variety of encodings using different SMT theories possible (different approximations for arithmetic and heap operations) ◮ Merge operator: ◮ standard for ABE: create disjunctions inside block Dirk Beyer LMU Munich, Germany 10 / 1

  17. Predicate CPA: CPA Operators ◮ Transfer relation: ◮ computes strongest post ◮ changes only path formula, new abstract state is ( ψ, ϕ ′ ) ◮ purely syntactic, cheap ◮ variety of encodings using different SMT theories possible (different approximations for arithmetic and heap operations) ◮ Merge operator: ◮ standard for ABE: create disjunctions inside block ◮ Stop operator: ◮ standard for ABE: check coverage only at block ends Dirk Beyer LMU Munich, Germany 10 / 1

  18. Predicate CPA: CPA Operators ◮ Transfer relation: ◮ computes strongest post ◮ changes only path formula, new abstract state is ( ψ, ϕ ′ ) ◮ purely syntactic, cheap ◮ variety of encodings using different SMT theories possible (different approximations for arithmetic and heap operations) ◮ Merge operator: ◮ standard for ABE: create disjunctions inside block ◮ Stop operator: ◮ standard for ABE: check coverage only at block ends ◮ Precision-adjustment operator: ◮ only active at block ends (as determined by blk) ◮ computes abstraction of current abstract state ◮ new abstract state is ( ψ ′ , true ) Dirk Beyer LMU Munich, Germany 10 / 1

  19. Predicate CPA Predicate CPA P D P = merge P stop P prec P Π P � P fcover P refine P ( C, E P , [ [ · ] ] P ) Abstraction-Formula Strongest Predicate blk Representation Postcondition Abstraction BDD SMT Theory blk SBE Cartesian SMT-based ABVFP blk l Boolean . . . blk lf blk never QF_UFLIRA Dirk Beyer LMU Munich, Germany 11 / 1

  20. Predicate CPA: Refinement Four steps: 1. Reconstruct ARG path to abstract error state 2. Check feasibility of path 3. Discover abstract facts, e.g., ◮ interpolants ◮ weakest precondition ◮ heuristics 4. Refine abstract model ◮ add predicates to precision, cut ARG or ◮ conjoin interpolants to abstract states, recheck coverage relation Dirk Beyer LMU Munich, Germany 12 / 1

  21. Predicate CPA Predicate CPA P D P = merge P stop P prec P Π P � P fcover P refine P ( C, E P , [ [ · ] ] P ) Abstraction-Formula Strongest Refinement Predicate Abstract blk Representation Postcondition Abstraction Facts Strategy BDD SMT Theory blk SBE Cartesian fcover id Interpolants Predicate Path SMT-based ABVFP blk l Boolean fcover Impact Impact Invariants . . . blk lf Unsat Cores Weakest blk never QF_UFLIRA Preconditions Heuristic Predicates Dirk Beyer LMU Munich, Germany 13 / 1

  22. Predicate Abstraction ◮ Predicate Abstraction ◮ [CAV’97, POPL’02, J. ACM’03, POPL’04] ◮ Abstract-interpretation technique ◮ Abstract domain constructed from a set of predicates π ◮ Use CEGAR to add predicates to π (refinement) ◮ Derive new predicates using Craig interpolation ◮ Abstraction formula as BDD Dirk Beyer LMU Munich, Germany 14 / 1

  23. Expressing Predicate Abstraction ◮ Abstraction Formulas: BDDs ◮ Block Size (blk): e.g. blk SBE or blk l or blk lf ◮ Refinement Strategy: add predicates to precision, cut ARG Use CEGAR Algorithm: 1: while true do run CPA Algorithm 2: if target state found then 3: call refine 4: if target state reachable then 5: return false 6: else 7: return true 8: Dirk Beyer LMU Munich, Germany 15 / 1

  24. Predicate CPA Predicate CPA P D P = merge P stop P prec P Π P � P fcover P refine P ( C, E P , [ [ · ] ] P ) Abstraction-Formula Strongest Refinement Predicate Abstract blk Representation Postcondition Abstraction Facts Strategy BDD SMT Theory blk SBE Cartesian fcover id Interpolants Predicate Path SMT-based ABVFP blk l Boolean fcover Impact Impact Invariants . . . blk lf Unsat Cores Weakest blk never QF_UFLIRA Preconditions Heuristic Predicates Dirk Beyer LMU Munich, Germany 16 / 1

  25. Example Program start l 2 int main () { 1 unsigned int x = 0; unsigned int x = 0; l 3 2 unsigned int y = 0; unsigned int y = 0; 3 l 4 while ( x < 2) { 4 [x < 2] x++; l 5 5 x++; [!(x != y)] y++; 6 l 6 ( x != y ) { [!(x < 2)] i f y++; 7 ERROR: 1; l 7 return 8 [x != y] } 9 l 8 } 10 l 11 ERROR: return 1; 0; return 11 return 0; } 12 l 12 Dirk Beyer LMU Munich, Germany 17 / 1

  26. Predicate CPA Predicate CPA P D P = merge P stop P prec P Π P � P fcover P refine P ( C, E P , [ [ · ] ] P ) Abstraction-Formula Strongest Refinement Predicate Abstract blk Representation Postcondition Abstraction Facts Strategy BDD SMT Theory blk SBE Cartesian fcover id Interpolants Predicate Path SMT-based ABVFP blk l Boolean fcover Impact Impact Invariants . . . blk lf Unsat Cores Weakest blk never QF_UFLIRA Preconditions Heuristic Predicates Dirk Beyer LMU Munich, Germany 18 / 1

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Model Checking and Predicate Abstrac5on CSE 501 Spring

Model Checking and Predicate Abstrac5on CSE 501 Spring

Model Checking and Predicate Abstrac5on CSE 501 Spring 15 1 With slides from Emina Torlak (507) Course Outline Sta5c analysis Language design Program

813 views • 52 slides
Hoare Logic and Model Checking Model Checking Lecture 11: Model checking for Computation Tree

Hoare Logic and Model Checking Model Checking Lecture 11: Model checking for Computation Tree

Hoare Logic and Model Checking Model Checking Lecture 11: Model checking for Computation Tree Logic Dominic Mulligan Based on previous slides by Alan Mycroft and Mike Gordon Programming, Logic, and Semantics Group University of Cambridge

402 views • 25 slides
Bounded Model Checking of MPL Systems via Predicate Abstractions FORMATS 2019 Muhammad Syifaul

Bounded Model Checking of MPL Systems via Predicate Abstractions FORMATS 2019 Muhammad Syifaul

Bounded Model Checking of MPL Systems via Predicate Abstractions FORMATS 2019 Muhammad Syifaul Mufid 1 , 3 Dieky Adzkiya 2 Alessandro Abate 1 1 Department of Computer Science, University of Oxford, UK 2 Department of Mathematics, ITS Surabaya,

1.35k views • 55 slides
SMT-based Software Model Checking: Experimental Comparison of Four Algorithms Matthias Dangl

SMT-based Software Model Checking: Experimental Comparison of Four Algorithms Matthias Dangl

SMT-based Software Model Checking: Experimental Comparison of Four Algorithms Matthias Dangl Joint work with Dirk Beyer University of Passau, Germany SMT-based Software Model Checking Bounded Model Checking ( Cbmc , CPAchecker , Esbmc ,

496 views • 26 slides
Bounded Model Checking bmc Revision: 1.11 1 [BiereCimattiClarkeZhu99] uses SAT for model

Bounded Model Checking bmc Revision: 1.11 1 [BiereCimattiClarkeZhu99] uses SAT for model

Bounded Model Checking bmc Revision: 1.11 1 [BiereCimattiClarkeZhu99] uses SAT for model checking historically not the first symbolic model checking approach scales better than original BDD based techniques mostly incomplete in

521 views • 28 slides
Statistical Statistical Statistical Model Statistical Model Model Checking Model Checking

Statistical Statistical Statistical Model Statistical Model Model Checking Model Checking

Statistical Statistical Statistical Model Statistical Model Model Checking Model Checking Checking Checking for Timed Automata Timed Automata Coll C l C ll b llabora orators: t ors: Peter Bulychev, Alexandre David Axel Legay, Marius

725 views • 59 slides
Hoare Logic and Model Checking Model Checking Lecture 7: Introduction and background Dominic

Hoare Logic and Model Checking Model Checking Lecture 7: Introduction and background Dominic

Hoare Logic and Model Checking Model Checking Lecture 7: Introduction and background Dominic Mulligan Based on previous slides by Alan Mycroft and Mike Gordon Programming, Logic, and Semantics Group, University of Cambridge Academic year

972 views • 41 slides
Hoare Logic and Model Checking Model Checking Lecture 10: Computation Tree Logic (CTL) Dominic

Hoare Logic and Model Checking Model Checking Lecture 10: Computation Tree Logic (CTL) Dominic

Hoare Logic and Model Checking Model Checking Lecture 10: Computation Tree Logic (CTL) Dominic Mulligan Based on previous slides by Alan Mycroft and Mike Gordon Programming, Logic, and Semantics Group University of Cambridge Academic year

1.15k views • 48 slides
A Conceptual Model and Predicate Language for Data Selection and Projection Based on Provenance

A Conceptual Model and Predicate Language for Data Selection and Projection Based on Provenance

A Conceptual Model and Predicate Language for Data Selection and Projection Based on Provenance David W. Archer and Lois M. L. Delcambre Department of Computer Science Portland State University 1 Topics Motivation Conceptual Model

866 views • 28 slides
Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on

Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on

Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on slides developed by Natasha Sharygina 17-654/17-754: Analysis of Software Artifacts Spring 2006 1 CTL Model Checking AG (Start AF Heat)

307 views • 20 slides
CTL Chapter 6 Part 2 Overview Review CTL Model Checking CTL model Checking algorithms

CTL Chapter 6 Part 2 Overview Review CTL Model Checking CTL model Checking algorithms

CTL Chapter 6 Part 2 Overview Review CTL Model Checking CTL model Checking algorithms for ( U ) Counter Examples and witnesses Symbolic Model Checking (Thursday) Binary Decision Trees

740 views • 40 slides
Improved Algorithms for the Automata-based Approach to Model-Checking L. Doyen (EPFL) and J.-F.

Improved Algorithms for the Automata-based Approach to Model-Checking L. Doyen (EPFL) and J.-F.

Improved Algorithms for the Automata-based Approach to Model-Checking L. Doyen (EPFL) and J.-F. Raskin (ULB) TACAS 2007 Braga - Portugal March 28, 2007 Automata-based approach to model-checking Programs and properties are formalized as

812 views • 52 slides
Predicate Abstraction with SATABS Existential Abstraction Predicate Abstraction for Software

Predicate Abstraction with SATABS Existential Abstraction Predicate Abstraction for Software

Outline Introduction Predicate Abstraction with SATABS Existential Abstraction Predicate Abstraction for Software Counterexample-Guided Abstraction Refinement Computing Existential Abstractions of Programs Version 1.0, 2010 Checking the

429 views • 12 slides
Hoare Logic and Model Checking Model Checking But perhaps theres a clever way of

Hoare Logic and Model Checking Model Checking But perhaps theres a clever way of

Hoare Logic and Model Checking Model Checking But perhaps theres a clever way of compiling one into the other? Both have very different models of time How do they compare? We have seen two widely used temporal logics Relative

510 views • 10 slides
Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on

Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on

Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on slides developed by Natasha Sharygina 17-654/17-754: Analysis of Software Artifacts Spring 2006 1 Formal Verification by Model Checking Domain:

380 views • 13 slides
Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on

Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on

Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on slides developed by Natasha Sharygina 15-413: Introduction to Software Engineering Fall 2005 3 Formal Verification by Model Checking Domain:

289 views • 24 slides
A Survey of Satisfiability Modulo Theory (for mathematicians) David Monniaux VERIMAG GNCS,

A Survey of Satisfiability Modulo Theory (for mathematicians) David Monniaux VERIMAG GNCS,

A Survey of Satisfiability Modulo Theory (for mathematicians) David Monniaux VERIMAG GNCS, Pescara, February 10, 2017 David Monniaux (VERIMAG) A Survey of Satisfiability Modulo Theory 2017-02-10 1 / 48 STATOR SMT = SAT + theories SAT =

521 views • 48 slides
Sequent Calculi for Normal Update Logics Katsuhiko Sano 1 Minghui Ma 2 1 Graduate School of

Sequent Calculi for Normal Update Logics Katsuhiko Sano 1 Minghui Ma 2 1 Graduate School of

Sequent Calculi for Normal Update Logics Katsuhiko Sano 1 Minghui Ma 2 1 Graduate School of Letters, Hokkaido University, Japan 2 Institute of Logic and Coginition, Sun Yat-Sen University, China. ICLA 2019 @ IIT Delhi, 4th March 2019 Outline

400 views • 23 slides
Machine Checking Proof Theory: an application of logic to logic (Jeremy E Dawson and) Rajeev

Machine Checking Proof Theory: an application of logic to logic (Jeremy E Dawson and) Rajeev

Machine Checking Proof Theory: an application of logic to logic (Jeremy E Dawson and) Rajeev Gor e Logic and Computation Group College of Engineering and Computer Science The Australian National University rajeev.gore@anu.edu.au ICLA 2009:

288 views • 25 slides
Multi-Linear Strategy Extraction for QBF Expansion Proofs via Local Soundness Matthias Schlaipfer

Multi-Linear Strategy Extraction for QBF Expansion Proofs via Local Soundness Matthias Schlaipfer

Multi-Linear Strategy Extraction for QBF Expansion Proofs via Local Soundness Matthias Schlaipfer Friedrich Slivovsky Georg Weissenbacher Florian Zuleger July 6, 2020 Outline 1. Motivation 2. QBF: Semantics and expansion proofs 3. Local

582 views • 41 slides
On the Almost Axisymmetric Flows with Forcing Terms Marc Sedjro joint work with Michael Cullen.

On the Almost Axisymmetric Flows with Forcing Terms Marc Sedjro joint work with Michael Cullen.

On the Almost Axisymmetric Flows with Forcing Terms Marc Sedjro joint work with Michael Cullen. RWTH Aachen University October 7, 2012 Outline Analysis of the Hamiltonian of Almost Axisymmetric Flows. Outline Analysis of the

496 views • 26 slides
E-Matching with Free Variables Philipp Rmmer Uppsala University Sweden FATPA Workshop

E-Matching with Free Variables Philipp Rmmer Uppsala University Sweden FATPA Workshop

E-Matching with Free Variables Philipp Rmmer Uppsala University Sweden FATPA Workshop Belgrade February 3rd 2012 1 / 25 Context: reasoning in first-order logic (FOL) First-order provers SMT solvers Resolution, superposition, DPLL(T) ,

1.01k views • 65 slides
SteveDeitz CrayInc. Anewparallellanguage

SteveDeitz CrayInc. Anewparallellanguage

SteveDeitz CrayInc. Anewparallellanguage UnderdevelopmentatCrayInc. SupportedthroughtheDARPAHPCSprogram AbstracAonsfromZPL,HPF,CrayXMTC,...

620 views • 26 slides
Steve Deitz Cray Inc. A new parallel language Under development at Cray Inc. Supported

Steve Deitz Cray Inc. A new parallel language Under development at Cray Inc. Supported

Steve Deitz Cray Inc. A new parallel language Under development at Cray Inc. Supported through the DARPA HPCS program Goals Improve programmer productivity Improve the programmability of parallel computers Match or

481 views • 35 slides

More recommend