Software Model Checking with Ultimate Jochen Hoenicke - PowerPoint PPT Presentation

Example – Program and Program Automaton A P : ℓ 0 i > 0 � Σ = i > 0 , i <= 0 , i := i-1 , ℓ 1 i == 1 , i != 1 , p := 1 , p := 1 � i > 0 p != 1 p != 0 , p != 1 , p := 0 ℓ 2 ℓ 3 Trace i == 1 ℓ 4 ℓ 5 Word over the alphabet of statements. Example: i != 1 π = i == 1 i := i-1 i == 1 i := i-1 i <= 0 p := 0 ℓ 6 p != 0 ℓ 7 ℓ err Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 13 / 65

Example – Program and Program Automaton A P : ℓ 0 i > 0 � Σ = i > 0 , i <= 0 , i := i-1 , ℓ 1 i == 1 , i != 1 , p := 1 , p := 1 � i > 0 p != 1 p != 0 , p != 1 , p := 0 ℓ 2 ℓ 3 Error Trace i == 1 ℓ 4 ℓ 5 Word accepted by the program automaton. Example: i != 1 π = i > 0 p := 1 i > 0 p != 1 i := i-1 i <= 0 p := 0 ℓ 6 p != 0 ℓ 7 ℓ err Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 13 / 65

Example – Program and Program Automaton A P : ℓ 0 i > 0 � Σ = i > 0 , i <= 0 , i := i-1 , ℓ 1 i == 1 , i != 1 , p := 1 , p := 1 � i > 0 p != 1 p != 0 , p != 1 , p := 0 ℓ 2 ℓ 3 Error Trace i == 1 ℓ 4 ℓ 5 Word accepted by the program automaton. Example: i != 1 π = i > 0 p := 1 i > 0 p != 1 i := i-1 i <= 0 p := 0 ℓ 6 Does π refute correctness of P ? p != 0 ℓ 7 ℓ err Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 13 / 65

Valuations A valuation ν : Var → Value maps variables to some value domain. � i �→ 1 � ν 0 = p �→ 0 Valuation are extended to expressions in a natural way. ν 0 ( i − 1) = ν 0 ( i ) − 1 = 0 The update of a valuation ν [ x := c ] is a copy of valuation ν that maps x to c . � i �→ 0 � ν 0 [ i := 0] = p �→ 0 Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 14 / 65

Semantics of Statements The meaning of the statements is given by a transition system. Valuations are the states of the transition system. Transitions are labelled with statements. Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 15 / 65

Semantics of Statements The meaning of the statements is given by a transition system. Valuations are the states of the transition system. Transitions are labelled with statements. x := expr ν ν [ x := ν ( expr )] cond ν ν iff ν ( cond ) = true . Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 15 / 65

Semantics of Statements The meaning of the statements is given by a transition system. Valuations are the states of the transition system. Transitions are labelled with statements. x := expr ν ν [ x := ν ( expr )] cond ν ν iff ν ( cond ) = true . Example: π = i > 0 p := 1 i > 0 p != 1 i > 0 p := 1 i > 0 p != 1 i �→ 1 i �→ 1 i �→ 1 i �→ 1 p �→ 0 p �→ 0 p �→ 1 p �→ 1 Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 15 / 65

Transition System The transition system is infinite and has infinitely many initial states. i != 1 i != 1 i == 1 i <= 0 i <= 0 i > 0 p != 0 p != 0 p != 0 p := 1 p := 1 p := 1 i := i-1 i := i-1 i := i-1 i := i-1 i �→ − 1 i �→ 0 i �→ 1 p �→ 1 p �→ 1 p �→ 1 · · · · · · p := 0 p := 1 p := 0 p := 1 i �→ − 1 i �→ 0 i �→ 1 p �→ 0 p �→ 0 p �→ 0 i := i-1 i := i-1 i := i-1 i := i-1 i != 1 i != 1 i == 1 i <= 0 i <= 0 i > 0 p != 1 p != 1 p != 1 p := 0 p := 0 p := 0 Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 16 / 65

Feasibility of Traces Intuitively, there is no sequence of valuations for the trace: π = i > 0 p := 1 i > 0 p != 1 . How can we show this? Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 17 / 65

Feasibility of Traces Intuitively, there is no sequence of valuations for the trace: π = i > 0 p := 1 i > 0 p != 1 . How can we show this? SMT Solver! Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 17 / 65

Feasibility of Traces Intuitively, there is no sequence of valuations for the trace: π = i > 0 p := 1 i > 0 p != 1 . How can we show this? SMT Solver! SSA (Single Static Assignment): copy the variable each time it is assigned. i 0 > 0 p 1 := 1 i 0 > 0 p 1 != 1 Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 17 / 65

Feasibility of Traces Intuitively, there is no sequence of valuations for the trace: π = i > 0 p := 1 i > 0 p != 1 . How can we show this? SMT Solver! SSA (Single Static Assignment): copy the variable each time it is assigned. i 0 > 0 p 1 := 1 i 0 > 0 p 1 != 1 Replace := by logical equality and conjunct all statements. SSA ( π ) : i 0 > 0 ∧ p 1 = 1 ∧ i 0 > 0 ∧ p 1 � = 1 Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 17 / 65

Feasibility of Traces Intuitively, there is no sequence of valuations for the trace: π = i > 0 p := 1 i > 0 p != 1 . How can we show this? SMT Solver! SSA (Single Static Assignment): copy the variable each time it is assigned. i 0 > 0 p 1 := 1 i 0 > 0 p 1 != 1 Replace := by logical equality and conjunct all statements. SSA ( π ) : i 0 > 0 ∧ p 1 = 1 ∧ i 0 > 0 ∧ p 1 � = 1 Ask SMT solver, if there is a solution for the formula: unsat Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 17 / 65

Excursion: SMT Solvers SMT solvers are programs that decide satisfiability. Ultimate uses z3, CVC4, mathsat and our own SMT solver SMTInterpol . Input a formula, for example: i 0 > 0 ∧ p 1 = 1 ∧ i 1 = i 0 − 1 ∧ i 1 ≤ 0 Either sat (satisfiable) and optionally a model: i 0 = 1 , p 1 = 1 , i 1 = 0 or unsat. Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 18 / 65

Demo: SMT Solvers https://ultimate.informatik.uni-freiburg.de/smtinterpol/ (set-option :produce-models true) (set-logic QF_LIA) (declare-const i0 Int) (declare-const p0 Int) (declare-const i1 Int) (declare-const p1 Int) (assert (and (> i0 0) (= p1 1) (= i1 (- i0 1)) (<= i1 0))) (check-sat) (get-model) Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 19 / 65

Na¨ ıve Model Checking Algorithm Build program automaton. Collect error traces. For each error trace ask SMT solver. Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 20 / 65

Na¨ ıve Model Checking Algorithm Build program automaton. Collect error traces. For each error trace ask SMT solver. Problem: There are infinitely many error traces. Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 20 / 65

Example: Error Traces A P : ℓ 0 Some error traces: i > 0 i > 0 p := 1 i > 0 p != 1 ℓ 1 i > 0 p := 1 p := 1 i > 0 i != 1 i := i-1 i > 0 p != 1 ℓ 2 ℓ 3 i > 0 p != 1 i > 0 p := 1 i == 1 i > 0 i != 1 i := i-1 ℓ 4 ℓ 5 i > 0 i != 1 i := i-1 i > 0 p != 1 i != 1 i := i-1 . . i <= 0 p := 0 . ℓ 6 p != 0 ℓ 7 ℓ err Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 21 / 65

Example: Error Traces A P : ℓ 0 Some error traces: i > 0 i > 0 p := 1 i > 0 p != 1 ℓ 1 i > 0 p := 1 p := 1 i > 0 i != 1 i := i-1 i > 0 p != 1 ℓ 2 ℓ 3 i > 0 p != 1 i > 0 p := 1 i == 1 i > 0 i != 1 i := i-1 ℓ 4 ℓ 5 i > 0 i != 1 i := i-1 i > 0 p != 1 i != 1 i := i-1 . . i <= 0 p := 0 . ℓ 6 p != 0 All infeasible for the same reason. ℓ 7 ℓ err Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 21 / 65

Trace Abstraction A P : ℓ 0 i > 0 Observation ℓ 1 Every trace . . . p := 1 . . . p != 1 . . . is infeasible, as long as there is no statement p := 1 i > 0 p != 1 p := 0 in the middle ℓ 2 ℓ 3 i == 1 ℓ 4 ℓ 5 i != 1 i := i-1 i <= 0 p := 0 ℓ 6 p != 0 ℓ 7 ℓ err Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 22 / 65

Trace Abstraction A P : ℓ 0 i > 0 Observation ℓ 1 Every trace . . . p := 1 . . . p != 1 . . . is infeasible, as long as there is no statement p := 1 i > 0 p != 1 p := 0 in the middle ℓ 2 ℓ 3 Traces can be described by a finite automaton: i == 1 ℓ 4 ℓ 5 A 1 : Σ \ { p := 0 } Σ Σ i != 1 i := i-1 p := 1 p != 1 i <= 0 p := 0 ℓ 6 p != 0 ℓ 7 ℓ err Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 22 / 65

Subtracting Finite Automata from Each Other There are algorithm to complement and intersect finite automata. A P ∩ A 1 : i > 0 p := 1 i > 0 i > 0 p != 1 i == 1 i == 1 i <= 0 i <= 0 i != 1 i != 1 i := i-1 i := i-1 p := 0 p := 0 p != 0 p != 0 Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 23 / 65

Model Checking with Trace Abstraction 1 Build program automaton. 2 Pick an error traces. If none, program is safe. 3 Ask SMT solver. If sat, program is unsafe. 4 Generalize error trace to an automaton. 5 Subtract from program automaton. 6 Go to step 2. Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 24 / 65

Set Theoretic View of Trace Abstraction set of all traces Σ ∗ traces respecting the control flow of P L ( A P ) Feasible Traces Error Traces Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 25 / 65

Set Theoretic View of Trace Abstraction set of all traces Σ ∗ traces respecting the control flow of P L ( A P ) Feasible Traces Error Traces i > 0 . p := 1 . p != 0 i > 0 p := 1 i > 0 p != 1 Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 25 / 65

Set Theoretic View of Trace Abstraction set of all traces Σ ∗ traces respecting the control flow of P L ( A P ) Feasible Traces Error Traces i > 0 . p := 1 . p != 0 i > 0 p := 1 i > 0 p != 1 Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 25 / 65

Set Theoretic View of Trace Abstraction set of all traces Σ ∗ traces respecting the control flow of P L ( A P ) Feasible Traces Error Traces i > 0 . p := 1 . p != 0 i > 0 p := 1 i > 0 p != 1 Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 25 / 65

Set Theoretic View of Trace Abstraction set of all traces Σ ∗ traces respecting the control flow of P L ( A P ) Feasible Traces Error Traces i > 0 . p := 1 . p != 0 i > 0 p := 1 i > 0 p != 1 Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 25 / 65

Set Theoretic View of Trace Abstraction set of all traces Σ ∗ traces respecting the control flow of P L ( A P ) Feasible Traces Error Traces i > 0 . p := 1 . p != 0 i > 0 p := 1 i > 0 p != 1 Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 25 / 65

Trace Abstraction Definition (Trace Abstraction) A trace abstraction is given by a tuple of automata ( A 1 , . . . , A n ) such that each A i recognizes a subset of infeasible traces, for i = 1 , . . . , n . We say that the trace abstraction ( A 1 , . . . , A n ) does not admit an error trace if A P ∩ A 1 ∩ . . . ∩ A n is empty. Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 26 / 65

Trace Abstraction Definition (Trace Abstraction) A trace abstraction is given by a tuple of automata ( A 1 , . . . , A n ) such that each A i recognizes a subset of infeasible traces, for i = 1 , . . . , n . We say that the trace abstraction ( A 1 , . . . , A n ) does not admit an error trace if A P ∩ A 1 ∩ . . . ∩ A n is empty. Theorem (Soundness) L ( A P ∩ A 1 ∩ . . . ∩ A n ) = ∅ ⇒ P is correct Theorem (Completeness) If P is correct, there is a trace abstraction ( A 1 , . . . , A n ) such that L ( A P ∩ A 1 ∩ . . . ∩ A n ) = ∅ Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 26 / 65

How to Get a Trace Abstraction? Na¨ ıve Approach: Exclude infeasible error traces. . . . but there are infinitely many. Interpolant Based Approach: Generalize infeasible error traces. Exclude classes of infeasible traces. Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 27 / 65

How to Get a Trace Abstraction? Na¨ ıve Approach: Exclude infeasible error traces. . . . but there are infinitely many. Interpolant Based Approach: Generalize infeasible error traces. Exclude classes of infeasible traces. Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 27 / 65

Interpolants Interpolants for Infeasible Traces Let st 1 ∧ · · · ∧ st n be an infeasible trace. There exists a sequence of predicates I 0 , . . . , I n such that I 0 = true I i ∧ st i +1 ⇒ I i +1 I n = false In particular: st 1 ∧ · · · ∧ st i ⇒ I i ⇒ ¬ ( st i +1 ∧ · · · ∧ st n ) Example: i 0 > 0 p 1 = 1 p 1 = 1 i 0 > 0 p 1 = 1 p 1 � = 1 true true false Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 28 / 65

Interpolants Interpolants for Infeasible Traces Let st 1 ∧ · · · ∧ st n be an infeasible trace. There exists a sequence of predicates I 0 , . . . , I n such that I 0 = true I i ∧ st i +1 ⇒ I i +1 I n = false In particular: st 1 ∧ · · · ∧ st i ⇒ I i ⇒ ¬ ( st i +1 ∧ · · · ∧ st n ) Example: i 0 > 0 p 1 = 1 p 1 = 1 i 0 > 0 p 1 = 1 p 1 � = 1 true true false Interpolants are intermediate assertions in a Hoare proof. Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 28 / 65

Interpolants as Hoare Proofs i 0 > 0 p 1 = 1 p 1 = 1 i 0 > 0 p 1 = 1 p 1 � = 1 true true false Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 29 / 65

Interpolants as Hoare Proofs i 0 > 0 p 1 = 1 p 1 = 1 i 0 > 0 p 1 = 1 p 1 � = 1 true true false { true } { true } i > 0 { true } { p = 1 } p := 1 { p = 1 } { p = 1 } i > 0 { p = 1 } { false } p != 1 This proves that the trace is infeasible: { true } i > 0 p := 1 i > 0 p != 1 { false } Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 29 / 65

Demo: Computing Interpolants with SMTInterpol (set-option :produce-interpolants true) (set-logic QF_LIA) (declare-const i0 Int) (declare-const p0 Int) (declare-const i1 Int) (declare-const p1 Int) (assert (! (> i0 0) :name st1)) (assert (! (= p1 1) :name st2)) (assert (! (> i0 0) :name st3)) (assert (! (not (= p1 1)) :name st4)) (check-sat) (get-interpolants st1 st2 st3 st4) Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 30 / 65

Example – Use Interpolants to Generalize Infeasible Traces p = 1 true false ℓ 0 ℓ 1 ℓ err p := 1 p != 1 i > 0 i > 0 Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 31 / 65

Example – Use Interpolants to Generalize Infeasible Traces p = 1 true false ℓ 0 ℓ 1 ℓ err p := 1 p != 1 i > 0 i > 0 i <= 0 { p = 1 } { p = 1 } i <= 0 Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 31 / 65

Example – Use Interpolants to Generalize Infeasible Traces p = 1 true false ℓ 0 ℓ 1 ℓ err p := 1 p != 1 i > 0 i > 0 i <= 0 i := i-1 { p = 1 } { p = 1 } { p = 1 } { p = 1 } i <= 0 i := i-1 Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 31 / 65

Example – Use Interpolants to Generalize Infeasible Traces p = 1 true false ℓ 0 ℓ 1 ℓ err p := 1 p != 1 i > 0 i > 0 i <= 0 i := i-1 p != 0 { p = 1 } { p = 1 } { p = 1 } { p = 1 } i <= 0 i := i-1 { p = 1 } { p = 1 } p != 0 Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 31 / 65

Example – Use Interpolants to Generalize Infeasible Traces p = 1 true false ℓ 0 ℓ 1 ℓ err p := 1 p != 1 i > 0 i > 0 i <= 0 i := i-1 p != 0 p := 1 { p = 1 } { p = 1 } { p = 1 } { p = 1 } i <= 0 i := i-1 { p = 1 } { p = 1 } { p = 1 } { p = 1 } p != 0 p := 1 Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 31 / 65

Example – Use Interpolants to Generalize Infeasible Traces p = 1 true false ℓ 0 ℓ 1 ℓ err p := 1 p != 1 Σ Σ i > 0 i <= 0 i := i-1 p != 0 p := 1 { p = 1 } { p = 1 } { p = 1 } { p = 1 } i <= 0 i := i-1 { p = 1 } { p = 1 } { p = 1 } { p = 1 } p != 0 p := 1 Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 31 / 65

Interpolant Automata Given: Sequence of interpolants I = I 0 , I 1 , . . . , I n Definition (Interpolant Automaton A I ) A I = � Q I , δ I , Q init I , Q fin I � Q I = I ( I i , st , I j ) ∈ δ I iff { I i } st { I j } holds q 0 := true ∈ Q I Q fin := { false } ⊆ Q I Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 32 / 65

Interpolant Automata Given: Sequence of interpolants I = I 0 , I 1 , . . . , I n Definition (Interpolant Automaton A I ) A I = � Q I , δ I , Q init I , Q fin I � Q I = I ( I i , st , I j ) ∈ δ I iff { I i } st { I j } holds q 0 := true ∈ Q I Q fin := { false } ⊆ Q I Theorem An interpolant automaton A I recognizes a subset of infeasible traces. L ( A I ) ⊆ Infeasible Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 32 / 65

Example – Refinement Using Interpolant Automata set of all traces Σ ∗ traces respecting the control flow of P L ( A P ) Feasible Traces Error Traces i > 0 p := 1 i > 0 p != 1 Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 33 / 65

Example – Refinement Using Interpolant Automata set of all traces Σ ∗ traces respecting the control flow of P L ( A P ) Feasible Traces Error Traces L ( A 1 ) A 1 i > 0 p := 1 i > 0 p != 1 q 0 q 1 q 2 p := 1 p != 1 Σ Σ \ p := 0 Σ Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 33 / 65

Remaining Program Automaton i > 0 p := 1 i > 0 i > 0 p != 1 i == 1 i == 1 i <= 0 i <= 0 i := i-1 i != 1 i := i-1 i != 1 p := 0 p := 0 p != 0 p != 0 Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 34 / 65

Demo: SMTInterpol i > 0 p := 1 i > 0 i == 1 p := 0 i := i-1 i > 0 p != 1 (set-option :produce-interpolants true) (set-logic QF_LIA) (declare-const i0 Int) (declare-const i1 Int) (declare-const p0 Int) (declare-const p1 Int) (declare-const p2 Int) (assert (! (...) :named st1)) ... (check-sat) (get-interpolants st1 st2 st3 ...) Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 35 / 65

Interpolant Automaton for Second Trace i ≤ 1 i ≤ 0 true false i == 1 i := i-1 i > 0 i > 0 p := 1 p := 0 p != 1 Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 36 / 65

Interpolant Automaton for Second Trace i ≤ 1 i ≤ 0 true false i == 1 i := i-1 i > 0 i == 1 Σ Σ Σ Σ Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 36 / 65

Remaining Program Automaton i > 0 p := 1 i > 0 i > 0 p != 1 i == 1 i == 1 i <= 0 i <= 0 i := i-1 i != 1 i := i-1 i != 1 p := 0 p := 0 p != 0 p != 0 Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 37 / 65

Remaining Program Automaton i > 0 p := 1 i > 0 i == 1 i <= 0 i <= 0 i := i-1 i != 1 i := i-1 p := 0 p != 0 p != 0 Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 37 / 65

Remaining Program Automaton i > 0 p := 1 i > 0 i == 1 i <= 0 i <= 0 i := i-1 i != 1 i := i-1 p := 0 p != 0 p != 0 Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 37 / 65

Demo: SMTInterpol i > 0 p := 1 i > 0 i == 1 p := 0 i := i-1 i <= 0 p != 0 (set-option :produce-interpolants true) (set-logic QF_LIA) (declare-const i0 Int) (declare-const i1 Int) (declare-const p0 Int) (declare-const p1 Int) (declare-const p2 Int) (assert (! (...) :named st1)) ... (check-sat) (get-interpolants st1 st2 st3 ...) Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 38 / 65

Demo: SMTInterpol i > 0 p := 1 i > 0 i == 1 p := 0 i := i-1 i <= 0 p != 0 (set-option :produce-interpolants true) (set-logic QF_LIA) (declare-const i0 Int) (declare-const i1 Int) (declare-const p0 Int) (declare-const p1 Int) (declare-const p2 Int) (assert (! (...) :named st1)) ... (check-sat) (get-interpolants st1 st2 st3 ...) ;;(true true true true (= p2 0) (= p2 0) (= p2 0)) Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 38 / 65

Remaining Program Automaton i > 0 p := 1 i > 0 i == 1 i <= 0 i <= 0 i := i-1 i != 1 i := i-1 p := 0 p != 0 p != 0 Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 39 / 65

Remaining Program Automaton i > 0 p := 1 i > 0 i <= 0 i := i-1 i != 1 p != 0 Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 39 / 65

CEGAR for Trace Abstraction annotated program P return trace automaton A n +1 such that π ∈ L ( A n +1 ) and n := 0 L ( A n +1 ) ⊆ I NFEASIBLE n := n + 1 yes L ( A P ∩ A 1 ∩ . . . ∩ A n ) = ∅ ? π ∈ I NFEASIBLE ? no yes no return error trace π such that π ∈ L ( A P ∩ A 1 ∩ . . . ∩ A n ) P is correct P is incorrect Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 40 / 65

Recursive Function Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 41 / 65

Example: McCarthy 91 Function int f91(int x) { if (x > 100) return x - 10; else return f91(f91(x + 11)); } Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 42 / 65

Example: McCarthy 91 Function int f91(int x) { if (x > 100) return x - 10; else return f91(f91(x + 11)); } int main(int x) { int res; if (x <= 101) { res = f91(x); //@assert(res == 91); } } Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 42 / 65

McCarthy91 as Automaton ℓ 1 f(x) { x ↑ <=101 call f ℓ 3 : if (x > 100) { ℓ 2 ℓ 4 : res := x - 11 ℓ 3 x<=100 } else { x ↑ := x + 10 ℓ 5 : ℓ 5 ℓ 6 : call f x>100 x ↑ := res ℓ 7 : x ↑ :=x+11 ℓ 8 : call f ℓ 6 } ℓ 9 : return res ℓ 7 ℓ 4 } x ↑ :=res main() { if (x ↑ <= 101) { ℓ 8 ℓ 1 : res:=x-10 ℓ 2 : call f ℓ 10 : assert(res == 91) ℓ 9 } return } res!=91 ℓ 10 ℓ err Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 43 / 65

McCarthy91 as Automaton ℓ 1 f(x) { x ↑ <=101 call f ℓ 3 : if (x > 100) { ℓ 2 ℓ 4 : res := x - 11 ℓ 3 x<=100 } else { x ↑ := x + 10 ℓ 5 : ℓ 5 ℓ 6 : call f x>100 x ↑ := res call f ℓ 7 : x ↑ :=x+11 call f ℓ 8 : call f ℓ 6 } ℓ 9 : return res ℓ 7 ℓ 4 } return ? x ↑ :=res main() { if (x ↑ <= 101) { ℓ 8 ℓ 1 : res:=x-10 ℓ 2 : call f ℓ 10 : assert(res == 91) return ? ℓ 9 } return ? } res!=91 ℓ 10 ℓ err Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 43 / 65

Reminder Push-down Automaton A push-down automaton A = (Σ , Γ , Q , → , q 0 , F ) consists of Σ: a finite alphabet Γ: a stack alphabet Q : a finite set of locations → ⊆ Q × Σ × Op × Q : a transition relation, where Op is a stack operation: ↓ γ (push), ↑ γ (pop), or none. q 0 ∈ Q : the initial location F ⊆ Q : the accepting locations Example: a ↓ y b ↑ y a ↓ x b ↑ y b ↑ x Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 44 / 65

Reminder Push-down Automaton A push-down automaton A = (Σ , Γ , Q , → , q 0 , F ) consists of Σ: a finite alphabet Γ: a stack alphabet Q : a finite set of locations → ⊆ Q × Σ × Op × Q : a transition relation, where Op is a stack operation: ↓ γ (push), ↑ γ (pop), or none. q 0 ∈ Q : the initial location F ⊆ Q : the accepting locations Example: a ↓ y b ↑ y a ↓ x b ↑ y b ↑ x b, ↑ x Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 44 / 65

McCarthy as Push-down Automaton ℓ 1 f(x) { x ↑ <=101 call f ↓ ℓ 2 ℓ 3 : if (x > 100) { ℓ 2 ℓ 4 : res := x - 11 ℓ 3 x<=100 } else { x ↑ := x + 10 ℓ 5 : ℓ 5 ℓ 6 : call f call f ↓ ℓ 8 x>100 x ↑ := res ℓ 7 : x ↑ :=x+11 call f ↓ ℓ 6 ℓ 8 : call f ℓ 6 } ℓ 9 : return res ℓ 7 ℓ 4 } return ↑ ℓ 6 x ↑ :=res main() { if (x ↑ <= 101) { ℓ 8 ℓ 1 : res:=x-10 ℓ 2 : call f ℓ 10 : assert(res == 91) return ↑ ℓ 8 ℓ 9 } return ↑ ℓ 2 } res!=91 ℓ 10 ℓ err Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 45 / 65

Trace Abstraction with Push-down Automaton? Problem Push-down Automata can’t be subtracted/complemented/intersected. Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 46 / 65

Trace Abstraction with Push-down Automaton? Problem Push-down Automata can’t be subtracted/complemented/intersected. Solution: Alur & Madhusudan: Visibly Push-down Languages, 2004 Closed under complementation, intersection The symbol decides whether to push, pop, or do nothing Suitable for call/return statements. Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 46 / 65

Visibly Push-down Automaton A visibly push-down automaton A = (Σ i , Σ c , Σ r Γ , Q , → , q 0 , F ) consists of Σ i , Σ c , Σ r : three distinct finite alphabet for internal, call, and return statements. Γ: a stack alphabet Q : a finite set of locations  Q × Σ i × Q  → ⊆ ∪ Q × Σ c × ↓ Γ × Q  .  ∪ Q × Σ r × ↑ Γ × Q Call statements always push a value, return statements always pop a value, and internal statements do not change stack. q 0 ∈ Q : the initial location F ⊆ Q : the accepting locations Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 47 / 65

Visibly Push-down Automaton A visibly push-down automaton A = (Σ i , Σ c , Σ r Γ , Q , → , q 0 , F ) consists of Σ i , Σ c , Σ r : three distinct finite alphabet for internal, call, and return statements. Γ: a stack alphabet Q : a finite set of locations  Q × Σ i × Q  → ⊆ ∪ Q × Σ c × ↓ Γ × Q  .  ∪ Q × Σ r × ↑ Γ × Q Call statements always push a value, return statements always pop a value, and internal statements do not change stack. q 0 ∈ Q : the initial location F ⊆ Q : the accepting locations Remark Nested word automata have equivalent power, differ only in details. Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 47 / 65

Error Traces ℓ 1 x ↑ <=101 call f ↓ ℓ 2 ℓ 2 ℓ 3 x<=100 ℓ 5 call f ↓ ℓ 8 x>100 x ↑ :=x+11 call f ↓ ℓ 6 ℓ 6 ℓ 7 ℓ 4 return ↑ ℓ 6 x ↑ :=res ℓ 8 res:=x-10 return ↑ ℓ 8 ℓ 9 return ↑ ℓ 2 res!=91 ℓ 10 ℓ err Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 48 / 65

Error Traces ℓ 1 x ↑ <=101 call f ↓ ℓ 2 ℓ 2 ℓ 3 x<=100 ℓ 5 call f ↓ ℓ 8 x>100 x ↑ :=x+11 Error Trace: call f ↓ ℓ 6 ℓ 6 x ↑ <=101 call f x>100 res:=x-10 ℓ 7 ℓ 4 return res!=91 return ↑ ℓ 6 x ↑ :=res ℓ 8 res:=x-10 return ↑ ℓ 8 ℓ 9 return ↑ ℓ 2 res!=91 ℓ 10 ℓ err Jochen Hoenicke (Uni Freiburg) Software Model Checking with Ultimate 3 Jul 2019 48 / 65