UFO: Verification with Interpolants and Abstract Interpretation

Transcription

1 : Verification with Interpolants and Abstract Interpretation and Sagar Chaki Software Engineering Institute Carnegie Mellon University Aws Albarghouthi, Yi i and Marsha Chechik University of Toronto

2 A framework and a tool for software verification Tightly integrates interpolation- and abstraction-based techniques Check it out at: References: [SAS12] Craig Interpretation [CAV12] : A Framework for Abstraction- and Interpolation-based Software Verification [TACAS12] From Under-approximations to Over-approximations and Back [VMCAI12] Whale: An Interpolation-based Algorithm for Interprocedural Verification 2 2

3 Verification with INTERP and AI SAFE (+Invariant) UNSAFE (+CEX) Unsafe Invariant Program Abstract Interpretation Strengthening Refinement Interpolation uses Cutpoint Graph (CPG) maintains an unrolling of CPG computes disjunctive invariants uses novel powerset widening uses SMT to check for CEX DAG Interpolation for Refinement Guided by AI-computed Invs Fills in gaps in AI 3

4 Implementation in Framework C Program with assertions C to VM Optimizer Cutpoint Graph Mathsat Z3 SMT interface ARG Constructor Refinement Strategy Abstract Post Expansion Strategy 4

5 in a Nutshell Iteration 1 E Unlabeled Pred. abs. label Interpolant label 5 5

6 in a Nutshell Iteration 2 Iteration 1 E E Unlabeled Pred. abs. label Interpolant label 6 6

7 in a Nutshell Iteration 2 Iteration 1 E E Imprecise post UD Explore from root OD Unlabeled Pred. abs. label Interpolant label 7 7

8 Secret Sauce Front-End Boxes Abstract Domain DAG Interpolation Parallel 8

9 Front End In principle simple, but in practice very messy CI passes to normalize the code (library functions, uninitialized vars, etc.) llvm-gcc (without optimization) to compile C to VM bitcode llvm opt with many standard, custom, and modified optimizations lower pointers, structures, unions, arrays, etc. to registers constant propagation + many local optimizations difficult to preserve intended semantics of the benchmarks based on very old VM 2.6 (newer version of VM are too smart ) Many benchmarks discharged by front-end alone 1,321 SAFE (out of 1,592) and 19 UNSAFE (out of 380) C Program with assertions C to VM Optimizer Cutpoint Graph 9

10 Boxes Abstract Domain: Semantic View Boxes are finite union of box values (alternatively) Boxes are Boolean formulas over interval constraints 10

11 inear Decision Diagrams in a Nutshell * inear Decision Diagram inear Arithmetic Formula false edge false terminal z < 10 0 x + 2y < 10 1 decision node true edge true terminal (x + 2y < 10) OR (x + 2y 10 AND z < 10) Compact Representation Sharing sub-expressions ocal numeric reductions Dynamic node reordering Operations Propositional (AND, OR, NOT) Existential Quantification * joint work w/ Ofer Strichman 11

12 DAG Interpolants: Solving the Refinement Prob. Given a DAG G = (V, E) and a labeling of edges ¼:E Expr. A DAG Interpolant (if it exists) is a labeling I:V Expr such that for any path v 0,, v n, and 0 < k < n, I(v k ) = ITP (¼(v 0 ) Æ Æ ¼ (v k-1 ), ¼(v k ) Æ Æ ¼(v n )) 8 (u, v) 2 E. (I(u) Æ ¼ (u, v)) ) I(v) I 2 = ITP (¼ 1, ¼ 8 ) I 2 = ITP (¼ 1, ¼ 2 Æ ¼ 3 Æ ¼ 6 Æ ¼ 7 ) ¼ 8 ¼ I 1 I 2 ¼ 2 I 3 ¼ 3 3 ¼ 4 (I 1 Æ ¼ 1 ) ) I 2 (I 2 Æ ¼ 8 ) ) I 7 (I 2 Æ ¼ 2 ) ) I 3 I 7 7 ¼ 7 ¼ 6 6 ¼ 5 I 6 I 4 I

13 Parallel Verification Strategy Run 7 verification strategies in parallel until a solution is found cpredo3 all VM optimizations + Cartesian Predicate Abstraction bpredo3 all VM optimizations + Boolean PA + 20s TO bigwo3 all VM optimizations + BOXES + non-aggressive widening + 10s TO boxeso3 all VM optimizations + BOXES + aggressive widening boxo3 all VM optimizations + BOX + aggressive widening + 20s TO boxeso0 minimal VM optimizations + BOXES + aggressive widening boxbpredo3 all VM opts + BOX + Boolean PA + aggressive widening + 60s TO 13

14 Family Whale [VMCAI12] Interpolation-based interprocedural analysis Interpolants as procedure summaries State/transition interpolation a.k.a. Tree Interpolants [TACAS12] Refinement with DAG interpolants Tight integration of interpolation-based verification with predicate abstraction Vinta [SAS12] Refinement of Abstract Interpretation (AI) AI-guided DAG Interpolation 14

15 Thank You! 15

16 Contact Information Presenter RTSS Telephone: U.S. mail: Software Engineering Institute Customer Relations 4500 Fifth Avenue Pittsburgh, PA USA Web: Customer Relations Telephone: SEI Phone: SEI Fax:

17 NO WARRANTY THIS CARNEGIE MEON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIA IS FURNISHED ON AN AS-IS" BASIS. CARNEGIE MEON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPIED, AS TO ANY MATTER INCUDING, BUT NOT IMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABIITY, EXCUSIVITY, OR RESUTS OBTAINED FROM USE OF THE MATERIA. CARNEGIE MEON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. Use of any trademarks in this presentation is not intended in any way to infringe on the rights of the trademark holder. This Presentation may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at This work was created in the performance of Federal Government Contract Number FA C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The Government of the United States has a royalty-free government-purpose license to use, duplicate, or disclose the work, in whole or in part and in any manner, and to have or permit others to do so, for government purposes pursuant to the copyright license under the clause at

18 THE END