Model Checking with Proofs and Counterexamples
Transcript of Model Checking with Proofs and Counterexamples
Slide 1
© Anvesh Komuravelli
Model Checking with Proofs and Counterexamples
Anvesh Komuravelli
Carnegie Mellon University
Joint work with Arie Gurfinkel, Sagar Chaki, and Edmund Clarke
Slide 2
Safety of Programs
Program P
+ Safety Assertions
Automatic verification for
assertion failures
Safe + Proof
Unsafe + Counterexample
0. x := 0;
1. while (x < n) {      // loop invariant: x ≥ 0
2.   x := x + 1; }
3. x := -x;
4. assert (x ≤ 0)
Slide 3
Safety of Programs
Program P
+ Safety Assertions
Automatic verification for
assertion failures
Safe + Proof
Unsafe + Counterexample
While-programs (unbounded variables, no procedure calls, no memory operations)
0. x := 0;
1. while (x < n) {
2.   x := x + 1; }
3. x := -x;
4. assert (x ≤ -1)
Counterexample Trace:
pc=0. x=0, n=0
pc=1. else branch
pc=3. x=0
pc=4. error
Slide 4
Algorithms for Safety
1. Safety is undecidable!
   • Reduction from the Halting Problem to safety of a 2-counter machine
2. Existing algorithms use heuristics for verifying many programs in practice
3. Two broad classes of model checking algorithms:
   A. Generalize feasible and safe behaviors (Proof-Based)
   B. Eliminate infeasible and unsafe behaviors (Counterexample-Based)
This talk: Improve (A) based on ideas from (B)
Slide 5
Background on Proof-Based Algorithms
Slide 6
Programs as Transition Systems
Transition System: Variables; Init condition; Transition relation; Error condition (should never hold)
0. x := 0;
1. while (x < n) {
2.   x := x + 1; }
3. x := -x;
4. assert (x ≤ 0)
The transition relation encodes how data and control change after every instruction.
Slide 7
SAT-Based Model Checking
Transition System
Counterexample of length 0? SAT?
Counterexample of length 1? SAT?
…
Bounded Model Checking, Clarke et al., TACAS 1999
1. Boolean SAT is NP-complete, but we have efficient solvers today
2. SAT modulo theories (SMT) for handling arithmetic, etc.
3. Eg: is unsatisfiable for integers x, y
Slide 8
SAT-Based Model Checking
Transition System
Counterexample of length 0? SAT?   (Are initial states safe?)
Counterexample of length 1? SAT?   (Are 1 step-reachable states safe?)
…
Bounded Model Checking, Clarke et al., TACAS 1999
No upper bound on the length of a counterexample! Even for finite-state systems, the upper bound can be huge!
When do we stop?
Keep track of the reachable states!
Slide 9
Keep Track of the Reachable States
[Figure: Initial States; States reachable in ≤1 steps; States reachable in ≤2 steps; …; reach(P); err(x)]
Usually Hopeless!
Slide 10
Reachable states can be diverging!
0. x := 0;
1. while (x < n) {
2.   x := x + 1; }
3. x := -x;
4. assert (x ≤ 0)
[Figure: reachable states at (pc=1), diverging because n is a symbolic input; labels: (diverging), converged!]
Slide 11
Generalize the reachable states!
Generalize (heuristics using Craig Interpolation [1,2])
[Figure: err(x)]
[1] McMillan, Interpolation and SAT-Based Model Checking, CAV 2003
[2] McMillan, Lazy Abstraction with Interpolants, CAV 2006
Slide 12
Generalize the reachable states!
[Figure: err(x); reach(P)]
Slide 13
Proofs and Invariants
0. x := 0;
1. while (x < n) {
2.   x := x + 1; }
3. x := -x;
4. assert (x ≤ 0)
[Figure: reachable states at (pc=1) (diverging)]
x ≥ 0 is a loop invariant!
The actual set of reachable states is stronger: 0 ≤ x ≤ n
Proof of Safety vs. Proof of “Bounded” Safety
Slide 14
Many heuristics for generalizations!
• No unique generalization!
• Today’s best algorithms for hardware verification are SAT-based
• Several competitive algorithms exist for software
[Figure: err(x); one possible generalization; another possible generalization]
Slide 15
The Problem: Generalizations are not always sufficient
Slide 16
Generalizations can suffer from local view
x = y = z = w = 0;
while (*) {
  // loop invariant:
  // (x ≥ 4 => y ≥ 100) && (z ≤ 10w)
  if (*) { x++; y += 100; }
  else if (*)
    if (x ≥ 4) { x++; y++; }
  else if (y > 10w && z ≥ 100x) { y = −y; }
  t = 1;
  w += t; z += 10t;
}
assert (!(x ≥ 4 && y ≤ 2))
State-of-the-art tool Z3 cannot verify in an hour.
Source: Automatically Refining Abstract Interpretations, Gulavani, Chakraborty, Nori and Rajamani, TACAS ‘08.
Proofs of Bounded Safety never connect z and w.
Slide 17
Abstractions for better generalizations!
x = y = z = w = 0;
while (*) {
  // loop invariant:
  // (x ≥ 4 => y ≥ 100) && (z ≤ 10w)
  if (*) { x++; y += 100; }
  else if (*)
    if (x ≥ 4) { x++; y++; }
  else if (y > 10w && z ≥ 100x) { y = −y; }
  t = 1;
  w += t; z += 10t;
}
assert (!(x ≥ 4 && y ≤ 2))
State-of-the-art tool Z3 cannot verify in an hour.
Source: Automatically Refining Abstract Interpretations, Gulavani, Chakraborty, Nori and Rajamani, TACAS ‘08.
Abstraction: replace t = 1; with t = *;
Abstractions only add behaviors.
Verifies the abstraction in < 1 sec.
Slide 18
How to obtain helpful abstractions automatically?
1. An abstraction of the program can dramatically improve generalizations!
2. How to obtain helpful abstractions?
3. How to efficiently and automatically maintain abstractions?
Slide 19
Abstractions are great, but not always!
[Figure: err(x); reach(P); Reachable states of an abstraction; Spurious counterexample]
CounterExample-Guided Abstraction Refinement (CEGAR) [1]: the second class of algorithms
[1] Clarke et al., Counterexample-Guided Abstraction Refinement, CAV 2000.
Slide 20
Our algorithm Spacer
Slide 21
Spacer (Software Proof-based Abstraction with CounterExample-based Refinement)
[Flowchart] Program → Fix a Bound → Check Safety
  safe at the bound → Invariants? Yes → Safety Proof; No → Abstract (Proof-Based Abstraction) and iterate
  counterexample at the bound → Feasible? Yes → Counterexample; No → Refine (CEGAR) and iterate
Slide 22
Spacer (Software Proof-based Abstraction with CounterExample-based Refinement)
(Flowchart as on slide 21, highlighting: Proofs from Abstractions)
Slide 23
Spacer (Software Proof-based Abstraction with CounterExample-based Refinement)
(Flowchart as on slide 21, highlighting: Refinement using Spurious Counterexamples)
Slide 24
Spacer (Software Proof-based Abstraction with CounterExample-based Refinement)
(Flowchart as on slide 21, highlighting: Proof-Based Abstraction)
Slide 25
Spacer (Software Proof-based Abstraction with CounterExample-based Refinement)
(Flowchart as on slide 21)
Slide 26
Spacer at a high level
Proof-Based Abstraction
[Figure: Initial States of P; Initial States of A1; reach(P); reach(A1); err(x); Abstraction; Generalization/Proof]
Slide 27
Spacer at a high level
[Figure: err(x); reach(P); reach(A1); Reachable states of A1 in ≤1 steps; Spurious counterexample]
Slide 28
Spacer at a high level
Refine A1 to A2 eliminating the spurious counterexample
[Figure: err(x); reach(P); reach(A2); Reachable states of A2 in ≤1 steps; Reachable states of P in ≤1 steps; Generalization/Proof]
Slide 29
Spacer at a high level
Fresh abstraction, to avoid bias
Proof-Based Abstraction
[Figure: err(x); reach(P); reach(A3); Reachable states of A3 in ≤1 steps; Reachable states of P in ≤1 steps]
Slide 30
Key Ideas of Spacer
1. Abstractions help obtain (hopefully) more general proofs
2. First integration of Proof-Based Abstraction with SAT/SMT-Based Model Checking
3. Orthogonal to heuristics for Interpolation/Generalization
Implementation and Experimental Evidence on C Programs
Slide 31
Abstractions add a new dimension
[Figure: two axes, SAT-Based Model Checking and Abstract]
Slide 32
SAT-Based Model Checking with Abstractions
[Figure: two axes, SAT-Based Model Checking (Under-approximations) and Abstract]
Under-approximations need not be monotonic
Slide 33
SAT-Based Model Checking with Abstractions
[Figure: two axes, SAT-Based Model Checking (Under-approximations) and Abstract; label: non-trivial abstraction]
Slide 34
Spacer (Software Proof-based Abstraction with CounterExample-based Refinement)
(Flowchart as on slide 21)
Slide 35
Spacer on Example
Slide 36
Spacer on Example
x = y = z = w = 0; c = 0;
while (*) {
  // (y > 10w) => (z < 100x), z ≤ 100x,
  // x ≤ 2, c ≤ 0 => x ≤ 0, c ≤ 1 => x ≤ 1
  assume (c < 2);
  if (*) { x++; y += 100; }
  else if (* && x ≥ 4) { x++; y++; }
  else if (y > 10w && z ≥ 100x) { y = −y; }
  else assume (false);
  w++; z += 10;
  c += 1;
}
assert (!(x ≥ 4 && y ≤ 2));
Add Counters → Bound → Solve → Loop Invariants
Slide 37
Spacer on Example
(program as on slide 36)
Bound → Solve → Unbounded?
Of the bounded loop invariants: (y > 10w) => (z < 100x) and z ≤ 100x are preserved; x ≤ 2 is specific to the under-approximation; c ≤ 0 => x ≤ 0 and c ≤ 1 => x ≤ 1 depend on the counter.
Extract Unbounded Invariants: treat them as conjectured unbounded invariants (as in Houdini [1]).
[1] Houdini, an annotation assistant for ESC/Java, C. Flanagan and K.R.M. Leino, 2001
Slide 38
Spacer on Example
x = y = z = w = 0; c = 0;
while (*) {
  // (y > 10w) => (z < 100x), z ≤ 100x,
  // x ≤ 2, c ≤ 0 => x ≤ 0, c ≤ 1 => x ≤ 1
  if (*) { x++; y += 100; }
  else if (* && x ≥ 4) { x++; y++; }
  else if (y > 10w && z ≥ 100x) { y = −y; }
  else assume (false);
  w++; z += 10;
  c += 1;
}
assert (!(x ≥ 4 && y ≤ 2));
Bound → Solve → Unbounded? NO ✖
Invariants are too weak! → Abstract
Slide 39
Spacer on Example
x = y = z = w = 0; c = 0;
assume (y > 10w => z < 100x, z ≤ 100x);
while (*) {
  // (y > 10w) => (z < 100x), z ≤ 100x,
  // x ≤ 2, c ≤ 0 => x ≤ 0, c ≤ 1 => x ≤ 1
  assume (c < 2);
  if (*) { x++; y += 100; }
  else if (* && x ≥ 4) { x++; y++; }
  else if (y > 10w && z ≥ 100x) { y = −y; }
  else assume (false);
  w++; z += 10;
  c += 1;
  assume (y > 10w => z < 100x, z ≤ 100x);
}
assert (!(x ≥ 4 && y ≤ 2));
Strengthen with Invariants (the strengthened invariants in the comment are now redundant)
Bound → Solve → Unbounded? NO → Abstract
Slide 40
Spacer on Example
x = y = z = w = 0; c = 0;
assume (y > 10w => z < 100x, z ≤ 100x);
while (*) {
  // (y > 10w) => (z < 100x), z ≤ 100x,
  // x ≤ 2, c ≤ 0 => x ≤ 0, c ≤ 1 => x ≤ 1
  assume (c < 2);
  if (*) { x++; y = *; }
  else if (* && x ≥ 4) { x++; y = *; }
  else if (y > 10w && z ≥ 100x) { y = *; }
  else assume (false);
  w = *; z = *;
  c += 1;
  assume (y > 10w => z < 100x, z ≤ 100x);
}
assert (!(x ≥ 4 && y ≤ 2));
Bound → Abstract (Proof-Based Abstraction) → Solve → Unbounded? NO
Slide 41
Spacer on Example
x = y = z = w = 0; c = 0;
assume (y > 10w => z < 100x, z ≤ 100x);
while (*) {
  assume (c < 4);
  if (*) { x++; y = *; }
  else if (* && x ≥ 4) { x++; y = *; }
  else if (y > 10w && z ≥ 100x) { y = *; }
  else assume (false);
  w = *; z = *;
  c += 1;
  assume (y > 10w => z < 100x, z ≤ 100x);
}
assert (!(x ≥ 4 && y ≤ 2));
Bound → Solve → Counterexample! (increment x to 4, choose y arbitrarily)
Feasible? Concretize: the concrete control path is infeasible → NO → Refine
Slide 42
Spacer on Example
x = y = z = w = 0; c = 0;
assume (y > 10w => z < 100x, z ≤ 100x);
while (*) {
  assume (c < 4);
  if (*) { x++; y += 100; }
  else if (* && x ≥ 4) { x++; y++; }
  else if (y > 10w && z ≥ 100x) { y = −y; }
  else assume (false);
  w = *; z = *;
  c += 1;
  assume (y > 10w => z < 100x, z ≤ 100x);
}
assert (!(x ≥ 4 && y ≤ 2));
Bound → Solve → Feasible? NO → Refine (CEGAR)
Slide 43
Spacer on Example
x = y = z = w = 0; c = 0;
assume (y > 10w => z < 100x, z ≤ 100x);
while (*) {
  // (y > 10w) => (z < 100x), z ≤ 100x
  // y > 0, (x > 0) => (y ≥ 100)
  assume (c < 4);
  if (*) { x++; y += 100; }
  else if (* && x ≥ 4) { x++; y++; }
  else if (y > 10w && z ≥ 100x) { y = −y; }
  else assume (false);
  w = *; z = *;
  c += 1;
  assume (y > 10w => z < 100x, z ≤ 100x);
}
assert (!(x ≥ 4 && y ≤ 2));
Bound → Solve → Unbounded? YES → Invariants
Slide 44
Implementation Details
Slide 45
Three Key Components
1. Extracting Unbounded Invariants
2. Proof-Based Abstraction
3. Counterexample Analysis and Refinement
Focus: How can we efficiently use today’s SAT/SMT solvers?
Slide 46
Extracting Unbounded Invariants
An invariant for the transition system is a formula that holds for the initial states and after every transition.
φ is an invariant iff:
(initial)
(transition)
Given: A set L of conjectures for invariants, each including “initial states”.
Goal: A maximal I ⊆ L s.t.
Slide 47
Extracting Unbounded Invariants
Given: A set L of conjectures for invariants, each including “initial states”.
Goal: A maximal I ⊆ L s.t.
SAT? (initial) SAT? (transition)
unsat: the conjunction is inductive; sat: the model makes some conjecture false, so drop it and re-start from scratch!
…until fixed point
Slide 48
Extracting Unbounded Invariants
Given: A set L of conjectures for invariants, each including “initial states”.
Goal: A maximal I ⊆ L s.t.
Introduce assumption variables (instead of re-starting the solver from scratch)
unsat: done; sat: the model makes some conjecture false, so drop it
…
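The “counterexample of length k?” loop and reachable-state tracking from the SAT-based model checking slides, and the Houdini-style extraction of unbounded invariants from the last two slides, worked on the x/n while-program from slide 2, as an added example that is not code from the talk or from the Spacer tool. It assumes the symbolic input n ranges over a small constructed domain (N_DOMAIN, X_DOMAIN) so that brute-force enumeration stands in for the SAT/SMT queries; the function names are my own.

```python
# Added example (not from the talk or the Spacer tool): explicit-state stand-ins for
# the SAT/SMT queries, on the slides' program
#   0. x := 0;  1. while (x < n) {  2. x := x + 1; }  3. x := -x;  4. assert (x <= 0)
# Assumption: symbolic n ranges over the constructed domain N_DOMAIN, so "SAT?" is enumeration.
from itertools import product

N_DOMAIN = range(0, 6)     # constructed finite domain for the symbolic input n
X_DOMAIN = range(-6, 7)    # constructed finite domain for x in the invariant check

def init_states():
    """Init condition: pc = 0, x = 0, n unconstrained within its domain."""
    return {(0, 0, n) for n in N_DOMAIN}

def step(state):
    """Transition relation: how data and control change after one instruction."""
    pc, x, n = state
    if pc == 0:
        return {(1, 0, n)}                              # x := 0
    if pc == 1:
        return {(2, x, n)} if x < n else {(3, x, n)}   # loop test / else branch
    if pc == 2:
        return {(1, x + 1, n)}                          # x := x + 1, back to the head
    if pc == 3:
        return {(4, -x, n)}                             # x := -x
    return set()                                        # pc = 4: the assertion

def bmc_counterexample(assertion, max_len):
    """Bounded model checking: "counterexample of length k?" for k = 0..max_len.
    Returns an error trace (list of (pc, x, n) states) or None within the bound."""
    frontier = {s: [s] for s in init_states()}         # state -> a path reaching it
    for _ in range(max_len + 1):
        for (pc, x, _n), path in frontier.items():
            if pc == 4 and not assertion(x):            # error condition holds
                return path
        frontier = {t: path + [t]
                    for s, path in frontier.items() for t in step(s)}
    return None

def loop_head_x_values(k):
    """x values at pc = 1 reachable in <= k steps: the set 'keep track of the
    reachable states' grows, which converges here only because n is bounded."""
    seen = set(init_states())
    frontier = set(seen)
    for _ in range(k):
        frontier = {t for s in frontier for t in step(s)} - seen
        seen |= frontier
    return {x for pc, x, _n in seen if pc == 1}

def houdini(conjectures):
    """Houdini-style extraction of unbounded loop invariants at pc = 1.
    conjectures: dict name -> predicate over (x, n). Drop any conjecture that
    fails at loop entry (initial) or is not preserved by one iteration from a
    state satisfying the rest (transition); restart until a fixed point."""
    keep = dict(conjectures)
    changed = True
    while changed:
        changed = False
        allowed = [(x, n) for x, n in product(X_DOMAIN, N_DOMAIN)
                   if all(f(x, n) for f in keep.values())]
        for name, f in list(keep.items()):
            bad_init = any(not f(0, n) for n in N_DOMAIN)                # x = 0 on entry
            bad_step = any(not f(x + 1, n) for x, n in allowed if x < n)  # x < n: x + 1
            if bad_init or bad_step:                    # "sat": a model falsifies it
                del keep[name]
                changed = True
                break                                   # re-check the weaker conjunction
    return set(keep)

CONJECTURES = {                                         # constructed candidate invariants
    "x >= 0": lambda x, n: x >= 0,
    "x <= n": lambda x, n: x <= n,
    "x <= 2": lambda x, n: x <= 2,                      # holds only under a small bound
    "x == 0": lambda x, n: x == 0,
    "x >= 1": lambda x, n: x >= 1,
}

if __name__ == "__main__":
    print(bmc_counterexample(lambda x: x <= -1, 10))   # slide 3 trace: pc 0, 1, 3, 4
    print(sorted(houdini(CONJECTURES)))                 # only x >= 0 and x <= n survive
```

Running it reproduces the slide-3 trace for assert (x ≤ -1), finds no bounded counterexample for assert (x ≤ 0), and keeps exactly x ≥ 0 and x ≤ n from the candidate set, matching the invariants discussed on slide 13.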
Slide 49
Proof-Based Abstraction
A proof of “bounded” safety for the transition system is a formula that holds of the initial states and after every transition up to the given bound, and excludes error states:
(initial)
(transition)
(safety)
Proof of Bounded Safety: not all of the transition relation is necessary!
Slide 50
Proof-Based Abstraction
Bounded-safety queries: unsat, unsat, unsat → take the UNSAT core and iteratively minimize
Slide 51
What have we seen so far?
1. Generalizing reachable states can be hard!
2. Abstractions can really help!
3. Algorithm Spacer that combines abstraction refinement with SAT-based model checking
4. How Spacer can be efficiently automated
Slide 52
Tool and Experimental Evaluation
Slide 53
Spacer Tool
C Program → (Horn-SMT) Logical Encoding → Spacer Backend (using Z3’s framework)
Existing front-end based on LLVM
Spacer backend: Proof-Based Abstraction, CEGAR, etc.
Theories handled: Linear Arithmetic (Rationals and Integers), Bitvectors
Slide 54
Spacer Tool
(Flowchart as on slide 21, with Fix a Bound replaced by Under-Approximate and both exits asking Feasible?)
SMT-Based Model Checker in Z3
Slide 55
The hard example mentioned in the beginning
x = y = z = w = 0;
while (*) {
  if (*) { x++; y += 100; }
  else if (*)
    if (x ≥ 4) { x++; y++; }
  else if (y > 10w && z ≥ 100x) { y = −y; }
  t = 1;
  w += t; z += 10t;
}
assert (!(x ≥ 4 && y ≤ 2))
State-of-the-art tool Z3 cannot verify in an hour.
Source: Automatically Refining Abstract Interpretations, Gulavani, Chakraborty, Nori and Rajamani, TACAS ‘08.
Spacer automatically verifies in under a minute!
Slide 56
Results on SV-COMP’13 Benchmarks
[Scatter plot: x-axis No abstraction (secs), y-axis With abstraction (secs), both 0 to 900; labels: Advantage!, Time-out, Mem-out]
Slide 57
Summary
Slide 58
Conclusion
Focused Proofs: Abstractions guide Interpolation towards certain generalizations
Combine Proof-Based Abstraction and Counterexample-Guided Refinement
General framework independent of the underlying model checker
Works in practice!
Future Directions
Verification in presence of assumptions
Different kinds of bounding/abstraction
Synthesizing ghost code to help verification
Slide 59
Questions?
For more details, read our CAV’13 paper!
Slide 60
Counterexample Analysis and Refinement
An “abstract counterexample” is a finite length path consistent with error states.
Concrete:
Abstract:
Feasibility Check. Abstract: SAT. Concrete: SAT?