Efficient SAT/BDD-based Efficient SAT/BDD-based Techniques for Techniques for Predicate Abstraction Predicate Abstraction Shuvendu K. Lahiri Joint work with Thomas Ball, Randy Bryant, Byron Cook, Robert Nieuwenhuis, Albert Oliveras Microsoft Research, Redmond
65
Embed
Efficient SAT/BDD-based Techniques for Predicate Abstraction Efficient SAT/BDD-based Techniques for Predicate Abstraction Shuvendu K. Lahiri Joint work.
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Efficient SAT/BDD-based Efficient SAT/BDD-based Techniques for Predicate Techniques for Predicate
AbstractionAbstraction
Efficient SAT/BDD-based Efficient SAT/BDD-based Techniques for Predicate Techniques for Predicate
AbstractionAbstraction
Shuvendu K. Lahiri
Joint work withThomas Ball, Randy Bryant, Byron Cook,
Robert Nieuwenhuis, Albert Oliveras
Microsoft Research, Redmond
– 2 –
Program analysis and abstractionProgram analysis and abstraction
Unbounded state spaceUnbounded state space Unbounded integers, arrays, heap State exploration may not terminate
AbstractionAbstraction Construct an overapproximation of program
behavior Abstract domain/operators ensures that the
Symbolic DP for Equality LogicSymbolic DP for Equality Logic
ModificationsModifications Introduce a
Boolean variable [g] for each expression g in GAdd “true” for e
Construct a “shared” expression for the derivations
a = b b = c a c
[a = b] [b = c] true
a = d d = c
[a = d] [d = c]
G = G = {a=b,b=c,a=d,d=c}; {a=b,b=c,a=d,d=c}; e : (a = c)e : (a = c)
– 22 –
Symbolic DP for Equality LogicSymbolic DP for Equality Logic
a = b b = c a c
a = c a c
[a = b] [b = c] true
a = d d = c
[a = d] [d = c]
G = G = {a=b,b=c,a=d,d=c}; {a=b,b=c,a=d,d=c}; e : (a = c)e : (a = c)
ModificationsModifications Introduce a
Boolean variable [g] for each expression g in GAdd “true” for e
Construct a “shared” expression for the derivations
– 23 –
Symbolic DP for Equality LogicSymbolic DP for Equality Logic
ModificationsModifications Introduce a
Boolean variable [g] for each expression g in GAdd “true” for e
Construct a “shared” expression for the derivations
SDP(G,e)SDP(G,e) The expression
representing “” after lg(|G|) steps
a = b b = c a c
a = c
a c
[a = b] [b = c] true
a = d d = c
[a = d] [d = c]
G = G = {a=b,b=c,a=d,d=c}; {a=b,b=c,a=d,d=c}; e : (a = c)e : (a = c)
– 24 –
Symbolic DP for Equality LogicSymbolic DP for Equality Logic
OutputOutput A shared
Boolean expression with [.] variables in the leaves
a = b b = c a c
a = c
a c
[a = b] [b = c] true
a = d d = c
[a = d] [d = c]
G = G = {a=b,b=c,a=d,d=c}; {a=b,b=c,a=d,d=c}; e : (a = c)e : (a = c)
– 25 –
SDP for Equality LogicSDP for Equality Logic
Expression representing “Expression representing “” after ” after lg(|G|) lg(|G|) stepssteps Shared expression for {G’ | G’ G, and DP(G’,e) is
UNSAT}
Shared expression can be computed in Shared expression can be computed in polynomial time polynomial time Derivations repeated for lg(|G|) steps Each step has at most |V|2 atomic expressions
V: number of vars in G
– 26 –
SDP for other theoriesSDP for other theories
Bounded-depth Bounded-depth Saturating Theory Saturating Theory TT Decision procedure
for T can be implemented by saturation
Provide a function Depth: GG Nat, to denote the max. depth to iterate
R
R
R
G G { {ee}}
Contains Yes
UNSATSAT
Depth(G)
No
– 27 –
SDP for other theoriesSDP for other theories
Equality with Uninterpreted Functions (EUF)Equality with Uninterpreted Functions (EUF) Expressions: f(x) = f(g(y)), x = f(z) Depth(G) < 3m
m is the number of terms in G Polynomial Complexity of SDP
Difference Logic (DIFF)Difference Logic (DIFF) Expressions: x y + c Depth(G) < lg(|G|) Pseudo Polynomial Complexity of SDP
Combining SDP for two theoriesCombining SDP for two theories
– 29 –
Combining SDPs for two theoriesCombining SDPs for two theories
Extend Nelson-Oppen method for combining Extend Nelson-Oppen method for combining decision procedures for two theories Tdecision procedures for two theories T11, T, T22 [Nelson, Oppen TOPLAS ’79] The decision procedures communicate via
equalities over shared variables
Given Given SDPSDP11 and and SDPSDP2 2 for theories Tfor theories T11, T, T22
Disjoint signatures, convex theories Each theory generates derivations of all equalities
between variables Complexity of the resultant SDP (for T1T2) only
increases linearly in the number of variables
– 30 –
Combining SDP for two theoriesCombining SDP for two theories
SDP1
SDP2
SDP1
{x=y}
{x=y}
G1
G2
G1
N : number of
sharedvariables
– 31 –
Combining SDP for theoriesCombining SDP for theories
Combined SDP for EUF + DIFFCombined SDP for EUF + DIFF Pseudo Polynomial complexity Important fragment of most program verification
queries (especially in SLAM)
– 32 –
SDP to Predicate AbstractionSDP to Predicate Abstraction
Output of SDP is an Expression DAGOutput of SDP is an Expression DAG Represents FP (e)
Can be used directly to construct Boolean programs (with intermediate variables)
To compute explicit expression for To compute explicit expression for FFP P (e) (e) Construct a Binary Decision Diagram (BDD) from
SDP, and enumerate prime-implicants BDDs crucial for exploiting the shared
representation
– 33 –
EvaluationEvaluation
SLAM benchmarksSLAM benchmarks Generated 665 predicate abstraction queries from
device driver verification Decision Procedure (Zapato) based approach:
27904sec SDP based approach: 273s 100X speedup
– 34 –
ChallengesChallenges
SDP for other interesting theories and SDP for other interesting theories and combinationscombinations Linear arithmetic, non-convex theories
Incremental SDPsIncremental SDPs Useful for combining SDPs
Output sensitive predicate abstraction?Output sensitive predicate abstraction? Complexity is polynomial in the number of
minterms in the output
– 35 –
ConclusionConclusion
Predicate abstraction via symbolic decision Predicate abstraction via symbolic decision proceduresprocedures Polynomial algorithms for useful theories
Modular combination of Symbolic Decision Modular combination of Symbolic Decision Procedures for theoriesProcedures for theories Can design SDP for each theory in isolation
Simple prototype implementationSimple prototype implementation Promising results on SLAM queries
– 36 –
Overview of the talkOverview of the talk
Two approaches to predicate abstractionTwo approaches to predicate abstraction Symbolic Decision Procedures Satisfiability Modulo Theory (SMT) based
unable to finish on most examples > 10,000 theorem prover calls
– 44 –
Lazy SMT techniquesLazy SMT techniques
Integrate a theory T-solver with SAT solverIntegrate a theory T-solver with SAT solver Lazily rule out T-inconsistent Boolean models
using theory solver CVC-Lite, Verifun, MathSAT, Barcelogic,…
Barcelogic ToolBarcelogic Tool R. Nieuwenhuis and A. Oliveras CAV’05 Optimizations (based on DPLL(T))
1. Check partial Boolean models for T-inconsistency2. Upon T-inconsistency, use the explanation as a
conflicting clause and perform backjump3. Theory (unit) propagation to generate implied
facts
– 45 –
Predicate abstraction using lazy methodsPredicate abstraction using lazy methods
Lahiri, Nieuwenhuis, Oliveras CAV’06, using Barcelogic
Enumerate all the models over Enumerate all the models over BB for for
[[ (i (bi Pi)) ]]
whilewhile is T-satisfiableis T-satisfiable dodo
1. M := T-model for using SMT-solver
2. M := project M onto B
3. Consider M as a conflicting clause1. Perform conflict analysis to generate backjump clause
2. Optionally add backjump clause
4. Backjump and continue
return all models over B
– 46 –
Experimental resultsExperimental results
SLAM benchmarksSLAM benchmarks ~5seconds on 665 benchmarks > 100X improvement on SDP based approach
Hardware and protocol benchmarks Hardware and protocol benchmarks [UCLID]
7 set of benchmarks 22X – 143X improvement over Eager-SMT based approach
Linked list verification Linked list verification [Lahiri, Qadeer POPL’06]
4 set of benchmarks 31X – 40X improvement over Eager-SMT based approach
SDP-based technique not applied on the latter two classes Need support for (sound) quantifier-reasoning
– 47 –
Hardware and protocol benchmarksHardware and protocol benchmarks
1.1. Theory propagation crucial for benchmarks with arithmeticTheory propagation crucial for benchmarks with arithmetic E.g. 17X slowdown in OOO without it
2.2. Reusing lemmas and clauses improves 1.5X – 3X on most examplesReusing lemmas and clauses improves 1.5X – 3X on most examples
# cubes: Number of prime-implicants in the BDD for the minterms
– 48 –
ConclusionsConclusions
Relatively easy to turn SMT solver to perform Relatively easy to turn SMT solver to perform predicate abstractionpredicate abstraction Clear benefit from leveraging learned clause and
not restarting the search after each model
Improvements in SMT translate to predicate Improvements in SMT translate to predicate abstraction caseabstraction case
– 49 –
Overview of the talkOverview of the talk
Two approaches to predicate abstractionTwo approaches to predicate abstraction Symbolic Decision Procedures Satisfiability Modulo Theory (SMT) based
Symbolic decision proceduresSymbolic decision procedures Can construct DAG representation of output in
polynomial time for useful theories Modular combination of SDPs Require more optimizations to make it practical
SMT-based proceduresSMT-based procedures Can leverage SMT solvers without much effort ALLSAT using SAT-solvers (Eager) or SMT
solvers (Lazy) Lazy approaches benefit from tighter SAT+theory
reasoning
– 51 –
Challenges for predicate abstraction toolsChallenges for predicate abstraction tools
Predicate abstraction with non-ground formulasPredicate abstraction with non-ground formulas Quantifiers were removed with simple instantiation
techniques for UCLID/List verification benchmarks
Generate partial models during ALLSATGenerate partial models during ALLSAT Should improve the performace when ratio of #minterms : #
cubes is large
Incremental refinement of approximationsIncremental refinement of approximations Construct refined approximation of FP () from coarser
approximations, without repeating work Some initial directions in CAV’06 paper
Refining the abstraction (incrementally) with Refining the abstraction (incrementally) with monotonically increasing set of predicatesmonotonically increasing set of predicates
Combining SDP for two theoriesCombining SDP for two theories
Implementation and ResultsImplementation and Results
Related WorkRelated Work
– 55 –
Zap OverviewZap Overview
[Ball, Lahiri, Musuvathi]
Many automated program analysis tools require Many automated program analysis tools require symbolic reasoningsymbolic reasoning e.g. Unit-testing, model checking, static analysis, …
Support symbolic operations for such tools Support symbolic operations for such tools Support richer operations, apart from validity checking Support useful theories for program analysis Leverage advances in SAT solving and theorem proving
Zaptheorem prover
MUTTunit-testing
Zingmodel checking
Boogiestatic analysis
SLAM/SDV
– 56 –
Symbolic Reasoning for Automated Software AnalysisSymbolic Reasoning for Automated Software Analysis Validity / SatisfiabilityValidity / Satisfiability
Model generationModel generation Useful in test case generation
Quantifier eliminationQuantifier elimination Image operation in model checking
SATQE : Simple extension to Zchaff» Built by Daniel Kroening at CMU
Explicit MethodExplicit Method Algorithm of Das, Dill & Park, CAV’99
Avoids exponential worst case in many cases in practiceUses SVC as a decision procedure
Device Driver Benchmarks from SLAM Toolkit Device Driver Benchmarks from SLAM Toolkit Ball and Rajamani, MSR Queries during C Boolean Program construction
– 63 –
Evaluation on SLAM-benchmarksEvaluation on SLAM-benchmarks
BDD based approach worse than SAT on larger BDD based approach worse than SAT on larger benchmarksbenchmarks