Lazy Abstraction with Interpolants

Lazy Abstraction with Interpolants

Yakir Vizel

(based on the work and slides of K. L. McMillan at CAV06)

Agenda

• Introduction– Model Checking– Abstraction and CEGAR

• Software MC• Lazy Abstraction• Lazy Abstraction with Interpolants

Model Checking

• Given a system, and a specification – does the system satisfies the specification

• There are efficient algorithms that receive a model and a formula and return:– “True” if the system satisfy the specification.– “False” and a counterexample otherwise.

• The problem at hand is Non-Decidable• Suffers from the state-explosion problem

Abstraction

• A way to fight the state explosion problem.• Preserves properties – those that hold in the concrete

model also hold in the abstract model (over approximation).

• An abstract state represents a set of concrete states and transitions defined existentially.

• Types of abstraction: Localization Reduction, Data Abstraction, Predicate Abstraction

CEGAR

• One problem with over approximations is spurious counterexamples.

• The solution: Counter-Example Guided Abstraction Refinement.

• Given an abstract model M’ and a spurious counterexample refine M’ automatically such that a new abstract model is created M’’ ≥ M’ and it does not contain the given spurious counterexample.

CEGAR (cont.)

C is not spuriouscheck spuriouscounterexample

C

stop

M’╞

generatecounterexample C

M’ |=

model check

M’

generate initialabstraction

M and

refinement

Cis spurious

Modeling Programs

• FOL formulas are used to characterize programs.– S is the set of individual variables, constants etc.– A state formula is a formula in L(S) where L(S) is the set of

well-formed formulas over the vocabulary S.– For a non-logical symbol s, s’ represents s in the next time. – s with n primes represent s at n time units in the future.– For a formula f, the notation f(n) denote the addition of n primes

to every symbol in f.– A transition formula is a formula in L(S U S’)

• Example: x’ = x + 1

• Program is usually represented using a Control Flow Graph (CFG).

Modeling Programs (2)

• A program is a tuple (λ, Δ, li,lf) where λ is a finite set of program locations, Δ is a set of actions, li is the initial location and lf is the error location (both in λ). – An action is a triple (l,T,m) where l,m are respectively the entry

and exit locations of the action and T is a transition formula.

• A path π of a program is a sequence of transitions of the form (l0,T0,l1),…,(ln-1,Tn-1,ln).– The unfolding U(π) of path π is the sequence of formulas:

T0(0),T1(1),…,Tn-1(n-1)

– A path π is feasible when ΛU(π) is consistent.

Example

do{ lock(); old = new; if(*){ unlock(); new++; }} while (new != old);

program fragment

L=0

L=1; old=new

[L!=0]

L=0; new++

[new==old]

[new!=old]

control-flow graph

ΛU(π) = L=0 Λ L’=1 Λ old’=new Λ T Λ new = old’

ΛU(π) = L=0 Λ L’=1 Λ old’=new Λ L’’=0 Λ new’ = new + 1 Λ new’ != old’ Λ L’’ != 0

Modeling Programs (3)

• A program is said to be safe if every error path of the program is infeasible.

• An inductive invariant of a program is a map F:λL(S) such that:– F(li) = TRUE

– For every action (l,T,m) in Δ, F(l)/\T implies F(m)’.

• A safety invariant of a program is an inductive invariant such that F(lf) = FALSE.– Existence of a safety invariant of a program implies that the

program is safe.

Program Unwinding

• An unwinding of a program A = (λ, Δ, li,lf) is a quadruple (V,E,Mv,Me), where (V,E) is a directed tree rooted at ε, Mv:V λ is the vertex map, and Me:E Δ is the edge map such that:– Mv(ε) = li– For every non-leaf vertex v in V, for every action (Mv(v),T,m) in

Δ, there exists an edge (v,w) in E such that Mv(w) = m and Me(v,w) = T

• For two vertices v and w of a tree, w < v denotes that w is a proper ancestor of v.

Unwinding the CFG

• An unwinding is a tree with an embedding in the CFG

L=0

L=1; old=new

[L!=0]

L=0; new++

[new==old]

[new!=old]

8

0

12

3

4

L=0

L=1;old=new

[L!=0]

L=0; new++

Mv

Me

Expansion

• Every non-leaf vertex of the unwinding must be fully expanded...

L=00

1

L=0

Mv

Me

If this is not a leaf...

...and this exists... ...then this exists.

...but we allow unexpanded leaves (i.e., we are building afinite prefix of the infinite unwinding)

Program Unwinding (2)

• A labeled unwinding of a program A = (λ, Δ, li,lf) is a triple (U,ψ,C) where– U = (V,E,Mv,Me) is an unwinding of A

– Ψ:VL(S) is called the vertex labeling, and– C is a relation in V x V and is called the covering relation

• A vertex v is said to be covered iff there exists (w,x) in C such that w≤v.

• Unwinding is said to be safe iff for all vertices v in V, Mv(v)=lf implies Ψ(v) ≡ FALSE.

• Unwinding is said to be complete iff every leaf v in V is covered.

Labeled unwinding

• A labeled unwinding is equipped with:– a labeling function : V L(S)

– a covering relation C in V x V

0

12

3

4

5

L=0

L=1;old=new

[L!=0]

L=0; new++

[new!=old]

6[L!=0]

7

[new==old]

T

F L=0

F L=0

L=0

T

T

These two nodes are covered.

(have a ancestor at the tail of a covering arc)

...

...

Program Unwinding (3)

• A labeled unwinding (U,ψ,C) of a program A = (λ, Δ, li,lf) where U = (V,E,Mv,Me), is said to be well-labeled iff:– Ψ(ε) ≡ TRUE, and

– For every edge (v,w) in E, Ψ(v) Λ Me(v,w) implies Ψ(w)’, and

– For all (v,w) in C, Ψ(v) => Ψ(w), and w is not covered

• Main Theorem: If there exists a safe, complete, well-labeled unwinding of program A, then A is safe.

Well-Labeled Unwinding• An unwinding is well-labeled when...

– () = True– every edge is a valid Hoare triple– if (x,y) in C then y is not covered

0

12

3

4

5

L=0

L=1;old=new

[L!=0]

L=0; new++

[new!=old]

6[L!=0]

7

[new==old]

T

F L=0

F L=0

L=0

T

T

Safe and Completesafe if every error vertex is labeled False

complete if every non-terminal leaf is covered

T

10[L!=0]

T

9

[new!=old]

T

8

T

0

12

3

4

5

L=0

L=1;old=new

[L!=0]

L=0; new++

[new!=old]

F L=0

6[L!=0]F L=0

L=0

7

[new==old]

T

old=new

F

old=new

F

T

... ...

Theorem: A CFG with a safe complete unwinding is safe.

9T

Why a Covered Vertex Cannot Cover?• y covers x, w covers v y is covered

(v≤y)– Ψ(x) Ψ(y)

• Every state reachable from x is reachable from y.

– Ψ(v) Ψ(w)• Every state reachable from v is reachable from

w.

• Any state reachable from y should be reachable from w through its descendent z.

• NOT every state reachable from x is also reachable from z.

• z is the only vertex that is not covered.

vw

z y xTT

pp

p

Proof (Main Theorem)• Let U’ be the set of uncovered vertices, and let function

M map location l to \/{ψ(v) | Mv(v) = l, v in U’}

• Let’s show that M is a safety invariant for A:– M(li) = TRUE – Given by the definition well-labeled unwinding

– M(lf) = FALSE – The unwinding is safe.

Proof (2)• Let (l,T,m) be an action:

– For every v in U’ Mv(v) ≠ l M(l) = FALSE M(l) ΛT implies M(m)’

– There is a v in U’ such that Mv(l) = v.

• Let us assume that there is an action (l,T,m) such that M(l) ΛT does not imply M(m)’. For every w in V such that Mv(w) = m, w is covered.

• Let (v,w) be an edge in E. We know: ψ(v) ΛT implies ψ(w)’.

• Let u be the covering vertex of w. Then, ψ(w) ψ(u) and u is NOT covered.

• By adding the assumption that if u covers w then Mv(u) = Mv(w) we get a contradiction. (ψ(v) ΛT implies ψ(u)’ M(l) Λ T implies M(m)’)

Predicate Abstraction

• Predicates are defined over system states– X = Y; counter < 100; etc.– Keeps track of certain predicates on data.– Captures relationship between variables.

• States satisfying the same predicate are equivalent in the abstract model. Merged into the same abstract state.

• Abstract state space is always finite.

Predicate Abstraction (2)

• Calculating strongest post-condition over the given set of predicates.

• Abstract post computation is very expansive. – For N predicates there are possibly 2^2N transitions

• Information computed about predicates may be irrelevant.

PA with CEGAR Loop

Model checkabstraction M’

Choose initial M’

Can extend Cexfrom M’ to M?

Add predicatesto M’

true, done

Cex

yes, Cex

no

• Choose predicates to refute cex's– Generalizes failures

• Still performs expensive deduction without justification– strongest Boolean post-condition

• Fails to learn from past– Start fresh each iteration– Forgets expensive deductions

Lazy Predicate Abstraction

• Unwind the program CFG into a tree– Refine paths as needed to refute errors

ERR!

x=y

x=y

y=0

Add predicates along pathto allow refutation of error

• Refinement is local to an error path• Search continues after refinement

– Do not start fresh -- no big CEGAR loop

• Previously useful predicates applied to new vertices

Lazy Predicate Abstraction (2)• Procedure Expand (v in V)

if v is uncovered leaf thenfor all actions (Mv(v),T,m) in Δ

add a new vertex w to V and a new edge (v,w) to E;Mv(w) = m and ψ(w) = postPA(ψ(v),T)Me(v,w) = T

• Procedure Refine (v in V)if Mv(v) = lf and ψ(v) != FALSE then

let π = (v0,T0,v1)…(vn-1,Tn-1,vn) be the unique path from ε to v.pivot = BackwardCexAnalysis(v, π);if pivot != NULL then

AddNewPredicates(pivot);

else abort (program is unsafe)• Procedure Cover (v,w in V)

if v is uncovered and Mv(v) = Mv(w) and ((v ≤ w)=FALSE) thenif ψ(v) ψ(w) then

add(v,w) to Cdelete all (x,y) in C, s.t. v≤y

Example - Lazy PA

• Error is hit – check if the path is feasible– Backwards CEX analysis (weakest precondition)

• Refinement…

L=0

L=1; old=new

[L!=0]

L=0; new++

[new==old]

[new!=old]

control-flow graph

T

L=0

L=1

L=1

L=1

0

12

3

4

5

L=0

L=1;old=new

[L!=0]

[new!=old]

6[L!=0]

F

L=1

{L=1}

{L=1 /\ new != old}

{L=1 /\ new != old}

{L=0 /\ new != new}

Pivot

Example (2) - Refinement

• A theorem prover is used to do the emptiness check at pivot point.– Path: L’=1 Λ old’=new Λ T Λ

new != old’ Λ L’!=0– R: L=0– Formula: R Λ Path– The result is UnSAT– The reason: old’=new, new!

=old’

• Add the predicate old=new

T

L=0

L=1

L=1

L=1

0

12

3

4

5

L=0

L=1;old=new

[L!=0]

[new!=old]

6[L!=0]

F

L=1

{L=1}

{L=1} /\ new != old

{L=1} /\ new != old

{L=0} /\ new != new

Pivot

Example (3) - MC

F L=0

F

L=0 Λ old!=new

L=1 Λ old=new

F

L=1 Λ old=new

F

T

L=1 Λ old=new

L=0 Λ old!=new

0

12

3

4

5

L=0

L=1;old=new

[L!=0]

L=0; new++

[new!=old]

6[L!=0]

7

[new==old]

... ...

9 10[L!=0]

[new!=old]8

9

F

L=0

L=1; old=new

[L!=0]

L=0; new++

[new==old]

[new!=old]

control-flow graph

LA – Is It Really That Good?

• Predicates are being stored locally according to their relevance to the program location.– Computation of post-condition transformer is less expansive.– Still, computing the strongest post-condition transformer.

• The refinement is local.• No fresh restart after refinement is being done

– Part of the information computed is being used

• LA spends most of its time in predicate image operation.

• The solution…

Interpolants from Proofs

• Given a pair of formulas (A,B) such that A /\ B is inconsistent, an interpolant for (A,B) is a formula Ā with the following properties:– A implies Ā,– Ā /\ B is unsatisfiable, and– Ā is in L(A) ∩ L(B)

• Interpolant always exists for inconsistent formulas in FOL (Craig’s lemma)

Interpolants for Sequences

• We want to handle program paths, therefore a generalization of interpolant is needed.

• Given a sequence of formulas Γ = A1,A2,…,An, we say that Ā 0, Ā 1,…, Ā n is in an interpolant for Γ when:

– Ā 0 = TRUE and Ā n = FALSE,

– For all 1≤i≤n, Ā i-1/\ Ai implies Ā i, and

– For all 1≤i≤n, Ā i is in L(A1,…,Ai)∩L(Ai+1,…,An)

• If Γ is quantifier-free we can derive a quantifier-free interpolant for Γ (from the refutation of Γ )

Interpolants for Sequences (2)

A1 A2 A3 Ak...

Ā1 Ā2 Ā3 Āk-1...True False

• An intuition…

• So this is a structured refutation of A1,…,Ak

Interpolants as Floyd-Hoare proofs

False

x1=y0

True

y1>x1

1. Each formula implies the next

2. Each is over common symbols of prefix and suffix

3. Begins with true, ends with false

Path refinement procedure

SSAsequence Prover

Interpolation

PathRefinement

proof structuredproof

x=y;

y++;

[x=y]

x1= y0

y1=y0+1

x1y1

Lazy PA with Interpolants (2)• Procedure Expand (v in V)

if v is uncovered leaf thenfor all actions (Mv(v),T,m) in Δ

add a new vertex w to V and a new edge (v,w) to E;Mv(w) = m and ψ(w) = T;Me(v,w) = T;

• Procedure Refine (v in V)if Mv(v) = lf and ψ(v) != FALSE then

let π = (v0,T0,v1)…(vn-1,Tn-1,vn) be the unique path from ε to v.if U(π) has an interpolant A’0,…,A’n then

for i=0…n:let Φ = A’i(-i)if ψ does not imply Φ then remove all pairs ( ,vi) from C set ψ(vi) = ψ(vi)Λ Φ

The Example

do{ lock(); old = new; if(*){ unlock(); new++; }} while (new != old);

program fragment

L=0

L=1; old=new

[L!=0]

L=0; new++

[new==old]

[new!=old]

control-flow graph

• Property: lock() is not called if the lock is already being held.

1

L=0

T2

[L!=0]T

Unwinding the CFG

L=0

L=1; old=new

[L!=0]

L=0; new++

[new==old]

[new!=old]

control-flow graph

0T

F L=0

Label error state with false, by refining labels on path

6[L!=0]T

5

[new!=old]

T

4

L=0; new++

T

3

L=1;old=new

T

Unwinding the CFG

L=0

L=1; old=new

[L!=0]

L=0; new++

[new==old]

[new!=old]

control-flow graph

0

12

L=0

[L!=0]F L=0

T

Covering: state 5 is subsumed bystate 1.

F L=0

L=0

old=new

old=new

11[L!=0]

T

10

[new!=old]

T

8

T

Unwinding the CFG

L=0

L=1; old=new

[L!=0]

L=0; new++

[new==old]

[new!=old]

control-flow graph

0

12

3

4

5

L=0

L=1;old=new

[L!=0]

L=0; new++

[new!=old]

F L=0

6[L!=0]F L=0

L=0

7

[new==old]

T

old=new

F

old=new

F

T

Another cover. Unwinding is now complete.

9T

Covering Step

• If (x) (y)...– add covering arc (x, y) to C– remove all (z, w) in C for w descendant of y

x≤y x=y

X

We restrict covers to be descending in a suitable total order on vertices.This prevents covering from diverging.

Covering Step (2)

• Covering one vertex may result in uncovering others.– Applying covering non-deterministically may not terminate.

• A total order is defined ◄ on the vertices.– Respects the ancestor relation.

• v ≤ w v ◄ w

• Can be defined by a preorder traversal of the tree.• Cover is only applied to (v,w) if w ◄ v.

– If by adding (v,w) we remove (x,y) where v ≤ y. By transitivity we get v ◄ x.

– Covering a vertex v can result in uncovering vertices greater then v.

• Therefore, we cannot apply covering infinitely.

Refinement Step

• Label an error vertex False by refining the path to that vertex with an interpolant for that path.• By refining with interpolants, we avoid predicate image computation.

T

T

TT

T

T

T

x = 0

[x=y] [xy]

y++

[y=0]

y=2

x=0

y=0

y0

F

X

Refinement may remove covers

The Complete Algorithm

• A vertex v is said to be closed if either it is covered or no covering arc (v,w) can be added to C (while maintaining well-labeledness).– Procedure Close(v in V)

For all w in V s.t. w ◄ v and Mv(v) = Mv(w):Cover(v,w)

– Procedure DFS(v in V)Close(v)if v is uncovered then

if Mv(v) = lf then Refine(v); for all w ≤ v: Close(w) Expand(v); for all children w of v: DFS(w)

The Complete Algorithm (2)

• Procedure Unwind()V = {ε}, E = Φ, ψ(ε) = True, C = ΦWhile there exists an uncovered leaf v in V:

for all w in V s.t. w ≤ v: Close(w);DFS(v);

• Theorem: If procedure Unwind terminates without aborting on a program A, then A is safe.– Proof: Expand, Refine and Cover alter the unwinding and all

preserve well-labeledness, the resulting unwinding is well-labeled.

– All vertices are refined The unwinding is safe– Terminates when there are no more uncovered leaves

Complete.

Something about Interpolant

• A(X,Y) Λ B(Y,Z) ≡ FALSE– There exists I(Y) such that

• A(X,Y) I(Y)• I(Y) Λ B(Y,Z) ≡ FALSE

• The “best” interpolant:– –

• Interpolantion is an Existential Quantification

)),()(()( YXAXYI )),()((),( YXAXYXA

TRUEYXBYXATRUEZYBYXAX ),(),(),()),()((