
Synthesizing Safe Bit-Precise Invariants

Synthesizing Safe Bit-Precise Invariants. Arie Gurfinkel (SEI / CMU), Anton Belov (UCD / Synopsys), Joao Marques-Silva (UCD).

Presentation Transcript


  1. Synthesizing Safe Bit-Precise Invariants Arie Gurfinkel (SEI / CMU) Anton Belov (UCD / Synopsys) Joao Marques-Silva (UCD)

  2. Inductive Invariants: Turing / Floyd / Hoare. A. M. Turing, Checking a Large Routine. In Report of a Conference on High Speed Automatic Calculating Machines, (1949).

  3. Programs, Cexs, Invariants (Inductive, Safe). A program P = (V, Init, Tr, Bad). P is UNSAFE if and only if there exists a number N s.t. [condition omitted on the slide]. P is SAFE if and only if there exists a safe inductive invariant Inv s.t. [condition omitted on the slide].

  4. Many conferences, techniques, tools …

  5. But Bit-Precise Verification is Hard
     • Bounded Model Checking
       • CBMC, Boolector, LLBMC, ESBMC, …
       • efficient discovery of counter-examples
       • no invariants!
     • Propositional Verification (Hardware)
       • Interpolation, IC3, PDR, ABC, …
       • efficient synthesis of propositional invariants
       • does not scale to bit-precise verification of software
     • Linear Arithmetic Verification (Software)
       • Impact, UFO, CPAChecker, Duality, Blast, GPDR, …
       • efficient synthesis of arithmetic invariants
       • not bit-precise (not sound!)
       • is often sufficient (e.g., UFO at SV-COMP’13 and ’14)

  6. But aren’t bit-vectors = bit-blasting?

  7. Typical Bit-vector Decision Procedure (B2P). B2P is satisfiability preserving (only!). Bit-blasting (by itself) is not efficient.

  8. Safety Verification by Bit-Blasting: Bit-blast → propositional verifier → Verify. Correct, but does not scale.

  9. Safety Verification by B2P: B2P → Verify → True.
     • Efficient, but…
     • B2P only preserves satisfiability
     • Original circuit is reduced (abstracted) too much
     • Hard to track correspondence between input and output

  10. Bit-blasting loses all structure! Lack of structure makes it difficult to generalize.

  11. Our Key Idea: Use a Generate and Check Algorithm. Given an input program P with a safety property Bad:
     • Generate a candidate invariant Cand by verifying Bad on a “simpler” approximation Psimple of P
     • Compute the Maximal Inductive Subset Inv of Cand relative to P using bit-precise reasoning
     • Strengthen Inv using a bit-precise (but possibly slow) verification engine until Inv excludes Bad

  12. Misper in a Nutshell (flow diagram): Program P + Property → Approximate (unsound) → Program PLA → LA Verifier → either No + Cex (needs validation) or Candidate CLA → Adapt using MIS → Invariant IBIT → BIT Verifier → either Yes + Certificate CBIT (sound) or No + Cex. Adapt unsound arithmetic reasoning to guess bit-precise invariants.

  13. Approximate Bit-Vectors by Arithmetic: (Bit-vector, Bool) → Approximate → (Arithmetic, Bool). Ignore (i.e., over-approximate) all bit-vector-specific operations. Unsound, but simple and efficient.

  14. Maximal Inductive Subset. Cormac Flanagan, K. Rustan M. Leino: Houdini, an Annotation Assistant for ESC/Java. FME 2001: 500-517.
     • Let L be a set of formulas, P = (V, Init, Tr, Bad) a program
     • A subset X of L is a maximal inductive subset iff it is the largest subset of L such that [condition omitted on the slide]
     • A Maximal Inductive Subset is unique
       • inductive invariants are closed under conjunction
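A constructed illustration of the generate-and-check idea (slides 11 and 14), not Misper's own code: candidate lemmas that a linear-arithmetic verifier might guess are pruned to their maximal inductive subset by a Houdini-style loop, with a brute-force check over a 4-bit state space standing in for the bit-precise SAT/MUS calls. The program, lemmas and bit-width are assumptions chosen so that one candidate (`x >= 0`) is inductive over unbounded integers but not under wraparound.

```python
# Constructed example (not Misper's code): Houdini-style maximal inductive
# subset (MIS) of candidate lemmas, checked bit-precisely by enumerating a
# 4-bit signed state space instead of calling a SAT solver.
BITS = 4
MASK = (1 << BITS) - 1


def wrap(v):
    """Reinterpret an integer as a BITS-wide two's-complement value."""
    v &= MASK
    return v - (1 << BITS) if v >> (BITS - 1) else v


# All reachable-or-not states of the single 4-bit variable x: -8 .. 7
STATES = list(range(-(1 << (BITS - 1)), 1 << (BITS - 1)))

# Assumed program P = (V, Init, Tr, Bad) over one variable x.
def init(x):
    return x == 0

def tr(x):
    # x := x + 2 while x <= 6; in unbounded arithmetic x stays >= 0,
    # but bit-precisely 6 + 2 wraps to -8.
    return wrap(x + 2) if x <= 6 else x

def bad(x):
    return x == 1

# Candidate lemmas an arithmetic (unsound) verifier might produce.
CANDIDATES = {
    "x >= 0": lambda x: x >= 0,
    "x <= 8": lambda x: x <= 8,
    "x even": lambda x: x % 2 == 0,
}

def holds(lemmas, x):
    return all(CANDIDATES[n](x) for n in lemmas)

def max_inductive_subset(cands):
    """Drop lemmas until the remaining conjunction is inductive (Houdini)."""
    cur = set(cands)
    changed = True
    while changed:
        changed = False
        for name in sorted(cur):
            f = CANDIDATES[name]
            init_fails = any(init(x) and not f(x) for x in STATES)
            step_fails = any(holds(cur, x) and not f(tr(x)) for x in STATES)
            if init_fails or step_fails:
                cur.remove(name)   # the MIS is unique, so order does not matter
                changed = True
                break
    return cur

def is_safe(inv):
    """Inv is safe if no state satisfying Inv is a Bad state."""
    return all(not bad(x) for x in STATES if holds(inv, x))
```

Here `x >= 0` is discarded because the step 6 → -8 violates it bit-precisely, and the surviving subset {`x <= 8`, `x even`} already rules out `Bad`, so no further strengthening step is needed.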

  15. Minimal Unsatisfiable Subset. Let φ be a formula and A = {a1, …, an} be atomic propositions occurring negatively in φ. Assume φ ∧ a1 ∧ … ∧ an is UNSAT. A minimal unsatisfiable subset (MUS) of φ is the smallest subset X ⊆ A such that φ ∧ X is UNSAT. There are efficient algorithms for computing a MUS (a.k.a. UNSAT core) for propositional formulas.

  16. Solving MIS via MUS (diagram): introduce fresh propositional variables; one call to incremental SAT, then a MUS extraction, then incremental SAT again. Reduce MIS to multiple calls to MUS.

  17. Var-Equivalence. Let A and B be two formulas. Let X be a subset of the propositional variables of A and B. Definition: A and B are var-equivalent relative to X if and only if for any satisfying assignment τ of X, A|τ and B|τ are equisatisfiable. Claim: B2P(φ) is var-equivalent to φ relative to X = {post_i, pre_i}.

  18. Implementation
     • Misper is implemented in Python and relies on many external tools
     • LLVM for handling C
     • UFO-MUZ for LA invariants
     • Boolector for B2P
     • MUSer2 for the MUS step in MIS
     • Z3 for SMT and HORN

  19. Results Summary
     • 214 SAFE benchmarks from SV-COMP’2013
       • includes all non-trivial SAFE benchmarks
     • All times are in seconds

  20. Detailed Results (16 bits)

  21. FrankenBit: Bit-Precise Verification w/ Many Bits. http://sv-comp.sosy-lab.org/2014/results/index.php. Misper to synthesize bit-precise invariants; LLBMC to search for counterexamples. Silver and Bronze medals at SV-COMP 2014.

  22. Related Work
     • Cormac Flanagan, K. Rustan M. Leino: Houdini, an Annotation Assistant for ESC/Java. FME 2001.
       • (the first?) algorithm for computing Maximal Inductive Subset
     • Randal E. Bryant, Daniel Kroening, Joël Ouaknine, Sanjit A. Seshia, Ofer Strichman, Bryan A. Brady: Deciding Bit-Vector Arithmetic with Abstraction. TACAS 2007.
       • sound under-approximation of bit-vector formulas by shrinking bit-width
     • Alberto Griggio: Effective word-level interpolation for software verification. FMCAD 2011.
       • mostly sound over-approximation of bit-vector formulas by arithmetic
       • but, also uses unsound approximation followed by a sound check

  23. Conclusion
     • Sound reasoning from unsound approximations
       • Use Linear Arithmetic to guess good invariants
       • Use efficient bit-vector decision procedures to validate invariants
       • Use an efficient propositional Minimal Unsatisfiable Subset extractor to find the Maximal Inductive Subset
       • Use inefficient bit-precise reasoning to complete the proof
     • Works well on SV-COMP (non bit-vector specific) benchmarks
       • probably because the properties are mostly bit-vector agnostic
       • e.g., API usage in Linux Device Drivers
     • Integrated in FrankenBit: http://arieg.bitbucket.org/fbit

  24. Future Work
     • We have just scratched the surface…
     • CounterExample Guided Approximation-Refinement Loop
       • block a counterexample by partial bit-blasting
       • partially embed bit-vectors into integer arithmetic
     • Better approximations
       • such as in related work, e.g., Griggio, and Bryant et al.
     • Adapt lemmas
       • account for bit-width, overflow, and upper bound
       • e.g., replace x > 0 with x > 0 & x <= INT_MAX
     • Tighter integration with fixedpoint solver

  25. Questions?

  26. Contact Information