Synthesizing Safe Bit-Precise Invariants

Post on 24-Feb-2016


DESCRIPTION

Synthesizing Safe Bit-Precise Invariants. Arie Gurfinkel (SEI / CMU), Anton Belov (UCD / Synopsys), Joao Marques-Silva (UCD). PowerPoint presentation, transcribed below.

TRANSCRIPT

© 2014 Carnegie Mellon University

Synthesizing Safe Bit-Precise Invariants

Arie Gurfinkel (SEI / CMU)
Anton Belov (UCD / Synopsys)
Joao Marques-Silva (UCD)

Slide 3. Synthesizing Safe Bit-Precise Invariants. Gurfinkel, Belov, Marques-Silva. © 2014 Carnegie Mellon University

Inductive Invariants: Turing / Floyd / Hoare

A. M. Turing, Checking a Large Routine. In Report of a Conference on High Speed Automatic Calculating Machines, (1949).


Programs, Cexs, Invariants

A program is a tuple P = (V, Init, Tr, Bad): variables, initial states, transition relation, and bad states.

P is UNSAFE if and only if there exists a number N such that some state in Bad is reachable from Init in N steps of Tr (a counterexample of length N).

P is SAFE if and only if there exists a safe inductive invariant Inv, i.e., a set of states Inv that is

Inductive: Init is contained in Inv, and every Tr-successor of a state in Inv is again in Inv

Safe: Inv and Bad share no state


Many conferences, techniques, tools …


But Bit-Precise Verification is Hard

Bounded Model Checking
• CBMC, Boolector, LLBMC, ESBMC, …
• efficient discovery of counter-examples
• no invariants!

Propositional Verification (Hardware)
• Interpolation, IC3, PDR, ABC, …
• efficient synthesis of propositional invariants
• does not scale to bit-precise verification of software

Linear Arithmetic Verification (Software)
• Impact, UFO, CPAChecker, Duality, Blast, GPDR, …
• efficient synthesis of arithmetic invariants
• not bit-precise (not sound!): it reasons over unbounded integers, so overflow and wrap-around behaviour of machine arithmetic is not modelled
• is often sufficient (e.g., UFO at SV-COMP'13 and '14)


But aren't bit-vectors = bit-blasting?


Typical Bit-vector Decision Procedure

[diagram: pipeline Simplify → Bit-blast → SAT, with the bit-vector-to-propositional translation labelled B2P]

B2P is satisfiability preserving (only!)

Bit-blast (by itself) is not efficient


Safety Verification by Bit-Blasting

[diagram: Bit-blast → Verify, where Verify is a propositional verifier]

Correct, but does not scale


Safety Verification by B2P

[diagram: B2P → Verify → True]

Efficient, but…
• B2P only preserves satisfiability
• Original circuit is reduced (abstracted) too much
• Hard to track correspondence between input and output


Bit-blasting loses all structure!

Lack of structure makes it difficult to generalize


Our Key Idea: Use Generate and Check Alg.

Given an input program P with a safety property Bad

1. Generate a candidate invariant Cand by verifying Bad on a "simpler" approximation P_simple of P

2. Compute the Maximal Inductive Subset Inv of Cand relative to P using bit-precise reasoning

3. Strengthen Inv using a bit-precise (but possibly slow) verification engine until Inv is safe, i.e., until Inv excludes every Bad state


MISPER in a Nutshell

Adapt unsound arithmetic reasoning to guess bit-precise invariants

[diagram: Program P + Property → Approximate → Program P_LA → LA Verifier → Candidate C_LA (needs validation) → Adapt using MIS → BIT Verifier → Invariant I_BIT → either Yes + Certificate C_BIT or No + Cex (sound). The LA Verifier's own No + Cex answer is marked unsound.]


Approximate Bit-Vectors by Arithmetic

Ignore (i.e., over-approximate) all bit-vector-specific operations. Unsound, but simple and efficient.

[diagram: Bit-vector / Bool → Approximate → Arithmetic / Bool]


Maximal Inductive Subset

Let L be a set of formulas and P = (V, Init, Tr, Bad) a program. A subset X of L is a maximal inductive subset iff it is the largest subset of L whose conjunction is an inductive invariant of P (it holds in Init and is preserved by Tr).

A Maximal Inductive Subset is unique
• inductive invariants are closed under conjunction, so the union of any two inductive subsets of L is again inductive

Cormac Flanagan, K. Rustan M. Leino: Houdini, an Annotation Assistant for ESC/Java. FME 2001: 500-517
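The generate-and-check algorithm above and the Maximal Inductive Subset definition can be run end to end on a small program. The following is an added example, not the authors' Misper implementation: it constructs an 8-bit counter loop, a set of candidate lemmas of the kind a linear-arithmetic engine would guess over unbounded integers, and computes the MIS with the Houdini iteration by brute-force enumeration of the 8-bit state space in place of the SAT/MUS machinery the slides describe. The program, the lemmas, the bit width and every function name are assumptions of the example.

```python
"""Houdini-style Maximal Inductive Subset (MIS) on a bit-precise program.

Added example, not the authors' Misper code.  The program, the candidate
lemmas, the 8-bit width and every name below are constructed for
illustration.  Checks are brute-force over the 8-bit state space instead
of the SAT/MUS machinery of the slides; the algorithm is the point.
"""
from itertools import product

BITS = 8
MASK = (1 << BITS) - 1
LIMIT = 150          # loop bound of the constructed program

# Program P = (V, Init, Tr, Bad), V = {x, y}, both unsigned 8-bit.
# Constructed to model:  x = y = 0; while (x < 150) { x++; y += 2; }
def init(s):
    return s == (0, 0)

def tr(s):
    """Single successor under wrap-around (bit-precise) semantics."""
    x, y = s
    if x < LIMIT:
        return ((x + 1) & MASK, (y + 2) & MASK)
    return s                              # loop exited: state stutters

def bad(s):
    return s[0] > LIMIT                   # property: x never exceeds 150

# Candidate lemmas as a linear-arithmetic engine would guess them on the
# unbounded-integer approximation of P; evaluated here with 8-bit semantics.
CANDIDATES = {
    "x <= 150": lambda s: s[0] <= LIMIT,
    "y == 2*x": lambda s: s[1] == ((2 * s[0]) & MASK),
    "y >= x":   lambda s: s[1] >= s[0],   # valid over Z, broken once y wraps
}

STATES = list(product(range(1 << BITS), repeat=2))
INIT_STATES = [s for s in STATES if init(s)]

def holds(lemmas, s):
    """Conjunction of the named lemmas, evaluated in state s."""
    return all(CANDIDATES[name](s) for name in lemmas)

def maximal_inductive_subset(cands):
    """Houdini loop: drop every lemma that fails on Init or is not
    preserved by Tr from some state satisfying the remaining lemmas;
    repeat until nothing changes.  Dropping only ever enlarges the set
    of states to check, so the fixpoint is the unique MIS."""
    inv = set(cands)
    changed = True
    while changed:
        changed = False
        for s in INIT_STATES:                      # initiation
            failing = {n for n in inv if not CANDIDATES[n](s)}
            if failing:
                inv -= failing
                changed = True
        for s in STATES:                           # consecution
            if holds(inv, s):
                failing = {n for n in inv if not CANDIDATES[n](tr(s))}
                if failing:
                    inv -= failing
                    changed = True
    return frozenset(inv)

def is_safe(inv):
    """Inv certifies P iff no state satisfies both Inv and Bad."""
    return not any(holds(inv, s) and bad(s) for s in STATES)

def run():
    mis = maximal_inductive_subset(CANDIDATES)
    return mis, is_safe(mis)

if __name__ == "__main__":
    mis, safe = run()
    print("maximal inductive subset:", sorted(mis))
    print("safe:", safe)
```

The lemma y >= x is a valid invariant over the integers but is dropped by the consecution check: the state (127, 254) satisfies all three lemmas and its successor (128, 0) violates it, because y wraps at 8 bits. The surviving subset {x <= 150, y == 2*x} is still strong enough to exclude Bad, so on this input step 3 of the algorithm (strengthening with a slow bit-precise engine) is not needed.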


Minimal Unsatisfiable Subset

Let a formula be given, and let A = {a1, …, an} be atomic propositions occurring negatively in it.

Assume the formula conjoined with a1 ∧ … ∧ an is UNSAT.

A minimal unsatisfiable subset (MUS) with respect to A is a subset X ⊆ A such that the formula conjoined with X is UNSAT, and no proper subset of X has this property.

There are efficient algorithms for computing MUS (a.k.a. minimal UNSAT core) for propositional formulas.


Solving MIS via MUS

Reduce MIS to multiple calls to MUS

[diagram: each candidate lemma is guarded by fresh propositional variables, one set for the pre-state copy and one for the post-state copy; B2P is called once, and the subsequent SAT and MUS queries run on an incremental SAT solver]
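The MUS definition above and the reduction of MIS to MUS calls both rest on the selector-atom encoding: each lemma is guarded by a fresh atom a_i that occurs only negatively, so asserting a_i switches the lemma on, and an MUS over the a_i names a minimal set of lemmas that is jointly unsatisfiable with the rest of the formula. The following is an added example, not from the slides or from MUSer2: it uses a small backtracking SAT check in place of an incremental solver and a deletion-based MUS extraction on a constructed CNF instance. The clause sets, the variable numbering and the function names are assumptions of the example.

```python
"""Deletion-based Minimal Unsatisfiable Subset (MUS) over selector atoms.

Added example, not from the slides or from MUSer2.  The CNF instance is
constructed here; `satisfiable` is a small backtracking SAT check standing
in for the incremental SAT solver a real MUS extractor would use.
Clauses follow the DIMACS convention: lists of non-zero ints, negative
meaning a negated literal.
"""

def satisfiable(clauses, assignment=None):
    """Unit propagation plus chronological backtracking."""
    if assignment is None:
        assignment = {}
    changed = True
    while changed:                       # unit propagation to a fixpoint
        changed = False
        for clause in clauses:
            unassigned, satisfied = [], False
            for lit in clause:
                val = assignment.get(abs(lit))
                if val is None:
                    unassigned.append(lit)
                elif val == (lit > 0):
                    satisfied = True
                    break
            if satisfied:
                continue
            if not unassigned:
                return False             # clause falsified: conflict
            if len(unassigned) == 1:
                assignment[abs(unassigned[0])] = unassigned[0] > 0
                changed = True
    for clause in clauses:               # branch on the first free variable
        for lit in clause:
            if abs(lit) not in assignment:
                return any(satisfiable(clauses, {**assignment, abs(lit): v})
                           for v in (True, False))
    return True                          # all assigned, no clause falsified


def deletion_mus(hard, soft):
    """Given hard ∧ soft UNSAT, return a minimal subset M of soft such
    that hard ∧ M is still UNSAT.  Each soft clause is tried once: if the
    formula becomes SAT without it, the clause is necessary and kept."""
    if satisfiable(hard + soft):
        raise ValueError("hard + soft must be UNSAT")
    mus = list(soft)
    i = 0
    while i < len(mus):
        trial = mus[:i] + mus[i + 1:]
        if satisfiable(hard + trial):
            i += 1                       # needed for unsatisfiability
        else:
            mus = trial                  # still UNSAT without it: drop
    return mus


def lemma_selectors_example():
    """Constructed instance in the slide's shape: three lemmas over
    variables p, q, r (1, 2, 3), each guarded by a selector atom a1..a3
    (4, 5, 6) that occurs only negatively in the hard clauses.
      a1: p        a2: not p        a3: q and (not q or r)
    Asserting all three selectors is UNSAT; the MUS names the culprits."""
    hard = [[-4, 1], [-5, -1], [-6, 2], [-6, -2, 3]]
    soft = [[4], [5], [6]]               # unit clauses: "switch lemma i on"
    return sorted(c[0] for c in deletion_mus(hard, soft))


if __name__ == "__main__":
    print("selectors in the MUS:", lemma_selectors_example())
```

Only a1 and a2 survive: lemma 3 is satisfiable together with either of the others, so dropping its selector keeps the formula UNSAT and the deletion loop removes it. In the MIS reduction the same query is posed with one selector per lemma in the pre-state and post-state copies of the transition relation, and a real extractor keeps the clause database loaded across the calls instead of re-solving from scratch as this toy does.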


Var-Equivalence

Let A and B be two formulas

Let X be a subset of the propositional variables of A and B

Definition: A and B are var-equivalent relative to X if and only if, for every assignment to the variables in X, the formulas obtained by substituting that assignment into A and into B are equisatisfiable

Claim

B2P applied to a formula is var-equivalent to the original formula relative to X = {post_i, pre_i}, the selector variables; this is what allows the MUS computation to run on the B2P output even though B2P preserves only satisfiability in general


Implementation

Misper is implemented in Python and relies on many external tools
• LLVM for handling C
• UFO-MUZ for LA invariants
• Boolector for B2P
• MUSer2 for MUS step in MIS
• Z3 for SMT and HORN


Results Summary

214 SAFE benchmarks from SV-COMP'2013
• includes all non-trivial SAFE benchmarks

All times are in seconds. #sol = number of instances solved; (avg/med) = average / median time. The "unsol" rows restrict to the instances that Z3/PDR did not solve at that bit width (98 = 214 - 116 at 32 bits, 49 = 214 - 165 at 16 bits). Cand counts instances where the linear-arithmetic candidate was already a bit-precise safe invariant, MIS those that needed the MIS step; Cand + MIS = Misper.

bit width  inst.  cnt  Z3/PDR #sol (avg/med)  Misper #sol (avg/med)  Cand #sol (avg/med)  MIS #sol (avg/med)
32         all    214  116 (127/8)            174 (28/0.4)           165 (8/0.4)          9 (392/134)
32         unsol   98  --                     58 (75/1)              52 (22/0.7)          6 (544/366)
16         all    214  165 (176/8)            182 (69/0.4)           165 (8/0.4)          17 (661/399)
16         unsol   49  --                     18 (624/376)           6 (50/21)            12 (911/1,094)


Detailed Results (16 bits)


FrankenBit: Bit-Precise Verification w/ Many Bits

MISPER to synthesize bit-precise invariants
LLBMC to search for counterexamples
Silver and Bronze medals at SV-COMP 2014

http://sv-comp.sosy-lab.org/2014/results/index.php


Related Work

Cormac Flanagan, K. Rustan M. Leino: Houdini, an Annotation Assistant for ESC/Java. FME 2001.
• (the first?) algorithm for computing Maximal Inductive Subset

Randal E. Bryant, Daniel Kroening, Joël Ouaknine, Sanjit A. Seshia, Ofer Strichman, Bryan A. Brady: Deciding Bit-Vector Arithmetic with Abstraction. TACAS 2007.
• sound under-approximation of bit-vector formulas by shrinking bit-width

Alberto Griggio: Effective word-level interpolation for software verification. FMCAD 2011.
• mostly sound over-approximation of bit-vector formulas by arithmetic
• but, also uses unsound approximation followed by a sound check


Conclusion

Sound reasoning from unsound approximations
• Use Linear Arithmetic to guess good invariants
• Use efficient bit-vector decision procedures to validate invariants
• Use efficient propositional Minimal Unsatisfiable Subset extractor to find Maximal Inductive Subset
• Use inefficient bit-precise reasoning to complete the proof

Works well on SV-COMP (non bit-vector specific) benchmarks
• probably because the properties are mostly bit-vector agnostic
• e.g., API usage in Linux Device Drivers

Integrated in FrankenBit: http://arieg.bitbucket.org/fbit


Future Work

We have just scratched the surface…

CounterExample Guided Approximation-Refinement Loop
• block a counterexample by partial bit-blasting
• partially embed bit-vectors into integer arithmetic

Better approximations
• such as in related work, e.g., Griggio, and Bryant et al.

Adapt lemmas
• account for bit-width, overflow, and upper bound
• e.g., replace x > 0 with x > 0 & x <= INT_MAX

Tighter integration with fixedpoint solver



Contact Information

Arie Gurfinkel
Senior Researcher
SEI / CMU
Telephone: +1 412-268-5800
Email: info@sei.cmu.edu

U.S. Mail
Software Engineering Institute
Customer Relations
4500 Fifth Avenue
Pittsburgh, PA 15213-2612
USA

Web
www.sei.cmu.edu
www.sei.cmu.edu/contact.cfm

Customer Relations
Email: info@sei.cmu.edu
Telephone: +1 412-268-5800
SEI Phone: +1 412-268-5800
SEI Fax: +1 412-268-6257
