![Page 1: Predicate Abstraction for Software Verification Shaz Qadeer Compaq Systems Research Center (joint work with Cormac Flanagan)](https://reader030.vdocuments.us/reader030/viewer/2022032521/56649d595503460f94a393bb/html5/thumbnails/1.jpg)
Predicate Abstraction for Software Verification
Shaz QadeerCompaq Systems Research Center
(joint work with Cormac Flanagan)
![Page 2: Predicate Abstraction for Software Verification Shaz Qadeer Compaq Systems Research Center (joint work with Cormac Flanagan)](https://reader030.vdocuments.us/reader030/viewer/2022032521/56649d595503460f94a393bb/html5/thumbnails/2.jpg)
Systems software
• OS components– file system, buffer cache manager
• Abstract from low-level to high-level operations– tedious low-level programming detail
• Expected to work – with multiple concurrent clients– in the presence of crashes
![Page 3: Predicate Abstraction for Software Verification Shaz Qadeer Compaq Systems Research Center (joint work with Cormac Flanagan)](https://reader030.vdocuments.us/reader030/viewer/2022032521/56649d595503460f94a393bb/html5/thumbnails/3.jpg)
Outline
• Background– verification condition– strongest postcondition– loop invariants
• Inferring loop invariants– predicate abstraction– universally-quantified invariants
• Frangipani • Related work
![Page 4: Predicate Abstraction for Software Verification Shaz Qadeer Compaq Systems Research Center (joint work with Cormac Flanagan)](https://reader030.vdocuments.us/reader030/viewer/2022032521/56649d595503460f94a393bb/html5/thumbnails/4.jpg)
Verification condition
x := a;if (x < b) { x := b;}assert x = max(a,b);
sp(P,true) x a x b
Program P
Check for validity:
![Page 5: Predicate Abstraction for Software Verification Shaz Qadeer Compaq Systems Research Center (joint work with Cormac Flanagan)](https://reader030.vdocuments.us/reader030/viewer/2022032521/56649d595503460f94a393bb/html5/thumbnails/5.jpg)
Statement S
x := e
A ; B
assume e
A B�
while {I} e do B end
Guarded command language (Dijkstra 76)
Variables have arbitrary values in program’s initial state
if e then A else B end
(assume e ; A)
(� assume e ; B)
![Page 6: Predicate Abstraction for Software Verification Shaz Qadeer Compaq Systems Research Center (joint work with Cormac Flanagan)](https://reader030.vdocuments.us/reader030/viewer/2022032521/56649d595503460f94a393bb/html5/thumbnails/6.jpg)
Strongest postcondition semantics
sp(S,Q)
y.(Q[xy] x=e[xy])
sp(B,sp(A,Q))
e Q
sp(A,Q) sp(B,Q)
Statement S
x := e
A ; B
assume e
A B�
Denote sp(S, true) by sp(S)
![Page 7: Predicate Abstraction for Software Verification Shaz Qadeer Compaq Systems Research Center (joint work with Cormac Flanagan)](https://reader030.vdocuments.us/reader030/viewer/2022032521/56649d595503460f94a393bb/html5/thumbnails/7.jpg)
Checking loop invariants
• Given loop
• Need to check– Invariant holds on entry to loop
• sp( C ) I
– Invariant holds at end of every iteration• sp( C; H; assume I e; B) I where H = havoc variables modified in B
C;
{I} while e do B end
![Page 8: Predicate Abstraction for Software Verification Shaz Qadeer Compaq Systems Research Center (joint work with Cormac Flanagan)](https://reader030.vdocuments.us/reader030/viewer/2022032521/56649d595503460f94a393bb/html5/thumbnails/8.jpg)
Desugaring loops
S = “while {I} e do B end”
H = havoc variables modified in Bdesugar(S) = assert I ; H ; assume I ; ( (assume e ; B; assert I; assume false) � assume e)
![Page 9: Predicate Abstraction for Software Verification Shaz Qadeer Compaq Systems Research Center (joint work with Cormac Flanagan)](https://reader030.vdocuments.us/reader030/viewer/2022032521/56649d595503460f94a393bb/html5/thumbnails/9.jpg)
Example
assume 0 < a.length; i := 0;
while (i < a.length) { a[i] := 0; i := i + 1;}
assert a[0] = 0;
{ int j; 0 <= j j < i a[j] = 0, 0<=i}
![Page 10: Predicate Abstraction for Software Verification Shaz Qadeer Compaq Systems Research Center (joint work with Cormac Flanagan)](https://reader030.vdocuments.us/reader030/viewer/2022032521/56649d595503460f94a393bb/html5/thumbnails/10.jpg)
Translationassume 0 < a.length; i := 0;assert int j; 0 <= j j < i a[j] = 0;assert 0 <= i; havoc a[*], i;assume int j; 0 <= j j < i a[j] = 0;assume 0 <= i; ( assume (i < a.length); a[i] := 0; i := i + 1; assert int j; 0 <= j j < i a[j] = 0; assert 0 <= i; assume false;)� assume (i < a.length)assert a[0] = 0;
![Page 11: Predicate Abstraction for Software Verification Shaz Qadeer Compaq Systems Research Center (joint work with Cormac Flanagan)](https://reader030.vdocuments.us/reader030/viewer/2022032521/56649d595503460f94a393bb/html5/thumbnails/11.jpg)
ESC/Java with loop invariants/*@ loop_invariant i >= 0; loop_invariant 0 <= spot; loop_invariant spot <= MAXDIRENTRY; loop_invariant (\forall int j; 0 <= j && j < i && bdisk[addr].dirEntries[j].inum != DIRENTRY_UNUSED ==>
bdisk[addr].dirEntries[j].name != name); loop_invariant (\forall int j; spot == MAXDIRENTRY && 0 <= j && j < i ==> bdisk[addr].dirEntries[j].inum != DIRENTRY_UNUSED);
loop_invariant spot == MAXDIRENTRY || bdisk[addr].dirEntries[spot].inum == DIRENTRY_UNUSED;
loop_invariant (\forall DirEntry t; t != de ==> t.name == \old(t.name)); loop_invariant (\forall DirEntry t; t != de ==> t.inum == \old(t.inum)); loop_invariant (\forall DirEntry t; t.inum == FS.DIRENTRY_UNUSED ||
(0 <= t.inum && t.inum < FS.IMAX));*/for (i = 0; i < cwd.inode.length; i++) { GetDirEntry(de, addr, i); if (de.inum != DIRENTRY_UNUSED && de.name == name) { return ERROR; } if (de.inum == DIRENTRY_UNUSED && spot == MAXDIRENTRY) { spot = i; }}
![Page 12: Predicate Abstraction for Software Verification Shaz Qadeer Compaq Systems Research Center (joint work with Cormac Flanagan)](https://reader030.vdocuments.us/reader030/viewer/2022032521/56649d595503460f94a393bb/html5/thumbnails/12.jpg)
Outline
• Background– verification condition– strongest postcondition– loop invariants
• Inferring loop invariants– predicate abstraction– universally-quantified invariants
• Frangipani• Related work
![Page 13: Predicate Abstraction for Software Verification Shaz Qadeer Compaq Systems Research Center (joint work with Cormac Flanagan)](https://reader030.vdocuments.us/reader030/viewer/2022032521/56649d595503460f94a393bb/html5/thumbnails/13.jpg)
Inferring loop invariants
• Could try
– I0 = sp( C )
– In+1 = In sp( C; H; assume In e; B)
•In is an invariant for first n iterations
• Problem: May not converge
C;
{I} while e do B end
![Page 14: Predicate Abstraction for Software Verification Shaz Qadeer Compaq Systems Research Center (joint work with Cormac Flanagan)](https://reader030.vdocuments.us/reader030/viewer/2022032521/56649d595503460f94a393bb/html5/thumbnails/14.jpg)
Divergence
State Space
I0 I1 I2 In... ...
![Page 15: Predicate Abstraction for Software Verification Shaz Qadeer Compaq Systems Research Center (joint work with Cormac Flanagan)](https://reader030.vdocuments.us/reader030/viewer/2022032521/56649d595503460f94a393bb/html5/thumbnails/15.jpg)
Predicate abstraction
• Invariant is boolean combination of predicates
• Split problem into two parts
1 Find a suitable set of predicates
2 Find the boolean combination of these predicates
![Page 16: Predicate Abstraction for Software Verification Shaz Qadeer Compaq Systems Research Center (joint work with Cormac Flanagan)](https://reader030.vdocuments.us/reader030/viewer/2022032521/56649d595503460f94a393bb/html5/thumbnails/16.jpg)
Predicate abstraction (contd.)
• Predicates over program variables– a = expr1, b = expr2, c = expr3, d = expr4
: boolean expression over {a,b,c,d} formula over program variables
:formula over program variables boolean expression over {a, b, c, d}
(F) = least boolean function G over {a,b,c,d} such that F (G)
![Page 17: Predicate Abstraction for Software Verification Shaz Qadeer Compaq Systems Research Center (joint work with Cormac Flanagan)](https://reader030.vdocuments.us/reader030/viewer/2022032521/56649d595503460f94a393bb/html5/thumbnails/17.jpg)
Abstract state space• Predicates {a, b, c, d}• They generate an abstract space of size 24 = 16
ab
ab
ab
ab
cd
cd
cd
cd
F
(F)
State Space
![Page 18: Predicate Abstraction for Software Verification Shaz Qadeer Compaq Systems Research Center (joint work with Cormac Flanagan)](https://reader030.vdocuments.us/reader030/viewer/2022032521/56649d595503460f94a393bb/html5/thumbnails/18.jpg)
Inferring loop invariants
• Compute
– I0 = (sp( C ))
– In+1 = In (sp( C; H; assume E (In); B))
• Converges yielding valid loop invariant
– Best loop invariant for the given predicates
![Page 19: Predicate Abstraction for Software Verification Shaz Qadeer Compaq Systems Research Center (joint work with Cormac Flanagan)](https://reader030.vdocuments.us/reader030/viewer/2022032521/56649d595503460f94a393bb/html5/thumbnails/19.jpg)
Method 1 (slow!)• Is F a b c d satisfiable? No!
• Can compute (F) by asking 2n such queries
ab
ab
ab
ab
cd
cd
cd
cd
F
(F)X X X X
X
X
XX
X
X X
![Page 20: Predicate Abstraction for Software Verification Shaz Qadeer Compaq Systems Research Center (joint work with Cormac Flanagan)](https://reader030.vdocuments.us/reader030/viewer/2022032521/56649d595503460f94a393bb/html5/thumbnails/20.jpg)
Method 2 (Das-Dill-Park 99)Order the variables: a < b < c < d a
b
c
Fa
Fab
Fabc
Fab
(F) ab
ab
ab
ab
cd
cd
cd
cd
F
X X X X
X
X
XX
X
X X
•O(2n+1) queries•Sensitive to ordering
![Page 21: Predicate Abstraction for Software Verification Shaz Qadeer Compaq Systems Research Center (joint work with Cormac Flanagan)](https://reader030.vdocuments.us/reader030/viewer/2022032521/56649d595503460f94a393bb/html5/thumbnails/21.jpg)
Method 3 (Shankar-Saidi 99)
•O(3n) queries•No ordering required
Queries of size 1: Fa, F a, Fb, etc.Number = nC121
Queries of size 2: Fab, Fab, etc.Number = nC222
Queries of size n: . . .Number = nCn2n
.
.
![Page 22: Predicate Abstraction for Software Verification Shaz Qadeer Compaq Systems Research Center (joint work with Cormac Flanagan)](https://reader030.vdocuments.us/reader030/viewer/2022032521/56649d595503460f94a393bb/html5/thumbnails/22.jpg)
New method• F a b c d ? No!
ab
ab
ab
ab
cd
cd
cd
cd
F
(F)X X X X
X
X
XX
X
X X
• F a c d ? No!• F c d ? No! • Removed 1/4 of state space in 3 queries!
= (c d) (a c) (a b) ( c d)
![Page 23: Predicate Abstraction for Software Verification Shaz Qadeer Compaq Systems Research Center (joint work with Cormac Flanagan)](https://reader030.vdocuments.us/reader030/viewer/2022032521/56649d595503460f94a393bb/html5/thumbnails/23.jpg)
Universally-quantified loop invariants
/*@ loop_invariant i >= 0; loop_invariant 0 <= spot; loop_invariant spot <= MAXDIRENTRY; loop_invariant (\forall int j; 0 <= j && j < i && bdisk[addr].dirEntries[j].inum != DIRENTRY_UNUSED ==>
bdisk[addr].dirEntries[j].name != name); loop_invariant (\forall int j; spot == MAXDIRENTRY && 0 <= j && j < i ==> bdisk[addr].dirEntries[j].inum != DIRENTRY_UNUSED);
loop_invariant spot == MAXDIRENTRY || bdisk[addr].dirEntries[spot].inum == DIRENTRY_UNUSED;
loop_invariant (\forall DirEntry t; t != de ==> t.name == \old(t.name)); loop_invariant (\forall DirEntry t; t != de ==> t.inum == \old(t.inum)); loop_invariant (\forall DirEntry t; t.inum == FS.DIRENTRY_UNUSED ||
(0 <= t.inum && t.inum < FS.IMAX));*/for (i = 0; i < cwd.inode.length; i++) { GetDirEntry(de, addr, i); if (de.inum != DIRENTRY_UNUSED && de.name == name) { return ERROR; } if (de.inum == DIRENTRY_UNUSED && spot == MAXDIRENTRY) { spot = i; }}
![Page 24: Predicate Abstraction for Software Verification Shaz Qadeer Compaq Systems Research Center (joint work with Cormac Flanagan)](https://reader030.vdocuments.us/reader030/viewer/2022032521/56649d595503460f94a393bb/html5/thumbnails/24.jpg)
Inferring -quantified loop invariants
assume 0 < a.length; i := 0;
/*@ loop_invariant 0 <= i, int j; 0 <= j j < i a[j] = 0 */while (i < a.length) { a[i] := 0; i := i + 1;}
assert a[0] = 0;
![Page 25: Predicate Abstraction for Software Verification Shaz Qadeer Compaq Systems Research Center (joint work with Cormac Flanagan)](https://reader030.vdocuments.us/reader030/viewer/2022032521/56649d595503460f94a393bb/html5/thumbnails/25.jpg)
Inferring -quantified loop invariants
assume 0 < a.length; i := 0;
/*@ loop_predicate 0 <= i, int j; 0 <= j j < i a[j] = 0 */while (i < a.length) { a[i] := 0; i := i + 1;}
assert a[0] = 0;
![Page 26: Predicate Abstraction for Software Verification Shaz Qadeer Compaq Systems Research Center (joint work with Cormac Flanagan)](https://reader030.vdocuments.us/reader030/viewer/2022032521/56649d595503460f94a393bb/html5/thumbnails/26.jpg)
Inferring -quantified loop invariants
assume 0 < a.length; i := 0;
/*@ skolem_constant int j *//*@ loop_predicate 0 <= i, 0 <= j, j < i, a[j] = 0 */while (i < a.length) { a[i] := 0; i := i + 1;}
assert a[0] = 0;
![Page 27: Predicate Abstraction for Software Verification Shaz Qadeer Compaq Systems Research Center (joint work with Cormac Flanagan)](https://reader030.vdocuments.us/reader030/viewer/2022032521/56649d595503460f94a393bb/html5/thumbnails/27.jpg)
Inferring -quantified loop invariants
I0 = (sp(i := 0))In+1 = In (sp(i := 0; havoc i, a[*]; assume In i < a.length; a[i] := 0; i := i+1))
/*@ loop_predicate 0 <= i, 0 <= j, j < i, a[j] = 0 */
TFTF TFTT TTFF TTFT I0
TTTT
I1
![Page 28: Predicate Abstraction for Software Verification Shaz Qadeer Compaq Systems Research Center (joint work with Cormac Flanagan)](https://reader030.vdocuments.us/reader030/viewer/2022032521/56649d595503460f94a393bb/html5/thumbnails/28.jpg)
Inferring -quantified loop invariants
/*@ loop_predicate 0 <= i, 0 <= j, j < i, a[j] = 0 */
TFTF TFTT TTFF TTFT
TTTT
I0
I1
0 i (0 j) (j < i) a[j] = 0 0 j j < i
![Page 29: Predicate Abstraction for Software Verification Shaz Qadeer Compaq Systems Research Center (joint work with Cormac Flanagan)](https://reader030.vdocuments.us/reader030/viewer/2022032521/56649d595503460f94a393bb/html5/thumbnails/29.jpg)
Inferring -quantified loop invariants
/*@ loop_predicate 0 <= i, 0 <= j, j < i, a[j] = 0 */
TFTF TFTT TTFF TTFT
TTTT
I0
I1
0 i int j; 0 j j < i a[j] = 0 int j; 0 j j < i
![Page 30: Predicate Abstraction for Software Verification Shaz Qadeer Compaq Systems Research Center (joint work with Cormac Flanagan)](https://reader030.vdocuments.us/reader030/viewer/2022032521/56649d595503460f94a393bb/html5/thumbnails/30.jpg)
Outline
• Background– verification condition– strongest postcondition– loop invariants
• Inferring loop invariants– predicate abstraction– universally-quantified invariants
• Frangipani• Related work
![Page 31: Predicate Abstraction for Software Verification Shaz Qadeer Compaq Systems Research Center (joint work with Cormac Flanagan)](https://reader030.vdocuments.us/reader030/viewer/2022032521/56649d595503460f94a393bb/html5/thumbnails/31.jpg)
Frangipani
• Distributed file system (Thekkath, Mann, Lee 1997)
• Built on top of Petal virtual disk (Lee, Thekkath 1996)
• Implements the file abstraction from the virtual disk block abstraction
• Exports file and directory operations - create, delete, rename etc. - to clients
![Page 32: Predicate Abstraction for Software Verification Shaz Qadeer Compaq Systems Research Center (joint work with Cormac Flanagan)](https://reader030.vdocuments.us/reader030/viewer/2022032521/56649d595503460f94a393bb/html5/thumbnails/32.jpg)
Verification
• Loop invariant inference built on top of ESC/Java (Detlefs, Leino, Nelson, Saxe 1998)
• ESC/Java uses automatic theorem prover Simplify (Nelson 81)
• Frangipani data structures and “create” modeled abstractly in Java
• Assume – single thread of execution – no crashes
![Page 33: Predicate Abstraction for Software Verification Shaz Qadeer Compaq Systems Research Center (joint work with Cormac Flanagan)](https://reader030.vdocuments.us/reader030/viewer/2022032521/56649d595503460f94a393bb/html5/thumbnails/33.jpg)
. . .
. . .
. . .
. . .ibusy
idisk
bdisk
bbusy
F T T
T T
F F F
FFFF
Inode { int inum; int addr; int mode; int length;}
Block { int addr; Entry[] entries;}
Entry { String name; int inum;}
addr addr
Data structures on disk:
Data structures in memory:
. . .
. . .
vArray
vbusy T T FFTF
• vArray contains inodes• distinct entries must contain distinct inodes
itov: int int
![Page 34: Predicate Abstraction for Software Verification Shaz Qadeer Compaq Systems Research Center (joint work with Cormac Flanagan)](https://reader030.vdocuments.us/reader030/viewer/2022032521/56649d595503460f94a393bb/html5/thumbnails/34.jpg)
/*@ invariant int i, j: vbusy[i] ((vArray[i].inum = j) (itov[j] = i));invariant int i: ibusy[i] bbusy[idisk[i].addr];invariant idisk bdisk;invariant int i: idisk[i] null idisk[i].inum = i;..*/
/*@ requires vbusy[num] vArray[num].mode = DIR *//*@ ensures \result = ERROR there is an entry with name s in directory vArray[num] */int create(int num, String s) { . . .}
![Page 35: Predicate Abstraction for Software Verification Shaz Qadeer Compaq Systems Research Center (joint work with Cormac Flanagan)](https://reader030.vdocuments.us/reader030/viewer/2022032521/56649d595503460f94a393bb/html5/thumbnails/35.jpg)
Main loop in “create”/*@ loop_invariant i >= 0; loop_invariant 0 <= spot; loop_invariant spot <= MAXDIRENTRY; loop_invariant (\forall int j; 0 <= j && j < i && bdisk[addr].dirEntries[j].inum != DIRENTRY_UNUSED ==>
bdisk[addr].dirEntries[j].name != name); loop_invariant (\forall int j; spot == MAXDIRENTRY && 0 <= j && j < i ==> bdisk[addr].dirEntries[j].inum != DIRENTRY_UNUSED);
loop_invariant spot == MAXDIRENTRY || bdisk[addr].dirEntries[spot].inum == DIRENTRY_UNUSED;
loop_invariant (\forall DirEntry t; t != de ==> t.name == \old(t.name)); loop_invariant (\forall DirEntry t; t != de ==> t.inum == \old(t.inum)); loop_invariant (\forall DirEntry t; t.inum == FS.DIRENTRY_UNUSED ||
(0 <= t.inum && t.inum < FS.IMAX));*/for (i = 0; i < cwd.inode.length; i++) { GetDirEntry(de, addr, i); if (de.inum != DIRENTRY_UNUSED && de.name == name) { return ERROR; } if (de.inum == DIRENTRY_UNUSED && spot == MAXDIRENTRY) { spot = i; }}
![Page 36: Predicate Abstraction for Software Verification Shaz Qadeer Compaq Systems Research Center (joint work with Cormac Flanagan)](https://reader030.vdocuments.us/reader030/viewer/2022032521/56649d595503460f94a393bb/html5/thumbnails/36.jpg)
Performance
Algorithm # queries(worst case)
# queries(on benchmark)
Naive 2n 32768
Das-Dill-Park 2n+1 4026
Saidi-Shankar 3n 2252
New n.2n 473
![Page 37: Predicate Abstraction for Software Verification Shaz Qadeer Compaq Systems Research Center (joint work with Cormac Flanagan)](https://reader030.vdocuments.us/reader030/viewer/2022032521/56649d595503460f94a393bb/html5/thumbnails/37.jpg)
Related work
• Inferring/computing loop invariants• Predicate abstraction
– Graf-Saidi 97– Bensalem-Lakhnech-Owre 98, Colon-Uribe 98– Saidi-Shankar 99, Das-Dill-Park 99– Ball-Majumdar-Millstein-Rajamani 2001
![Page 38: Predicate Abstraction for Software Verification Shaz Qadeer Compaq Systems Research Center (joint work with Cormac Flanagan)](https://reader030.vdocuments.us/reader030/viewer/2022032521/56649d595503460f94a393bb/html5/thumbnails/38.jpg)
Future Work
• Heuristics for generating predicates
• Multiple threads
– locks, semaphores, ...
– thread-modular reasoning
• Linked lists, reachability
• Target C