© 2014 Carnegie Mellon University
Synthesizing Safe Bit-Precise Invariants
Arie Gurfinkel (SEI / CMU)
Anton Belov (UCD / Synopsys)
Joao Marques-Silva (UCD)
Synthesizing Safe Bit-Precise Invariants. Gurfinkel, Belov, Marques-Silva. © 2014 Carnegie Mellon University
Inductive Invariants: Turing / Floyd / Hoare
A. M. Turing, Checking a Large Routine. In Report of a Conference on High Speed Automatic Calculating Machines, (1949).
Programs, Cexs, Invariants
A program P = (V, Init, Tr, Bad)
P is UNSAFE if and only if there exists a number N s.t.
P is SAFE if and only if there exists a safe inductive invariant Inv s.t.
Inductive
Safe
Many conferences, techniques, tools …
But Bit-Precise Verification is Hard
Bounded Model Checking
•CBMC, Boolector, LLBMC, ESBMC, …
•efficient discovery of counter-examples
•no invariants!
Propositional Verification (Hardware)
•Interpolation, IC3, PDR, ABC, …
•efficient synthesis of propositional invariants
•does not scale to bit-precise verification of software
Linear Arithmetic Verification (Software)
•Impact, UFO, CPAChecker, Duality, Blast, GPDR, …
•efficient synthesis of arithmetic invariants
•not bit-precise (not sound!)
•is often sufficient (e.g., UFO at SV-COMP’13 and ’14)
But aren’t bit-vectors = bit-blasting?
Typical Bit-vector Decision Procedure
(figure: pipeline Simplify → B2P → Bit-blast → SAT)
B2P is satisfiability preserving (only!)
Bit-blast (by itself) is not efficient
Safety Verification by Bit-Blasting
Correct, but does not scale
(figure: Bit-blast → Verify, using a propositional verifier)
Safety Verification by B2P
Efficient, but…
•B2P only preserves satisfiability
•Original circuit is reduced (abstracted) too much
•Hard to track correspondence between input and output
(figure: B2P → Verify → True)
Bit-blasting loses all structure!
Lack of structure makes it difficult to generalize
Our Key Idea: Use Generate and Check Alg.
Given an input program P with a safety property Bad
1. Generate a candidate invariant Cand by verifying Bad on a “simpler” approximation Psimple of P
2. Compute the Maximal Inductive Subset Inv of Cand relative to P using bit-precise reasoning
3. Strengthen Inv using a bit-precise (but possibly slow) verification engine until (Inv Bad)
MISPER in a Nutshell
Adapt unsound arithmetic reasoning to guess bit-precise invariants
(figure: the MISPER pipeline)
Program P + Property → Approximate → Program PLA → LA Verifier
LA Verifier → No + Cex (unsound), or Candidate CLA (needs validation)
Candidate CLA → Adapt using MIS → Invariant IBIT → BIT Verifier
BIT Verifier → Yes + Certificate CBIT, or No + Cex (sound)
Approximate Bit-Vectors by Arithmetic
Ignore (i.e., over-approximate) all bit-vector-specific operations
Unsound, but simple and efficient
(figure: Approximate maps Bool → Bool and Bit-vector → Arithmetic)
Maximal Inductive Subset
Let L be a set of formulas and P = (V, Init, Tr, Bad) a program.
A subset X of L is a maximal inductive subset iff it is the largest subset of L such that
A Maximal Inductive Subset is unique
•inductive invariants are closed under conjunction
Cormac Flanagan, K. Rustan M. Leino: Houdini, an Annotation Assistant for ESC/Java. FME 2001: 500-517
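Step 2 of the generate-and-check algorithm and the Maximal Inductive Subset definition above, as an added Python example that is not code from the slides or from the MISPER project. It replaces the SAT/MUS oracle with brute-force enumeration over a constructed two-variable, 4-bit program, so it runs offline; the program, the candidate lemmas, the safety properties and the names (wrap, maximal_inductive_subset, proves_safety, reachable) are all this example's own.

```python
"""Houdini-style Maximal Inductive Subset (MIS), checked bit-precisely by enumeration.

Constructed example: two 4-bit signed variables, so inductiveness is decided by
walking the whole state space instead of by SAT/MUS calls.  The candidate lemmas
are the kind a linear-arithmetic verifier proposes while ignoring overflow.
"""
from itertools import product

WIDTH = 4
MIN_VAL, MAX_VAL = -(1 << (WIDTH - 1)), (1 << (WIDTH - 1)) - 1


def wrap(v):
    """Two's-complement wraparound to WIDTH bits: exactly what LA reasoning ignores."""
    v &= (1 << WIDTH) - 1
    return v - (1 << WIDTH) if v > MAX_VAL else v


# State space V = {x, y}, both WIDTH-bit signed.
STATES = list(product(range(MIN_VAL, MAX_VAL + 1), repeat=2))


def init(s):
    """Init: x = 0, y = 1 (constructed)."""
    return s == (0, 1)


def tr(s):
    """Tr: x := x + 1 bit-precisely, y unchanged.  Deterministic, so one successor."""
    x, y = s
    return (wrap(x + 1), y)


# Candidate lemmas (constructed).  Over unbounded integers all four are inductive.
CANDIDATES = {
    "x >= 0": lambda s: s[0] >= 0,
    "y == 1": lambda s: s[1] == 1,
    "x + y >= 1": lambda s: wrap(s[0] + s[1]) >= 1,
    "x < 10": lambda s: s[0] < 10,
}


def maximal_inductive_subset(cands):
    """Greatest fixpoint: repeatedly drop a lemma that fails in some initial state or
    in the successor of some state satisfying every lemma still kept.  Because
    inductive invariants are closed under conjunction, the result is unique."""
    kept = dict(cands)
    while True:
        def holds_all(s):
            return all(p(s) for p in kept.values())
        failing = next(
            (name for name, pred in kept.items()
             if any(init(s) and not pred(s) for s in STATES)
             or any(holds_all(s) and not pred(tr(s)) for s in STATES)),
            None)
        if failing is None:
            return kept
        del kept[failing]


def proves_safety(inv, bad):
    """Inv is a safe inductive invariant for Bad iff no state satisfying Inv is bad."""
    return not any(all(p(s) for p in inv.values()) and bad(s) for s in STATES)


def reachable():
    """Concrete reachable states, used only to explain why a lemma was rejected."""
    seen, todo = set(), [s for s in STATES if init(s)]
    while todo:
        s = todo.pop()
        if s not in seen:
            seen.add(s)
            todo.append(tr(s))
    return seen


if __name__ == "__main__":
    inv = maximal_inductive_subset(CANDIDATES)
    print("MIS:", sorted(inv))                      # x >= 0 and x + y >= 1 are dropped
    print("safe for y != 1:", proves_safety(inv, lambda s: s[1] != 1))
    print("safe for x < 0:", proves_safety(inv, lambda s: s[0] < 0))
    print("x < 0 reachable:", any(s[0] < 0 for s in reachable()))
```

The lemma x >= 0 is inductive over the integers but not over 4-bit two's complement (7 + 1 wraps to -8), which is why an LA candidate must be validated bit-precisely before it counts as a proof. The surviving subset {y == 1, x < 10} proves the property y != 1 outright; for x < 0 it proves nothing, and the reachability check shows that no strengthening could help, since a bit-precise engine would find the wraparound counterexample instead.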
Minimal Unsatisfiable Subset
Let a formula be given and let A = {a1, …, an} be atomic propositions occurring negatively in it
Assume the formula ∧ a1 ∧ … ∧ an is UNSAT
A minimal unsatisfiable subset (MUS) of the formula is the smallest subset X ⊆ A such that the formula ∧ X is UNSAT
There are efficient algorithms for computing MUS (a.k.a. UNSAT core) for propositional formulas
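The MUS definition above, as an added Python example that is neither MUSer2 nor code from the MISPER project: deletion-based MUS extraction over the selector atoms a1..a4 of a constructed CNF, with satisfiability decided by brute force in place of a SAT solver. CLAUSES, satisfiable and mus are this example's own names.

```python
"""Deletion-based Minimal Unsatisfiable Subset (MUS) extraction over assumptions.

Constructed example: a small CNF over integer-numbered variables (a negative int
is a negated literal).  The selectors a1..a4 occur only negatively in the clauses,
and the MUS is taken over those selectors, as in the slide's definition.
"""
from itertools import product

# Constructed CNF: selector ai "switches on" the clause it guards.
#   a1 -> x,  a2 -> not x,  a3 -> y,  a4 -> not y,  a3 -> z
A1, A2, A3, A4, X, Y, Z = 1, 2, 3, 4, 5, 6, 7
CLAUSES = [[-A1, X], [-A2, -X], [-A3, Y], [-A4, -Y], [-A3, Z]]


def satisfiable(clauses, assumptions):
    """True iff clauses AND the assumed unit literals have a model (brute force)."""
    variables = sorted({abs(l) for c in clauses for l in c} | {abs(a) for a in assumptions})
    for bits in product((False, True), repeat=len(variables)):
        model = dict(zip(variables, bits))

        def lit(l):
            return model[abs(l)] if l > 0 else not model[abs(l)]

        if all(lit(a) for a in assumptions) and all(any(lit(l) for l in c) for c in clauses):
            return True
    return False


def mus(clauses, assumptions):
    """Deletion-based MUS: walk the assumptions once and drop each one whose removal
    keeps the formula UNSAT.  Every member of the result is needed (minimal), but it
    is not necessarily the smallest core when the formula has several."""
    if satisfiable(clauses, assumptions):
        raise ValueError("MUS is only defined for an UNSAT formula")
    core = list(assumptions)
    for a in list(core):
        trial = [b for b in core if b != a]
        if not satisfiable(clauses, trial):
            core = trial
    return core


if __name__ == "__main__":
    print(mus(CLAUSES, [A1, A2, A3, A4]))   # one of two disjoint cores: [3, 4]
    print(mus(CLAUSES, [A1, A2, A3]))       # [1, 2]
```

With all four selectors assumed the formula has two disjoint cores, {a1, a2} through x and {a3, a4} through y; the deletion walk discards the first one it can live without and keeps the other, which is why practical MUS extraction yields a minimal core rather than a guaranteed-smallest one.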
Solving MIS via MUS
Reduce MIS to multiple calls to MUS
(figure: the encoding; lemmas are guarded by fresh propositional variables; labels: called once, incremental SAT, SAT, MUS, incremental SAT)
Var-Equivalence
Let A and B be two formulas
Let X be a subset of the propositional variables of A and B
Definition: A and B are var-equivalent relative to X if and only if, for any satisfying assignment of X, A and B under that assignment are equisatisfiable
Claim
B2P of a formula is var-equivalent to that formula relative to X = {post_i, pre_i}
Implementation
Misper is implemented in Python and relies on many external tools
•LLVM for handling C
•UFO-MUZ for LA invariants
•Boolector for B2P
•MUSer2 for MUS step in MIS
•Z3 for SMT and HORN
Results Summary
214 SAFE benchmarks from SVCOMP’2013
•includes all non-trivial SAFE benchmarks
All times are in seconds

bit width | inst. | cnt | Z3/PDR #sol (avg/med) | Misper #sol (avg/med) | Cand #sol (avg/med) | MIS #sol (avg/med)
32        | all   | 214 | 116 (127/8)           | 174 (28/0.4)          | 165 (8/0.4)         | 9 (392/134)
32        | unsol | 98  | --                    | 58 (75/1)             | 52 (22/0.7)         | 6 (544/366)
16        | all   | 214 | 165 (176/8)           | 182 (69/0.4)          | 165 (8/0.4)         | 17 (661/399)
16        | unsol | 49  | --                    | 18 (624/376)          | 6 (50/21)           | 12 (911/1,094)
Detailed Results (16 bits)
FrankenBit: Bit-Precise Verification w/ Many Bits
MISPER to synthesize bit-precise invariants
LLBMC to search for counterexamples
Silver and Bronze medals at SV-COMP 2014
http://sv-comp.sosy-lab.org/2014/results/index.php
Related Work
Cormac Flanagan, K. Rustan M. Leino: Houdini, an Annotation Assistant for ESC/Java. FME 2001.
•(the first?) algorithm for computing Maximal Inductive Subset
Randal E. Bryant, Daniel Kroening, Joël Ouaknine, Sanjit A. Seshia, Ofer Strichman, Bryan A. Brady: Deciding Bit-Vector Arithmetic with Abstraction. TACAS 2007.
•sound under-approximation of bit-vector formulas by shrinking bit-width
Alberto Griggio: Effective word-level interpolation for software verification. FMCAD 2011.
•mostly sound over-approximation of bit-vector formulas by arithmetic
•but, also uses unsound approximation followed by a sound check
Conclusion
Sound reasoning from unsound approximations
•Use Linear Arithmetic to guess good invariants
•Use efficient bit-vector decision procedures to validate invariants
•Use efficient propositional Minimal Unsatisfiable Subset extractor to find Maximal Inductive Subset
•Use inefficient bit-precise reasoning to complete the proof
Works well on SV-COMP (non bit-vector specific) benchmarks
•probably because the properties are mostly bit-vector agnostic
•e.g., API usage in Linux Device Drivers
Integrated in FrankenBit: http://arieg.bitbucket.org/fbit
Future Work
We have just scratched the surface…
CounterExample Guided Approximation-Refinement Loop
•block a counterexample by partial bit-blasting
•partially embed bit-vectors into integer arithmetic
Better approximations
•such as in related work, e.g., Griggio, and Bryant et al.
Adapt lemmas
•account for bit-width, overflow, and upper bound
•e.g., replace x > 0 with x > 0 & x <= INT_MAX
Tighter integration with fixedpoint solver
Contact Information
Arie Gurfinkel
Senior Researcher
SEI / CMU
Telephone: +1 412-268-5800
Email: [email protected]
U.S. Mail
Software Engineering Institute
Customer Relations
4500 Fifth Avenue
Pittsburgh, PA 15213-2612
USA
Web
www.sei.cmu.edu
www.sei.cmu.edu/contact.cfm
Customer Relations
Email: [email protected]
Telephone: +1 412-268-5800
SEI Phone: +1 412-268-5800
SEI Fax: +1 412-268-6257