Approximating Predicate Images for Bit-Vector Logic

Predicate abstraction refinement is a successful technique for verifying large ANSI-C programs. However, computing the image of the predicates with respect to the transition relation is computationally expensive. Recent results have shown that predicate images can be computed by transforming a proof of a formula over integers into a Boolean formula that is satisfiable if and only if the original formula is satisfiable. However, the existing algorithms compute the closure of the proof rules that are used to axiomatize the logic, and thus, rely on the fact that the set of axioms is small. They are therefore limited to logics of low complexity, such as difference logic. We describe a proof-based algorithm that computes an over-approximation of the predicate image but in turn allows a rich set of axioms. The algorithm can be used to compute images of predicates using a combination of bit-vector logic, the theory of arrays, and pointer arithmetic. The proof-based approach can also be used to refine the image. We quantify the performance of the algorithm in comparison with a Das/Dill-like greedy incremental refinement of the image and a proof-based incremental refinement.

[1]  Stephan Merz,et al.  Model Checking , 2000 .

[2]  Tomás E. Uribe,et al.  Generating Finite-State Abstractions of Reactive Systems Using Decision Procedures , 1998, CAV.

[3]  Daniel Kroening,et al.  Symbolic Model Checking for Asynchronous Boolean Programs , 2005, SPIN.

[4]  Ofer Strichman On Solving Presburger and Linear Arithmetic with SAT , 2002, FMCAD.

[5]  Shuvendu K. Lahiri,et al.  A Symbolic Approach to Predicate Abstraction , 2003, CAV.

[6]  Rolf Drechsler,et al.  RTL-datapath verification using integer linear programming , 2002, Proceedings of ASP-DAC/VLSI Design 2002. 7th Asia and South Pacific Design Automation Conference and 15h International Conference on VLSI Design.

[7]  Patrick Cousot,et al.  Abstract interpretation , 1996, CSUR.

[8]  Daniel Kroening,et al.  SATABS: SAT-Based Predicate Abstraction for ANSI-C , 2005, TACAS.

[9]  Edmund M. Clarke,et al.  Symbolic Model Checking: 10^20 States and Beyond , 1990, Inf. Comput..

[10]  Daniel Kroening,et al.  Predicate Abstraction of ANSI-C Programs Using SAT , 2004, Formal Methods Syst. Des..

[11]  Shuvendu K. Lahiri,et al.  Predicate Abstraction via Symbolic Decision Procedures , 2005, Log. Methods Comput. Sci..

[12]  John C. Reynolds,et al.  Separation logic: a logic for shared mutable data structures , 2002, Proceedings 17th Annual IEEE Symposium on Logic in Computer Science.

[13]  Sanjit A. Seshia,et al.  Modeling and Verifying Systems Using a Logic of Counter Arithmetic with Lambda Expressions and Uninterpreted Functions , 2002, CAV.

[14]  Kwang-Ting Cheng,et al.  An efficient finite-domain constraint solver for circuits , 2004, Proceedings. 41st Design Automation Conference, 2004..

[15]  David A. Plaisted,et al.  A Structure-Preserving Clause Form Translation , 1986, J. Symb. Comput..

[16]  Sriram K. Rajamani,et al.  Bebop: A Symbolic Model Checker for Boolean Programs , 2000, SPIN.

[17]  Shuvendu K. Lahiri,et al.  Constructing Quantified Invariants via Predicate Abstraction , 2004, VMCAI.

[18]  Daniel Kroening,et al.  Cogent: Accurate Theorem Proving for Program Verification , 2005, CAV.

[19]  Hassen Saïdi,et al.  Construction of Abstract State Graphs with PVS , 1997, CAV.

[20]  Sriram K. Rajamani,et al.  Automatically validating temporal safety properties of interfaces , 2001, SPIN '01.

[21]  David L. Dill,et al.  A decision procedure for bit-vector arithmetic , 1998, Proceedings 1998 Design and Automation Conference. 35th DAC. (Cat. No.98CH36175).

[22]  Sergey Berezin,et al.  CVC Lite: A New Implementation of the Cooperating Validity Checker Category B , 2004, CAV.

[23]  Sriram K. Rajamani,et al.  Bebop: a path-sensitive interprocedural dataflow engine , 2001, PASTE '01.

[24]  Edmund M. Clarke,et al.  Design and Synthesis of Synchronization Skeletons Using Branching-Time Temporal Logic , 1981, Logic of Programs.

[25]  William Pugh,et al.  A practical algorithm for exact array dependence analysis , 1992, CACM.

[26]  Edmund M. Clarke,et al.  Counterexample-guided abstraction refinement , 2003, 10th International Symposium on Temporal Representation and Reasoning, 2003 and Fourth International Conference on Temporal Logic. Proceedings..

[27]  Alex Groce,et al.  Predicate Abstraction with Minimum Predicates , 2003, CHARME.

[28]  Shuvendu K. Lahiri,et al.  Zapato: Automatic Theorem Proving for Predicate Abstraction Refinement , 2004, CAV.

[29]  Sriram K. Rajamani,et al.  Refining Approximations in Software Predicate Abstraction , 2004, TACAS.

[30]  Thomas A. Henzinger,et al.  Lazy abstraction , 2002, POPL '02.

[31]  Markus Wedler,et al.  Normalization at the arithmetic bit level , 2005, Proceedings. 42nd Design Automation Conference, 2005..

[32]  Patrick Cousot,et al.  The ASTREÉ Analyzer , 2005, ESOP.

[33]  David L. Dill,et al.  Successive approximation of abstract transition relations , 2001, Proceedings 16th Annual IEEE Symposium on Logic in Computer Science.

[34]  Daniel Kroening,et al.  Word level predicate abstraction and refinement for verifying RTL Verilog , 2005, Proceedings. 42nd Design Automation Conference, 2005..

[35]  Sriram K. Rajamani,et al.  Generating Abstract Explanations of Spurious Counterexamples in C Programs , 2002 .

[36]  Thomas A. Henzinger,et al.  Abstractions from proofs , 2004, POPL.

[37]  David Detlefs,et al.  Simplify: a theorem prover for program checking , 2005, JACM.

[38]  Robert P. Kurshan,et al.  Computer-Aided Verification of Coordinating Processes: The Automata-Theoretic Approach , 2014 .

[39]  Sriram K. Rajamani,et al.  Boolean Programs: A Model and Process for Software Analysis , 2000 .

[40]  William Pugh,et al.  The Omega test: A fast and practical integer programming algorithm for dependence analysis , 1991, Proceedings of the 1991 ACM/IEEE Conference on Supercomputing (Supercomputing '91).