Docstoc

Program Verification using Templates over Predicate Abstraction

Document Sample
Program Verification using Templates over Predicate Abstraction Powered By Docstoc
					Program Verification using Templates
     over Predicate Abstraction


             Saurabh Srivastava
       University of Maryland, College Park
                 Sumit Gulwani
          Microsoft Research, Redmond
    What the technique will let you do!
A. Infer invariants with                        B. Infer weakest preconditions
   arbitrary quantification and
   boolean structure                         Weakest
    ∀ : E.g. Sortedness                     conditions              
                                             on input:
    ∀∃     : E.g. Permutation                                  k1        k2
                                                                               <
                       Selection Sort:
                       for i = 0..n
                       {                               
                           for j = i..n
                           {
                                                            Worst case behavior:
                               find min index               swap every time it can
                           }
                           if (min != i)
                              swap A[i] with A[min]
                       }


                                                     .... j            Aold

∀k1,k2   k1       k2    ..                          k                     Anew
                                         ∀k∃j
       Improves the state-of-art
• Can infer very expressive invariants
     • Quantification
         – E.g. ∀k∃j : (k<n) => (A[k]=B[j] ∧ j<n)
     • Disjunction
         – E.g. ∀k : (k<0 ∨ k>n ∨ A[k]=0)
  – Previous techniques are too specialized to particular
    types of quantification or to quantifier-free disjunction


• Can infer weakest preconditions
     • Good for debugging: can discover worst case inputs
     • Good for analysis: can infer missing precondition facts
  – No satisfactory solutions known
                   Key facilitators
• Templates                                       Unknown holes
                      k : ()  ()
                     k1k2 : ()  ()
   – Task of inferring conjunctive facts for the holes remains
• Predicate Abstraction
     
   – Allows us to efficiently compute solutions for the holes

     Programelements
         array
               variables,                             Limited
                                                     constants
                              x opr (y opa c)
       Relational operator                           Arithmetic operator
            <, ≤, >, ≥ …                                   +, - …

   – E.g., {i<j, i>j, i≤j, i≥j, i<j-1, i>j+1… }

            
                          Outline
• Three fixed-point inference algorithms
                                                (GFP)
   – Iterative fixed-point
      • Greatest Fixed-Point (GFP)
      • Least Fixed-Point (LFP)
   – Constraint-based (CFP)                             (CFP)
                                                (LFP)

• Optimal Solutions
   – Built over a clean theorem proving interface


• Weakest Precondition Generation

• Experimental evaluation
                          Outline
• Three fixed-point inference algorithms
                                       (GFP)
   – Iterative fixed-point
      • Greatest Fixed-Point (GFP)
      • Least Fixed-Point (LFP)
   – Constraint-based (CFP)                    (CFP)
                                       (LFP)
                         Analysis Setup

                                         E.g. Selection Sort:
                  pre
                                                                  true
                                                                            true ∧ i=0 => I1

                     vc(pre,I1)                                 i:=0
                                      I1 ∧ i<n ∧ j=i => I2
                I1                                              I1             if (min != i)
                                                                      i<n          swap A[i], A[min]
vc(I1,post)          vc(I1,I2)                                  j:=i        Find min
                                                                             index
                                                                I2
                I2                                                   j<n
                                                     Sorted
                                                      array
       post          vc(I2,I2)
                             vc(I2,I1)

                                                       I1 ∧ i≥n => sorted array
Loop headers (with invariants) split program
into simple paths. Simple paths induce
program constraints (verification conditions)
                         Analysis Setup

                  pre
                                                                          true ∧ i=0 => I1

                     vc(pre,I1)
                                      I1 ∧ i<n ∧ j=i => I2
                I1

vc(I1,post)          vc(I1,I2)
                                                             Simple FOL
                                                         formulae over I1, I2!
                I2                                       We will exploit this.

       post          vc(I2,I2)
                             vc(I2,I1)

                                                      I1 ∧ i≥n =>
Loop headers (with invariants) split program             ∀k1,k2 : 0≤k1<k2<n => A[k1] ≤A[k2]
into simple paths. Simple paths induce
program constraints (verification conditions)
      Iterative Fixed-point: Overview
                                                                        Candidate
                                         Values for                      Solution
               pre                       invariants


                   vc(pre,I1)           <x,y>  { vc(pre,I1),vc(I1,I2) }
                                ✗
              I1                                        VCs that are
                                                        not satisfied
vc(I1,post)        vc(I1,I2)
      ✓                        ✗
              I2

      post         vc(I2,I2)
                    ✓ vc(I2,I1)     ✓
      Iterative Fixed-point: Overview
                                                  Improve
                                                  candidate
               pre
                                                                        Candidate
                                                                     satisfies all VCs
                   vc(pre,I1)
              I1                                                 Set of
                                                               candidates
vc(I1,post)        vc(I1,I2)                                  <x,y>  { … }

                                       Improve candidate
              I2                       – Pick unsat VC
                                       – Use theorem prover to
      post         vc(I2,I2)             compute optimal change
                           vc(I2,I1)   – Results in new candidates

                                                Computable because:
                                                – Templates make ∨ explicit
                                                – Predicate abstraction restricts
                                                  search to finite space
            Backwards Iterative (GFP)

                               Candidate Sols <I1,I2>
            pre
                                Unsat constraints

                                     <⊤, ⊤>  { vc(I1,post) }
             ✓
        ⊤

 ✗           ✓          ✓
        ⊤          ✓
post



Backward:
• Always pick the source invariant
of unsat constraint to improve
• Start with <⊤, …,⊤>
            Backwards Iterative (GFP)
                                                                Optimally
                               Candidate Sols <I1,I2>           strengthen so
            pre
                                Unsat constraints              vc(pre,I1) ok
                                                                unless no soln
                                     <⊤, ⊤>  { vc(I1,post) }
             ✓
       a1                             <a1, ⊤>  { vc(I2,I1) }

  ✓                     ✗
             ✓
        ⊤          ✓
post



Backward:
• Always pick the source invariant
of unsat constraint to improve
• Start with <⊤, …,⊤>
            Backwards Iterative (GFP)
                                                                     Optimally
                               Candidate Sols <I1,I2>                strengthen so
            pre
                                Unsat constraints                   vc(pre,I1) ok
                                                                     unless no soln
                                     <⊤, ⊤>  { vc(I1,post) }
             ✓                                                     Multiple
       a1                             <a1, ⊤>  { vc(I2,I1) }      orthogonal
                                                                   optimal sols
  ✓                     ✗
                                    <a1,b1>  { vc(I2,I2) }
             ✓                 <a1,b2>  { vc(I2,I2),vc(I1,I2) }

       b2          ✗
post



Backward:
• Always pick the source invariant
of unsat constraint to improve
• Start with <⊤, …,⊤>
             Backwards Iterative (GFP)
                                                                     Optimally
                               Candidate Sols <I1,I2>                strengthen so
             pre
                                Unsat constraints                   vc(pre,I1) ok
                                                                     unless no soln
                                     <⊤, ⊤>  { vc(I1,post) }
              ✓                                                    Multiple
        a1                            <a1, ⊤>  { vc(I2,I1) }      orthogonal
                                                                   optimal sols
  ✓                                 <a1,b1>  { vc(I2,I2) }
              ✗        ✓       <a1,b2>  { vc(I2,I2),vc(I1,I2) }
                                     <a1,b1>  { vc(I2,I2) }
       b’2
                   ✓                 <a1,b’2>  { vc(I1,I2) }

post



Backward:
• Always pick the source invariant
of unsat constraint to improve
• Start with <⊤, …,⊤>
              Backwards Iterative (GFP)
                                                                       Optimally
                               Candidate Sols <I1,I2>                  strengthen so
              pre
                                Unsat constraints                     vc(pre,I1) ok
                                                                       unless no soln
                                     <⊤, ⊤>  { vc(I1,post) }
               ✓                                                     Multiple
        a’1                           <a1, ⊤>  { vc(I2,I1) }        orthogonal
                                                                     optimal sols
  ✓                                 <a1,b1>  { vc(I2,I2) }
               ✓        ✓      <a1,b2>  { vc(I2,I2),vc(I1,I2) }
                                     <a1,b1>  { vc(I2,I2) }
       b’2
                    ✓                <a1,b’2>  { vc(I1,I2) }
                                     <a1,b1>  { vc(I2,I2) }
post
                                        <a’1,b’2>  none

                                                          <a’1,b’2> : GFP solution
Backward:
• Always pick the source invariant
of unsat constraint to improve
• Start with <⊤, …,⊤>
 Forward Iterative (LFP)


Forward: Same as GFP except

• Pick the destination invariant
  of unsat constraint to improve

• Start with <⊥,…,⊥>
              Constraint-based over Predicate
                        Abstraction

               pre


                   vc(pre,I1)
              I1

vc(I1,post)        vc(I1,I2)

              I2

     post          vc(I2,I2)
                           vc(I2,I1)
          Constraint-based over Predicate
                    Abstraction



               vc(pre,I1)               pred(I1)

               vc(I1,post        b11,b21…br1        b12,b22…br2     boolean indicators
               )
               vc(I1,I2)
                                    p1,p2…pr        p1,p2…pr        predicates
               vc(I2,I1)         unknown 1              unknown 2
                                       k : ()  ()               template
               vc(I2,I2)

Remember:                                      I1
VCs are FOL                 
  formulae
 over I1, I2
          Constraint-based over Predicate
                    Abstraction
                                       pred(A) : A to unknown
                                             predicate
                                         indicator variables

               vc(pre,I1)   pred(I1)

               vc(I1,post
               )
               vc(I1,I2)

               vc(I2,I1)

               vc(I2,I2)

Remember:
VCs are FOL
  formulae
 over I1, I2
              Constraint-based over Predicate
                        Abstraction
                                  SAT formulae
   Program constraint             over predicate         pred(A) : A to unknown
  to boolean constraint             indicators                 predicate
                                                           indicator variables
 Optimal
 solutions        vc(pre,I1)        boolc(pred(I1))
from SMT
 solver to        vc(I1,post        boolc(pred(I1))
  impose          )                                                              Invariant
  minimal         vc(I1,I2)         boolc(pred(I1), pred(I2))      ∧                soln
constraints
                  vc(I2,I1)         boolc(pred(I2), pred(I1))

                  vc(I2,I2)         boolc(pred(I2))                 Boolean constraint
                                                                     to satisfying soln
   Remember:                                                           (SAT Solver)
   VCs are FOL
     formulae
    over I1, I2

                          Local reasoning               Fixed-Point Computation
                          Outline

                                                (GFP)



                                                        (CFP)
                                                (LFP)

• Optimal Solutions
   – Built over a clean theorem proving interface
                    Optimal Solutions
• Key: Polarity of unknowns in formula Φ
   – Positive or negative:
       • Value of positive unknown stronger => Φ stronger
       • Value of negative unknown stronger => Φ weaker
                                  positive
                                  negative

            Φ = ∀x : ∃y : ( ¬ u1 ∨ u2      ) ∧ u3
                                           positive

• Optimal Soln: Maximally strong positives, maximally weak negatives

• Assume theorem prover interface: OptNegSol
   – Optimal solutions for formula with only negative unknowns
   – Built using a lattice search by querying SMT Solver
                               Optimal Solutions using OptNegSol
                             formula Φ contains unknowns:
                                 u1…uP positive            u1…uN negative
                                                                                               Repeat until
                                                                                                 set stable
                                        OptNegSol
P x Size of predicate set




                              Φ[ a1…aP ]             a1…aP,S1…SN
                              Φ[ a’1…a’P ]           a’1…a’P,S’1…S’N         Merge     Opt
                                                                                       Opt’
                               …



                                                        …
                                              …




                                                                                       …
                                                                                       Opt’’
                             Φ[ a’’1…a’’P ]          a’’1…a’’P,S’’1…S’’N                       Optimal Solutions
                                                                                                for formula Φ
                              P-tuple that assigns
                               a single predicate                          Merge positive tuples
                            to each positive unknown
                                                    Si soln for the
                                                  negative unknowns
                    Outline

                                    (GFP)



                                            (CFP)
                                    (LFP)




• Weakest Precondition Generation
                     Outline

                               (GFP)



                                       (CFP)
                               (LFP)




• Experimental evaluation
                 Implementation

                  Microsoft’s
                Phoenix Compiler
                                                 Verification
 C Program                         CFG
                                                  Conditions

 Templates


Predicate Set                             Iterative              Constraint-
                                         Fixed-point                based
                                          GFP/LFP                Fixed-Point
                                                       Z3 SMT
                                   Candidate            Solver          Boolean
                                   Solutions                           Constraint




                                                   Invariants
                                                  Preconditions
       Verifying Sorting Algorithms
• Benchmarks
   – Considered difficult to verify
   – Require invariants with quantifiers
   – Sorting, ideal benchmark programs

• 5 major sorting algorithms
   – Insertion Sort, Bubble Sort (n2 version and termination checking
     version), Selection Sort, Quick Sort and Merge Sort

• Properties:
   – Sort elements
       • ∀k : 0≤k<n => A[k] ≤A[k+1] --- output array is non-decreasing
   – Maintain permutation, when elements distinct
       • ∀k∃j : 0≤k<n => A[k]=Aold[j] & 0≤j<n --- no elements gained
       • ∀k∃j : 0≤k<n => Aold[k]=A[j] & 0≤j<n --- no elements lost
                                Runtimes: Sortedness
          16



          14                                                                               Tool can prove
                                                                                         sortedness for all
          12                                                                             sorting algorithms!

          10
seconds




                                                                                                                       LFP
           8
                                                                                                                       GFP
                                                                                                                       CFP
           6



           4



           2



           0
               Selection Sort   Insertion Sort   Bubble Sort (n2)   Bubble Sort (flag)       Quick Sort   Merge Sort
                                Runtimes: Permutation
                                94.42




                                   …
          40
                                                                                          …Permutations too!
          35



          30



          25
seconds




                                                                                                                      LFP
          20
                                                                                                                      GFP
                                                                                                                      CFP
          15



          10



           5


                           ∞                                                                             ∞
           0
               Selection Sort    Insertion Sort   Bubble Sort (n2)   Bubble Sort (flag)     Quick Sort   Merge Sort
            Inferring Preconditions
• Given a property (worst case runtime or functional correctness)
  what is the input required for the property to hold

• Tool automatically infers non-trivial inputs/preconditions

• Worst case input (precondition) for sorting:
   – Selection Sort: sorted array except last element is the smallest
   – Insertion, Quick Sort, Bubble Sort (flag): Reverse sorted array


• Inputs (precondition) for functional correctness:
   – Binary search requires sorted input array
   – Merge in Merge sort requires sorted inputs
   – Missing initializers required in various other programs
               Runtimes (GFP): Inferring worst case
                        inputs for sorting
          45


          40                                                         Tool infers worst
                                                                    case inputs for all
          35                                                        sorting algorithms!
          30
seconds




          25

                                                                                         Nothing to infer as all inputs
          20
                                                                                         yield the same behavior
          15


          10


           5


           0
               Selection Sort   Insertion Sort   Bubble Sort (n2)   Bubble Sort (flag)     Quick Sort    Merge Sort
                       Conclusions
• Powerful invariant inference over predicate abstraction
   – Can infer quantifier invariants

• Three algorithms with different strengths
   – Iterative: Least fixed-point and Greatest fixed-point
   – Constraint-based

• Extend to maximally-weak precondition inference
   – Worst case inputs
   – Preconditions for functional correctness

• Techniques builds on SMT Solvers, so exploit their power

• Successfully verified/inferred preconditions
   – All major sorting algorithms
   – Other difficult benchmarks

• Project Webpage: http://www.cs.umd.edu/~saurabhs/pacs

				
DOCUMENT INFO
Shared By:
Categories:
Tags:
Stats:
views:0
posted:4/8/2013
language:Unknown
pages:32