# Program Verification using Templates over Predicate Abstraction

Document Sample

```					Program Verification using Templates
over Predicate Abstraction

Saurabh Srivastava
University of Maryland, College Park
Sumit Gulwani
Microsoft Research, Redmond
What the technique will let you do!
A. Infer invariants with                        B. Infer weakest preconditions
arbitrary quantification and
boolean structure                         Weakest
∀ : E.g. Sortedness                     conditions              
on input:
∀∃     : E.g. Permutation                                  k1        k2
<
Selection Sort:
for i = 0..n
{                               
for j = i..n
{
Worst case behavior:
find min index               swap every time it can
}
if (min != i)
swap A[i] with A[min]
}

                                       .... j            Aold

∀k1,k2   k1       k2    ..                          k                     Anew
∀k∃j
Improves the state-of-art
• Can infer very expressive invariants
• Quantification
– E.g. ∀k∃j : (k<n) => (A[k]=B[j] ∧ j<n)
• Disjunction
– E.g. ∀k : (k<0 ∨ k>n ∨ A[k]=0)
– Previous techniques are too specialized to particular
types of quantification or to quantifier-free disjunction

• Can infer weakest preconditions
• Good for debugging: can discover worst case inputs
• Good for analysis: can infer missing precondition facts
– No satisfactory solutions known
Key facilitators
• Templates                                       Unknown holes
k : ()  ()
k1k2 : ()  ()
– Task of inferring conjunctive facts for the holes remains
• Predicate Abstraction

– Allows us to efficiently compute solutions for the holes

 Programelements
array
variables,                             Limited
constants
x opr (y opa c)
Relational operator                           Arithmetic operator
<, ≤, >, ≥ …                                   +, - …

– E.g., {i<j, i>j, i≤j, i≥j, i<j-1, i>j+1… }


Outline
• Three fixed-point inference algorithms
(GFP)
– Iterative fixed-point
• Greatest Fixed-Point (GFP)
• Least Fixed-Point (LFP)
– Constraint-based (CFP)                             (CFP)
(LFP)

• Optimal Solutions
– Built over a clean theorem proving interface

• Weakest Precondition Generation

• Experimental evaluation
Outline
• Three fixed-point inference algorithms
(GFP)
– Iterative fixed-point
• Greatest Fixed-Point (GFP)
• Least Fixed-Point (LFP)
– Constraint-based (CFP)                    (CFP)
(LFP)
Analysis Setup

E.g. Selection Sort:
pre
true
true ∧ i=0 => I1

vc(pre,I1)                                 i:=0
I1 ∧ i<n ∧ j=i => I2
I1                                              I1             if (min != i)
i<n          swap A[i], A[min]
vc(I1,post)          vc(I1,I2)                                  j:=i        Find min
index
I2
I2                                                   j<n
Sorted
array
post          vc(I2,I2)
vc(I2,I1)

I1 ∧ i≥n => sorted array
Loop headers (with invariants) split program
into simple paths. Simple paths induce
program constraints (verification conditions)
Analysis Setup

pre
true ∧ i=0 => I1

vc(pre,I1)
I1 ∧ i<n ∧ j=i => I2
I1

vc(I1,post)          vc(I1,I2)
Simple FOL
formulae over I1, I2!
I2                                       We will exploit this.

post          vc(I2,I2)
vc(I2,I1)

I1 ∧ i≥n =>
Loop headers (with invariants) split program             ∀k1,k2 : 0≤k1<k2<n => A[k1] ≤A[k2]
into simple paths. Simple paths induce
program constraints (verification conditions)
Iterative Fixed-point: Overview
Candidate
Values for                      Solution
pre                       invariants

vc(pre,I1)           <x,y>  { vc(pre,I1),vc(I1,I2) }
✗
I1                                        VCs that are
not satisfied
vc(I1,post)        vc(I1,I2)
✓                        ✗
I2

post         vc(I2,I2)
✓ vc(I2,I1)     ✓
Iterative Fixed-point: Overview
Improve
candidate
pre
Candidate
satisfies all VCs
vc(pre,I1)
I1                                                 Set of
candidates
vc(I1,post)        vc(I1,I2)                                  <x,y>  { … }

Improve candidate
I2                       – Pick unsat VC
– Use theorem prover to
post         vc(I2,I2)             compute optimal change
vc(I2,I1)   – Results in new candidates

Computable because:
– Templates make ∨ explicit
– Predicate abstraction restricts
search to finite space
Backwards Iterative (GFP)

Candidate Sols <I1,I2>
pre
 Unsat constraints

<⊤, ⊤>  { vc(I1,post) }
✓
⊤

✗           ✓          ✓
⊤          ✓
post

Backward:
• Always pick the source invariant
of unsat constraint to improve
Backwards Iterative (GFP)
Optimally
Candidate Sols <I1,I2>           strengthen so
pre
 Unsat constraints              vc(pre,I1) ok
unless no soln
<⊤, ⊤>  { vc(I1,post) }
✓
a1                             <a1, ⊤>  { vc(I2,I1) }

✓                     ✗
✓
⊤          ✓
post

Backward:
• Always pick the source invariant
of unsat constraint to improve
Backwards Iterative (GFP)
Optimally
Candidate Sols <I1,I2>                strengthen so
pre
 Unsat constraints                   vc(pre,I1) ok
unless no soln
<⊤, ⊤>  { vc(I1,post) }
✓                                                     Multiple
a1                             <a1, ⊤>  { vc(I2,I1) }      orthogonal
optimal sols
✓                     ✗
<a1,b1>  { vc(I2,I2) }
✓                 <a1,b2>  { vc(I2,I2),vc(I1,I2) }

b2          ✗
post

Backward:
• Always pick the source invariant
of unsat constraint to improve
Backwards Iterative (GFP)
Optimally
Candidate Sols <I1,I2>                strengthen so
pre
 Unsat constraints                   vc(pre,I1) ok
unless no soln
<⊤, ⊤>  { vc(I1,post) }
✓                                                    Multiple
a1                            <a1, ⊤>  { vc(I2,I1) }      orthogonal
optimal sols
✓                                 <a1,b1>  { vc(I2,I2) }
✗        ✓       <a1,b2>  { vc(I2,I2),vc(I1,I2) }
<a1,b1>  { vc(I2,I2) }
b’2
✓                 <a1,b’2>  { vc(I1,I2) }

post

Backward:
• Always pick the source invariant
of unsat constraint to improve
Backwards Iterative (GFP)
Optimally
Candidate Sols <I1,I2>                  strengthen so
pre
 Unsat constraints                     vc(pre,I1) ok
unless no soln
<⊤, ⊤>  { vc(I1,post) }
✓                                                     Multiple
a’1                           <a1, ⊤>  { vc(I2,I1) }        orthogonal
optimal sols
✓                                 <a1,b1>  { vc(I2,I2) }
✓        ✓      <a1,b2>  { vc(I2,I2),vc(I1,I2) }
<a1,b1>  { vc(I2,I2) }
b’2
✓                <a1,b’2>  { vc(I1,I2) }
<a1,b1>  { vc(I2,I2) }
post
<a’1,b’2>  none

<a’1,b’2> : GFP solution
Backward:
• Always pick the source invariant
of unsat constraint to improve
Forward Iterative (LFP)

Forward: Same as GFP except

• Pick the destination invariant
of unsat constraint to improve

Constraint-based over Predicate
Abstraction

pre

vc(pre,I1)
I1

vc(I1,post)        vc(I1,I2)

I2

post          vc(I2,I2)
vc(I2,I1)
Constraint-based over Predicate
Abstraction

vc(pre,I1)               pred(I1)

vc(I1,post        b11,b21…br1        b12,b22…br2     boolean indicators
)
vc(I1,I2)
p1,p2…pr        p1,p2…pr        predicates
vc(I2,I1)         unknown 1              unknown 2
k : ()  ()               template
vc(I2,I2)

Remember:                                      I1
VCs are FOL                 
formulae
over I1, I2
Constraint-based over Predicate
Abstraction
pred(A) : A to unknown
predicate
indicator variables

vc(pre,I1)   pred(I1)

vc(I1,post
)
vc(I1,I2)

vc(I2,I1)

vc(I2,I2)

Remember:
VCs are FOL
formulae
over I1, I2
Constraint-based over Predicate
Abstraction
SAT formulae
Program constraint             over predicate         pred(A) : A to unknown
to boolean constraint             indicators                 predicate
indicator variables
Optimal
solutions        vc(pre,I1)        boolc(pred(I1))
from SMT
solver to        vc(I1,post        boolc(pred(I1))
impose          )                                                              Invariant
minimal         vc(I1,I2)         boolc(pred(I1), pred(I2))      ∧                soln
constraints
vc(I2,I1)         boolc(pred(I2), pred(I1))

vc(I2,I2)         boolc(pred(I2))                 Boolean constraint
to satisfying soln
Remember:                                                           (SAT Solver)
VCs are FOL
formulae
over I1, I2

Local reasoning               Fixed-Point Computation
Outline

(GFP)

(CFP)
(LFP)

• Optimal Solutions
– Built over a clean theorem proving interface
Optimal Solutions
• Key: Polarity of unknowns in formula Φ
– Positive or negative:
• Value of positive unknown stronger => Φ stronger
• Value of negative unknown stronger => Φ weaker
positive
negative

Φ = ∀x : ∃y : ( ¬ u1 ∨ u2      ) ∧ u3
positive

• Optimal Soln: Maximally strong positives, maximally weak negatives

• Assume theorem prover interface: OptNegSol
– Optimal solutions for formula with only negative unknowns
– Built using a lattice search by querying SMT Solver
Optimal Solutions using OptNegSol
formula Φ contains unknowns:
u1…uP positive            u1…uN negative
Repeat until
set stable
OptNegSol
P x Size of predicate set

Φ[ a1…aP ]             a1…aP,S1…SN
Φ[ a’1…a’P ]           a’1…a’P,S’1…S’N         Merge     Opt
Opt’
…

…
…

…
Opt’’
Φ[ a’’1…a’’P ]          a’’1…a’’P,S’’1…S’’N                       Optimal Solutions
for formula Φ
P-tuple that assigns
a single predicate                          Merge positive tuples
to each positive unknown
Si soln for the
negative unknowns
Outline

(GFP)

(CFP)
(LFP)

• Weakest Precondition Generation
Outline

(GFP)

(CFP)
(LFP)

• Experimental evaluation
Implementation

Microsoft’s
Phoenix Compiler
Verification
C Program                         CFG
Conditions

Templates

Predicate Set                             Iterative              Constraint-
Fixed-point                based
GFP/LFP                Fixed-Point
Z3 SMT
Candidate            Solver          Boolean
Solutions                           Constraint

Invariants
Preconditions
Verifying Sorting Algorithms
• Benchmarks
– Considered difficult to verify
– Require invariants with quantifiers
– Sorting, ideal benchmark programs

• 5 major sorting algorithms
– Insertion Sort, Bubble Sort (n2 version and termination checking
version), Selection Sort, Quick Sort and Merge Sort

• Properties:
– Sort elements
• ∀k : 0≤k<n => A[k] ≤A[k+1] --- output array is non-decreasing
– Maintain permutation, when elements distinct
• ∀k∃j : 0≤k<n => A[k]=Aold[j] & 0≤j<n --- no elements gained
• ∀k∃j : 0≤k<n => Aold[k]=A[j] & 0≤j<n --- no elements lost
Runtimes: Sortedness
16

14                                                                               Tool can prove
sortedness for all
12                                                                             sorting algorithms!

10
seconds

LFP
8
GFP
CFP
6

4

2

0
Selection Sort   Insertion Sort   Bubble Sort (n2)   Bubble Sort (flag)       Quick Sort   Merge Sort
Runtimes: Permutation
94.42

…
40
…Permutations too!
35

30

25
seconds

LFP
20
GFP
CFP
15

10

5

∞                                                                             ∞
0
Selection Sort    Insertion Sort   Bubble Sort (n2)   Bubble Sort (flag)     Quick Sort   Merge Sort
Inferring Preconditions
• Given a property (worst case runtime or functional correctness)
what is the input required for the property to hold

• Tool automatically infers non-trivial inputs/preconditions

• Worst case input (precondition) for sorting:
– Selection Sort: sorted array except last element is the smallest
– Insertion, Quick Sort, Bubble Sort (flag): Reverse sorted array

• Inputs (precondition) for functional correctness:
– Binary search requires sorted input array
– Merge in Merge sort requires sorted inputs
– Missing initializers required in various other programs
Runtimes (GFP): Inferring worst case
inputs for sorting
45

40                                                         Tool infers worst
case inputs for all
35                                                        sorting algorithms!
30
seconds

25

Nothing to infer as all inputs
20
yield the same behavior
15

10

5

0
Selection Sort   Insertion Sort   Bubble Sort (n2)   Bubble Sort (flag)     Quick Sort    Merge Sort
Conclusions
• Powerful invariant inference over predicate abstraction
– Can infer quantifier invariants

• Three algorithms with different strengths
– Iterative: Least fixed-point and Greatest fixed-point
– Constraint-based

• Extend to maximally-weak precondition inference
– Worst case inputs
– Preconditions for functional correctness

• Techniques builds on SMT Solvers, so exploit their power

• Successfully verified/inferred preconditions
– All major sorting algorithms
– Other difficult benchmarks

• Project Webpage: http://www.cs.umd.edu/~saurabhs/pacs

```
DOCUMENT INFO
Shared By:
Categories:
Tags:
Stats:
 views: 0 posted: 4/8/2013 language: Unknown pages: 32
How are you planning on using Docstoc?