
From Invariant Checking to Invariant Inference Using Randomized Search

Rahul Sharma and Alex Aiken (Stanford University)





Presentation Transcript


  1. Rahul Sharma and Alex Aiken (Stanford University) From Invariant Checking to Invariant Inference Using Randomized Search

  2. Randomized Search x = i; y = j; while y!=0 do x = x-1; y = y-1; if( i==j ) assert x==0 • No! • Yes!

  3. Invariants Heap Numerical Arrays Strings

  4. Loop Invariant Inference assume P while B do S assert Q • Find that satisfies Find a valuation of unknown predicates that makes the verification conditions (VCs) valid

  5. Inference as Search • Given a set of candidates • Goal is to find a candidate that satisfies the VCs • This problem is hard! • Effective domain specific approaches • Numerical, arrays, linked lists, etc. Is it possible to have a general search procedure?

  6. C2I • (Domain-specific) Checker + (General) Search = Inference • To obtain an invariant inference engine • Instantiate the search with a search space • An SMT solver to check

  7. Main Contribution • A generally applicable randomized search • Numerical, array, linked lists, and strings • Competitive performance with specialized approaches

  8. MCMC Search • Markov Chain Monte Carlo (MCMC) sampling • The only known tractable solution method for high dimensional irregular search spaces [andrieu 03][chenney 00]

  9. MCMC Overview (figure: MCMC walk over candidates with their cost values)

  10. Search • while( ) • Propose a random modification to • if cost decreased then accept • if cost increased then • with some probability accept anyway • return

  11. Cost Function (First Attempt) • Problems • Throughput < 1000 iterations per second • No incremental feedback

  12. Cost Function (Fixed) • Given sets of concrete states • G: some reachable states • B: some bad states • Z: some implications (figure: candidate I against good states g, bad states b and implication pairs s, t) • Incremental feedback • Efficient to evaluate

  13. Concrete States assume P while B do S assert Q • Reachable state • Pair , • Bad state ,

  14. Overall Algorithm • Given G, Z, and B, for the cost function • Run search until a 0-cost candidate is found • SMT solver checks that satisfies all the VCs • If yes, then done • Update G, Z, or B and repeat • SMT solvers can generate counterexamples • If not then generate from executions

  15. LIA Invariants • Program has integral variables • Search space: • Transformations for MCMC: • Update a • Update a • Update all and of a single inequality
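As an added example (not code from the talk or from the authors' C2I tool), the pieces of slides 10 to 15 put together for the slide-2 program: the concrete-state cost over G, B and Z from slide 12, a Metropolis walk with the three slide-15 moves over conjunctions of two inequalities, and the slide-14 loop of search, check, add counterexample, repeat. Assumptions of mine: the SMT solver is replaced by a bounded exhaustive check of the three VCs, coefficients are limited to {-1, 0, 1} and constants to [-2, 2], and every function name is hypothetical.

```python
import math, random
# Loop-head state of the slide-2 program: (i, j, x, y). A candidate invariant is a
# conjunction of inequalities (c, d) meaning c[0]*i + c[1]*j + c[2]*x + c[3]*y <= d.
def holds(inv, s):
    return all(c[0]*s[0] + c[1]*s[1] + c[2]*s[2] + c[3]*s[3] <= d for c, d in inv)
def cost(inv, G, B, Z):  # slide 12: uncovered good + covered bad + broken implications
    return (sum(not holds(inv, g) for g in G) + sum(holds(inv, b) for b in B)
            + sum(holds(inv, s) and not holds(inv, t) for s, t in Z))
def run_program(i, j):  # execute the slide-2 loop, recording every loop-head state
    x, y, states = i, j, [(i, j, i, j)]
    while y != 0:
        x, y = x - 1, y - 1; states.append((i, j, x, y))
    return states

def mcmc_search(G, B, Z, rng=random, k=2, iters=50000):
    # slide 10/15: Metropolis walk over k inequalities, coefficients in {-1,0,1}, d in [-2,2]
    inv = [((0, 0, 0, 0), 0)] * k; cur = cost(inv, G, B, Z)   # start from the trivial candidate
    while iters and cur:
        iters -= 1
        cand, idx, m = list(inv), rng.randrange(k), rng.random()
        c, d = list(cand[idx][0]), cand[idx][1]
        if m < 0.45: c[rng.randrange(4)] = rng.randint(-1, 1)             # one coefficient
        elif m < 0.9: d = rng.randint(-2, 2)                               # the constant
        else: c, d = [rng.randint(-1, 1) for _ in c], rng.randint(-2, 2)  # whole inequality
        cand[idx] = (tuple(c), d)
        new = cost(cand, G, B, Z)
        if new <= cur or rng.random() < math.exp(cur - new): inv, cur = cand, new  # uphill w.p. e^-delta
    return inv if cur == 0 else None

def check(inv, bound=3):  # bounded exhaustive stand-in for the SMT check of the three VCs
    R = range(-bound, bound + 1)
    for i, j in ((i, j) for i in R for j in R):
        if not holds(inv, (i, j, i, j)): return "G", (i, j, i, j)         # initiation fails
        for s in ((i, j, x, y) for x in R for y in R if holds(inv, (i, j, x, y))):
            t = (i, j, s[2] - 1, s[3] - 1)
            if s[3] != 0 and not holds(inv, t): return "Z", (s, t)         # not inductive
            if s[3] == 0 and i == j and s[2] != 0: return "B", s           # assertion fails
    return None
def initial_data():  # G from executions (j >= 0 so the loop terminates), B from the assertion
    G = [s for i in range(-2, 3) for j in range(4) for s in run_program(i, j)]
    B = [(i, i, x, 0) for i in range(-2, 3) for x in range(-2, 3) if x != 0]
    return G, B, []
def infer(seed=0, rounds=8):  # slide 14: search to 0 cost, check, add the counterexample, repeat
    rng, (G, B, Z) = random.Random(seed), initial_data()
    for _ in range(rounds):
        inv = mcmc_search(G, B, Z, rng)
        cex = inv and check(inv)
        if inv is None or cex is None: return inv
        {"G": G, "Z": Z, "B": B}[cex[0]].append(cex[1])
    return None
```

On the initial data only the true invariant x - y = i - j (two opposite inequalities with constant 0) has cost 0, so a run either returns it or gives up after the iteration budget.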

  16. Safety Properties

  17. Non-termination

  18. Arrays • Fluid updates abstraction of DDA (ESOP’10) • Z3 fails to generate counterexamples • MCMC on this search space times out on ~30% • Restrict search space: handle each in under a second

  19. Lists • Search space: Boolean combinations of atoms • Atoms are relations • Reachability relations • Use EPR (CAV’13) for check

  20. Strings • Operations that intermix strings and integers • length(s), indexOf(s1, s2), substr(s1, i1, i2), … • Search space: Boolean combinations of predicates • Z3-Str (FSE’13) for check

  21. Conclusion • Static invariant inference is a hard problem, made easier by separating search and check • Search based techniques can work • Competitive with other methods • Easier to retarget to new domains • Future work, scale MCMC to full program proofs

  22. Related Work • Pranav Garg, Christof Löding, P. Madhusudan, Daniel Neider: ICE: A Robust Framework for Learning Invariants. CAV 2014 • Shachar Itzhaky, Nikolaj Bjørner, Thomas W. Reps, Mooly Sagiv, Aditya V. Thakur: Property-Directed Shape Analysis. CAV 2014 • Rajeev Alur, Rastislav Bodík, Garvit Juniwal, Milo M. K. Martin, Mukund Raghothaman, Sanjit A. Seshia, Rishabh Singh, Armando Solar-Lezama, Emina Torlak, Abhishek Udupa: Syntax-guided synthesis. FMCAD 2013 • Ashutosh Gupta, Rupak Majumdar, Andrey Rybalchenko: From tests to proofs. STTT 15(4) (2013) • Yungbum Jung, Soonho Kong, Bow-Yaw Wang, Kwangkeun Yi: Deriving Invariants by Algorithmic Learning, Decision Procedures, and Predicate Abstraction. VMCAI 2010 • Sumit Gulwani, Nebojsa Jojic: Program verification as probabilistic inference. POPL 2007: 277-289
