180 likes | 341 Views
. Motivation. Quantifiers are used in symbolic reasoning techniques like program verificationAxioms about otherwise uninterpreted functionsAxioms about type systemObject invariants, for all objects of a typeQuantifications in user input
E N D
1. A two-tier approach forsupporting quantifiersin a lazily proof-explicating theorem prover K. Rustan M. Leino Microsoft Research, Redmond
Madan Musuvathi Microsoft Research, Redmond
Xinming Ou Princeton University
2. Motivation Quantifiers are used in symbolic reasoning techniques like program verification
Axioms about otherwise uninterpreted functions
Axioms about type system
Object invariants, for all objects of a type
Quantifications in user input
…
3. Example To prove:
(?a,j,x • 0 = j ? j < Length(a) ? read(write(a,j,x), j) = x) ?
0 < Length(b)
?
read(write(b,0,10), 0) = 10
try to satisfy its negation:
(?a,j,x • 0 = j ? j < Length(a) ? read(write(a,j,x), j) = x) ?
0 < Length(b) ?
¬(read(write(b,0,10), 0) = 10)
4. Simplify
5. Lemmas-by-demand architecture
6. Adding quantifiers
7. What to do with instantiation facts Possible design: [Verifun: Flanagan, Joshi, Saxe, 2004]
return facts as lemmas, even though they may not refute M(that is, conjoin instantiations to input formula)
simple
lemmas returned may contain atomic formulas not in input
useful instantiations are automatically reused
pollution from useless instantiations will linger on forever
8. Two-tier approach Let a second SATsolver explore thenew disjunctions
9. CheckMonome(M) theories.Assert(M); theories.Checkpoint();facts := { }; loop { if (¬theories.Consistent(out lemmas)) { facts := facts ? lemmas; } else if (quant.GenerateFacts(out newFacts)) { facts := facts ? newFacts; } else { return satisfiable; } if (¬satSolver.Satisfiable(M ? facts, out monome)) { return smallest subset m of M such that ¬satSolver.Satisfiable(m ? facts); } theories.RestoreCheckpoint(); theories.Assert(monome);}
10. Example
11. Example
12. Example
13. Example
14. Example
15. Example
16. More tiers main design point: number of rounds before starting a new tier
17. Evaluation Implemented in Zap
Not yet enough data to say something conclusive about performance
On hand-produced examples with characteristics of realistic verification conditions, 2-tier approach performs fewer case splits than 1-tier approach, but the gains are counteracted by the rather expensive UnsatCore routine
We expect a long road toward understanding and tuning performance (cf. Simplify for ESC)
18. More fact generators quantifier instantiations
non-convex theories
loop-invariant strengthenings
19. Summary We added support for quantifiers in a lemmas-by-demand theorem prover
Pollution reduction technique
Instantiation facts are generated in a separate tier, lemmas returned are produced from useful facts
Theorem prover can have other fact generators too
Future work: gain more experience