1 / 33

Program Verification using Templates over Predicate Abstraction

Program Verification using Templates over Predicate Abstraction. Saurabh Srivastava University of Maryland, College Park Sumit Gulwani Microsoft Research, Redmond. What the technique will let you do!. A. Infer invariants with arbitrary quantification and boolean structure ∀ ∀∃.

hedwig
Download Presentation

Program Verification using Templates over Predicate Abstraction

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Program Verification using Templates over Predicate Abstraction Saurabh Srivastava University of Maryland, College Park SumitGulwani Microsoft Research, Redmond

  2. What the technique will let you do! A. Infer invariants with arbitrary quantification and boolean structure ∀ ∀∃ • B. Infer weakest preconditions k2 k1 < Weakest conditions on input: : E.g. Sortedness • Selection Sort: for i = 0..n { for j = i..n { find min index } if (min != i) swap A[i] with A[min] } : E.g. Permutation Worst case behavior: swap every time it can .. ∀k1,k2 k1 k2 Aold .. j .. k • Anew ∀k∃j

  3. Improves the state-of-art • Can infer very expressive invariants • Quantification • E.g. ∀k∃j : (k<n) => (A[k]=B[j] ∧ j<n) • Disjunction • E.g. ∀k : (k<0 ∨k>n∨A[k]=0) • Previous techniques are too specialized to particular types of quantification or to quantifier-free disjunction • Can infer weakest preconditions • Good for debugging: can discover worst case inputs • Good for analysis: can infer missing precondition facts • No satisfactory solutions known

  4. Key facilitators • Templates • Task of inferring conjunctive facts for the holes remains • Predicate Abstraction • Allows us to efficiently compute solutions for the holes • E.g., {i<j, i>j, i≤j, i≥j, i<j-1, i>j+1… } Unknown holes Limited constants Program variables, array elements Relational operator <, ≤, >, ≥ … Arithmetic operator +, - …

  5. Outline • Three fixed-point inference algorithms • Iterative fixed-point • Greatest Fixed-Point (GFP) • Least Fixed-Point (LFP) • Constraint-based (CFP) • Optimal Solutions • Built over a clean theorem proving interface • Weakest Precondition Generation • Experimental evaluation (GFP) (CFP) (LFP)

  6. Outline • Three fixed-point inference algorithms • Iterative fixed-point • Greatest Fixed-Point (GFP) • Least Fixed-Point (LFP) • Constraint-based (CFP) • Optimal Solutions • Built over a clean theorem proving interface • Weakest Precondition Generation • Experimental evaluation (GFP) (CFP) (LFP)

  7. Analysis Setup E.g. Selection Sort: pre true true ∧i=0 => I1 i:=0 vc(pre,I1) I1 ∧i<n∧ j=i => I2 I1 • if (min != i) • swap A[i], A[min] I1 i<n vc(I1,post) Find min index j:=i vc(I1,I2) I2 I2 j<n Sorted array post vc(I2,I2) vc(I2,I1) I1 ∧i≥n =>sorted array Loop headers (with invariants) split program into simple paths. Simple paths induce program constraints (verification conditions)

  8. Analysis Setup pre true ∧i=0 => I1 vc(pre,I1) I1 ∧i<n∧ j=i => I2 I1 vc(I1,post) vc(I1,I2) Simple FOL formulae over I1, I2! We will exploit this. I2 post vc(I2,I2) vc(I2,I1) I1 ∧i≥n => ∀k1,k2 : 0≤k1<k2<n => A[k1] ≤A[k2] Loop headers (with invariants) split program into simple paths. Simple paths induce program constraints (verification conditions)

  9. Iterative Fixed-point: Overview Candidate Solution Values for invariants pre <x,y>  { vc(pre,I1),vc(I1,I2)} vc(pre,I1) ✗ I1 VCs that are not satisfied vc(I1,post) vc(I1,I2) ✓ ✗ I2 post vc(I2,I2) ✓ vc(I2,I1) ✓

  10. Iterative Fixed-point: Overview pre vc(pre,I1) I1 vc(I1,post) vc(I1,I2) • Improve candidate • Pick unsat VC • Use theorem prover to compute optimal change • Results in new candidates I2 • Improve • candidate post vc(I2,I2) vc(I2,I1) Candidate satisfies all VCs • Computablebecause: • Templates make ∨ explicit • Predicate abstraction restricts search to finite space Set of candidates <x,y>  { … }

  11. Backwards Iterative (GFP) pre ✓ ⊤ ✗ ✓ ✓ ✓ ⊤ post • Backward: • Always pick the source invariant of unsat constraint to improve • Start with <⊤, …,⊤>

  12. Backwards Iterative (GFP) Optimally strengthen so vc(pre,I1)ok unless no soln pre ✓ a1 ✓ ✗ ✓ ✓ ⊤ post • Backward: • Always pick the source invariant of unsat constraint to improve • Start with <⊤, …,⊤>

  13. Backwards Iterative (GFP) Optimally strengthen so vc(pre,I1)ok unless no soln pre ✓ Multiple orthogonal optimal sols a1 ✓ ✗ ✓ ✗ b2 post • Backward: • Always pick the source invariant of unsat constraint to improve • Start with <⊤, …,⊤>

  14. Backwards Iterative (GFP) Optimally strengthen so vc(pre,I1)ok unless no soln pre ✓ Multiple orthogonal optimal sols a1 ✓ ✓ ✗ b’2 ✓ post • Backward: • Always pick the source invariant of unsat constraint to improve • Start with <⊤, …,⊤>

  15. Backwards Iterative (GFP) Optimally strengthen so vc(pre,I1)ok unless no soln pre ✓ Multiple orthogonal optimal sols a’1 ✓ ✓ ✓ b’2 ✓ post <a’1,b’2> : GFP solution • Backward: • Always pick the source invariant of unsat constraint to improve • Start with <⊤, …,⊤>

  16. Forward Iterative (LFP) Forward: Same as GFP except • Pick the destination invariant of unsat constraint to improve • Start with <⊥,…,⊥>

  17. Constraint-based over Predicate Abstraction pre vc(pre,I1) I1 vc(I1,post) vc(I1,I2) I2 post vc(I2,I2) vc(I2,I1)

  18. Constraint-based over Predicate Abstraction pred(I1) vc(pre,I1) vc(I1,post) b11,b21…br1 b12,b22…br2 boolean indicators vc(I1,I2) p1,p2…pr p1,p2…pr predicates vc(I2,I1) unknown 2 unknown 1 template vc(I2,I2) I1 Remember: VCs are FOL formulae over I1, I2

  19. Constraint-based over Predicate Abstraction pred(I1) vc(pre,I1) vc(I1,post) vc(I1,I2) vc(I2,I1) vc(I2,I2) Remember: VCs are FOL formulae over I1, I2 pred(A) : A to unknown predicate indicator variables

  20. Constraint-based over Predicate Abstraction SAT formulae over predicate indicators Program constraint to boolean constraint Optimal solutions from SMT solver to impose minimal constraints boolc(pred(I1)) vc(pre,I1) boolc(pred(I1)) vc(I1,post) Invariant soln ∧ boolc(pred(I1), pred(I2)) vc(I1,I2) boolc(pred(I2), pred(I1)) vc(I2,I1) boolc(pred(I2)) vc(I2,I2) Boolean constraint to satisfying soln (SAT Solver) Remember: VCs are FOL formulae over I1, I2 pred(A) : A to unknown predicate indicator variables Fixed-Point Computation Local reasoning

  21. Outline • Three fixed-point inference algorithms • Iterative fixed-point • Greatest Fixed-Point (GFP) • Least Fixed-Point (LFP) • Constraint-based (CFP) • Optimal Solutions • Built over a clean theorem proving interface • Weakest Precondition Generation • Experimental evaluation (GFP) (CFP) (LFP)

  22. Optimal Solutions • Key: Polarity of unknowns in formula Φ • Positive or negative: • Value of positive unknown stronger => Φstronger • Value of negative unknown stronger => Φweaker • Optimal Soln: Maximally strong positives, maximally weak negatives • Assume theorem prover interface: OptNegSol • Optimal solutions for formula with only negative unknowns • Built using a lattice search by querying SMT Solver positive positive negative u1 ∨ u2 ) ∧ u3 ( ∀x : ∃y : Φ = ¬

  23. Optimal Solutions using OptNegSol formula Φ contains unknowns: u1…uP positive u1…uN negative Repeat until set stable OptNegSol Φ[ ] Φ[ ] Φ[ ] a1…aP,S1…SN Opt a1…aP Merge a’1…a’P a’1…a’P,S’1…S’N Opt’ … … … … P x Size of predicate set Opt’’ Optimal Solutions for formula Φ a’’1…a’’P,S’’1…S’’N a’’1…a’’P P-tuple that assigns a single predicate to each positive unknown Merge positive tuples Sisoln for the negative unknowns

  24. Outline • Three fixed-point inference algorithms • Iterative fixed-point • Greatest Fixed-Point (GFP) • Least Fixed-Point (LFP) • Constraint-based (CFP) • Optimal Solutions • Built over a clean theorem proving interface • Weakest Precondition Generation • Experimental evaluation (GFP) (CFP) (LFP)

  25. Outline • Three fixed-point inference algorithms • Iterative fixed-point • Greatest Fixed-Point (GFP) • Least Fixed-Point (LFP) • Constraint-based (CFP) • Optimal Solutions • Built over a clean theorem proving interface • Weakest Precondition Generation • Experimental evaluation (GFP) (CFP) (LFP)

  26. Implementation Microsoft’s Phoenix Compiler Verification Conditions C Program CFG Templates Predicate Set Iterative Fixed-point GFP/LFP Constraint- based Fixed-Point Z3 SMT Solver Candidate Solutions Boolean Constraint Invariants Preconditions

  27. Verifying Sorting Algorithms • Benchmarks • Considered difficult to verify • Require invariants with quantifiers • Sorting, ideal benchmark programs • 5 major sorting algorithms • Insertion Sort, Bubble Sort (n2 version and termination checking version), Selection Sort, Quick Sort and Merge Sort • Properties: • Sort elements • ∀k : 0≤k<n => A[k] ≤A[k+1] --- output array is non-decreasing • Maintain permutation, when elements distinct • ∀k∃j : 0≤k<n => A[k]=Aold[j] & 0≤j<n --- no elements gained • ∀k∃j : 0≤k<n => Aold[k]=A[j] & 0≤j<n --- no elements lost

  28. Runtimes: Sortedness Tool can prove sortedness for all sorting algorithms! seconds

  29. Runtimes: Permutation 94.42 …Permutations too! … seconds ∞ ∞

  30. Inferring Preconditions • Given a property (worst case runtime or functional correctness) what is the input required for the property to hold • Tool automatically infers non-trivial inputs/preconditions • Worst case input (precondition) for sorting: • Selection Sort: sorted array except last element is the smallest • Insertion, Quick Sort, Bubble Sort (flag): Reverse sorted array • Inputs (precondition) for functional correctness: • Binary search requires sorted input array • Merge in Merge sort requires sorted inputs • Missing initializers required in various other programs

  31. Runtimes (GFP): Inferring worst case inputs for sorting Tool infers worst case inputs for all sorting algorithms! seconds Nothing to infer as all inputs yield the same behavior

  32. Conclusions • Powerful invariant inference over predicate abstraction • Can infer quantifier invariants • Three algorithms with different strengths • Iterative: Least fixed-point and Greatest fixed-point • Constraint-based • Extend to maximally-weak precondition inference • Worst case inputs • Preconditions for functional correctness • Techniques builds on SMT Solvers, so exploit their power • Successfully verified/inferred preconditions • All major sorting algorithms • Other difficult benchmarks • Project Webpage: http://www.cs.umd.edu/~saurabhs/pacs

More Related