1 / 29

Quantified Invariants in Rich Domains using Model Checking and Abstract Interpretation

Quantified Invariants in Rich Domains using Model Checking and Abstract Interpretation. Anvesh Komuravelli, CMU Joint work with Ken McMillan. The Problem. Quantified Invariants!. Safe + Proof. Array-Manipulating Program P + Assertions. Automatic analysis for assertion failures.

jens
Download Presentation

Quantified Invariants in Rich Domains using Model Checking and Abstract Interpretation

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Quantified Invariants in Rich DomainsusingModel Checking and Abstract Interpretation Anvesh Komuravelli, CMU Joint work with Ken McMillan

  2. The Problem Quantified Invariants! Safe + Proof Array-Manipulating Program P + Assertions Automatic analysis for assertion failures Unsafe + CEX Unknown + Partial Proof

  3. Quantified Invariants, Typically • Specialized Abstract Domains • E.g. Segmentation abstraction, • Indexed Predicate Abstraction, • Points-to Analysis, etc. • Restrictive • False warnings • Unrestricted Model Checking • E.g. Interpolation-based • Hard to find the right quantifiers • Divergence Rich-enough abstract domain?

  4. The abstract domain Quantified variables Abstract Domain Predicate signature i := 0; while (i < n) { // a[i] := c; i++; } assume (0 ≤ k < n) assert (a[k] = c) Goal: Find a quantifier-free interpretation of the predicates

  5. Guess-and-check doesn’t work anymore! i := 0; while (i < n) { // a[i] := c; i++; } assume (0 ≤ k < n) assert (a[k] = c) Given a guess for P, how to check if it suffices? FOL validity is undecidable! Can we still use existing model checkers?

  6. Let’s look at the VCs i := 0; while (i < n) { // a[i] := c; i++; } assume (0 ≤ k < n) assert (a[k] = c)

  7. Let’s look at the VCs Pulled to the outermost scope

  8. Let’s look at the VCs Real challenge! Find a sufficient set of witnesses

  9. Let’s look at the VCs Reduces to quantifier-free invariantgeneration (use an off-the-shelf model checker)

  10. Two Goals Quantified variables Abstract Domain Predicate signature i := 0; while (i < n) { // a[i] := c; i++; } assume (0 ≤ k < n) assert (a[k] = c) Goal 1: Find a sufficient set of witnesses for j Goal 2: Find a quantifier-free interpretation of the predicates

  11. A Strategy Eager Syntactic Pattern Matching [BMR13] Guess some witnesses Y Found Proof Check if they suffice using a model checker N • Unguided instantiation • Worst-case unbounded • Grows exponentially with number of quantified vars • May choke the model checker • No fall-back strategy Give up! [BMR13]: On Solving Universally Quantified Horn Clauses, Bjorner, McMillan, Rybalchenko, SAS’13

  12. Our Strategy Guess some witnesses Y Found Proof Check if they suffice using a model checker N CEX Constraint on the witness Refine the guess Guess-and-check, but of the witnesses and not the invariant itself

  13. Obtaining Strong Constraints Generalized Counterexamples  Strong Constraints • Symbolic Counterexamples • Number of variables = O(size) • Constraint solving becomes harder • (easily diverging) Ground Counterexamples + Abstract Interpretation

  14. Note – one witness suffices! May not be expressible! is equivalent to

  15. Concrete vs. Abstract

  16. Concrete vs. Abstract

  17. The algorithm [B] [L] [E]

  18. The algorithm [B] B P(k0,v0,i0,c0) L [L] P(k1,v1,i1,c1) L P(k2,v2,i2,c2) E [E] Instantiate Check

  19. The algorithm B L E L P(k2,v2,i2,c2) P(k0,v0,i0,c0) P(k1,v1,i1,c1) Analyze Instantiate Check

  20. The algorithm B L E L P(0,0,1,0) P(0,0,0,0) P(0,0,2,0) ? ? ? ? ✕ ✕ ✕ ✕ Analyze Instantiate Check

  21. The algorithm B L E L P(0,1,0,0) P(0,0,0,0) P(0,2,0,0) ? ? ? ? ✕ ✕ ✕ ✕ Use k for j Analyze Instantiate Check

  22. The algorithm [B] [L] [E] Instantiate

  23. The algorithm [B] [L] [E] … Instantiate

  24. Finding a new witness Given Constraint local vars Check quantified variable Skolem Template f restrict to linear templates Solve for t using sampling-based approach

  25. Quantifier Alternation using Sampling Quantifier Elimination Pick candidate tc Eliminate arrays (thanks to Nikolaj for the discussion), Cheap QE of integers Y ? Return tc N CEX lc Add lc to existing samples S New candidate tc Source of Divergence! Y N ? CEX S

  26. Abstract Post, in practice 1. Cheap QE tricks, case-split on equalities on j, etc. 2. Under-approximate, otherwise. Solve Generalize models • 1. Cheap QE tricks, case-split on array-index arguments, etc. • 2. Under-approximate, otherwise. • Solve an SMT problem • Generalize models

  27. Experiments • Implemented “qe_array” tactic in Z3 • Prototype in Python using Z3Py interface for witness generation • Automatically generated “sufficient witnesses” for small array-manipulating • programs (BMR13) – array init, find, copy, concatenate, reverse, etc. • Used GPDR engine in Z3 to solve for quantifier-free predicates • Up to two universal quantifiers per predicate • Witness was just a local variable in the VC

  28. Moving forward… • Scalability • Handle large programs (with multiple procedures) • How to pick relevant “set” of witnesses? • Can we synthesize guards to combine them into a single witness? • Implementation-wise • Cache previous AI results • Reuse bounded proofs – Proof-based Abstraction • Lazy QE – postponing to later steps? • Alternatives • Use over-approximations of reachable states • Witness may not exist – need to refine the approximation

  29. Questions?

More Related