program verification using templates over predicate abstraction
Post on 22-Feb-2016
55 Views
Preview:
DESCRIPTION
TRANSCRIPT
Program Verification using Templates over Predicate Abstraction
Saurabh SrivastavaUniversity of Maryland, College Park
Sumit GulwaniMicrosoft Research, Redmond
What the technique will let you do!A. Infer invariants with
arbitrary quantification and boolean structure∀∀∃
j....
Aold
∀k∃j..∀k1,k2 k1 k2
€
≤
for i = 0..n{
for j = i..n{
find min index
}if (min != i) swap A[i] with
A[min]}
Selection Sort:
k1 k2
€
≤
<
: E.g. Sortedness: E.g. Permutation
B. Infer weakest preconditions
Anewk
Worst case behavior: swap every time it can
Weakest conditions on input:
Improves the state-of-art• Can infer very expressive invariants
• Quantification– E.g. ∀k∃j : (k<n) => (A[k]=B[j] ∧ j<n)
• Disjunction– E.g. ∀k : (k<0 ∨ k>n ∨ A[k]=0)
– Previous techniques are too specialized to particular types of quantification or to quantifier-free disjunction
• Can infer weakest preconditions• Good for debugging: can discover worst case inputs• Good for analysis: can infer missing precondition facts
– No satisfactory solutions known
Key facilitators• Templates
– Task of inferring conjunctive facts for the holes remains• Predicate Abstraction
– Allows us to efficiently compute solutions for the holes
– E.g., {i<j, i>j, i≤j, i≥j, i<j-1, i>j+1… }
€
∀k1∃k2 : (−)⇒ (−)
€
∀k : (−)⇒ (−)Unknown
holes
€
x opr (y opa c)Relational operator
<, ≤, >, ≥ …Arithmetic operator
+, - …
Program variables,array elements
Limitedconstants
Outline• Three fixed-point inference algorithms
– Iterative fixed-point• Greatest Fixed-Point (GFP)• Least Fixed-Point (LFP)
– Constraint-based (CFP)
• Optimal Solutions– Built over a clean theorem proving interface
• Weakest Precondition Generation
• Experimental evaluation
(LFP)
(GFP)
(CFP)
Outline• Three fixed-point inference algorithms
– Iterative fixed-point• Greatest Fixed-Point (GFP)• Least Fixed-Point (LFP)
– Constraint-based (CFP)
• Optimal Solutions– Built over a clean theorem proving interface
• Weakest Precondition Generation
• Experimental evaluation
(LFP)
(GFP)
(CFP)
Analysis Setup
post
pre
I1
I2
Loop headers (with invariants) split program into simple paths. Simple paths induce program constraints (verification conditions)
vc(pre,I1)
vc(I1,post) vc(I1,I2)
vc(I2,I2)vc(I2,I1)
true ∧ i=0 => I1
I1 ∧ i≥n => sorted array
I1 ∧ i<n ∧ j=i => I2
Sorted array
i<n
true
j<n
Find min index
if (min != i) swap A[i], A[min]
i:=0
j:=i
I1
I2
E.g. Selection Sort:
I1 ∧ i≥n => ∀k1,k2 : 0≤k1<k2<n => A[k1] ≤A[k2]
Analysis Setup
post
pre
I1
I2
Loop headers (with invariants) split program into simple paths. Simple paths induce program constraints (verification conditions)
vc(pre,I1)
vc(I1,post) vc(I1,I2)
vc(I2,I2)vc(I2,I1)
true ∧ i=0 => I1
I1 ∧ i<n ∧ j=i => I2
Simple FOL formulae over I1,
I2!We will exploit this.
Candidate Solution
Iterative Fixed-point: Overview
post
pre
I1
I2
vc(pre,I1)
vc(I1,post) vc(I1,I2)
vc(I2,I2)vc(I2,I1)
{ vc(pre,I1),vc(I1,I2) }
VCs that are not satisfied
✗✓
✓ ✓
✗
Values for invariants
<x,y>
Computable because:– Templates make ∨ explicit– Predicate abstraction
restricts search to finite space
Iterative Fixed-point: Overview
post
pre
I1
I2
vc(pre,I1)
vc(I1,post) vc(I1,I2)
vc(I2,I2)vc(I2,I1)
Improve candidate– Pick unsat VC– Use theorem prover to
compute optimal change– Results in new candidates
<x,y> { … }
Set of candidates
Improve candidate
Candidate satisfies all
VCs
Backwards Iterative (GFP)
post
pre
Backward: • Always pick the source invariant of unsat constraint to improve• Start with <⊤, …,⊤>
Candidate Sols <I1,I2> Unsat
constraints<⊤, ⊤> { vc(I1,post) }
⊤
⊤
✓✓
✓
✗✓
Backwards Iterative (GFP)
post
pre
a1
⊤
✓ ✓
Backward: • Always pick the source invariant of unsat constraint to improve• Start with <⊤, …,⊤>
Candidate Sols <I1,I2> Unsat
constraints<⊤, ⊤> { vc(I1,post) }
<a1, ⊤> { vc(I2,I1) }
✓
Optimally strengthen so vc(pre,I1) ok unless no soln
✗✓
Backwards Iterative (GFP)
post
pre
a1
b2
✓ ✓
Backward: • Always pick the source invariant of unsat constraint to improve• Start with <⊤, …,⊤>
Candidate Sols <I1,I2> Unsat
constraints<⊤, ⊤> { vc(I1,post) }
<a1, ⊤> { vc(I2,I1) }
<a1,b1> { vc(I2,I2) }<a1,b2> { vc(I2,I2),vc(I1,I2) }
Multiple orthogonal optimal sols
✓
Optimally strengthen so vc(pre,I1) ok unless no soln
✗✗
Backwards Iterative (GFP)
post
pre
✓ ✓✓
Backward: • Always pick the source invariant of unsat constraint to improve• Start with <⊤, …,⊤>
Candidate Sols <I1,I2> Unsat
constraints<⊤, ⊤> { vc(I1,post) }
<a1, ⊤> { vc(I2,I1) }
<a1,b1> { vc(I2,I2) }<a1,b2> { vc(I2,I2),vc(I1,I2) }
<a1,b1> { vc(I2,I2) }<a1,b’2> { vc(I1,I2) }
Multiple orthogonal optimal sols
✓
Optimally strengthen so vc(pre,I1) ok unless no soln
✗b’2
a1
Backwards Iterative (GFP)
post
pre
✓ ✓✓
✓
Backward: • Always pick the source invariant of unsat constraint to improve• Start with <⊤, …,⊤>
Candidate Sols <I1,I2> Unsat
constraints<⊤, ⊤> { vc(I1,post) }
<a1, ⊤> { vc(I2,I1) }
<a1,b1> { vc(I2,I2) }<a1,b2> { vc(I2,I2),vc(I1,I2) }
<a1,b1> { vc(I2,I2) }<a1,b’2> { vc(I1,I2) }
<a1,b1> { vc(I2,I2) }<a’1,b’2> none
Multiple orthogonal optimal sols
✓
Optimally strengthen so vc(pre,I1) ok unless no soln
b’2
a’1
<a’1,b’2> : GFP solution
Forward Iterative (LFP)
Forward: Same as GFP except
• Pick the destination invariant of unsat constraint to improve
• Start with <⊥,…,⊥>
Constraint-based over Predicate Abstraction
post
pre
I1
I2
vc(pre,I1)
vc(I1,post) vc(I1,I2)
vc(I2,I2)vc(I2,I1)
Constraint-based over Predicate Abstraction
vc(pre,I1)
vc(I1,post)vc(I1,I2)
vc(I2,I2)
vc(I2,I1)
pred(I1)
€
∀k : (−)⇒ (−) template
p1,p2…pr p1,p2…pr
unknown 1 unknown 2
predicates
b11,b2
1…br
1b1
2,b22…br
2 boolean indicators
I1Remember: VCs are FOL
formulae over I1, I2
Constraint-based over Predicate Abstraction
vc(pre,I1)
vc(I1,post)vc(I1,I2)
vc(I2,I2)
vc(I2,I1)
pred(I1)
pred(A) : A to unknown predicate
indicator variables
Remember: VCs are FOL
formulae over I1, I2
Remember: VCs are FOL
formulae over I1, I2
Constraint-based over Predicate Abstraction
vc(pre,I1)
vc(I1,post)vc(I1,I2)
vc(I2,I2)
vc(I2,I1)
boolc(pred(I1), pred(I2))
Optimal solutions from SMT solver to impose
minimal constrain
ts
pred(A) : A to unknown predicate
indicator variables
boolc(pred(I1))
boolc(pred(I2), pred(I1))
boolc(pred(I2)) Boolean constraintto satisfying soln
(SAT Solver)
Invariant soln∧
boolc(pred(I1))
Program constraintto boolean constraint
SAT formulae over predicate
indicators
Local reasoning Fixed-Point Computation
Outline• Three fixed-point inference algorithms
– Iterative fixed-point• Greatest Fixed-Point (GFP)• Least Fixed-Point (LFP)
– Constraint-based (CFP)
• Optimal Solutions– Built over a clean theorem proving interface
• Weakest Precondition Generation
• Experimental evaluation
(LFP)
(GFP)
(CFP)
Optimal Solutions• Key: Polarity of unknowns in formula Φ
– Positive or negative:• Value of positive unknown stronger => Φ stronger• Value of negative unknown stronger => Φ weaker
• Optimal Soln: Maximally strong positives, maximally weak negatives
• Assume theorem prover interface: OptNegSol– Optimal solutions for formula with only negative unknowns– Built using a lattice search by querying SMT Solver
¬negative
u1
positive∨ u2 ) ∧ u3(
positive∀x : ∃y : Φ =
Optimal Solutions using OptNegSolformula Φ contains unknowns:
Repeat until set stable
Optimal Solutions for formula Φ
OptOpt’
Opt’’
Merge
…
Merge positive tuples
Φ[ ]Φ[ ]
Φ[ ]
u1…uP positive u1…uN negative
…
a1…aPa’1…a’P
a’’1…a’’P
P-tuple that assigns a single predicate
to each positive unknown
a1…aP,S1…SNa’1…a’P,S’1…S’N
…
Si soln for the negative unknowns
a’’1…a’’P,S’’1…S’’N
OptNegSol
…
P x
Size
of p
redi
cate
set
Outline• Three fixed-point inference algorithms
– Iterative fixed-point• Greatest Fixed-Point (GFP)• Least Fixed-Point (LFP)
– Constraint-based (CFP)
• Optimal Solutions– Built over a clean theorem proving interface
• Weakest Precondition Generation
• Experimental evaluation
(LFP)
(GFP)
(CFP)
Outline• Three fixed-point inference algorithms
– Iterative fixed-point• Greatest Fixed-Point (GFP)• Least Fixed-Point (LFP)
– Constraint-based (CFP)
• Optimal Solutions– Built over a clean theorem proving interface
• Weakest Precondition Generation
• Experimental evaluation
(LFP)
(GFP)
(CFP)
Implementation
C Program
Templates
Predicate Set
CFG
InvariantsPreconditions
Microsoft’s Phoenix Compiler Verification
Conditions
IterativeFixed-point
GFP/LFP
Constraint-based
Fixed-Point
Candidate Solutions
Boolean Constraint
Z3 SMT Solver
Verifying Sorting Algorithms• Benchmarks
– Considered difficult to verify– Require invariants with quantifiers– Sorting, ideal benchmark programs
• 5 major sorting algorithms– Insertion Sort, Bubble Sort (n2 version and termination checking
version), Selection Sort, Quick Sort and Merge Sort
• Properties:– Sort elements
• ∀k : 0≤k<n => A[k] ≤A[k+1] --- output array is non-decreasing– Maintain permutation, when elements distinct
• ∀k∃j : 0≤k<n => A[k]=Aold[j] & 0≤j<n --- no elements gained• ∀k∃j : 0≤k<n => Aold[k]=A[j] & 0≤j<n --- no elements lost
Runtimes: Sortedness
Selection Sort Insertion Sort Bubble Sort (n2) Bubble Sort (flag) Quick Sort Merge Sort0
2
4
6
8
10
12
14
16
LFPGFPCFP
seco
nds
Tool can prove sortedness for all
sorting algorithms!
Runtimes: Permutation
Selection Sort Insertion Sort Bubble Sort (n2) Bubble Sort (flag) Quick Sort Merge Sort0
5
10
15
20
25
30
35
40
LFPGFPCFP
∞ ∞
…
94.42
seco
nds
…Permutations too!
Inferring Preconditions• Given a property (worst case runtime or functional
correctness) what is the input required for the property to hold
• Tool automatically infers non-trivial inputs/preconditions
• Worst case input (precondition) for sorting:– Selection Sort: sorted array except last element is the smallest– Insertion, Quick Sort, Bubble Sort (flag): Reverse sorted array
• Inputs (precondition) for functional correctness:– Binary search requires sorted input array– Merge in Merge sort requires sorted inputs– Missing initializers required in various other programs
Runtimes (GFP): Inferring worst case inputs for sorting
seco
nds
Selection Sort Insertion Sort Bubble Sort (n2) Bubble Sort (flag) Quick Sort Merge Sort0
5
10
15
20
25
30
35
40
45
Tool infers worst case inputs for all
sorting algorithms!
Nothing to infer as all inputs yield the same behavior
Conclusions• Powerful invariant inference over predicate abstraction
– Can infer quantifier invariants
• Three algorithms with different strengths– Iterative: Least fixed-point and Greatest fixed-point– Constraint-based
• Extend to maximally-weak precondition inference– Worst case inputs– Preconditions for functional correctness
• Techniques builds on SMT Solvers, so exploit their power
• Successfully verified/inferred preconditions– All major sorting algorithms– Other difficult benchmarks
• Project Webpage: http://www.cs.umd.edu/~saurabhs/pacs
top related