Trace Abstraction
Matthias Heizmann Jochen Hoenicke Andreas Podelski
University of Freiburg, Germany
Trace Abstraction: Interpolant-based software model checking for recursive programs
Software model checking
Thomas Ball, Sriram K. Rajamani: The SLAM project: debugging system software via static analysis (POPL 2002)
Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar, Grégoire Sutre: Lazy abstraction (POPL 2002)
Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar, Kenneth L. McMillan: Abstractions from proofs (POPL 2004)
Diagram: program --(theorem proving)--> abstract program --(model checking)--> invariant
Bottleneck: construction of the abstract program
Recent approaches: Avoid the classical construction of the abstract program
Franjo Ivančić, Ilya Shlyakhter, Aarti Gupta, Malay K. Ganai: Model checking C programs using F-SOFT (ICCD 2005)
Kenneth L. McMillan: Lazy abstraction with interpolants (CAV 2006)
Nels Beckman, Aditya V. Nori, Sriram K. Rajamani, Robert J. Simmons: Proofs from tests (ISSTA 2008)
Bhargav S. Gulavani, Supratik Chakraborty, Aditya V. Nori, Sriram K. Rajamani: Automatically refining abstract interpretations (TACAS 2008)
Klaus Dräger, Andrey Kupriyanov, Bernd Finkbeiner, Heike Wehrheim: SLAB: A Certifying Model Checker for Infinite-State Concurrent Systems (TACAS 2010)
William R. Harris, Sriram Sankaranarayanan, Franjo Ivančić, Aarti Gupta: Program analysis via satisfiability modulo path programs (POPL 2010)
One idea: Use interpolants to avoid the construction of the abstract program
Diagram: program --(theorem proving)--> abstract program --(model checking)--> invariant, now with an interpolating theorem prover
Ranjit Jhala, Kenneth L. McMillan: A practical and complete approach to predicate refinement (TACAS 2006)
Kenneth L. McMillan: Lazy abstraction with interpolants (CAV 2006)
Kenneth L. McMillan: Quantified invariant generation using an interpolating saturation prover (TACAS 2008)
Open: Interpolants in interprocedural analysis
Outline
• Formal setting / our point of view: a program is a language over the alphabet of statements.
• Excursion: interpolants
• Trace Abstraction with interpolants
• Trace Abstraction for recursive programs
Example – Our Model of a Verification Problem
Example program P:
    ℓ0: x:=0
    ℓ1: y:=0
    ℓ2: while(nondet) { x++ }
        assert x != -1
        assert y != -1
Control flow graph of P: locations ℓ0, ℓ1, ℓ2, ℓerr with the edges
    ℓ0 --x:=0--> ℓ1
    ℓ1 --y:=0--> ℓ2
    ℓ2 --x++--> ℓ2
    ℓ2 --x==-1--> ℓerr
    ℓ2 --y==-1--> ℓerr
Statements
Statement: a letter of our alphabet, with no further meaning. In our example:
Σ = {x:=0, y:=0, x++, x==-1, y==-1}
Trace: a word over the alphabet of statements. Example:
π = y==-1 . x++ . x++ . x:=0 . x==-1
(Control flow graph of P as above.)
Error Traces
Control Automaton AP: an automaton over the set of statements; it encodes a verification problem.
AP = 〈LOC, δ, {ℓinit}, {ℓerr}〉
Error Trace of P: a trace accepted by AP.
In our example, π = x:=0 . y:=0 . x++ . x==-1 is an error trace.
Control automaton AP: the control flow graph of P, with initial location ℓ0 and accepting location ℓerr.
Set Theoretic View of Trace Abstraction
Venn diagram: the set of all traces Σ*; inside it the traces respecting the control flow of P, L(AP), i.e. the error traces; and the feasible traces. Two traces are placed in the diagram: x:=0 . x++ . y==-1 and the error trace x:=0 . y:=0 . x++ . x==-1.
Trace Abstraction
Definition (Trace Abstraction)
A trace abstraction is given by a tuple of automata (A1, …, An) such that each Ai recognizes a subset of infeasible traces, for i = 1, …, n.
We say that the trace abstraction (A1, …, An) does not admit an error trace if AP ∩ A1 ∩ … ∩ An is empty.
Theorem (Soundness)
L(AP ∩ A1 ∩ … ∩ An) = ∅ ⇒ P is correct
Theorem (Completeness)
If P is correct, there is a trace abstraction (A1, …, An) such that L(AP ∩ A1 ∩ … ∩ An) = ∅.
Example – Exclude an Infeasible Trace
AP: the control automaton of P (above).
A1: q0 --x:=0--> q1 --y:=0--> q2 --x++--> q3 --x==-1--> q4, the automaton accepting the infeasible trace x:=0 . y:=0 . x++ . x==-1
AP ∩ A1: product automaton with states ℓ0q0, ℓ1q1, ℓ2q2, ℓ2q3, ℓ2qs, ℓerrq4, ℓerrqs (qs is the sink state that makes A1 total) and transitions labelled x:=0, y:=0, x++, x==-1 and y==-1; the product state ℓerrq4 is reached only by the trace that A1 excludes, ℓerrqs by the remaining error traces.
Control flow as finite automaton
Example program P, annotated with assertions:
    {true}
    ℓ0: x:=0
    {x ≥ 0}
    ℓ1: y:=0
    {x ≥ 0 ∧ y = 0}
    ℓ2: while(nondet) { x++ }
        assert x != -1
        assert y != -1
Control flow graph of P as above, with location ℓ2 annotated x ≥ 0 ∧ y = 0.
Observation: Every transition is related to a Hoare triple!
e.g. the transition labelled y:=0 (from ℓ1 to ℓ2) in δ corresponds to post(x ≥ 0, y:=0) ⊆ x ≥ 0 ∧ y = 0
Floyd-Hoare proof as finite automaton
Example program P with the same annotations:
    {true}
    ℓ0: x:=0
    {x ≥ 0}
    ℓ1: y:=0
    {x ≥ 0 ∧ y = 0}
    ℓ2: while(nondet) { x++ }
        assert x != -1
        assert y != -1
The Floyd-Hoare proof read as an automaton: its states are the assertions true, x ≥ 0, x ≥ 0 ∧ y = 0 and false; its transitions are labelled with the statements x:=0, y:=0, x++, x==-1, y==-1.
Observation: Every transition is related to a Hoare triple!
e.g. the transition labelled y:=0 in δ corresponds to post(x ≥ 0, y:=0) ⊆ x ≥ 0 ∧ y = 0
Interpolant Automata
Given: a sequence of predicates I = I0, I1, …, In
Definition (Interpolant Automaton AI)
AI = 〈QI, δI, QI^init, QI^fin〉 with QI = {q0, …, qn}, where
    (qi, st, qj) ∈ δI implies post(st, Ii) ⊆ Ij
    qi ∈ QI^init implies Ii = true
    qi ∈ QI^fin implies Ii = false
Theorem
An interpolant automaton AI recognizes a subset of infeasible traces: L(AI) ⊆ Infeasible
Craig interpolants
Craig interpolant (logical formulas)
Given: an unsatisfiable conjunction A ∧ B
An interpolant is a formula I such that:
• A implies I, and I ∧ B is unsatisfiable
• I contains only symbols common to A and B
William Craig: Three uses of the Herbrand-Gentzen theorem in relating model theory and proof theory (Journal of Symbolic Logic, 1957)
Example (propositional logic)
unsatisfiable conjunction: p ∧ q ∧ ¬p ∧ r
possible Craig interpolant: p
Example (SMT)
unsatisfiable conjunction: f(x1) = y ∧ x1 = x2 ∧ x2 = x3 ∧ f(x3) ≠ y
possible Craig interpolant: y = f(x2)
Interpolants
Interpolant (execution traces)
Given: an infeasible trace st1 … sti sti+1 … stn
An interpolant is an assertion I such that:
• post(true, st1 … sti) ⊆ I ⊆ wp(false, sti+1 … stn)
• I contains only program variables occurring in both st1 … sti and sti+1 … stn
Kenneth L. McMillan: Interpolation and SAT-Based Model Checking (CAV 2003)
Example
infeasible trace: x:=0 y:=0 x++ x==-1
possible interpolant: x ≥ 0
Inductive interpolants
Inductive sequence of interpolants
Given: an infeasible trace st1 … stn
There exists a sequence of assertions I0 … In such that:
• post(Ii, sti) ⊆ Ii+1
• I0 = true and In = false
• Ii contains only variables occurring in both st1 … sti and sti+1 … stn
Ranjit Jhala, Kenneth L. McMillan: A Practical and Complete Approach to Predicate Refinement (TACAS 2006)
Example
trace:         x:=0    y:=0    x++     x==-1
interpolants:  true    x ≥ 0   x ≥ 0   x ≥ 0   false
Computation of interpolants – Example
infeasible trace:                          x:=0       y:=0       x++            x==-1
static single assignment form:             x0 = 0  ∧  y1 = 0  ∧  x2 = x0 + 1  ∧  x2 = −1
inductive sequence of Craig interpolants:  true    x0 ≥ 0    x0 ≥ 0    x2 ≥ 0    false
inductive sequence of interpolants:        true    x ≥ 0     x ≥ 0     x ≥ 0     false
SmtInterpol
• SMT solver. Computes sequences of Craig interpolants for the quantifier-free combined theory of uninterpreted functions and linear arithmetic over rationals and integers.
• Developed by Jürgen Christ and Jochen Hoenicke
• http://swt.informatik.uni-freiburg.de/research/tools/smtinterpol
Example – Use Interpolants to Generalize Infeasible Traces
Automaton for the infeasible error trace, with the interpolants and the locations of the trace written under its states:
q0 --x:=0--> q1 --y:=0--> q2 --x++--> q3 --x==-1--> q4
true    x ≥ 0    x ≥ 0    x ≥ 0    false
ℓ0      ℓ1       ℓ2       ℓ2       ℓerr
Since post(x ≥ 0, x++) = x ≥ 1 ⊆ x ≥ 0, a further transition labelled x++ may be added between states annotated x ≥ 0.
Schematic Example – Use Interpolants for Generalization
Error trace st1 … stn through locations ℓ0, ℓ1, …, ℓn; its automaton q0 --st1--> q1 … --stn--> qn, with states annotated by the inductive interpolants I0, I1, …, In.
Generalization: a further transition labelled stj+1 from qi to qj+1 is added whenever post(Ii, stj+1) ⊆ Ij+1 holds, i.e. whenever the Hoare triple required by the definition of interpolant automata is satisfied; the automaton then accepts more than the single trace.
Example – Use Interpolants to Generalize Infeasible Traces
Trace automaton q0 --x:=0--> q1 --y:=0--> q2 --x++--> q3 --x==-1--> q4, annotated true, x ≥ 0, x ≥ 0, x ≥ 0, false.
Interpolant automaton obtained by merging all states labelled with the same interpolant: states q0, q1, q2 annotated true, x ≥ 0, false, with transitions q0 --x:=0--> q1, q1 --y:=0--> q1, q1 --x++--> q1, q1 --x==-1--> q2.
Example – Refinement Using Interpolant Automata
Venn diagram as before (Σ*, L(AP) = error traces, feasible traces), now with two error traces: x:=0 . y:=0 . x++ . x==-1 and x:=0 . y:=0 . x++ . y==-1.
A1: the interpolant automaton of the previous slide, states q0, q1, q2 with transitions x:=0 (q0 → q1), y:=0 and x++ (loops on q1), x==-1 (q1 → q2); L(A1) covers the first error trace.
A2: an interpolant automaton with states q0, q1, q2 obtained in the same way from the second error trace; L(A2) covers it.
![Page 56: Trace Abstraction - uni-freiburg.deheizmann/2010CSA_IIS_Bangalore … · Bhargav S. Gulavani, Supratik Chakraborty, Aditya V. Nori, Sriram K. Rajamani Automatically re ning abstract](https://reader033.vdocuments.net/reader033/viewer/2022050200/5f541f7bba6dc5429d5e872d/html5/thumbnails/56.jpg)
Example – Refinement Using Interpolant Automata
set of all traces Σ∗
traces respecting the control flow of P
L(AP)Error Traces
Feasib
leTra
ces
x:=0 . y:=0 . x++ . x==-1
x:=0 . y:=0 . x++ . y==-1
A1q0 q1 q2
x:=0
y:=0
x++
x==-1
L(A1)
A2q0 q1 q2
x:=0
y:=0
x++
x==-1
![Page 57: Trace Abstraction - uni-freiburg.deheizmann/2010CSA_IIS_Bangalore … · Bhargav S. Gulavani, Supratik Chakraborty, Aditya V. Nori, Sriram K. Rajamani Automatically re ning abstract](https://reader033.vdocuments.net/reader033/viewer/2022050200/5f541f7bba6dc5429d5e872d/html5/thumbnails/57.jpg)
Example – Refinement Using Interpolant Automata
set of all traces Σ∗
traces respecting the control flow of P
L(AP)Error Traces
Feasib
leTra
ces
x:=0 . y:=0 . x++ . x==-1
x:=0 . y:=0 . x++ . y==-1
A1q0 q1 q2
x:=0
y:=0
x++
x==-1
L(A1)
A2q0 q1 q2
x:=0
y:=0
x++
x==-1
![Page 58: Trace Abstraction - uni-freiburg.deheizmann/2010CSA_IIS_Bangalore … · Bhargav S. Gulavani, Supratik Chakraborty, Aditya V. Nori, Sriram K. Rajamani Automatically re ning abstract](https://reader033.vdocuments.net/reader033/viewer/2022050200/5f541f7bba6dc5429d5e872d/html5/thumbnails/58.jpg)
Example – Refinement Using Interpolant Automata
set of all traces Σ∗
traces respecting the control flow of P
L(AP)Error Traces
Feasib
leTra
ces
x:=0 . y:=0 . x++ . x==-1
x:=0 . y:=0 . x++ . y==-1
A1q0 q1 q2
x:=0
y:=0
x++
x==-1
L(A1)
A2q0 q1 q2
x:=0
y:=0
x++
x==-1
L(A2)
Page 59: CEGAR for Trace Abstraction

Input: annotated program P, represented by its control-flow automaton AP.  n := 0.

Loop:
  1. Is L(AP ∩ Ā1 ∩ … ∩ Ān) = ∅ ?  (Āi is the complement of Ai: is every error trace of P accepted by some Ai?)
     yes: P is correct.
     no:  obtain an error trace π such that π ∈ L(AP ∩ Ā1 ∩ … ∩ Ān).
  2. Is π ∈ INFEASIBLE ?
     no:  P is incorrect; π is a feasible error trace.
     yes: construct a trace automaton An+1 such that π ∈ L(An+1) and L(An+1) ⊆ INFEASIBLE;  n := n + 1;  go to 1.
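The following Python program is an added example, not code from the slides, and covers the interpolant-automaton construction of pages 52–55 together with the loop of page 59. It builds A1 and A2 from the two traces of the slides by merging equal interpolants, then runs the CEGAR loop over plain finite automata: each iteration searches for a trace of A_P that no interpolant automaton accepts. Two things are assumptions of the example: the control-flow automaton A_P (the slides show only the two error traces; the x++ self-loop at l3 is added so that P has infinitely many error traces), and the lookup table INTERPOLANTS, a constructed stand-in for the interpolating theorem prover whose second sequence is the obvious analogue of the slides' first.

```python
"""Interpolant automata and the CEGAR loop of trace abstraction over plain
finite automata, following the slides' x/y example.  Added example: A_P and
the interpolant table are constructed stand-ins for the real program and
prover."""
from collections import deque


class NFA:
    """Finite automaton over the alphabet of statements (letters are strings)."""

    def __init__(self, init, finals, transitions):
        self.init = init
        self.finals = frozenset(finals)
        self.delta = {}                       # (state, letter) -> set of states
        for src, letter, dst in transitions:
            self.delta.setdefault((src, letter), set()).add(dst)

    def step(self, states, letter):
        nxt = set()
        for s in states:
            nxt |= self.delta.get((s, letter), set())
        return frozenset(nxt)

    def accepts(self, trace):
        states = frozenset([self.init])
        for letter in trace:
            states = self.step(states, letter)
        return bool(states & self.finals)


def interpolant_automaton(trace, interpolants):
    """Build A_{n+1} from an infeasible trace and its interpolant sequence by
    merging every position that carries the same interpolant into one state
    (the interpolant itself is the state name, so equal interpolants merge).
    Soundness rests on post(I_k, st) ⊆ I_{k+1} for consecutive pairs, which
    the prover guaranteed when it produced the sequence."""
    assert len(interpolants) == len(trace) + 1
    assert interpolants[0] == "true" and interpolants[-1] == "false"
    transitions = [(interpolants[k], st, interpolants[k + 1])
                   for k, st in enumerate(trace)]
    return NFA("true", ["false"], transitions)


def find_error_trace(program, automata):
    """Shortest trace in L(A_P) minus L(A_1) ∪ ... ∪ L(A_n), or None if empty.
    Breadth-first search over the product of A_P with the determinised
    (subset-construction) interpolant automata: a trace is a remaining
    counterexample when A_P sits in an error location while no A_i has
    reached its 'false' state."""
    start = (program.init, tuple(frozenset([a.init]) for a in automata))
    queue = deque([(start, ())])
    seen = {start}
    letters = sorted({letter for (_, letter) in program.delta})
    while queue:
        (loc, subsets), trace = queue.popleft()
        covered = any(sub & a.finals for sub, a in zip(subsets, automata))
        if loc in program.finals and not covered:
            return trace
        for letter in letters:
            for nloc in program.delta.get((loc, letter), ()):
                nsub = tuple(a.step(sub, letter) for sub, a in zip(subsets, automata))
                conf = (nloc, nsub)
                if conf not in seen:
                    seen.add(conf)
                    queue.append((conf, trace + (letter,)))
    return None


def cegar(program, prover):
    """The loop of the 'CEGAR for Trace Abstraction' slide.  `prover` maps a
    trace to its interpolant sequence, or None when the trace is feasible.
    Returns ('correct', [A_1..A_n]) or ('incorrect', feasible error trace)."""
    automata = []
    while True:
        pi = find_error_trace(program, automata)
        if pi is None:
            return "correct", automata
        interpolants = prover(pi)
        if interpolants is None:
            return "incorrect", pi
        automata.append(interpolant_automaton(pi, interpolants))


# Constructed control-flow automaton A_P (assumption): the x++ self-loop at l3
# gives P infinitely many error traces, all of which A1 and A2 must cover.
A_P = NFA("l0", ["lerr"], [
    ("l0", "x:=0", "l1"), ("l1", "y:=0", "l2"), ("l2", "x++", "l3"),
    ("l3", "x++", "l3"), ("l3", "x==-1", "lerr"), ("l3", "y==-1", "lerr"),
])

# Constructed stand-in for the interpolating prover: the first sequence is the
# one on the slides, the second is the analogous sequence for y.
INTERPOLANTS = {
    ("x:=0", "y:=0", "x++", "x==-1"): ("true", "x>=0", "x>=0", "x>=0", "false"),
    ("x:=0", "y:=0", "x++", "y==-1"): ("true", "true", "y>=0", "y>=0", "false"),
}


def table_prover(trace):
    return INTERPOLANTS.get(tuple(trace))


if __name__ == "__main__":
    verdict, result = cegar(A_P, table_prover)
    print(verdict, result if verdict == "incorrect" else f"after {len(result)} refinements")
```

The search returns the shortest uncovered trace first, so the two refinements happen in the order of the slides: A1 removes every trace of the form x:=0 . y:=0 . x++ … x++ . x==-1 at once, A2 the corresponding y==-1 traces, after which the product is empty and the loop reports the program correct.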
Page 60: Outline

- Formal setting / our point of view: a program is a language over the alphabet of statements.
- Excursion: interpolants
- Trace abstraction with interpolants
- Trace abstraction for recursive programs
Page 61: Recursive programs – challenge 1: control flow

Problem: a sequence of statements that does not respect the call-return discipline, e.g.
  assume . call foo . assignment . call bar . assignment . return foo . assume . return bar . assume
Here the main procedure calls foo (the first called procedure) and foo calls bar (the second called procedure), but "return foo" appears before "return bar": no execution returns from the outer procedure before returning from the inner one.

Regular languages / finite automata are not suitable to model the control flow of a recursive program.
Idea: use context-free languages / pushdown automata.
Obstacle: context-free languages are not closed under intersection, and the refinement step intersects automata.
Page 64: Solution 1

Visibly pushdown languages / visibly pushdown automata
(Rajeev Alur, P. Madhusudan: Visibly pushdown languages, STOC 2004).
Partition the symbols; the type of a symbol determines the stack behaviour:
- call symbol: must push one element on the stack.
- internal symbol: must not alter the stack.
- return symbol: must pop one element from the stack.

Modelling control flow:
- Partition the statements: call foo, call bar are call symbols; return foo, return bar are return symbols; assume and assignment are internal symbols.
- Store the return address on the stack.
Page 65: Solution 2

Nested word languages / nested word automata
(Rajeev Alur, P. Madhusudan: Adding nesting structure to words, DLT 2006; J. ACM 56(3), 2009).
Add the call-return dependency explicitly to the word: nested word = word + nesting relation.

Example (main procedure calls foo, foo calls bar), now well nested:
  assume . call foo . assignment . call bar . assignment . return bar . assume . return foo . assume
with the nesting relation pairing call foo with return foo and call bar with return bar.

Visibly pushdown vs. nested word:
                               input device                       automaton
  visibly pushdown automata    simple (plain word)                complex (stack)
  nested word automata         complex (word + nesting relation)  simple
Page 67: Example – control flow as nested word automaton

McCarthy 91 function (xm is the argument passed to the callee, resm the result it returns):
  procedure m(x) returns (res)
  ℓ0:  if x>100
  ℓ1:    res := x-10
       else
  ℓ2:    xm := x+11
  ℓ3:    call m
  ℓ4:    xm := resm
  ℓ5:    call m
  ℓ6:    res := resm
  ℓ7:  assert (x<=101 -> res=91)
       return m

Nested word automaton (states are the locations ℓ0 … ℓ7 and ℓerr):
  internal transitions: ℓ0 --x>100--> ℓ1,  ℓ1 --res:=x-10--> ℓ7,  ℓ0 --x<=100--> ℓ2,  ℓ2 --xm:=x+11--> ℓ3,
                        ℓ4 --xm:=resm--> ℓ5,  ℓ6 --res:=resm--> ℓ7,  ℓ7 --x ≤ 101 ∧ res ≠ 91--> ℓerr
  call transitions:     ℓ3 --call m--> ℓ0,  ℓ5 --call m--> ℓ0
  return transitions:   ℓ7 --return m ↑ ℓ3--> ℓ4,  ℓ7 --return m ↑ ℓ5--> ℓ6

A nested word automaton has 4-ary return relations, e.g. (ℓ7, ℓ5, return m, ℓ6) ∈ δreturn: the state before the return (ℓ7), the state at the matching call (ℓ5), the return statement, and the successor state (ℓ6).
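As an added example (not code from the slides), the nested word automaton of this page transcribed into Python. The automaton data comes from the slide; the traces are constructed. The run keeps, for every position read, the state the automaton was in before it, so a return can look up the state at its matching call and apply the 4-ary relation. The contrast with page 61 is made explicit: with the nesting relation ignored (a plain finite automaton over the flat word), a word whose return continues at the wrong call site is accepted, while the nested word automaton rejects it.

```python
"""Nested word automaton for the control flow of the McCarthy 91 procedure of
the slides.  Added example, not code from the slides: the transitions are
transcribed from the slide, the traces below are constructed."""

CALLS = {"call m"}
RETURNS = {"return m"}


class NWA:
    def __init__(self, init, finals, internal, call, ret):
        self.init = init
        self.finals = frozenset(finals)
        self.internal = {}                    # (q, a) -> set of q'
        for q, a, q2 in internal:
            self.internal.setdefault((q, a), set()).add(q2)
        self.call = {}                        # (q, a) -> set of q'
        for q, a, q2 in call:
            self.call.setdefault((q, a), set()).add(q2)
        self.ret = {}                         # (q, p, a) -> set of q'; p = state at the matching call
        for q, p, a, q2 in ret:
            self.ret.setdefault((q, p, a), set()).add(q2)

    def accepts(self, word, nesting=None):
        """word: list of statements; nesting: {return position: call position}.
        With nesting=None the hierarchy is ignored and the automaton behaves
        like a finite automaton over the flat word (the page-61 situation).
        Pending calls at the end are allowed: a trace may stop inside a callee."""
        runs = {(self.init, ())}
        for j, a in enumerate(word):
            nxt = set()
            for q, history in runs:
                history = history + (q,)      # history[k] = state before position k
                if a in CALLS:
                    targets = self.call.get((q, a), set())
                elif a in RETURNS:
                    if nesting is None:       # flat view: any call site will do
                        targets = set().union(*(t for (q1, _, a1), t in self.ret.items()
                                                if (q1, a1) == (q, a)))
                    else:
                        i = nesting.get(j)
                        if i is None or not 0 <= i < j or word[i] not in CALLS:
                            continue          # return without a matching call
                        targets = self.ret.get((q, history[i], a), set())
                else:
                    targets = self.internal.get((q, a), set())
                for q2 in targets:
                    nxt.add((q2, history))
            runs = nxt
        return any(q in self.finals for q, _ in runs)


def well_matched_nesting(word):
    """Nesting relation of a word that respects the call-return discipline
    (each 'return p' matches the most recent pending 'call p'); None if some
    return has no pending call or returns from the wrong procedure."""
    pending, nesting = [], {}
    for j, a in enumerate(word):
        if a in CALLS:
            pending.append(j)
        elif a in RETURNS:
            if not pending or word[pending[-1]].split()[1] != a.split()[1]:
                return None
            nesting[j] = pending.pop()
    return nesting


# Control-flow NWA of the slide: states are the locations l0..l7 and lerr.
MCCARTHY = NWA(
    init="l0", finals=["lerr"],
    internal=[("l0", "x>100", "l1"), ("l1", "res:=x-10", "l7"),
              ("l0", "x<=100", "l2"), ("l2", "xm:=x+11", "l3"),
              ("l4", "xm:=resm", "l5"), ("l6", "res:=resm", "l7"),
              ("l7", "x<=101 && res!=91", "lerr")],
    call=[("l3", "call m", "l0"), ("l5", "call m", "l0")],
    ret=[("l7", "l3", "return m", "l4"),      # return m ↑ l3
         ("l7", "l5", "return m", "l6")],     # (l7, l5, return m, l6) ∈ δreturn
)

# Constructed error trace of the control flow: the shape of m(100), both inner
# calls taking the x>100 branch, followed by the negated assertion.
ERROR_TRACE = ["x<=100", "xm:=x+11", "call m", "x>100", "res:=x-10", "return m",
               "xm:=resm", "call m", "x>100", "res:=x-10", "return m",
               "res:=resm", "x<=101 && res!=91"]

# Constructed ill-nested word: the return from the call at l3 continues with
# the statement of l6, i.e. it returns to the wrong call site.
ILL_NESTED = ["x<=100", "xm:=x+11", "call m", "x>100", "res:=x-10", "return m",
              "res:=resm", "x<=101 && res!=91"]

if __name__ == "__main__":
    print("nested word automaton, well nested trace:", MCCARTHY.accepts(ERROR_TRACE, well_matched_nesting(ERROR_TRACE)))
    print("nested word automaton, ill-nested word:  ", MCCARTHY.accepts(ILL_NESTED, well_matched_nesting(ILL_NESTED)))
    print("flat finite automaton, ill-nested word:  ", MCCARTHY.accepts(ILL_NESTED))
```

The accepted word is an error trace of the control flow only; whether it is feasible is the question the interpolants answer, not the automaton.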
Page 68: Recursive programs – challenge 2: interpolants

What is an interpolant for an interprocedural execution?  Trace considered:
  xp:=0 . call p . xp:=x-1 . call p . res:=x . return . res:=resp-xp . return . resp < xp

- A state with a stack?  The locality of the interpolant is lost.  Interpolants along the trace (stack frames separated by |, the frame of the current procedure last):
    true
    xp = 0
    xp = 0 | x = 0
    xp = 0 | xp = −1
    xp = 0 | xp = −1 | x = −1
    xp = 0 | xp = −1 | res = −1
    xp = 0 | resp = −1 ∧ xp = −1
    xp = 0 | res = 0
    resp = 0 ∧ xp = 0
    false
  Each interpolant carries the whole stack, so the interpolant of a callee depends on its calling context.

- Only local valuations?  The call/return dependency is lost and the sequence of interpolants is not a proof:
    true, xp = 0, true, xp = x−1, true, res = x, ?, ?, ?, ?
  after the first return nothing relates the caller's resp to the callee's res.
Page 70: Recursive programs – challenge 2: interpolants

Idea: "nested interpolants". Define the sequence of interpolants with respect to the nested trace, one local sequence per procedure level:

  level 0 (main):  true --xp:=0--> xp = 0 --call p--> [level 1] --return--> resp ≥ xp --resp < xp--> false
  level 1:         true --xp:=x-1--> xp = x−1 --call p--> [level 2] --return--> resp ≥ xp --res:=resp-xp--> res ≥ x
  level 2:         true --res:=x--> res = x

Define a ternary post operator for return statements. Its arguments are the local state of the callee before the return, the local state of the caller before the call, and the return statement; its result is the local state of the caller after the return, e.g.
  post( res = x [callee before return],  xp = x−1 [caller before call],  return p ) ⊆ resp ≥ xp [caller after return]
Page 72: Floyd-Hoare proof as nested word automaton

McCarthy 91 function, annotated with the assertions of the proof:
  procedure m(x) returns (res)
                                            {⊤}
  ℓ0:  if x>100
                                            {x ≥ 101}
  ℓ1:    res := x-10
       else
                                            {x ≤ 100}
  ℓ2:    xm := x+11
                                            {xm ≤ 111}
  ℓ3:    call m
                                            {resm ≤ 101}
  ℓ4:    xm := resm
                                            {xm ≤ 101}
  ℓ5:    call m
                                            {resm = 91}
  ℓ6:    res := resm
                                            {res = 91 ∨ (x ≥ 101 ∧ res = x − 10)}
  ℓ7:  assert (x<=101 -> res=91)
       return m

Nested word automaton whose states are the assertions of the proof:
  ⊤ --x>100--> x ≥ 101 --res:=x-10--> res = 91 ∨ (x ≥ 101 ∧ res = x − 10)
  ⊤ --x<=100--> x ≤ 100 --xm:=x+11--> xm ≤ 111 --call m--> ⊤
  resm ≤ 101 --xm:=resm--> xm ≤ 101 --call m--> ⊤
  resm = 91 --res:=resm--> res = 91 ∨ (x ≥ 101 ∧ res = x − 10)
  return transitions from the final assertion res = 91 ∨ (x ≥ 101 ∧ res = x − 10):
    --return m ↑ xm ≤ 111--> resm ≤ 101
    --return m ↑ xm ≤ 101--> resm = 91

Each transition is justified by an inclusion, e.g. post(x ≤ 100, xm:=x+11) ⊆ xm ≤ 111; the return transitions use the ternary post with the caller's assertion at the call (xm ≤ 111 or xm ≤ 101) as second argument.
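The following Python program is an added example, not code from the slides. It takes the assertions of the annotated McCarthy 91 procedure above and checks every transition of the proof automaton, internal transitions via post(I, st) ⊆ I' and return transitions via the ternary post of page 70, by enumerating integer states. The window of values is an assumption of the example: the slides discharge these inclusions with a theorem prover, whereas enumeration makes a reported failure a genuine counterexample but turns success into evidence only, not a proof. The binding at a call (callee x := caller xm, caller resm := callee res on return) follows the procedure on the slide.

```python
"""Bounded check of the slides' Floyd-Hoare annotation of McCarthy 91, read
as a nested word automaton whose states are assertions.  Added example, not
code from the slides; the value window is an assumption."""
import itertools

LO, HI = -5, 130                      # window for every variable (assumption)
VALUES = range(LO, HI + 1)


def states(variables):
    """All valuations of the given variables inside the window."""
    for vals in itertools.product(VALUES, repeat=len(variables)):
        yield dict(zip(variables, vals))


# Assertions of the proof, one per location of the annotated procedure.
TOP = lambda s: True
X_GE_101 = lambda s: s["x"] >= 101
X_LE_100 = lambda s: s["x"] <= 100
XM_LE_111 = lambda s: s["xm"] <= 111
RESM_LE_101 = lambda s: s["resm"] <= 101
XM_LE_101 = lambda s: s["xm"] <= 101
RESM_EQ_91 = lambda s: s["resm"] == 91
FINAL = lambda s: s["res"] == 91 or (s["x"] >= 101 and s["res"] == s["x"] - 10)
FALSE = lambda s: False


def assume(cond):                     # guard: keeps the state or blocks (None)
    return lambda s: dict(s) if cond(s) else None


def assign(var, expr):                # assignment var := expr(state)
    return lambda s: {**s, var: expr(s)}


# Internal transitions of the proof automaton: (pre, statement, post, variables read).
INTERNAL = [
    (TOP, assume(lambda s: s["x"] > 100), X_GE_101, ("x",)),
    (X_GE_101, assign("res", lambda s: s["x"] - 10), FINAL, ("x",)),
    (TOP, assume(lambda s: s["x"] <= 100), X_LE_100, ("x",)),
    (X_LE_100, assign("xm", lambda s: s["x"] + 11), XM_LE_111, ("x",)),
    (RESM_LE_101, assign("xm", lambda s: s["resm"]), XM_LE_101, ("resm",)),
    (RESM_EQ_91, assign("res", lambda s: s["resm"]), FINAL, ("x", "resm")),
    (FINAL, assume(lambda s: s["x"] <= 101 and s["res"] != 91), FALSE, ("x", "res")),
]
# Call transitions: the callee starts with x := xm under the entry assertion ⊤.
CALLS = [(XM_LE_111, TOP), (XM_LE_101, TOP)]
# Return transitions 'return m ↑ p': (callee assertion before the return,
# caller assertion p at the call, caller assertion after the return).
RETURNS = [(FINAL, XM_LE_111, RESM_LE_101), (FINAL, XM_LE_101, RESM_EQ_91)]


def check_internal(pre, stmt, post, variables):
    """post(pre, stmt) ⊆ post on the window; returns a violating state or None."""
    for s in states(variables):
        if pre(s):
            s2 = stmt(s)
            if s2 is not None and not post(s2):
                return s
    return None


def check_call(caller_pre, callee_entry):
    for s in states(("xm",)):
        if caller_pre(s) and not callee_entry({"x": s["xm"]}):
            return s
    return None


def check_return(callee_pre, caller_pre, caller_post):
    """Ternary post of 'return m': the callee's x was the caller's xm (bound at
    the call), and the caller receives resm := callee's res.  Returns the
    first violating (callee state, caller state) pair, or None."""
    for s in states(("xm", "res")):
        callee = {"x": s["xm"], "res": s["res"]}
        caller = {"xm": s["xm"]}
        if callee_pre(callee) and caller_pre(caller):
            after = {**caller, "resm": callee["res"]}
            if not caller_post(after):
                return callee, caller
    return None


def check_proof(internal=INTERNAL, calls=CALLS, returns=RETURNS):
    """Check every transition of the annotation; returns the failing ones."""
    failures = []
    for k, (pre, st, post, vs) in enumerate(internal):
        if check_internal(pre, st, post, vs) is not None:
            failures.append(("internal", k))
    for k, (pre, entry) in enumerate(calls):
        if check_call(pre, entry) is not None:
            failures.append(("call", k))
    for k, (callee, caller, after) in enumerate(returns):
        if check_return(callee, caller, after) is not None:
            failures.append(("return", k))
    return failures


if __name__ == "__main__":
    print("failing transitions:", check_proof())
```

Weakening the assertion after the first call to resm ≤ 100 is caught by the ternary post: the callee state x = 111, res = 101 satisfies the callee's final assertion and is reachable from a caller with xm ≤ 111, yet violates the weakened post-state.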
Page 74: Computation of nested interpolants – Example

Nested trace: xp:=0 . call p . xp:=x-1 . call p . res:=x . return . res:=resp-xp . return . resp < xp

The interpolants are computed from left to right along the nested trace; the animation on the slides adds them one at a time in this order:
   1. level 0, before xp:=0:        true
   2. level 0, after xp:=0:         xp = 0
   3. level 1, at the entry of p:   true
   4. level 1, after xp:=x-1:       xp = x−1
   5. level 2, at the entry of p:   true
   6. level 2, after res:=x:        res = x
   7. level 1, after the return:    resp ≥ xp
   8. level 1, after res:=resp-xp:  res ≥ x
   9. level 0, after the return:    resp ≥ xp
  10. level 0, after resp < xp:     false
Page 84: Conclusion

Trace Abstraction
- Refine the abstraction by using independent underapproximations of the infeasible traces.
- Use interpolants directly to create a component of the abstraction: economic use of the theorem prover.
- Use nested words to define an inductive sequence of interpolants for recursive programs.

Future Work
- Liveness properties
- Concurrent programs
- Caching infeasibility: reuse abstractions from one program to another.
- Guided generation of interpolants (strength of interpolants)