program verification using templates over predicate abstraction

Program Verification using Templates over Predicate Abstraction

Saurabh SrivastavaUniversity of Maryland, College Park

Sumit GulwaniMicrosoft Research, Redmond

What the technique will let you do!A. Infer invariants with

arbitrary quantification and boolean structure∀∀∃

j....

Aold

∀k∃j..∀k1,k2 k1 k2

€

≤

for i = 0..n{

for j = i..n{

find min index

}if (min != i) swap A[i] with

A[min]}

Selection Sort:

k1 k2

€

≤

<

: E.g. Sortedness: E.g. Permutation

B. Infer weakest preconditions

Anewk

Worst case behavior: swap every time it can

Weakest conditions on input:

Improves the state-of-art• Can infer very expressive invariants

• Quantification– E.g. ∀k∃j : (k<n) => (A[k]=B[j] ∧ j<n)

• Disjunction– E.g. ∀k : (k<0 ∨ k>n ∨ A[k]=0)

– Previous techniques are too specialized to particular types of quantification or to quantifier-free disjunction

• Can infer weakest preconditions• Good for debugging: can discover worst case inputs• Good for analysis: can infer missing precondition facts

– No satisfactory solutions known

Key facilitators• Templates

– Task of inferring conjunctive facts for the holes remains• Predicate Abstraction

– Allows us to efficiently compute solutions for the holes

– E.g., {i<j, i>j, i≤j, i≥j, i<j-1, i>j+1… }

€

∀k1∃k2 : (−)⇒ (−)

€

∀k : (−)⇒ (−)Unknown

holes

€

x opr (y opa c)Relational operator

<, ≤, >, ≥ …Arithmetic operator

+, - …

Program variables,array elements

Limitedconstants

Outline• Three fixed-point inference algorithms

– Iterative fixed-point• Greatest Fixed-Point (GFP)• Least Fixed-Point (LFP)

– Constraint-based (CFP)

• Optimal Solutions– Built over a clean theorem proving interface

• Weakest Precondition Generation

• Experimental evaluation

(LFP)

(GFP)

(CFP)

Analysis Setup

post

pre

I1

I2

Loop headers (with invariants) split program into simple paths. Simple paths induce program constraints (verification conditions)

vc(pre,I1)

vc(I1,post) vc(I1,I2)

vc(I2,I2)vc(I2,I1)

true ∧ i=0 => I1

I1 ∧ i≥n => sorted array

I1 ∧ i<n ∧ j=i => I2

Sorted array

i<n

true

j<n

Find min index

if (min != i) swap A[i], A[min]

i:=0

j:=i

I1

I2

E.g. Selection Sort:

I1 ∧ i≥n => ∀k1,k2 : 0≤k1<k2<n => A[k1] ≤A[k2]

Analysis Setup

post

pre

I1

I2

Loop headers (with invariants) split program into simple paths. Simple paths induce program constraints (verification conditions)

vc(pre,I1)


vc(I2,I2)vc(I2,I1)

true ∧ i=0 => I1

I1 ∧ i<n ∧ j=i => I2

Simple FOL formulae over I1,

I2!We will exploit this.

Candidate Solution

Iterative Fixed-point: Overview

post

pre

I1

I2

vc(pre,I1)


vc(I2,I2)vc(I2,I1)

{ vc(pre,I1),vc(I1,I2) }

VCs that are not satisfied

✗✓

✓ ✓

✗

Values for invariants

<x,y>

Computable because:– Templates make ∨ explicit– Predicate abstraction

restricts search to finite space

Iterative Fixed-point: Overview

post

pre

I1

I2

vc(pre,I1)


vc(I2,I2)vc(I2,I1)

Improve candidate– Pick unsat VC– Use theorem prover to

compute optimal change– Results in new candidates

<x,y> { … }

Set of candidates

Improve candidate

Candidate satisfies all

VCs

Backwards Iterative (GFP)

post

pre

Backward: • Always pick the source invariant of unsat constraint to improve• Start with <⊤, …,⊤>

Candidate Sols <I1,I2> Unsat

constraints<⊤, ⊤> { vc(I1,post) }

⊤

⊤

✓✓

✓

✗✓


post

pre

a1

⊤

✓ ✓




<a1, ⊤> { vc(I2,I1) }

✓

Optimally strengthen so vc(pre,I1) ok unless no soln

✗✓


post

pre

a1

b2

✓ ✓




<a1, ⊤> { vc(I2,I1) }

<a1,b1> { vc(I2,I2) }<a1,b2> { vc(I2,I2),vc(I1,I2) }

Multiple orthogonal optimal sols

✓


✗✗


post

pre

✓ ✓✓




<a1, ⊤> { vc(I2,I1) }


<a1,b1> { vc(I2,I2) }<a1,b’2> { vc(I1,I2) }


✓


✗b’2

a1


post

pre

✓ ✓✓

✓




<a1, ⊤> { vc(I2,I1) }


<a1,b1> { vc(I2,I2) }<a1,b’2> { vc(I1,I2) }

<a1,b1> { vc(I2,I2) }<a’1,b’2> none


✓


b’2

a’1

<a’1,b’2> : GFP solution

Forward Iterative (LFP)

Forward: Same as GFP except

• Pick the destination invariant of unsat constraint to improve

• Start with <⊥,…,⊥>

Constraint-based over Predicate Abstraction

post

pre

I1

I2

vc(pre,I1)


vc(I2,I2)vc(I2,I1)


vc(pre,I1)

vc(I1,post)vc(I1,I2)

vc(I2,I2)

vc(I2,I1)

pred(I1)

€

∀k : (−)⇒ (−) template

p1,p2…pr p1,p2…pr

unknown 1 unknown 2

predicates

b11,b2

1…br

1b1

2,b22…br

2 boolean indicators

I1Remember: VCs are FOL

formulae over I1, I2


vc(pre,I1)


vc(I2,I2)

vc(I2,I1)

pred(I1)

pred(A) : A to unknown predicate

indicator variables

Remember: VCs are FOL


Remember: VCs are FOL



vc(pre,I1)


vc(I2,I2)

vc(I2,I1)

boolc(pred(I1), pred(I2))

Optimal solutions from SMT solver to impose

minimal constrain

ts

pred(A) : A to unknown predicate

indicator variables

boolc(pred(I1))

boolc(pred(I2), pred(I1))

boolc(pred(I2)) Boolean constraintto satisfying soln

(SAT Solver)

Invariant soln∧

boolc(pred(I1))

Program constraintto boolean constraint

SAT formulae over predicate

indicators

Local reasoning Fixed-Point Computation







(LFP)

(GFP)

(CFP)

Optimal Solutions• Key: Polarity of unknowns in formula Φ

– Positive or negative:• Value of positive unknown stronger => Φ stronger• Value of negative unknown stronger => Φ weaker

• Optimal Soln: Maximally strong positives, maximally weak negatives

• Assume theorem prover interface: OptNegSol– Optimal solutions for formula with only negative unknowns– Built using a lattice search by querying SMT Solver

¬negative

u1

positive∨ u2 ) ∧ u3(

positive∀x : ∃y : Φ =

Optimal Solutions using OptNegSolformula Φ contains unknowns:

Repeat until set stable

Optimal Solutions for formula Φ

OptOpt’

Opt’’

Merge

…

Merge positive tuples

Φ[ ]Φ[ ]

Φ[ ]

u1…uP positive u1…uN negative

…

a1…aPa’1…a’P

a’’1…a’’P

P-tuple that assigns a single predicate

to each positive unknown

a1…aP,S1…SNa’1…a’P,S’1…S’N

…

Si soln for the negative unknowns

a’’1…a’’P,S’’1…S’’N

OptNegSol

…

P x

Size

of p

redi

cate

set







(LFP)

(GFP)

(CFP)

Implementation

C Program

Templates

Predicate Set

CFG

InvariantsPreconditions

Microsoft’s Phoenix Compiler Verification

Conditions

IterativeFixed-point

GFP/LFP

Constraint-based

Fixed-Point

Candidate Solutions

Boolean Constraint

Z3 SMT Solver

Verifying Sorting Algorithms• Benchmarks

– Considered difficult to verify– Require invariants with quantifiers– Sorting, ideal benchmark programs

• 5 major sorting algorithms– Insertion Sort, Bubble Sort (n2 version and termination checking

version), Selection Sort, Quick Sort and Merge Sort

• Properties:– Sort elements

• ∀k : 0≤k<n => A[k] ≤A[k+1] --- output array is non-decreasing– Maintain permutation, when elements distinct

• ∀k∃j : 0≤k<n => A[k]=Aold[j] & 0≤j<n --- no elements gained• ∀k∃j : 0≤k<n => Aold[k]=A[j] & 0≤j<n --- no elements lost

Runtimes: Sortedness

Selection Sort Insertion Sort Bubble Sort (n2) Bubble Sort (flag) Quick Sort Merge Sort0

2

4

6

8

10

12

14

16

LFPGFPCFP

seco

nds

Tool can prove sortedness for all

sorting algorithms!

Runtimes: Permutation


5

10

15

20

25

30

35

40

LFPGFPCFP

∞ ∞

…

94.42

seco

nds

…Permutations too!

Inferring Preconditions• Given a property (worst case runtime or functional

correctness) what is the input required for the property to hold

• Tool automatically infers non-trivial inputs/preconditions

• Worst case input (precondition) for sorting:– Selection Sort: sorted array except last element is the smallest– Insertion, Quick Sort, Bubble Sort (flag): Reverse sorted array

• Inputs (precondition) for functional correctness:– Binary search requires sorted input array– Merge in Merge sort requires sorted inputs– Missing initializers required in various other programs

Runtimes (GFP): Inferring worst case inputs for sorting

seco

nds


5

10

15

20

25

30

35

40

45

Tool infers worst case inputs for all

sorting algorithms!

Nothing to infer as all inputs yield the same behavior

Conclusions• Powerful invariant inference over predicate abstraction

– Can infer quantifier invariants

• Three algorithms with different strengths– Iterative: Least fixed-point and Greatest fixed-point– Constraint-based

• Extend to maximally-weak precondition inference– Worst case inputs– Preconditions for functional correctness

• Techniques builds on SMT Solvers, so exploit their power

• Successfully verified/inferred preconditions– All major sorting algorithms– Other difficult benchmarks

• Project Webpage: http://www.cs.umd.edu/~saurabhs/pacs

http://www.cs.umd.edu/~saurabhs/pacs

http://www.cs.umd.edu/~saurabhs/pacs

program verification using templates over predicate abstraction

Documents