MoCHi: Software Model Checker for a Higher-Order Functional Language Hiroshi Unno University of Tsukuba (Joint work with Naoki Kobayashi and Ryosuke Sato) 2018/9/20

MoCHi Software model checker for a subset of OCaml (cf. SLAM, BLAST) Support integers, recursive data types, exceptions, higher-order functions, and recursion let rec mc x = if x > 100 then x – 10 else mc (mc (x + 11)) in let n = randi() in if n ≤ 101 then assert (mc n = 91) MoCHi Program & Spec. Result Certificate or Counterexample Based on higher-order model checking 2018/9/20

Outline How MoCHi Works? Implementation Summary Function Encoding Predicate Abstraction & CEGAR Implementation Summary 2018/9/20

Outline How MoCHi Works? Implementation Summary Function Encoding Predicate Abstraction & CEGAR Implementation Summary 2018/9/20

How MoCHi Works? 𝜆 → + recursion + recursive data types + exceptions + integers + booleans Functional Program Function Encoding PCF 𝜆 → + recursion + integers + booleans Predicate Abstraction & CEGAR [PLDI’11] 𝜆 → + recursion + booleans Finitary PCF (fPCF) Higher-Order Model Checking [Kobayashi POPL’09, PPDP’09] Sound and complete! 2018/9/20

How MoCHi Works? 𝜆 → + recursion + recursive data types + exceptions + integers + booleans Functional Program Function Encoding PCF 𝜆 → + recursion + integers + booleans Predicate Abstraction & CEGAR [PLDI’11] 𝜆 → + recursion + booleans Finitary PCF (fPCF) Higher-Order Model Checking [Kobayashi POPL’09, PPDP’09] Sound and complete! 2018/9/20

Function Encoding of Lists Encode a list as a pair (len, f), where: len is the length of the list f is a function from an index i to the i-th element e.g., [3;1;4] is encoded as (3, f), where: f(0)=3, f(1)=1, f(2)=4, and undefined otherwise let nil = (0, fun i -> ⊥) let cons a (len, l) = (len + 1, fun i -> if i = 0 then a else l (i - 1)) let hd (len, l) = l 0 let tl (len, l) = (len - 1, fun i -> l (i + 1)) let is_nil (len, l) = len = 0 2018/9/20

Function Encoding of Recursive Data Types Encode a tree of a recursive data type as a function from a node’s path to its label type btree = Leaf of int | Node of btree * btree Node Leaf 3 1 4 A function f, where: f [] = Node f [1] = Leaf f [2] = Node f [1;1] = 3 f [2;1] = Leaf f [2;2] = Leaf f [2;1;1] = 1 f [2;2;1] = 4 2018/9/20

Function Encoding of Exceptions exception NotPos let rec fact n = if n ≤ 0 then raise NotPos else try n × fact (n-1) with NotPos -> 1 let NotPos = 0 let rec fact n k exn = if n ≤ 0 then exn NotPos else fact (n-1) (fun r -> k (n × r)) (fun NotPos -> k 1) CPS Trans. 2018/9/20

How MoCHi Works? 𝜆 → + recursion + recursive data types + exceptions + integers + booleans Functional Program Function Encoding PCF 𝜆 → + recursion + integers + booleans Predicate Abstraction & CEGAR [PLDI’11] 𝜆 → + recursion + booleans Finitary PCF (fPCF) Higher-Order Model Checking [Kobayashi POPL’09, PPDP’09] Sound and complete! 2018/9/20

Predicate Abstraction [Graf & Saidi CAV’97] PCF let f g x = g (x+1) P(x)≡ x ≥0 Q(y)≡y ≥0 Predicate Abstraction Predicates b=true ⇔ P(x) fPCF let f g b = g (if b then true else rndbool) P(x) ⇒ Q(x+1) 2018/9/20

CEGAR [Clarke et al. CAV’00] PCF Predicate Abstraction New Predicates Predicate Discovery fPCF CEGAR Loop infeasible Higher-Order Model Checking [Kobayashi POPL’09] NG Error Trace Feasibility Check OK feasible safe unsafe 2018/9/20

CEGAR [Clarke et al. CAV’00] PCF Predicate Abstraction New Predicates Predicate Discovery fPCF CEGAR Loop infeasible Higher-Order Model Checking [Kobayashi POPL’09] NG Error Trace Feasibility Check OK feasible safe unsafe 2018/9/20

Challenges in Higher-Order Setting Predicate Abstraction How to ensure consistency of abstraction? Predicate Discovery How to find new predicates that can eliminate an infeasible error trace from the abstraction? 2018/9/20

Challenges in Higher-Order Setting Predicate Abstraction How to ensure consistency of abstraction? let sum n k = if n≤0 then k 0 else sum (n-1) (𝜆x’.k (x’+n)) let main m = sum m (𝜆x.assert(x≥m)) ¸x.x≥n ¸x.x≥m 2018/9/20

Our Solution: Abstraction Types let sum n k = if n≤0 then k 0 else sum (n-1) (𝜆x’.k (x’+n)) let main m = sum m (𝜆x.assert(x≥m)) 𝜆x’.x’≥n-1 𝜆x.x≥n 𝜆x.x≥m sum: (n:int[] → (int[𝜆x.x≥n] → ⋆) → ⋆) no predicates for n predicate for the 1st argument of k Unit type 2018/9/20

Example: Predicate Abstraction 𝜆x’.x’≥n-1 let sum n k = if n·0 then k 0 else sum (n-1) (𝜆x’.k (x’+n)) let main m = sum m (𝜆x.assert(x≥m)) n>0 𝜆x.x≥n sum: (n:int[] → (int[𝜆x.x≥n] → ⋆) → ⋆) let sum () k = if * then k true else sum () (𝜆b’.k (if b’ then true else rndbool)) let main () = sum () (𝜆b. assert(b)) x’≥n-1 ∧ n>0 ⇒ x’+n≥n Successfully model checked! 2018/9/20

Type-Directed Predicate Abstraction PCF Term Abstraction Type Γ⊢𝑀:𝜏⇒𝑡 Abstraction Type Environment fPCF Term Γ⊢𝑀: 𝜏 ′ →𝜏⇒s Γ⊢𝑁:𝜏′⇒𝑡 Γ⊢𝑀 𝑁:𝜏⇒𝑠 t Predicate Abstraction Rule for Function Applications 2018/9/20

Challenges in Higher-Order Setting Predicate Abstraction How to ensure consistency of abstraction? Predicate Discovery How to find new predicates that can eliminate an infeasible error trace from the abstraction? 2018/9/20

Challenges in Higher-Order Setting Predicate Abstraction How to ensure consistency of abstraction? Predicate Discovery How to find abstraction types that can eliminate an infeasible error trace from the abstraction? 2018/9/20

Our Solution Reduction to refinement type inference of a straightline higher-order program (SHP) Infeasible Error Trace Refinement Type Inference [Unno & Kobayashi PPDP’09] Straightline Higher-Order Program (SHP) RefinementTypes Abstraction Types 2018/9/20

Example: Abstraction Type Finding (1/2) let sum n k = if n≤0 then k 0 else sum (n-1) (𝜆x’.k (x’+n)) let main m = sum m (𝜆x.assert(x≥m)) Infeasible error trace: main m → sum m (𝜆x.assert(x≥m)) → if m≤0 then (𝜆x.assert(x ≥m)) 0 else … → (¸x.assert(x≥m)) 0 → assert(0≥m) → fail m≤0 0≤m 2018/9/20

Example: Abstraction Type Finding (2/2) let sum n k = if n≤0 then k 0 else sum (n-1) (𝜆x’.k (x’+n)) let main m = sum m (𝜆x.assert(x≥m)) main m → ∗ if m≤0… → ∗ m≤0 assert(0≥m) →0<m fail Straightline Higher-Order Program (SHP): let sum n k = assume(n≤0); k 0 let main m = sum m (𝜆x.assume(x<m); fail) [Unno & Kobayashi PPDP’09] Abstraction Type: sum: (n:int[] → (int[𝜆x.x≥n] → ⋆) → ⋆) Refinement Type of SHP: sum: (n:int → ({x:int|x¸n} → ⋆) → ⋆) 2018/9/20

Example: Abstraction Type Finding (1/2) let rec copy x = if x=0 then 0 else 1 + copy (x-1) let main n = assert (copy n = n) Infeasible error trace: main n → assert (copy n = n) → E[if n=0 then 0 else 1 + copy (n-1)] → E[1 + copy (n-1)] → E[1 + (if n-1=0 then 0 else 1 + copy (n-2))]] → E[1 + 0] → assert (1 = n) → fail n ≠ 0 n-1=0 1 ≠ n 2018/9/20

Example: Abstraction Type Finding (2/2) let rec copy x = if x=0 then 0 else 1 + copy (x-1) let main n = assert (copy n = n) main n → ∗ fail Straightline Higher-Order Program (SHP): let copy1 x = assume (x≠0); 1 + copy2 (x-1) let copy2 x = assume (x=0); 0 let main n = assume (copy1 n≠n); fail [Unno & Kobayashi PPDP’09] Abstraction Types: copy: (x:int → int[𝜆r.r=x]) Refinement Types: copy: (x:int → {r:int|r=x}) 2018/9/20

Refinement Type Inference [Unno & Kobayashi PPDP’09] Constraint Generation Constraint Solving Horn Clauses Refinement Types SHP 2018/9/20

Example: Constraint Generation Straightline Higher-Order Program (SHP): let copy1 x = assume (x≠0); 1 + copy2 (x-1) let copy2 x = assume (x=0); 0 let main n = assume (copy1 n≠n); fail Refinement Type Templates: copy1: (x:int → {r:int|P1(x,r)}) copy2: (x:int → {r:int|P2(x,r)}) Horn Clauses: x=0 ∧ r=0 ⇒ P2(x,r) P2(x-1,s) ∧ x≠0 ∧ r=1+s ⇒ P1(x,r) P1(n,r) ⇒ r=n 2018/9/20

Example: Constraint Solving (1/2) Horn Clauses: x=0 ∧ r=0 ⇒ P2(x,r) P2(x-1,s) ∧ x≠0 ∧ r=1+s ⇒ P1(x,r) P1(n,r) ⇒ r=n Horn Clauses with P2 eliminated: x=1 ∧ s=0 ∧ x≠0 ∧ r=1+s ⇒ P1(x,r) P1(n,r) ⇒ r=n Interpolating Prover Solution: P1(x,r) ≡ r=x 2018/9/20

Interpolating Prover Input: 𝜙 1 , 𝜙 2 such that 𝜙 1 ⇒ 𝜙 2 Output: an interpolant 𝜙 of 𝜙 1 , 𝜙 2 such that: 𝜙 1 ⇒𝜙 𝜙⇒ 𝜙 2 𝐹𝑉 𝜙 ⊆𝐹𝑉 𝜙 1 ∩𝐹𝑉 𝜙 2 Example: r=x is an interpolant of: x=1 ∧ s=0 ∧ x≠0 ∧ r=1+s and r=x 2018/9/20

Example: Constraint Solving (2/2) Horn Clauses: x=0 ∧ r=0 ⇒ P2(x,r) P2(x-1,s) ∧ x≠0 ∧ r=1+s ⇒ P1(x,r) P1(n,r) ⇒ r=n Substitute P1(x,r) with r=x Horn Clauses with P1 substituted: x=0 ∧ r=0 ⇒ P2(x,r) P2(x-1,s) ⇒ (x≠0 ∧ r=1+s ⇒ r=x) Interpolating Prover Solution: P2(x,r) ≡ r=x 2018/9/20

Example: Refinement Type Inference Straightline Higher-Order Program (SHP): let copy1 x = assume (x≠0); 1 + copy2 (x-1) let copy2 x = assume (x=0); 0 let main n = assume (copy1 n≠n); fail Refinement Type Templates: copy1: (x:int → {r:int|P1(x,r)}) copy2: (x:int → {r:int|P2(x,r)}) Refinement Types of SHP: copy1: (x:int → {r:int|r=x}) copy2: (x:int → {r:int|r=x}) 2018/9/20

Outline How MoCHi Works? Implementation Summary Functional Encoding Predicate Abstraction & CEGAR Implementation Summary 2018/9/20

MoCHi: Model Checker for Higher-Order Programs Prototype model checker for OCaml Implemented using: TRecS [Kobayashi PPDP’09] as higher-order model checker CVC3 [Barrett & Tinelli CAV’07] for predicate abstraction CSIsat [Beyer et al. CAV’08] for predicate discovery 2018/9/20

Preliminary Experiments (excerpted) Program CEGAR Loops Time (s.) mc91 2 0.07 ackermann 3 0.15 repeat a-max 5 4.78 a-max-e 0.13 l-zipunzip 0.12 e-fact 0.01 r-file 12 5.23 Encoded by functions: let make n = 𝜆i.assert(0≤i∧i<n); 0 let update i x n a = assert(0≤i ∧ i<n); 𝜆j. if i=j then x else a(i) arrays Eliminated by CPS transformation lists exceptions resource usage analysis Environment: Intel® Xeon® 3GHz + 8GB memory 2018/9/20

Outline How MoCHi Works? Implementation Summary Functional Encoding Predicate Abstraction & CEGAR Implementation Summary 2018/9/20

Summary Software model checker MoCHi for OCaml Support integers, recursive data types, exceptions, higher-order functions, and recursion Reduction to higher-order model checking by: Function encoding of recursive data types & exceptions Predicate abstraction & CEGAR Web interface available from: http://www-kb.is.s.u-tokyo.ac.jp/~ryosuke/mochi/ 2018/9/20