Inferring Simple Solutions to Recursion-free Horn Clauses via Sampling

Presentation transcript:

Inferring Simple Solutions to Recursion-free Horn Clauses via Sampling
Hiroshi Unno (University of Tsukuba), Tachio Terauchi (JAIST)
2015/4/13, TACAS 2015

Program Verification with CEGAR

Iteratively refine a candidate predicate set Δ ⊆ Preds(T) until Δ witnesses the safety of the given program P, where T is the background FOL theory (e.g., QFLRA):
- Check if Δ ⊢ P safe.
- Otherwise, take a counterexample path π ∈ Paths(P) s.t. Δ ⊢ π.
- Discover predicates Γ s.t. Γ ⊢ π unsafe, and set Δ := Δ ∪ Γ.

Much success for imperative programs (SLAM, BLAST, …), for concurrent programs (Threader, SymmPA, …), and for functional programs (Depcegar, MoCHi, …).

How to guarantee convergence of CEGAR? Our talk at ESOP on Thursday 16.
How to find "good" solutions achieving faster convergence? This talk.

Horn Clause Solving as Unified Framework for Predicate Discovery [U.+2009] [Terauchi2010] [Gupta+2011] [Grebenshchikov+2012] [Rümmer+2013] …

Generate and solve a set of constraints H s.t. H has a solution θ ⟹ Rng(θ) ⊢ π.
- H: a recursion-free Horn clause constraint set on predicate variables that represent (over-approximations of) the reachable states of (each location in) π.
- θ: a substitution for the predicate variables.

Example:
H = { Q(x,y) ⇐ (x≥0 ∧ y≥2) ∨ (x≥1 ∧ y≥1) ∨ (x≥2 ∧ y≥0),  ⊥ ⇐ Q(x,y) ∧ Q(−x,−y) }
θ = { Q ↦ λ(x,y). x+y ≥ 2 }

Example: Solutions of Recursion-Free Horn Clauses

Recursion-free Horn clauses:
Q(x,y) ⇐ (x≥0 ∧ y≥2) ∨ (x≥1 ∧ y≥1) ∨ (x≥2 ∧ y≥0),
⊥ ⇐ Q(x,y) ∧ Q(−x,−y)

Solutions for Q(x,y):
- x+y ≥ 2
- (x≥0 ∧ y≥2) ∨ (x≥1 ∧ y≥1) ∨ (x≥2 ∧ y≥0)
- …

x+y ≥ −2 is not a solution because it overlaps with −x + −y ≥ −2.

[Figure: the solutions plotted in the x–y plane, axes ranging from −2 to 2]

Simple Preds. aid in Faster Convergence? [Hoder+2012] [Albarghouthi+2013]

Correct programs tend to be correct for simple reasons, per Occam's razor. Simple predicates often cover emerging patterns.

[Figure: two x–y plots (axes −2 to 2) comparing the disjunctive solution (x≥0 ∧ y≥2) ∨ (x≥1 ∧ y≥1) ∨ (x≥2 ∧ y≥0) with the simple solution x+y ≥ 2]

Contribution

New algorithm for finding simple solutions of recursion-free Horn clauses over QFLRA, based on:
- Iterative sampling
- Constraint decomposition
  - for head-joining predicate variables
  - for body-joining predicate variables
- Solution composition using solution space

Implementation and experiments

Iterative Sampling of Horn Clauses (cf. sampling for interpolation [Albarghouthi+2013])

Original Horn clauses:
Q(x,y) ⇐ (x≥0 ∧ y≥2) ∨ (x≥1 ∧ y≥1) ∨ (x≥2 ∧ y≥0),
⊥ ⇐ Q(x,y) ∧ Q(−x,−y)

Sampled conjunctive clauses:
Q(x,y) ⇐ x≥0 ∧ y≥2,
⊥ ⇐ Q(x,y) ∧ Q(−x,−y)

Solution: y ≥ 2. But y ≥ 2 is not a solution of the original.

[Figure: x–y plot (axes −2 to 2) of the sampled region and the candidate y ≥ 2]

Iterative Sampling of Horn Clauses (cf. sampling for interpolation [Albarghouthi+2013])

Original Horn clauses:
Q(x,y) ⇐ (x≥0 ∧ y≥2) ∨ (x≥1 ∧ y≥1) ∨ (x≥2 ∧ y≥0),
⊥ ⇐ Q(x,y) ∧ Q(−x,−y)

Sampled conjunctive clauses:
Q(x,y) ⇐ x≥0 ∧ y≥2,
Q(x,y) ⇐ x≥2 ∧ y≥0,
⊥ ⇐ Q(x,y) ∧ Q(−x,−y)

Solution: x+y ≥ 2, which is a genuine solution of the original!

[Figure: x–y plot (axes −2 to 2) of the two sampled regions and the candidate x+y ≥ 2]

How to Solve Sampled Horn Clauses?

Key observation: H either has an atomic solution or no solution, if H is a sampled conjunctive Horn clause set without head- and body-joining predicate variables.
- P is head-joining if P occurs multiple times in heads.
- P is body-joining if P occurs multiple times in bodies.

Our approach: if H has a head- or body-joining predicate variable P,
1. Decompose H into H₁, …, Hₙ to make P non-joining.
2. Find simple solutions θ₁, …, θₙ for H₁, …, Hₙ.
3. Compose a solution for H from θ₁, …, θₙ.

Lazy Constraint Decomposition for Head-Joining Predicate Variables

Sampled conjunctive clauses H:
R(x,y) ⇐ x≥0 ∧ y≥2,
R(x,y) ⇐ x≥2 ∧ y≥0,
⊥ ⇐ R(x,y) ∧ x≤1 ∧ 2⋅y≤3

H has no atomic solution! So, we decompose H into
H₁: R(x,y) ⇐ x≥0 ∧ y≥2,  ⊥ ⇐ R(x,y) ∧ x≤1 ∧ 2⋅y≤3
and
H₂: R(x,y) ⇐ x≥2 ∧ y≥0,  ⊥ ⇐ R(x,y) ∧ x≤1 ∧ 2⋅y≤3

[Figure: x–y plot (axes 0 to 2) of the two sampled regions and the unsafe region x≤1 ∧ 2⋅y≤3]
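The sampling step, the head-/body-joining test and the lazy decomposition described on the last few slides, as an added Python example that is not the authors' MoCHi implementation: clause sets are encoded as plain tuples (my encoding), and check_on_grid is an assumed stand-in for the Z3 check of candidate solutions that only tests integer points in a bounded box, so it can refute a candidate but not prove one.

```python
from itertools import product

# Clauses are (head, body): head is (pred, args) or None for the goal ⊥; body
# is a list of disjuncts, each a list of ("atom", expr) or ("pred", name, args)
# literals. Atoms and args are Python expressions over x and y. H_ORIG is a
# constructed encoding of the slides' example H (not the MoCHi engine's code).
H_ORIG = [
    (("Q", ("x", "y")), [[("atom", "x>=0"), ("atom", "y>=2")],
                          [("atom", "x>=1"), ("atom", "y>=1")],
                          [("atom", "x>=2"), ("atom", "y>=0")]]),
    (None, [[("pred", "Q", ("x", "y")), ("pred", "Q", ("-x", "-y"))]]),
]

def sample(clauses, picks):
    """Sampling step: keep disjunct picks[i] of clause i -> conjunctive clauses."""
    return [(h, [body[i]]) for (h, body), i in zip(clauses, picks)]

def head_joining(clauses):
    """Predicate variables occurring more than once in heads."""
    heads = [h[0] for h, _ in clauses if h]
    return {p for p in heads if heads.count(p) > 1}

def body_joining(clauses):
    """Predicate variables occurring more than once in bodies."""
    occ = [l[1] for _, b in clauses for d in b for l in d if l[0] == "pred"]
    return {p for p in occ if occ.count(p) > 1}

def decompose_head(clauses, p):
    """Lazy decomposition for head-joining p: one sub-problem per clause that
    defines p, each keeping every clause that does not define p."""
    defs = [c for c in clauses if c[0] and c[0][0] == p]
    rest = [c for c in clauses if c not in defs]
    return [[c] + rest for c in defs]

def check_on_grid(clauses, cand, bound=3):
    """Bounded sanity check (assumed stand-in for the SMT check, not a proof):
    does cand (pred name -> Python predicate) satisfy every clause at all
    integer points of [-bound, bound]^2? Returns a violating point or None."""
    def holds(pred, args, env):
        return cand[pred](*(eval(a, {}, env) for a in args))
    def lit(l, env):
        return eval(l[1], {}, env) if l[0] == "atom" else holds(l[1], l[2], env)
    for x, y in product(range(-bound, bound + 1), repeat=2):
        env = {"x": x, "y": y}
        for head, body in clauses:
            body_on = any(all(lit(l, env) for l in d) for d in body)
            if body_on and not (head and holds(head[0], head[1], env)):
                return (x, y)
    return None
```

With the slides' H, check_on_grid refutes y ≥ 2 at the point (1, 1) and finds no violation for x+y ≥ 2, while the sampled clause set with only the first disjunct accepts y ≥ 2.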

Eager Constraint Decomposition for Body-Joining Predicate Variables

[Diagram: left, a clause tree in which the predicate variable P occurs twice in the bodies leading to ⊥; right, the same tree after decomposition, where the two occurrences are replaced by fresh predicate variables P₁ and P₂, each defined by a copy of the body φ]

Solution Composition

Iteratively solve each tree component from the root-most one, obtaining P₁ ↦ λx. φ₁ and P₂ ↦ λx. φ₂.

The composed solution λx. φ₁ ∧ φ₂ for P may not be the simplest.

[Diagram: the decomposed clause tree, annotated with λx. φ₁ for P₁, λx. φ₂ for P₂, and λx. φ₁ ∧ φ₂ for P]

Solution Composition using Solution Space

Iteratively compute a solution space S for each tree component from the root-most one, using Farkas' lemma (see paper for details).

{P₁ ↦ λx. φ₁, P₂ ↦ λx. φ₂, …} ∈ S
{P₁ ↦ λx. φ₃, P₂ ↦ λx. φ₃, …} ∈ S

We get more chance to obtain a simple solution for P (here λx. φ₃)!

[Diagram: the decomposed clause tree, annotated with λx. φ₃ for P]

Previous Approaches to Solving Horn Clauses with Body-Joining Pred. Vars.

Iteration-based [U.+2009] [Terauchi2010]: iteratively solve each Horn clause from the root.

Expansion-based [McMillan+2013] [Rümmer+2013]: eliminate body-joining pred. vars. by expansion.

[Diagram: a clause tree with P occurring twice in bodies and subtrees Q, R; after expansion the occurrences become P₁, P₂ with duplicated subtrees Q₁, R₁ and Q₂, R₂]

Prototype Implementation as Predicate Discovery Engine of MoCHi

MoCHi [1]: CEGAR-based safety and termination verifier for higher-order functional programs.

Our implementation uses:
- GLPK [2] for operating on solution spaces
- Z3 [3] for checking candidate solutions

[1] MoCHi (http://www-kb.is.s.u-tokyo.ac.jp/~ryosuke/mochi/)
[2] GLPK (http://www.gnu.org/software/glpk)
[3] Z3 (http://z3.codeplex.com)

Experiment Results: Elapsed Time of Individual Refinement Runs

327 counterexamples generated from 139 benchmark programs. Three refinement algorithms: New algorithm, Iteration-based, and Expansion-based.

[Figure: scatter plots of elapsed time, New algorithm vs. Iteration-based and New algorithm vs. Expansion-based]

Experiment Results: Solution Size of Individual Refinement Runs

327 counterexamples generated from 139 benchmark programs. Three refinement algorithms: New algorithm, Iteration-based, and Expansion-based.

[Figure: scatter plots of solution size, New algorithm vs. Iteration-based and New algorithm vs. Expansion-based]

Experiment Results: Overall Verification Performance

139 benchmark programs. MoCHi with each of the three refinement processes: New algorithm, Iteration-based, and Expansion-based.

[Figure: plots of overall verification performance, New algorithm vs. Iteration-based and New algorithm vs. Expansion-based]

Summary

New algorithm for finding simple solutions of recursion-free Horn clauses over QFLRA, based on:
- Iterative sampling
- Constraint decomposition
  - for head-joining predicate variables
  - for body-joining predicate variables
- Solution composition using solution space

Implementation and experiments as predicate discovery engine of MoCHi