© Anvesh Komuravelli Quantified Invariants in Rich Domains using Model Checking and Abstract Interpretation Anvesh Komuravelli, CMU Joint work with Ken.

Presentation transcript:

Title slide: Quantified Invariants in Rich Domains using Model Checking and Abstract Interpretation. Anvesh Komuravelli, CMU. Joint work with Ken McMillan.

Slide 1: The Problem
Input: an array-manipulating program P plus assertions. Wanted: an automatic analysis for assertion failures, with three possible outcomes: Safe + Proof, Unsafe + CEX, Unknown + Partial Proof. The proofs require quantified invariants!

Slide 2: Quantified Invariants, Typically
Specialized abstract domains (e.g. segmentation abstraction, indexed predicate abstraction, points-to analysis, etc.): restrictive, produce false warnings.
Unrestricted model checking (e.g. interpolation-based): hard to find the right quantifiers, divergence.
Is there a rich-enough abstract domain?

Slide 3: The abstract domain
Running example:
    i := 0;
    while (i < n) { a[i] := c; i++; }
    assume (0 ≤ k < n);
    assert (a[k] = c);
The abstract domain is fixed by the quantified variables and the predicate signature. Goal: find a quantifier-free interpretation of the predicates.

Slide 4: Guess-and-check doesn't work anymore! (program of slide 3)
Given a guess for P, how do we check that it suffices? FOL validity is undecidable! Can we still use existing model checkers?

Slide 5: Let's look at the VCs (program of slide 3)

Slide 6: Let's look at the VCs. The quantifiers are pulled to the outermost scope.

Slide 7: Let's look at the VCs. The real challenge: find a sufficient set of witnesses.

Slide 8: Let's look at the VCs. With the witnesses fixed, the problem reduces to quantifier-free invariant generation (use an off-the-shelf model checker).

Slide 9: Two Goals (program of slide 3; quantified variables, predicate signature, abstract domain as on slide 3)
Goal 1: find a sufficient set of witnesses for j.
Goal 2: find a quantifier-free interpretation of the predicates.

Slide 10: A Strategy
Guess some witnesses, then check whether they suffice using a model checker. Y: found a proof. N: give up!
Eager syntactic pattern matching [BMR13]. ([BMR13]: On Solving Universally Quantified Horn Clauses, Bjørner, McMillan, Rybalchenko, SAS'13.)
Drawbacks: unguided instantiation; worst-case unbounded; grows exponentially with the number of quantified variables; may choke the model checker; no fall-back strategy.

Slide 11: Our Strategy
Guess some witnesses, then check whether they suffice using a model checker. Y: found a proof. N: a CEX, which yields a constraint on the witness; refine the guess and repeat.
Guess-and-check, but of the witnesses and not the invariant itself.

Slide 12: Obtaining Strong Constraints
Generalized counterexamples give strong constraints.
Symbolic counterexamples: number of variables = O(size); constraint solving becomes harder (easily diverging).
Instead: ground counterexamples + abstract interpretation.

Slide 13: Note: one witness suffices! [formula not captured in the transcript] is equivalent to [formula not captured in the transcript]. May not be expressible!

Slide 14: Concrete vs. Abstract (figure only)

Slide 15: Concrete vs. Abstract (figure only)

Slide 16: The algorithm. The three VCs: [B], [L], [E].

Slide 17: The algorithm: Instantiate, Check. Predicate instances P(k0,v0,i0,c0), P(k1,v1,i1,c1), P(k2,v2,i2,c2) attached to the VCs B, L, L, E.

Slide 18: The algorithm: Instantiate, Check, Analyze. Same instances P(k0,v0,i0,c0), P(k1,v1,i1,c1), P(k2,v2,i2,c2) over B, L, L, E.

Slide 19: The algorithm: Instantiate, Check, Analyze. Ground instances P(0,0,0,0), P(0,0,1,0), P(0,0,2,0) over B, L, L, E; each check is marked ✕ ? (failed, to be analyzed).

Slide 20: The algorithm: Instantiate, Check, Analyze. Ground instances P(0,0,0,0), P(0,1,0,0), P(0,2,0,0) over B, L, L, E, each marked ✕ ?. Conclusion of the analysis: use k for j.

Slide 21: The algorithm: Instantiate. [B], [L], [E].

Slide 22: The algorithm: Instantiate. [B], [L], [E] ...

Slide 23: Finding a new witness
Given: a constraint, the local variables and the quantified variable. Check a Skolem template f; solve for the witness term t using a sampling-based approach. Restrict to linear templates.

Slide 24: Quantifier Alternation using Sampling
Pick a candidate t_c. Does it suffice? Y: return t_c. N: obtain a CEX l_c, add l_c to the existing samples S, and pick a new candidate t_c consistent with S. This loop is the source of divergence!
Quantifier elimination: eliminate arrays (thanks to Nikolaj for the discussion); cheap QE of integers.
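The witness guess-and-check loop of slides 11, 23 and 24, written out as an added example in plain Python; it is not the authors' Z3Py prototype. The model checker is replaced by exhaustive enumeration over a small bounded domain (an assumption made so the example runs offline), the Skolem template is restricted to linear terms over the local variables as slide 23 states, and every failed check contributes a ground counterexample to the sample set S before the next candidate is chosen. The VC encodings, the domain bounds and the coefficient range are this example's own choices.

```python
from itertools import product

# Program from slide 3:  i := 0; while (i < n) { a[i] := c; i++; }  assume 0 <= k < n; assert a[k] = c
# Candidate invariant at the loop head, with j universally quantified:  forall j. P(j, a[j], i, c)
def P(j, aj, i, c):
    return not (0 <= j < i) or aj == c

N_MAX, VALS = 3, (0, 1)   # bounded domain standing in for the model checker (constructed)

def sel(a, j):
    """Array read; an out-of-range index returns None (P is vacuous there since i <= len(a))."""
    return a[j] if 0 <= j < len(a) else None

def states():
    """All loop-head states (a, n, i, c, k) of the program over the bounded domain."""
    for n in range(1, N_MAX + 1):
        for a in product(VALS, repeat=n):
            for i in range(n + 1):
                for c in VALS:
                    for k in range(n):
                        yield list(a), n, i, c, k

def witness(coeffs, locals_):
    """Linear Skolem template over the local variables: w0 + w1*x1 + w2*x2 + ..."""
    return coeffs[0] + sum(w * x for w, x in zip(coeffs[1:], locals_))

# Verification conditions with the hypothesis' quantifier instantiated at the witness term t.
# [B] needs no witness: i = 0 makes P(j, a[j], 0, c) true for every j.
def vc_loop(state, jp, t):
    """[L]: Inv[j := t] and i < n  imply  P(j', a'[j'], i+1, c) after one iteration."""
    a, n, i, c, k = state
    if not i < n:
        return True
    a2 = a[:]
    a2[i] = c                                   # a[i] := c; i++
    return not P(t, sel(a, t), i, c) or P(jp, sel(a2, jp), i + 1, c)

def vc_exit(state, jp, t):
    """[E]: Inv[j := t] and i >= n and 0 <= k < n  imply  a[k] = c."""
    a, n, i, c, k = state
    return i < n or not P(t, sel(a, t), i, c) or a[k] == c

LOCALS = {vc_loop: lambda st, jp: (st[2], st[4], jp),   # i, k and the conclusion's own j'
          vc_exit: lambda st, jp: (st[2], st[4])}       # i, k

def ground_cex(vc, coeffs):
    """Bounded 'model check': first ground state where the instantiated VC fails, else None."""
    for st in states():
        for jp in range(st[1]):
            if not vc(st, jp, witness(coeffs, LOCALS[vc](st, jp))):
                return st, jp
    return None

def find_witness(vc, bound=1):
    """Guess-and-check of the witness (slide 24): take the first linear template consistent
    with all ground counterexamples collected so far, model-check it, refine on failure."""
    arity = 1 + len(LOCALS[vc](next(states()), 0))
    candidates = list(product(range(-bound, bound + 1), repeat=arity))
    samples = []
    while True:
        consistent = [w for w in candidates
                      if all(vc(st, jp, witness(w, LOCALS[vc](st, jp))) for st, jp in samples)]
        if not consistent:
            return None                         # template too weak: give up
        cex = ground_cex(vc, consistent[0])
        if cex is None:
            return consistent[0], samples       # witness found; samples show the refinement steps
        samples.append(cex)

if __name__ == "__main__":
    for name, vc in (("[E]", vc_exit), ("[L]", vc_loop)):
        w, s = find_witness(vc)
        print(name, "witness coefficients", w, "after", len(s), "counterexamples")
```

Over this domain the only template that discharges [E] is t = k (coefficients (0, 0, 1)), and the only one for [L] is t = j' (coefficients (0, 0, 0, 1)), which matches slide 20's "use k for j" and slide 26's remark that the witness was just a local variable in the VC. Because the candidate space is finite the loop always terminates here; the divergence the slide warns about appears once templates range over an unbounded coefficient space.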

Slide 25: Abstract Post, in practice
1. Cheap QE tricks: case-split on the array-index arguments (equalities on j), etc.
2. Under-approximate otherwise: solve an SMT problem and generalize the models.
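The "eliminate arrays" step of slides 24 and 25, as an added example in plain Python (it is not Z3's qe_array tactic). The post-state array a' = store(a, i, c) of the loop VC [L] is substituted away, every read is pushed through the write with the read-over-write rule, and the resulting ite terms are case-split on the index equality j' = i, leaving a quantifier-free integer formula whose only array reads are over the pre-state array. The tuple-based term syntax, the concrete evaluator and the sampled states are this example's own constructions, used to confirm that the rewrite preserves meaning.

```python
from itertools import product

# Syntax: nested tuples. Integers: ('var', x) | ('const', n) | ('add', s, t) | ('ite', f, s, t)
# Arrays: ('var', a) | ('store', arr, idx, val); reads: ('select', arr, idx)
# Formulas: ('eq'|'lt'|'le', s, t) | ('not', f) | ('and'|'or'|'implies', f, g)

def evaluate(t, env):
    """Concrete evaluator (arrays are dicts; an unwritten index reads as 0 by assumption)."""
    op, args = t[0], t[1:]
    if op == 'var':    return env[args[0]]
    if op == 'const':  return args[0]
    if op == 'add':    return evaluate(args[0], env) + evaluate(args[1], env)
    if op == 'ite':    return evaluate(args[1], env) if evaluate(args[0], env) else evaluate(args[2], env)
    if op == 'select': return evaluate(args[0], env).get(evaluate(args[1], env), 0)
    if op == 'store':
        arr = dict(evaluate(args[0], env))
        arr[evaluate(args[1], env)] = evaluate(args[2], env)
        return arr
    if op == 'not':    return not evaluate(args[0], env)
    l, r = evaluate(args[0], env), evaluate(args[1], env)
    return {'eq': l == r, 'lt': l < r, 'le': l <= r, 'and': l and r, 'or': l or r,
            'implies': (not l) or r}[op]

def replace(t, old, new):
    """Structural substitution of the subterm old by new."""
    if t == old:
        return new
    if not isinstance(t, tuple) or t[0] in ('var', 'const'):
        return t
    return (t[0],) + tuple(replace(x, old, new) for x in t[1:])

def select_over_store(t):
    """Read-over-write: select(store(a, i, v), j) -> ite(j = i, v, select(a, j)), applied
    bottom-up until no read is applied to a write; this removes the written array."""
    if not isinstance(t, tuple):
        return t
    t = (t[0],) + tuple(select_over_store(x) for x in t[1:])
    if t[0] == 'select' and t[1][0] == 'store':
        _, (_, a, i, v), j = t
        return ('ite', ('eq', j, i), v, select_over_store(('select', a, j)))
    return t

def find_ite(t):
    """First ite subterm in preorder, or None."""
    if not isinstance(t, tuple):
        return None
    if t[0] == 'ite':
        return t
    return next((r for r in map(find_ite, t[1:]) if r is not None), None)

def lift_ite(f):
    """Case-split on the index equality: an atom over ite(c, s, t) becomes
    (c and atom[s]) or (not c and atom[t]). The result contains no ite."""
    if f[0] == 'not':
        return ('not', lift_ite(f[1]))
    if f[0] in ('and', 'or', 'implies'):
        return (f[0], lift_ite(f[1]), lift_ite(f[2]))
    ite = find_ite(f)                      # f is an atom here
    if ite is None:
        return f
    cond, s, t = ite[1:]
    return ('or', ('and', lift_ite(cond), lift_ite(replace(f, ite, s))),
                  ('and', ('not', lift_ite(cond)), lift_ite(replace(f, ite, t))))

def qe_array(vc, written, store_term):
    """Eliminate the post-state array `written` by substituting its defining store term,
    pushing reads through the write, and case-splitting on the index arguments."""
    return lift_ite(select_over_store(replace(vc, ('var', written), store_term)))

def ops(t):
    """Set of operators occurring in a term or formula."""
    return {t[0]}.union(*(ops(x) for x in t[1:])) if isinstance(t, tuple) else set()

def mentions(t, name):
    return t == ('var', name) or (isinstance(t, tuple) and any(mentions(x, name) for x in t[1:]))

# The loop VC [L] of the slides' program with the hypothesis instantiated at witness j := j'.
def var(x): return ('var', x)
def P(j, aj, i, c):   # 0 <= j < i  ->  a[j] = c
    return ('implies', ('and', ('le', ('const', 0), j), ('lt', j, i)), ('eq', aj, c))

a, a2, i, n, c, jp = map(var, ["a", "a'", "i", "n", "c", "j'"])
STORE = ('store', a, i, c)                # the loop body's write: a' = a[i := c]
VC_L = ('implies', ('and', ('lt', i, n), P(jp, ('select', a, jp), i, c)),
                   P(jp, ('select', a2, jp), ('add', i, ('const', 1)), c))

def sample_envs():
    """Constructed concrete states: arrays of length 3 over {0,1}, small i, n, c, j'."""
    envs = []
    for vals in product((0, 1), repeat=3):
        for iv, nv, cv, jv in product(range(4), range(4), (0, 1), range(-1, 4)):
            env = {'a': dict(enumerate(vals)), 'i': iv, 'n': nv, 'c': cv, "j'": jv}
            env["a'"] = evaluate(STORE, env)  # post-state array, needed only by the original VC
            envs.append(env)
    return envs

def check_equivalent(f, g, envs):
    return all(evaluate(f, e) == evaluate(g, e) for e in envs)
```

After `qe_array(VC_L, "a'", STORE)` the formula no longer mentions a', store or ite; the single case split it introduces is j' = i versus j' ≠ i, exactly the "case-split on array-index arguments" of slide 25, and what remains is an integer formula with reads a[j'] over the pre-state array only. The slide's second step (under-approximating with an SMT model when the cheap tricks do not apply) is not covered by this rewrite.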

Slide 26: Experiments
Implemented a "qe_array" tactic in Z3; prototype in Python using the Z3Py interface for witness generation.
Automatically generated "sufficient witnesses" for the small array-manipulating programs of BMR13: array init, find, copy, concatenate, reverse, etc. Used the GPDR engine in Z3 to solve for the quantifier-free predicates. Up to two universal quantifiers per predicate. In each case the witness was just a local variable in the VC.

Slide 27: Moving forward...
Scalability: handle large programs (with multiple procedures). How to pick a relevant "set" of witnesses? Can we synthesize guards to combine them into a single witness?
Implementation-wise: cache previous AI results; reuse bounded proofs (proof-based abstraction); lazy QE, postponing it to later steps?
Alternatives: use over-approximations of the reachable states; a witness may then not exist, so the approximation needs refining.

Slide 28: Questions?