Program Analysis as Constraint Solving Sumit Gulwani (MSR Redmond) Ramarathnam Venkatesan (MSR Redmond) Saurabh Srivastava (Univ. of Maryland) TexPoint.

Slides:

Advertisements

Similar presentations

Assertion Checking over Combined Abstraction of Linear Arithmetic and Uninterpreted Functions Sumit Gulwani Microsoft Research, Redmond Ashish Tiwari SRI.

Advertisements

Program Verification using Probabilistic Techniques Sumit Gulwani Microsoft Research Invited Talk: VSTTE Workshop August 2006 Joint work with George Necula.

Precise Interprocedural Analysis using Random Interpretation Sumit Gulwani George Necula UC-Berkeley.

Program Analysis using Random Interpretation Sumit Gulwani UC-Berkeley March 2005.

Logical Abstract Interpretation Sumit Gulwani Microsoft Research, Redmond.

Demand-driven inference of loop invariants in a theorem prover

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Constraint-based Invariant Inference over Predicate Abstraction Sumit Gulwani Ramarathnam Venkatesan Microsoft Research, Redmond Saurabh Srivastava University.

An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.

Synthesis, Analysis, and Verification Lecture 04c Lectures: Viktor Kuncak VC Generation for Programs with Data Structures “Beyond Integers”

SPEED: Precise & Efficient Static Estimation of Symbolic Computational Complexity Sumit Gulwani MSR Redmond TexPoint fonts used in EMF. Read the TexPoint.

Satisfiability Modulo Theories (An introduction)

Shape Analysis by Graph Decomposition R. Manevich M. Sagiv Tel Aviv University G. Ramalingam MSR India J. Berdine B. Cook MSR Cambridge.

Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.

Logic as the lingua franca of software verification Ken McMillan Microsoft Research TexPoint fonts used in EMF: A A A A A Joint work with Andrey Rybalchenko.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.

1 Cover Algorithms and Their Combination Sumit Gulwani, Madan Musuvathi Microsoft Research, Redmond.

Panel on Decision Procedures Panel on Decision Procedures Randal E. Bryant Lintao Zhang Nils Klarlund Harald Ruess Sergey Berezin Rajeev Joshi.

1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.

1/22 Programs : Semantics and Verification Charngki PSWLAB Programs: Semantics and Verification Mordechai Ben-Ari Mathematical Logic for Computer.

Relatively Complete Verification of Higher- Order Programs (via Automated Refinement Type Inference) Tachio Terauchi Nagoya University TexPoint fonts used.

SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:

Rahul Sharma Işil Dillig, Thomas Dillig, and Alex Aiken Stanford University Simplifying Loop Invariant Generation Using Splitter Predicates.

Discovering Affine Equalities Using Random Interpretation Sumit Gulwani George Necula EECS Department University of California, Berkeley.

Program Verification as Probabilistic Inference Sumit Gulwani Nebojsa Jojic Microsoft Research, Redmond.

Using Statically Computed Invariants Inside the Predicate Abstraction and Refinement Loop Himanshu Jain Franjo Ivančić Aarti Gupta Ilya Shlyakhter Chao.

Assertion Checking Unified Sumit Gulwani Microsoft Research, Redmond Ashish Tiwari SRI.

Nikolaj Bjørner Microsoft Research Lecture 3. DayTopicsLab 1Overview of SMT and applications. SAT solving, Z3 Encoding combinatorial problems with Z3.

Interpolants [Craig 1957] G(y,z) F(x,y)

1 Predicate Abstraction of ANSI-C Programs using SAT Edmund Clarke Daniel Kroening Natalia Sharygina Karen Yorav (modified by Zaher Andraus for presentation.

A Numerical Abstract Domain based on Expression Abstraction + Max Operator with Application in Timing Analysis Sumit Gulwani (MSR Redmond) Bhargav Gulavani.

VS 3 : Verification and Synthesis using SMT Solvers SMT Solvers for Program Verification Saurabh Srivastava * Sumit Gulwani ** Jeffrey S. Foster * * University.

Software Verification Bertrand Meyer Chair of Software Engineering Lecture 2: Axiomatic semantics.

Program Verification using Templates over Predicate Abstraction Saurabh Srivastava University of Maryland, College Park Sumit Gulwani Microsoft Research,

1 A propositional world Ofer Strichman School of Computer Science, Carnegie Mellon University.

Describing Syntax and Semantics

Invisible Invariants: Underapproximating to Overapproximate Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.

CS 267: Automated Verification Lecture 13: Bounded Model Checking Instructor: Tevfik Bultan.

Formal Verification of SpecC Programs using Predicate Abstraction Himanshu Jain Daniel Kroening Edmund Clarke Carnegie Mellon University.

TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A Sumit Gulwani Microsoft Research, Redmond, USA

Ofer Strichman, Technion Deciding Combined Theories.

272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 4: SMT-based Bounded Model Checking of Concurrent Software.

Deciding a Combination of Theories - Decision Procedure - Changki pswlab Combination of Theories Daniel Kroening, Ofer Strichman Presented by Changki.

C&O 355 Lecture 2 N. Harvey TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A.

From Program Verification to Program Synthesis Saurabh Srivastava * Sumit Gulwani ♯ Jeffrey S. Foster * * University of Maryland, College Park ♯ Microsoft.

Constraint-based Invariant Inference. Invariants Dictionary Meaning: A function, quantity, or property which remains unchanged Property (in our context):

C&O 355 Mathematical Programming Fall 2010 Lecture 4 N. Harvey TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A A.

Lazy Annotation for Program Testing and Verification Speaker: Chen-Hsuan Adonis Lin Advisor: Jie-Hong Roland Jiang November 26,

Formal verification of skiplist algorithms Student: Trinh Cong Quy Supervisor: Bengt Jonsson Reviewer: Parosh Abdulla.

Program Analysis and Verification Spring 2014 Program Analysis and Verification Lecture 4: Axiomatic Semantics I Roman Manevich Ben-Gurion University.

Program Verification and Synthesis using Templates over Predicate Abstraction Saurabh Srivastava # Sumit Gulwani * Jeffrey S. Foster # # University of.

Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University.

COP4020 Programming Languages Introduction to Axiomatic Semantics Prof. Robert van Engelen.

Proving Non-Termination Gupta, Henzinger, Majumdar, Rybalchenko, Ru-Gang Xu presentation by erkan.

11 Counter-Example Based Predicate Discovery in Predicate Abstraction Satyaki Das and David L. Dill Computer Systems Lab Stanford University

13 Aug 2013 Program Verification. Proofs about Programs Why make you study logic? Why make you do proofs? Because we want to prove properties of programs.

Random Interpretation Sumit Gulwani UC-Berkeley. 1 Program Analysis Applications in all aspects of software development, e.g. Program correctness Compiler.

SAT-Based Model Checking Without Unrolling Aaron R. Bradley.

Daniel Kroening and Ofer Strichman Decision Procedures An Algorithmic Point of View Deciding Combined Theories.

1 Proving program termination Lecture 5 · February 4 th, 2008 TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A.

CS357 Lecture 13: Symbolic model checking without BDDs Alex Aiken David Dill 1.

Bounded Model Checking A. Biere, A. Cimatti, E. Clarke, Y. Zhu, Symbolic Model Checking without BDDs, TACAS’99 Presented by Daniel Choi Provable Software.

Boolean Programs: A Model and Process For Software Analysis By Thomas Ball and Sriram K. Rajamani Microsoft technical paper MSR-TR Presented by.

Tutorial: Proving termination and liveness

Programming Languages and Compilers (CS 421)

Predicate Transformers

The Zoo of Software Security Techniques

Program correctness Axiomatic semantics

Predicate Abstraction

Presentation transcript:

Program Analysis as Constraint Solving Sumit Gulwani (MSR Redmond) Ramarathnam Venkatesan (MSR Redmond) Saurabh Srivastava (Univ. of Maryland) TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A

Introduction Last decade has witnessed an engineering revolution in constraint solving. We have developed techniques to reduce classic program analysis problems to constraint solving (in the context of linear arithmetic properties). –Program Verification –Inter-procedural Program Analysis –Weakest Precondition Generation –Strongest Postcondition Generation We show applications of these techniques to –Proving termination/Bounds Analysis –Finding preconditions for non-termination –Most-general counterexamples 1

Introduction Last decade has witnessed an engineering revolution in constraint solving. We have developed techniques to reduce classic program analysis problems to constraint solving (in the context of linear arithmetic properties). –Program Verification –Inter-procedural Program Analysis –Weakest Precondition Generation –Strongest Postcondition Generation We show applications of these techniques to –Proving termination/Bounds Analysis –Finding preconditions for non-termination –Most-general counterexamples 2

Program Verification Verify a Hoare triple (Pre, Program, Post) 3 Pre while (c) S Post Pre ) I I Æ : c ) Post (I Æ c)[S] ) I 9 I I 8X8X Second-order satisfiability constraint

Solving second-order satisfiability constraints 9 I 8 X Á 1 (I,X) Second-order to First-order – Assume I has some form, e.g.,  j a j x j ¸ 0 – 9 I 8 X Á 1 (I,X) translates to 9 a j 8 X Á 2 (a j,X) First-order to “only existentially quantified” –Farkas Lemma helps translate 8 to 9 – 8 X ( Æ k (e k ¸ 0) ) e ¸ 0) iff 9 k ¸ 0 8 X (e ´ +  k k e k ) Eliminate X from polynomial equality by equating coefficients. – 9 a j 8 X Á 2 (a j,X) translates to 9 a j 9 ¸ k Á 3 (a j, ¸ k ) “only existentially quantified” to SAT –Bit-vector modeling for integer variables 4

Program Verification: Example 5 [n=1 Æ m=1] x := 0; y := 0; while (x < 100) x := x+n; y := y+m; [y ¸ 100] a 0 + a 1 x + a 2 y + a 3 n + a 4 m ¸ 0 b 0 + b 1 x + b 2 y + b 3 n + b 4 m ¸ 0 y ¸ x m ¸ 1 n · 1 a 2 =b 0 =c 4 =1, a 1 =b 3 =c 0 =-1 a 0 + a 1 x + a 2 y + a 3 n + a 4 m ¸ 0 b 0 + b 1 x + b 2 y + b 3 n + b 4 m ¸ 0 c 0 + c 1 x + c 2 y + c 3 n + c 4 m ¸ 0 y ¸ x m ¸ n a 2 =b 2 =1, a 1 =b 1 =-1 a 0 + a 1 x + a 2 y + a 3 n + a 4 m ¸ 0 Invalid triple or Imprecise Template UNSAT Invariant Template Satisfying Solution Loop Invariant

Outline Program Verification  Weakest Precondition Generation Termination/Bounds Analysis Most-general Counterexamples 6

Weakest Precondition Find “weakest” Pre such that the Hoare triple (Pre, Program, Post) is valid. 7 [m ¸ n] x := 0; y := 0; while (x < 100) x := x+n; y := y+m; [y ¸ 100]

Weakest Precondition: Attempt 1 Find “weakest” Pre such that the Hoare triple (Pre, Program, Post) is valid. 8 Pre while (c) S Post Pre ) I I Æ : c ) Post (I Æ c)[S] ) I 8X8X Precondition Encoding 9 Pre, I VC(Pre) 8 R: If R is weaker than Pre, then : VC(R) 9 Pre, I VC(Pre) “Weakest” Precondition Encoding Unfortunately, Farkas lemma is no longer applicable since the formula is non-linear in universally quantified variables.

Weakest Precondition: Attempt 2 Find “weakest” Pre such that the Hoare triple (Pre, Program, Post) is valid. 9 Pre while (c) S Post Pre ) I I Æ : c ) Post (I Æ c)[S] ) I I 8X8X Precondition Encoding VC(Pre) Pre is weaker than false 9 Pre, I Non-false Precondition Encoding m ¸ n+127 is a satisfying assignment for Pre. However, this is still not “Weakest” Pre. Pre x := 0; y := 0; while (x < 100) x := x+n; y := y+m; [y ¸ 100] 9 Pre, I VC(Pre)

Weakest Precondition: Attempt 3 Find “weakest” Pre such that the Hoare triple (Pre, Program, Post) is valid. 10 Pre while (c) S Post Pre ) I I Æ : c ) Post (I Æ c)[S] ) I I 8X8X Precondition Encoding VC(Pre) Pre is weaker than Previous Pre 9 Pre, I “Weaker then Previous“ Precondition Encoding Seq. m ¸ n+127, m ¸ n+126,…, m ¸ n is admissible. This iterative refinement is too slow. Pre x := 0; y := 0; while (x < 100) x := x+n; y := y+m; [y ¸ 100] 9 Pre, I VC(Pre)

Weakest Precondition: Solution 1 Find “weakest” Pre such that the Hoare triple (Pre, Program, Post) is valid. 11 Pre while (c) S Post Pre ) I I Æ : c ) Post (I Æ c)[S] ) I I 8X8X Precondition Encoding VC(Pre) Pre is weaker then Previous Pre : VC(R 1 ) Æ : VC(R 2 ) … 9 Pre, I Locally-weakest Precondition Encoding 9 Pre, I VC(Pre) where R 1, R 2,… are weaker neighbors of Pre. Pre x := 0; y := 0; while (x < 100) x := x+n; y := y+m; [y ¸ 100]

Weaker Neighborhood Structure Weaker neighbors of e 1 ¸ 0 Æ e 2 ¸ 0 are: e 1 +1 ¸ 0 Æ e 2 ¸ 0 e 1 ¸ 0 Æ e 2 +1 ¸ 0 e 1 +e 2 ¸ 0 Æ e 2 ¸ 0 e 1 ¸ 0 Æ e 2 +e 1 ¸ 0 12 Shift plane e i parallel to itself. Rotate plane e i along its intersection with another plane. Geometric Interpretation

Weakest Precondition: Solution 1 Find “weakest” Pre such that the Hoare triple (Pre, Program, Post) is valid. Pre while (c) S Post Pre ) I I Æ : c ) Post (I Æ c)[S] ) I I 8X8X Precondition Encoding VC(Pre) Æ : VC(R 1 ) Æ : VC(R 2 ) … Pre is weaker than Previous Pre 9 Pre, I Locally-weakest Precondition Encoding 9 Pre, I VC(Pre) Pre x := 0; y := 0; while (x < 100) x := x+n; y := y+m; [y ¸ 100] We directly obtain m ¸ n. –m ¸ n+c is no longer locally-weakest for c>0. In fact, we obtain one more solution: n · 0. Generally, locally weakest  weakest. Iteration may be required.

Outline Program Verification Weakest Precondition Generation  Termination/Bounds Analysis Most-general Counterexample 14

Termination/Bounds Analysis 15 while (c) S i := 0; while (c) i := i+1; Assert(i · F(inputs)); S Transformation introduces a counter to track loop iterations. Then we run “Program Verification” Algorithm. –Besides loop invariant, part F of assertion is also unknown. –Existence of a solution yields a termination proof. –Solution for F gives upper bound on # of loop iterations.

Outline Program Verification Weakest Precondition Generation Termination/Bounds Analysis  Most-general Counterexample 16

Most-general Counterexample x := 0; while (x < n) Assert(x<200); x := x+y; 17 Pre x := 0; err := 0; i := 0; while (x < n) i := i+1; Assert(i · F(n,y)); if (x ¸ 200) err := 1; x := x+y; Assert (err=1) “n=356 and y=12” leads to a bug. However, it is more useful to say “y>0 Æ n ¸ 200+y” leads to a bug. We generate this by: 2-step Transformation –Introduce error variable err to track assertion violation. –Introduce counter i to track loop iterations/termination. Then, we run “weakest” Precondition algorithm.

Experiments: Methodology We ran our tool against academic/small benchmarks used by 10 earlier pieces of work that address a wide variety of program analyses related to linear arithmetic properties. –Inter-procedural analysis, Disjunctive invariant inference, termination/bounds analysis, non-termination, strongest Postcondition generation. Parameters: –Templates: 2 conjuncts/1 disjunct –Bit-vector modeling: 3 bits for unknown coefficients, 6 bits for unknown constants, 1 bit for multipliers ¸ in Farkas lemma –Iteratively increased these quantities. 18

Experiments: Results Clauses generated: 5K to 560K (Most examples < 200K) Time taken: 0.1 sec to 80 sec (Most examples < 5 sec) –comparable; however, demonstrates versatility 19

20 Related Work: Constraint based techniques Invariant discovery Linear [Colon, Sankaranarayanan, Sipma, CAV ‘03] Non-linear [Sankaranarayanan et al, POPL ‘04]; [Kapur, ‘05] Linear arithmetic + uninterpreted fns [Beyer et.al., VMCAI ‘07] This work only addresses linear invariants, but With arbitrary (pre-specified) boolean structure. In an inter-procedural setting. In a weakest precondition generation mode too. Bug Finding SATURN [Xie, Aiken, CAV ‘05]: works with loop-free programs This work only addresses programs with linear assignments, but Finds most-general bugs in programs with loops

21 Conclusion Constraint-based techniques offer 2 advantages over fixed-point computation based techniques: –Goal-directed (may buy efficiency) –Do not require widening (may buy precision) This work showed how to reduce a wide variety of program analysis problems to constraint solving over the domain of linear arithmetic. Future work includes extending these ideas to other domains such as pointers, quantifiers.