Assertion Checking Unified
Sumit Gulwani, Microsoft Research, Redmond
Ashish Tiwari, SRI

Example (a flowchart on the slide; the statements it contains, with the layout lost):

    a := a × c; b := b × c;
    u := u + (a × c);
    v := v + (a × c) + (c × a);
    f := f - 1; z := z - 2;
    Assert(v = 2u)
    a := 1; b := 1; z := f + f;
    Assert(a = b)   Assert(z = 2w)
    branch on f ≠ w (True / False)
    f := w; u := 0; v := 0;
    non-deterministic choice (*)

The assertion a = b (green on the slide) requires modeling × as uninterpreted. The assertion v = 2u (red) requires modeling × as commutative, and reasoning about the disequality guard f ≠ w. The assertion z = 2w (blue) requires reasoning about the equality guard f = w.

Abstract Program Model / Problem Statement

Program expressions:
    Linear Arithmetic:        e ::= y | c | e1 ± e2 | c·e
    Uninterpreted Functions:  e ::= y | F(e1, e2)
    Combination:              e ::= y | c | e1 ± e2 | c·e | F(e1, e2)

Program constructs:
    Assignment              y := e
    Non-det conditional     if (*) then … else …   (True / False branches)
    Non-det assignment      y := ?
    Disequality guard       Assume(e1 ≠ e2)
    Assertion               Assert(e1 = e2)

Summary of Results

    Unification type of theory   Disequality   Complexity of        Examples
    of program expressions       guards        assertion checking
    -------------------------------------------------------------------------------------------
    Strict unitary               No            PTIME                Linear Arithmetic (LA);
                                                                    Uninterpreted Fns (UF)
    Bitary                       No            coNP-hard            LA + UF;
                                                                    Commutative (C)
    Finitary-convex              Yes           Decidable            LA + UF + C + AC

Outline
    1. Unification type of theory
    2. Assertion checking algorithm (unitary/finitary theories)
    3. coNP-hardness (bitary theories)

Unification Terminology

A substitution σ is an (acyclic) mapping of some variables to expressions. A substitution σ1 is more general than σ2 if there exists a substitution σ such that σ2 = σ(σ1), i.e. σ2 is an instance of σ1. A substitution σ is a unifier for an equality e1 = e2 if e1[σ(y)/y] = e2[σ(y)/y], i.e. the two sides become equal in the theory after the substitution.

Example: consider the equality F(u) + F(v) = F(a) + F(b). {u ↦ a, v ↦ b} is a unifier for it, and so is {u ↦ 1, a ↦ 1, v ↦ b}. The former unifier is more general than the latter (composing it with {a ↦ 1} gives the latter).

Unification Terminology (continued)

A set of unifiers {σ1, …, σk} for e1 = e2 is complete if for every unifier σ of e1 = e2 there exists i such that σi is more general than σ. Let

$$\mathrm{Unif}(e_1 = e_2) \;=\; \bigvee_{i=1}^{k} \bigwedge_{y} \big(y = \sigma_i(y)\big)$$

Example: for the equality F(u) + F(v) = F(a) + F(b), {{u ↦ a, v ↦ b}, {u ↦ b, v ↦ a}} is a complete set of unifiers. Hence Unif(F(u)+F(v) = F(a)+F(b)) = (u = a ∧ v = b) ∨ (u = b ∧ v = a).

Unification Type of Theories
    Unitary: every equality e1 = e2 has a complete set of unifiers that is a singleton.
    Finitary: every equality e1 = e2 has a complete set of unifiers of finite cardinality.
    Bitary: there exists an equality e1 = e2 whose complete set of unifiers consists of exactly two unifiers, of the form y ↦ z1 and y ↦ z2.

Examples of Bitary Theories

Bitary: there exists an equality e1 = e2 whose complete set of unifiers consists of two unifiers of the form y ↦ z1 and y ↦ z2.

Commutative functions:
    F(F(y, y), F(z1, z2)) = F(F(y, z1), F(y, z2))

Combination of Linear Arithmetic + Uninterpreted Functions:
    F(F(y) + F(y)) + F(F(z1) + F(z2)) = F(F(y) + F(z1)) + F(F(y) + F(z2))

In both cases substituting y ↦ z1 or y ↦ z2 makes the two sides equal, and every unifier is an instance of one of these two.

Outline
    1. Unification type of theory
    2. Assertion checking algorithm (unitary/finitary theories)
    3. coNP-hardness (bitary theories)

Connection between Assertion Checking and Unification

An assertion e1 = e2 holds at a program point π iff the assertion Unif(e1 = e2) holds at π.

Example: to prove F(u) + F(v) = F(a) + F(b) at a point, we need to prove that (u = a ∧ v = b) ∨ (u = b ∧ v = a) holds there.

Assertion Checking Algorithm

Backward analysis strengthened with unification:
    – Perform weakest precondition computation.
    – At each step replace the formula φ by Unif(φ), which is a stronger and simpler formula.

Termination (reaching a fixpoint across loops)?
    – Yes, because of the unifier computations.
    – PTIME for unitary theories (no disequality guards). Bounded for finitary theories.

Advantage of Backward Analysis with Unification

Program (reconstructed from the slide's flowchart):

    if (*) { u := a; v := b; } else { u := b; v := a; }
    while (*) { u := F(u); v := F(v); a := F(a); b := F(b); }
    Assert(u + v = a + b)

Forward analysis needs to maintain an infinite number of facts at the first join point: F^i(u) + F^i(v) = F^i(a) + F^i(b) for every i.
Backward analysis does not terminate: the obligations F^i(u) + F^i(v) = F^i(a) + F^i(b) keep growing.
Backward analysis with unification terminates in 2 steps, with the loop-head obligation [(u = a ∧ v = b) ∨ (u = b ∧ v = a)].
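Worked example, added here and not code from the paper or the slides: the backward analysis with unification of the previous two slides, implemented for the unitary theory of uninterpreted functions, where syntactic (Robinson) unification yields the single most general unifier and Unif(φ) is one conjunction. It is run on the Assert(a = b) of the first example slide, with × modeled as the uninterpreted F and no guards. The LA+UF assertion u + v = a + b above needs the finitary unifier of the paper, which this example does not implement. INIT, BODY, BODY_SWAPPED and ASSERT_A_EQ_B are constructed inputs; a swapped argument order in the second body makes the assertion depend on commutativity, which UF alone cannot prove.

```python
"""Backward assertion checking strengthened with unification, for the unitary
theory of uninterpreted functions (UF).  Terms: a variable is a str, an
application is a tuple (symbol, arg1, ..., argN).  A formula is a list of
(lhs, rhs) pairs read as a conjunction of equalities."""


def subst(term, sigma):
    """Apply the substitution sigma (dict var -> term) to a term."""
    if isinstance(term, str):
        return sigma.get(term, term)
    return (term[0],) + tuple(subst(t, sigma) for t in term[1:])


def occurs(v, term):
    if isinstance(term, str):
        return term == v
    return any(occurs(v, t) for t in term[1:])


def unify(eqs):
    """Most general unifier of a conjunction of equalities, or None when there
    is no unifier (in UF: the conjunction cannot hold for all inputs)."""
    sigma, work = {}, list(eqs)
    while work:
        s, t = work.pop()
        s, t = subst(s, sigma), subst(t, sigma)
        if s == t:
            continue
        if isinstance(t, str) and not isinstance(s, str):
            s, t = t, s
        if isinstance(s, str):
            if occurs(s, t):
                return None
            sigma = {v: subst(u, {s: t}) for v, u in sigma.items()}
            sigma[s] = t
        elif s[0] == t[0] and len(s) == len(t):
            work.extend(zip(s[1:], t[1:]))
        else:
            return None  # symbol clash
    return sigma


def as_formula(sigma):
    """Unif(phi) in a unitary theory: the conjunction of y = sigma(y)."""
    return sorted(sigma.items())


def entails(sigma, eqs):
    """Does /\\_y y = sigma(y) entail every equality in eqs?  In UF an equality
    is valid exactly when both sides become syntactically identical."""
    return all(subst(l, sigma) == subst(r, sigma) for l, r in eqs)


def wp(eqs, assignments):
    """Weakest precondition of y1 := e1; ...; yn := en over a conjunction of
    equalities: substitute right to left."""
    for y, e in reversed(assignments):
        eqs = [(subst(l, {y: e}), subst(r, {y: e})) for l, r in eqs]
    return eqs


def check(init, body, assertion, max_iter=50):
    """Check  init; while (*) { body }; Assert(assertion)  by backward analysis
    with unification: the loop-head obligation phi is replaced by
    Unif(phi /\\ wp(body, phi)) until it stops getting stronger, then pushed
    through init and tested for validity.  Returns (holds, iterations)."""
    sigma = unify(list(assertion))
    for i in range(1, max_iter + 1):
        if sigma is None:           # no unifier: obligation unsatisfiable
            return False, i
        phi = as_formula(sigma)
        new_sigma = unify(phi + wp(phi, body))
        if new_sigma is not None and entails(sigma, as_formula(new_sigma)):
            return entails({}, wp(phi, init)), i   # fixpoint reached
        sigma = new_sigma
    raise RuntimeError("no fixpoint within max_iter iterations")


def naive_obligations(body, assertion, steps):
    """Weakest-precondition iteration without unification: the obligation
    keeps growing (F^i(a,c) = F^i(b,c) for every i), so it never reaches a fixpoint."""
    phi = list(assertion)
    for _ in range(steps):
        phi = phi + [e for e in wp(phi, body) if e not in phi]
    return phi


# Constructed example: the UF part of the first slide's program.
INIT = [("a", "x"), ("b", "x")]                                    # a := x; b := x
BODY = [("a", ("F", "a", "c")), ("b", ("F", "b", "c"))]            # a := F(a,c); b := F(b,c)
BODY_SWAPPED = [("a", ("F", "a", "c")), ("b", ("F", "c", "b"))]    # b := F(c,b): needs commutativity
ASSERT_A_EQ_B = [("a", "b")]                                       # Assert(a = b)

if __name__ == "__main__":
    print(check(INIT, BODY, ASSERT_A_EQ_B))                  # (True, 1)
    print(check(INIT, BODY_SWAPPED, ASSERT_A_EQ_B))          # (False, 3)
    print(len(naive_obligations(BODY, ASSERT_A_EQ_B, 5)))    # 6
```

The fixpoint test compares unifiers by entailment rather than by syntactic equality of the substitution, because the most general unifier is only unique up to variable renaming. Without the Unif step the same loop produces one new, deeper equality per iteration, which is the non-termination the slide describes.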

Handling equality guards

We perform standard weakest precondition computation for assignments. A standard weakest precondition over a guard introduces disequalities into the formulas (for instance wp(Assume(x = y), φ) = (x ≠ y ∨ φ)), which the unification-based domain cannot represent. Instead we use the heuristics below, each of which yields a sound strengthening of the obligation:

    Equality guards:      Assume(x = y):   φ  ⟶  φ ∨ φ[x/y] ∨ φ[y/x]
    Disequality guards:   Assume(x ≠ y):   φ  ⟶  φ ∨ x = y

Outline
    1. Unification type of theory
    2. Assertion checking algorithm (unitary/finitary theories)
    3. coNP-hardness (bitary theories)

Reducing Unsatisfiability to Assertion Checking

Let φ be a boolean 3-SAT instance over variables var_1, …, var_k with clauses 1, …, m.

    IsUnsatisfiable(φ) {
        for j = 1 to m: c_j := F;
        for i = 1 to k do
            if (*)
                ∀ j such that var_i occurs positively in clause j: c_j := T;
            else
                ∀ j such that var_i occurs negatively in clause j: c_j := T;
        Assert(c_1 = F ∨ c_2 = F ∨ … ∨ c_m = F);
    }

Each path through the non-deterministic branches corresponds to a truth assignment, and c_j = T at the end exactly when clause j is satisfied by it; so the assertion holds on every path iff φ is unsatisfiable.

Encoding disjunction

The check c_1 = F ∨ c_2 = F can be encoded by some appropriate assertion e1 = e2 in a bitary theory. The above trick can be recursively applied to construct an assertion that encodes c_1 = F ∨ c_2 = F ∨ … ∨ c_m = F.
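Worked example of the two preceding slides, added here and not from the paper: IsUnsatisfiable(φ) is executed along every path of its non-deterministic branches, and the final disjunction is encoded as a single equality in the theory of one commutative function, using the bitary equation F(F(y,y),F(z1,z2)) = F(F(y,z1),F(y,z2)) from the slides. The particular instantiation used to fold two equalities into one (y := F(e1,e3), z1 := F(e2,e3), z2 := F(e1,e4)) is this example's own choice, not necessarily the paper's construction; the two SAT instances and the values tt/ff standing for T and F are constructed. Equality modulo commutativity is decided by comparing canonical forms, which is exact for ground terms.

```python
"""The coNP-hardness reduction run concretely: enumerate the paths of
IsUnsatisfiable(phi), encode  c_1 = F v ... v c_m = F  as one equality in the
commutative theory, and compare with a brute-force satisfiability check."""
from itertools import product

# Constructed 3-SAT instances (not from the slides). A clause is a tuple of
# non-zero ints: i stands for var_i and -i for its negation.
UNSAT = [(1, 2), (-1, 2), (1, -2), (-1, -2)]   # every assignment of x1, x2 falsifies a clause
SAT = [(1, 2, 3), (-1, -2), (2, -3)]            # satisfied by x1 = false, x2 = true, x3 = true

TT, FF = "tt", "ff"   # two distinct uninterpreted values standing for T and F


def clause_flags(clauses, k):
    """Final values of c_1..c_m along each of the 2^k paths of IsUnsatisfiable.
    Branch i takes the if-arm (mark clauses where var_i occurs positively) or
    the else-arm (negative occurrences); a path is a truth assignment."""
    for choice in product((True, False), repeat=k):
        c = [FF] * len(clauses)
        for i, positive in enumerate(choice, start=1):
            lit = i if positive else -i
            for j, clause in enumerate(clauses):
                if lit in clause:
                    c[j] = TT
        yield tuple(c)


def canon(t):
    """Canonical form modulo commutativity of the binary symbol F: sort the arguments."""
    if isinstance(t, str):
        return t
    return ("F",) + tuple(sorted((canon(a) for a in t[1:]), key=repr))


def or_equalities(e1, e2, e3, e4):
    """Encode (e1 = e2) v (e3 = e4) as one equality.  The slides' bitary equation
    F(F(y,y),F(z1,z2)) = F(F(y,z1),F(y,z2)) holds iff y = z1 or y = z2.  With
    y := F(e1,e3), z1 := F(e2,e3), z2 := F(e1,e4) (our instantiation), modulo
    commutativity y = z1 iff e1 = e2 and y = z2 iff e3 = e4."""
    y, z1, z2 = ("F", e1, e3), ("F", e2, e3), ("F", e1, e4)
    return ("F", ("F", y, y), ("F", z1, z2)), ("F", ("F", y, z1), ("F", y, z2))


def disjunction_assertion(cs):
    """c_1 = F v ... v c_m = F as a single equality, applying or_equalities recursively."""
    lhs, rhs = cs[0], FF
    for c in cs[1:]:
        lhs, rhs = or_equalities(lhs, rhs, c, FF)
    return lhs, rhs


def assertion_holds(clauses, k):
    """Does the encoded assertion hold on every path?  True iff phi is unsatisfiable."""
    return all(canon(lhs) == canon(rhs)
               for lhs, rhs in (disjunction_assertion(c) for c in clause_flags(clauses, k)))


def unsat_by_brute_force(clauses, k):
    """Independent check: enumerate all truth assignments."""
    def satisfied(a):
        return all(any((lit > 0) == a[abs(lit) - 1] for lit in cl) for cl in clauses)
    return not any(satisfied(a) for a in product((True, False), repeat=k))


if __name__ == "__main__":
    for name, phi, k in (("UNSAT", UNSAT, 2), ("SAT", SAT, 3)):
        print(name, assertion_holds(phi, k), unsat_by_brute_force(phi, k))
```

The encoded term doubles in size with every clause, which is acceptable for a hardness reduction (the program itself stays polynomial in the instance) but is not how one would check such assertions in practice.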

Conclusion

The complexity of assertion checking depends on the unification type of the theory of program expressions: Unitary (PTIME), Bitary (coNP-hard), Finitary (Decidable).

The assertion checking algorithm is based on backward analysis strengthened with unification.
    – For some infinite-height abstract domains, a (goal-driven) backward analysis is more efficient than forward analysis.
    – The use of unification is yet another non-trivial use of theorem proving in program analysis.

Proof of Termination

At each program point, the proof obligation has the form

$$\bigvee_{i=1}^{k} \bigwedge_{y} \big(y = \sigma_i(y)\big)$$

In each successive loop iteration, the above formula becomes stronger. We prove this cannot happen indefinitely:
    – Assign to the above formula the measure { number of conjuncts representing unifier σi | i = 1 to k }.
    – Show that this measure decreases in some well-founded ordering.

Discussion

The assertion checking algorithm is based on backward analysis strengthened with unification.

Backward analysis vs. forward analysis.

Use of theorem proving in program analysis:
    – Combining (forward) abstract interpreters [PLDI 06]: using an extension of the Nelson-Oppen combination method.
    – This paper: backward analysis using unification.