A Template-based Approach to Complete Predicate Refinement Tachio Terauchi (Nagoya University) Hiroshi Unno (University of Tsukuba) Naoki Kobayashi (University of Tokyo) TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A AA A AA

Software Model Checking Automated Verification of Infinite State Systems Data : Infinite (e.g. Integers) Control : Finite, PDS (aka CFL reachability) – SLAM, BLAST, IMPACT, ARMC, Terminator, etc.

SMC Internals FOL predicate abstraction of infinite data – E.g. “x < y” = set of states ½ where ½ (x) < ½ (y) – Exploits advances in SAT/SMT solving CEGAR to automatically refine abstraction – Inference of appropriate FOL predicates Same design also used in “higher-order SMC”: Depcegar, MoCHi, HMC, etc.

Predicates: x = 0, y = 0, x = yPredicates: x = 0, y = 0 Example x := 0; y := 0; while (x < 100) { x++; y++; } assert (x = y); > x= 0 Æ y = 0 > > > > ) x = y

Predicates: x = 0, y = 0, x = y x= 0 Æ y = 0 Example x := 0; y := 0; while (x < 100) { x++; y++; } assert (x = y); > x = y

Problem A refinement can be any predicates that refute the c.ex. – Not unique in general We got lucky by choosing x = y – Could have chosen x = 1 instead And then choose x = 2, x = 3, … ad infinitum

Predicates: x = 0, y = 0, x = 1 Predicates: x = 0, y = 0 Example failing to converge x := 0; y := 0; while (x < 100) { x++; y++; } assert (x = y); > x= 0 Æ y = 0 > > > > ) x = y

> Predicates: x = 0, y = 0, x = 1Predicates: x = 0, y = 0, x = 1, x = 2 Example failing to converge x := 0; y := 0; while (x < 100) { x++; y++; } assert (x = y); > x= 0 Æ y = 0 > x = 1 > > ) x = y

Solution : Complete SMC Def: Let X be a FOL theory (e.g., X = QF_UFLRA). SMC is said to be complete wrt. X when 9 preds µ X. P ² preds safe, SMC(P) returns “safe”

Complete SMC in CEGAR (1/2) [Jhala,McMillan TACAS’06] Let X be some FOL theory – “theory” : set of (normalized) formulas Let L 0, L 1, … µ X s.t. – Each L i is finite – For each i, L i µ L i+1 –  i 2 ! L i = X E.g., – X = QF_UFLRA – L i = { µ 2 X| atomic terms in µ are of size · i }

Complete SMC in CEGAR (2/2) [Jhala,McMillan TACAS’06] Init L := some L i 2 {L 0, L 1, … } Repeat Run SMC but restricting refinements to L If proved safe, exit with “safe” If fail to prove, let ¼ = counterexample – Find L j s.t. L µ L j and L j contains a refinement for ¼ » Exit with “unsafe” if no such L j exists – Set L := L j and repeat

Challenges 1.Given L and c.ex. ¼, quickly find preds µ L s.t. ¼ ² preds safe 2.Find L j s.t. L µ L j Æ 9 preds µ L j. ¼ ² preds safe – This can be done by existing methods

Challenges 1.Given L and c.ex. ¼, quickly find preds µ L s.t. ¼ ² preds safe Problem is obviously decidable – Because L is finite – “quickly” is the issue Existing method [Jhala,McMillan TACAS’06] only handles limited theory (QF_UFDL)

Overview of c.ex. refinement Refinement reduces to inferring à (y) s.t. µ (x,y) ) à (y), à (y) ) Á (y,z), and µ (x,y), Á (y,z), à (y) 2 X µ (x,y) : “what is true about x,y at the program point” Á (y,z) : “what must hold true about y,z after the point to refute the c.ex.” à (y) : “sufficient fact about y at the point to refute the c.ex.” So, to do complete refinement Just restrict à (y) to the current L when doing this

A Template-based Approach (QF_LRA) Template T: QF_LRA formula with bounded coefficient variables – E.g. c 0 x + c 2 y + c 3 · 0 Æ c 4 x + c 5 y + c 6 · 0 Ç c 5 x + c 6 y + c 7 < 0 Each c is associated with bound B c µ fin Z Idea: Let L = the instances of T and use “increasingly larger” T’s for L 0 µ L 1 µ …

Searching for Refinements in T (1/3) Problem: Decide if 9 c 0 2 B 0,…,c n 2 B n. 8 x 0,…,x m.( µ ) T) Æ (T ) Á ) 9 c 0 2 B 0,…,c n 2 B n. 8 x 0,…,x m. ª (c 0,…,c n,x 0,…,x m ) ª is a non-linear arithmetic formula over rationals – linear on x’s with coefficients on c’s

Searching for Refinements in T (2/3) 9 c 0 2 B 0,…,c n 2 B n. 8 x 0,…,x m. ª (c 0,…,c n,x 0,…,x m ) ª is a non-linear arithmetic formula over rationals – linear on x’s with coefficients on c’s 1.Convert ª to cnf Æ j à j –à j of the form : (Ax · a Æ Bx < b) s.t. a,b,A,B are over c’s 2.Apply Motzkin’s transposition theorem to each à j Ax · a Æ Bx < b is unsatisfiable iff 9 r ¸ 0,p ¸ 0. rA + pB = 0 Æ (ra + pb < 0 Ç (p != 0 Æ ra + pb · 0))

Searching for Refinements in T (3/3) Now, the problem is of the form 9 c 0 2 B 0,…,c n 2 B n,r ¸ 0,p ¸ 0. © (r,p,c 0,…,c n ) Existential formula (i.e., got rid of 8 x 0,…x m ) © is non-linear arithmetic formula – linear on r and p’s with coefficients on c’s Prop: Let Á be a satisfiable QF_LIA formula with n vars, m literals, and coefficients bounded by k Then, there is a solution of Á bounded by 2 log(n+2) + m(log(m) + log(k)) Bit-blast and reduce ① to SAT ①

This is complete for QF_LRA Going beyond QF_LRA – QF_UFLRA – QF_AUFLRA

QF_UFLRA UF – Function symbols f 1, f 2, …, f k – For each f j of arity n 8 x 1 …x n,y 1 …y n. Æ i x i = y i ) f j (x 1 …x n ) = f j (y 1 …y n ) Useful for conservatively modeling operators like :: £

L-restricting UF 1.Incorporate UF terms in templates as follows c 0 f(c 1 x+c 2 y+c 3 +c 4 g(c 5 x + c 6 y+c 7 )) + … 2.Apply Ackermann expansion For each UF subterm f(t) 2 µ, let x f(t) be a fresh var. Let Á = Æ f(t1),f(t2) 2 µ ½ (t1) = ½ (t2) ) x f(t1) = x f(t2) ½ replaces f(t) by x f(t) Prop: QF_UFLRA ² µ iff QF_LRA ² Á ) ½ ( µ ) Idea from [Beyer et al. VMCAI’07]

QF_AUFLRA 8 a,e,i. rd(wr(a,i,e),i) = e 8 a,e,i,j. i != j ) rd(wr(a,i,e),j) = rd(a,j) 8 a,b. a != b ) rd(a,diff(a,b)) != rd(b,diff(a,b)) Useful for modeling pointers – QF_AUFLRA can be reduced to QF_UFLRA See, e.g., [Totla, Wies POPL’13]

This sounds too easy… Does it really scale?

No it doesn’t scale I was oversimplifying the problem – Infer à (y) s.t. µ (x,y) ) à (y) and à (y) ) Á (y,z) c.ex. refinement in reality: – Infer à 1 (y 1 ), à 2 (y 2 ), … à n (y n ) s.t. µ 1 (x 1,y 1 ) ) à 1 (y 1 ) Æ µ 2 (x 2,y 2 ) Æ Ã 1 (x 2 ) ) à 2 (y 2 ) Æ … µ n (x n,y n ) Æ Ã 1 (x n ) ) Á (y n,z)

So, to infer L-restricted refinement Need to restrict à 1 (y 1 ), à 2 (y 2 ), … à n (y n ) to L Lots of templates! T 1, T 2, … T n – Proportional to the size of c.ex. – Lots of non-linear terms in the constraints Doesn’t scale even on state-of-the-art SAT solver (or SMT solver for non-linear real arithmetic)

Solution (Informal) Key Observation: counterexample in SMC (and constraints solved to refute it) is always repetitions of a fixed set of patterns. – Use the observation to L-restrict only a few à ’s and still achieve complete refinement

Example (1/2) c.ex. are of the form µ init (x,y) ) Ã 1 (x 1,y 1 ) Æ Ã 1 (x 1, y 1 ) Æ µ loop (x 1,y 1,x 2,y 2 ) ) Ã 2 (x 2, y 2 ) Æ Ã 2 (x 2, y 2 ) Æ µ loop (x 2,y 2,x 3,y 3 ) ) Ã 3 (x 3, y 3 ) Æ … Ã n (x n,y n ) ) Á (x n,y n ) x := 0; y := 0; while (x < 100) { x++; y++; } assert (x = y); µ init (x,y), x = 0 Æ y = 0 µ loop (x,y,x’,y’), x < 100 Æ x’ = x + 1 Æ y’ = y + 1 Á (x,y), x ¸ 100 Æ x = y

Example (2/2) Theorem: The following strategy is sufficient for complete predicate refinement: 1.Pick some constant k > 0 2.Infer L-restricted refinement for i £ k-th à ’s (i.e., à i £ k ) 3.Infer unrestricted refinement for other à ’s (e.g., via interpolation) This reduces to [Jhala,McMillan TACAS’06] when k = 1 Larger k -> less L-restriction – Proof: On board

Formalization Key Observation: Let P be a program. There exists a set of Horn-clause-like rules R s.t. for any c.ex. ¼ of SMC(P), the set of constraints solved to refute ¼ is an acyclic instance of R − P 1 (x) Æ … Æ P n (x) Æ µ (x,y) ) Q(y) − P 1 (x) Æ … Æ P n (x) Æ µ (x,y) ) Á (x,y) P, Q, … : predicate variables Copies of rules from R with fresh renaming of pred. vars s.t. there is no cycle P ) … ) P

Example x := 0; y := 0; while (x < 100) { x++; y++; } assert (x = y); x = 0 Æ y = 0 ) P(x,y) P(x,y) Æ x < 100 Æ x’ = x+1 Æ y’ = y+1 ) Q(x’,y’) Q(x,y) ) P(x,y) P(x,y) Æ x ¸ 100 ) x = y x = 0 Æ y = 0 ) P 1 (x,y) P 1 (x,y) Æ x < 100 Æ x’ = x+1 Æ y’ = y+1 ) Q 1 (x’,y’) Q 1 (x,y) ) P 2 (x,y) P 2 (x,y) Æ x < 100 Æ x’ = x+1 Æ y’ = y+1 ) Q 2 (x’,y’) Q 2 (x,y) ) P 3 (x,y) P 3 (x,y) Æ x ¸ 100 ) x = y = R E.g. consts( ¼ ) =

Example x := 0; y := 0; while (x < 100) { x++; y++; } assert (x = y); x = 0 Æ y = 0 ) P(x,y) P(x,y) Æ x < 100 Æ x’ = x+1 Æ y’ = y+1 ) Q(x’,y’) Q(x,y) ) P(x,y) P(x,y) Æ x ¸ 100 ) x = y = R The observation also holds for higher-order SMC (e.g., Depcegar, MoCHi, HMC), and SMC for concurrent programs (e.g., Threader) Somewhat more general than [Grebenshchikov et al. PLDI’12] – Only says that c.ex. are instances of the rules

Bounded Patterns Def: Set of bounded patterns A of R is a finite set of acyclic instances of R – Can view each element of A as a “combined” rule Def: Bounded patterns A of R is partitioning if for any acyclic instance G of R, there exists instance A’ of A s.t. G and A’ are isomorphic – E.g., R is a partitioning bounded patterns of R – So is any A [ R where A is a bounded pattern of R

Example x := 0; y := 0; while (x < 100) { x++; y++; } assert (x = y); x = 0 Æ y = 0 ) P(x,y) P(x,y) Æ x < 100 Æ x’ = x+1 Æ y’ = y+1 ) Q(x’,y’) Q(x,y) ) P(x,y) P(x,y) Æ x ¸ 100 ) x = y = R A = R [ {{ P 0 (x,y) Æ x < 100 Æ x’ = x+1 Æ y’ = y+1 ) Q 0 (x’,y’), Q 0 (x,y) ) P 1 (x,y), P 1 (x,y) Æ x < 100 Æ x’ = x+1 Æ y’ = y+1 ) Q 1 (x’,y’), Q 1 (x,y) ) P 2 (x,y), P 2 (x,y) Æ x < 100 Æ x’ = x+1 Æ y’ = y+1 ) Q 2 (x’,y’), Q 2 (x,y) ) P 3 (x,y) }} A’ : On board

L-restriction at Boundaries Def: Let A’ be a partition of c.ex. G by A. Boundaries of partition A’ are predicate variables that appear in more than one element of A’ Theorem: L-restriction at boundaries is sufficient for complete predicate refinement – Proof: Preds at boundaries determine the preds at internal nodes. So, L-restr. at boundaries -> finite # of possible refinements for internals

How to pick bounded partitioning A simple strategy: View G as dag of P’s, L-restrict each i £ k-th P (i.e., P i £ k ) from a root where k is some constant and i = 1,2,3,… Reduces to [Jhala,McMillan TACAS’06] when k = 1 Larger k -> less L-restriction Theorem: above ensures bounded partitioning – Proof: Because there are only a finite # of dags generated by R of path lengths bounded by k

Conclusion Complete predicate refinement for the theory of QF_AUFLRA – Template-based Bounded coefficients allow reduction to SAT – Extends L-restricted refinement [Jhala,McMillan TACAS’06] Exploits the observation that c.ex. are repetitions of some patterns Only L-restrict predicate variables at boundaries of bounded patterns Horn-clause-like rules