Calculus of Data Structures for verification, and synthesis Viktor Kuncak Lab for Automated Reasoning and Analysis EPFL School of Computer and Communication Sciences http: // lara.epfl.ch LARA students here today: Hossein Hojjat Giuliano Losa Ruzica Piskac

Calculus of numbers and functions (studied for centuries in real analysis) two tasks - compute y : F(x) = y ? 5∙ ∙7 + 3 = y sin’(t) = y(t) - solve for x : F(x ? ) = y 5∙x 2 + 2∙x + 3 = 42 f ’(t) = cos(t) arithmetic derivatives algebraic equations differential equations

Calculus of Data Structures Compute both with numbers and with: lists, trees, sets, relations Again two tasks compute the result y : F(x) = y ? –today’s software (imperative and functional) solve for x : F(x ? ) = y –verification: find input that crashes program, or invariants that prove correctness –synthesis: find program that satisfies the spec tomorrow’s software

Motivation we’d like to verify more expressive properties  need to prove more expressive formulas  need new more powerful constraint solvers (decision procedures) Additional motivation: - increase automation of interactive provers - synthesize code from specifications in expressive decidable logics

Verification-Condition Generation Approaches program satisfies the properties error in program (or property) !... void remove(x : Node) { Node prev = null; Node current = root; while (current != null) { if (current = x)... else if (current.data <... else if (current.data >...,,,, x.next.prev = x tree is sorted program properties source code annotated with invariants Program Verifier Tools such as: Chalice, Spec#, VCC, ESC/Java, Jahob, …

Provers in Jahob Verification System large part of Jahob is about proving formulas (dissertions: Kuncak’07, Wies’09, Zee’10, papers: PLDI’08, PLDI’09, POPL’10, …)

Automated Invariant Discovery model checker for Boolean programs Predicate Abstraction [Graf, Saidi’97] SLAM [Ball, Podelski, Rajamani’01], BLAST [Beyer, Henzinger, Jhala, Majumdar’07] ARMC [Podelski, Rybalchenko’07] abstraction engine Boolean program constraint solver formulas formula satisfiability

Bohne Symbolic Shape Analysis symbolic shape analysis Thomas Wies, Andreas Podelski discovers quantified invariants (POPL’10)

Example: linked list class List { private List next; private Object data; private static List root; private static int size; public static void addNew(Object x) { List n1 = new List(); n1.next = root; n1.data = x; root = n1; size = size + 1; } next root data x size: 3 4 ensure |{data(n). next*(root,n)}| = |old({data(n). next*(root,n)})| + 1 Set of stored objects: {data(n). next*(root,n)}

Verification condition for addNew  next0*(root0,n1)  x  {data0(n) | next0*(root0,n)}  next=next0[n1:=root0]  data=data0[n1:=x]  |{data(n). next*(n1,n)}| = |{data0(n). next0*(root0,n)}| + 1 Expressing this VC requires a rich logic –transitive closure * (in lists, trees) –images of uninterpreted functions (data, data0) –cardinality operator on sets |... | How to prove such verification conditions? “The number of stored objects has increased by one.”

Our method: constraint solver “in parts” relation images [YPK10] w/ Kuat Yessenov and R. Piskac (VMCAI’10) R. Piskac CAV’08 w/ Thomas Wies, Ruzica Piskac (FroCoS 2009) NP w/ M.Rinard’07 Presburger 1929 (IKEA approach) w/ Philippe Suter POPL’10 totally ordered sets and msets lists with sublists and content w/ P.Suter & T. Wies w/ T. Wies & M.Muniz transitive closure function images

Idea: project complex constraints onto solvable fragments ensure that projections are compatible solve each constraint with a specialized solver

Combining formulas with disjoint signatures (Nelson-Oppen approach, all current tools) decision procedure for integer arithmetic x < y+1 Æ y < x+1 Æ x’=f(x) Æ y’=f(y) Æ x’=y’+1 x < y+1 y < x+1 x’=y’+1 x’=f(x) y’=f(y) x=y x’=y’ 0=1 exchange equalities on demand decision procedure for function symbols

Essence of existing approach is reduction to equalities reduction procedure for integer arithmetic reduction procedure for function symbols x < y+1 Æ y < x+1 Æ x’=f(x) Æ y’=f(y) Æ x’=y’+1 x < y+1 y < x+1 x’=y’+1 x’=f(x) y’=f(y) x=y x=y  x’=y’ x’ ≠ y’ exchange equalities eagerly propositional combination of equalities disjoint signatures  f  (<),(+)

Our method generalizes this idea to sets reduction procedure A reduction procedure B  x. x  A  x  B D = A U {c} D={f(x). x in A} ! (c  B) A µ B unsatisfiable formula about sets |D|  |A| ! (c  B) D = A U {c}  f quantifier elimination

Essence of the reduction is simple  y.  z.  x. ( F(x,y) Æ G(y,z) ) is equivalent to  y. ( (  x.F(x,y)) Æ (  z.G(y,z)) )  y.( F’(y) Æ G’(y) ) Reduction eliminates local symbols x from F, gives formula F’(y) equivalent to  x.F(x,y) Note: quantifiers can be bounded or higher-order! Applies to Nelson-Oppen as well as our approach

Reduction for our list-like example  next,data,k>0,root. 9 A,B. A = {x. next*(root,x)}  B = {y.  x. data(x,y)  x  A}  |B|=k+1 We assume formulas share only: - set variables (sets of uninterpreted elems) individual variables are a special case, {x} (we consider quantifier-free combinations) 1) WS2S 2) C 2 3) BAPA Satisfiability problem expressed in HOL:

 A,B.  next,root. A = {x. next*(root,x)}   data. B = {y.  x. data(x,y)  x  A}   k > 0. |B|=k+1 F WS2S F C2 F BAPA  A,B. |A| > 0  (A={}  B={})  |B| > 1 conjunction of projections is sat ↔ original formula is sat Reduction for our list-like example Satisfiability problem expressed in HOL:

What can a decidable theory say about sets? Disjoint theories share only equalities - result of reduction is theory of equality - has quantifier elimination & finite no of constraints - can be encoded into SAT What is the result of projection onto set variables? What constraints on sets can a decidable logic define? definable relationships  µ (2 D ) n { {(S 1,…,S n ) | F(S 1,…,S n ) } | F in logic } For surprisingly many logics, result is in BAPA

relation images [YPK10] w/ Kuat Yessenov and R. Piskac (VMCAI’10) R. Piskac CAV’08 w/ Thomas Wies, Ruzica Piskac (FroCoS 2009) NP w/ M.Rinard’07 Presburger 1929 (IKEA approach) w/ Philippe Suter POPL’10 totally ordered sets and msets lists with sublists and content w/ P.Suter & T. Wies w/ T. Wies & M.Muniz Boolean Algebra with Presburger Arithmetic

References –fragment without integer variables: Skolem 1919 –sets with equicardinality: Feferman,Vaught 1959 –complexity for full BAPA (like PA, has QE) – JAR’06 –complexity for Q.F.BAPA – CADE’07 Definable sets: unions of Venn regions whose cardinality is semilinear set S ::= V | S 1 [ S 2 | S 1 Å S 2 | S 1 n S 2 T ::= k | C | T 1 + T 2 | T 1 – T 2 | C ¢ T | card(S) A ::= S 1 = S 2 | S 1 µ S 2 | T 1 = T 2 | T 1 < T 2 F ::= A | F 1 Æ F 2 | F 1 Ç F 2 | : F | 9 S.F | 9 k.F

Decision Procedure for Combination 1.Use fresh variables to separate formula into parts for different logics 2.For each part, compute projection onto set variables 3.Check satisfiability of conjunction of projections Definition: Logic is BAPA-reducible iff there is an algorithm that computes projections of formulas onto set variables, and these projections are (quantifier- free) BAPA formulas. Theorems: 1) WS2S, 2) C 2, 3) BSR, 4) (ordered) sets and multisets, 5) relation images, 6) terms + set-content 7) lists with sublists are all BAPA-reducible.

WS2S: Monadic 2 nd Order Logic Weak Monadic 2 nd -order Logic of 2 Successors F ::= x=f1(y) | x=f2(y) | x  S | S  T | 9 S.F | F 1 Æ F 2 | : F - quantification is over finite sets of positions in a tree - transitive closure encoded using set quantification Decision procedure using tree automata (e.g. MONA) f2 f1 f2 f1 f2 f1

WS2S reduces exactly to BAPA WS1S formula for a regular language ((A Æ: B)(B Æ: A))* ( : B Æ: A)* Model of formula F A,B denote sets of positions in the word w.,,, denote Venn regions over A,B Parikh image gives card.s of Venn regions Parikh(w) = {  7,  4,  4,  0} Parikh image of the models of F: Parikh(F) = {(q, p, p, 0) | q,p ¸ 0} projection of F onto A,B: |A Å B c |=|A c Å B| Æ |A Å B|= ABAB } w

C 2 : Two-Variable Logic w/ Counting Two-Variable Logic with Counting F ::= P(v 1,...,v n ) | F 1 Æ F 2 | : F | 9 count v i.F where P : is a predicate symbol v i : is one of the two variable names x,y count : is =k,  k, or  k for nonnegative constants k We can write ( 9  k v i.F) as |{v i.F}|  k We can define 9, 8 and axiomatize total functions: 8 x 9 =1 y.R(x,y)compute images of sets Decidable sat. and fin-sat. (1997), NEXPTIME even for binary-encoded k: Pratt-Hartman ‘05

C 2 reduces exactly to BAPA F expresses “R is bijection between A and B” Consider the C 2 formula Projection of F onto A and B gives Cardinalities, as well as quantified constraints ! BAPA From Pratt-Hartmann’s proof follows that BAPA suffices

So far: Imperative Data Structures relation images [YPK10] w/ Kuat Yessenov and R. Piskac (VMCAI’10) R. Piskac CAV’08 w/ Thomas Wies, Ruzica Piskac (FroCoS 2009) NP w/ M.Rinard’07 Presburger 1929 (IKEA approach) w/ Philippe Suter POPL’10 totally ordered sets and msets lists with sublists and content w/ P.Suter & T. Wies w/ T. Wies & M.Muniz

sealed abstract class Tree case class Node(left: Tree, value: Int, right: Tree) extends Tree case class Leaf() extends Tree object BST { def add(tree: Tree, element: Int): Tree = tree match { case Leaf() ⇒ Node(Leaf(), element, Leaf()) case Node(l, v, r) if v > element ⇒ Node(add(l, element), v, r) case Node(l, v, r) if v < element ⇒ Node(l, v, add(r, element)) case Node(l, v, r) if v == element ⇒ tree } ensuring (result ≠ Leaf()) } (tree = Node(l, v, r) ∧ v > element ∧ result ≠ Leaf()) ⇒ Node(result, v, r) ≠ Leaf() Prove verification conditions for functional programs

sealed abstract class Tree case class Node(left: Tree, value: Int, right: Tree) extends Tree case class Leaf() extends Tree object BST { def add(tree: Tree, element: Int): Tree = tree match { case Leaf() ⇒ Node(Leaf(), element, Leaf()) case Node(l, v, r) if v > element ⇒ Node(add(l, element), v, r) case Node(l, v, r) if v < element ⇒ Node(l, v, add(r, element)) case Node(l, v, r) if v == element ⇒ tree } ensuring (content(result) == content(tree) ∪ { element }) def content(tree: Tree) : Set[Int] = tree match { case Leaf() ⇒ ∅ case Node(l, v, r) ⇒ content(l) ∪ { v } ∪ content(r) }

A consequence: decision procedure for data structure hierarchy bag (multiset) set setof content msetsize 7 setsize treesize 3 tree Supports all natural operations on trees, multisets, sets, and homomorphisms between them

Further Decidable Logics Images of sets under relations (VMCAI’10) –‘description logics with symbolic cardinalities’ –showed NP complexity under sort restrictions –images as multisets (preserve cardinality) Total ordering relation on collection elements –can represent queues, with random access, min, max –inf, sup of arbitrary (possibly infinite) sets Subterm relation in the case of lists

relation images [YPK10] w/ Kuat Yessenov and R. Piskac (VMCAI’10) R. Piskac CAV’08 w/ Thomas Wies, Ruzica Piskac (FroCoS 2009) NP w/ M.Rinard’07 Presburger 1929 (IKEA approach) w/ Philippe Suter POPL’10 totally ordered sets and msets lists with sublists and content w/ P.Suter & T. Wies w/ T. Wies & M.Muniz What to do once we obtain BAPA formula?

BAPA S ::= V | S 1 [ S 2 | S 1 Å S 2 | S 1 n S 2 T ::= k | C | T 1 + T 2 | T 1 – T 2 | C ¢ T | card(S) A ::= S 1 = S 2 | S 1 µ S 2 | T 1 = T 2 | T 1 < T 2 F ::= A | F 1 Æ F 2 | F 1 Ç F 2 | : F Quantifier-Free Full BAPA has quantifier elimination  Q.F. formulas define same relations (properties) Verification conditions often quantifier-free We know NP-completeness for QF BA - reduction to BSR class fragment QF PA - reduction to integer linear programming

Sizes of smallest models card(A 0 ) = 1 Æ card(A 1 ) = 2 card(A 2 ) Æ... Æ card(A n ) = 2 card(A n-1 ) Smallest model: universe with 2 n elements |U|=2 n There are 2^(2 n ) subsets of such universe There are 2^(2 n ) values for A 1,...,A n µ U Considering models directly: NEXPTIME Must look at model representations

Representing sets using their sizes Must introduce 2 n+1 variables for card( Å i A i p_i ) Exponential QF PA formula  NEXPTIME 6 existing approaches in literature all give NEXPTIME complexity of the algorithm (and consume exponential space) Is this the best that can be done? card(A 0 ) = 1 Æ card(A 1 ) = 2 card(A 2 ) Æ... Æ card(A n ) = 2 card(A n-1 )

Isolating the difficulty The difficulty of the general problem reduces to integer linear programming problems with many integer variables but still polynomially many constraints. card(A [ B) = k 1 Æ card(B Å C) = k 2 x 1 + x 2 + x 3 + x 5 + x 6 + x 7 = k 1 Æ x 6 + x 7 = k A B C 5 7 0

Caratheodory theorem Vector v of dimension d is a convex combination of { a 1, …, a n } Then it is a convex combination of a subset { a k(1), …, a k(d+1) } of (d+1) of them

ILP associated w/ formula of size n x 1 + x 2 + x 3 + x 5 + x 6 + x 7 = p... x 6 + x 7 = q n equations 2 n variables Integer linear programming problem: for non-negative x i Are there sparse solutions where O(n k ) variables are non-zero? for reals- yes, matrix rank is O(n) for non-negative reals for non-negative integers - yes, Caratheodory them - Eisenbrand, Shmonin’06 Integer Caratheodory thm. (only when coefficients are bounded)

Multisets What is a multiset? {| a, a, b, b, c |} function m : E  {0,1,2,…} m(e) = number of times e occurs in m What are operations on multisets? Our definition (results in natural language): for each linear arithmetic formula  operation Example: A = B ⊎ C A(e) = B(e) + C(e) (can take min,max,  ) Can have B ⊎ B ⊎ B  ∞ many ‘Venn regions’! Still, it is in NP (VMCAI’08, CAV’08 – ask Ruzica)

 { } LARA MONOLITHIC PROVERS COOPERATING DECISION PROCEDURES BRITLE HEURISTICS DECIDABILITY QUANTIFIERS SETS AND RELATIONS IKEA approach

relation images [YPK10] w/ Kuat Yessenov and R. Piskac (VMCAI’10) R. Piskac CAV’08 w/ Thomas Wies, Ruzica Piskac (FroCoS 2009) NP w/ M.Rinard’07 Presburger 1929 w/ Philippe Suter POPL’10 totally ordered sets and msets lists with sublists and content w/ P.Suter & T. Wies w/ T. Wies & M.Muniz BAPA: a “SAT” of combinations of rich logics

Why BAPA? Reduction to BAPA is possible for a wide range of logics Reduction to BAPA supports –quantified statements over one variable –sharing of such quantified statements (sets) Reduction to q.f. BAPA is sensible, because –BAPA is NP-complete –yet it is not trivially in NP path directly to SAT for those logics much harder new implementation methods needed

Computing with Constraint Solvers Complete Functional Synthesis over unbounded domains Directly specify desired property of the result Add to programming language a statement res = choose(x => F(x,a)); choose x such that F holds How to implement it?

Interpretation-Based Approach Transform x = choose(x => F(x,a)) into F 0 = subst(a, F) find(x, F 0 ) // invoke solver at run-time Generated code contains entire solver repeats the work independent of ‘a’ Can we do better?

Compilation-Based Approach Transform x = choose(x => F(x,a)) into x = t(a) One direction: partial evaluation Another direction: constructive projection obtain t(a) from quantifier elimination that maps 9 x.F(x,a) into F(t(a),a)

Complete Functional Synthesis for BAPA Available as a plugin for Scala language (PLDI 2010, w/ M.Mayer, R.Piskac, P. Suter) witness-term-generating quantifier elimination

How to combine known solvable fragments into user-friendly systems?

EU COST Action IC0901 Application area: reliable computer systems Technique: automated reasoning (broadly) –e.g. theorem proving, verification, synthesis Nature of activities –collaboration on existing national research –framework to obtain further national and international funds –intrinsic results, e.g. common formats Forms of activities 1)meetings 2) mutual visits of researchers

Work Groups 1.Rich Model Language Design, Benchmarks (a unifying activity) Chair: Tobias Nipkow; Vice Chair: Paul Jackson 2.Decision Procedures for Rich Model Language Fragments (key technique) Chair: Maria Paola Bonacina; V.Chair: Armin Biere 3.Analysis of Executable Rich Models large potential for practical impact Chair: Natasha Sharygina 4.Synthesis from Rich Models Chair: Barbara Jobstmann;V.Chair: Roderick Bloem ST Scientific Missions Chair: Andrey Rybalchenko

Next Meeting is at FLoC Synthesis, Verification, and Analysis of Rich Models Satellite workshop of CAV and IJCAR, July Full two-day program (see richmodels.org) (Ras Bodik, Kim Larsen, Alexander Rabinovich, Bernd Finkbeiner, Georg Hofferek, Barbara Jobstmann, Natarajan Shankar, Armin Biere, Tobias Nipkow, Bernhard Beckert,…) We hope to see you there! Next meeting: at FMCAD in Lugano, October

Summary Calculus of data structures for constraint solving, verification, synthesis New decidability and complexity results for sets, multisets, relations, trees New combination technique Unifying activities: –Synthesis, Verification, Analysis of Rich Models with FLoC, July PhD program: Our lab:

Fragment of Insertion into Tree right left right left data p left data

Reduction Method on a Tree Example Conjunction of projections unsatisfiable  so is original formula (or QFBAPA-fun fragment from VMCAI’10)

From collections to stars (joint work with Ruzica Piskac) Check satisfiability of |x|=1 Æ L 1 =L ⊎ x Æ |L 1 |  |L|+|x| (negation of a verification condition) Normal form:|L|= ∑ e L(e) (1,k,k 1 ) = ∑{(x(e),L(e),L 1 (e))| e  E} Æ 8 e. L 1 (e)=L(e)+x(e) Æ k 1  k+1 This is equisatisfiable with k 1  k+1 Æ (1,k,k 1 )  {(x,L,L 1 )| L 1 =L+x}* (Such transformation works in general.)

Integer linear arithmetic with star Decidability: each formula describes semilinear set, i.e. union of sets of the form {a} + {b 1,…,b n }* Semilinear sets are closed under * Computing semilinear sets: NEXPTIME Using sparseness, bounds on a,b, …  NP for multisets (Piskac,Kuncak CAV’ 2008) Subsequently: fractional collections (CSL’08)

Recipe: Examine thy models! Take a decidable logic Characterize the models of formulas Count Venn region sizes for sets in models These numbers can often be described in integer linear arithmetic! If so, then: 1)You can say |{x. : F(x)}|=0 i.e.  x. F(x) 2)You can combine the logic with 7 others, and share such quantified subformulas