Presentation is loading. Please wait.

Presentation is loading. Please wait.

Constraint-based Invariant Inference over Predicate Abstraction Sumit Gulwani Ramarathnam Venkatesan Microsoft Research, Redmond Saurabh Srivastava University.

Published byMaxim Holness Modified over 10 years ago

Similar presentations

Presentation on theme: "Constraint-based Invariant Inference over Predicate Abstraction Sumit Gulwani Ramarathnam Venkatesan Microsoft Research, Redmond Saurabh Srivastava University."— Presentation transcript:

1 Constraint-based Invariant Inference over Predicate Abstraction Sumit Gulwani Ramarathnam Venkatesan Microsoft Research, Redmond Saurabh Srivastava University of Maryland, College Park

2 Introduction Last decade has seen an engineering revolution in SAT solving. Can we bring the technology to program analysis? – This talk shows how to do that for predicate abstraction by using off-the-shelf SAT solvers, e.g. Z3 We have developed constraint-based techniques: – Program Verification – Maximally-weak Precondition Inference – Inter-procedural Summary Computation – Inferring the Maximally-general Counterexamples to Safety (i.e. finding the best descriptions of bugs). 2

3 Introduction Last decade has seen an engineering revolution in SAT solving. Can we bring the technology to program analysis? – This talk shows how to do that for predicate abstraction by using off-the-shelf SAT solvers, e.g. Z3 We have developed constraint-based techniques: – Program Verification – Maximally-weak Precondition Inference – Inter-procedural Summary Computation – Inferring the Maximally-general Counterexamples to Safety (i.e. finding the best descriptions of bugs). 3

4 Predicate Abstraction Given a fixed finite set of n predicates, associate with each predicate p i a boolean indicator b i. Sound over-approximation of the invariant at each program point represented by a boolean expression involving the indicators. ° (exp(b 1,…,b n )) = exp[p 1 /b 1, …, p n /b n ] ® ( Ã ) = Æ {exp(b 1,…,b n )| Ã ) exp[p 1 /b 1, …, p n /b n ]} Boolean expression ® ( Ã ) = Æ i=1…n {b i | Ã ) p i } ® ( Ã ) in general, not computable 4

5 Constraint-based Invariant Inference Guess a DNF template: k disjuncts (…) Ç (…) Ç (…) : k=3 Task: Fill out each disjunct with a boolean monomial (conjunction of indicator literals) Approach: Generate boolean constraints over indicators using the program semantics and directly solve using off-the-shelf solvers. 5

6 Example: Cut-points loop (int m) { assume(m > 0) x:=0; y:=0; while (x<m) { x++; y++; } assert(y = m) } x:=0; y:=0 x++; y++ x<m assume(m > 0) assert(y = m) I Invariants at cut-points* (at loop header) *Cut-set: Set of cut-points such that each cycle in CFG passes through at least one cut-point 6

7 Example: Simple paths and VCs x:=0; y:=0 x++; y++ x<m assume(m > 0) assert(y = m) I 7

8 Example: Simple paths and VCs x:=0; y:=0 x++; y++ x<m assume(m > 0) assert(y = m) I 8

9 Example: Simple paths and VCs x:=0; y:=0 x++; y++ assume(m > 0) assert(y = m) I assume(x ¸ m) assume(x<m) * 9

10 Example: Simple paths and VCs Verification condition induced by each simple path (sequence of stmt) VC computed using standard backwards weakest precondition operator ! : ! (x:=e, Á ) = Á [e/x] ! (assume(p), Á ) = p ) Á ! (assert(p), Á ) = p Æ Á ! ( ¿ 1 ; ¿ 2, Á ) = ! ( ¿ 1, ! ( ¿ 2, Á )) x:=0; y:=0 x++; y++ assume(m > 0) assert(y = m) I assume(x ¸ m) assume(x<m) * 10

11 Example: Simple paths and VCs ! (x:=e, Á ) = Á [e/x] ! (assume(p), Á ) = p ) Á ! (assert(p), Á ) = p Æ Á ! ( ¿ 1 ; ¿ 2, Á ) = ! ( ¿ 1, ! ( ¿ 2, Á ) x:=0; y:=0 x++; y++ assume(m > 0) assert(y = m) I assume(x ¸ m) assume(x<m) * m>0 ) I [y ! 0, x ! 0] I Æ x ¸ m ) y=m I Æ x<m ) I [y ! y+1, x ! x+1] 1 1 2 3 2 3 11

12 Example: Simple paths and VCs m>0 ) I [y ! 0, x ! 0] I Æ x ¸ m ) y=m I Æ x<m ) I [y ! y+1, x ! x+1 1 2 3 12

13 Example: Boolean Constraint Generation m>0 ) I [y ! 0, x ! 0] 1 2 3 I Æ x<m ) I [y ! y+1, x ! x+1] Unknown invariant on the RHS; constrains how strong I can be Unknown invariant on the LHS; constrains how weak I can be Unknown on both sides; combination of above cases I Æ x ¸ m ) y=m 13

14 Example: Boolean Constraint Generation m>0 ) I [y ! 0, x ! 0] 1 Unknown invariant on the RHS; constrains how strong I can be Unknown invariant on the LHS; constrains how weak I can be 2 I Æ x ¸ m ) y=m x · y, x ¸ y, x<y x · m, x ¸ m, x<m y · m, y ¸ m, y<m 0 · 0, 0 ¸ 0, 0<0 0 · m, 0 ¸ m, 0<m : x · y, x ¸ y, x<y x · m, x ¸ m, x<m y · m, y ¸ m, y<m : b x ¸ m Æ : b x<y Æ : b y ¸ m (b x<m ) Ç (b y · m Æ b y ¸ m ) Ç (b x · y Æ b y · m ) y · m Æ y ¸ m x<m x · y Æ y · m 1: 2: 3: Maximally-weak ways of satisfying the constraint using the given preds. (Computed using Predicate Cover) 14

15 ff: rest tt: b y · x ; b y · m ; b x · y SAT Solver (fixed point computation) Example: Solving using SAT : b x ¸ m Æ : b x<y Æ : b y ¸ m (b x<m ) Ç (b y · m Æ b y ¸ m ) Ç (b x · y Æ b y · m ) (b y · m ) (b y<m Ç b y · x )) Æ : b x<m Æ : b y<m loop (int m) { assume(m > 0) x:=0; y:=0; while (x<m) { x++; y++; } assert(y = m) } I: y=x Æ y · m 15 Individual local computations

16 16 Program Verification Maximally-weak Precondition Inference Inter-procedural Summary Computation

17 Maximally-weak preconditions Instead of the precondition true as in PV, treat precondition as an unknown PRE Generate constraints as for PVnow in terms of PRE and the unknowns invariant Is Solving these yields a precondition PRE, but not necessarily the maximally-weakest Iteratively, improve the current precondition T by adding the following constraint: T ) PRE Æ : (PRE ) T) 17

18 Context-sensitive Inter-procedural Analysis Compute context-sensitive procedure summaries as ( A i, B i ) pre/post pairs in assume- guarantee style reasoning Constraint generation – Procedure body (guarantee): – Calls (assume): 18 P(x) { S; return y; } assume(A i ); S; assert(B i ) v = P(u); assert(A i [u/x ]); assume(B i [u/x, t/y]); v:=t

19 Experiments: Overview Our benchmarks are academic/small benchmark programs that demonstrate the feasibility of the technique We ran our tool in two modes: program verification and weakest precondition We are able to easily generate disjunctive invariants for which specialized techniques have been proposed earlier We collected three performance statistics: – Time for verification condition generation (weakest precondition over simple paths) – Time for boolean constraint generation (includes the predicate cover operation) – Time for SAT solving (fixed point computation) 19

20 Experiments: Results VC generation: 0.23sec SAT solving: 0.06sec Boolean formula generation: Overall time for invariant generation is low Predicate cover called on small formulas. Our unoptimised version performs reasonably 20

21 Related Work Constraint-based invariant inference: – Cousot / Sankarnarayanan et.al.: LIA using mathematical solvers – Beyer et.al.: LIA+UFS by compiling away UFS to LIA – Podelski et.al. / Bradley et.al.: Discover ranking functions We describe a reduction over the very successful domain of predicate abstraction Application of SAT to program analysis: – SATURN: bit accurate modeling of loop-free programs with complicated data structures – Bounded model checking etc. Use SAT for validation; in contrast, we use it for inference of invariants that are sound over- approximations 21

22 Conclusions Constraint-based techniques offer two advantages over iterative fixed-point techniques: – Goal directed (may buy efficiency) – Do not require widening (may buy precision) For predicate abstraction, we have shown how to reduce various program analysis problems to constraint solving. In addition to program verification, constraint-based encoding facilitates easy extensions to inter- procedural summary computation, maximally-weak preconditions, counter-examples to safety. 22

23 Future Work We are exploring extensions to quantifiers and other analysis problems as future work. We are exploring the scalability of this technique along two directions: – Encodings that yield simpler SAT instances, e.g. exploiting symmetry information for the case of disjunctive solutions – Reducing programmer burden by automatically inferring predicate sets and templates VS 3 : Verification and Synthesis using SMT Solvers http://www.cs.umd.edu/~saurabhs/pacs/ 23

24 24 Questions?

25 Best Description of Bugs 25 Err (int m) { error := 0; while (x<m) { x++; y++; if (y ¸ m) error:=1; goto L; } L: assert(error = 1) } Err (int m) { while (x<m) { x++; y++; assert (y<m); } Instrument Run maximally-weak precondition x<m Æ y ¸ x (x<m Æ y ¸ x) Ç (error=1 Æ y ¸ x)

Download ppt "Constraint-based Invariant Inference over Predicate Abstraction Sumit Gulwani Ramarathnam Venkatesan Microsoft Research, Redmond Saurabh Srivastava University."

Similar presentations

Assertion Checking over Combined Abstraction of Linear Arithmetic and Uninterpreted Functions Sumit Gulwani Microsoft Research, Redmond Ashish Tiwari SRI.

Assertion Checking over Combined Abstraction of Linear Arithmetic and Uninterpreted Functions Sumit Gulwani Microsoft Research, Redmond Ashish Tiwari SRI.
Combining Abstract Interpreters Sumit Gulwani Microsoft Research Redmond, Group Ashish Tiwari SRI RADRAD.

Combining Abstract Interpreters Sumit Gulwani Microsoft Research Redmond, Group Ashish Tiwari SRI RADRAD.
Static Analysis of Heap-manipulating Low-level software Sumit GulwaniAshish Tiwari MSR, Redmond SRI International.

Static Analysis of Heap-manipulating Low-level software Sumit GulwaniAshish Tiwari MSR, Redmond SRI International.
Program Verification using Probabilistic Techniques Sumit Gulwani Microsoft Research Invited Talk: VSTTE Workshop August 2006 Joint work with George Necula.

Program Verification using Probabilistic Techniques Sumit Gulwani Microsoft Research Invited Talk: VSTTE Workshop August 2006 Joint work with George Necula.
Logical Abstract Interpretation Sumit Gulwani Microsoft Research, Redmond.

Logical Abstract Interpretation Sumit Gulwani Microsoft Research, Redmond.
Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.

Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.
Consequence Generation, Interpolants, and Invariant Discovery Ken McMillan Cadence Berkeley Labs.

Consequence Generation, Interpolants, and Invariant Discovery Ken McMillan Cadence Berkeley Labs.
Demand-driven inference of loop invariants in a theorem prover

Demand-driven inference of loop invariants in a theorem prover
Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models.

Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Rigorous Software Development CSCI-GA 3033-009 Instructor: Thomas Wies Spring 2013 Lecture 4.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2013 Lecture 4.
Satisfiability Modulo Computable Functions Philippe Suter, Ali Sinan Köksal, and Viktor Kuncak ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE, SWITZERLAND Photo:

Satisfiability Modulo Computable Functions Philippe Suter, Ali Sinan Köksal, and Viktor Kuncak ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE, SWITZERLAND Photo:
An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.

An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.
Software Model Checking with SMT Ken McMillan Microsoft Research TexPoint fonts used in EMF: A A A A A.

Software Model Checking with SMT Ken McMillan Microsoft Research TexPoint fonts used in EMF: A A A A A.
From Verification to Synthesis Sumit Gulwani Microsoft Research, Redmond August 2013 Marktoberdorf Summer School Lectures: Part 1.

From Verification to Synthesis Sumit Gulwani Microsoft Research, Redmond August 2013 Marktoberdorf Summer School Lectures: Part 1.
A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.

A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.
An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.

An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.
On Solving Presburger and Linear Arithmetic with SAT Ofer Strichman Carnegie Mellon University.

On Solving Presburger and Linear Arithmetic with SAT Ofer Strichman Carnegie Mellon University.
Lecture #21 Software Model Checking: predicate abstraction Thomas Ball Testing, Verification and Measurement Microsoft Research.

Lecture #21 Software Model Checking: predicate abstraction Thomas Ball Testing, Verification and Measurement Microsoft Research.
CPSC 422, Lecture 21Slide 1 Intelligent Systems (AI-2) Computer Science cpsc422, Lecture 21 Mar, 4, 2015 Slide credit: some slides adapted from Stuart.

CPSC 422, Lecture 21Slide 1 Intelligent Systems (AI-2) Computer Science cpsc422, Lecture 21 Mar, 4, 2015 Slide credit: some slides adapted from Stuart.

Similar presentations

Ads by Google