Presentation is loading. Please wait.

Presentation is loading. Please wait.

MoCHi: Software Model Checker for a Higher-Order Functional Language

Published byAmanda Aro Modified over 6 years ago

Similar presentations

Presentation on theme: "MoCHi: Software Model Checker for a Higher-Order Functional Language"— Presentation transcript:

1 MoCHi: Software Model Checker for a Higher-Order Functional Language
Hiroshi Unno University of Tsukuba (Joint work with Naoki Kobayashi and Ryosuke Sato) 2018/9/20

2 MoCHi Software model checker for a subset of OCaml (cf. SLAM, BLAST)
Support integers, recursive data types, exceptions, higher-order functions, and recursion let rec mc x = if x > 100 then x – 10 else mc (mc (x + 11)) in let n = randi() in if n ≤ 101 then assert (mc n = 91) MoCHi Program & Spec. Result Certificate or Counterexample Based on higher-order model checking 2018/9/20

3 Outline How MoCHi Works? Implementation Summary Function Encoding
Predicate Abstraction & CEGAR Implementation Summary 2018/9/20

4 Outline How MoCHi Works? Implementation Summary Function Encoding
Predicate Abstraction & CEGAR Implementation Summary 2018/9/20

5 How MoCHi Works? 𝜆 → + recursion + recursive data types + exceptions + integers + booleans Functional Program Function Encoding PCF 𝜆 → + recursion + integers + booleans Predicate Abstraction & CEGAR [PLDI’11] 𝜆 → + recursion + booleans Finitary PCF (fPCF) Higher-Order Model Checking [Kobayashi POPL’09, PPDP’09] Sound and complete! 2018/9/20

6 How MoCHi Works? 𝜆 → + recursion + recursive data types + exceptions + integers + booleans Functional Program Function Encoding PCF 𝜆 → + recursion + integers + booleans Predicate Abstraction & CEGAR [PLDI’11] 𝜆 → + recursion + booleans Finitary PCF (fPCF) Higher-Order Model Checking [Kobayashi POPL’09, PPDP’09] Sound and complete! 2018/9/20

7 Function Encoding of Lists
Encode a list as a pair (len, f), where: len is the length of the list f is a function from an index i to the i-th element e.g., [3;1;4] is encoded as (3, f), where: f(0)=3, f(1)=1, f(2)=4, and undefined otherwise let nil = (0, fun i -> ⊥) let cons a (len, l) = (len + 1, fun i -> if i = 0 then a else l (i - 1)) let hd (len, l) = l 0 let tl (len, l) = (len - 1, fun i -> l (i + 1)) let is_nil (len, l) = len = 0 2018/9/20

8 Function Encoding of Recursive Data Types
Encode a tree of a recursive data type as a function from a node’s path to its label type btree = Leaf of int | Node of btree * btree Node Leaf 3 1 4 A function f, where: f [] = Node f [1] = Leaf f [2] = Node f [1;1] = 3 f [2;1] = Leaf f [2;2] = Leaf f [2;1;1] = f [2;2;1] = 4 2018/9/20

9 Function Encoding of Exceptions
exception NotPos let rec fact n = if n ≤ 0 then raise NotPos else try n × fact (n-1) with NotPos -> 1 let NotPos = 0 let rec fact n k exn = if n ≤ 0 then exn NotPos else fact (n-1) (fun r -> k (n × r)) (fun NotPos -> k 1) CPS Trans. 2018/9/20

10 How MoCHi Works? 𝜆 → + recursion + recursive data types + exceptions + integers + booleans Functional Program Function Encoding PCF 𝜆 → + recursion + integers + booleans Predicate Abstraction & CEGAR [PLDI’11] 𝜆 → + recursion + booleans Finitary PCF (fPCF) Higher-Order Model Checking [Kobayashi POPL’09, PPDP’09] Sound and complete! 2018/9/20

11 Predicate Abstraction [Graf & Saidi CAV’97]
PCF let f g x = g (x+1) P(x)≡ x ≥0 Q(y)≡y ≥0 Predicate Abstraction Predicates b=true ⇔ P(x) fPCF let f g b = g (if b then true else rndbool) P(x) ⇒ Q(x+1) 2018/9/20

12 CEGAR [Clarke et al. CAV’00]
PCF Predicate Abstraction New Predicates Predicate Discovery fPCF CEGAR Loop infeasible Higher-Order Model Checking [Kobayashi POPL’09] NG Error Trace Feasibility Check OK feasible safe unsafe 2018/9/20

13 CEGAR [Clarke et al. CAV’00]
PCF Predicate Abstraction New Predicates Predicate Discovery fPCF CEGAR Loop infeasible Higher-Order Model Checking [Kobayashi POPL’09] NG Error Trace Feasibility Check OK feasible safe unsafe 2018/9/20

14 Challenges in Higher-Order Setting
Predicate Abstraction How to ensure consistency of abstraction? Predicate Discovery How to find new predicates that can eliminate an infeasible error trace from the abstraction? 2018/9/20

15 Challenges in Higher-Order Setting
Predicate Abstraction How to ensure consistency of abstraction? let sum n k = if n≤0 then k 0 else sum (n-1) (𝜆x’.k (x’+n)) let main m = sum m (𝜆x.assert(x≥m)) ¸x.x≥n ¸x.x≥m 2018/9/20

16 Our Solution: Abstraction Types
let sum n k = if n≤0 then k 0 else sum (n-1) (𝜆x’.k (x’+n)) let main m = sum m (𝜆x.assert(x≥m)) 𝜆x’.x’≥n-1 𝜆x.x≥n 𝜆x.x≥m sum: (n:int[] → (int[𝜆x.x≥n] → ⋆) → ⋆) no predicates for n predicate for the 1st argument of k Unit type 2018/9/20

17 Example: Predicate Abstraction
𝜆x’.x’≥n-1 let sum n k = if n·0 then k 0 else sum (n-1) (𝜆x’.k (x’+n)) let main m = sum m (𝜆x.assert(x≥m)) n>0 𝜆x.x≥n sum: (n:int[] → (int[𝜆x.x≥n] → ⋆) → ⋆) let sum () k = if * then k true else sum () (𝜆b’.k (if b’ then true else rndbool)) let main () = sum () (𝜆b. assert(b)) x’≥n-1 ∧ n>0 ⇒ x’+n≥n Successfully model checked! 2018/9/20

18 Type-Directed Predicate Abstraction
PCF Term Abstraction Type Γ⊢𝑀:𝜏⇒𝑡 Abstraction Type Environment fPCF Term Γ⊢𝑀: 𝜏 ′ →𝜏⇒s Γ⊢𝑁:𝜏′⇒𝑡 Γ⊢𝑀 𝑁:𝜏⇒𝑠 t Predicate Abstraction Rule for Function Applications 2018/9/20

19 Challenges in Higher-Order Setting
Predicate Abstraction How to ensure consistency of abstraction? Predicate Discovery How to find new predicates that can eliminate an infeasible error trace from the abstraction? 2018/9/20

20 Challenges in Higher-Order Setting
Predicate Abstraction How to ensure consistency of abstraction? Predicate Discovery How to find abstraction types that can eliminate an infeasible error trace from the abstraction? 2018/9/20

21 Our Solution Reduction to refinement type inference of a straightline higher-order program (SHP) Infeasible Error Trace Refinement Type Inference [Unno & Kobayashi PPDP’09] Straightline Higher-Order Program (SHP) RefinementTypes Abstraction Types 2018/9/20

22 Example: Abstraction Type Finding (1/2)
let sum n k = if n≤0 then k else sum (n-1) (𝜆x’.k (x’+n)) let main m = sum m (𝜆x.assert(x≥m)) Infeasible error trace: main m → sum m (𝜆x.assert(x≥m)) → if m≤0 then (𝜆x.assert(x ≥m)) 0 else … → (¸x.assert(x≥m)) 0 → assert(0≥m) → fail m≤0 0≤m 2018/9/20

23 Example: Abstraction Type Finding (2/2)
let sum n k = if n≤0 then k else sum (n-1) (𝜆x’.k (x’+n)) let main m = sum m (𝜆x.assert(x≥m)) main m → ∗ if m≤0… → ∗ m≤0 assert(0≥m) →0<m fail Straightline Higher-Order Program (SHP): let sum n k = assume(n≤0); k 0 let main m = sum m (𝜆x.assume(x<m); fail) [Unno & Kobayashi PPDP’09] Abstraction Type: sum: (n:int[] → (int[𝜆x.x≥n] → ⋆) → ⋆) Refinement Type of SHP: sum: (n:int → ({x:int|x¸n} → ⋆) → ⋆) 2018/9/20

24 Example: Abstraction Type Finding (1/2)
let rec copy x = if x=0 then 0 else 1 + copy (x-1) let main n = assert (copy n = n) Infeasible error trace: main n → assert (copy n = n) → E[if n=0 then 0 else 1 + copy (n-1)] → E[1 + copy (n-1)] → E[1 + (if n-1=0 then 0 else 1 + copy (n-2))]] → E[1 + 0] → assert (1 = n) → fail n ≠ 0 n-1=0 1 ≠ n 2018/9/20

25 Example: Abstraction Type Finding (2/2)
let rec copy x = if x=0 then 0 else 1 + copy (x-1) let main n = assert (copy n = n) main n → ∗ fail Straightline Higher-Order Program (SHP): let copy1 x = assume (x≠0); 1 + copy2 (x-1) let copy2 x = assume (x=0); 0 let main n = assume (copy1 n≠n); fail [Unno & Kobayashi PPDP’09] Abstraction Types: copy: (x:int → int[𝜆r.r=x]) Refinement Types: copy: (x:int → {r:int|r=x}) 2018/9/20

26 Refinement Type Inference [Unno & Kobayashi PPDP’09]
Constraint Generation Constraint Solving Horn Clauses Refinement Types SHP 2018/9/20

27 Example: Constraint Generation
Straightline Higher-Order Program (SHP): let copy1 x = assume (x≠0); 1 + copy2 (x-1) let copy2 x = assume (x=0); 0 let main n = assume (copy1 n≠n); fail Refinement Type Templates: copy1: (x:int → {r:int|P1(x,r)}) copy2: (x:int → {r:int|P2(x,r)}) Horn Clauses: x=0 ∧ r=0 ⇒ P2(x,r) P2(x-1,s) ∧ x≠0 ∧ r=1+s ⇒ P1(x,r) P1(n,r) ⇒ r=n 2018/9/20

28 Example: Constraint Solving (1/2)
Horn Clauses: x=0 ∧ r=0 ⇒ P2(x,r) P2(x-1,s) ∧ x≠0 ∧ r=1+s ⇒ P1(x,r) P1(n,r) ⇒ r=n Horn Clauses with P2 eliminated: x=1 ∧ s=0 ∧ x≠0 ∧ r=1+s ⇒ P1(x,r) P1(n,r) ⇒ r=n Interpolating Prover Solution: P1(x,r) ≡ r=x 2018/9/20

29 Interpolating Prover Input: 𝜙 1 , 𝜙 2 such that 𝜙 1 ⇒ 𝜙 2
Output: an interpolant 𝜙 of 𝜙 1 , 𝜙 2 such that: 𝜙 1 ⇒𝜙 𝜙⇒ 𝜙 2 𝐹𝑉 𝜙 ⊆𝐹𝑉 𝜙 1 ∩𝐹𝑉 𝜙 2 Example: r=x is an interpolant of: x=1 ∧ s=0 ∧ x≠0 ∧ r=1+s and r=x 2018/9/20

30 Example: Constraint Solving (2/2)
Horn Clauses: x=0 ∧ r=0 ⇒ P2(x,r) P2(x-1,s) ∧ x≠0 ∧ r=1+s ⇒ P1(x,r) P1(n,r) ⇒ r=n Substitute P1(x,r) with r=x Horn Clauses with P1 substituted: x=0 ∧ r=0 ⇒ P2(x,r) P2(x-1,s) ⇒ (x≠0 ∧ r=1+s ⇒ r=x) Interpolating Prover Solution: P2(x,r) ≡ r=x 2018/9/20

31 Example: Refinement Type Inference
Straightline Higher-Order Program (SHP): let copy1 x = assume (x≠0); 1 + copy2 (x-1) let copy2 x = assume (x=0); 0 let main n = assume (copy1 n≠n); fail Refinement Type Templates: copy1: (x:int → {r:int|P1(x,r)}) copy2: (x:int → {r:int|P2(x,r)}) Refinement Types of SHP: copy1: (x:int → {r:int|r=x}) copy2: (x:int → {r:int|r=x}) 2018/9/20

32 Outline How MoCHi Works? Implementation Summary Functional Encoding
Predicate Abstraction & CEGAR Implementation Summary 2018/9/20

33 MoCHi: Model Checker for Higher-Order Programs
Prototype model checker for OCaml Implemented using: TRecS [Kobayashi PPDP’09] as higher-order model checker CVC3 [Barrett & Tinelli CAV’07] for predicate abstraction CSIsat [Beyer et al. CAV’08] for predicate discovery 2018/9/20

34 Preliminary Experiments (excerpted)
Program CEGAR Loops Time (s.) mc91 2 0.07 ackermann 3 0.15 repeat a-max 5 4.78 a-max-e 0.13 l-zipunzip 0.12 e-fact 0.01 r-file 12 5.23 Encoded by functions: let make n = 𝜆i.assert(0≤i∧i<n); 0 let update i x n a = assert(0≤i ∧ i<n); 𝜆j. if i=j then x else a(i) arrays Eliminated by CPS transformation lists exceptions resource usage analysis Environment: Intel® Xeon® 3GHz + 8GB memory 2018/9/20

35 Outline How MoCHi Works? Implementation Summary Functional Encoding
Predicate Abstraction & CEGAR Implementation Summary 2018/9/20

36 Summary Software model checker MoCHi for OCaml
Support integers, recursive data types, exceptions, higher-order functions, and recursion Reduction to higher-order model checking by: Function encoding of recursive data types & exceptions Predicate abstraction & CEGAR Web interface available from: 2018/9/20

Download ppt "MoCHi: Software Model Checker for a Higher-Order Functional Language"

Similar presentations

1 Parametric Heap Usage Analysis for Functional Programs Leena Unnikrishnan Scott D. Stoller.

1 Parametric Heap Usage Analysis for Functional Programs Leena Unnikrishnan Scott D. Stoller.
A practical and complete approach to predicate abstraction Ranjit Jhala UCSD Ken McMillan Cadence Berkeley Labs.

A practical and complete approach to predicate abstraction Ranjit Jhala UCSD Ken McMillan Cadence Berkeley Labs.
Demand-driven inference of loop invariants in a theorem prover

Demand-driven inference of loop invariants in a theorem prover
SLD-resolution Introduction Most general unifiers SLD-resolution

SLD-resolution Introduction Most general unifiers SLD-resolution
Type Checking, Inference, & Elaboration CS153: Compilers Greg Morrisett.

Type Checking, Inference, & Elaboration CS153: Compilers Greg Morrisett.
Verification of Evolving Software Natasha Sharygina Joint work with Sagar Chaki and Nishant Sinha Carnegie Mellon University.

Verification of Evolving Software Natasha Sharygina Joint work with Sagar Chaki and Nishant Sinha Carnegie Mellon University.
50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.

50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.
Inferring Disjunctive Postconditions Corneliu Popeea and Wei-Ngan Chin School of Computing National University of Singapore - ASIAN 2006 -

Inferring Disjunctive Postconditions Corneliu Popeea and Wei-Ngan Chin School of Computing National University of Singapore - ASIAN
Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani

Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani
© Anvesh Komuravelli Spacer Automatic Abstraction in SMT-Based Unbounded Software Model Checking Anvesh Komuravelli Carnegie Mellon University Joint work.

© Anvesh Komuravelli Spacer Automatic Abstraction in SMT-Based Unbounded Software Model Checking Anvesh Komuravelli Carnegie Mellon University Joint work.
Automating Relatively Complete Verification of Higher-Order Functional Programs Hiroshi Unno (University of Tsukuba) Tachio Terauchi (Nagoya University)

Automating Relatively Complete Verification of Higher-Order Functional Programs Hiroshi Unno (University of Tsukuba) Tachio Terauchi (Nagoya University)
By Dirk Beyer, Alessandro Cimatti, Alberto Griggio, Erkan Keremoglu and Roberto Sebastiani Simon Fraser University (Spring 09) Presentation By: Pashootan.

By Dirk Beyer, Alessandro Cimatti, Alberto Griggio, Erkan Keremoglu and Roberto Sebastiani Simon Fraser University (Spring 09) Presentation By: Pashootan.
Logic as the lingua franca of software verification Ken McMillan Microsoft Research TexPoint fonts used in EMF: A A A A A Joint work with Andrey Rybalchenko.

Logic as the lingua franca of software verification Ken McMillan Microsoft Research TexPoint fonts used in EMF: A A A A A Joint work with Andrey Rybalchenko.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
Introducing BLAST Software Verification John Gallagher CS4117.

Introducing BLAST Software Verification John Gallagher CS4117.
Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer.

Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer.
Relatively Complete Verification of Higher- Order Programs (via Automated Refinement Type Inference) Tachio Terauchi Nagoya University TexPoint fonts used.

Relatively Complete Verification of Higher- Order Programs (via Automated Refinement Type Inference) Tachio Terauchi Nagoya University TexPoint fonts used.
BLAST-A Model Checker for C Developed by Thomas A. Henzinger (EPFL) Rupak Majumdar (UC Los Angeles) Ranjit Jhala (UC San Diego) Dirk Beyer (Simon Fraser.

BLAST-A Model Checker for C Developed by Thomas A. Henzinger (EPFL) Rupak Majumdar (UC Los Angeles) Ranjit Jhala (UC San Diego) Dirk Beyer (Simon Fraser.
The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.

The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.
Termination Proofs for Systems Code Andrey Rybalchenko, EPFL/MPI joint work with Byron Cook, MSR and Andreas Podelski, MPI PLDI’2006, Ottawa.

Termination Proofs for Systems Code Andrey Rybalchenko, EPFL/MPI joint work with Byron Cook, MSR and Andreas Podelski, MPI PLDI’2006, Ottawa.

Similar presentations

Ads by Google