Presentation is loading. Please wait.

Presentation is loading. Please wait.

Back to the Future: Revisiting Precise Program Verification Using SMT Solvers Shuvendu Lahiri Shaz Qadeer Microsoft Research, Redmond Presented earlier.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Back to the Future: Revisiting Precise Program Verification Using SMT Solvers Shuvendu Lahiri Shaz Qadeer Microsoft Research, Redmond Presented earlier."— Presentation transcript:

1 Back to the Future: Revisiting Precise Program Verification Using SMT Solvers Shuvendu Lahiri Shaz Qadeer Microsoft Research, Redmond Presented earlier at POPL’08

2 Select(f1,b) = 5  f2 = Store(f1,a,5)  Select(f2,a) + Select(f2,b) = 10 is valid { b.f = 5 } a.f = 5 { a.f + b.f = 10 } is valid theory of equality: f, = theory of arithmetic: 5, 10, + theory of arrays: Select, Store iff Constraints arising in program verification are mixed! [Nelson & Oppen ’79]

3 Satisfiability-Modulo-Theory (SMT) solvers Boolean satisfiability solving + theory reasoning Ground theories – Equality, arithmetic, Select/Store NP-complete Phenomenal progress in the past few years – Yices [Dutretre&deMoura’06], – Z3 [deMoura&Bjorner’07] Potential to prove properties of real-world programs (ESC-JAVA, Spec#)

4 next prev data next prev data next prev data channel_name file_name logtype struct _logentry log_list.headlog_list.tail LinkNode char * [muh: Internet Relay Chat (IRC) bouncer]

5 LinkNode *iter = log_list.head; while (iter != null) { struct _logentry *entry = iter->data; free (entry->channel_name); free (entry->file_name); free (entry); entry = NULL; iter = iter->next; } For every node x in the list between log_list.head and null: x->data is a unique pointer, and x->data->channel_name is a unique pointer, and x->data->file_name is a unique pointer. Universal quantification Reachability predicate Data structure invariant Ensure absence of double free

6 Challenges in program verification Concise and precise expression of non-aliasing and disjointness of the heap Properties of unbounded collections – Lists, Arrays, Trees …..

7 Limitations of SMT solvers No support for precise reasoning with reachability predicate – Incompleteness in Floyd-Hoare proofs for straight line code Brittle support for quantifiers – Complexity: NP-complete (ground)  undecidable – Leads to unpredictable behavior of verifiers Proof times, proof success rate – Requires user ingenuity to craft axioms/invariants with quantifiers

8 HAVOC Heap Aware Verifier fOr C programs – Modular verifier for C programs – Being developed at MSR Redmond Focus on low-level systems software (file systems, device drivers,..) – Linked lists, nested data structures,..

9 Contribution Expressive and efficient logic for precise program verification with the heap A decision procedure for the logic within SMT solvers

10 Memory model Memory Model – Heap consists of a set of objects (obj) – Each field “f” is a mutable map f: obj  obj

11 next prev data next prev data next prev data yx Btwn next (x,y) Btwn prev (y,x) Reachability predicate: Btwn f

12 next prev data next prev data next prev data yx Inverse of a function: f -1 w data -1 (w) = {x, y}

13 LinkNode *iter = log_list.head; while (iter != null) { struct _logentry *entry = iter->data; free (entry->channel_name); free (entry->file_name); free (entry); entry = NULL; iter = iter->next; } For every node x in the list between log_list.head and null: x->data is a unique pointer, and …. Data structure invariant  x  Btwn f (log_list.head, null) \ {null}. data -1 (data(x)) = {x} ….

14 Expressive logic Express properties of collections  x  Btwn f (f(hd), hd). state(x) = LOCKED //cyclic Arithmetic reasoning on data (e.g. sortedness)  x  Btwn f (hd, null) \ {null}.  y  Btwn f (x, null) \ {null}. d(x)  d(y) Type/object invariants  x  Type -1 (“__logentry”). logtype(x) > 0  file_name(x) != null

15 Precise Given the Floyd-Hoare triple X = {P} S {Q} – P and Q are expressed in our logic – S is a loop-free call-free program We can construct a formula Y in our logic – Y is linear in the size of X – X is valid iff Y is valid Need annotations/abstractions only at procedure/loop boundaries

16 Efficient Decision problem is NP-complete – Can’t expect any better with propositional logic! – Retains the complexity of current SMT logics Provide a decision procedure for the logic on top of state-of-the-art Z3 SMT solver – Leverages powerful ground-theory reasoning (arithmetic, arrays, uninterpreted functions…)

17 Rest of the talk Logic and decision procedure Implementation and experience in HAVOC Related work

18 Ground Logic t  Term ::= c | x | t 1 + t 2 | t 1 - t 2 | f(t) G  GFormula ::= t = t’ | t < t’ | t  Btwn f (t 1, t 2 ) |  G S  Set ::= f -1 (t) | Btwn f (t 1, t 2 ) F   Formula ::=G | F 1  F 2 |F 1  F 2 |  x  S. F Logic

19 Ground decision procedure Provide a set of 10 rewrite rules for Btwn f – Sound, complete and terminating E.g. Transitivity3 t 1  Btwn f (t 0, t 2 ) t  Btwn f (t 0, t 1 ) t  Btwn f (t 0, t 2 ), t 1  Btwn f (t, t 2 )

20 t  Term ::= c | x | t 1 + t 2 | t 1 - t 2 | f(t) G  GFormula ::= t = t’ | t < t’ | t  Btwn f (t 1, t 2 ) |  G S  Set ::= f -1 (t) | Btwn f (t 1, t 2 ) F   Formula ::=G | F 1  F 2 |F 1  F 2 |  x  S. F Logic Bounded quantification over interpreted sets

21 Sort restriction The unsorted logic is undecidable !! Unsorted logic  Sorted logic – Each term has a sort D, each function f has a sort D  E – There is a partial order on the sorts Sort-restriction on  x  S. F – sort(x) should be less than the sort(t[x]) for any term t[x] inside F

22 Sort restriction Sort-restriction on  x  S. F – sort(x) should be less than the sort(t[x]) for any term t[x] inside F Sorts are quite natural – Come from program types Most interesting specifications can be expressed – See paper for exceptions

23 Lazy quantifier instantiation Instantiation rule t  S  x  S. F F[t/x] Lazy instantiation – Instantiate only when a term t belongs to the set S – Substantially reduces the number of terms to instantiate a quantified fact

24 Implementation using triggers E.g. Transitivity3 t 1  Btwn f (t 0, t 2 ) t  Btwn f (t 0, t 1 ) t  Btwn f (t 0, t 2 ), t 1  Btwn f (t, t 2 )  t 0, t 1, t 2, t :: {Btwn f (t 0, t 2, t 1 ), Btwn f (t 0, t 1, t 2 ) } Btwn f (t 0, t 2, t 1 )  Btwn f (t 0, t 1, t 2 )  Btwn f (t 0, t 2, t)  Btwn f (t, t 2, t 1 )

25 Preliminary results Implemented a prototype in HAVOC – Uses Boogie and Z3 Compared with an earlier [TACAS’07] implementation – Unrestricted quantifiers, incomplete axiomatization of reachability, no f -1 – Small to medium sized benchmarks

26 Experience Greatly improved the predictability of the verifier – Reduced runtimes (2X – 100X) – Eliminate need for carefully crafted axioms and invariants – Can handle newer examples Next step: infer annotations – E.g. Interpolants (builds on SMT solver)

27 Related work Ternary reachability predicate – Nelson ‘83, Rakamaric et al. ’07 Decidability with quantifiers (no reachability) – McPeak and Necula ‘05 Separation logic [Berdine et al. ’04] Second-order logic – MONA [Moeller et al. ’01], LRP [Yorsh et al. ’06]

28 Ongoing work HAVOC available for download – www.research.microsoft.com/projects/HAVOC www.research.microsoft.com/projects/HAVOC Extend the logic to other interpreted set constructors – All elements in an array – All pointers of a given type for C

29 Questions

Download ppt "Back to the Future: Revisiting Precise Program Verification Using SMT Solvers Shuvendu Lahiri Shaz Qadeer Microsoft Research, Redmond Presented earlier."

Similar presentations

Assertion Checking over Combined Abstraction of Linear Arithmetic and Uninterpreted Functions Sumit Gulwani Microsoft Research, Redmond Ashish Tiwari SRI.

Assertion Checking over Combined Abstraction of Linear Arithmetic and Uninterpreted Functions Sumit Gulwani Microsoft Research, Redmond Ashish Tiwari SRI.
Combining Abstract Interpreters Sumit Gulwani Microsoft Research Redmond, Group Ashish Tiwari SRI RADRAD.

Combining Abstract Interpreters Sumit Gulwani Microsoft Research Redmond, Group Ashish Tiwari SRI RADRAD.
A Framework for describing recursive data structures Kenneth Roe Scott Smith.

A Framework for describing recursive data structures Kenneth Roe Scott Smith.
Logical Abstract Interpretation Sumit Gulwani Microsoft Research, Redmond.

Logical Abstract Interpretation Sumit Gulwani Microsoft Research, Redmond.
Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.

Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.

Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.
Synthesis, Analysis, and Verification Lecture 04c Lectures: Viktor Kuncak VC Generation for Programs with Data Structures “Beyond Integers”

Synthesis, Analysis, and Verification Lecture 04c Lectures: Viktor Kuncak VC Generation for Programs with Data Structures “Beyond Integers”
Automated Verification with HIP and SLEEK Asankhaya Sharma.

Automated Verification with HIP and SLEEK Asankhaya Sharma.
50.530: Software Engineering

50.530: Software Engineering
Gennaro Parlato (LIAFA, Paris, France) Joint work with P. Madhusudan Xiaokang Qie University of Illinois at Urbana-Champaign.

Gennaro Parlato (LIAFA, Paris, France) Joint work with P. Madhusudan Xiaokang Qie University of Illinois at Urbana-Champaign.
Gennaro Parlato (LIAFA, Paris, France) Joint work with P. Madhusudan Xiaokang Qie University of Illinois at Urbana-Champaign.

Gennaro Parlato (LIAFA, Paris, France) Joint work with P. Madhusudan Xiaokang Qie University of Illinois at Urbana-Champaign.
SMT Solvers (an extension of SAT) Kenneth Roe. Slide thanks to C. Barrett & S. A. Seshia, ICCAD 2009 Tutorial 2 Boolean Satisfiability (SAT) ⋁ ⋀ ¬ ⋁ ⋀

SMT Solvers (an extension of SAT) Kenneth Roe. Slide thanks to C. Barrett & S. A. Seshia, ICCAD 2009 Tutorial 2 Boolean Satisfiability (SAT) ⋁ ⋀ ¬ ⋁ ⋀
Linked List Implementation class List { private List next; private Object data; private static List root; private static int size; public static void addNew(Object.

Linked List Implementation class List { private List next; private Object data; private static List root; private static int size; public static void addNew(Object.
Software Engineering & Automated Deduction Willem Visser Stellenbosch University With Nikolaj Bjorner (Microsoft Research, Redmond) Natarajan Shankar (SRI.

Software Engineering & Automated Deduction Willem Visser Stellenbosch University With Nikolaj Bjorner (Microsoft Research, Redmond) Natarajan Shankar (SRI.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 11.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
Interpolants from Z3 proofs Ken McMillan Microsoft Research TexPoint fonts used in EMF: A A A A A.

Interpolants from Z3 proofs Ken McMillan Microsoft Research TexPoint fonts used in EMF: A A A A A.
1 A Logic of Reachable Patterns in Linked Data-Structures Greta Yorsh joint work with Alexander Rabinovich, Mooly Sagiv Tel Aviv University Antoine Meyer,

1 A Logic of Reachable Patterns in Linked Data-Structures Greta Yorsh joint work with Alexander Rabinovich, Mooly Sagiv Tel Aviv University Antoine Meyer,
A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.

A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.
Panel on Decision Procedures Panel on Decision Procedures Randal E. Bryant Lintao Zhang Nils Klarlund Harald Ruess Sergey Berezin Rajeev Joshi.

Panel on Decision Procedures Panel on Decision Procedures Randal E. Bryant Lintao Zhang Nils Klarlund Harald Ruess Sergey Berezin Rajeev Joshi.

Similar presentations

Ads by Google