Presentation is loading. Please wait.

Presentation is loading. Please wait.

A two-tier approach for supporting quantifiers in a lazily proof-explicating theorem prover K. Rustan M. Leino Microsoft Research, Redmond Madan Musuvathi.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "A two-tier approach for supporting quantifiers in a lazily proof-explicating theorem prover K. Rustan M. Leino Microsoft Research, Redmond Madan Musuvathi."— Presentation transcript:

1 A two-tier approach for supporting quantifiers in a lazily proof-explicating theorem prover K. Rustan M. Leino Microsoft Research, Redmond Madan Musuvathi Microsoft Research, Redmond Xinming Ou Princeton University 7 April 2005; TACAS 2005; Edinburgh, Scotland

2 Motivation Quantifiers are used in symbolic reasoning techniques like program verification – Axioms about otherwise uninterpreted functions – Axioms about type system – Object invariants, for all objects of a type – Quantifications in user input – … verification condition generator automatic theorem prover verification condition program with specifications “correct” or list of errors program verifier:

3 Example To prove: (  a,j,x 0 ≤ j  j < Length(a)  read(write(a,j,x), j) = x)  0 < Length(b)  read(write(b,0,10), 0) = 10 try to satisfy its negation: (  a,j,x 0 ≤ j  j < Length(a)  read(write(a,j,x), j) = x)  0 < Length(b)  ¬(read(write(b,0,10), 0) = 10)

4 Simplify [Detlefs, Nelson, Saxe, 2003] 0.do theory reasoning (EUF, linear arithmetic, …) 1.instantiate quantifiers 2.do case split

5 Lemmas-by-demand architecture Verifun, ICS, CVC Lite, … case splits are performed by a SAT solver SAT solver treats each atomic formula as a propositional variable if theories find monome M unsatisfiable, they return a lemma that refutes M example lemma: M  false 0.do case splits 1.do theory reasoning M (f(12)=a ¬(b < 5))  f(12) < a

6 Adding quantifiers 0.do case splits 1.do theory reasoning 2.instantiate quantifiers quantifier module produces facts – example fact: (x f(x)=5)  f(12)=5 – instantiations are chosen from matching triggers (à la Simplify) – such a fact may or may not refute M but what if instantiation contains a disjunction? – example: (x g(x)  f(h(x))) M

7 What to do with instantiation facts Possible design: [Verifun: Flanagan, Joshi, Saxe, 2004] return facts as lemmas, even though they may not refute M (that is, conjoin instantiations to input formula)  simple – lemmas returned may contain atomic formulas not in input  useful instantiations are automatically reused – pollution from useless instantiations will linger on forever 0.do case splits 1.do theory reasoning 2.instantiate quantifiers M

8 Two-tier approach Let a second SAT solver explore the new disjunctions 0.do case splits 1.do theory reasoning 2.instantiate quantifiers M M  M’ Repeat: 0. do case splits 1. do theory reasoning 2. instantiate quantifiers if MM’ is refuted, then let SAT solver pick new M’ if there is no other choice for M’, then M is contradictory if MM’ is satisfiable, then so is M

9 CheckMonome(M) theories.Assert(M); theories.Checkpoint(); facts := { }; loop { if (¬theories.Consistent(out lemmas)) { facts := facts  lemmas; } else if (quant.GenerateFacts(out newFacts)) { facts := facts  newFacts; } else { return satisfiable; } if (¬satSolver.Satisfiable(M  facts, out monome)) { return smallest subset m of M such that ¬satSolver.Satisfiable(m  facts); } theories.RestoreCheckpoint(); theories.Assert(monome); }

10 Example (a,j,x 0 ≤ j  j < Length(a)  read(write(a,j,x), j) = x)  0 < Length(b)  ¬(read(write(b,0,10), 0) = 10)

11 Example (a,j,x 0 ≤ j  j < Length(a)  read(write(a,j,x), j) = x)  0 < Length(b)  ¬(read(write(b,0,10), 0) = 10)   ¬

12 Example (a,j,x 0 ≤ j  j < Length(a)  read(write(a,j,x), j) = x)  0 < Length(b)  ¬(read(write(b,0,10), 0) = 10)  (0 ≤ 0  0 < Length(b)  read(write(b,0,10), 0) = 10)   ¬  (  (   ) new fact:

13 Example (a,j,x 0 ≤ j  j < Length(a)  read(write(a,j,x), j) = x)  0 < Length(b)  ¬(read(write(b,0,10), 0) = 10)  (0 ≤ 0  0 < Length(b)  read(write(b,0,10), 0) = 10)   ¬  (  (   ) arithmetic lemma:   ¬

14 Example (a,j,x 0 ≤ j  j < Length(a)  read(write(a,j,x), j) = x)  0 < Length(b)  ¬(read(write(b,0,10), 0) = 10)  (0 ≤ 0  0 < Length(b)  read(write(b,0,10), 0) = 10)   ¬  (  (   ) unsatisfiable 

15 Example (a,j,x 0 ≤ j  j < Length(a)  read(write(a,j,x), j) = x)  0 < Length(b)  ¬(read(write(b,0,10), 0) = 10)  (0 ≤ 0  0 < Length(b)  read(write(b,0,10), 0) = 10)   ¬  (  (   ) lemma:   ¬ false 

16 More tiers main design point: number of rounds before starting a new tier

17 Evaluation Implemented in Zap Not yet enough data to say something conclusive about performance On hand-produced examples with characteristics of realistic verification conditions, 2-tier approach performs fewer case splits than 1-tier approach, but the gains are counteracted by the rather expensive UnsatCore routine We expect a long road toward understanding and tuning performance (cf. Simplify for ESC)

18 More fact generators quantifier instantiations non-convex theories loop-invariant strengthenings

19 Summary We added support for quantifiers in a lemmas-by- demand theorem prover Pollution reduction technique Instantiation facts are generated in a separate tier, lemmas returned are produced from useful facts Theorem prover can have other fact generators too Future work: gain more experience

Download ppt "A two-tier approach for supporting quantifiers in a lazily proof-explicating theorem prover K. Rustan M. Leino Microsoft Research, Redmond Madan Musuvathi."

Similar presentations

A Randomized Satisfiability Procedure for Arithmetic and Uninterpreted Function Symbols Sumit Gulwani George Necula EECS Department University of California,

A Randomized Satisfiability Procedure for Arithmetic and Uninterpreted Function Symbols Sumit Gulwani George Necula EECS Department University of California,
Logical Abstract Interpretation Sumit Gulwani Microsoft Research, Redmond.

Logical Abstract Interpretation Sumit Gulwani Microsoft Research, Redmond.
SMELS: Sat Modulo Equality with Lazy Superposition Christopher Lynch – Clarkson Duc-Khanh Tran - MPI.

SMELS: Sat Modulo Equality with Lazy Superposition Christopher Lynch – Clarkson Duc-Khanh Tran - MPI.
A practical and complete approach to predicate abstraction Ranjit Jhala UCSD Ken McMillan Cadence Berkeley Labs.

A practical and complete approach to predicate abstraction Ranjit Jhala UCSD Ken McMillan Cadence Berkeley Labs.
Extended Static Checking for Java Cormac Flanagan K. Rustan M. Leino Mark Lillibridge Greg Nelson James B. Saxe Raymie Stata Compaq SRC 18 June 2002 PLDI02,

Extended Static Checking for Java Cormac Flanagan K. Rustan M. Leino Mark Lillibridge Greg Nelson James B. Saxe Raymie Stata Compaq SRC 18 June 2002 PLDI02,
Demand-driven inference of loop invariants in a theorem prover

Demand-driven inference of loop invariants in a theorem prover
Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models.

Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models.
Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 0 Summer school on Formal Models.

Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 0 Summer school on Formal Models.
Automated Theorem Proving

Automated Theorem Proving
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
In this episode of The Verification Corner, Rustan Leino talks about Loop Invariants. He gives a brief summary of the theoretical foundations and shows.

In this episode of The Verification Corner, Rustan Leino talks about Loop Invariants. He gives a brief summary of the theoretical foundations and shows.
Knowledge & Reasoning Logical Reasoning: to have a computer automatically perform deduction or prove theorems Knowledge Representations: modern ways of.

Knowledge & Reasoning Logical Reasoning: to have a computer automatically perform deduction or prove theorems Knowledge Representations: modern ways of.
UIUC CS 497: Section EA Lecture #2 Reasoning in Artificial Intelligence Professor: Eyal Amir Spring Semester 2004.

UIUC CS 497: Section EA Lecture #2 Reasoning in Artificial Intelligence Professor: Eyal Amir Spring Semester 2004.
Propositional and First Order Reasoning. Terminology Propositional variable: boolean variable (p) Literal: propositional variable or its negation p 

Propositional and First Order Reasoning. Terminology Propositional variable: boolean variable (p) Literal: propositional variable or its negation p 
On Solving Presburger and Linear Arithmetic with SAT Ofer Strichman Carnegie Mellon University.

On Solving Presburger and Linear Arithmetic with SAT Ofer Strichman Carnegie Mellon University.
Automated Reasoning Systems For first order Predicate Logic.

Automated Reasoning Systems For first order Predicate Logic.
Interpolants from Z3 proofs Ken McMillan Microsoft Research TexPoint fonts used in EMF: A A A A A.

Interpolants from Z3 proofs Ken McMillan Microsoft Research TexPoint fonts used in EMF: A A A A A.
1 Cover Algorithms and Their Combination Sumit Gulwani, Madan Musuvathi Microsoft Research, Redmond.

1 Cover Algorithms and Their Combination Sumit Gulwani, Madan Musuvathi Microsoft Research, Redmond.
An Integration of Program Analysis and Automated Theorem Proving Bill J. Ellis & Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt.

An Integration of Program Analysis and Automated Theorem Proving Bill J. Ellis & Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt.
1.7.2008 Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt.

Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt.

Similar presentations

Ads by Google