Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Template-based Approach to Complete Predicate Refinement Tachio Terauchi (Nagoya University) Hiroshi Unno (University of Tsukuba) Naoki Kobayashi (University.

Published byKimberly Hampton Modified over 9 years ago

Similar presentations

Presentation on theme: "A Template-based Approach to Complete Predicate Refinement Tachio Terauchi (Nagoya University) Hiroshi Unno (University of Tsukuba) Naoki Kobayashi (University."— Presentation transcript:

1 A Template-based Approach to Complete Predicate Refinement Tachio Terauchi (Nagoya University) Hiroshi Unno (University of Tsukuba) Naoki Kobayashi (University of Tokyo) TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A AA A AA

2 Software Model Checking Automated Verification of Infinite State Systems Data : Infinite (e.g. Integers) Control : Finite, PDS (aka CFL reachability) – SLAM, BLAST, IMPACT, ARMC, Terminator, etc.

3 SMC Internals FOL predicate abstraction of infinite data – E.g. “x < y” = set of states ½ where ½ (x) < ½ (y) – Exploits advances in SAT/SMT solving CEGAR to automatically refine abstraction – Inference of appropriate FOL predicates Same design also used in “higher-order SMC”: Depcegar, MoCHi, HMC, etc.

4 Predicates: x = 0, y = 0, x = yPredicates: x = 0, y = 0 Example x := 0; y := 0; while (x < 100) { x++; y++; } assert (x = y); > x= 0 Æ y = 0 > > > > ) x = y

5 Predicates: x = 0, y = 0, x = y x= 0 Æ y = 0 Example x := 0; y := 0; while (x < 100) { x++; y++; } assert (x = y); > x = y

6 Problem A refinement can be any predicates that refute the c.ex. – Not unique in general We got lucky by choosing x = y – Could have chosen x = 1 instead And then choose x = 2, x = 3, … ad infinitum

7 Predicates: x = 0, y = 0, x = 1 Predicates: x = 0, y = 0 Example failing to converge x := 0; y := 0; while (x < 100) { x++; y++; } assert (x = y); > x= 0 Æ y = 0 > > > > ) x = y

8 > Predicates: x = 0, y = 0, x = 1Predicates: x = 0, y = 0, x = 1, x = 2 Example failing to converge x := 0; y := 0; while (x < 100) { x++; y++; } assert (x = y); > x= 0 Æ y = 0 > x = 1 > > ) x = y

9 Solution : Complete SMC Def: Let X be a FOL theory (e.g., X = QF_UFLRA). SMC is said to be complete wrt. X when 9 preds µ X. P ² preds safe, SMC(P) returns “safe”

10 Complete SMC in CEGAR (1/2) [Jhala,McMillan TACAS’06] Let X be some FOL theory – “theory” : set of (normalized) formulas Let L 0, L 1, … µ X s.t. – Each L i is finite – For each i, L i µ L i+1 –  i 2 ! L i = X E.g., – X = QF_UFLRA – L i = { µ 2 X| atomic terms in µ are of size · i }

11 Complete SMC in CEGAR (2/2) [Jhala,McMillan TACAS’06] Init L := some L i 2 {L 0, L 1, … } Repeat Run SMC but restricting refinements to L If proved safe, exit with “safe” If fail to prove, let ¼ = counterexample – Find L j s.t. L µ L j and L j contains a refinement for ¼ » Exit with “unsafe” if no such L j exists – Set L := L j and repeat

12 Challenges 1.Given L and c.ex. ¼, quickly find preds µ L s.t. ¼ ² preds safe 2.Find L j s.t. L µ L j Æ 9 preds µ L j. ¼ ² preds safe – This can be done by existing methods

13 Challenges 1.Given L and c.ex. ¼, quickly find preds µ L s.t. ¼ ² preds safe Problem is obviously decidable – Because L is finite – “quickly” is the issue Existing method [Jhala,McMillan TACAS’06] only handles limited theory (QF_UFDL)

14 Overview of c.ex. refinement Refinement reduces to inferring à (y) s.t. µ (x,y) ) à (y), à (y) ) Á (y,z), and µ (x,y), Á (y,z), à (y) 2 X µ (x,y) : “what is true about x,y at the program point” Á (y,z) : “what must hold true about y,z after the point to refute the c.ex.” à (y) : “sufficient fact about y at the point to refute the c.ex.” So, to do complete refinement Just restrict à (y) to the current L when doing this

15 A Template-based Approach (QF_LRA) Template T: QF_LRA formula with bounded coefficient variables – E.g. c 0 x + c 2 y + c 3 · 0 Æ c 4 x + c 5 y + c 6 · 0 Ç c 5 x + c 6 y + c 7 < 0 Each c is associated with bound B c µ fin Z Idea: Let L = the instances of T and use “increasingly larger” T’s for L 0 µ L 1 µ …

16 Searching for Refinements in T (1/3) Problem: Decide if 9 c 0 2 B 0,…,c n 2 B n. 8 x 0,…,x m.( µ ) T) Æ (T ) Á ) 9 c 0 2 B 0,…,c n 2 B n. 8 x 0,…,x m. ª (c 0,…,c n,x 0,…,x m ) ª is a non-linear arithmetic formula over rationals – linear on x’s with coefficients on c’s

17 Searching for Refinements in T (2/3) 9 c 0 2 B 0,…,c n 2 B n. 8 x 0,…,x m. ª (c 0,…,c n,x 0,…,x m ) ª is a non-linear arithmetic formula over rationals – linear on x’s with coefficients on c’s 1.Convert ª to cnf Æ j à j –à j of the form : (Ax · a Æ Bx < b) s.t. a,b,A,B are over c’s 2.Apply Motzkin’s transposition theorem to each à j Ax · a Æ Bx < b is unsatisfiable iff 9 r ¸ 0,p ¸ 0. rA + pB = 0 Æ (ra + pb < 0 Ç (p != 0 Æ ra + pb · 0))

18 Searching for Refinements in T (3/3) Now, the problem is of the form 9 c 0 2 B 0,…,c n 2 B n,r ¸ 0,p ¸ 0. © (r,p,c 0,…,c n ) Existential formula (i.e., got rid of 8 x 0,…x m ) © is non-linear arithmetic formula – linear on r and p’s with coefficients on c’s Prop: Let Á be a satisfiable QF_LIA formula with n vars, m literals, and coefficients bounded by k Then, there is a solution of Á bounded by 2 log(n+2) + m(log(m) + log(k)) Bit-blast and reduce ① to SAT ①

19 This is complete for QF_LRA Going beyond QF_LRA – QF_UFLRA – QF_AUFLRA

20 QF_UFLRA UF – Function symbols f 1, f 2, …, f k – For each f j of arity n 8 x 1 …x n,y 1 …y n. Æ i x i = y i ) f j (x 1 …x n ) = f j (y 1 …y n ) Useful for conservatively modeling operators like :: £

21 L-restricting UF 1.Incorporate UF terms in templates as follows c 0 f(c 1 x+c 2 y+c 3 +c 4 g(c 5 x + c 6 y+c 7 )) + … 2.Apply Ackermann expansion For each UF subterm f(t) 2 µ, let x f(t) be a fresh var. Let Á = Æ f(t1),f(t2) 2 µ ½ (t1) = ½ (t2) ) x f(t1) = x f(t2) ½ replaces f(t) by x f(t) Prop: QF_UFLRA ² µ iff QF_LRA ² Á ) ½ ( µ ) Idea from [Beyer et al. VMCAI’07]

22 QF_AUFLRA 8 a,e,i. rd(wr(a,i,e),i) = e 8 a,e,i,j. i != j ) rd(wr(a,i,e),j) = rd(a,j) 8 a,b. a != b ) rd(a,diff(a,b)) != rd(b,diff(a,b)) Useful for modeling pointers – QF_AUFLRA can be reduced to QF_UFLRA See, e.g., [Totla, Wies POPL’13]

23 This sounds too easy… Does it really scale?

24 No it doesn’t scale I was oversimplifying the problem – Infer à (y) s.t. µ (x,y) ) à (y) and à (y) ) Á (y,z) c.ex. refinement in reality: – Infer à 1 (y 1 ), à 2 (y 2 ), … à n (y n ) s.t. µ 1 (x 1,y 1 ) ) à 1 (y 1 ) Æ µ 2 (x 2,y 2 ) Æ Ã 1 (x 2 ) ) à 2 (y 2 ) Æ … µ n (x n,y n ) Æ Ã 1 (x n ) ) Á (y n,z)

25 So, to infer L-restricted refinement Need to restrict à 1 (y 1 ), à 2 (y 2 ), … à n (y n ) to L Lots of templates! T 1, T 2, … T n – Proportional to the size of c.ex. – Lots of non-linear terms in the constraints Doesn’t scale even on state-of-the-art SAT solver (or SMT solver for non-linear real arithmetic)

26 Solution (Informal) Key Observation: counterexample in SMC (and constraints solved to refute it) is always repetitions of a fixed set of patterns. – Use the observation to L-restrict only a few à ’s and still achieve complete refinement

27 Example (1/2) c.ex. are of the form µ init (x,y) ) Ã 1 (x 1,y 1 ) Æ Ã 1 (x 1, y 1 ) Æ µ loop (x 1,y 1,x 2,y 2 ) ) Ã 2 (x 2, y 2 ) Æ Ã 2 (x 2, y 2 ) Æ µ loop (x 2,y 2,x 3,y 3 ) ) Ã 3 (x 3, y 3 ) Æ … Ã n (x n,y n ) ) Á (x n,y n ) x := 0; y := 0; while (x < 100) { x++; y++; } assert (x = y); µ init (x,y), x = 0 Æ y = 0 µ loop (x,y,x’,y’), x < 100 Æ x’ = x + 1 Æ y’ = y + 1 Á (x,y), x ¸ 100 Æ x = y

28 Example (2/2) Theorem: The following strategy is sufficient for complete predicate refinement: 1.Pick some constant k > 0 2.Infer L-restricted refinement for i £ k-th à ’s (i.e., à i £ k ) 3.Infer unrestricted refinement for other à ’s (e.g., via interpolation) This reduces to [Jhala,McMillan TACAS’06] when k = 1 Larger k -> less L-restriction – Proof: On board

29 Formalization Key Observation: Let P be a program. There exists a set of Horn-clause-like rules R s.t. for any c.ex. ¼ of SMC(P), the set of constraints solved to refute ¼ is an acyclic instance of R − P 1 (x) Æ … Æ P n (x) Æ µ (x,y) ) Q(y) − P 1 (x) Æ … Æ P n (x) Æ µ (x,y) ) Á (x,y) P, Q, … : predicate variables Copies of rules from R with fresh renaming of pred. vars s.t. there is no cycle P ) … ) P

30 Example x := 0; y := 0; while (x < 100) { x++; y++; } assert (x = y); x = 0 Æ y = 0 ) P(x,y) P(x,y) Æ x < 100 Æ x’ = x+1 Æ y’ = y+1 ) Q(x’,y’) Q(x,y) ) P(x,y) P(x,y) Æ x ¸ 100 ) x = y x = 0 Æ y = 0 ) P 1 (x,y) P 1 (x,y) Æ x < 100 Æ x’ = x+1 Æ y’ = y+1 ) Q 1 (x’,y’) Q 1 (x,y) ) P 2 (x,y) P 2 (x,y) Æ x < 100 Æ x’ = x+1 Æ y’ = y+1 ) Q 2 (x’,y’) Q 2 (x,y) ) P 3 (x,y) P 3 (x,y) Æ x ¸ 100 ) x = y = R E.g. consts( ¼ ) =

31 Example x := 0; y := 0; while (x < 100) { x++; y++; } assert (x = y); x = 0 Æ y = 0 ) P(x,y) P(x,y) Æ x < 100 Æ x’ = x+1 Æ y’ = y+1 ) Q(x’,y’) Q(x,y) ) P(x,y) P(x,y) Æ x ¸ 100 ) x = y = R The observation also holds for higher-order SMC (e.g., Depcegar, MoCHi, HMC), and SMC for concurrent programs (e.g., Threader) Somewhat more general than [Grebenshchikov et al. PLDI’12] – Only says that c.ex. are instances of the rules

32 Bounded Patterns Def: Set of bounded patterns A of R is a finite set of acyclic instances of R – Can view each element of A as a “combined” rule Def: Bounded patterns A of R is partitioning if for any acyclic instance G of R, there exists instance A’ of A s.t. G and A’ are isomorphic – E.g., R is a partitioning bounded patterns of R – So is any A [ R where A is a bounded pattern of R

33 Example x := 0; y := 0; while (x < 100) { x++; y++; } assert (x = y); x = 0 Æ y = 0 ) P(x,y) P(x,y) Æ x < 100 Æ x’ = x+1 Æ y’ = y+1 ) Q(x’,y’) Q(x,y) ) P(x,y) P(x,y) Æ x ¸ 100 ) x = y = R A = R [ {{ P 0 (x,y) Æ x < 100 Æ x’ = x+1 Æ y’ = y+1 ) Q 0 (x’,y’), Q 0 (x,y) ) P 1 (x,y), P 1 (x,y) Æ x < 100 Æ x’ = x+1 Æ y’ = y+1 ) Q 1 (x’,y’), Q 1 (x,y) ) P 2 (x,y), P 2 (x,y) Æ x < 100 Æ x’ = x+1 Æ y’ = y+1 ) Q 2 (x’,y’), Q 2 (x,y) ) P 3 (x,y) }} A’ : On board

34 L-restriction at Boundaries Def: Let A’ be a partition of c.ex. G by A. Boundaries of partition A’ are predicate variables that appear in more than one element of A’ Theorem: L-restriction at boundaries is sufficient for complete predicate refinement – Proof: Preds at boundaries determine the preds at internal nodes. So, L-restr. at boundaries -> finite # of possible refinements for internals

35 How to pick bounded partitioning A simple strategy: View G as dag of P’s, L-restrict each i £ k-th P (i.e., P i £ k ) from a root where k is some constant and i = 1,2,3,… Reduces to [Jhala,McMillan TACAS’06] when k = 1 Larger k -> less L-restriction Theorem: above ensures bounded partitioning – Proof: Because there are only a finite # of dags generated by R of path lengths bounded by k

36 Conclusion Complete predicate refinement for the theory of QF_AUFLRA – Template-based Bounded coefficients allow reduction to SAT – Extends L-restricted refinement [Jhala,McMillan TACAS’06] Exploits the observation that c.ex. are repetitions of some patterns Only L-restrict predicate variables at boundaries of bounded patterns Horn-clause-like rules

37

Download ppt "A Template-based Approach to Complete Predicate Refinement Tachio Terauchi (Nagoya University) Hiroshi Unno (University of Tsukuba) Naoki Kobayashi (University."

Similar presentations

Model Checking Base on Interoplation

Model Checking Base on Interoplation
The behavior of SAT solvers in model checking applications K. L. McMillan Cadence Berkeley Labs.

The behavior of SAT solvers in model checking applications K. L. McMillan Cadence Berkeley Labs.
Exploiting SAT solvers in unbounded model checking

Exploiting SAT solvers in unbounded model checking
A practical and complete approach to predicate abstraction Ranjit Jhala UCSD Ken McMillan Cadence Berkeley Labs.

A practical and complete approach to predicate abstraction Ranjit Jhala UCSD Ken McMillan Cadence Berkeley Labs.
Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.

Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.
Exploiting SAT solvers in unbounded model checking K. L. McMillan Cadence Berkeley Labs.

Exploiting SAT solvers in unbounded model checking K. L. McMillan Cadence Berkeley Labs.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Software Model Checking with SMT Ken McMillan Microsoft Research TexPoint fonts used in EMF: A A A A A.

Software Model Checking with SMT Ken McMillan Microsoft Research TexPoint fonts used in EMF: A A A A A.
Inference Rules Universal Instantiation Existential Generalization

Inference Rules Universal Instantiation Existential Generalization
SLD-resolution Introduction Most general unifiers SLD-resolution

SLD-resolution Introduction Most general unifiers SLD-resolution
Predicate Abstraction and Canonical Abstraction for Singly - linked Lists Roman Manevich Mooly Sagiv Tel Aviv University Eran Yahav G. Ramalingam IBM T.J.

Predicate Abstraction and Canonical Abstraction for Singly - linked Lists Roman Manevich Mooly Sagiv Tel Aviv University Eran Yahav G. Ramalingam IBM T.J.
Satisfiability Modulo Theories (An introduction)

Satisfiability Modulo Theories (An introduction)
UIUC CS 497: Section EA Lecture #2 Reasoning in Artificial Intelligence Professor: Eyal Amir Spring Semester 2004.

UIUC CS 497: Section EA Lecture #2 Reasoning in Artificial Intelligence Professor: Eyal Amir Spring Semester 2004.
© Anvesh Komuravelli Quantified Invariants in Rich Domains using Model Checking and Abstract Interpretation Anvesh Komuravelli, CMU Joint work with Ken.

© Anvesh Komuravelli Quantified Invariants in Rich Domains using Model Checking and Abstract Interpretation Anvesh Komuravelli, CMU Joint work with Ken.
Automating Relatively Complete Verification of Higher-Order Functional Programs Hiroshi Unno (University of Tsukuba) Tachio Terauchi (Nagoya University)

Automating Relatively Complete Verification of Higher-Order Functional Programs Hiroshi Unno (University of Tsukuba) Tachio Terauchi (Nagoya University)
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
Program Analysis as Constraint Solving Sumit Gulwani (MSR Redmond) Ramarathnam Venkatesan (MSR Redmond) Saurabh Srivastava (Univ. of Maryland) TexPoint.

Program Analysis as Constraint Solving Sumit Gulwani (MSR Redmond) Ramarathnam Venkatesan (MSR Redmond) Saurabh Srivastava (Univ. of Maryland) TexPoint.
Relatively Complete Verification of Higher- Order Programs (via Automated Refinement Type Inference) Tachio Terauchi Nagoya University TexPoint fonts used.

Relatively Complete Verification of Higher- Order Programs (via Automated Refinement Type Inference) Tachio Terauchi Nagoya University TexPoint fonts used.
SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:

SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:
Probabilistic CEGAR* Björn Wachter Joint work with Holger Hermanns, Lijun Zhang TexPoint fonts used in EMF. Read the TexPoint manual before you delete.

Probabilistic CEGAR* Björn Wachter Joint work with Holger Hermanns, Lijun Zhang TexPoint fonts used in EMF. Read the TexPoint manual before you delete.

Similar presentations

Ads by Google