Published by Noreen Brown. Modified over 8 years ago.
Slide 1
© Anvesh Komuravelli
Spacer: Compositional Verification of Procedural Programs using Horn Clauses over Integers and Arrays
Anvesh Komuravelli (work done at Carnegie Mellon University)
Joint work with Nikolaj Bjørner, Arie Gurfinkel, and Kenneth McMillan
Slide 2: In essence…
Efficiently under-approximating projections, in the presence of array quantifiers.
Slide 3: Why projections?
Image computation
Computing weakest preconditions (e.g., in IC3-style reasoning)
Computing must summaries for procedural programs
Slide 4: Projection
(diagram: SAT assignments to x)
But, Quantifier Elimination is expensive!
Under-approximate the Projection!
Model-based Projection (MBP)
Slide 5: MBP for Propositional Logic
Model M: u1 = 0, u2 = 1, x1 = 0, x2 = 0, x3 = 1
Substitute 0/u1, 1/u2 (under-approximates)
Slide 6: MBP for Linear (Real) Arithmetic
Infinite space of models: the Substitution Method does not work!
Loos-Weispfenning's equivalence: pick a disjunct based on the model
Slide 7: What if we have array variables?
Arrays are common for modeling heap memory
In the presence of procedures, we can't get rid of them easily!
Inlining procedure calls and (hopefully) lowering arrays to registers bloats the program size exponentially
Recursive procedures cannot be inlined
MBP for the (extensional) theory of arrays?
Slide 8: Eliminating Array Quantifiers
Slide 9: Eliminating array quantifiers can introduce quantifiers of index/value sort!
(Ackermann Reduction)
Slide 10: ArrayQE basically has 3 steps
1. Eliminate Writes
2. Eliminate (Partial) Equalities/Disequalities
3. Eliminate Reads (aka Ackermann Reduction)
(the result can have quantifiers of index/value sorts)
Slide 11: ArrayQE Example
Eliminate Writes
Slide 12: ArrayQE Example
Eliminate Writes
Partial Equality
Slide 13: ArrayQE Example
Eliminate Writes
Eliminate Equalities and Disequalities (substitute)
Slide 14: ArrayQE Example
Eliminate Writes
Eliminate Equalities and Disequalities
Eliminate Reads
Slide 15: MBP for the Theory of Arrays (ARR)
Slide 16: ArrayMBP amounts to picking disjuncts from ArrayQE
Eliminate Writes
Slide 17: ArrayMBP Example
Eliminate Writes
Slide 18: ArrayMBP Example
Eliminate Writes (substitute)
Eliminate Equalities and Disequalities (substitute)
Slide 19: ArrayMBP Example
Eliminate Writes
Eliminate Equalities and Disequalities
Eliminate Reads
Slide 20: ArrayMBP Example
Eliminate Writes
Eliminate Equalities and Disequalities
Eliminate Reads
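The three ArrayQE steps (Slide 10) and the ArrayMBP idea of keeping only the disjunct the model satisfies (Slides 16 to 20) can be seen on a small cube. The code below is an added example and is not the Spacer implementation or code from the slides: it eliminates one array variable from a conjunction of integer (dis)equalities by rewriting read-over-write (step 1) and applying the Ackermann reduction (step 3), choosing at each branch the case the given model makes true. Step 2 is not exercised, because the constructed cube contains no array (dis)equalities. The term encoding, the cube CUBE, the model MODEL and the fresh-variable naming scheme are all assumptions of this example. Note that the residual contains the fresh integer variables a_r0, a_r1, a_r2 in place of the reads: this is the index/value-sort quantification that ArrayMBP introduces and that the LIA step has to deal with afterwards.

```python
"""ArrayMBP for one array variable on a cube of integer literals (added example).

Step 1 eliminates writes, keeping the branch the model satisfies; step 3 is
the Ackermann reduction with model-chosen index (dis)equalities.  The term
encoding, CUBE and MODEL are constructed for this example, not from the slides.
"""
import itertools

# Integer terms: ('var', n) | ('num', k) | ('read', A, idx)
# Array terms:   ('arr', n)  | ('write', A, idx, val)
# Literals:      ('eq', s, t) | ('ne', s, t) over integer terms; a cube is a list of literals.

def eval_array(arr, m):
    """Interpret an array term as a function index -> value under model m."""
    if arr[0] == 'arr':
        table = m[arr[1]]                      # dict index -> value
        return lambda i: table.get(i, 0)       # cells not in the table read as 0
    _, base, idx, val = arr
    f, iv, vv = eval_array(base, m), eval_term(idx, m), eval_term(val, m)
    return lambda i: vv if i == iv else f(i)

def eval_term(t, m):
    if t[0] == 'var':
        return m[t[1]]
    if t[0] == 'num':
        return t[1]
    return eval_array(t[1], m)(eval_term(t[2], m))

def holds(cube, m):
    """True iff every literal of the cube is true under m."""
    return all((eval_term(s, m) == eval_term(t, m)) == (tag == 'eq') for tag, s, t in cube)

def mentions(t, name):
    """Does term t mention the array variable `name`?"""
    if t[0] == 'arr':
        return t[1] == name
    if t[0] in ('var', 'num'):
        return False
    return any(mentions(x, name) for x in t[1:])

def eliminate_writes(t, m, side):
    """Step 1: read(write(A, i, v), j) becomes v if m |= i = j, else read(A, j).
    The guard that was chosen (i = j or i != j) is recorded in `side`."""
    if t[0] != 'read':
        return t
    arr, j = t[1], eliminate_writes(t[2], m, side)
    while arr[0] == 'write':
        _, base, i, v = arr
        i = eliminate_writes(i, m, side)
        if eval_term(i, m) == eval_term(j, m):
            side.append(('eq', i, j))
            return eliminate_writes(v, m, side)
        side.append(('ne', i, j))
        arr = base
    return ('read', arr, j)

def ackermann(cube, name, m):
    """Step 3: replace read(name, idx) by one fresh variable per distinct index
    term; for each pair of reads add the index (dis)equality m satisfies, plus
    equal values where the indices are equal.  m is extended in place."""
    reads = {}                                 # index term -> fresh variable
    def sub(t):
        if t[0] == 'read':
            idx = sub(t[2])
            if t[1] != ('arr', name):
                return ('read', t[1], idx)     # reads of other arrays stay
            if idx not in reads:
                reads[idx] = ('var', f'{name}_r{len(reads)}')
                m[reads[idx][1]] = eval_term(('read', ('arr', name), idx), m)
            return reads[idx]
        return t
    out = [(tag, sub(s), sub(t)) for tag, s, t in cube]
    for (i1, r1), (i2, r2) in itertools.combinations(reads.items(), 2):
        if eval_term(i1, m) == eval_term(i2, m):
            out += [('eq', i1, i2), ('eq', r1, r2)]
        else:
            out.append(('ne', i1, i2))
    return out, reads

def array_mbp(cube, name, m):
    """Under-approximate (exists name . cube) at model m: a cube free of `name`,
    true under the extended m, every model of which extends to a model of cube."""
    assert holds(cube, m), "MBP needs a model of the input"
    side = []
    no_writes = [(tag, eliminate_writes(s, m, side), eliminate_writes(t, m, side))
                 for tag, s, t in cube]
    return ackermann(no_writes + side, name, m)

def witness_array(reads, m):
    """Rebuild the eliminated array from any model of the residual cube."""
    return {eval_term(idx, m): m[r[1]] for idx, r in reads.items()}

# Constructed input: read(write(a, i, 5), j) = x, a[k] = y, a[n] = z
A = ('arr', 'a')
I, J, K, N, X, Y, Z = (('var', v) for v in 'ijknxyz')
CUBE = [('eq', ('read', ('write', A, I, ('num', 5)), J), X),
        ('eq', ('read', A, K), Y),
        ('eq', ('read', A, N), Z)]
MODEL = {'i': 1, 'j': 2, 'k': 3, 'n': 3, 'x': 4, 'y': 7, 'z': 7, 'a': {2: 4, 3: 7}}

if __name__ == '__main__':
    m = dict(MODEL)
    for lit in array_mbp(CUBE, 'a', m)[0]:
        print(lit)
```

Under MODEL the write is bypassed (i != j is chosen) and the reads a[k], a[n] share an index value, so the residual contains k = n and a_r1 = a_r2 while j is kept distinct from both. witness_array shows why this is a sound under-approximation: from any model of the residual, the Ackermann constraints let one rebuild an interpretation of a under which the original cube holds.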
Slide 21: MBP for the combination LIA + ARR
Slide 22: In 2 steps
1. Eliminate array quantifiers using ArrayMBP (which can introduce integer quantifiers)
2. Eliminate integer quantifiers using MBP for LIA
Slide 23: Caveat: Integer quantifiers cannot always be eliminated!
(formula shown on slide) has no equivalent quantifier-free formula!
Fall back to the substitution method
Slide 24: Equality Resolution to avoid the Substitution Method
Slide 25: Ideas are implemented in our tool Spacer
IC3-style compositional reasoning for Procedural Programs
MBP for under-approximating weakest precondition
Two kinds of procedure summaries:
May Summaries: over-approximate QE with Interpolation
Must Summaries: under-approximate QE with MBP
Slide 26: Substitution method can lead to diverging interpolants!
(diagram: Weakest Precondition vs. Under-approx)
Slide 27: Heuristically privilege array (dis-)equalities
Slide 28: Experimental Evaluation
Slide 29: Compare Spacer with and without inlining
The SeaHorn front-end has an option to inline procedure calls
Inlining gets rid of most of the array variables for the Device Drivers category of SV-COMP'15
(Spacer minus ArrayMBP) can only handle a small fraction of the non-inlined programs
Slide 30: Compare Spacer with and without inlining
(plot: lots of time-outs)
Slide 31: Conclusion
Model-based Projection (MBP) for the extensional theory of arrays
Quantifiers of index and value sort cannot always be eliminated
Heuristics to avoid the model substitution method
Practical advantage over SV-COMP'15 benchmarks
Adapt the ideas to obtain Quantified Invariants?
Slide 33: Questions?