Software Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)

int min_index(int [] a){ r = 0; n = a.length; for (i = 0; i < n; i++){ if (a[i] < a[r]) r = i; } return r; } Software Verification

int min_index(int [] a){ r = 0; n = a.length; for (i = 0; i < n; i++){ if (a[i] < a[r]) r = i; } return r; } Example: Memory Safety Access In Array Bounds ?

int min_index(int [] a){ r = 0; n = a.length; for (i = 0; i < n; i++){ if (a[i] < a[r]) r = i; } return r; } Example: Memory Safety How to prove assert ? assert (0<=r && r<n)

int min_index(int [] a){ r = 0; n = a.length; //@invariant: 0 · i Æ 0 · r Æ r<n for (i = 0; i < n; i++){ if (a[i] < a[r]) r = i; } return r; } Example: Memory Safety

int min_index(int [] a){ r = 0; n = a.length; //@invariant: 0 · i Æ 0 · r Æ r<n for (i = 0; i < n; i++){ if (a[i] < a[r]) r = i; } return r; } Invariants By Man [Floyd-Hoare] Or Machine [Cousot-Cousot]

But, what of … Closures Collections Polymorphism Data Structures …?

H-O Logics? Quantifiers? Induction? But, what of …

Automation

H-O Logics? Quantifiers? Induction? A Solution: Types

Part I Part II Part III Types and Invariants Closures, Collections, Generics Induction for Data Structures

Part I Types and Invariants

Part I Refinement Types [Zenger ’97, Owre-Rushby-Shankar ’98, Xi-Pfenning ’98]

let min_index a = let rec loop r i = if i >= a.length then r else let r' = a[i] < a[r] ? i : r let i' = i + 1 loop r' i' loop 0 0 min_index: a:int array -> int

min_index: {a:int array|0 ≺ a.len} -> {v:int|0 ≼ v ≺ a.len} Type Refinement let min_index a = let rec loop r i = if i >= a.length then r else let r' = a[i] < a[r] ? i : r let i' = i + 1 loop r' i' loop 0 0

min_index: {a:int array|0 ≺ a.len} -> {v:int|0 ≼ v ≺ a.len} “Requires” let min_index a = let rec loop r i = if i >= a.length then r else let r' = a[i] < a[r] ? i : r let i' = i + 1 loop r' i' loop 0 0

min_index: {a:int array|0 ≺ a.len} -> {v:int|0 ≼ v ≺ a.len} “Ensures” let min_index a = let rec loop r i = if i >= a.length then r else let r' = a[i] < a[r] ? i : r let i' = i + 1 loop r' i' loop 0 0

{r:int|0 ≼ r ≺ a.len}->{i:int|0 ≼ i}->{v:int|0 ≼ v ≺ a.len} loop: let min_index a = let rec loop r i = if i >= a.length then r else let r' = a[i] < a[r] ? i : r let i' = i + 1 loop r' i' loop 0 0

{r:0 ≼ r ≺ a.len}->{i:0 ≼ i}->{v:0 ≼ v ≺ a.len} loop: let min_index a = let rec loop r i = if i >= a.length then r else let r' = a[i] < a[r] ? i : r let i' = i + 1 loop r' i' loop 0 0

{r:0 ≼ r ≺ a.len}->{i:0 ≼ i}->{v:0 ≼ v ≺ a.len} “Requires” loop: let min_index a = let rec loop r i = if i >= a.length then r else let r' = a[i] < a[r] ? i : r let i' = i + 1 loop r' i' loop 0 0

{r:0 ≼ r ≺ a.len}->{i:0 ≼ i}->{v:0 ≼ v ≺ a.len} “Ensures” loop: let min_index a = let rec loop r i = if i >= a.length then r else let r' = a[i] < a[r] ? i : r let i' = i + 1 loop r' i' loop 0 0

Part I Refinement Types 1. Type-checking 2. Refine-checking 3. Refine-Inference

let min_index a = let rec loop r i = if i >= a.length then r else let r' = a[i] < a[r] ? i : r let i' = i + 1 loop r' i' loop 0 0 loop : r:int -> i:int -> int Assume 1 loop : … r : int i : int Prove output is int r “subtype-of” int ⊢

let min_index a = let rec loop r i = if i >= a.length then r else let r' = a[i] < a[r] ? i : r let i' = i + 1 loop r' i' loop 0 0 loop : r:int -> i:int -> int Assume 1 loop : … r : int i : int Prove output is int r <: int ⊢

loop : r:int -> i:int -> int Assume 1 2 let min_index a = let rec loop r i = if i >= a.length then r else let r' = a[i] < a[r] ? i : r let i' = i + 1 loop r' i' loop 0 0 loop : … r : int i : int Prove index is int ⊢ i <: int

loop : r:int -> i:int -> int Assume 1 3 let min_index a = let rec loop r i = if i >= a.length then r else let r' = a[i] < a[r] ? i : r let i' = i + 1 loop r' i' loop 0 0 2 loop : … i : int r : int r': int i': int Prove input is int ⊢ r' <: int

loop : r:int -> i:int -> int Assume loop r' i' <: int Prove output is int 1 3 4 let min_index a = let rec loop r i = if i >= a.length then r else let r' = a[i] < a[r] ? i : r let i' = i + 1 loop r' i' loop 0 0 2 loop : … i : int r : int r': int i': int ⊢

loop : r:int -> i:int -> int AssumeProve input is int 1 3 4 let min_index a = let rec loop r i = if i >= a.length then r else let r' = a[i] < a[r] ? i : r let i' = i + 1 loop r' i' loop 0 0 2 5 loop : … i : int r : int r': int i': int ⊢ 0 <: int

let min_index a = let rec loop r i = if i >= a.length then r else let r' = a[i] < a[r] ? i : r let i' = i + 1 loop r' i' loop 0 0 loop {r:0 ≼ r ≺ a.len}->{i:0 ≼ i}->{v:0 ≼ v ≺ a.len} min_index {a:0 ≺ a.len}->{v:0 ≼ v ≺ a.len}

r :0 ≼ r ≺ a.len i :0 ≼ i Assume 1 let min_index a = let rec loop r i = if i >= a.length then r else let r' = a[i] < a[r] ? i : r let i' = i + 1 loop r' i' loop 0 0 Prove output is ensured loop: {r:0 ≼ r ≺ a.len}->{i:0 ≼ i}->{v:0 ≼ v ≺ a.len} 3 4 2 5 [i ≽ a.len]

r :0 ≼ r ≺ a.len i :0 ≼ i [i ≽ a.len] Assume 1 let min_index a = let rec loop r i = if i >= a.length then r else let r' = a[i] < a[r] ? i : r let i' = i + 1 loop r' i' loop 0 0 Prove output is ensured ⊢ {v=r} <: {0 ≼ v ≺ a.len} loop: {r:0 ≼ r ≺ a.len}->{i:0 ≼ i}->{v:0 ≼ v ≺ a.len}

Assume 1 let min_index a = let rec loop r i = if i >= a.length then r else let r' = a[i] < a[r] ? i : r let i' = i + 1 loop r' i' loop 0 0 Prove output is ensured ⊢ {v=r} <: {0 ≼ v ≺ a.len} loop: {r:0 ≼ r ≺ a.len}->{i:0 ≼ i}->{v:0 ≼ v ≺ a.len} 0 ≼ r ≺ a.len ⋀ 0 ≼ i ⋀ i ≽ a.len

Assume 1 let min_index a = let rec loop r i = if i >= a.length then r else let r' = a[i] < a[r] ? i : r let i' = i + 1 loop r' i' loop 0 0 Prove output is ensured {v=r} <: {0 ≼ v ≺ a.len} loop: {r:0 ≼ r ≺ a.len}->{i:0 ≼ i}->{v:0 ≼ v ≺ a.len} 0 ≼ r ≺ a.len ⋀ 0 ≼ i ⋀ i ≽ a.len ⋀

Assume 1 let min_index a = let rec loop r i = if i >= a.length then r else let r' = a[i] < a[r] ? i : r let i' = i + 1 loop r' i' loop 0 0 Prove output is ensured loop: {r:0 ≼ r ≺ a.len}->{i:0 ≼ i}->{v:0 ≼ v ≺ a.len} 0 ≼ r ≺ a.len ⋀ 0 ≼ i ⋀ i ≽ a.len ⋀ ⇒ v=r 0 ≼ v ≺ a.len

1 let min_index a = let rec loop r i = if i >= a.length then r else let r' = a[i] < a[r] ? i : r let i' = i + 1 loop r' i' loop 0 0 loop: {r:0 ≼ r ≺ a.len}->{i:0 ≼ i}->{v:0 ≼ v ≺ a.len} v=r 0 ≼ v ≺ a.len ⋀ 0 ≼ r ≺ a.len ⋀ 0 ≼ i ⋀ i ≽ a.len Is Valid? Yes. ⇒

Assume let min_index a = let rec loop r i = if i >= a.length then r else let r' = a[i] < a[r] ? i : r let i' = i + 1 loop r' i' loop 0 0 r :0 ≼ r ≺ a.len i :0 ≼ i [i ≺ a.len] Prove index in bounds ⊢ {v=i} <: {0 ≼ v ≺ a.len} loop: {r:0 ≼ r ≺ a.len}->{i:0 ≼ i}->{v:0 ≼ v ≺ a.len} 1 3 4 2 5 [i ≺ a.len]

let min_index a = let rec loop r i = if i >= a.length then r else let r' = a[i] < a[r] ? i : r let i' = i + 1 loop r' i' loop 0 0 loop: {r:0 ≼ r ≺ a.len}->{i:0 ≼ i}->{v:0 ≼ v ≺ a.len} ⇒ v=i 0 ≼ v ≺ a.len ⋀ 0 ≼ r ≺ a.len ⋀ 0 ≼ i ⋀ i ≺ a.len Is Valid? Yes. 2

let min_index a = let rec loop r i = if i >= a.length then r else let r' = a[i] < a[r] ? i : r let i' = i + 1 loop r' i' loop 0 0 Prove input as required ⊢ {v=r'} <: {0 ≼ v ≺ a.len} loop: {r:0 ≼ r ≺ a.len}->{i:0 ≼ i}->{v:0 ≼ v ≺ a.len} 1 3 4 2 5

Assume let min_index a = let rec loop r i = if i >= a.length then r else let r' = a[i] < a[r] ? i : r let i' = i + 1 loop r' i' loop 0 0 r :0 ≼ r ≺ a.len i :0 ≼ i [i ≺ a.len] i':i'=i+1 Prove input as required ⊢ {v=r'} <: {0 ≼ v ≺ a.len} loop: {r:0 ≼ r ≺ a.len}->{i:0 ≼ i}->{v:0 ≼ v ≺ a.len} 3 r':r'=i ∨ r'=r

let min_index a = let rec loop r i = if i >= a.length then r else let r' = a[i] < a[r] ? i : r let i' = i + 1 loop r' i' loop 0 0 loop: {r:0 ≼ r ≺ a.len}->{i:0 ≼ i}->{v:0 ≼ v ≺ a.len} 3 ⇒ v=r' 0 ≼ v ≺ a.len ⋀ Is Valid? Yes! 0 ≼ r ≺ a.len ⋀ 0 ≼ i ⋀ i ≺ a.len ⋀ r'=i ∨ r'=r ⋀ i'=i+1

let min_index a = let rec loop r i = if i >= a.length then r else let r' = a[i] < a[r] ? i : r let i' = i + 1 loop r' i' loop 0 0 Prove output is ensured ⊢ {0 ≼ v ≺ a.len}<: {0 ≼ v ≺ a.len} loop: {r:0 ≼ r ≺ a.len}->{i:0 ≼ i}->{v:0 ≼ v ≺ a.len} 1 3 4 2 5 Trivial.

Assume let min_index a = let rec loop r i = if i >= a.length then r else let r' = a[i] < a[r] ? i : r let i' = i + 1 loop r' i' loop 0 0 a :0 ≺ a.len Prove input as required ⊢ {v=0}<: {0 ≼ v ≺ a.len} loop: {r:0 ≼ r ≺ a.len}->{i:0 ≼ i}->{v:0 ≼ v ≺ a.len} 1 3 4 2 5

⇒ ⋀ let min_index a = let rec loop r i = if i >= a.length then r else let r' = a[i] < a[r] ? i : r let i' = i + 1 loop r' i' loop 0 0 v=0 0 ≼ v ≺ a.len loop: {r:0 ≼ r ≺ a.len}->{i:0 ≼ i}->{v:0 ≼ v ≺ a.len} 5 Is Valid? Indeed. 0 ≺ a.len

let min_index a = let rec loop r i = if i >= a.length then r else let r' = a[i] < a[r] ? i : r let i' = i + 1 loop r' i' loop 0 0 loop {r:0 ≼ r ≺ a.len}->{i:0 ≼ i}->{v:0 ≼ v ≺ a.len} min_index {a:0 ≺ a.len}->{v:0 ≼ v ≺ a.len}

loop {r:0 ≼ r ≺ a.len}->{i:0 ≼ i}->{v:0 ≼ v ≺ a.len} min_index {a:0 ≺ a.len}->{v:0 ≼ v ≺ a.len} Writing Types is Hard Work!

Automatic Refinement Inference Writing Types is Hard Work! loop: ???

Automatic Refinement Inference 1. Templates 2. Constraints 3. Fixpoint [MC/AI] loop: ???

Automatic Refinement Inference 1. Templates 2. Constraints 3. Fixpoint [MC/AI] loop : r:int -> i:int -> int

Automatic Refinement Inference 1. Templates 2. Constraints 3. Fixpoint [MC/AI] loop : {r:int| ? } -> {i:int| ? } -> {v:int| ? }

Automatic Refinement Inference 1. Templates 2. Constraints 3. Fixpoint [MC/AI] loop :{r:int| X r } -> {i:int| X i } -> {v:int| X out } Types + X for unknown refinements

Automatic Refinement Inference 1. Templates 2. Constraints 3. Fixpoint [MC/AI] loop :{r:int| X r } -> {i:int| X i } -> {v:int| X out }

Automatic Refinement Inference 1. Templates 2. Constraints 3. Fixpoint [MC/AI] Type Checking, but with Templates

r : X r i : X i [i ≽ a.len] Assume 1 let min_index a = let rec loop r i = if i >= a.length then r else let r' = a[i] < a[r] ? i : r let i' = i + 1 loop r' i' loop 0 0 Prove output is ensured 3 4 2 5 loop :{r:int| X r } -> {i:int| X i } -> {v:int| X out } ⊢ {v=r} <: { X out }

1 let min_index a = let rec loop r i = if i >= a.length then r else let r' = a[i] < a[r] ? i : r let i' = i + 1 loop r' i' loop 0 0 loop :{r:int| X r } -> {i:int| X i } -> {v:int| X out } ⋀ X r ⋀ X i ⋀ i ≽ a.len Is Valid? ⇒ v=r X out “It is too soon to say. ”

1 let min_index a = let rec loop r i = if i >= a.length then r else let r' = a[i] < a[r] ? i : r let i' = i + 1 loop r' i' loop 0 0 3 4 2 5 loop :{r:int| X r } -> {i:int| X i } -> {v:int| X out } X r ⋀ X i ⋀ i ≽ a.len ⋀ v=r ⇒ X out Constraint 1

Assume let min_index a = let rec loop r i = if i >= a.length then r else let r' = a[i] < a[r] ? i : r let i' = i + 1 loop r' i' loop 0 0 Prove index in bounds ⊢ {v=i} <: {0 ≼ v ≺ a.len} 1 3 4 2 5 loop :{r:int| X r } -> {i:int| X i } -> {v:int| X out } r : X r i : X i [i ≺ a.len]

let min_index a = let rec loop r i = if i >= a.length then r else let r' = a[i] < a[r] ? i : r let i' = i + 1 loop r' i' loop 0 0 loop: {r:0 ≼ r ≺ a.len}->{i:0 ≼ i}->{v:0 ≼ v ≺ a.len} 2 X r ⋀ X i ⋀ i ≺ a.len ⋀ v=i ⇒ 0 ≼ v ≺ a.len Constraint 2

let min_index a = let rec loop r i = if i >= a.length then r else let r' = a[i] < a[r] ? i : r let i' = i + 1 loop r' i' loop 0 0 Prove input as required ⊢ {v:v=r'} <: {r:int| X r } 1 3 4 2 5 loop :{r:int| X r } -> {i:int| X i } -> {v:int| X out } Assume r : X r i : X i [i ≺ a.len] r':r'=i ∨ r'=r i':i'=i+1

let min_index a = let rec loop r i = if i >= a.length then r else let r' = a[i] < a[r] ? i : r let i' = i + 1 loop r' i' loop 0 0 loop: {r:0 ≼ r ≺ a.len}->{i:0 ≼ i}->{v:0 ≼ v ≺ a.len} Constraint 3 X r ⋀ X i ⋀ i ≺ a.len ⋀ (r'=i ∨ r'=r) ⋀ v=r' X r [v/r ] ⇒

let min_index a = let rec loop r i = if i >= a.length then r else let r' = a[i] < a[r] ? i : r let i' = i + 1 loop r' i' loop 0 0 Prove output is ensured 1 3 4 2 5 loop :{r:int| X r } -> {i:int| X i } -> {v:int| X out } Constraint 4 X r ⋀ X i ⋀ i ≺ a.len ⋀ (r'=i ∨ r'=r) ⋀ X out X out ⇒

let min_index a = let rec loop r i = if i >= a.length then r else let r' = a[i] < a[r] ? i : r let i' = i + 1 loop r' i' loop 0 0 Prove input as required 1 3 4 2 5 loop :{r:int| X r } -> {i:int| X i } -> {v:int| X out } Constraint 5 0 ≺ a.len ⋀ v=0 X r [v/r ] ⇒

Automatic Refinement Inference 1. Templates 2. Constraints 3. Fixpoint [MC/AI] Type Checking, but with Templates

Automatic Refinement Inference 1. Templates 2. Constraints 3. Fixpoint [MC/AI] 0 ≺ a.len ⋀ v=0 ⇒ X r [v/r ] 1 X r ⋀ X i ⋀ i ≺ a.len ⋀ (r'=i ∨ r'=r) ⋀ X out ⇒ X out X r ⋀ X i ⋀ i ≺ a.len ⋀ (r'=i ∨ r'=r) ⋀ v=r' ⇒ X r [v/r ] X r ⋀ X i ⋀ i ≺ a.len ⋀ v=i ⇒ 0 ≼ v ≺ a.len X r ⋀ X i ⋀ i ≽ a.len ⋀ v=r ⇒ X out 2 3 4 5

Automatic Refinement Inference 1. Templates 2. Constraints 3. Fixpoint [MC/AI] X r ⋀ X i ⋀ i ≺ a.len ⋀ (r'=i ∨ r'=r) ⋀ X out ⇒ X out 4 ⋀ X i ⋀ P ⇒ X

Automatic Refinement Inference 1. Templates 2. Constraints 3. Fixpoint [MC/AI] 0 ≺ a.len ⋀ v=0 ⇒ X r [v/r ] 1 X r ⋀ X i ⋀ i ≺ a.len ⋀ (r'=i ∨ r'=r) ⋀ X out ⇒ X out X r ⋀ X i ⋀ i ≺ a.len ⋀ (r'=i ∨ r'=r) ⋀ v=r' ⇒ X r [v/r ] X r ⋀ X i ⋀ i ≽ a.len ⋀ v=r ⇒ X out 2 3 4 5 X r ⋀ X i ⋀ i ≺ a.len ⋀ v=i ⇒ 0 ≼ v ≺ a.len ⋀ X i ⋀ P ⇒ Q

Automatic Refinement Inference 1. Templates 2. Constraints 3. Fixpoint [MC/AI] ⋀ X i ⋀ P ⇒ Q ⋀ X i ⋀ P ⇒ X (Post*) (Safe)

Automatic Refinement Inference 1. Templates 2. Constraints 3. Fixpoint [MC/AI] ⋀ X i ⋀ P ⇒ X ⋀ X i ⋀ P ⇒ Q

Automatic Refinement Inference Fixpoint Solution ⋀ X i ⋀ P ⇒ X ⋀ X i ⋀ P ⇒ Q “Horn Clauses”

Automatic Refinement Inference Fixpoint Solution ⋀ X i ⋀ P ⇒ X ⋀ X i ⋀ P ⇒ Q “Positive Implications”

Automatic Refinement Inference Fixpoint Solution ⋀ X i ⋀ P ⇒ X ⋀ X i ⋀ P ⇒ Q “Non-Linear Implications”

Automatic Refinement Inference Fixpoint Solution ⋀ X i ⋀ P ⇒ X ⋀ X i ⋀ P ⇒ Q 1. Reduce to simple “first-order” program Reuse any abs-interpreter, model-checker e.g. Interproc, SLAM, BLAST, ARMC [CAV 11]

Automatic Refinement Inference Fixpoint Solution ⋀ X i ⋀ P ⇒ X ⋀ X i ⋀ P ⇒ Q 2. Monomial Predicate Abstraction (“Houdini”) Input : Candidates Q = {q 1 … q n } Output : X ↦ ⋀ q j satisfying constraints

Automatic Refinement Inference Fixpoint Solution ⋀ X i ⋀ P ⇒ X ⋀ X i ⋀ P ⇒ Q 2. Monomial Predicate Abstraction (“Houdini”) Input : Q = { ⋆≼ v, v ≼ ⋆, v ≺ ⋆, v ≺ ⋆.len } ⋆ = any variable or constant

Automatic Refinement Inference Fixpoint Solution ⋀ X i ⋀ P ⇒ X ⋀ X i ⋀ P ⇒ Q 2. Monomial Predicate Abstraction (“Houdini”) Input : Q = { ⋆≼ v, v ≼ ⋆, v ≺ ⋆, v ≺ ⋆.len } Output : X r = 0 ≼ v ⋀ v ≺ a.len X i = 0 ≼ v X out = 0 ≼ v ⋀ v ≺ a.len

2. Monomial Predicate Abstraction (“Houdini”) Input : Q = { ⋆≼ v, v ≼ ⋆, v ≺ ⋆, v ≺ ⋆.len } Output : X r = 0 ≼ v ⋀ v ≺ a.len X i = 0 ≼ v X out = 0 ≼ v ⋀ v ≺ a.len Automatic Refinement Inference Plug Solution In Template loop: {r:int| X r } -> {i:int| X i } -> {v:int| X out }

2. Monomial Predicate Abstraction (“Houdini”) Input : Q = { ⋆≼ v, v ≼ ⋆, v ≺ ⋆, v ≺ ⋆.len } Output : X r = 0 ≼ v ⋀ v ≺ a.len X i = 0 ≼ v X out = 0 ≼ v ⋀ v ≺ a.len Automatic Refinement Inference Plug Solution In Template loop: {r:int|0 ≼ r ≺ a.len}->{i:int|0 ≼ i}->{v:int|0 ≼ v ≺ a.len}

Automatic Refinement Inference loop: {r:int|0 ≼ r ≺ a.len}->{i:int|0 ≼ i}->{v:int|0 ≼ v ≺ a.len} Inferred Refinement Type

Automatic Refinement Inference loop: {r:int|0 ≼ r ≺ a.len}->{i:int|0 ≼ i}->{v:int|0 ≼ v ≺ a.len} Liquid Type of loop

Recap Program Templates Constraints AI, MC, PA … {i:int| X i } -> {v:int| X o } ⋀ X i ⋀ P ⇒ X

Part I Part II Part III Liquid Types Closures, Collections, Generics Induction for Data Structures

Part I Part II Part III Refinement Types Closures, Collections, Generics Induction for Data Structures

Closures / Higher-Order Functions let rec ffor l u f = if l < u then f l; ffor (l+1) u f

let rec ffor l u f = if l < u then ( f l; ffor (l+1) u f ) Type of f int ! unit

let rec ffor l u f = if l < u then ( f l; ffor (l+1) u f ) Template of f {v:int| X 1 } ! unit

let rec ffor l u f = if l < u then ( f l; ffor (l+1) u f ) Template of f {v:int| X 1 } ! unit Check: input l as required by f

let rec ffor l u f = if l < u then ( f l; ffor (l+1) u f ) Template of f {v:int| X 1 } ! unit l ≺ u ⊢ {v:int | v=l} <: {v:int |X 1 } l ≺ u Æ v=l ) X 1 Solution X 1 = l ≼ v Æ v ≺ u Reduces to

let rec ffor l u f = if l < u then ( f l; ffor (l+1) u f ) Template of f {v:int| X 1 } ! unit Solution X 1 = l ≼ v Æ v ≺ u Liquid Type of f {v:int|l ≼ v Æ v ≺ u} ! unit

Closures / Higher-Order Functions let rec ffor l u f = if l < u then f l; ffor (l+1) u f Liquid Type of ffor l:int ! u:int ! ( {v:int | l ≼ v ≺ u} ! unit ) ! unit Liquid Type of f {v:int|l ≼ v Æ v ≺ u} ! unit

let rec ffor l u f = if l < u then f l; ffor (l+1) u f let min_index a = let r = ref 0 ffor 0 a.len (fun i -> if a.(i) < a.(!r) then r := i ); !r Min-Index Revisited

Liquid Type of ffor l:int ! u:int ! ( {v:int | l ≼ v ≺ u} ! unit ) ! unit let min_index a = let r = ref 0 ffor 0 a.len (fun i -> if a.(i) < a.(!r) then r:= i) !r

Liquid Type of ffor 0 u:int ! ( {v:int | 0 ≼ v ≺ u} ! unit ) ! unit let min_index a = let r = ref 0 ffor 0 a.len (fun i -> if a.(i) < a.(!r) then r:= i) !r

Liquid Type of ffor 0 a.len ( {v:int | 0 ≼ v ≺ a.len} ! unit ) ! unit let min_index a = let r = ref 0 ffor 0 a.len (fun i -> if a.(i) < a.(!r) then r:= i) !r

Liquid Type of ffor 0 a.len ( {v:int | 0 ≼ v ≺ a.len} ! unit ) ! unit Template of (fun i ->...) {v:int| X i } ! unit let min_index a = let r = ref 0 ffor 0 a.len (fun i -> if a.(i) < a.(!r) then r:= i) !r

Liquid Type of ffor 0 a.len ( {v:int | 0 ≼ v ≺ a.len} ! unit ) ! unit Template of (fun i ->...) {v:int| X i } ! unit let min_index a = let r = ref 0 ffor 0 a.len (fun i -> if a.(i) < a.(!r) then r:= i) !r Check: input ( fun i... ) as required by ffor

Liquid Type of ffor 0 a.len ( {v:int | 0 ≼ v ≺ a.len} ! unit ) ! unit Template of (fun i ->...) {v:int| X i } ! unit { X i } ! unit <:{0 ≼ v ≺ a.len} ! unit Check: input ( fun i... ) as required by ffor

{0 ≼ v ≺ a.len} unit {Xi}{Xi} { X i } ! unit <:{0 ≼ v ≺ a.len} ! unit {0 ≼ v ≺ a.len} <: { X i } unit <: unit Trivial Function Subtyping Splits Into

{ X i } ! unit <:{0 ≼ v ≺ a.len} ! unit 0 ≼ v ≺ a.len ) X i

Solution X i = 0 ≼ v ≺ a.len

Template of (fun i ->...) {v:int| X i } ! unit

Solution X i = 0 ≼ v ≺ a.len Liquid Type of (fun i ->...) {v:int | 0 ≼ v ≺ a.len} ! unit

let min_index a = let r = ref 0 ffor 0 a.len (fun i -> if a.(i) < a.(!r) then r:= i) !r Liquid Type of r {v:int | 0 ≼ v ≺ a.len} ref Liquid Type of (fun i ->...) {v:int | 0 ≼ v ≺ a.len} ! unit

let min_index a = let r = ref 0 ffor 0 a.len (fun i -> if a.(i) < a.(!r) then r:= i) !r Liquid Type of r {v:int | 0 ≼ v ≺ a.len} ref Access Safe

let min_index a = let r = ref 0 ffor 0 a.len (fun i -> if a.(i) < a.(!r) then r:= i) !r Liquid Type of r {v:int | 0 ≼ v ≺ a.len} ref Liquid Type of min_index a:int array ! {v:int | 0 ≼ v ≺ a.len}

let rec range l u = if l < u then l :: (range (l+1) u) else [] Collections (e.g. Lists) Type of range l:int ! u:int ! int list

let rec range l u = if l < u then l :: (range (l+1) u) else [] Collections (e.g. Lists) Template of range l:int ! u:int ! {v:int| X out } list

let rec range l u = if l < u then l :: (range (l+1) u) else [] Template of range l:int ! u:int ! {v:int| X out } list Template of “ then ”: {v:int| X out } list

let rec range l u = if l < u then l :: (range (l+1) u) else [] Check: “head” and “tail” as required Template of “ then ”: {v:int| X out } list

let rec range l u = if l < u then l :: (range (l+1) u) else [] Check: “head” and “tail” as required l ≺ u ⊢ “head” <: {v:int |X out } Template of “ then ”: {v:int| X out } list

let rec range l u = if l < u then l :: (range (l+1) u) else [] Check: “head” and “tail” as required l ≺ u ⊢ “head” <: {v:int |X out } l ≺ u ⊢ “tail” <: {v:int |X out } list Template of “ then ”: {v:int| X out } list

let rec range l u = if l < u then l :: (range (l+1) u) else [] Check: “head” and “tail” as required l ≺ u ⊢ “head” <: {v:int |X out }

let rec range l u = if l < u then l :: (range (l+1) u) else [] l ≺ u Æ v=l ) X out Reduces To (1) Check: “head” and “tail” as required l ≺ u ⊢ {v:int | v=l} <: {v:int |X out }

let rec range l u = if l < u then l :: (range (l+1) u) else [] Check: “head” and “tail” as required l ≺ u ⊢ “tail” <: {v:int |X out } list

let rec range l u = if l < u then l :: (range (l+1) u) else [] Check: “head” and “tail” as required l ≺ u ⊢ { X out [l+1/l]} list <: { X out } list By List-Subtyping, Reduces To l ≺ u ⊢ { X out [l+1/l]} <: { X out }

Check: “head” and “tail” as required l ≺ u ⊢ { X out [l+1/l]} list <: { X out } list Reduces To (2) l ≺ u Æ X out [l+1/l] ) X out

(2) (1) Solution X out = l ≼ v ≺ u l ≺ u Æ v=l ) X out l ≺ u Æ X out [l+1/l] ) X out

let rec range l u = if l < u then l :: (range (l+1) u) else [] Collections (e.g. Lists) Template of range l:int ! u:int ! {v:int| X out } list Solution X out = l ≼ v ≺ u

let rec range l u = if l < u then l :: (range (l+1) u) else [] Collections (e.g. Lists) Liquid Type of range l:int ! u:int ! {v:int|l ≼ v ≺ u} list Solution X out = l ≼ v ≺ u

let rec range l u = if l < u then l :: (range (l+1) u) else [] Generics/Polymorphism

let rec range l u = if l < u then l :: (range (l+1) u) else [] let min_index a = let indices = range 0 a.len fold_left (fun r i -> if a.(i) < a.(r) then i else r) 0 indices Generics/Polymorphism

Instance Type a = int b = int Generic Type of fold_left (a ! b ! a) ! a ! b list ! a let min_index a = let indices = range 0 a.len fold_left (fun r i -> if a.(i) < a.(r) then i else r ) 0 indices

Generic Type of fold_left (a ! b ! a) ! a ! b list ! a Instance Template a = {v:int| X a } b = {v:int| X b } let min_index a = let indices = range 0 a.len fold_left (fun r i -> if a.(i) < a.(r) then i else r ) 0 indices

Instance Template of fold_left ( { X a } ! { X b } ! { X a } ) ! { X a } ! { X b }list ! { X a } Instance Template a = {v:int| X a } b = {v:int| X b } let min_index a = let indices = range 0 a.len fold_left (fun r i -> if a.(i) < a.(r) then i else r ) 0 indices

let min_index a = let indices = range 0 a.len fold_left (fun r i -> if a.(i) < a.(r) then i else r ) 0 indices Instance Template of fold_left ( { X a } ! { X b } ! { X a } ) ! { X a } ! { X b }list ! { X a } Template of r {v:int | X a }

let min_index a = let indices = range 0 a.len fold_left (fun r i -> if a.(i) < a.(r) then i else r ) 0 indices Instance Template of fold_left ( { X a } ! { X b } ! { X a } ) ! { X a } ! { X b }list ! { X a } Template of i {v:int | X b }

let min_index a = let indices = range 0 a.len fold_left (fun r i -> if a.(i) < a.(r) then i else r ) 0 indices Instance Template of fold_left ( { X a } ! { X b } ! { X a } ) ! { X a } ! { X b }list ! { X a } Template of min_index a:int array ! {v:int | X a }

let min_index a = let indices = range 0 a.len fold_left (fun r i -> if a.(i) < a.(r) then i else r ) 0 indices Instance Template of fold_left ( { X a } ! { X b } ! { X a } ) ! { X a } ! { X b }list ! { X a } Check: args as required

let min_index a = let indices = range 0 a.len fold_left (fun r i -> if a.(i) < a.(r) then i else r ) 0 indices Instance Template of fold_left ( { X a } ! { X b } ! { X a } ) ! { X a } ! { X b }list ! { X a } Check: args as required 1

let min_index a = let indices = range 0 a.len fold_left (fun r i -> if a.(i) < a.(r) then i else r ) 0 indices Instance Template of fold_left ( { X a } ! { X b } ! { X a } ) ! { X a } ! { X b }list ! { X a } Check: args as required 1 2

let min_index a = let indices = range 0 a.len fold_left (fun r i -> if a.(i) < a.(r) then i else r ) 0 indices Instance Template of fold_left ( { X a } ! { X b } ! { X a } ) ! { X a } ! { X b }list ! { X a } Check: args as required 1 2 3

let min_index a = let indices = range 0 a.len fold_left (fun r i -> if a.(i) < a.(r) then i else r ) 0 indices Constraints 1 2 3 r:int ! i:int ! {v=i ∨ v=r} <: { X a } ! { X b } ! { X a } {v:int | v=0} <: {v:int | X a } {v:int | 0 ≼ v ≺ a.len} list <: {v:int | X b } list 1 2 3

let min_index a = let indices = range 0 a.len fold_left (fun r i -> if a.(i) < a.(r) then i else r ) 0 indices Subtyping Reduces To Implications 1 2 3 r:int ! i:int ! {v=i ∨ v=r} <: { X a } ! { X b } ! { X a } {v:int | v=0} <: {v:int | X a } {v:int | 0 ≼ v ≺ a.len} list <: {v:int | X b } list X a [r/v] Æ X b [i/v] Æ ( v=i ∨ v=r ) ) X a v=0 ) X a 0 ≼ v ≺ a.len ) X b 1 2 3

let min_index a = let indices = range 0 a.len fold_left (fun r i -> if a.(i) < a.(r) then i else r ) 0 indices Solution X a, X b = 0 ≼ v ≺ a.len

let min_index a = let indices = range 0 a.len fold_left (fun r i -> if a.(i) < a.(r) then i else r ) 0 indices Solution X a, X b = 0 ≼ v ≺ a.len Templates r : {v:int| X a } i : {v:int| X b }

let min_index a = let indices = range 0 a.len fold_left (fun r i -> if a.(i) < a.(r) then i else r ) 0 indices Solution X a, X b = 0 ≼ v ≺ a.len Liquid Types r : {v:int| 0 ≼ v ≺ a.len} i : {v:int| 0 ≼ v ≺ a.len}

let min_index a = let indices = range 0 a.len fold_left (fun r i -> if a.(i) < a.(r) then i else r ) 0 indices Solution X a, X b = 0 ≼ v ≺ a.len Liquid Types r : {v:int| 0 ≼ v ≺ a.len} i : {v:int| 0 ≼ v ≺ a.len} Safe

let min_index a = let indices = range 0 a.len fold_left (fun r i -> if a.(i) < a.(r) then i else r ) 0 indices Solution X a, X b = 0 ≼ v ≺ a.len Template of min_index a:int array ! {v:int | X a }

let min_index a = let indices = range 0 a.len fold_left (fun r i -> if a.(i) < a.(r) then i else r ) 0 indices Solution X a, X b = 0 ≼ v ≺ a.len Liquid Type of min_index a:int array ! {v:int | 0 ≼ v ≺ a.len}

Data (Structure) Properties Piggyback Predicates On Types

[] :: {x:int|0<x} listint list 0<x Describes all elements x : int Representation

[] :: 0<x x : int Type Unfolding [] :: 0<h h : int [] :: 0<x x : int HeadTailEmpty PositiveProperty holds recursively List of positive integers

[] :: 0<x Describes all elements x : int x<v v Describes tail elements Representation

[] :: x<v x : int Type Unfolding [] :: h : int [] :: x<v x : int HeadTailEmpty Elements larger than head Property holds recursively List of sorted integers h<v Push Edge Predicate Into NodeRename Variable h<x

Piggyback Predicates On Types Data (Structure) Properties

[] :: x : int Unfold :: h : int [] :: x : int l:sorted listh:intt:sorted list & {h<x} list Instantiate tl match l with h :: t x<V h<x Quantifier Instantiation

Piggyback Predicates On Types Data (Structure) Properties

[] :: x : int Fold h : int [] :: x : int :: l:sorted listh:intt:sorted list & {h<x} list Generalize tl let l = h :: t in x<V h<x Quantifier Generalization

Another Example: Trees Leaf Node x : int x<V V<x

Node Leaf Node x : int Leaf Node x : int Node Leaf x<V V<x x<V V<x r<V V<r Another Example: Trees r : int Unfold

< RHS nodesLHS nodes < root Node Leaf Node x : int Leaf Node x : int Node Leaf x<V V<x x<V V<x r<x x<r Another Example: Trees r : int Push Edge Predicates Invariant: Binary Search Trees

Demo isort,bst

Piggyback Predicates On Types (Data) Structure Properties

measure len = | [] -> 0 | x::xs -> 1 + len xs Representation: List Length

8 l,x,xs. len([]) = 0 len(x::xs) = 1+len(xs)

l:’a list h:’a t:’a list len(l)=1+len(t) Instantiate match l with h :: t Quantifier Instantiation 8 l,x,xs. len([]) = 0 len(x::xs) = 1+len(xs)

h:’a t:’a list Quantifier Generalization 8 l,x,xs. len([]) = 0 len(x::xs) = 1+len(xs) Generalize let l = h :: t in h:’a t:’a list l:’a list len(l)=1+len(t)

Demo listlen, msortb

Leaf l r l = Left subtree r = Right subtree treeHeight H l = Left subtree’s height H r = Right subtree’s height measure H = | Leaf = 0 | Node(x,l,r) = 1 + max (H l) (H r) Height Balanced Tree | Hl–Hr |< 2 Node Height difference bounded at each node

Demo eval

Refinement Type Inference By Predicate Abstraction

0<x [] :: x : int x<v Automatic Inference Predicates Determine Invariant Let X 1, X 2,... = Unknown Predicates Complex Subtyping Between data types X1X1 X2X2 Reduces To Simple Implications Between X 1, X 2,... Solved by Predicate Abstraction Over atoms 0< ⋆, ⋆ <v,...

Program (ML)Verified Safety Properties List-based SortingSorted, Outputs Permutation of Input Finite MapBalance, BST, Implements a Set Red-Black TreesBalance, BST, Color StablesortSorted Extensible VectorsBalance, Bounds Checking, … Binary HeapsHeap, Returns Min, Implements Set Splay HeapsBST, Returns Min, Implements Set MallocUsed and Free Lists Are Accurate BDDsVariable Order Union FindAcyclicity Bitvector UnificationAcyclicity

Finite Maps (ML) 5: ‘cat’ 3: ‘cow’ 8: ‘tic’ 1: ‘doc’ 4: ‘hog’ 7: ‘ant’ 9: ‘emu’ From Ocaml Standard Library Implemented as AVL Trees Rotate/Rebalance on Insert/Delete Verified Invariants Binary Search Ordered Height Balanced Keys Implement Set

Binary Decision Diagrams (ML) X1X1 X2X2 X2X2 X3X3 X4X4 X4X4 1 Graph-Based Boolean Formulas [Bryant 86] X 1  X 2  X 3  X 4 Efficient Formula Manipulation Memoizing Results on Subformulas Verified Invariant Variables Ordered Along Each Path

Vec: Extensible Arrays (317 LOC) “Python-style” extensible arrays for Ocaml find, insert, delete, join etc. Efficiency via balanced trees Balanced Height difference between siblings ≤ 2 Dsolve found balance violation

Debugging via Inference Using Dsolve we found Where imbalance occurred (specific path conditions) How imbalance occurred (left tree off by up to 4) Leading to test and fix

Take Home Lessons Why is Verification difficult? Complex “Invariants” How to represent invariants? Factor into liquid type How to infer liquid type? Subtyping + Predicate Abstraction

“Back-End” Logic Constraint Solving Rich Decidable Logics Predicate Discovery… Much Work Remains…

“Front-End” Types Destructive Update Concurrency Objects & Classes Dynamic Languages… Much Work Remains…

User Interface The smarter your analysis, the harder to tell why it fails! Much Work Remains…

Details Ocaml (Pure functional) [PLDI 08] “Liquid Types” [PLDI 09] “Type-based Data-Structure Verification” Constraint Solving [CAV 11] “Hindley-Milner-Cousots” C (Pointers/Arithmetic, Aliasing, Mutation) [POPL 10] “Low-level Liquid Types”

POPL Lightning Talk/Demo Ocaml (Pure functional) [PLDI 08] “Liquid Types” [PLDI 09] “Type-based Data-Structure Verification” Constraint Solving [CAV 11] “Hindley-Milner-Cousots” C (Pointers/Arithmetic, Aliasing, Mutation) [POPL 10] “Low-level Liquid Types” Patrick Rondon (PhD ’12) Demo + Lightning Talk

http://goto.ucsd.edu/liquid source, papers, demo, etc.

ProgramLines DML Annot. Liquid Annot. Liquid Time(s) dotprod 730 0.3 bsearch 2430 0.5 queens 3070 0.7 insersort 33120 0.9 tower 3681 3.3 matmult 43100 1.8 heapsort 84110 0.5 fft 107131 9.1 simplex 118330 7.7 gauss 142221 3.1 Total 6321253 27.9 Evaluation: Array Bounds Checking

DML @ 20% LOC vs. Liquid @ 0.5% LOC

The end

let rec range l u = if l < u then l :: (range (l+1) u) else [] Template of “ then ”-expression {v:int| X out } list Check: “head” and “tail” as required l ≺ u ⊢ “head” <: {v:int |X out } l ≺ u ⊢ “tail” <: {v:int |X out } list

let rec range l u = if l < u then l :: (range (l+1) u) else [] Check: “head” as required l ≺ u ⊢ {v:int | v=l} <: {v:int |X out } l ≺ u Æ v=l ) X out Reduces To 1

let rec range l u = if l < u then l :: (range (l+1) u) else [] Check: “tail” as required Template of range l:int ! u:int ! {v:int| X out } list

let rec range l u = if l < u then l :: (range (l+1) u) else [] Check: “tail” as required Template of range (l+1) u:int ! {v:int| X out [l+1/l]} list

let rec range l u = if l < u then l :: (range (l+1) u) else [] Check: “tail” as required Template of range (l+1) u {v:int| X out [l+1/l][u/u]} list

let rec range l u = if l < u then l :: (range (l+1) u) else [] Check: “tail” as required Template of range (l+1) u {v:int| X out [l+1/l]} list { X out [l+1/l]} list <: then-“tail”

let rec range l u = if l < u then l :: (range (l+1) u) else [] Check: “tail” as required { X out [l+1/l]} list <: then-“tail” Template of “ then ”-expression {v:int| X out } list

let rec range l u = if l < u then l :: (range (l+1) u) else [] Check: “tail” as required { X out [l+1/l]} list <: { X out } list Template of “ then ”-expression {v:int| X out } list

let rec range l u = if l < u then l :: (range (l+1) u) else [] Check: “tail” as required { X out [l+1/l]} list <: { X out } list Template of range l:int ! u:int ! {v:int| X out } list

let rec range l u = if l < u then l :: (range (l+1) u) else [] Check: “tail” as required { X out [l+1/l]} list <: { X out } list Template of “ then ”-expression {v:int| X out } list

Software Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)

Similar presentations

Presentation on theme: "Software Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)"— Presentation transcript:

Similar presentations

About project

Feedback

Log in

Auth with social network:

Software Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)

Similar presentations

Presentation on theme: "Software Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)"— Presentation transcript:

Similar presentations

About project

Feedback