Presentation is loading. Please wait.

Presentation is loading. Please wait.

© Anvesh Komuravelli Quantified Invariants in Rich Domains using Model Checking and Abstract Interpretation Anvesh Komuravelli, CMU Joint work with Ken.

Published byMaribel Springfield Modified over 9 years ago

Similar presentations

Presentation on theme: "© Anvesh Komuravelli Quantified Invariants in Rich Domains using Model Checking and Abstract Interpretation Anvesh Komuravelli, CMU Joint work with Ken."— Presentation transcript:

1 © Anvesh Komuravelli Quantified Invariants in Rich Domains using Model Checking and Abstract Interpretation Anvesh Komuravelli, CMU Joint work with Ken McMillan

2 © Anvesh Komuravelli The Problem Array-Manipulating Program P + Assertions Array-Manipulating Program P + Assertions Automatic analysis for assertion failures Automatic analysis for assertion failures Safe + Proof Unsafe + CEX Unknown + Partial Proof 1 Quantified Invariants!

3 © Anvesh Komuravelli Quantified Invariants, Typically 2 Specialized Abstract Domains E.g. Segmentation abstraction, Indexed Predicate Abstraction, Points-to Analysis, etc. Restrictive False warnings Specialized Abstract Domains E.g. Segmentation abstraction, Indexed Predicate Abstraction, Points-to Analysis, etc. Restrictive False warnings Unrestricted Model Checking E.g. Interpolation-based Hard to find the right quantifiers Divergence Unrestricted Model Checking E.g. Interpolation-based Hard to find the right quantifiers Divergence Rich-enough abstract domain?

4 © Anvesh Komuravelli The abstract domain 3 i := 0; while (i < n) { // a[i] := c; i++; } assume (0 ≤ k < n) assert (a[k] = c) Quantified variables Predicate signature Abstract Domain Goal: Find a quantifier-free interpretation of the predicates Goal: Find a quantifier-free interpretation of the predicates

5 © Anvesh Komuravelli Guess-and-check doesn’t work anymore! 4 i := 0; while (i < n) { // a[i] := c; i++; } assume (0 ≤ k < n) assert (a[k] = c) Given a guess for P, how to check if it suffices? FOL validity is undecidable! Can we still use existing model checkers?

6 © Anvesh Komuravelli Let’s look at the VCs 5 i := 0; while (i < n) { // a[i] := c; i++; } assume (0 ≤ k < n) assert (a[k] = c)

7 © Anvesh Komuravelli Pulled to the outermost scope Let’s look at the VCs 6

8 © Anvesh Komuravelli Let’s look at the VCs 7 Real challenge! Find a sufficient set of witnesses

9 © Anvesh Komuravelli Let’s look at the VCs 8 Reduces to quantifier-free invariant generation (use an off-the-shelf model checker) Reduces to quantifier-free invariant generation (use an off-the-shelf model checker)

10 © Anvesh Komuravelli Two Goals 9 i := 0; while (i < n) { // a[i] := c; i++; } assume (0 ≤ k < n) assert (a[k] = c) Quantified variables Predicate signature Abstract Domain Goal 2: Find a quantifier-free interpretation of the predicates Goal 2: Find a quantifier-free interpretation of the predicates Goal 1: Find a sufficient set of witnesses for j Goal 1: Find a sufficient set of witnesses for j

11 © Anvesh Komuravelli A Strategy 10 Guess some witnesses Check if they suffice using a model checker Y Found Proof N Give up! Eager Syntactic Pattern Matching [BMR13] [BMR13]: On Solving Universally Quantified Horn Clauses, Bjorner, McMillan, Rybalchenko, SAS’13 Unguided instantiation Worst-case unbounded Grows exponentially with number of quantified vars May choke the model checker No fall-back strategy

12 © Anvesh Komuravelli Our Strategy 11 Guess some witnesses Check if they suffice using a model checker Y Found Proof NCEX Refine the guess Constraint on the witness Guess-and-check, but of the witnesses and not the invariant itself Guess-and-check, but of the witnesses and not the invariant itself

13 © Anvesh Komuravelli Obtaining Strong Constraints 12 Generalized Counterexamples  Strong Constraints Symbolic Counterexamples Number of variables = O(size) Constraint solving becomes harder (easily diverging) Symbolic Counterexamples Number of variables = O(size) Constraint solving becomes harder (easily diverging) Ground Counterexamples + Abstract Interpretation Ground Counterexamples + Abstract Interpretation

14 © Anvesh Komuravelli Note – one witness suffices! 13 is equivalent to May not be expressible!

15 © Anvesh Komuravelli Concrete vs. Abstract 14

16 © Anvesh Komuravelli Concrete vs. Abstract 15

17 © Anvesh Komuravelli The algorithm 16 [B] [L] [E]

18 © Anvesh Komuravelli The algorithm 17 InstantiateCheck [B] [L] [E] P(k 0,v 0,i 0,c 0 ) P(k 1,v 1,i 1,c 1 ) P(k 2,v 2,i 2,c 2 ) B L L E

19 © Anvesh Komuravelli The algorithm 18 InstantiateCheck P(k 0,v 0,i 0,c 0 ) P(k 1,v 1,i 1,c 1 ) P(k 2,v 2,i 2,c 2 ) BL L E Analyze

20 © Anvesh Komuravelli The algorithm 19 InstantiateCheck P(0,0,0,0) P(0,0,1,0) P(0,0,2,0) BL L E Analyze ✕ ? ✕ ? ✕ ? ✕ ?

21 © Anvesh Komuravelli P(0,0,0,0) P(0,1,0,0) P(0,2,0,0) BL L E ✕ ? ✕ ? ✕ ? ✕ ? Use k for j The algorithm 20 InstantiateCheck Analyze

22 © Anvesh Komuravelli The algorithm 21 Instantiate [B] [L] [E]

23 © Anvesh Komuravelli The algorithm 22 Instantiate [B] [L] [E] …

24 © Anvesh Komuravelli Finding a new witness 23 Given Constraint Check local vars quantified variable Skolem Template f Solve for t using sampling-based approach restrict to linear templates restrict to linear templates

25 © Anvesh Komuravelli Add l c to existing samples S Pick candidate t c Quantifier Alternation using Sampling 24 ? Y Return t c CEX l c ? N CEX S N Y New candidate t c Source of Divergence! Quantifier Elimination Eliminate arrays (thanks to Nikolaj for the discussion), Cheap QE of integers Eliminate arrays (thanks to Nikolaj for the discussion), Cheap QE of integers

26 © Anvesh Komuravelli Abstract Post, in practice 25 1. Cheap QE tricks, case-split on equalities on j, etc. 2. Under-approximate, otherwise. Solve Generalize models 1. Cheap QE tricks, case-split on equalities on j, etc. 2. Under-approximate, otherwise. Solve Generalize models 1. Cheap QE tricks, case-split on array-index arguments, etc. 2. Under-approximate, otherwise. Solve an SMT problem Generalize models 1. Cheap QE tricks, case-split on array-index arguments, etc. 2. Under-approximate, otherwise. Solve an SMT problem Generalize models

27 © Anvesh Komuravelli Experiments 26 Implemented “qe_array” tactic in Z3 Prototype in Python using Z3Py interface for witness generation Implemented “qe_array” tactic in Z3 Prototype in Python using Z3Py interface for witness generation Automatically generated “sufficient witnesses” for small array-manipulating programs (BMR13) – array init, find, copy, concatenate, reverse, etc. Used GPDR engine in Z3 to solve for quantifier-free predicates Up to two universal quantifiers per predicate Witness was just a local variable in the VC Automatically generated “sufficient witnesses” for small array-manipulating programs (BMR13) – array init, find, copy, concatenate, reverse, etc. Used GPDR engine in Z3 to solve for quantifier-free predicates Up to two universal quantifiers per predicate Witness was just a local variable in the VC

28 © Anvesh Komuravelli Moving forward… 27 Scalability Handle large programs (with multiple procedures) How to pick relevant “set” of witnesses? Can we synthesize guards to combine them into a single witness? Scalability Handle large programs (with multiple procedures) How to pick relevant “set” of witnesses? Can we synthesize guards to combine them into a single witness? Implementation-wise Cache previous AI results Reuse bounded proofs – Proof-based Abstraction Lazy QE – postponing to later steps? Implementation-wise Cache previous AI results Reuse bounded proofs – Proof-based Abstraction Lazy QE – postponing to later steps? Alternatives Use over-approximations of reachable states Witness may not exist – need to refine the approximation Alternatives Use over-approximations of reachable states Witness may not exist – need to refine the approximation

29 © Anvesh Komuravelli Questions? 28

Download ppt "© Anvesh Komuravelli Quantified Invariants in Rich Domains using Model Checking and Abstract Interpretation Anvesh Komuravelli, CMU Joint work with Ken."

Similar presentations

Automatic verification of summations K. Rustan M. Leino IFIP WG 2.3 meeting 46 Sydney, Australia 11 January 2007.

Automatic verification of summations K. Rustan M. Leino IFIP WG 2.3 meeting 46 Sydney, Australia 11 January 2007.
Logical Abstract Interpretation Sumit Gulwani Microsoft Research, Redmond.

Logical Abstract Interpretation Sumit Gulwani Microsoft Research, Redmond.
A practical and complete approach to predicate abstraction Ranjit Jhala UCSD Ken McMillan Cadence Berkeley Labs.

A practical and complete approach to predicate abstraction Ranjit Jhala UCSD Ken McMillan Cadence Berkeley Labs.
Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.

Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.

Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.
50.530: Software Engineering

50.530: Software Engineering
Type Checking, Inference, & Elaboration CS153: Compilers Greg Morrisett.

Type Checking, Inference, & Elaboration CS153: Compilers Greg Morrisett.
Greta YorshEran YahavMartin Vechev IBM Research. { ……………… …… …………………. ……………………. ………………………… } P1() Challenge: Correct and Efficient Synchronization { ……………………………

Greta YorshEran YahavMartin Vechev IBM Research. { ……………… …… …………………. ……………………. ………………………… } P1() Challenge: Correct and Efficient Synchronization { ……………………………
50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.

50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 11.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
Lecture #21 Software Model Checking: predicate abstraction Thomas Ball Testing, Verification and Measurement Microsoft Research.

Lecture #21 Software Model Checking: predicate abstraction Thomas Ball Testing, Verification and Measurement Microsoft Research.
© Anvesh Komuravelli Spacer Automatic Abstraction in SMT-Based Unbounded Software Model Checking Anvesh Komuravelli Carnegie Mellon University Joint work.

© Anvesh Komuravelli Spacer Automatic Abstraction in SMT-Based Unbounded Software Model Checking Anvesh Komuravelli Carnegie Mellon University Joint work.
Logic as the lingua franca of software verification Ken McMillan Microsoft Research TexPoint fonts used in EMF: A A A A A Joint work with Andrey Rybalchenko.

Logic as the lingua franca of software verification Ken McMillan Microsoft Research TexPoint fonts used in EMF: A A A A A Joint work with Andrey Rybalchenko.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
© Anvesh Komuravelli IC3/PDR Overview of IC3/PDR Anvesh Komuravelli Carnegie Mellon University.

© Anvesh Komuravelli IC3/PDR Overview of IC3/PDR Anvesh Komuravelli Carnegie Mellon University.
Rahul Sharma, Saurabh Gupta, Bharath Hariharan, Alex Aiken, and Aditya Nori (Stanford, UC Berkeley, Microsoft Research India) Verification as Learning.

Rahul Sharma, Saurabh Gupta, Bharath Hariharan, Alex Aiken, and Aditya Nori (Stanford, UC Berkeley, Microsoft Research India) Verification as Learning.
Panel on Decision Procedures Panel on Decision Procedures Randal E. Bryant Lintao Zhang Nils Klarlund Harald Ruess Sergey Berezin Rajeev Joshi.

Panel on Decision Procedures Panel on Decision Procedures Randal E. Bryant Lintao Zhang Nils Klarlund Harald Ruess Sergey Berezin Rajeev Joshi.
Leonardo de Moura and Nikolaj Bjørner Microsoft Research.

Leonardo de Moura and Nikolaj Bjørner Microsoft Research.
SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:

SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:

Similar presentations

Ads by Google