# Quantified Invariants in Rich Domains using Model Checking and Abstract Interpretation


## Title slide

© Anvesh Komuravelli. Quantified Invariants in Rich Domains using Model Checking and Abstract Interpretation. Anvesh Komuravelli, CMU. Joint work with Ken McMillan.

## Slide 1: The Problem

Input: an array-manipulating program P + assertions. Automatic analysis for assertion failures, with three possible outcomes:

- Safe + Proof
- Unsafe + CEX
- Unknown + Partial Proof

Quantified invariants!

## Slide 2: Quantified Invariants, Typically

Specialized abstract domains (e.g. segmentation abstraction, indexed predicate abstraction, points-to analysis, etc.): restrictive, false warnings.

Unrestricted model checking (e.g. interpolation-based): hard to find the right quantifiers, divergence.

Rich-enough abstract domain?

## Slide 3: The abstract domain

```
i := 0;
while (i < n) {
  a[i] := c;
  i++;
}
assume (0 ≤ k < n)
assert (a[k] = c)
```

The abstract domain is given by the quantified variables and the predicate signature. Goal: find a quantifier-free interpretation of the predicates.

## Slide 4: Guess-and-check doesn’t work anymore!

(Program from slide 3.) Given a guess for P, how to check if it suffices? FOL validity is undecidable! Can we still use existing model checkers?

## Slide 5: Let’s look at the VCs

(Program from slide 3; the VCs are shown as a figure that is not in the transcript.)

## Slide 6: Let’s look at the VCs

Quantifiers pulled to the outermost scope.

## Slide 7: Let’s look at the VCs

Real challenge! Find a sufficient set of witnesses.

## Slide 8: Let’s look at the VCs

Reduces to quantifier-free invariant generation (use an off-the-shelf model checker).
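The VCs of slides 5 to 8 for the program of slide 3, written out here as an added reconstruction (the slides show them only as figures, so this is not the talk's own notation). It assumes the invariant has the shape $\forall j.\, P(j, a[j], i, c)$, where $P$ is the unknown predicate with the signature $(k, v, i, c)$ used in slide 17, and writes $a[i \leftarrow c]$ for the array store:

$$
\begin{aligned}
[B]\;& i = 0 \;\Rightarrow\; \forall j.\, P(j, a[j], i, c) \\
[L]\;& \forall j.\, P(j, a[j], i, c) \;\wedge\; i < n \;\wedge\; a' = a[i \leftarrow c] \;\wedge\; i' = i + 1 \;\Rightarrow\; \forall j.\, P(j, a'[j], i', c) \\
[E]\;& \forall j.\, P(j, a[j], i, c) \;\wedge\; i \ge n \;\wedge\; 0 \le k < n \;\Rightarrow\; a[k] = c
\end{aligned}
$$

Pulling the quantifiers to the outermost scope (slide 6): a $\forall j$ on the right of $\Rightarrow$ becomes a fresh universally quantified variable $j'$ of the whole clause, while a $\forall j$ on the left becomes an existential, because $(\forall j.\,\varphi) \Rightarrow \psi \;\equiv\; \exists j.\,(\varphi \Rightarrow \psi)$. Picking a term for that $\exists j$ is picking a witness (slide 7); since $\forall j.\, P(j, \ldots)$ implies every instance, a clause instantiated at finitely many witnesses entails the original clause, so a set of witnesses is sufficient when all instantiated clauses are valid. With the witnesses $j := j'$ in $[L]$ and $j := k$ in $[E]$:

$$
\begin{aligned}
[B]\;& i = 0 \;\Rightarrow\; P(j', a[j'], i, c) \\
[L]\;& P(j', a[j'], i, c) \;\wedge\; i < n \;\wedge\; a' = a[i \leftarrow c] \;\wedge\; i' = i + 1 \;\Rightarrow\; P(j', a'[j'], i', c) \\
[E]\;& P(k, a[k], i, c) \;\wedge\; i \ge n \;\wedge\; 0 \le k < n \;\Rightarrow\; a[k] = c
\end{aligned}
$$

These are quantifier-free Horn clauses over $P$ (slide 8). One interpretation that satisfies all three is $P(k, v, i, c) \;\equiv\; (0 \le k < i \Rightarrow v = c)$: $[B]$ holds vacuously at $i = 0$, $[L]$ holds because $a'[j'] = c$ for $j' = i$ and $a'[j'] = a[j']$ otherwise, and $[E]$ holds because $0 \le k < n \le i$.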

## Slide 9: Two Goals

(Program from slide 3; the abstract domain is given by the quantified variables and the predicate signature.)

- Goal 1: Find a sufficient set of witnesses for j.
- Goal 2: Find a quantifier-free interpretation of the predicates.

## Slide 10: A Strategy

Guess some witnesses → check if they suffice using a model checker. Y: found proof. N: give up!

Eager syntactic pattern matching [BMR13]. [BMR13]: On Solving Universally Quantified Horn Clauses, Bjorner, McMillan, Rybalchenko, SAS’13.

Unguided instantiation: worst-case unbounded; grows exponentially with the number of quantified vars; may choke the model checker; no fall-back strategy.

## Slide 11: Our Strategy

Guess some witnesses → check if they suffice using a model checker. Y: found proof. N: CEX → refine the guess (a constraint on the witness) and guess again.

Guess-and-check, but of the witnesses and not the invariant itself.

## Slide 12: Obtaining Strong Constraints

Generalized counterexamples → strong constraints.

Symbolic counterexamples: number of variables = O(size); constraint solving becomes harder (easily diverging).

Ground counterexamples + abstract interpretation.

## Slide 13: Note – one witness suffices!

[formula not in transcript] is equivalent to [formula not in transcript]. May not be expressible!

## Slide 14: Concrete vs. Abstract

(Figure only; no text in the transcript.)

## Slide 15: Concrete vs. Abstract

(Figure only; no text in the transcript.)

## Slide 16: The algorithm

Clauses [B], [L], [E] (figure).

## Slide 17: The algorithm

Steps: Instantiate, Check. The clauses [B], [L], [E] are instantiated with the predicate instances P(k0, v0, i0, c0), P(k1, v1, i1, c1), P(k2, v2, i2, c2), labelled B, L, L, E in the figure.

## Slide 18: The algorithm

Steps: Instantiate, Check, Analyze. Instances P(k0, v0, i0, c0), P(k1, v1, i1, c1), P(k2, v2, i2, c2), labelled B, L, L, E in the figure.

## Slide 19: The algorithm

Steps: Instantiate, Check, Analyze. Ground instances P(0,0,0,0), P(0,0,1,0), P(0,0,2,0), labelled B, L, L, E; the analysis marks each as ✕ or ?.

## Slide 20: The algorithm

Steps: Instantiate, Check, Analyze. Ground instances P(0,0,0,0), P(0,1,0,0), P(0,2,0,0), labelled B, L, L, E; the analysis marks each as ✕ or ?. Use k for j.

## Slide 21: The algorithm

Step: Instantiate. Clauses [B], [L], [E] (figure).

## Slide 22: The algorithm

Step: Instantiate. Clauses [B], [L], [E], … (figure).

## Slide 23: Finding a new witness

Given: a constraint (from the check) relating the local vars and the quantified variable. Skolem template f: solve for t using a sampling-based approach, restricted to linear templates.

## Slide 24: Quantifier Alternation using Sampling

Loop: pick a candidate t_c and check it. Y → return t_c. N → CEX l_c: add l_c to the existing samples S and look for a new candidate t_c; if none exists → CEX S. Source of divergence!

Quantifier elimination: eliminate arrays (thanks to Nikolaj for the discussion); cheap QE of integers.
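The witness guess-and-check loop of slide 11, with the sample-driven candidate selection of slide 24, as an added example in plain Python (this is not the authors' Z3Py prototype). It assumes the invariant shape ∀j. P(j, a[j], i, c) and fixes P to the interpretation (0 ≤ j < i → a[j] = c), so that only Goal 1, the witness, is searched for; a bounded exhaustive enumeration of constructed ground states stands in for the model checker, and the Skolem templates are linear in the VC's local variables with coefficients in {-1, 0, 1}. It finds j := k for the exit clause and j := j' (the Skolem variable of the right-hand ∀) for the loop clause, and shows the "CEX S" outcome when k is withheld from the template.

```python
"""Witness search for the array-initialisation loop of the slides (constructed example).

    i := 0; while (i < n) { a[i] := c; i++; }
    assume (0 <= k < n); assert (a[k] = c)

Assumed invariant shape: forall j. P(j, a[j], i, c). P is fixed to
P(j, v, i, c) == (0 <= j < i -> v = c) so that only the witness is searched for;
solving for P is what the slides hand to an off-the-shelf model checker.
"""
from itertools import product

BOUND = 3          # integer locals and array lengths range over 0..BOUND (constructed bound)
VALUES = (0, 1)    # array cells and c range over this domain (constructed)


def P(j, v, i, c):
    """Fixed quantifier-free interpretation of the predicate (an assumption, see above)."""
    return not (0 <= j < i) or v == c


def instantiated_premise(a, j, i, c):
    """P(j, a[j], i, c) at the witness j. Outside the array a[j] is an unconstrained value,
    so the clause must also hold when the premise is true."""
    return P(j, a[j], i, c) if 0 <= j < len(a) else True


def exit_vc(s, j):
    """[E]: P(j, a[j], i, c) /\\ i >= n /\\ 0 <= k < n  ->  a[k] = c, instantiated at j."""
    a, i, n, c, k = s["a"], s["i"], s["n"], s["c"], s["k"]
    if not (i >= n and 0 <= k < n):
        return True
    return not instantiated_premise(a, j, i, c) or a[k] == c


def step_vc(s, j):
    """[L]: P(j, a[j], i, c) /\\ i < n /\\ a' = a[i := c]  ->  P(j', a'[j'], i + 1, c),
    where j' is the Skolem variable of the right-hand forall (a local of the VC)."""
    a, i, n, c, jp = s["a"], s["i"], s["n"], s["c"], s["j'"]
    if not (i < n):
        return True
    a2 = list(a)
    a2[i] = c
    return not instantiated_premise(a, j, i, c) or P(jp, a2[jp], i + 1, c)


def exit_states():
    """All bounded ground states of [E] (stand-in for the model checker's state space)."""
    for n in range(BOUND + 1):
        for a, i, c, k in product(product(VALUES, repeat=n), range(BOUND + 1), VALUES, range(n)):
            yield {"a": a, "i": i, "n": n, "c": c, "k": k}


def step_states():
    """All bounded ground states of [L]; j' is kept inside the array bounds."""
    for n in range(1, BOUND + 1):
        for a, i, c, jp in product(product(VALUES, repeat=n), range(n), VALUES, range(n)):
            yield {"a": a, "i": i, "n": n, "c": c, "j'": jp}


def linear_templates(var_names, coeffs=(-1, 0, 1)):
    """Candidate Skolem functions j := sum(w * var) + const over the VC's local variables."""
    for *ws, const in product(coeffs, repeat=len(var_names) + 1):
        name = " + ".join(f"{w}*{v}" for w, v in zip(ws, var_names) if w) or "0"
        yield f"{name} + {const}", (lambda s, ws=ws, const=const:
                                     sum(w * s[v] for w, v in zip(ws, var_names)) + const)


def find_witness(vc, states, var_names):
    """Slide-24 loop: pick the first template consistent with the samples S, check it on
    the whole bounded state space; on a ground counterexample l_c add it to S and retry.
    Returns (template_name, samples); template_name is None when no linear witness fits,
    and the samples are then the counterexamples that refuted every candidate."""
    states = list(states)
    templates = list(linear_templates(var_names))
    samples = []
    while True:
        fits = [(name, t) for name, t in templates if all(vc(l, t(l)) for l in samples)]
        if not fits:
            return None, samples                       # CEX S: template class too weak
        name, t = fits[0]
        cex = next((l for l in states if not vc(l, t(l))), None)
        if cex is None:
            return name, samples                       # witness suffices on every state
        samples.append(cex)                            # refine the guess


if __name__ == "__main__":
    print("[E] witness:", find_witness(exit_vc, exit_states(), ("k", "i", "n"))[0])
    print("[L] witness:", find_witness(step_vc, step_states(), ("j'", "i", "n"))[0])
    print("[E] without k:", find_witness(exit_vc, exit_states(), ("i", "n"))[0])
```

Each refinement step removes at least the refuted candidate from the set of templates consistent with S, so the loop always terminates here; the divergence the slide warns about arises in the real setting, where the state space and the template class are unbounded and every new sample may admit yet another candidate.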

## Slide 25: Abstract Post, in practice

1. Cheap QE tricks, case-split on array-index arguments (equalities on j), etc.
2. Under-approximate, otherwise: solve an SMT problem, generalize models.

## Slide 26: Experiments

- Implemented the “qe_array” tactic in Z3.
- Prototype in Python using the Z3Py interface for witness generation.
- Automatically generated “sufficient witnesses” for small array-manipulating programs (BMR13): array init, find, copy, concatenate, reverse, etc.
- Used the GPDR engine in Z3 to solve for quantifier-free predicates.
- Up to two universal quantifiers per predicate.
- The witness was just a local variable in the VC.

## Slide 27: Moving forward…

Scalability:

- Handle large programs (with multiple procedures).
- How to pick a relevant “set” of witnesses?
- Can we synthesize guards to combine them into a single witness?

Implementation-wise:

- Cache previous AI results.
- Reuse bounded proofs (proof-based abstraction).
- Lazy QE: postponing to later steps?

Alternatives:

- Use over-approximations of reachable states.
- A witness may not exist; need to refine the approximation.