Presentation is loading. Please wait.

Presentation is loading. Please wait.

Avoiding Exponential Explosion: Generating Compact Verification Conditions Cormac Flanagan and James B. Saxe Compaq Systems Research Center With help from.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Avoiding Exponential Explosion: Generating Compact Verification Conditions Cormac Flanagan and James B. Saxe Compaq Systems Research Center With help from."— Presentation transcript:

1 Avoiding Exponential Explosion: Generating Compact Verification Conditions Cormac Flanagan and James B. Saxe Compaq Systems Research Center With help from our ESC colleagues: Rustan Leino, Mark Lillibridge, Greg Nelson, Shaz Qadeer, Raymie Stata

2 Software QA via Testing u Useful (the dominant methodology), but.. u Costly l half of development cost is testing l finds errors late in development cycle u Incomplete l often fails to ensure needed reliability l hard to test all configurations

3 Software QA via Static Checking u Statically verify many correctness properties u Type systems catch many errors l e.g. “Cannot multiply a number and a string” u Would like to catch additional errors l e.g. “Array index out of bounds at line 10” u And verify other correctness properties l assertions l object invariants l lightweight method specifications

4 Extended Static Checker Architecture Java method + annotations Counterexamples  x.  y.(x > y ==> … ) Verification Condition VC Generator Decision Procedure Index out of bounds on line 218 Method does not preserve object invariant on line 223

5 Extended Static Checker Architecture Java method + annotations Guarded Command Counterexamples Front End Verification Condition VC Generator Decision Procedure Index out of bounds on line 218 Method does not preserve object invariant on line 223 Intermediate representation assume preconditions assume preconditions assume object invariants assume object invariants... translated body...... translated body... assert postconditions assert postconditions assert object invariants assert object invariants

6 private int scanPunctuation(int nextchr) { try { boolean possibleFloatingPointNumber = (nextchr == '.'); text[0] = (char)nextchr; textlen = 1; m_in.mark(); // All paths out of the try must unmark the stream!! PunctuationPrefixTree prefix = punctuationTable; PunctuationPrefixTree lastPunctuation = prefix; int lastPunctuationLength = 0; int index = nextchr - '!'; if (index < 0 || PunctuationPrefixTree.CHILDLEN <= index) prefix = null; else prefix = prefix.children[nextchr - '!']; nextchr = m_in.read(); if (possibleFloatingPointNumber && Character.isDigit((char)nextchr)) { m_in.clearMark(); return finishFloatingPointLiteral(nextchr); } this.append(nextchr); if (prefix != null && prefix.code != TagConstants.NULL) { lastPunctuation = prefix; lastPunctuationLength = textlen - 1; m_in.mark(); } while(prefix != null) { index = nextchr - '!'; if (index < 0 || PunctuationPrefixTree.CHILDLEN <= index) prefix = null; else prefix = prefix.children[nextchr - '!']; nextchr = m_in.read(); this.append(nextchr); if (prefix != null && prefix.code != TagConstants.NULL) { lastPunctuation = prefix; lastPunctuationLength = textlen - 1; m_in.mark(); } m_in.reset(); textlen = lastPunctuationLength; endingLoc = m_in.getLocation(); ttype = lastPunctuation.code; if (ttype != TagConstants.C_COMMENT&& ttype != TagConstants.EOL_COMMENT) nextchr = m_in.read(); return ttype; } catch (IOException e) { m_in.clearMark(); ErrorSet.fatal(m_in.getLocation(), e.toString()); return TagConstants.NULL; // Dummy }

7 Extended Static Checker Architecture Java method + annotations Guarded Command Counterexamples Exponential in size of GC Front End Verification Condition VC Generator Decision Procedure Index out of bounds on line 218 Method does not preserve object invariant on line 223 Weakest preconditions Strongest postconditions Symbolic forward execution

8 Statement S x := e A ; B assert e assume e A B while {I} e do S end {exceptions} Guarded Command Language Variables have arbitrary values in program’s initial state if e then A else B end  (assume e ; A) (assume  e ; B)

9 Weakest Precondition Semantics wp.S.Q Q(x  e) wp.A.(wp.B.Q) e  Q e  Q wp.A.Q  wp.B.Q Statement S x := e A ; B assert e assume e A B

10 Blow-up from assignment rule wp.(x := e).Q = Q(x  e)  Q(x  e) may contain many copies of e u Sequential composition of assignment statements may yield exponentially large VC, e.g. wp.( b=a+a ; c=b+b ;... ; z=y+y).(z>0)

11 Blow-up from Choice Statements wp.(A B).Q = wp.A.Q  wp.B.Q  The postcondition Q of a choice statement occurs twice in weakest precondition  Copies of Q modified due to assignment statements in A and B u Sequential composition of choice statements may yield exponentially large VC

12 Key Insight u Assignment statements are the culprit! l They cause problems both by themselves l And through their interaction with choice statements u Let’s get rid of them!

13 VC Generator for Passive Form Two-Stage VC Generation Alg. Passive Form Compact Verification Condition Guarded Command Passify Translation Remove Assignments

14 Basic Passify Translation u To passify an assignment statement x := e  Introduce a fresh variable, say x’ u Replace assignment statement by assume x’ = e  Subsequently use x’ instead of x

15 Passify for Choice Statements u To passify a choice statement A B  Let A’ and B’ be passive forms of A and B  Suppose x resides in xa after A’ and x resides in xb after B’  Introduce a fresh variable, say x’ u Replace the choice statement by ( A’; assume x’=xa) (B’; assume x’=xb)  Subsequently use x’ instead of x  Introduce a fresh variable, say x’ u Replace assignment statement by assume x’ = e  Subsequently use x’ instead of x

16 VC Generator for Passive Form Two-Stage VC Gen. Results (I) Passive Form Compact Verification Condition Guarded Command Passify Translation Remove Assignments At most quadratic in size of GC

17 Generating VCs for Passive Form u Execution of a passive statement l Cannot affect the program state (!) l Can only choose among the two possible outcomes Normal termination Going wrong u Semantics of a passive statement S can be completely captured by two outcome predicates N.S - initial states from which S may terminate normally W.S - initial states from which S may go wrong

18 Outcome Predicates Semantics N.S e N.A  N.B N.A  N.B Statement S assume e assert e A B A ; B W.S false  e W.A  W.B W.A  (N.A  W.B) Normal outcome Wrong outcome

19 Size of Outcome Predicates  The size of N.S is linear in the size of S  The size of W.S is quadratic in the size of S W.(A;B;C) = W.A  (N.A  W.B)  (N.A  N.B  W.C) = let t = N.A in W.A  (t  W.B)  (t  N.B  W.C)

20 VC Generator for Passive Form Two-Stage VC Gen. Results (II) Passive Form Compact Verification Condition  (W.P) Guarded Command Passify Translation Remove Assignments At most quadratic in size of GC At most n^4 (without lets) n^4 (without lets) quadratic (with lets) quadratic (with lets) in size of GC

21 Results in Practice u Benchmark: ESC/Java front-end, 20 KLOC u Passify increases code size by ~30% on average u For “simple” methods l VC size 60% - 70% of original l proof time roughly the same u For “complex” methods l VC size 0.1% - 10% of original l proof time 2% - 50% of original u Can now verify all methods in benchmark

22 private int scanPunctuation(int nextchr) { try { boolean possibleFloatingPointNumber = (nextchr == '.'); text[0] = (char)nextchr; textlen = 1; m_in.mark(); // All paths out of the try must unmark the stream!! PunctuationPrefixTree prefix = punctuationTable; PunctuationPrefixTree lastPunctuation = prefix; int lastPunctuationLength = 0; int index = nextchr - '!'; if (index < 0 || PunctuationPrefixTree.CHILDLEN <= index) prefix = null; else prefix = prefix.children[nextchr - '!']; nextchr = m_in.read(); if (possibleFloatingPointNumber && Character.isDigit((char)nextchr)) { m_in.clearMark(); return finishFloatingPointLiteral(nextchr); } this.append(nextchr); if (prefix != null && prefix.code != TagConstants.NULL) { lastPunctuation = prefix; lastPunctuationLength = textlen - 1; m_in.mark(); } while(prefix != null) { index = nextchr - '!'; if (index < 0 || PunctuationPrefixTree.CHILDLEN <= index) prefix = null; else prefix = prefix.children[nextchr - '!']; nextchr = m_in.read(); this.append(nextchr); if (prefix != null && prefix.code != TagConstants.NULL) { lastPunctuation = prefix; lastPunctuationLength = textlen - 1; m_in.mark(); } m_in.reset(); textlen = lastPunctuationLength; endingLoc = m_in.getLocation(); ttype = lastPunctuation.code; if (ttype != TagConstants.C_COMMENT&& ttype != TagConstants.EOL_COMMENT) nextchr = m_in.read(); return ttype; } catch (IOException e) { m_in.clearMark(); ErrorSet.fatal(m_in.getLocation(), e.toString()); return TagConstants.NULL; // Dummy }

23 Current Status of ESC u Scales well to complex methods u Ready for educational/research use? Yes! l http://research.compaq.com/SRC/esc/ u Ready for commercial use? Not really. l annotation overhead significant l annotations increase program size by 10% l requires 1 programmer-hour to annotate 300 lines of code

24 Future Directions u Annotation Inference l Houdini annotation inference system Infer annotations via whole-program analysis (up to 40 KLOC) “Generate and test” strategy leverages ESC l Loop invariant inference via predicate abstraction Infers universally-quantified loop invariants, e.g. (\forall int j; spot == MAXDIRENTRY && 0 <= j && j < i ==> bdisk[addr].dirEntries[j].inum != UNUSED ) u Full verification of systems software l Frangipani distributed file system

Download ppt "Avoiding Exponential Explosion: Generating Compact Verification Conditions Cormac Flanagan and James B. Saxe Compaq Systems Research Center With help from."

Similar presentations

A SAT characterization of boolean-program correctness K. Rustan M. Leino Microsoft Research, Redmond, WA 14 Nov 2002 IFIP WG 2.4 meeting, Schloβ Dagstuhl,

A SAT characterization of boolean-program correctness K. Rustan M. Leino Microsoft Research, Redmond, WA 14 Nov 2002 IFIP WG 2.4 meeting, Schloβ Dagstuhl,
Advanced programming tools at Microsoft

Advanced programming tools at Microsoft
Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.

Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
Extended Static Checking for Java Cormac Flanagan K. Rustan M. Leino Mark Lillibridge Greg Nelson James B. Saxe Raymie Stata Compaq SRC 18 June 2002 PLDI02,

Extended Static Checking for Java Cormac Flanagan K. Rustan M. Leino Mark Lillibridge Greg Nelson James B. Saxe Raymie Stata Compaq SRC 18 June 2002 PLDI02,
Demand-driven inference of loop invariants in a theorem prover

Demand-driven inference of loop invariants in a theorem prover
1 Towards a Verifying Compiler: The Spec# Approach Wolfram Schulte Microsoft Research Formal Methods 2006 Joint work with Rustan Leino, Mike Barnett, Manuel.

1 Towards a Verifying Compiler: The Spec# Approach Wolfram Schulte Microsoft Research Formal Methods 2006 Joint work with Rustan Leino, Mike Barnett, Manuel.
Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models.

Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models.
Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 0 Summer school on Formal Models.

Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 0 Summer school on Formal Models.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Synthesis, Analysis, and Verification Lecture 04c Lectures: Viktor Kuncak VC Generation for Programs with Data Structures “Beyond Integers”

Synthesis, Analysis, and Verification Lecture 04c Lectures: Viktor Kuncak VC Generation for Programs with Data Structures “Beyond Integers”
Abstraction of Source Code (from Bandera lectures and talks)

Abstraction of Source Code (from Bandera lectures and talks)
A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.

A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers

Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 11.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.

Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.

1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.
Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer.

Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer.
CS 355 – Programming Languages

CS 355 – Programming Languages

Similar presentations

Ads by Google