VS 3 : Verification and Synthesis using SMT Solvers SMT Solvers for Program Verification Saurabh Srivastava * Sumit Gulwani ** Jeffrey S. Foster * * University of Maryland, College Park ** Microsoft Research, Redmond Saurabh Srivastava * Sumit Gulwani ** Jeffrey S. Foster * * University of Maryland, College Park ** Microsoft Research, Redmond

What VS 3 will let you do! A. Discover invariants with arbitrary quantification and boolean structure – ∀ : E.g. Sortedness – ∀∃ : E.g. Permutation.. ∀ k 1,k 2 k1k1 k2k2 j j.. A old ∀k∃j∀k∃j A new k Selection Sort: for i = 0…n { for j = i…n { find min index } if (min ≠ i) swap A[min], A[i] } for i = 0…n { for j = i…n { find min index } if (min ≠ i) swap A[min], A[i] }

Selection Sort: What VS 3 will let you do! A. Discover invariants with arbitrary quantification and boolean structure – ∀ : E.g. Sortedness – ∀∃ : E.g. Permutation.. ∀ k 1,k 2 k1k1 k2k2 j j.. A old ∀k∃j∀k∃j A new k Output array i<n j<n Find min index if (min != i) swap A[i], A[min] i:=0 j:=i

Selection Sort: Output array i<n j<n Find min index if (min != i) swap A[i], A[min] i:=0 j:=i Verification: Proving Programs Correct I outer I inner Sortedness Permutation Sortedness Permutation Output state true Input state The difficult task is program state (invariant) inference: I inner, I outer, Input state, Output state

Selection Sort: Output array i<n j<n Find min index if (min != i) swap A[i], A[min] i:=0 j:=i Verification: Proving Programs Correct Sortedness Permutation Sortedness Permutation Output state true Input state The difficult task is program state (invariant) inference: I inner, I outer, Input state, Output state ∀ k 1,k 2 : 0≤k 1 A[k 1 ] ≤A[k 2 ] i < j i ≤ min < n ∀ k 2 : 0≤k 2 ∧ i≤k 2 A[min] ≤A[k 2 ] ∀ k 1,k 2 : 0≤k 1 A[k 1 ] ≤A[k 2 ]

Selection Sort: Output array i<n j<n Find min index if (min != i) swap A[i], A[min] i:=0 j:=i Verification: Proving Programs Correct Sortedness Permutation Sortedness Permutation Output state true Input state The difficult task is program state (invariant) inference: I inner, I outer, Input state, Output state ∀ k 1,k 2 : 0≤k 1 A[k 1 ] ≤A[k 2 ] i < j i ≤ min < n ∀ k 1,k 2 : 0≤k 1 A[k 1 ] ≤A[k 2 ] ∀ k 2 : 0≤k 2 ∧ i≤k 2 A[min] ≤A[k 2 ] ∀ k 2 : ( ) => A[min] ≤A[k 2 ] ∀ k 1,k 2 : ( ) => A[k 1 ] ≤A[k 2 ] ( ) ∀ k 1,k 2 : ( ) => A[k 1 ] ≤A[k 2 ]

Selection Sort: Output array i<n j<n Find min index if (min != i) swap A[i], A[min] i:=0 j:=i Verification: Proving Programs Correct Sortedness Permutation Sortedness Permutation Output state true Input state The difficult task is program state (invariant) inference: I inner, I outer, Input state, Output state ∀ k 1,k 2 : 0≤k 1 A[k 1 ] ≤A[k 2 ] ∀ k 2 : ( ) => A[min] ≤A[k 2 ] ∀ k 1,k 2 : ( ) => A[k 1 ] ≤A[k 2 ] ( ) ∀ k 1,k 2 : ( ) => A[k 1 ] ≤A[k 2 ] ∀ k 2 : ( ) => A[min] ≤A[k 2 ] ( )

Bubble Sort: Output array i>0 j<i if (a[j] > a[j+1]) swap A[j], A[j+1] i:=n-1 j:=0 Verification: Proving Programs Correct ∀ k 1,k 2 : 0≤k 1 A[k 1 ] ≤A[k 2 ] ∀ k 1,k 2 : ( ) => A[k 1 ] ≤A[k 2 ] ∀ k 1,k 2 : ( ) => A[k 1 ] ≤A[k 2 ] ( ) ∀ k 1,k 2 : ( ) => A[k 1 ] ≤A[k 2 ] ∀ k 1,k 2 : ( ) => A[k 1 ] ≤A[k 2 ] ( )

User Input:Templates and Predicates Templates – Intuitive and simple Depending on the property being proved; form straight-forward Limited to the quantification and disjunction Unknown holes Relational operator, ≥ … Relational operator, ≥ … Program variables, array elements Program variables, array elements – E.g., {i j, i≤j, i≥j… } – Enumerate predicates of the form Predicate Abstraction

Tool architecture C Program Templates for invariants Predicate Sets CFG Cut-Set Preconditions Postconditions Invariants Preconditions Postconditions Invariants Microsoft’s Phoenix Compiler VS3 SMT Solver Verification Conditions Iterative Fixed-point GFP/LFP Constraint- based Fixed-Point Candidate Solutions Boolean Constraint SAT Solver

Fixed-point Computation Constraint-based (VMCAI’09) – Separately encode each VC as SAT constraint Local constraints  SAT clauses – Use SAT solver to do fixed-point computation – Compare against trivial approach: 1.6e14 minutes Iterative (PLDI’09) – Facts do not form a lattice, but power-set does – We ensure that if there exists an invariant we find it – Intelligent lattice search: SMT solver for tx-functions

Weakest Preconditions k1k1 k2k2 < Weakest conditions on input? Output array i<n j<n Find min index if (min != i) swap A[i], A[min] i:=0 j:=i Worst case behavior: swap every time it can

Example analyses Tool can verify: – Sorting algorithms: Selection, Insertion, Bubble, Quick, Merge Sort – Properties Output is Sorted Output contains all and only elements from the input Tool can infer preconditions: – Worst case input (precondition) for sorting: Reverse sorted array, all but Selection Sort Selection Sort: sorted array except last elem is smallest – Inputs for functional correctness: Binary search requires sorted array Merge in merge sort expect sorted inputs Missing initializers

Selection Sort: Output array i<n j<n Find min index if (min != i) swap A[i], A[min] i:=0 j:=i Demo: Selection Sort Sortedness Permutation Sortedness Permutation Output state true Input state The difficult task is program state (invariant) inference: I inner, I outer, Input state, Output state ∀ k 1,k 2 : 0≤k 1 A[k 1 ] ≤A[k 2 ] i < j i ≤ min < n ∀ k 2 : 0≤k 2 ∧ i≤k 2 A[min] ≤A[k 2 ] ∀ k 1,k 2 : 0≤k 1 A[k 1 ] ≤A[k 2 ]

Demo: Program

Demo: Output

Conclusions VS 3 : Verification tool over predicate abstraction Verification – Can infer quantified invariants Maximally-weak preconditions Builds on SMT Solvers, so exploits their power Project Webpage Future work

Recent extension: Synthesis Verification tool for quantified invariants – Reasoning about full functional specifications possible What if we had missing program fragments? – Still possible to verify if we allow the tool to plug-in equality predicates over program variables – Equality predicates translated to statements We can synthesize – Strassen’s Matrix Multiplication! – Sorting algorithms!