Presentation is loading. Please wait.

Presentation is loading. Please wait.

Prof. Necula CS 294-8 Lecture 121 Decision-Procedure Based Theorem Provers Tactic-Based Theorem Proving Inferring Loop Invariants CS 294-8 Lecture 12.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Prof. Necula CS 294-8 Lecture 121 Decision-Procedure Based Theorem Provers Tactic-Based Theorem Proving Inferring Loop Invariants CS 294-8 Lecture 12."— Presentation transcript:

1 Prof. Necula CS 294-8 Lecture 121 Decision-Procedure Based Theorem Provers Tactic-Based Theorem Proving Inferring Loop Invariants CS 294-8 Lecture 12

2 Prof. Necula CS 294-8 Lecture 122 Review Source language VCGen FOLTheories Sat. proc 1 Sat. proc n Goal-directed proving … ?

3 Prof. Necula CS 294-8 Lecture 123 Combining Satisfiability Procedures Consider a set of literals F –Containing symbols from two theories T 1 and T 2 We split F into two sets of literals –F 1 containing only literals in theory T 1 –F 2 containing only literals in theory T 2 –We name all subexpressions: p 1 (f 2 (E)) is split into f 2 (E) = n Æ p 1 (n) We have: unsat (F 1 Æ F 2 ) iff unsat(F) –unsat(F 1 ) Ç unsat(F 2 ) ) unsat(F) –But the converse is not true So we cannot compute unsat(F) with a trivial combination of the sat. procedures for T 1 and T 2

4 Prof. Necula CS 294-8 Lecture 124 Combining Satisfiability Procedures. Example Consider equality and arithmetic f(f(x) - f(y))  f(z)x  yy + z  x0  z false f(x) = f(y) y  x x = y 0 = z f(x) - f(y) = z f(f(x) - f(y)) = f(z)

5 Prof. Necula CS 294-8 Lecture 125 Combining Satisfiability Procedures Combining satisfiability procedures is non trivial And that is to be expected: –Equality was solved by Ackerman in 1924, arithmetic by Fourier even before, but E + A only in 1979 ! Yet in any single verification problem we will have literals from several theories: –Equality, arithmetic, lists, … When and how can we combine separate satisfiability procedures?

6 Prof. Necula CS 294-8 Lecture 126 Nelson-Oppen Method (1) 1.Represent all conjuncts in the same DAG f(f(x) - f(y))  f(z) Æ y ¸ x Æ x ¸ y + z Æ z ¸ 0 f - ff y x ¸ z0 ¸ + f ¸

7 Prof. Necula CS 294-8 Lecture 127 Nelson-Oppen Method (2) 2.Run each sat. procedure Require it to report all contradictions (as usual) Also require it to report all equalities between nodes f - ff y x ¸ z0 ¸ + f ¸

8 Prof. Necula CS 294-8 Lecture 128 Nelson-Oppen Method (3) 3.Broadcast all discovered equalities and re-run sat. procedures Until no more equalities are discovered or a contradiction arises f - ff y x ¸ z0 ¸ + f ¸ x Contradiction

9 Prof. Necula CS 294-8 Lecture 129 What Theories Can be Combined? Only theories without common interpreted symbols –But Ok if one theory takes the symbol uninterpreted Only certain theories can be combined –Consider ( Z, +, · ) and Equality –Consider: 1 · x · 2 Æ a = 1 Æ b = 2 Æ f(x)  f(a) Æ f(x)  f(b) –No equalities and no contradictions are discovered –Yet, unsatisfiable A theory is non-convex when a set of literals entails a disjunction of equalities without entailing any single equality

10 Prof. Necula CS 294-8 Lecture 1210 Handling Non-Convex Theories Many theories are non-convex Consider the theory of memory and pointers –It is not-convex: true ) A = A’ Ç sel(upd(M, A, V), A’) = sel(M, A’) (neither of the disjuncts is entailed individually) For such theories it can be the case that –No contradiction is discovered –No single equality is discovered –But a disjunction of equalities is discovered We need to propagate disjunction of equalities …

11 Prof. Necula CS 294-8 Lecture 1211 Propagating Disjunction of Equalities To propagate disjunctions we perform a case split: If a disjunction E 1 Ç … Ç E n is discovered: Save the current state of the prover for i = 1 to n { broadcast E i if no contradiction arises then return “satisfiable” restore the saved prover state } return “unsatisfiable”

12 Prof. Necula CS 294-8 Lecture 1212 Handling Non-Convex Theories Case splitting is expensive –Must backtrack (performance --) –Must implement all satisfiability procedures in incremental fashion (simplicity --) In some cases the splitting can be prohibitive: –Take pointers for example. upd(upd(…(upd(m, i 1, x), …, i n-1, x), i n, x) = upd(…(upd(m, j 1, x), …, j n-1, x) Æ sel(m, i 1 )  x Æ … Æ sel(m, i n )  x entails Ç j  k i j  i k (a conjunction of length n entails n 2 disjuncts)

13 Prof. Necula CS 294-8 Lecture 1213 Forward vs. Backward Theorem Proving

14 Prof. Necula CS 294-8 Lecture 1214 Forward vs. Backward Theorem Proving The state of a prover can be expressed as: H 1 Æ … Æ H n ) ? G –Given the hypotheses H i try to derive goal G A forward theorem prover derives new hypotheses, in hope of deriving G –If H 1 Æ … Æ H n ) H then move to state H 1 Æ … Æ H n Æ H ) ? G –Success state: H 1 Æ … Æ G Æ … H n ) ? G A forward theorem prover uses heuristics to reach G –Or it can exhaustively derive everything that is derivable !

15 Prof. Necula CS 294-8 Lecture 1215 Forward Theorem Proving Nelson-Oppen is a forward theorem prover: –The state is L 1 Æ … Æ L n Æ : L ) ? false –If L 1 Æ … Æ L n Æ : L ) E (an equality) then –New state is L 1 Æ … Æ L n Æ : L Æ E ) ? false (add the equality) –Success state is L 1 Æ … Æ L Æ … Æ : L Æ … L n ) ? false Nelson-Oppen provers exhaustively produce all derivable facts hoping to encounter the goal Case splitting can be explained this way too: –If L 1 Æ … Æ L n Æ : L ) E Ç E’ (a disjunction of equalities) then –Two new states are produced (both must lead to success) L 1 Æ … Æ L n Æ : L Æ E ) ? false L 1 Æ … Æ L n Æ : L Æ E’ ) ? false

16 Prof. Necula CS 294-8 Lecture 1216 Backward Theorem Proving A backward theorem prover derives new subgoals from the goal –The current state is H 1 Æ … Æ H n ) ? G –If H 1 Æ … Æ H n Æ G 1 Æ … Æ G n ) G (G i are subgoals) –Produce “n“ new states (all must lead to success): H 1 Æ … Æ H n ) ? G i Similar to case splitting in Nelson-Oppen: –Consider a non-convex theory: H 1 Æ … Æ H n ) E Ç E’ is same as H 1 Æ … Æ H n Æ : E Æ : E’ ) false (thus we have reduced the goal “false” to subgoals : E Æ : E’ )

17 Prof. Necula CS 294-8 Lecture 1217 Programming Theorem Provers Backward theorem provers most often use heuristics If it useful to be able to program the heuristics Such programs are called tactics and tactic-based provers have this capability –E.g. the Edinburgh LCF was a tactic based prover whose programming language was called the Meta-Language (ML) A tactic examines the state and either: –Announces that it is not applicable in the current state, or –Modifies the proving state

18 Prof. Necula CS 294-8 Lecture 1218 Programming Theorem Provers. Tactics. State = Formula list £ Formula –A set of hypotheses and a goal Tactic = State ! (State !  ) ! (unit !  ) !  –Continuation passing style –Given a state will invoke either the success continuation with a modified state or the failure continuation Example: a congruence-closure based tactic cc (h, g) c f = let e 1, …, e n new equalities in the congruence closure of h c (h [ {e 1, …, e n }, g) –A forward chaining tactic

19 Prof. Necula CS 294-8 Lecture 1219 Programming Theorem Provers. Tactics. Consider an axiom: 8 x. a(x) ) b(x) –Like the clause b(x) :- a(x) in Prolog This could be turned into a tactic clause (h, g) c f = if unif(g, b) =  then s (h,  (a)) else f () –A backward chaining tactic

20 Prof. Necula CS 294-8 Lecture 1220 Programming Theorem Provers. Tacticals. Tactics can be composed using tacticals Examples: THEN : tactic ! tactic ! tactic THEN t 1 t 2 = s. c. f. let newc s’ = t 2 s’ c f in t 1 s newc f REPEAT : tactic ! tactic REPEAT t = THEN t (REPEAT t) ORELSE : tactic ! tactic ! tactic ORELSE t 1 t 2 = s. c. f. let newf x = t 2 s c f in t 1 s c newf

21 Prof. Necula CS 294-8 Lecture 1221 Programming Theorem Provers. Tacticals Prolog is just one possible tactic: –Given tactics for each clause: c 1, …, c n –Prolog : tactic Prolog = REPEAT (c 1 ORLESE c 2 ORELSE … ORELSE c n ) Nelson-Oppen can also be programmed this way –The result is not as efficient as a special-purpose implementation This is a very powerful mechanism for semi-automatic theorem proving –Used in: Isabelle, HOL, and many others

22 Prof. Necula CS 294-8 Lecture 1222 Techniques for Inferring Loop Invariants

23 Prof. Necula CS 294-8 Lecture 1223 Inferring Loop Invariants Traditional program verification has several elements: –Function specifications and loop invariants –Verification condition generation –Theorem proving Requiring specifications from the programmer is often acceptable Requiring loop invariants is not acceptable –Same for specifications of local functions

24 Prof. Necula CS 294-8 Lecture 1224 Inferring Loop Invariants A set of cutpoints is a set of program points : –There is at least one cutpoint on each circular path in CFG –There is a cutpoint at the start of the program –There is a cutpoint before the return Consider that our function uses n variables x: We associate with each cutpoint an assertion I k (x) If  is a path from cutpoint k to j then : –R  (x) : Z n ! Z n expresses the effect of path  on the values of x at j as a function of those at k –P  (x) : Z n ! B is a path predicate that is true exactly of those values of x at k that will enable the path 

25 Prof. Necula CS 294-8 Lecture 1225 Cutpoints. Example. p 01 = true r 01 = { A Ã A, K Ã 0, L Ã len(A), S Ã 0,  Ã  } p 11 = K + 1 < L r 11 = { A Ã A, K Ã K + 1, L Ã L, S Ã S + sel( , A + K),  Ã  } p 12 = K + 1 ¸ L r 12 = r 11 Easily obtained through sym. eval. L = len(A) K = 0 S = 0 S = S + A[K] K ++ K < L return S 0 1 2

26 Prof. Necula CS 294-8 Lecture 1226 Equational Definition of Invariants A set of assertions is a set of invariants if: –The assertion for the start cutpoint is the precondition –The assertion for the end cutpoint is the postcondition –For each path from i to j we have 8 x. I i (x) Æ P ij (x) ) I j (R ij (x)) Now we have to solve a system of constraints with the unknowns I 1, …, I n-1 –I 0 and I n are known We will consider the simpler case of a single loop –Otherwise we might want to try solving the inner/last loop first

27 Prof. Necula CS 294-8 Lecture 1227 Invariants. Example. 1.I 0 ) I 1 (r 0 (x)) The invariant I 1 is established initially 2.I 1 Æ K+1 < L ) I 1 (r 1 (x)) The invariant I 1 is preserved in the loop 3.I 1 Æ K+1 ¸ L ) I 2 (r 1 (x)) The invariant I 1 is strong enough (i.e. useful)h L = len(A) K = 0 S = 0 S = S + A[K] K ++ K < L return S 0 1 2 roro r1r1

28 Prof. Necula CS 294-8 Lecture 1228 The Lattice of Invariants A few predicates satisfy condition 2 –Are invariant –Form a lattice true false Weak predicates satisfy the condition 1 –Are satisfied initially Strong predicates satisfy condition 3 –Are useful

29 Prof. Necula CS 294-8 Lecture 1229 Finding The Invariant Which of the potential invariants should we try to find ? We prefer to work backwards –Essentially proving only what is needed to satisfy I n –Forward is also possible but sometimes wasteful since we have to prove everything that holds at any point

30 Prof. Necula CS 294-8 Lecture 1230 Finding the Invariant Thus we do not know the “precondition” of the loop The weakest invariant that is strong enough has most chances of holding initially This is the one that we’ll try to find –And then check that it is weak enough true false

31 Prof. Necula CS 294-8 Lecture 1231 Induction Iteration Method Equation 3 gives a predicate weaker than any invariant I 1 Æ K+1 ¸ L ) I 2 (r 1 (x)) I 1 ) ( K+1 ¸ L ) I 2 (r 1 (x))) W 0 = K+1 ¸ L ) I 2 (r 1 (x)) Equation 2 suggest an iterative computation of the invariant I 1 I 1 ) (K+1 < L ) I 1 (r 1 (x))) false true

32 Prof. Necula CS 294-8 Lecture 1232 Induction Iteration Method Define a family of predicates W 0 = K+1 ¸ L ) I 2 (r 1 (x)) W j = W 0 Æ K+1 < L ) W j-1 (r 1 (x)) Properties of W j –W j ) W j-1 ) … ) W 0 (they form a strengthening chain) –I 1 ) W j (they are weaker than any invariant) –If W j-1 ) W j then W j is an invariant (satisfies both equations 2 and 3): W j ) K+1 < L ) W j (r 1 (x)) W j is the weakest invariant (recall domain theory, predicates form a domain, and we use the fixed point theorem to obtain least solutions to recursive equations)

33 Prof. Necula CS 294-8 Lecture 1233 Induction Iteration Method W = K+1 ¸ L ) I 2 (r 1 (x)) // This is W 0 W’ = true while (not (W’ ) W)) { W’ = W W = (K+1 ¸ L ) I 2 (r 1 (x))) Æ (K + 1 < L ) W’(r 1 (x))) } The only hard part is to check whether W’ ) W –We use a theorem prover for this purpose

34 Prof. Necula CS 294-8 Lecture 1234 Induction Iteration. The sequence of W j approaches the weakest invariant from above The predicate W j can quickly become very large –Checking W’ ) W becomes harder and harder This is not guaranteed to terminate false true W0W0 W2W2 W3W3 W1W1

35 Prof. Necula CS 294-8 Lecture 1235 Induction Iteration. Example. Consider that the strength condition is: I 1 ) K ¸ 0 Æ K < len(A) (array bounds) We compute the W’s: W 0 = K ¸ 0 Æ K < len(A) W 1 = W 0 Æ K+1<L ) K+1 ¸ 0 Æ K+1<len(A) W 2 = W 0 Æ K+1 < L ) (K + 1 ¸ 0 Æ K + 1 < len(A) Æ K+2< L ) K+2 ¸ 0 Æ K+2 < len(A))) … L = len(A) K = 0 S = 0 S = S + A[K] K ++ K < L return S 0 1 2 roro r1r1

36 Prof. Necula CS 294-8 Lecture 1236 Induction Iteration. Strengthening. We can try to strengthen the inductive invariant Instead of: W j = W 0 Æ K+1 < L ) W j-1 (r 1 (x)) we compute: W j = strengthen (W 0 Æ K+1 < L ) W j-1 (r 1 (x))) where strengthen(P) ) P We still have W j ) W j-1 and we stop when W j-1 ) W j –The result is still an invariant that satisfies 2 and 3

37 Prof. Necula CS 294-8 Lecture 1237 Strengthening Heuristics One goal of strengthening is simplification: –Drop disjuncts: P 1 Ç P 2 ! P 1 –Drop implications: P 1 ) P 2 ! P 2 A good idea is to try to eliminate variables changed in the loop body: –If W j does not depend on variables changed by r 1 (e.g. K, S) –W j+1 = W 0 Æ K+1 < L ) W j (r 1 (x)) = W 0 Æ K+1 < L ) W j –Now W j ) W j+1 and we are done !

38 Prof. Necula CS 294-8 Lecture 1238 Induction Iteration. Strengthening We are still in the “strong- enough” area We are making bigger steps And we might overshoot then weakest invariant We might also fail to find any invariant But we do so quickly false true W0W0 W2W2 W3W3 W1W1 W’ 2 W’ 1

39 Prof. Necula CS 294-8 Lecture 1239 One Strengthening Heuristic for Integers Rewrite W j in conjunctive normal form W 1 = K ¸ 0 Æ K < len(A) Æ (K + 1 < L ) K + 1 ¸ 0 Æ K + 1 < len(A)) = K ¸ 0 Æ K < len(A) Æ (K + 1 ¸ L Ç K + 1 < len(A)) Take each disjunction containing arithmetic literals –Negate it and obtain a conjunction of arithmetic literals K+1 < L Æ K+1 ¸ len(A) –Weaken the result by eliminating a variable (preferably a loop-modified variable) E.g., add the two literals: L > len(A) –Negate the result and get another disjunction: L · len(A) W 1 = K ¸ 0 Æ K < len(A) Æ L · len(A) (check that W 1 ) W 2 )

40 Prof. Necula CS 294-8 Lecture 1240 Induction Iteration We showed a way to compute invariants algoritmically –Similar to fixed point computation in domains –Similar to abstract interpretation on the lattice of predicates Then we discussed heuristics that improve the termination properties –Similar to widening in abstract interpretation

41 Prof. Necula CS 294-8 Lecture 1241 Theorem Proving. Conclusions. Theorem proving strengths –Very expressive Theorem proving weaknesses –Too ambitious A great toolbox for software analysis –Symbolic evaluation –Decision procedures Related to program analysis –Abstract interpretation on the lattice of predicates

Download ppt "Prof. Necula CS 294-8 Lecture 121 Decision-Procedure Based Theorem Provers Tactic-Based Theorem Proving Inferring Loop Invariants CS 294-8 Lecture 12."

Similar presentations

Assertion Checking over Combined Abstraction of Linear Arithmetic and Uninterpreted Functions Sumit Gulwani Microsoft Research, Redmond Ashish Tiwari SRI.

Assertion Checking over Combined Abstraction of Linear Arithmetic and Uninterpreted Functions Sumit Gulwani Microsoft Research, Redmond Ashish Tiwari SRI.
Exploiting SAT solvers in unbounded model checking

Exploiting SAT solvers in unbounded model checking
Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.

Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Some Prolog Prolog is a logic programming language

Some Prolog Prolog is a logic programming language
Computer Science CPSC 322 Lecture 25 Top Down Proof Procedure (Ch 5.2.2)

Computer Science CPSC 322 Lecture 25 Top Down Proof Procedure (Ch 5.2.2)
Inference Rules Universal Instantiation Existential Generalization

Inference Rules Universal Instantiation Existential Generalization
Dana Nau: Lecture slides for Automated Planning Licensed under the Creative Commons Attribution-NonCommercial-ShareAlike License:

Dana Nau: Lecture slides for Automated Planning Licensed under the Creative Commons Attribution-NonCommercial-ShareAlike License:
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers

Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 11.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
Inference and Reasoning. Basic Idea Given a set of statements, does a new statement logically follow from this. For example If an animal has wings and.

Inference and Reasoning. Basic Idea Given a set of statements, does a new statement logically follow from this. For example If an animal has wings and.
Methods of Proof Chapter 7, second half.. Proof methods Proof methods divide into (roughly) two kinds: Application of inference rules: Legitimate (sound)

Methods of Proof Chapter 7, second half.. Proof methods Proof methods divide into (roughly) two kinds: Application of inference rules: Legitimate (sound)
Methods of Proof Chapter 7, Part II. Proof methods Proof methods divide into (roughly) two kinds: Application of inference rules: Legitimate (sound) generation.

Methods of Proof Chapter 7, Part II. Proof methods Proof methods divide into (roughly) two kinds: Application of inference rules: Legitimate (sound) generation.
Logic.

Logic.
CPSC 422, Lecture 21Slide 1 Intelligent Systems (AI-2) Computer Science cpsc422, Lecture 21 Mar, 4, 2015 Slide credit: some slides adapted from Stuart.

CPSC 422, Lecture 21Slide 1 Intelligent Systems (AI-2) Computer Science cpsc422, Lecture 21 Mar, 4, 2015 Slide credit: some slides adapted from Stuart.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.

Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
CS 355 – Programming Languages

CS 355 – Programming Languages
An Integration of Program Analysis and Automated Theorem Proving Bill J. Ellis & Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt.

An Integration of Program Analysis and Automated Theorem Proving Bill J. Ellis & Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt.

Similar presentations

Ads by Google