1 / 39

VS 3 : V erification and S ynthesis using S MT S olvers SMT Solvers for Program Verification

VS 3 : V erification and S ynthesis using S MT S olvers SMT Solvers for Program Verification. Saurabh Srivastava * Sumit Gulwani ** Jeffrey S. Foster * * University of Maryland, College Park ** Microsoft Research, Redmond. What VS 3 will let you do! .

miyo
Download Presentation

VS 3 : V erification and S ynthesis using S MT S olvers SMT Solvers for Program Verification

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. VS3: Verification and Synthesis usingSMT SolversSMT Solvers for Program Verification Saurabh Srivastava * Sumit Gulwani ** Jeffrey S. Foster * * University of Maryland, College Park ** Microsoft Research, Redmond

  2. What VS3 will let you do! A. Discover invariants with arbitrary quantification and boolean structure • ∀: E.g. Sortedness • ∀∃: E.g. Permutation • Selection Sort: for i = 0…n { for j = i…n { find min index } if (min ≠ i) swap A[min], A[i] } .. ∀k1,k2 k1 k2 Aold .. j .. k • Anew ∀k∃j

  3. What VS3 will let you do! A. Discover invariants with arbitrary quantification and boolean structure • ∀: E.g. Sortedness • ∀∃: E.g. Permutation • Selection Sort: i:=0 i<n j:=i j<n Output array Find min index .. • if (min != i) • swap A[i], A[min] ∀k1,k2 k1 k2 Aold .. j .. k • Anew ∀k∃j

  4. Verification: Proving Programs Correct Input state true • Selection Sort: i:=0 Iouter i<n j:=i Output state Iinner j<n Sortedness Permutation Output array Find min index The difficult task is program state (invariant) inference: Iinner, Iouter, Input state, Output state • if (min != i) • swap A[i], A[min]

  5. Verification: Proving Programs Correct Input state true • Selection Sort: ∀k1,k2 : 0≤k1<k2<n∧ k1<i => A[k1] ≤A[k2] i:=0 i < j i ≤ min < n i<n j:=i ∀k1,k2 : 0≤k1<k2<n∧ k1<i => A[k1] ≤A[k2] Output state ∀k2 : 0≤k2∧i≤k2<j => A[min] ≤A[k2] j<n Sortedness Permutation Output array Find min index The difficult task is program state (invariant) inference: Iinner, Iouter, Input state, Output state ∀k1,k2 : 0≤k1<k2<n => A[k1] ≤A[k2] • if (min != i) • swap A[i], A[min]

  6. Verification: Proving Programs Correct Input state true • Selection Sort: ∀k1,k2 : 0≤k1<k2<n∧ k1<i => A[k1] ≤A[k2] ∀k1,k2 : 0≤k1<k2<n∧ k1<i => A[k1] ≤A[k2] ∀k1,k2 : (----------------) => A[k1] ≤A[k2] i:=0 (-------------------) i < j i ≤ min < n i<n j:=i ∀k1,k2 : 0≤k1<k2<n∧ k1<i => A[k1] ≤A[k2] ∀k1,k2 : (---------------) => A[k1] ≤A[k2] Output state ∀k2 : 0≤k2∧i≤k2<j => A[min] ≤A[k2] ∀k2 : (-----------) => A[min] ≤A[k2] j<n Sortedness Permutation Output array Find min index The difficult task is program state (invariant) inference: Iinner, Iouter, Input state, Output state ∀k1,k2 : 0≤k1<k2<n => A[k1] ≤A[k2] • if (min != i) • swap A[i], A[min]

  7. Verification: Proving Programs Correct Input state true • Selection Sort: (-------------------) ∀k1,k2 : (----------------) => A[k1] ≤A[k2] ∀k2 : (-----------) => A[min] ≤A[k2] i:=0 (-------------------) i<n j:=i ∀k1,k2 : (---------------) => A[k1] ≤A[k2] Output state ∀k2 : (-----------) => A[min] ≤A[k2] j<n Sortedness Permutation Output array Find min index The difficult task is program state (invariant) inference: Iinner, Iouter, Input state, Output state ∀k1,k2 : 0≤k1<k2<n => A[k1] ≤A[k2] • if (min != i) • swap A[i], A[min]

  8. Verification: Proving Programs Correct • Bubble Sort: (-------------------) ∀k1,k2 : (----------------) => A[k1] ≤A[k2] ∀k1,k2 : (----------) => A[k1] ≤A[k2] i:=n-1 (-------------------) i>0 j:=0 ∀k1,k2 : (---------------) => A[k1] ≤A[k2] ∀k1,k2 : (----------) => A[k1] ≤A[k2] j<i Output array • if (a[j] > a[j+1]) • swap A[j], A[j+1] ∀k1,k2 : 0≤k1<k2<n => A[k1] ≤A[k2]

  9. User Input:Templates and Predicates • Templates • Intuitive and simple • Depending on the property being proved; form straight-forward • Limited to the quantification and disjunction Unknown holes • Predicate Abstraction Program variables, array elements • Enumerate predicates of the form Relational operator <, ≤, >, ≥ … • E.g., {i<j, i>j, i≤j, i≥j… }

  10. Tool architecture Microsoft’s Phoenix Compiler Cut-Set VS3 Verification Conditions C Program CFG Templates for invariants Iterative Fixed-point GFP/LFP Constraint- based Fixed-Point Predicate Sets SMT Solver Candidate Solutions Boolean Constraint SAT Solver Preconditions Postconditions Invariants

  11. Fixed-point Computation • Constraint-based (VMCAI’09) • Separately encode each VC as SAT constraint • Local constraints  SAT clauses • Use SAT solver to do fixed-point computation • Compare against trivial approach: 1.6e14 minutes • Iterative (PLDI’09) • Facts do not form a lattice, but power-set does • We ensure that if there exists an invariant we find it • Intelligent lattice search: SMT solver for tx-functions

  12. Weakest Preconditions Weakest conditions on input? k2 k1 < i:=0 i<n j:=i j<n Output array Worst case behavior: swap every time it can Find min index • if (min != i) • swap A[i], A[min]

  13. Example analyses • Tool can verify: • Sorting algorithms: • Selection, Insertion, Bubble, Quick, Merge Sort • Properties • Output is Sorted • Output contains all and only elements from the input • Tool can infer preconditions: • Worst case input (precondition) for sorting: • Reverse sorted array, all but Selection Sort • Selection Sort: sorted array except last elem is smallest • Inputs for functional correctness: • Binary search requires sorted array • Merge in merge sort expect sorted inputs • Missing initializers

  14. Demo: Selection Sort Input state true • Selection Sort: ∀k1,k2 : 0≤k1<k2<n∧ k1<i => A[k1] ≤A[k2] i:=0 i < j i ≤ min < n i<n j:=i ∀k1,k2 : 0≤k1<k2<n∧ k1<i => A[k1] ≤A[k2] Output state ∀k2 : 0≤k2∧i≤k2<j => A[min] ≤A[k2] j<n Sortedness Permutation Output array Find min index The difficult task is program state (invariant) inference: Iinner, Iouter, Input state, Output state ∀k1,k2 : 0≤k1<k2<n => A[k1] ≤A[k2] • if (min != i) • swap A[i], A[min]

  15. Demo: Program

  16. Demo: Output

  17. Conclusions • VS3: Verification tool over predicate abstraction • Verification • Can infer quantified invariants • Maximally-weak preconditions • Builds on SMT Solvers, so exploits their power • Project Webpage http://www.cs.umd.edu/~saurabhs/pacs Future work

  18. Recent extension: Synthesis • Verification tool for quantified invariants • Reasoning about full functional specifications possible • What if we had missing program fragments? • Still possible to verify if we allow the tool to plug-in equality predicates over program variables • Equality predicates translated to statements • We can synthesize • Strassen’s Matrix Multiplication! • Sorting algorithms!

  19. Constraint-based over Predicate Abstraction pre vc(pre,I1) I1 vc(I1,post) vc(I1,I2) I2 post vc(I2,I2) vc(I2,I1)

  20. Constraint-based over Predicate Abstraction If we find assignments bji= T/F Then we are done! pred(I1) vc(pre,I1) vc(I1,post) b11,b21…br1 b12,b22…br2 boolean indicators vc(I1,I2) p1,p2…pr p1,p2…pr predicates vc(I2,I1) unknown 2 unknown 1 template vc(I2,I2) I1 VCs are FOL formulae over unknowns I1, I2

  21. Constraint-based over Predicate Abstraction pred(I1) vc(pre,I1) vc(I1,post) vc(I1,I2) vc(I2,I1) vc(I2,I2) VCs are FOL formulae over unknowns I1, I2 pred(A) : A to unknown predicate indicator variables

  22. Constraint-based over Predicate Abstraction SAT formulae over predicate indicators Program VC to boolean constraint boolc(pred(I1)) vc(pre,I1) boolc(pred(I1)) vc(I1,post) Invariant soln ∧ boolc(pred(I1), pred(I2)) vc(I1,I2) boolc(pred(I2), pred(I1)) vc(I2,I1) boolc(pred(I2)) vc(I2,I2) Boolean constraint to satisfying soln (SAT Solver) VCs are FOL formulae over unknowns I1, I2 pred(A) : A to unknown predicate indicator variables Fixed-Point Computation Local reasoning

  23. VC to Boolean Constraint ( I1 ∧i≥n ) => ( sorted array ) i:=0 I1 i<n j:=i I2 j<n Output sorted array Find min index • if (min != i) • swap A[i], A[min]

  24. VC to Boolean Constraint ( I1 ∧i≥n ) => ( ∀k1,k2 : 0≤k1<k2<n => A[k1] ≤A[k2] ) i:=0 I1 i<n j:=i I2 j<n Output sorted array Find min index • if (min != i) • swap A[i], A[min]

  25. VC to Boolean Constraint ( I1 ∧i≥n ) => ( ∀k1,k2 : 0≤k1<k2<n => A[k1] ≤A[k2] ) template ✗ Φ : (∀k1,k2 : ??1 => ??2 ∧i≥n ) => ( ∀k1,k2 : 0≤k1<k2<n => A[k1] ≤A[k2] ) Trivial search: k x 2|Predicates| queries positive negative p1 p2 Predicates …

  26. VC to Boolean Constraint ( I1 ∧i≥n ) => ( ∀k1,k2 : 0≤k1<k2<n => A[k1] ≤A[k2] ) template Φ : (∀k1,k2 : ??1 => ??2 ∧i≥n ) => ( ∀k1,k2 : 0≤k1<k2<n => A[k1] ≤A[k2] ) positive negative p1 Φ[ ] ⊤ p2 Predicates N1 … N1’’ N1’ … Query the SMT solver for the maximally weakest value of negative unknown ??2 There might be multiple maximally weakest Φ[p1 ]contains only negative unknowns ⊥

  27. VC to Boolean Constraint ( I1 ∧i≥n ) => ( ∀k1,k2 : 0≤k1<k2<n => A[k1] ≤A[k2] ) template Φ : (∀k1,k2 : ??1 => ??2 ∧i≥n ) => ( ∀k1,k2 : 0≤k1<k2<n => A[k1] ≤A[k2] ) positive negative p1 Φ[ Φ[ ] ] N1, N1’, N1’’… p2 Predicates N2, N2’, N2’’… … …

  28. VC to Boolean Constraint ( I1 ∧i≥n ) => ( ∀k1,k2 : 0≤k1<k2<n => A[k1] ≤A[k2] ) template Φ : (∀k1,k2 : ??1 => ??2 ∧i≥n ) => ( ∀k1,k2 : 0≤k1<k2<n => A[k1] ≤A[k2] ) positive negative p1 bp1 N1, N1’, N1’’… => bN1 ∨ bN1’∨ bN1’’ ∨… p2 Predicates N2, N2’, N2’’… … …

  29. VC to Boolean Constraint ( I1 ∧i≥n ) => ( ∀k1,k2 : 0≤k1<k2<n => A[k1] ≤A[k2] ) template Φ : (∀k1,k2 : ??1 => ??2 ∧i≥n ) => ( ∀k1,k2 : 0≤k1<k2<n => A[k1] ≤A[k2] ) positive negative p1 bp1 N1, N1’, N1’’… => bN1 ∨ bN1’∨ bN1’’ ∨… p2 Predicates N2, N2’, N2’’… bp2 => bN2 ∨ bN2’∨ bN2’’ ∨… … …

  30. VC to Boolean Constraint ( I1 ∧i≥n ) => ( ∀k1,k2 : 0≤k1<k2<n => A[k1] ≤A[k2] ) template Φ : (∀k1,k2 : ??1 => ??2 ∧i≥n ) => ( ∀k1,k2 : 0≤k1<k2<n => A[k1] ≤A[k2] ) positive negative p1 bp1 N1, N1’, N1’’… => bN1 ∨ bN1’∨ bN1’’ ∨… p2 Predicates N2, N2’, N2’’… bp2 => bN2 ∨ bN2’∨ bN2’’ ∨… Boolean SAT formula … … …

  31. Constraint-based over Predicate Abstraction SAT formulae over predicate indicators Program VC to boolean constraint ✓ boolc(pred(I1)) vc(pre,I1) boolc(pred(I1)) vc(I1,post) Invariant soln ∧ boolc(pred(I1), pred(I2)) vc(I1,I2) boolc(pred(I2), pred(I1)) vc(I2,I1) boolc(pred(I2)) vc(I2,I2) Boolean constraint to satisfying soln (SAT Solver) VCs are FOL formulae over unknowns I1, I2 pred(A) : A to unknown predicate indicator variables Fixed-Point Computation Local reasoning

  32. Engineering: Interface to SMT Solvers Explicit skolemization functions • Solvers are not very good at handling ∀x∃y:f(x,y) queries • In program verification such queries have specific forms • Easy to find explicit skolemization functions:skl • Convert ∀x∃y:f(x,y) ∀x:f(x,skl(x)) Tool SMT query SMT Solver Axiomatic support, e.g. reachability for lists

  33. Engineering: Interface to SMT Solvers Explicit skolemization functions • Induction facts arise in program verification • E.g. ∀x : x>0 => f(x)=>f(x+1) • SMT solvers can’t handle • Lift to induction result: ∀x : x>0 => f(1)=>f(x) Lift inductive facts Tool SMT query SMT Solver Axiomatic support, e.g. reachability for lists

  34. Engineering: Interface to SMT Solvers Explicit skolemization functions • For efficient SMT solving it is advisable to provide patterns for quantified facts • E.g. ∀x : x>0 => f(x)<f(x+1) • If possible say, pattern set { x>0, f(x)<f(x+1) } • Easy to heuristically find relevant patterns for verif. Lift inductive facts Tool SMT query Domain specific patterns SMT Solver Axiomatic support, e.g. reachability for lists

  35. Engineering: Interface to SMT Solvers Explicit skolemization functions Lift inductive facts Tool SMT query Domain specific patterns SMT Solver Axiomatic support, e.g. reachability for lists

  36. Runtimes: Sortedness Tool can prove sortedness for all sorting algorithms! seconds

  37. Runtimes: Permutation 94.42 … no loss/no gain part of permutation too! … seconds ∞ ∞

  38. Runtimes (GFP): Inferring worst case inputs for sorting Tool infers worst case inputs for all sorting algorithms! seconds Nothing to infer as all inputs yield the same behavior

More Related