Array Abstractions from Proofs
Ranjit Jhala (with T. Henzinger, R. Majumdar, K. McMillan)
The Safety Verification Problem
Program:
  0: x = i; y = i;
  1: while (x != 0) { x--; y--; }
  2: assert (y == 0);
How to automatically prove the assertion?

Transition relation (primed variables are the next-state values):
  0 -> 1:     x' = i ∧ y' = i
  1 -> 1:     x ≠ 0 ∧ x' = x - 1 ∧ y' = y - 1
  1 -> 2:     x = 0 ∧ x' = x ∧ y' = y
  2 -> error: y ≠ 0 ∧ x' = x ∧ y' = y   (the assertion is false)
Question: is there a path from an initial state to an error state?
Problem: the state graph is infinite.
Solution: represent a set of states as a logical formula.
Predicate Abstraction
• Predicates on the program state: b1: x = y, b2: y = 0
• States satisfying the same predicates are equivalent and are merged into one abstract state
• The number of abstract states is finite: the Boolean state variables b_i
[Misra-Agerwala 78] [Graf-Saidi 97]
Abstract States and Transitions
Predicates b1: x = y, b2: y = 0. Under the concrete transition x ≠ 0 ∧ x' = x - 1 ∧ y' = y - 1:
  (i=97, x=3, y=3) -> (i=97, x=2, y=2)   lifts to   (b1, ¬b2) -> (b1, ¬b2)
  (i=97, x=1, y=1) -> (i=97, x=0, y=0)   lifts to   (b1, ¬b2) -> (b1, b2)
Existential lifting: the abstract transition exists whenever some concrete state of the source abstract state steps to some concrete state of the target abstract state.
Abstract transitions are computed using decision procedures.
[Cousot-Cousot 77] [Clarke-Grumberg-Long 94]
Analyze Finite Abstraction
Overapproximation: abstract program safe ⇒ program safe.
Abstract program for b1: x = y, b2: y = 0: every reachable abstract state satisfies x = y, and the loop exit x = 0 is only enabled from states where y = 0 also holds, so the error transition y ≠ 0 is never enabled: Safe.
With b1: x = y, b2: x = 0 instead: after the exit, x = 0 ∧ x = y gives y = 0, so the error transition is again disabled: Safe.
How to find good abstractions (predicates)?
Counterexample-Guided Refinement
• Start with a seed abstraction
• Problem: spurious counterexamples (abstract error paths without a concrete counterpart), caused by the imprecision of merging states
• Solution: use the spurious counterexample to refine the abstraction
  1. Add predicates that distinguish the states across the cut
  2. Build the refined abstraction, which eliminates the counterexample
[Kurshan et al 93] [Clarke et al 00] [Ball-Rajamani 01]
Property Guided Reasoning (CEGAR)
  C program + assertions -> abstract -> check safety
    Yes: Safe
    No: abstract error path -> feasible?
      Feasible: Error
      Infeasible: relevant facts -> refine the abstraction -> check again
[Kurshan et al 93] [Clarke et al 00] [Ball-Rajamani 01]
Problem 1: Predicate Refinement
Infeasible path, with the predicate set {True} at every location the path is not refuted:
  True -[x' = i ∧ y' = i]-> True -[x ≠ 0 ∧ x' = x - 1 ∧ y' = y - 1]-> True -[x = 0]-> True -[y ≠ 0]-> True
New predicates (relevant facts) x = y, y = 0 refute the same path:
  True -[x' = i ∧ y' = i]-> x = y -[x ≠ 0 ∧ x' = x - 1 ∧ y' = y - 1]-> x = y -[x = 0]-> y = 0 -[y ≠ 0]-> False
How to find relevant facts from paths?
Problem 2: Complete Refinement
Weakest-precondition style facts for the same infeasible path:
  x = i ∧ y = i -[x ≠ 0 ∧ x' = x - 1 ∧ y' = y - 1]-> x = i - 1 ∧ y = i - 1 -[x = 0]-> i = 1 ∧ y = 0 -[y ≠ 0]-> False
New predicates: x = i, y = i, x = i - 1, y = i - 1, i = 1
Unrolling the loop once more yields x = i - 2, y = i - 2, i = 2, then x = i - 3, ... : the refinement diverges.
How to find facts so that the analysis terminates?
Problem 3: Expressive Refinement
  for (i = 0; i != n; i++) M[i] = 0;           relevant fact: all cells from 0 to i equal 0
                                                after the loop: all cells from 0 to n equal 0
  for (j = 0; j != n; j++) assert(M[j] == 0);   relevant fact: all cells from j to n equal 0
How to find facts that express complex properties of data?
Plan
Motivation: CEGAR
1. Predicate Refinement [POPL 04]
2. Complete Refinement [TACAS 06]
3. Expressive Refinement [CAV 07]
Pipeline: Infeasible Path -> ... -> Relevant Preds
Abstractions from Infeasible Paths
Infeasible error path, with the relevant facts F0 .. F4 we want at each cut:
  F0 -[x' = i ∧ y' = i]-> F1 -[x ≠ 0 ∧ x' = x - 1 ∧ y' = y - 1]-> F2 -[x = 0]-> F3 -[y ≠ 0]-> F4
Requirements on the relevant facts:
• each Fk is over the current values of the variables
• the initial state is arbitrary: F0 = True
• executing Op_k from F_{k-1} yields F_k
• the final location is unreachable: F4 = False
Abstractions from Infeasible Paths: 1. Path Constraints [SSA]
Give every assignment target a fresh version, so the path becomes a conjunction of constraints:
  C1: x0 = i0 ∧ y0 = i0
  C2: x0 ≠ 0 ∧ x1 = x0 - 1 ∧ y1 = y0 - 1
  C3: x1 = 0
  C4: y1 ≠ 0
C1 ∧ C2 ∧ C3 ∧ C4 is unsatisfiable iff the path is infeasible.
The requirements on F0 .. F4, restated over the constraints:
• V(Fk) = V(C1 .. Ck) ∩ V(Ck+1 .. Cn), i.e. over the current values: F2 is over x1, y1 (and i0), not over the stale x0, y0
• F0 = True
• F_{k-1} ∧ Ck implies Fk
• Fn = False
Abstractions from Infeasible Paths: 2. Craig Interpolants
How to find F0 .. Fn? Facts with exactly these three properties are the Craig interpolants of the constraint sequence C1 .. Cn:
  F0: True
  F1: x0 = y0
  F2: x1 = y1
  F3: y1 = 0
  F4: False
3. Relevant Facts: rename, dropping the SSA indices (x0, x1 -> x; y0, y1 -> y): x = y, y = 0
Predicate Localization
Use at each program location only the predicates needed there: the total number of predicates grows, but the number per location stays small.
  Interpolant -> location predicate map:  True;  x0 = y0 -> x = y;  x1 = y1 -> x = y;  y1 = 0 -> y = 0;  False
Local predicate use: number of abstract states linear. Global predicate use: number of abstract states exponential. Verification scales.
Results: NTDDK IRP Handler Property
[Figure: the IRP-handler state machine from [Fahndrich]: states start (NP / P), SKIP1, SKIP2, MPR1, MPR2, MPR3, NP, IPC, DC, PPC, N/A, end; transitions labelled CallDriver, Skip CallDriver, synch, Mark Pending, Complete request, completion, prop completion, no prop completion, return child status, return Pending, return not Pending, IRP accessible.]
Results: NTDDK IRP Handler Property
  Program  | Lines* | BLAST-old time (s) | BLAST-ITP time (s) | Localized predicates: total | average
  kbfiltr  |  12k   |   60               |   27               |   72  | 6.5
  floppy   |  17k   |  420               |   63               |  240  | 7.7
  diskprf  |  14k   |  300               |   32               |  140  | 10
  cdaudio  |  18k   | 1200               |   70               |  256  | 7.8
  parport  |  61k   |  DNF               |  128               |  753  | 8.1
  parclss  | 138k   |  DNF               |  210               |  382  | 7.2
  * pre-processed lines, 4-5x the original LOC; DNF = did not finish
Plan (progress)
Infeasible Path -> SSA Constraints -> Interpolants -> Rename -> Relevant Preds
1. Predicate Refinement [POPL 04]
2. Complete Refinement [TACAS 06]: open question: how to get the interpolants from the constraints?
3. Expressive Refinement [CAV 07]
Unsatisfiable Constraints to Interpolants?
Unsat constraints 1: C1, 2: C2, ..., n: Cn; interpolants F0, F1, ..., Fn-1, Fn with
  V(Fk) = V(C1 .. Ck) ∩ V(Ck+1 .. Cn),  F0 = True,  F_{k-1} ∧ Ck implies Fk,  Fn = False
Propositional constraints -> propositional interpolants: [Pudlak 97] [Krajicek 98] [McMillan 03]
First-order theories (EUF, arithmetic, arrays, ...)? Reduce to the propositional case via scoped proofs of unsatisfiability.
Plan (progress)
Infeasible Path -> SSA Constraints -> Scoped Proof -> Interpolants -> Rename -> Relevant Preds
1. Predicate Refinement [POPL 04]; 2. Complete Refinement [TACAS 06]: next, scoped proofs; 3. Expressive Refinement [CAV 07]
Proofs of Unsatisfiability
Constraints: 1: x = 0   2: y = x   3: z = y   4: z ≠ 0
A proof is a DAG:
• Roots = input constraints
• Vertices = axiom instances
• Sink = False
  Axiom Transitivity: from A = B and B = C derive A = C
  Axiom Disequality: from A = B and A ≠ B derive False
Derivation:  y = x, x = 0 ⊢ y = 0;   z = y, y = 0 ⊢ z = 0;   z = 0, z ≠ 0 ⊢ False
Scoped Proofs of Unsatisfiability
Constraints: 1: x = 0   2: y = x   3: z = y   4: z ≠ 0
Scope of a variable = the range of constraints it occurs in: x in 1-2, y in 2-3, z in 3-4.
A proof is well-scoped when every vertex carries a constraint index i such that
• Vertices: a fact p labelled i has all of its variables in scope at i
• Edges: a hypothesis p of a vertex labelled j has all of its variables in scope at j
Well-scoped proof (roots = input constraints, vertices = axiom instances, sink = False):
  1: x = 0;   2: y = x;   2: y = 0;   3: z = y;   3: z = 0;   4: z ≠ 0;   4: False
Plan (progress)
Infeasible Path -> SSA Constraints -> Scoped Proof -> Interpolants -> Rename -> Relevant Preds
2. Complete Refinement [TACAS 06]: open question: how to get interpolants from a scoped proof?
Scoped Proofs to Propositional Constraints
Propositional variables stand for the deduced facts: b1: x = 0, b2: y = x, b3: z = y, b4: z ≠ 0, b5: y = 0, b6: z = 0.
The constraint at i consists of the hypotheses at i and the axiom instances at i:
  1: b1
  2: b2 ∧ (¬b1 ∨ ¬b2 ∨ b5)
  3: b3 ∧ (¬b3 ∨ ¬b5 ∨ b6)
  4: b4 ∧ (¬b4 ∨ ¬b6)
Propositional interpolants: True, b1, b5, b6, False, i.e. True, x = 0, y = 0, z = 0, False.
Interpolant atoms = facts of the scoped proof.
Plan (progress)
Infeasible Path -> SSA Constraints -> Scoped Proof -> Propositional Interpolation -> Interpolants -> Rename -> Relevant Preds
2. Complete Refinement [TACAS 06]: open question: how to generate the scoped proof?
Scoped Proof Generation
Scoped saturation: derive consequences of the constraints, keeping only well-scoped facts.
  facts = C1 ∪ ... ∪ Cn
  repeat:
    hyps, axiom = choose(facts, axioms)
    newfact = apply(axiom, hyps)
    if scoped(newfact) then facts += newfact
  until saturated(axioms, facts) ∨ (False in facts)
Example: transitivity on 2: y = x and 3: z = y yields z = x, but x is not in scope at 3, so the fact is not scoped and is discarded; y = 0 at 2 and z = 0 at 3 are scoped and lead to False at 4.
Plan (progress)
Infeasible Path -> SSA Constraints -> Scoped Proof (by Scoped Saturation) -> Propositional Interpolation -> Interpolants -> Rename -> Relevant Preds
1. Predicate Refinement [POPL 04]; 2. Complete Refinement [TACAS 06]; 3. Expressive Refinement [CAV 07]
Completeness of CEGAR
Predicate abstraction: L = set of quantifier-free first-order predicates (QF); compute the strongest inductive invariant expressible in L.
Abstraction-refinement heuristic: chooses a sequence of sublanguages (predicate sets) P0 ⊆ P1 ⊆ P2 ⊆ ... from a broader language L.
A heuristic is complete for a language L iff it always eventually chooses a sublanguage P ⊆ L containing a safety invariant whenever L contains a safety invariant.
Trivially complete heuristic: enumerate the predicate sets of L ... impractical.
Divergence
Previous refinement heuristics are incomplete: they refine infinitely often even though a safety invariant exists in L.
  x = i; y = i; while (x != 0) { x--; y--; } assert (y == 0);
Good predicates: y = 0, x = y
Bad predicates, as produced by WP-based refinement and by unrestricted interpolant-based refinement:
  x = i, y = i, x = i - 1, y = i - 1, x = i - 2, y = i - 2, ...
  x = 0, y = 0, x = 1, y = 1, x = 2, y = 2, ...
Both sequences diverge.
Enforcing Completeness
Hierarchy of sublanguages: stratify L into finite languages L0 ⊆ L1 ⊆ L2 ⊆ ... ⊆ L (e.g. x = 0 and x = y in L0, x = 1 in L1, x = 2 in L2, ...).
1. Stratify L into the finite languages L0 ⊆ L1 ⊆ ... ⊆ L
2. Refine each counterexample at the lowest possible stratum
If an invariant is in L, then it is in some Lk; refinement then never exits Lk, and as Lk is finite, refinement converges.
Finding Predicates in Lk
Find interpolants in Lk: interpolant atoms are proof facts, so restrict the scoped proofs to Lk.
  Scoped Saturation(Lk):
    facts = C1 ∪ ... ∪ Cn
    repeat:
      hyps, axiom = choose(facts, axioms)
      newfact = apply(axiom, hyps)
      if scoped(newfact) and newfact in Lk then facts += newfact
    until saturated(axioms, facts) ∨ (False in facts)

How to Stratify the Language
Intuition: invariants have small constants.
Lk = predicates with constants up to k and uninterpreted-function nesting depth up to k.
  x = i; y = i; while (x != 0) { x--; y--; } assert (y == 0);
The good predicates y = 0, x = y lie in L0; stratification plus L-restriction forces termination at L0.
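The pipeline of the preceding slides (SSA constraints, scoped saturation under the vertex and edge rules, the L-restriction by stratum, interpolants, rename) as one added example; it is not code from the slides or from BLAST. It assumes a toy theory of offset equalities a = b + c and disequalities with two axioms (transitivity and the equality/disequality clash), it takes Fk to be the facts derived by step k whose variables lie in V(C1 .. Ck) ∩ V(Ck+1 .. Cn) instead of going through propositional interpolation, and it defines the stratum Lk as "constants of absolute value at most k". On the chain x = 0, y = x, z = y, z ≠ 0 it reproduces the interpolants x = 0, y = 0, z = 0 and discards the unscoped z = x; on the loop path it yields x0 = y0, x1 = y1, y1 = 0 and the predicates x = y, y = 0. With these toy axioms the loop path needs an intermediate fact with offset 1 (x1 = y0 - 1), so the stratified search closes at L1 rather than at the L0 the slides reach with fuller arithmetic reasoning.

```python
"""Scoped saturation and interpolant extraction over offset equalities.
Added example, not code from the slides or from BLAST.  A literal is
("eq", a, b, c) for a = b + c or ("ne", a, b, c) for a != b + c, where a and b
are SSA variables or "0", the integer zero (assumed in scope everywhere)."""
import re
from itertools import product
ZERO, FALSE = "0", ("false",)

def lit(kind, a, b, c=0):
    """Canonical literal: smaller variable first, "0" last (x = 0, never 0 = x)."""
    key = lambda t: "~" if t == ZERO else t
    return (kind, b, a, -c) if key(a) > key(b) else (kind, a, b, c)

def oriented(l):   return [l, (l[0], l[2], l[1], -l[3])]            # symmetry
def variables(l):  return set() if l == FALSE else {t for t in l[1:3] if t != ZERO}
def constant(l):   return 0 if l == FALSE else abs(l[3])

def consequences(p, q):
    """Axiom instances with hypotheses p, q: transitivity of = (a = a + c with
    c != 0 is a clash) and the clash between a = b + c and a != b + c."""
    for (k1, a, b, c), (k2, d, e, f) in product(oriented(p), oriented(q)):
        if k1 == "eq" and k2 == "eq" and b == d:
            if a != e:
                yield lit("eq", a, e, c + f)
            elif c + f != 0:
                yield FALSE
        if k1 == "eq" and k2 == "ne" and (a, b, c) == (d, e, f):
            yield FALSE

def scoped_saturation(path, max_const=None):
    """Saturate C1..Cn, admitting a new fact only if it is well-scoped (vertex
    and edge rules) and, when max_const = k is given, lies in the stratum L_k.
    Returns {fact: derivation step}, or None if False was not derived."""
    first, last = {}, {}
    for k, cons in enumerate(path, 1):
        for l in cons:
            for v in variables(l):
                first.setdefault(v, k)
                last[v] = k
    in_scope = lambda l, k: all(first[v] <= k <= last[v] for v in variables(l))
    facts = {lit(*l): k for k, cons in enumerate(path, 1) for l in cons}
    changed = True
    while changed and FALSE not in facts:
        changed = False
        for (p, i), (q, j) in product(list(facts.items()), repeat=2):
            k = max(i, j)                                   # step of the new vertex
            for new in consequences(p, q):
                if max_const is not None and constant(new) > max_const:
                    continue                                # L-restriction
                if not (in_scope(new, k) and in_scope(p, k) and in_scope(q, k)):
                    continue                                # not well-scoped
                if facts.get(new, k + 1) > k:
                    facts[new] = k
                    changed = True
    return facts if FALSE in facts else None

def interpolants(path, facts):
    """F_k = facts derived by step k over V(C1..Ck) ∩ V(Ck+1..Cn), or False once
    False is derived.  F_{k-1} ∧ Ck implies F_k because every hypothesis of a
    step-k vertex is in scope at k, hence already lies in the k-1 interface."""
    seqs = []
    for k in range(len(path) + 1):
        pre = set().union(*(variables(l) for cons in path[:k] for l in cons))
        post = set().union(*(variables(l) for cons in path[k:] for l in cons))
        if facts[FALSE] <= k:
            seqs.append(frozenset([FALSE]))
        else:
            seqs.append(frozenset(l for l, s in facts.items()
                                  if l != FALSE and s <= k and variables(l) <= pre & post))
    return seqs

def show(l):
    if l == FALSE:
        return "False"
    kind, a, b, c = l
    rhs = str(c) if b == ZERO else (b if c == 0 else f"{b}{c:+d}")
    return f"{a}{'=' if kind == 'eq' else '!='}{rhs}"

def rename(l):                                              # x1 = y1 becomes x = y
    strip = lambda v: v if v == ZERO else re.sub(r"\d+$", "", v)
    return FALSE if l == FALSE else lit(l[0], strip(l[1]), strip(l[2]), l[3])

def refine(path, max_stratum=8):
    """Stratified refinement: lowest k whose L_k-restricted proof closes, plus
    the rendered interpolants and the renamed predicates."""
    for k in range(max_stratum + 1):
        facts = scoped_saturation(path, max_const=k)
        if facts is not None:
            itps = interpolants(path, facts)
            rendered = [" & ".join(sorted(map(show, f))) or "True" for f in itps]
            preds = {show(rename(l)) for f in itps for l in f if l != FALSE}
            return k, rendered, sorted(preds)
    return None

# Constructed inputs: the slides' two infeasible paths in SSA form.
CHAIN = [[("eq", "x", ZERO, 0)], [("eq", "y", "x", 0)], [("eq", "z", "y", 0)], [("ne", "z", ZERO, 0)]]
LOOP = [[("eq", "x0", "i0", 0), ("eq", "y0", "i0", 0)],                          # x = i; y = i
        [("ne", "x0", ZERO, 0), ("eq", "x1", "x0", -1), ("eq", "y1", "y0", -1)],  # x != 0; x--; y--
        [("eq", "x1", ZERO, 0)],                                                 # loop exit: x == 0
        [("ne", "y1", ZERO, 0)]]                                                 # error: y != 0
```

refine(CHAIN) returns (0, ['True', 'x=0', 'y=0', 'z=0', 'False'], ['x=0', 'y=0', 'z=0']) and refine(LOOP) returns (1, ['True', 'x0=y0', 'x1=y1', 'y1=0', 'False'], ['x=y', 'y=0']); scoped_saturation(LOOP, max_const=0) returns None, which is the stratum-0 failure that makes the search move up. The step label of a derived fact is the larger of its hypotheses' labels, and the fact x1 = i0 - 1 that WP-based refinement would produce is rejected because i0 is out of scope after C1.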
Some "trivial" benchmarks, example: substring copy
  main() {
    char x[*], z[*];
    int from, to, i, j, k;
    i = from; j = 0;
    while (x[i] != 0 && i < to) { z[j] = x[i]; i++; j++; }
    /* forall k. 0 <= k && k < j => z[k] != 0 */
    assert !(0 <= k && k < j && z[k] == 0);
  }
Results
Columns: SatAbs, Magic, BLAST (L-restriction). Marks: X = refinement fails, TO = timeout; the bug, diverge and verified-safe marks did not survive extraction, so only X and TO are shown.
  simple loop          X X
  array copy           X
  two loops            X X
  array fill (increment)   X
  array fill (fixed size)  X X
  zero fill            X X
  scan for zero        X X
  string overflow      X X
  string concat (size) X
  string concat (ovfl) X X TO
  string copy          X X
  substring (size)     X X
  substring (ovfl)     X X
Plan (progress)
Infeasible Path -> SSA Constraints -> Scoped Proof (by Scoped Saturation with L-Restriction) -> Propositional Interpolation -> Interpolants -> Rename -> Relevant Preds
1. Predicate Refinement [POPL 04]; 2. Complete Refinement [TACAS 06]; 3. Expressive Refinement [CAV 07]
Problem 3: Expressive Refinement
  for (i = 0; i != n; i++) M[i] = 0;           all cells from 0 to i equal 0; after the loop, all cells from 0 to n equal 0
  for (j = 0; j != n; j++) assert(M[j] == 0);   all cells from j to n equal 0
How to infer complex facts over structures?
1. Specialized abstractions for such facts
2. Specialized axioms for proof generation
Abstraction: Range Predicates
RP(t1, t2, p): for all cells α from t1 up to (but excluding) t2, property p holds:
  RP(t1, t2, p) = p[t1/α] ∧ (t1 + 1 = t2 ∨ RP(t1 + 1, t2, p))
Examples:
  RP(0, i, M[α] = 0): all cells from 0 to i are 0
  RP(0, n, M[α] ≥ 0): all cells from 0 to n are non-negative
  RP(i, n, M[α] ≤ M[α + 1]): the cells from i to n are sorted
Verification with Range Predicates
  for (i = 0; i != n; i++) M[i] = 0;           RP(0, i, M[α] = 0); after the loop RP(0, n, M[α] = 0)
  for (j = 0; j != n; j++) assert(M[j] == 0);   RP(j, n, M[α] = 0)
Range predicates from infeasible paths?
Range Predicate Axioms
High-level reasoning for array segments: Create (Generalize), Use (Instantiate), Extend, Shrink, Join, Preserve (after update).
  Generalize:   hyps: P[t/α]                         conseq: RP(t, t + 1, P)
                e.g. M[i] = 0 ⊢ RP(i, i + 1, M[α] = 0)
  Inst-Left:    hyps: RP(t1, t2, P)                  conseq: P[t1/α]
                e.g. RP(j, n, M[α] = 0) ⊢ M[j] = 0
  Extend-Left:  hyps: P[t1/α], RP(t1 + 1, t2, P)     conseq: RP(t1, t2, P)
                e.g. M[i] = 0, RP(i + 1, n, M[α] = 0) ⊢ RP(i, n, M[α] = 0)
CEGAR using Range Predicates
Program:
  for (i = 0; i != n; i++) M[i] = 0;
  for (j = 0; j != n; j++) assert(M[j] == 0);
Transitions:
  i' = 0
  i ≠ n ∧ M' = UPD(M, i, 0) ∧ i' = i + 1
  i = n
  j' = 0
  j ≠ n ∧ M[j] = 0 ∧ j' = j + 1
  j ≠ n ∧ M[j] ≠ 0   (error)
Infeasible error path (two iterations of the first loop, one of the second): 1. Path Constraints [SSA], with 2. the Interpolant after each step:
  0: i1 = 0                                            i1 = 0
  1: i1 ≠ n ∧ M1 = UPD(M0, i1, 0) ∧ i2 = i1 + 1        RP(0, i2, M1[α] = 0)
  2: i2 ≠ n ∧ M2 = UPD(M1, i2, 0) ∧ i3 = i2 + 1        RP(0, i3, M2[α] = 0)
  3: i3 = n                                            RP(0, n, M2[α] = 0)
  4: j1 = 0                                            RP(j1, n, M2[α] = 0)
  5: j1 ≠ n ∧ M2[j1] = 0 ∧ j2 = j1 + 1                 RP(j2, n, M2[α] = 0)
  6: j2 ≠ n ∧ M2[j2] ≠ 0                               False
The L-restriction prevents the diverging facts M[0] = 0, M[1] = 0, M[2] = 0, ...
3. Relevant Facts, after renaming: i = 0, RP(0, i, M[α] = 0), RP(0, n, M[α] = 0), RP(j, n, M[α] = 0)
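The range-predicate axioms of the previous slides as executable rules, driven along the SSA path just shown, as an added example; it is not the slides' or BLAST's code. It assumes a fixed representation RP(t1, t2, M, v) for the slides' RP(t1, t2, M[α] = v), index terms as (variable, offset) pairs, and a minimal arithmetic oracle that only knows the path's own SSA equalities, so it decides a side condition such as j ≥ t2 or t1 + 1 < t2 only when both terms reduce to the same base and refuses it otherwise (along this path every index reduces to a concrete offset from 0, which is why the disequalities j ≠ n are not needed separately). Beside the slides' named axioms, the read-over-write rule for UPD, the Extend-Right and Shrink-Left variants, and the rewrite rule that replaces index terms by equal interface variables are assumptions of this example. Each axiom returns None when its side condition is not met: preserving RP(0, i2, M1[α] = 0) across a write inside [0, i2) is refused, as is shrinking a range that may hold a single cell.

```python
"""Range-predicate axioms as executable rules, driven along an infeasible path.
Added example, not code from the slides.  RP(t1, t2, M, v) stands for the
slides' RP(t1, t2, M[α]=v): every cell M[a] with t1 <= a < t2 equals v, with
t1 < t2.  Index terms are (variable, offset) pairs; "0" is the integer zero."""
import re

def plus(t, k):
    return (t[0], t[1] + k)

class Arith:
    """Equalities v = base + k taken from an SSA path (each variable is defined
    once).  Terms normalise to (base, offset), so the axioms' side conditions
    are decided by comparing offsets over a common base, and refused otherwise."""
    def __init__(self):
        self.defs = {}
    def equal(self, v, t):
        self.defs[v] = t
    def norm(self, t):
        v, k = t
        while v in self.defs:
            v, k0 = self.defs[v]
            k += k0
        return (v, k)
    def same(self, s, t):
        return self.norm(s) == self.norm(t)
    def less(self, s, t):
        (a, i), (b, j) = self.norm(s), self.norm(t)
        return a == b and i < j

def RP(t1, t2, arr, v): return ("RP", t1, t2, arr, v)
def Cell(arr, t, v):    return ("cell", arr, t, v)

# Each axiom returns its consequence, or None when a side condition is not met.
def read_over_write(A, upd):      # M' = UPD(M, j, w)  ==>  M'[j] = w
    new, _old, j, w = upd
    return Cell(new, j, w)

def generalize(A, cell):          # Create:  M[t] = v  ==>  RP(t, t+1, M[α]=v)
    _, arr, t, v = cell
    return RP(t, plus(t, 1), arr, v)

def inst_left(A, rp):             # Use:  RP(t1, t2, P)  ==>  P[t1/α]
    _, t1, _t2, arr, v = rp
    return Cell(arr, t1, v)

def extend_right(A, rp, cell):    # RP(t1, t2, P), P[t2/α]  ==>  RP(t1, t2+1, P)
    _, t1, t2, arr, v = rp
    _, arr2, t, v2 = cell
    if (arr, v) == (arr2, v2) and A.same(t, t2):
        return RP(t1, plus(t2, 1), arr, v)

def shrink_left(A, rp):           # RP(t1, t2, P), t1+1 < t2  ==>  RP(t1+1, t2, P)
    _, t1, t2, arr, v = rp
    if A.less(plus(t1, 1), t2):
        return RP(plus(t1, 1), t2, arr, v)

def preserve(A, rp, upd):         # RP over M, M' = UPD(M, j, w), j outside [t1, t2)  ==>  RP over M'
    _, t1, t2, arr, v = rp
    new, old, j, _w = upd
    if arr == old and (A.less(j, t1) or A.same(j, t2) or A.less(t2, j)):
        return RP(t1, t2, new, v)

def rewrite(A, rp, s1, s2):       # RP(t1, t2, P), t1 = s1, t2 = s2  ==>  RP(s1, s2, P)
    _, t1, t2, arr, v = rp
    if A.same(t1, s1) and A.same(t2, s2):
        return RP(s1, s2, arr, v)

def show(f):
    term = lambda t: str(t[1]) if t[0] == "0" else (t[0] if t[1] == 0 else f"{t[0]}{t[1]:+d}")
    if f[0] == "RP":
        return f"RP({term(f[1])}, {term(f[2])}, {f[3]}[α]={f[4]})"
    return f"{f[1]}[{term(f[2])}]={f[3]}"

def rename(f):                    # drop SSA indices: RP(0, i2, M1[α]=0) becomes RP(0, i, M[α]=0)
    strip = lambda s: s if s == "0" else re.sub(r"\d+$", "", s)
    _, t1, t2, arr, v = f
    return RP((strip(t1[0]), t1[1]), (strip(t2[0]), t2[1]), strip(arr), v)

def derive_along_path():
    """The slides' path: i = 0; two iterations of M[i] = 0, i++; exit on i == n;
    j = 0; one iteration of the checking loop; then the error edge M[j] != 0.
    Returns the RP fact at each cut, whether the error was refuted, and the
    renamed predicates."""
    A, c = Arith(), (lambda v, k=0: (v, k))
    A.equal("i1", c("0"))                                        # 0: i1 = 0
    upd1 = ("M1", "M0", c("i1"), 0); A.equal("i2", c("i1", 1))   # 1: M1 = UPD(M0, i1, 0), i2 = i1+1
    upd2 = ("M2", "M1", c("i2"), 0); A.equal("i3", c("i2", 1))   # 2: M2 = UPD(M1, i2, 0), i3 = i2+1
    A.equal("n", c("i3"))                                        # 3: i3 = n
    A.equal("j1", c("0"))                                        # 4: j1 = 0
    A.equal("j2", c("j1", 1))                                    # 5: M2[j1] = 0, j2 = j1+1
    error = Cell("M2", c("j2"), 0)                               # 6: j2 != n, M2[j2] != 0
    f1 = rewrite(A, generalize(A, read_over_write(A, upd1)), c("0"), c("i2"))
    f2 = rewrite(A, extend_right(A, preserve(A, f1, upd2), read_over_write(A, upd2)), c("0"), c("i3"))
    f3 = rewrite(A, f2, c("0"), c("n"))
    f4 = rewrite(A, f3, c("j1"), c("n"))
    f5 = rewrite(A, shrink_left(A, f4), c("j2"), c("n"))
    cuts = [f1, f2, f3, f4, f5]
    refuted = inst_left(A, f5) == error                          # M2[j2] = 0 clashes with M2[j2] != 0
    return [show(f) for f in cuts], refuted, sorted({show(rename(f)) for f in cuts})
```

derive_along_path() returns the five cut facts RP(0, i2, M1[α]=0), RP(0, i3, M2[α]=0), RP(0, n, M2[α]=0), RP(j1, n, M2[α]=0), RP(j2, n, M2[α]=0), the flag True, and the renamed predicates RP(0, i, M[α]=0), RP(0, n, M[α]=0), RP(j, n, M[α]=0). Every fact the proof needs stays over the array and index variables live at its cut, which is what keeps the predicates in the finite stratum instead of the cell-by-cell facts M[0] = 0, M[1] = 0, ...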
Verification with Range Predicates (the facts found)
  for (i = 0; i != n; i++) M[i] = 0;           RP(0, i, M[α] = 0); after the loop RP(0, n, M[α] = 0)
  for (j = 0; j != n; j++) assert(M[j] == 0);   RP(j, n, M[α] = 0)
Results
  Program      | Time | Predicates | Iterations
  initialize   |  1 s |   18       |   7
  vararg       |  2 s |   14       |   8
  copy         |  4 s |   29       |  11
  copy-prop    | 10 s |   38       |  17
  find         |  2 s |   20       |  12
  partition    |  8 s |   37       |  14
  partial-init |  5 s |   32       |  12
  producer     | 45 s |   39       |  41
  insert       | 90 s |   74       |  36
  scull        |  9 s |   36       |  14
Find
  spot = M_len;
  for (i = 0; i != M_len; i++)
    if (spot == M_len && M[i] != 0) { spot = i; break; }
  for (j = 0; j != spot; j++) assert(M[j] == 0);
Relevant facts: RP(0, i, M[α] = 0), RP(0, spot, M[α] = 0), RP(j, spot, M[α] = 0)
Vararg
  n = 0;
  while (argv[n] != NULL) n++;
  for (j = n; n != 0; j--) assert(argv[j] != NULL);
Relevant facts: RP(0, n, argv[α] != NULL), RP(0, j, argv[α] != 0)
Partial-Initialize
  k = 0;
  for (i = 0; i != n; i++)
    if (X[i] == 0) { Z[k] = i; k++; }
  for (j = 0; j != k; j++) assert(X[Z[j]] == 0);
Relevant facts: RP(0, k, X[Z[α]] = 0), RP(j, k, X[Z[α]] = 0)
Producer-Consumer
  head = 0; tail = 0;
  while (1) {
    if (?) {                          // produce
      buf[head] = data[head]; prod_ctr++; head++;
    } else {                          // consume
      if (head != tail) assert(buf[tail] == data[head]);
      cons_ctr++; tail++;
    }
  }
Relevant fact: RP(tail, head, buf[α] = data[α])
Plan (complete)
Infeasible Path -> SSA Constraints -> Scoped Proof (by Scoped Saturation with L-Restriction and the range-predicate Axioms) -> Propositional Interpolation -> Interpolants -> Rename -> Relevant Preds
1. Predicate Refinement [POPL 04]; 2. Complete Refinement [TACAS 06]; 3. Expressive Refinement [CAV 07]
Discussion: Benefits
• Lazy: localized, relevant facts, tailored to the program and the property
• Complete: language stratification plus L-restriction
• Extensible: just add axioms; avoids hand-written abstract transformers / transfer functions; plays well with other theories (EUF, arithmetic, ...)

Discussion: Drawbacks
• Lazy: many proofs exist, and only the "right" proof yields the "right" facts; short counterexamples yield "wrong" facts, which delays convergence and causes state-space explosion (e.g. insertion sort)
Future work:
• Bias the solver towards "better" proofs
• Axioms for data structures
• Accelerated proofs that refute multiple paths at once
Conclusion
Motivation: CEGAR. From an infeasible path to relevant predicates:
1. Predicate Refinement [POPL 04]: interpolants from the path's SSA constraints
2. Complete Refinement [TACAS 06]: scoped proofs with L-restriction
3. Expressive Refinement [CAV 07]: axioms for range predicates