Post on 23-Feb-2016
© Anvesh Komuravelli

Quantified Invariants in Rich Domains using Model Checking and Abstract Interpretation
Anvesh Komuravelli, CMU
Joint work with Ken McMillan

The Problem
Array-manipulating program P + assertions
Automatic analysis for assertion failures:
• Safe + Proof
• Unsafe + CEX
• Unknown + Partial Proof
Quantified invariants!

Quantified Invariants, Typically
Specialized abstract domains, e.g. segmentation abstraction, indexed predicate abstraction, points-to analysis, etc.
• Restrictive
• False warnings
Unrestricted model checking, e.g. interpolation-based
• Hard to find the right quantifiers
• Divergence
Rich-enough abstract domain?

The abstract domain
    i := 0;
    while (i < n) {
      a[i] := c;
      i++;
    }
    assume (0 ≤ k < n)
    assert (a[k] = c)
Quantified variables
Predicate signature
Abstract domain
Goal: Find a quantifier-free interpretation of the predicates

Guess-and-check doesn’t work anymore!
(Same array-init program as above.)
Given a guess for P, how to check if it suffices?
FOL validity is undecidable!
Can we still use existing model checkers?

Let’s look at the VCs
(Same array-init program as above.)
• Pulled to the outermost scope
• Real challenge! Find a sufficient set of witnesses
• Reduces to quantifier-free invariant generation (use an off-the-shelf model checker)

Two Goals
(Same program, quantified variables, predicate signature and abstract domain as above.)
Goal 1: Find a sufficient set of witnesses for j
Goal 2: Find a quantifier-free interpretation of the predicates

A Strategy
Guess some witnesses → check if they suffice using a model checker → Y: found proof; N: give up!
Eager syntactic pattern matching [BMR13]
• Unguided instantiation
• Worst-case unbounded
• Grows exponentially with the number of quantified vars
• May choke the model checker
• No fall-back strategy
[BMR13]: On Solving Universally Quantified Horn Clauses, Bjørner, McMillan, Rybalchenko, SAS’13

Our Strategy
Guess some witnesses → check if they suffice using a model checker → Y: found proof; N: CEX → refine the guess (constraint on the witness) → guess again
Guess-and-check, but of the witnesses and not the invariant itself

Obtaining Strong Constraints
Generalized counterexamples → strong constraints
Symbolic counterexamples:
• Number of variables = O(size)
• Constraint solving becomes harder (easily diverging)
Ground counterexamples + abstract interpretation

Note – one witness suffices!
is equivalent to
May not be expressible!

Concrete vs. Abstract

The algorithm
VCs: [B], [L], [E]
Instantiate: B → P(k0,v0,i0,c0) → L → P(k1,v1,i1,c1) → L → P(k2,v2,i2,c2) → E
Check
Analyze: ground counterexamples along the path, e.g. P(0,0,0,0) → P(0,0,1,0) → P(0,0,2,0) and P(0,0,0,0) → P(0,1,0,0) → P(0,2,0,0), each step marked ✕?
Use k for j
Instantiate again for [B], [L], [E] with the new witness, and so on …

Finding a new witness
Given constraint
Check: local vars, quantified variable
Skolem template f
Solve for t using a sampling-based approach; restrict to linear templates

Quantifier Alternation using Sampling
• Pick candidate tc
• Check tc: Y → return tc; N → CEX lc
• Add lc to the existing samples S
• Look for a new candidate tc consistent with S: Y → new candidate tc (repeat); N → CEX S
Source of divergence!
Quantifier Elimination
• Eliminate arrays (thanks to Nikolaj for the discussion)
• Cheap QE of integers
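As an added example (not from the slides or the prototype), the guess-and-check-of-witnesses loop of the “Our Strategy” and “Quantifier Alternation using Sampling” slides, in plain Python on the deck’s array-init program: the quantifier-free interpretation of P, the coefficient range of the linear templates and the bounded-enumeration “check” standing in for the model checker / SMT call are all assumptions made here.

```python
from itertools import product

# Constructed toy instance (assumption, not from the deck): the assertion VC of the
# array-init program, with local variables k (asserted index), i (loop counter),
# n (bound), array a and constant c.  The quantified invariant P(j, a[j], i, c) is
# ASSUMED to be  0 <= j < i -> a[j] = c, the expected quantifier-free interpretation.
IDX = range(0, 4)                                  # array indices of the bounded check
LOCALS = list(product(range(-1, 4), repeat=3))     # (k, i, n) valuations
ARRAYS = [list(a) for a in product((0, 1), repeat=len(IDX))]

def ground_vc(j, k, i, n, a, c):
    """Assertion VC with the invariant instantiated at witness j:
    P(j, a[j], i, c) and i >= n and 0 <= k < n  ->  a[k] = c.
    Indices are guarded, so j and k stay inside IDX whenever they are read."""
    inv_at_j = not (0 <= j < i) or a[j] == c
    premise = inv_at_j and i >= n and 0 <= k < n
    return (not premise) or a[k] == c

def apply_template(t, k, i, n):
    """Linear Skolem template t = (ak, ai, an, d): j := ak*k + ai*i + an*n + d."""
    ak, ai, an, d = t
    return ak * k + ai * i + an * n + d

def check(t):
    """The 'check' step: does the VC hold for ALL valuations once j := t(k, i, n)?
    Bounded enumeration stands in for the model checker / SMT call.
    Returns a counterexample valuation (k, i, n, a, c), or None if t suffices."""
    for (k, i, n), a, c in product(LOCALS, ARRAYS, (0, 1)):
        if not ground_vc(apply_template(t, k, i, n), k, i, n, a, c):
            return (k, i, n, a, c)
    return None

def synthesize_witness(coeff_range=range(-1, 2)):
    """Guess-and-check of the WITNESS, not the invariant: pick a template that
    satisfies the VC on every sampled counterexample in S, check it, and on
    failure add the new counterexample lc to S.  Returns (template, S)."""
    templates = list(product(coeff_range, repeat=4))
    samples = []                                         # S
    while True:
        cand = next((t for t in templates
                     if all(ground_vc(apply_template(t, k, i, n), k, i, n, a, c)
                            for (k, i, n, a, c) in samples)), None)
        if cand is None:              # template space exhausted: no linear witness
            return None, samples      # (with unbounded templates this loop may diverge)
        cex = check(cand)
        if cex is None:
            return cand, samples      # sufficient witness found
        samples.append(cex)           # refine the guess with lc
```

synthesize_witness() returns ((1, 0, 0, 0), S), i.e. the witness j := k that the “Use k for j” slide arrives at; the constant template (0, 0, 0, 0) is rejected by check() with a ground counterexample.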

Abstract Post, in practice
Solve an SMT problem, generalize models:
1. Cheap QE tricks, case-split on equalities on j (the array-index arguments), etc.
2. Under-approximate, otherwise.

Experiments
• Implemented “qe_array” tactic in Z3
• Prototype in Python using the Z3Py interface for witness generation
• Automatically generated “sufficient witnesses” for small array-manipulating programs (BMR13): array init, find, copy, concatenate, reverse, etc.
• Used the GPDR engine in Z3 to solve for quantifier-free predicates
• Up to two universal quantifiers per predicate
• Witness was just a local variable in the VC

Moving forward…
Scalability
• Handle large programs (with multiple procedures)
• How to pick a relevant “set” of witnesses?
• Can we synthesize guards to combine them into a single witness?
Implementation-wise
• Cache previous AI results
• Reuse bounded proofs – proof-based abstraction
• Lazy QE – postponing to later steps?
Alternatives
• Use over-approximations of reachable states
• Witness may not exist – need to refine the approximation

Questions?