Post on 22-Feb-2016
description
VS3: Verification and Synthesis usingSMT Solvers
SMT Solvers for Program Verification
Saurabh Srivastava *Sumit Gulwani ** Jeffrey S. Foster *
* University of Maryland, College Park** Microsoft Research, Redmond
What VS3 will let you do!
A. Discover invariants with arbitrary quantification and boolean structure– ∀: E.g. Sortedness
– ∀∃: E.g. Permutation
..∀k1,k2 k1 k2
€
≤
j....
Aold
∀k∃jAnew
k
Selection Sort:
for i = 0…n { for j = i…n { find min index } if (min ≠ i) swap A[min], A[i] }
Selection Sort:
What VS3 will let you do!
A. Discover invariants with arbitrary quantification and boolean structure– ∀: E.g. Sortedness
– ∀∃: E.g. Permutation
..∀k1,k2 k1 k2
€
≤
j....
Aold
∀k∃jAnew
k
Outputarray
i<n
j<n
Find min index
if (min != i) swap A[i], A[min]
i:=0
j:=i
Selection Sort:
Outputarray
i<n
j<n
Find min index
if (min != i) swap A[i], A[min]
i:=0
j:=i
Verification: Proving Programs Correct
Iouter
IinnerSortednessPermutatio
n
Output state
trueInput state
The difficult task is program state
(invariant) inference:
Iinner, Iouter, Input state, Output state
Selection Sort:
Outputarray
i<n
j<n
Find min index
if (min != i) swap A[i], A[min]
i:=0
j:=i
Verification: Proving Programs Correct
SortednessPermutatio
n
Output state
trueInput state
The difficult task is program state
(invariant) inference:
Iinner, Iouter, Input state, Output state
∀k1,k2 : 0≤k1<k2<n ∧ k1<i => A[k1] ≤A[k2]
i < j i ≤ min < n
∀k2 : 0≤k2∧i≤k2<j => A[min] ≤A[k2]
∀k1,k2 : 0≤k1<k2<n ∧ k1<i => A[k1] ≤A[k2]
∀k1,k2 : 0≤k1<k2<n => A[k1] ≤A[k2]
Selection Sort:
Outputarray
i<n
j<n
Find min index
if (min != i) swap A[i], A[min]
i:=0
j:=i
Verification: Proving Programs Correct
SortednessPermutatio
n
Output state
trueInput state
The difficult task is program state
(invariant) inference:
Iinner, Iouter, Input state, Output state
∀k1,k2 : 0≤k1<k2<n ∧ k1<i => A[k1] ≤A[k2]
∀k1,k2 : 0≤k1<k2<n => A[k1] ≤A[k2]
∀k1,k2 : 0≤k1<k2<n ∧ k1<i => A[k1] ≤A[k2]
i < j i ≤ min < n
∀k1,k2 : 0≤k1<k2<n ∧ k1<i => A[k1] ≤A[k2]
∀k2 : 0≤k2∧i≤k2<j => A[min] ≤A[k2] ∀k2 : (-----------) => A[min] ≤A[k2]
∀k1,k2 : (---------------) => A[k1] ≤A[k2]
(-------------------)
∀k1,k2 : (----------------) => A[k1] ≤A[k2]
Selection Sort:
Outputarray
i<n
j<n
Find min index
if (min != i) swap A[i], A[min]
i:=0
j:=i
Verification: Proving Programs Correct
SortednessPermutatio
n
Output state
trueInput state
The difficult task is program state
(invariant) inference:
Iinner, Iouter, Input state, Output state
∀k1,k2 : 0≤k1<k2<n => A[k1] ≤A[k2]
∀k2 : (-----------) => A[min] ≤A[k2]
∀k1,k2 : (---------------) => A[k1] ≤A[k2]
(-------------------)
∀k1,k2 : (----------------) => A[k1] ≤A[k2]∀k2 : (-----------) => A[min] ≤A[k2]
(-------------------)
Bubble Sort:
Outputarray
i>0
j<i
if (a[j] > a[j+1]) swap A[j], A[j+1]
i:=n-1
j:=0
Verification: Proving Programs Correct
∀k1,k2 : 0≤k1<k2<n => A[k1] ≤A[k2]
∀k1,k2 : (----------) => A[k1] ≤A[k2]
∀k1,k2 : (---------------) => A[k1] ≤A[k2]
(-------------------)
∀k1,k2 : (----------------) => A[k1] ≤A[k2]∀k1,k2 : (----------) => A[k1] ≤A[k2]
(-------------------)
User Input:Templates and Predicates• Templates
– Intuitive and simple• Depending on the property being proved; form straight-forward• Limited to the quantification and disjunction€
∀k1∃k2 : (−)⇒ (−)
€
∀k1,k2 : (−)⇒ (−)Unknown
holes
€
x opr yRelational operator
<, ≤, >, ≥ …
Program variables,array elements
– E.g., {i<j, i>j, i≤j, i≥j… }
– Enumerate predicates of the form• Predicate Abstraction
Tool architecture
C Program
Templates for invariants
Predicate Sets
CFG
Cut-Set
PreconditionsPostconditions
Invariants
Microsoft’s Phoenix Compiler VS3
SMT Solver
Verification Conditions
IterativeFixed-point
GFP/LFP
Constraint-based
Fixed-Point
Candidate Solutions
Boolean Constraint
SAT Solver
Fixed-point Computation• Constraint-based (VMCAI’09)
– Separately encode each VC as SAT constraint• Local constraints SAT clauses
– Use SAT solver to do fixed-point computation– Compare against trivial approach: 1.6e14 minutes
• Iterative (PLDI’09)– Facts do not form a lattice, but power-set does– We ensure that if there exists an invariant we find it– Intelligent lattice search: SMT solver for tx-functions
Weakest Preconditions
k1 k2
€
≤
<
Weakest conditions on input?
Outputarray
i<n
j<n
Find min index
if (min != i) swap A[i], A[min]
i:=0
j:=i Worst case behavior: swap every time it can
Example analyses• Tool can verify:
– Sorting algorithms: • Selection, Insertion, Bubble, Quick, Merge Sort
– Properties• Output is Sorted• Output contains all and only elements from the input
• Tool can infer preconditions:– Worst case input (precondition) for sorting:
• Reverse sorted array, all but Selection Sort• Selection Sort: sorted array except last elem is smallest
– Inputs for functional correctness:• Binary search requires sorted array• Merge in merge sort expect sorted inputs• Missing initializers
Selection Sort:
Outputarray
i<n
j<n
Find min index
if (min != i) swap A[i], A[min]
i:=0
j:=i
Demo: Selection Sort
SortednessPermutatio
n
Output state
trueInput state
The difficult task is program state
(invariant) inference:
Iinner, Iouter, Input state, Output state
∀k1,k2 : 0≤k1<k2<n ∧ k1<i => A[k1] ≤A[k2]
i < j i ≤ min < n
∀k2 : 0≤k2∧i≤k2<j => A[min] ≤A[k2]
∀k1,k2 : 0≤k1<k2<n ∧ k1<i => A[k1] ≤A[k2]
∀k1,k2 : 0≤k1<k2<n => A[k1] ≤A[k2]
Demo: Program
Demo: Output
Conclusions• VS3: Verification tool over predicate abstraction
• Verification– Can infer quantified invariants
• Maximally-weak preconditions
• Builds on SMT Solvers, so exploits their power
• Project Webpage http://www.cs.umd.edu/~saurabhs/pacs
Future work
Recent extension: Synthesis
• Verification tool for quantified invariants– Reasoning about full functional specifications possible
• What if we had missing program fragments?– Still possible to verify if we allow the tool to plug-in
equality predicates over program variables– Equality predicates translated to statements
• We can synthesize – Strassen’s Matrix Multiplication!– Sorting algorithms!
Constraint-based over Predicate Abstraction
post
pre
I1
I2
vc(pre,I1)
vc(I1,post) vc(I1,I2)
vc(I2,I2)vc(I2,I1)
Constraint-based over Predicate Abstraction
vc(pre,I1)
vc(I1,post)vc(I1,I2)
vc(I2,I2)
vc(I2,I1)
pred(I1)
€
∀k : (−)⇒ (−) template
p1,p2…pr p1,p2…pr
unknown 1 unknown 2
predicates
b11,b2
1…br
1b1
2,b22…br
2 boolean indicators
I1VCs are FOL formulae over unknowns I1,
I2
If we find assignments
bji = T/F
Then we are done!
Constraint-based over Predicate Abstraction
vc(pre,I1)
vc(I1,post)vc(I1,I2)
vc(I2,I2)
vc(I2,I1)
pred(I1)
pred(A) : A to unknown predicate
indicator variables
VCs are FOL formulae over unknowns I1,
I2
Constraint-based over Predicate Abstraction
vc(pre,I1)
vc(I1,post)vc(I1,I2)
vc(I2,I2)
vc(I2,I1)
boolc(pred(I1), pred(I2))
pred(A) : A to unknown predicate
indicator variables
boolc(pred(I1))
boolc(pred(I2), pred(I1))
boolc(pred(I2)) Boolean constraintto satisfying soln
(SAT Solver)
Invariant soln∧
boolc(pred(I1))
Program VCto boolean constraint
SAT formulae over predicate
indicators
Local reasoning Fixed-Point Computation
VCs are FOL formulae over unknowns I1,
I2
( I1 ∧ i≥n ) => ( sorted array )
Outputsortedarray
i<n
j<n
Find min index
if (min != i) swap A[i], A[min]
i:=0
j:=i
VC to Boolean Constraint
I1
I2
( I1 ∧ i≥n ) => ( ∀k1,k2 : 0≤k1<k2<n => A[k1] ≤A[k2] )
Outputsortedarray
i<n
j<n
Find min index
if (min != i) swap A[i], A[min]
i:=0
j:=i
VC to Boolean Constraint
I1
I2
VC to Boolean Constraint( I1 ∧ i≥n ) => ( ∀k1,k2 : 0≤k1<k2<n => A[k1] ≤A[k2] )
€
∀k1,k2 : (−)⇒ (−)template
(∀k1,k2 : ??1 => ??2
∧ i≥n ) => ( ∀k1,k2 : 0≤k1<k2<n => A[k1] ≤A[k2] ) Trivial search:
k x 2|Predicates| queries✗
p1
p2
…
Pred
icate
s
positive negativeΦ :
VC to Boolean Constraint( I1 ∧ i≥n ) => ( ∀k1,k2 : 0≤k1<k2<n => A[k1] ≤A[k2] )
€
∀k1,k2 : (−)⇒ (−)template
(∀k1,k2 : ??1 => ??2
∧ i≥n ) => ( ∀k1,k2 : 0≤k1<k2<n => A[k1] ≤A[k2] )
positive negativep1
p2
…
Pred
icate
s
Φ :
Φ[ ]
Query the SMT solver for the
maximally weakest value of negative
unknown ??2
There might be multiple
maximally weakest
N1 N1’N1’’…
⊤
⊥
Φ[p1 ] contains only negative
unknowns
VC to Boolean Constraint( I1 ∧ i≥n ) => ( ∀k1,k2 : 0≤k1<k2<n => A[k1] ≤A[k2] )
€
∀k1,k2 : (−)⇒ (−)template
(∀k1,k2 : ??1 => ??2
∧ i≥n ) => ( ∀k1,k2 : 0≤k1<k2<n => A[k1] ≤A[k2] )
positive negativep1
p2
…
Pred
icate
s
Φ :
Φ[ ] N1, N1’, N1’’…
…
N2, N2’, N2’’…Φ[ ]
VC to Boolean Constraint( I1 ∧ i≥n ) => ( ∀k1,k2 : 0≤k1<k2<n => A[k1] ≤A[k2] )
€
∀k1,k2 : (−)⇒ (−)template
(∀k1,k2 : ??1 => ??2
∧ i≥n ) => ( ∀k1,k2 : 0≤k1<k2<n => A[k1] ≤A[k2] )
positive negativep1
p2
…
N1, N1’, N1’’…
…
N2, N2’, N2’’…
bp1 bN1 ∨ bN1’ ∨ bN1’’ ∨… =>
Pred
icate
s
Φ :
VC to Boolean Constraint( I1 ∧ i≥n ) => ( ∀k1,k2 : 0≤k1<k2<n => A[k1] ≤A[k2] )
€
∀k1,k2 : (−)⇒ (−)template
(∀k1,k2 : ??1 => ??2
∧ i≥n ) => ( ∀k1,k2 : 0≤k1<k2<n => A[k1] ≤A[k2] )
positive negativep1
p2
…
N1, N1’, N1’’…
…
N2, N2’, N2’’…
bp1 bN1 ∨ bN1’ ∨ bN1’’ ∨… =>
bp2 bN2 ∨ bN2’ ∨ bN2’’ ∨… =>
Pred
icate
s
Φ :
Boolean SAT
formula
VC to Boolean Constraint( I1 ∧ i≥n ) => ( ∀k1,k2 : 0≤k1<k2<n => A[k1] ≤A[k2] )
€
∀k1,k2 : (−)⇒ (−)template
(∀k1,k2 : ??1 => ??2
∧ i≥n ) => ( ∀k1,k2 : 0≤k1<k2<n => A[k1] ≤A[k2] )
positive negativep1
p2
…
N1, N1’, N1’’…
…
N2, N2’, N2’’…
bp1 bN1 ∨ bN1’ ∨ bN1’’ ∨… =>
bp2 bN2 ∨ bN2’ ∨ bN2’’ ∨… =>
…Pred
icate
s
Φ :
Constraint-based over Predicate Abstraction
vc(pre,I1)
vc(I1,post)vc(I1,I2)
vc(I2,I2)
vc(I2,I1)
boolc(pred(I1), pred(I2))
pred(A) : A to unknown predicate
indicator variables
boolc(pred(I1))
boolc(pred(I2), pred(I1))
boolc(pred(I2)) Boolean constraintto satisfying soln
(SAT Solver)
Invariant soln∧
boolc(pred(I1))
Program VCto boolean constraint
SAT formulae over predicate
indicators
Local reasoning Fixed-Point Computation
VCs are FOL formulae over unknowns I1,
I2
✓
Engineering: Interface to SMT Solvers
SMT Solver
Axiomatic support, e.g.
reachability for lists
Tool SMT query
Explicit skolemization functions
• Solvers are not very good at handling ∀x∃y:f(x,y) queries
• In program verification such queries have specific forms
• Easy to find explicit skolemization functions: skl
• Convert ∀x∃y:f(x,y) ∀x:f(x,skl(x))
Engineering: Interface to SMT Solvers
SMT Solver
Axiomatic support, e.g.
reachability for lists
Tool SMT query
Explicit skolemization functions
• Induction facts arise in program verification
• E.g. ∀x : x>0 => f(x)=>f(x+1)
• SMT solvers can’t handle• Lift to induction result:
∀x : x>0 => f(1)=>f(x)
Lift inductive facts
Engineering: Interface to SMT Solvers
SMT Solver
Axiomatic support, e.g.
reachability for lists
Tool SMT query
Explicit skolemization functions
• For efficient SMT solving it is advisable to provide patterns for quantified facts
• E.g. ∀x : x>0 => f(x)<f(x+1) • If possible say, pattern set
{ x>0, f(x)<f(x+1) }• Easy to heuristically find
relevant patterns for verif.
Lift inductive facts
Domain specific patterns
Engineering: Interface to SMT Solvers
SMT Solver
Axiomatic support, e.g.
reachability for lists
Tool SMT query
Explicit skolemization functions
Lift inductive facts
Domain specific patterns
Runtimes: Sortedness
Selection Sort Insertion Sort Bubble Sort (n2) Bubble Sort (flag) Quick Sort Merge Sort0
2
4
6
8
10
12
14
16
LFPGFPCFP
seco
nds
Tool can prove sortedness for all
sorting algorithms!
Runtimes: Permutation
Selection Sort Insertion Sort Bubble Sort (n2) Bubble Sort (flag) Quick Sort Merge Sort0
5
10
15
20
25
30
35
40
LFPGFPCFP
∞ ∞
…
94.42
seco
nds
… no loss/no gain part of
permutation too!
Runtimes (GFP): Inferring worst case inputs for sorting
seco
nds
Selection Sort Insertion Sort Bubble Sort (n2) Bubble Sort (flag) Quick Sort Merge Sort0
5
10
15
20
25
30
35
40
45
Tool infers worst case inputs for all
sorting algorithms!
Nothing to infer as all inputs yield the same behavior