Program Analysis as Constraint Solving Sumit Gulwani (MSR Redmond) Ramarathnam Venkatesan (MSR...
-
Upload
clarence-harvey -
Category
Documents
-
view
223 -
download
3
Transcript of Program Analysis as Constraint Solving Sumit Gulwani (MSR Redmond) Ramarathnam Venkatesan (MSR...
Program Analysis as Constraint Solving
Sumit Gulwani(MSR Redmond)
Ramarathnam Venkatesan
(MSR Redmond)
Saurabh Srivastava(Univ. of Maryland)
Introduction
• Last decade has witnessed an engineering revolution in constraint solving.
• We have developed techniques to reduce classic program analysis problems to constraint solving (in the context of linear arithmetic properties).– Program Verification– Inter-procedural Program Analysis– Weakest Precondition Generation– Strongest Postcondition Generation
• We show applications of these techniques to– Proving termination/Bounds Analysis– Finding preconditions for non-termination– Most-general counterexamples
2
Introduction
• Last decade has witnessed an engineering revolution in constraint solving.
• We have developed techniques to reduce classic program analysis problems to constraint solving
(in the context of linear arithmetic properties).– Program Verification– Inter-procedural Program Analysis– Weakest Precondition Generation– Strongest Postcondition Generation
• We show applications of these techniques to– Proving termination/Bounds Analysis– Finding preconditions for non-termination– Most-general counterexamples 3
Program Verification
Verify a Hoare triple (Pre, Program, Post)
4
Prewhile (c) SPost
Pre ) II Æ :c ) Post(I Æ c)[S] ) I
9 II 8X
Second-order satisfiability constraint
Solving second-order satisfiability constraints
9I 8X Á1(I,X)
• Second-order to First-order– Assume I has some form, e.g., j ajxj ¸ 0– 9I 8X Á1(I,X) translates to 9aj 8X Á2(aj,X)
• First-order to “only existentially quantified”– Farkas Lemma helps translate 8 to 9– 8X (Æk(ek¸0) ) e¸0) iff 9k¸0 8X (e ´ + kkek)
• Eliminate X from polynomial equality by equating coefficients.
– 9aj 8X Á2(aj,X) translates to 9aj 9¸k Á3(aj,¸k)
• “only existentially quantified” to SAT– Bit-vector modeling for integer variables 5
Program Verification: Example
6
[n=1 Æ m=1]x := 0; y := 0;while (x < 100) x := x+n; y := y+m;[y ¸ 100]
a0 + a1x + a2y + a3n + a4m ¸ 0b0 + b1x + b2y + b3n + b4m ¸ 0
y ¸ x m ¸ 1n · 1
a2=b0=c4=1, a1=b3=c0=-1
a0 + a1x + a2y + a3n + a4m ¸ 0b0 + b1x + b2y + b3n + b4m ¸ 0c0 + c1x + c2y + c3n + c4m ¸ 0
y ¸ x m ¸ n
a2=b2=1, a1=b1=-1
a0 + a1x + a2y + a3n + a4m ¸ 0
Invalid triple or Imprecise Template
UNSAT
Invariant Template Satisfying Solution Loop Invariant
Outline
• Program Verification
Weakest Precondition Generation
• Termination/Bounds Analysis
• Most-general Counterexamples
7
Weakest Precondition
Find “weakest” Pre such that the Hoare triple (Pre, Program, Post) is valid.
8
[m ¸ n]x := 0; y := 0;while (x < 100) x := x+n; y := y+m;[y ¸ 100]
Weakest Precondition: Attempt 1
Find “weakest” Pre such that the Hoare triple (Pre, Program, Post) is valid.
9
Prewhile (c) SPost
Pre ) II Æ :c ) Post(I Æ c)[S] ) I
I 8X
Precondition Encoding
9 Pre, I
VC(Pre)8R: If R is weaker than Pre, then :VC(R)
9 Pre, I
VC(Pre)
“Weakest” Precondition Encoding
Unfortunately, Farkas lemma is no longer applicable since the formula is non-linear in universally quantified variables.
Weakest Precondition: Attempt 2
Find “weakest” Pre such that the Hoare triple (Pre, Program, Post) is valid.
10
Prewhile (c) SPost
Pre ) II Æ :c ) Post(I Æ c)[S] ) I
I 8X
Precondition Encoding
VC(Pre)Pre is weaker than false
9 Pre, I
Non-false Precondition Encoding
• m¸n+127 is a satisfying assignment for Pre.• However, this is still not “Weakest” Pre.
Prex := 0; y := 0;while (x < 100) x := x+n; y := y+m;[y ¸ 100]
9 Pre, I
VC(Pre)
Weakest Precondition: Attempt 3
Find “weakest” Pre such that the Hoare triple (Pre, Program, Post) is valid.
11
Prewhile (c) SPost
Pre ) II Æ :c ) Post(I Æ c)[S] ) I
I 8X
Precondition Encoding
VC(Pre)Pre is weaker than Previous Pre
9 Pre, I
“Weaker then Previous“ Precondition Encoding
• Seq. m¸n+127, m¸n+126,…, m¸n is admissible.• This iterative refinement is too slow.
Prex := 0; y := 0;while (x < 100) x := x+n; y := y+m;[y ¸ 100]
9 Pre, I
VC(Pre)
Weakest Precondition: Solution 1
Find “weakest” Pre such that the Hoare triple (Pre, Program, Post) is valid.
12
Prewhile (c) SPost
Pre ) II Æ :c ) Post(I Æ c)[S] ) I
I 8X
Precondition Encoding
VC(Pre)Pre is weaker then Previous Pre:VC(R1) Æ :VC(R2) …
9 Pre, I
Locally-weakest Precondition Encoding
V
k
V
k^
k
9 Pre, I
VC(Pre)
where R1, R2,… are weaker neighbors of Pre.
Prex := 0; y := 0;while (x < 100) x := x+n; y := y+m;[y ¸ 100]
Weaker Neighborhood Structure
Weaker neighbors of e1¸0 Æ e2¸0 are:
• e1+1¸0 Æ e2¸0
• e1¸0 Æ e2+1¸0
• e1+e2¸0 Æ e2¸0
• e1¸0 Æ e2+e1¸0
13
Shift plane ei parallel to itself.
Rotate plane ei along its intersection with another plane.
Geometric Interpretation
Weakest Precondition: Solution 1
Find “weakest” Pre such that the Hoare triple (Pre, Program, Post) is valid.
Prewhile (c) SPost
Pre ) II Æ :c ) Post(I Æ c)[S] ) I
I 8X
Precondition Encoding
VC(Pre) Æ :VC(R1) Æ :VC(R2) …
Pre is weaker than Previous Pre9 Pre, I
Locally-weakest Precondition Encoding
V
k
V
k^
k
9 Pre, I
VC(Pre)
Prex := 0; y := 0;while (x < 100) x := x+n; y := y+m;[y ¸ 100]
• We directly obtain m¸n.– m¸n+c is no longer locally-weakest for c>0.
• In fact, we obtain one more solution: n·0.• Generally, locally weakest weakest. Iteration may be
required.
Outline
• Program Verification
• Weakest Precondition Generation
Termination/Bounds Analysis
• Most-general Counterexample
15
Termination/Bounds Analysis
16
while (c) S
i := 0;while (c) i := i+1; Assert(i· F(inputs)); S
• Transformation introduces a counter to track loop iterations.
• Then we run “Program Verification” Algorithm.– Besides loop invariant, part F of assertion is also
unknown.– Existence of a solution yields a termination proof. – Solution for F gives upper bound on # of loop
iterations.
Outline
• Program Verification
• Weakest Precondition Generation
• Termination/Bounds Analysis
Most-general Counterexample
17
Most-general Counterexample
x := 0;while (x < n) Assert(x<200); x := x+y;
18
Prex := 0; err := 0; i := 0; while (x < n) i := i+1; Assert(i·F(n,y)); if (x¸200) err := 1; x := x+y;Assert (err=1)
• “n=356 and y=12” leads to a bug. However, it is more useful to say “y>0 Æ n¸200+y” leads to a bug. We generate this by:
• 2-step Transformation– Introduce error variable err to track assertion
violation.– Introduce counter i to track loop
iterations/termination.• Then, we run “weakest” Precondition algorithm.
Experiments: Methodology
• We ran our tool against academic/small benchmarks used by 10 earlier pieces of work that address a wide variety of program analyses related to linear arithmetic properties.– Inter-procedural analysis, Disjunctive invariant inference,
termination/bounds analysis, non-termination, strongest Postcondition generation.
• Parameters:– Templates: 2 conjuncts/1 disjunct– Bit-vector modeling: 3 bits for unknown coefficients, 6 bits
for unknown constants, 1 bit for multipliers ¸ in Farkas lemma
– Iteratively increased these quantities. 19
Experiments: Results
• Clauses generated: 5K to 560K (Most examples < 200K)
• Time taken: 0.1 sec to 80 sec (Most examples < 5 sec)– comparable; however, demonstrates versatility
20
0 100 200 300 400 500 6000
10
20
30
40
50
60
70
80
Clauses (K)
Tim
e (
s)
21
Related Work: Constraint based techniques
Invariant discovery• Linear [Colon, Sankaranarayanan, Sipma, CAV ‘03]• Non-linear [Sankaranarayanan et al, POPL ‘04]; [Kapur, ‘05] • Linear arithmetic + uninterpreted fns [Beyer et.al., VMCAI ‘07]
This work only addresses linear invariants, but • With arbitrary (pre-specified) boolean structure.• In an inter-procedural setting.• In a weakest precondition generation mode too.
Bug Finding• SATURN [Xie, Aiken, CAV ‘05]: works with loop-free programs
This work only addresses programs with linear assignments, but
• Finds most-general bugs in programs with loops
22
Conclusion
• Constraint-based techniques offer 2 advantages over fixed-point computation based techniques:– Goal-directed (may buy efficiency)– Do not require widening (may buy precision)
• This work showed how to reduce a wide variety of program analysis problems to constraint solving over the domain of linear arithmetic.
• Future work includes extending these ideas to other domains such as pointers, quantifiers.