Simplifying Loop Invariant Generation Using Splitter Predicates. Rahul Sharma Işil Dillig, Thomas Dillig, and Alex Aiken Stanford University

Similar documents
Lecture 6. Abstract Interpretation

Verifying the Safety of Security-Critical Applications

VS 3 : SMT Solvers for Program Verification

Invariant Generation in Vampire

Inductive Invariant Generation via Abductive Inference

Functor abstract domain by example

Lingva: Generating and Proving Program Properties using Symbol Elimination

Reasoning About Loops Using Vampire

The Apron Library. Bertrand Jeannet and Antoine Miné. CAV 09 conference 02/07/2009 INRIA, CNRS/ENS

Decomposition Instead of Self- Composition for Proving the Absence of Timing Channels

Overview. Verification with Functions and Pointers. IMP with assertions and assumptions. Proof rules for Assert and Assume. IMP+: IMP with functions

Program Verification using Templates over Predicate Abstraction. Saurabh Srivastava and Sumit Gulwani

Interval Polyhedra: An Abstract Domain to Infer Interval Linear Relationships

Tree Interpolation in Vampire

Minimum Satisfying Assignments for SMT. Işıl Dillig, Tom Dillig Ken McMillan Alex Aiken College of William & Mary Microsoft Research Stanford U.

Abstract Interpretation

Symbolic Heap Abstraction with Demand- Driven Axiomatization of Memory Invariants

Widening Operator. Fixpoint Approximation with Widening. A widening operator 2 L ˆ L 7``! L is such that: Correctness: - 8x; y 2 L : (y) v (x y)

Program Verification using Templates over Predicate Abstraction

Lecture 4. First order logic is a formal notation for mathematics which involves:

Lectures 20, 21: Axiomatic Semantics

Programming Languages Third Edition

Small Formulas for Large Programs: On-line Constraint Simplification In Scalable Static Analysis

Hierarchical Shape Abstraction of Dynamic Structures in Static Blocks

SLR: Path-Sensitive Analysis through Infeasible-Path Detection and Syntactic Language Refinement.

Symbolic Execution and Proof of Properties

DySy: Dynamic Symbolic Execution for Invariant Inference

Profile-Guided Program Simplification for Effective Testing and Analysis

Softwaretechnik. Program verification. Albert-Ludwigs-Universität Freiburg. June 28, Softwaretechnik June 28, / 24

Relational Abstract Domains for the Detection of Floating-Point Run-Time Errors

Finding heap-bounds for hardware synthesis

A Parametric Segmentation Functor for Fully Automatic and Scalable Array Content Analysis

A Parametric Segmentation Functor for Fully Automatic and Scalable Array Content Analysis

! Use of formal notations. ! in software system descriptions. ! for a broad range of effects. ! and varying levels of use. !

Abstraction Refinement for Quantified Array Assertions

Chapter 3. Describing Syntax and Semantics ISBN

Algebraic Program Analysis

Lecture Notes on Linear Search

Lecture 4 Searching Arrays

Semantics. There is no single widely acceptable notation or formalism for describing semantics Operational Semantics

Predicate Abstraction of Java Programs with Collections. Pavel Parízek, Ondřej Lhoták

TVLA: A SYSTEM FOR GENERATING ABSTRACT INTERPRETERS*

Lecture 5 - Axiomatic semantics

Complete Instantiation of Quantified Formulas in Satisfiability Modulo Theories. ACSys Seminar

Static Analysis by A. I. of Embedded Critical Software

A Gentle Introduction to Program Analysis

No model may be available. Software Abstractions. Recap on Model Checking. Model Checking for SW Verif. More on the big picture. Abst -> MC -> Refine

Sendmail crackaddr - Static Analysis strikes back

The Rule of Constancy(Derived Frame Rule)

Hoare Logic: Proving Programs Correct

Interactively Verifying Absence of Explicit Information Flows in Android Apps

Abstract Acceleration of General Linear Loops

Behavioral Requirements

Automatic Analysis of Open Objects in Dynamic Language Programs

Symbolic Execution, Dynamic Analysis

Basic Verification Strategy

Effectively-Propositional Modular Reasoning about Reachability in Linked Data Structures CAV 13, POPL 14 Shachar Itzhaky

Program Static Analysis. Overview

Predicate Refinement Heuristics in Program Verification with CEGAR

Separation Logic 2: project: Annotation Assistant for Partially Specified Programs plus some high-level observations. Hengle Jiang & John-Paul Ore

Verification Conditions. Juan Pablo Galeotti, Alessandra Gorla, Andreas Rau Saarland University, Germany

Embedded Software Verification Challenges and Solutions. Static Program Analysis

Verifying Data Structure Invariants in Device Drivers

SMT-Style Program Analysis with Value-based Refinements

COSC252: Programming Languages: Semantic Specification. Jeremy Bolton, PhD Adjunct Professor

Principles of Program Analysis. Lecture 1 Harry Xu Spring 2013

PreInfer: Automatic Inference of Preconditions via Symbolic Analysis

Finding and Fixing Bugs in Liquid Haskell. Anish Tondwalkar

Template-based Program Verification and Program Synthesis

Certified Memory Usage Analysis

Recap. Juan Pablo Galeotti,Alessandra Gorla, Software Engineering Chair Computer Science Saarland University, Germany

The Verification Grand Challenge and Abstract Interpretation

Software Model Checking with Abstraction Refinement

Term Algebras with Length Function and Bounded Quantifier Elimination

Applying Data Refinement for Monadic Programs to Hopcroft s Algorithm

Using widenings to infer loop invariants inside an SMT solver, or: A theorem prover as abstract domain

Harvard School of Engineering and Applied Sciences CS 152: Programming Languages

Why does ASTRÉE scale up?

Rely-Guarantee References for Refinement Types over Aliased Mutable Data

The Reachability-Bound Problem

An Annotated Language

Duet: Static Analysis for Unbounded Parallelism

Part II. Hoare Logic and Program Verification. Why specify programs? Specification and Verification. Code Verification. Why verify programs?

Program Verification. Aarti Gupta

Alternation for Termination

Fluid Updates: Beyond Strong vs. Weak Updates

An Abstract Domain for Analyzing Heap-Manipulating Low-Level Software

Automated Debugging with Error Invariants

Resource Usage Analysis and its Application to Resource Certification (Part I)

Static Analysis of Programs with Probabilities. Sriram Sankaranarayanan University of Colorado, Boulder, USA.

Static Program Analysis

A Correctness Proof for a Practical Byzantine-Fault-Tolerant Replication Algorithm

Assertions & Verification & Example Loop Invariants Example Exam Questions

Static Error Detection using Semantic Inconsistency Inference

Automated Error Diagnosis Using Abductive Inference

Outline for Today CSE 142. CSE142 Wi03 G-1. withdraw Method for BankAccount. Class Invariants

Code Contracts. Pavel Parízek. CHARLES UNIVERSITY IN PRAGUE faculty of mathematics and physics

Module 6. Knowledge Representation and Logic (First Order Logic) Version 2 CSE IIT, Kharagpur

A New Abstraction Framework for Affine Transformers

FreePascal changes: user documentation

Transcription:

Simplifying Loop Invariant Generation Using Splitter Predicates Rahul Sharma Işil Dillig, Thomas Dillig, and Alex Aiken Stanford University

Loops and Loop Invariants Loop Head x = 0; while( x <= 49 ) { Loop Body } x = x + 1;

Loops and Loop Invariants Loop Head Key problem Software verification Is undecidable Loop Body

Conjunctive Invariants x = 0; y = 50; while( x <= 49 ) { x = x + 1; } x <= 50 && y = 50 && x >= 0

Conjunctive Invariants Mature techniques for discovering these Cousot and Halbwachs, 1978 Abstract interpretation-based technique (Interproc) Keep estimate of reachable states StInG and InvGen Assume an invariant template (a.x + b.y <= c) Solve (non-linear) constraints to instantiate template

Disjunctive Invariants Some loops require disjunctive invariants Some very involved techniques: Probabilistic inference, predicate abstraction, Difficult to characterize their behavior Most are not fully automatic

Disjunctive Invariants Some loops require disjunctive invariants Some very involved techniques: Probabilistic inference, predicate abstraction, Difficult to characterize their behavior Most are not fully automatic Can we reduce disjunctive to conjunctive?

A Small Study About 10% of loops require disjunctive invariants (OpenSSH 9/95) Of these about 90% are multi-phase (OpenSSH 8/9)

Loops Requiring Disjunctive Invariants Digikam for(int i = 0; i < num; i++) { } if( i == 0 ) { delete w[i]; continue; } w[i-1] = w[i];

Loops Requiring Disjunctive Invariants OpenSSH for(int i=0; i< size; i++) { } if( i == size-1 ) a[i] = NULL; else a[i] = malloc(...);

Multi-phase Loops x = 0; y = 50; while( x < 100 ) { x = x + 1; if( x > 50 ) y = y + 1; } assert( y == 100); (x<=50 && y=50) (50<=x<=100 && y=x)

Multi-phase Loops x = 0; y = 50; while( x < 100 ) { x = x + 1; if( x > 50 ) y = y + 1; } assert( y == 100); (x<=50 && y=50) (50<=x<=100 && y=x) x = 0, x = 1,, x = 49

Multi-phase Loops x = 0; y = 50; while( x < 100 ) { x = x + 1; if( x > 50 ) y = y + 1; } assert( y == 100); (x<=50 && y=50) (50<=x<=100 && y=x) x = 0, x = 1,, x = 49 x = 50, x = 51,, x = 99

Multi-phase Loops Continued Phase transition C : predicate of if inside loop Phase: contiguous iterations with C constant Transition: C changes value Restrict to 2-phase loops C transitions from false to true

Basic Idea x = 0; y = 50; while( x < 100 ) { x = x + 1; if( x > 50 ) y = y + 1; } assert( y == 100);

Basic Idea Disjunctive Invariant x = 0; y = 50; while( x < 100 ) { } x = x + 1; if( x > 50 ) y = y + 1; assert( y == 100); (x<=50 && y=50) (50<=x<=100 && y=x)

Basic Idea Disjunctive Invariant x = 0; y = 50; while( x < 100 ) { } x = x + 1; if( x > 50 ) y = y + 1; assert( y == 100); (x<=50 && y=50) (50<=x<=100 && y=x) x = 0; y = 50; while( x <= 49 ) { x = x + 1; } while( x < 100 && x > 49) { x = x + 1; y = y + 1; } assert( y == 100);

Basic Idea Disjunctive Invariant Conjunctive Invariants! x = 0; y = 50; while( x < 100 ) { } x = x + 1; if( x > 50 ) y = y + 1; assert( y == 100); (x<=50 && y=50) (50<=x<=100 && y=x) x = 0; y = 50; while( x <= 49 ) { } x = x + 1; while( x < 100 && x > 49) { } x = x + 1; y = y + 1; assert( y == 100); x<=50 && y=50 50<=x<=100 && y=x

Our Goal Reduce the problem of inferring disjunctive invariants for a multi-phase loop to inferring conjunctive invariants for a sequence of loops

Our Approach Identify multi-phase loops Split the multi-phase loops Use standard invariant generation technique Infer conjunctive invariants

Example Before Splitting x = 0; y = 50; while( x < 100 ) { x = x + 1; if( x > 50 ) y = y + 1; } assert( y == 100); After Splitting x = 0; y = 50; while( x<100 && x <= 49 ) { x = x + 1; if( false ) y = y + 1; } while( x < 100 && x > 49 ) { x = x + 1; if( true ) y = y + 1; } assert( y == 100);

Splitter Predicate (Q) while (P) { B [C] } } while (P &&!Q) { B [false] } while (P && Q) { B [true] }

Last Notational Hurdle x = 0; y = 50; while( x < 100 ) { x = x + 1; if( x > 50 ) y = y + 1; } assert( y == 100); B: Code present Inside the loop body Before control reaches C

Properties of Splitter Predicates Theorem: For a loop while P { B[C] }, if Q satisfies these three properties then it is a splitter predicate. 1. {Q} B {C} 2. { Q} B { C} 3. {P Q} B[C] {Q P}

Splitter Predicate while (P) { B [C] } } while (P &&!Q) { B [C] } while (P && Q) { B [C] }

Splitter Predicate while (P) { B [C] } } while (P &&!Q) { B [false] } while (P && Q) { B [C] }

Splitter Predicate while (P) { B [C] } } while (P &&!Q) { B [false] } while (P && Q) { B [true] }

Algorithm For each condition if ρ ( C ) of loop body Q = WP ( B, C ) Check conditions If Q is a splitter predicate then Split the multi-phase loop Replace if ρ ( C ) by if ρ ( false ) and if ρ ( true )

Example Revisited Before Splitting x = 0; y = 50; while( x < 100 ) { x = x + 1; if( x > 50 ) y = y + 1; } assert( y == 100); Q = WP ( x = x + 1, x > 50 ) Q = x > 49

Example Revisited Before Splitting x = 0; y = 50; while( x < 100 ) { } x = x + 1; if( x > 50 ) y = y + 1; assert( y == 100); After Splitting x = 0; y = 50; while( x<100 && x <= 49 ) { x = x + 1; if( false ) y = y + 1; } while( x < 100 && x > 49 ) { x = x + 1; if( true ) y = y + 1; } assert( y == 100);

Optimizations Simplify precondition computation Process if top down For nested loops, process inside out

Optimizations Simplify precondition computation Process if top down For nested loops, process inside out B[C 1, C 2 ]!C 1 C 1!C 2 C 2

Optimizations Simplify precondition computation Process if top down For nested loops, process inside out B[C 1, C 2 ]!C 1 C 1 }B!C 2 C 2

Optimizations Simplify precondition computation Process if top down For nested loops, process inside out B[C 1, C 2 ]!C 1 C 1!C 1 C 1!C 2 C 2!C 2 C 2!C 2 C 2

Optimizations Simplify precondition computation Process if top down For nested loops, process inside out

Optimizations Simplify precondition computation Process if top down For nested loops, process inside out B i [C 1 ] B o [C 2 ]!C 1 C 1!C 2 C 2

Optimizations Simplify precondition computation Process if top down For nested loops, process inside out B i [C 1 ] B o [C 2 ]!C 1 C 1!C 2 C 2

Optimizations Simplify precondition computation Process if top down For nested loops, process inside out B i [C 1 ] B o [C 2 ]!C 1 C 1!C 2 C 2

Optimizations Simplify precondition computation Process if top down For nested loops, process inside out B i [C 1 ] B o [C 2 ]!C 1 C 1 }B!C 2 C 2

Optimizations Simplify precondition computation Process if top down For nested loops, process inside out B i [C 1 ] B o [C 2 ]!C 1!C 1 C 1 C 1!C 2 C 2!C 2 C 2

Optimizations Simplify precondition computation Process if top down For nested loops, process inside out B i [C 1 ] B o [C 2 ]!C 1 C 1!C 1 S 1!C 2 C 2 C 1!C 2 C 2 S 2!C 2 C 2

Experimental Framework Interproc Abstract interpretation-based InvGen Constraint solving-based Our implementation in C++ MISTRAL for precondition and constraint solving

Experiments : verification succeeded; : verification failed + : better invariants; : incomparable; = : exactly same

Experiments : verification succeeded; : verification failed + : better invariants; : incomparable; = : exactly same

Experiments : verification succeeded; : verification failed + : better invariants; : incomparable; = : exactly same

Experiments : verification succeeded; : verification failed + : better invariants; : incomparable; = : exactly same

Experiments : verification succeeded; : verification failed + : better invariants; : incomparable; = : exactly same

Experiments : verification succeeded; : verification failed + : better invariants; : incomparable; = : exactly same

Experiments : verification succeeded; : verification failed + : better invariants; : incomparable; = : exactly same

Experiments : verification succeeded; : verification failed + : better invariants; : incomparable; = : exactly same

Experiments : verification succeeded; : verification failed + : better invariants; : incomparable; = : exactly same

Experiments : verification succeeded; : verification failed + : better invariants; : incomparable; = : exactly same

Experiments : verification succeeded; : verification failed + : better invariants; : incomparable; = : exactly same

Conclusion Static analysis to identify phase transitions Decompose multi-phase loops Preserve semantics Benefit standard invariant generation tools Better invariants Handle more loops Simple, easy to implement, and can be integrated with any invariant generation tool

References Balakrishnan, G., Sankaranarayanan, S., Ivancic, F., Gupta, A.: Refining the control structure of loops using static analysis. In: EMSOFT (2009), pp. 49-58. Gulwani, S., Jain, S., Koskinen, E.: Control-flow refinement and progress invariants for bound analysis. In: PLDI (2009), pp. 375-385. Mauborgne, L., Rival, X.: Trace partitioning in abstract interpretation based static analyzers. In: ESOP (2005), pp. 5-20. Gopan, D., Reps, T.: Guided static analysis. In: SAS (2007), pp. 349-365.

References Balakrishnan, G., Sankaranarayanan, S., Ivancic, F., Gupta, A.: Refining the control structure of loops using static analysis. In: EMSOFT (2009), pp. 49-58. Gulwani, S., Jain, S., Koskinen, E.: Control-flow refinement and progress invariants for bound analysis. In: PLDI (2009), pp. 375-385. Mauborgne, L., Rival, X.: Trace partitioning in abstract interpretation based static analyzers. In: ESOP (2005), pp. 5-20. Gopan, D., Reps, T.: Guided static analysis. In: SAS (2007), pp. 349-365.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback