Program Verification using Templates over Predicate Abstraction. Saurabh Srivastava and Sumit Gulwani

Similar documents
VS 3 : SMT Solvers for Program Verification

Program Verification using Templates over Predicate Abstraction

Assertions. Assertions - Example

6.0 ECTS/4.5h VU Programm- und Systemverifikation ( ) June 22, 2016

Runtime Checking and Test Case Generation for Python

Assertions & Verification & Example Loop Invariants Example Exam Questions

Assertions & Verification Example Exam Questions

Programming with Contracts. Juan Pablo Galeotti, Alessandra Gorla Saarland University, Germany

References: internet notes; Bertrand Meyer, Object-Oriented Software Construction; 10/14/2004 1

Exam Review. CSE 331 Section 10 12/6/12. Slides by Kellen Donohue with material from Mike Ernst

Semantics. There is no single widely acceptable notation or formalism for describing semantics Operational Semantics

Efficient Incremental Dynamic Invariant Detection

Verification Conditions. Juan Pablo Galeotti, Alessandra Gorla, Andreas Rau Saarland University, Germany

Chapter 3. Describing Syntax and Semantics ISBN

Specifications. Prof. Clarkson Fall Today s music: Nice to know you by Incubus

Hoare Logic: Proving Programs Correct

Abstract Interpretation

Incremental Proof Development in Dafny

Symbolic Execution and Proof of Properties

Tree Interpolation in Vampire

Course Summary! What have we learned and what are we expected to know?

Finding and Fixing Bugs in Liquid Haskell. Anish Tondwalkar

Template-based Program Verification and Program Synthesis

A proof-producing CSP solver: A proof supplement

Inductive Invariant Generation via Abductive Inference

Automatic Generation of Program Specifications

Hardware versus software

Part II. Hoare Logic and Program Verification. Why specify programs? Specification and Verification. Code Verification. Why verify programs?

AXIOMS OF AN IMPERATIVE LANGUAGE PARTIAL CORRECTNESS WEAK AND STRONG CONDITIONS. THE AXIOM FOR nop

Simplifying Loop Invariant Generation Using Splitter Predicates. Rahul Sharma Işil Dillig, Thomas Dillig, and Alex Aiken Stanford University

LOGIC AND DISCRETE MATHEMATICS

Self-checking software insert specifications about the intent of a system

Assertions & Design-by-Contract using JML Erik Poll University of Nijmegen

Announcements. Specifications. Outline. Specifications. HW1 is due Thursday at 1:59:59 pm

3 No-Wait Job Shops with Variable Processing Times

6.170 Lecture 6 Procedure specifications MIT EECS

Automated Debugging with Error Invariants

Violations of the contract are exceptions, and are usually handled by special language constructs. Design by contract

Harvard School of Engineering and Applied Sciences CS 152: Programming Languages

From Program Verification to Program Synthesis

Lecture Notes on Linear Search

_Synthesis Of Dynamic Programming Algorithms. Yewen (Evan) Pu Rastislav Bodik Saurabh Srivastava

Comparing procedure specifications

STABILITY AND PARADOX IN ALGORITHMIC LOGIC

Christoph Csallner, University of Texas at Arlington (UTA)

MSO Lecture Design by Contract"

CSC Advanced Object Oriented Programming, Spring Specification

Lecture 4: Procedure Specifications

Software Model Checking. Xiangyu Zhang

6. Hoare Logic and Weakest Preconditions

Lecture Notes on Ints

Specifications. CSE 331 Spring 2010

Validating Plans with Durative Actions via Integrating Boolean and Numerical Constraints

Type Assisted Synthesis of Programs with Algebraic Data Types

4/24/18. Overview. Program Static Analysis. Has anyone done static analysis? What is static analysis? Why static analysis?

Type Hierarchy. Lecture 6: OOP, autumn 2003

Goal. Overflow Checking in Firefox. Sixgill. Sixgill (cont) Verifier Design Questions. Sixgill: Properties 4/8/2010

Advances in Programming Languages

Testing, Debugging, and Verification

Specification tips and pitfalls

Software Engineering Testing and Debugging Testing

DPLL(Γ+T): a new style of reasoning for program checking

Lecture 2: Algorithm Analysis

Searching for Program Invariants using Genetic Programming and Mutation Testing

Arguing for program correctness and writing correct programs

A Combination Framework for Tracking Partition Sizes

Reachability Analysis for Annotated Code

Softwaretechnik. Program verification. Albert-Ludwigs-Universität Freiburg. June 28, Softwaretechnik June 28, / 24

Softwaretechnik. Program verification. Software Engineering Albert-Ludwigs-University Freiburg. June 30, 2011

Push-button verification of Files Systems via Crash Refinement

6.046 Recitation 1: Proving Correctness Bill Thies, Fall 2004 Outline

CS 510/13. Predicate Abstraction

Chapter 3 (part 3) Describing Syntax and Semantics

Reasoning About Imperative Programs. COS 441 Slides 10

Uncertain Data Models

Reasoning about programs

ESC/Java2 vs. JMLForge. Juan Pablo Galeotti, Alessandra Gorla, Andreas Rau Saarland University, Germany

Last time. Reasoning about programs. Coming up. Project Final Presentations. This Thursday, Nov 30: 4 th in-class exercise

Chapter 6 INTRODUCTION TO DATA STRUCTURES AND ALGORITHMS

Basic Verification Strategy

CS 220: Discrete Structures and their Applications. Loop Invariants Chapter 3 in zybooks

Invariant Based Programming

Data-Driven Precondition Inference with Learned Features

Top Down Design vs. Modularization

A Correctness Proof for a Practical Byzantine-Fault-Tolerant Replication Algorithm

Data-Driven Precondition Inference with Learned Features

CS 161 Computer Security

Separation Logic 2: project: Annotation Assistant for Partially Specified Programs plus some high-level observations. Hengle Jiang & John-Paul Ore

Runtime Checking for Program Verification Systems

17. Assertions. Outline. Built-in tests. Built-in tests 3/29/11. Jelle Slowack, Bart Smets, Glenn Van Loon, Tom Verheyen

Synthesis using Variable Elimination

Summary of Course Coverage

A short manual for the tool Accumulator

17. Assertions. Jelle Slowack, Bart Smets, Glenn Van Loon, Tom Verheyen

Program Static Analysis. Overview

Chapter 3. Describing Syntax and Semantics ISBN

Chapter 3. Describing Syntax and Semantics

Extended Static Checking for Java

Small Formulas for Large Programs: On-line Constraint Simplification In Scalable Static Analysis

Lecture 4 Searching Arrays

Transcription:

Program Verification using Templates over Predicate Abstraction Saurabh Srivastava and Sumit Gulwani

ArrayInit(Array A, int n) i := 0; while (i < n) A[i] := 0; i := i + 1; Assert( j: 0 j<n sel(a,j)=0);

Invariant Templates Instead of supplying concrete invariants, supply invariant templates with holes for predicates.

ArrayInit(Array A, int n) true i := 0; j:?? sel(a,j)=0 while (i < n) A[i] := 0; i := i + 1; j: 0 j<n sel(a,j)=0

ArrayInit(Array A, int n) true i := 0; j:?? sel(a,j)=0 while (i < n) A[i] := 0; i := i + 1; j: 0 j<n sel(a,j)=0?? = subset of {j op x x {0,i,n}, op {=,<,,>, }}

Invariant Templates Instead of supplying concrete invariants, supply invariant templates with holes for predicates. Example predicates: i 0, sel(a,j)=x, j>k Template Language: Holes are conjunctions of predicates, usually notated as a set

1. true i := 0; j: v sel(a,j)=0 2. j: v sel(a,j)=0 Assume(i n); j: 0 j<n sel(a,j)=0 3. j: v sel(a,j)=0 Assume(i < n); A' := upd(a,i,0); i' := i + 1; j: v sel(a,j)=0

Algorithm for Least (Greatest) Fixed Point Start with maximally strong (weak) guess for assignment of holes to predicates. Until you have a valid candidate assignment, repeat: Choose one of the guesses and one path (a path is a precondition, post-condition, and section of straight-line code) Replace the guess with new guesses that have weaker postconditions (stronger preconditions) for that path.

1. true i := 0; j: v sel(a,j)=0 2. j: v sel(a,j)=0 Assume(i n); j: 0 j<n sel(a,j)=0 3. j: v sel(a,j)=0 Assume(i < n); A' := upd(a,i,0); i' := i + 1; j: v sel(a,j)=0 Initial: Guess: v={}

1. true i := 0; j: true sel(a,j)=0 2. j: true sel(a,j)=0 Assume(i n); j: 0 j<n sel(a,j)=0 3. j: true sel(a,j)=0 Assume(i < n); A' := upd(a,i,0); i' := i + 1; j: true sel(a,j)=0 Initial: Guess: v={}

1. true i := 0; j: true sel(a,j)=0 2. j: true sel(a,j)=0 Assume(i n); j: 0 j<n sel(a,j)=0 3. j: true sel(a,j)=0 Assume(i < n); A' := upd(a,i,0); i' := i + 1; j: true sel(a,j)=0 Initial: Guess: v={} Select initial guess and inconsistent path (1).

1. true i := 0; j: true sel(a,j)=0 2. j: true sel(a,j)=0 Assume(i n); j: 0 j<n sel(a,j)=0 3. j: true sel(a,j)=0 Assume(i < n); A' := upd(a,i,0); i' := i + 1; j: true sel(a,j)=0 Initial: Guess: v={} Select initial guess and inconsistent path (1). Update with 4 new optimal guesses: v={0 < j, j i}; v={0 j, j < i}; v={i < j, j 0}, v={i j, j < 0}

1. true i := 0; j: 0 j<i sel(a,j)=0 2. j: 0 j<i sel(a,j)=0 Assume(i n); j: 0 j<n sel(a,j)=0 3. j: 0 j<i sel(a,j)=0 Assume(i < n); A' := upd(a,i,0); i' := i + 1; j: 0 j<i sel(a,j)=0 Initial: Guess: v={} Select initial guess and inconsistent path (1). Update with 4 new optimal guesses: v={0 < j, j i}; v={0 j, j < i}; v={i < j, j 0}, v={i j, j < 0} One of these is valid (v={0 j, j < i}), so we re done.

Optimal Guesses A valid solution (assignment of holes to sets of predicates) for a particular path is optimal if removing (adding) predicates to any negative (positive) hole results in an invalid solution. Naïve search extremely expensive They use a complex algorithm (including an SMT solver) to find these in practice.

Maximally strong initial guess Weaken precondition Maximally weak initial guess Strengthen Postcondition

3 rd Algorithm: Encode as SMT Boolean variables for every hole-predicate pair. Formulae for whether a particular path is valid for each guess Need some tricks to avoid explosion of clauses

1. true i := 0; j: v sel(a,j)=0 2. j: v sel(a,j)=0 Assume(i n); j: 0 j<n sel(a,j)=0 3. j: v sel(a,j)=0 Assume(i < n); A' := upd(a,i,0); i' := i + 1; j: v sel(a,j)=0

Contributions Can handle invariants Multiple algorithms each with separate strengths Technique to infer maximally weak preconditions

Discussion Scalability to larger programs Difficulty of creating templates Difficulty of producing specification

Daikon dynamic detection of likely invariants

What invariants are detected? x.field > abs(y) y = 2*x+3 array a is sorted for all list objects lst, lst.next.prev = lst for all treenode objects n, n.left.value < n.right.value p!= null => p.content in myarray

Variables pre-state values results of side-effect-free methods derived variables introduced in subsequent pass after inference is performed on existing variables unary (e.g., length, min, max, sum) binary (e.g., subscript, concat, intersection) ternary (only arbitrary subsequence)

Where are they detected? procedure boundaries object invariants what limitations does this place on the analysis? Do we care?

How are they detected? checks potential invariants against runtime values computes probability observation would occur by chance appears to not always do this in practice influenced by provided traces when is this acceptable (even preferred)? when is this insufficient?

How does this scale? Reduce redundancy (improves performance) avoid introducing redundant derived variables suppress weaker invariants no theorem proving, just templates Prune output (user experience) some redundant invariants are caught afterwards abstract data types

Who wants this? Wide array of uses Highly extensible What was convincing?

Comparative Discussion What are the relative strengths of each approach? Who wants to use each approach?

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback