© Anvesh Komuravelli
Quantified Invariants in Rich Domains using Model Checking and Abstract Interpretation
Anvesh Komuravelli, CMU
Joint work with Ken McMillan
The Problem
Input: an array-manipulating program P + assertions.
Automatic analysis for assertion failures, with three possible outcomes:
• Safe + proof
• Unsafe + CEX
• Unknown + partial proof
The proof: quantified invariants!
Quantified Invariants, Typically
Specialized abstract domains, e.g. segmentation abstraction, indexed predicate abstraction, points-to analysis, etc.
• Restrictive
• False warnings
Unrestricted model checking, e.g. interpolation-based
• Hard to find the right quantifiers
• Divergence
Rich-enough abstract domain?
The abstract domain
    i := 0;
    while (i < n) {
      a[i] := c;
      i++;
    }
    assume (0 ≤ k < n)
    assert (a[k] = c)
[Figure: the abstract domain, annotated with the quantified variables and the predicate signature.]
Goal: Find a quantifier-free interpretation of the predicates
Guess-and-check doesn’t work anymore!
Given a guess for P, how to check if it suffices?
FOL validity is undecidable!
Can we still use existing model checkers?
Let’s look at the VCs
• Quantifier pulled to the outermost scope
• Real challenge! Find a sufficient set of witnesses
• Reduces to quantifier-free invariant generation (use an off-the-shelf model checker)
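The reduction described on this slide, as an added example that is not code from the talk: the quantified antecedent of each VC is replaced by a single instance at a chosen witness term, and the resulting quantifier-free obligations are checked for the array-init program. The interpretation P, the two witness functions and the small bounded domain are assumptions of this example; exhaustive enumeration over that domain stands in for the model-checker call, so a pass is a finite check rather than a proof for all n.

```python
# Added example (not from the slides): bounded check of the array-init VCs after
# instantiating the quantified invariant "forall j. P(j, a[j], i, c)" with a chosen
# witness term, so that each VC becomes a quantifier-free obligation.
#
# Program from the slides:
#     i := 0; while (i < n) { a[i] := c; i++; }
#     assume (0 <= k < n); assert (a[k] = c)
#
# Assumptions of this example: the quantifier-free interpretation P below, and a
# small bounded domain for n, c and the array cells. Enumerating that domain stands
# in for the SMT/model-checker call, so a pass here is a finite check, not a proof.
from itertools import product

N_MAX = 3           # arrays of length 0..N_MAX are enumerated
VALS = (0, 1)       # bounded value domain for c and for array cells


def P(j, v, i, c):
    """Candidate quantifier-free body: cells below the loop index hold c."""
    return not (0 <= j < i) or v == c


def cell_values(a, w):
    """Values the instance P(w, a[w], ...) may see: the stored cell inside the
    array bound, or any value at all for an out-of-range witness (arrays are total)."""
    return (a[w],) if 0 <= w < len(a) else VALS


def check_vcs(P, witness_L, witness_E):
    """Check the three VCs with the quantified antecedent replaced by one instance.

    witness_L(jp, i, c, n): index j used in the loop VC [L] when proving P for the
        outer quantified variable jp after one more iteration.
    witness_E(k, i, c, n):  index j used in the exit VC [E] to justify a[k] = c.
    Returns (True, None) or (False, name_of_failing_vc).
    """
    for n in range(N_MAX + 1):
        for c in VALS:
            # [B] initiation: i = 0 satisfies P for every index and cell value.
            for j, v in product(range(n), VALS):
                if not P(j, v, 0, c):
                    return False, "B"
            for a in product(VALS, repeat=n):
                for i in range(n + 2):
                    if i < n:
                        # [L] consecution: P(w, a[w], i, c) /\ i < n  ==>  P(jp, a'[jp], i+1, c)
                        a2 = list(a)
                        a2[i] = c
                        for jp in range(n):
                            w = witness_L(jp, i, c, n)
                            for v in cell_values(a, w):
                                if P(w, v, i, c) and not P(jp, a2[jp], i + 1, c):
                                    return False, "L"
                    else:
                        # [E] exit: P(w, a[w], i, c) /\ i >= n /\ 0 <= k < n  ==>  a[k] = c
                        for k in range(n):
                            w = witness_E(k, i, c, n)
                            for v in cell_values(a, w):
                                if P(w, v, i, c) and a[k] != c:
                                    return False, "E"
    return True, None


if __name__ == "__main__":
    # "Use k for j" at the exit, and the outer variable itself inside the loop.
    print(check_vcs(P, lambda jp, i, c, n: jp, lambda k, i, c, n: k))   # (True, None)
    # A bad guess for the exit witness leaves a[k] unconstrained.
    print(check_vcs(P, lambda jp, i, c, n: jp, lambda k, i, c, n: i))   # (False, 'E')
```

With the outer quantified variable as the loop witness and k as the exit witness, all three obligations pass; choosing i as the exit witness instantiates the invariant at an index that says nothing about a[k], so [E] fails, which is the "N" branch of the guess-and-check loop. Because the instantiated VCs are weaker than the originals, a pass is sound; a failure only says the witnesses were insufficient, not that the invariant is wrong.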
Two Goals
Goal 1: Find a sufficient set of witnesses for j
Goal 2: Find a quantifier-free interpretation of the predicates
A Strategy
Guess some witnesses, then check if they suffice using a model checker. Y: found proof. N: give up!
Eager syntactic pattern matching [BMR13]:
• Unguided instantiation
• Worst-case unbounded
• Grows exponentially with number of quantified vars
• May choke the model checker
• No fall-back strategy
[BMR13]: On Solving Universally Quantified Horn Clauses, Bjorner, McMillan, Rybalchenko, SAS’13
Our Strategy
Guess some witnesses, then check if they suffice using a model checker. Y: found proof. N: take the CEX, refine the guess with a constraint on the witness, and check again.
Guess-and-check, but of the witnesses and not the invariant itself
Obtaining Strong Constraints
Generalized counterexamples give strong constraints.
Symbolic counterexamples:
• Number of variables = O(size)
• Constraint solving becomes harder (easily diverging)
Our choice: ground counterexamples + abstract interpretation
Note – one witness suffices!
is equivalent to
May not be expressible!
Concrete vs. Abstract
The algorithm
The VCs are the clauses [B], [L] and [E] (initialisation, loop, exit). The algorithm repeats three steps: Instantiate, Check, Analyze.
Instantiate: along the bounded trace B L L E the predicate is instantiated at the three intermediate states as P(k0,v0,i0,c0), P(k1,v1,i1,c1), P(k2,v2,i2,c2).
Check: the model checker returns a ground counterexample over these instances, e.g. P(0,0,0,0), P(0,0,1,0), P(0,0,2,0) or P(0,0,0,0), P(0,1,0,0), P(0,2,0,0) along B L L E.
Analyze: each step of the counterexample is examined (✕?) to find the instance that would block it; here the analysis says: use k for j.
Instantiate again with the new witness, check, analyze, … and repeat.
Finding a new witness
Given a constraint (over the local vars and the quantified variable) that the new witness must satisfy, check it against a Skolem template f and solve for the template parameters t using a sampling-based approach; restrict to linear templates.
Quantifier Alternation using Sampling
• Pick a candidate tc.
• Check it: if it works (Y), return tc; otherwise (N) we get a CEX lc.
• Add lc to the existing samples S.
• Solve for a new candidate tc consistent with S: if one exists (Y), check it again; if none exists (N), report S as the counterexample.
Source of divergence!
Quantifier Elimination: eliminate arrays (thanks to Nikolaj for the discussion), cheap QE of integers.
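The sampling loop of this slide and the linear-template solve of the previous one ("Finding a new witness"), as an added example that is not the talk's prototype: a CEGIS loop that picks a candidate coefficient vector t for the Skolem template f_t(k, i, n) = t0*k + t1*i + t2*n + t3, checks it on the forall side, adds the counterexample assignment to the samples S and re-solves. The constraints C(j, x) relating the quantified variable j to the locals x = (k, i, n) are constructed stand-ins for what a counterexample would produce, and both the forall-check and the exists-solve are brute force over small bounded domains instead of SMT calls; these are assumptions of the example.

```python
# Added example (not from the slides): synthesising a linear Skolem witness by
# sampling, following the guess-check-refine loop of the "Quantifier Alternation
# using Sampling" slide. The counterexample constraint C(j, x) between the
# quantified variable j and the locals x = (k, i, n) is a constructed stand-in,
# and both the forall-check and the exists-solve are brute force over small
# bounded domains instead of SMT calls; those are assumptions of this example.
from itertools import product

LOCALS = ("k", "i", "n")
COEFFS = range(-2, 3)                                    # bounded template coefficients
SAMPLE_SPACE = list(product(range(4), repeat=3))         # bounded (k, i, n) assignments


def apply_template(t, x):
    """Linear Skolem template f_t(k, i, n) = t0*k + t1*i + t2*n + t3."""
    k, i, n = x
    return t[0] * k + t[1] * i + t[2] * n + t[3]


def check_candidate(C, t):
    """forall side: a local assignment lc on which the candidate witness violates C,
    or None if it satisfies C on the whole bounded domain."""
    for x in SAMPLE_SPACE:
        if not C(apply_template(t, x), x):
            return x
    return None


def solve_from_samples(C, samples):
    """exists side: coefficients t that satisfy C on every sample collected so far."""
    for t in product(COEFFS, repeat=4):
        if all(C(apply_template(t, x), x) for x in samples):
            return t
    return None


def synthesize_witness(C, max_rounds=20):
    """Pick candidate, check, add the CEX to the samples, re-solve, repeat.
    Returns (t, samples) on success and (None, samples) when the samples refute
    every template or the round budget (the divergence guard) runs out."""
    samples = []
    for _ in range(max_rounds):
        t = solve_from_samples(C, samples)
        if t is None:
            return None, samples
        lc = check_candidate(C, t)
        if lc is None:
            return t, samples
        samples.append(lc)
    return None, samples


def show(t):
    """Render the witness term of a coefficient vector, e.g. '-1*k + 1*n + -1'."""
    terms = [f"{c}*{v}" for c, v in zip(t, LOCALS) if c]
    if t[3]:
        terms.append(str(t[3]))
    return " + ".join(terms) or "0"


# Constructed constraints. For array init the exit VC needs the instance that
# talks about a[k], i.e. j = k ("use k for j" on the slides).
def c_init(j, x):
    k, i, n = x
    return j == k


# For a reversed-copy invariant indexed from the far end, the instance that
# mentions the asserted cell is j = n - 1 - k.
def c_reverse(j, x):
    k, i, n = x
    return n - 1 - j == k


# Parity of k is not a linear function of the locals: no witness in the template.
def c_parity(j, x):
    k, i, n = x
    return j == k % 2


if __name__ == "__main__":
    for name, C in (("init", c_init), ("reverse", c_reverse), ("parity", c_parity)):
        t, samples = synthesize_witness(C)
        print(name, "witness:", None if t is None else show(t), "samples:", samples)
```

Each counterexample adds one linear equation on t, so the loop pins down the four coefficients after four samples for the two satisfiable constraints (j = k and j = n - 1 - k). For the parity constraint the fifth sample makes the sample set itself unsatisfiable and the solve step reports it, which is the "N" exit of the slide; with an unbounded coefficient domain and a constraint that admits no template, the same loop can instead keep producing fresh candidates, the source of divergence noted on the slide.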
Abstract Post, in practice
Solve an SMT problem, then generalize the models:
1. Cheap QE tricks, case-split on equalities on j / on array-index arguments, etc.
2. Under-approximate, otherwise.
Experiments
• Implemented “qe_array” tactic in Z3
• Prototype in Python using Z3Py interface for witness generation
• Automatically generated “sufficient witnesses” for small array-manipulating programs (BMR13): array init, find, copy, concatenate, reverse, etc.
• Used GPDR engine in Z3 to solve for quantifier-free predicates
• Up to two universal quantifiers per predicate
• Witness was just a local variable in the VC
Moving forward…
Scalability
• Handle large programs (with multiple procedures)
• How to pick a relevant “set” of witnesses?
• Can we synthesize guards to combine them into a single witness?
Implementation-wise
• Cache previous AI results
• Reuse bounded proofs (proof-based abstraction)
• Lazy QE: postponing to later steps?
Alternatives
• Use over-approximations of reachable states
• Witness may not exist: need to refine the approximation
Questions?