texpoint fonts used in emf. read the texpoint manual before you delete this box.: a a
DESCRIPTION
The Fixpoint Brush in The Art of Invariant Generation. Sumit Gulwani Microsoft Research, Redmond, USA [email protected]. Workshop on Invariant Generation, Floc 2010. TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A. - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A](https://reader030.vdocument.in/reader030/viewer/2022032709/5681329d550346895d993bb8/html5/thumbnails/1.jpg)
Sumit GulwaniMicrosoft Research, Redmond, USA
The Fixpoint Brushin
The Art of Invariant Generation
Workshop on Invariant Generation, Floc 2010
![Page 2: TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A](https://reader030.vdocument.in/reader030/viewer/2022032709/5681329d550346895d993bb8/html5/thumbnails/2.jpg)
1. Program Transformations– Reduce need for sophisticated invariant generation.– E.g., control-flow refinement (PLDI ‘09), loop-flattening/peeling (PLDI ‘10/POPL ’08) non-standard cut-points (PLDI ‘08) quantitative attributes instrumentation (POPL ’10).
2. Colorful Logic– Language of Invariants.– E.g., arithmetic, uninterpreted fns, lists/arrays.
3. Fixpoint Brush– Automatic generation of invariants in some shade of
logic (such as conjunctive/k-disjunctive/predicate abstraction).
– E.g., Iterative, Template/Constraint based, Proof rules.2
Art of Invariant Generation
![Page 3: TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A](https://reader030.vdocument.in/reader030/viewer/2022032709/5681329d550346895d993bb8/html5/thumbnails/3.jpg)
Fixpoint Brush
• Iterative and monotonic Forward – Backward
• Template/Constraint based
• Proof rules
• Iterative, but non-monotonic– Probabilistic Inference– Learning
3
![Page 4: TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A](https://reader030.vdocument.in/reader030/viewer/2022032709/5681329d550346895d993bb8/html5/thumbnails/4.jpg)
Start with Precondition and propagate facts forward using Existential elimination operator until fixpoint.
• Data-flow analysis– Join at merge points– Finite abstract domains
• Abstract Interpretation– Join at merge pointsJoin(1 , 2) = strongest s.t. 1 ) and 2 ) – Widening for infinite height abstract domains.
• Model Checking– Analyze all paths precisely without join at merge
points.– Finite abstractions (e.g., boolean abstraction)
required• Counterexample guided abstraction refinement• BDD based data-structures for efficiency
4
Iterative Forward: Examples
![Page 5: TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A](https://reader030.vdocument.in/reader030/viewer/2022032709/5681329d550346895d993bb8/html5/thumbnails/5.jpg)
Difference Constraints
• Abstract element: – conjunction of xi-xj · cij – can be represented using matrix M, where M[i]
[j]=cij
• Decide(M):1. M’ := Saturate(M);
• Saturation means closure with deductions of form: x-y ≤ c1 and y-z ≤ c2 implies x-z ≤ c1 +c2
2. Declare unsat iff 9i: M’[i][i] < 0
• Join(M1, M2): 1. M’1 := Saturate(M1); M’2 := Saturate(M2);
2. Let M3 be s.t. M3[i][j] = Max { M’1[i][j], M’2[i][j] }
3. return M3 5
![Page 6: TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A](https://reader030.vdocument.in/reader030/viewer/2022032709/5681329d550346895d993bb8/html5/thumbnails/6.jpg)
1·y<51 Æ z=y+2
Example: Abstract Interpretation using Difference Constraints
y < 50
y := 0; z := 2;
y++; z++;
y=0, z=2
y=1 Æ z=3
?
?
?
?
true
y=0 Æ z=2
y=0 Æ z=2
0·y·1 Æ z=y+2
0·y·1 Æ z=y+2
1·y·2 Æ z=y+2
0·y·2 Æ z=y+20·y Æ z=y+2
0·y<50 Æ z=y+2
0·y<51 Æ z=y+2
y=50 Æ z=y+2
FalseTrue
Assert (z=52)
6
![Page 7: TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A](https://reader030.vdocument.in/reader030/viewer/2022032709/5681329d550346895d993bb8/html5/thumbnails/7.jpg)
y=F(a)a=ha,bi
z=a-1a=ha,bi
y=F(b)b=ha,bi
z=b-1b=ha,bi
z=a-1 Æ y=F(a)
z=b-1 Æ y=F(b)
ha,bi=1+z
y=F(ha,bi)
JoinlaJoinuf
Eliminateuf+la
y=F(1+z)
{ ha,bi }
Joinla+u
f
Combination: Example of Join Algorithm
7
![Page 8: TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A](https://reader030.vdocument.in/reader030/viewer/2022032709/5681329d550346895d993bb8/html5/thumbnails/8.jpg)
• Uninterpreted Functions– A Polynomial-Time Algorithm for Global Value Numbering;
Gulwani, Necula; SAS ‘04 • Linear Arithmetic + Uninterpreted Functions
– Combining Abstract Interpreters; Gulwani, Tiwari; PLDI ’06
• Theory of Arrays/Lists – Quantified Abstract Domains
• Lifting Abstract Interpreters to Quantified Logical Domains; Gulwani, McCloskey, Tiwari; POPL ‘08
• Discovering Properties about Arrays in Simple Programs; Halbwachs, Péron; PLDI ‘08
– Shape Analysis• Parametric Shape Analysis via 3-Valued Logic;
Sagiv, Reps, Wilhelm; POPL ‘99, TOPLAS ‘028
Iterative Forward: References
![Page 9: TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A](https://reader030.vdocument.in/reader030/viewer/2022032709/5681329d550346895d993bb8/html5/thumbnails/9.jpg)
• Theory of Arrays/Lists – Combination of Shape Analysis + Arithmetic
• A Combination Framework for tracking partition sizes; Gulwani, Lev-Ami, Sagiv; POPL ’09
• Non-linear Arithmetic– User-defined axioms + Expression Abstraction
• A Numerical Abstract Domain Based on Expression Abstraction and Max Operator with Application in Timing Analysis; Gulavani, Gulwani; CAV ’08
– Polynomial Equalities• An Abstract Interpretation Approach for Automatic
Generation of Polynomial Invariants; Rodriguez-Carbonell, Kapur; SAS ‘04
9
Iterative Forward: References
![Page 10: TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A](https://reader030.vdocument.in/reader030/viewer/2022032709/5681329d550346895d993bb8/html5/thumbnails/10.jpg)
Fixpoint Brush
• Iterative and monotonic– Forward Backward
• Template/Constraint based
• Proof-rules
• Iterative, but non-monotonic– Probabilistic Inference– Learning
10
![Page 11: TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A](https://reader030.vdocument.in/reader030/viewer/2022032709/5681329d550346895d993bb8/html5/thumbnails/11.jpg)
• Comparison with Iterative Forward– Positives: Can compute preconditions, Goal-directed– Negatives: Requires assertions or template assertions.
• Transfer Function for Assignment Node is easier.– Substitution takes role of existential elimination.
• Transfer Function for Conditional Node is challenging.– Requires abductive reasoning/under-approximations.
• Abduct(,g) = weakest ’ s.t. ’Æg ) • Case-split reasoning as opposed to Saturation based, and
hence typically not closed under conjunctions.• Optimally weak solutions for negative unknowns as
opposed to optimally strong solutions for positive unknowns.
11
Iterative Backward
![Page 12: TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A](https://reader030.vdocument.in/reader030/viewer/2022032709/5681329d550346895d993bb8/html5/thumbnails/12.jpg)
• Program Verification using Templates over Predicate Abstraction;
Srivastava, Gulwani; PLDI ‘09• Assertion Checking Unified; Gulwani, Tiwari; VMCAI ‘07• Computing Procedure Summaries for Interprocedural
Analysis; Gulwani, Tiwari; ESOP ‘07
12
Iterative Backward: References
![Page 13: TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A](https://reader030.vdocument.in/reader030/viewer/2022032709/5681329d550346895d993bb8/html5/thumbnails/13.jpg)
Fixpoint Brush
• Iterative and monotonic– Forward– Backward
Template/Constraint based
• Proof rules
• Iterative, but non-monotonic– Probabilistic Inference– Learning
13
![Page 14: TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A](https://reader030.vdocument.in/reader030/viewer/2022032709/5681329d550346895d993bb8/html5/thumbnails/14.jpg)
Template-based Invariant Generation• Goal-directed invariant generation for
verification of a Hoare triple (Pre, Program, Post)
14
Prewhile (c) SPost
Pre ) II Æ :c ) Post(I Æ c)[S] ) I
9 II 8X
Verification Constraint(Second-order)
Base CasePrecisionInductive
Case
VCGen
• Key Idea: Reduce the second-order verification constraint to a first-order satisfiability constraint that can be solved using off-the-shelf SAT/SMT solvers– Choose a template for I (specific color/shade in some
logic).– Convert 8 into 9.
![Page 15: TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A](https://reader030.vdocument.in/reader030/viewer/2022032709/5681329d550346895d993bb8/html5/thumbnails/15.jpg)
Trick for converting 8 to 9 is known for following domains:
• Linear Arithmetic– Farkas Lemma
• Linear Arithmetic + Uninterpreted Fns.– Farkas Lemma + Ackerman’s Reduction
• Non-linear Arithmetic– Grobner Basis
• Predicate Abstraction– Boolean indicator variables + Cover Algorithm
(Abduction)• Quantified Predicate Abstraction
– Boolean indicator variables + More general Abduction15
Key Idea in reducing 8 to 9 for various Domains
![Page 16: TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A](https://reader030.vdocument.in/reader030/viewer/2022032709/5681329d550346895d993bb8/html5/thumbnails/16.jpg)
• Linear Arithmetic– Constraint-based Linear-relations analysis; Sankaranarayanan, Sipma, Manna; SAS ’04– Program analysis as constraint solving; Gulwani, Srivastava, Venkatesan; PLDI ‘08
• Linear Arithmetic + Uninterpreted Fns.– Invariant synthesis for combined theories; Beyer, Henzinger, Majumdar, Rybalchenko; VMCAI ‘07
• Non-linear Arithmetic– Non-linear loop invariant generation using Gröbner bases;
Sankaranarayanan, Sipma, Manna; POPL ’04• Predicate Abstraction
– Constraint-based invariant inference over predicate abstraction; Gulwani, Srivastava, Venkatesan; VMCAI ’09
• Quantified Predicate Abstraction– Program verification using templates over predicate
abstraction; Srivastava, Gulwani; PLDI ‘0916
Template-based Invariant Generation: References
![Page 17: TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A](https://reader030.vdocument.in/reader030/viewer/2022032709/5681329d550346895d993bb8/html5/thumbnails/17.jpg)
Linear Arithmetic• Linear Arithmetic + Uninterpreted Fns.• Non-linear Arithmetic• Predicate Abstraction• Quantified Predicate Abstraction
17
Template-based Invariant Generation
![Page 18: TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A](https://reader030.vdocument.in/reader030/viewer/2022032709/5681329d550346895d993bb8/html5/thumbnails/18.jpg)
Farkas Lemma
8X Æk(ek¸0) ) e¸0
iff 9k¸0 8X (e ´ + kkek)
Example • Let’s find Farkas witness ,1,2 for the implication
x¸2 Æ y¸3 ) 2x+y¸6• 9 ,1,2¸0 s.t. 8x,y [2x+y-6 ´ + 1(x-2) + 2(y-3)]• Equating coefficients of x,y and constant terms, we
get: 2=1 Æ 1=2 Æ -6=-21-32
which implies =1, 1=2, 2=1.18
![Page 19: TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A](https://reader030.vdocument.in/reader030/viewer/2022032709/5681329d550346895d993bb8/html5/thumbnails/19.jpg)
Solving 2nd order constraints using Farkas Lemma
9I 8X 1(I,X)
• Second-order to First-order– Assume I has some form, e.g., j ajxj ¸ 0– 9I 8X 1(I,X) translates to 9aj 8X 2(aj,X)
• First-order to “only existentially quantified”– Farkas Lemma helps translate 8 to 9– 8X (Æk(ek¸0) ) e¸0) iff 9k¸0 8X (e ´ + kkek)
• Eliminate X from polynomial equality by equating coefficients.
– 9aj 8X 2(aj,X) translates to 9aj 9¸k 3(aj,¸k)
• “only existentially quantified” to SAT– Bit-vector modeling for integer variables 19
![Page 20: TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A](https://reader030.vdocument.in/reader030/viewer/2022032709/5681329d550346895d993bb8/html5/thumbnails/20.jpg)
Example
[n=1 Æ m=1]x := 0; y := 0;while (x <
100) x := x+n; y := y+m;[y ¸ 100]
a0 + a1x + a2y + a3n + a4m ¸ 0b0 + b1x + b2y + b3n + b4m ¸ 0
y ¸ x m ¸ 1n · 1
a2=b0=c4=1, a1=b3=c0=-1
a0 + a1x + a2y + a3n + a4m ¸ 0b0 + b1x + b2y + b3n + b4m ¸ 0c0 + c1x + c2y + c3n + c4m ¸ 0
y ¸ x m ¸ n
a2=b2=1, a1=b1=-1
a0 + a1x + a2y + a3n + a4m ¸ 0
Invalid triple or Imprecise Template
UNSAT
Invariant Template Satisfying Solution Loop Invariant
I
n=m=1 Æ x=y=0 ) I
I Æ x¸100 ) y¸100
I Æ x<100 ) I[xÃx+n, yÃy+m]
VCGen
![Page 21: TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A](https://reader030.vdocument.in/reader030/viewer/2022032709/5681329d550346895d993bb8/html5/thumbnails/21.jpg)
• Linear Arithmetic• Linear Arithmetic + Uninterpreted Fns.• Non-linear Arithmetic Predicate Abstraction• Quantified Predicate Abstraction
21
Template-based Invariant Generation
![Page 22: TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A](https://reader030.vdocument.in/reader030/viewer/2022032709/5681329d550346895d993bb8/html5/thumbnails/22.jpg)
Solving 2nd order constraints using Boolean Indicator Variables + Cover Algorithm
9I 8X 1(I,X)
• Second-order to First-order (Boolean indicator variables)– Assume I has the form P1 Ç P2, where P1, P2 µ P Let bi,j denote presence of pj2P in Pi
Then, I can be written as (Æj b1,j)pj) Ç (Æj b2,j)pj) 9I 8X 1(I,X) translates to 9bi,j 8X 2(bi,j,X)– Can generalize to k disjuncts
• First-order to “only existentially quantified”– Cover Algorithm helps translate 8 to 9– 9bi,j 8X 2(bi,j,X) translates to SAT formula 9bi,j 3(bi,j)
22
![Page 23: TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A](https://reader030.vdocument.in/reader030/viewer/2022032709/5681329d550346895d993bb8/html5/thumbnails/23.jpg)
Example
[m > 0]x := 0; y :=
0;while (x <
m) x :=
x+1; y :=
y+1;[y=m]
I m>0 ) I[xÃ0, yÃ0] I Æ x¸m ) y=m I Æ x<m ) I[xÃx+1, yÃy+1]
VCGen
x·y, x¸y, x<yx·m, x¸m, x<my·m, y¸m, y<m
Suppose P = and k = 1
Then, I has the form P1, where P1 µ P m>0 ) P1[xÃ0, yÃ0] (1)P1 Æ x¸m ) y=m (2)P1 Æ x<m ) P1[xÃx+1, yÃy+1] (3)
![Page 24: TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A](https://reader030.vdocument.in/reader030/viewer/2022032709/5681329d550346895d993bb8/html5/thumbnails/24.jpg)
Example
x·y, x¸y, x<yx·m, x¸m, x<my·m, y¸m, y<m
0·0, 0¸0, 0<00·m, 0¸m, 0<m0·m, 0¸m, 0<m
(1) m>0 ) P1 [xÃ0, yÃ0]
Hence, (1) ´ P1 doesn’t contain x<y, x¸m, y¸m ´ :bx¸m Æ :bx<y Æ :by¸m
xÃ0, yÃ0
(2) P1 Æ x¸m ) y=m There are 3 maximally-weak choices for P1
(computed using Predicate Cover Algorithm)
Hence, (2) ´ P1 contains at least one of above combinations ´ (bx<m) Ç (by·m Æ by¸m)Ç (bx·y Æ by·m)
(i) y·m Æ y¸m(ii) x<m(iii) x·y Æ y·m
![Page 25: TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A](https://reader030.vdocument.in/reader030/viewer/2022032709/5681329d550346895d993bb8/html5/thumbnails/25.jpg)
Example
(1) :bx¸m Æ :bx<y Æ :by¸m
(2) (bx<m)Ç (by·mÆby¸m)Ç (bx·y Æ by·m)
(3) (by·m ) (by<mÇby·x))Æ:bx<mÆ:by<m
by·x , by·m , bx·y : true
rest: false
SAT Solver
I: (y=x Æ y·m)
[m > 0]x := 0; y :=
0;while (x < m) x := x+1; y := y+1;[y=m]
I
Obtained from solvinglocal/small SMT queries
![Page 26: TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A](https://reader030.vdocument.in/reader030/viewer/2022032709/5681329d550346895d993bb8/html5/thumbnails/26.jpg)
Going beyond Invariant Generation with Constraint-based techniques…
26
Bonus Material
Where can we go?
![Page 27: TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A](https://reader030.vdocument.in/reader030/viewer/2022032709/5681329d550346895d993bb8/html5/thumbnails/27.jpg)
Postcondition: The best fit line shouldn’t deviate more than half a pixel from the real line, i.e., |y – (Y/X)x| · 1/2
27
Example: Bresenham’s Line Drawing Algorithm
[0<Y·X]v1:=2Y-X; y:=0; x:=0;while (x · X) out[x] := y; if (v1<0) v1:=v1+2Y; else v1:=v1+2(Y-X); y++;return out;[8k (0·k·X ) |out[k]–(Y/X)k| · ½)]
![Page 28: TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A](https://reader030.vdocument.in/reader030/viewer/2022032709/5681329d550346895d993bb8/html5/thumbnails/28.jpg)
28
Transition System Representation
[0<Y·X]v1:=2Y-X; y:=0; x:=0;while (x·X) v1<0: out’=Update(out,x,y) Æ v’1=v1+2Y Æ y’=y Æ
x’=x+1 v1¸0: out’=Update(out,x,y) Æ v1=v1+2(Y-X) Æ
y’=y+1Æ x’=x+1[8k (0·k·X ) |out[k]–(Y/X)k| · ½)] [Pre]
sentry;while (gloop) gbody1: sbody1; gbody2: sbody2;[Post]
Where, gbody1: v1<0gbody2: v1¸0gloop: x·Xsentry: v1’=2Y-X Æ y’=0 Æ x’=0sbody1: out’=Update(out,x,y) Æ v’1=v1+2Y Æ x’=x+1 Æ
y’=ysbody2: out’=Update(out,x,y) Æ v’1=v1+2(Y-X) Æ x’=x+1
Æ y’=y+1
Or, equivalently,
![Page 29: TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A](https://reader030.vdocument.in/reader030/viewer/2022032709/5681329d550346895d993bb8/html5/thumbnails/29.jpg)
29
Verification Constraint Generation & SolutionPre Æ sentry ) I’I Æ gloop Æ gbody1 Æ sbody1 )
I’I Æ gloop Æ gbody2 Æ sbody2 )
I’I Æ :gloop ) Post
0<Y·X Æ v1=2(x+1)Y-(2y+1)X Æ 2(Y-X)·v1·2Y Æ 8k(0·k·x ) |out[k]–(Y/X)k| · ½)
Given Pre, Post, gloop, gbody1, gbody2, sbody1, sbody2, we can find solution for I using constraint-based techniques.
Verification Constraint:
I:
![Page 30: TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A](https://reader030.vdocument.in/reader030/viewer/2022032709/5681329d550346895d993bb8/html5/thumbnails/30.jpg)
30
The Surprise!
Verification Constraint:
Pre Æ sentry ) I’I Æ gloop Æ gbody1 Æ sbody1 )
I’I Æ gloop Æ gbody2 Æ sbody2 )
I’I Æ :gloop ) Post
• What if we treat each g and s as unknowns like I?• We get a solution that has gbody1 = gbody2 = false.
– This doesn’t correspond to a valid transition system.– We can fix this by encoding gbody1 Ç gbody2 = true.
• We now get a solution that has gloop = true.
– This corresponds to a non-terminating loop.– We can fix this by encoding existence of a ranking
function.• We now discover each g and s along with I.
– We have gone from Invariant Synthesis to Program Synthesis.
![Page 31: TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A](https://reader030.vdocument.in/reader030/viewer/2022032709/5681329d550346895d993bb8/html5/thumbnails/31.jpg)
Fixpoint Brush
• Iterative and monotonic– Forward– Backward
• Template/Constraint based
Proof rules
• Iterative, but non-monotonic– Probabilistic Inference– Learning
31
![Page 32: TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A](https://reader030.vdocument.in/reader030/viewer/2022032709/5681329d550346895d993bb8/html5/thumbnails/32.jpg)
• Problem specific.
• Requires understanding of commonly used design patterns.
• Can provide the most scalable solution, if applicable.
Case Study: Ranking function computation for estimating loop bounds.
32
Proof Rules
![Page 33: TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A](https://reader030.vdocument.in/reader030/viewer/2022032709/5681329d550346895d993bb8/html5/thumbnails/33.jpg)
Consider the loop while (cond) X := F(X)Transition system representation s: cond Æ
X’=F(X)
Example: Transition system representation of the loop while (x < n) {x++; n--;} is x<n Æ x’=x+1 Æ n’=n-1
An integer valued function r is a ranking function for transition s if
s ) (r>0) s ) r[X’/X]·r-1We denote this by Rank(r,s).
33
Ranking Function
![Page 34: TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A](https://reader030.vdocument.in/reader030/viewer/2022032709/5681329d550346895d993bb8/html5/thumbnails/34.jpg)
• Iterative Forward– Instrument counter c and find an upper bound n.
n-c is a ranking function. (Gulwani, Mehra, Chilimbi, POPL ‘09)
• Constraint-based– Assume a template a0 + iaixi for the ranking function r
and then solve for ai’s in the constraint
9ai (s ) (r>0 Æ r[X’/X]·r-1) using Farkas lemma– Goal directed– Complete PTIME method for synthesis of linear ranking
fns.• Podelski, Rybalchenko; VMCAI ‘04
• Proof Rules– “The Reachability Bound Problem”, Gulwani, Zuleger,
PLDI ‘1034
Finding Ranking Functions
![Page 35: TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A](https://reader030.vdocument.in/reader030/viewer/2022032709/5681329d550346895d993bb8/html5/thumbnails/35.jpg)
If s ) (e>0 Æ e[X’/X] < e), then Rank(e,s).Candidates for e: e1-e2, for any conditionals e1 >
e2 in s
• n>0 Æ n’·n Æ A[n]A[n’] – Ranking function: n
If s ) (e¸1 Æ e[X’/X] · e/2), then Rank(log e,s).Candidates for e: e1/e2 for any conditionals e1 > e2
in s
• i’=i/2 Æ i>1– Ranking function: log (i)
• i’=2£i Æ i>0 Æ n>i Æ n’=n – Ranking function: log (n/i)
35
Arithmetic Iteration Patterns
![Page 36: TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A](https://reader030.vdocument.in/reader030/viewer/2022032709/5681329d550346895d993bb8/html5/thumbnails/36.jpg)
If s ) (RSB(e’) < RSB(e) Æ e0), then Rank(RSB(e),s)Candidates for e: all bitvector variables x in s• x’=x&(x-1) Æ x0
– Ranking function: x•
– Ranking function: RSB(x)/2
RSB: Position of rightmost significant 1-bit
36
Bit-vector Iteration Pattern
Input: bitvector b while (BitScanForward(&id1,b)) b := b | ((1 << id1)-1); if (BitScanForward(&id2,~x)
break; b := b & (~((1 << id2)-1);
![Page 37: TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A](https://reader030.vdocument.in/reader030/viewer/2022032709/5681329d550346895d993bb8/html5/thumbnails/37.jpg)
Let Rank(r1,s1) and Rank(r2,s2).Non-Interference NI(s1,s2,r2):• Non-enabling condition: s1 ± s2 = false• Rank preserving condition: s1 ) r2[x’/x] · r2
If NI(s1,s2,r2) and NI(s2,s1,r1), then Max(0,r1) + Max(0,r2) is a ranking fn for s1 Ç s2.
If NI(s1,s2,r2) then (r1,r2) is a lexicographic ranking fn for s1 Ç s2.
37
Composing ranking functions
![Page 38: TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A](https://reader030.vdocument.in/reader030/viewer/2022032709/5681329d550346895d993bb8/html5/thumbnails/38.jpg)
Useful for backward symbolic execution across loops.
If s ) e’ ≤ e + c, then eafter ≤ ebefore + c£Rank(s)
38
Relating values before/after a loop
n := mwhile (e) { …… n :=
n+3; ……}
nafter · nbefore + 3£Rank(s)
![Page 39: TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A](https://reader030.vdocument.in/reader030/viewer/2022032709/5681329d550346895d993bb8/html5/thumbnails/39.jpg)
Fixpoint Brush
• Iterative and monotonic– Forward– Backward
• Template/Constraint based
• Proof-rules
• Iterative, but non-monotonic– Probabilistic Inference– Learning
39
![Page 40: TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A](https://reader030.vdocument.in/reader030/viewer/2022032709/5681329d550346895d993bb8/html5/thumbnails/40.jpg)
Undergraduate Textbook on Algorithms by Cormen, Leiserson, Rivest, Stein describes 3 fundamental methods for recurrence solving:
• Iteration Method– Expands/unfolds the recurrence relation
40
Recurrence Solving Techniques
![Page 41: TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A](https://reader030.vdocument.in/reader030/viewer/2022032709/5681329d550346895d993bb8/html5/thumbnails/41.jpg)
Expand (unfold) the recurrence and express it as a summation of terms.
Consider the recurrence:T(n) = n + 3T(n/4)
T(n) = n + 3(n/4) + 9 T(n/16) = n + 3(n/4) + 9(n/16) + 27 T(n/64) ≤ n + 3(n/4) + 9(n/16) + 27(n/64) + … + 3log
4n θ(1)
≤ [n ∑i≥0 (3/4)i]+ θ(3log4n)
= 4n + o(n) = O(n)
41
Iteration Method
![Page 42: TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A](https://reader030.vdocument.in/reader030/viewer/2022032709/5681329d550346895d993bb8/html5/thumbnails/42.jpg)
Undergraduate Textbook on Algorithms by Cormen, Leiserson, Rivest, Stein describes 3 fundamental methods for recurrence solving:
Example of a recurrence: T(n)=T(n-1)+2n Æ T(0)=0
• Iteration Method– Expands/unfolds the recurrence relation– Similar to Iterative approach
• Substitution Method– Assumes a template for a closed-form
42
Recurrence Solving Techniques vs. Our Fixpoint Brush
Recurrence Solving Techniques vs. Our Fixpoint Brush
![Page 43: TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A](https://reader030.vdocument.in/reader030/viewer/2022032709/5681329d550346895d993bb8/html5/thumbnails/43.jpg)
Involves guessing the form of the solution and then substituting it in the equations to find the constants.
Consider the recurrence: T(n)=T(n-1)+2n Æ T(0)=0
• Let T(n) ≤ an2 + bn + c for some a,b,c• T(n) ≤ a(n-1)2+b(n-1)+c + 2n = an2 + (b-2a+2)n
+ (a+c-b) This implies (b-2a+2) ≤ b and (a+c-b) ≤ c• T(0) = c This implies c=0• Hence, b ≥ a ≥ 1
43
Substitution Method
![Page 44: TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A](https://reader030.vdocument.in/reader030/viewer/2022032709/5681329d550346895d993bb8/html5/thumbnails/44.jpg)
Undergraduate Textbook on Algorithms by Cormen, Leiserson, Rivest, Stein describes 3 fundamental methods for recurrence solving:
Example of a recurrence: T(n)=T(n-1)+2n Æ T(0)=0
• Iteration Method– Expands/unfolds the recurrence relation– Similar to Iterative approach
• Substitution Method– Assumes a template for a closed-form– Similar to Template/Constraint-based approach
• Master’s Method– Provides a cook-book solution for T(n)=aT(n/b)
+f(n) 44
Recurrence Solving Techniques vs. Our Fixpoint Brush
Recurrence Solving Techniques vs. Our Fixpoint Brush
![Page 45: TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A](https://reader030.vdocument.in/reader030/viewer/2022032709/5681329d550346895d993bb8/html5/thumbnails/45.jpg)
Provides a cook-book method for solving recurrences of the form T(n) = aT(n/b)+f(n), where a≥1 and b>1.
• If f(n) = O(nlogba – є) for some constant є > 0,
then T(n) = θ(nlogba).
• If f(n) = θ(nlogba), then T(n) = θ(nlog
ba lg n).
• If f(n) = O(nlogba + є) for some constant є > 0,
and if a f(n/b) ≤ c f(n) for some constant c < 1 and all sufficiently large n, then T(n) = θ(f(n)).
Requires memorization of three cases, but then the solution of many recurrences can be determined quite easily, often with pencil and paper.
45
Master’s Method
![Page 46: TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A](https://reader030.vdocument.in/reader030/viewer/2022032709/5681329d550346895d993bb8/html5/thumbnails/46.jpg)
Undergraduate Textbook on Algorithms by Cormen, Leiserson, Rivest, Stein describes 3 fundamental methods for recurrence solving:
Example of a recurrence: T(n)=T(n-1)+2n Æ T(0)=0
• Iteration Method– Expands/unfolds the recurrence relation– Similar to Iterative approach
• Substitution Method– Assumes a template for a closed-form– Similar to Template/Constraint-based approach
• Master’s Method– Provides a cook-book solution for T(n)=aT(n/b)
+f(n)– Similar to Proof-rules approach
46
Recurrence Solving Techniques vs. Our Fixpoint Brush
Recurrence Solving Techniques vs. Our Fixpoint Brush
![Page 47: TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A](https://reader030.vdocument.in/reader030/viewer/2022032709/5681329d550346895d993bb8/html5/thumbnails/47.jpg)
Fixpoint Brush
• Iterative and monotonic– Forward– Backward
• Template/Constraint based
• Proof-rules
• Iterative, but non-monotonic (Distance to fixed-point decreases in each iteration).
Probabilistic Inference– Learning
47
![Page 48: TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A](https://reader030.vdocument.in/reader030/viewer/2022032709/5681329d550346895d993bb8/html5/thumbnails/48.jpg)
Prog. Point
Invariant
entry x=0
1 x=0 Æ y=50
2 x·50 )y=50 Æ 50·x )x=y Æ x·100
3 x·50 )y=50 Æ 50·x )x=y Æ x<100
4 x<50 Æ y=50
5 x·50 Æ y=50
6 50·x<100 Æ x=y
7 50<x·100 Æ x=y
8 x·50 )y=50 Æ 50·x )x=y Æ x·100
exit y=100
Example
y := 50;
y = 100
False
x := x+1; x := x+1;y := y+1;
x < 50
x<100
True
True False
1
2
3
4
5
6
7
8
x = 0 Proof of Validity
entry
exit
48
![Page 49: TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A](https://reader030.vdocument.in/reader030/viewer/2022032709/5681329d550346895d993bb8/html5/thumbnails/49.jpg)
Probabilistic Inference for Program Verification
• Initialize invariants at all program points to any element (from an abstract domain over which the proof exists)
• Pick a program point (randomly) whose invariant is locally inconsistent & update it to make it less inconsistent.
49
![Page 50: TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A](https://reader030.vdocument.in/reader030/viewer/2022032709/5681329d550346895d993bb8/html5/thumbnails/50.jpg)
Consistency of an invariant I at program point
I is consistent at iff Post() ) I Æ I ) Pre()• Post() is the strongest postcondition of “the invariants at
the predecessors of ” at • Pre() is the weakest precondition of “the invariants at
the successors of ” at • Example:
I
Q
2
P
R
c
1
3 4
• Post(2) = StrongestPost(P,s)
• Pre(2) = (c ) Q) Æ (: c ) R)
s
50
![Page 51: TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A](https://reader030.vdocument.in/reader030/viewer/2022032709/5681329d550346895d993bb8/html5/thumbnails/51.jpg)
Measuring Inconsistency of an invariant I at
Local inconsistency of invariant I at program point =
IM(Post(), I) + IM(I, Pre())
Where the inconsistency measure IM(1, 2) is some approximation of the number of program states that violate 1 ) 2
51
![Page 52: TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A](https://reader030.vdocument.in/reader030/viewer/2022032709/5681329d550346895d993bb8/html5/thumbnails/52.jpg)
Example of an inconsistency measure IM
Consider the abstract domain of Boolean formulas (with the usual implication as the partial order).
Let 1 ´ a1 Ç … Ç an in DNF
and 2 ´ b1 Æ … Æ bm in CNF
IM(1, 2) = (ai,bj)
where (ai,bj) = 0, if ai ) bj
= 1, otherwise
52
![Page 53: TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A](https://reader030.vdocument.in/reader030/viewer/2022032709/5681329d550346895d993bb8/html5/thumbnails/53.jpg)
• Program Verification as Probabilistic Inference; Gulwani, Jojic; POPL ’07
• Learning Regular Sets from Queries and Counterexamples;
Angluin; Information and Computing ‘87– Learning Synthesis of interface specifications for Java
classes; Alur, Madhusudan, Nam; POPL ‘05. – Learning meets verification;
Leucker; FMCO ‘06
• May/Must Analyses?
• Game-theoretic Analyses?
53
Iterative but non-monotonic: References
![Page 54: TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A](https://reader030.vdocument.in/reader030/viewer/2022032709/5681329d550346895d993bb8/html5/thumbnails/54.jpg)
Fixpoint Brush: Summary
• Iterative and monotonic– Forward
• Requires method for Join, Existential Elimination– Backward
• Requires method for Abduct
• Template/Constraint based– Works well for small code-fragments– Requires a method to convert 8 to 9
• Proof rules– Scalable– Requires understanding of design patterns
• Iterative, but non-monotonic– Perhaps better for dealing with noisy systems.
54