using Model Checking and Abstract Interpretation Anvesh Komuravelli CMU Joint work with Ken McMillan The Problem ArrayManipulating Program P Assertions Automatic analysis for assertion failures ID: 377681
Download Presentation The PPT/PDF document "Quantified Invariants in Rich Domains" is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Slide1
Quantified Invariants in Rich DomainsusingModel Checking and Abstract Interpretation
Anvesh Komuravelli, CMU
Joint work with Ken McMillanSlide2
The Problem
Array-Manipulating Program
P
+ Assertions
Automatic analysis forassertion failures
Safe + Proof
Unsafe + CEX
Unknown + Partial Proof
1
Quantified Invariants!Slide3
Quantified Invariants, Typically2
Specialized Abstract Domains
E.g. Segmentation abstraction,
Indexed Predicate Abstraction,
Points-to Analysis, etc.RestrictiveFalse warnings
Unrestricted Model CheckingE.g. Interpolation-based
Hard to find the right quantifiersDivergence
Rich-enough abstract domain?Slide4
The abstract domain3
i
:= 0;
while (
i < n) { //
a[i] := c; i++;
}assume (0 ≤ k < n)assert (a[k] = c)
Quantified variables
Predicate signature
Abstract
Domain
Goal: Find a quantifier-free interpretation
of the predicatesSlide5
Guess-and-check doesn’t work anymore!4
i
:= 0;
while (
i < n) { //
a[i] := c; i++;
}assume (0 ≤ k < n)assert (a[k] = c)
Given a guess for
P, how to check if it suffices?
FOL validity is undecidable!
Can we still use existing model checkers?Slide6
Let’s look at the VCs5
i
:= 0;
while (
i < n) { //
a[i] := c; i++;
}assume (0 ≤ k < n)assert (a[k] = c)Slide7
Pulled to the outermost scope
Let’s look at the VCs
6Slide8
Let’s look at the VCs
7
Real challenge!
Find a sufficient set of witnessesSlide9
Let’s look at the VCs
8
Reduces to quantifier-free
invariant
generation
(use an off-the-shelfmodel checker)Slide10
Two Goals9
i
:= 0;
while (
i < n) { //
a[i] := c; i++;
}assume (0 ≤ k < n)assert (a[k] = c)
Quantified variables
Predicate signature
Abstract
Domain
Goal 2: Find a quantifier-free interpretation
of the predicates
Goal 1: Find a sufficient set of
witnesses for
jSlide11
A Strategy10
Guess some witnesses
Check if they suffice using a model checker
Y
Found Proof
N
Give up!
Eager Syntactic Pattern Matching
[
BMR13]
[BMR13]:
On Solving Universally Quantified Horn Clauses
,
Bjorner
, McMillan,
Rybalchenko
, SAS’13
Unguided instantiation
Worst-case unbounded
Grows exponentially with number of quantified
vars
May choke the model checker
No
fall-back
strategySlide12
Our Strategy11
Guess some witnesses
Check if they suffice using a model checker
Y
Found Proof
N
CEX
Refine the guess
Constraint on the witness
Guess-and-check,
but of the witnesses and
not the invariant itselfSlide13
Obtaining Strong Constraints12
Generalized Counterexamples
Strong Constraints
Symbolic Counterexamples
Number of variables = O(size)Constraint solving becomes harder (easily diverging)
Ground Counterexamples
+Abstract InterpretationSlide14
Note – one witness suffices!13
is equivalent to
May not be expressible!Slide15
Concrete vs. Abstract14Slide16
Concrete vs. Abstract15Slide17
The algorithm
16
[B]
[L]
[E]Slide18
The algorithm17
Instantiate
Check
[B]
[L]
[E]
P(k
0
,v0
,i0,c0)
P(k1,v1,i1
,c1)P(k
2,v2,i2
,c
2
)
B
L
L
ESlide19
The algorithm18
Instantiate
Check
P(k
0
,v0,i0,c
0)P(k1,v
1,i1,c1)
P(k2,v2,i2,c2)
B
L
LE
AnalyzeSlide20
The algorithm19
Instantiate
Check
P(0,0,0,0)
P(
0,0,1,0
)P(0,0,2,0)
B
LL
EAnalyze
✕
?
✕
?
✕
?
✕
?Slide21
P(0,0,0,0)P(0,1,0,0)
P(0,2,0,0)
B
L
L
E
✕
?
✕
?
✕
?
✕
?
Use
k
for
j
The algorithm
20
Instantiate
Check
AnalyzeSlide22
The algorithm21
Instantiate
[B]
[L]
[E]Slide23
The algorithm22
Instantiate
[B]
[L]
[E]
…Slide24
Finding a new witness23
Given
Constraint
Check
local
vars
quantified variable
Skolem
Template
f
Solve for
t
using sampling-based approach
restrict to
linear templatesSlide25
Add
l
c
to existing samples S
Pick candidate
t
c
Quantifier Alternation using Sampling
24
?
Y
Return
t
c
CEX
l
c
?
N
CEX
S
N
Y
New
candidate
t
c
Source of Divergence!
Quantifier Elimination
Eliminate arrays
(thanks to
Nikolaj
for
the discussion),
Cheap QE of integersSlide26
Abstract Post, in practice25
1. Cheap QE tricks, case-split on equalities on
j
, etc.
2. Under-approximate, otherwise.
Solve Generalize models
1. Cheap QE tricks, case-split on array-index arguments, etc.
2. Under-approximate, otherwise.Solve an SMT problemGeneralize modelsSlide27
Experiments26
Implemented “
qe_array
” tactic in Z3
Prototype in Python using Z3Py interface for witness generation
Automatically generated “sufficient witnesses” for small array-manipulatingprograms (BMR13) – array init, find, copy, concatenate, reverse, etc.Used GPDR engine in Z3 to solve for quantifier-free predicates
Up to two universal quantifiers per predicateWitness was just a local variable in the VCSlide28
Moving forward…27
Scalability
Handle large programs (with multiple procedures)
How to pick relevant “set” of witnesses?
Can we synthesize guards to combine them into a single witness?
Implementation-wiseCache previous AI resultsReuse bounded proofs – Proof-based Abstraction
Lazy QE – postponing to later steps?
AlternativesUse over-approximations of reachable statesWitness may not exist – need to refine the approximationSlide29
Questions?
28