Slide 1: A specialization calculus for program verification
Cristian Gherghina. Joint work with: Wei-Ngan Chin, Razvan Voicu, Quang Loc Le, Florin Craciun, Shengchao Qin
Slide 2: Focus
- Logics with inductive predicates provide an expressive abstraction mechanism.
- Becoming popular in the field of program analysis.
- Tricky to reason with efficiently.
Slide 3: Folding/Unfolding
Given a predicate definition [formula not reproduced].
Unfolding / Folding [diagram not reproduced].
Unfolding performance loss: unfolded states are costlier due to disjunctions.
Slide 4: Proposal
We introduce a sound and complete calculus to support pruning of infeasible disjuncts.
- Uses predicate specialization.
- Benefits:
  - eagerly discards unsatisfiable disjuncts
  - keeps the state in abstracted form
Slide 5: Overview
- Motivating example
- Informal description of the calculus
- Predicate specialization
- Annotation inference
- Experiments
Slide 6: Motivating Example
Slide 7: Motivation
Consider the entailment: [formula not reproduced]
The LHS unfolds to: [formula not reproduced]
Slide 8: Performance penalties
- Unfold operations are followed by costly satisfiability checks.
- The remaining satisfiable disjuncts expose considerable information; such detailed information is not always needed.
- Reasoning with larger formulas is inherently costly.
Slide 9: Overview
- Motivating example
- Informal description of the calculus
- Predicate specialization
- Correctness
- Experiments
Slide 10: Predicate definition changes
- Invariant family
- Pruning conditions
Slide 11: Entailment revisited
The previous entailment with annotations [formula not reproduced].
Predicate specialization, for list x:
- Pruning
- Invariant enrichment
Slide 12: Entailment revisited
Predicate specialization, for list y:
- Pruning
- Invariant enrichment
Slide 13: Overview
- Motivating example
- Informal description of the calculus
- Predicate specialization
- Annotation inference
- Experiments
Slide 14: Predicate Specialization
Convention: we will use the term context (C) to denote the pure part of the formula. The rationale is that C is the context in which predicate specialization takes place.
Slide 15: Predicate Specialization
Predicate specialization aims for:
- fewer viable branches: from L1 to L2
- fewer possible pruning conditions: from R1 to R2
- a stronger context: from C1 to C2
Slide 16: Predicate Specialization
Given a predicate instance [formula not reproduced]:
1. Pick a pruning condition.
2. Drop the infeasible branches from L.
3. Enrich the context.
4. Drop irrelevant pruning conditions.
Slide 17: Predicate Specialization (worked example)
L = {1,2}; C: [formula not reproduced]
From the pruning conditions [not reproduced], pick one [not reproduced].
It contradicts C [formula not reproduced]; such checks can be syntactic.
Drop the infeasible branches: [result not reproduced]
Add the invariant [not reproduced] to C, giving C1: [formula not reproduced]
Drop irrelevant pruning conditions.
Slide 18: Irrelevant pruning conditions
Given: C: [formula not reproduced]; L: {1}
Result: [formula not reproduced]
Slide 19: Predicate specialization gains
- Simple implication checks (mostly syntactic)
- Considerable drop in formula size after an unfold
- Increase in formula information without an unfold
Slide 20: Overview
- Motivating example
- Informal description of the calculus
- Predicate specialization
- Annotation inference
- Experiments
Slide 21: Annotation inference
We need a mechanism for computing:
- the invariant family
- the pruning conditions
Slide 22: Inferring the invariant family
Given a predicate definition:
- Compute the fixpoint of the predicate definition.
- For each possible set of branches, compute a conjunctive invariant.
Slide 23: Inferring the invariant family (for dll)
Replace the recursive occurrences with the fixpoint of the definition [symbols not reproduced].
For each possible subset of the branches:

Branch | Pure part of the branches      | Transformed to simple constraints | Approximated to a conjunction
{1}    | root=null                      | root=null                         | root=null
{2}    | [not reproduced]               | [not reproduced]                  | [not reproduced]
{1,2}  | (root=null) ∨ [not reproduced] | (root=null) ∨ [not reproduced]    | [not reproduced]
Slide 24: Inferring the pruning conditions
Given a predicate definition and the invariant families:
- Compute an approximation of the closure of the branch invariants.
- For each atomic constraint in all closures, construct the list of branches in which it appears (by which it is implied).
Slide 25: Inferring the pruning conditions
Compute an approximation of the transitive closure of each branch invariant, then group all branches that imply an atomic constraint.

Branch | Branch invariant | Transitive closure
{1}    | root=null        | root=null
{2}    | [not reproduced] | [not reproduced]
{1,2}  | [not reproduced] | [not reproduced]

Guard            | Branches
[not reproduced] | {1}
[remaining guard/branches rows not reproduced]
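As an added illustration, not the HIP implementation or the authors' code, the following Python models the specialization step of slide 16 together with the inference of invariant families (slide 23) and pruning conditions (slide 25). The two-branch dll-like predicate, its branch invariants, the syntactic negation table and the irrelevance criterion are all assumptions made here, not taken from the slides.

```python
from itertools import combinations

# Constructed negation table: contradiction with the context is checked
# purely syntactically, as the slides note such checks can be.
NEG = {"root=null": "root!=null", "n=0": "n>0"}
NEG.update({v: k for k, v in list(NEG.items())})

# Assumed branch invariants of a two-branch dll-like predicate:
# branch 1 is the empty list, branch 2 a non-empty list.
BRANCH_INV = {1: {"root=null", "n=0"}, 2: {"root!=null", "n>0"}}

def invariant_family(branch_inv):
    """Slide 23: for every non-empty subset of branches, approximate the
    disjunction of its branch invariants by the atoms they all share."""
    fam = {}
    for k in range(1, len(branch_inv) + 1):
        for subset in combinations(sorted(branch_inv), k):
            shared = set(branch_inv[subset[0]])
            for b in subset[1:]:
                shared &= branch_inv[b]
            fam[frozenset(subset)] = frozenset(shared)
    return fam

def pruning_conditions(branch_inv):
    """Slide 25: map each atomic constraint to the branches that imply it."""
    conds = {}
    for b, atoms in branch_inv.items():
        for atom in atoms:
            conds.setdefault(atom, set()).add(b)
    return {atom: frozenset(bs) for atom, bs in conds.items()}

def specialize(L, R, C, fam):
    """Slide 16: one specialization step on instance p@L#R in context C.
    Returns (L2, R2, C2): fewer branches, fewer conditions, stronger context."""
    L2 = set(L)
    for guard, branches in R.items():        # pick each pruning condition
        if NEG.get(guard) in C:              # guard contradicts C, so ...
            L2 -= branches                   # ... its branches are infeasible
    # Enrich the context with the invariant of the surviving branch set.
    C2 = set(C) | (set(fam[frozenset(L2)]) if L2 else {"false"})
    # Assumed irrelevance criterion: a condition whose branches are all
    # pruned, or whose guard now holds in C2, can never prune anything more.
    R2 = {g: bs & L2 for g, bs in R.items() if bs & L2 and g not in C2}
    return frozenset(L2), R2, frozenset(C2)

if __name__ == "__main__":
    fam, R = invariant_family(BRANCH_INV), pruning_conditions(BRANCH_INV)
    print(specialize({1, 2}, R, {"root!=null"}, fam))
```

Running it with the context root!=null prunes branch 1, adds n>0 to the context, and leaves no pruning condition that could still fire.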
Slide 26: Overview
- Motivating example
- Informal description of the calculus
- Predicate specialization
- Annotation inference
- Experiments
Slide 27: Experiments
Added the calculus to a program verifier (HIP). Verified functional correctness for small and medium-sized programs with moderate complexity.
- A benchmark of 17 small programs (7% faster): singly, doubly, sorted and circular linked lists, selection sort, insertion sort, methods for handling heaps and perfect trees.
- Complex shapes and invariants (12-90% faster): red-black trees, balanced binary trees, quick sort, merge sort.
Slide 28: Changes
Formula size: 13%
Disjuncts per formula: 36%
Total verification time: 15%
Slide 29: Conclusions
Presented an effective, sound and complete calculus for predicate specialization.
Application of the calculus benefits in two ways:
- Keeps abstraction, where possible.
- Improves verification performance by pruning unsatisfiable disjuncts and propagating invariant constraints.
Various optimization techniques (details in the paper).
Slide 30: Questions? Thank you!
Slide 31: Specialization correctness theorems
Soundness (only unsatisfiable disjuncts have been pruned): if [premise not reproduced] then [conclusion not reproduced].
Completeness (all unsatisfiable disjuncts have been pruned): given that the set of pruning conditions satisfies the strongest closure property, and given a satisfiable context C and a predicate instance [not reproduced], if [condition not reproduced] then [formula not reproduced] is satisfiable, where D_i is the branch of predicate p with label i.
Slide 32: Predicate instance changes
Annotate predicate instances:
- Add a list of possibly satisfiable predicate branches.
- Add a list of feasible pruning conditions.
For example, dll(x,p,n,S)@{1,2}#{} indicates that both branches are possibly satisfiable. Only [conditions not reproduced] could still be used to prune predicate branches.