Slide 1
Compositional Verification of Procedural Programs using Horn Clauses over Integers and Arrays
Anvesh Komuravelli (work done at Carnegie Mellon University)
Joint work with Nikolaj Bjørner, Arie Gurfinkel, and Kenneth McMillan
Slide 2
In essence…
Efficiently under-approximating projections, in the presence of array quantifiers.

Slide 3
Why projections?
- Image computation
- Computing weakest preconditions (e.g., in IC3-style reasoning)
- Computing must summaries for procedural programs
Slide 4
SAT assignments to x
But, Quantifier Elimination is expensive!
Under-approximate the Projection!
Model-based Projection (MBP)
Slide 5
MBP for Propositional Logic
Model M: u1 = 0, u2 = 1, x1 = 0, x2 = 0, x3 = 1
Substitute 0/u1, 1/u2 (under-approximates)
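The substitution step on this slide, as an added Python example that is not from the deck: the formula phi and the model are constructed here, the eliminated variables u1, u2 are replaced by their values in the model, and the result is checked to be satisfied by the model and to imply (strictly) the exact projection obtained by enumerating u1, u2.

```python
from itertools import product

# Constructed example (not the deck's own formula): phi over the eliminated
# variables U = {u1, u2} and the kept variables X = {x1, x2, x3}.
#   phi = (~u1 | x1) & (~u2 | x3) & (u1 | u2 | x2)
U = ("u1", "u2")
X = ("x1", "x2", "x3")

def phi(v):
    return ((not v["u1"]) or v["x1"]) and ((not v["u2"]) or v["x3"]) \
        and (v["u1"] or v["u2"] or v["x2"])

# The model M from the slide: u1=0, u2=1, x1=0, x2=0, x3=1 (it satisfies phi).
MODEL = {"u1": False, "u2": True, "x1": False, "x2": False, "x3": True}

def all_assignments(names):
    return [dict(zip(names, bits))
            for bits in product((False, True), repeat=len(names))]

def exact_projection(formula, x_vals):
    """Exists U. formula, evaluated at x_vals by enumerating every U (exponential in |U|)."""
    return any(formula({**x_vals, **u_vals}) for u_vals in all_assignments(U))

def mbp(formula, model):
    """Model-based projection for propositional logic: substitute the model's
    values for U. The returned predicate mentions X only."""
    u_vals = {u: model[u] for u in U}
    return lambda x_vals: formula({**x_vals, **u_vals})

def check_mbp(formula, model):
    """Return (model satisfies MBP, MBP implies exact projection, strictly weaker)."""
    assert formula(model), "MBP is only defined for a model of the formula"
    proj = mbp(formula, model)
    xs = all_assignments(X)
    model_ok = proj({x: model[x] for x in X})
    implies = all((not proj(xv)) or exact_projection(formula, xv) for xv in xs)
    strict = any(exact_projection(formula, xv) and not proj(xv) for xv in xs)
    return model_ok, implies, strict

if __name__ == "__main__":
    # Here MBP reduces to x3, while the exact projection is x1 | x2 | x3.
    print(check_mbp(phi, MODEL))  # (True, True, True)
```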
Slide 6
MBP for Linear (Real) Arithmetic
Infinite space of models – Substitution Method does not work!
Loos-Weispfenning's equivalence: pick a disjunct based on the model
Slide 7
What if we have array variables?
- Arrays are common for modeling heap memory
- In the presence of procedures, can't get rid of them easily!
- Inlining procedure calls and (hopefully) lowering arrays to registers bloats the program size exponentially
- Recursive procedures cannot be inlined
- MBP for the (extensional) theory of arrays?
Slide 8
Eliminating Array Quantifiers

Slide 9
Eliminating array quantifiers can introduce quantifiers of index/value sort! (Ackermann Reduction)

Slide 10
ArrayQE basically has 3 steps
- Eliminate Writes
- Eliminate (Partial) Equalities/Disequalities
- Eliminate Reads (aka Ackermann Reduction)
(the result can have quantifiers of index/value sorts)
Slide 11
ArrayQE Example
Eliminate Writes

Slide 12
ArrayQE Example
Eliminate Writes
Partial Equality

Slide 13
ArrayQE Example
Eliminate Writes
Eliminate Equalities and Disequalities
substitute
substitute

Slide 14
ArrayQE Example
Eliminate Writes
Eliminate Equalities and Disequalities
Eliminate Reads
Slide 15
MBP for the Theory of Arrays (ARR)

Slide 16
ArrayMBP amounts to picking disjuncts from ArrayQE
Eliminate Writes
Slide 17
ArrayMBP Example
Eliminate Writes
substitute

Slide 18
ArrayMBP Example
Eliminate Writes
Eliminate Equalities and Disequalities
substitute

Slide 19
ArrayMBP Example
Eliminate Writes
Eliminate Equalities and Disequalities
Eliminate Reads

Slide 20
ArrayMBP Example
Eliminate Writes
Eliminate Equalities and Disequalities
Eliminate Reads
Slide 21
MBP for the combination LIA + ARR

Slide 22
In 2 steps:
- Eliminate array quantifiers using ArrayMBP (which can introduce integer quantifiers)
- Eliminate integer quantifiers using MBP for LIA

Slide 23
Caveat: Integer quantifiers cannot always be eliminated!
has no equivalent quantifier-free formula!
Fall back to the substitution method

Slide 24
Equality Resolution to avoid the Substitution Method
Slide 25
IC3-style compositional reasoning for Procedural Programs
- MBP for under-approximating weakest precondition
- Two kinds of procedure summaries:
  May Summaries: over-approximate QE with Interpolation
  Must Summaries: under-approximate QE with MBP
Ideas are implemented in our tool Spacer

Slide 26
Substitution method can lead to diverging interpolants!
…
…
Weakest Precondition
Under-approx
Slide 27
Heuristically privilege array (dis-)equalities

Slide 28
Experimental Evaluation

Slide 29
Compare Spacer with and without inlining
- The SeaHorn front-end has an option to inline procedure calls
- Inlining gets rid of most of the array variables, for the Device Drivers category of SV-COMP'15
- (Spacer minus ArrayMBP) can only handle a small fraction of the non-inlined programs

Slide 30
Compare Spacer with and without inlining
lots of time-outs

Slide 31
Conclusion
- Model-based Projection (MBP) for the extensional theory of arrays
- Quantifiers of index and value sort cannot always be eliminated
- Heuristics to avoid the model substitution method
- Practical advantage over SV-COMP'15 benchmarks
- Adapt the ideas to obtain Quantified Invariants?
Slide 32
Available postdoctoral positions
What: development and application of SeaHorn
Where: CMU/NASA Silicon Valley Campus
Contact:
Temesghen Kahsai, temesghen.kahsaiazene@nasa.gov
Arie Gurfinkel, arie@cmu.edu

Slide 33
Questions?