Slide 1
From Invariant Checking to Invariant Inference Using Randomized Search
Rahul Sharma and Alex Aiken (Stanford University)
Slide 2
Randomized Search

Example program (used throughout the talk):

    x = i; y = j;
    while y != 0 do
        x = x - 1; y = y - 1;
    if (i == j) assert x == 0

Candidate invariants proposed by the search are checked against this program: No! ... Yes!

Slide 3
Invariants

Benchmark programs by domain (names as listed on the slide):

Numerical: PLDI08-1, PLDI08-2, PLDI08-3, PLDI08-4, synergy-1, synergy-2, TACAS06, NECLA-1, NECLA-2, NECLA-3, SVCOMP-1, SVCOMP-2, SVCOMP-3, SVCOMP-4, monniaux, nested

Arrays: init, init-nc, init-p, init-e, 2darraycopy, copy-p, copy-o, reverse, swap, d-swap, strcpy, strlen, memcpy, find, find-n, append, merge, alloc-f, alloc-nf

Heap: delete, delete-all, find, filter, last, reverse

Strings: length, replace, index, substring

Slide 4
Loop Invariant Inference

    assume P
    while B do
        S
    assert Q

Find an invariant I that satisfies the verification conditions (VCs): P implies I; if I and B hold before S, then I holds again after S; and I together with not B implies Q. Equivalently: find a valuation of the unknown predicate I that makes the VCs valid.

Slide 5
Inference as Search

Given a set of candidate invariants, the goal is to find a candidate that satisfies the VCs.

This problem is hard! There are effective domain-specific approaches (numerical, arrays, linked lists, etc.). Is it possible to have a general search procedure?

Slide 6
C2I

(Domain-specific) Checker + (General) Search = Inference

To obtain an invariant inference engine for a domain: instantiate the search with a search space of candidate invariants, and use an SMT solver as the checker.

Slide 7
Main Contribution

- A generally applicable randomized search: numerical, array, linked-list, and string invariants
- Competitive performance with specialized approaches

Slide 8
MCMC Search

Markov Chain Monte Carlo (MCMC) sampling: the only known tractable solution method for high-dimensional irregular search spaces [Andrieu 03][Chenney 00].

Slide 9
MCMC Overview

(Figure on the slide: a random walk through the search space, with the visited candidates labelled 73, 47, 42, 29, 37, 17, 23.)

Slide 10
Search

    while (...)
        propose a random modification to the current candidate
        if the cost decreased, accept it
        if the cost increased, accept it anyway with some probability
    return the current candidate

Slide 11
Cost Function (First Attempt)

Problems:
- Throughput below 1000 iterations per second
- No incremental feedback

Slide 12
Cost Function (Fixed)

Given sets of concrete states
    G: some reachable states
    B: some bad states
    Z: some implications (pairs of states (s, t))

the cost of a candidate I counts the samples it gets wrong: the g in G with I(g) false, the b in B with I(b) true, and the pairs (s, t) in Z with I(s) true but I(t) false. A candidate with cost 0 is consistent with every sample collected so far.

- Efficient to evaluate
- Incremental feedback

Slide 13
Concrete States

    assume P
    while B do
        S
    assert Q

Reachable state: a state at the loop head reached by running the program from an input satisfying P (these populate G).

Pair (s, t): s is a state at the loop head in which B holds, and t is the state after executing S from s (these populate Z).

Bad state: a state in which B is false but Q is also false, i.e. the assertion would fail if the loop exited there (these populate B).

Slide 14
Overall Algorithm

Given G, Z, and B for the cost function:
1. Run the search until a 0-cost candidate is found.
2. The SMT solver checks that the candidate satisfies all the VCs.
3. If yes, then done.
4. If not, update G, Z, or B and repeat. SMT solvers can generate counterexamples; if they cannot, generate new states from executions.

Slide 15
LIA Invariants

Program has integral variables.

Search space: formulas built from linear inequalities over the program variables (each inequality has one coefficient per variable and a constant).

Transformations for MCMC:
- Update a coefficient
- Update a constant
- Update all coefficients and the constant of a single inequality
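The following is an added example, not the authors' C2I implementation, that runs the whole pipeline of slides 10 to 15 on the slide-2 program: a Metropolis random walk over conjunctions of linear inequalities, the sample-based cost function over G, B and Z, and the check-and-refine loop. Two assumptions are mine: the SMT solver is replaced by a bounded exhaustive checker over a small box of states (so it runs offline), and coefficients and constants are drawn from {-1, 0, 1}. The seeded bad states in initial_samples are constructed, and all function names are my own.

```python
# Added example, not the authors' code: a toy C2I loop for the slide-2 program.
# Assumption: a bounded exhaustive checker stands in for the SMT solver.
import itertools
import math
import random

COEFFS = CONSTS = (-1, 0, 1)  # values tried for coefficients and constants (assumed)
BOUND = 2                     # checker enumerates all states with every variable in [-2, 2]
NUM_INEQS = 2                 # a candidate invariant is a conjunction of this many inequalities
# Slide 2: x = i; y = j; while y != 0 do x = x-1; y = y-1; if (i == j) assert x == 0
def init_state(i, j): return (i, j, i, j)            # a state is the tuple (x, y, i, j)
def guard(s): return s[1] != 0                        # loop condition B
def body(s): return (s[0] - 1, s[1] - 1, s[2], s[3])  # loop body S

def satisfies(cand, s):
    """cand is a tuple of ((a, b, c, d), k), each meaning a*x + b*y + c*i + d*j <= k."""
    for (a, b, c, d), k in cand:
        if a * s[0] + b * s[1] + c * s[2] + d * s[3] > k:
            return False
    return True

def random_ineq(rng):
    return (tuple(rng.choice(COEFFS) for _ in range(4)), rng.choice(CONSTS))

def cost(cand, G, B, Z):
    """Slide 12: good states excluded + bad states included + implications broken."""
    return (sum(not satisfies(cand, g) for g in G)
            + sum(satisfies(cand, b) for b in B)
            + sum(satisfies(cand, s) and not satisfies(cand, t) for s, t in Z))

def mutate(cand, rng):
    """Slide 15 moves: change one coefficient, one constant, or a whole inequality."""
    k = rng.randrange(len(cand))
    coeffs, const = cand[k]
    move = rng.randrange(3)
    if move == 0:
        idx = rng.randrange(4)
        coeffs = coeffs[:idx] + (rng.choice(COEFFS),) + coeffs[idx + 1:]
    elif move == 1:
        const = rng.choice(CONSTS)
    else:
        coeffs, const = random_ineq(rng)
    return cand[:k] + ((coeffs, const),) + cand[k + 1:]

def mcmc_search(cand, G, B, Z, rng, beta=1.0, max_iters=100_000):
    """Slide 10: Metropolis walk; downhill always accepted, uphill with prob exp(-beta*delta)."""
    cur = cost(cand, G, B, Z)
    for _ in range(max_iters):
        if cur == 0:
            return cand
        prop = mutate(cand, rng)
        new = cost(prop, G, B, Z)
        if new <= cur or rng.random() < math.exp(-beta * (new - cur)):
            cand, cur = prop, new
    return None

def check_vcs(cand):
    """Stand-in for the SMT check: the three VCs on every state in the box; None if all hold."""
    vals = range(-BOUND, BOUND + 1)
    for i, j in itertools.product(vals, repeat=2):           # P => I
        if not satisfies(cand, init_state(i, j)):
            return ("good", init_state(i, j))
    for s in itertools.product(vals, repeat=4):
        if not satisfies(cand, s):
            continue
        if guard(s):                                           # I and B, then S => I
            if not satisfies(cand, body(s)):
                return ("pair", (s, body(s)))
        elif s[2] == s[3] and s[0] != 0:                       # I and not B => Q
            return ("bad", s)
    return None

def initial_samples(rng, runs=5, max_steps=3):
    """Slides 13-14: G and Z from executions; B seeded with constructed bad states."""
    G, Z = set(), set()
    for _ in range(runs):
        s = init_state(rng.randint(-BOUND, BOUND), rng.randint(-BOUND, BOUND))
        for _ in range(max_steps):
            G.add(s)
            if not guard(s):
                break
            Z.add((s, body(s)))
            s = body(s)
    return G, {(x, 0, k, k) for x in (-1, 1) for k in (-1, 0, 1)}, Z  # exited, i == j, x != 0

def infer_invariant(seed=0, max_rounds=100):
    """Slide 14: search to cost 0, check, grow G/B/Z with the counterexample, repeat."""
    rng = random.Random(seed)
    G, B, Z = initial_samples(rng)
    cand = tuple(random_ineq(rng) for _ in range(NUM_INEQS))
    for _ in range(max_rounds):
        found = mcmc_search(cand, G, B, Z, rng)
        if found is None:                      # search budget exhausted: restart
            cand = tuple(random_ineq(rng) for _ in range(NUM_INEQS))
            continue
        verdict = check_vcs(found)
        if verdict is None:
            return found
        {"good": G, "bad": B, "pair": Z}[verdict[0]].add(verdict[1])
        cand = found
    return None
```

Every counterexample the checker returns is violated by the candidate that produced it, so the next round's cost is at least 1 and the walk must move; the true invariant x - y = i - j (two inequalities with constant 0) has cost 0 on every sample set the loop can build, so a target always exists. Several weaker conjunctions are also inductive and imply the assertion (for instance x - i <= 0 together with y - j <= x - i), so the search may return any of them; what it returns is whatever first passes the check.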
Slide 16
Safety Properties
Slide 17
Non-termination
Slide 18
Arrays

- Search space: the fluid updates abstraction of DDA (ESOP'10)
- Z3 fails to generate counterexamples in this domain
- MCMC on the full search space times out on ~30% of the benchmarks
- Restricting the search space: each benchmark is handled in under a second

Slide 19
Lists

- Search space: Boolean combinations of atoms
- Atoms are relations (reachability relations)
- Use EPR (CAV'13) for the check

Slide 20
Strings

- Operations that intermix strings and integers: length(s), indexOf(s1, s2), substr(s1, i1, i2), ...
- Search space: Boolean combinations of predicates
- Z3-Str (FSE'13) for the check

Slide 21
Conclusion

- Static invariant inference is a hard problem, made easier by separating search and check
- Search-based techniques can work: competitive with other methods, and easier to retarget to new domains
- Future work: scale MCMC to full program proofs

Slide 22
Related Work

- Pranav Garg, Christof Löding, P. Madhusudan, Daniel Neider: ICE: A Robust Framework for Learning Invariants. CAV 2014
- Shachar Itzhaky, Nikolaj Bjørner, Thomas W. Reps, Mooly Sagiv, Aditya V. Thakur: Property-Directed Shape Analysis. CAV 2014
- Rajeev Alur, Rastislav Bodík, Garvit Juniwal, Milo M. K. Martin, Mukund Raghothaman, Sanjit A. Seshia, Rishabh Singh, Armando Solar-Lezama, Emina Torlak, Abhishek Udupa: Syntax-Guided Synthesis. FMCAD 2013
- Ashutosh Gupta, Rupak Majumdar, Andrey Rybalchenko: From Tests to Proofs. STTT 15(4), 2013
- Yungbum Jung, Soonho Kong, Bow-Yaw Wang, Kwangkeun Yi: Deriving Invariants by Algorithmic Learning, Decision Procedures, and Predicate Abstraction. VMCAI 2010
- Sumit Gulwani, Nebojsa Jojic: Program Verification as Probabilistic Inference. POPL 2007, pp. 277-289