Umang Mathur P Madhusudan Mahesh Viswanathan Existing Decidable Classes Program Verification Unnatural program models Undecidable In general verification over infinite domains is undecidable ID: 785108
Download The PPT/PDF document "Decidable Verification of Uninterpreted ..." is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Slide1
Decidable Verification of Uninterpreted Programs
Umang Mathur
P. Madhusudan
Mahesh Viswanathan
Slide2Existing Decidable Classes
Program Verification
Unnatural program models
Undecidable
In general, verification over infinite domains is undecidable
Requires manual effort - contracts, loop invariants
Finite domain (Boolean programs)
Slide3Uninterpreted Programs
Programs with constants, functions and predicates that are completely uninterpreted
Interpretations are given by data modelSatisfies a post-condition
φ if φ holds in all data models
Slide4Contributions
Verification of uninterpreted programs is undecidable
Coherent and k-Coherent programs – Admit Decidable Verification
First
class of programs with
infinite domain
to admit
decidable
verification
Decidable with recursive function calls
Maximally decidable
- simple extensions become undecidable
PSPACE
without recursion
EXPTIME with
recursion
Slide5Uninterpreted Programs
<post-condition>
:= x
= y R(z1, z
2
, …,
z
k
) ¬
<post-condition> <post-condition>
∨
<post-condition>
Post-conditions
<prog>
:= <stmt> <post-condition>
<
stmt> :=
x
←
y
x
←
f(z
1
, z
2
, …,
z
k
)
if
<
cond> then <stmt> else <stmt> while <cond> <stmt> skip assume(<cond>) <stmt>;<stmt>
<cond> := x = y R(z1, z2, …, zk) ¬<cond> <cond> ∨ <cond>
Program Syntax
Slide6Uninterpreted Programs
Verification
(
P ⊨ φ)
P
⊨
φ
, if
for
every data model M (interpretation for constants, functions and relations in P), and
for every execution
ρ of P that is
feasible in M,
φ holds in M at the end of
ρ
Slide7Check if
for all interpretations of n and key
,and for all initial values of x,
y, b, r
and
k
the following formula holds at the end of each execution
b=T ⇒ key(r)=k
This is a
coherent
program and we can verify it without loop invariants !
Uninterpreted Programs
b
← F;while(x ≠
y){
if(
key(x)
=
k
)
then
{
b
←
T
;
r
←
x
;
}
x ← n(x);}@post: b=T ⇒ key(r)=k Search key k in list segment from x to y
Slide8Al
gebraic View of Program Executions
Sequence of basic statements
x ← y
x
←
f(z
1, z2
, …, zk)
assume(
x = y)
assume(
x ≠ y)
Algebraic view of executions:Compute terms using constants and function symbols
Accumulate assumptions involving terms
Slide9Algebraic
View of Program Executions
Sequence of basic statementsx
← y
x
←
f(z1
, z2, …, z
k)
assume(x
= y)
assume(x ≠
y)Algebraic
view of executions:Compute terms using constants and function symbolsAccumulate assumptions involving terms
Slide10Algebraic
View of Program Executions
assume(T
≠ F)
b
←
F
;
while(
x ≠ y){
d
← key(x);
if(
d = k)
then { b ← T;
}
x ← n(
x
);
}
Terms
Assumptions
Slide11Algebraic
View of Program Executions
assume(T ≠
F)b
←
F
;
while
(
x ≠ y){
d
← key(x);
if(d =
k) then
{ b ← T; }
x
← n(x);
}
x
0
d
0
F
0
y
0
T
0
b
0
x
d
y
F
T
b
Terms
Assumptions
k
0
k
Slide12Algebraic
View of Program Executions
assume(T
≠ F)
b
←
F
;
while
(x ≠ y
){
d ← key(x)
; if
(d = k
) then { b ← T;
} x ←
n
(
x
);
}
T
0
≠ F
0
Terms
Assumptions
x
0
d
0
F
0
y
0
T0
b
0
x
d
y
F
T
b
k
0
k
Slide13Algebraic
View of Program Executions
T
0 ≠ F
0
Terms
Assumptions
x
0
d
0
F
0
y
0
T
0
b
0
x
d
y
F
T
k
0
k
b
assume
(
T
≠
F
)
b
←
F
;
while
(
x
≠
y
){
d
←
key(x)
;
if
(
d
=
k
)
then
{
b
←
T
;
}
x
←
n
(
x
);
}
Slide14Algebraic
View of Program Executions
assume(T
≠ F)
b
←
F
;
while(
x ≠ y
){
d ← key(x);
if(
d = k)
then { b ← T;
}
x ← n
(
x
);
}
T
0
≠ F
0
x
0
≠ y
0
Terms
Assumptions
x
0
d
0
F
0y0
T
0
b
0
x
d
F
T
k
0
b
y
k
Slide15Algebraic
View of Program Executions
assume(T
≠ F)
b
←
F
;
while(
x ≠ y){
d
← key(x);
if(
d = k)
then { b ← T;
}
x ← n
(
x
);
}
T
0
≠ F
0
x
0
≠ y
0
Terms
Assumptions
x
0
d
0
F
0y0
T
0
b
0
x
F
T
k
0
b
y
k
key(x
0
)
d
Slide16Algebraic
View of Program Executions
assume(T
≠ F)
b
←
F
;
while(
x ≠ y){
d
← key(x);
if(
d = k)
then { b ← T;
}
x ← n
(
x
);
}
T
0
≠ F
0
x
0
≠ y
0
Terms
Assumptions
x
0
d
0
F
0y0
T
0
b
0
x
F
T
k
0
b
y
k
key(x
0
)
d
key(x
0
) ≠ k
0
Slide17Algebraic
View of Program Executions
key(x
0) ≠ k
0
T
0
≠ F
0
x
0
≠ y0
Terms
Assumptions
x
0
d
0
F
0
y
0
T
0
b
0
F
T
k
0
b
y
k
key(x
0
)
d
n(x
0
)
x
assume
(
T
≠
F
)
b
←
F
;
while
(
x
≠
y
){
d
←
key(x)
;
if
(
d
=
k
)
then
{
b
←
T
;
}
x
←
n
(
x
);
}
Slide18Algebraic
View of Program Executions
assume(T
≠ F)
b
←
F
;
while(
x ≠ y
){
d ← key(x);
if(
d = k)
then { b ← T;
}
x ← n
(
x
);
}
key(x
0
) ≠ k
0
T
0
≠ F
0
x
0
≠ y
0
n(x
0
) ≠ y0TermsAssumptions
x0d0F0
y
0
T
0
b
0
F
T
k
0
b
y
k
key(x
0
)
d
n(x
0
)
x
Slide19Algebraic
View of Program Executions
key(x
0) ≠ k
0
T
0
≠ F
0
x
0
≠ y0
n(x0
) ≠ y0
TermsAssumptions
x
0
d
0
F
0
y
0
T
0
b
0
F
T
k
0
b
y
k
key(x
0
)
n(x
0
)
x
assume
(
T
≠
F
)
b
←
F
;
while
(
x
≠
y
){
d
←
key(x)
;
if
(
d
=
k
)
then
{
b
←
T
;
}
x
←
n
(
x
);
}
key(n(x
0
))
d
Slide20Algebraic
View of Program Executions
assume(T
≠ F)
b
←
F
;
while(
x ≠ y){
d
← key(x);
if(
d = k)
then { b ← T;
}
x ← n
(
x
);
}
key(x
0
) ≠ k
0
T
0
≠ F
0
x
0
≠ y
0
n(x
0
) ≠ y0key(n(x0)) = k0Terms
Assumptionsx0d0
F
0
y
0
T
0
b
0
F
T
k
0
b
y
k
key(x
0
)
n(x
0
)
x
key(n(x
0
))
d
Slide21Algebraic
View of Program Executions
key(x
0) ≠ k
0
T
0
≠ F
0
x
0
≠ y0
n(x0
) ≠ y0
key(n(x0)) = k0
Terms
Assumptions
x
0
d
0
F
0
y
0
T
0
b
0
F
T
k
0
y
k
key(x
0
)
n(x
0
)
x
key(n(x
0
))
d
assume
(
T
≠
F
)
b
←
F
;
while
(
x
≠
y
){
d
←
key(x)
;
if
(
d
=
k
)
then
{
b
←
T
;
}
x
←
n
(
x
);
}
b
Slide22Algebraic
View of Program Executions
key(x
0) ≠ k
0
T
0
≠ F
0
x
0
≠ y0
n(x0
) ≠ y0
key(n(x0)) = k0
Terms
Assumptions
x
0
d
0
F
0
y
0
T
0
b
0
F
T
k
0
y
k
key(x
0
)
n(x
0
)
key(n(x
0
))
d
b
assume
(
T
≠
F
)
b
←
F
;
while
(
x
≠
y
){
d
←
key(x)
;
if
(
d
=
k
)
then
{
b
←
T
;
}
x
←
n
(
x
);
}
n(n(x
0
))
x
Slide23Coherence
Memoizing
=
+
Early Assumes
Coherence
A program execution is
coherent
if it is
memoizing
, and has
early assumes
Slide24Memoizing
Early Assumes
Don’t recompute terms.
If a term is recomputed, it must already be present in some variable
Make equality assumptions early.
Make equality assumptions between terms before forgetting a computed
superterm
Coherence
Slide25Coherence
Memoizing
If a term is
recomputed, then it must already be present in some variable
Let
𝞼
·
”
x ← f
(y)” be an execution such that t =
f(y)
was computed earlier in 𝞼.
Then some program variable z must store t
after 𝞼.
d d
Slide26Coherence
If a term is
recomputed, then it must already be present in some variableLet 𝞼
· ”x ← f
(y)
”
be an execution such that
t =
f(y)
or some t’~
t
was computed earlier in 𝞼.
Then some program variable z must store t
or some t” ~
t after 𝞼.
Memoizing
Equivalent according the assumptions seen so far in
𝞼
d
d
Slide27Coherence
Memoizing
assume
(
T
≠
F
)
b ←
F;
while(
x ≠ y){
d ←
key(x); if
(d = k) then {
b
← T;
}
x
←
n
(
x
);
}
All executions of this program are
memoizing
Slide28Memoizing
Early Assumes
Don’t recompute terms.
If a term is recomputed, it must already be present in some variable
Make equality assumptions early.
Make equality assumptions between terms before forgetting a computed
superterm
Coherence
Slide29Coherence
If two terms are assumed to be equal, make the assumption early
Let 𝞼 · ”
assume(x = y)
”
be an execution.
If
s
, a superterm
of the term stored in either x or y
(modulo ~
)has been computed in 𝞼,
then some program variable z must store a term equivalent to s at the end of
𝞼.
Early Assumes
Slide30Verification of Coherent Programs
A program is
coherent if all its executions are coherent
Verification of coherent programs is decidable
PSPACE-complete
for coherent programs without recursion
EXPTIME-complete
for recursive coherent programs
First
class of
infinite domain programs to admit decidable verification
Maximally decidable
– relaxing either memoizing
or early assumes leads to undecidability
Slide31Verification of Coherent Programs
Streaming Congruence Closure
Key Idea
Slide32Streaming Co
ngruence Closure
Constant memory streaming algorithm for analyzing executions
Maintain congruence closure of the set of terms corresponding only to current values of the program variables
Coherence
makes such an algorithm possible
Bounded Path decomposition
Slide33Streaming Co
ngruence Closure
Automaton A for streaming congruence closure accepting executions not satisfying postcondition
φStates of A
are
(~, d, P)
Equalities between variables
Dis-equalities between variables
Functional relationship between variables
x
=
y
x
≠
w
b
=
f(a)
Slide34Streaming Co
ngruence Closure
P ⊨ φ
if and only if Executions(P) ∩ L(
A
)
= ∅
For while programs, both Executions(
P) and L(A
) are regular - decidable.For recursive programs, both Executions(P) and L(
A) are visibly pushdown languages - decidable.
Slide35Verification of Coherent Programs
A program is
coherent if all its executions are coherent
Verification of coherent programs is decidable
PSPACE-complete
for coherent programs without recursion
EXPTIME-complete
for recursive coherent programs
Checking
if a program is coherent is also decidable
Slide36Non-coherent
assume(
x ≠ NIL);
y
←
n(x)
;
assume(y ≠
NIL);
y
← n(y);
while(y ≠
NIL){x ← n(x);
y ←
n(y); }
Coherent
1-coherent
assume
(
x
≠
NIL
);
y
←
n(x)
;
g
←
y; assume(y ≠ NIL); y ← n(y); while(y ≠
NIL){x ← n(x);g ← y;y ← n(y); }Add 1 ghost variablek-Coherence
Slide37Given
k ∈ ℕ,
the problem of
checking if P is k-coherent program is decidable in PSPACE
verification of k-coherent
programs is
PSPACE-complete
(EXPTIME-complete with recursion)
k
-Coherence
A program is
k-coherent if it can be made coherent by adding
k ∈ ℕ extra (write-only) ghost variables.
Slide38Concluding Remarks
Coherent and
k-Coherent programsCompletely automatic verification
First natural decidable class over infinite domain
Efficiently decidable
PSPACE for non-recursive
EXPTIME for recursive
Checking coherence and k-coherence is decidable
Evaluation as a program verifier (see
EUForia
, VMCAI’19
)Theories and axioms
Trace abstraction [Heizmann et al]
Summary
Future Work