Slide 1
Rahul Sharma and Alex Aiken (Stanford University)

Slide 2: Example
  x = i; y = j;
  while y != 0 do
    x = x - 1; y = y - 1;
  if (i == j) assert x == 0
Candidate invariants: x = 0, x + y = 0, ... (No!); i + y = x + j (Yes!)

Slide 3: Benchmarks
Categories: Numerical, Arrays, Heap, Strings.
Benchmark names as extracted (the column layout did not survive): delete, PLDI08-1, NECLA-2, init, d-swap, delete-all, PLDI08-2, NECLA-3, init-nc, strcpy, find, PLDI08-3, SVCOMP-1, init-p, strlen, filter, PLDI08-4, SVCOMP-2, init-e, memcpy, last, synergy-1, SVCOMP-3, 2darray, find, reverse, synergy-2, SVCOMP-4, copy, find-n, TACAS06, monniaux, copy-p, append, NECLA-1, nested, copy-o, merge, length, reverse, alloc-f, replace, swap, alloc-nf, index, substring.

Slide 4: The problem
  assume P; while B do S; assert Q
- Find I that satisfies
  - P ⇒ I
  - {I ∧ B} S {I}
  - I ∧ ¬B ⇒ Q
- Find a valuation of the unknown predicates that makes the verification conditions (VCs) valid

Slide 5
- Given a set S of candidates
  - Goal is to find a candidate that satisfies the VCs
- This problem is hard!
- Effective domain-specific approaches exist
  - Numerical, arrays, linked lists, etc.
- Is it possible to have a general search procedure?

Slide 6
- (Domain-specific) Checker + (General) Search = Inference
- To obtain an invariant inference engine:
  - Instantiate the search with a search space
  - Use an SMT solver to check

Slide 7: Contributions
- A generally applicable randomized search
- Numerical, array, linked-list, and string invariants
- Competitive performance with specialized approaches

Slide 8
- Markov Chain Monte Carlo (MCMC) sampling
- The only known tractable solution method for high-dimensional irregular search spaces [Andrieu 03] [Chenney 00]

Slide 9: [figure; only stray numbers survived extraction]

Slide 10: MCMC search
  C ← random
  while (cost(C) ≠ 0)
    Propose a random modification to C
    if cost decreased then accept
    if cost increased then with some probability accept anyway
  return C

Slide 11
- cost(C) = 0 if C makes the VCs valid, 1 if C is not an invariant
- Problems:
  - Throughput < 1000 iterations per second
  - No incremental feedback

Slide 12
- Given sets of concrete states
  - G: some reachable states
  - B: some bad states
  - Z: some implications (pairs of states (s, t))
- cost(C) = Σ_{g ∈ G} ¬C(g) + Σ_{b ∈ B} C(b) + Σ_{(s,t) ∈ Z} C(s) ∧ ¬C(t)
  + Incremental feedback
  + Efficient to evaluate

Slide 13: Samples vs. VCs for a candidate C
  assume P; while B do S; assert Q
- P ⇒ C: reachable state g, I(g) = true; C is refuted if C(g) = false
- {C ∧ B} S {C}: pair (s, t) with I(s) ⇒ I(t); C is refuted if C(s) ∧ ¬C(t) = true
- C ∧ ¬B ⇒ Q: bad state b, I(b) = false; C is refuted if C(b) = true

Slide 14: Overall algorithm
- Given G, Z, and B, build the cost function
- Run the search until a 0-cost candidate C is found
  - The SMT solver checks that C satisfies all the VCs
  - If yes, then done
- Otherwise update G, Z, or B and repeat
  - SMT solvers can generate counterexamples
  - If not, generate them from executions

Slide 15: Numerical invariants
- Program has integral variables x_1 … x_n
- Search space: nested Boolean combination (i = 1..10, j = 1..10) of inequalities Σ_{k=1}^{n} w_{i,j,k} x_k ≤ c_{i,j}
- Transformations for MCMC:
  - Update a w
  - Update a c
  - Update all w' and c of a single inequality

Slides 16, 17: [figures]

Slide 18: Arrays
- Fluid updates abstraction of DDA (ESOP'10)
  - ∀u, v. φ(x_1, …, x_n, u, v) ⇒ a[u] = b[v]
- Z3 fails to generate counterexamples
- MCMC on this search space times out on ~30%
  - Restrict the search space: handle each in under a second

Slide 19: Heap
- Search space: Boolean combinations of atoms
  - Atoms are relations R(x_1, …, x_n)
  - Reachability relations
- Use EPR (CAV'13) for the check

Slide 20: Strings
- Operations that intermix strings and integers
  - length(s), indexOf(s1, s2), substr(s1, i1, i2), …
- Search space: Boolean combinations of predicates
- Z3-Str (FSE'13) for the check

Slide 21: Conclusions
- Static invariant inference is a hard problem, made easier by separating search and check
- Search-based techniques can work
  - Competitive with other methods
  - Easier to retarget to new domains
- Future work: scale MCMC to full program proofs

Slide 22: Related work
- Pranav Garg, Christof Löding, P. Madhusudan, Daniel Neider: ICE: A Robust Framework for Learning Invariants. CAV 2014
- Shachar Itzhaky, Nikolaj Bjørner, Thomas W. Reps, Mooly Sagiv, Aditya V. Thakur: Property-Directed Shape Analysis. CAV 2014
- Rajeev Alur, Rastislav Bodík, Garvit Juniwal, Milo M. K. Martin, Mukund Raghothaman, Sanjit A. Seshia, Rishabh Singh, Armando Solar-Lezama, Emina Torlak, Abhishek Udupa: Syntax-guided synthesis. FMCAD 2013
- Ashutosh Gupta, Rupak Majumdar, Andrey Rybalchenko: From tests to proofs. STTT 15(4) (2013)
- Yungbum Jung, Soonho Kong, Bow-Yaw Wang, Kwangkeun Yi: Deriving Invariants by Algorithmic Learning, Decision Procedures, and Predicate Abstraction. VMCAI 2010
- Sumit Gulwani, Nebojsa Jojic: Program verification as probabilistic inference. POPL 2007: 277-289
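The search of slides 10 to 15 applied to the slide-2 program, as an added example that is not code from the talk or from the authors' tool: the G/B/Z cost function, samples produced by running the loop, and a Metropolis-style MCMC over two-inequality candidates with coefficients in {-1, 0, 1} (that coefficient range, the move probabilities and the temperature are our assumptions). The SMT check of slide 14 is not included; a zero-cost candidate is what would be handed to it.

```python
import math, random

# Constructed instance for the slide-2 program, state = (x, y, i, j):
#   x = i; y = j; while y != 0: x -= 1; y -= 1; if i == j: assert x == 0
# Candidate invariant: conjunction of inequalities w.state <= c with coefficients
# in {-1, 0, 1} (a small cut of the slide-15 space; the range is our assumption).
VALS = (-1, 0, 1)

def holds(cand, state):
    """cand is a list of (w, c); true iff every inequality holds on state."""
    return all(sum(wi * vi for wi, vi in zip(w, state)) <= c for w, c in cand)

def cost(cand, G, B, Z):
    """Slide-12 cost: good states rejected + bad states accepted
    + implication pairs (s, t) with C(s) true but C(t) false."""
    return (sum(not holds(cand, g) for g in G) + sum(holds(cand, b) for b in B)
            + sum(holds(cand, s) and not holds(cand, t) for s, t in Z))

def samples():
    """G and Z from executing the loop; B from the negated assertion."""
    G, Z = [], []
    for i, j in [(3, 3), (5, 2), (0, 4), (2, 2)]:
        s = (i, j, i, j); G.append(s)
        while s[1] != 0:                      # one iteration: x - 1, y - 1
            t = (s[0] - 1, s[1] - 1, i, j)
            Z.append((s, t)); G.append(t); s = t
    B = [(x, 0, i, i) for i in (1, 3) for x in (-2, -1, 1, 2)]  # y == 0, i == j, x != 0
    return G, B, Z

def mcmc_search(G, B, Z, n_ineq=2, restarts=5, iters=3000, temp=0.7, seed=1):
    """Slide-10 loop: random proposal, accept if cost drops, else w.p. exp(-delta/temp)."""
    rng = random.Random(seed)
    new_ineq = lambda: (tuple(rng.choice(VALS) for _ in range(4)), rng.choice(VALS))
    for _ in range(restarts):
        cand = [new_ineq() for _ in range(n_ineq)]; cur = cost(cand, G, B, Z)
        for _ in range(iters):
            if cur == 0:
                return cand                   # zero cost: hand to the SMT check next
            k, r = rng.randrange(n_ineq), rng.random()
            w, c = cand[k]
            if r < 0.1:                       # slide-15 move: redo a whole inequality
                w, c = new_ineq()
            elif r < 0.8:                     # move: update one coefficient w
                w = list(w); w[rng.randrange(4)] = rng.choice(VALS); w = tuple(w)
            else:                             # move: update the constant c
                c = rng.choice(VALS)
            new = cand[:k] + [(w, c)] + cand[k + 1:]
            nc = cost(new, G, B, Z)
            if nc <= cur or rng.random() < math.exp((cur - nc) / temp):
                cand, cur = new, nc
    return None                               # budget exhausted (search is randomized)
```

The slide-2 invariant i + y = x + j is the pair of inequalities x - y - i + j ≤ 0 and -x + y + i - j ≤ 0, which scores cost 0 on these samples.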