Program Verification via Machine Learning Aditya V. Nori - PowerPoint PPT Presentation

  1. Program Verification via Machine Learning Aditya V. Nori Programming Languages and Tools group Microsoft Research India Joint work with Alex Aiken, Rahul Sharma (Stanford University)

  2. Software validation problem
  Does the software work?
  • "I hope some hacker cannot steal all my money, publish all my email on the web!"
  • "I hope it doesn't crash!"
  • "I hope this version still interoperates with other software!"
  • "I hope it can handle my peak transaction load!"

  3. Possible solution: Testing
  • The "old-fashioned" and practical method of validating software
  • Generate test inputs and see if we can find a test that violates the assertion

  4. What's wrong with testing?
  If we view testing as a "black-box" activity, Dijkstra is right! After executing many tests, we still don't know if there is another test that can violate the assertion.

  5. Program verification
  "The algorithmic discovery of properties of a program by inspection of the source text" - Manna and Pnueli, "Algorithmic Verification"
  Also known as: static analysis, static program analysis, formal methods, …

  6. The problem
  • Given
    • a sequential program P with input I (say, written in C, C#, Java, …)
    • an assertion "assert(e)" (or a set of assertions)
  • Questions
    • Bug: does there exist an execution of the program P for some input I such that the assertion is violated?
    • Proof: does the assertion hold for all possible inputs?

  7. Proving correctness
    1: x = y = 0;           pc = 2 ⇒ x = y
    2: while (*)            pc = 3 ⇒ x = y
    3:   x++; y++;          pc = 4 ⇒ x = y
    4: while (x != 0)       pc = 5 ⇒ x = y
    5:   x--; y--;          pc = 6 ⇒ x = 0 ∧ y = 0
    6: assert(y == 0);

  8. Program verification
  Safety: is the assertion satisfied for all possible inputs?
    1: x = y = 0;
    2: while (*)
    3:   x++; y++;
    4: while (x != 0)
    5:   x--; y--;
    6: assert (y == 0);
  Termination: does gcd terminate for all inputs x, y?
    1: gcd(int x, int y)
    2: {
    3:   assume(x>0 && y>0);
    4:   while (x != y) {
    5:     if (x > y) x = x-y;
    6:     if (y > x) y = y-x;
    7:   }
    8:   return x;
    9: }

  9. Current state of the affairs
  Safety
  • SLAM, Yogi (device drivers)
  • ASTREE (avionics software)
  • Technology: predicate abstraction, abstract interpretation, …
  Termination
  • Terminator (device drivers)
  • O, P, LR, LF, …
  • Technology: abstract interpretation, transition invariants, ranking functions, …

  10. Question • Most applications are associated with test suites, primarily used for regression or random testing • Can we use these test suites for proving program correctness?

  11. This talk
  A Guess-and-Check loop over the program, a set of tests t and a candidate π:
  • Guess: analyze data (the tests t) to infer π
  • Check: validate π using PA; use failures to generate new tests t
  • Proving safety: Guess = classification, π = loop invariant
  • Proving termination: Guess = regression, π = loop bound

  12. Proving correctness
    1: x = y = 0;           pc = 2 ⇒ 2y ≤ 2x + 1 ∧ 2y ≥ 2x − 1
    2: while (*)            pc = 3 ⇒ 2y ≤ 2x + 1 ∧ 2y ≥ 2x − 1
    3:   x++; y++;          pc = 4 ⇒ 2y ≤ 2x + 1 ∧ 2y ≥ 2x − 1
    4: while (x != 0)       pc = 5 ⇒ 2y ≤ 2x + 1 ∧ 2y ≥ 2x − 1
    5:   x--; y--;          pc = 6 ⇒ x = 0 ∧ y = 0
    6: assert(y == 0);
  The annotations on the right are the invariants.

  13. Partial correctness of programs
  • {A} c {B}: executing a command c in a state satisfying A leads to a state that satisfies B, or c does not terminate
    • A is the precondition
    • B is the postcondition
  • Example: {y ≤ x} z := x; z := z + 1 {y < z}
  • This form is called a Hoare triple or Hoare assertion

  14. Checking assertions
  • Deciding {A} c {B}:
    1. Run the program starting from all states satisfying A
    2. Check that each final state satisfies B
  • Is this possible?

  15. Derivations
  • ⊢ A: when we can prove assertion A
  • ⊢ {A} c {B}: when we can prove/derive the assertion {A} c {B}

  16. Derivation rules for assertions
  Natural deduction style axioms, for example:
  • from ⊢ A and ⊢ B, infer ⊢ A ∧ B
  • from ⊢ A ⇒ B and ⊢ A, infer ⊢ B
  • …

  17. Derivation rules for Hoare triples
  • ⊢ {A} c {B}: if this can be derived using the derivation rules
  • One derivation rule for each command in the language
  • Together with a rule of consequence: from ⊢ A′ ⇒ A, ⊢ {A} c {B} and ⊢ B ⇒ B′, infer ⊢ {A′} c {B′}

  18. Derivation rules for Hoare logic
  • Skip: ⊢ {A} skip {A}
  • Sequencing: from ⊢ {A} c1 {B} and ⊢ {B} c2 {C}, infer ⊢ {A} c1; c2 {C}
  • Conditional: from ⊢ {A ∧ b} c1 {B} and ⊢ {A ∧ ¬b} c2 {B}, infer ⊢ {A} if b then c1 else c2 {B}
  • Loop: from ⊢ {A ∧ b} c {A}, infer ⊢ {A} while b do c {A ∧ ¬b}

  19. Proving correctness
    1: x = y = 0;           pc = 2 ⇒ 2y ≤ 2x + 1 ∧ 2y ≥ 2x − 1
    2: while (*)            pc = 3 ⇒ 2y ≤ 2x + 1 ∧ 2y ≥ 2x − 1
    3:   x++; y++;          pc = 4 ⇒ 2y ≤ 2x + 1 ∧ 2y ≥ 2x − 1
    4: while (x != 0)       pc = 5 ⇒ 2y ≤ 2x + 1 ∧ 2y ≥ 2x − 1
    5:   x--; y--;          pc = 6 ⇒ x = 0 ∧ y = 0
    6: assert(y == 0);
  The annotations on the right are the invariants.
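As an added worked example (not on the slides), here is how the rules of slide 18 discharge the annotations of slide 7 for the same program, using the simpler invariant I ≡ x = y. The assignment axiom {B[e/x]} x := e {B} is standard Hoare logic but is not listed on the slides and is assumed here; the nondeterministic while (*) is treated as a loop whose guard b is unconstrained.

$$
\begin{aligned}
&\text{Init (assignment axiom twice, then consequence):}\quad \{\mathit{true}\}\; x := 0;\; y := 0\; \{x = 0 \land y = 0\}, \qquad x = 0 \land y = 0 \Rightarrow I \\
&\text{Loop 1 (while rule):}\quad \{I \land b\}\; x := x + 1;\; y := y + 1\; \{I\} \quad\text{since } x + 1 = y + 1 \Leftrightarrow x = y;\qquad \text{exit: } I \land \lnot b \Rightarrow I \\
&\text{Loop 2 (while rule):}\quad \{I \land x \neq 0\}\; x := x - 1;\; y := y - 1\; \{I\} \quad\text{since } x - 1 = y - 1 \Leftrightarrow x = y \\
&\text{Exit of loop 2 (consequence):}\quad I \land \lnot(x \neq 0) \;\Rightarrow\; x = 0 \land y = 0 \;\Rightarrow\; y = 0
\end{aligned}
$$

Chaining these with the sequencing rule gives ⊢ {true} program {y = 0}, which is exactly what assert(y == 0) demands; each line corresponds to one pc = k ⇒ … annotation of slide 7, and the interpolant 2y ≤ 2x + 1 ∧ 2y ≥ 2x − 1 of slide 12 works the same way because over the integers it is equivalent to x = y.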

  20. Example
    1: x = y = 0;
    2: if (*)
    3:   x++; y++;
    4:
    5: if (x != 0)
    6:   x--; y--;
    7: if (x == 0)
    8:   assert (y == 0);
  • A (the prefix up to line 4) ≡ x1 = 0 ∧ y1 = 0 ∧ ite(b, x = x1 + 1 ∧ y = y1 + 1, x = x1 ∧ y = y1)
  • B (the suffix from line 5 that violates the assertion) ≡ ite(x ≠ 0, x2 = x − 1 ∧ y2 = y − 1, x2 = x ∧ y2 = y) ∧ x2 = 0 ∧ y2 ≠ 0
  • A ∧ B = ⊥
  • I(x, y) ≡ 2y ≤ 2x + 1 ∧ 2y ≥ 2x − 1

  21. Interpolants (simple invariants)
  • A = x ≥ y
  • B = y ≥ x + 1
  • I = 2x + 1 ≥ 2y
  • A ⇒ I
  • I ∧ B = ⊥
  • vars(I) ⊆ vars(A) ∩ vars(B)
  (The slide plots A, B and I in the x-y plane.)

  22. Existing work
  • Interpolants used in tools: BLAST, IMPACT, …
  • Based on symbolic techniques
    • Interpolants from proofs (Krajíček ['97], Pudlák ['97], McMillan ['05], …)
    • Interpolants from constraint solving (Rybalchenko et al. ['07])

  23. Interpolants (simple invariants) as a classifier
  • A = x ≥ y
  • B = y ≥ x + 1
  • I = 2x + 1 ≥ 2y
  (The same plot as slide 21, now read as a classifier that separates the A region from the B region.)

  24. Binary classification
  • Input: a set of points X with labels l ∈ {+1, −1}
  • Goal: find a classifier C: X → {true, false} such that:
    • C(a) = true for all a ∈ X with label(a) = +1, and
    • C(b) = false for all b ∈ X with label(b) = −1

  25. Binary classification
  • Input (training data): a set of points X with labels l ∈ {+1, −1}
  • Goal (training): find a classifier C: X → {true, false} such that:
    • C(a) = true for all a ∈ X with label(a) = +1, and
    • C(b) = false for all b ∈ X with label(b) = −1
  • Also, C should be predictive

  26. Interpolants as classifiers
  Pipeline: program and tests t → Classifier → π → Check
  • A ⇒ π ?
  • π ∧ B = ⊥ ?
  • If a check fails, add the counterexamples to t
  Reference: Interpolants as Classifiers. Sharma, Nori, Aiken, Computer-Aided Verification (CAV 2012)

  27. Example
    1: x = y = 0;
    2: while (*)
    3:   x++; y++;
    4: while (x != 0)
    5:   x--; y--;
    6: assert (y == 0);

  28. Example
    1: x = y = 0;
    2: if (*)
    3:   x++; y++;
    4:
    5: if (x != 0)
    6:   x--; y--;
    7: if (x == 0)
    8:   assert (y == 0);
  • A ≡ x1 = 0 ∧ y1 = 0 ∧ ite(b, x = x1 + 1 ∧ y = y1 + 1, x = x1 ∧ y = y1)
  • B ≡ ite(x ≠ 0, x2 = x − 1 ∧ y2 = y − 1, x2 = x ∧ y2 = y) ∧ x2 = 0 ∧ y2 ≠ 0
  • A ∧ B = ⊥, I(x, y) ≡ x = y

  29. Example
  • A ≡ x1 = 0 ∧ y1 = 0 ∧ ite(b, x = x1 + 1 ∧ y = y1 + 1, x = x1 ∧ y = y1)
  • B ≡ ite(x = 0, x2 = x − 1 ∧ y2 = y − 1, x2 = x ∧ y2 = y) ∧ x2 = 0 ∧ y2 ≠ 0
  • I(x, y) ≡ 2y ≤ 2x + 1
  (The slide plots the sample points (0,0) and (1,1) in the x-y plane together with the line I.)

  30. The Basic algorithm
    Basic(A, B)
      vars := common variables of A and B;
      Add Samples(vars, A) to X+;
      Add Samples(vars, B) to X−;
      sep := BinaryClassifier(X+, X−);
      h := ContainingPred(sep, X+);
      return h

  31. Problems with Basic
  1. Data is not linearly separable
  2. The candidate interpolant might not be an interpolant
  (The slide shows a plot in the x-y plane of points that no single line separates.)

  32. No separating inequality?
  • For each x ∈ X−: h_x = BC(X+, {x})
  • return ⋀_x h_x (the conjunction of the per-point classifiers)
  (Plot: the points (0,1), (1,1), (1,0), (0,0) in the x-y plane.)
  Result: I ≡ 2y ≤ 2x + 1 ∧ 2y ≥ 2x − 1
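An added toy implementation of this Guess-and-Check loop (not code from the slides or from the authors' tool), covering the Check step of slide 26, the Basic algorithm of slide 30 and the per-negative-point variant of slide 32, applied to the A and B of slide 20. Assumptions: A and B are evaluated over a small constructed integer box and Check is brute-force enumeration over that box, standing in for the SMT-based check of the real tool; an integer perceptron stands in for the unspecified BinaryClassifier; the ContainingPred step is skipped and the separating half-plane is used directly.

```python
import itertools
BOX = range(-3, 4)  # constructed bounded domain that the toy Check step enumerates

def A(x, y):
    """Slide 20's A: x1 = y1 = 0, then either (x++, y++) or nothing happens."""
    return (x, y) in {(0, 0), (1, 1)}

def B(x, y):
    """Slide 20's B: one step of `if (x != 0) x--, y--` reaches x2 == 0 and y2 != 0."""
    x2, y2 = (x - 1, y - 1) if x != 0 else (x, y)
    return x2 == 0 and y2 != 0

def perceptron(pos, neg, max_passes=1000):
    """Stand-in for BinaryClassifier: (a, b, c) with a*x + b*y + c > 0 on pos, < 0 on neg."""
    w = [0, 0, 0]
    data = [(p, 1) for p in sorted(pos)] + [(n, -1) for n in sorted(neg)]
    for _ in range(max_passes):
        stable = True
        for (x, y), sign in data:
            if sign * (w[0] * x + w[1] * y + w[2]) <= 0:  # misclassified: update w
                w = [w[0] + sign * x, w[1] + sign * y, w[2] + sign]
                stable = False
        if stable:
            return tuple(w)
    raise RuntimeError("samples are not linearly separable")

def holds(interp, x, y):
    """Candidate interpolant: the conjunction of half-planes of slide 32."""
    return all(a * x + b * y + c > 0 for a, b, c in interp)

def check(interp):
    """Check (slide 26): A implies pi, and pi and B unsat, over BOX; None or a counterexample."""
    for x, y in itertools.product(BOX, BOX):
        if A(x, y) and not holds(interp, x, y):
            return ("pos", (x, y))
        if B(x, y) and holds(interp, x, y):
            return ("neg", (x, y))
    return None

def guess_and_check(x_pos, x_neg):
    """Basic (slide 30), one classifier per negative point (slide 32), with feedback."""
    x_pos, x_neg = set(x_pos), set(x_neg)
    while True:
        interp = [perceptron(x_pos, {n}) for n in sorted(x_neg)]
        cex = check(interp)
        if cex is None:
            return interp  # guess_and_check({(0,0),(1,1)}, {(0,1)}) -> 3 half-planes
        (x_pos if cex[0] == "pos" else x_neg).add(cex[1])
```

Starting from the two test states (0,0), (1,1) and the single bad state (0,1), the first guess 2x − 2y + 1 > 0 is refuted by Check with the new bad state (0,−3), the second guess is refuted by (1,0), and the third guess (y ≥ 0 ∧ y ≤ x ∧ y ≥ x, i.e. x = y ≥ 0 on the box) passes.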
