proving and inferring invariants
play

Proving and inferring invariants David Monniaux CNRS / VERIMAG - PowerPoint PPT Presentation

Aug 19, 2023 •251 likes •956 views

Proving and inferring invariants David Monniaux CNRS / VERIMAG Grenoble, France December 13, 2013 David Monniaux (CNRS / VERIMAG) Proving and inferring invariants December 13, 2013 1 / 54 Grenoble David Monniaux (CNRS / VERIMAG) Proving

  1. Proving and inferring invariants David Monniaux CNRS / VERIMAG Grenoble, France December 13, 2013 David Monniaux (CNRS / VERIMAG) Proving and inferring invariants December 13, 2013 1 / 54

  2. Grenoble David Monniaux (CNRS / VERIMAG) Proving and inferring invariants December 13, 2013 2 / 54

  3. VERIMAG VERIMAG is a joint research laboratory of CNRS, Universit´ e Joseph Fourier (Grenoble-1) and Grenoble-INP David Monniaux (CNRS / VERIMAG) Proving and inferring invariants December 13, 2013 3 / 54

  4. Plan Safety properties 1 Inductive invariants 2 Policy iteration 3 Min-policy iteration Max-policy iteration Implicit graphs Unknown template shape 4 Conclusion 5 David Monniaux (CNRS / VERIMAG) Proving and inferring invariants December 13, 2013 4 / 54

  5. Safety properties Proving properties of programs : safety : the program never enters an undesirable state (crash, variable too large for specification, assertion violation. . . ) liveness : the program progresses (no entering into deadlocks or neverending loops) David Monniaux (CNRS / VERIMAG) Proving and inferring invariants December 13, 2013 5 / 54

  6. Safety properties Proving properties of programs : safety : the program never enters an undesirable state (crash, variable too large for specification, assertion violation. . . ) liveness : the program progresses (no entering into deadlocks or neverending loops) In this talk, focus on safety (liveness often uses safety properties). David Monniaux (CNRS / VERIMAG) Proving and inferring invariants December 13, 2013 5 / 54

  7. Proofs on programs A program written in a real programmming language ⇓ Its semantics : its “meaning” in mathematical terms David Monniaux (CNRS / VERIMAG) Proving and inferring invariants December 13, 2013 6 / 54

  8. Proofs on programs A program written in a real programmming language ⇓ Its semantics : its “meaning” in mathematical terms For real languages (C, C++, PHP. . . ), very difficult and fraught with errors. We’ll bravely assume the problem solved and suppose a toy language with well-defined mathematical semantics. David Monniaux (CNRS / VERIMAG) Proving and inferring invariants December 13, 2013 6 / 54

  9. Properties to prove A property in natural language (e.g. “the program sorts the array”) ⇓ A mathematical property (e.g. definition of the total order on array elements, the output is sorted, it is a permutation of the input. . . ) David Monniaux (CNRS / VERIMAG) Proving and inferring invariants December 13, 2013 7 / 54

  10. Properties to prove A property in natural language (e.g. “the program sorts the array”) ⇓ A mathematical property (e.g. definition of the total order on array elements, the output is sorted, it is a permutation of the input. . . ) Again, fraught with errors. We’ll bravely assume mathematically defined properties. David Monniaux (CNRS / VERIMAG) Proving and inferring invariants December 13, 2013 7 / 54

  11. The setting A set C of control points : instructions heads of control blocks lines of program Memory state as a vector of variables in S (can be Z n (or Q n , or B m × Q n where B = { 0 , 1 } Booleans) For i , j ∈ C , a transition relation τ i , j ⊆ S × S (often expressed with x , y , . . . variables before and x ′ , y ′ , . . . after) A starting state q 0 ∈ C and a “bad” state q B ∈ C . David Monniaux (CNRS / VERIMAG) Proving and inferring invariants December 13, 2013 8 / 54

  12. Concrete example j = 0; for ( int i=0; i<100; i++) { j = j+2; } i ≥ 100 i ′ = 0 i ′ = i j ′ = 0 j ′ = j q 0 q 1 q 2 i < 100 i ′ = i + 1 j ′ = j + 2 David Monniaux (CNRS / VERIMAG) Proving and inferring invariants December 13, 2013 9 / 54

  13. Concrete example with an assertion j = 0; for ( int i=0; i<100; i++) { j = j+2; } assert(j < 210); i ′ = i i ≥ 100 i ′ = 0 i ′ = i j ′ = j j ′ = 0 j ′ = j j < 210 q 0 q 1 q 2 q 3 i ′ = i j ′ = j q B j ≥ 210 i < 100 i ′ = i + 1 j ′ = j + 2 David Monniaux (CNRS / VERIMAG) Proving and inferring invariants December 13, 2013 10 / 54

  14. Proving safety Whether q B is reachable. . . David Monniaux (CNRS / VERIMAG) Proving and inferring invariants December 13, 2013 11 / 54

  15. Proving safety Whether q B is reachable. . . Is an undecidable problem ( halting problem ) David Monniaux (CNRS / VERIMAG) Proving and inferring invariants December 13, 2013 11 / 54

  16. Plan Safety properties 1 Inductive invariants 2 Policy iteration 3 Min-policy iteration Max-policy iteration Implicit graphs Unknown template shape 4 Conclusion 5 David Monniaux (CNRS / VERIMAG) Proving and inferring invariants December 13, 2013 12 / 54

  17. Floyd-Hoare-like proofs (Ideas dating back to at least Robert Floyd and C.A.R Hoare, late 1960s, and even to Turing): Adorn each state q i in the automaton with a formula φ i Show that these formulas are inductive : if φ i ( x ) and τ i , j ( x , x ′ ) then φ j ( x ) Check that the formula φ 0 for q 0 (initial state) is “true” Check that the formula φ B for q B (bad state) is “false” David Monniaux (CNRS / VERIMAG) Proving and inferring invariants December 13, 2013 13 / 54

  18. Floyd-Hoare-like proofs (Ideas dating back to at least Robert Floyd and C.A.R Hoare, late 1960s, and even to Turing): Adorn each state q i in the automaton with a formula φ i Show that these formulas are inductive : if φ i ( x ) and τ i , j ( x , x ′ ) then φ j ( x ) Check that the formula φ 0 for q 0 (initial state) is “true” Check that the formula φ B for q B (bad state) is “false” By induction on the length of the computation, the system state ( c , x ) ∈ S × S can never exit the φ i “invariant”: For any reachable ( c , x ), x satifies φ c . David Monniaux (CNRS / VERIMAG) Proving and inferring invariants December 13, 2013 13 / 54

  19. Direct induction does not necessarily work Program initialization: − 1 ≤ x ≤ 1 ∧ y = 0 Operation: ( x ′ , y ′ ) = rotate (( x , y ) , 45) − 1 ≤ x ≤ 1 ∧ − 1 ≤ y ≤ 1 is always true. . . David Monniaux (CNRS / VERIMAG) Proving and inferring invariants December 13, 2013 14 / 54

  20. Direct induction does not necessarily work Program initialization: − 1 ≤ x ≤ 1 ∧ y = 0 Operation: ( x ′ , y ′ ) = rotate (( x , y ) , 45) − 1 ≤ x ≤ 1 ∧ − 1 ≤ y ≤ 1 is always true. . . But not by induction! Need some stronger inductive property e.g. x 2 + y 2 ≤ 1. David Monniaux (CNRS / VERIMAG) Proving and inferring invariants December 13, 2013 14 / 54

  21. With invariants j = 0; for ( int i=0; i<100; i++) { j = j+2; } assert(j < 210); i ′ = i i ≥ 100 i ′ = 0 i ′ = i j ′ = j j ′ = 0 j ′ = j j < 210 i = j i = 100 true true j = 200 i ≤ 100 i ′ = i j ′ = j i < 100 false i ′ = i + 1 j ≥ 210 j ′ = j + 2 David Monniaux (CNRS / VERIMAG) Proving and inferring invariants December 13, 2013 15 / 54

  22. Checking inductive invariants A tool requires the user to provide invariants, and checks that they are inductive. Possible if the invariants φ i and the transition relations τ i , j are within a decidable theory : Check that φ i ∧ τ i , j ∧ ¬ φ j is unsatisfiable for all i , j . Various degrees of automation Tools : Frama-C, Why, B-Method, Frama-C. . . David Monniaux (CNRS / VERIMAG) Proving and inferring invariants December 13, 2013 16 / 54

  23. Inferring inductive invariants More ambitious: complete automation! The problem: exhibit φ c at all control state c ∈ C so that the φ c are inductive and φ 0 is “true” and φ B is “false” But what is φ c ? An arbitrary first-order formula? David Monniaux (CNRS / VERIMAG) Proving and inferring invariants December 13, 2013 17 / 54

  24. Abstract domains So as to automatize the task: look for φ c in a particular class (or domain ) of properties: e.g. propositional formulas over the Boolean variables conjunctions of linear inequalities over rational/integer variables ( convex polyhedra ) intervals over rational/integer variables David Monniaux (CNRS / VERIMAG) Proving and inferring invariants December 13, 2013 18 / 54

  25. Example of an inductive polyhedron David Monniaux (CNRS / VERIMAG) Proving and inferring invariants December 13, 2013 19 / 54

  26. Abstract interpretation in convex polyhedra j = 0; for ( int i=0; i<100; i++) { j = j+2; } David Monniaux (CNRS / VERIMAG) Proving and inferring invariants December 13, 2013 20 / 54

  27. Abstract interpretation in convex polyhedra j = 0; for ( int i=0; i<100; i++) { j = j+2; } David Monniaux (CNRS / VERIMAG) Proving and inferring invariants December 13, 2013 20 / 54

  28. Abstract interpretation in convex polyhedra j = 0; for ( int i=0; i<100; i++) { j = j+2; } David Monniaux (CNRS / VERIMAG) Proving and inferring invariants December 13, 2013 20 / 54

  29. Abstract interpretation in convex polyhedra j = 0; for ( int i=0; i<100; i++) { j = j+2; } David Monniaux (CNRS / VERIMAG) Proving and inferring invariants December 13, 2013 20 / 54

Recommend

Daikon: Dynamic Analysis for Inferring Likely Invariants Reading: Dynamically Discovering Likely

Daikon: Dynamic Analysis for Inferring Likely Invariants Reading: Dynamically Discovering Likely

Daikon: Dynamic Analysis for Inferring Likely Invariants Reading: Dynamically Discovering Likely Program Invariants to Support Program Evolution 17-654/17-765 Analysis of Software Artifacts Jonathan Aldrich What is an Invariant? A

361 views • 22 slides
GLMC Connecting ACL2 with Hardware Model Checkers Proving Invariants in Hardware Verification

GLMC Connecting ACL2 with Hardware Model Checkers Proving Invariants in Hardware Verification

GLMC Connecting ACL2 with Hardware Model Checkers Proving Invariants in Hardware Verification Inductive invariants are easy to prove Provable by SAT for finite state machines In ACL2, can use GL. Downsides:

596 views • 12 slides
Inferring and Asserting Distributed System Invariants https://bitbucket.org/bestchai/dinv Stewart

Inferring and Asserting Distributed System Invariants https://bitbucket.org/bestchai/dinv Stewart

Inferring and Asserting Distributed System Invariants https://bitbucket.org/bestchai/dinv Stewart Grant , Hendrik Cech , Ivan Beschastnikh University of British Columbia , University of Bamberg 1 Distributed Systems are pervasive

943 views • 59 slides
Proving invariants: how many times a program should be unfolded ? Paul Caspi, Jan Mik

Proving invariants: how many times a program should be unfolded ? Paul Caspi, Jan Mik

Proving invariants: how many times a program should be unfolded ? Paul Caspi, Jan Mik VERIMAG Grenoble Problem definition 1 A closed system state space S initial state I is a predicate on S transition relation T is a predicate on S

161 views • 13 slides
Daikon: Dynamic Analysis for Inferring Likely Invariants Reading:

Daikon: Dynamic Analysis for Inferring Likely Invariants Reading:

Daikon: Dynamic Analysis for Inferring Likely Invariants Reading:

650 views • 17 slides
On Inferring and Characterizing On Inferring and Characterizing Internet Routing Policies

On Inferring and Characterizing On Inferring and Characterizing Internet Routing Policies

On Inferring and Characterizing On Inferring and Characterizing Internet Routing Policies Internet Routing Policies Feng Wang Lixin Gao Department of Electrical and Computer Engineering University of Massachusetts, Amherst MA 01002, USA 1

450 views • 18 slides
Better termination proving through cooperation Marc Brockschmidt 1 Byron Cook 2 , 3 Carsten Fuhs 3

Better termination proving through cooperation Marc Brockschmidt 1 Byron Cook 2 , 3 Carsten Fuhs 3

Better termination proving through cooperation Marc Brockschmidt 1 Byron Cook 2 , 3 Carsten Fuhs 3 1 RWTH Aachen University 2 Microsoft Research Cambridge 3 University College London Deduktionstreffen 2013 Termination Analysis: Invariants and Rank

538 views • 37 slides
Searching for Program Invariants using Genetic Programming and Mutation Testing Sam Ratcliff,

Searching for Program Invariants using Genetic Programming and Mutation Testing Sam Ratcliff,

Searching for Program Invariants using Genetic Programming and Mutation Testing Sam Ratcliff, David R. White and John A. Clark. The 13th CREST Open Workshop Thursday 12 May 2011 Outline Invariants Using GP to find Invariants Identifying

417 views • 38 slides
GENERATING INVARIANTS IN POSITIVE CHARACTERISTIC VISU MAKAM Abstract. The ring of invariants for a

GENERATING INVARIANTS IN POSITIVE CHARACTERISTIC VISU MAKAM Abstract. The ring of invariants for a

GENERATING INVARIANTS IN POSITIVE CHARACTERISTIC VISU MAKAM Abstract. The ring of invariants for a rational representation of a reductive group is finitely generated by the results of Hilbert, Nagata and Haboush. However, the proof is not

482 views • 3 slides
On Theorem Proving for Program Checking Historical perspective and recent developments Maria

On Theorem Proving for Program Checking Historical perspective and recent developments Maria

Outline Introduction Where is theorem proving in program checking Inside theorem proving Big and little engines together: a new theorem proving style Decision procedures with speculative inferences Current and future challenges On Theorem

944 views • 69 slides
Visual theorem proving with the Incredible Proof Machine The idea Theorem Proving without

Visual theorem proving with the Incredible Proof Machine The idea Theorem Proving without

Interactive Theorem Proving, Nancy August 22, 2016 Joachim Breitner Karlsruhe Institute of Technology University of Pennsylvania, Philadelphia Visual theorem proving with the Incredible Proof Machine The idea Theorem Proving without Syntax

579 views • 43 slides
Local invariants of maps between 3-manifolds Victor Goryunov University of Liverpool Conference

Local invariants of maps between 3-manifolds Victor Goryunov University of Liverpool Conference

Introduction Generic critical value sets Integer invariants mod2 invariants Local invariants of maps between 3-manifolds Victor Goryunov University of Liverpool Conference Legacy of Vladimir Arnold Fields Institute, Toronto 25 November

1.37k views • 84 slides
Learning theorem proving through self-play Stanisaw Purga Overview AlphaZero Proving

Learning theorem proving through self-play Stanisaw Purga Overview AlphaZero Proving

Learning theorem proving through self-play Stanisaw Purga Overview AlphaZero Proving game adjusting MCTS for proving game some results 2019-10 1 Neural black box game state S move policy expected outcome R n v

455 views • 45 slides
Loop invariants &lt;precondition: n&gt;0&gt; int i = 0; while (i &lt; n){ i = i+1; We want to

Loop invariants &lt;precondition: n&gt;0&gt; int i = 0; while (i &lt; n){ i = i+1; We want to

4/23/16 Loop invariants as a way of reasoning about the state of your program Loop invariants &lt;precondition: n&gt;0&gt; int i = 0; while (i &lt; n){ i = i+1; We want to prove: } i==n right after the loop &lt;post condition: i==n&gt;

80 views • 7 slides
Cheeger-Gromov L 2 -invariants of 3-manifolds Geunho Lim Indiana University Bloomington

Cheeger-Gromov L 2 -invariants of 3-manifolds Geunho Lim Indiana University Bloomington

Cheeger-Gromov L 2 -invariants of 3-manifolds Geunho Lim Indiana University Bloomington limg@iu.edu L 2 -invariants Topological Definition of L 2 -invariants, (2) (M, ) M is a closed (4k-1)-manifold. : 1 ( M) G is

806 views • 3 slides
4.5: Proving the Correctness of Grammars In this section, we consider techniques for proving the

4.5: Proving the Correctness of Grammars In this section, we consider techniques for proving the

4.5: Proving the Correctness of Grammars In this section, we consider techniques for proving the correctness of grammars, i.e., for proving that grammars generate the languages we want them to. 1 / 21 Definition of Suppose G is a grammar and

324 views • 21 slides
Groundwater Contamination Litigation: Proving Groundwater Contamination Litigation: Proving And

Groundwater Contamination Litigation: Proving Groundwater Contamination Litigation: Proving And

Presenting a live 90 minute webinar with interactive Q&amp;A Groundwater Contamination Litigation: Proving Groundwater Contamination Litigation: Proving And Defending Against Liability for Clean Up Costs Demonstrating Nexus, Causation and

940 views • 62 slides
Data Invariants, Abstraction and Refinement Liam OConnor University of Edinburgh LFCS (and

Data Invariants, Abstraction and Refinement Liam OConnor University of Edinburgh LFCS (and

Data Invariants and ADTs Validation Data Refinement Administrivia Software System Design and Implementation Data Invariants, Abstraction and Refinement Liam OConnor University of Edinburgh LFCS (and UNSW) Term 2 2020 1 Data Invariants

1.07k views • 68 slides
Integrable and chaotic mappings of the plane with polygon invariants. Tim Zolkin 1 Sergei

Integrable and chaotic mappings of the plane with polygon invariants. Tim Zolkin 1 Sergei

1. Definitions, historical remarks and tools we need 2. Periodic integer maps with polygon invariants 3. Maps with polygon invariants Integrable and chaotic mappings of the plane with polygon invariants. Tim Zolkin 1 Sergei Nagaitsev 1 , 2 1

691 views • 65 slides
Characterizing Algebraic Invariants by Differential Radical Invariants Khalil Ghorbal Carnegie

Characterizing Algebraic Invariants by Differential Radical Invariants Khalil Ghorbal Carnegie

Characterizing Algebraic Invariants by Differential Radical Invariants Khalil Ghorbal Carnegie Mellon university Joint work with Andr e Platzer CMACS AVACS November 21st, 2013 K. Ghorbal (CMU) CMACS AVACS 1 CMACS 1 / 31 Introduction

575 views • 33 slides
K-theoretic Gromov-Witten invariants and derived algebraic geometry Marco Robalo (IMJ-PRG, UPMC)

K-theoretic Gromov-Witten invariants and derived algebraic geometry Marco Robalo (IMJ-PRG, UPMC)

K-theoretic Gromov-Witten invariants and derived algebraic geometry Marco Robalo (IMJ-PRG, UPMC) Summary 1 Introduction: GW invariants 2 Brane Actions and Correspondences Introduction - GW-invariants Results in this talk: collaboration with E.

2.05k views • 125 slides
Proving In fi nite Satis fi ability Peter Baumgartner Joshua Bax Goal Theorem Proving in

Proving In fi nite Satis fi ability Peter Baumgartner Joshua Bax Goal Theorem Proving in

Proving In fi nite Satis fi ability Peter Baumgartner Joshua Bax Goal Theorem Proving in Hierarchic Combinations of Speci fi cations Dis Background theory linear integer arithmetic Data structures ? Conjecture list axioms/arrays

443 views • 15 slides
Automated Theorem Proving 1/4: Introduction and Propositional Theorem Proving A.L. Lamprecht

Automated Theorem Proving 1/4: Introduction and Propositional Theorem Proving A.L. Lamprecht

Automated Theorem Proving 1/4: Introduction and Propositional Theorem Proving A.L. Lamprecht Course Program Semantics and Verfication 2020, Utrecht University September 21, 2020 Lecture Notes Automated Reasoning by Gerard A.W. Vreeswijk.

609 views • 40 slides
Automated Theorem Proving 2/4: First-Order Theorem Proving A.L. Lamprecht Course Program

Automated Theorem Proving 2/4: First-Order Theorem Proving A.L. Lamprecht Course Program

Automated Theorem Proving 2/4: First-Order Theorem Proving A.L. Lamprecht Course Program Semantics and Verfication 2020, Utrecht University September 23, 2020 Lecture Notes Automated Reasoning by Gerard A.W. Vreeswijk. Available for

1.03k views • 54 slides

More recommend