Symbolic Computation and Theorem Proving in Program Analysis Laura - PowerPoint PPT Presentation

Symbolic Computation and Theorem Proving in Program Analysis Laura Kov´ acs Chalmers

Specification Program Loop Assertions Verification Conditions Proving Proving

Specification Program Loop Assertions Theorem Proving Computer Algebra Verification Conditions Proving Proving

Assertion Synthesis — Example: Array Partition Program Loop Assertions Polynomial Equalities and Inequalities, Quantified FO properties a = b + c a := 0 ; b := 0 ; c := 0 ; while ( a < N ) do a ≥ 0 ∧ b ≥ 0 ∧ c ≥ 0 if A [ a ] ≥ 0 a ≤ N ∨ N ≤ 0 then B [ b ] := A [ a ]; b := b + 1 else C [ c ] := A [ a ]; c := c + 1 ; a := a + 1 ; ( ∀ p )( p ≥ b → B [ p ] = B 0 [ p ]) end do ( ∀ p )( 0 ≤ p < b → B [ p ] ≥ 0 ∧ ( ∃ i )( 0 ≤ i < a ∧ A [ a ] = B [ p ]))

Assertion Synthesis — Example: Array Partition Program Loop Assertions Polynomial Equalities and Inequalities, Quantified FO properties a = b + c a := 0 ; b := 0 ; c := 0 ; while ( a < N ) do a ≥ 0 ∧ b ≥ 0 ∧ c ≥ 0 if A [ a ] ≥ 0 a ≤ N ∨ N ≤ 0 then B [ b ] := A [ a ]; b := b + 1 else C [ c ] := A [ a ]; c := c + 1 ; a := a + 1 ; ( ∀ p )( p ≥ b → B [ p ] = B 0 [ p ]) end do ( ∀ p )( 0 ≤ p < b → B [ p ] ≥ 0 ∧ ( ∃ i )( 0 ≤ i < a ∧ A [ a ] = B [ p ]))

Our Approach Loop Assertions

Our Approach Extend language with extra symbols: Loop Loop Properties Assertions loop cnt, array update predicates

Our Approach: S YMBOL E LIMINATION Extend language with extra symbols: Eliminate symbols Loop Loop Properties Assertions loop cnt, array update predicates

Our Approach: S YMBOL E LIMINATION Gr¨ obner Basis Recurrence Solving Extend language with extra symbols: Eliminate symbols Loop Loop Properties Assertions loop cnt, array update predicates Monotonicity Properties of Scalars Array Update Properties Consequence Finding

Outline Part 1: Weakest Precondition for Program Analysis and Verification Part 2: Polynomial Invariant Generation (TACAS’08, LPAR’10) Part 3: Quantified Invariant Generation (FASE’09, MICAI’11) Part 4: Invariants, Interpolants and Symbol Elimination (CADE’09, POPL ’12, APLAS’12)

Part 3: Quantified Invariant Generation Symbol Elimination by First-Order Theorem Proving Quantified Invariant Example Quantified Invariant Generation by Symbol Elimination Symbol Elimination in the Vampire First-Order Theorem Prover Conclusions

Outline Quantified Invariant Example Quantified Invariant Generation by Symbol Elimination Symbol Elimination in the Vampire First-Order Theorem Prover Conclusions

Example: Array Partition partition.c A : -1 -3 -1 -5 -8 -0 -2 a := 0; b := 0; c := 0; a = 0 while ( a ≤ k ) do if A [ a ] ≥ 0 B : - * - * - * - * - * - * - * then B [ b ] := A [ a ] ; b := b + 1; b = 0 else C [ c ] := A [ a ] ; c := c + 1; a := a + 1; C : - * - * - * - * - * - * - * end do c = 0

Example: Array Partition partition.c A : -1 -3 -1 -5 -8 -0 -2 a := 0; b := 0; c := 0; a = 7 while ( a ≤ k ) do if A [ a ] ≥ 0 B : -1 -3 -8 -0 - * - * - * then B [ b ] := A [ a ] ; b := b + 1; b = 4 else C [ c ] := A [ a ] ; c := c + 1; a := a + 1; C : -1 -5 -2 - * - * - * - * end do c = 3

Example: Array Partition partition.c A : -1 -3 -1 -5 -8 -0 -2 a := 0; b := 0; c := 0; a = 7 while ( a ≤ k ) do if A [ a ] ≥ 0 B : -1 -3 -8 -0 - * - * - * then B [ b ] := A [ a ] ; b := b + 1; b = 4 else C [ c ] := A [ a ] ; c := c + 1; a := a + 1; C : -1 -5 -2 - * - * - * - * end do c = 3 Invariants with ∀ ∃ ◮ Each of B [ 0 ] , . . . , B [ b − 1 ] is non-negative and equal to one of A [ 0 ] , . . . , A [ a − 1 ] . ( ∀ p )( 0 ≤ p < b → B [ p ] ≥ 0 ∧ ( ∃ i )( 0 ≤ i < a ∧ A [ i ] = B [ p ]))

Example: Array Partition partition.c A : -1 -3 -1 -5 -8 -0 -2 a := 0; b := 0; c := 0; a = 7 while ( a ≤ k ) do if A [ a ] ≥ 0 B : -1 -3 -8 -0 - * - * - * then B [ b ] := A [ a ] ; b := b + 1; b = 4 else C [ c ] := A [ a ] ; c := c + 1; a := a + 1; C : -1 -5 -2 - * - * - * - * end do c = 3 Invariants with ∀ ∃ ◮ Each of B [ 0 ] , . . . , B [ b − 1 ] is non-negative and equal to one of A [ 0 ] , . . . , A [ a − 1 ] . ( ∀ p )( 0 ≤ p < b → B [ p ] ≥ 0 ∧ ( ∃ i )( 0 ≤ i < a ∧ A [ i ] = B [ p ]))

Example: Array Partition partition.c A : -1 -3 -1 -5 -8 -0 -2 a := 0; b := 0; c := 0; a = 7 while ( a ≤ k ) do if A [ a ] ≥ 0 B : -1 -3 -8 -0 - * - * - * then B [ b ] := A [ a ] ; b := b + 1; b = 4 else C [ c ] := A [ a ] ; c := c + 1; a := a + 1; C : -1 -5 -2 - * - * - * - * end do c = 3 Invariants with ∀ ∃ ◮ Each of B [ 0 ] , . . . , B [ b − 1 ] is non-negative and equal to one of A [ 0 ] , . . . , A [ a − 1 ] . ◮ Each of C [ 0 ] , . . . , C [ c − 1 ] is negative and equal to one of A [ 0 ] , . . . , A [ a − 1 ] . Invariants with ∀ ◮ For every p ≥ b , the value of B [ p ] is equal to its initial value. ◮ For every p ≥ c , the value of C [ p ] is equal to its initial value.

Example: Array Partition - Some Experiments a := 0; b := 0; c := 0; while ( a ≤ k ) do if A [ a ] ≥ 0 then B [ b ] := A [ a ] ; b := b + 1; else C [ c ] := A [ a ] ; c := c + 1; a := a + 1; end do 1. B doesn’t change at positions after final value of b (1 s ): ∀ p ( p ≥ b → B [ p ] = B 0 [ p ]) 2. Each B [ 0 ] , . . . , B [ b − 1 ] is a positive value in { A [ 0 ] , . . . , A [ a − 1 ] } (1 s ): ∀ p ( b > p ∧ p ≥ 0 → B [ p ] ≥ 0 ∧ ∃ k ( a > k ∧ k ≥ 0 ∧ A [ k ] = B [ p ])

Outline Quantified Invariant Example Quantified Invariant Generation by Symbol Elimination Symbol Elimination in the Vampire First-Order Theorem Prover Conclusions

Overview of the Method ◮ Given loop L ; ◮ Extend L to L ′ ; ◮ Extract a set P of loop properties in L ′ ; ◮ Generate loop property p in L s.t. P → p .

Overview of the Method ◮ Given loop L ; ◮ Extend L to L ′ ; ◮ Extract a set P of loop properties in L ′ ; ◮ Generate loop property p in L s.t. P → p .

Overview of the Method ◮ Given loop L ; ◮ Extend L to L ′ ; ◮ Extract a set P of loop properties in L ′ ; ◮ Generate loop property p in L s.t. P → p . ← Symbol elimination!

a := 0; b := 0; c := 0; while ( a ≤ k ) do if A [ a ] ≥ 0 Invariant Generation - The Method then B [ b ] := A [ a ] ; b := b + 1; else C [ c ] := A [ a ] ; c := c + 1; a := a + 1; 1. Extend the language L to L ′ : end do ( ∀ i )( i ∈ iter ⇔ 0 ≤ i ∧ i < n ) ◮ variables as functions of n : v ( i ) with 0 ≤ i < n upd B ( i , p ) ⇔ i ∈ iter ∧ p = b ( i ) ∧ A [ a ( i ) ] ≥ 0 ◮ predicates as loop properties: upd B ( i , p , x ) ⇔ upd B ( i , p ) ∧ x = A [ a ( i ) ] iter , upd V ( i , p ) , upd V ( i , p , x ) a = b + c , a ≥ 0 , b ≥ 0 , c ≥ 0 ( ∀ i ∈ iter )( a ( i + 1 ) > a ( i ) ) ( ∀ i ∈ iter )( b ( i + 1 ) = b ( i ) ∨ b ( i + 1 ) = b ( i ) + 1 ) ( ∀ i ∈ iter )( a ( i ) = a ( 0 ) + i ) ( ∀ j , k ∈ iter )( k ≥ j → b ( k ) ≥ b ( j ) ) ( ∀ j , k ∈ iter )( k ≥ j → b ( j ) + k ≥ b ( k ) + j ) ( ∀ p )( b ( 0 ) ≤ p < b ( n ) → ( ∃ i ∈ iter )( b ( i ) = p ∧ A [ a ( i ) ] ≥ 0 )) ( ∀ i ) ¬ upd B ( i , p ) → B ( n ) [ p ] = B ( 0 ) [ p ] upd B ( i , p , x ) ∧ ( ∀ j > i ) ¬ upd B ( j , p ) → B ( n ) [ p ]= x ( ∀ i ∈ iter )( A [ a ( i ) ] ≥ 0 → B ( i + 1 ) [ b ( i ) ] = A [ a ( i ) ] ∧ b ( i + 1 ) = b ( i ) + 1 ∧ c ( i + 1 ) = c ( i ) )

a := 0; b := 0; c := 0; while ( a ≤ k ) do if A [ a ] ≥ 0 Invariant Generation - The Method then B [ b ] := A [ a ] ; b := b + 1; else C [ c ] := A [ a ] ; c := c + 1; a := a + 1; 1. Extend the language L to L ′ : end do ( ∀ i )( i ∈ iter ⇔ 0 ≤ i ∧ i < n ) ◮ variables as functions of n : v ( i ) with 0 ≤ i < n upd B ( i , p ) ⇔ i ∈ iter ∧ p = b ( i ) ∧ A [ a ( i ) ] ≥ 0 ◮ predicates as loop properties: upd B ( i , p , x ) ⇔ upd B ( i , p ) ∧ x = A [ a ( i ) ] iter , upd V ( i , p ) , upd V ( i , p , x ) a = b + c , a ≥ 0 , b ≥ 0 , c ≥ 0 - upd V ( i , p ) : at iteration i , V is updated at position p ; ( ∀ i ∈ iter )( a ( i + 1 ) > a ( i ) ) ( ∀ i ∈ iter )( b ( i + 1 ) = b ( i ) ∨ b ( i + 1 ) = b ( i ) + 1 ) - upd V ( i , p , x ) : at iteration i , V is updated at position p by value x . ( ∀ i ∈ iter )( a ( i ) = a ( 0 ) + i ) ( ∀ j , k ∈ iter )( k ≥ j → b ( k ) ≥ b ( j ) ) ( ∀ j , k ∈ iter )( k ≥ j → b ( j ) + k ≥ b ( k ) + j ) ( ∀ p )( b ( 0 ) ≤ p < b ( n ) → ( ∃ i ∈ iter )( b ( i ) = p ∧ A [ a ( i ) ] ≥ 0 )) ( ∀ i ) ¬ upd B ( i , p ) → B ( n ) [ p ] = B ( 0 ) [ p ] upd B ( i , p , x ) ∧ ( ∀ j > i ) ¬ upd B ( j , p ) → B ( n ) [ p ]= x ( ∀ i ∈ iter )( A [ a ( i ) ] ≥ 0 → B ( i + 1 ) [ b ( i ) ] = A [ a ( i ) ] ∧ b ( i + 1 ) = b ( i ) + 1 ∧ c ( i + 1 ) = c ( i ) )