Synthesis of Ranking Functions and Synthesis of Inductive Invariants and Synthesis of Recurrence Sets via Constraint Solving Andreas Podelski January 17, 2012 1
Program Verification and Constraints • Reasoning about program computations • Computation is a sequence of program states • Sequences generated by transition relation • Transition relation defined by assume & update statements • Assume & update statements = transition constraints 2
Program Properties • Non-reachability: given state is not reachable • Termination: no infinite computation exists • Linear-time properties (LTL): reduced to reachability and termination (in automata-theoretic approach) 3
Verification = finding auxiliary assertions
• Proving non-reachability = finding inductive invariant
• Proving termination = finding ranking relation (ranking relation defined by ranking function, i.e., an expression over program variables which bounds the number of remaining steps) 4
Running Example main(int x, int y, int z) { assume(y >= z); while (x < y) { x++; } assert(x >= z); } • for constraint solving, treat x, y, and z as rationals 5
CFG and Transition Relations
main(int x, int y, int z) {
  assume(y >= z);          ℓ1 → ℓ2 : ρ1 = ( y ≥ z ∧ x' = x ∧ y' = y ∧ z' = z )
  while (x < y) {          ℓ2 → ℓ2 : ρ2 = ( x + 1 ≤ y ∧ x' = x + 1 ∧ y' = y ∧ z' = z )
    x++;                   ℓ2 → ℓ3 : ρ3 = ( x ≥ y ∧ x' = x ∧ y' = y ∧ z' = z )
  }
  assert(x >= z);          ℓ3 → ℓ4 : ρ4 = ( x ≥ z ∧ x' = x ∧ y' = y ∧ z' = z )
}                          ℓ3 → ℓ5 : ρ5 = ( x + 1 ≤ z ∧ x' = x ∧ y' = y ∧ z' = z )
• control locations: ℓ1 (entry), ℓ2 (loop head), ℓ3 (after the loop), ℓ4 (assertion holds), ℓ5 (assertion violated, the error location); primed variables denote the values after the transition 6
Transition Constraint => Matrix
ρ2 = ( x + 1 ≤ y ∧ x' = x + 1 ∧ y' = y )
   = ( x − y ≤ −1 ∧ −x + x' ≤ 1 ∧ x − x' ≤ −1 ∧ −y + y' ≤ 0 ∧ y − y' ≤ 0 )
$$
\rho_2 \;=\;
\begin{pmatrix}
 1 & -1 &  0 &  0 \\
-1 &  0 &  1 &  0 \\
 1 &  0 & -1 &  0 \\
 0 & -1 &  0 &  1 \\
 0 &  1 &  0 & -1
\end{pmatrix}
\begin{pmatrix} x \\ y \\ x' \\ y' \end{pmatrix}
\;\le\;
\begin{pmatrix} -1 \\ 1 \\ -1 \\ 0 \\ 0 \end{pmatrix}
$$
(each equality is split into two inequalities; z is omitted because ρ2 leaves it unchanged and it does not occur in the loop condition) 7
Ranking Functions
• Ranking function, say f, maps states to the distance until the terminating state
• for the loop while (x < y) { x++; } (transition ρ2 at ℓ2): f(x, y) = (y − x)
• decreases at each step
• bounded from below 8
Ranking Function Constraint ∃∀
• ranking function f(x, y) = f_x x + f_y y
• lower bound δ_0
• decrease amount δ
• constraint for the loop transition ρ2 at ℓ2:
  δ ≥ 1 ∧ ∀x ∀y ∀x' ∀y' : ρ2 → ( f_x x + f_y y ≥ δ_0 ∧ f_x x' + f_y y' ≤ f_x x + f_y y − δ ) 9
Quantifier Alternation ∃∀
∃f_x ∃f_y ∃δ_0 ∃δ ∀x ∀y ∀x' ∀y' : δ ≥ 1 ∧ ρ2 → ( f_x x + f_y y ≥ δ_0 ∧ f_x x' + f_y y' ≤ f_x x + f_y y − δ )
• the unknowns f_x, f_y, δ_0, δ are existential; the universal quantifier over the program variables is eliminated with Farkas' lemma 10
Farkas' Lemma
• implied inequalities are derivable as weighted (≥ 0) sums of the given inequalities
  ( ∃x : Ax ≤ b ) ∧ ( ∀x : Ax ≤ b → cx ≤ δ )   iff   ∃λ : λ ≥ 0 ∧ λA = c ∧ λb ≤ δ
• the satisfiability conjunct ∃x : Ax ≤ b is needed because an infeasible system implies every inequality
• holds over the rationals (hence "treat x, y, z as rationals"): a multiplier λ is a sound certificate for integer variables too, but completeness (every valid implication has a λ) needs rationals 11
Eliminating ∀-Quantifier (1)
$$
\rho_2 \;=\;
\begin{pmatrix}
 1 & -1 &  0 &  0 \\
-1 &  0 &  1 &  0 \\
 1 &  0 & -1 &  0 \\
 0 & -1 &  0 &  1 \\
 0 &  1 &  0 & -1
\end{pmatrix}
\begin{pmatrix} x \\ y \\ x' \\ y' \end{pmatrix}
\le
\begin{pmatrix} -1 \\ 1 \\ -1 \\ 0 \\ 0 \end{pmatrix}
\qquad\text{implies}\qquad
f_x x + f_y y \ge \delta_0
\;=\;
\begin{pmatrix} -f_x & -f_y & 0 & 0 \end{pmatrix}
\begin{pmatrix} x \\ y \\ x' \\ y' \end{pmatrix}
\le -\delta_0
$$
13
Eliminating ∀-Quantifier (2)
∀x ∀y ∀x' ∀y' : ρ2 → f_x x + f_y y ≥ δ_0
iff (by Farkas' lemma)
$$
\exists \lambda :\;
\lambda \ge 0 \;\wedge\;
\lambda
\begin{pmatrix}
 1 & -1 &  0 &  0 \\
-1 &  0 &  1 &  0 \\
 1 &  0 & -1 &  0 \\
 0 & -1 &  0 &  1 \\
 0 &  1 &  0 & -1
\end{pmatrix}
=
\begin{pmatrix} -f_x & -f_y & 0 & 0 \end{pmatrix}
\;\wedge\;
\lambda
\begin{pmatrix} -1 \\ 1 \\ -1 \\ 0 \\ 0 \end{pmatrix}
\le -\delta_0
$$
14
Ranking Function Constraint ∃
• Find a solution for f_x, f_y, δ_0, and δ (the ∀-quantified program variables are gone; both conjuncts of the ranking constraint get their own multiplier vector)
$$
\begin{aligned}
\delta \ge 1 \;\wedge\; \exists \lambda\, \exists \mu :\;
& \lambda \ge 0 \;\wedge\;
\lambda
\begin{pmatrix}
 1 & -1 &  0 &  0 \\
-1 &  0 &  1 &  0 \\
 1 &  0 & -1 &  0 \\
 0 & -1 &  0 &  1 \\
 0 &  1 &  0 & -1
\end{pmatrix}
= \begin{pmatrix} -f_x & -f_y & 0 & 0 \end{pmatrix}
\;\wedge\;
\lambda \begin{pmatrix} -1 \\ 1 \\ -1 \\ 0 \\ 0 \end{pmatrix} \le -\delta_0 \;\wedge \\
& \mu \ge 0 \;\wedge\;
\mu
\begin{pmatrix}
 1 & -1 &  0 &  0 \\
-1 &  0 &  1 &  0 \\
 1 &  0 & -1 &  0 \\
 0 & -1 &  0 &  1 \\
 0 &  1 &  0 & -1
\end{pmatrix}
= \begin{pmatrix} -f_x & -f_y & f_x & f_y \end{pmatrix}
\;\wedge\;
\mu \begin{pmatrix} -1 \\ 1 \\ -1 \\ 0 \\ 0 \end{pmatrix} \le -\delta
\end{aligned}
$$
ranking function f(x, y) = f_x x + f_y y with bound δ_0 and gap δ 15
Ranking Function Constraint Solved
• solution for f_x, f_y, δ_0, and δ (loop while (x < y) { x++; }):
  λ = (1 0 0 0 0)   µ = (0 0 1 1 0)
  f_x = −1   f_y = 1   δ_0 = 1   δ = 1
• check: λ R2 = row 1 = (1 −1 0 0) = (−f_x −f_y 0 0) and λ r2 = −1 ≤ −δ_0;
  µ R2 = row 3 + row 4 = (1 −1 −1 1) = (−f_x −f_y f_x f_y) and µ r2 = −1 ≤ −δ
• Ranking function f(x, y) = (−1·x + 1·y) = y − x 16
Ranking Function Algorithm
• Input: ρ(v, v') = R (v v')ᵀ ≤ r
• Defining constraint
  ∃f ∃δ_0 ∃δ ∀v ∀v' : δ ≥ 1 ∧ ρ(v, v') → ( f v ≥ δ_0 ∧ f v' ≤ f v − δ )
• Linear constraint to solve (after Farkas' lemma; f, δ_0, δ, λ, µ are the unknowns)
  ∃f ∃δ_0 ∃δ ∃λ ∃µ : δ ≥ 1 ∧ λ ≥ 0 ∧ λ R = (−f 0) ∧ λ r ≤ −δ_0 ∧ µ ≥ 0 ∧ µ R = (−f f) ∧ µ r ≤ −δ 17
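The linear constraint above carried out in code, as an added example that is not part of the slides. It encodes ρ2 for the running example exactly as on the "Transition Constraint => Matrix" slide and searches for f, δ_0, δ together with Farkas multipliers λ, µ. The slides hand the constraint to an LP solver; to stay dependency-free this script enumerates λ and µ over a small integer box instead (an assumption of this example, sufficient here because the expected certificate uses only 0/1 multipliers). The helper names are mine.

```python
"""Ranking-function synthesis for  while (x < y) { x++; }  via Farkas' lemma.

rho2 over (x, y, x', y') is encoded as R * (x, y, x', y')^T <= r, with every
equality split into two inequalities.  The unknowns are f = (f_x, f_y), delta0,
delta and the multiplier vectors lam, mu of the 'Ranking Function Algorithm' slide.
"""
from itertools import product

# rho2 = (x + 1 <= y  /\  x' = x + 1  /\  y' = y); rows are over (x, y, x', y').
R = [
    [ 1, -1,  0,  0],   # x - y    <= -1
    [-1,  0,  1,  0],   # -x + x'  <=  1
    [ 1,  0, -1,  0],   # x - x'   <= -1
    [ 0, -1,  0,  1],   # -y + y'  <=  0
    [ 0,  1,  0, -1],   # y - y'   <=  0
]
r = [-1, 1, -1, 0, 0]
N = 2   # number of unprimed program variables


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def row_combination(lam, R):
    """lam * R: coefficient vector of the lam-weighted sum of the rows of R."""
    return [dot(lam, [row[j] for row in R]) for j in range(len(R[0]))]


def farkas_implies(R, r, lam, c, bound):
    """Farkas certificate check: lam >= 0, lam*R == c and lam*r <= bound
    prove  R v <= r  ->  c v <= bound  (R v <= r is satisfiable here)."""
    return (all(l >= 0 for l in lam)
            and row_combination(lam, R) == list(c)
            and dot(lam, r) <= bound)


def synthesize_ranking(R, r, n, box=range(3)):
    """Return (f, delta0, delta, lam, mu) satisfying the linear constraint of the
    'Ranking Function Algorithm' slide, or None.  Bounded enumeration stands in
    for the LP solver (assumption of this example)."""
    m = len(R)
    for lam in product(box, repeat=m):
        # lam * R = (-f, 0): zero on the primed columns, -f on the unprimed ones
        comb = row_combination(lam, R)
        if any(comb[n:]):
            continue
        f = [-c for c in comb[:n]]
        if not any(f):
            continue                      # f = 0 is never a ranking function
        delta0 = -dot(lam, r)             # tightest delta0 with lam * r <= -delta0
        target = [-c for c in f] + f      # mu * R = (-f, f) encodes f v' <= f v - delta
        for mu in product(box, repeat=m):
            if row_combination(mu, R) != target:
                continue
            delta = -dot(mu, r)           # tightest delta with mu * r <= -delta
            if delta >= 1:
                assert farkas_implies(R, r, lam, [-c for c in f] + [0] * n, -delta0)
                assert farkas_implies(R, r, mu, target, -delta)
                return f, delta0, delta, list(lam), list(mu)
    return None


def check_on_run(f, delta0, delta, x, y):
    """Sanity check on one concrete execution: f stays >= delta0 while the loop
    runs and drops by at least delta per iteration.  Returns the iteration count."""
    steps = 0
    while x < y:
        before = f[0] * x + f[1] * y
        assert before >= delta0
        x += 1                            # loop body
        after = f[0] * x + f[1] * y
        assert after <= before - delta
        steps += 1
    return steps


if __name__ == "__main__":
    sol = synthesize_ranking(R, r, N)
    print("f, delta0, delta, lambda, mu =", sol)   # expected: [-1, 1], 1, 1, [1,0,0,0,0], [0,0,1,1,0]
    print("iterations from (x, y) = (0, 5):", check_on_run(sol[0], sol[1], sol[2], 0, 5))
```

The search returns f = (−1, 1), δ_0 = δ = 1 with λ = (1 0 0 0 0) and µ = (0 0 1 1 0), i.e. the solution on the "Ranking Function Constraint Solved" slide; the two `farkas_implies` assertions are the certificate checks a practitioner would keep even when the multipliers come from a real LP solver, since they are cheap and independent of the solver.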
Invariants
• Invariant for each control location:
  ℓ1: (0 ≤ 0)   ℓ2: (z ≤ y)   ℓ3: (z ≤ x)   ℓ4: (0 ≤ 0)   ℓ5: (1 ≤ 0)
  (edges: ρ1 ℓ1→ℓ2 with y ≥ z ...; ρ2 ℓ2→ℓ2 with x + 1 ≤ y ∧ x' = x + 1 ...; ρ3 ℓ2→ℓ3 with x ≥ y ...; ρ4 ℓ3→ℓ4 with x ≥ z ...; ρ5 ℓ3→ℓ5 with x + 1 ≤ z ...)
• Inductiveness at ℓ2 (self-loop ρ2):
  (z ≤ y) ∧ (x + 1 ≤ y ∧ x' = x + 1 ∧ y' = y ∧ z' = z) ⇒ (z' ≤ y')
• the invariant 1 ≤ 0 (false) at the error location ℓ5 is what proves the assertion 18
Invariant Constraint ∃∀
• Find invariant at ℓ2 of the form p_x x + p_y y + p_z z ≤ p_0 and invariant at ℓ3 of the form q_x x + q_y y + q_z z ≤ q_0
• inductiveness of the invariant at ℓ3 entails non-reachability of ℓ5 (the invariant at ℓ5 is 0 ≤ −1, i.e. false)
∃p_x ∃p_y ∃p_z ∃p_0 ∃q_x ∃q_y ∃q_z ∃q_0 ∀x ∀y ∀z ∀x' ∀y' ∀z' :
  ( ρ1 → p_x x' + p_y y' + p_z z' ≤ p_0 ) ∧
  ( ( p_x x + p_y y + p_z z ≤ p_0 ∧ ρ2 ) → p_x x' + p_y y' + p_z z' ≤ p_0 ) ∧
  ( ( p_x x + p_y y + p_z z ≤ p_0 ∧ ρ3 ) → q_x x' + q_y y' + q_z z' ≤ q_0 ) ∧
  ( ( q_x x + q_y y + q_z z ≤ q_0 ∧ ρ4 ) → 0 ≤ 0 ) ∧
  ( ( q_x x + q_y y + q_z z ≤ q_0 ∧ ρ5 ) → 0 ≤ −1 )
(the invariant at ℓ1 is 0 ≤ 0, so the first conjunct has only ρ1 as premise) 20
Quantifier Alternation ∃∀
• use matrix form: v = (x y z)ᵀ,  ρ1 = R1 (v v')ᵀ ≤ r1, ..., ρ5 = R5 (v v')ᵀ ≤ r5
• eliminate ∀ by applying Farkas' lemma to each of the five implications 21
Invariant Constraint ∃
• Find invariant at ℓ2 of the form p_x x + p_y y + p_z z ≤ p_0 and invariant at ℓ3 of the form q_x x + q_y y + q_z z ≤ q_0
• for each implication the premise (the invariant at the source location, with zero coefficients on v') is stacked on top of R_i as an extra row, and its bound on top of r_i:
$$
\begin{aligned}
\exists p_x\,\exists p_y\,\exists p_z\,\exists p_0\,\exists q_x\,\exists q_y\,\exists q_z\,\exists q_0\;
\exists \lambda_1 \ldots \exists \lambda_5 :\;
& \lambda_1 \ge 0 \;\wedge\; \lambda_1 R_1 = (0\;\; p_x\; p_y\; p_z) \;\wedge\; \lambda_1 r_1 \le p_0 \;\wedge \\
& \lambda_2 \ge 0 \;\wedge\; \lambda_2 \begin{pmatrix} p_x\; p_y\; p_z\; 0 \\ R_2 \end{pmatrix} = (0\;\; p_x\; p_y\; p_z) \;\wedge\; \lambda_2 \begin{pmatrix} p_0 \\ r_2 \end{pmatrix} \le p_0 \;\wedge \\
& \lambda_3 \ge 0 \;\wedge\; \lambda_3 \begin{pmatrix} p_x\; p_y\; p_z\; 0 \\ R_3 \end{pmatrix} = (0\;\; q_x\; q_y\; q_z) \;\wedge\; \lambda_3 \begin{pmatrix} p_0 \\ r_3 \end{pmatrix} \le q_0 \;\wedge \\
& \lambda_4 \ge 0 \;\wedge\; \lambda_4 \begin{pmatrix} q_x\; q_y\; q_z\; 0 \\ R_4 \end{pmatrix} = 0 \;\wedge\; \lambda_4 \begin{pmatrix} q_0 \\ r_4 \end{pmatrix} \le 0 \;\wedge \\
& \lambda_5 \ge 0 \;\wedge\; \lambda_5 \begin{pmatrix} q_x\; q_y\; q_z\; 0 \\ R_5 \end{pmatrix} = 0 \;\wedge\; \lambda_5 \begin{pmatrix} q_0 \\ r_5 \end{pmatrix} \le -1
\end{aligned}
$$
(0 stands for the zero vector of the appropriate length)
• note: the premise row contains unknowns, so λ_i multiplies p or q; the constraint has products of unknowns (λ_i·p_x, λ_i·q_0, ...) and, unlike the ranking-function case, is not a linear program but a bilinear one 22
Invariant Constraint Solved
• Find ℓ2: p_x x + p_y y + p_z z ≤ p_0 and ℓ3: q_x x + q_y y + q_z z ≤ q_0
  λ1 = (1 1 1 1)        p_x = 0    p_y = −1   p_z = 1   p_0 = 0
  λ2 = (1 0 1 1 1)
  λ3 = (1 1 1 1 1)      q_x = −1   q_y = 0    q_z = 1   q_0 = 0
  λ4 = (0 0 0 0 0)
  λ5 = (1 1 0 0 0)
• Invariant at ℓ2: 0·x + (−1)·y + 1·z ≤ 0 and at ℓ3: (−1)·x + 0·y + 1·z ≤ 0
  ℓ2: z ≤ y and ℓ3: z ≤ x 23
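As an added worked check that is not on the slides, the Farkas certificates behind this solution written out as weighted sums, with every equality of ρ_i split into two ≤ rows. Under that row encoding the multipliers below are this check's own (every listed row gets weight 1, all other rows weight 0), so they are laid out differently from the λ_i vectors on the slide; the conclusions are the same. Each line adds the premise (the invariant at the source location, absent for ℓ1 where it is 0 ≤ 0) to the selected rows of ρ_i and reads off the required conclusion, with the right-hand sides summing to the required bound:

$$
\begin{aligned}
\ell_1 \xrightarrow{\rho_1} \ell_2:\quad & (-y + z \le 0) + (y - y' \le 0) + (-z + z' \le 0) \;\Rightarrow\; -y' + z' \le 0 \quad(\text{i.e. } z' \le y'),\\
\ell_2 \xrightarrow{\rho_2} \ell_2:\quad & \underbrace{(-y + z \le 0)}_{\text{premise } z \le y} + (y - y' \le 0) + (-z + z' \le 0) \;\Rightarrow\; -y' + z' \le 0,\\
\ell_2 \xrightarrow{\rho_3} \ell_3:\quad & \underbrace{(-y + z \le 0)}_{\text{premise } z \le y} + (-x + y \le 0) + (x - x' \le 0) + (-z + z' \le 0) \;\Rightarrow\; -x' + z' \le 0 \quad(\text{i.e. } z' \le x'),\\
\ell_3 \xrightarrow{\rho_5} \ell_5:\quad & \underbrace{(-x + z \le 0)}_{\text{premise } z \le x} + (x - z \le -1) \;\Rightarrow\; 0 \le -1 .
\end{aligned}
$$

The last line is the non-reachability proof: from z ≤ x and the guard x + 1 ≤ z of ρ5 the weighted sum derives the contradiction 0 ≤ −1, so no state at ℓ3 satisfying the invariant can take ρ5. The ℓ3 → ℓ4 conjunct needs no certificate (its conclusion 0 ≤ 0 holds with all multipliers zero, matching λ4 = 0 on the slide).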
Proving Non-Termination
main(int x, int y, int z) {
  assume(y >= z);          ℓ1 → ℓ2 : ρ1
  while (x < y) {          ℓ2 → ℓ2 : ρ2 (loop body)
    x = x + 1 + z;
  }                        ℓ2 → ℓ3 : ρ3 (loop exit)
}
• Non-terminating execution (x, y, z) = (−1, 0, −1), (−1, 0, −1), ...
• Recurrence set S is reachable and can always reach itself
• Example recurrence set S = (x + 1 ≤ y ∧ z ≤ −1) 24
Recurrence Set Constraint ∃∀∃
• Recurrence set Sv ≤ s is reachable (via ρ1 from ℓ1) and can always reach itself (via ρ2, the loop at ℓ2)
• Let v = (x y z)ᵀ
• Find (Sv ≤ s) = ( p_x x + p_y y + p_z z ≤ p_0 ∧ q_x x + q_y y + q_z z ≤ q_0 )
  ∃S ∃s : ( ∃v ∃v' : ρ1(v, v') ∧ S v' ≤ s ) ∧ ( ∀v ∃v' : S v ≤ s → ( ρ2(v, v') ∧ S v' ≤ s ) ) 25
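The two halves of the recurrence-set constraint (reachability through ρ1, closure under ρ2) as an added Python example that is not part of the slides. Because the loop body x = x + 1 + z is deterministic, the ∃v' inside the closure condition is simply the computed successor, so closure reduces to: every state in S satisfies the loop guard and its successor is again in S. The script checks this on a bounded integer box of states (an assumption of this example: a sanity check, not the Farkas-style proof the constraint calls for) and contrasts the slide's S with the naive candidate "loop guard alone", which is not closed; the function names are mine.

```python
"""Recurrence-set check for  while (x < y) { x = x + 1 + z; }  ('Proving Non-Termination').

A recurrence set S must be (1) reachable: some initial state passes assume(y >= z)
and lies in S, and (2) closed: every state of S satisfies the guard and its successor
under the loop body is again in S.  Closure is tested on a bounded integer box.
"""
from itertools import product


def rho1(x, y, z):
    """assume(y >= z): entry transition, state unchanged."""
    return y >= z


def guard(x, y, z):
    """rho2 is enabled only when x < y (x + 1 <= y over the integers)."""
    return x < y


def body(x, y, z):
    """Deterministic successor under the loop body x = x + 1 + z."""
    return (x + 1 + z, y, z)


def S_slide(x, y, z):
    """The slide's recurrence set S = (x + 1 <= y  /\  z <= -1)."""
    return x + 1 <= y and z <= -1


def S_naive(x, y, z):
    """Wrong candidate: the loop guard alone.  Not closed, because z >= 0 lets x grow."""
    return x + 1 <= y


def find_entry(S, box=range(-3, 4)):
    """(1) Reachability: an initial state that passes assume(y >= z) and lies in S,
    or None if the box contains none.  Constructed search box, not from the slides."""
    for v in product(box, repeat=3):
        if rho1(*v) and S(*v):
            return v
    return None


def closure_counterexample(S, box=range(-3, 4)):
    """(2) Closure: a state of S (inside the box) that violates the guard or whose
    successor leaves S; None if no such state exists in the box."""
    for v in product(box, repeat=3):
        if not S(*v):
            continue
        if not guard(*v) or not S(*body(*v)):
            return v
    return None


def run(v, steps):
    """Execute up to `steps` loop iterations from v, stopping if the loop exits.
    Returns the list of visited states (length steps + 1 when the loop never exits)."""
    trace = [v]
    for _ in range(steps):
        if not guard(*v):
            break
        v = body(*v)
        trace.append(v)
    return trace


if __name__ == "__main__":
    print("entry state in S:", find_entry(S_slide))
    print("closure counterexample for S:", closure_counterexample(S_slide))       # None
    print("closure counterexample for guard alone:", closure_counterexample(S_naive))
    print("trace from (-1, 0, -1):", run((-1, 0, -1), 5))
```

The naive candidate fails on a state such as (x, y, z) = (−3, −2, 0): it satisfies x + 1 ≤ y, but the body moves it to (−2, −2, 0), which no longer does. The conjunct z ≤ −1 in the slide's S is exactly what rules this out, since then x' = x + 1 + z ≤ x keeps x + 1 ≤ y invariant. A bounded check like this is useful for debugging a candidate before solving the ∃∀∃ constraint, but only the certificate (or a decision procedure over the rationals) proves closure for all states.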