Transcript Program Verification using Templates over Predicate Abstraction Saurabh Srivastava University of Maryland, College Park Sumit Gulwani Microsoft Research, Redmond.

Program Verification using Templates
over Predicate Abstraction
Saurabh Srivastava
University of Maryland, College Park
Sumit Gulwani
Microsoft Research, Redmond
What the technique will let you do!
A. Infer invariants with
arbitrary quantification and
boolean structure
∀ : E.g. Sortedness
: E.g. Permutation
∀∃
B. Infer weakest preconditions
Weakest
conditions
on input:

k1
k2
<
Selection Sort:
for i = 0..n
{
for j = i..n
{
find min index
}
if (min != i)
swap A[i] with A[min]
}

∀k1,k2
k1
k2
..

Worst case behavior:
swap every time it can
.... j
k
∀k∃j
Aold
Anew
Improves the state-of-art
• Can infer very expressive invariants
• Quantification
– E.g. ∀k∃j : (k<n) => (A[k]=B[j] ∧ j<n)
• Disjunction
– E.g. ∀k : (k<0 ∨ k>n ∨ A[k]=0)
– Previous techniques are too specialized to particular
types of quantification or to quantifier-free disjunction
• Can infer weakest preconditions
• Good for debugging: can discover worst case inputs
• Good for analysis: can infer missing precondition facts
– No satisfactory solutions known
Key facilitators
• Templates
k : ()  ()
k1k 2 : ()  ()
Unknown holes
– Task of inferring conjunctive facts for the holes remains
• Predicate Abstraction

– Allows us to efficiently compute solutions for the holes
 Program variables,
array elements
x opr (y opa c)
Relational operator
<, ≤, >, ≥ …
– E.g., {i<j, i>j, i≤j, i≥j, i<j-1, i>j+1… }

Limited
constants
Arithmetic operator
+, - …
Outline
• Three fixed-point inference algorithms
– Iterative fixed-point
(GFP)
• Greatest Fixed-Point (GFP)
• Least Fixed-Point (LFP)
– Constraint-based (CFP)
(CFP)
(LFP)
• Optimal Solutions
– Built over a clean theorem proving interface
• Weakest Precondition Generation
• Experimental evaluation
Outline
• Three fixed-point inference algorithms
– Iterative fixed-point
(GFP)
• Greatest Fixed-Point (GFP)
• Least Fixed-Point (LFP)
– Constraint-based (CFP)
(CFP)
(LFP)
Analysis Setup
E.g. Selection Sort:
pre
vc(pre,I1)
I1
vc(I1,post)
true
I1 ∧ i<n ∧ j=i => I2
I2
post
vc(I2,I2)
vc(I2,I1)
Loop headers (with invariants) split program
into simple paths. Simple paths induce
program constraints (verification conditions)
i:=0
I1
i<n
j:=i
vc(I1,I2)
I2
Sorted
array
true ∧ i=0 => I1
if (min != i)
swap A[i], A[min]
Find min
index
j<n
I1 ∧ i≥n => sorted array
Analysis Setup
pre
true ∧ i=0 => I1
vc(pre,I1)
I1
vc(I1,post)
I1 ∧ i<n ∧ j=i => I2
vc(I1,I2)
I2
post
Simple FOL
formulae over I1, I2!
We will exploit this.
vc(I2,I2)
vc(I2,I1)
Loop headers (with invariants) split program
into simple paths. Simple paths induce
program constraints (verification conditions)
I1 ∧ i≥n =>
∀k1,k2 : 0≤k1<k2<n => A[k1] ≤A[k2]
Iterative Fixed-point: Overview
Values for
invariants
pre
vc(pre,I1)
I1
vc(I1,post)
✓
post
vc(I1,I2)
I2
Candidate
Solution
<x,y>  { vc(pre,I1),vc(I1,I2) }
✗
VCs that are
not satisfied
✗
vc(I2,I2)
✓ vc(I2,I1)
✓
Iterative Fixed-point: Overview
pre
Improve
candidate
Candidate
satisfies all VCs
vc(pre,I1)
I1
vc(I1,post)
Set of
candidates
vc(I1,I2)
I2
post
vc(I2,I2)
vc(I2,I1)
<x,y>  { … }
Improve candidate
– Pick unsat VC
– Use theorem prover to
compute optimal change
– Results in new candidates
Computable because:
– Templates make ∨ explicit
– Predicate abstraction restricts
search to finite space
Backwards Iterative (GFP)
Candidate Sols <I1,I2>
 Unsat constraints
pre
✓
<⊤, ⊤>  { vc(I1,post) }
⊤
✗
✓
✓
⊤
✓
post
Backward:
• Always pick the source invariant
of unsat constraint to improve
• Start with <⊤, …,⊤>
Backwards Iterative (GFP)
Candidate Sols <I1,I2>
 Unsat constraints
pre
✓
✓
<⊤, ⊤>  { vc(I1,post) }
a1
<a1, ⊤>  { vc(I2,I1) }
✗
✓
⊤
✓
post
Backward:
• Always pick the source invariant
of unsat constraint to improve
• Start with <⊤, …,⊤>
Optimally
strengthen so
vc(pre,I1) ok
unless no soln
Backwards Iterative (GFP)
Candidate Sols <I1,I2>
 Unsat constraints
pre
✓
✓
<⊤, ⊤>  { vc(I1,post) }
a1
<a1, ⊤>  { vc(I2,I1) }
✗
✓
b2
<a1,b1>  { vc(I2,I2) }
<a1,b2>  { vc(I2,I2),vc(I1,I2) }
✗
post
Backward:
• Always pick the source invariant
of unsat constraint to improve
• Start with <⊤, …,⊤>
Optimally
strengthen so
vc(pre,I1) ok
unless no soln
Multiple
orthogonal
optimal sols
Backwards Iterative (GFP)
Candidate Sols <I1,I2>
 Unsat constraints
pre
✓
✓
<⊤, ⊤>  { vc(I1,post) }
a1
<a1, ⊤>  { vc(I2,I1) }
✓
✗
b’2
<a1,b1>  { vc(I2,I2) }
<a1,b2>  { vc(I2,I2),vc(I1,I2) }
✓
post
Backward:
• Always pick the source invariant
of unsat constraint to improve
• Start with <⊤, …,⊤>
<a1,b1>  { vc(I2,I2) }
<a1,b’2>  { vc(I1,I2) }
Optimally
strengthen so
vc(pre,I1) ok
unless no soln
Multiple
orthogonal
optimal sols
Backwards Iterative (GFP)
Candidate Sols <I1,I2>
 Unsat constraints
pre
✓
✓
<⊤, ⊤>  { vc(I1,post) }
a’1
<a1, ⊤>  { vc(I2,I1) }
✓
✓
b’2
<a1,b1>  { vc(I2,I2) }
<a1,b2>  { vc(I2,I2),vc(I1,I2) }
✓
post
Backward:
• Always pick the source invariant
of unsat constraint to improve
• Start with <⊤, …,⊤>
Optimally
strengthen so
vc(pre,I1) ok
unless no soln
Multiple
orthogonal
optimal sols
<a1,b1>  { vc(I2,I2) }
<a1,b’2>  { vc(I1,I2) }
<a1,b1>  { vc(I2,I2) }
<a’1,b’2>  none
<a’1,b’2> : GFP solution
Forward Iterative (LFP)
Forward: Same as GFP except
• Pick the destination invariant
of unsat constraint to improve
• Start with <⊥,…,⊥>
Constraint-based over Predicate
Abstraction
pre
vc(pre,I1)
I1
vc(I1,post)
vc(I1,I2)
I2
post
vc(I2,I2)
vc(I2,I1)
Constraint-based over Predicate
Abstraction
pred(I1)
vc(pre,I1)
vc(I1,post
)
vc(I1,I2)
b11,b21…br1
p1,p2…pr
vc(I2,I1)
boolean indicators
p1,p2…pr
predicates
unknown 2
unknown 1
k : ()  ()
vc(I2,I2)
Remember:
VCs are FOL
formulae
over I1, I2
b12,b22…br2

I1
template
Constraint-based over Predicate
Abstraction
pred(A) : A to unknown
predicate
indicator variables
vc(pre,I1)
vc(I1,post
)
vc(I1,I2)
vc(I2,I1)
vc(I2,I2)
Remember:
VCs are FOL
formulae
over I1, I2
pred(I1)
Constraint-based over Predicate
Abstraction
SAT formulae
over predicate
indicators
Program constraint
to boolean constraint
Optimal
solutions
from SMT
solver to
impose
minimal
constraints
pred(A) : A to unknown
predicate
indicator variables
vc(pre,I1)
boolc(pred(I1))
vc(I1,post
)
vc(I1,I2)
boolc(pred(I1))
vc(I2,I1)
boolc(pred(I2), pred(I1))
vc(I2,I2)
boolc(pred(I1), pred(I2))
boolc(pred(I2))
Remember:
VCs are FOL
formulae
over I1, I2
Local reasoning
∧
Invariant
soln
Boolean constraint
to satisfying soln
(SAT Solver)
Fixed-Point Computation
Outline
(GFP)
(CFP)
(LFP)
• Optimal Solutions
– Built over a clean theorem proving interface
Optimal Solutions
• Key: Polarity of unknowns in formula Φ
– Positive or negative:
• Value of positive unknown stronger => Φ stronger
• Value of negative unknown stronger => Φ weaker
positive
negative
Φ = ∀x : ∃y : ( ¬ u1 ∨ u2
) ∧ u3
positive
• Optimal Soln: Maximally strong positives, maximally weak negatives
• Assume theorem prover interface: OptNegSol
– Optimal solutions for formula with only negative unknowns
– Built using a lattice search by querying SMT Solver
Optimal Solutions using OptNegSol
formula Φ contains unknowns:
u1…uN negative
Repeat until
set stable
OptNegSol
Φ[ a’’1…a’’P ]
a’’1…a’’P,S’’1…S’’N
P-tuple that assigns
a single predicate
to each positive unknown
Si soln for the
negative unknowns
Merge
Opt
Opt’
…
…
…
a1…aP,S1…SN
a’1…a’P,S’1…S’N
Φ[ a1…aP ]
Φ[ a’1…a’P ]
…
P x Size of predicate set
u1…uP positive
Opt’’
Optimal Solutions
for formula Φ
Merge positive tuples
Outline
(GFP)
(CFP)
(LFP)
• Weakest Precondition Generation
Outline
(GFP)
(CFP)
(LFP)
• Experimental evaluation
Implementation
Microsoft’s
Phoenix Compiler
C Program
Verification
Conditions
CFG
Templates
Predicate Set
Iterative
Fixed-point
GFP/LFP
Candidate
Solutions
Constraintbased
Fixed-Point
Z3 SMT
Solver
Invariants
Preconditions
Boolean
Constraint
Verifying Sorting Algorithms
• Benchmarks
– Considered difficult to verify
– Require invariants with quantifiers
– Sorting, ideal benchmark programs
• 5 major sorting algorithms
– Insertion Sort, Bubble Sort (n2 version and termination checking
version), Selection Sort, Quick Sort and Merge Sort
• Properties:
– Sort elements
• ∀k : 0≤k<n => A[k] ≤A[k+1] --- output array is non-decreasing
– Maintain permutation, when elements distinct
• ∀k∃j : 0≤k<n => A[k]=Aold[j] & 0≤j<n --- no elements gained
• ∀k∃j : 0≤k<n => Aold[k]=A[j] & 0≤j<n --- no elements lost
Runtimes: Sortedness
16
Tool can prove
sortedness for all
sorting algorithms!
14
12
seconds
10
LFP
8
GFP
CFP
6
4
2
0
Selection Sort
Insertion Sort
Bubble Sort (n2)
Bubble Sort (flag)
Quick Sort
Merge Sort
Runtimes: Permutation
…
94.42
40
…Permutations too!
35
30
seconds
25
LFP
20
GFP
CFP
15
10
5
0
∞
Selection Sort
∞
Insertion Sort
Bubble Sort (n2)
Bubble Sort (flag)
Quick Sort
Merge Sort
Inferring Preconditions
• Given a property (worst case runtime or functional correctness)
what is the input required for the property to hold
• Tool automatically infers non-trivial inputs/preconditions
• Worst case input (precondition) for sorting:
– Selection Sort: sorted array except last element is the smallest
– Insertion, Quick Sort, Bubble Sort (flag): Reverse sorted array
• Inputs (precondition) for functional correctness:
– Binary search requires sorted input array
– Merge in Merge sort requires sorted inputs
– Missing initializers required in various other programs
Runtimes (GFP): Inferring worst case
inputs for sorting
45
Tool infers worst
case inputs for all
sorting algorithms!
40
35
seconds
30
25
Nothing to infer as all inputs
yield the same behavior
20
15
10
5
0
Selection Sort
Insertion Sort
Bubble Sort (n2)
Bubble Sort (flag)
Quick Sort
Merge Sort
Conclusions
• Powerful invariant inference over predicate abstraction
– Can infer quantifier invariants
• Three algorithms with different strengths
– Iterative: Least fixed-point and Greatest fixed-point
– Constraint-based
• Extend to maximally-weak precondition inference
– Worst case inputs
– Preconditions for functional correctness
• Techniques builds on SMT Solvers, so exploit their power
• Successfully verified/inferred preconditions
– All major sorting algorithms
– Other difficult benchmarks
• Project Webpage: http://www.cs.umd.edu/~saurabhs/pacs