290 likes | 388 Vues
Explore the challenge of quantified invariants in program analysis, focusing on automated methods like model checking and abstract interpretation to ensure program safety and correctness by enforcing assertions and proof. Discover specialized abstract domains that handle complex problems efficiently without generating false warnings. Learn to find a quantifier-free interpretation of predicates for effective assertion checking and witness generation in programs. Enhance your understanding of automated techniques and strategies for quantified invariants in rich domains.
E N D
Quantified Invariants in Rich DomainsusingModel Checking and Abstract Interpretation Anvesh Komuravelli, CMU Joint work with Ken McMillan
The Problem Quantified Invariants! Safe + Proof Array-Manipulating Program P + Assertions Automatic analysis for assertion failures Unsafe + CEX Unknown + Partial Proof
Quantified Invariants, Typically • Specialized Abstract Domains • E.g. Segmentation abstraction, • Indexed Predicate Abstraction, • Points-to Analysis, etc. • Restrictive • False warnings • Unrestricted Model Checking • E.g. Interpolation-based • Hard to find the right quantifiers • Divergence Rich-enough abstract domain?
The abstract domain Quantified variables Abstract Domain Predicate signature i := 0; while (i < n) { // a[i] := c; i++; } assume (0 ≤ k < n) assert (a[k] = c) Goal: Find a quantifier-free interpretation of the predicates
Guess-and-check doesn’t work anymore! i := 0; while (i < n) { // a[i] := c; i++; } assume (0 ≤ k < n) assert (a[k] = c) Given a guess for P, how to check if it suffices? FOL validity is undecidable! Can we still use existing model checkers?
Let’s look at the VCs i := 0; while (i < n) { // a[i] := c; i++; } assume (0 ≤ k < n) assert (a[k] = c)
Let’s look at the VCs Pulled to the outermost scope
Let’s look at the VCs Real challenge! Find a sufficient set of witnesses
Let’s look at the VCs Reduces to quantifier-free invariantgeneration (use an off-the-shelf model checker)
Two Goals Quantified variables Abstract Domain Predicate signature i := 0; while (i < n) { // a[i] := c; i++; } assume (0 ≤ k < n) assert (a[k] = c) Goal 1: Find a sufficient set of witnesses for j Goal 2: Find a quantifier-free interpretation of the predicates
A Strategy Eager Syntactic Pattern Matching [BMR13] Guess some witnesses Y Found Proof Check if they suffice using a model checker N • Unguided instantiation • Worst-case unbounded • Grows exponentially with number of quantified vars • May choke the model checker • No fall-back strategy Give up! [BMR13]: On Solving Universally Quantified Horn Clauses, Bjorner, McMillan, Rybalchenko, SAS’13
Our Strategy Guess some witnesses Y Found Proof Check if they suffice using a model checker N CEX Constraint on the witness Refine the guess Guess-and-check, but of the witnesses and not the invariant itself
Obtaining Strong Constraints Generalized Counterexamples Strong Constraints • Symbolic Counterexamples • Number of variables = O(size) • Constraint solving becomes harder • (easily diverging) Ground Counterexamples + Abstract Interpretation
Note – one witness suffices! May not be expressible! is equivalent to
The algorithm [B] [L] [E]
The algorithm [B] B P(k0,v0,i0,c0) L [L] P(k1,v1,i1,c1) L P(k2,v2,i2,c2) E [E] Instantiate Check
The algorithm B L E L P(k2,v2,i2,c2) P(k0,v0,i0,c0) P(k1,v1,i1,c1) Analyze Instantiate Check
The algorithm B L E L P(0,0,1,0) P(0,0,0,0) P(0,0,2,0) ? ? ? ? ✕ ✕ ✕ ✕ Analyze Instantiate Check
The algorithm B L E L P(0,1,0,0) P(0,0,0,0) P(0,2,0,0) ? ? ? ? ✕ ✕ ✕ ✕ Use k for j Analyze Instantiate Check
The algorithm [B] [L] [E] Instantiate
The algorithm [B] [L] [E] … Instantiate
Finding a new witness Given Constraint local vars Check quantified variable Skolem Template f restrict to linear templates Solve for t using sampling-based approach
Quantifier Alternation using Sampling Quantifier Elimination Pick candidate tc Eliminate arrays (thanks to Nikolaj for the discussion), Cheap QE of integers Y ? Return tc N CEX lc Add lc to existing samples S New candidate tc Source of Divergence! Y N ? CEX S
Abstract Post, in practice 1. Cheap QE tricks, case-split on equalities on j, etc. 2. Under-approximate, otherwise. Solve Generalize models • 1. Cheap QE tricks, case-split on array-index arguments, etc. • 2. Under-approximate, otherwise. • Solve an SMT problem • Generalize models
Experiments • Implemented “qe_array” tactic in Z3 • Prototype in Python using Z3Py interface for witness generation • Automatically generated “sufficient witnesses” for small array-manipulating • programs (BMR13) – array init, find, copy, concatenate, reverse, etc. • Used GPDR engine in Z3 to solve for quantifier-free predicates • Up to two universal quantifiers per predicate • Witness was just a local variable in the VC
Moving forward… • Scalability • Handle large programs (with multiple procedures) • How to pick relevant “set” of witnesses? • Can we synthesize guards to combine them into a single witness? • Implementation-wise • Cache previous AI results • Reuse bounded proofs – Proof-based Abstraction • Lazy QE – postponing to later steps? • Alternatives • Use over-approximations of reachable states • Witness may not exist – need to refine the approximation