1 / 18

VS 3 : V erification and S ynthesis using S MT S olvers SMT Solvers for Program Verification

VS 3 : V erification and S ynthesis using S MT S olvers SMT Solvers for Program Verification. Saurabh Srivastava * Sumit Gulwani ** Jeffrey S. Foster * * University of Maryland, College Park ** Microsoft Research, Redmond. What VS 3 will let you do! .

sokanon
Télécharger la présentation

VS 3 : V erification and S ynthesis using S MT S olvers SMT Solvers for Program Verification

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. VS3: Verification and Synthesis usingSMT SolversSMT Solvers for Program Verification Saurabh Srivastava * Sumit Gulwani ** Jeffrey S. Foster * * University of Maryland, College Park ** Microsoft Research, Redmond

  2. What VS3 will let you do! A. Discover invariants with arbitrary quantification and boolean structure • ∀: E.g. Sortedness • ∀∃: E.g. Permutation • Selection Sort: for i = 0…n { for j = i…n { find min index } if (min ≠ i) swap A[min], A[i] } .. ∀k1,k2 k1 k2 Aold .. j .. k • Anew ∀k∃j

  3. What VS3 will let you do! A. Discover invariants with arbitrary quantification and boolean structure • ∀: E.g. Sortedness • ∀∃: E.g. Permutation • Selection Sort: i:=0 i<n j:=i j<n Output array Find min index .. • if (min != i) • swap A[i], A[min] ∀k1,k2 k1 k2 Aold .. j .. k • Anew ∀k∃j

  4. Verification: Proving Programs Correct Input state true • Selection Sort: i:=0 Iouter i<n j:=i Output state Iinner j<n Sortedness Permutation Output array Find min index The difficult task is program state (invariant) inference: Iinner, Iouter, Input state, Output state • if (min != i) • swap A[i], A[min]

  5. Verification: Proving Programs Correct Input state true • Selection Sort: ∀k1,k2 : 0≤k1<k2<n∧ k1<i => A[k1] ≤A[k2] i:=0 i < j i ≤ min < n i<n j:=i ∀k1,k2 : 0≤k1<k2<n∧ k1<i => A[k1] ≤A[k2] Output state ∀k2 : 0≤k2∧i≤k2<j => A[min] ≤A[k2] j<n Sortedness Permutation Output array Find min index The difficult task is program state (invariant) inference: Iinner, Iouter, Input state, Output state ∀k1,k2 : 0≤k1<k2<n => A[k1] ≤A[k2] • if (min != i) • swap A[i], A[min]

  6. Verification: Proving Programs Correct Input state true • Selection Sort: ∀k1,k2 : 0≤k1<k2<n∧ k1<i => A[k1] ≤A[k2] ∀k1,k2 : 0≤k1<k2<n∧ k1<i => A[k1] ≤A[k2] ∀k1,k2 : (----------------) => A[k1] ≤A[k2] i:=0 (-------------------) i < j i ≤ min < n i<n j:=i ∀k1,k2 : 0≤k1<k2<n∧ k1<i => A[k1] ≤A[k2] ∀k1,k2 : (---------------) => A[k1] ≤A[k2] Output state ∀k2 : 0≤k2∧i≤k2<j => A[min] ≤A[k2] ∀k2 : (-----------) => A[min] ≤A[k2] j<n Sortedness Permutation Output array Find min index The difficult task is program state (invariant) inference: Iinner, Iouter, Input state, Output state ∀k1,k2 : 0≤k1<k2<n => A[k1] ≤A[k2] • if (min != i) • swap A[i], A[min]

  7. Verification: Proving Programs Correct Input state true • Selection Sort: (-------------------) ∀k1,k2 : (----------------) => A[k1] ≤A[k2] ∀k2 : (-----------) => A[min] ≤A[k2] i:=0 (-------------------) i<n j:=i ∀k1,k2 : (---------------) => A[k1] ≤A[k2] Output state ∀k2 : (-----------) => A[min] ≤A[k2] j<n Sortedness Permutation Output array Find min index The difficult task is program state (invariant) inference: Iinner, Iouter, Input state, Output state ∀k1,k2 : 0≤k1<k2<n => A[k1] ≤A[k2] • if (min != i) • swap A[i], A[min]

  8. Verification: Proving Programs Correct • Bubble Sort: (-------------------) ∀k1,k2 : (----------------) => A[k1] ≤A[k2] ∀k1,k2 : (----------) => A[k1] ≤A[k2] i:=n-1 (-------------------) i>0 j:=0 ∀k1,k2 : (---------------) => A[k1] ≤A[k2] ∀k1,k2 : (----------) => A[k1] ≤A[k2] j<i Output array • if (a[j] > a[j+1]) • swap A[j], A[j+1] ∀k1,k2 : 0≤k1<k2<n => A[k1] ≤A[k2]

  9. User Input:Templates and Predicates • Templates • Intuitive and simple • Depending on the property being proved; form straight-forward • Limited to the quantification and disjunction Unknown holes • Predicate Abstraction Program variables, array elements • Enumerate predicates of the form Relational operator <, ≤, >, ≥ … • E.g., {i<j, i>j, i≤j, i≥j… }

  10. Tool architecture Microsoft’s Phoenix Compiler Cut-Set VS3 Verification Conditions C Program CFG Templates for invariants Iterative Fixed-point GFP/LFP Constraint- based Fixed-Point Predicate Sets SMT Solver Candidate Solutions Boolean Constraint SAT Solver Preconditions Postconditions Invariants

  11. Fixed-point Computation • Constraint-based (VMCAI’09) • Separately encode each VC as SAT constraint • Local constraints  SAT clauses • Use SAT solver to do fixed-point computation • Compare against trivial approach: 1.6e14 minutes • Iterative (PLDI’09) • Facts do not form a lattice, but power-set does • We ensure that if there exists an invariant we find it • Intelligent lattice search: SMT solver for tx-functions

  12. Weakest Preconditions Weakest conditions on input? k2 k1 < i:=0 i<n j:=i j<n Output array Worst case behavior: swap every time it can Find min index • if (min != i) • swap A[i], A[min]

  13. Example analyses • Tool can verify: • Sorting algorithms: • Selection, Insertion, Bubble, Quick, Merge Sort • Properties • Output is Sorted • Output contains all and only elements from the input • Tool can infer preconditions: • Worst case input (precondition) for sorting: • Reverse sorted array, all but Selection Sort • Selection Sort: sorted array except last elem is smallest • Inputs for functional correctness: • Binary search requires sorted array • Merge in merge sort expect sorted inputs • Missing initializers

  14. Demo: Selection Sort Input state true • Selection Sort: ∀k1,k2 : 0≤k1<k2<n∧ k1<i => A[k1] ≤A[k2] i:=0 i < j i ≤ min < n i<n j:=i ∀k1,k2 : 0≤k1<k2<n∧ k1<i => A[k1] ≤A[k2] Output state ∀k2 : 0≤k2∧i≤k2<j => A[min] ≤A[k2] j<n Sortedness Permutation Output array Find min index The difficult task is program state (invariant) inference: Iinner, Iouter, Input state, Output state ∀k1,k2 : 0≤k1<k2<n => A[k1] ≤A[k2] • if (min != i) • swap A[i], A[min]

  15. Demo: Program

  16. Demo: Output

  17. Conclusions • VS3: Verification tool over predicate abstraction • Verification • Can infer quantified invariants • Maximally-weak preconditions • Builds on SMT Solvers, so exploits their power • Project Webpage http://www.cs.umd.edu/~saurabhs/pacs Future work

  18. Recent extension: Synthesis • Verification tool for quantified invariants • Reasoning about full functional specifications possible • What if we had missing program fragments? • Still possible to verify if we allow the tool to plug-in equality predicates over program variables • Equality predicates translated to statements • We can synthesize • Strassen’s Matrix Multiplication! • Sorting algorithms!

More Related