Nested Interpolants. Matthias Heizmann Jochen Hoenicke Andreas Podelski POPL University of Freiburg, Germany

Transcription

1 Nested Interpolants Matthias Heizmann Jochen Hoenicke Andreas Podelski University of Freiburg, Germany POPL 2010

2

3 Result Interpolant-based software model checking for recursive programs avoid construction of an abstract program Hoare logic nested words

4 Software model checking Thomas Ball, Sriram K. Rajamani: The SLAM project: debugging system software via static analysis. (POPL 2002) Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar, Grégoire Sutre Lazy abstraction. (POPL 2002) Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar, Kenneth L. McMillan Abstractions from proofs. (POPL 2004) theorem model proving checking program abstract program invariant

5 Software model checking Thomas Ball, Sriram K. Rajamani: The SLAM project: debugging system software via static analysis. (POPL 2002) Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar, Grégoire Sutre Lazy abstraction. (POPL 2002) Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar, Kenneth L. McMillan Abstractions from proofs. (POPL 2004) theorem model proving checking program abstract program invariant Bottleneck: Construction of abstract program

6 Recent approaches: Avoid construction of abstract program Franjo Ivancic, Ilya Shlyakhter, Aarti Gupta, Malay K. Ganai Model checking C programs using F-SOFT (ICCD 2005) Kenneth L. McMillan Lazy abstraction with interpolants (CAV 2006) Nels Beckman, Aditya V. Nori, Sriram K. Rajamani, Robert J. Simmons Proofs from tests (ISSTA 2008) Bhargav S. Gulavani, Supratik Chakraborty, Aditya V. Nori, Sriram K. Rajamani Automatically refining abstract interpretations (TACAS 2008)

7 One idea: Use interpolants to avoid construction of the abstract program theorem model proving checking program abstract program invariant interpolating theorem prover

8 One idea: Use interpolants to avoid construction of the abstract program theorem model proving checking program abstract program invariant interpolating theorem prover Ranjit Jhala, Kenneth L. McMillan A practical and complete approach to predicate refinement (TACAS 2006) Kenneth L. McMillan Lazy abstraction with interpolants (CAV 2006) Quantified invariant generation using an interpolating saturation prover (TACAS 2008) Open: Interpolants in interprocedural analysis

9 Interprocedural static analysis - motivation Recursive Programs?

10 Interprocedural static analysis - motivation Modularity! Recursive Programs?

11 Interprocedural static analysis - motivation Modularity! Recursive Programs? Interprocedural analysis, a classical topic in programming languages Micha Sharir, Amir Pnueli Two approaches to interprocedural data flow analysis (1981) Thomas W. Reps, Susan Horwitz, Shmuel Sagiv Precise interprocedural dataflow analysis via graph reachability (POPL 1995) Shaz Qadeer, Sriram K. Rajamani, Jakob Rehof Summarizing procedures in concurrent programs (POPL 2004)

12 Interpolants Interpolant - for a proof Given: Proof A B Interpolation: A I B.... automatically generated by SMT solver (Craig interpolation)

13 Interpolants Interpolant - for a proof Given: Proof A B Interpolation: A I B.... automatically generated by SMT solver (Craig interpolation) Interpolant - for an execution traces Given: Infeasible trace st 1... st i st i+1... st n Interpolation: post( true, st 1... st i ) I wp( st i+1... st n, false )... can be new formula, not contained in program

14 Inductive interpolants Construct sequence of interpolants I 0... I n inductively post( I i, st i ) I i+1 suitable Hoare annotation to prove infeasibility of program slice

15 Inductive interpolants Construct sequence of interpolants I 0... I n inductively post( I i, st i ) I i+1 suitable Hoare annotation to prove infeasibility of program slice What if execution trace contains procedure calls?

16 Interpolants for interprocedural analysis What is an interpolant for an interprocedural execution?

17 Interpolants for interprocedural analysis What is an interpolant for an interprocedural execution? state with a stack? locality of interpolant is lost

18 Interpolants for interprocedural analysis What is an interpolant for an interprocedural execution? state with a stack? locality of interpolant is lost only local valuations? call/return dependency lost, sequence of interpolants is not a proof

19 Our gordian knot How can we keep track of the call/return dependency in a sequence of states without a stack?

20

21 Nested words Idea: Add call/return dependency explicitly to the word Rajeev Alur Marrying words and trees (PODS 2007) Rajeev Alur, P. Madhusudan Adding nesting structure to words (DLT 2006, J. ACM 56(3) 2009) Rajeev Alur, Swarat Chaudhuri Temporal reasoning for procedural programs (VMCAI 2010)

22 Nested words Idea: Add call/return dependency explicitly to the word Rajeev Alur Marrying words and trees (PODS 2007) Rajeev Alur, P. Madhusudan Adding nesting structure to words (DLT 2006, J. ACM 56(3) 2009) Rajeev Alur, Swarat Chaudhuri Temporal reasoning for procedural programs (VMCAI 2010)

23 Nested interpolants What is a sequence of interpolants for an interprocedural execution? Idea: Define sequence interpolants with respect to nested trace

24 Nested interpolants What is a sequence of interpolants for an interprocedural execution? Idea: Define sequence interpolants with respect to nested trace ( ) post I i, I k, return I i+1

25 Control flow as nested word automata procedure m(x) returns (res) l 0: if x>100 x<=100 l0 l 1: res:=x-10 else l2 xm:=x+11 x>100 l 2: x m := x+11 l3 l 3: l4 xm:=resm return m l3 l1 l 4: x m := res m l5 l 5: l6 res:=resm res:=x-10 l 6: res := res m l 7: assert (x<=101 -> res=91) return m McCarthy 91 function l7 return m l5 x 101 res 91 lerr nested word automaton

26 Floyd-Hoare proof as nested word automata procedure m(x) returns (res) { } l 0: if x>100 l 1: {x 101} res:=x-10 else {x 100} l 2: x m := x+11 l 3: {xm 111} {resm 101} l 4: x m := res m l 5: l 6: {xm 101} {resm = 91} res := res m {res = 91 (x 101 res = x 10)} l 7: assert (x<=101 -> res=91) return m McCarthy 91 function x 100 xm 111 resm 101 xm 101 resm = 91 x<=100 xm:=x+11 xm:=resm return m xm 101 res:=resm return m xm 111 res = 91 x 101 res = x 10 nested word automaton x>100 res:=x-10 x 101

27 Floyd-Hoare proof as nested word automata procedure m(x) returns (res) { } l 0: if x>100 l 1: {x 101} res:=x-10 else {x 100} l 2: x m := x+11 l 3: {xm 111} {resm 101} l 4: x m := res m l 5: l 6: {xm 101} {resm = 91} res := res m {res = 91 (x 101 res = x 10)} l 7: assert (x<=101 -> res=91) return m McCarthy 91 function x 100 xm 111 resm 101 xm 101 resm = 91 x<=100 xm:=x+11 xm:=resm return m xm 101 res:=resm return m xm 111 res = 91 x 101 res = x 10 nested word automaton x>100 res:=x-10 x 101 e.g. post ( x 100, x m:=x+11 ) x m 111

28 Constructing a proof of correctness Compute sequence of nested interpolants x<=100 ϕ0 : x I0 : I1 : x 100 xm:=x+11 ϕ1 : x 1 m =x ϕ2 : x 2 =x 1 m I2 : xm 111 I3 : x>100 ϕ3 : x 2 >100 I4 : res:=x-10 ϕ4 : res 4 =x 2 10 return m ϕ5 : res 5 m =res 4 I6 : resm 101 I5 : res x 10 xm:=resm ϕ6 : x 6 m =res 5 m ϕ7 : x 7 =x 6 m I7 : xm 101 I8 : x>100 ϕ8 : x 7 >100 I9 : x 101 res:=x-10 ϕ9 : res 9 =x 7 10 return m ϕ10 : res 10 m =res 9 I11 : resm = 91 I10 : x 101 res = x 10 res:=resm ϕ11 : res 11 =res m 10 I12 : res = 91 x 101 res 91) ϕ12 : x res I13 : infeasible nested trace π SSA of π sequence of interpolants for π

29 Constructing a proof of correctness Nested interpolant automaton I0 : q0 I1 : x 100 x<=100 q1 x<=100 xm:=x+11 x<=100 I2 : xm 111 I3 : q2 q3 x>100 I4 : q4 res:=x-10 I6 : resm 101 I5 : res x 10 q6 return m q2 q5 xm:=resm I7 : xm 101 I8 : q7 q8 x>100 I9 : x 101 return m q2 q9 res:=x-10 I11 : resm = 91 I10 : x 101 res = x 10 q11 return m q7 q10 res:=resm I12 : res = 91 q12 return m q7 x 101 res 91) I13 : sequence of interpolants for π q13 nested interpolant automaton

30 Constructing a proof of correctness Nested interpolant automaton I0 : x<=100 I1 : x 100 q0 x<=100 q1 x<=100 xm:=x+11 I2 : xm 111 I3 : x>100 xm:=x+11 q2 x<=100 q3 x>100 I4 : q4 res:=x-10 res:=x-10 I6 : resm 101 return m I5 : res x 10 q6 return m q2 q5 xm:=resm xm:=resm I7 : xm 101 I8 : q7 q8 x>100 x>100 I9 : x 101 return m q2 q9 res:=x-10 res:=x-10 I11 : resm = 91 return m I10 : x 101 res = x 10 q11 return m q7 q10 res:=resm I12 : res = 91 res:=resm q12 return m q7 x 101 res 91) x 101 res 91) I13 : sequence of interpolants for π q13 nested interpolant automaton

31 Constructing a proof of correctness CEGAR recursive program P start with A such that L(A) L(A Σ ) return refined abstraction A := A A I where A I is a nested interpolant automaton such that π L(A I ) no L(A) L(A P ) =? π L(A Σ )? no yes return nested error trace π such that π L(A) L(A P ) yes P is correct P is incorrect

32 Conclusion Interpolant-based software model checking for recursive programs avoid construction of an abstract program Hoare logic nested words