Constraint-Based Static Analysis of Programs

Size: px

Start display at page:

Download "Constraint-Based Static Analysis of Programs"

Molly Tyler
6 years ago
Views:

1 Constraint-Based Static Analysis of Programs Joint work with Michael Colon, Sriram Sankaranarayanan, Aaron Bradley and Zohar Manna Henny Sipma Stanford University Master Class Seminar at Washington University at St Louis, 2006 Henny Sipma, November 16, 2006 Washington University at St Louis - p 1/66

2 Overflows Division by Zero Deadlock Freedom Traditional Approach Forward Propagation Problems Common Solution - step 1 - step 2 - step 3 - step 4 Constraint-Based Henny Sipma, November 16, 2006 Washington University at St Louis - p 2/66

3 Motivation Overflows Division by Zero Deadlock Freedom Traditional Approach Forward Propagation Problems Common Solution - step 1 - step 2 - step 3 - step 4 Constraint-Based Objective: To extract information about the program behavior from the program text invariants termination temporal properties Henny Sipma, November 16, 2006 Washington University at St Louis - p 3/66

4 Trivial Example Overflows Division by Zero Deadlock Freedom Traditional Approach Forward Propagation Problems Common Solution - step 1 - step 2 - step 3 - step 4 Constraint-Based integer i, j where i=2 j=0 l 0 : while () do if () then i := i+4 else (i, j) := (i+2, j+1) i 2, j 0, and i 2j 2 are invariants Objective: To obtain such invariants automatically Henny Sipma, November 16, 2006 Washington University at St Louis - p 4/66

5 Buffer Overflow Analysis Overflows Division by Zero Deadlock Freedom Traditional Approach Forward Propagation Problems Common Solution - step 1 - step 2 - step 3 - step 4 Constraint-Based 0 i<n? 1: int *a = malloc( sizeof(int) * n); 2: int i,j,k; 3: for(i=0; i<n; ++i) 4: for(j=0;2*j<=i;++j) 5: if (a[i] <= a[2*j+1]) 6: 7: Check bounds for each array access 0 2j+1<n? Henny Sipma, November 16, 2006 Washington University at St Louis - p 5/66

6 Division by Zero Overflows Division by Zero Deadlock Freedom Traditional Approach Forward Propagation Problems Common Solution - step 1 - step 2 - step 3 - step 4 Constraint-Based c+b 1>0 1: double a,b,c 2: 3: while ( b > 0 c >= 0 ) { 4: a = a + b/(c+b-1); 5: 6: } Prove every divisor non-zero Henny Sipma, November 16, 2006 Washington University at St Louis - p 6/66

7 Deadlock Freedom x 7 x 13 Overflows Division by Zero Deadlock Freedom x 6 x 9 x 14 x 18 x 21 x 23 Traditional Approach x 15 x 19 Forward Propagation Problems x 1 x 2 x 3 x 25 Common Solution x 10 x 16 - step 1 - step 2 - step 3 x 5 x 8 x 11 x 17 x 20 x 22 - step 4 Constraint-Based x 4 x 12 x 24 Is this Petri net deadlock free? [Zhou et al : 1992] Henny Sipma, November 16, 2006 Washington University at St Louis - p 7/66

8 Preliminaries: Transition Systems Overflows Division by Zero Deadlock Freedom Traditional Approach Forward Propagation Problems Common Solution - step 1 - step 2 - step 3 - step 4 Constraint-Based integer i, j where i=2 j=0 l 0 : while true do i := i+4 or (i, j) := (i+2, j+1) Transition system: L :{l 0 }, V : { i, j },T:{τ 1,τ 2 },Θ : (i=2 j=0), L 0 : l 0 } {{ }} {{ }} {{ }} {{ }}{{} with locations variables transitions initial condition τ 1 = l 0, l 0,ρ τ1 : (i = i+4 j = j) τ 2 = l 0, l 0,ρ τ2 : (i = i+2 j = j+1) } {{ } transition relation initial location Henny Sipma, November 16, 2006 Washington University at St Louis - p 8/66

9 Transition System: Execution Overflows Division by Zero Deadlock Freedom Traditional Approach Forward Propagation Problems Common Solution - step 1 - step 2 - step 3 - step 4 Constraint-Based Computation: Infinite sequence of states l i, x i such that Initial Condition satisfied l 0, x 0 τ 1 l 1, x 1 τ 2 l 2, x 2 l 0 = L 0 Θ(x 0 ) Consecutive states l i, x i l i+1, x i+1 satisfy some transition τ k : li,l i+1,ρ τk (x i, x i+1 ) Henny Sipma, November 16, 2006 Washington University at St Louis - p 9/66

10 Static Analysis: Traditional Approach Overflows Division by Zero Deadlock Freedom Traditional Approach Forward Propagation Problems Common Solution - step 1 - step 2 - step 3 - step 4 Constraint-Based Symbolic forward simulation to obtain an overapproximation of the reachable state space (ie invariants) B Θ F 1 F 2 reachable states Henny Sipma, November 16, 2006 Washington University at St Louis - p 10/66

11 Forward Propagation Overflows Division by Zero Deadlock Freedom Traditional Approach Forward Propagation Problems Common Solution - step 1 - step 2 - step 3 - step 4 Constraint-Based until with F 0 : Θ F 1 : F 0 ( τ T post τ (F 0 ) ) F 2 : F 1 ( τ T post τ (F 1 ) ) post τ (ϕ) : V 0 F i+1 F i (ϕ(v 0 ) ρ τ (V 0, V)) Henny Sipma, November 16, 2006 Washington University at St Louis - p 11/66

12 Problems Overflows Division by Zero Deadlock Freedom Traditional Approach Forward Propagation Problems Common Solution - step 1 - step 2 - step 3 - step 4 Constraint-Based 1 May not converge in finite time Example: We never reach: x 0 integer i where i=0 while true do x := x+1 F 0 : i=0 F 1 : i=0 i=1 F 2 : i=1 i=1 i=2 2 May not be able to detect convergence F n+1 F n Henny Sipma, November 16, 2006 Washington University at St Louis - p 12/66

13 Common Solution Overflows Division by Zero Deadlock Freedom Traditional Approach Forward Propagation Problems Common Solution - step 1 - step 2 - step 3 - step 4 Constraint-Based Abstract Interpretation [Cousot&Cousot,77]: perform the symbolic simulation in an abstract domain: Domain converges? Reference Linear equalities yes Karr 76 Müller-Olm,Seidl, 04 Gulwani+Necula 03 Linear inequalities no Cousot,Halbwachs 79 Intervals no Cousot,Cousot 76 Octagons no Mine 01 Octahedra no Clarisó,Cortadella 04 TCM no SSM 04 Use widening operator to force convergence Henny Sipma, November 16, 2006 Washington University at St Louis - p 13/66

14 Example: Forward Propagation Overflows Division by Zero Deadlock Freedom Traditional Approach Forward Propagation Problems Common Solution - step 1 - step 2 - step 3 - step 4 Constraint-Based integer i, j where i=2 j=0 l 0 : while true do i := i+4 or (i, j) := (i+2, j+1) Abstract Domain: Linear Inequalities over Reals Henny Sipma, November 16, 2006 Washington University at St Louis - p 14/66

15 Step 1: Iteration Overflows Division by Zero Deadlock Freedom Traditional Approach Forward Propagation Problems Common Solution - step 1 - step 2 - step 3 - step 4 Constraint-Based η 0 : (j=0) (i=2) post(η 0,τ 1 ) : (j=0) (i=6) post(η 0,τ 2 ) : (j=1) (i=4) η 1 : (0 j 1) (i 2j 2) (i+2j 6) η 0 τ 2 (4, 1) j τ 1 (2, 0) (6, 0) i Henny Sipma, November 16, 2006 Washington University at St Louis - p 15/66

16 Step 2: Iteration Overflows Division by Zero Deadlock Freedom Traditional Approach Forward Propagation Problems Common Solution - step 1 - step 2 - step 3 - step 4 Constraint-Based η 1 : (0 j 1) (i 2j 2) (i+2j 6) post(η 1,τ 1 ) : (0 j 1) (i 2j 6) (i+2j 10) post(η 1,τ 2 ) : (1 j 2) (i 2j 2) (i+2j 10) η 2 : (0 j 2) (i 2j 2) (i+2j 10) j (6, 2) (4, 1) τ 2 (8, 1) τ 1 η 1 (2, 0) (6, 0) (10, 0) i Henny Sipma, November 16, 2006 Washington University at St Louis - p 16/66

17 Step 3: Widening Iteration Overflows Division by Zero Deadlock Freedom Traditional Approach Forward Propagation Problems Common Solution - step 1 - step 2 - step 3 - step 4 Constraint-Based η 1 : (0 j 1) (i 2j 2) (i+2j 6) η 2 : (0 j 2) (i 2j 2) (i+2j 10) η 3 : (0 j 3) (i 2j 2) (i+2j 14) η 3 =η 2 η 3 : (0 j) (i 2j 2) (4, 1) (6, 2) η 3 j (2, 0) (6, 0) (10, 0) i Henny Sipma, November 16, 2006 Washington University at St Louis - p 17/66

18 Iteration: Step 4 Overflows Division by Zero Deadlock Freedom Traditional Approach Forward Propagation Problems Common Solution - step 1 - step 2 - step 3 - step 4 Constraint-Based post(η 3,τ 1) : (0 j) (i 2j 2) post(η 3,τ 2) : (0 j) (i 2j 2) η 4 =η 3 post(η 3,{τ 1,τ 2 }) : (0 j) (i 2j 2) j (2, 0) η 3 i Note: Termination of iteration,η 4 =η 3 The final invariants are 0 j 2 i 2j Henny Sipma, November 16, 2006 Washington University at St Louis - p 18/66

19 Outline Overflows Division by Zero Deadlock Freedom Traditional Approach Forward Propagation Problems Common Solution - step 1 - step 2 - step 3 - step 4 Constraint-Based Computing linear invariants Computing linear ranking functions Computing polynomial invariants Related Work Conclusions Henny Sipma, November 16, 2006 Washington University at St Louis - p 19/66

20 Henny Sipma, November 16, 2006 Washington University at St Louis - p 20/66

21 1 Fix the type and shape of the desired property Examples: linear invariant, linear ranking function polynomial invariant 2 Provide the conditions for the property to hold 3 Encode the conditions on the property as a system of constraints 4 Solve the constraints 5 Every solution is a property of the desired type and shape Henny Sipma, November 16, 2006 Washington University at St Louis - p 21/66

22 1 Fix type and shape 2 Example Farkas Lemma 3Encode Initiation 3Encode Consecution 4 Solve the constraints 4 Example Pros and Cons Henny Sipma, November 16, 2006 Washington University at St Louis - p 22/66

23 1 Fix type and shape Type: Invariant 1 Fix type and shape 2 Example Farkas Lemma 3Encode Initiation 3Encode Consecution 4 Solve the constraints 4 Example Pros and Cons Shape: where and c 1 x 1 + c 2 x 2 ++c n x n + d 0 {x 1,,x n } are the program variables {c 1,,c n, d} are unknown coefficients Henny Sipma, November 16, 2006 Washington University at St Louis - p 23/66

24 2 Property Conditions 1 Fix type and shape 2 Example Farkas Lemma 3Encode Initiation 3Encode Consecution 4 Solve the constraints 4 Example Pros and Cons The property ψ : c 1 x 1 + c 2 x 2 ++c n x n + d 0 is an invariant of transition system Φ : V :{x 1,,x n },Θ,T :{τ 1,,τ k } if Θ = ψ (initiation) ψ ρ τ1 = ψ (consecution) ψ ρ τk = ψ that is, if it is implied by the initial condition, and it is preserved by all transitions of the system Henny Sipma, November 16, 2006 Washington University at St Louis - p 24/66

25 Property Conditions: Example 1 Fix type and shape 2 Example Farkas Lemma 3Encode Initiation 3Encode Consecution 4 Solve the constraints 4 Example Pros and Cons integer i, j where i=2 j=0 l 0 : while true do i := i+4 or (i, j) := (i+2, j+1) Target invariant: ψ : c 1 i+c 2 j+d 0 Conditions: i=2 j=0 } {{ } Θ = c 1 i+c 2 j+d 0 } {{ } c 1 i+c 2 j+d 0 i = i+4 j = j = c 1 i + c 2 j + d 0 c 1 i+c 2 j+d 0 i = i+2 j = j+1 = c 1 i + c 2 j + d 0 } {{ }} {{ }} {{ } ψ ρ τ1,ρ τ2 ψ ψ Henny Sipma, November 16, 2006 Washington University at St Louis - p 25/66

26 Farkas Lemma 1 Fix type and shape 2 Example Farkas Lemma 3Encode Initiation 3Encode Consecution 4 Solve the constraints 4 Example Pros and Cons Let S be a system of linear inequalities over real-valued variables x 1,,x n, a 11 x a 1n x n + b 1 0 S : and ψ a linear inequality, a m1 x a mn x n + b m 0 ψ : c 1 x 1 + +c n x n + d 0 If S is satisfiable, S =ψiff there exist real multipliers λ 1,,λ m 0 such that: c 1 = m λ i a i1 c n = i=1 m λ i a in i=1 d ( m λ i b i ) i=1 Henny Sipma, November 16, 2006 Washington University at St Louis - p 26/66

27 3 Encode the conditions: Initiation 1 Fix type and shape 2 Example Farkas Lemma 3Encode Initiation 3Encode Consecution 4 Solve the constraints 4 Example Pros and Cons Initiation:Θ = c 1 x 1 + +c n x n + d 0is encoded by λ θ,1 θ 11 x θ 1n x n + θ 1,n+1 0 λ θ,m θ m1 x θ mn x n + θ m,n+1 0 c 1 x c n x n + d 0 which produces the constraints S Θ : (λ θ,1 λ θ,m 0) c 1 = m i=1 λ θ,iθ i1 c n = m i=1 λ θ,iθ in d ( m i=1 λ θ,iθ i,n+1 ) Θ Henny Sipma, November 16, 2006 Washington University at St Louis - p 27/66

28 Example:Encoding Initiation 1 Fix type and shape 2 Example Farkas Lemma 3Encode Initiation 3Encode Consecution 4 Solve the constraints 4 Example Pros and Cons Initial ConditionΘ: i=2 j=0 Constraints: λ λ 1 i 2 0 λ 2 i 2 0 λ 3 j 0 λ 4 j 0 c 1 i + c 2 j + d 0 ψ ( λ 0,,4 0) [λ 1 λ 2 = c 1 λ 3 λ 4 = c 2 λ 0 2λ 1 + 2λ 2 = d] Eliminateλ 0,λ 4 : S Θ : 2c 1 + d 0 Henny Sipma, November 16, 2006 Washington University at St Louis - p 28/66

29 3 Encode the Conditions: Consecution 1 Fix type and shape 2 Example Farkas Lemma 3Encode Initiation 3Encode Consecution 4 Solve the constraints 4 Example Pros and Cons Consecution: c 1 x 1 + +c n x n + d 0 ρ τi is encoded by = c 1 x 1 + c nx n+ d 0 µτ i c 1 x 1 + +cnxn + d 0 λ τi,1 τ i,11 x 1 + +τ i,1n xn + τ i,11 x 1 ++τ i,1n x n + τ i,1,n+1 0 λτ i,m τ i,m1 x 1 + +τ i,mn xn + τ i,m1 x 1 ++τ i,mn x n + τ i,m,n+1 0 which produces the constraints S τi : (µ τi,λ τi,1,,λ τi,m 0) c 1 x 1 ++c nx n + d 0 µτ i c 1 + mj=1 λ τi,j τ i,j1 = 0 ρτ i µτ i cn + mj=1 λ τi,j τ i,jn = 0 mj=1 λ τi,j τ i,j1 = c 1 µτ i d + mj=1 λ τi,j τ i,jn = c n mj=1 λ τi,j τ i,j,n+1 d Henny Sipma, November 16, 2006 Washington University at St Louis - p 29/66

30 Example:Encoding Consecution forτ 1 Transition relationρ τ1 : i = i+4 j = j 1 Fix type and shape 2 Example Farkas Lemma 3Encode Initiation 3Encode Consecution 4 Solve the constraints 4 Example Pros and Cons λ µ 1 c 1 i + c 2 j + d 0 ψ } λ 1 i i + 4 = 0 λ2 j j = 0 Constraints: ( λ 0,µ 1 0)( λ 1,λ 2 ) Eliminateλ 0,,λ 2,µ 1 : c 1 i + c 2 j + d 0 ψ ρ τ1 µ 1 c 1 +λ 1 = 0 µ 2 c 2 +λ 2 = 0 λ 1 = c 1 λ 2 = c 2 λ 0 +µ 1 d+4λ 1 = d S τ1 : (c 1 0) (c 1 = 0 c 2 = 0) Henny Sipma, November 16, 2006 Washington University at St Louis - p 30/66

31 Example: Combined Constraint 1 Fix type and shape 2 Example Farkas Lemma 3Encode Initiation 3Encode Consecution 4 Solve the constraints 4 Example Pros and Cons The overall constraint is: which simplifies to (2c 1 + d 0) Initiation (c 1 0) (c 1 = 0 c 2 = 0) τ 1 consecution (2c 1+ c 2 0) (c 1 = 0 c 2 = 0) τ 2 consecution 2c 1 + d 0 c 1 0 2c 1 + c 2 0 Henny Sipma, November 16, 2006 Washington University at St Louis - p 31/66

32 4 Solve the constraints 1 Fix type and shape 2 Example Farkas Lemma 3Encode Initiation 3Encode Consecution 4 Solve the constraints 4 Example Pros and Cons Solve the constraint systems for{c 1,,c n, d} S Θ S τ1 S τk Henny Sipma, November 16, 2006 Washington University at St Louis - p 32/66

33 Example: Solving the Constraints 1 Fix type and shape 2 Example Farkas Lemma 3Encode Initiation 3Encode Consecution 4 Solve the constraints 4 Example Pros and Cons The basic solutions of are 2c 1 + d 0 c 1 0 2c 1 + c 2 0 c 1 c 2 d c 1 i+c 2 j+d j i+2j+2 0 which corresponds to the inductive invariants j 0 and i 2j 2 Henny Sipma, November 16, 2006 Washington University at St Louis - p 33/66

34 5 Solutions The property c 1 x 1 ++c n x n + d 0 1 Fix type and shape 2 Example Farkas Lemma 3Encode Initiation 3Encode Consecution 4 Solve the constraints 4 Example Pros and Cons is an invariant for all solutions of{c 1,,c n, d} Good news: The method is complete for linear systems: The solutions of{c 1,,c n } represent all linear inductive inequalities of the given shape But: Requires individual inductiveness Henny Sipma, November 16, 2006 Washington University at St Louis - p 34/66

35 1 Fix type and shape 2 Example Farkas Lemma 3Encode Initiation 3Encode Consecution 4 Solve the constraints 4 Example Pros and Cons 1 Fix a target property with unknown coefficients, c 1 i+c 2 j+d 0 2 Encode the property conditions 3 Compute constraints on the unknown coefficients, 4 Solve these constraints 2c 1 + d 0 c 1 0 2c 1 + c 2 0 c 1, c 2, d = 0, 1, 0 c 1, c 2, d = 1, 2, 2 5 Generate the invariants 0, 1, 0 0i 1j+0 0 1, 2, 2 1i+2j+2 0 Invariants: j 0 and i 2j 2 Henny Sipma, November 16, 2006 Washington University at St Louis - p 35/66

36 Pros and Cons 1 Fix type and shape 2 Example Farkas Lemma 3Encode Initiation 3Encode Consecution 4 Solve the constraints 4 Example Pros and Cons Advantages: No widening necessary All inductive invariants are generated (or obtained as consequences) System structure can be exploited to obtain linear constraints: Petri nets Disadvantages: The constraint systems S τ1,,s τk hard to solve Tools: QEPCAD are nonlinear and may be But: S τ1,,s τk are parametric linear More efficient solution methods: factorization, polynomial root finding Tool: REDLOG [Weispfennig; Dolzmann,Sturm] Henny Sipma, November 16, 2006 Washington University at St Louis - p 36/66

37 1Fix type and shape 3Encode Bounded 3Encode Ranking 4 Solve the constraints Computing Henny Sipma, November 16, 2006 Washington University at St Louis - p 37/66

38 1 Fix type and shape Type: Ranking function 1Fix type and shape 3Encode Bounded 3Encode Ranking 4 Solve the constraints Shape: where and c 1 x 1 + c 2 x 2 ++c n x n + d {x 1,,x n } are the program variables {c 1,,c n, d} are unknown coefficients Henny Sipma, November 16, 2006 Washington University at St Louis - p 38/66

39 2 Property Conditions 1Fix type and shape 3Encode Bounded 3Encode Ranking 4 Solve the constraints The function δ : c 1 x 1 + c 2 x 2 ++c n x n + d is a ranking function of a loop Φ : V :{x 1,,x n },Θ,T :{τ 1,,τ k } if ρ τ1 =δ 0 bounded ρ τk =δ 0 ρ τ1 =δ δ > 0 ranking ρ τk =δ δ > 0 that is, if it is bounded from below, and it is decreased by each transition Henny Sipma, November 16, 2006 Washington University at St Louis - p 39/66

40 3 Encode the conditions: Bounded 1Fix type and shape 3Encode Bounded 3Encode Ranking 4 Solve the constraints Bounded: is encoded by ρ τi =δ 0 λ τi,1 τ i,11 x 1 + +τ i,1n xn + τ i,11 x 1 ++τ i,1n x n + τ i,1,n+1 0 λτ i,m τ i,m1 x 1 + +τ i,mn xn + τ i,m1 x 1 ++τ i,mn x n + τ i,m,n+1 0 c 1 x 1 cnxn + d 0 which produces the constraints mj=1 λ τi,j τ i,j1 = c 1 ρτ i mj=1 λ τi,j τ i,jn = cn B τi : (λ τi,1,,λ τi,m 0) mj=1 λ τi,j τ i,j1 mj=1 λ τi,j τ i,jn = 0 = 0 m j=1 λ τi,j τ i,j,n+1 d Henny Sipma, November 16, 2006 Washington University at St Louis - p 40/66

41 3 Encode the conditions: Ranking 1Fix type and shape 3Encode Bounded 3Encode Ranking 4 Solve the constraints Ranking: is encoded by ρ τi = δ δ > 0 λ τi,1 τ i,11 x 1 + +τ i,1n xn + τ i,11 x 1 ++τ i,1n x n + τ i,1,n+1 0 λτ i,m τ i,m1 x 1 + +τ i,mn xn + τ i,m1 x 1 ++τ i,mn x n + τ i,m,n+1 0 c 1 x 1 cnxn + c 1 x 1 ++c nx n ǫ 0 which produces the constraints mj=1 λ τi,j τ i,j1 = c 1 ρτ i mj=1 λ τi,j τ i,jn = cn R τi : (λ τi,1,,λ τi,m 0) mj=1 λ τi,j τ i,j1 mj=1 λ τi,j τ i,jn = c 1 = cn m j=1 λ τi,j τ i,j,n+1 ǫ Henny Sipma, November 16, 2006 Washington University at St Louis - p 41/66

42 4 Solve the constraints 1Fix type and shape 3Encode Bounded 3Encode Ranking 4 Solve the constraints Solve the constraint systems for{c 1,,c n, d} B τ1 B τk R τ1 R τk Henny Sipma, November 16, 2006 Washington University at St Louis - p 42/66

43 5 Solutions The function c 1 x 1 + c 2 x 2 ++c n x n + d 1Fix type and shape 3Encode Bounded 3Encode Ranking 4 Solve the constraints is a ranking function for all solutions of{c 1,,c n, d} Good news: The method is complete for linear systems: The solutions represent all linear ranking functions of the given (uninitialized) loop Good news:constraints are all linear: can be solved efficiently Bad news: Most ranking functions require invariants to prove boundedness Henny Sipma, November 16, 2006 Washington University at St Louis - p 43/66

44 1 Fix type and shape Gröbner Basis Theorem 3Encode Initiation 3Encode Consecution 4 Solve the constraints Computing Henny Sipma, November 16, 2006 Washington University at St Louis - p 44/66

45 1 Fix type and shape Type: Invariant Shape: 1 Fix type and shape Gröbner Basis Theorem 3Encode Initiation 3Encode Consecution 4 Solve the constraints where and c 1 x 3 + c 2 x 2 y+c 3 x 2 z+c 4 xy 2 + c 5 xyz+c 6 xz 2 + c 7 y 3 + c 8 y 2 z+c 9 yz 2 + c 10 z 3 = 0 {x, y, z} are the program variables {c 1,,c 10 } are unknown coefficients Henny Sipma, November 16, 2006 Washington University at St Louis - p 45/66

46 2 Property Conditions 1 Fix type and shape Gröbner Basis Theorem 3Encode Initiation 3Encode Consecution 4 Solve the constraints The property p=0with p : c 1 x 3 + c 2 x 2 y+c 3 x 2 z+c 4 xy 2 + c 5 xyz+c 6 xz 2 + c 7 y 3 + c 8 y 2 z+c 9 yz 2 + c 10 z 3 is an invariant of transition system Φ : V :{x 1,,x 10 },Θ,T :{τ 1,,τ k } if Θ = p=0 p=0 ρ τ1 = p = 0 p=0 ρ τk = p = 0 (initiation) that is, if it is implied by the initial condition, and (consecution) it is preserved by all transitions of the system Henny Sipma, November 16, 2006 Washington University at St Louis - p 46/66

47 Linear Equalities vs Nonlinear Equalities 1 Fix type and shape Gröbner Basis Theorem 3Encode Initiation 3Encode Consecution 4 Solve the constraints Computing Consequences for Polynomial Equalities Linear Equalities λ 1 e 1 = 0 λ m e m = 0 Polynomial Equalities g 1 p 1 = 0 g m p m = 0 e=0 p=0 λ 1,,λ m, reals g 1,, g m, arbitrary polynomials e=λ 1 e 1 + +λ m e m p= g 1 p g m p m e SPACE(e 1,,e m ) p IDEAL(p 1,,p m ) How do we test if p IDEAL(p 1,,p m )? Henny Sipma, November 16, 2006 Washington University at St Louis - p 47/66

48 Ideals 1 Fix type and shape Gröbner Basis Theorem 3Encode Initiation 3Encode Consecution 4 Solve the constraints Ideal: The ideal generated by P is the set of all polynomials of the form Á Ð(P)={g 1 p 1 ++ g m p m g 1,, g m polynomials} Example: Let P={x 2 y, y z, x+z} g 1 (x 2 y)+ g 2 (y z)+ g 3 (x+z) Á Ð(P)= g 1, g 2, g 3 are polynomials over x, y, z zx z= 1 (x 2 y)+ 1 }{{}}{{} g 1 g 2 Therefore, zx z Á Ð(P) (y z)+ x (x+z) }{{} g 3 Henny Sipma, November 16, 2006 Washington University at St Louis - p 48/66

49 Testing Ideal Membership 1 Fix type and shape Gröbner Basis Theorem 3Encode Initiation 3Encode Consecution 4 Solve the constraints : To test if p 1 = 0 p 2 = 0 p m = 0 = p=0 we instead test if p Á Ð({p 1,,p m }) ie, p= g 1 p g m p m for some g 1, g m How do we test if p Á Ð(P)? Henny Sipma, November 16, 2006 Washington University at St Louis - p 49/66

50 Gröbner Basis Theorem Given any set of polynomials P, compute special set of polynomials G, such that 1 Fix type and shape Gröbner Basis Theorem 3Encode Initiation 3Encode Consecution 4 Solve the constraints Á Ð(G)=Á Ð(P), G is confluent and terminating G is called the Gröbner basis of P For any polynomial p, unique normal form p G G NF G (p) Theorem: p Á Ð(P) iff NF G (p)=0 Henny Sipma, November 16, 2006 Washington University at St Louis - p 50/66

51 Testing Ideal Membership How do we test if p IDEAL(p 1,,p m )? 1 Compute Gröbner basis G for{p 1,,p m } Use Buchberger s Algorithm + Refinements 1 Fix type and shape Gröbner Basis Theorem 3Encode Initiation 3Encode Consecution 4 Solve the constraints 2 Compute normal form for p, denoted NF(p), 3 p IDEAL(p 1,,p m ) iff NF G (p)=0 Henny Sipma, November 16, 2006 Washington University at St Louis - p 51/66

52 Testing Ideal Membership 1 Fix type and shape Gröbner Basis Theorem 3Encode Initiation 3Encode Consecution 4 Solve the constraints Example: Let P={p 1 : x 2 y, p 2 : y+z, p 3 : x z} Can we find out if x 2 z Á Ð(P) using? P No! Gröbner basis of P is Can we find out using Yes! G={z 2 z, y z, x+z} G? Any sequence of reductions from x 2 z has normal form 0 Henny Sipma, November 16, 2006 Washington University at St Louis - p 52/66

53 Parametric Membership Problem Let P={p 1 : x 2 y, p 2 : y+z, p 3 : x z} Problem: For what values of c 1, c 2,,c 5 is the polynomial 1 Fix type and shape Gröbner Basis Theorem 3Encode Initiation 3Encode Consecution 4 Solve the constraints p : c 1 x 2 + x 2 y 2 + c 3 z 2 + c 4 z+c 5 Á Ð(P)? Solution: 1 Compute the Gröbner basis of P, 2 Compute Normal Form of P, G={z 2 z, y z, x+z} (c 1 + c 2 + c 3 + c 4 )z+c 5 3 Set every coefficient to be zero, (c 1 + c 2 + c 3 + c 4 = 0) (c 5 = 0) Henny Sipma, November 16, 2006 Washington University at St Louis - p 53/66

54 Parametric Membership Problem 1 Fix type and shape Gröbner Basis Theorem 3Encode Initiation 3Encode Consecution 4 Solve the constraints Note: For solutions to c 1,,c 5 that satisfy (c 1 + c 2 + c 3 + c 4 = 0) (c 5 = 0) it follows that p : c 1 x 2 + x 2 y 2 + c 3 z 2 + c 4 z+c 5 Á Ð(P) Henny Sipma, November 16, 2006 Washington University at St Louis - p 54/66

55 3 Encode the conditions: Initiation The condition Θ = p=0 1 Fix type and shape Gröbner Basis Theorem 3Encode Initiation 3Encode Consecution 4 Solve the constraints is encoded by reducing p wrt to the Gröbner basis G of ((Θ)): and setting p G NF(p) NF(p) 0 which produces a set S Θ of linear constraints on{c 1,c 10 } Henny Sipma, November 16, 2006 Washington University at St Louis - p 55/66

56 3 Encode the conditions: Consecution The condition p=0 ρ τi = p = 0 1 Fix type and shape Gröbner Basis Theorem 3Encode Initiation 3Encode Consecution 4 Solve the constraints is not practical to encode Instead we encode one of which result in a set S τi ρ τi = p = 0 ρ τi = p p=0 of linear constraints λ R ρ τi = p λp=0 q R[x 1,,x n ] ρ τi = p qp=0 which result in a set of nonlinear constraints Henny Sipma, November 16, 2006 Washington University at St Louis - p 56/66

57 4 Solve the constraints Solve for{c 1,,c 10 } S Θ S τ1 S τk 1 Fix type and shape Gröbner Basis Theorem 3Encode Initiation 3Encode Consecution 4 Solve the constraints Henny Sipma, November 16, 2006 Washington University at St Louis - p 57/66

58 5 Solutions 1 Fix type and shape Gröbner Basis Theorem 3Encode Initiation 3Encode Consecution 4 Solve the constraints The property c 1 x 3 + c 2 x 2 y+c 3 x 2 z+c 4 xy 2 + c 5 xyz+c 6 xz 2 + c 7 y 3 + c 8 y 2 z+c 9 yz 2 + c 10 z 3 = 0 is an invariant for all solutions of{c 1,,c 10 } Good news: Constraints are all linear: can be solved efficiently Bad news: Invariants are missed because of strengthening the conditions Henny Sipma, November 16, 2006 Washington University at St Louis - p 58/66

59 Example: Nonlinear Invariant Generation 1 Fix type and shape Gröbner Basis Theorem 3Encode Initiation 3Encode Consecution 4 Solve the constraints integer i, j, k, s where (s=0 j=k j 0) l 0 : while (k 0) do l 1 : (s, k) := (s+i, k 1) l 2 : Target Invariant: p=c 1 s+c 2 ik+c 3 ij+c 4 jk+c 5 Question: For what values of c 1,,c 5, is p=0inductive at l 0? Henny Sipma, November 16, 2006 Washington University at St Louis - p 59/66

60 Example: Nonlinear Invariant Generation 1 Fix type and shape Gröbner Basis Theorem 3Encode Initiation 3Encode Consecution 4 Solve the constraints 1 Fix a template (usually a generic polynomial of degree m ), c 1 s+c 2 ik+c 3 ij+c 4 jk+c 5 2 Generate constraints by encoding initiation and consecution, 3 Solve the constraints, 4 Generate the invariant c 2 + c 3 = 0 c 4 = c 5 = 0 c 1 c 2 = 0 c 3 = 1, c 1 = c 2 = 1, c 4 = c 5 = 0 s ik+ij=0 Invariant: s=i(j k) at l 0 Henny Sipma, November 16, 2006 Washington University at St Louis - p 60/66

61 Advantages Advantages Papers Related Work Current Topics of Investigation Henny Sipma, November 16, 2006 Washington University at St Louis - p 61/66

62 Advantages of Constraint-based Approach Controlling the complexity of the constraints Strengthen the conditions on the property Advantages Advantages Papers Related Work Current Topics of Investigation Θ = ψ ψ ρ τ = ψ = parametric linear constraints Constrain the property Θ = ψ ρ τ = ψ linear constraints c 1 x 3 + c 2 x 2 y+c 3 x 2 z+c 4 xy 2 + c 5 xyz+c 6 xz 2 + c 7 y 3 + c 8 y 2 z+c 9 yz 2 + c 10 z 3 c 1 x 3 + c 2 xy 2 + c 3 xz 2 + c 4 y 2 z Henny Sipma, November 16, 2006 Washington University at St Louis - p 62/66

63 Advantages of Constraint-based Approach Not limited to invariants termination temporal properties (LTL safety) Advantages Advantages Papers Related Work Current Topics of Investigation Applicable to any domain that allows computation of consequences Can exploit system structure to simplify the constraint system Petri nets Can take advantage of new results in constraint solving community Henny Sipma, November 16, 2006 Washington University at St Louis - p 63/66

64 Papers Termination analysis (TACAS 01, CAV 02, CAV 05) Linear invariant generation (CAV 03, SAS 04, VMCAI 05, VMCAI 06) Advantages Advantages Papers Related Work Current Topics of Investigation Nonlinear invariant generation (POPL 04) Nonlinear invariant generation for hybrid systems (HSCC 04) Differential equations (HSCC 06) Sriram Sankaranarayanan, Mathematical Analysis of Programs, PhD Thesis, Stanford, 2005 Henny Sipma, November 16, 2006 Washington University at St Louis - p 64/66

65 Related Work Set-constraint based analysis - [Heintze 93] - [Aiken 99] Advantages Advantages Papers Related Work Current Topics of Investigation Termination analysis - [Podelski,Rybalchenko,VMCAI 04,LICS 04] - [Cousot, VMCAI 05] Nonlinear invariants - [Bensalem et al, SAS 00] - [Müller-Olm,Seidl,SAS 02,POPL 04] - [Tiwari et al, TACAS 01,HSCC 03] - [Rodriguez-Carbonell,Kapur,ISSAC 04] - [Cousot, VMCAI 05] Henny Sipma, November 16, 2006 Washington University at St Louis - p 65/66

66 Current Topics of Investigation Classification of systems with simpler constraint systems Extension to game properties (ATL*) Advantages Advantages Papers Related Work Current Topics of Investigation Extension to other domains, in particular nonlinear inequalities More efficient constraint solving strategies Henny Sipma, November 16, 2006 Washington University at St Louis - p 66/66

Verification Constraint Problems with Strengthening

Verification Constraint Problems with Strengthening Aaron R. Bradley and Zohar Manna Computer Science Department Stanford University Stanford, CA 94305-9045 {arbrad,manna}@cs.stanford.edu Abstract. The