Automated Program Verification and Testing 15414/15614 Fall 2016 Lecture 8: Procedures for First-Order Theories, Part 2

Transcription

1 Automated Program Verification and Testing 15414/15614 Fall 2016 Lecture 8: Procedures for First-Order Theories, Part 2 Matt Fredrikson mfredrik@cs.cmu.edu October 17, 2016 Matt Fredrikson Theory Procedures 1 / 38

2 Theory of Equality and Uninterpreted Functions We will make things simpler by removingpredicatesymbols Signature: Σ E : {=, a, b, c,..., f, g, h,...} Axioms: 1. Reflexivity: x.x = x 2. Symmetry: x, y.x = y y = x 3. Transitivity: x, y, z.x = y y = z x = z 4. Function congruence: x, y. ( n i=1 x i = y i ) f(x) = f(y) This is the TheoryofEqualityandUninterpretedFunctions(EUF) Matt Fredrikson Theory Procedures 2 / 38

3 Decision Procedure for T E -Satisfiability Given a T E -formula F : s 1 = t 1 s m = t m s m+1 t m+1 s n t n with subterm set S F : 1. Construct the DAG for S F 2. For i {1,..., m}, merge s i and t i 3. If find(s i ) = find(t i ) for an i {m + 1,..., n}, then unsat 4. If find(s i ) find(t i ) for all i {m + 1,..., n}, then sat Matt Fredrikson Theory Procedures 3 / 38

4 T A : Theory of Arrays Signature: Σ A : {=, [ ], } a[i] is a binary function denoting read of a at index i a i v is a ternary function denoting write of value v into a at index i We ll see how to decide the quantifier-free, conjunctive fragment Is this expressive? Can only talk about individual elements, not entire arrays Afterwards, we ll cover a quantified fragment Matt Fredrikson Theory Procedures 4 / 38

5 T A : Axioms T A has the equality axioms reflexivity, symmetry, and transitivity Along with three that are specific to arrays: 1. Arraycongruence: a, i, j.i = j a[i] = a[j] 2. Read-over-write1: a, v, i, j.i = j a i v [j] = v 3. Read-over-write2: a, v, i, j.i j a i v [j] = a[j] Matt Fredrikson Theory Procedures 5 / 38

6 Deciding Theory of Arrays BasicIdea: We ll reduce this to deciding T E If a T A -formula has no writes, then reads can be viewed as uninterpreted function terms If there is a write, it must occur in the context of a read. Why? So all writes occur in read-over-write terms a i v [j] We apply the read-over-write axioms to decompose these terms into simpler ones Then we use our T E solver Matt Fredrikson Theory Procedures 6 / 38

7 Deciding Theory of Arrays, In Detail Given T A -formula F, follow these steps recursively: If F doesn t contain any write terms, do the following: 1. Associate each array variable a with a fresh function symbol f a 2. Replace each read term a[i] with f a (i) 3. Decide and return the T E satisfiability of the resulting formula Otherwise, select a term a i v [j], and split into cases: 1. By (read-over-write 1), replace F [a i v [j]] with F 1 : F [v] i = j. 2. By (read-over-write 2), repl. F [a i v [j]] with F 2 : F [a[j]] i j. 3. Recurse on F 1 and F 2. If both are unsat, then return unsat. 4. If either is sat, then return sat Matt Fredrikson Theory Procedures 7 / 38

8 T A Example F : i 1 = j i 1 i 2 a[j] = v 1 a i 1 v 1 i 2 v 2 [j] a[j] F has a write term, so select a read-over-write term to deconstruct: a i 1 v 1 i 2 v 2 [j] According to (read-over-write 1), assume i 2 = j and recurse on: F 1 : i 1 = j i 1 i 2 a[j] = v 1 v 2 a[j] i 2 = j This doesn t have any write terms, so build a T E -formula: F 1 : i 1 = j i 1 i 2 f a (j) = v 1 v 2 f a (j) i 2 = j This is unsatisfiable, so let s move on to the next case Matt Fredrikson Theory Procedures 8 / 38

9 T A Example F : i 1 = j i 1 i 2 a[j] = v 1 a i 1 v 1 i 2 v 2 [j] a[j] According to (read-over-write 2), assume i 2 j and recurse on: F 2 : i 1 = j i 1 i 2 a[j] = v 1 a i 1 v 1 [j] a[j] i 2 j This has a write term, so apply (read-over-write 1) and assume i 1 = j F 3 : i 1 = j i 1 i 2 a[j] = v 1 v 1 a[j] i 2 j This is unsatisfiable, so (read-over-write 2) and assume i 1 j: F 3 : i 1 = j i 1 i 2 a[j] = v 1 a[j] a[j] i 1 j Now all branches have been tried, and we conclude that F is T A -unsat Matt Fredrikson Theory Procedures 9 / 38

10 Bringing Back Quantifiers Reasoning about quantifier-free T A reduces to T E This is great we know how to decide T E efficiently But we re very limited in what we can say about arrays For example, we can t say anything equivalent to: a[i] = v a i v = a Now, we add quantifiers to define the arraypropertyfragment Matt Fredrikson Theory Procedures 10 / 38

11 Array Properties An arrayproperty is a T A -formula of the form: i.f [i] G[i] where i is bold to denote a list of variables Some terminology: F [i] is the indexguard G[i] is the valueconstraint In the value constraint: -quantified variables in G[i] can only appear in a read a[i] -quantified variables cannot occur in nested reads, e.g., a[b[i]] Matt Fredrikson Theory Procedures 11 / 38

12 Array Property Fragment We restrict how the index guard may be constructed: iguard ::= iguard iguard iguard iguard atom atom ::= var = var evar var var evar var ::= evar uvar uvar is a -quantified variable evar is an unquantified free variable The arraypropertyfragment consists of Boolean combinations of: Quantifier-free T A formulas Array properties Matt Fredrikson Theory Procedures 12 / 38

13 Example Is the following formula in the array property fragment? i.i a[k] a[i] = a[k] No. i a[k] is not a legal index guard as a[k] is not a variable Can we find an equisatisfiable formula in the fragment? a[k] = v i.i v a[i] = a[k] What about this formula? i.i a[i] a[i] = a[k] i is bound by the quantifier We can t move a[i] into a quantifier-free formula Matt Fredrikson Theory Procedures 13 / 38

14 Example How can we express: Allbutafinitenumberofelementsof a satisfy F ( n ) i. i j k F [a[i]] k=1 Updatingelement i of a onlychanges a[i] j.i j a i v [j] = a[j] Matt Fredrikson Theory Procedures 14 / 38

15 Extensionality The array property fragment can express equality between arrays This is called extensionality For a quantifier-free formula that asserts a = b for arrays a, b we can write an equisatisfiable formula in the fragment For any instance of a = b, replace it with: i.a[i] = b[i] Matt Fredrikson Theory Procedures 15 / 38

16 Deciding the Array Property Fragment Observe: Semantically, i.f [i] is equivalent to β(f ) β Where β ranges over all substitutions of i Basicidea: Replace i.f [i] with a finite conjunction F [t 1 ] F [t n ] t 1,..., t n are called the indexterms Need to find t 1,..., t n sufficient to decide satisfiability For the array property fragment, we can find t 1,..., t n by looking at F Matt Fredrikson Theory Procedures 16 / 38

17 Example Suppose we want to know if F is satisfiable: F : j.a i v [j] = a[j] a[i] v Which index terms do we need to consider? In this case, just i: F : a i v [j] = a[j] a[i] v j {i} This simplifies to: a i v [i] = a[i] a[i] v Or further: So, the formula is not satisfiable v = a[i] a[i] v Matt Fredrikson Theory Procedures 17 / 38

18 Array Property Fragment: An Algorithm Given a formula F in the array property fragment: 1. F 1 : Put F in negation normal form 2. F 2 : Remove all write terms from F 1 3. F 3 : Remove existential quantifiers from F 2 4. Select a sufficient set of index terms I 5. F 4 : Transform into conjunction using I 6. Decide the T A -satisfiability of F 5 Matt Fredrikson Theory Procedures 18 / 38

19 Step 1: Put F in NNF Apply equivalences to convert to NNF: F F (F 1 F 2 ) F 1 F 2 (F 1 F 2 ) F 1 F 2 F 1 F 2 F 1 F 2 x.f [x] x. F [x] x.f [x] x. F [x] atom ::= P, Q,... literal ::= atom atom formula ::= literal formula formula formula formula x. formula x. formula Matt Fredrikson Theory Procedures 19 / 38

20 Example Convert the following to NNF: x.( y.p(x, y) p(x, z)) w.p(x, w) 1. x. ( y.p(x, y) p(x, z)) w.p(x, w) 2. x.( y. (p(x, y) p(x, z))) w.p(x, w) 3. x.( y. p(x, y) p(x, z)) w.p(x, w) Matt Fredrikson Theory Procedures 20 / 38

21 Example Is the following in NNF? a l v [k] = b[k] b[k] v a[k] = v ( i.i l a[i] = b[i]) Yes Moving on... Matt Fredrikson Theory Procedures 21 / 38

22 Step 2: Remove all write terms F [a i v ] F [a ] a [i] = v ( j.j i a[j] = a For fresh a [j]) For each occurrence of a write term a i v in F : 1. Replace it with a 2. Conjoin a [i] = v to encode the write s update 3. Conjoin j.j i a[j] = a [j] to preserve other indices Matt Fredrikson Theory Procedures 22 / 38

23 Example Remove the writes from this formula a l v [k] = b[k] b[k] v a[k] = v ( i.i l a[i] = b[i]) There is one write term, a l v Replace it with a, and constrain its properties a [k] = b[k] b[k] v a[k] = v ( i.i l a[i] = b[i]) a [l] = v ( j.j l a [j] = a[j]) Matt Fredrikson Theory Procedures 23 / 38

24 Step 3: Remove existential quantifiers F [ i.g[i]] For fresh j F [G[j]] For each occurrence of i.g[i] in F, instantiate i with a free variable When deciding satisfiability, free variables are implicitly existential But the array property fragment doesn t allow explicit existentials Do we need this step? Existential quantifiers can arise when we convert to NNF Matt Fredrikson Theory Procedures 24 / 38

25 Step 5: Select the index terms I = {λ} {t [t] F and t is not -quantified } {t t is an evar in an index guard of F } In this step, we select symbolic array indices that could be relevant This set contains: 1. All unquantified terms that index a read, e.g., a[t] 2. All unquantified terms compared to a universally-quantified variable in an index guard, e.g., l in l i 3. A fresh constant λ that represents index positions not explicitly in I Matt Fredrikson Theory Procedures 25 / 38

26 Example a [k] = b[k] b[k] v a[k] = v ( i.i l a[i] = b[i]) Recalling, a [l] = v ( j.j l a [j] = a[j]) I = {λ} {t [t] F and t is not -quantified } {t t is an evar in an index guard of F } What is I in this example? I = λ, k, l Matt Fredrikson Theory Procedures 26 / 38

27 Step 5: Transform into Exhaustively apply: This is the crux of the algorithm H[ i.f [i] G[i]] H [ i I (F [i] G[i])] For each occurrence of i.f [i] G[i] in H, 1. Replace with the conjunction i I (F [i] G[i]) 2. In each conjunction, the quantified variable ranges over all terms in I After eliminating, conjoin the following term: λ i i I\{λ} Matt Fredrikson Theory Procedures 27 / 38

28 Example a [k] = b[k] b[k] v a[k] = v ( i.i l a[i] = b[i]) a [l] = v ( j.j l a [j] = a[j]) We found that I = {λ, k, l} What is the equivalent formula free of? a [k] = b[k] b[k] v a[k] = v i I(i l a[i] = b[i]) a [l] = v j I(j l a [j] = a[j]) λ k λ l Matt Fredrikson Theory Procedures 28 / 38

29 Example cont d. a [k] = b[k] b[k] v a[k] = v i I(i l a[i] = b[i]) a [l] = v j I(j l a [j] = a[j]) λ k λ l Expanding, a [k] = b[k] b[k] v a[k] = v a [l] = v (λ l a[λ] = b[λ]) (k l a[k] = b[k]) (l l a[l] = b[l]) (λ l a [λ] = a[λ]) (k l a [k] = a[k]) (l l a [l] = a[l]) λ k λ l Simplifying, a [k] = b[k] b[k] v a[k] = v a [l] = v λ k λ l a[λ] = b[λ] (k l a[k] = b[k]) a [λ] = a[λ] (k l a [k] = a[k]) Matt Fredrikson Theory Procedures 29 / 38

30 Step 6: Decide the resulting T A -formula We left off with: a [k] = b[k] b[k] v a[k] = v a [l] = v λ k λ l a[λ] = b[λ] (k l a[k] = b[k]) a [λ] = a[λ] (k l a [k] = a[k]) There are two cases two consider: 1. k = l: But a [l] = v and a [k] = b[k] imply that b[k] = v, but this contradicts b[k] v. 2. k l: But a[k] = v and a[k] = b[k] imply that b[k] = v again. So, F is unsatisfiable in the array property fragment. Matt Fredrikson Theory Procedures 30 / 38

31 Example Is the following satisfiable? ( i.i j a[i] = b[i]) ( i.i k a[i] b[i]) What is the index set? I = {λ, j, k} What is the -eliminated formula? (λ j a[λ] = b[λ]) (j j a[j] = b[j]) (k j a[k] = b[k]) (λ k a[λ] b[λ]) (j k a[j] b[j]) (k k a[k] b[k]) λ j λ k λ j, λ k, λ j a[λ] = b[λ], λ k a[λ] b[λ] contradict eachother. Matt Fredrikson Theory Procedures 31 / 38

32 Example ( i.i j a[i] = b[i]) ( i.i k a[i] b[i]) What if we didn t use λ to model the other indices? We d have the index set: I = {j, k} And the -eliminated formula: (j j a[j] = b[j]) (k j a[k] = b[k]) (j k a[j] b[j]) (k k a[k] b[k]) This simplifies to: (j k a[k] = b[k]) a[j] b[j] Unlike before, this formula is satisfiable Matt Fredrikson Theory Procedures 32 / 38

33 Heuristic Quantifier Instantiation The technique we just looked at works by instantiating quantifiers: x.f [x] is equivalent to β β(f [x]) where β ranges over all substitutions of x We considered fragments where one can always find a sufficient finite set of symbolic substitutions Modern solvers use instantiation in general cases as well But, this approach is not complete (hence, heuristic) This approach is sometimes called E-matching Matt Fredrikson Theory Procedures 33 / 38

34 Heuristic Quantifier Instantiation Suppose we have the following formula: z y p(z, y) ( x.p(x, y) x < y) We can unify p(x, y) with p(z, y), which binds x z This binding allows us to instantiate the quantifier: z y p(z, y) ( x.p(x, y) x < y) (p(z, y) z < y) z y p(z, y) ( x.p(x, y) x > y) z < y In this case, it was easy to find terms in the formula to unify Generally, these terms might not be readily available Matt Fredrikson Theory Procedures 34 / 38

35 Triggers: Hints for instantiation Z3, the solver used by Dafny, relies on this techniques Dafny provides trigger patterns to aid instantiation Dafny walks the AST rooted at a quantifier: 1. Finds terms that can act as triggers to match on: user-defined functions that mention all quantified variables 2. Identifies killer terms that prevent parent nodes from acting as triggers: calls to interpreted functions For example: Formula: x.p (x) (Q(x) P (x + 1) Expressions: x, P (x), Q(x), 1, x + 1, P (x + 1), Q(x) P (x + 1) Triggers: P (x) Q(x) Killers: x + 1 P (x + 1) Q(x) P (x + 1) (Thanks to Clément Pit-Claudel for the example) Matt Fredrikson Theory Procedures 35 / 38

36 Triggers in Dafny /!\ No terms found to trigger on. This means that Dafny can t find any matches Sometimes, it may just fail to prove what you think it should You can help it along with trigger annotations predicate P(x:int) { true } lemma MoreThanOneInt(x: int) ensures exists z: int {: trigger P(z)} :: z!= x { assert P(x+1); } (Thanks to Tim Wood for the example) Matt Fredrikson Theory Procedures 36 / 38

37 Triggers in Dafny For more on triggers and Dafny, see: TriggerSelectionStrategiestoStabilizeProgramVerifiers, K.R.M. Leino and Clément Pit-Claudel For more on triggers in general, see: ProgrammingwithTriggers, Michal Moskal Matt Fredrikson Theory Procedures 37 / 38

38 Next Lecture For more on today s material, see Chapter 9 of Bradley & Manna Next time, we ll talk about Satisfiability Modulo Theories (SMT) Induction Matt Fredrikson Theory Procedures 38 / 38