Nested Interpolants. Matthias Heizmann Jochen Hoenicke Andreas Podelski POPL University of Freiburg, Germany

Similar documents
Refinement of Trace Abstraction

Nested Interpolants. Matthias Heizmann Jochen Hoenicke Andreas Podelski. Abstract. 1. Introduction. University of Freiburg, Germany

Non-Monotonic Refinement of Control Abstraction for Concurrent Programs

Temporal Reasoning for Procedural Programs

Model Checking, Theorem Proving, and Abstract Interpretation: The Convergence of Formal Verification Technologies

A Termination Checker for Isabelle Hoare Logic

Complexity and algorithms for monomial and clausal predicate abstraction

Double Header. Model Checking. Model Checking. Overarching Plan. Take-Home Message. Spoiler Space. Topic: (Generic) Model Checking

arxiv: v1 [cs.lo] 29 May 2014

Simplifying Loop Invariant Generation Using Splitter Predicates

Simplifying Loop Invariant Generation Using Splitter Predicates

Applications of Craig Interpolants in Model Checking

Transition Predicate Abstraction and Fair Termination

Verification of Recursive Programs. Andreas Podelski February 8, 2012

IC3 and Beyond: Incremental, Inductive Verification

Interpolant-based Transition Relation Approximation

Interpolation and Symbol Elimination in Vampire

Vinter: A Vampire-Based Tool for Interpolation

Algorithmic Analysis of Array-Accessing Programs

Floyd-Hoare Style Program Verification

The Software Model Checker BLAST

SAT-Based Verification with IC3: Foundations and Demands

Constraint Solving for Program Verification: Theory and Practice by Example

Automata-Theoretic Model Checking of Reactive Systems

Lecture 17: Software Engineering Research

Model Checking: An Introduction

Constraint Solving for Program Verification: Theory and Practice by Example

Interpolation. Seminar Slides. Betim Musa. 27 th June Albert-Ludwigs-Universität Freiburg

A Practical and Complete Approach to Predicate Refinement

EFFICIENT PREDICATE ABSTRACTION OF PROGRAM SUMMARIES

Computer-Aided Program Design

Understanding IC3. Aaron R. Bradley. ECEE, CU Boulder & Summit Middle School. Understanding IC3 1/55

Software Verification using Predicate Abstraction and Iterative Refinement: Part 1

Beyond Quantifier-Free Interpolation in Extensions of Presburger Arithmetic

Abstractions and Decision Procedures for Effective Software Model Checking

Compositional Safety Verification with Max-SMT

Relative Completeness of Abstraction Refinement for Software Model Checking

An Interpolating Theorem Prover

Information Flow Analysis via Path Condition Refinement

Reducing Concurrent Analysis Under a Context Bound to Sequential Analysis

Predicate Abstraction: A Tutorial

Symbolic Computation and Theorem Proving in Program Analysis

Deductive Verification

Non-linear Interpolant Generation and Its Application to Program Verification

Linear Arithmetic with Stars

Transition Predicate Abstraction and Fair Termination

Automatic Verification of Parameterized Data Structures

Inductive Data Flow Graphs

Horn Clauses and Beyond for Relational and Temporal Program Verification

Predicate Abstraction via Symbolic Decision Procedures

Proving Safety with Trace Automata and Bounded Model Checking

Automata-based Verification - III

Formal Verification Techniques. Riccardo Sisto, Politecnico di Torino

Analyzing Asynchronous Programs with Preemption

Hoare Logic I. Introduction to Deductive Program Verification. Simple Imperative Programming Language. Hoare Logic. Meaning of Hoare Triples

Multi-Pushdown Systems with Budgets

The Impact of Craig s Interpolation Theorem. in Computer Science

IC3 Software Model Checking on Control Flow Automata

The TLA + proof system

On Linear Arithmetic with Stars

Spring 2014 Program Analysis and Verification. Lecture 6: Axiomatic Semantics III. Roman Manevich Ben-Gurion University

Proofs That Count. Andreas Podelski. Abstract. 1. Introduction. University of Toronto. University of Freiburg

Spring 2015 Program Analysis and Verification. Lecture 6: Axiomatic Semantics III. Roman Manevich Ben-Gurion University

Software Verification

Explain: A Tool for Performing Abductive Inference

Compositional May-Must Program Analysis: Unleashing the Power of Alternation

Interpolants from Z3 proofs

Reasoning about Threads with Bounded Lock Chains

Software Verification with Abstraction-Based Methods

Automata-based Verification - III

FMCAD 2013 Parameter Synthesis with IC3

Solving Constrained Horn Clauses using Interpolation

Logical Abduction and its Applications in Program Verification. Isil Dillig MSR Cambridge

Ranking Abstraction as Companion to Predicate Abstraction

Spring 2015 Program Analysis and Verification. Lecture 4: Axiomatic Semantics I. Roman Manevich Ben-Gurion University

Lemma Localization: A Practical Method for Downsizing SMT-Interpolants

Refining Interface Alphabets for Compositional Verification

Learning Universally Quantified Invariants of Linear Data Structures

Generalized Property Directed Reachability

Parameterised Pushdown Systems with Non-Atomic Writes

arxiv:cs.se/ v1 8 Feb 2005

Spring 2016 Program Analysis and Verification. Lecture 3: Axiomatic Semantics I. Roman Manevich Ben-Gurion University

A Short Introduction to Hoare Logic

May/Must Abstraction-Based Software Model Checking For Sound Verification and Falsification

Automatic Generation of Polynomial Invariants for System Verification

Program verification. 18 October 2017

Efficient Craig Interpolation for Linear Diophantine (Dis)Equations and Linear Modular Equations

Formal Methods for Java

Detecting Spurious Counterexamples Efficiently in Abstract Model Checking

Teaching vs. Learning, and Course Wrap-Up

CS 267: Automated Verification. Lecture 1: Brief Introduction. Transition Systems. Temporal Logic LTL. Instructor: Tevfik Bultan

PLEASE DO NOT REMOVE THIS PAGE

Formal Methods for Java

REPORTS of SFB/TR 14 AVACS

Exploring Interpolants

Join Algorithms for the Theory of Uninterpreted Functions

Combining Relational Learning with SMT Solvers using CEGAR

Reasoning About Imperative Programs. COS 441 Slides 10b

Proofs of Correctness: Introduction to Axiomatic Verification

Transcription:

Nested Interpolants Matthias Heizmann Jochen Hoenicke Andreas Podelski University of Freiburg, Germany POPL 2010

Result Interpolant-based software model checking for recursive programs avoid construction of an abstract program Hoare logic nested words

Software model checking Thomas Ball, Sriram K. Rajamani: The SLAM project: debugging system software via static analysis. (POPL 2002) Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar, Grégoire Sutre Lazy abstraction. (POPL 2002) Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar, Kenneth L. McMillan Abstractions from proofs. (POPL 2004) theorem model proving checking program abstract program invariant

Software model checking Thomas Ball, Sriram K. Rajamani: The SLAM project: debugging system software via static analysis. (POPL 2002) Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar, Grégoire Sutre Lazy abstraction. (POPL 2002) Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar, Kenneth L. McMillan Abstractions from proofs. (POPL 2004) theorem model proving checking program abstract program invariant Bottleneck: Construction of abstract program

Recent approaches: Avoid construction of abstract program Franjo Ivancic, Ilya Shlyakhter, Aarti Gupta, Malay K. Ganai Model checking C programs using F-SOFT (ICCD 2005) Kenneth L. McMillan Lazy abstraction with interpolants (CAV 2006) Nels Beckman, Aditya V. Nori, Sriram K. Rajamani, Robert J. Simmons Proofs from tests (ISSTA 2008) Bhargav S. Gulavani, Supratik Chakraborty, Aditya V. Nori, Sriram K. Rajamani Automatically refining abstract interpretations (TACAS 2008)

One idea: Use interpolants to avoid construction of the abstract program theorem model proving checking program abstract program invariant interpolating theorem prover

One idea: Use interpolants to avoid construction of the abstract program theorem model proving checking program abstract program invariant interpolating theorem prover Ranjit Jhala, Kenneth L. McMillan A practical and complete approach to predicate refinement (TACAS 2006) Kenneth L. McMillan Lazy abstraction with interpolants (CAV 2006) Quantified invariant generation using an interpolating saturation prover (TACAS 2008) Open: Interpolants in interprocedural analysis

Interprocedural static analysis - motivation Recursive Programs?

Interprocedural static analysis - motivation Modularity! Recursive Programs?

Interprocedural static analysis - motivation Modularity! Recursive Programs? Interprocedural analysis, a classical topic in programming languages Micha Sharir, Amir Pnueli Two approaches to interprocedural data flow analysis (1981) Thomas W. Reps, Susan Horwitz, Shmuel Sagiv Precise interprocedural dataflow analysis via graph reachability (POPL 1995) Shaz Qadeer, Sriram K. Rajamani, Jakob Rehof Summarizing procedures in concurrent programs (POPL 2004)

Interpolants Interpolant - for a proof Given: Proof A B Interpolation: A I B.... automatically generated by SMT solver (Craig interpolation)

Interpolants Interpolant - for a proof Given: Proof A B Interpolation: A I B.... automatically generated by SMT solver (Craig interpolation) Interpolant - for an execution traces Given: Infeasible trace st 1... st i st i+1... st n Interpolation: post( true, st 1... st i ) I wp( st i+1... st n, false )... can be new formula, not contained in program

Inductive interpolants Construct sequence of interpolants I 0... I n inductively post( I i, st i ) I i+1 suitable Hoare annotation to prove infeasibility of program slice

Inductive interpolants Construct sequence of interpolants I 0... I n inductively post( I i, st i ) I i+1 suitable Hoare annotation to prove infeasibility of program slice What if execution trace contains procedure calls?

Interpolants for interprocedural analysis What is an interpolant for an interprocedural execution?

Interpolants for interprocedural analysis What is an interpolant for an interprocedural execution? state with a stack? locality of interpolant is lost

Interpolants for interprocedural analysis What is an interpolant for an interprocedural execution? state with a stack? locality of interpolant is lost only local valuations? call/return dependency lost, sequence of interpolants is not a proof

Our gordian knot How can we keep track of the call/return dependency in a sequence of states without a stack?

Nested words Idea: Add call/return dependency explicitly to the word Rajeev Alur Marrying words and trees (PODS 2007) Rajeev Alur, P. Madhusudan Adding nesting structure to words (DLT 2006, J. ACM 56(3) 2009) Rajeev Alur, Swarat Chaudhuri Temporal reasoning for procedural programs (VMCAI 2010)

Nested words Idea: Add call/return dependency explicitly to the word Rajeev Alur Marrying words and trees (PODS 2007) Rajeev Alur, P. Madhusudan Adding nesting structure to words (DLT 2006, J. ACM 56(3) 2009) Rajeev Alur, Swarat Chaudhuri Temporal reasoning for procedural programs (VMCAI 2010)

Nested interpolants What is a sequence of interpolants for an interprocedural execution? Idea: Define sequence interpolants with respect to nested trace

Nested interpolants What is a sequence of interpolants for an interprocedural execution? Idea: Define sequence interpolants with respect to nested trace ( ) post I i, I k, return I i+1

Control flow as nested word automata procedure m(x) returns (res) l 0: if x>100 x<=100 l0 l 1: res:=x-10 else l2 xm:=x+11 x>100 l 2: x m := x+11 l3 l 3: l4 xm:=resm return m l3 l1 l 4: x m := res m l5 l 5: l6 res:=resm res:=x-10 l 6: res := res m l 7: assert (x<=101 -> res=91) return m McCarthy 91 function l7 return m l5 x 101 res 91 lerr nested word automaton

Floyd-Hoare proof as nested word automata procedure m(x) returns (res) { } l 0: if x>100 l 1: {x 101} res:=x-10 else {x 100} l 2: x m := x+11 l 3: {xm 111} {resm 101} l 4: x m := res m l 5: l 6: {xm 101} {resm = 91} res := res m {res = 91 (x 101 res = x 10)} l 7: assert (x<=101 -> res=91) return m McCarthy 91 function x 100 xm 111 resm 101 xm 101 resm = 91 x<=100 xm:=x+11 xm:=resm return m xm 101 res:=resm return m xm 111 res = 91 x 101 res = x 10 nested word automaton x>100 res:=x-10 x 101

Floyd-Hoare proof as nested word automata procedure m(x) returns (res) { } l 0: if x>100 l 1: {x 101} res:=x-10 else {x 100} l 2: x m := x+11 l 3: {xm 111} {resm 101} l 4: x m := res m l 5: l 6: {xm 101} {resm = 91} res := res m {res = 91 (x 101 res = x 10)} l 7: assert (x<=101 -> res=91) return m McCarthy 91 function x 100 xm 111 resm 101 xm 101 resm = 91 x<=100 xm:=x+11 xm:=resm return m xm 101 res:=resm return m xm 111 res = 91 x 101 res = x 10 nested word automaton x>100 res:=x-10 x 101 e.g. post ( x 100, x m:=x+11 ) x m 111

Constructing a proof of correctness Compute sequence of nested interpolants x<=100 ϕ0 : x 1 100 I0 : I1 : x 100 xm:=x+11 ϕ1 : x 1 m =x 1 +11 ϕ2 : x 2 =x 1 m I2 : xm 111 I3 : x>100 ϕ3 : x 2 >100 I4 : res:=x-10 ϕ4 : res 4 =x 2 10 return m ϕ5 : res 5 m =res 4 I6 : resm 101 I5 : res x 10 xm:=resm ϕ6 : x 6 m =res 5 m ϕ7 : x 7 =x 6 m I7 : xm 101 I8 : x>100 ϕ8 : x 7 >100 I9 : x 101 res:=x-10 ϕ9 : res 9 =x 7 10 return m ϕ10 : res 10 m =res 9 I11 : resm = 91 I10 : x 101 res = x 10 res:=resm ϕ11 : res 11 =res m 10 I12 : res = 91 x 101 res 91) ϕ12 : x 1 100 res 11 91 I13 : infeasible nested trace π SSA of π sequence of interpolants for π

Constructing a proof of correctness Nested interpolant automaton I0 : q0 I1 : x 100 x<=100 q1 x<=100 xm:=x+11 x<=100 I2 : xm 111 I3 : q2 q3 x>100 I4 : q4 res:=x-10 I6 : resm 101 I5 : res x 10 q6 return m q2 q5 xm:=resm I7 : xm 101 I8 : q7 q8 x>100 I9 : x 101 return m q2 q9 res:=x-10 I11 : resm = 91 I10 : x 101 res = x 10 q11 return m q7 q10 res:=resm I12 : res = 91 q12 return m q7 x 101 res 91) I13 : sequence of interpolants for π q13 nested interpolant automaton

Constructing a proof of correctness Nested interpolant automaton I0 : x<=100 I1 : x 100 q0 x<=100 q1 x<=100 xm:=x+11 I2 : xm 111 I3 : x>100 xm:=x+11 q2 x<=100 q3 x>100 I4 : q4 res:=x-10 res:=x-10 I6 : resm 101 return m I5 : res x 10 q6 return m q2 q5 xm:=resm xm:=resm I7 : xm 101 I8 : q7 q8 x>100 x>100 I9 : x 101 return m q2 q9 res:=x-10 res:=x-10 I11 : resm = 91 return m I10 : x 101 res = x 10 q11 return m q7 q10 res:=resm I12 : res = 91 res:=resm q12 return m q7 x 101 res 91) x 101 res 91) I13 : sequence of interpolants for π q13 nested interpolant automaton

Constructing a proof of correctness CEGAR recursive program P start with A such that L(A) L(A Σ ) return refined abstraction A := A A I where A I is a nested interpolant automaton such that π L(A I ) no L(A) L(A P ) =? π L(A Σ )? no yes return nested error trace π such that π L(A) L(A P ) yes P is correct P is incorrect

Conclusion Interpolant-based software model checking for recursive programs avoid construction of an abstract program Hoare logic nested words

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback