Higher-Order Verification
This presentation is the property of its rightful owner.
Sponsored Links
1 / 107

Higher-Order Verification With Liquid Types PowerPoint PPT Presentation


  • 117 Views
  • Uploaded on
  • Presentation posted in: General

Higher-Order Verification With Liquid Types. Ranjit Jhala , UC San Diego (with Pat Rondon , Ming Kawaguchi). Part I. First-Order Verification. Part II. Higher-Order Verification. First-Order Verification. char* rev_copy ( char* a, int n){ i = 0; j = n – 1; b = malloc (n);

Download Presentation

Higher-Order Verification With Liquid Types

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Higher order verification with liquid types

  • Higher-Order Verification

  • With Liquid Types

RanjitJhala, UC San Diego

(with Pat Rondon, Ming Kawaguchi)


Higher order verification with liquid types

  • Part I

  • First-Order Verification

  • Part II

  • Higher-Order Verification


First order verification

First-Order Verification

char* rev_copy(char* a, int n){

i = 0;

j = n – 1;

b = malloc(n);

while(0<=j){

b[i] = a[j];

i++;

j--;

}

return b;

}


Example memory safety

Example: Memory Safety

char* rev_copy(char* a, int n){

i = 0;

j = n – 1;

b = malloc(n);

while(0<=j){

b[i] = a[j];

i++;

j--;

}

return b;

}

  • Access Within Array Bounds


Higher order verification with liquid types

char* rev_copy(char* a, int n){

i = 0;

j = n – 1;

b = malloc(n);

while(j>=0){

b[i] = a[j];

i++;

j--;

}

return b;

}

0:

0: i = 0;

j = n–1;

1: while (0<=j){

2: assert(i<n);

i = i+1;

j = j–1;

}

1:

2:

assert(i<n);

assert(0<=i && i<n);

  • Access Within Array Bounds

  • How to prove assert never fails ?


Higher order verification with liquid types

  • How to prove asserts?

  • Invariants [Floyd-Hoare]


Invariants

Invariant Proves Assert

Invariants

0: i = 0;

j = n–1;

1: while (0<=j){

2: assert(i<n);

i = i+1;

j = j–1;

}

true

  • Predicate that is always true

  • @ Program Location

i+j=n-1

i+j=n-1Æ0·j


Higher order verification with liquid types

  • How to Find Invariants?

  • How to Prove Asserts?


What are invariants

What are Invariants ?

0: i = 0;

j = n–1;

1: while (0<=j){

2: assert(i<n);

i = i+1;

j = j–1;

}

?

?

?


What are invariants1

What are Invariants ?

  • Let Xi= Invariant @ location i


What are invariants2

What are Invariants ?

?

X0

0: i = 0;

j = n–1;

1: while (0<=j){

2: assert(i<n);

i = i+1;

j = j–1;

}

X1

?

  • Properties of X0,X1,X2?

X2

?


What are invariants3

What are Invariants ?

X0

0: i = 0;

j = n–1;

1: while (0<=j){

2: assert(i<n);

i = i+1;

j = j–1;

}

  • X0= true

  • Initial Values Arbitrary


What are invariants4

What are Invariants ?

0: i = 0;

j = n–1;

1: while (0<=j){

2: assert(i<n);

i = i+1;

j = j–1;

}

true

X1

  • i=0Æj=n-1 )X1


What are invariants5

What are Invariants ?

0: i = 0;

j = n–1;

1: while (0<=j){

2: assert(i<n);

i = i+1;

j = j–1;

}

X1

X2

0·jÆX1)X2


What are invariants6

What are Invariants ?

0: i = 0;

j = n–1;

1: while (0<=j){

2: assert(i<n);

i = i+1;

j = j–1;

}

X2

X2)i<n


What are invariants7

What are Invariants ?

0: i = 0;

j = n–1;

1: while (0<=j){

2: assert(i<n);

i = i+1;

j = j–1;

}

X1

X2

i=io+1Æj=jo-1Æ[io/i][jo/j]X2)X1


What are invariants8

What are Invariants ?

  • Predicates X1, X2s.t.

  • i=0Æj=n-1 )X1

0·jÆX1)X2

X2)i<n

…Æ[io/i][jo/j]X2)X1


What are invariants9

What are Invariants ?

  • Predicates X1, X2s.t.

  • Idea: Lazy Abstraction

  • How to Infer Invariants?

  • How to Solve forX1, X2?

  • i=0Æj=n-1 )X1

0·jÆX1)X2

X2)i<n

…Æ[io/i][jo/j]X2)X1


Higher order verification with liquid types

  • Idea: Lazy Abstraction

  • Tree of executions over atomic predicates

i+j=n-1

Nodes: X1, X2

0·j

Edges: X1)X2


Lazy predicate abstraction

Lazy Predicate Abstraction

Tree Root

Root X(i.e. non-RHS)

X0

true

Atoms: i+j=n-1,0·j

  • i=0Æj=n-1ÆX0)X1

0·jÆX1)X2

X2)i<n

…[io/i][jo/j]X2)X1


Lazy predicate abstraction1

Lazy Predicate Abstraction

Tree Edge

“Unrolled” Implication

X0

true

X1

Atoms: i+j=n-1,0·j

  • i=0Æj=n-1ÆX0)X1

0·jÆX1)X2

X2)i<n

…[io/i][jo/j]X2)X1


Lazy predicate abstraction2

Lazy Predicate Abstraction

Theorem Prover

X0

true

  • i=0Æj=n-1Ætrue)

i+j=n-1

Valid

?

X1

Atoms: i+j=n-1,0·j

  • i=0Æj=n-1ÆX0)X1


Lazy predicate abstraction3

Lazy Predicate Abstraction

Theorem Prover

X0

true

  • i=0Æj=n-1Ætrue)

0·j

?

X1

i+j=n-1

Invalid

Atoms: i+j=n-1,0·j

  • i=0Æj=n-1ÆX0)X1

0·jÆX1)X2

X2)i<n

…[io/i][jo/j]X2)X1


Lazy predicate abstraction4

Lazy Predicate Abstraction

X0

true

X1

i+j=n-1

Atoms: i+j=n-1,0·j

?

X2

i+j=n-1Æ0·j

  • i=0Æj=n-1ÆX0)X1

0·jÆX1)X2

X2)i<n

…[io/i][jo/j]X2)X1


Lazy predicate abstraction5

Lazy Predicate Abstraction

Theorem Prover

X0

true

0·jÆi+j=n-1)

i<n

X1

Valid

i+j=n-1

Atoms: i+j=n-1,0·j

X2

i+j=n-1Æ0·j

  • i=0Æj=n-1ÆX0)X1

0·jÆX1)X2

i<n

X2)i<n

…[io/i][jo/j]X2)X1


Lazy predicate abstraction6

Lazy Predicate Abstraction

X0

true

X1

i+j=n-1

Atoms: i+j=n-1,0·j

X2

i+j=n-1Æ0·j

  • i=0Æj=n-1ÆX0)X1

0·jÆX1)X2

?

X1

i<n

i+j=n-1

X2)i<n

…[io/i][jo/j]X2)X1


Lazy predicate abstraction7

Lazy Predicate Abstraction

X0

true

Proved Asserts…

…not so fast!

Fixpoint

Stop Unrolling

Inferred Invariants

X1

i+j=n-1

  • Constraints Solved

Atoms: i+j=n-1,0·j

X2

i+j=n-1Æ0·j

  • i=0Æj=n-1ÆX0)X1

0·jÆX1)X2

X1

i<n

i+j=n-1

X2)i<n

…[io/i][jo/j]X2)X1


Higher order verification with liquid types

Lazy Abstraction

[popl 02]

Safety

Invariants

C Program

+

Asserts

Atoms

How to get good atoms?

e.g. i+j=n-1

If we have bad atoms...

e.g. i=0, j=n-1, 0·j


Yields counterexample path

Abstraction With Bad Atoms...

…Yields Counterexample “Path”

X0

true

i:=0

j:=n–1

X1

i=0 Æ j=n-1

0<=j?

Assert Holds

X2

i<n

i=0Æj=n-1Æ0·j

i:=i+1

j:=j-1

Not a fixpoint

X1

true

0<=j?

Assert Fails

X2

i<n

true


Higher order verification with liquid types

Bad atoms yield counterexample paths


Higher order verification with liquid types

Path

Atoms

Lazy Abstraction

[popl 02]

Safety

Invariants

C Program

+

Asserts

Atoms

Path

Counterexample

Analysis

Unsafe

Paths

“Counterexample Guided Abstraction Refinement”

[Kurshan 94, Clarke et al. 00, Ball & Rajamani 00]


Higher order verification with liquid types

Path

Formula

Proof

Atoms

X0

i:=0

j:=n–1

i:=0

j:=n–1

X1

How to compute

good atoms from paths?

0<=j?

0<=j?

X2

i:=i+1

j:=j-1

i:=i+1

j:=j-1

Good Atoms

Relationships from past

Prove safety of future

X1

0<=j?

0<=j?

X2

i<n


Higher order verification with liquid types

Path

Formula

Proof

Atoms

X0

Æi0 = 0

Æ j0 = n–1

i:=0

j:=n–1

Formula Unsatisfiable

iff

Assert Holds at Path End

X1

Rename

Variables

(SSA)

Æ 0·j0

0<=j?

Æ i1 = i0 + 1

Æ j1 = j0 - 1

X2

i:=i+1

j:=j-1

Æ 0·j1

X1

Negate Assert

0<=j?

Æ n·i1¸

X2

Formula Unsatisfiableiff Assert Holds

i<n


Higher order verification with liquid types

Path

Formula

Proof

Atoms

X0

0·j1

Æi0=0

Æ j0=n–1

Æi0 = 0

Æ j0 = n–1

i:=0

j:=n–1

+

0·j0-1

X1

Æ 0·j0

j1=j0-1

Æ 0·j0

0<=j?

+

0·n-2

Æ i1 = i0 + 1

Æ j1 = j0 - 1

X2

j0=n-1

Æ i1=i0+1

Æ j1=j0-1

i:=i+1

j:=j-1

+

False

0·-1

Æ 0·j1

i0=0

X1

+

0<=j?

n·1

Æ i1¸n

Æ 0·j1

n·i1

X2

+

n·i0+1

Æ n·i1

i1=i0+1

i<n


Higher order verification with liquid types

Path

Formula

Proof

Atoms

Good Atoms

Relationships from past

Prove safety of future

0·j1

+

0·j0-1

j1=j0-1

+

0·n-2

j0=n-1

+

False

i0=0

i+j=n-1

+

+

n·1

n·i1

+

n·i0+1

i1=i0+1


Higher order verification with liquid types

X0

i:=0

j:=n–1

X1

Atom = Craig Interpolant

Of Past, Future Formulas

0<=j?

0<=j?

X2

i:=i+1

j:=j-1

Extracted from proof

Of path unsatifiability

Inferred Good Atom

i+j=n-1

X1

0<=j?

X2

i<n


Recap

Recap

  • How to verify safety ?

  • Compute invariantsX1, X2...

  • How to solve for X1, X2... ?

  • Tree of executions over atoms

  • How to find good atoms ?

  • Interpolants of path formulas


Recap1

Recap

Safety

Invariants

X0, X1

  • Implications

  • X0)X1

AI, PA, CEGAR,…


Higher order verification with liquid types

  • Part I

  • First-Order (by Logic)

  • Part II

Higher-Order Verification


Key problem invariants for

Key Problem: Invariants for…

Collections?

Closures?

Polymorphism?

Recursive Data?


Higher order verification with liquid types

  • Idea: LiquidTypes

  • Idea: Logically Qualified Types

  • Factor Invariant to Logic x Type


Higher order verification with liquid types

  • Logic

  • Describes Individual Data

  • Type

  • Quantifies over Structure


Higher order verification with liquid types

8i:0 ·i<table.length)-1· table[i]

Logic

Type

  • factored into

table::{v:int|-1·v}array


Higher order verification with liquid types

8x:next*(root,x))-1·x.data

Logic

Type

  • factored into

root::{v:int|-1·v}list


Higher order verification with liquid types

  • Functions: Array.get

  • Pre-Condition

’aarray

->int

-> ’a

x:’aarray

->{v:int|0·v<lenx}

-> ’a

  • Post-Condition


Higher order verification with liquid types

  • Higher-Order: ffor

  • lo:int

  • ->hi:{int|lo·v}

  • ->({v:int|lo·v<hi}->unit)

  • -> unit

  • int

  • ->int

  • ->(int->unit)

  • -> unit


Higher order verification with liquid types

  • Logic

  • Describes Individual Data

  • Theorem Prover

  • Reasoning about Individual Data

  • Type System

  • Quantified Reasoning about Structure

  • Type

  • Quantifies over Structure


Higher order verification with liquid types

Demo

“Map-Reduce”


Map reduce

“Map-Reduce”

  • map :: (e -> (k, v) list)

  • -> elist

  • -> (k, v)list

  • group :: (k, v)list

  • -> (k, v list)table

  • reduce :: (v-> v-> v)

  • -> (k, vlist)table

  • -> (k, v) table


K means clustering

K-Means Clustering


0 choose k centers arbitrarily

0. Choose K Centers Arbitrarily


1 map points to nearest center

1. (Map) Points to Nearest Center


2 group points by center

2. (Group) Points by Center


3 reduce centroids into new centers

3. (Reduce) Centroids into New Centers


Repeat 1 2 3 until convergence

Repeat 1,2,3 Until Convergence


Higher order verification with liquid types

Demo

K-Means via Map-Reduce


Higher order verification with liquid types

  • Base Types

  • Collections

  • Closures

  • Polymorphism

  • Recursive Data


Higher order verification with liquid types

  • Type of f

  • int!unit

  • Template of f

  • {v:int|X1}!unit

let rec ffor l u f =

if l < u then (

f l;

ffor (l+1) u f

)

Solution

X1 = l·vÆv<u

lFlows Into Input of f

{v:int|v=l}<:{v:int|X1}

  • l<u|-

Liquid Type of f

{v:int|l·vÆv<u}!unit

Reduces to

l<u Æ v=l)X1


Higher order verification with liquid types

  • Base Types

  • Collections

  • Closures

  • Polymorphism

  • Recursive Data


Higher order verification with liquid types

let nearest dist ctra x =

let da = Array.map (dist x) ctra in

[min_index da, (x, 1)]

(’a !’b)!x:’aarray!{v:’barray|lenx=lenv}

Type of Output

int*’b*intlist

Template of Output

{v:int|X1}*’b*{v:int|X2}list

Solution

X1 = 0·v<lenctra

X2 = 0<v

Liquid Type of

da:{lenv=lenctra}

|-{0·v<lenda} *’b* {v=1}list <: {X1} *’b* {X2}list

da{v:’b array|lenv=lenctra}

min_indexda{v:int|0·vÆv<lenda}

x:’aarray!{v:int|0·vÆv<lenx}

Reduces To

Liquid Type of Output

{v:int|0·v<lenctra}*’b*{v:int|0<v}list

lenda=lenctraÆ0·v<lenda)X1

lenda=lenctraÆv=1)X2


Higher order verification with liquid types

  • Base Types

  • Collections

  • Closures

  • Polymorphism

  • Recursive Data


Higher order verification with liquid types

let min_index a =

let min = ref 0 in

ffor 0 (Array.length a) (fun i ->

if a.(i) < a.(!min) then min:=i

); !min

{Xi}

unit

unit

{Xi}!unit<:{0·v<lena}!unit

{0·v<lena}

Solution

Xi = 0·v<lena

Reduces To

Template of (fun i ->...)

{v:int|Xi}!unit

0·v<lena )Xi

{0·v<lena}<:{Xi}

unit<:unit

Liquid Type of (fun i ->...)

{v:int|0·v<lena} !unit

Liquid Type of ffor

l:int!u:int!({v:int|l·v<u}!unit)!unit

Liquid Type of ffor 0 (len a)

({v:int|0· v<len a}!unit)!unit

Liquid Type of ffor 0

u:int!({v:int|0·v<u}!unit)!unit


Higher order verification with liquid types

  • Base Types

  • Collections

  • Closures

  • Polymorphism

  • Recursive Data


Higher order verification with liquid types

mapreduce (nearest dist ctra) (centroid plus) xs

|> List.iter(fun (i,(x,sz))->ctra.(i)<-divxsz)

Type of mapreduce

(’a!’b*’c list)!...!’b*’clist

Template of mapreduce

(’a! {X1}*’a*{X2}list)!...!{X1}*’a*{X2}list

Liquid Type of (nearest dist ya)

’a! {0·v<lenctra}*’a*{0<v}list

Reduces To

0·v<lenctra ) X1

0<v ) X2

Type Instantiation

’a with’a

’b withint

’c with’a*int

Template Instantiation

’a with’a

’b with{v:int|X1}

’c with’a*{v:int|X2}

Solution

X1=0·v<lenctra

X2=0<v

’a! {0· v<lenctra}*’a*{0<v}list

<:

’a! {X1}*’a*{X2}list

Liquid Type of mapreduceOutput

{0·v<lenctra}*’a*{0<v}list


Higher order verification with liquid types

  • Polymorphism = “Meta” Invariants


Polymorphism meta invariants

Polymorphism = “Meta Invariants”

  • foldl::(a->b->a)->a->blist->a


Polymorphism meta invariants1

Polymorphism = “Meta Invariants”

  • foldl::(a->b->a)->a->blist->a

  • Initial Value Satisfies a


Polymorphism meta invariants2

Polymorphism = “Meta Invariants”

  • foldl::(a->b->a)->a->blist->a

  • Each “Iteration” Preserves a


Polymorphism meta invariants3

Polymorphism = “Meta Invariants”

  • foldl::(a->b->a)->a->blist->a

  • Hence, Output Satisfiesa


Polymorphism meta invariants4

Polymorphism = “Meta Invariants”

  • foldl::(a->b->a)->a->blist->a

At callsite instantiate a for invariant

Analysis oblivious to iterated structure


Higher order verification with liquid types

  • Base Types

  • Collections

  • Closures

  • Polymorphism

  • Recursive Data


Higher order verification with liquid types

Recursive Data Structures


Data structure invariants

Data (Structure) Invariants

  • Piggyback Predicates On Types


Representation

Representation

[]

::

{x:int|0<x}list

intlist

x:int

Describes all elements

0<x


Type unfolding

Type Unfolding

[]

[]

[]

::

::

::

x:int

x:int

h:int

0<x

0<x

0<h

Empty

Head

Tail

List of positive integers

Positive

Property holds recursively


Representation1

Representation

vDescribes tail elements

x<v

[]

::

x:int

Describes all elements

0<x


Type unfolding1

Type Unfolding

h<v

x<v

x<v

[]

[]

[]

::

::

::

x:int

x:int

h:int

h<x

Empty

Head

Tail

Push Edge Predicate Into Node

Rename Variable

List of sorted integers

Elements larger than head

Property holds recursively


Data structure invariants1

Data (Structure) Invariants

  • Piggyback Predicates On Types


Quantifier instantiation

Quantifier Instantiation

x<V

x<V

Unfold

l

t

h<x

::

[]

[]

::

::

matchlwithh::t

l:sortedlist

h:int

t:sortedlist

& {h<x}list

x:int

x:int

h:int

Instantiate


Data structure invariants2

Data (Structure) Invariants

  • Piggyback Predicates On Types


Quantifier generalization

Quantifier Generalization

x<V

x<V

Fold

l

t

h<x

::

[]

[]

::

::

letl=h::tin

l:sortedlist

h:int

t:sortedlist

& {h<x}list

x:int

x:int

h:int

Generalize


Higher order verification with liquid types

Demo

isort


Higher order verification with liquid types

Recursive Data Structures


Data structure invariants3

(Data) Structure Invariants

  • Piggyback Predicates On Types


Representation list length

Representation: List Length

measure len=

|[] -> 0

|x::xs -> 1+lenxs


Representation list length1

Representation: List Length

8l,x,xs.

len([]) = 0

len(x::xs) = 1+len(xs)


Data structure invariants4

(Data) Structure Invariants

  • Piggyback Predicates On Types


Quantifier instantiation1

Quantifier Instantiation

8l,x,xs.

len([]) = 0

len(x::xs) = 1+len(xs)

l:’a list

h:’a

t:’a list

len(l)=1+len(t)

matchlwithh::t

l:’a list

Instantiate


Data structure invariants5

(Data) Structure Invariants

  • Piggyback Predicates On Types


Quantifier generalization1

Quantifier Generalization

8l,x,xs.

len([]) = 0

len(x::xs) = 1+len(xs)

letl=h::tin

h:’a

t:’a list

l:’a list

len(l)=1+len(t)

h:’a

t:’a list

Generalize


Higher order verification with liquid types

Demo

msortb


Higher order verification with liquid types

Recursive Data Structures

Piggyback Measures


Higher order verification with liquid types

Height Balanced Tree

Height

tree

r

l

Node

|Hl–Hr|<2

Leaf

measure H =

|Leaf= 0

|Node(x,l,r) = 1+max(Hl)(Hr)

  • H l= Left subtree’s height

  • H r= Right subtree’s height

  • l = Left subtree

  • r = Right subtree

Height difference bounded at each node


Higher order verification with liquid types

Demo

eval


Higher order verification with liquid types

  • Automatic LiquidType Inference

  • By Predicate Abstraction


Automatic liquid type inference

Automatic Liquid Type Inference

Complex Subtyping

Between data types

X2

x<v

[]

::

x:int

Reduces To Simple Implications

Between X1, X2,...

X1

0<x

Let X1, X2, ... = Unknown Predicates

  • Predicates Determine Invariant

Solved by Predicate Abstraction

Over atoms 0<x,x<v,...


Higher order verification with liquid types

  • Part I

  • First-Order (by Logic)

  • Part II

Higher-Order (by Types)


Take home lessons

Take Home Lessons

  • Why are HO Programs difficult?

  • Complex “invariants”

  • How to represent invariants?

  • Factor into liquidtype

  • How to compute liquidtype?

  • AbsInt/Predicate Abstraction/…


Much work remains

Much Work Remains…

“Back-End” Logic

Constraint Solving

Rich Decidable Logics

Qualifier Discovery…


Much work remains1

Much Work Remains…

“Front-End” Types

Destructive Update

Concurrency

Objects & Classes

Dynamic Languages…


Much work remains2

Much Work Remains…

User Interface

The smarter your analysis,

the harder to tell why it fails!


Higher order verification with liquid types

http://goto.ucsd.edu/liquid

  • source, papers, demo, etc.


Finite maps ml

Finite Maps (ML)

5: ‘cat’

3: ‘cow’

8: ‘tic’

  • From Ocaml Standard Library

1: ‘doc’

4: ‘hog’

7: ‘ant’

9: ‘emu’

  • Verified Invariants

  • Binary Search Ordered

  • Height Balanced

  • Keys Implement Set

  • Implemented as AVL Trees

  • Rotate/Rebalance on Insert/Delete


Binary decision diagrams ml

Binary Decision Diagrams (ML)

X1

X2

X2

  • Graph-Based Boolean Formulas [Bryant 86]

X3

X4

X4

1

  • Efficient Formula Manipulation

  • Memoizing Results on Subformulas

  • Verified Invariant

  • Variables Ordered Along Each Path

X1ÛX2 Ù X3ÛX4


Vec extensible arrays 317 loc

Vec: Extensible Arrays (317 LOC)

“Python-style” extensible arrays for Ocaml

find, insert, delete, join etc.

Efficiency via balanced trees

Balanced

Height difference between siblings ≤ 2

Dsolve found balance violation


Recursive rebalance

Recursive Rebalance

fatal off-by-one error


Debugging via inference

Debugging via Inference

Using Dsolve we found

Where imbalance occurred

(specific path conditions)

How imbalance occurred

(left tree off by up to 4)

Leading to test and fix


  • Login