- 108 Views
- Uploaded on
- Presentation posted in: General

Quantified Invariant Generation using an Interpolating Saturation Prover

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Quantified Invariant Generationusing anInterpolating Saturation Prover

Ken McMillan

Cadence Research Labs

TexPoint fonts used in EMF: AAAAA

- Interpolants derived from proofs can provide an effective relevance heuristic for constructing inductive invariants
- Provides a way of generalizing proofs about bounded behaviors to the unbounded case
- Exploits a prover’s ability to focus on relevant facts

- Used in various applications, including
- Hardware verification (propositional case)
- Predicate abstraction (quantifier-free)
- Program verification (quantifier-free)

- Provides a way of generalizing proofs about bounded behaviors to the unbounded case
- This talk
- Moving to the first-order case, including FO(TC)
- Modifying SPASS to create an interpolating FO prover
- Apply to program verification with arrays, linked lists

invariant:

{x == y}

- Consider this very simple approach:
- Partially unwind a program into a loop-free, in-line program
- Construct a Floyd/Hoare proof for the in-line program
- See if this proof contains an inductive invariant proving the property

- Example program:

x = y = 0;

while(*)

x++; y++;

while(x != 0)

x--; y--;

assert (y == 0);

{True}

{True}

x = y = 0;

x++; y++;

x++; y++;

[x!=0];

x--; y--;

[x!=0];

x--; y--;

[x == 0]

[y != 0]

{y = 0}

{x = 0 ^ y = 0}

{y = 1}

{x = y}

{y = 2}

{x = y}

Proof of inline program

contains invariants

for both loops

{y = 1}

{x = y}

{y = 0}

{x = 0 ) y = 0}

{False}

{False}

- Assertions may diverge as we unwind
- A practical method must somehow prevent this kind of divergence!

[Craig,57]

- If A Ù B = false, there exists an interpolant A' for (A,B) such that:
- A implies A’
- A’ is inconsistent with B
- A’ is expressed over the common vocabulary of A and B

A variety of techniques exist for deriving an interpolant from a refutation of A Ù B, generated by a theorem prover.

{True}

True

x = y

x1= y0

x=y;

1. Each formula implies the next

)

x1=y0

{x=y}

y1=y0+1

y++

y++;

)

{y>x}

y1>x1

x1=y1

[x == y]

[x=y]

)

False

{False}

Proving in-line programs

proof

SSA

sequence

Hoare

Proof

Prover

Interpolation

2. Each is over common symbols of prefix and suffix

3. Begins with true, ends with false

invariant:

{8 x. 0 · x ^ x < i ) a[x] = x}

- Existing interpolating provers cannot produce quantified interpolants
- Problem: how to prevent the number of quantifiers from diverging in the same way that constants diverge when we unwind the loops?
- For linked structures we also require a theory of reachability (in effect, transitive closure)

for(i = 0; i < N; i++)

a[i] = i;

for(j = 0; j < N; j++)

assert a[j] = j;

Can we build an interpolating prover for full FOL

than that handles reachability, and avoids divergence?

- A clausal refutation prover takes a set of clauses and returns a proof of unsatisfiability (i.e., a refutation) if possible.
- A prover is based on inference rules of this form:

P1 ... Pn

C

- where P1 ... Pn are the premises and C the conclusion.
- A typical inference rule is resolution, of which this is an instance:

p(a) p(U) ! q(U)

q(a)

- This was accomplished by unifying p(a) and P(U), then dropping the complementary literals.

Modern FOL provers based on the superposition calculus

- example superposition inference:

Q(a) P ! (a = c)

P ! Q(c)

- this is just substitution of equals for equals
- in practice this approach generates a lot of substitutions!
- use reduction order to reduce number of inferences

- A reduction order Â is:
- a total, well founded order on ground terms
- subterm property: f(a) Â a
- monotonicity: a Â b implies f(a) Â f(b)

- Example: Recursive Path Ordering (with Status) (RPOS)
- start with a precedence on symbols: a Â b Â c Â f
- induces a reduction ordering on ground terms:
f(f(a) Â f(a) Â a Â f(b) Â b Â c Â f

These terms must be maximal in their clauses

Thm: Superposition with OC is complete for refutation in FOL with equality.

So how do we get interpolants from these proofs?

- Constrains rewrites to be “downward” in the reduction order:

Q(a) P ! (a = c)

P ! Q(c)

example: this inference only possible if a Â c

- A proof is local for a pair of clause sets (A,B) when every inference step uses only symbols from A or only symbols from B.
- From a local refutation of (A,B), we can derive an interpolant for (A,B) in linear time.
- This interpolant is a Boolean combination of formulas in the proof

A

B

x = y

f(y) = d

f(x) = c

c d

- A reduction order is oriented for (A,B) when:
- s Â t for every s L (B) and t 2L(B)

- Intuition: rewriting eliminates first A variables, then B variables.

oriented: xÂ yÂ cÂ dÂ f

x = y f(x) = c ` f(y) = c

Local!!

f(y) = c f(y) = d ` c = d

c = d c d `?

Q(a) a = c

Q(a)

Q(c)

a = c

a = U ! Q(U)

Q(c)

- Local superposition gives only c=c.
- Solution: replace non-local superposition with two inferences:

B

A

Q(a)

a = c

Q Â a Â b Â c

b = c

: Q(b)

Second inference can be postponed until after resolving with : Q(b)

This “procrastination” step is an example of a reduction rule,

and preserves completeness.

- Thm: Local superposition with procrastination is complete for refutation of pairs (A,B) such that:
- (A,B) has a universally quantified interpolant
- The reduction order is oriented for (A,B)

- This gives us a complete method for generation of universally quantified interpolants for arbitrary first-order formulas!
- This is easily extensible to interpolants for sequences of formulas, hence we can use the method to generate Floyd/Hoare proofs for inline programs.

- As argued earlier, we still need to prevent interpolants from diverging as we unwind the program further.
- Idea: stratify the clause language

Example: Let Lk be the set of clauses with at most k variables and nesting depth at most k.

Note that each Lk is a finite language.

- Stratified saturation prover:
- Initially let k = 1
- Restrict prover to generate only clauses in Lk
- When prover saturates, increase k by one and continue

The stratified prover is complete, since every proof is contained

in some Lk.

- Lemma: For every safety program M with a 8 safety invariant, and every stratified saturation prover P, there exists an integer k such that P refutes every unwinding of M in Lk, provided:
- The reduction ordering is oriented properly

- This means that as we unwind further, eventually all the interpolants are contained in Lk, for some k.
- Theorem: Under the above conditions, there is some unwinding of M for which the interpolants generated by P contain a safety invariant for M.

This means we have a complete procedure for finding universally quantified safety invariants whenever these exist!

- We have proved theoretical convergence. But does the procedure converge in practice in a reasonable time?
- Modify SPASS, an efficient superposition-based saturation prover:
- Generate oriented precedence orders
- Add procrastination rule to SPASS’s reduction rules
- Drop all non-local inferences
- Add stratification (SPASS already has something similar)

- Add axiomatizations of the necessary theories
- An advantage of a full FOL prover is we can add axioms!
- As argued earlier, we need a theory of arrays and reachability (TC)
- Since this theory is not finitely axiomatizable, we use an incomplete axiomatization that is intended to handle typical operations in list-manipulating programs

invariant:

{8 x. 0 · x ^ x < i ) a[x] = x}

for(i = 0; i < N; i++)

a[i] = i;

for(j = 0; j < N; j++)

assert a[j] = j;

i0 = 0

i0 < N

a1 = update(a0,i0,i0)

i1 = i0 + 1

i1 < N

a2 = update(a1,i1,i1)

i2 = i+1 + 1

i ¸ N ^ j0 = 0

j0 < N ^ j1 = j0 + 1

j1 < N

select(a2,j1) j1

{i0 = 0}

i = 0;

[i < N];

a[i] = i; i++;

[i < N];

a[i] = i; i++;

[i >= N]; j = 0;

[j < N]; j++;

[j < N];

a[j] != j;

invariant

{0 · U ^ U < i1) select(a1,U)=U}

{0 · U ^ U < i2) select(a2,U)=U}

invariant

{j · U ^ U < N ) select(a2,U)=U}

{j · U ^ U < N ) select(a2,U) = U}

- Unwind the loops twice

note: stratification prevents constants diverging

as 0, succ(0), succ(succ(0)), ...

- Invariant synthesized with 3 unwindings (after some: simplification):

a = create_list();

while(a){

tmp = a->next;

free(a);

a = tmp;

}

{rea(next,a,nil) ^

8 x (rea(next,a,x)! x = nil _ alloc(x))}

- That is, a is acyclic, and every cell is allocated
- Note that interpolation can synthesize Boolean structure.

This shows that divergence can be controlled.

But can we scale to large programs?...

- Interpolants and invariant generation
- Computing interpolants from proofs allows us to generalize from special cases such as loop-free unwindings
- Interpolation can extract relevant facts from proofs of these special cases
- Must avoid divergence

- Quantified invariants
- Needed for programs that manipulating arrays or heaps
- FO equality prover modified to produce local proofs (hence interpolants)
- Complete for universal invariants

- Can be used to construct invariants of simple array- and list-manipulating programs, using partial axiomatization of FO(TC)
- Language stratification prevents divergence

- Might be used as a relevance heuristic for shape analysis, IPA

Canonical

Heap

Abstractions

8FO(TC)

Indexed

Predicate

Abstraction

8FO

Expressiveness

Predicate

Abstraction

QF

Interpolant

Language

Parameterized

Abstract Domain

...

A1

A2

A3

An

True

False

...

)

)

)

)

A'1

A'2

A'3

A‘n-1

- Let A1...An be a sequence of formulas
- A sequence A’0...A’n is an interpolant for A1...An when
- A’0 = True
- A’i-1^ Ai) A’i, for i = 1..n
- An = False
- and finally, A’i2L (A1...Ai) \L(Ai+1...An)

In other words, the interpolant is a structured

refutation of A1...An

- This condition needed to prove memory safety (no use after free).
- Cannot be expressed in FO
- We need some predicate identifying a closed set of nodes that is allocated

- We require a theory of reachability (in effect, transitive closure)

...

node *a = create_list();

while(a){

assert(alloc(a));

a = a->next;

}

...

invariant:

8 x (rea(next,a,x) ^ x nil ! alloc(x))

Can we build an interpolating prover for full FOL

than that handles reachability, and avoids divergence?

- Axioms of the theory of arrays (with select and store)

8 (A, I, V) (select(update(A,I,V), I) = V

8 (A,I,J,V) (I J ! select(update(A,I,V), J) = select(A,J))

- Axioms for reachability (rea)

8 (L,E) rea(L,E,E)

8 (L,E,X) (rea(L,select(L,E),X) ! rea(L,E,X))

[ if e->link reaches x then e reaches x]

8 (L,E,X) (rea(L,E,X) ! E = X _ rea(L,select(L,E),X))

[ if e reaches x then e = x or e->link reaches x]

etc...

Since FO(TC) is incomplete, these axioms must be incomplete