
A Data Driven Approach for Algebraic Loop Invariants



  1. A Data Driven Approach for Algebraic Loop Invariants
  Rahul Sharma
  Joint work with Saurabh Gupta, Bharath Hariharan, Alex Aiken, Percy Liang, and Aditya Nori (UC Berkeley, Stanford, Microsoft Research India)

  2. Algebraic invariants
  • Consider a program
  • Over variables
  • assume ; while B do S
  • Algebraic invariant

  3. Example program
      assume x = y = 0;
      while( * ) {
        y := y+1;
        x := x+y;
      }
  • Target invariant
  • Strongest invariant
  • Of a given degree d
  • d=2,
  • d=1,

  4. Guess-and-Check (G&C)
  • Generate data at the desired program point
  • Guess a candidate invariant (linear algebra)
  • Check whether the candidate is an actual invariant
  • If not, guess again

  5. Data generation
  • Execute programs to generate data
      assume x = y = 0;
      while( * ) {
        Print(x,y);
        y := y+1;
        x := x+y;
      }

  6. Data processing
  • Given degree = 2
  • Data matrix: one column for each monomial

  7. Null space for candidate invariants
  • All such vectors can be represented by a basis

  8. Invariants are in the null space
  • Each algebraic equation of the target invariant
  • Satisfies the data
  • is a basis of the null space, generates

  9. Sound under-approximation
  • Candidate:
  • Using, the invariant lies in the null space of the data matrix and, the candidate captures the null space, we conclude,
  • Lack of data leads to spurious equations
  • The candidate captures all equalities consistent with the data

  10. Check phase
  • Fails,
  • Add to
  • New candidate,

  11. Guess-and-Check (summary)
  1. Run tests and print states at the loop head
  2. Create the data matrix using the given degree
  3. Guess a candidate invariant using
     • If is empty, return
     • If the null space is zero-dimensional, return
  4. Check whether the candidate is an actual invariant
     • If yes, then done
     • If no, then add the counter-example to , and goto 3

  12. Soundness
  • G&C terminates only if the candidate is an invariant
  • Need to prove that the output is the strongest invariant
  • Do counter-examples satisfy the target invariant? (figure: I, C)

  13. Termination
  • A counter-example violates the candidate invariant
  • It is linearly independent of the rows of
  • Adding the counter-example increases the rank by 1
  • The rank of the data matrix is bounded by #columns

  14. Our Results
  • Formally characterize candidate invariants
  • Augment candidate generation with SMT
  • Sound approach for inferring algebraic invariants
  • Terminating procedure
  • If checking terminates then so does inference

  15. Consequences
  • Starting with zero states in the data matrix
  • G&C terminates in at most iterations
  • With the strongest algebraic invariant
  • Program tests decrease the number of G&C iterations
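The guess-and-check loop of slides 4 through 15, run on the slide-3 program, as an added example that is not part of the presentation or of the authors' tool. It makes two assumptions: the null space is computed by exact Gauss-Jordan elimination over Python's Fraction type instead of MATLAB, and the check phase is a bounded search over a box of integer states standing in for the Z3 query of slide 17, so it is exhaustive only inside that box. Starting from zero data rows (slide 15), every failed check adds a counter-example that violates the candidate, the rank rises by one each round, and the procedure stops at the strongest degree-2 invariant 2x = y + y^2 after the sixth guess, in line with the #columns bound of slide 13.

```python
from fractions import Fraction
from itertools import combinations_with_replacement, product

VARS = ("x", "y")


def monomials(degree, nvars=2):
    """Exponent tuples of every monomial of total degree <= degree, lowest degree
    first; for (x, y) and degree 2: 1, x, y, x^2, xy, y^2 (the columns of slide 6)."""
    mons = []
    for d in range(degree + 1):
        for combo in combinations_with_replacement(range(nvars), d):
            exps = [0] * nvars
            for v in combo:
                exps[v] += 1
            mons.append(tuple(exps))
    return mons


def eval_monomial(exps, state):
    val = Fraction(1)
    for e, s in zip(exps, state):
        val *= Fraction(s) ** e
    return val


def data_matrix(states, mons):
    """One row per recorded state, one column per monomial (slide 6)."""
    return [[eval_monomial(m, s) for m in mons] for s in states]


def null_space(rows, ncols):
    """Exact basis of {v : M v = 0} by Gauss-Jordan elimination over the rationals
    (assumed stand-in for the MATLAB null() step of slide 17; no rounding error)."""
    m = [list(r) for r in rows]
    pivots, r = [], 0
    for c in range(ncols):
        piv = next((i for i in range(r, len(m)) if m[i][c] != 0), None)
        if piv is None:
            continue                      # no pivot: column c is a free variable
        m[r], m[piv] = m[piv], m[r]
        m[r] = [v / m[r][c] for v in m[r]]
        for i in range(len(m)):
            if i != r and m[i][c] != 0:
                f = m[i][c]
                m[i] = [a - f * b for a, b in zip(m[i], m[r])]
        pivots.append(c)
        r += 1
    basis = []
    for free in (c for c in range(ncols) if c not in pivots):
        v = [Fraction(0)] * ncols
        v[free] = Fraction(1)             # one basis vector per free column
        for i, pcol in enumerate(pivots):
            v[pcol] = -m[i][free]
        basis.append(v)
    return basis


def holds(candidate, mons, state):
    """True iff every polynomial of the candidate vanishes on the state."""
    return all(sum(c * eval_monomial(m, state) for c, m in zip(v, mons)) == 0
               for v in candidate)


def body(state):
    """Loop body of the slide-3 program: y := y+1; x := x+y."""
    x, y = state
    y = y + 1
    return (x + y, y)


INIT = (0, 0)  # assume x = y = 0


def check(candidate, mons, bound=12):
    """Assumed stand-in for the Z3 query of slide 17: after checking the initial state,
    search a bounding box for a state that satisfies the candidate but whose successor
    does not. Returns the violating state (the counter-example of slide 10) or None."""
    if not holds(candidate, mons, INIT):
        return INIT
    for pre in product(range(-bound, bound + 1), repeat=2):
        if holds(candidate, mons, pre) and not holds(candidate, mons, body(pre)):
            return body(pre)
    return None


def guess_and_check(degree, states=()):
    """The loop of slide 11. Returns (candidate basis, final data, rank after each guess).
    A counter-example violates the candidate, so it is independent of the data rows and
    the rank rises by one per round; at most len(mons) checks can fail (slide 13)."""
    mons = monomials(degree)
    data, ranks = list(states), []
    while True:
        candidate = null_space(data_matrix(data, mons), len(mons))
        ranks.append(len(mons) - len(candidate))
        cex = check(candidate, mons)
        if cex is None:
            return candidate, data, ranks
        data.append(cex)


def poly_str(coeffs, mons, names=VARS):
    terms = []
    for c, m in zip(coeffs, mons):
        if c:
            mon = "*".join(f"{n}^{e}" if e > 1 else n for n, e in zip(names, m) if e)
            terms.append(f"{c}*{mon or '1'}")
    return " + ".join(terms) + " = 0"


if __name__ == "__main__":
    cand, data, ranks = guess_and_check(2)   # zero initial states, as on slide 15
    print("data rows:", data, "ranks:", ranks)
    for v in cand:
        print(poly_str(v, monomials(2)))    # -2*x + 1*y + 1*y^2 = 0
```

Seeding `guess_and_check(2, states=[...])` with states printed by real test runs (slide 5) shortens the trace, which is the effect the last bullet of slide 15 describes: each recorded state that is independent of the rows already present saves one check.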

  16. Nested Loops
  • Instrument all loop heads, run whole-program tests
  • Generate candidate invariants for all loops
  • Check them simultaneously:
     • Inner loops replaced by candidates
     • Candidates of outer loops generate preconditions
  • For a program with loops and data matrix columns
  • Terminate in iterations with algebraic invariants

  17. Implementation
  • MATLAB for computing the null space
  • Z3 for checking invariants
  • Decision procedure queries in Peano arithmetic
  • Generated tests naively
  • Inputs within a small bounding box

  18. Experiments

  19. Arrays
      (i,a[0]) = (0,0);
      assume (n > 0);
      while (i != n) {
        Print(i,a[i],n)
        i := i+1;
        a[i] := a[i-1]+1;
      }
      assert(a[n] == n);
  • Mine equalities from data
  • Create a column for what we want to relate

  20. Related Work
  • Do not assume degree, but ignore nested loops: Rodríguez-Carbonell and Kapur [07], Kovács [09]
  • Restrict branches to equalities or dis-equalities: Sankaranarayanan et al. [04], Müller-Olm and Seidl [04], Colón [04], Rodríguez-Carbonell and Kapur [07]
  • Does not use Gröbner bases: Cachera et al. [12]
  • Unsound: Daikon, Nguyen et al. [12]

  21. Conclusion
  • Sound and terminating inference engine
  • Data driven: leverage test suites for proofs
  • Separation of guess and check phases
  • Handles a rich syntax
  • Conceptually simple
  • Easy to engineer
  • Future work: guess and check for richer invariants
