1 / 18

A two-tier approach for supporting quantifiers in a lazily proof-explicating theorem prover

. Motivation. Quantifiers are used in symbolic reasoning techniques like program verificationAxioms about otherwise uninterpreted functionsAxioms about type systemObject invariants, for all objects of a typeQuantifications in user input

grazia
Download Presentation

A two-tier approach for supporting quantifiers in a lazily proof-explicating theorem prover

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

    1. A two-tier approach for supporting quantifiers in a lazily proof-explicating theorem prover K. Rustan M. Leino Microsoft Research, Redmond Madan Musuvathi Microsoft Research, Redmond Xinming Ou Princeton University

    2. Motivation Quantifiers are used in symbolic reasoning techniques like program verification Axioms about otherwise uninterpreted functions Axioms about type system Object invariants, for all objects of a type Quantifications in user input …

    3. Example To prove: (?a,j,x • 0 = j ? j < Length(a) ? read(write(a,j,x), j) = x) ? 0 < Length(b) ? read(write(b,0,10), 0) = 10 try to satisfy its negation: (?a,j,x • 0 = j ? j < Length(a) ? read(write(a,j,x), j) = x) ? 0 < Length(b) ? ¬(read(write(b,0,10), 0) = 10)

    4. Simplify

    5. Lemmas-by-demand architecture

    6. Adding quantifiers

    7. What to do with instantiation facts Possible design: [Verifun: Flanagan, Joshi, Saxe, 2004] return facts as lemmas, even though they may not refute M (that is, conjoin instantiations to input formula) simple lemmas returned may contain atomic formulas not in input useful instantiations are automatically reused pollution from useless instantiations will linger on forever

    8. Two-tier approach Let a second SAT solver explore the new disjunctions

    9. CheckMonome(M) theories.Assert(M); theories.Checkpoint(); facts := { }; loop { if (¬theories.Consistent(out lemmas)) { facts := facts ? lemmas; } else if (quant.GenerateFacts(out newFacts)) { facts := facts ? newFacts; } else { return satisfiable; } if (¬satSolver.Satisfiable(M ? facts, out monome)) { return smallest subset m of M such that ¬satSolver.Satisfiable(m ? facts); } theories.RestoreCheckpoint(); theories.Assert(monome); }

    10. Example

    11. Example

    12. Example

    13. Example

    14. Example

    15. Example

    16. More tiers main design point: number of rounds before starting a new tier

    17. Evaluation Implemented in Zap Not yet enough data to say something conclusive about performance On hand-produced examples with characteristics of realistic verification conditions, 2-tier approach performs fewer case splits than 1-tier approach, but the gains are counteracted by the rather expensive UnsatCore routine We expect a long road toward understanding and tuning performance (cf. Simplify for ESC)

    18. More fact generators quantifier instantiations non-convex theories loop-invariant strengthenings

    19. Summary We added support for quantifiers in a lemmas-by-demand theorem prover Pollution reduction technique Instantiation facts are generated in a separate tier, lemmas returned are produced from useful facts Theorem prover can have other fact generators too Future work: gain more experience

More Related