Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Compositional Program Analysis using Max-SMT

17 views

Published on

Recent developments on SMT solvers for non-linear polynomial constraints have become crucial to make the template-based (or constraint-based) method for program analysis effective in practice. Moreover, using Max-SMT (its optimization version) is the key to extend this approach to develop an automated compositional program verification method based on generating conditional inductive invariants. We build a bottom-up program verification framework that propagates preconditions of small program parts as postconditions for preceding program parts and can recover from failures when some precondition is not proved. These techniques have successfully been implemented within the VeryMax tool which currently can check safety, reachability and termination properties of C++ code. In this talk we will provide an overview of the Max-SMT solving techniques and its application to compositional program analysis.

Published in: Engineering
  • Be the first to comment

  • Be the first to like this

Compositional Program Analysis using Max-SMT

  1. 1. Compositional Program Analysis using Max-SMT Albert Rubio Cristina Borralleras, Marc Brockschmidt, Daniel Larraz, Albert Oliveras, José Miguel Rivero and Enric Rodríguez-Carbonell Universitat Politècnica de Catalunya - Barcelona Tech UCM Seminar March 2018 Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 1 / 44
  2. 2. Overview of the talk 1 Introduction 2 SMT/Max-SMT solving 3 Invariant generation 4 Compositional safety verification 5 VeryMax Tool 6 Conclusions and current work Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 2 / 44
  3. 3. Overview of the talk 1 Introduction 2 SMT/Max-SMT solving 3 Invariant generation 4 Compositional safety verification 5 VeryMax Tool 6 Conclusions and current work Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 3 / 44
  4. 4. Motivation Main Goal: Build static analysis tools for programmers. Fully automatic. Efficient. Scalable. Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 4 / 44
  5. 5. Motivation Main Goal: Build static analysis tools for programmers. Fully automatic. Efficient. Scalable. Strategy: Take advantage of powerful arithmetic constraint solvers. SMT solvers Constraint-based Program Analysis techniques Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 4 / 44
  6. 6. Motivation Main Goal: Build static analysis tools for programmers. Fully automatic. Efficient. Scalable. Strategy: Take advantage of powerful arithmetic constraint solvers. Max-SMT solvers Constraint-based Program Analysis techniques Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 4 / 44
  7. 7. Motivation Main Goal: Build static analysis tools for programmers. Fully automatic. Efficient. Scalable. Strategy: Take advantage of powerful arithmetic constraint solvers. Max-SMT solvers Constraint-based Program Analysis techniques Goal: Verify safety and liveness properties of programs Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 4 / 44
  8. 8. Motivation Main Goal: Build static analysis tools for programmers. Fully automatic. Efficient. Scalable. Strategy: Take advantage of powerful arithmetic constraint solvers. Max-SMT solvers Constraint-based Program Analysis techniques Goal: Verify safety and liveness properties of programs Challenge: discover (loop) invariants. How can we guide the search? Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 4 / 44
  9. 9. Overview of the talk 1 Introduction 2 SMT/Max-SMT solving 3 Invariant generation 4 Compositional safety verification 5 VeryMax Tool 6 Conclusions and current work Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 5 / 44
  10. 10. SMT solvers We make extensive use of SMT solvers inside our program analysis tools. SAT and SMT solvers gain efficiency by: addressing only (expressive enough) decidable fragments of a certain logic incorporate domain-specific reasoning, e.g: arithmetic reasoning equality data structures (arrays, lists, stacks, ...) SAT: use propositional logic as the formalization language + high degree of efficiency - expressive (all NP-complete) but involved encodings SMT: propositional logic + domain-specific reasoning + improves the expressivity - certain (but acceptable) loss of efficiency Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 6 / 44
  11. 11. Need and Applications of SMT Some problems are more naturally expressed in other logics than propositional logic, e.g: Software verification needs reasoning about equality, arithmetic, data structures, ... SMT consists of deciding the satisfiability of a (ground) FO formula with respect to a background theory Example ( Equality with Uninterpreted Functions – EUF ): g(a)=c ∧ ( f (g(a))=f (c) ∨ g(a)=d ) ∧ c =d Wide range of applications: Predicate abstraction Model checking Scheduling Test generation ... Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 7 / 44
  12. 12. Theories of Interest - Arithmetic Very useful for obvious reasons Restricted fragments support more efficient methods: Bounds: x ⊲⊳ k with ⊲⊳∈ {<, >, ≤, ≥, =} Difference logic: x − y ⊲⊳ k, with ⊲⊳∈ {<, >, ≤, ≥, =} UTVPI: ±x ± y ⊲⊳ k, with ⊲⊳∈ {<, >, ≤, ≥, =} Linear arithmetic, e.g: 2x − 3y + 4z ≤ 5 Non-linear arithmetic, e.g: 2xy + 4xz2 − 5y ≤ 10 Variables are either reals or integers Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 8 / 44
  13. 13. SMT problems Input: Given a boolean formula ϕ over some theory T. Question: Is there any interpretation (solution) that satisfies the formula? Example: T = linear integer/real arithmetic. (x < 0 ∨ x ≤ y ∨ y < z) ∧ (x ≥ 0) ∧ (x > y ∨ y < z) {x = 1, y = 0, z = 2} Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 9 / 44
  14. 14. SMT problems Input: Given a boolean formula ϕ over some theory T. Question: Is there any interpretation (solution) that satisfies the formula? Example: T = linear integer/real arithmetic. (x < 0 ∨ x ≤ y ∨ y < z) ∧ (x ≥ 0) ∧ (x > y ∨ y < z) {x = 1, y = 0, z = 2} Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 9 / 44
  15. 15. SMT problems Input: Given a boolean formula ϕ over some theory T. Question: Is there any interpretation (solution) that satisfies the formula? Example: T = linear integer/real arithmetic. (x < 0 ∨ x ≤ y ∨ y < z) ∧ (x ≥ 0) ∧ (x > y ∨ y < z) {x = 1, y = 0, z = 2} There exist very efficient solvers: yices, z3, Barcelogic, ... Can handle large formulas with a complex boolean structure. Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 9 / 44
  16. 16. Optimization problems (Weighted) Max-SMT problem Input: Given an SMT formula ϕ = C1 ∧ . . . ∧ Cm in CNF, where some of the clauses are hard and the others soft with a weight. Output: An assignment for the hard clauses that minimizes the sum of the weights of the falsified soft clauses. (x2 + y2 > 2 ∨ x · z ≤ y ∨ y · z < z2 ) ∧ (x > y ∨ 0 < z ∨ w(5)) ∧ . . . Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 10 / 44
  17. 17. Non-linear SMT solving Input: Given a boolean formula ϕ over some theory T. Question: Is there any solution that satisfies the formula? Example: T = non-linear (polynomial) integer/real arithmetic. (x2 + y2 > 2 ∨ x · z ≤ y ∨ y · z < z2 ) ∧ (x > y ∨ 0 < z) {x = 0, y = 1, z = 1} Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 11 / 44
  18. 18. Non-linear SMT solving Input: Given a boolean formula ϕ over some theory T. Question: Is there any solution that satisfies the formula? Example: T = non-linear (polynomial) integer/real arithmetic. (x2 + y2 > 2 ∨ x · z ≤ y ∨ y · z < z2 ) ∧ (x > y ∨ 0 < z) {x = 0, y = 1, z = 1} Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 11 / 44
  19. 19. Non-linear SMT solving Input: Given a boolean formula ϕ over some theory T. Question: Is there any solution that satisfies the formula? Example: T = non-linear (polynomial) integer/real arithmetic. (x2 + y2 > 2 ∨ x · z ≤ y ∨ y · z < z2 ) ∧ (x > y ∨ 0 < z) {x = 0, y = 1, z = 1} Non-linear arithmetic decidability: Integers: undecidable (Hilbert’s 10th problem). Reals: decidable (Tarski) but algorithms have prohibitive complexity. Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 11 / 44
  20. 20. Non-linear SMT solving Input: Given a boolean formula ϕ over some theory T. Question: Is there any solution that satisfies the formula? Example: T = non-linear (polynomial) integer/real arithmetic. (x2 + y2 > 2 ∨ x · z ≤ y ∨ y · z < z2 ) ∧ (x > y ∨ 0 < z) {x = 0, y = 1, z = 1} Non-linear arithmetic decidability: Integers: undecidable (Hilbert’s 10th problem). Reals: decidable (Tarski) but algorithms have prohibitive complexity. Incomplete solvers focus on either satisfiability or unsatisfiability. Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 11 / 44
  21. 21. Non-linear SMT solving Input: Given a boolean formula ϕ over some theory T. Question: Is there any solution that satisfies the formula? Example: T = non-linear (polynomial) integer/real arithmetic. (x2 + y2 > 2 ∨ x · z ≤ y ∨ y · z < z2 ) ∧ (x > y ∨ 0 < z) {x = 0, y = 1, z = 1} Non-linear arithmetic decidability: Integers: undecidable (Hilbert’s 10th problem). Reals: decidable (Tarski) but algorithms have prohibitive complexity. Incomplete solvers focus on either satisfiability or unsatisfiability. Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 11 / 44
  22. 22. Solving non-linear SMT formulas Need to handle large formulas with non-linear arithmetic and complex boolean structure. Barcelogic has shown to be the best SMT-solver proving satisfiability of this kind of problems. Barcelogic can handle Max-SMT formulas (over non-linear arithmetic) as well. Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 12 / 44
  23. 23. Overview of the talk 1 Introduction 2 SMT/Max-SMT solving 3 Invariant generation 4 Compositional safety verification 5 VeryMax Tool 6 Conclusions and current work Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 13 / 44
  24. 24. Invariant generation Definition An invariant of a program at a location is an assertion over the program variables that remains true whenever the location is reached. Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 14 / 44
  25. 25. Invariant generation Definition An invariant of a program at a location is an assertion over the program variables that remains true whenever the location is reached. Definition An invariant is said to be inductive at a program location if: Initiation condition: It holds the first time the location is reached. Consecution condition: It is preserved under every cycle back to the location. Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 14 / 44
  26. 26. Invariant generation Definition An invariant of a program at a location is an assertion over the program variables that remains true whenever the location is reached. Definition An invariant is said to be inductive at a program location if: Initiation condition: It holds the first time the location is reached. Consecution condition: It is preserved under every cycle back to the location. We focus on inductive invariants. Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 14 / 44
  27. 27. Constraint-based invariant generation We inspire ourselves with the constraint-based method [CSS’03]. Assume input programs consist of linear expressions. Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 15 / 44
  28. 28. Constraint-based invariant generation We inspire ourselves with the constraint-based method [CSS’03]. Assume input programs consist of linear expressions. Keys: Use a template for candidate invariants. c1x1 + . . . + cnxn + d ≤ 0 Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 15 / 44
  29. 29. Constraint-based invariant generation We inspire ourselves with the constraint-based method [CSS’03]. Assume input programs consist of linear expressions. Keys: Use a template for candidate invariants. c1x1 + . . . + cnxn + d ≤ 0 Impose initiation and consecution conditions obtaining an ∃∀ problem over non-linear arithmetic. Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 15 / 44
  30. 30. Constraint-based invariant generation We inspire ourselves with the constraint-based method [CSS’03]. Assume input programs consist of linear expressions. Keys: Use a template for candidate invariants. c1x1 + . . . + cnxn + d ≤ 0 Impose initiation and consecution conditions obtaining an ∃∀ problem over non-linear arithmetic. Transform it using Farkas’ Lemma into an ∃ problem over non-linear arithmetic. Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 15 / 44
  31. 31. Scalar invariant generation: Example Square root of a natural number N: int isqrt(int N) { //integer square root int a = 0, s = 1, t = 1; // Inv: c1a + c2s + c3t + d ≤ 0 while (s ≤ N) { a = a + 1; s = s + t + 2; t = t + 2; } return a; } Back Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 16 / 44
  32. 32. Scalar invariant generation: Example Square root of a natural number N: int isqrt(int N) { //integer square root int a = 0, s = 1, t = 1; // Inv: c1a + c2s + c3t + d ≤ 0 while (s ≤ N) { a = a + 1; s = s + t + 2; t = t + 2; } return a; } ∃ c1, c2, c3, d ∀ a, s, t true =⇒ c1 · 0 + c2 · 1 + c3 · 1 + d ≤ 0 ∧ Initiation condition s ≤ N ∧ c1 · a + c2 · s + c3 · t + d ≤ 0 =⇒ c1 · (a + 1) + c2 · (s + t + 2) + c3 · (t + 2) + d ≤ 0 consecution condition Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 16 / 44
  33. 33. Scalar invariant generation: Example Square root of a natural number N: int isqrt(int N) { //integer square root int a = 0, s = 1, t = 1; // Inv: c1a + c2s + c3t + d ≤ 0 while (s ≤ N) { a = a + 1; s = s + t + 2; t = t + 2; } return a; } ∃ c1, c2, c3, d ∀ a, s, t c2 + c3 + d ≤ 0 ∧ Initiation condition s ≤ N ∧ c1 · a + c2 · s + c3 · t + d ≤ 0 =⇒ c1 · a + c2 · s + (c2 + c3) · t + c1 + 2c2 + 2c3 + d ≤ 0 consecution condition Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 16 / 44
  34. 34. Scalar invariant generation: Example Square root of a natural number N: int isqrt(int N) { //integer square root int a = 0, s = 1, t = 1; // Inv: c1a + c2s + c3t + d ≤ 0 while (s ≤ N) { a = a + 1; s = s + t + 2; t = t + 2; } return a; } Apply Farkas’ Lemma to remove ∀ a, s, t Use Barcelogic to solve the non-linear SMT problem! Back Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 16 / 44
  35. 35. Scalar invariant generation: Example Square root of a natural number N: int isqrt(int N) { //integer square root int a = 0, s = 1, t = 1; // Inv: c1a + c2s + c3t + d ≤ 0 while (s ≤ N) { a = a + 1; s = s + t + 2; t = t + 2; } return a; } Apply Farkas’ Lemma to remove ∀ a, s, t Use Barcelogic to solve the non-linear SMT problem! {c1 = −2, c2 = 0, c3 = 1, d = −1} Back Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 16 / 44
  36. 36. Scalar invariant generation: Example Square root of a natural number N: int isqrt(int N) { //integer square root int a = 0, s = 1, t = 1; // Inv: −2a + 0s + 1t − 1 ≤ 0 while (s ≤ N) { a = a + 1; s = s + t + 2; t = t + 2; } return a; } Apply Farkas’ Lemma to remove ∀ a, s, t Use Barcelogic to solve the non-linear SMT problem! {c1 = −2, c2 = 0, c3 = 1, d = −1} Back Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 16 / 44
  37. 37. Scalar invariant generation: Example Square root of a natural number N: int isqrt(int N) { //integer square root int a = 0, s = 1, t = 1; // Inv: t ≤ 2a + 1 while (s ≤ N) { a = a + 1; s = s + t + 2; t = t + 2; } return a; } Apply Farkas’ Lemma to remove ∀ a, s, t Use Barcelogic to solve the non-linear SMT problem! {c1 = −2, c2 = 0, c3 = 1, d = −1} Back Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 16 / 44
  38. 38. Program analysis using SMT and Max-SMT We have used this approach for: Array invariant generation. [VMCAI2013] Termination analysis using Max-SMT. [FMCAD2013] (inspired by [BMS’05]) Key notion: quasi-ranking functions Non-Termination analysis using Max-SMT. [CAV2014] Key notion: quasi-invariant/conditional invariants Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 17 / 44
  39. 39. Overview of the talk 1 Introduction 2 SMT/Max-SMT solving 3 Invariant generation 4 Compositional safety verification 5 VeryMax Tool 6 Conclusions and current work Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 18 / 44
  40. 40. Safety verification Aim: verify assertions in large programs (several consecutive loops). Our approach: Goal oriented. Starts from the postcondition. Automatically generate intermediate assertions!! Simple example: while (j>0) { j--; i++; } while (i>0) { x=x+5; i--; } assert(x≥0); Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 19 / 44
  41. 41. Safety verification Aim: verify assertions in large programs (several consecutive loops). Our approach: Goal oriented. Starts from the postcondition. Automatically generate intermediate assertions!! Simple example: while (j>0) { j--; i++; } assert(x + 5*i >=0); while (i>0) { x=x+5; i--; } assert(x>=0); Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 19 / 44
  42. 42. Safety verification Aim: verify assertions in large programs (several consecutive loops). Our approach: Goal oriented. Starts from the postcondition. Automatically generate intermediate assertions!! Simple example: assert(j>=0 and x + 5*(i+j) >=0); while (j>0) { j--; i++; } assert(x + 5*i >=0); while (i>0) { x=x+5; i--; } assert(x≥0); Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 19 / 44
  43. 43. Conditional invariant generation Definition A formula is a conditional (inductive) invariant at a program location if: Consecution condition holds. Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 20 / 44
  44. 44. Conditional invariant generation Definition A formula is a conditional (inductive) invariant at a program location if: Consecution condition holds. but Initiation condition may not hold. Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 20 / 44
  45. 45. Conditional invariant generation Definition A formula is a conditional (inductive) invariant at a program location if: Consecution condition holds. Hard but Initiation condition may not hold. Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 20 / 44
  46. 46. Conditional invariant generation Definition A formula is a conditional (inductive) invariant at a program location if: Consecution condition holds. Hard but Initiation condition may not hold. Soft Key: We prefer invariants but we can live with conditional invariants Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 20 / 44
  47. 47. Conditional invariant generation Altogether we have: Initiation condition (soft) Consecution condition (hard) Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 21 / 44
  48. 48. Conditional invariant generation Altogether we have: Initiation condition (soft) Consecution condition (hard) Plus implication of the Postcondition (hard) Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 21 / 44
  49. 49. Conditional invariant generation Altogether we have: Initiation condition (soft) Consecution condition (hard) Plus implication of the Postcondition (hard) Solve the problem with a Max-SMT solver (we use Barcelogic) Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 21 / 44
  50. 50. Conditional invariant generation Altogether we have: Initiation condition (soft) Consecution condition (hard) Plus implication of the Postcondition (hard) Solve the problem with a Max-SMT solver (we use Barcelogic) If initiation condition holds we are done Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 21 / 44
  51. 51. Conditional invariant generation Altogether we have: Initiation condition (soft) Consecution condition (hard) Plus implication of the Postcondition (hard) Solve the problem with a Max-SMT solver (we use Barcelogic) If initiation does not hold we have a new Postcondition for previous code Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 21 / 44
  52. 52. Conditional invariant generation Altogether we have: Initiation condition (soft) Consecution condition (hard) Plus implication of the Postcondition (hard) Solve the problem with a Max-SMT solver (we use Barcelogic) If initiation does not hold we have a new Postcondition for previous code call recursively to the safety checker Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 21 / 44
  53. 53. Safety verification: Recovering from failures In case of failure of the recursive call to the safety checker Add the negation of the conditional invariant in the corresponding locations: Narrow the loop Try to prove the Postcondition again (with more information). Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 22 / 44
  54. 54. Safety verification Narrowing loops: Recovering from failures Simple example: int x=-50; int y=nondet(); while (x<0) { x = x + y; y = y + 1; } assert(y>0); Skip Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 23 / 44
  55. 55. Safety verification Narrowing loops: Recovering from failures Simple example: int x=-50; int y=nondet(); assert(y>0); while (x<0) { x = x + y; y = y + 1; } assert(y>0); Skip Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 23 / 44
  56. 56. Safety verification Narrowing loops: Recovering from failures Simple example: int x=-50; int y=nondet(); assert(y>0); // Conditional invariant while (x<0) { x = x + y; y = y + 1; } assert(y>0); Skip Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 23 / 44
  57. 57. Safety verification Narrowing loops: Recovering from failures Simple example: int x=-50; int y=nondet(); assume(!(y>0)); while (x<0) { assume(!(y>0)); x = x + y; y = y + 1; } assert(y>0); Skip Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 23 / 44
  58. 58. Safety verification Narrowing loops: Recovering from failures Simple example: int x=-50; int y=nondet(); assume(y<=0); while (x<0) { assume(y<=0); x = x + y; y = y + 1; } assert(y>0); Skip Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 23 / 44
  59. 59. Safety verification Narrowing loops: Recovering from failures Simple example: int x=-50; int y=nondet(); assume(y<=0); assert(x<0); // Invariant while (x<0) { assume(y<=0); x = x + y; y = y + 1; } assert(y>0); // Unreachable! Skip Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 23 / 44
  60. 60. Experiments Our techniques have been implemented in a tool called VeryMax 217 programs taken from Numerical Recipes in C++ up to 284 lines of code 6452 safety problems 6106 can be proved highly parallelizable FMCAD 2015 Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 24 / 44
  61. 61. Conditional Termination Given a program (loop), obtain a (pre-)condition ensuring its termination. Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 25 / 44
  62. 62. Conditional Termination Given a program (loop), obtain a (pre-)condition ensuring its termination. Our approach: Find ranking functions using (linear) templates Find supporting conditional invariants (like before) Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 25 / 44
  63. 63. Conditional Termination Given a program (loop), obtain a (pre-)condition ensuring its termination. Our approach: Find ranking functions using (linear) templates Find supporting conditional invariants (like before) Encode the problem with Max-SMT Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 25 / 44
  64. 64. Conditional Termination Given a program (loop), obtain a (pre-)condition ensuring its termination. Our approach: Find ranking functions using (linear) templates Find supporting conditional invariants (like before) Encode the problem with Max-SMT Using conditional termination we can prove termination by cases. Skip combine termination and non-termination analysis (in parallel). prove termination of consecutive loops in a compositional way. Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 25 / 44
  65. 65. Running example int main() { int x, y, z; x = nondet(); y = nondet(); z = nondet(); while (y ≥ 0 && z = 0) { if (z < 0) { y = y + z; z = z − 1; } else { x = x − z; y = y + x; z = z + 1; } } } ℓ0 ℓ1 ℓ2 τ0: true τ1: y ≥ 0 ∧ z > 0 ∧ x′ = x − z ∧ y′ = y + x ∧ z′ = z + 1 τ2: y ≥ 0 ∧ z < 0 ∧ x′ = x ∧ y′ = y + z ∧ z′ = z − 1 τ3: y < 0 ∧ x′ = x ∧ y′ = y ∧ z′ = z τ4: z = 0 ∧ x′ = x ∧ y′ = y ∧ z′ = z Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 26 / 44
  66. 66. Ranking functions and Conditional Invariants In order to discard a transition τi we need to find a ranking function f over the integers such that: 1 τi =⇒ f (x1, . . . , xn) ≥ 0 (bounded) 2 τi =⇒ f (x1, . . . , xn) > f (x′ 1, . . . , x′ n) (strict-decreasing) 3 τj =⇒ f (x1, . . . , xn) ≥ f (x′ 1, . . . , x′ n) for all j (non-increasing) Use a linear template for the ranking function as well. Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 27 / 44
  67. 67. Ranking functions and Invariants: Combined problem In order to prove properties of the ranking function we may need to generate invariants. Generation of both conditional invariants and ranking functions should be combined in the same optimization problem. Back Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 28 / 44
  68. 68. Ranking functions and Invariants: Combined problem In order to prove properties of the ranking function we may need to generate invariants. Generation of both conditional invariants and ranking functions should be combined in the same optimization problem. Back 1 I ∧ τi =⇒ f (x1, . . . , xn) ≥ 0 (bounded) 2 I ∧ τi =⇒ f (x1, . . . , xn) > f (x′ 1, . . . , x′ n) (strict-decreasing) 3 I ∧ τj =⇒ f (x1, . . . , xn) ≥ f (x′ 1, . . . , x′ n) for all j (non-increasing) Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 28 / 44
  69. 69. Ranking functions and Invariants: Combined problem In order to prove properties of the ranking function we may need to generate invariants. Generation of both conditional invariants and ranking functions should be combined in the same optimization problem. Back 1 I ∧ τi =⇒ f (x1, . . . , xn) ≥ 0 (bounded) 2 I ∧ τi =⇒ f (x1, . . . , xn) > f (x′ 1, . . . , x′ n) (strict-decreasing) 3 I ∧ τj =⇒ f (x1, . . . , xn) ≥ f (x′ 1, . . . , x′ n) for all j (non-increasing) Considering conditional invariants give more chances to the solver Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 28 / 44
  70. 70. Ranking functions and Invariants: Combined problem In order to prove properties of the ranking function we may need to generate invariants. Generation of both conditional invariants and ranking functions should be combined in the same optimization problem. Back 1 I ∧ τi =⇒ f (x1, . . . , xn) ≥ 0 (bounded) 2 I ∧ τi =⇒ f (x1, . . . , xn) > f (x′ 1, . . . , x′ n) (strict-decreasing) 3 I ∧ τj =⇒ f (x1, . . . , xn) ≥ f (x′ 1, . . . , x′ n) for all j (non-increasing) Considering conditional invariants give more chances to the solver But we get a conditional termination proof Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 28 / 44
  71. 71. Running example ℓ0 ℓ1 ℓ2 τ0: true τ1: y ≥ 0 ∧ z > 0 ∧ x′ = x − z ∧ y′ = y + x ∧ z′ = z + 1 τ2: y ≥ 0 ∧ z < 0 ∧ x′ = x ∧ y′ = y + z ∧ z′ = z − 1 τ3: y < 0 ∧ x′ = x ∧ y′ = y ∧ z′ = z τ4: z = 0 ∧ x′ = x ∧ y′ = y ∧ z′ = z Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 29 / 44
  72. 72. Running example ℓ0 ℓ1 τ0: true τ1: y ≥ 0 ∧ z > 0 ∧ x′ = x − z ∧ y′ = y + x ∧ z′ = z + 1 τ2: y ≥ 0 ∧ z < 0 ∧ x′ = x ∧ y′ = y + z ∧ z′ = z − 1 0 Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 29 / 44
  73. 73. Running example ℓ0 ℓ1 τ0: true τ1: y ≥ 0 ∧ z > 0 ∧ x′ = x − z ∧ y′ = y + x ∧ z′ = z + 1 τ2: y ≥ 0 ∧ z < 0 ∧ x′ = x ∧ y′ = y + z ∧ z′ = z − 1 0 z < 0 is a conditional invariant at location ℓ1 y is a ranking function 1 τ1 is disabled 2 τ2 is bounded and strictly decreasing Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 29 / 44
  74. 74. Running example ℓ0 ℓ1 τ0: true τ1: y ≥ 0 ∧ z > 0 ∧ x′ = x − z ∧ y′ = y + x ∧ z′ = z + 1 τ2: y ≥ 0 ∧ z < 0 ∧ x′ = x ∧ y′ = y + z ∧ z′ = z − 1 0 We have a conditional proof: The system terminates if the condition z < 0 holds at ℓ0 Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 29 / 44
  75. 75. Running example ℓ0 ℓ1 τ0: z < 0 τ2: y ≥ 0 ∧ z < 0 ∧ x′ = x ∧ y′ = y + z ∧ z′ = z − 1 τ1: y ≥ 0 ∧ z > 0 ∧ x′ = x − z ∧ y′ = y + x ∧ z′ = z + 1 We have a conditional proof: The system terminates if the condition z < 0 holds at ℓ0 (or τ0) Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 30 / 44
  76. 76. Running example: Narrowing In order to complete the termination proof we have to consider the complementary problem. Narrow the transitions removing all states that we already know that are terminating. We can do better than just add the negation of the condition in the entry. Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 31 / 44
  77. 77. Running example: Narrowing ℓ0 ℓ1 τ0: true τ2: y ≥ 0 ∧ z < 0 ∧ x′ = x ∧ y′ = y + z ∧ z′ = z − 1 τ1: y ≥ 0 ∧ z > 0 ∧ x′ = x − z ∧ y′ = y + x ∧ z′ = z + 1 We know more!: whenever z < 0 holds at ℓ1 the system terminates Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 32 / 44
  78. 78. Running example: Narrowing ℓ0 ℓ1 τ0: true τ2: y ≥ 0 ∧ z < 0 ∧ x′ = x ∧ y′ = y + z ∧ z′ = z − 1 τ1: y ≥ 0 ∧ z > 0 ∧ x′ = x − z ∧ y′ = y + x ∧ z′ = z + 1 Narrow the transition system according to this: whenever z < 0 holds at ℓ1 the system terminates Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 32 / 44
  79. 79. Running example: Narrowing ℓ0 ℓ1 τ0: z ≥0 τ2: z ≥ 0 y ≥ 0 ∧ z < 0 ∧ x′ = x ∧ y′ = y + z ∧ z′ = z − 1 τ1: z ≥ 0 y ≥ 0 ∧ z > 0 ∧ x′ = x − z ∧ y′ = y + x ∧ z′ = z + 1 Narrow the transition system according to this: whenever z < 0 holds at ℓ1 the system terminates Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 33 / 44
  80. 80. Running example. Narrowing After simplifying the transition system we get: ℓ0 ℓ1 τ0: z ≥0 τ1: z ≥ 0 y ≥ 0 ∧ z > 0 ∧ x′ = x − z ∧ y′ = y + x ∧ z′ = z + 1 Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 34 / 44
  81. 81. Running example. Narrowing After simplifying the transition system we get: ℓ0 ℓ1 τ0: z ≥0 τ1: z ≥ 0 y ≥ 0 ∧ z > 0 ∧ x′ = x − z ∧ y′ = y + x ∧ z′ = z + 1 Conditionally terminates: x < 0 is a conditional invariant at location ℓ1 y is a ranking function 1 τ1 is bounded and strictly decreasing Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 34 / 44
  82. 82. Running example. Narrowing Narrowing again with the complement of x < 0 we get: ℓ0 ℓ1 τ0: z ≥0 x ≥0 τ1: z ≥ 0 x ≥ 0 y ≥ 0 ∧ z > 0 ∧ x′ = x − z ∧ y′ = y + x ∧ z′ = z + 1 Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 35 / 44
  83. 83. Running example. Narrowing Narrowing again with the complement of x < 0 we get: ℓ0 ℓ1 τ0: z ≥0 x ≥0 τ1: z ≥ 0 x ≥ 0 y ≥ 0 ∧ z > 0 ∧ x′ = x − z ∧ y′ = y + x ∧ z′ = z + 1 Which terminates with x as a ranking function Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 35 / 44
  84. 84. Compositional Termination Analysis Aim: prove termination of large programs (several consecutive loops). New approach: 1 Obtain a conditional termination proof. 2 Check the condition as a Safety property. Simple example: assume(x > y && y ≥ 0); while (y > 0) { x = x - 1; y = y - 1; } while (y < 0) { y = y + x; } Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 36 / 44
  85. 85. Compositional Termination Analysis Aim: prove termination of large programs (several consecutive loops). New approach: 1 Obtain a conditional termination proof. 2 Check the condition as a Safety property. Simple example: assume(x > y && y ≥ 0); while (y > 0) { x = x - 1; y = y - 1; } assert(x > 0); Rank: -y while (y < 0) { y = y + x; } Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 36 / 44
  86. 86. Compositional analysis through Conditional Termination Aim: verify termination in large programs (several consecutive loops). New approach: 1 Obtain a conditional termination proof. 2 Check the condition as a Safety property. Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 37 / 44
  87. 87. Compositional analysis through Conditional Termination Aim: verify termination in large programs (several consecutive loops). New approach: 1 Obtain a conditional termination proof. 2 Check the condition as a Safety property. 3 In case of failure of the Safety checker Narrow the loop and try again! Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 37 / 44
  88. 88. Compositional analysis through Conditional Termination Aim: verify termination in large programs (several consecutive loops). New approach: 1 Obtain a conditional termination proof. 2 Check the condition as a Safety property. 3 In case of failure of the Safety checker Narrow the loop and try again! We can handle every loop independently Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 37 / 44
  89. 89. Experiments Our techniques have been implemented in VeryMax Results: won the C Integer programs categories of the Terminaton Competition in 2016 and 2017 Comparison with tools at the Termination category of SVComp. On the 358 benchmarks not involving recursion or pointers (273) Tool Term NTerm Fail TO Total (s) AProVE 222 76 41 19 10235.44 SeaHorn 189 75 22 72 34760.69 UltimateBuchiA 224 103 25 6 7882.13 VeryMax 231 101 26 0 2444.29 See our paper at TACAS 2017 for more details. Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 38 / 44
  90. 90. Overview of the talk 1 Introduction 2 SMT/Max-SMT solving 3 Invariant generation 4 Compositional safety verification 5 VeryMax Tool 6 Conclusions and current work Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 39 / 44
  91. 91. VeryMax global architecture 00001111 0000000000000000000000000000 00000000000000 00000000000000 00000000000000 0000000000000000000000000000 00000000000000 0000000000000000000000000000 00000000000000 00000000000000 00000000000000 0000000000000000000000000000 00000000000000 0000000000000000000000000000 0000000000000000000000000000 0000000000000000000000000000 1111111111111111111111111111 11111111111111 11111111111111 11111111111111 1111111111111111111111111111 11111111111111 1111111111111111111111111111 11111111111111 11111111111111 11111111111111 1111111111111111111111111111 11111111111111 1111111111111111111111111111 1111111111111111111111111111 1111111111111111111111111111 ITS (smt2) LLVM CODE TRANSFORMATION LLVM CODE C, C++ VERYMAX TRANSITION SYSTEM TERMINATION ANALISYS NON TERMINATION ANALISYS REACHABILITY CHECK CHECK MAX−SMT SOLVER INVARIANT CONDITIONAL GENERATOR RANKING FUNCTION + SAFETY Two phases 1 Front-end. From source programs to VeryMax Transition Systems 2 Static Analysis Tools Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 40 / 44
  92. 92. VeryMax static analysis tools 000111 00000000000000 0000000000000000000000000000 00000000000000 00000000000000 00000000000000 0000000000000000000000000000 00000000000000 00000000000000 00000000000000 0000000000000000000000000000 00000000000000 00000000000000 00000000000000 00000000000000 00000000000000 00000000000000 00000000000000 00000000000000 11111111111111 1111111111111111111111111111 11111111111111 11111111111111 11111111111111 1111111111111111111111111111 11111111111111 11111111111111 11111111111111 1111111111111111111111111111 11111111111111 11111111111111 11111111111111 11111111111111 11111111111111 11111111111111 11111111111111 11111111111111 VERYMAX TRANSITION SYSTEM TERMINATION ANALISYS NON TERMINATION ANALISYS REACHABILITY CHECK CHECK MAX−SMT SOLVER INVARIANT CONDITIONAL GENERATOR RANKING FUNCTION + SAFETY Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 41 / 44
  93. 93. VeryMax static analysis tools 000111 00000000000000 0000000000000000000000000000 00000000000000 00000000000000 00000000000000 0000000000000000000000000000 00000000000000 00000000000000 00000000000000 0000000000000000000000000000 00000000000000 00000000000000 00000000000000 00000000000000 00000000000000 00000000000000 00000000000000 00000000000000 11111111111111 1111111111111111111111111111 11111111111111 11111111111111 11111111111111 1111111111111111111111111111 11111111111111 11111111111111 11111111111111 1111111111111111111111111111 11111111111111 11111111111111 11111111111111 11111111111111 11111111111111 11111111111111 11111111111111 11111111111111 VERYMAX TRANSITION SYSTEM TERMINATION ANALISYS NON TERMINATION ANALISYS REACHABILITY CHECK CHECK MAX−SMT SOLVER INVARIANT CONDITIONAL GENERATOR RANKING FUNCTION + SAFETY VeryMax can 1 check safety properties 2 check reachability properties 3 prove termination 4 prove non-termination Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 41 / 44
  94. 94. Overview of the talk 1 Introduction 2 SMT/Max-SMT solving 3 Invariant generation 4 Compositional safety verification 5 VeryMax Tool 6 Conclusions and current work Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 42 / 44
  95. 95. Conclusions Two main conclusions: Using SMT and Max-SMT, automatic generation of needed (conditional) invariants can be made efficiently. Scalable program verification becomes feasible Other potential applications of conditional analysis and Max-SMT: Analysis of concurrent/distributed systems. Program synthesis. Program repair (minimize changes). Using Max-SMT we can express preferences among possible solutions Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 43 / 44
  96. 96. Thank you! Albert Rubio (UPC) Program Analysis using Max-SMT UCM Seminar 2018 44 / 44

×