Demand-driven inference of loop invariants in a theorem prover K. Rustan M. Leino Microsoft...
Page 1
Demand-driven inference of loop invariants in a theorem prover
K. Rustan M. Leino
Microsoft Research, Redmond, WA, USA
joint work with
Francesco Logozzo
École Polytechnique, Paris, France
3 April 2005
Invited talk, AVIS 2005
Edinburgh, Scotland, UK
Spec# joint work with Mike Barnett, Robert DeLine, Manuel Fähndrich, Wolfram Schulte, and Herman Venter
Page 2
Software engineering problem
Building and maintaining large systems that are correct
Page 3
Approach
• Specifications record design decisions
  – bridge intent and code
• Tools amplify human effort
  – manage details
  – find inconsistencies
  – ensure quality
Page 4
Spec#
• Experimental mix of contracts and tool support
• Aimed at experienced developers who know the high cost of testing and maintenance
• Superset of C#
  – non-null types
  – pre- and postconditions
  – object invariants
• Tool support
  – more type checking
  – compiler-emitted run-time checks
  – static program verification
Figure: a scale of "degree of checking, effort" with the labels C#, contracts everywhere, type checking, run-time checks, static verification, and into the future.
Page 5
Spec# demo
Page 6
Basic architecture of a static verifier
Figure: program with specifications → verification condition generator → verification condition → theorem prover → "correct" or list of errors.
Page 7
Spec# static verifier architecture
Figure: Spec# → Spec# compiler → MSIL ("bytecode") → translator → Boogie PL → inference engine and V.C. generator → verification condition → automatic theorem prover → "correct" or list of errors. The translator, inference engine, V.C. generator and automatic theorem prover together form the Spec# static program verifier.
Notes beside the automatic theorem prover:
• high precision
• needs invariants
Notes beside the inference engine:
• computes invariants
• over-approximates
Page 8
Predicate abstraction and refinement
Figure: C program and predicates → predicate abstraction → boolean program → model checker → either correct, or an abstract trace → feasible? yes → concrete trace → error message; no → predicate refinement → new predicates.
e.g.: Graf & Saïdi, SLAM, BLAST, …
Page 9
Lemmas-by-demand theorem proving
Figure: input formula → propositional formula → SAT solver → either unsatisfiable, or satisfiable → monome → conjunction of input literals consistent with theories? yes → done; no → conflict-clause generation → lemmas added to the propositional formula.
e.g.: Verifun, de Moura & Rueß, CVC Lite, Zap, …
Page 10
Static program verification
Figure: program and loop invariants → verification condition generation → verification condition → theorem prover → either valid, or counterexample → program trace → error message.
Page 11
Loop invariants on demand
Figure: program and loop invariants → verification condition generation → verification condition → theorem prover → either valid, or counterexample → program trace → give up? yes → error message; no → more precise (stronger or context sensitive) inference → new loop invariants → verification condition generation again.
Page 12
Generating VC once
Figure: program → verification condition generation → verification condition (VC); the VC together with properties about loop invariants forms the formula given to the theorem prover → either valid, or counterexample → program trace → give up? yes → error message; no → more precise inference → new properties about loop invariants (the VC itself is not regenerated).
Page 13
source language → intermediate language → passive command → verification condition
Source language:
S,T ::= x := E
      | assert E
      | S ; T
      | if E then S else T end
      | while E do S end
Page 14
source language → intermediate language → passive command → verification condition
Intermediate language:
C,D ::= x := E
      | assert E
      | assume E
      | C ; D
      | C [] D
      | while * do S end
Page 15
source language → intermediate language → passive command → verification condition
Translation from source language to intermediate language:
Tr[ x := E ] = x := E
Tr[ assert E ] = assert E
Tr[ S;T ] = Tr[ S ] ; Tr[ T ]
Tr[ if E then S else T end ] = ( assume E ; Tr[ S ] [] assume ¬E ; Tr[ T ] )
Tr[ while E do S end ] = while * do assume E ; Tr[ S ] end ; assume ¬E
Page 16
source language → intermediate language → passive command → verification condition
Translation from source language to intermediate language, with the loop unrolled once after the loop:
Tr[ x := E ] = x := E
Tr[ assert E ] = assert E
Tr[ S;T ] = Tr[ S ] ; Tr[ T ]
Tr[ if E then S else T end ] = ( assume E ; Tr[ S ] [] assume ¬E ; Tr[ T ] )
Tr[ while E do S end ] = while * do assume E ; Tr[ S ] end ; ( assume E ; Tr[ S ] ; assume false [] assume ¬E )
where the while * do … end part is replaced by: x := * ; assume J
Page 17
source language → intermediate language → passive command → verification condition
Passive command:
• variation on Single Static Assignment (SSA) form
Examples:
• if name of x before assert E is x0, then translate assert E into: assert E[x0 / x]
• if name of x before x := E is x0, then make up a new name x1 and translate x := E into: assume x1 = E[x0 / x]
Page 18
source language → intermediate language → passive command → verification condition
• if name of x is x0 after S and x1 after T, then make up a new name x2 and translate S [] T into:
  S’ ; assume x2 = x0 [] T’ ; assume x2 = x1
• if name of x is x0 before while * do S end, then make up a new name x1 and translate the loop into: assume J(x0, x1), where J is an uninterpreted predicate symbol
Page 19
source language → intermediate language → passive command → verification condition
Verification condition (weakest precondition of a passive command):
• wp( assert E, Q ) = E ∧ Q
• wp( assume E, Q ) = E ⇒ Q
• wp( S;T, Q ) = wp( S, wp( T, Q ) )
• wp( S [] T, Q ) = wp( S, Q ) ∧ wp( T, Q )
Page 20
Example: finding index of minimum element in an array
m := 0; x := 0;
while x < N do
  if * then m := x end;
  x := x + 1
end;
if N > 0 then
  assert 0 ≤ m < N
end
Page 21
Example: passive command
assume m0 = 0; assume x0 = 0;
assume J(m0, m1, x0, x1);
( assume x1 < N ;
  ( assume m2 = m1 [] assume m2 = x1 );
  assume x2 = x1 + 1;
  assume false
[] assume ¬(x1 < N)
);
( assume N > 0 ; assert 0 ≤ m1 < N
[] assume ¬(N > 0)
)
Page 22
Example: from monome to lemma
M : m0 = 0 ∧ x0 = 0 ∧ J(m0, m1, x0, x1) ∧ ¬(x1 < N) ∧ N > 0 ∧ ¬(0 ≤ m1 < N)
On entry to the loop, the names m0, m1, N are in scope, about which M says:
m0 = 0 ∧ x0 = 0 ∧ N > 0
Thus, assuming the condition: m0 = 0 ∧ x0 = 0 ∧ N > 0 ∧ m0 = m ∧ x0 = x
on entry to the loop, an abstract interpreter may infer the following loop invariant:
0 = m0 ≤ m < N ∧ 0 = x0 ≤ x ≤ N
Thus, the abstract interpreter produces the following lemma about J:
m0 = 0 ∧ x0 = 0 ∧ N > 0 ∧ J(m0, m1, x0, x1) ⇒ 0 = m0 ≤ m1 < N ∧ 0 = x0 ≤ x1 ≤ N
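As an added illustration (my own code, not from the talk or from the Spec#/Boogie tools), the following Python encodes the wp rules, builds the passive command of the min-index example, and stands in for the theorem prover with a bounded search over small integer models: with J uninterpreted it finds a falsifying model of the same shape as the monome M, and with J constrained by the lemma the search finds none. The names PASSIVE, VC, j_uninterpreted, j_with_lemma and find_counterexample are assumptions of this example.

```python
from itertools import product
# Passive commands are tuples; formulas are predicates over a model (a dict
# mapping passive names to values), so a VC can be evaluated under a candidate model.
def assert_(e): return ("assert", e)
def assume(e): return ("assume", e)
def seq(*cs): return ("seq", cs)
def choice(c, d): return ("choice", c, d)

def wp(cmd, q):
    """Weakest precondition of a passive command, following the talk's wp rules."""
    tag = cmd[0]
    if tag == "assert":                  # wp(assert E, Q) = E and Q
        return lambda v: cmd[1](v) and q(v)
    if tag == "assume":                  # wp(assume E, Q) = E implies Q
        return lambda v: (not cmd[1](v)) or q(v)
    if tag == "seq":                     # wp(S;T, Q) = wp(S, wp(T, Q))
        for c in reversed(cmd[1]):
            q = wp(c, q)
        return q
    a, b = wp(cmd[1], q), wp(cmd[2], q)  # wp(S [] T, Q) = wp(S, Q) and wp(T, Q)
    return lambda v: a(v) and b(v)

# The passive command of the min-index example; J is looked up in the model.
PASSIVE = seq(
    assume(lambda v: v["m0"] == 0), assume(lambda v: v["x0"] == 0),
    assume(lambda v: v["J"](v["m0"], v["m1"], v["x0"], v["x1"])),
    choice(seq(assume(lambda v: v["x1"] < v["N"]),
               choice(assume(lambda v: v["m2"] == v["m1"]),
                      assume(lambda v: v["m2"] == v["x1"])),
               assume(lambda v: v["x2"] == v["x1"] + 1),
               assume(lambda v: False)),
           assume(lambda v: not (v["x1"] < v["N"]))),
    choice(seq(assume(lambda v: v["N"] > 0),
               assert_(lambda v: 0 <= v["m1"] < v["N"])),
           assume(lambda v: not (v["N"] > 0))))
VC = wp(PASSIVE, lambda v: True)        # generated once; only J's meaning changes
def j_uninterpreted(N):
    """Before any lemma: J is uninterpreted, so every argument tuple may satisfy it."""
    return lambda m0, m1, x0, x1: True
def j_with_lemma(N):
    """J constrained by the slide's lemma: the entry facts and J imply the invariant."""
    return lambda m0, m1, x0, x1: not (m0 == 0 and x0 == 0 and N > 0) or (
        0 == m0 <= m1 < N and 0 == x0 <= x1 <= N)
def find_counterexample(j_of_N, bound=3):
    """Bounded search for a model falsifying the VC: the prover's 'counterexample' outcome."""
    for m0, x0, m1, x1, N in product(range(-1, bound + 1), repeat=5):
        v = dict(m0=m0, x0=x0, m1=m1, x1=x1, N=N, m2=0, x2=0, J=j_of_N(N))
        if not VC(v):
            return {k: v[k] for k in ("m0", "x0", "m1", "x1", "N")}
    return None
```

Every falsifying model the search returns has N > 0, ¬(x1 < N) and ¬(0 ≤ m1 < N), exactly the literals of the monome M; once J carries the lemma, those literals contradict J and the bounded search comes back empty.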
Page 23
Watch for preliminary release of Spec# next week
Summary and conclusions
• Spec# is a programming system that includes a static program verifier
• Trend: abstraction refinement on demand
• Inference of invariants can be done this way, inside theorem prover!
• Inference can be context sensitive
• VCs can be generated once
• Extensions to procedure summaries
http://research.microsoft.com/~leino
http://research.microsoft.com/projects/specsharp