Solving (Quantified) Horn Constraints for Program …...2015/09/30 · 2 9round : init(v) !inv 1(v)...
Transcript of Solving (Quantified) Horn Constraints for Program …...2015/09/30 · 2 9round : init(v) !inv 1(v)...
![Page 1: Solving (Quantified) Horn Constraints for Program …...2015/09/30 · 2 9round : init(v) !inv 1(v) inv 1(v) !mid(v) ^9v0: step(v;v0) ^inv 1(v0) mid(v) !inv 2(v) inv 2(v) ^:q(v) !p(v)](https://reader033.fdocuments.in/reader033/viewer/2022042914/5f4cce632fa39105f93ca930/html5/thumbnails/1.jpg)
Solving (Quantified) Horn Constraints for Program Verificationand Synthesis
Andrey Rybalchenko (Microsoft Research)
September 30, 2015
1 / 32
![Page 2: Solving (Quantified) Horn Constraints for Program …...2015/09/30 · 2 9round : init(v) !inv 1(v) inv 1(v) !mid(v) ^9v0: step(v;v0) ^inv 1(v0) mid(v) !inv 2(v) inv 2(v) ^:q(v) !p(v)](https://reader033.fdocuments.in/reader033/viewer/2022042914/5f4cce632fa39105f93ca930/html5/thumbnails/2.jpg)
Programs vs/as Equations
I Execution of rule-based programs
I Solving of equations in form of implication constraints
2 / 32
![Page 3: Solving (Quantified) Horn Constraints for Program …...2015/09/30 · 2 9round : init(v) !inv 1(v) inv 1(v) !mid(v) ^9v0: step(v;v0) ^inv 1(v0) mid(v) !inv 2(v) inv 2(v) ^:q(v) !p(v)](https://reader033.fdocuments.in/reader033/viewer/2022042914/5f4cce632fa39105f93ca930/html5/thumbnails/3.jpg)
Quiz
F1 := ∀x : (∃y : p(x , y))→ q(x)
vs.
F2 := ∀x ∀y : p(x , y)→ q(x)
3 / 32
![Page 4: Solving (Quantified) Horn Constraints for Program …...2015/09/30 · 2 9round : init(v) !inv 1(v) inv 1(v) !mid(v) ^9v0: step(v;v0) ^inv 1(v0) mid(v) !inv 2(v) inv 2(v) ^:q(v) !p(v)](https://reader033.fdocuments.in/reader033/viewer/2022042914/5f4cce632fa39105f93ca930/html5/thumbnails/4.jpg)
Transition System
I v - program variables
I init(v) - initial states
I step(v , v ′) - transition relation
I safe(v) - safe states
4 / 32
![Page 5: Solving (Quantified) Horn Constraints for Program …...2015/09/30 · 2 9round : init(v) !inv 1(v) inv 1(v) !mid(v) ^9v0: step(v;v0) ^inv 1(v0) mid(v) !inv 2(v) inv 2(v) ^:q(v) !p(v)](https://reader033.fdocuments.in/reader033/viewer/2022042914/5f4cce632fa39105f93ca930/html5/thumbnails/5.jpg)
Safety and Termination (WF) of Transition System
∃inv ∃round :
init(v)→ inv(v)
inv(v) ∧ step(v , v ′)→ inv(v ′)
inv(v)→ safe(v) safety
inv(v) ∧ step(v , v ′)→ round(v , v ′)
wf (round) well-foundedness
5 / 32
![Page 6: Solving (Quantified) Horn Constraints for Program …...2015/09/30 · 2 9round : init(v) !inv 1(v) inv 1(v) !mid(v) ^9v0: step(v;v0) ^inv 1(v0) mid(v) !inv 2(v) inv 2(v) ^:q(v) !p(v)](https://reader033.fdocuments.in/reader033/viewer/2022042914/5f4cce632fa39105f93ca930/html5/thumbnails/6.jpg)
Safety and Termination (WF) of Transition System
∃inv ∃round :
init(v)→ inv(v)
inv(v) ∧ step(v , v ′)→ inv(v ′)
inv(v)→ safe(v) safety
inv(v) ∧ step(v , v ′)→ round(v , v ′)
wf (round) well-foundedness
5 / 32
![Page 7: Solving (Quantified) Horn Constraints for Program …...2015/09/30 · 2 9round : init(v) !inv 1(v) inv 1(v) !mid(v) ^9v0: step(v;v0) ^inv 1(v0) mid(v) !inv 2(v) inv 2(v) ^:q(v) !p(v)](https://reader033.fdocuments.in/reader033/viewer/2022042914/5f4cce632fa39105f93ca930/html5/thumbnails/7.jpg)
From WF to DWF
wf (rel)
iff
∃ti :
rel(v , v ′)→ ti(v , v ′)
ti(v , v ′) ∧ rel(v ′, v ′′)→ ti(v , v ′′)
dwf (ti) disjunctive
well-foundedness
dwf - finite union of well-founded relations
6 / 32
![Page 8: Solving (Quantified) Horn Constraints for Program …...2015/09/30 · 2 9round : init(v) !inv 1(v) inv 1(v) !mid(v) ^9v0: step(v;v0) ^inv 1(v0) mid(v) !inv 2(v) inv 2(v) ^:q(v) !p(v)](https://reader033.fdocuments.in/reader033/viewer/2022042914/5f4cce632fa39105f93ca930/html5/thumbnails/8.jpg)
From WF to DWF
wf (rel)
iff
∃ti :
rel(v , v ′)→ ti(v , v ′)
ti(v , v ′) ∧ rel(v ′, v ′′)→ ti(v , v ′′)
dwf (ti) disjunctive
well-foundedness
dwf - finite union of well-founded relations
6 / 32
![Page 9: Solving (Quantified) Horn Constraints for Program …...2015/09/30 · 2 9round : init(v) !inv 1(v) inv 1(v) !mid(v) ^9v0: step(v;v0) ^inv 1(v0) mid(v) !inv 2(v) inv 2(v) ^:q(v) !p(v)](https://reader033.fdocuments.in/reader033/viewer/2022042914/5f4cce632fa39105f93ca930/html5/thumbnails/9.jpg)
Backward Safety of Transition System
∃inv :
¬safe(v)→ inv(v)
inv(v ′) ∧ step(v , v ′)→ inv(v)
inv(v) ∧ init(v)→ false
7 / 32
![Page 10: Solving (Quantified) Horn Constraints for Program …...2015/09/30 · 2 9round : init(v) !inv 1(v) inv 1(v) !mid(v) ^9v0: step(v;v0) ^inv 1(v0) mid(v) !inv 2(v) inv 2(v) ^:q(v) !p(v)](https://reader033.fdocuments.in/reader033/viewer/2022042914/5f4cce632fa39105f93ca930/html5/thumbnails/10.jpg)
Backward Safety of Transition System
∃inv :
¬safe(v)→ inv(v)
inv(v ′) ∧ step(v , v ′)→ inv(v)
inv(v) ∧ init(v)→ false
7 / 32
![Page 11: Solving (Quantified) Horn Constraints for Program …...2015/09/30 · 2 9round : init(v) !inv 1(v) inv 1(v) !mid(v) ^9v0: step(v;v0) ^inv 1(v0) mid(v) !inv 2(v) inv 2(v) ^:q(v) !p(v)](https://reader033.fdocuments.in/reader033/viewer/2022042914/5f4cce632fa39105f93ca930/html5/thumbnails/11.jpg)
Forward and Backward Safety of Transition System
∃finv ∃binv :
init(v)→ finv(v)
finv(v) ∧ step(v , v ′)→ finv(v ′)
¬safe(v)→ binv(v)
binv(v ′) ∧ step(v , v ′)→ binv(v)
finv(v) ∧ binv(v)→ false
8 / 32
![Page 12: Solving (Quantified) Horn Constraints for Program …...2015/09/30 · 2 9round : init(v) !inv 1(v) inv 1(v) !mid(v) ^9v0: step(v;v0) ^inv 1(v0) mid(v) !inv 2(v) inv 2(v) ^:q(v) !p(v)](https://reader033.fdocuments.in/reader033/viewer/2022042914/5f4cce632fa39105f93ca930/html5/thumbnails/12.jpg)
Forward and Backward Safety of Transition System
∃finv ∃binv :
init(v)→ finv(v)
finv(v) ∧ step(v , v ′)→ finv(v ′)
¬safe(v)→ binv(v)
binv(v ′) ∧ step(v , v ′)→ binv(v)
finv(v) ∧ binv(v)→ false
8 / 32
![Page 13: Solving (Quantified) Horn Constraints for Program …...2015/09/30 · 2 9round : init(v) !inv 1(v) inv 1(v) !mid(v) ^9v0: step(v;v0) ^inv 1(v0) mid(v) !inv 2(v) inv 2(v) ^:q(v) !p(v)](https://reader033.fdocuments.in/reader033/viewer/2022042914/5f4cce632fa39105f93ca930/html5/thumbnails/13.jpg)
Program with procedures
I v - program variables
I init(v) - initial states of main procedure
I step(v , v ′) - intra-procedural transition relation
I safe(v) - safe states
I call(v , v ′) - parameter passing relation
I ret(v , v ′) - return value passing
9 / 32
![Page 14: Solving (Quantified) Horn Constraints for Program …...2015/09/30 · 2 9round : init(v) !inv 1(v) inv 1(v) !mid(v) ^9v0: step(v;v0) ^inv 1(v0) mid(v) !inv 2(v) inv 2(v) ^:q(v) !p(v)](https://reader033.fdocuments.in/reader033/viewer/2022042914/5f4cce632fa39105f93ca930/html5/thumbnails/14.jpg)
Program with procedures
I v - program variables
I init(v) - initial states of main procedure
I step(v , v ′) - intra-procedural transition relation
I safe(v) - safe states
I call(v , v ′) - parameter passing relation
I ret(v , v ′) - return value passing
9 / 32
![Page 15: Solving (Quantified) Horn Constraints for Program …...2015/09/30 · 2 9round : init(v) !inv 1(v) inv 1(v) !mid(v) ^9v0: step(v;v0) ^inv 1(v0) mid(v) !inv 2(v) inv 2(v) ^:q(v) !p(v)](https://reader033.fdocuments.in/reader033/viewer/2022042914/5f4cce632fa39105f93ca930/html5/thumbnails/15.jpg)
Safety of Program with Procedures
∃sum :
init(v0)→ sum(v0, v0)
sum(v0, v1) ∧ step(v1, v2)→ sum(v0, v2)
sum(v0, v1) ∧ call(v1, v2)→ sum(v2, v2)
sum(v0, v1) ∧ call(v1, v2) ∧ sum(v2, v3) ∧ ret(v3, v4)→ sum(v0, v4)
sum(v0, v1)→ safe(v1)
10 / 32
![Page 16: Solving (Quantified) Horn Constraints for Program …...2015/09/30 · 2 9round : init(v) !inv 1(v) inv 1(v) !mid(v) ^9v0: step(v;v0) ^inv 1(v0) mid(v) !inv 2(v) inv 2(v) ^:q(v) !p(v)](https://reader033.fdocuments.in/reader033/viewer/2022042914/5f4cce632fa39105f93ca930/html5/thumbnails/16.jpg)
Safety of Program with Procedures
∃sum :
init(v0)→ sum(v0, v0)
sum(v0, v1) ∧ step(v1, v2)→ sum(v0, v2)
sum(v0, v1) ∧ call(v1, v2)→ sum(v2, v2)
sum(v0, v1) ∧ call(v1, v2) ∧ sum(v2, v3) ∧ ret(v3, v4)→ sum(v0, v4)
sum(v0, v1)→ safe(v1)
10 / 32
![Page 17: Solving (Quantified) Horn Constraints for Program …...2015/09/30 · 2 9round : init(v) !inv 1(v) inv 1(v) !mid(v) ^9v0: step(v;v0) ^inv 1(v0) mid(v) !inv 2(v) inv 2(v) ^:q(v) !p(v)](https://reader033.fdocuments.in/reader033/viewer/2022042914/5f4cce632fa39105f93ca930/html5/thumbnails/17.jpg)
Termination of Program with Procedures
∃round ∃descent :
. . .
sum(v0, v1) ∧ step(v1, v2)→ round(v1, v2)
sum(v0, v1) ∧ call(v1, v2) ∧ sum(v2, v3) ∧ ret(v3, v4)→ round(v1, v4)
sum(v0, v1) ∧ call(v1, v2)→ descent(v0, v2)
wf (round)
wf (descent)
11 / 32
![Page 18: Solving (Quantified) Horn Constraints for Program …...2015/09/30 · 2 9round : init(v) !inv 1(v) inv 1(v) !mid(v) ^9v0: step(v;v0) ^inv 1(v0) mid(v) !inv 2(v) inv 2(v) ^:q(v) !p(v)](https://reader033.fdocuments.in/reader033/viewer/2022042914/5f4cce632fa39105f93ca930/html5/thumbnails/18.jpg)
Termination of Program with Procedures
∃round ∃descent :
. . .
sum(v0, v1) ∧ step(v1, v2)→ round(v1, v2)
sum(v0, v1) ∧ call(v1, v2) ∧ sum(v2, v3) ∧ ret(v3, v4)→ round(v1, v4)
sum(v0, v1) ∧ call(v1, v2)→ descent(v0, v2)
wf (round)
wf (descent)
11 / 32
![Page 19: Solving (Quantified) Horn Constraints for Program …...2015/09/30 · 2 9round : init(v) !inv 1(v) inv 1(v) !mid(v) ^9v0: step(v;v0) ^inv 1(v0) mid(v) !inv 2(v) inv 2(v) ^:q(v) !p(v)](https://reader033.fdocuments.in/reader033/viewer/2022042914/5f4cce632fa39105f93ca930/html5/thumbnails/19.jpg)
Termination of Program with Procedures
∃round ∃descent :
. . .
sum(v0, v1) ∧ step(v1, v2)→ round(v1, v2)
sum(v0, v1) ∧ call(v1, v2) ∧ sum(v2, v3) ∧ ret(v3, v4)→ round(v1, v4)
sum(v0, v1) ∧ call(v1, v2)→ descent(v0, v2)
wf (round)
wf (descent)
11 / 32
![Page 20: Solving (Quantified) Horn Constraints for Program …...2015/09/30 · 2 9round : init(v) !inv 1(v) inv 1(v) !mid(v) ^9v0: step(v;v0) ^inv 1(v0) mid(v) !inv 2(v) inv 2(v) ^:q(v) !p(v)](https://reader033.fdocuments.in/reader033/viewer/2022042914/5f4cce632fa39105f93ca930/html5/thumbnails/20.jpg)
Solving Horn Constraints
12 / 32
![Page 21: Solving (Quantified) Horn Constraints for Program …...2015/09/30 · 2 9round : init(v) !inv 1(v) inv 1(v) !mid(v) ^9v0: step(v;v0) ^inv 1(v0) mid(v) !inv 2(v) inv 2(v) ^:q(v) !p(v)](https://reader033.fdocuments.in/reader033/viewer/2022042914/5f4cce632fa39105f93ca930/html5/thumbnails/21.jpg)
Symbolic self-composition (for non-interference)
∃sum :
. . .
v0 6= w0 ∧ sum(v0, v1) ∧ sum(w0,w1)→ v1 = w1
13 / 32
![Page 22: Solving (Quantified) Horn Constraints for Program …...2015/09/30 · 2 9round : init(v) !inv 1(v) inv 1(v) !mid(v) ^9v0: step(v;v0) ^inv 1(v0) mid(v) !inv 2(v) inv 2(v) ^:q(v) !p(v)](https://reader033.fdocuments.in/reader033/viewer/2022042914/5f4cce632fa39105f93ca930/html5/thumbnails/22.jpg)
Multi-Threaded Program
I v = (g , l1, l2) - global and thread-local variables
I init(v) - initial states
I safe(v) - safe states
I step1 (v , v ′) - transition relation of 1st thread, preserves l2I step2 (v , v ′) - transition relation of 2nd thread, preserves l1
14 / 32
![Page 23: Solving (Quantified) Horn Constraints for Program …...2015/09/30 · 2 9round : init(v) !inv 1(v) inv 1(v) !mid(v) ^9v0: step(v;v0) ^inv 1(v0) mid(v) !inv 2(v) inv 2(v) ^:q(v) !p(v)](https://reader033.fdocuments.in/reader033/viewer/2022042914/5f4cce632fa39105f93ca930/html5/thumbnails/23.jpg)
Multi-Threaded Program
I v = (g , l1, l2) - global and thread-local variables
I init(v) - initial states
I safe(v) - safe states
I step1 (v , v ′) - transition relation of 1st thread, preserves l2I step2 (v , v ′) - transition relation of 2nd thread, preserves l1
14 / 32
![Page 24: Solving (Quantified) Horn Constraints for Program …...2015/09/30 · 2 9round : init(v) !inv 1(v) inv 1(v) !mid(v) ^9v0: step(v;v0) ^inv 1(v0) mid(v) !inv 2(v) inv 2(v) ^:q(v) !p(v)](https://reader033.fdocuments.in/reader033/viewer/2022042914/5f4cce632fa39105f93ca930/html5/thumbnails/24.jpg)
Rely/Guarantee Rule for Safety
∃inv1 ∃inv2 ∃env1 ∃env2 :
init(v)→ inv1 (v)
inv1 (v) ∧ step1 (v , v ′)→ inv1 (v ′) ∧ env2 (v , v ′)
inv1 (v) ∧ env1 (v , v ′)→ inv1 (v ′)
· · ·inv1 (v) ∧ inv2 (v)→ safe(v)
Clauses for preservation of inv2 (v) are symmetric
15 / 32
![Page 25: Solving (Quantified) Horn Constraints for Program …...2015/09/30 · 2 9round : init(v) !inv 1(v) inv 1(v) !mid(v) ^9v0: step(v;v0) ^inv 1(v0) mid(v) !inv 2(v) inv 2(v) ^:q(v) !p(v)](https://reader033.fdocuments.in/reader033/viewer/2022042914/5f4cce632fa39105f93ca930/html5/thumbnails/25.jpg)
Resolving Rely/Guarantee Rule
∃env2 :
· · ·inv1 (v) ∧ step1 (v , v ′)→ env2 (v , v ′)
· · ·inv2 (v) ∧ env2 (v , v ′)→ inv2 (v ′)
· · ·
16 / 32
![Page 26: Solving (Quantified) Horn Constraints for Program …...2015/09/30 · 2 9round : init(v) !inv 1(v) inv 1(v) !mid(v) ^9v0: step(v;v0) ^inv 1(v0) mid(v) !inv 2(v) inv 2(v) ^:q(v) !p(v)](https://reader033.fdocuments.in/reader033/viewer/2022042914/5f4cce632fa39105f93ca930/html5/thumbnails/26.jpg)
Into Owicki/Gries Rule
· · ·env2 (v , v ′) := inv1 (v) ∧ step1 (v , v ′)
· · ·inv2 (v) ∧ inv1 (v) ∧ step1 (v , v ′)→ inv2 (v ′)
· · ·
17 / 32
![Page 27: Solving (Quantified) Horn Constraints for Program …...2015/09/30 · 2 9round : init(v) !inv 1(v) inv 1(v) !mid(v) ^9v0: step(v;v0) ^inv 1(v0) mid(v) !inv 2(v) inv 2(v) ^:q(v) !p(v)](https://reader033.fdocuments.in/reader033/viewer/2022042914/5f4cce632fa39105f93ca930/html5/thumbnails/27.jpg)
Owicki/Gries Rule for Safety
∃inv1 ∃inv2 :
init(v)→ inv1 (v)
inv1 (v) ∧ step1 (v , v ′)→ inv1 (v ′)
inv1 (v) ∧ inv2 (v) ∧ step2 (v , v ′)→ inv1 (v ′)
· · ·inv1 (v) ∧ inv2 (v)→ safe(v)
Clauses for preservation of inv2 (v) are symmetric
18 / 32
![Page 28: Solving (Quantified) Horn Constraints for Program …...2015/09/30 · 2 9round : init(v) !inv 1(v) inv 1(v) !mid(v) ^9v0: step(v;v0) ^inv 1(v0) mid(v) !inv 2(v) inv 2(v) ^:q(v) !p(v)](https://reader033.fdocuments.in/reader033/viewer/2022042914/5f4cce632fa39105f93ca930/html5/thumbnails/28.jpg)
Thread-Modular Rule for Safety
∃inv1 ∃inv2 ∃env :
init(v)→ inv1 (g , l1)
inv1 (g , l1) ∧ step1 (v , v ′)→ inv1 (g ′, l ′1) ∧ env(g , g ′)
· · ·inv1 (g , l1) ∧ inv2 (g , l2)→ safe(v)
Clauses for preservation of inv2 (v) are symmetric
19 / 32
![Page 29: Solving (Quantified) Horn Constraints for Program …...2015/09/30 · 2 9round : init(v) !inv 1(v) inv 1(v) !mid(v) ^9v0: step(v;v0) ^inv 1(v0) mid(v) !inv 2(v) inv 2(v) ^:q(v) !p(v)](https://reader033.fdocuments.in/reader033/viewer/2022042914/5f4cce632fa39105f93ca930/html5/thumbnails/29.jpg)
Quantifier Free Horn Clauses
∀v ∀w : body(v ,w)→ head(v)
body(v ,w) and head(v) are quantifier free
20 / 32
![Page 30: Solving (Quantified) Horn Constraints for Program …...2015/09/30 · 2 9round : init(v) !inv 1(v) inv 1(v) !mid(v) ^9v0: step(v;v0) ^inv 1(v0) mid(v) !inv 2(v) inv 2(v) ^:q(v) !p(v)](https://reader033.fdocuments.in/reader033/viewer/2022042914/5f4cce632fa39105f93ca930/html5/thumbnails/30.jpg)
Quantified Horn Clauses
I Existential temporal properties, e.g., CTL
I Program synthesis and infinite-state game solving
I Inference of transactions for concurrent programs
∀v ∀w : body(v ,w)→ ∃x : head(v , x)
I Quantified invariants/auxiliary assertions
∀v ∀w : (∀y : body(v ,w , y))→ head(v)
21 / 32
![Page 31: Solving (Quantified) Horn Constraints for Program …...2015/09/30 · 2 9round : init(v) !inv 1(v) inv 1(v) !mid(v) ^9v0: step(v;v0) ^inv 1(v0) mid(v) !inv 2(v) inv 2(v) ^:q(v) !p(v)](https://reader033.fdocuments.in/reader033/viewer/2022042914/5f4cce632fa39105f93ca930/html5/thumbnails/31.jpg)
Existentially Quantified Horn Clauses
∀v ∀w : body(v ,w)→ ∃x : head(v , x)
body(v ,w) and head(v , x) are quantifier free
22 / 32
![Page 32: Solving (Quantified) Horn Constraints for Program …...2015/09/30 · 2 9round : init(v) !inv 1(v) inv 1(v) !mid(v) ^9v0: step(v;v0) ^inv 1(v0) mid(v) !inv 2(v) inv 2(v) ^:q(v) !p(v)](https://reader033.fdocuments.in/reader033/viewer/2022042914/5f4cce632fa39105f93ca930/html5/thumbnails/32.jpg)
Proving CTL Properties
(init(v), step(v , v ′)) |= EF (q(v))
(init(v), step(v , v ′)) |= EG (EU(p(v), q(v)))
Based on proof system for CTL* by Kesten and Pnueli [TCS’05]
23 / 32
![Page 33: Solving (Quantified) Horn Constraints for Program …...2015/09/30 · 2 9round : init(v) !inv 1(v) inv 1(v) !mid(v) ^9v0: step(v;v0) ^inv 1(v0) mid(v) !inv 2(v) inv 2(v) ^:q(v) !p(v)](https://reader033.fdocuments.in/reader033/viewer/2022042914/5f4cce632fa39105f93ca930/html5/thumbnails/33.jpg)
Proving EF (q(v))
∃inv ∃round :
init(v)→ inv(v)
inv(v) ∧ ¬q(v)→ ∃v ′ : step(v , v ′)
∧ inv(v ′)
∧ round(v , v ′)
wf (round)
24 / 32
![Page 34: Solving (Quantified) Horn Constraints for Program …...2015/09/30 · 2 9round : init(v) !inv 1(v) inv 1(v) !mid(v) ^9v0: step(v;v0) ^inv 1(v0) mid(v) !inv 2(v) inv 2(v) ^:q(v) !p(v)](https://reader033.fdocuments.in/reader033/viewer/2022042914/5f4cce632fa39105f93ca930/html5/thumbnails/34.jpg)
Decomposing EG (EU(p(v), q(v)))
(init(v), step(v , v ′)) |= EG (EU(p(v), q(v)))
iff
∃mid :
(init(v), step(v , v ′)) |= EG (mid(v))
(mid(v), step(v , v ′)) |= EU(p(v), q(v))
25 / 32
![Page 35: Solving (Quantified) Horn Constraints for Program …...2015/09/30 · 2 9round : init(v) !inv 1(v) inv 1(v) !mid(v) ^9v0: step(v;v0) ^inv 1(v0) mid(v) !inv 2(v) inv 2(v) ^:q(v) !p(v)](https://reader033.fdocuments.in/reader033/viewer/2022042914/5f4cce632fa39105f93ca930/html5/thumbnails/35.jpg)
Proving (init(v), step(v , v ′)) |= EG (mid(v)) and
(mid(v), step(v , v ′)) |= EU(p(v), q(v))
∃mid ∃inv1 ∃inv2 ∃round :
init(v)→ inv1 (v)
inv1 (v)→ mid(v) ∧ ∃v ′ : step(v , v ′) ∧ inv1 (v ′)
mid(v)→ inv2 (v)
inv2 (v) ∧ ¬q(v)→ p(v) ∧ ∃v ′ : step(v , v ′) ∧ inv2 (v ′) ∧ round(v , v ′)
wf (round)
26 / 32
![Page 36: Solving (Quantified) Horn Constraints for Program …...2015/09/30 · 2 9round : init(v) !inv 1(v) inv 1(v) !mid(v) ^9v0: step(v;v0) ^inv 1(v0) mid(v) !inv 2(v) inv 2(v) ^:q(v) !p(v)](https://reader033.fdocuments.in/reader033/viewer/2022042914/5f4cce632fa39105f93ca930/html5/thumbnails/36.jpg)
Solving Infinite-State Game
Given five empty bottles arranged in circle and jar full of water
I Stepmother pours all water from jar into some bottles
I Cinderella empties pair of adjucent bottles
I Jar is refilled for next round
Stepmother wins if some bottle overflows
27 / 32
![Page 37: Solving (Quantified) Horn Constraints for Program …...2015/09/30 · 2 9round : init(v) !inv 1(v) inv 1(v) !mid(v) ^9v0: step(v;v0) ^inv 1(v0) mid(v) !inv 2(v) inv 2(v) ^:q(v) !p(v)](https://reader033.fdocuments.in/reader033/viewer/2022042914/5f4cce632fa39105f93ca930/html5/thumbnails/37.jpg)
Formalization of Game Arena
I v = (v1, . . . , v5)
I B - bottle volume
I J - jar volume
init(v) = (v1 = · · · = v5 = 0)
cindy(v , v ′) = (v ′1 = v ′2 = 0 ∧ same(v3, v4, v5) ∨· · ·∨ v ′5 = v ′1 = 0 ∧ same(v2, v3, v4))
step(v , v ′) = (v ′1 ≥ v1 ∧ · · · ∧ v ′5 ≥ v5 ∧v ′1 + · · ·+ v ′5 − (v1 + · · ·+ v5) = J)
over(v) = (v1 > B ∨ · · · ∨ v5 > B)
28 / 32
![Page 38: Solving (Quantified) Horn Constraints for Program …...2015/09/30 · 2 9round : init(v) !inv 1(v) inv 1(v) !mid(v) ^9v0: step(v;v0) ^inv 1(v0) mid(v) !inv 2(v) inv 2(v) ^:q(v) !p(v)](https://reader033.fdocuments.in/reader033/viewer/2022042914/5f4cce632fa39105f93ca930/html5/thumbnails/38.jpg)
Stepmother’s Victory as Constraint Satisfaction
∃win ∃round :
init(v)→ win(v)
win(v) ∧ ¬over(v) ∧ cindy(v , v ′)→ ∃v ′′ : step(v ′, v ′′)
∧ win(v ′′)
∧ round(v , v ′′)
wf (round)
29 / 32
![Page 39: Solving (Quantified) Horn Constraints for Program …...2015/09/30 · 2 9round : init(v) !inv 1(v) inv 1(v) !mid(v) ^9v0: step(v;v0) ^inv 1(v0) mid(v) !inv 2(v) inv 2(v) ^:q(v) !p(v)](https://reader033.fdocuments.in/reader033/viewer/2022042914/5f4cce632fa39105f93ca930/html5/thumbnails/39.jpg)
Example: instantiation of universal quantifiers
for(i = 0; i < n; i++) {
a[i] = i;
}
assert("forall p: 0 <= p && p < n -> a[p] == p");
30 / 32
![Page 40: Solving (Quantified) Horn Constraints for Program …...2015/09/30 · 2 9round : init(v) !inv 1(v) inv 1(v) !mid(v) ^9v0: step(v;v0) ^inv 1(v0) mid(v) !inv 2(v) inv 2(v) ^:q(v) !p(v)](https://reader033.fdocuments.in/reader033/viewer/2022042914/5f4cce632fa39105f93ca930/html5/thumbnails/40.jpg)
Example: instantiation of universal quantifiers
for(i = 0; i < n; i++) {
a[i] = i;
}
assert("forall p: 0 <= p && p < n -> a[p] == p");
∃invv1 :
∀i , n ∀a: i = 0→ invv1 (i , n, a)
∀i , n ∀a, a′: invv1 (i , n, a) ∧ i < n ∧ a′ = a{i := i} → invv1 (i + 1, n, a′)
∀i , n ∀a: invv1 (i , n, a)→ (∀q : 0 ≤ q < n→ a(q) = q)
30 / 32
![Page 41: Solving (Quantified) Horn Constraints for Program …...2015/09/30 · 2 9round : init(v) !inv 1(v) inv 1(v) !mid(v) ^9v0: step(v;v0) ^inv 1(v0) mid(v) !inv 2(v) inv 2(v) ^:q(v) !p(v)](https://reader033.fdocuments.in/reader033/viewer/2022042914/5f4cce632fa39105f93ca930/html5/thumbnails/41.jpg)
Example: instantiation of universal quantifiers
for(i = 0; i < n; i++) {
a[i] = i;
}
assert("forall p: 0 <= p && p < n -> a[p] == p");
∃invv2 :
∀i , n ∀a: i = 0→ (∀q : invv2 (i , n, q, a(q)))
∀i , n ∀a, a′: (∀p : invv2 (i , n, p, a(p))) ∧ i < n ∧ a′ = a{i := i} →
(∀q : invv2 (i , n, q, a′(q)))
∀i , n ∀a: (∀p : invv2 (i , n, p, a(p))→ (∀q : 0 ≤ q < n→ a(q) = q)
30 / 32
![Page 42: Solving (Quantified) Horn Constraints for Program …...2015/09/30 · 2 9round : init(v) !inv 1(v) inv 1(v) !mid(v) ^9v0: step(v;v0) ^inv 1(v0) mid(v) !inv 2(v) inv 2(v) ^:q(v) !p(v)](https://reader033.fdocuments.in/reader033/viewer/2022042914/5f4cce632fa39105f93ca930/html5/thumbnails/42.jpg)
Example: instantiation of universal quantifiers
for(i = 0; i < n; i++) {
a[i] = i;
}
assert("forall p: 0 <= p && p < n -> a[p] == p");
∃invv2 ∃t1 , t2 :
i = 0→ invv2 (i , n, q, a(q)))
t1 (i , n, q, p) ∧ invv2 (i , n, p, a(p)) ∧ i < n ∧ a′ = a{i := i} →
invv2 (i , n, q, a′(q))
t2 (i , n, q, p) ∧ invv2 (i , n, p, a(p)) ∧ 0 ≤ q < n→ a(q) = q
30 / 32
![Page 43: Solving (Quantified) Horn Constraints for Program …...2015/09/30 · 2 9round : init(v) !inv 1(v) inv 1(v) !mid(v) ^9v0: step(v;v0) ^inv 1(v0) mid(v) !inv 2(v) inv 2(v) ^:q(v) !p(v)](https://reader033.fdocuments.in/reader033/viewer/2022042914/5f4cce632fa39105f93ca930/html5/thumbnails/43.jpg)
Universally Quantified Invariant for Termination
for(i = 0; i < n; i++) a[i] = 1;
while (x > 0)
for(i = 0; i < n; i++) x = x-a[i];
∃inv ∃round :
. . .
inv(i , n, x , a) ∧ next(i , n, x , a, i ′, n′, x ′, a′)→ round(i , n, x , a, i ′, n′, x ′, a′)
wf (round)
31 / 32
![Page 44: Solving (Quantified) Horn Constraints for Program …...2015/09/30 · 2 9round : init(v) !inv 1(v) inv 1(v) !mid(v) ^9v0: step(v;v0) ^inv 1(v0) mid(v) !inv 2(v) inv 2(v) ^:q(v) !p(v)](https://reader033.fdocuments.in/reader033/viewer/2022042914/5f4cce632fa39105f93ca930/html5/thumbnails/44.jpg)
Further Pointers
I Solving recursion-free clauses over LI+UIF, [APLAS’11]
I Solving quantifier free clauses and well-foundedness, [PLDI’12]
I Solving existentially quantified clauses: [CAV’13]
I Solving universally quantified clauses: [SAS’13]
I Proof rules for multi-threaded programs [POPL’11, CAV’11, TACAS’12]
I Proof rules for functional programs [CAV’11, SAS’12]
I Software verification competition [SV-COMP’12, SV-COMP’13]
I Separation logic modulo theories [APLAS’13]
I A constraint-based approach to solving games on infinite graphs [POPL’2014]
I Compositional repair of programs with procedures
I Solving Horn clauses with cardinality constraints
I Probabilistic relational reasoning
32 / 32