Challenges in Decomposing Encodings of Verification Problems Peter - - PowerPoint PPT Presentation

challenges in decomposing encodings of verification
SMART_READER_LITE
LIVE PREVIEW

Challenges in Decomposing Encodings of Verification Problems Peter - - PowerPoint PPT Presentation

Jan 29, 2023 342 likes •765 views

Challenges in Decomposing Encodings of Verification Problems Peter Schrammel HCVS 2016 Eindhoven, The Netherlands Introduction 2LS for Program Analysis Encoding Decomposition Lessons Learned Motivation Modern software verification tools:

slide-1
SLIDE 1

Challenges in Decomposing Encodings of Verification Problems

Peter Schrammel HCVS 2016 Eindhoven, The Netherlands

slide-2
SLIDE 2

Introduction 2LS for Program Analysis Encoding Decomposition Lessons Learned

Motivation

Modern software verification tools:

verification problem specification program formula solver

2 / 24

slide-3
SLIDE 3

Introduction 2LS for Program Analysis Encoding Decomposition Lessons Learned

Motivation

Modern software verification tools:

verification problem specification program formula solver

Large programs: Problem: Formula too large for existing backend solvers

2 / 24

slide-4
SLIDE 4

Introduction 2LS for Program Analysis Encoding Decomposition Lessons Learned

Motivation

Modern software verification tools:

verification problem specification program formula solver

Large programs: Problem: Formula too large for existing backend solvers Solution: Make formula smaller

2 / 24

slide-5
SLIDE 5

Introduction 2LS for Program Analysis Encoding Decomposition Lessons Learned

Motivation

Modern software verification tools:

verification problem specification program formula solver

Large programs: Problem: Formula too large for existing backend solvers Solution: Make formula smaller

verification problem specification program preprocess formula solver

2 / 24

slide-6
SLIDE 6

Introduction 2LS for Program Analysis Encoding Decomposition Lessons Learned

Motivation

Modern software verification tools:

verification problem specification program formula solver

Large programs: Problem: Formula too large for existing backend solvers Solution: Make formula smaller

verification problem specification program preprocess formula decompose solver solver solver

2 / 24

slide-7
SLIDE 7

Introduction 2LS for Program Analysis Encoding Decomposition Lessons Learned

Case Studies: Termination Analyses (ASE’15)

Universal termination: Result: terminating / potentially non-term. / non-terminating Decision problem Conditional termination: Result: sufficient precondition for termination Inference problem

3 / 24

slide-8
SLIDE 8

Introduction 2LS for Program Analysis Encoding Decomposition Lessons Learned

Case Studies: Termination Analyses (ASE’15)

Universal termination: Result: terminating / potentially non-term. / non-terminating Decision problem Conditional termination: Result: sufficient precondition for termination Inference problem

3 / 24

slide-9
SLIDE 9

Introduction 2LS for Program Analysis Encoding Decomposition Lessons Learned

Example: Universal Termination Analysis

Encoding of the modular universal termination problem: ∃2Summaryf1, . . . , Summaryfn :

f ∈F

∃2Invf , RRf : ∀xinf , xf , x′f , xoutf : Initf (xinf , xf ) = ⇒ Invf (xf ) ∧ Invf (xf ) ∧ Transf (xf , x′f ) ∧

hi∈Hf Summaryh(xp inhi, xp outhi)

= ⇒ Invf (x′f ) ∧ RRf (xf , x′f ) ∧ Initf (xinf , xf ) ∧ Invf (x′f ) ∧ Outf (x′f , xoutf ) = ⇒ Summaryf (xinf , xoutf ) Decomposition: Procedural, top-down, context-sensitive

4 / 24

slide-10
SLIDE 10

Introduction 2LS for Program Analysis Encoding Decomposition Lessons Learned

Example: Universal Termination Analysis

Benchmarks: Product line benchmarks from SV-COMP (597 benchmarks, 1.6 MLOC) Non-trivial procedural structure (on average 67 procedures, 5.5 loops) Results:

expected 2LS IPTA 2LS MTA TAN Ultimate terminating 264 249 26 18 50 non-terminating 333 320 333 3 324 potentially non-terminating — 14 1 425 timed out (0.5h) — 14 237 150 43 errors — 1 180 total run time (h) — 58.7 119.6 92.8 23.9 5 / 24

slide-11
SLIDE 11

Introduction 2LS for Program Analysis Encoding Decomposition Lessons Learned

2LS for Program Analysis

http://www.cprover.org/2LS Verification and static analysis on logical formulae Approximates solution to 2OL by reduction to FOL

verification problem specification program preprocess formula abstract & refine template- based synthesis template- based synthesis template- based synthesis

Bit-precise analysis

(including floating-point arithmetic)

Template-based synthesis

(using strategy iteration for optimisation)

SV-COMP’16

Analysis features: Interprocedural static analysis, termination analysis Incremental BMC, k-induction, kIkI (SAS’15)

6 / 24

slide-12
SLIDE 12

Introduction 2LS for Program Analysis Encoding Decomposition Lessons Learned

Logical Specification of Verification Problems

Safety verification:

∃2Inv. ∀xin, x, x′.

  • Init(xin, x) =

⇒ Inv(x)

(Inv(x) ∧ Trans(x, x′) = ⇒ Inv(x′)) ∧ (Inv(x) = ⇒ ¬Err(x))

(Blass and Gurevich ’87, Grebenshchikov et al ’12, David et al ’15, ...)

7 / 24

slide-13
SLIDE 13

Introduction 2LS for Program Analysis Encoding Decomposition Lessons Learned

Logical Specification of Verification Problems

Safety verification:

∃2Inv. ∀xin, x, x′.

  • Init(xin, x) =

⇒ Inv(x)

(Inv(x) ∧ Trans(x, x′) = ⇒ Inv(x′)) ∧ (Inv(x) = ⇒ ¬Err(x))

Invariant inference:

min Inv. ∀x, x′. (Init(x) = ⇒ Inv(x)) ∧ (Inv(x) ∧ Trans(x, x′) = ⇒ Inv(x′))

(Blass and Gurevich ’87, Grebenshchikov et al ’12, David et al ’15, ...)

7 / 24

slide-14
SLIDE 14

Introduction 2LS for Program Analysis Encoding Decomposition Lessons Learned

Logical Specification of Verification Problems

Safety verification:

∃2Inv. ∀xin, x, x′.

  • Init(xin, x) =

⇒ Inv(x)

(Inv(x) ∧ Trans(x, x′) = ⇒ Inv(x′)) ∧ (Inv(x) = ⇒ ¬Err(x))

Invariant inference:

min Inv. ∀x, x′. (Init(x) = ⇒ Inv(x)) ∧ (Inv(x) ∧ Trans(x, x′) = ⇒ Inv(x′))

Termination verification:

∃2RR, Inv. ∀x, x′. (Init(x) = ⇒ Inv(x)) ∧

  • Inv(x) ∧ Trans(x, x′) =

⇒ Inv(x′) ∧ RR(x, x′)

  • . . .

(Blass and Gurevich ’87, Grebenshchikov et al ’12, David et al ’15, ...)

7 / 24

slide-15
SLIDE 15

Introduction 2LS for Program Analysis Encoding Decomposition Lessons Learned

Template-Based Synthesis

Reduction to first-order logic via templates, e.g. safety verification: ∃2Inv.∀x, x′1. (Init(x) = ⇒ Inv(x)) ∧ (Inv(x) ∧ Trans(x, x′) = ⇒ Inv(x′)) ∧ (Inv(x) = ⇒ ¬Err(x))

8 / 24

slide-16
SLIDE 16

Introduction 2LS for Program Analysis Encoding Decomposition Lessons Learned

Template-Based Synthesis

Reduction to first-order logic via templates, e.g. safety verification: ∃d. ∀x, x′. (Init(x) = ⇒ T (x, d)) ∧ (T (x, d) ∧ Trans(x, x′) = ⇒ T (x′, d)) ∧ (T (x, d) = ⇒ ¬Err(x)) where d are template parameters.

(Graf & Sa¨ ıdi CAV’97, . . . , Reps et al, . . . Brauer et al, . . . , Srivastava et al, . . . )

8 / 24

slide-17
SLIDE 17

Introduction 2LS for Program Analysis Encoding Decomposition Lessons Learned

Template-Based Synthesis

Reduction to first-order logic via templates, e.g. invariant inference: min d. ∀x, x′. (Init(x) = ⇒ T (x, d)) ∧ (T (x, d) ∧ Trans(x, x′) = ⇒ T (x′, d)) where d are template parameters.

(Graf & Sa¨ ıdi CAV’97, . . . , Reps et al, . . . Brauer et al, . . . , Srivastava et al, . . . )

8 / 24

slide-18
SLIDE 18

Introduction 2LS for Program Analysis Encoding Decomposition Lessons Learned

Solver Hierarchy

verification, synthesis, inference ∃2∀1 min2 ∀1 Eldarica, Spacer, . . . min1 ∀1 Symba, MathSAT-opt, . . . ∃1∀1        CVC4, Z3, MathSAT, . . . ∃1 ∃-propositional MiniSAT, Glucose, . . .

9 / 24

slide-19
SLIDE 19

Introduction 2LS for Program Analysis Encoding Decomposition Lessons Learned

Solver Hierarchy

verification, synthesis, inference ∃2∀1 min2 ∀1 Eldarica, Spacer, . . . ——————————————reduction min1 ∀1 Symba, MathSAT-opt, . . . ∃1∀1        CVC4, Z3, MathSAT, . . . ∃1 ∃-propositional MiniSAT, Glucose, . . .

9 / 24

slide-20
SLIDE 20

Introduction 2LS for Program Analysis Encoding Decomposition Lessons Learned

Program Encoding

Non-recursive programs with multiple procedures Procedure f :

  • Init(xin, x)

, Trans(x, x′) , Out(x, xout)

  • 10 / 24
slide-21
SLIDE 21

Introduction 2LS for Program Analysis Encoding Decomposition Lessons Learned

Program Encoding

Non-recursive programs with multiple procedures Procedure f :

  • Init(xin, x)

, Trans(x, x′) , Out(x, xout)

  • unsigned f(unsigned z) {

unsigned w = 0; w0 = 0 if(z>0) ∧ g4 = z > 0 w = h(z); ∧ h0(z, rh0) ∧ w1 = rh0 ∧ w φ

2 = g4?w1 : w0

return w; ∧ rh = xφ

1

} unsigned h(unsigned y) { unsigned x; g0 = true for (x=0; ∧ x0 = 0 ∧ g1 = g0 ∧ xφ

1 = (ls3?xlb 3 : x0)

x<10; ∧ g2 = (xφ

1 < 10 ∧ g1)

x+=y); ∧ x2 = xφ

1 + y

return x; ∧ rh = xφ

1

}

10 / 24

slide-22
SLIDE 22

Introduction 2LS for Program Analysis Encoding Decomposition Lessons Learned

Program Encoding

Non-recursive programs with multiple procedures Procedure f :

  • Init(xin, x)

, Trans(x, x′) , Out(x, xout)

  • unsigned f(unsigned z) {

unsigned w = 0; w0 = 0 if(z>0) ∧ g4 = z > 0 w = h(z); ∧ h0(z, rh0) ∧ w1 = rh0 ∧ w φ

2 = g4?w1 : w0

return w; ∧ rh = xφ

1

} unsigned h(unsigned y) { unsigned x; g0 = true for (x=0; ∧ x0 = 0 ∧ g1 = g0 ∧ xφ

1 = (ls3?xlb 3 : x0)

x<10; ∧ g2 = (xφ

1 < 10 ∧ g1)

x+=y); ∧ x2 = xφ

1 + y

return x; ∧ rh = xφ

1

}

10 / 24

slide-23
SLIDE 23

Introduction 2LS for Program Analysis Encoding Decomposition Lessons Learned

Example: Modular Universal Termination Problem

∃2Summaryf1, . . . , Summaryfn :

f ∈F

∃2Invf , RRf : ∀xinf , xf , x′f , xoutf : Initf (xinf , xf ) = ⇒ Invf (xf ) ∧ Invf (xf ) ∧ Transf (xf , x′f ) ∧

hi∈Hf Summaryh(xp inhi, xp outhi)

= ⇒ Invf (x′f ) ∧ RRf (xf , x′f ) ∧ Initf (xinf , xf ) ∧ Invf (x′f ) ∧ Outf (x′f , xoutf ) = ⇒ Summaryf (xinf , xoutf ) Decomposition into a sequence of subproblems Classical approach: Follow the call graph top-down

11 / 24

slide-24
SLIDE 24

Introduction 2LS for Program Analysis Encoding Decomposition Lessons Learned

Decomposition

Soundness of the decomposition by Soundness of the individual subproblems Soundness of the combination of the subproblem results Induction over the recursive decomposition algorithm

12 / 24

slide-25
SLIDE 25

Introduction 2LS for Program Analysis Encoding Decomposition Lessons Learned

Decomposition

Soundness of the decomposition by Soundness of the individual subproblems

(e.g. calling contexts, summaries, . . . )

Soundness of the combination of the subproblem results

(e.g. joins, fixed points, upwards propagation, . . . )

Induction over the recursive decomposition algorithm

(e.g. call graph traversal) 12 / 24

slide-26
SLIDE 26

Introduction 2LS for Program Analysis Encoding Decomposition Lessons Learned

Decomposition

Soundness of the decomposition by Soundness of the individual subproblems

(e.g. calling contexts, summaries, . . . )

Soundness of the combination of the subproblem results

(e.g. joins, fixed points, upwards propagation, . . . )

Induction over the recursive decomposition algorithm

(e.g. call graph traversal)

Problem Cyclically dependent predicates

12 / 24

slide-27
SLIDE 27

Introduction 2LS for Program Analysis Encoding Decomposition Lessons Learned

Example: Universal Termination

∃2Summaryf1, . . . , Summaryfn :

f ∈F

∃2Invf , RRf : ∀xinf , xf , x′f , xoutf : Initf (xinf , xf ) = ⇒ Invf (xf ) ∧ Invf (xf ) ∧ Transf (xf , x′f ) ∧

hi∈Hf Summaryh(xp inhi, xp outhi)

= ⇒ Invf (x′f ) ∧ RRf (xf , x′f ) ∧ Initf (xinf , xf ) ∧ Invf (x′f ) ∧ Outf (x′f , xoutf ) = ⇒ Summaryf (xinf , xoutf )

13 / 24

slide-28
SLIDE 28

Introduction 2LS for Program Analysis Encoding Decomposition Lessons Learned

Example: Universal Termination

Cyclically dependent predicates: Invf Summaryf RRf Summaryh

14 / 24

slide-29
SLIDE 29

Introduction 2LS for Program Analysis Encoding Decomposition Lessons Learned

Example: Universal Termination

Cyclically dependent predicates: Invf CallCtxf Sumf RRf Sumh CallCtxh termStatusf termStatush

15 / 24

slide-30
SLIDE 30

Introduction 2LS for Program Analysis Encoding Decomposition Lessons Learned

Example: Universal Termination

∃2Summaryf1, . . . , Summaryfn :

f ∈F

∃2Invf , RRf : ∀xinf , xf , x′f , xoutf : Initf (xinf , xf ) = ⇒ Invf (xf ) ∧ Invf (xf ) ∧ Transf (xf , x′f ) ∧

hi∈Hf Summaryh(xp inhi, xp outhi)

= ⇒ Invf (x′f ) ∧ RRf (xf , x′f ) ∧ Initf (xinf , xf ) ∧ Invf (x′f ) ∧ Outf (x′f , xoutf ) = ⇒ Summaryf (xinf , xoutf )

16 / 24

slide-31
SLIDE 31

Introduction 2LS for Program Analysis Encoding Decomposition Lessons Learned

Example: Universal Termination

Summary (callee’s perspective): ∃2Summaryf1, . . . , Summaryfn :

f ∈F

For each f : ∃2Sumf : ∃2Invf , RRf : ∀xinf , xf , x′f , xoutf : Initf (xinf , xf ) = ⇒ Invf (xf ) ∧ Invf (xf ) ∧ Transf (xf , x′f ) ∧

hi∈Hf Sumh(xp inhi, xp outhi)

= ⇒ Invf (x′f ) ∧ RRf (xf , x′f ) ∧ Initf (xinf , xf ) ∧ Invf (x′f ) ∧ Outf (x′f , xoutf ) = ⇒ Sumf (xinf , xoutf )

17 / 24

slide-32
SLIDE 32

Introduction 2LS for Program Analysis Encoding Decomposition Lessons Learned

Example: Universal Termination

Summary (callee’s perspective): ∃2Summaryf1, . . . , Summaryfn :

f ∈F

For each f : Given CallCtxf : ∃2Sumf : ∃2Invf , RRf : ∀xinf , xf , x′f , xoutf : CallCtxf (xinf , xoutf ) ∧ Initf (xinf , xf ) = ⇒ Invf (xf ) ∧ Invf (xf ) ∧ Transf (xf , x′f ) ∧

hi∈Hf Sumh(xp inhi, xp outhi)

= ⇒ Invf (x′f ) ∧ RRf (xf , x′f ) ∧ CallCtxf (xinf , xoutf ) ∧ Initf (xinf , xf ) ∧ Invf (x′f ) ∧ Outf (x′f , xoutf ) = ⇒ Sumf (xinf , xoutf )

17 / 24

slide-33
SLIDE 33

Introduction 2LS for Program Analysis Encoding Decomposition Lessons Learned

Example: Universal Termination

Calling context (caller’s perspective): For each f : Given CallCtxf : For each hj ∈ Hf : ∃2CallCtxhj : ∃2Invf : ∀xinf , xf , x′f , xoutf : CallCtxf (xinf , xoutf ) ∧ Initf (xinf , xf ) = ⇒ Invf (xf ) ∧ Invf (xf ) ∧ Transf (xf , x′f ) ∧

hi∈Hf Sumh(xp inhi, xp outhi)

= ⇒ Invf (x′f ) ∧ CallCtxhj(xp inhj, xp outhj)

18 / 24

slide-34
SLIDE 34

Introduction 2LS for Program Analysis Encoding Decomposition Lessons Learned

Example: Universal Termination

Invf CallCtxf Sumf RRf Sumh CallCtxh termStatusf termStatush

19 / 24

slide-35
SLIDE 35

Introduction 2LS for Program Analysis Encoding Decomposition Lessons Learned

Example: Universal Termination

Invf CallCtxf Sumf RRf Sumh CallCtxh termStatusf termStatush

1 Calling contexts of procedure calls h in f 2 Recurse 3 Invariants and summary of procedure f 4 Termination argument for procedure f 5 Determine termination status of f

19 / 24

slide-36
SLIDE 36

Introduction 2LS for Program Analysis Encoding Decomposition Lessons Learned

Example 2: Conditional Termination

Universal termination: Result: terminating / potentially non-term. / non-terminating Decision problem Conditional termination: Result: sufficient precondition for termination Inference problem

20 / 24

slide-37
SLIDE 37

Introduction 2LS for Program Analysis Encoding Decomposition Lessons Learned

Sufficient Preconditions for Termination

Invo

f

CallCtxo

f

Sumo

f

RRf Sumo

h

CallCtxo

h

Invu

f

CallCtxu

f

Sumu

f

Precondu

f

Sumu

h

CallCtxu

h

  • ver-approximations

under-approximations

21 / 24

slide-38
SLIDE 38

Introduction 2LS for Program Analysis Encoding Decomposition Lessons Learned

Lessons Learned

2LS for program analysis http://www.cprover.org/2LS Modular analyses and verification algorithms as decompositions of large formulae Predicate inference

(abstract interpretation, synthesis, optimisation)

Should expose solver interface Observations: Decomposition increases scalability

(smaller formulae, parallelise)

Decomposition introduces abstraction Decomposition does not eliminate fixed points Subproblems of decision problems may be inference problems Syntax is a bad criterion for decomposition.

22 / 24

slide-39
SLIDE 39

Introduction 2LS for Program Analysis Encoding Decomposition Lessons Learned

Lessons Learned

Criteria for decomposition? Syntax

→ eliminate syntactic bias (control where to cut)

Abstract domains

(e.g. invariants vs ranking functions, lfp vs gfp)

Predicate interdependencies

→ avoid cutting cycles (still need fixed point, lfp vs gfp)

Precision / solving capacity-driven (inference problems)

As much as possible, as little as necessary

Property-driven (decision problems)

Decomposition = abstraction (start rough and refine) 23 / 24

slide-40
SLIDE 40

Introduction 2LS for Program Analysis Encoding Decomposition Lessons Learned

Lessons Learned

Challenges Dynamic decomposition

decomposing upfront is difficult

Better predicate inference algorithms

(product domains, under-approximations, lfp+gfp, . . . )

Decomposition of cycles?

→ precise handling of recursive functions

Precision / solving capacity-driven (inference problems)

→ best-effort refinement

Property-driven (decision problems)

→ modular refinement algorithms 24 / 24