A Data Driven Approach for Algebraic Loop Invariants Paper by Rahul Sharma, Saurabh Gupta, Bharath Hariharan, Alex Aiken, Percy Liang, and Aditya V. Nori In ESOP 2013 Vanya Dancheva Seminar: Research Topics in Software Engineering 22.04.2013 1
Motivation • Generating loop invariants is crucial for program verification • Major drawbacks with previous techniques for algebraic invariants – Restrict predicates on branches to either equalities or inequalities – Cannot handle nested loops – Interpret program variables as real numbers 2
Guess-and-check algorithm • Finds algebraic invariant of the form ∧ = f ( x ,..., x ) 0 i 1 n i • Guess phase – suggests a candidate invariant • Check phase – checks whether the candidate invariant is an invariant • Advantages – Uses a decision procedure to check the candidate invariant – The guess phase operates over data 3
Example • First, run the program 1: assume(x=0 && y=0); and accumulate the 2: while(*) do 3: writelog(x, y); resulting data 4: y := y + 1; 5: x := x + y; • Assume the loop is 6: done exercised once • Assume an upper bound on the degree of the polynomials – d = 2 4
Example • Enumerate all monomials up to the chosen degree α = 2 2 { 1 , x , y , y , x , xy } • Construct a data matrix A 1 x y y 2 x 2 xy 1 0 0 0 0 0 5
Example • Employ the null space of A to compute a candidate invariant 1 x y k ≡ ∧ = T I ( b 0 ) i 2 = y i 1 2 x xy is a basis for the null space of A b b b { , ,..., } 1 2 k 6
Example • The basis for the null space of A is 0 0 0 0 0 1 0 0 0 0 0 1 0 0 0 { , , , , } 0 0 1 0 0 0 0 0 1 0 0 0 0 0 1 • Candidate invariant is ≡ = ∧ = ∧ = ∧ = ∧ = 2 2 I x 0 y 0 x 0 y 0 xy 0 7
Example • Check the candidate invariant I L ≡ while B do S ϕ ϕ ⇒ 1. If is a precondition then I 2. Executing the loop body S with a state I ∧ satisfying , results in a state satisfying I B 8
Example 1. = ∧ = ⇒ = ∧ = ∧ = ∧ = ∧ = 2 2 ( x 0 y 0 ) ( x 0 y 0 x 0 y 0 xy 0 ) = ∧ = ∧ = ∧ = ∧ = ∧ = + ∧ = + 2. 2 2 ( x 0 y 0 x 0 y 0 xy 0 y ' y 1 x ' x y ' ) ⇒ = ∧ = ∧ = ∧ = ∧ = 2 2 ( x ' 0 y ' 0 x ' 0 y ' 0 x ' y ' 0 ) = = A counter example for 2. x ' 1 , y ' 1 9
Example • Lets generate more program states 1 x y y 2 x 2 xy 1 0 0 0 0 0 1 1 1 1 1 1 A= 1 3 2 4 9 36 1 6 3 9 36 18 1 10 4 16 100 40 10
Example 0 • Basis for the null space of A is 2 − 1 { } − 1 0 0 2 = ≡ − − • New candidate invariant is I 2 x y y 0 • Both conditions 1. and 2. are valid and this is the desired loop invariant 2 = = ∧ = ⇒ + ( x 0 y 0 ) y y 2 x 1. + = ∧ = + ∧ = + ⇒ + = 2 2 2. ( y y 2 x y ' y 1 x ' x y ' ) ( y ' y ' 2 x ' ) 11
The algorithm Guess-And-Check( L, ϕ ,d ) Guess(logfile, d) Returns: A loop invariant I for L Returns: A candidate invariant 1: x := vars (L) 1: if if logfile = {} then hen 2: Tests := TestGen( ϕ ,L) 2: ret etur urn false 3: logfile := {} 3: end end if if 4: for or t in Tests do do 4: A := DataMatrix(logfile, d) 5: logfile := logfile :: Execute(L, x = t) 5: B := Basis(NullSpace(A)) 6: end end for or 6: if if B = 0 then hen 7: repeat epeat 7: // No non-trivial invariant 8: I := Guess(logfile, d) 8: return true 9: (done, t) := Check(I, L, ϕ ) 9: end end if if 10: if if ¬done then hen 10: ret etur urn CandidateInvariant(B) 11: logfile := logfile :: t 12: end end if if 13: until til done 14: ret etur urn I 12
The algorithm • The Guess-and-check algorithm terminates after at most n iterations, if the Check procedure is sound and complete – n is the total number of monomials with degree bounded by d • If the algorithm Guess-and-check terminates and the Check procedure is sound it returns an invariant 13
Extensions and Evaluation • Guess-and-check easily extends to nested loops • Linear invariants • Evaluated on benchmarks from the literature • Terminated on all benchmarks in one iteration 14
References • de Moura, L.M., Bjorner. “Z3: An efficient SMT solver”. In TACAS. pp. 337-340 (2008) • Sharma, R., Gupta, S., Hariharan, B., Aiken, A., Nori. “A data driven approach for algebraic loop invariants”. Tech. Report MSR-TR-2012- 97, Microsoft Research (2012) 15
Recommend
More recommend
