Decision Procedures and Verification, NAIL094, Petr Kučera (Charles University)



SLIDE 1

Decision Procedures and Verification

NAIL094 Petr Kučera

Charles University

2019/20 (10th lecture)

Petr Kučera (Charles University) Decision Procedures and Verification 2019/20 (10th lecture) 1 / 46

SLIDE 2

Program analysis

SLIDE 3

Motivation

- Is my program correct?
- Does my program contain bugs?
- Does my program satisfy the specification?

SLIDE 7

Testing and Software Verification

Testing
- Traditional way of bug finding
- Tests only specific inputs — incomplete

Software Verification
- Aims at checking whether the specification is satisfied for all possible inputs
- No division by 0
- No out-of-bounds array access
- x < y for variables x and y
- …

SLIDE 8

Reachability Problem

Does a given program state occur in any execution of the program?
- Undecidable in general due to unbounded memory allocation
- Partial solutions
  - restricting the type of programs
  - restricting the inputs
  - the verification procedure can give up or not terminate

Idea: use a reasoning engine with a decision procedure (SMT solver)

SLIDE 20

Analysing Programs with Logic

Programs are dynamic
- Execute instructions one by one
- Reuse variables
- Allocate memory
- …

Logic is static
- Checks if there is a satisfying assignment
- Simultaneous assignment to all variables at once

SLIDE 22

Static Single Assignment (SSA) Form

- Bound the number of loops
- Each variable gets a new copy when assigned a new value (timestamps)
- Static formula describing (bounded) execution paths
- Under-approximation of the original program
- We also consider over-approximation, which considers a superset of possible execution paths

SLIDE 29

An Example Program

     1  void ReadBlocks(int data[], int cookie)
     2  {
     3      int i = 0;
     4      while (true)
     5      {
     6          int next;
     7          next = data[i];
     8          if (!(i < next && next < N)) return;
     9          i = i + 1;
    10          for (; i < next; i = i + 1) {
    11              if (data[i] == cookie)
    12                  i = i + 1;
    13              else
    14                  Process(data[i]);
    15          }
    16      }
    17  }

N denotes the size of array data. We want to check that there is no access out of bounds of the array data.

SLIDE 30

Notation

Execution path: a (possibly partial) sequence of program instructions executed during an execution of a program

Execution trace: a sequence of states that are observed along an execution path
- Many different traces can correspond to a single path (different inputs)

Symbolic simulation: uses a symbolic representation of traces
- automatic test generation, detection of dead code, verification of properties

Assertion: a program instruction which checks a given condition and aborts if the condition is not satisfied
- Verifying an assertion means proving that for all inputs the condition of the assertion evaluates to true

SLIDE 36

Checking Feasibility of a Single Path

(Program ReadBlocks as listed on Slide 29; line numbers refer to that listing.)

Consider the following path:

1. Run the for loop once, take the else branch
        3   i = 0;
        7   next = data[i];
        8   i < next && next < N
        9   i = i + 1;
       10   i < next;
       11   data[i] != cookie;
       14   Process(data[i]);

2. Exit the while loop in the second iteration on line 8
       10   i = i + 1
       10   !(i < next)
        7   next = data[i];
        8   !(i < next && next < N)

SLIDE 38

Checking Feasibility of a Single Path

Consider the sequence of instructions along this execution path. Record the branching conditions of the conditional statements.

Line | Instruction or condition    | Kind
-----|-----------------------------|--------------
3    | i = 0;                      | Assignment
7    | next = data[i];             | Assignment
8    | i < next && next < N        | Branch
9    | i = i + 1;                  | Assignment
10   | i < next;                   | Branch
11   | data[i] != cookie;          | Branch
14   | Process(data[i]);           | Function call
10   | i = i + 1                   | Assignment
10   | !(i < next)                 | Branch
7    | next = data[i];             | Assignment
8    | !(i < next && next < N)     | Branch

Is there an input which would lead to an out-of-bounds access to array data along this path?

SLIDE 39

Static Single Assignment (SSA)

Rewrite instructions and conditions into the static single assignment representation
- use a new version of a variable after each write (assignment)
- timestamped versions of variables — xt represents the value of variable x after t assignments (so i1, i2, … are the successive versions of i, and data0, N0, cookie0 are the inputs)

Translate SSA into a logical formula ⇒ path constraint
- Replace assignments with equalities
- Form a conjunction of all assignment and branch subformulas
- For simplicity, we assume that the function call Process(data[i]); does not change the value of data[i]

SLIDE 41

SSA Form of the Execution Trace

Line | Instruction or condition         | Kind
-----|----------------------------------|--------------
3    | i1 = 0;                          | Assignment
7    | next1 = data0[i1];               | Assignment
8    | i1 < next1 && next1 < N0         | Branch
9    | i2 = i1 + 1;                     | Assignment
10   | i2 < next1;                      | Branch
11   | data0[i2] != cookie0;            | Branch
14   | Process(data0[i2]);              | Function call
10   | i3 = i2 + 1                      | Assignment
10   | !(i3 < next1)                    | Branch
7    | next2 = data0[i3];               | Assignment
8    | !(i3 < next2 && next2 < N0)      | Branch

SLIDE 43

SSA Formula

SSA trace:
i1 = 0; next1 = data0[i1]; i1 < next1 && next1 < N0; i2 = i1 + 1; i2 < next1; data0[i2] != cookie0; Process(data0[i2]); i3 = i2 + 1; !(i3 < next1); next2 = data0[i3]; !(i3 < next2 && next2 < N0)

Path constraint:
ssa ≔ i1 = 0 ∧ next1 = data0[i1] ∧ (i1 < next1 ∧ next1 < N0) ∧ i2 = i1 + 1 ∧ i2 < next1 ∧ data0[i2] ≠ cookie0 ∧ i3 = i2 + 1 ∧ ¬(i3 < next1) ∧ next2 = data0[i3] ∧ ¬(i3 < next2 ∧ next2 < N0)

All evaluations of the inputs N0, data0 and cookie0 satisfying formula ssa correspond to a trace for the chosen path.

SLIDE 44

Assertion checking

1. Consider a path leading to an assertion
2. Take the path constraint of that path
3. Add the negation of the assertion to the path constraint

A satisfying assignment corresponds to a trace leading to the assertion with its condition violated. The problem of verifying correctness of a path in a program is thus reduced to checking the satisfiability of a formula.

SLIDE 49

Assertions — Simple Example

     1  void ReadBlocks(int data[], int cookie)
     2  {
     3      int i = 0;
     4      while (true)
     5      {
     6          int next;
     7          next = data[i];
     8          ...

Consider an execution path which
1. executes the assignment on Line 3 and
2. checks if i is within bounds

We get the following constraint:
ssa ≔ i1 = 0 ∧ ¬(0 ≤ i1 ∧ i1 < N0)

Formula ssa can be satisfied by i1 ≔ 0, N0 ≔ 0. The assertion is violated and we found a bug.

SLIDE 56

Another Execution Path With an Assertion

(Program ReadBlocks as listed on Slide 29; line numbers refer to that listing.)

Consider the following path:
        3   i = 0;
        7   next = data[i];
        8   i < next && next < N
        9   i = i + 1;
       10   i < next;
       11   data[i] == cookie;
       12   i = i + 1;
       10   i = i + 1;
       10   !(i < next)
        7   assert(0 <= i && i < N)

The second execution of Line 7 is replaced with an assertion that i is within bounds.

SLIDE 57

Considering Execution Path

Line | Instruction or condition    | Kind
-----|-----------------------------|-----------
3    | i = 0;                      | Assignment
7    | next = data[i];             | Assignment
8    | i < next && next < N        | Branch
9    | i = i + 1;                  | Assignment
10   | i < next;                   | Branch
11   | data[i] == cookie;          | Branch
12   | i = i + 1;                  | Assignment
10   | i = i + 1;                  | Assignment
10   | !(i < next)                 | Branch
7    | 0 <= i && i < N             | Assertion

SLIDE 58

Add Timestamps to Variables

Line | Instruction or condition    | Kind
-----|-----------------------------|-----------
3    | i1 = 0;                     | Assignment
7    | next1 = data0[i1];          | Assignment
8    | i1 < next1 && next1 < N0    | Branch
9    | i2 = i1 + 1;                | Assignment
10   | i2 < next1;                 | Branch
11   | data0[i2] == cookie0;       | Branch
12   | i3 = i2 + 1;                | Assignment
10   | i4 = i3 + 1;                | Assignment
10   | !(i4 < next1)               | Branch
7    | 0 <= i4 && i4 < N0          | Assertion

SLIDE 61

Write as an SSA Formula

ssa ≔ i1 = 0 ∧ next1 = data0[i1] ∧ i1 < next1 ∧ next1 < N0 ∧ i2 = i1 + 1 ∧ i2 < next1 ∧ data0[i2] = cookie0 ∧ i3 = i2 + 1 ∧ i4 = i3 + 1 ∧ ¬(i4 < next1) ∧ ¬(0 ≤ i4 ∧ i4 < N0)

The last conjunct is the negation of the assertion.

To check satisfiability, we need a combination of the theory of bit vectors with the theory of arrays.

The formula has a model, e.g.
i1 ≔ 0, i2 ≔ 1, i3 ≔ 2, i4 ≔ 3, next1 ≔ 2, N0 ≔ 3, data0 ≔ {2, 6, 5}, cookie0 ≔ 6

The assertion is violated, we found another bug.
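As an added example (not part of the lecture slides), the following Python code carries out the procedure of Slides 39, 44 and 58 mechanically on the recorded paths of Slide 49 and Slide 57: it timestamps the trace, builds the path constraint with the negated assertion, and, standing in for the SMT solver, enumerates small inputs N0, data0 and cookie0 to find the models. The trace records, the search bounds and the sample array length are constructed assumptions; Process is assumed side-effect free as on Slide 39.

```python
import itertools
import re

# Constructed from the slides: the execution path of Slide 57 and the short
# path of Slide 49, as (line, kind, text) records in plain C syntax.
TRACE_SLIDE57 = [
    (3, "assign", "i = 0"),
    (7, "assign", "next = data[i]"),
    (8, "branch", "i < next && next < N"),
    (9, "assign", "i = i + 1"),
    (10, "branch", "i < next"),
    (11, "branch", "data[i] == cookie"),
    (12, "assign", "i = i + 1"),
    (10, "assign", "i = i + 1"),
    (10, "branch", "!(i < next)"),
    (7, "assert", "0 <= i && i < N"),
]
TRACE_SLIDE49 = [(3, "assign", "i = 0"), (7, "assert", "0 <= i && i < N")]

IDENT = re.compile(r"\b([A-Za-z_]\w*)\b")

def rename(expr, stamps):
    """Replace every variable x by its current version xt (inputs get t = 0)."""
    return IDENT.sub(lambda m: f"{m.group(1)}{stamps.setdefault(m.group(1), 0)}", expr)

def to_ssa(trace):
    """Add timestamps as on Slide 58: the right-hand side reads the current
    versions, then the assigned variable receives a fresh version."""
    stamps, ssa = {}, []
    for line, kind, text in trace:
        if kind == "assign":
            lhs, rhs = (s.strip() for s in text.split("=", 1))
            rhs = rename(rhs, stamps)
            stamps[lhs] = stamps.get(lhs, 0) + 1
            ssa.append((line, kind, f"{lhs}{stamps[lhs]} = {rhs}"))
        else:  # branch, assert, or a call assumed not to modify anything
            ssa.append((line, kind, rename(text, stamps)))
    return ssa

def c_to_py(expr):
    """C operators of the constructed strings to Python (for evaluation)."""
    expr = expr.replace("&&", " and ").replace("||", " or ")
    return re.sub(r"!(?!=)", " not ", expr)

def path_constraint(ssa):
    """Slide 44: assignments become equalities, branch conditions are kept,
    the assertion is negated; function calls contribute nothing."""
    conj = []
    for _, kind, text in ssa:
        if kind == "assign":
            lhs, rhs = text.split(" = ", 1)
            conj.append(("def", lhs, c_to_py(rhs)))
        elif kind == "branch":
            conj.append(("check", None, c_to_py(text)))
        elif kind == "assert":
            conj.append(("check", None, f"not ({c_to_py(text)})"))
    return conj

def formula_text(conj):
    return " ∧ ".join(f"{l} = {r}" if k == "def" else r for k, l, r in conj)

def satisfies(conj, inputs):
    """Evaluate the conjunction under concrete inputs: a 'def' conjunct fixes
    the value of the new version, a 'check' conjunct must hold."""
    env = dict(inputs)
    for kind, lhs, rhs in conj:
        try:
            val = eval(rhs, {"__builtins__": {}}, env)  # strings built above only
        except IndexError:            # read outside the finite sample array
            return None
        if kind == "def":
            env[lhs] = val
        elif not val:
            return None
    return env

def find_models(conj, max_n=4, max_val=6, array_len=3):
    """Bounded stand-in for the SMT solver: enumerate small inputs N0, data0,
    cookie0 and return every assignment (model) satisfying the constraint."""
    models = []
    for n0 in range(max_n + 1):
        for data0 in itertools.product(range(max_val + 1), repeat=array_len):
            for cookie0 in range(max_val + 1):
                env = satisfies(conj, {"N0": n0, "data0": data0, "cookie0": cookie0})
                if env is not None:
                    models.append(env)
    return models

if __name__ == "__main__":
    for trace in (TRACE_SLIDE49, TRACE_SLIDE57):
        conj = path_constraint(to_ssa(trace))
        models = find_models(conj)
        print(formula_text(conj))
        print(f"{len(models)} models; first: {models[0] if models else None}")
```

Every model of the Slide 57 constraint has N0 = 3 and i4 = 3 (the model of Slide 61 is among them), so each one is a concrete input that reads data[3] past the end of a 3-element array.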

SLIDE 62

Checking Feasibility of All Paths

- The number of paths can grow exponentially in the number of branches
- Instead of considering one path at a time, we can generate SSA for the bounded program with branches
  - The whole program, not just a single path
  - SSA is converted to a formula that encodes all possible paths

slide-66
SLIDE 66

SSA for the Whole Program

1 Unfold loops k times (k given by the user)
2 Assign the condition of each if statement to a new variable γ (for guard)
3 Identify points where the control-flow reconverges
4 Add φ-instructions setting the correct values of variables
  For variables that have been changed in either branch
  Conditional statement checking on the guard variable
5 Translate to formula as before
  If-then-else operator to represent φ instructions
6 Satisfying assignment corresponds to one trace (of one path)
  Assignment of guard variables determines the branches taken

Example: for-loop from ReadBlocks unrolled 2 times

slide-73
SLIDE 73

Unfold the For Loop Twice

Original for loop

  for(; i<next; i=i+1){
    if(data[i]==cookie)
      i=i+1;
    else
      Process(data[i]);
  }

for loop unfolded twice

  if(i<next){
    if(data[i]==cookie)
      i=i+1;
    else
      Process(data[i]);
    i=i+1;
    if(i<next) {
      if(data[i]==cookie)
        i=i+1;
      else
        Process(data[i]);
      i=i+1;
    }
  }

slide-74
SLIDE 74

SSA for All Paths in a Bounded Program

for loop unfolded twice

  if(i<next){
    if(data[i]==cookie)
      i=i+1;
    else
      Process(data[i]);
    i=i+1;
    if(i<next) {
      if(data[i]==cookie)
        i=i+1;
      else
        Process(data[i]);
      i=i+1;
    }
  }

SSA for the unfolded loop

  γ1 = (i0 < next0);              // first unrolling: if(i<next)
  γ2 = (data0[i0] == cookie0);    // if(data[i]==cookie)
  i1 = i0 + 1;
  i2 = γ2 ? i1 : i0; //φ          // after the inner if
  i3 = i2 + 1;                    // loop increment
  γ3 = (i3 < next0);              // second unrolling: if(i<next)
  γ4 = (data0[i3] == cookie0);    // if(data[i]==cookie)
  i4 = i3 + 1;
  i5 = γ4 ? i4 : i3; //φ          // after the inner if
  i6 = i5 + 1;                    // loop increment
  i7 = γ3 ? i6 : i3; //φ          // closes the second unrolling
  i8 = γ1 ? i7 : i0; //φ          // closes the first unrolling
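As an added illustration (my own code, not from the lecture slides), the SSA above written as an executable formula in Python: the guards decide the branches, the φ-nodes become if-then-else, and a brute-force search over a constructed 3-bit domain plays the role of the bit-vector/array solver. It assumes a bounds assertion 0 <= i < N before every read of data[i] (the property from the earlier slides) and, like the unfolded loop, treats next as a free input.

```python
from itertools import product

# Constructed toy domain: 3-bit unsigned values, small enough to enumerate.
WIDTH = 3
VALUES = range(1 << WIDTH)


def ssa_unfolded(i0, next0, data0, cookie0):
    """Evaluate the SSA of the for-loop unfolded twice as a formula.

    Every variable is defined exactly once, the guards g1..g4 are the branch
    conditions, and each phi-node is an if-then-else on a guard.  Array reads
    follow the theory of arrays: every index has some value, so the formula
    stays total even for indices outside [0, N0).  The bounds obligation of
    each read (an assumed assertion "0 <= i && i < N" before every data[i],
    not part of the slides) is recorded separately, guarded by the path
    condition under which the read is executed.

    Returns (i8, guards, violations): the final value of i, the tuple
    (g1, g2, g3, g4) identifying the path, and the out-of-range indices the
    taken path dereferences (empty when the path is safe).
    """
    N0 = len(data0)

    def read(idx):
        return data0[idx] if 0 <= idx < N0 else 0   # arbitrary value outside

    def in_bounds(idx):
        return 0 <= idx < N0

    g1 = i0 < next0                    # first unrolling: if(i<next)
    g2 = read(i0) == cookie0           # if(data[i]==cookie)
    i1 = i0 + 1                        # i=i+1 in the then branch
    i2 = i1 if g2 else i0              # phi after the inner if
    i3 = i2 + 1                        # loop increment
    g3 = i3 < next0                    # second unrolling: if(i<next)
    g4 = read(i3) == cookie0           # if(data[i]==cookie)
    i4 = i3 + 1                        # i=i+1 in the then branch
    i5 = i4 if g4 else i3              # phi after the inner if
    i6 = i5 + 1                        # loop increment
    i7 = i6 if g3 else i3              # phi closing the second unrolling
    i8 = i7 if g1 else i0              # phi closing the first unrolling

    violations = []
    if g1 and not in_bounds(i0):          # data[i] of the first unrolling
        violations.append(i0)
    if g1 and g3 and not in_bounds(i3):   # data[i] of the second unrolling
        violations.append(i3)
    return i8, (g1, g2, g3, g4), violations


def find_counterexample(max_len=3):
    """Brute-force stand-in for the SMT solver: enumerate the free inputs
    (i0, next0, cookie0 and an array data0 of length N0 <= max_len) over the
    toy domain and return the first assignment whose path reads data0 out of
    bounds, or None if no such model exists.  The guard values in the result
    say which branches the satisfying trace takes."""
    for N0 in range(1, max_len + 1):
        for data0 in product(VALUES, repeat=N0):
            for i0, next0, cookie0 in product(VALUES, repeat=3):
                i8, guards, bad = ssa_unfolded(i0, next0, list(data0), cookie0)
                if bad:
                    return {"i0": i0, "next0": next0, "cookie0": cookie0,
                            "data0": list(data0), "N0": N0,
                            "guards": guards, "i8": i8, "bad_index": bad[0]}
    return None


if __name__ == "__main__":
    print(find_counterexample())
```

The first model found has next0 larger than the array, so the second unrolling (g3) reads data0[1] of a one-element array; a real solver would return a model of the same shape.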

slide-75
SLIDE 75

Under-Approximation vs Over-Approximation

What we have seen: transformation to a loop-free program by unrolling loops (under-approximation)
  Considers a subset of possible paths
  If it detects a bug, it is real
  Can declare the program safe only up to the given bound

What we will see: transformation to a loop-free program using non-determinism (over-approximation)
  Considers a superset of possible paths
  Detected bugs can be spurious
  If the over-approximation is safe, the original program is safe

slide-86
SLIDE 86

Over-Approximating Transformation

1 For each loop and each program variable x: if x is modified by the loop, add a nondeterministic assignment x = ∗ to the beginning of the loop
2 After each loop, add an assumption that the negation of the loop condition holds
  Assumption: a program statement assume(c) that aborts any path that does not satisfy c
3 Replace each while loop with an if statement checking the condition of the while statement

slide-89
SLIDE 89

Over-Approximating Transformation Example

Original program

  int i = 0;
  int j = 0;

  while(data[i] != '\n')
  {
    ++i;
    j = i;
  }
  assert(i == j);

Transformed program

  int i = 0;
  int j = 0;

  if(data[i] != '\n')
  {
    i = *;
    j = *;
    ++i;
    j = i;
  }
  assume(data[i] == '\n');

  assert(i == j);

slide-90
SLIDE 90

Over-Approximating Transformation Example

Transformed program

  int i = 0;
  int j = 0;

  if(data[i] != '\n')
  {
    i = *;
    j = *;
    ++i;
    j = i;
  }

  assume(data[i] == '\n');

  assert(i == j);

SSA form

  i1 = 0;
  j1 = 0;

  γ1 = (data0[i1] != '\n');

  // i2 is unrestricted
  // j2 is unrestricted
  i3 = i2 + 1;
  j3 = i3;
  i4 = γ1 ? i3 : i1; // φ
  j4 = γ1 ? j3 : j1; // φ
  assume(data0[i4]=='\n');

  assert(i4==j4);

slide-94
SLIDE 94

Over-Approximating Transformation Example

SSA formula

ssa ≔ i1 = 0 ∧ j1 = 0 ∧ γ1 = (data0[i1] ≠ '\n') ∧ i3 = i2 + 1 ∧ j3 = i3 ∧ i4 = (γ1 ? i3 ∶ i1) ∧ j4 = (γ1 ? j3 ∶ j1) ∧ data0[i4] = '\n' ∧ i4 ≠ j4

Formula ssa is unsatisfiable: the assertion holds for an arbitrary number of loop iterations.

slide-95
SLIDE 95

Checking Over-Approximation of a Program

Transformation to SSA/formula as before
  Nondeterministic assignment modelled by incrementing the variable counter
  Assumption translated by conjoining its condition to the formula

In the example:
  Formula is unsatisfiable
  Program is safe for any number of iterations
  Abstraction worked, because the assertion does not depend on the previous iterations of the loop

In other cases, the abstraction needs to be refined
  Further assumptions and assertions
  Loop invariants
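The following added example (my own code, not the lecture's) puts the two approximations side by side on the i == j program: the loop unrolled k times in SSA (under-approximation, safe only up to the bound) and the over-approximation with unrestricted i2, j2 and the assume(). It assumes newline-terminated input buffers and a constructed toy domain searched by brute force in place of an SMT solver.

```python
from itertools import product

NL = "\n"
VALUES = range(8)          # constructed toy domain for the unrestricted variables
ALPHABET = ("a", NL)


def inputs(max_len=3):
    """Constructed inputs: every buffer is newline-terminated, which is the
    precondition the original loop relies on."""
    for m in range(max_len + 1):
        for prefix in product(ALPHABET, repeat=m):
            yield "".join(prefix) + NL


def read(data0, idx):
    # Theory-of-arrays view: every index has some value; a read outside the
    # buffer yields an arbitrary byte (here 'a') rather than an error.
    return data0[idx] if 0 <= idx < len(data0) else "a"


def ssa_unrolled(data0, k):
    """Under-approximation: the while loop unfolded k times, in SSA with one
    guard per unrolling and phi-nodes merging i and j.
    Returns (covered, i, j); covered is False when the loop would still
    iterate after k unrollings, i.e. the input lies outside the bound."""
    i_cur, j_cur = 0, 0                          # i1 = 0; j1 = 0
    path = True                                  # conjunction of guards so far
    for _ in range(k):
        g = path and read(data0, i_cur) != NL    # guard of this unrolling
        i_new = i_cur + 1                        # ++i
        j_new = i_new                            # j = i
        i_cur = i_new if g else i_cur            # phi after the unrolling
        j_cur = j_new if g else j_cur            # phi
        path = g
    covered = read(data0, i_cur) == NL           # the loop has really exited
    return covered, i_cur, j_cur


def check_under_approx(k):
    """Return {'bug': first violating input or None, 'uncovered': number of
    inputs that the bound k does not reach}."""
    uncovered = 0
    for data0 in inputs():
        covered, i, j = ssa_unrolled(data0, k)
        if not covered:
            uncovered += 1                       # nothing is checked here
        elif i != j:
            return {"bug": data0, "uncovered": uncovered}
    return {"bug": None, "uncovered": uncovered}


def ssa_over_approx(data0, i2, j2):
    """Over-approximation: the unrestricted i2, j2 stand for the state after
    any number of iterations; assume() cuts the paths on which the loop
    condition still holds.  Returns None if the path is cut, otherwise
    True iff the assertion i4 == j4 is violated."""
    i1, j1 = 0, 0
    g1 = read(data0, i1) != NL                   # if(data[i] != '\n')
    i3 = i2 + 1                                  # ++i on the unrestricted i2
    j3 = i3                                      # j = i (j2 is overwritten)
    i4 = i3 if g1 else i1                        # phi
    j4 = j3 if g1 else j1                        # phi
    if read(data0, i4) != NL:                    # assume(data0[i4] == '\n')
        return None
    return i4 != j4


def check_over_approx():
    """Return the first (data0, i2, j2) violating the assertion, or None:
    None means the assertion holds for ANY number of loop iterations."""
    for data0 in inputs():
        for i2, j2 in product(VALUES, repeat=2):
            if ssa_over_approx(data0, i2, j2):
                return (data0, i2, j2)
    return None


if __name__ == "__main__":
    print("unrolled k=2:", check_under_approx(2))
    print("over-approximation:", check_over_approx())
```

With k = 2 the input "aaa\n" is not covered by the unrolling, so the bound would have to be raised to say anything about it, whereas the over-approximation finds no model at all.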

slide-105
SLIDE 105

When Simple Abstraction is Not Enough

Consider the following function for computing the square of a number

  int square(int n) {
    int r=0;
    int i=0;
    while(i!=n){
      r+=n;
      ++i;
    }
    return r;
  }

Is the function correct?

slide-107
SLIDE 107

When Simple Abstraction is Not Enough

Add an assertion describing the required property

  int square(int n) {
    int r=0;
    int i=0;
    while(i!=n){
      r+=n;
      ++i;
    }
    assert(r==n*n); // property
    return r;
  }

Does the assertion ever fail?

slide-109
SLIDE 109

Over-Approximating Transformation and SSA Form

Original program

  int r=0;
  int i=0;
  while(i!=n){
    r+=n;
    ++i;
  }
  assert(r==n*n);

Transformed program

  int r=0;
  int i=0;
  if(i!=n){
    r=*;
    i=*;
    r+=n;
    ++i;
  }

  assume(i==n);
  assert(r==n*n);

slide-110
SLIDE 110

Over-Approximating Transformation and SSA Form

Transformed program

  int r=0;
  int i=0;
  if(i!=n){
    r=*;
    i=*;
    r+=n;
    ++i;
  }

  assume(i==n);
  assert(r==n*n);

SSA form

  r1 = 0;
  i1 = 0;
  γ1 = (i1 != n0);
  // i2 is unrestricted
  // r2 is unrestricted
  r3 = r2 + n0;
  i3 = i2 + 1;
  r4 = γ1 ? r3 : r1; // φ
  i4 = γ1 ? i3 : i1; // φ
  assume(i4 == n0);
  assert(r4 == n0 * n0);

slide-111
SLIDE 111

Write as a Formula

SSA Form

  r1 = 0;
  i1 = 0;
  γ1 = (i1 != n0);
  // i2 is unrestricted
  // r2 is unrestricted
  r3 = r2 + n0;
  i3 = i2 + 1;
  r4 = γ1 ? r3 : r1; // φ
  i4 = γ1 ? i3 : i1; // φ
  assume(i4 == n0);
  assert(r4 == n0 * n0);

SSA Formula

ssa ≔ r1 = 0 ∧ i1 = 0 ∧ γ1 = (i1 ≠ n0) ∧ r3 = r2 + n0 ∧ i3 = i2 + 1 ∧ r4 = (γ1 ? r3 ∶ r1) ∧ i4 = (γ1 ? i3 ∶ i1) ∧ i4 = n0 ∧ r4 ≠ n0 ⋅ n0

slide-112
SLIDE 112

Checking Correctness

SSA Formula

ssa ≔ r1 = 0 ∧ i1 = 0 ∧ γ1 = (i1 ≠ n0) ∧ r3 = r2 + n0 ∧ i3 = i2 + 1 ∧ r4 = (γ1 ? r3 ∶ r1) ∧ i4 = (γ1 ? i3 ∶ i1) ∧ i4 = n0 ∧ r4 ≠ n0 ⋅ n0

The formula is satisfiable with model n0 ≔ 2, γ1 ≔ true, r1 ≔ 0, i1 ≔ 0, r2 ≔ 0, i2 ≔ 1, r3 ≔ 2, i3 ≔ 2, r4 ≔ 2, i4 ≔ 2

Yet there is no bug in the program: the model is spurious, since a real execution can never reach i = 1 with r = 0. The over-approximation failed to establish correctness and needs to be refined.

slide-115
SLIDE 115

Loop invariant

Key tool in analysis of unbounded programs

Definition

A loop invariant is any predicate that holds at the beginning of the body irrespective of how many times the loop iterates.

  int i = 0;
  while(i != 10){
    ...
    ++i;
  }

Loop invariant: 0 ≤ i < 10

We use induction to prove that a given formula is an invariant

slide-117
SLIDE 117

Proving loop invariant by induction

Assume a program with loop-free code fragments A and B, a condition C and an invariant I, all of which can be checked without side-effects:

  A;
  while(C){
    assert(I);
    B;
  }

We want to prove by induction that I is an invariant.

slide-118
SLIDE 118

Proving Loop Invariant by Induction

Base case: I is satisfied when entering the loop for the first time. We are checking the following program:

  A;
  assert(C => I);

Step case: if I holds before executing the body B, then I holds after executing B as well. We are checking the following program:

  assume(C & I);
  B;
  assert(C -> I);

slide-120
SLIDE 120

Proving Loop Invariant by Induction — Example

Loop

  int i = 0;
  while(i != 10){
    ++i;
  }

Base case

  int i = 0;
  assert(i != 10 -> (i >= 0 && i < 10));

Step case

  assume(i != 10 && i >= 0 && i < 10);
  ++i;
  assert(i != 10 -> (i >= 0 && i < 10));

By checking the base case program and step case program using techniques for loop-free programs, we verify that 0 ≤ i < 10 is an invariant of the loop.

slide-121
SLIDE 121

Refining Abstraction With Loop Invariants

Recall the over-approximating transformation. Assume that for each loop l we have found a loop invariant I_l. For each loop add the following steps to the transformation:

1 Assertion that I_l holds before the nondeterministic assignments to the loop variables
  This establishes the base case
2 Assumption that C ∧ I_l holds after the nondeterministic assignments to the loop variables
  This is the induction hypothesis
3 Assertion that C ⇒ I_l holds at the end of the loop body
  This proves the induction step

Then we check the assertions using the techniques we already know

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (10th lecture) 42 / 46

Refining Abstraction With Loop Invariants

Original program:

    int i = 0;
    while(i != 10){
        ++i;
    }

Refined over-approximation:

    int i = 0;
    if(i != 10){
        assert(i >= 0 && i < 10);                // base case
        i = *;
        assume(i >= 0 && i < 10);                // induction hypothesis
        ++i;
        assert(i != 10 -> (i >= 0 && i < 10));   // step case
    }

Loop Invariant for the Square Function

    int r=0;
    int i=0;
    while(i!=n){
        r+=n;
        ++i;
    }
    assert(r==n*n); // property

Loop invariant: r == i * n

Refining the Square Function

Refined with loop invariant r == i * n:

    int r=0;
    int i=0;
    if(i!=n){
        assert(r==i*n);            // base case
        r=*;
        i=*;
        assume(i!=n && r==i*n);    // induction hypothesis
        r+=n;
        ++i;
        assert(i!=n -> r==i*n);    // step case
    }
    assume(i==n);                  // cycle abstraction
    assert(r==n*n);                // property

By checking all three assertions we can verify the loop invariant and the program.

Finding Invariants

The challenge is to find a loop invariant that is strong enough to prove the required property.

TRUE is always an invariant, but not a very useful one.

Finding loop invariants is an area of active research. Simple options:

- Constructing candidates from predicates appearing in the code
- Combining program variables with the usual relational operators
- Generalizing facts obtained from examining unrollings of the loop
- …
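The three assertions of the refined square function (base case, induction hypothesis and step case, cycle abstraction) together with the remark that TRUE is an invariant too weak to prove the property, as an added Python example that is not part of the lecture: the verification conditions are discharged by exhaustive enumeration over a small finite domain rather than by an SMT solver, so a pass is only a bounded check; `Loop`, `check_invariant`, `square_loop` and `bounded_states` are names chosen here.

```python
from dataclasses import dataclass
from itertools import product
from typing import Callable, Dict, Iterable, List, Optional

State = Dict[str, int]
Pred = Callable[[State], bool]   # condition, invariant or property over a state
Stmt = Callable[[State], State]  # loop-free code fragment, returns the new state


@dataclass
class Loop:
    """A program of the shape  A; while(C){ B; } assert(P);  as on the slides."""
    init: Stmt  # A
    cond: Pred  # C
    body: Stmt  # B
    prop: Pred  # P


def check_invariant(loop: Loop, inv: Pred, states: Iterable[State]) -> Optional[str]:
    """Discharge the three assertions of the refined over-approximation by
    exhaustive enumeration over a finite set of states (a bounded check, not
    an SMT proof). Returns None on success, else the failing assertion's name."""
    states = list(states)
    # Base case: run A; whenever the loop is entered, I must hold (C -> I).
    for s in states:
        if loop.cond(t := loop.init(s)) and not inv(t):
            return "base case"
    # Step case: loop variables are havoc'd (any state); assume C & I, run B once, assert C -> I.
    for s in states:
        if loop.cond(s) and inv(s) and loop.cond(t := loop.body(s)) and not inv(t):
            return "step case"
    # Cycle abstraction: after the loop only !C & I is known; P must follow from it.
    for s in states:
        if not loop.cond(s) and inv(s) and not loop.prop(s):
            return "property"
    return None


def square_loop() -> Loop:
    """The square function of the slides: r += n, n times, then assert r == n*n."""
    return Loop(
        init=lambda s: {**s, "r": 0, "i": 0},
        cond=lambda s: s["i"] != s["n"],
        body=lambda s: {**s, "r": s["r"] + s["n"], "i": s["i"] + 1},
        prop=lambda s: s["r"] == s["n"] * s["n"],
    )


def bounded_states(names: List[str], lo: int, hi: int) -> Iterable[State]:
    """Every assignment of the variables in `names` to integers in [lo, hi] (constructed domain)."""
    for vals in product(range(lo, hi + 1), repeat=len(names)):
        yield dict(zip(names, vals))
```

With the invariant r == i*n all three checks pass, TRUE fails only at the property check (the cycle abstraction gives no information about r), and a wrong candidate such as r == i already fails the step case.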