First-Order Theorem Proving and Program Analysis Laura Kov acs - PowerPoint PPT Presentation

First-Order Theorem Proving and Program Analysis Laura Kov´ acs Chalmers University of Technology

Chalmers Laura Kovács Chalmers

Chalmers Laura Kovács Focus of my Research: Automated Program Analysis (ex. ~200kLoC, Vampire prover) Chalmers

Chalmers Laura Kovács Focus of my Research: Automated Program Analysis a=0, b=0, c=0; while (a<n) do if A[a]>0 then B[b]=A[a]+h(b); b=b+1; else C[c]=A[a]; c=c+1; a=a+1; end do Chalmers

Chalmers Laura Kovács Focus of my Research: Automated Program Analysis a=0, b=0, c=0; while (a<n) do if A[a]>0 then B[b]=A[a]+h(b); b=b+1; Program property: else C[c]=A[a]; c=c+1; ( ∀ p)(0 ≤ p<b ⇒ a=a+1; ( ∃ q)(0 ≤ q<a ∧ B[p]=A[q]+h(p) ∧ A[q]>0) end do Chalmers

Chalmers Laura Kovács Focus of my Research: Automated Program Analysis cnt=0, fib1=1, fib2=0; while (cnt<n) do t=fib1; fib1=fib1+fib2; fib2=t; cnt++; end do h a=0, b=0, c=0; while (a<n) do if A[a]>0 then B[b]=A[a]+h(b); b=b+1; else C[c]=A[a]; c=c+1; a=a+1; end do Chalmers

Chalmers Laura Kovács Focus of my Research: Automated Program Analysis cnt=0, fib1=1, fib2=0; while (cnt<n) do t=fib1; fib1=fib1+fib2; fib2=t; cnt++; end do h Program property: fib1 4 + fib2 4 + 2*fib1*fib2 3 – 2 fib1 3 *fib2 - fib1 2 *fib2 2 -1 = 0 a=0, b=0, c=0; while (a<n) do if A[a]>0 then B[b]=A[a]+h(b); b=b+1; else C[c]=A[a]; c=c+1; a=a+1; end do Chalmers

Chalmers Laura Kovács Focus of my Research: Automated Program Analysis cnt=0, fib1=1, fib2=0; while (cnt<n) do t=fib1; fib1=fib1+fib2; fib2=t; cnt++; end do h fib1 4 + fib2 4 + 2*fib1*fib2 3 – 2 fib1 3 *fib2 - fib1 2 *fib2 2 -1 = 0 Math ¡ a=0, b=0, c=0; while (a<n) do if A[a]>0 then B[b]=A[a]+h(b); b=b+1; Logic ¡ else C[c]=A[a]; c=c+1; a=a+1; end do ( ∀ p)(0 ≤ p<b ⇒ ( ∃ q)(0 ≤ q<a ∧ B[p]=A[q]+h(p) ∧ A[q]>0) Chalmers

Chalmers Laura Kovács Logic ¡ Math ¡ My ¡Research ¡ Vampire prover Program ¡Analysis ¡ Chalmers

Chalmers Laura Kovács Automated ¡ Symbolic ¡ Theorem ¡Proving ¡ Computa:on ¡ My ¡Research ¡ funded ¡by: ¡ Program ¡Analysis ¡ Chalmers

Chalmers Laura Kovács Automated ¡ Symbolic ¡ Theorem ¡Proving ¡ Computa:on ¡ My ¡Research ¡ funded ¡by: ¡ Need industrial partners/interest! (We have the funding!) Program ¡Analysis ¡ Chalmers

Outline Program Analysis and Theorem Proving Loop Assertions by Symbol Elimination Automated Theorem Proving Overview Saturation Algorithms Conclusions

Example: Array Partition A : -1 -3 -1 -5 -8 -0 -2 a := 0; b := 0; c := 0; a = 0 while ( a ≤ k ) do B : - * - * - * - * - * - * - * if A [ a ] ≥ 0 then B [ b ] := A [ a ] ; b := b + 1 ; b = 0 else C [ c ] := A [ a ] ; c := c + 1 ; C : - * - * - * - * - * - * - * a := a + 1 ; end while c = 0

Example: Array Partition A : -1 -3 -1 -5 -8 -0 -2 a := 0; b := 0; c := 0; a = 7 while ( a ≤ k ) do B : -1 -3 -8 -0 - * - * - * if A [ a ] ≥ 0 then B [ b ] := A [ a ] ; b := b + 1 ; b = 4 else C [ c ] := A [ a ] ; c := c + 1 ; C : -1 -5 -2 - * - * - * - * a := a + 1 ; end while c = 3

Example: Array Partition A : -1 -3 -1 -5 -8 -0 -2 a := 0; b := 0; c := 0; a = 7 while ( a ≤ k ) do B : -1 -3 -8 -0 - * - * - * if A [ a ] ≥ 0 then B [ b ] := A [ a ] ; b := b + 1 ; b = 4 else C [ c ] := A [ a ] ; c := c + 1 ; C : -1 -5 -2 - * - * - * - * a := a + 1 ; end while c = 3 Invariants with ∀ ∃ ◮ Each of B [ 0 ] , . . . , B [ b − 1 ] is non-negative and equal to one of A [ 0 ] , . . . , A [ a − 1 ] . ( ∀ p )( 0 ≤ p < b → B [ p ] ≥ 0 ∧ ( ∃ i )( 0 ≤ i < a ∧ A [ i ] = B [ p ]))

Example: Array Partition A : -1 -3 -1 -5 -8 -0 -2 a := 0; b := 0; c := 0; a = 7 while ( a ≤ k ) do B : -1 -3 -8 -0 - * - * - * if A [ a ] ≥ 0 then B [ b ] := A [ a ] ; b := b + 1 ; b = 4 else C [ c ] := A [ a ] ; c := c + 1 ; C : -1 -5 -2 - * - * - * - * a := a + 1 ; end while c = 3 Invariants with ∀ ∃ ◮ Each of B [ 0 ] , . . . , B [ b − 1 ] is non-negative and equal to one of A [ 0 ] , . . . , A [ a − 1 ] . ( ∀ p )( 0 ≤ p < b → B [ p ] ≥ 0 ∧ ( ∃ i )( 0 ≤ i < a ∧ A [ i ] = B [ p ]))

Invariant Generation – Overview of Our Method ◮ Given loop L ; ◮ Extend L to L ′ ; ◮ Extract a set P of loop properties in L ′ ; ◮ Generate loop property p in L s.t. P → p .

Invariant Generation – Overview of Our Method ◮ Given loop L ; ◮ Extend L to L ′ ; ◮ Extract a set P of loop properties in L ′ ; ◮ Generate loop property p in L s.t. P → p .

Invariant Generation – Overview of Our Method ◮ Given loop L ; ◮ Extend L to L ′ ; ◮ Extract a set P of loop properties in L ′ ; ◮ Generate loop property p in L s.t. P → p . ← Symbol elimination!

a := 0; b := 0; c := 0; while ( a ≤ k ) do Invariant Generation - The Method if A [ a ] ≥ 0 then B [ b ] := A [ a ] ; b := b + 1 ; else C [ c ] := A [ a ] ; c := c + 1 ; a := a + 1 ; end while 1. Extend the language L to L ′ : ( ∀ i )( i ∈ iter ⇔ 0 ≤ i ∧ i < n ) ◮ variables as functions of n : v ( i ) with 0 ≤ i < n ◮ predicates as loop properties: a = b + c , a ≥ 0 , b ≥ 0 , c ≥ 0 iter ( ∀ i ∈ iter )( a ( i + 1 ) > a ( i ) ) ( ∀ i ∈ iter )( b ( i + 1 ) = b ( i ) ∨ b ( i + 1 ) = b ( i ) + 1 ) 2. Collect loop properties: ( ∀ i ∈ iter )( a ( i ) = a ( 0 ) + i ) ( ∀ j , k ∈ iter )( k ≥ j → b ( k ) ≥ b ( j ) ) ( ∀ j , k ∈ iter )( k ≥ j → b ( j ) + k ≥ b ( k ) + j ) ( ∀ p )( b ( 0 ) ≤ p < b ( n ) → ( ∃ i ∈ iter )( b ( i ) = p ∧ A [ a ( i ) ] ≥ 0 )) ( ∀ i ) ¬ upd B ( i , p ) → B ( n ) [ p ] = B ( 0 ) [ p ] upd B ( i , p , x ) ∧ ( ∀ j > i ) ¬ upd B ( j , p ) → B ( n ) [ p ]= x ( ∀ i ∈ iter )( A [ a ( i ) ] ≥ 0 → B ( i + 1 ) [ b ( i ) ] = A [ a ( i ) ] ∧ b ( i + 1 ) = b ( i ) + 1 ∧ c ( i + 1 ) = c ( i ) )

a := 0; b := 0; c := 0; while ( a ≤ k ) do Invariant Generation - The Method if A [ a ] ≥ 0 then B [ b ] := A [ a ] ; b := b + 1 ; else C [ c ] := A [ a ] ; c := c + 1 ; a := a + 1 ; end while 1. Extend the language L to L ′ : ( ∀ i )( i ∈ iter ⇔ 0 ≤ i ∧ i < n ) ◮ variables as functions of n : v ( i ) with 0 ≤ i < n ◮ predicates as loop properties: a = b + c , a ≥ 0 , b ≥ 0 , c ≥ 0 iter ( ∀ i ∈ iter )( a ( i + 1 ) > a ( i ) ) ( ∀ i ∈ iter )( b ( i + 1 ) = b ( i ) ∨ b ( i + 1 ) = b ( i ) + 1 ) 2. Collect loop properties: ( ∀ i ∈ iter )( a ( i ) = a ( 0 ) + i ) ( ∀ j , k ∈ iter )( k ≥ j → b ( k ) ≥ b ( j ) ) ◮ Polynomial scalar properties ( ∀ j , k ∈ iter )( k ≥ j → b ( j ) + k ≥ b ( k ) + j ) ◮ Monotonicity properties of scalars ( ∀ p )( b ( 0 ) ≤ p < b ( n ) → ( ∃ i ∈ iter )( b ( i ) = p ∧ ◮ Update predicates of arrays A [ a ( i ) ] ≥ 0 )) ◮ Translation of guarded assignments ( ∀ i ) ¬ upd B ( i , p ) → B ( n ) [ p ] = B ( 0 ) [ p ] upd B ( i , p , x ) ∧ ( ∀ j > i ) ¬ upd B ( j , p ) → B ( n ) [ p ]= x ( ∀ i ∈ iter )( A [ a ( i ) ] ≥ 0 → B ( i + 1 ) [ b ( i ) ] = A [ a ( i ) ] ∧ b ( i + 1 ) = b ( i ) + 1 ∧ c ( i + 1 ) = c ( i ) )

a := 0; b := 0; c := 0; while ( a ≤ k ) do Invariant Generation - The Method if A [ a ] ≥ 0 then B [ b ] := A [ a ] ; b := b + 1 ; else C [ c ] := A [ a ] ; c := c + 1 ; a := a + 1 ; end while 1. Extend the language L to L ′ : ( ∀ i )( i ∈ iter ⇔ 0 ≤ i ∧ i < n ) ◮ variables as functions of n : v ( i ) with 0 ≤ i < n ◮ predicates as loop properties: a = b + c , a ≥ 0 , b ≥ 0 , c ≥ 0 iter ( ∀ i ∈ iter )( a ( i + 1 ) > a ( i ) ) ( ∀ i ∈ iter )( b ( i + 1 ) = b ( i ) ∨ b ( i + 1 ) = b ( i ) + 1 ) 2. Collect loop properties: ( ∀ i ∈ iter )( a ( i ) = a ( 0 ) + i ) ( ∀ j , k ∈ iter )( k ≥ j → b ( k ) ≥ b ( j ) ) ◮ Polynomial scalar properties ( ∀ j , k ∈ iter )( k ≥ j → b ( j ) + k ≥ b ( k ) + j ) ◮ Monotonicity properties of scalars ( ∀ p )( b ( 0 ) ≤ p < b ( n ) → ( ∃ i ∈ iter )( b ( i ) = p ∧ ◮ Update predicates of arrays A [ a ( i ) ] ≥ 0 )) ◮ Translation of guarded assignments ( ∀ i ) ¬ upd B ( i , p ) → B ( n ) [ p ] = B ( 0 ) [ p ] upd B ( i , p , x ) ∧ ( ∀ j > i ) ¬ upd B ( j , p ) → B ( n ) [ p ]= x ( ∀ i ∈ iter )( A [ a ( i ) ] ≥ 0 → B ( i + 1 ) [ b ( i ) ] = A [ a ( i ) ] ∧ b ( i + 1 ) = b ( i ) + 1 ∧ c ( i + 1 ) = c ( i ) )