Generating Sharper and Simpler Nonlinear Interpolants for Program - - PowerPoint PPT Presentation

Generating Sharper and Simpler Nonlinear Interpolants for Program Verification

Takamasa Okudono1, Yuki Nishida2, Kensuke Kojima2, Kohei Suenaga2, Kengo Kido1 and Ichiro Hasuo3

1University of Tokyo, Japan 2Kyoto University, Japan 3National Institute of Informatics, Japan

APLAS 2017, Suzhou, China. November 28th 2017

1 Takamasa Okudono (University of Tokyo)

Interpolant is effective at program verification

For polynomial interpolants, atomic propositions are: (Poly.)≧0, (Poly.)>0, (Poly.)=0

Purpose of This Work

• Automatic generation of polynomial interpolants.

Takamasa Okudono (University of Tokyo) 2

Disjointness of the regions Essential to separate the regions

• 𝐵, 𝐶: Formulas satisfying ⊨ ¬(𝐵 ∧ 𝐶).
• Formula 𝐽 is an interpolant of 𝐵 and 𝐶 if:
• 1. ⊨ 𝐵 → 𝐽
• 2. ⊨ ¬(𝐶 ∧ 𝐽)
• 3. Variables in 𝐽 appear in both of 𝐵, 𝐶
• Def. [interpolant]

Existing Work

• [Dai+, CAV’13]: generation of polynomial interpolants with

numerical optimization

• Challenge 1: Unable to generate any interpolants in “touching” cases
• Challenge 2: Incorrect and complex due to numerical errors

3 Takamasa Okudono (University of Tokyo)

Touching

54.1800𝑦 + 108.3601𝑧 ≥ 0 𝑦 + 2𝑧 ≥ 0

Our Contribution

• [Dai+, CAV’13]: generation of polynomial interpolants with

numerical optimization

• Challenge 1: Unable to generate any interpolants in “touching” cases
• Challenge 2: Incorrect and complex due to numerical errors

4 Takamasa Okudono (University of Tokyo)

Touching

54.1800𝑦 + 108.3601𝑧 ≥ 0 𝑦 + 2𝑧 ≥ 0

Solved! (Contribution 1) Solved! (Contribution 2)

Challenge 1 in [Dai+]: Sharpness

• If two regions of 𝐵, 𝐶 are “touching”, [Dai+, CAV’13] always

fails at generating their interpolant.

5 Takamasa Okudono (University of Tokyo)

Touching

• 𝐵 = (𝑧 − 𝑦 > 0 ∧ 𝑧 + 𝑦 > 0)
• 𝐶 = (−𝑧 ≥ 0)

Challenge 1 in [Dai+]: Sharpness

• If two regions of 𝐵, 𝐶 are “touching”, [Dai+, CAV’13] always

fails at generating their interpolant.

6 Takamasa Okudono (University of Tokyo)

Touching

• 𝐵 = (𝑧 − 𝑦 > 0 ∧ 𝑧 + 𝑦 > 0)
• 𝐶 = −𝑧 ≥ 0
• 𝐽 = 𝑧 > 0
• There is an interpolant, but

[Dai, CAV’13] cannot find it!

Challenge 1 in [Dai+]: Sharpness

• If two regions of 𝐵, 𝐶 are “touching”, [Dai+, CAV’13] always

fails at generating their interpolant.

7 Takamasa Okudono (University of Tokyo)

Challenge 1: Flow of [Dai+]

Takamasa Okudono (University of Tokyo) 8

(1) Formulas

𝐵, 𝐶

(2) Polynomial Optimization Problem (3) SDP Problem (4) Numerical Solution

• f (3)

(5) Numerical Solution

• f (2)

(6) Interpolant

𝐽

Use SDP Solver [Parrilo, Mathematical Programming’03]

↦ ↦ ↦ ↦ ↦

Contribution 1: Method for Sharpness

Takamasa Okudono (University of Tokyo) 9

Method for Sharpness (1) Formulas

𝐵, 𝐶

(2) Polynomial Optimization Problem (3) SDP Problem (4) Numerical Solution

• f (3)

(5) Numerical Solution

• f (2)

(6) Interpolant

𝐽

Use SDP Solver [Parrilo, Mathematical Programming’03]

↦ ↦ ↦ ↦ ↦

Contribution 1: Example

Takamasa Okudono (University of Tokyo) 10

(1) Formulas

𝐵, 𝐶

(2) Polynomial Optimization Problem Method for Sharpness

𝐵 = y − x > 0, y + x > 0 , 𝐶 = (−𝑧 ≥ 0)

↦

Contribution 1: Example [Dai+, CAV’13]

Takamasa Okudono (University of Tokyo) 11

• 𝐵 = (y − x > 0, y + x > 0), 𝐶 = (−𝑧 ≥ 0)
• [Dai+, CAV’13]
• Find polynomials 𝜏1, 𝜏2, 𝜏3, 𝜏4, 𝜏5 ∈ ℝ[𝑌]s.t.
• 𝐽 ≔

1 2 + 𝜏1 + 𝜏2 𝑧 − 𝑦 + 𝜏3 𝑧 + 𝑦 + 𝜏4 𝑧 − 𝑦

𝑧 + 𝑦 + 𝑧 − 𝑦 2 𝑧 + 𝑦 2

• 𝐽′ ≔

1 2 + 𝜏5(−𝑧)

• 𝜏1, 𝜏2, 𝜏3, 𝜏4, 𝜏5 are sums of squares
• 𝐽 + 𝐽′ = 0
• (𝐽 contains only 𝑧)
• Then 𝐽 > 0 is an interpolant

𝜏 is a sum of squares ⟺ ∃𝜒1, … , 𝜒𝑜 ∈ ℝ 𝑌 ; 𝜏 = 𝜒1

2 + ⋯ + 𝜒𝑜 2

Contribution 1: Example [Dai+, CAV’13]

Takamasa Okudono (University of Tokyo) 12

• 𝐵 = (y − x > 0, y + x > 0), 𝐶 = (−𝑧 ≥ 0)
• [Dai+, CAV’13]
• Find polynomials 𝜏1, 𝜏2, 𝜏3, 𝜏4, 𝜏5 ∈ ℝ[𝑌]s.t.
• 𝐽 ≔

1 2 + 𝜏1 + 𝜏2 𝑧 − 𝑦 + 𝜏3 𝑧 + 𝑦 + 𝜏4 𝑧 − 𝑦

𝑧 + 𝑦 + 𝑧 − 𝑦 2 𝑧 + 𝑦 2

• 𝐽′ ≔

1 2 + 𝜏5(−𝑧)

• 𝜏1, 𝜏2, 𝜏3, 𝜏4, 𝜏5 are sums of squares
• 𝐽 + 𝐽′ = 0
• (𝐽 contains only 𝑧)
• Then 𝐽 > 0 is an interpolant

Infeasible and unable to generate any interpolants!

Contribution 1: Example [Dai+, CAV’13]

Takamasa Okudono (University of Tokyo) 13

• 𝐵 = (y − x > 0, y + x > 0), 𝐶 = (−𝑧 ≥ 0)
• [Dai+, CAV’13]
• Find 𝜏1, 𝜏2, 𝜏3, 𝜏4, 𝜏5 ∈ ℝ[𝑌] s.t.
• 𝐽 ≔

1 2 + 𝜏1 + 𝜏2 𝑧 − 𝑦 + 𝜏3 𝑧 + 𝑦 + 𝜏4 𝑧 − 𝑦

𝑧 + 𝑦 + 𝑧 − 𝑦 2 𝑧 + 𝑦 2

• 𝐽′ ≔

1 2 + 𝜏5(−𝑧)

• 𝜏1, 𝜏2, 𝜏3, 𝜏4, 𝜏5 are sums of squares
• 𝐽 + 𝐽′ = 0
• (𝐽 contains only 𝑧)
• Then 𝐽 > 0 is an interpolant

Infeasible and unable to generate any interpolants! ∵Assume the feasibility. 0 = 𝐽 + 𝐽′ 0, 0 = 1 + 𝜏1 0, 0 > 0.

• Contradiction. □

Contribution 1: Example [Dai+, CAV’13]

Takamasa Okudono (University of Tokyo) 14

• 𝐵 = (y − x > 0, y + x > 0), 𝐶 = (−𝑧 ≥ 0)
• Our method for sharpness
• Find polynomials 𝜏1, 𝜏2, 𝜏3, 𝜏4, 𝜏5 ∈ ℝ[𝑌]and 𝑠

1, 𝑠2, 𝑠3 ∈ ℝ≥0 s.t.

• 𝐽 ≔ 𝜏1 + 𝜏2 𝑧 − 𝑦 + 𝜏3 𝑧 + 𝑦 + 𝜏4 𝑧 − 𝑦

𝑧 + 𝑦 + 𝑠

1 + 𝑠2 𝑧 − 𝑦 + 𝑠3 𝑧 + 𝑦

• 𝐽′ ≔ 𝜏5 −𝑧
• 𝜏1, 𝜏2, 𝜏3, 𝜏4, 𝜏5 are sums of squares
• 𝑠

1 + 𝑠2 + 𝑠3 > 0

• 𝐽 + 𝐽′ = 0
• 𝐽 contains only 𝑧
• Then 𝐽 > 0 is an interpolant

Contribution 1: Example [Dai+, CAV’13]

Takamasa Okudono (University of Tokyo) 15

• 𝐵 = (y − x > 0, y + x > 0), 𝐶 = (−𝑧 ≥ 0)
• Our method for sharpness
• Find polynomials 𝜏1, 𝜏2, 𝜏3, 𝜏4, 𝜏5 ∈ ℝ[𝑌]and 𝑠

1, 𝑠2, 𝑠3 ∈ ℝ≥0 s.t.

• 𝐽 ≔ 𝜏1 + 𝜏2 𝑧 − 𝑦 + 𝜏3 𝑧 + 𝑦 + 𝜏4 𝑧 − 𝑦

𝑧 + 𝑦 + 𝑠

1 + 𝑠2 𝑧 − 𝑦 + 𝑠3 𝑧 + 𝑦

• 𝐽′ ≔ 𝜏5 −𝑧
• 𝜏1, 𝜏2, 𝜏3, 𝜏4, 𝜏5 are sums of squares
• 𝑠

1 + 𝑠2 + 𝑠3 > 0

• 𝐽 + 𝐽′ = 0
• 𝐽 contains only 𝑧
• Then 𝐽 > 0 is an interpolant

𝜏1 = 0 𝜏2 = 0 𝜏3 = 1 𝜏4 = 0 𝑠

1 = 0

𝑠2 = 1 𝑠3 = 0 𝑠5 = 2

Feasible and able to generate an interpolant!

𝐽 = 2𝑧

Contribution 1: Completeness

Takamasa Okudono (University of Tokyo) 16

A and B s.t. ⊨ ¬(A∧B) [Dai+] Method for Sharpness “touching” cases

Challenge 2: Numerical Error in [Dai+]

Takamasa Okudono (University of Tokyo) 17

(1) Formulas

𝐵, 𝐶

(2) Polynomial Optimization Problem (3) SDP Problem (4) Numerical Solution

• f (3)

(5) Numerical Solution

• f (2)

(6) Interpolant

𝐽

Use SDP Solver

↦ ↦ ↦ ↦ ↦

Numerical Error

Challenge 2: Numerical Error in [Dai+]

Takamasa Okudono (University of Tokyo) 18

(1) Formulas

𝐵, 𝐶

(2) Polynomial Optimization Problem (3) SDP Problem (4) Numerical Solution

• f (3)

(5) Numerical Solution

• f (2)

(6) Interpolant

𝐽

Use SDP Solver

↦ ↦ ↦ ↦ ↦

Numerical Error Numerical Error

Challenge 2: Numerical Error in [Dai+]

Takamasa Okudono (University of Tokyo) 19

(1) Formulas

𝐵, 𝐶

(2) Polynomial Optimization Problem (3) SDP Problem (4) Numerical Solution

• f (3)

(5) Numerical Solution

• f (2)

(6) Interpolant

𝐽

Use SDP Solver

↦ ↦ ↦ ↦ ↦

Numerical Error Numerical Error Numerical Error Numerical error spreads Less simple Maybe spurious

Challenge 2: Numerical Error in [Dai+]

Takamasa Okudono (University of Tokyo) 20

(1) Formulas

𝐵, 𝐶

(2) Polynomial Optimization Problem (3) SDP Problem (4) Numerical Solution

• f (3)

(5) Numerical Solution

• f (2)

(6) Interpolant

𝐽

Use SDP Solver

↦ ↦ ↦ ↦ ↦

Numerical Error Numerical Error Numerical Error Numerical error spreads Less simple Maybe spurious

The same problem occurs in our method for sharpness (Contribution 1)

Challenge 2: Example

• Example: 𝐵 = 𝑦 = 0 ∧ 𝑧 = 0 , 𝐶 = (𝑦 + 2𝑧 < 0)
• Spurious interpolant 𝐽 = 54.1800𝑦 + 108.3601𝑧 ≥ 0
• 𝑦, 𝑧 = (−108.3601, 54.1800) satisfies both 𝐶 and 𝐽

21 Takamasa Okudono (University of Tokyo)

• 𝐵, 𝐶: Formulas satisfying ⊨ (𝐵 ∧ 𝐶).
• Formula 𝐽 is an interpolant of 𝐵 and 𝐶 if:
• 1. ⊨ 𝐵 → 𝐽
• 2. ⊨ ¬(𝐶 ∧ 𝐽)
• 3. Variables in 𝐽 appears in both of 𝐵, 𝐶
• Def. [interpolant]

Contribution 2: Observation

≈×2

22 Takamasa Okudono (University of Tokyo)

Spurious Interpolant: 𝐽 = 54.1800𝑦 + 108.3601𝑧 ≥ 0 Simplified Interpolant: 𝐽 = 𝑦 + 2𝑧 ≥ 0

Correct and simple interpolant of 𝐵 = 𝑦 = 0 ∧ 𝑧 = 0 , 𝐶 = (𝑦 + 2𝑧 < 0)

Contribution 2: Working Assumption

• Working Assumption: Simple interpolants tend to be correct

and useful to capture the program’s nature.

• Strategy:
• Simplify the ratio that appears in the interpolant
• Find and guess simple integers

Takamasa Okudono (University of Tokyo) 23

Contribution 2: Technique

24 Takamasa Okudono (University of Tokyo)

• Continued Fraction Expansion
• Input: real number 𝑦
• Output: “best” approximations 𝑏1

𝑐1 , 𝑏2 𝑐2 , … of 𝑦

• Example:
• 3.1416 = 3 +

1 7+

1 16+ 1 11

• 1st approximation: 3.1416 ≃ 3
• 2nd approximation: 3.1416 ≃ 3 + 1

7 = 22 7

• 3rd approximation: 3.1416 ≃ 3 +

1 7+ 1

16

= 355

113

Contribution 2: Technique

25 Takamasa Okudono (University of Tokyo)

• Continued Fraction Expansion
• Input: real number 𝑦
• Output: “best” approximations 𝑏1

𝑐1 , 𝑏2 𝑐2 , … of 𝑦

• Example:
• 3.1416 = 3 +

1 7+

1 16+ 1 11

• 1st approximation: 3.1416 ≃ 3
• 2nd approximation: 3.1416 ≃ 3 + 1

7 = 22 7

• 3rd approximation: 3.1416 ≃ 3 +

1 7+ 1

16

= 355

113

(3.1416: 1) (3: 1) (22: 7) (355: 113)

Simple Faithful

Contribution 2: Simplification of Ratio

26 Takamasa Okudono (University of Tokyo)

46.7375 155.0975 60.1733 1 3 1 3 10 4 31 103 40 97 322 125 … … … 467375 1550975 601733

More Faithful Less Simple

• The simplification starts from the simplest ratio
• Make it more faithful to the original solution and less simple

iteratively.

Original

(1) Formulas

𝐵, 𝐶

(2) Polynomial Optimization Problem (3) SDP Problem (4) Numerical Solution

• f (3)

(7) Simplified Solution

• f (2)

(8) Simple and Verified Interpolant 𝐽 d := 1 (6) Simplified Solution

• f (3)

(5) d-th Simplification

• f (4)

FAIL d++ if (5) does not satisfy (3) No validated solution (5) satisfies (3) Method for Sharpness Method for Simplicity Validity is guaranteed! Maybe spurious…

Challenge 2: Method for Simplicity

↦ ↦ ↦ → ↦ ↦ ↦ ↦ ↦ ↦

• 𝐵: blue regions, 𝐶: red regions, 𝐽: black hatched regions.

Experiments: Geometric Examples

28 Takamasa Okudono (University of Tokyo)

• 𝐵: blue regions, 𝐶: red regions, 𝐽: black hatched regions.

Experiments: Geometric Examples

29 Takamasa Okudono (University of Tokyo)

• These examples are rather simple, but [Dai+, CAV’13] cannot

verify them because of numerical errors (Challenge 2).

Experiments: Program Examples

30 Takamasa Okudono (University of Tokyo)

Experiments: Program Examples

31 Takamasa Okudono (University of Tokyo)

(x, v) = (0, 0) While(nondet()){ (x, v) = (x + 2*v, v + 2); } Assert(x >= 0) (x, v) = [𝑦 ≥ 0, 𝑤 ≥ 0] While(nondet()){ (x, v) = (x + 2*v, v + 2); } Assert(x >= 0)

Abstraction with

𝑦 ≥ 0 and 𝑤 ≥ 0

Find good predicates by CEGAR[Clarke+, CAV’00] and our interpolant generation

(x, v) = (0, 0); Assert(x >= 0) (x, v) = [anything]; Assert(x >= 0) (x, v) = [anything] While(nondet()){ (x, v) = (x + 2*v, v + 2); } Assert(x >= 0) (x, v) = (0, 0) While(nondet()){ (x, v) = (x + 2*v, v + 2); } Assert(x >= 0)

Experiments: Program Examples

32 Takamasa Okudono (University of Tokyo)

Abstraction with nothing Find Counterexample Extract the original trace 𝐵 = 𝑦 = 0, 𝑤 = 0 𝐶 = (𝑦 < 0) 𝐽 = (𝑦 ≥ 0) Make Formulas Generate an interpolant Touching Add 𝑦 ≥ 0

(x, v) = (0, 0); (x, v) = (x + 2*v, v + 2); Assert(x >= 0) (x, v) = [𝑦 ≥ 0, 𝑤: any]; (x, v) = (x + 2*v, v + 2); Assert(x >= 0) (x, v) = [𝑦 ≥ 0, 𝑤: any] While(nondet()){ (x, v) = (x + 2*v, v + 2); } Assert(x >= 0) (x, v) = (0, 0) While(nondet()){ (x, v) = (x + 2*v, v + 2); } Assert(x >= 0)

Experiments: Program Examples

33 Takamasa Okudono (University of Tokyo)

Abstraction with 𝑦 ≥ 0 Find Counterexample Extract the original trace 𝐵 = 𝑤1 = 0 𝐶 = (𝑦1 = 0 ∧ 𝑤2 = 𝑤1 + 2 ∧ 𝑦2 = 𝑦1 + 2𝑤1 ∧ 𝑦2 < 0) 𝐽 = (𝑤1 ≥ 0) Make Formulas Generate an interpolant Add 𝑤 ≥ 0

(x, v) = [𝑦 ≥ 0, 𝑤 ≥ 0] While(nondet()){ (x, v) = (x + 2*v, v + 2); } Assert(x >= 0) (x, v) = (0, 0) While(nondet()){ (x, v) = (x + 2*v, v + 2); } Assert(x >= 0)

Experiments: Program Examples

34 Takamasa Okudono (University of Tokyo)

Abstraction with 𝑦 ≥ 0 and 𝑤 ≥ 0

Our Challenge

• Our method works only for fairly simple examples:
• Geometric examples: at most quadratic
• Program examples: at most linear

35 Takamasa Okudono (University of Tokyo)

Conclusion

• Our Contributions: Solved some challenges in [Dai+, CAV’13]
• Challenge 1: Sharpness
• Challenge 2: Numerical Error
• Our method works only for fairly simple examples:
• Geometric examples: at most quadratic
• Program examples: at most linear

36 Takamasa Okudono (University of Tokyo)