Loop Summarization with Rational Vector Addition Systems
Jake Silverman, Zachary Kincaid (Princeton University)
The Why

Invariant generation techniques are effective but can be unpredictable.

Example 1: the polyhedron domain with widening / narrowing.

    i = 0
    while(i < 5) do
      i++
    assert(i == 5)

The polyhedron domain with widening / narrowing verifies the assertion.

    i = 1
    j = 0
    while(i < 5) do
      j = j + i
      i++
    assert(i == 5)

The polyhedron domain with widening / narrowing fails to verify the assertion.

Example 2: Ultimate Automizer.

    i = 0
    j = 0
    while(i < 1000) do
      i = i + step
      j = j + step
    assert(i == j)

Ultimate Automizer verifies the assertion.

    assume(step < 2)
    i = 0
    j = 0
    while(i < 1000) do
      i = i + step
      j = j + step
    assert(i == j)

Ultimate Automizer fails to verify the assertion within 1 hour.

Not monotone: more information led to worse analysis.

*D. Monniaux and J. Le Guen. Stratified Static Analysis Based on Variable Dependencies. In Proc. International Workshop on Numerical and Symbolic Abstract Domains (NSAD '11).
The What

Want: an invariant generation technique that is

- predictable: can make theoretical guarantees about invariant quality (in particular, monotonicity)
- precise: assertion verification capability comparable with state-of-the-art software model checkers
The How

Exploit compositionality to compute a transition formula that over-approximates the reachability relation of the input:

$$\mathrm{TR}[\![\, x := a \,]\!] \triangleq x' = a \wedge \bigwedge_{y \neq x} y' = y$$

$$\mathrm{TR}[\![\, \mathbf{if}\ b\ \mathbf{then}\ S_1\ \mathbf{else}\ S_2 \,]\!] \triangleq \big(b \wedge \mathrm{TR}[\![\, S_1 \,]\!]\big) \vee \big(\neg b \wedge \mathrm{TR}[\![\, S_2 \,]\!]\big)$$

$$\mathrm{TR}[\![\, S_1 ; S_2 \,]\!] \triangleq \exists \vec{x}''.\ \mathrm{TR}[\![\, S_1 \,]\!][\vec{x}''/\vec{x}'] \wedge \mathrm{TR}[\![\, S_2 \,]\!][\vec{x}''/\vec{x}]$$

$$\mathrm{TR}[\![\, \mathbf{while}\ b\ \mathbf{do}\ S \,]\!] \triangleq \big(b \wedge \mathrm{TR}[\![\, S \,]\!]\big)^{*} \wedge \neg b[\vec{x}'/\vec{x}]$$

Loop-free segments can be encoded without loss of information; for example

    if(*) then
      x = x + 1
    else
      x = x + 2

has the transition formula $x' = x + 1 \vee x' = x + 2$.

The reachability relation of loops needs to be over-approximated. If the star operator is monotone, the entire analysis is monotone.
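The four TR rules above, evaluated on concrete states, as an added example that is not part of the talk or the authors' tool. A relation is represented by its successor function (pre-state to set of post-states), sequencing is relational composition, and the star is computed exactly by a worklist search, so this computes the exact loop relation rather than the over-approximation the talk is about; it terminates only when the states reachable from the given input are finite. The programs encoded (`BRANCH`, `PROG_A`, `PROG_B`) are the ones on the slides; the helper names are my own.

```python
# Added example (not from the talk): the compositional transition-relation
# rules from "The How", evaluated on concrete states. Relations are given by a
# successor function (pre-state -> set of post-states); star is computed
# exactly by exploring successors, which only terminates when the reachable
# state set is finite.
from typing import Callable, FrozenSet, Set, Tuple

State = FrozenSet[Tuple[str, int]]        # immutable variable -> value map
Rel = Callable[[State], Set[State]]       # transition relation as successor function
Guard = Callable[[State], bool]
Expr = Callable[[State], int]

def mk_state(**vals: int) -> State:
    return frozenset(vals.items())

def get(s: State, v: str) -> int:
    return dict(s)[v]

def assign(x: str, a: Expr) -> Rel:
    """TR[x := a]: x' = a and every other variable keeps its value."""
    def rel(s: State) -> Set[State]:
        d = dict(s)
        d[x] = a(s)
        return {frozenset(d.items())}
    return rel

def ite(b: Guard, s1: Rel, s2: Rel) -> Rel:
    """TR[if b then S1 else S2]: (b and TR[S1]) or (not b and TR[S2])."""
    return lambda s: s1(s) if b(s) else s2(s)

def choice(s1: Rel, s2: Rel) -> Rel:
    """TR[if (*) then S1 else S2]: nondeterministic branch, union of both relations."""
    return lambda s: s1(s) | s2(s)

def seq(s1: Rel, s2: Rel) -> Rel:
    """TR[S1; S2]: relational composition, i.e. exists x''. S1(x, x'') and S2(x'', x')."""
    def rel(s: State) -> Set[State]:
        out: Set[State] = set()
        for mid in s1(s):
            out |= s2(mid)
        return out
    return rel

def star(body: Rel) -> Rel:
    """Reflexive-transitive closure of body, computed exactly by a worklist
    search; terminates as long as the states reachable from s are finite."""
    def rel(s: State) -> Set[State]:
        seen, work = {s}, [s]
        while work:
            for nxt in body(work.pop()):
                if nxt not in seen:
                    seen.add(nxt)
                    work.append(nxt)
        return seen
    return rel

def while_loop(b: Guard, body: Rel) -> Rel:
    """TR[while b do S]: (b and TR[S])* and not b[x'/x]."""
    guarded: Rel = lambda s: body(s) if b(s) else set()
    closure = star(guarded)
    return lambda s: {t for t in closure(s) if not b(t)}

def run(prog: Rel, **init: int) -> Set[Tuple[Tuple[str, int], ...]]:
    """Post-states of prog from the given initial state, as sorted tuples."""
    return {tuple(sorted(t)) for t in prog(mk_state(**init))}

# if(*) then x = x + 1 else x = x + 2  (the loop-free example on the slide)
BRANCH = choice(assign("x", lambda s: get(s, "x") + 1),
                assign("x", lambda s: get(s, "x") + 2))

# i = 1; j = 0; while (i < 5) do j = j + i; i++  (the polyhedra example)
PROG_A = seq(
    seq(assign("i", lambda s: 1), assign("j", lambda s: 0)),
    while_loop(lambda s: get(s, "i") < 5,
               seq(assign("j", lambda s: get(s, "j") + get(s, "i")),
                   assign("i", lambda s: get(s, "i") + 1))))

# i = 0; j = 0; while (i < 1000) do i = i + step; j = j + step  (the Ultimate
# example); 'step' is an input, and the loop exits only for step > 0.
PROG_B = seq(
    seq(assign("i", lambda s: 0), assign("j", lambda s: 0)),
    while_loop(lambda s: get(s, "i") < 1000,
               seq(assign("i", lambda s: get(s, "i") + get(s, "step")),
                   assign("j", lambda s: get(s, "j") + get(s, "step")))))

if __name__ == "__main__":
    print(run(BRANCH, x=0))                 # both branches: x' = 1 or x' = 2
    print(run(PROG_A, i=0, j=0))            # i = 5, j = 10
    print(run(PROG_B, i=0, j=0, step=0))    # empty: the loop never exits
```

With `step = 0` the guarded body maps the initial state to itself, the closure is a single state, and filtering by `not b` leaves nothing: a non-terminating loop has an empty transition relation, which is exactly the kind of input-dependent behaviour a symbolic star operator has to over-approximate rather than enumerate.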
This talk

1) Predictable loop summarization using rational vector addition systems with resets (ℚ-VASR)
2) Precision improvement via capturing control flow using ℚ-VASR with states (ℚ-VASRS)
ℚ-VASR

Key property: the reachability relation is LIRA-definable and computable in polynomial time.*

A ℚ-VASR is a finite set of transformers; each transformer describes, for every dimension, either a reset or an increment. Example with two transformers over dimensions x and y:

$$T_1:\ \begin{bmatrix} x \\ y \end{bmatrix} \to \begin{bmatrix} 0 \\ 1 \end{bmatrix} \odot \begin{bmatrix} x \\ y \end{bmatrix} + \begin{bmatrix} 1 \\ -1 \end{bmatrix} \qquad T_2:\ \begin{bmatrix} x \\ y \end{bmatrix} \to \begin{bmatrix} 1 \\ 1 \end{bmatrix} \odot \begin{bmatrix} x \\ y \end{bmatrix} + \begin{bmatrix} 10 \\ -1 \end{bmatrix}$$

(⊙ is the element-wise product: a 0 entry resets that dimension to the offset, a 1 entry keeps it and adds the offset.)

This corresponds to a transition formula of the form

$$\bigvee_{i \in T} \bigwedge_{j \in \mathrm{vars}} x'_j = \underbrace{r_{ij}}_{\{0,1\}} \cdot x_j + \underbrace{a_{ij}}_{\mathbb{Q}}$$

which for the example is $T_1: (x' = 1 \wedge y' = y - 1)\ \vee\ T_2: (x' = x + 10 \wedge y' = y - 1)$.

[Figure: configurations reachable from (5, 0.5). T1 gives (1, −0.5) and T2 gives (15, −0.5); from (1, −0.5), T1 gives (1, −1.5) and T2 gives (11, −1.5); from (15, −0.5), T1 gives (1, −1.5) and T2 gives (25, −1.5).]

*C. Haase and S. Halfon. Integer vector addition systems with states. In Proc. International Workshop on Reachability Problems (RP '14).
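The ℚ-VASR from the slide in code, as an added example that is not from the talk or the authors' implementation. A transformer is a pair of vectors (resets in {0,1}, rational offsets); `simulate` runs a word of transformer indices, `reachable` enumerates the tree in the figure, and `closed_form` recomputes each final coordinate from only two facts, which transformer last reset that dimension and how many times each transformer fired afterwards. That the result is linear in those counts is the observation behind LIRA-definability; the restatement is mine and is not the paper's exact formula or algorithm.

```python
# Added example (not from the talk or the authors' tool): a Q-VASR as a list of
# transformers x'_j = r_j * x_j + a_j with r_j in {0,1}, the two transformers
# from the slide, and a check of the closed-form summary that explains why the
# reachability relation is expressible in linear rational arithmetic.
from fractions import Fraction
from typing import List, Sequence, Set, Tuple

Vec = Tuple[Fraction, ...]

class Transformer:
    """r_j = 0 resets dimension j to a_j; r_j = 1 adds a_j to it."""

    def __init__(self, resets: Sequence[int], adds: Sequence) -> None:
        if any(r not in (0, 1) for r in resets) or len(resets) != len(adds):
            raise ValueError("reset vector must be 0/1 and match the add vector")
        self.r = tuple(resets)
        self.a = tuple(Fraction(v) for v in adds)

    def apply(self, x: Vec) -> Vec:
        return tuple(r * xj + a for r, xj, a in zip(self.r, x, self.a))

def simulate(vasr: List[Transformer], start: Sequence, word: Sequence[int]) -> Vec:
    """Apply the transformers named by word (indices into vasr) in order."""
    x: Vec = tuple(Fraction(v) for v in start)
    for i in word:
        x = vasr[i].apply(x)
    return x

def closed_form(vasr: List[Transformer], start: Sequence, word: Sequence[int]) -> Vec:
    """Final value of each dimension from two pieces of data only: which
    transformer (if any) last reset it, and how many times each transformer
    fired after that point. Both are linear in the firing counts n_i, which is
    why the relation start -> end is definable in linear rational arithmetic
    (my restatement of the idea, not the paper's exact formula)."""
    word = list(word)
    out = []
    for j in range(len(start)):
        resets = [p for p, i in enumerate(word) if vasr[i].r[j] == 0]
        if resets:
            p = resets[-1]
            base, tail = vasr[word[p]].a[j], word[p + 1:]
        else:
            base, tail = Fraction(start[j]), word
        counts = [tail.count(i) for i in range(len(vasr))]
        out.append(base + sum(n * vasr[i].a[j] for i, n in enumerate(counts)))
    return tuple(out)

def reachable(vasr: List[Transformer], start: Sequence, depth: int) -> Set[Vec]:
    """All configurations reachable in at most depth steps (the slide's tree)."""
    frontier: Set[Vec] = {tuple(Fraction(v) for v in start)}
    seen = set(frontier)
    for _ in range(depth):
        frontier = {t.apply(x) for x in frontier for t in vasr}
        seen |= frontier
    return seen

# The slide's example: T1 resets x to 1 and decrements y; T2 adds 10 to x and decrements y.
T1 = Transformer(resets=[0, 1], adds=[1, -1])
T2 = Transformer(resets=[1, 1], adds=[10, -1])
SLIDE_VASR = [T1, T2]

if __name__ == "__main__":
    start = (5, Fraction(1, 2))
    for word in ([0], [1], [0, 1], [1, 1], [1, 0], [1, 0, 1, 1]):
        assert simulate(SLIDE_VASR, start, word) == closed_form(SLIDE_VASR, start, word)
    print(sorted(reachable(SLIDE_VASR, start, 2)))   # the six configurations in the figure
```

The y dimension is never reset, so its final value is 0.5 minus the total number of firings; the x dimension is reset by every T1, so only the T2 firings after the last T1 matter. A summary that quantifies over those counts (with rational, not just integer, values in the ℚ-VASR setting) is what replaces the enumeration.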
Functional Queue

Proof goal: amortized constant-time operations.

Achieved by representing the queue as two lists, Front and Back:

- enqueue(e): push e onto the head of Back.
- dequeue():
  1. If Front is not empty, the result is the head of Front.
  2. If Front is empty, reverse Back to obtain the new Front (Back becomes empty); the result is then the head of the new Front.
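The two-list queue described above, with a work counter so the amortized claim can be checked on a run, as an added example that is not the benchmark program from the talk. The queue is persistent (tuples stand in for the functional lists); the cost model charges one unit per cons, one per pop and one per element moved by a reversal, which is the accounting the proof goal refers to, and `fifo_cost` is my helper, not part of the original.

```python
# Added example (not from the talk): the two-list functional queue whose
# amortized constant-time operations the talk sets out to prove, written as
# persistent tuples with a work counter so the amortized bound can be checked.
from typing import List, Optional, Tuple

Queue = Tuple[Tuple[int, ...], Tuple[int, ...]]   # (Front, Back), both lists
EMPTY: Queue = ((), ())

def enqueue(q: Queue, e: int) -> Tuple[Queue, int]:
    """Cons e onto the head of Back. Returns the new queue and the work done (1)."""
    front, back = q
    return (front, (e,) + back), 1

def dequeue(q: Queue) -> Tuple[Optional[int], Queue, int]:
    """Case 1: Front non-empty, result is hd Front.
    Case 2: Front empty, reverse Back into Front (work = len(Back)), then case 1."""
    front, back = q
    work = 0
    if not front:
        front, back = back[::-1], ()
        work += len(front)
    if not front:
        return None, (front, back), work        # queue was empty
    return front[0], (front[1:], back), work + 1

def fifo_cost(n: int) -> Tuple[bool, int]:
    """Enqueue 0..n-1 then dequeue n times; report FIFO order and total work.
    Each element is consed once, reversed at most once and popped once, so the
    total work is at most 3 * n for these 2 * n operations: amortized constant."""
    q, work = EMPTY, 0
    for v in range(n):
        q, w = enqueue(q, v)
        work += w
    out: List[Optional[int]] = []
    for _ in range(n):
        v, q, w = dequeue(q)
        out.append(v)
        work += w
    return out == list(range(n)), work

if __name__ == "__main__":
    print(fifo_cost(5))     # (True, 15): 5 conses, one 5-element reversal, 5 pops
```

A single dequeue can cost O(n) when it triggers the reversal, which is why the bound is amortized rather than worst-case; the invariant a verifier has to discover is that the total reversal work never exceeds the number of enqueues so far.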