Motivation SMT-solvers are routinely used in program analysis: - - PowerPoint PPT Presentation
Extending the Theory of Arrays: st , , and Beyond Stephan Falke , Florian Merz, and Carsten Sinz INSTITUTE FOR THEORETICAL COMPUTER SCIENCE (ITI) 0 08.07.2013 S. Falke , F. Merz, C. Sinz - Extending the Theory of
08.07.2013
ITI
INSTITUTE FOR THEORETICAL COMPUTER SCIENCE (ITI)
Stephan Falke, Florian Merz, and Carsten Sinz
KIT – University of the State of Baden-Wuerttemberg and National Research Center of the Helmholtz Association
www.kit.edu
1
08.07.2013
ITI
SMT-solvers are routinely used in program analysis:
Deductive program verification Symbolic execution Software bounded model checking . . .
1
08.07.2013
ITI
SMT-solvers are routinely used in program analysis:
Deductive program verification Symbolic execution Software bounded model checking . . .
Prominent theory: TA (theory of arrays)
Model arrays/structures/objects in the program Model main memory
2
08.07.2013
ITI
index terms tI ::= . . . element terms tE ::= . . . | r❡❛❞(tA, tI) array terms tA ::= a | ✇r✐t❡(tA, tI, tE)
2
08.07.2013
ITI
index terms tI ::= . . . element terms tE ::= . . . | r❡❛❞(tA, tI) array terms tA ::= a | ✇r✐t❡(tA, tI, tE) p = r = ⇒
2
08.07.2013
ITI
index terms tI ::= . . . element terms tE ::= . . . | r❡❛❞(tA, tI) array terms tA ::= a | ✇r✐t❡(tA, tI, tE) p = r = ⇒
a write modifies the position written to . . .
2
08.07.2013
ITI
index terms tI ::= . . . element terms tE ::= . . . | r❡❛❞(tA, tI) array terms tA ::= a | ✇r✐t❡(tA, tI, tE) p = r = ⇒
a write modifies the position written to . . . . . . and nothing else
3
08.07.2013
ITI
How to model standard library functions such as ♠❡♠s❡t and ♠❡♠❝♣②? ✈♦✐❞ ✯♠❡♠s❡t✭✈♦✐❞ ✯❞st✱ ✐♥t ❝✱ s✐③❡❴t ♥✮❀ ✈♦✐❞ ✯♠❡♠❝♣②✭✈♦✐❞ ✯❞st✱ ❝♦♥st ✈♦✐❞ ✯sr❝✱ s✐③❡❴t ♥✮❀
3
08.07.2013
ITI
How to model standard library functions such as ♠❡♠s❡t and ♠❡♠❝♣②? ✈♦✐❞ ✯♠❡♠s❡t✭✈♦✐❞ ✯❞st✱ ✐♥t ❝✱ s✐③❡❴t ♥✮❀ ✈♦✐❞ ✯♠❡♠❝♣②✭✈♦✐❞ ✯❞st✱ ❝♦♥st ✈♦✐❞ ✯sr❝✱ s✐③❡❴t ♥✮❀
might not be constant! might not be constant!
4
08.07.2013
ITI
✳✳✳ ♠❡♠❝♣②✭❛✱ ❜✱ ✹✮❀ ✳✳✳
4
08.07.2013
ITI
✳✳✳ ♠❡♠❝♣②✭❛✱ ❜✱ ✹✮❀ ✳✳✳
a1 = ✇r✐t❡(a, 0,r❡❛❞(b, 0))
4
08.07.2013
ITI
✳✳✳ ♠❡♠❝♣②✭❛✱ ❜✱ ✹✮❀ ✳✳✳
a1 = ✇r✐t❡(a, 0,r❡❛❞(b, 0)) a2 = ✇r✐t❡(a1, 1,r❡❛❞(b, 1))
4
08.07.2013
ITI
✳✳✳ ♠❡♠❝♣②✭❛✱ ❜✱ ✹✮❀ ✳✳✳
a1 = ✇r✐t❡(a, 0,r❡❛❞(b, 0)) a2 = ✇r✐t❡(a1, 1,r❡❛❞(b, 1)) a3 = ✇r✐t❡(a2, 2,r❡❛❞(b, 2))
4
08.07.2013
ITI
✳✳✳ ♠❡♠❝♣②✭❛✱ ❜✱ ✹✮❀ ✳✳✳
a1 = ✇r✐t❡(a, 0,r❡❛❞(b, 0)) a2 = ✇r✐t❡(a1, 1,r❡❛❞(b, 1)) a3 = ✇r✐t❡(a2, 2,r❡❛❞(b, 2)) a′ = ✇r✐t❡(a3, 3,r❡❛❞(b, 3))
4
08.07.2013
ITI
✳✳✳ ♠❡♠❝♣②✭❛✱ ❜✱ ✹✮❀ ✳✳✳
a1 = ✇r✐t❡(a, 0,r❡❛❞(b, 0)) a2 = ✇r✐t❡(a1, 1,r❡❛❞(b, 1)) a3 = ✇r✐t❡(a2, 2,r❡❛❞(b, 2)) a′ = ✇r✐t❡(a3, 3,r❡❛❞(b, 3)) Does not scale well for large constants
4
08.07.2013
ITI
✳✳✳ ♠❡♠❝♣②✭❛✱ ❜✱ ♥✮❀ ✳✳✳
4
08.07.2013
ITI
✳✳✳ ♠❡♠❝♣②✭❛✱ ❜✱ ♥✮❀ ✳✳✳
???
4
08.07.2013
ITI
✳✳✳ ♠❡♠❝♣②✭❛✱ ❜✱ ♥✮❀ ✳✳✳
a′ = copy(a, 0, b, 0, n)
4
08.07.2013
ITI
✳✳✳ ♠❡♠❝♣②✭❛✱ ❜✱ ♥✮❀ ✳✳✳
a′ = λi. ITE(0 ≤ i < n, r❡❛❞(b, i), r❡❛❞(a, i))
4
08.07.2013
ITI
✳✳✳ ♠❡♠❝♣②✭❛✱ ❜✱ ♥✮❀ ✳✳✳
a′ = λi. ITE(0 ≤ i < n, r❡❛❞(b, i), r❡❛❞(a, i)) = ⇒ Extend TA by λ-terms that describe arrays
5
08.07.2013
ITI
✳✳✳ ♠❡♠s❡t✭❛✱ ✈✱ ♥✮❀ ✳✳✳
5
08.07.2013
ITI
✳✳✳ ♠❡♠s❡t✭❛✱ ✈✱ ♥✮❀ ✳✳✳
a′ = λi. ITE(0 ≤ i < n, v, r❡❛❞(a, i))
6
08.07.2013
ITI
✐♥t ✐✱ ❥✱ ♥ ❂ ✳✳✳❀ ✐♥t ✯❛ ❂ ♠❛❧❧♦❝✭✷ ✯ ♥ ✯ s✐③❡♦❢✭✐♥t✮✮❀ ❢♦r ✭✐ ❂ ✵❀ ✐ ❁ ♥❀ ✰✰✐✮ ④ ❛❬✐❪ ❂ ✐ ✰ ✶❀ ⑥ ❢♦r ✭❥ ❂ ♥❀ ❥ ❁ ✷ ✯ ♥❀ ✰✰❥✮ ④ ❛❬❥❪ ❂ ✷ ✯ ❥❀ ⑥
6
08.07.2013
ITI
✐♥t ✐✱ ❥✱ ♥ ❂ ✳✳✳❀ ✐♥t ✯❛ ❂ ♠❛❧❧♦❝✭✷ ✯ ♥ ✯ s✐③❡♦❢✭✐♥t✮✮❀ ❢♦r ✭✐ ❂ ✵❀ ✐ ❁ ♥❀ ✰✰✐✮ ④ ❛❬✐❪ ❂ ✐ ✰ ✶❀ ⑥ ❢♦r ✭❥ ❂ ♥❀ ❥ ❁ ✷ ✯ ♥❀ ✰✰❥✮ ④ ❛❬❥❪ ❂ ✷ ✯ ❥❀ ⑥
a′ = λi. ITE(0 ≤ i < n, i + 1, r❡❛❞(a, i))
6
08.07.2013
ITI
✐♥t ✐✱ ❥✱ ♥ ❂ ✳✳✳❀ ✐♥t ✯❛ ❂ ♠❛❧❧♦❝✭✷ ✯ ♥ ✯ s✐③❡♦❢✭✐♥t✮✮❀ ❢♦r ✭✐ ❂ ✵❀ ✐ ❁ ♥❀ ✰✰✐✮ ④ ❛❬✐❪ ❂ ✐ ✰ ✶❀ ⑥ ❢♦r ✭❥ ❂ ♥❀ ❥ ❁ ✷ ✯ ♥❀ ✰✰❥✮ ④ ❛❬❥❪ ❂ ✷ ✯ ❥❀ ⑥
a′ = λi. ITE(0 ≤ i < n, i + 1, r❡❛❞(a, i)) a′′ = λj. ITE(n ≤ j < 2 ∗ n, 2 ∗ j, r❡❛❞(a′, j))
7
08.07.2013
ITI
1 TλA: an extension of TA with λ-terms
7
08.07.2013
ITI
1 TλA: an extension of TA with λ-terms 2 Satisfiability checking for TλA
8
08.07.2013
ITI
index terms tI ::= . . . element terms tE ::= . . . | r❡❛❞(tA, tI) array terms tA ::= a | ✇r✐t❡(tA, tI, tE) p = r = ⇒ r❡❛❞(✇r✐t❡(a, p, v), r) = v ¬(p = r) = ⇒ r❡❛❞(✇r✐t❡(a, p, v), r) = r❡❛❞(a, r)
8
08.07.2013
ITI
index terms tI ::= . . . element terms tE ::= . . . | r❡❛❞(tA, tI) array terms tA ::= a | ✇r✐t❡(tA, tI, tE) | λi. tE p = r = ⇒ r❡❛❞(✇r✐t❡(a, p, v), r) = v ¬(p = r) = ⇒ r❡❛❞(✇r✐t❡(a, p, v), r) = r❡❛❞(a, r)
8
08.07.2013
ITI
index terms tI ::= . . . element terms tE ::= . . . | r❡❛❞(tA, tI) array terms tA ::= a | ✇r✐t❡(tA, tI, tE) | λi. tE p = r = ⇒ r❡❛❞(✇r✐t❡(a, p, v), r) = v ¬(p = r) = ⇒ r❡❛❞(✇r✐t❡(a, p, v), r) = r❡❛❞(a, r)
8
08.07.2013
ITI
index terms tI ::= . . . element terms tE ::= . . . | r❡❛❞(tA, tI) array terms tA ::= a | ✇r✐t❡(tA, tI, tE) | λi. tE p = r = ⇒ r❡❛❞(✇r✐t❡(a, p, v), r) = v ¬(p = r) = ⇒ r❡❛❞(✇r✐t❡(a, p, v), r) = r❡❛❞(a, r)
β-reduction
8
08.07.2013
ITI
index terms tI ::= . . . element terms tE ::= . . . | r❡❛❞(tA, tI) array terms tA ::= a | ✇r✐t❡(tA, tI, tE) | λi. tE p = r = ⇒ r❡❛❞(✇r✐t❡(a, p, v), r) = v ¬(p = r) = ⇒ r❡❛❞(✇r✐t❡(a, p, v), r) = r❡❛❞(a, r)
β-reduction
9
08.07.2013
ITI
Precisely model ♠❡♠s❡t and ♠❡♠❝♣②
9
08.07.2013
ITI
Precisely model ♠❡♠s❡t and ♠❡♠❝♣② Summarize loops
9
08.07.2013
ITI
Precisely model ♠❡♠s❡t and ♠❡♠❝♣② Summarize loops Zero initialization of global variables
9
08.07.2013
ITI
Precisely model ♠❡♠s❡t and ♠❡♠❝♣② Summarize loops Zero initialization of global variables Zero initialization of fresh memory pages
9
08.07.2013
ITI
Precisely model ♠❡♠s❡t and ♠❡♠❝♣② Summarize loops Zero initialization of global variables Zero initialization of fresh memory pages “Havoc” memory regions (volatile variables)
9
08.07.2013
ITI
Precisely model ♠❡♠s❡t and ♠❡♠❝♣② Summarize loops Zero initialization of global variables Zero initialization of fresh memory pages “Havoc” memory regions (volatile variables) Model memory mapped I/O
9
08.07.2013
ITI
Precisely model ♠❡♠s❡t and ♠❡♠❝♣② Summarize loops Zero initialization of global variables Zero initialization of fresh memory pages “Havoc” memory regions (volatile variables) Model memory mapped I/O Attaching metadata to memory regions (allocated, de-allocated, . . . )
10
08.07.2013
ITI
Broadly speaking:
loop iterations do not depend on earlier iterations consecutive iterations update consecutive array locations
10
08.07.2013
ITI
Broadly speaking:
loop iterations do not depend on earlier iterations consecutive iterations update consecutive array locations
More precisely:
Induction variable i is incremented by one in each iteration ith iteration unconditionally updates only a[i] No other variable declared outside the loop is modified ith iteration of the loop may not use elements of a that have been modified in earlier iterations
10
08.07.2013
ITI
Broadly speaking:
loop iterations do not depend on earlier iterations consecutive iterations update consecutive array locations
More precisely:
Induction variable i is incremented by one in each iteration ith iteration unconditionally updates only a[i] No other variable declared outside the loop is modified ith iteration of the loop may not use elements of a that have been modified in earlier iterations
Loops can often be automatically transformed into loops that satisfy these requirements
11
08.07.2013
ITI
Based on reductions to theories supported by SMT-solvers
11
08.07.2013
ITI
Based on reductions to theories supported by SMT-solvers One quantifier-based approach
11
08.07.2013
ITI
Based on reductions to theories supported by SMT-solvers One quantifier-based approach Two quantifier-free approaches
Eager reduction Instantiation-based approach
12
08.07.2013
ITI
Replace λi. s by a fresh constant as
12
08.07.2013
ITI
Replace λi. s by a fresh constant as Add the constraint ∀r. r❡❛❞(as, r) = s[i/r] to the formula
12
08.07.2013
ITI
Replace λi. s by a fresh constant as Add the constraint ∀r. r❡❛❞(as, r) = s[i/r] to the formula Requires an SMT-solver that supports quantifiers
12
08.07.2013
ITI
Replace λi. s by a fresh constant as Add the constraint ∀r. r❡❛❞(as, r) = s[i/r] to the formula Requires an SMT-solver that supports quantifiers Does not provide a decision procedure in general
13
08.07.2013
ITI
Replace
by ITE(p = r, v, r❡❛❞(a, r))
13
08.07.2013
ITI
Replace
by ITE(p = r, v, r❡❛❞(a, r)) Replace
by s[i/r]
13
08.07.2013
ITI
Replace
by ITE(p = r, v, r❡❛❞(a, r)) Replace
by s[i/r] TλA axioms are applied eagerly
13
08.07.2013
ITI
Replace
by ITE(p = r, v, r❡❛❞(a, r)) Replace
by s[i/r] TλA axioms are applied eagerly Can be used in combination with any solver that supports TA and the index and element theories
14
08.07.2013
ITI
Replace λi. s by a fresh constant as
14
08.07.2013
ITI
Replace λi. s by a fresh constant as Add needed instantiations of ∀r. r❡❛❞(as, r) = s[i/r] to the formula
14
08.07.2013
ITI
Replace λi. s by a fresh constant as Add needed instantiations of ∀r. r❡❛❞(as, r) = s[i/r] to the formula Needed instantiations are determined by r❡❛❞s that “depend” on as
14
08.07.2013
ITI
Replace λi. s by a fresh constant as Add needed instantiations of ∀r. r❡❛❞(as, r) = s[i/r] to the formula Needed instantiations are determined by r❡❛❞s that “depend” on as Can be used in combination with any solver that supports TA and the index and element theories
15
08.07.2013
ITI
Done in the software bounded model checker ▲▲❇▼❈
15
08.07.2013
ITI
Done in the software bounded model checker ▲▲❇▼❈ Uses bitvectors as index and element theories
15
08.07.2013
ITI
Done in the software bounded model checker ▲▲❇▼❈ Uses bitvectors as index and element theories Applied on 81 benchmark programs
67 programs produce λ-terms obtained from ♠❡♠s❡t or ♠❡♠❝♣② 14 program contain loops that can be summarized using λ-terms
15
08.07.2013
ITI
Done in the software bounded model checker ▲▲❇▼❈ Uses bitvectors as index and element theories Applied on 81 benchmark programs
67 programs produce λ-terms obtained from ♠❡♠s❡t or ♠❡♠❝♣② 14 program contain loops that can be summarized using λ-terms
Of the resulting formulas, 20 are satisfiable and 61 are unsatisfiable
15
08.07.2013
ITI
Done in the software bounded model checker ▲▲❇▼❈ Uses bitvectors as index and element theories Applied on 81 benchmark programs
67 programs produce λ-terms obtained from ♠❡♠s❡t or ♠❡♠❝♣② 14 program contain loops that can be summarized using λ-terms
Of the resulting formulas, 20 are satisfiable and 61 are unsatisfiable Evaluated three reductions and loop unrolling
Quantifier-based approach using ❩✸ and ❈❱❈✹ Eager reduction and instantiation-based approach using ❙❚P,
Loop unrolling approach using ❙❚P, ❇♦♦❧❡❝t♦r, ❩✸, and ❈❱❈✹
16
08.07.2013
ITI
SMT solver Approach Total Time # Solved Formulas # Timeouts # Aborts
❙❚P
Instantiation 206.034 80 1 –
❙❚P
Eager 779.544 70 11 –
❙❚P
Loops 670.526 70 6 5
❇♦♦❧❡❝t♦r
Instantiation 818.782 71 10 –
❇♦♦❧❡❝t♦r
Eager 986.751 70 11 –
❇♦♦❧❡❝t♦r
Loops 1139.483 61 15 5
❩✸
Instantiation 948.365 67 13 1
❩✸
Eager 1043.632 66 15 –
❩✸
Quantifiers 1122.489 65 16 –
❩✸
Loops 1619.583 53 23 5
❈❱❈✹
Instantiation 928.079 67 14 –
❈❱❈✹
Eager 1119.748 65 16 –
❈❱❈✹
Quantifiers 1407.118 54 21 6
❈❱❈✹
Loops 1552.698 56 19 6
17
08.07.2013
ITI
10 20 30 40 50 60 10 20 30 40 50 60 70 80 Instantiation (STP) Eager (STP) Loops (STP) Quantifiers (Z3)
18
08.07.2013
ITI
18
08.07.2013
ITI
summarizable loops
18
08.07.2013
ITI
summarizable loops
Quantifier-free reductions perform better than ❩✸’s and ❈❱❈✹’s reasoning involving quantifiers
18
08.07.2013
ITI
summarizable loops
Quantifier-free reductions perform better than ❩✸’s and ❈❱❈✹’s reasoning involving quantifiers Integration into an SMT-solver using “Lemmas-on-demand”/“lazy instantiation” is the next step
19
08.07.2013
ITI