SLIDE 1
On Using a Black-Box Floating-Point Simplex for Generating Proof Witnesses
Frédéric Besson, Inria Rennes - Bretagne Atlantique
SLIDE 2
Approaches for Mobile Code Security
◮ Reputation-based security
◮ Digital signature
◮ AppStore
SLIDE 3
Proof Carrying Code (PCC)
Producer
◮ Annotate the program P with invariant I
◮ Generate the verification condition VC ≡ VcGen(I, P) ⇒ I ∧ I ⇒ Sec
◮ Generate proof witnesses W for the verification condition such that CheckProof(VC, W) = true ⇒ valid(VC)
Consumer
◮ Receive (P, (I, W))
◮ Regenerate the verification condition VcGen(I, P)
◮ Verify that CheckProof(VcGen(I, P), W) returns true
SLIDE 4
Proof Carrying Code (à la mode de bretagne)
◮ Automatic inference of program invariants ⇒ static analysis
◮ Trustworthy VcGen ⇒ proved correct in Coq w.r.t. program semantics
◮ Trustworthy proof checker ⇒ proved correct in Coq
◮ Efficient proof-generating decision procedure ⇒ for Linear Real Arithmetic, use a floating-point Simplex
SLIDE 5
Floating-point Simplex vs rational arithmetic Simplex
             float      gmp
memory       64 bits    ???
speed        O(1)       ???
accuracy     99%        100%
soundness    ???        yes

How to get a sound result in 99% of the cases?
Theory     Proof witnesses for LRA and linear programming
Practice   Witness reconstruction from approximate solution
Implem     Conjunctive benchmarks
More       Compliance with SMT solver interface
SLIDE 6
Linear Real Arithmetic
a1x1 + · · · + anxn ⋈ b
◮ a1, . . . , an and b are rational constants;
◮ x1, . . . , xn are real variables;
◮ ⋈ ∈ {=, ≤, <}
What is a proof of non satisfiability?
A · x ≤ a    B · x < b    C · x = c
SLIDE 7
Proof-witnesses for Linear Real Arithmetic
Lemma (Farkas' Lemma (Variant))
∃x, A · x ≤ a if and only if ∀y, y ≥ 0 ∧ Aᵗ · y = 0 ⇒ aᵗ · y ≥ 0
SLIDE 8
Proof-witnesses for Linear Real Arithmetic
Lemma (Farkas' Lemma (Variant))
∃x, A · x ≤ a if and only if ∀y, y ≥ 0 ∧ Aᵗ · y = 0 ⇒ aᵗ · y ≥ 0
Example
      (2x + y) ≤ 1
     (−x − y) ≤ −2
          (y) ≤ 1
Scale each row by a non-negative multiplier and add the rows up:
  1 · (2x + y) ≤ 1 · 1
+ 2 · (−x − y) ≤ 2 · −2
+ 1 · (y)      ≤ 1 · 1
-----------------------
             0 ≤ −2
(1, 2, 1) is a witness of non satisfiability
SLIDE 12
About strict inequalities
A floating-point Simplex does not handle strict inequalities. Previous approaches:
◮ Relax strict inequalities
      x = 0 ∧ x < 0      unsat
      x = 0 ∧ x ≤ 0      sat
◮ Strengthen strict inequalities, e.g. subtract 10⁻⁵
      x ≥ 0 ∧ x < 10⁻⁵/2       sat
      x ≥ 0 ∧ x ≤ −10⁻⁵/2      unsat
SLIDE 13
Motzkin’s transposition theorem
∃x, A · x < a ∧ B · x ≤ b if and only if
    y ≥ 0 ∧ z ≥ 0 ⇒ ( Aᵗ · y + Bᵗ · z = 0 ⇒ aᵗ · y + bᵗ · z ≥ 0 )
                   ∧ ( Aᵗ · y + Bᵗ · z = 0 ∧ ¬(y = 0) ⇒ aᵗ · y + bᵗ · z > 0 )
SLIDE 14
Witnesses for strict inequalities
Definition (Witness)
A triple of vectors (y, z, t) is a witness that A · x < a, B · x ≤ b, C · x = c is unsatisfiable if the following conditions hold:
  i)   y ≥ 0, z ≥ 0
  ii)  Aᵗ · y + Bᵗ · z + Cᵗ · t = 0
  iii) aᵗ · y + bᵗ · z + cᵗ · t < 0  or  ¬(y = 0) ∧ aᵗ · y + bᵗ · z + cᵗ · t ≤ 0
How to obtain a witness? Linear programming?
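The witness conditions i) to iii) as an exact checker with rational arithmetic, run on the (2x + y, −x − y, y) example of the Farkas slides and on the x = 0 ∧ x < 0 system of the strict-inequalities slide. This is an added Python example, not the slides' Coq checker; `check_witness` and the example names are mine.

```python
from fractions import Fraction

def check_witness(n, A, a, B, b, C, c, y, z, t):
    """Exact check of the witness conditions for  A.x < a,  B.x <= b,  C.x = c
    over n real variables.  Returns True iff (y, z, t) proves the system unsatisfiable."""
    y, z, t = ([Fraction(v) for v in vec] for vec in (y, z, t))
    # i) multipliers of the inequalities are non-negative
    if any(v < 0 for v in y + z):
        return False
    # ii) A^t.y + B^t.z + C^t.t = 0 : every variable cancels in the combination
    for j in range(n):
        col = (sum(A[i][j] * y[i] for i in range(len(A)))
               + sum(B[i][j] * z[i] for i in range(len(B)))
               + sum(C[i][j] * t[i] for i in range(len(C))))
        if col != 0:
            return False
    # iii) the combined right-hand side is < 0, or <= 0 when a strict row is actually used
    rhs = (sum(a[i] * y[i] for i in range(len(a)))
           + sum(b[i] * z[i] for i in range(len(b)))
           + sum(c[i] * t[i] for i in range(len(c))))
    return rhs < 0 or (any(v != 0 for v in y) and rhs <= 0)

# The slides' example: 2x + y <= 1, -x - y <= -2, y <= 1 ; multipliers (1, 2, 1) give 0 <= -2.
B_EX, b_EX = [[2, 1], [-1, -1], [0, 1]], [1, -2, 1]

def slide_example():
    return check_witness(2, [], [], B_EX, b_EX, [], [], [], [1, 2, 1], [])

# Strict case from the relaxation slide: x = 0 and x < 0 is unsat.  y = (1), t = (-1) gives
# 1*x + (-1)*x = 0 and 1*0 + (-1)*0 = 0 <= 0 with y != 0, so it is a witness.
def strict_example():
    return check_witness(1, [[1]], [0], [], [], [[1]], [0], [1], [], [-1])

# Relaxed to x = 0 and x <= 0 (satisfiable by x = 0): the same multipliers are no witness.
def relaxed_example():
    return check_witness(1, [], [], [[1]], [0], [[1]], [0], [], [1], [-1])
```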
SLIDE 17
Linear programming
max{cᵗ · x | A · x = 0, l ≤ x ≤ u}
The Simplex solves linear programs:
◮ No solution ⇒ unsatisfiable;
◮ An optimal solution ⇒ x such that cᵗ · x is optimal;
◮ Solutions but none is optimal ⇒ unbounded.
SLIDE 18
Witness Linear Program (wlp)
wlp(A, a, B, b, C, c) = max { 0ᵗ · (y/z/t) |
    (a)  Aᵗ · y + Bᵗ · z + Cᵗ · t = 0
    (b)  u + aᵗ · y + bᵗ · z + cᵗ · t = 0
    (c)  v − u − 1ᵗ · y = 0
    (d)  0 ≤ y ≤ +∞
    (e)  0 ≤ z ≤ +∞
    (f)  −∞ ≤ t ≤ +∞
    (g)  0 ≤ u ≤ +∞
    (h)  1 ≤ v ≤ +∞ }
Lemma (Soundness of wlp)
If wlp(A, a, B, b, C, c) has optimal (y/z/t/u/v) then wit(A, a, B, b, C, c, (y, z, t)) holds.
Lemma (Completeness of wlp)
If wit(A, a, B, b, C, c, (y, z, t)) then there exists α > 0, u and v such that wlp(A, a, B, b, C, c) has optimal α · (y/z/t/u/v).
SLIDE 19
From untrusted oracles to proof witnesses
Require: A · x < a, B · x ≤ b, C · x = c
1: lp ← wlp(A, a, B, b, C, c) = max{0 | M · y = 0, l ≤ y ≤ u}
2: InexactSimplex(lp)
3: if status(lp) = not feasible then return probably sat
4: if status(lp) = error then return unknown
5: if status(lp) = optimal(x) then return probably unsat
In practice, an inexact Simplex is very accurate:
◮ x is very close to a witness
◮ x is usually not a witness
⇒ optimistic witness reconstruction.
SLIDE 20
Witness reconstruction
Require: A · x < a, B · x ≤ b, C · x = c
1: lp ← wlp(A, a, B, b, C, c) = max{0 | M · y = 0, l ≤ y ≤ u}
2: M ← ConstraintMatrix(lp)
3: Simplex(lp)
4: if status(lp) = not feasible then return probably sat
5: if status(lp) = error then return unknown
6: {status(lp) == optimal}
7: r ← Solution(lp)
8: rᵢ ← rᵢ if lᵢ ≤ rᵢ ≤ uᵢ ; lᵢ if lᵢ = −∞ ; uᵢ otherwise
9: M′ᵢ,ⱼ ← Mᵢ,ⱼ if rⱼ = 0 ; … otherwise
10: U ← LU(M′)
11: w ← BS(U, r)
12: if l ≤ w ≤ u then return definitively unsat by(w)
13: return maybe unsat
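The witness LP and the reconstruction step as an added Python example (not the slides' implementation; `wlp`, `rref` and `reconstruct` are my names): `wlp` builds the rows (a) to (c) and the bounds of the witness LP over the vector (y/z/t/u/v), and `reconstruct` clamps the float solution into its bounds (step 8), then, instead of the LU/BS of steps 9 to 11, row-reduces M exactly, snaps the free variables to a rational near their float value, back-substitutes the pivot variables, and accepts w only if M · w = 0 and l ≤ w ≤ u (step 12).

```python
from fractions import Fraction

INF = float("inf")

def wlp(n, A, a, B, b, C, c):
    """Rows and bounds of the witness LP over (y/z/t/u/v) for A.x < a, B.x <= b, C.x = c in n variables."""
    ny, nz, nt = len(A), len(B), len(C)
    rows = [[A[i][j] for i in range(ny)] + [B[i][j] for i in range(nz)]
            + [C[i][j] for i in range(nt)] + [0, 0] for j in range(n)]  # (a) A^t y + B^t z + C^t t = 0
    rows.append(list(a) + list(b) + list(c) + [1, 0])                     # (b) u + a^t y + b^t z + c^t t = 0
    rows.append([-1] * ny + [0] * (nz + nt) + [-1, 1])                    # (c) v - u - 1^t y = 0
    lo = [0] * (ny + nz) + [-INF] * nt + [0, 1]                            # y, z, u >= 0 ; t free ; v >= 1
    return rows, lo, [INF] * (ny + nz + nt + 2)

def rref(rows):
    """Exact reduced row echelon form over the rationals; returns (R, pivot columns)."""
    R, piv, r = [[Fraction(v) for v in row] for row in rows], [], 0
    for c in range(len(R[0])):
        p = next((i for i in range(r, len(R)) if R[i][c] != 0), None)
        if p is None:
            continue
        R[r], R[p] = R[p], R[r]
        R[r] = [v / R[r][c] for v in R[r]]  # R[r][c] is still the old pivot while the new row is built
        for i in range(len(R)):
            if i != r and R[i][c] != 0:
                R[i] = [u - R[i][c] * v for u, v in zip(R[i], R[r])]
        piv.append(c)
        r += 1
    return R, piv

def reconstruct(rows, lo, hi, r, max_den=10**6):
    """Exact w with rows.w = 0 and lo <= w <= hi, rebuilt from an approximate float solution r."""
    # Free columns get a rational near the clamped float value; pivot columns are back-substituted.
    n = len(r)
    r = [min(max(v, lo[j]), hi[j]) for j, v in enumerate(r)]  # step 8: clamp into the bounds
    R, piv = rref(rows)
    free = [j for j in range(n) if j not in piv]
    w = [Fraction(0)] * n
    for j in free:
        w[j] = Fraction(r[j]).limit_denominator(max_den)
    for i, c in enumerate(piv):
        w[c] = -sum((R[i][j] * w[j] for j in free), Fraction(0))
    exact = all(sum(row[j] * w[j] for j in range(n)) == 0 for row in rows)  # M . w = 0
    inside = all(lo[j] <= w[j] <= hi[j] for j in range(n))                  # step 12: l <= w <= u
    return w if exact and inside else None

# Constructed example: the slides' 2x + y <= 1, -x - y <= -2, y <= 1 (all non-strict) and a made-up
# float solution as an inexact Simplex might return it (v = 0.99999998 sits just below its bound 1).
ROWS, LO, HI = wlp(2, [], [], [[2, 1], [-1, -1], [0, 1]], [1, -2, 1], [], [])
W = reconstruct(ROWS, LO, HI, [0.49999999, 1.0000001, 0.50000002, 0.99999999, 0.99999998])
```

W comes back as the exact vector (1/2, 1, 1/2, 1, 1), i.e. z = (1, 2, 1)/2 with u = v = 1, which is the slides' witness scaled so that the v ≥ 1 row holds.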
SLIDE 21
Experiments (1/2)
Unsatisfiable conjunctions obtained from SMT problems
[Plot: cumulative time (s) against number of benchmarks, for MathSat, Z3, Fps and Yices]
SLIDE 22
Experiments (2/2)
Conjunctive random dense benchmarks
[Plot: cumulative time (s, log scale) against number of benchmarks, for MathSat, Z3, Fps and Yices]
SLIDE 23
Integration into SMT solvers (1/2)
SAT(CC + LRA + . . . )
◮ Correctness ⇒ guaranteed by proof witnesses
◮ Conflict clauses ⇒ by-product of the witness
◮ Theory propagation ⇒ by-product of the witness
  1 · (2x + y) ≤ 1 · 1
+ 2 · (−x − y) ≤ 2 · −2
+ 1 · (y)      ≤ 1 · 1
+ 0 · (2y + z) ≤ 0 · 1
-----------------------
             0 ≤ −2
The constraint with multiplier 0 plays no part in the contradiction: the conflict clause is built from the three constraints with non-zero multipliers.
SLIDE 24
Integration into an SMT solver (2/2)
Incremental updates
  α · (2x + y) ≤ α · 1      α ≥ 0
+ β · (−x − y) ≤ β · −2     β ≥ 0
+ γ · (y)      ≤ γ · 1      γ ≥ 0
----------------------------------
               ≤ −1
Removal of (2x + y) ≤ 1: update bound condition α = 0 ⇒ Simplex ready for re-optimisation
Re-addition of (2x + y) ≤ 1: re-establish bound condition α ≥ 0 ⇒ Simplex ready for re-optimisation
Addition of (2y + z) ≤ 1: modify the constraint matrix ⇒ Simplex must reconstruct an initial basis
SLIDE 25
Related Work
◮ A Fast Linear-Arithmetic Solver for DPLL(T) [Dutertre, de Moura, CAV'06]
◮ SAT Modulo the Theory of Linear Arithmetic: Exact, Inexact and Commercial Solvers [Faure, Nieuwenhuis, Oliveras, Rodriguez-Carbonell, SAT'08]
◮ On Using Floating-Point Computations to Help an Exact Linear Arithmetic Decision Procedure [Monniaux, CAV'09]