On Using a Black-Box Floating-Point Simplex for Generating Proof - PowerPoint PPT Presentation

  1. On Using a Black-Box Floating-Point Simplex for Generating Proof Witnesses
  Frédéric Besson, Inria Rennes - Bretagne Atlantique

  2. Approaches for Mobile Code Security
  Reputation-based security
  ◮ Digital signature
  ◮ AppStore
  Semantics-based security
  ◮ Java Byte-Code Verification (StackMaps)
  ◮ Proof-Carrying Code [Necula'97]: $\mathrm{check}(P, W) = \mathrm{true} \Rightarrow P \models \mathrm{Sec}$
  $W$ is a proof witness that $P$ verifies the security policy

  3. Proof Carrying Code (PCC)
  Producer
  ◮ Annotate the program $P$ with invariant $I$
  ◮ Generate the verification condition $VC \equiv \mathrm{VcGen}(I, P) \Rightarrow I \wedge I \Rightarrow \mathrm{Sec}$
  ◮ Generate proof witnesses $W$ for the verification condition such that $\mathrm{CheckProof}(VC, W) = \mathrm{true} \Rightarrow \mathrm{valid}(VC)$
  Consumer
  ◮ Receive $(P, (I, W))$
  ◮ Regenerate the verification condition $\mathrm{VcGen}(I, P)$
  ◮ Verify that $\mathrm{CheckProof}(\mathrm{VcGen}(I, P))$ returns true

  4. Proof-Carrying Code (à la mode de Bretagne)
  ◮ Automatic inference of program invariants ⇒ static analysis
  ◮ Trustworthy VcGen ⇒ proved correct in Coq w.r.t. program semantics
  ◮ Trustworthy proof checker ⇒ proved correct in Coq
  ◮ Efficient proof-generating decision procedure ⇒ for Linear Real Arithmetic, use a floating-point Simplex

  5. Floating-point Simplex vs rational arithmetic
  Simplex      float     gmp
  memory       64 bits   ???
  speed        O(1)      ???
  accuracy     99%       100%
  soundness    ???       yes
  How to get a sound result in 99% of the cases?
  Theory     Proof witnesses for LRA and linear programming
  Practice   Witness reconstruction from approximate solution
  Implem     Conjunctive benchmarks
  More       Compliance with SMT solver interface

  6. Linear Real Arithmetic
  $a_1 x_1 + \cdots + a_n x_n \bowtie b$
  ◮ $a_1, \ldots, a_n$ and $b$ are rational constants;
  ◮ $x_1, \ldots, x_n$ are real variables;
  ◮ $\bowtie \in \{=, \le, <\}$
  What is a proof of non-satisfiability?
  $A \cdot x \le a$, $B \cdot x < b$, $C \cdot x = c$

  7. Proof-witnesses for Linear Real Arithmetic
  Lemma (Farkas' Lemma (Variant)). $\exists x,\ A \cdot x \le a$ if and only if $\forall y,\ y \ge 0 \wedge A^t \cdot y = 0 \Rightarrow a^t \cdot y \ge 0$

  8. Proof-witnesses for Linear Real Arithmetic
  (Lemma as on slide 7.) Example:
  $(2x + y) \le 1$
  $(-x - y) \le -2$
  $(y) \le 1$

  9. Proof-witnesses for Linear Real Arithmetic
  (Lemma as on slide 7.) Example, with multipliers:
  $1 \cdot (2x + y) \le 1 \cdot 1$
  $2 \cdot (-x - y) \le 2 \cdot (-2)$
  $1 \cdot (y) \le 1 \cdot 1$

  10. Proof-witnesses for Linear Real Arithmetic
  (Lemma as on slide 7.) Example, summing the scaled constraints:
  $1 \cdot (2x + y) \le 1 \cdot 1$
  $+\ 2 \cdot (-x - y) \le 2 \cdot (-2)$
  $+\ 1 \cdot (y) \le 1 \cdot 1$

  11. Proof-witnesses for Linear Real Arithmetic
  (Lemma as on slide 7.) Example:
  $1 \cdot (2x + y) \le 1 \cdot 1$
  $+\ 2 \cdot (-x - y) \le 2 \cdot (-2)$
  $+\ 1 \cdot (y) \le 1 \cdot 1$
  $0 \le -2$
  $(1, 2, 1)$ is a witness of non-satisfiability

  12. About strict inequalities
  A floating-point Simplex does not handle strict inequalities. Previous approaches:
  ◮ Relax strict inequalities: $x = 0 \wedge x < 0$ (unsat) becomes $x = 0 \wedge x \le 0$ (sat)
  ◮ Strengthen strict inequalities, e.g. subtract $10^{-5}$: $x \ge 0 \wedge x < 10^{-5}/2$ (sat) becomes $x \ge 0 \wedge x \le -10^{-5}/2$ (unsat)

  13. Motzkin's transposition theorem
  $\exists x,\ A \cdot x < a \wedge B \cdot x \le b$ if and only if, for all $y \ge 0$ and $z \ge 0$:
  $(A^t \cdot y + B^t \cdot z = 0 \Rightarrow a^t \cdot y + b^t \cdot z \ge 0)$
  $\wedge\ (A^t \cdot y + B^t \cdot z = 0 \wedge \neg(y = 0) \Rightarrow a^t \cdot y + b^t \cdot z > 0)$

  14. Witnesses for strict inequalities
  Definition (Witness). A triple of vectors $(y, z, t)$ is a witness that $A \cdot x < a$, $B \cdot x \le b$, $C \cdot x = c$ is unsatisfiable if the following conditions hold:
  i) $y \ge 0$, $z \ge 0$
  ii) $A^t \cdot y + B^t \cdot z + C^t \cdot t = 0$
  iii) $a^t \cdot y + b^t \cdot z + c^t \cdot t < 0$ or $\neg(y = 0) \wedge a^t \cdot y + b^t \cdot z + c^t \cdot t \le 0$

  15. Witnesses for strict inequalities
  (Definition as on slide 14.) How to obtain a witness?

  16. Witnesses for strict inequalities
  (Definition as on slide 14.) How to obtain a witness? Linear programming?

  17. Linear programming
  $\max\{\, c^t \cdot x \mid A \cdot x = 0,\ l \le x \le u \,\}$
  The Simplex solves linear programs:
  ◮ No solution ⇒ unsatisfiable;
  ◮ An optimal solution ⇒ $x$ such that $c^t \cdot x$ is optimal;
  ◮ Solutions but none is optimal ⇒ unbounded.

  18. Witness Linear Program (wlp)
  $\mathrm{wlp}(A, a, B, b, C, c) = \max\{\, 0^t \cdot (y/z/t) \mid$
  (a) $A^t \cdot y + B^t \cdot z + C^t \cdot t = 0$
  (b) $u + a^t \cdot y + b^t \cdot z + c^t \cdot t = 0$
  (c) $v - u - 1^t \cdot y = 0$
  (d) $0 \le y \le +\infty$
  (e) $0 \le z \le +\infty$
  (f) $-\infty \le t \le +\infty$
  (g) $0 \le u \le +\infty$
  (h) $1 \le v \le +\infty \,\}$
  Lemma (Soundness of wlp). If $\mathrm{wlp}(A, a, B, b, C, c)$ has optimal $(y/z/t/u/v)$ then $\mathrm{wit}(A, a, B, b, C, c, (y, z, t))$ holds.
  Lemma (Completeness of wlp). If $\mathrm{wit}(A, a, B, b, C, c, (y, z, t))$ then there exists $\alpha > 0$, $u$ and $v$ such that $\mathrm{wlp}(A, a, B, b, C, c)$ has optimal $\alpha \cdot (y/z/t/u/v)$.

  19. From untrusted oracles to proof witnesses
  Require: $A \cdot x < a$, $B \cdot x \le b$, $C \cdot x = c$
  1: $lp \leftarrow \mathrm{wlp}(A, a, B, b, C, c) = \max\{\, 0 \mid M \cdot y = 0,\ l \le y \le u \,\}$
  2: InexactSimplex($lp$)
  3: if status($lp$) = not feasible then return probably sat
  4: if status($lp$) = error then return unknown
  5: if status($lp$) = optimal($x$) then return probably unsat
  In practice, inexact Simplex implementations are very accurate:
  ◮ $x$ is very close to a witness
  ◮ $x$ is usually not a witness ⇒ optimistic witness reconstruction.

  20. Witness reconstruction
  Require: $A \cdot x < a$, $B \cdot x \le b$, $C \cdot x = c$
  1: $lp \leftarrow \mathrm{wlp}(A, a, B, b, C, c) = \max\{\, 0 \mid M \cdot y = 0,\ l \le y \le u \,\}$
  2: $M \leftarrow \mathrm{ConstraintMatrix}(lp)$
  3: Simplex($lp$)
  4: if status($lp$) = not feasible then return probably sat
  5: if status($lp$) = error then return unknown
  6: { status($lp$) == optimal }
  7: $r \leftarrow \mathrm{Solution}(lp)$
  8: $r_i \leftarrow r_i$ if $l_i \le r_i \le u_i$; $l_i$ if $l_i \ne -\infty$; $u_i$ otherwise
  9: $M'_{i,j} \leftarrow M_{i,j}$ if $r_j \ne 0$; $0$ otherwise
  10: $U \leftarrow \mathrm{LU}(M')$
  11: $w \leftarrow \mathrm{BS}(U, r)$
  12: if $l \le w \le u$ then return definitively unsat by ($w$)
  13: return maybe unsat
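The witness check of slide 14 (conditions i-iii, which also covers the Farkas example of slides 7-11), the optimistic reconstruction of slides 19-20, and the conflict-clause extraction of slide 23 are brought together in the following added example. It is not code from the slides or from the veriT prover: all names (is_witness, reconstruct, conflict_core, nullspace, the two example problems and the "inexact Simplex" outputs they are fed) are constructed for this illustration. It simplifies the slide-20 algorithm in one respect, which is stated in the code: instead of snapping out-of-bound entries to their bounds and running LU plus back-substitution on the zeroed matrix, it keeps the support of the floating-point solution, solves condition (ii) exactly on that support by rational Gauss-Jordan elimination, and accepts the candidate only if the exact check passes, so a wrong floating-point answer can never be promoted to a proof.

```python
from fractions import Fraction
from typing import List, Optional, Sequence, Tuple

Vec = List[Fraction]
Mat = List[List[Fraction]]


def fr_matrix(rows: Sequence[Sequence]) -> Mat:
    return [[Fraction(v) for v in row] for row in rows]


def fr_vector(values: Sequence) -> Vec:
    return [Fraction(v) for v in values]


def transpose_times(M: Mat, v: Vec, nvars: int) -> Vec:
    """M^t . v for an (m x nvars) matrix M and a length-m vector v; m may be 0."""
    return [sum((M[i][j] * v[i] for i in range(len(M))), Fraction(0)) for j in range(nvars)]


def dot(u: Vec, v: Vec) -> Fraction:
    return sum((p * q for p, q in zip(u, v)), Fraction(0))


def is_witness(A, a, B, b, C, c, y, z, t, nvars) -> bool:
    """Conditions i-iii of the witness definition (slide 14), in exact rational arithmetic."""
    if any(v < 0 for v in y) or any(v < 0 for v in z):            # i)  y >= 0, z >= 0
        return False
    lhs = [p + q + r for p, q, r in zip(transpose_times(A, y, nvars),
                                         transpose_times(B, z, nvars),
                                         transpose_times(C, t, nvars))]
    if any(v != 0 for v in lhs):                                    # ii) A^t y + B^t z + C^t t = 0
        return False
    rhs = dot(a, y) + dot(b, z) + dot(c, t)
    return rhs < 0 or (any(v != 0 for v in y) and rhs <= 0)        # iii)


def nullspace(M: Mat, ncols: int) -> List[Vec]:
    """Basis of {w | M . w = 0}, by exact Gauss-Jordan elimination over Fractions."""
    R = [row[:] for row in M]
    pivots: List[int] = []
    r = 0
    for col in range(ncols):
        if r == len(R):
            break
        piv = next((i for i in range(r, len(R)) if R[i][col] != 0), None)
        if piv is None:
            continue
        R[r], R[piv] = R[piv], R[r]
        p = R[r][col]
        R[r] = [v / p for v in R[r]]
        for i in range(len(R)):
            if i != r and R[i][col] != 0:
                f = R[i][col]
                R[i] = [vi - f * vr for vi, vr in zip(R[i], R[r])]
        pivots.append(col)
        r += 1
    basis = []
    for free in (j for j in range(ncols) if j not in pivots):
        w = [Fraction(0)] * ncols
        w[free] = Fraction(1)
        for i, pc in enumerate(pivots):
            w[pc] = -R[i][free]
        basis.append(w)
    return basis


def reconstruct(A, a, B, b, C, c, y_f, z_f, t_f, nvars, eps=1e-6) -> Optional[Tuple[Vec, Vec, Vec]]:
    """Optimistic reconstruction in the spirit of slide 20 (simplified, see lead-in): entries of
    the inexact solution below eps are snapped to 0, which fixes the support; condition (ii) is
    then solved exactly on that support, and a candidate is returned only if is_witness holds."""
    approx = list(y_f) + list(z_f) + list(t_f)
    support = [j for j, v in enumerate(approx) if abs(v) > eps]
    if not support:
        return None
    # One row per variable, one column per multiplier: the matrix of condition (ii).
    full = [[A[i][j] for i in range(len(A))] + [B[i][j] for i in range(len(B))]
            + [C[i][j] for i in range(len(C))] for j in range(nvars)]
    restricted = [[row[j] for j in support] for row in full]
    ny, nz = len(y_f), len(z_f)
    for basis_vec in nullspace(restricted, len(support)):
        for sign in (1, -1):                       # the nullspace fixes w only up to scale
            w = [Fraction(0)] * len(approx)
            for k, j in enumerate(support):
                w[j] = sign * basis_vec[k]
            y, z, t = w[:ny], w[ny:ny + nz], w[ny + nz:]
            if is_witness(A, a, B, b, C, c, y, z, t, nvars):
                return y, z, t
    return None


def conflict_core(y, z, t):
    """Constraints with a non-zero multiplier: the conflict clause of slide 23
    (a constraint scaled by 0, like 0 . (2y + z) <= 0 . 1, is not part of it)."""
    return tuple([i for i, v in enumerate(vec) if v != 0] for vec in (y, z, t))


def slide_example():
    """Constructed from slides 8-11: 2x + y <= 1, -x - y <= -2, y <= 1 (no strict rows, no equalities)."""
    return [], [], fr_matrix([[2, 1], [-1, -1], [0, 1]]), fr_vector([1, -2, 1]), [], [], 2


def strict_example():
    """Constructed from slide 12: x = 0 /\\ x < 0 (strict row x < 0, equality row x = 0)."""
    return fr_matrix([[1]]), fr_vector([0]), [], [], fr_matrix([[1]]), fr_vector([0]), 1


if __name__ == "__main__":
    A, a, B, b, C, c, n = slide_example()
    # Constructed "inexact Simplex" output: near (1, 2, 1) up to scale, but not exact.
    print(reconstruct(A, a, B, b, C, c, [], [0.3333334, 0.6666667, 0.3333333], [], n))
    A, a, B, b, C, c, n = strict_example()
    print(reconstruct(A, a, B, b, C, c, [1.0000001], [], [-0.9999999], n))
```

For the slide example the reconstruction returns the exact multipliers (1, 2, 1); for slide 12's $x = 0 \wedge x < 0$ it returns $y = 1$, $t = -1$, which is accepted through the second branch of condition iii (the combination sums to $0 \le 0$ with a non-zero strict multiplier), exactly the case that relaxing the strict inequality would lose.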

  21. Experiments (1/2)
  Unsatisfiable conjunctions obtained from SMT problems
  [Plot: cumulative time (s), 0 to 1800, against number of benchmarks, 0 to 6000; one curve each for MathSat, Z3, Fps and Yices]

  22. Experiments (2/2)
  Conjunctive random dense benchmarks
  [Plot, logarithmic time axis: cumulative time (s), 0.01 to 100000, against number of benchmarks, 0 to 200; one curve each for MathSat, Z3, Fps and Yices]

  23. Integration into SMT solvers (1/2)
  SAT(CC + LRA + ...)
  ◮ Correctness ⇒ guaranteed by proof witnesses
  ◮ Conflict clauses ⇒ by-product of the witness
  ◮ Theory propagation ⇒ by-product of the witness
  $1 \cdot (2x + y) \le 1 \cdot 1$
  $+\ 2 \cdot (-x - y) \le 2 \cdot (-2)$
  $+\ 1 \cdot (y) \le 1 \cdot 1$
  $+\ 0 \cdot (2y + z) \le 0 \cdot 1$
  $0 \le -2$

  24. Integration into an SMT solver (2/2)
  Incremental updates
  $\alpha \cdot (2x + y) \le \alpha \cdot 1$, $\alpha \ge 0$
  $+\ \beta \cdot (-x - y) \le \beta \cdot (-2)$, $\beta \ge 0$
  $+\ \gamma \cdot (y) \le \gamma \cdot 1$, $\gamma \ge 0$
  $0 \le -1$
  ◮ Removal of $(2x + y) \le 1$: update bound condition $\alpha = 0$ ⇒ Simplex ready for re-optimisation
  ◮ Re-addition of $(2x + y) \le 1$: re-establish bound condition $\alpha \ge 0$ ⇒ Simplex ready for re-optimisation
  ◮ Addition of $(2y + z) \le 1$: modify the constraint matrix ⇒ Simplex must reconstruct an initial basis

  25. Related Work
  ◮ A Fast Linear-Arithmetic Solver for DPLL(T) [Dutertre, de Moura, CAV'06]
  ◮ SAT Modulo the Theory of Linear Arithmetic: Exact, Inexact and Commercial Solvers [Faure, Nieuwenhuis, Oliveras, Rodríguez-Carbonell, SAT'08]
  ◮ On Using Floating-Point Computations to Help an Exact Linear Arithmetic Decision Procedure [Monniaux, CAV'09]

  26. Summary
  Optimistic (decision) procedure for LRA
  Based on a dual formulation of the LP problem
  ◮ Witness generation for free
  ◮ No strict inequalities ⇒ a good interface for an inexact floating-point Simplex
  Efficient witness reconstruction from inexact Simplex results
  ◮ In theory, incomplete
  ◮ In practice, always succeeds (for a benchmark suite)
  Compliant with the SMT interface ⇒ integration in progress in the veriT SMT prover
