proving and inferring invariants
play

Proving and inferring invariants David Monniaux CNRS / VERIMAG - PowerPoint PPT Presentation

Aug 19, 2023 •251 likes •956 views

Proving and inferring invariants David Monniaux CNRS / VERIMAG Grenoble, France December 13, 2013 David Monniaux (CNRS / VERIMAG) Proving and inferring invariants December 13, 2013 1 / 54 Grenoble David Monniaux (CNRS / VERIMAG) Proving

  1. Proving and inferring invariants David Monniaux CNRS / VERIMAG Grenoble, France December 13, 2013 David Monniaux (CNRS / VERIMAG) Proving and inferring invariants December 13, 2013 1 / 54

  2. Grenoble David Monniaux (CNRS / VERIMAG) Proving and inferring invariants December 13, 2013 2 / 54

  3. VERIMAG VERIMAG is a joint research laboratory of CNRS, Universit´ e Joseph Fourier (Grenoble-1) and Grenoble-INP David Monniaux (CNRS / VERIMAG) Proving and inferring invariants December 13, 2013 3 / 54

  4. Plan Safety properties 1 Inductive invariants 2 Policy iteration 3 Min-policy iteration Max-policy iteration Implicit graphs Unknown template shape 4 Conclusion 5 David Monniaux (CNRS / VERIMAG) Proving and inferring invariants December 13, 2013 4 / 54

  5. Safety properties Proving properties of programs : safety : the program never enters an undesirable state (crash, variable too large for specification, assertion violation. . . ) liveness : the program progresses (no entering into deadlocks or neverending loops) David Monniaux (CNRS / VERIMAG) Proving and inferring invariants December 13, 2013 5 / 54

  6. Safety properties Proving properties of programs : safety : the program never enters an undesirable state (crash, variable too large for specification, assertion violation. . . ) liveness : the program progresses (no entering into deadlocks or neverending loops) In this talk, focus on safety (liveness often uses safety properties). David Monniaux (CNRS / VERIMAG) Proving and inferring invariants December 13, 2013 5 / 54

  7. Proofs on programs A program written in a real programmming language ⇓ Its semantics : its “meaning” in mathematical terms David Monniaux (CNRS / VERIMAG) Proving and inferring invariants December 13, 2013 6 / 54

  8. Proofs on programs A program written in a real programmming language ⇓ Its semantics : its “meaning” in mathematical terms For real languages (C, C++, PHP. . . ), very difficult and fraught with errors. We’ll bravely assume the problem solved and suppose a toy language with well-defined mathematical semantics. David Monniaux (CNRS / VERIMAG) Proving and inferring invariants December 13, 2013 6 / 54

  9. Properties to prove A property in natural language (e.g. “the program sorts the array”) ⇓ A mathematical property (e.g. definition of the total order on array elements, the output is sorted, it is a permutation of the input. . . ) David Monniaux (CNRS / VERIMAG) Proving and inferring invariants December 13, 2013 7 / 54

  10. Properties to prove A property in natural language (e.g. “the program sorts the array”) ⇓ A mathematical property (e.g. definition of the total order on array elements, the output is sorted, it is a permutation of the input. . . ) Again, fraught with errors. We’ll bravely assume mathematically defined properties. David Monniaux (CNRS / VERIMAG) Proving and inferring invariants December 13, 2013 7 / 54

  11. The setting A set C of control points : instructions heads of control blocks lines of program Memory state as a vector of variables in S (can be Z n (or Q n , or B m × Q n where B = { 0 , 1 } Booleans) For i , j ∈ C , a transition relation τ i , j ⊆ S × S (often expressed with x , y , . . . variables before and x ′ , y ′ , . . . after) A starting state q 0 ∈ C and a “bad” state q B ∈ C . David Monniaux (CNRS / VERIMAG) Proving and inferring invariants December 13, 2013 8 / 54

  12. Concrete example j = 0; for ( int i=0; i<100; i++) { j = j+2; } i ≥ 100 i ′ = 0 i ′ = i j ′ = 0 j ′ = j q 0 q 1 q 2 i < 100 i ′ = i + 1 j ′ = j + 2 David Monniaux (CNRS / VERIMAG) Proving and inferring invariants December 13, 2013 9 / 54

  13. Concrete example with an assertion j = 0; for ( int i=0; i<100; i++) { j = j+2; } assert(j < 210); i ′ = i i ≥ 100 i ′ = 0 i ′ = i j ′ = j j ′ = 0 j ′ = j j < 210 q 0 q 1 q 2 q 3 i ′ = i j ′ = j q B j ≥ 210 i < 100 i ′ = i + 1 j ′ = j + 2 David Monniaux (CNRS / VERIMAG) Proving and inferring invariants December 13, 2013 10 / 54

  14. Proving safety Whether q B is reachable. . . David Monniaux (CNRS / VERIMAG) Proving and inferring invariants December 13, 2013 11 / 54

  15. Proving safety Whether q B is reachable. . . Is an undecidable problem ( halting problem ) David Monniaux (CNRS / VERIMAG) Proving and inferring invariants December 13, 2013 11 / 54

  16. Plan Safety properties 1 Inductive invariants 2 Policy iteration 3 Min-policy iteration Max-policy iteration Implicit graphs Unknown template shape 4 Conclusion 5 David Monniaux (CNRS / VERIMAG) Proving and inferring invariants December 13, 2013 12 / 54

  17. Floyd-Hoare-like proofs (Ideas dating back to at least Robert Floyd and C.A.R Hoare, late 1960s, and even to Turing): Adorn each state q i in the automaton with a formula φ i Show that these formulas are inductive : if φ i ( x ) and τ i , j ( x , x ′ ) then φ j ( x ) Check that the formula φ 0 for q 0 (initial state) is “true” Check that the formula φ B for q B (bad state) is “false” David Monniaux (CNRS / VERIMAG) Proving and inferring invariants December 13, 2013 13 / 54

  18. Floyd-Hoare-like proofs (Ideas dating back to at least Robert Floyd and C.A.R Hoare, late 1960s, and even to Turing): Adorn each state q i in the automaton with a formula φ i Show that these formulas are inductive : if φ i ( x ) and τ i , j ( x , x ′ ) then φ j ( x ) Check that the formula φ 0 for q 0 (initial state) is “true” Check that the formula φ B for q B (bad state) is “false” By induction on the length of the computation, the system state ( c , x ) ∈ S × S can never exit the φ i “invariant”: For any reachable ( c , x ), x satifies φ c . David Monniaux (CNRS / VERIMAG) Proving and inferring invariants December 13, 2013 13 / 54

  19. Direct induction does not necessarily work Program initialization: − 1 ≤ x ≤ 1 ∧ y = 0 Operation: ( x ′ , y ′ ) = rotate (( x , y ) , 45) − 1 ≤ x ≤ 1 ∧ − 1 ≤ y ≤ 1 is always true. . . David Monniaux (CNRS / VERIMAG) Proving and inferring invariants December 13, 2013 14 / 54

  20. Direct induction does not necessarily work Program initialization: − 1 ≤ x ≤ 1 ∧ y = 0 Operation: ( x ′ , y ′ ) = rotate (( x , y ) , 45) − 1 ≤ x ≤ 1 ∧ − 1 ≤ y ≤ 1 is always true. . . But not by induction! Need some stronger inductive property e.g. x 2 + y 2 ≤ 1. David Monniaux (CNRS / VERIMAG) Proving and inferring invariants December 13, 2013 14 / 54

  21. With invariants j = 0; for ( int i=0; i<100; i++) { j = j+2; } assert(j < 210); i ′ = i i ≥ 100 i ′ = 0 i ′ = i j ′ = j j ′ = 0 j ′ = j j < 210 i = j i = 100 true true j = 200 i ≤ 100 i ′ = i j ′ = j i < 100 false i ′ = i + 1 j ≥ 210 j ′ = j + 2 David Monniaux (CNRS / VERIMAG) Proving and inferring invariants December 13, 2013 15 / 54

  22. Checking inductive invariants A tool requires the user to provide invariants, and checks that they are inductive. Possible if the invariants φ i and the transition relations τ i , j are within a decidable theory : Check that φ i ∧ τ i , j ∧ ¬ φ j is unsatisfiable for all i , j . Various degrees of automation Tools : Frama-C, Why, B-Method, Frama-C. . . David Monniaux (CNRS / VERIMAG) Proving and inferring invariants December 13, 2013 16 / 54

  23. Inferring inductive invariants More ambitious: complete automation! The problem: exhibit φ c at all control state c ∈ C so that the φ c are inductive and φ 0 is “true” and φ B is “false” But what is φ c ? An arbitrary first-order formula? David Monniaux (CNRS / VERIMAG) Proving and inferring invariants December 13, 2013 17 / 54

  24. Abstract domains So as to automatize the task: look for φ c in a particular class (or domain ) of properties: e.g. propositional formulas over the Boolean variables conjunctions of linear inequalities over rational/integer variables ( convex polyhedra ) intervals over rational/integer variables David Monniaux (CNRS / VERIMAG) Proving and inferring invariants December 13, 2013 18 / 54

  25. Example of an inductive polyhedron David Monniaux (CNRS / VERIMAG) Proving and inferring invariants December 13, 2013 19 / 54

  26. Abstract interpretation in convex polyhedra j = 0; for ( int i=0; i<100; i++) { j = j+2; } David Monniaux (CNRS / VERIMAG) Proving and inferring invariants December 13, 2013 20 / 54

  27. Abstract interpretation in convex polyhedra j = 0; for ( int i=0; i<100; i++) { j = j+2; } David Monniaux (CNRS / VERIMAG) Proving and inferring invariants December 13, 2013 20 / 54

  28. Abstract interpretation in convex polyhedra j = 0; for ( int i=0; i<100; i++) { j = j+2; } David Monniaux (CNRS / VERIMAG) Proving and inferring invariants December 13, 2013 20 / 54

  29. Abstract interpretation in convex polyhedra j = 0; for ( int i=0; i<100; i++) { j = j+2; } David Monniaux (CNRS / VERIMAG) Proving and inferring invariants December 13, 2013 20 / 54

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Daikon: Dynamic Analysis for Inferring Likely Invariants Reading: Dynamically Discovering Likely

Daikon: Dynamic Analysis for Inferring Likely Invariants Reading: Dynamically Discovering Likely

Daikon: Dynamic Analysis for Inferring Likely Invariants Reading: Dynamically Discovering Likely Program Invariants to Support Program Evolution 17-654/17-765 Analysis of Software Artifacts Jonathan Aldrich What is an Invariant? A

361 views • 22 slides
GLMC Connecting ACL2 with Hardware Model Checkers Proving Invariants in Hardware Verification

GLMC Connecting ACL2 with Hardware Model Checkers Proving Invariants in Hardware Verification

GLMC Connecting ACL2 with Hardware Model Checkers Proving Invariants in Hardware Verification Inductive invariants are easy to prove Provable by SAT for finite state machines In ACL2, can use GL. Downsides:

596 views • 12 slides
Inferring and Asserting Distributed System Invariants https://bitbucket.org/bestchai/dinv Stewart

Inferring and Asserting Distributed System Invariants https://bitbucket.org/bestchai/dinv Stewart

Inferring and Asserting Distributed System Invariants https://bitbucket.org/bestchai/dinv Stewart Grant , Hendrik Cech , Ivan Beschastnikh University of British Columbia , University of Bamberg 1 Distributed Systems are pervasive

943 views • 59 slides
Proving invariants: how many times a program should be unfolded ? Paul Caspi, Jan Mik

Proving invariants: how many times a program should be unfolded ? Paul Caspi, Jan Mik

Proving invariants: how many times a program should be unfolded ? Paul Caspi, Jan Mik VERIMAG Grenoble Problem definition 1 A closed system state space S initial state I is a predicate on S transition relation T is a predicate on S

161 views • 13 slides
Daikon: Dynamic Analysis for Inferring Likely Invariants Reading:

Daikon: Dynamic Analysis for Inferring Likely Invariants Reading:

Daikon: Dynamic Analysis for Inferring Likely Invariants Reading:

650 views • 17 slides
On Inferring and Characterizing On Inferring and Characterizing Internet Routing Policies

On Inferring and Characterizing On Inferring and Characterizing Internet Routing Policies

On Inferring and Characterizing On Inferring and Characterizing Internet Routing Policies Internet Routing Policies Feng Wang Lixin Gao Department of Electrical and Computer Engineering University of Massachusetts, Amherst MA 01002, USA 1

450 views • 18 slides
Better termination proving through cooperation Marc Brockschmidt 1 Byron Cook 2 , 3 Carsten Fuhs 3

Better termination proving through cooperation Marc Brockschmidt 1 Byron Cook 2 , 3 Carsten Fuhs 3

Better termination proving through cooperation Marc Brockschmidt 1 Byron Cook 2 , 3 Carsten Fuhs 3 1 RWTH Aachen University 2 Microsoft Research Cambridge 3 University College London Deduktionstreffen 2013 Termination Analysis: Invariants and Rank

538 views • 37 slides
Searching for Program Invariants using Genetic Programming and Mutation Testing Sam Ratcliff,

Searching for Program Invariants using Genetic Programming and Mutation Testing Sam Ratcliff,

Searching for Program Invariants using Genetic Programming and Mutation Testing Sam Ratcliff, David R. White and John A. Clark. The 13th CREST Open Workshop Thursday 12 May 2011 Outline Invariants Using GP to find Invariants Identifying

417 views • 38 slides
GENERATING INVARIANTS IN POSITIVE CHARACTERISTIC VISU MAKAM Abstract. The ring of invariants for a

GENERATING INVARIANTS IN POSITIVE CHARACTERISTIC VISU MAKAM Abstract. The ring of invariants for a

GENERATING INVARIANTS IN POSITIVE CHARACTERISTIC VISU MAKAM Abstract. The ring of invariants for a rational representation of a reductive group is finitely generated by the results of Hilbert, Nagata and Haboush. However, the proof is not

482 views • 3 slides
On Theorem Proving for Program Checking Historical perspective and recent developments Maria

On Theorem Proving for Program Checking Historical perspective and recent developments Maria

Outline Introduction Where is theorem proving in program checking Inside theorem proving Big and little engines together: a new theorem proving style Decision procedures with speculative inferences Current and future challenges On Theorem

944 views • 69 slides
Visual theorem proving with the Incredible Proof Machine The idea Theorem Proving without

Visual theorem proving with the Incredible Proof Machine The idea Theorem Proving without

Interactive Theorem Proving, Nancy August 22, 2016 Joachim Breitner Karlsruhe Institute of Technology University of Pennsylvania, Philadelphia Visual theorem proving with the Incredible Proof Machine The idea Theorem Proving without Syntax

579 views • 43 slides
Local invariants of maps between 3-manifolds Victor Goryunov University of Liverpool Conference

Local invariants of maps between 3-manifolds Victor Goryunov University of Liverpool Conference

Introduction Generic critical value sets Integer invariants mod2 invariants Local invariants of maps between 3-manifolds Victor Goryunov University of Liverpool Conference Legacy of Vladimir Arnold Fields Institute, Toronto 25 November

1.37k views • 84 slides
Learning theorem proving through self-play Stanisaw Purga Overview AlphaZero Proving

Learning theorem proving through self-play Stanisaw Purga Overview AlphaZero Proving

Learning theorem proving through self-play Stanisaw Purga Overview AlphaZero Proving game adjusting MCTS for proving game some results 2019-10 1 Neural black box game state S move policy expected outcome R n v

455 views • 45 slides
Loop invariants &lt;precondition: n&gt;0&gt; int i = 0; while (i &lt; n){ i = i+1; We want to

Loop invariants &lt;precondition: n&gt;0&gt; int i = 0; while (i &lt; n){ i = i+1; We want to

4/23/16 Loop invariants as a way of reasoning about the state of your program Loop invariants &lt;precondition: n&gt;0&gt; int i = 0; while (i &lt; n){ i = i+1; We want to prove: } i==n right after the loop &lt;post condition: i==n&gt;

80 views • 7 slides
Cheeger-Gromov L 2 -invariants of 3-manifolds Geunho Lim Indiana University Bloomington

Cheeger-Gromov L 2 -invariants of 3-manifolds Geunho Lim Indiana University Bloomington

Cheeger-Gromov L 2 -invariants of 3-manifolds Geunho Lim Indiana University Bloomington limg@iu.edu L 2 -invariants Topological Definition of L 2 -invariants, (2) (M, ) M is a closed (4k-1)-manifold. : 1 ( M) G is

805 views • 3 slides
4.5: Proving the Correctness of Grammars In this section, we consider techniques for proving the

4.5: Proving the Correctness of Grammars In this section, we consider techniques for proving the

4.5: Proving the Correctness of Grammars In this section, we consider techniques for proving the correctness of grammars, i.e., for proving that grammars generate the languages we want them to. 1 / 21 Definition of Suppose G is a grammar and

324 views • 21 slides
Mathematical modeling in biology. D. Salort, LBCQ, Sorbonne University, Paris 03-07 september

Mathematical modeling in biology. D. Salort, LBCQ, Sorbonne University, Paris 03-07 september

Some spatial mathematical models in neurosciences. Mathematical modeling in biology. D. Salort, LBCQ, Sorbonne University, Paris 03-07 september 2018 D. Salort, LBCQ, Sorbonne University, Paris Mathematical modeling in biology. Some spatial

728 views • 23 slides
Pasadena, USA, December 9 14, 2001 RFNC-VNIITF MULTIFUNCTIONAL SHOCK TUBE FOR INVESTIGATING

Pasadena, USA, December 9 14, 2001 RFNC-VNIITF MULTIFUNCTIONAL SHOCK TUBE FOR INVESTIGATING

8 th International Workshop on Physics of Compressible Turbulent Mixing Pasadena, USA, December 9 14, 2001 RFNC-VNIITF MULTIFUNCTIONAL SHOCK TUBE FOR INVESTIGATING THE EVOLUTION OF INSTABILITIES IN UNSTATIONARY GASDYNAMIC FLOWS Yu. A.

314 views • 7 slides
Sound Multiple Choice Practice Problems Problems Slide 3 / 51 Slide 4 / 51 1 Two sound

Sound Multiple Choice Practice Problems Problems Slide 3 / 51 Slide 4 / 51 1 Two sound

Slide 1 / 51 Slide 2 / 51 Sound Multiple Choice Practice Problems Problems Slide 3 / 51 Slide 4 / 51 1 Two sound sources S 1 and S 2 produce waves with 2 Which of the following is a true statement about frequencies 500 Hz and 250 Hz. When

695 views • 9 slides
Solutions for a hyperbolic model of multiphase flow and related numerical issues Debora Amadori

Solutions for a hyperbolic model of multiphase flow and related numerical issues Debora Amadori

Solutions for a hyperbolic model of multiphase flow and related numerical issues Debora Amadori University of LAquila (Italy) AMIS2012, June 20 2012 Outline Outline Part I: A multiphase flow model 1 Description Basics on the homogeneous

745 views • 62 slides
The Event Generator WHIZARD Jrgen R. Reuter, DESY J.R.Reuter The event

The Event Generator WHIZARD Jrgen R. Reuter, DESY J.R.Reuter The event

The Event Generator WHIZARD Jrgen R. Reuter, DESY J.R.Reuter The event generator WHIZARD MC4BSM 2015, Fermilab, 19.5.2015 WHIZARD: Some (technical) facts WHIZARD v2.2.6 (02.05.2015) http://whizard.hepforge.org

1.46k views • 71 slides
Outline Introduction Meson transition form factors and ( g 2) 0

Outline Introduction Meson transition form factors and ( g 2) 0

Towards a Dispersive Analysis of the 0 Transition Form Factor Bastian Kubis Helmholtz-Institut f ur Strahlen- und Kernphysik (Theorie) Bethe Center for Theoretical Physics Universit at Bonn, Germany Hadronic Probes of Fundamental

1.03k views • 66 slides
Factor Vocab Word 2 Sometimes when you subtract the fractions, Its meaning you find that you

Factor Vocab Word 2 Sometimes when you subtract the fractions, Its meaning you find that you

Slide 1 / 309 Slide 2 / 309 Graphing Linear Equations 8th Grade 2015-01-26 www.njctl.org Slide 3 / 309 Slide 4 / 309 Table of Contents click on the topic to go Vocabulary Review Links to PARCC sample questions to that section Tables

884 views • 60 slides
Lafros MaCS: an experimental Scala monitoring and control API Rob Dickens Introduction The

Lafros MaCS: an experimental Scala monitoring and control API Rob Dickens Introduction The

Lafros MaCS: an experimental Scala monitoring and control API Rob Dickens Introduction The Lafros MaCS (Monitoring and Control System) API is designed to help facilitate the local or remote, interactive and programmatic, monitoring and control

249 views • 12 slides

More recommend