Reasoning about floating-point arithmetic with ACDCL
Unifying Abstract Interpretation and Decision Procedures
Daniel Kroening
9 January 2013
(joint work with Leopold Haller, Vijay D’Silva, Michael Tautschnig, Martin Brain)
Thursday, 17 January 13
Abstract Satisfiability

Existing approaches to FP verification:
Manual, semi-automated
Decision procedures
Abstract interpretation
Our research: abstract satisfiability, unifying abstract interpretation and decision procedures.
IEEE 754 floating-point special values: −0, +0, −∞, +∞, NaN
Is this program correct? (We will ignore the case x = NaN.)
Three possible meanings:
Three approaches compared: manual, abstract interpretation, decision procedures.
Manual: requires experts, expensive, powerful.
Abstract interpretation: the program is fed to an abstract interpreter, which computes an abstract representation that over-approximates all program traces. If the error states do not overlap the abstract representation, the program is safe. If they do overlap, the answer is "?": the overlap may be a real error or an artefact of the over-approximation.
An abstract interpreter modularly uses an interpreter and an abstract domain. Changing the domain changes the analysis.
Example (same program, two domains):
Signs domain {+, −} ∪ {?}: y = +, x = +, z = +. Safe!
Constants domain {c | c ∈ FP} ∪ {?}: y = 5, x = ?, z = ?. Possibly unsafe.
Interval domain {[l, u] | l, u ∈ Int}. Abstract states for the example program, in program order:
x, y ∈ [min(Int), max(Int)]
x, y ∈ [min(Int), −1]
x ∈ [5, 5], y ∈ [min(Int), max(Int)]
x ∈ [min(Int), 5], y ∈ [min(Int), max(Int)]
Floating-point intervals: {[l, u] | l, u ∈ FP} ∪ {?}
For the example program with x ∈ [−1.570796, 1.570796] the interval analysis computes result ∈ [−2.216760, 2.216760], result ∈ [−2.301135, 2.301135] and result ∈ [−2.296453, 2.296453] at the intermediate steps: potentially unsafe.
… lines of code in 1h → highly scalable
(Figure: original traces and their abstractions by intervals, octagons and ellipses.)
Most numerical abstract domains are defined over rational numbers. They rely on algebraic laws such as associativity, (a + b) + c = a + (b + c), which do not hold over floating-point numbers. Floating-point abstract domains therefore model floating-point operations as real-number operations plus error terms.
Interval analysis results for further example snippets: x ∈ [−5, 5], y ∈ [−25, 25]; x ∈ [0, 1]; x, y ∈ [0, 1]; x ∈ [−1, 1]; x, y ∈ [1, 1]; x ∈ [100001, max(Int)], y ∈ [min(Int), max(Int)].
These domains are convex: intervals, octagons, convex polyhedra, ellipses, zonotopes.
(Figure: original traces and their convex abstractions; a zonotope abstraction x̂ ∪ ŷ with generator û.)
What if convex abstractions are too weak? (Figure: the convex abstraction of the traces intersects the error states although no trace reaches them.) A very common scenario.
Conclusion:
behaviour (success in avionics)
Floating point abstract domains
… Cousot. A sound floating-point polyhedra abstract domain. APLAS 2008
… Cousot. An abstract domain to discover interval linear equalities. VMCAI 2010
… Cousot. Interval polyhedra: an abstract domain to infer interval linear relationships. SAS 2009
Industrial case studies
… Baufreton, J. Gassino. Static analysis of the accuracy in control systems: principles and experiments. FMICS 2007
… Védrine. Towards an industrial use of FLUCTUAT on safety-critical avionics software. FMICS 2009
P. Cousot. Proving the absence of run-time errors in safety-critical avionics code. EMSOFT 2007
FP static analysers
P. Cousot, R. Cousot, J. Feret, L. Mauborgne, A. Miné, D. Monniaux and X. Rival. A static analyzer for large safety-critical software. SIGPLAN Notices 38(5), 2003
P. Cousot, R. Cousot, J. Feret, L. Mauborgne, A. Miné, D. Monniaux and X. Rival. The ASTRÉE analyzer. ESOP 2005
Manual: requires experts, expensive, powerful.
Abstract interpretation: scalable and efficient; precise analysis requires experts.
Decision procedures: the program traces and the error states are encoded as a logical formula. The program has a bug exactly if isTrace(t) ∧ error(t) is satisfied by some t; it is safe exactly if that formula is unsatisfiable.
Propositional SAT
Propositional formula ϕ = (a ∨ ¬b) ∧ (¬a ∨ b) ∧ ¬b: is there an assignment to a, b that makes the formula true?
(Figure: decrease in SAT solving time for SAT algorithms 2000-2007.)
Why are SAT solvers so efficient? They probe for a solution and learn from failure.
Example
(c → r = a /₃₂ b) ∧ (¬c → r = a ∗₃₂ b) ∧ a > 0 ∧ b > 0 ∧ r < 0
(/₃₂ and ∗₃₂ are 32-bit division and multiplication.) The formula can be translated to propositional logic using divider and multiplier circuits. It evaluates to true under the following assignment:
a, b ↦ 123456789, r ↦ −1757895751, c ↦ false
(123456789 ∗₃₂ 123456789 wraps around modulo 2³² to 2537071545, i.e. −1757895751 as a signed 32-bit integer.)
Decision procedures: counterexample!
Bounded Model Checking
Loops require unrolling before translation. If the loop does not have a known fixed bound, it is unrolled up to a chosen depth.
The decision procedure answers:
Satisfiable: the program has a bug, and a counterexample is returned.
Unsatisfiable: ? (no bug within the unrolling depth; nothing is known beyond it).
FP support in CBMC (2008): floating-point numbers are handled using a propositional encoding.
Scalability of the propositional encoding:
N | Nr. of variables | Memory use
5 | ~130000 | ~90MB
10 | ~260000 | ~180MB
Large amounts of memory.
Related work
Constraint satisfaction
SMT: P. Ruemmer and T. Wahl. An SMT …
Incomplete solvers
Manual: requires experts.
Abstract interpretation: scalable; precision requires experts.
Decision procedures: precise; scalability requires experts.
Theorem proving, decision procedures, abstract interpretation.
An abstract interpreter answers "Safe?"; decision procedures answer "Bug?".
Decision procedures, abstract interpretation: we are interested in techniques that …
(Figure: two analyses of the same program against the error states; with y ∈ [−1, 1]: potentially unsafe! With the finer abstraction: safe!)
SAT solvers accept formulas in conjunctive normal form: ϕ = (p ∨ ¬q) ∧ … ∧ (¬r ∨ w ∨ q), a conjunction of clauses, each a disjunction of literals.
Their main data structure is a partial variable assignment V → {t, f}, which represents a solution candidate.
ϕ = p ∧ (¬p ∨ ¬q) ∧ (q ∨ r ∨ ¬w) ∧ (q ∨ r ∨ w)
SAT deduces new facts from clauses: p ↦ t, then q ↦ f. At this point, clauses yield no further information.
ϕ = p ∧ (¬p ∨ ¬q) ∧ (q ∨ r ∨ ¬w) ∧ (q ∨ r ∨ w)
The result of deduction, p ↦ t, q ↦ f, is identical to applying interval analysis to the program: p ∈ [1, 1], q ∈ [0, 0].
Deduction in a SAT solver is abstract analysis.
ϕ = p ∧ (¬p ∨ ¬q) ∧ (q ∨ r ∨ ¬w) ∧ (q ∨ r ∨ w)
Pick an unassigned variable and assign a truth value: with p ↦ t, q ↦ f the SAT solver makes a "guess", r ↦ f. Now new deductions are possible.
ϕ = p ∧ (¬p ∨ ¬q) ∧ (q ∨ r ∨ ¬w) ∧ (q ∨ r ∨ w)
With p ↦ t, q ↦ f, r ↦ f the clause (q ∨ r ∨ ¬w) forces w ↦ f, but (q ∨ r ∨ w) then has no true literal: the variable w would have to be both true and false. Conflict.
The contradiction is the result of r being assigned to false as part of a guess.
Decisions and learning in a SAT solver are abstract partitioning: the guess r ↦ f explores the partition ϕ ∧ ¬r, the conflict refutes it, and the learnt fact restricts the remaining search to ϕ ∧ r.
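To make the three steps on these slides concrete (deduce, guess, learn from the conflict), here is a toy solver in Python. It is an added example, not part of the slides and not the code of any real SAT solver, and it runs on the slides' formula ϕ = p ∧ (¬p ∨ ¬q) ∧ (q ∨ r ∨ ¬w) ∧ (q ∨ r ∨ w). After a conflict it learns the negation of the guesses that led there and restarts; real CDCL solvers derive a stronger clause from the implication graph and backjump, but for this formula the outcome is the same: the learnt clause forces r, so the search continues on ϕ ∧ r. The `as_intervals` view is the slides' observation that a partial assignment is an interval over {0, 1}.

```python
# Added example, not from the slides: deduce / guess / learn on the slides' formula.
# Literals are ints (p = 1, ~p = -1); a clause is a list of literals; a formula a
# list of clauses.

P, Q, R, W = 1, 2, 3, 4
NAMES = {P: "p", Q: "q", R: "r", W: "w"}
PHI = [[P], [-P, -Q], [Q, R, -W], [Q, R, W]]          # phi from the slides


def lit(l):
    return ("~" if l < 0 else "") + NAMES[abs(l)]


def unit_propagate(clauses, assignment):
    """Deduce forced literals until nothing changes.

    Returns None, or the first clause whose literals are all false (a conflict).
    """
    changed = True
    while changed:
        changed = False
        for clause in clauses:
            if any(assignment.get(abs(l)) == (l > 0) for l in clause):
                continue                                 # clause already satisfied
            open_lits = [l for l in clause if abs(l) not in assignment]
            if not open_lits:
                return clause                            # every literal false
            if len(open_lits) == 1:                      # unit clause: literal forced
                l = open_lits[0]
                assignment[abs(l)] = l > 0
                changed = True
    return None


def as_intervals(assignment, nvars):
    """A partial assignment seen as the interval domain over {0, 1}:
    assigned variables are [0,0] or [1,1], unassigned ones [0,1]."""
    return {NAMES[v]: ((int(assignment[v]),) * 2 if v in assignment else (0, 1))
            for v in range(1, nvars + 1)}


def deduce(clauses, nvars):
    """Deduction only (no guesses), reported as intervals."""
    assignment = {}
    unit_propagate(clauses, assignment)
    return as_intervals(assignment, nvars)


def solve(clauses, nvars):
    """Deduce, guess, learn, restart. Each conflict learns the negation of the
    guesses that led to it (sound, but weaker than what a real CDCL solver
    learns). Returns (model or None, learnt clauses, trace of the run)."""
    learnt, trace = [], []
    while True:
        assignment, guesses = {}, []
        conflict = unit_propagate(clauses + learnt, assignment)
        while conflict is None:
            free = [v for v in range(1, nvars + 1) if v not in assignment]
            if not free:
                return assignment, learnt, trace         # every variable assigned
            guess = -free[0]                             # guess: first free var := false
            guesses.append(guess)
            assignment[abs(guess)] = guess > 0
            trace.append(f"decide {lit(guess)}")
            conflict = unit_propagate(clauses + learnt, assignment)
        if not guesses:
            return None, learnt, trace                   # conflict without a guess: UNSAT
        clause = [-g for g in guesses]                   # block this sequence of guesses
        learnt.append(clause)
        trace.append("conflict on (%s); learn (%s)"
                     % (" | ".join(map(lit, conflict)), " | ".join(map(lit, clause))))


def satisfies(clauses, model):
    return all(any(model[abs(l)] == (l > 0) for l in clause) for clause in clauses)
```

Running `solve(PHI, 4)` produces the trace on the slides: deduction fixes p and q, the guess ¬r leads to the conflict on (q ∨ r ∨ w), the clause (r) is learnt, and the restarted deduction immediately yields r ↦ t.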
Expanding the scope of SAT: SAT(A), a … refinement algorithm. From Boolean programs to a rich logic, e.g. FP programs (figure axes: data, control).
Example: ACDCL on a small program. Node n1 branches into c1: [a ≤ −2] b := 2; c2: [a = −1] b := −2; c3: [a = 0] b := −1; c4: [a ≥ 1] b := 1. The branches join at n2, which is followed by the error guard [b = 0].

Decision level 0 (deduction only):
c1 : a ≤ −2; c2 : a ≤ −1, a ≥ −1 (a = −1); c3 : a ≤ 0, a ≥ 0 (a = 0); c4 : a ≥ 1
n2 : b ≤ 2, b ≥ −2
error : b ≤ 0, b ≥ 0
The join at n2 loses the correlation between a and b, so the interval for b contains 0 and the error guard cannot be refuted.

Decision level 1, decision n1 : a ≤ −42:
c2 : ⊥, c3 : ⊥, c4 : ⊥, c1 : a ≤ −42, n2 : b ≥ 2, error : ⊥
SAFE (for this partition) → generalise!
Generalisation uses the maximal wp-underapproximation transformer: the decision a ≤ −42 is weakened to n1 : a ≤ −2, which still gives c2 : ⊥, c3 : ⊥, c4 : ⊥, c1 : ⊤, n2 : b ≥ 1, error : ⊥.
SAFE → find cut: ¬(n2 : b ≥ 1), ¬(n1 : a ≤ −2)
Evaluation: CDFL compared with abstract interpreters (Astrée) and decision procedures (CBMC) on short non-linear programs.
(Figure: time in seconds per benchmark, 55 benchmarks, log scale from 0.1 s to 1000 s, for Astrée, CBMC and CDFL.)
ACDCL on the example with x ∈ [−π/2, π/2]: the bound on result proved, and the partitioning of the input interval it needs, step by step:
result ≤ 2.0, result ≥ −2.0
result ≤ 1.5, result ≥ −1.5
result ≤ 1.2, result ≥ −1.2
result ≤ 1.1, result ≥ −1.1
result ≤ 1.01, result ≥ −1.01
result ≤ 1.001, result ≥ −1.001
(Figure: each tighter bound requires a finer partitioning of [−π/2, π/2].)
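The floating-point interval domain introduced earlier and the bound tightening by partitioning just shown can be reproduced in a few lines. The following Python is an added example, not code from the slides or from the authors' tool. It assumes the analysed program is the Taylor polynomial x − x³/6 + x⁵/120 − x⁷/5040 for sin(x) (an assumption, chosen because it reproduces the slides' intermediate bounds 2.216760, 2.296453 and 2.301135), uses math.nextafter (Python 3.9 or later) to round every operation outward so the intervals stay sound under floating-point rounding, and splits the input interval uniformly rather than the way ACDCL chooses its partitions.

```python
import math

# Added example, not from the slides. Assumption: the analysed program is the
# Taylor polynomial sin(x) ~ x - x^3/6 + x^5/120 - x^7/5040 on x in [-pi/2, pi/2].


class Interval:
    """Closed interval [lo, hi] of binary64 values; every operation rounds outward."""
    __slots__ = ("lo", "hi")

    def __init__(self, lo, hi):
        if not lo <= hi:
            raise ValueError("empty interval")
        self.lo, self.hi = lo, hi

    @staticmethod
    def _round_out(lo, hi):
        # The hardware rounds each result; the exact value lies within one ulp
        # of the rounded one, so move both bounds one ulp outward to stay sound.
        return Interval(math.nextafter(lo, -math.inf), math.nextafter(hi, math.inf))

    def __add__(self, o):
        return Interval._round_out(self.lo + o.lo, self.hi + o.hi)

    def __sub__(self, o):
        return Interval._round_out(self.lo - o.hi, self.hi - o.lo)

    def __mul__(self, o):
        p = (self.lo * o.lo, self.lo * o.hi, self.hi * o.lo, self.hi * o.hi)
        return Interval._round_out(min(p), max(p))

    def div_const(self, c):
        """Division by a positive constant."""
        return Interval._round_out(self.lo / c, self.hi / c)

    def magnitude(self):
        return max(abs(self.lo), abs(self.hi))

    def __repr__(self):
        return f"[{self.lo:.6f}, {self.hi:.6f}]"


def sin_taylor(x, degree=7):
    """Interval evaluation of x - x^3/6 + x^5/120 - x^7/5040, truncated at `degree`."""
    x2 = x * x
    x3 = x2 * x
    result = x - x3.div_const(6.0)
    if degree >= 5:
        x5 = x3 * x2
        result = result + x5.div_const(120.0)
    if degree >= 7:
        x7 = x5 * x2
        result = result - x7.div_const(5040.0)
    return result


HALF_PI = math.pi / 2


def bound_whole_interval(degree):
    """One interval [-pi/2, pi/2]: the bound a plain interval analysis reports."""
    return sin_taylor(Interval(-HALF_PI, HALF_PI), degree).magnitude()


def bound_with_partitioning(pieces, degree=7):
    """Split [-pi/2, pi/2] into `pieces` sub-intervals, analyse each, join the results."""
    width = math.pi / pieces
    worst = 0.0
    for i in range(pieces):
        lo = -HALF_PI + i * width
        hi = HALF_PI if i == pieces - 1 else -HALF_PI + (i + 1) * width
        worst = max(worst, sin_taylor(Interval(lo, hi), degree).magnitude())
    return worst
```

On the whole input interval the degree-3, 5 and 7 polynomials are bounded by 2.216760, 2.296453 and 2.301135, the slides' numbers, although the polynomial never leaves [−1, 1] on that range; the dependency between the terms is what the convex domain loses. Uniform splitting into 1024 pieces brings the degree-7 bound below 1.01 and 4096 pieces below 1.001, mirroring the sequence of bounds above; ACDCL obtains such partitions by deciding and learning on the input bounds instead of splitting blindly.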
(Figure: scatter plots of solving times, log scale from 0.01 s to 1000 s on both axes. (a) FP-ACDCL against a bit-vector encoding solved with Z3; (b) FP-ACDCL against FP-ACDCL without generalisation.)
… verification
… learning strategies
Theorem proving, decision procedures, abstract interpretation: ACDL sits at their intersection.