Solving (Quantified) Horn Constraints for Program Verification and Synthesis
Andrey Rybalchenko (Microsoft Research)
September 30, 2015
1 / 32
Programs vs/as Equations
◮ Execution of rule-based programs
◮ Solving of equations in the form of implication constraints
Quiz
F1 := ∀x : (∃y : p(x, y)) → q(x)
vs.
F2 := ∀x ∀y : p(x, y) → q(x)
Transition System
◮ v - program variables
◮ init(v) - initial states
◮ step(v, v′) - transition relation
◮ safe(v) - safe states
Safety and Termination (WF) of Transition System
∃ inv ∃ round :
init(v) → inv(v)
inv(v) ∧ step(v, v′) → inv(v′)
inv(v) → safe(v)                         (safety)
inv(v) ∧ step(v, v′) → round(v, v′)
wf(round)                                (well-foundedness)
From WF to DWF
wf(rel) iff ∃ ti :
rel(v, v′) → ti(v, v′)
ti(v, v′) ∧ rel(v′, v′′) → ti(v, v′′)
dwf(ti)                                  (disjunctive well-foundedness)
dwf - finite union of well-founded relations
Backward Safety of Transition System
∃ inv :
¬safe(v) → inv(v)
inv(v′) ∧ step(v, v′) → inv(v)
inv(v) ∧ init(v) → false
Forward and Backward Safety of Transition System
∃ finv ∃ binv :
init(v) → finv(v)
finv(v) ∧ step(v, v′) → finv(v′)
¬safe(v) → binv(v)
binv(v′) ∧ step(v, v′) → binv(v)
finv(v) ∧ binv(v) → false
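As an added example (not code from the talk), a bounded check of candidate solutions for the forward safety clauses, the backward safety clauses and the combined forward/backward system, on a constructed transition system: states x in 0..20, init is x = 0, step is x′ = x + 2, safe is x ≠ 7. The system, the candidate invariants and all function names are assumptions of this example; the clauses are checked by enumerating states, which is what a Horn solver establishes symbolically for unbounded domains.

```python
"""Bounded check of the safety Horn clauses (forward, backward, combined).

Constructed transition system, not from the talk: x in 0..MAX,
init(x) = (x == 0), step(x, x') = (x' == x + 2), safe(x) = (x != 7).
A candidate inv is a solution iff every clause holds on every state."""
from itertools import product

MAX = 20
STATES = range(MAX + 1)
PAIRS = list(product(STATES, STATES))

def init(x): return x == 0
def step(x, x2): return x2 == x + 2
def safe(x): return x != 7

def forward_inductive(inv):
    """init -> inv  and  inv /\\ step -> inv' (the first two forward clauses)."""
    c1 = all(inv(x) for x in STATES if init(x))
    c2 = all(inv(x2) for x, x2 in PAIRS if inv(x) and step(x, x2))
    return c1 and c2

def backward_inductive(inv):
    """not safe -> inv  and  inv' /\\ step -> inv (closed under predecessors)."""
    c1 = all(inv(x) for x in STATES if not safe(x))
    c2 = all(inv(x) for x, x2 in PAIRS if inv(x2) and step(x, x2))
    return c1 and c2

def is_forward_solution(inv):
    """Clauses of the forward rule: inductive and inv -> safe."""
    return forward_inductive(inv) and all(safe(x) for x in STATES if inv(x))

def is_backward_solution(inv):
    """Clauses of the backward rule: co-inductive and inv /\\ init -> false."""
    return backward_inductive(inv) and not any(inv(x) and init(x) for x in STATES)

def is_fb_solution(finv, binv):
    """Combined rule: both halves inductive and finv /\\ binv -> false."""
    disjoint = not any(finv(x) and binv(x) for x in STATES)
    return forward_inductive(finv) and backward_inductive(binv) and disjoint

if __name__ == "__main__":
    print(is_forward_solution(lambda x: x % 2 == 0))   # True: even states never hit 7
    print(is_forward_solution(lambda x: x == 0))       # False: not inductive under step
```

A failing candidate pinpoints which clause is violated: inv = true fails inv → safe, inv = (x = 0) fails inductiveness, and an empty-set or over-approximate binv fails disjointness.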
Program with Procedures
◮ v - program variables
◮ init(v) - initial states of main procedure
◮ step(v, v′) - intra-procedural transition relation
◮ safe(v) - safe states
◮ call(v, v′) - parameter passing relation
◮ ret(v, v′) - return value passing
Safety of Program with Procedures
∃ sum :
init(v0) → sum(v0, v0)
sum(v0, v1) ∧ step(v1, v2) → sum(v0, v2)
sum(v0, v1) ∧ call(v1, v2) → sum(v2, v2)
sum(v0, v1) ∧ call(v1, v2) ∧ sum(v2, v3) ∧ ret(v3, v4) → sum(v0, v4)
sum(v0, v1) → safe(v1)
Termination of Program with Procedures
∃ round ∃ descent :
...
sum(v0, v1) ∧ step(v1, v2) → round(v1, v2)
sum(v0, v1) ∧ call(v1, v2) ∧ sum(v2, v3) ∧ ret(v3, v4) → round(v1, v4)
sum(v0, v1) ∧ call(v1, v2) → descent(v0, v2)
wf(round)
wf(descent)
Solving Horn Constraints
Symbolic Self-Composition (for Non-Interference)
∃ sum :
...
v0 ≠ w0 ∧ sum(v0, v1) ∧ sum(w0, w1) → v1 = w1
Multi-Threaded Program
◮ v = (g, l1, l2) - global and thread-local variables
◮ init(v) - initial states
◮ safe(v) - safe states
◮ step1(v, v′) - transition relation of 1st thread, preserves l2
◮ step2(v, v′) - transition relation of 2nd thread, preserves l1
Rely/Guarantee Rule for Safety
∃ inv1 ∃ inv2 ∃ env1 ∃ env2 :
init(v) → inv1(v)
inv1(v) ∧ step1(v, v′) → inv1(v′) ∧ env2(v, v′)
inv1(v) ∧ env1(v, v′) → inv1(v′)
···
inv1(v) ∧ inv2(v) → safe(v)
Clauses for preservation of inv2(v) are symmetric
Resolving Rely/Guarantee Rule
∃ env2 :
···
inv1(v) ∧ step1(v, v′) → env2(v, v′)
···
inv2(v) ∧ env2(v, v′) → inv2(v′)
···
Into Owicki/Gries Rule
···
env2(v, v′) := inv1(v) ∧ step1(v, v′)
···
inv2(v) ∧ inv1(v) ∧ step1(v, v′) → inv2(v′)
···
Owicki/Gries Rule for Safety
∃ inv1 ∃ inv2 :
init(v) → inv1(v)
inv1(v) ∧ step1(v, v′) → inv1(v′)
inv1(v) ∧ inv2(v) ∧ step2(v, v′) → inv1(v′)
···
inv1(v) ∧ inv2(v) → safe(v)
Clauses for preservation of inv2(v) are symmetric
Thread-Modular Rule for Safety
∃ inv1 ∃ inv2 ∃ env :
init(v) → inv1(g, l1)
inv1(g, l1) ∧ step1(v, v′) → inv1(g′, l′1) ∧ env(g, g′)
···
inv1(g, l1) ∧ inv2(g, l2) → safe(v)
Clauses for preservation of inv2(v) are symmetric
Quantifier-Free Horn Clauses
∀v ∀w : body(v, w) → head(v)
body(v, w) and head(v) are quantifier free
Quantified Horn Clauses
◮ Existential temporal properties, e.g., CTL
◮ Program synthesis and infinite-state game solving
◮ Inference of transactions for concurrent programs
  ∀v ∀w : body(v, w) → ∃x : head(v, x)
◮ Quantified invariants/auxiliary assertions
  ∀v ∀w : (∀y : body(v, w, y)) → head(v)
Existentially Quantified Horn Clauses
∀v ∀w : body(v, w) → ∃x : head(v, x)
body(v, w) and head(v, x) are quantifier free
Proving CTL Properties
(init(v), step(v, v′)) ⊨ EF(q(v))
(init(v), step(v, v′)) ⊨ EG(EU(p(v), q(v)))
Based on the proof system for CTL* by Kesten and Pnueli [TCS’05]
Proving EF(q(v))
∃ inv ∃ round :
init(v) → inv(v)
inv(v) ∧ ¬q(v) → ∃v′ : step(v, v′) ∧ inv(v′) ∧ round(v, v′)
wf(round)
Decomposing EG(EU(p(v), q(v)))
(init(v), step(v, v′)) ⊨ EG(EU(p(v), q(v)))
iff ∃ mid :
(init(v), step(v, v′)) ⊨ EG(mid(v))
(mid(v), step(v, v′)) ⊨ EU(p(v), q(v))
Proving (init(v), step(v, v′)) ⊨ EG(mid(v)) and (mid(v), step(v, v′)) ⊨ EU(p(v), q(v))
∃ mid ∃ inv1 ∃ inv2 ∃ round :
init(v) → inv1(v)
inv1(v) → mid(v) ∧ ∃v′ : step(v, v′) ∧ inv1(v′)
mid(v) → inv2(v)
inv2(v) ∧ ¬q(v) → p(v) ∧ ∃v′ : step(v, v′) ∧ inv2(v′) ∧ round(v, v′)
wf(round)
Solving Infinite-State Game
Given five empty bottles arranged in a circle and a jar full of water:
◮ Stepmother pours all water from the jar into some bottles
◮ Cinderella empties a pair of adjacent bottles
◮ Jar is refilled for the next round
Stepmother wins if some bottle overflows
Formalization of Game Arena
◮ v = (v1, ..., v5)
◮ B - bottle volume
◮ J - jar volume
init(v) = (v1 = ··· = v5 = 0)
cindy(v, v′) = (v′1 = v′2 = 0 ∧ same(v3, v4, v5) ∨ ··· ∨ v′5 = v′1 = 0 ∧ same(v2, v3, v4))
step(v, v′) = (v′1 ≥ v1 ∧ ··· ∧ v′5 ≥ v5 ∧ v′1 + ··· + v′5 − (v1 + ··· + v5) = J)
over(v) = (v1 > B ∨ ··· ∨ v5 > B)
Stepmother’s Victory as Constraint Satisfaction
∃ win ∃ round :
init(v) → win(v)
win(v) ∧ ¬over(v) ∧ cindy(v, v′) → ∃v′′ : step(v′, v′′) ∧ win(v′′) ∧ round(v, v′′)
wf(round)
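As an added example (not code from the talk), a Python encoding of the arena predicates init, cindy, step and over from the previous slide, plus a bounded instance of the existential in the second clause above: with win(v′′) approximated by over(v′′), it searches for a pour v′′ from Cinderella's result v′ that overflows a bottle. Water is measured in whole units so that Stepmother's pours can be enumerated; the unit discretisation and all function names are assumptions of this example.

```python
"""Constructed encoding of the Cinderella/Stepmother arena (five bottles
in a circle, bottle volume B, jar volume J), water in whole units.
Not the talk's code: assumption made so that pours are enumerable."""
from itertools import combinations_with_replacement
from collections import Counter

N = 5  # bottles, indexed 0..4, bottle 4 is adjacent to bottle 0

def init(v):
    return all(x == 0 for x in v)

def cindy(v, v2):
    """Cinderella empties one adjacent pair (circularly); same(...) for the rest."""
    for i in range(N):
        j = (i + 1) % N
        emptied = v2[i] == 0 and v2[j] == 0
        same = all(v2[k] == v[k] for k in range(N) if k not in (i, j))
        if emptied and same:
            return True
    return False

def step(v, v2, J):
    """Stepmother pours all J units: no bottle decreases, the total grows by J."""
    return all(b >= a for a, b in zip(v, v2)) and sum(v2) - sum(v) == J

def over(v, B):
    return any(x > B for x in v)

def pours(v, J):
    """Every v'' with step(v, v'', J): distribute J whole units over N bottles."""
    for choice in combinations_with_replacement(range(N), J):
        c = Counter(choice)
        yield tuple(v[i] + c[i] for i in range(N))

def overflow_pour(v2, B, J):
    """Witness for  exists v'': step(v', v'') /\\ win(v'')  with win := over.
    Returns the first overflowing pour from v2, or None if none exists."""
    for v3 in pours(v2, J):
        if step(v2, v3, J) and over(v3, B):
            return v3
    return None

if __name__ == "__main__":
    after_cindy = (0, 0, 3, 4, 5)                  # Cinderella emptied bottles 0 and 1
    print(overflow_pour(after_cindy, B=5, J=1))   # (0, 0, 3, 4, 6)
```

A full solution of the clause needs win to be inductive over every Cinderella reply, which is what the Horn solver finds; this block only decides one round from a given position.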
Example: instantiation of universal quantifiers
    for (i = 0; i < n; i++) {
        a[i] = i;
    }
    assert("forall p: 0 <= p && p < n -> a[p] == p");