Consequence Generation, Interpolants, and Invariant Discovery

1
Consequence Generation,Interpolants,
andInvariant Discovery

• Ken McMillan
• Cadence Berkeley Labs

2
Automated abstraction

• Abstraction means throwing away information about
  a system not needed to prove a given property.
• Automated abstraction has become a key element in
  the practice of model checking.
• Verification of sequential circuits
• without abstraction, up to about 100 registers
• with abstraction, gt 200,000 registers!
• Software model checking
• without abstraction, finite-state only
• with abstraction, infinite-state, gt 100,000 loc

Note, we are talking about very shallow
properties!
3
Predicate Abstraction
Graf Saïdi

• Terminology A safety invariant is an inductive
  invariant that implies the safety condition of a
  program.
• Given a set of atomic predicates P, construct the
  strongest inductive invariant of a program
  expressible as a Boolean combination of P.
• That is, we are restricted to the language of
  Boolean combinations of P.
• Example let P ij,xy

strongest inductive invariant
xi yj while(x!0) x-- y-- if (i
j) assert y0
i j ) x y
But where do the predicates come from?
4
Iterative refinement
Verify Abstraction
safe
new abstraction
diagnostic information
Refine Abstraction
safe

• CounterExample Guided Abstraction Refinement
  (CEGAR)
• Diagnostic information is an abstract
  counterexample
• Refinement adds information sufficient to refute
  counterexample.
• In the infinite state case this refinement loop
  can diverge. This talk is concerned with avoiding
  diverging of the refinement loop, thus
• guaranteeing a limited kind of completeness.

5
Completeness of abstraction

• An abstraction is a restricted language L
• Example predicate abstraction (without
  refinement)
• L is the language of Boolean combinations of
  predicates in P
• We try to compute the strongest inductive
  invariant of a program in L
• An abstraction refinement heuristic chooses a
  sequence of sublangauges L0 µ L1,... from a
  broader langauge L.
• Example predicate abstraction with refinement
• L is the set of quantifier-free FO formulas (QF)
• Li is characterized by a set of atomic predictes
  Pi
• Completeness relative to a language

An abstraction refinement heuristic is complete
for language L, iff it always eventually chooses
a sublanguage Li µ L containing a safety
invariant whenever L contains a safety invariant.
6
Where do abstractions come from?

• Existing methods based on the idea of
  generalizing from the proof of particular cases.

Heuristic Information that is used to prove a
particular case is likely to be useful in the
general case.

• Examples
• Prove all executions of just k steps are safe
• Prove a particular program path is safe
• Refute a particular "abstract counterexample"

7
Structured Proofs

• A sequence of formulas assigned to the states of
  a program path, s.t.
• Each is a postcondition of its predecessor
• Starts with true, ends with false
• Example, path that executes our program loop once.

True
xi yj while(x!0) x-- y-- if (i
j) assert y0
Extract predicates from proof P ij,xy
i0j0 ) x1y1
i0j0 ) x2y2
False
SSA form!
8
Good proofs and bad proofs

• Bad example refute path using "weakest
  precondition"

True
xi yj while(x!0) x-- y-- if (i
j) assert y0
Extract predicates from proof P ij,
x0, y0 x1, y1...
ij Æ x1 ) y1
ij Æ x0 ) y0
False
As we unwind the loop further, these predicates
diverge...
9
Two questions

• How to generate structured proofs
• Proofs generated by decision procedures will not
  be structured
• Solution We can rewrite unstructured proofs into
  structured ones
• How to guarantee completeness
• Bad proofs lead to divergence
• Solution a structured prover

10
Interpolation Lemma
(Craig,57)

• Notation L(?) is the set of FO formulas over the
  symbols of ?
• If A Ù B false, there exists an interpolant A'
  for (A,B) such that
• A Þ A'
• A' Ù B false
• A' 2 L(A) Å L(B)
• Example
• A p Ù q, B Øq Ù r, A' q
• Interpolants from proofs
• in certain quantifier-free theories, we can
  obtain an interpolant for a pair A,B from a
  refutation in linear time. TACAS05
• in particular, we can have linear
  arithmetic,uninterpreted functions, and arrays

11
Interpolants for sequences

• Let A1...An be a sequence of formulas
• A sequence A0...An is an interpolant for
  A1...An when
• A0 True
• Ai-1 Æ Ai ) Ai, for i 1..n
• An False
• and finally, Ai 2 L (A1...Ai) Å L(Ai1...An)

In other words, the interpolant is a
structured refutation of A1...An
12
Structured proofs are interpolants
2. Each is over common symbols of prefix and
suffix
3. Begins with true, ends with false
idea R. Jhala
13
Enforcing completeness
Lattice of sublanguages
L
2. Refute counterexample at lowest possible level
xy
If a saftey invariant exists in Lk, then we never
exit Lk. Since this is f finite language,
abstraction refinement must converge.
14
Restriction Language Example

• Difference-bound formulas
• Let Lk be the Boolean combinations of constraints
  of the form
• x y c, or x c,
• where c k.
• Restrict the interpolants to L0

15
Consequence finders
McIlraith Amir, 2001

• A consequence finder takes as input a set of
  hypothese ? and returns a set of consequences of
  ?.
• Consequence finder R is complete for L-generation
  iff, for any f2 L
• G²f implies R(G)Å L² f

That is, the consequence finder need not generate
all consequences of ? in L, but the generated
L-consequences must imply all others.
16
Split prover

• Divide the prover into a sequence of
  communicating consequence finders...

Theorem If each Ri is complete for
L(Ai1...An)-generation, then iRi is complete
for refutation McIlraith Amir, 2001.
17
L-restricted split prover
R1
R2
R3
Rn
L
L
L
L
L

• In the L-restricted composition, LRi, the
  provers can exchange only formulas in L.

Theorem If each Ri is complete for
LÅL(Ai1...An)-generation, then Ai1...An has an
L-interpolant exactly when ? is refuted by LRi.
Moreover, the refutation generated by LRi,
induces an L-interpolant.
18
L-restricted interpolants
split proof
L-restricted interpolant
SSA sequence
LRi
structured proof
L-restricted split prover
Interpolation

• That is, if we can build complete consequence
  generators for some restriction language L, we
  have a complete procedure to generate
  L-restricted interpolants.

19
Complete abstraction heuristic

• Given finite languages L0 µ L1, µ L where Li
  QF...

Theorem This procedure is complete for QF
invariants. That is, if a safety invariant exists
in QF, we conclude "safe".
20
Proof idea

• Let ? be a program path ending in an error
  location.
• Let ?2 Lk be a safety invariant of the program.
• Then ?n-1 is an Lk-interpolant ?
• Thus, the split prover must find an
  Lk-interpolant ?
• Moreover, ? must contain an AP not in P
• (else predicate abstraction would have refute
  the path with P)
• Thus, we must add some AP in Lk to P at each
  iteration
• This must terminate, since Lk is a finite
  langauge
• (over the program variables)

21
Building a split prover

• First you have to choose your hierarchy L0,L1,...
• We will consider QF formulas with
• integer difference bound constraints (e.g., x y
  c)
• equality and uninterpreted functions
• restrict use of array operations "select" and
  "store"
• These are sufficient to prove simple properties
  of programs with arrays
• Our restriction language Lk will be determined by
• The finite set CD of allowed constants c in x y
  c
• The finite set CB of allowed constants c in x c
• The bound bf on the depth of nesting of function
  sybols

For a finite vocabulary, Lk is finite and every
formula is included in some Lk.
22
Lazy architecture
Constraints
Satisfying minterms
Ground Decision Procedure
SAT solver
Refutations
Refutation
Interpolation

• Note propositional part of refutation has
  non-local steps, but generated interpolant is
  still L-restricted, because propositional
  interpolation rules dont introduce new atomic
  predicates.

23
Prover architecture

• Lazy approach means split prover must refute only
  minterms
• Convexity theory is convex if Horn consequences
  are complete
• In convex case, provers only exchange literals
  Nelson Oppen, 1980
• Simple proof rules for complete unit consequence
  finding in Lk
• For EUF, us Shostak-style canonizer
• order terms appropriately, to generate desired
  consequences
• For linear arithmetic, use Fourier-Motzkin
• need weakening rule x y c ! x y d, if c lt
  d
• in case of a non-convexity, split cases in SAT
  solver
• integers and array store operations introduce
  non-convexities.
• Multiple theories handled by hierarchical
  decomposition

These and other optimizations can result in a
relatively efficient prover...
24
Performance comparison

• Refuting counterexamples for two hardest Windows
  device driver examples in the Blast benchmark
  set.
• Compare split prover against Nelson-Oppen style,
  same SAT solver

25
Some "trivial" benchmarks
example substring copy
main() char x, z int
from,to,i,j,k i from j 0
while(xi ! 0 i lt to) zj xi
i j / prove strlen(z) gt j /
assert !(k gt 0 k lt j zk 0)
26
Results
example SatAbs Magic Blast Blast (new)
simple loop X X ? ?
array copy X ? ? ?
two loops X X ? ?
array fill (increment) X ? ? ?
array fill (fixed size) X X ? ?
zero fill X X ? ?
scan for zero X X ? ?
string overflow X X ? ?
string concat (size) X ? ? ?
string concat (ovfl) X X ? slow
string copy X X ? ?
substring (size) X X ? ?
substring (ovfl) X X ? ?
X refine fail, ? bug, ? diverge, TO
timeout, ? verified safe
27
Summary

• An abstraction refinement heuristic is complete
  for language L if it guarantees to find a safety
  invariant if one exists in L
• Existing PA heuristics are incomplete and diverge
  on trivial programs
• CEGAR can be made complete by...
• Stratifying L into a hierarchy of finite
  sublanguages L0, L1, ...
• Refuting counterexamples with Lk-restricted split
  prover
• Staying at the lowest possible level of the
  hierarchy
• A split prover can be made efficient enough to
  use in practice
• (at least for some useful theories)
• Theoretical completeness can acutally lead to
  improved practical performance.

28
Abstraction in infinite lattices

• In a lattice of infinite height, fixed point
  computation may not converge
• ) widening ) incompleteness

29
Pure interpolant approach

• Progressively unfold the program, computing
  interpolants...

• If program has a safety invariant in QF,
  interpolants must eventually contain a safety
  invariant.
• This gives an alternative to predicate
  abstraction CAV06
• Note, this is neither a fixed point iteration,
  nor a parameterized approach.

30
Quantified invariants

• Even very simple properties often require
  quantified invariants
• This can be handled be a method called indexed
  predicate abstraction
• Predicates can contain index variables the are
  implicitly quantified
• Computes strongest quantified inductive invariant
  expressible as a Boolean combination of the the
  given atomic predicates
• To obtain completeness in this case, we need to
  restrict the number of quantifiers in Lk (else Lk
  is not finite, and we may diverge)
• Questions
• Is there a resolution strategy that is complete
  for consequence generation with a restricted
  number of free variables?
• Can we extend to richer theories, including,
  e.g., transitive closure?