1
Invariants on demand
  • K. Rustan M. Leino, Microsoft Research, Redmond, WA, USA
  • Francesco Logozzo, École Normale Supérieure, Paris, France

Spec# is joint work with Mike Barnett, Bor-Yuh Evan Chang, Robert DeLine, Manuel Fähndrich, Bart Jacobs, Wolfram Schulte, Herman Venter, Peter Müller, David A. Naumann, …

8 Sep 2005, invited talk, SEFM 2005, Koblenz, Germany
2
Software engineering problem
  • Building and maintaining large systems that are
    correct

3
Approach
  • Specifications record design decisions
    • bridge intent and code
  • Tools amplify human effort
    • manage details
    • find inconsistencies
    • ensure quality

4
Spec#
  • Experimental mix of contracts and tool support
  • Aimed at experienced developers who know the high cost of testing and maintenance
  • Superset of C#
    • non-null types
    • pre- and postconditions
    • object invariants
  • Tool support
    • more type checking
    • compiler-emitted run-time checks
    • static program verification

[Diagram: an axis labelled "degree of checking, effort", pointing into the future, along which C#, type checking, run-time checks, static verification and "contracts everywhere" are placed]
5
Spec# demo
6
Basic architecture of a static verifier
  program with specifications
    → verification condition generator
    → verification condition
    → theorem prover
    → correct, or a list of errors
7
Spec# static verifier architecture
  Spec# program
    → Spec# compiler
    → MSIL (bytecode)
    → translator
    → Boogie PL
    → inference engine          (computes invariants; over-approximates)
    → V.C. generator            (high precision; needs invariants)
    → verification condition
    → automatic theorem prover
    → correct, or a list of errors
  Boogie, aka the Spec# static program verifier, is the part after the compiler: the translator, the inference engine, the V.C. generator and the theorem prover.
8
Predicate abstraction and refinement
  e.g. Graf & Saïdi, SLAM, BLAST, …
  C program + predicates → predicate abstraction → boolean program → model checker
    → correct
    → or abstract trace → is the concrete trace feasible?
         yes → error message
         no  → predicate refinement → new predicates → back to predicate abstraction
9
Lemmas-on-demand theorem proving
  e.g. Verifun, de Moura & Rueß, CVC Lite, Zap, …
  input formula → propositional formula → SAT solver
    → unsatisfiable
    → or monome (conjunction of input literals) → consistent with the theories?
         yes → satisfiable
         no  → conflict-clause generation → lemmas → back to the SAT solver
10
Static program verification
  program + loop invariants → verification condition generation → verification condition → theorem prover
    → valid
    → or counterexample → program trace → error message
11
Loop invariants on demand
  program → verification condition generation (using loop invariants) → verification condition → theorem prover
    → valid
    → or counterexample → give up?
         yes → program trace → error message
         no  → more precise (stronger or context-sensitive) inference → loop invariants → back to verification condition generation
12
Generating the VC once
  program → verification condition (VC) → theorem prover
    → valid
    → or counterexample → give up?
         yes → program trace → error message
         no  → more precise inference → properties about loop invariants (a formula) → back to the theorem prover, without regenerating the VC
13
Example: finding the index of a minimum element in an array
  m := 0; x := 0;
  while x < N do
    if * then m := x end;
    x := x + 1
  end;
  if 0 < N then
    assert 0 ≤ m < N
  end
(The guard of the inner if does not survive in the transcript; the wp on slide 22 treats that if as a nondeterministic choice, written `*` here.)

14
Rewriting loops
  while B do S end
  where the program variables are x and y, S changes x, and J(x0,x,y) is a (not necessarily inductive) invariant of the loop, with x0 the value of x on entry, becomes
  x :[ true, J(x0,x,y) ];
  if B then S; assume false end
(x :[P, Q] is the specification statement: assert P, then give x arbitrary values satisfying Q; see slide 19 for its passive form.)

15
Example: after rewriting the loop
  m := 0; x := 0;
  x,m :[ true, J(x0,x,m0,m) ];
  if x < N then
    if * then m := x end;
    x := x + 1;
    assume false
  end;
  if 0 < N then
    assert 0 ≤ m < N
  end

16
Dynamic single assignment
  • Replace definitions and uses of variables by definitions and uses of different incarnations of the variables
  • Incarnation map before the statement on the left, after it on the right:
      {x↦x0, y↦y0}   x := E(x,y)   ⟿   x1 := E(x0,y0)   {x↦x1, y↦y0}
      {x↦x0, y↦y0}   x :[P(x,y), Q(x0,x,y)]   ⟿   x1 :[P(x0,y0), Q(x0,x1,y0)]   {x↦x1, y↦y0}

17
Dynamic single assignment: if
  • Given
      {x↦x0, y↦y0}   S   ⟿   S′   {x↦x1, y↦y0}
      {x↦x0, y↦y0}   T   ⟿   T′   {x↦x2, y↦y0}
  • then we have
      {x↦x0, y↦y0}   if E(x,y) then S else T end   ⟿   if E(x0,y0) then S′; x3 := x1 else T′; x3 := x2 end   {x↦x3, y↦y0}

18
Example: after applying dynamic single assignment
  m0 := 0; x0 := 0;
  x1,m1 :[ true, J(x0,x1,m0,m1) ];
  if x1 < N then
    if * then m2 := x1; m3 := m2 else m3 := m1 end;
    x2 := x1 + 1;
    assume false
  end;
  if 0 < N then
    assert 0 ≤ m1 < N
  end
(No join assignments follow the outer if: its then-branch ends in assume false and never reaches the join, so the final assert sees the incarnation m1 from the else-branch.)

19
Passive commands
  • In a dynamic-single-assignment program
    • change x := E into assume x = E
    • change x :[P, Q] into assert P; assume Q

20
Example: in passive form
  assume m0 = 0; assume x0 = 0;
  assume J(x0,x1,m0,m1);
  if x1 < N then
    if * then assume m2 = x1; assume m3 = m2 else assume m3 = m1 end;
    assume x2 = x1 + 1;
    assume false
  end;
  if 0 < N then
    assert 0 ≤ m1 < N
  end
(The assert true produced by the specification statement is dropped.)

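The loop rewriting of slide 14, the DSA rules of slides 16–17 and the passivation of slide 19, applied mechanically to the slide 13 program. This is an added example in my own Python, not the Spec#/Boogie implementation. Assumptions: the program is a tuple AST of my own design; the guard of the inner if is left nondeterministic (None, printed `*`), as the slides' wp treats it; J's arguments are listed per modified variable as (entry value, new value), so they come out as J(m0, m1, x0, x1) rather than the slide's J(x0,x1,m0,m1); and, as on slide 18, a branch that ends in `assume false` gets no join assignments.

```python
"""Slide 14 loop rewriting, slides 16-17 DSA and slide 19 passivation, applied to the slide 13
program.  Added illustration, not Spec#/Boogie code.  Commands and expressions are tuples;
('old', v) in a spec statement's Q denotes the value of v before the statement."""

TRUE, FALSE, SKIP = ('true',), ('false',), ('skip',)

def subst(e, env, old=None):
    """Rename variables in e: v -> env[v], ('old', v) -> old[v] (old defaults to env)."""
    old = env if old is None else old
    if isinstance(e, str): return env.get(e, e)
    if not isinstance(e, tuple): return e
    if e[0] == 'old': return old[e[1]]
    return (e[0],) + tuple(subst(a, env, old) for a in e[1:])

def assigned(cmd):
    """Variables the command may change ('S changes x', slide 14), in order of first assignment."""
    k = cmd[0]
    if k == 'assign': return [cmd[1]]
    if k == 'spec':   return list(cmd[1])
    if k == 'seq':    return list(dict.fromkeys(v for c in cmd[1] for v in assigned(c)))
    if k == 'if':     return list(dict.fromkeys(assigned(cmd[2]) + assigned(cmd[3])))
    if k == 'while':  return assigned(cmd[2])
    return []

def rewrite_loop(cmd):
    """while B do S end  ==>  x :[ true, J(old x, x) ]; if B then S; assume false end"""
    _, B, S = cmd
    xs = assigned(S)
    J = ('J',) + tuple(a for v in xs for a in (('old', v), v))
    return ('seq', [('spec', xs, TRUE, J), ('if', B, ('seq', [S, ('assume', FALSE)]), SKIP)])

# A branch ending in 'assume false' never reaches the join (slide 18: no join after the loop body).
def dead_end(cmd):
    return dead_end(cmd[1][-1]) if cmd[0] == 'seq' and cmd[1] else cmd == ('assume', FALSE)

def seq(parts):
    parts = [c for c in parts if c != SKIP]
    return SKIP if not parts else parts[0] if len(parts) == 1 else ('seq', parts)

class DSA:
    """Dynamic single assignment; env maps each program variable to its current incarnation."""
    def __init__(self): self.counter = {}
    def fresh(self, v):
        n = self.counter.get(v, 0); self.counter[v] = n + 1
        return f'{v}{n}'
    def run(self, cmd, env):
        k = cmd[0]
        if k == 'assign':                       # x := E(x,y)  ==>  x1 := E(x0,y0)
            e = subst(cmd[2], env); env[cmd[1]] = self.fresh(cmd[1])
            return ('assign', env[cmd[1]], e)
        if k == 'spec':                         # x :[P(x,y), Q(x0,x,y)]  ==>  x1 :[P(x0,y0), Q(x0,x1,y0)]
            _, xs, P, Q = cmd
            P = subst(P, env); new = dict(env, **{x: self.fresh(x) for x in xs}); Q = subst(Q, new, env)
            env.update(new)
            return ('spec', [new[x] for x in xs], P, Q)
        if k == 'seq': return ('seq', [self.run(c, env) for c in cmd[1]])
        if k == 'if':                           # slide 17: translate both branches, join with x3 := x1 / x3 := x2
            E = None if cmd[1] is None else subst(cmd[1], env)
            es, et = dict(env), dict(env)
            S, T = self.run(cmd[2], es), self.run(cmd[3], et)
            js, jt = [], []
            if dead_end(S): env.update(et)
            elif dead_end(T): env.update(es)
            else:
                for v in sorted(es):
                    if es[v] != et[v]:
                        env[v] = self.fresh(v)
                        js.append(('assign', env[v], es[v])); jt.append(('assign', env[v], et[v]))
            return ('if', E, seq([S] + js), seq([T] + jt))
        if k == 'while': return self.run(rewrite_loop(cmd), env)
        if k in ('assume', 'assert'): return (k, subst(cmd[1], env))
        return cmd                              # skip

def passivate(cmd):
    """Slide 19: x := E  ==>  assume x = E;   x :[P, Q]  ==>  assert P; assume Q  (assert true dropped)."""
    k = cmd[0]
    if k == 'assign': return ('assume', ('=', cmd[1], cmd[2]))
    if k == 'spec':   return seq(([] if cmd[2] == TRUE else [('assert', cmd[2])]) + [('assume', cmd[3])])
    if k == 'seq':    return ('seq', [passivate(c) for c in cmd[1]])
    if k == 'if':     return ('if', cmd[1], passivate(cmd[2]), passivate(cmd[3]))
    return cmd

def fmt(e):
    if not isinstance(e, tuple): return str(e)
    if e[0] in ('true', 'false'): return e[0]
    if e[0] == 'old': return f'old({e[1]})'
    if e[0] == 'J':   return 'J(' + ', '.join(fmt(a) for a in e[1:]) + ')'
    if e[0] == '<=<': return f'{fmt(e[1])} <= {fmt(e[2])} < {fmt(e[3])}'   # chained 0 <= m < N
    return f'{fmt(e[1])} {e[0]} {fmt(e[2])}'

def lines(cmd, ind=0):
    pad, k = '  ' * ind, cmd[0]
    if k == 'seq': return [ln for c in cmd[1] for ln in lines(c, ind)]
    if k == 'if':
        out = [f'{pad}if {"*" if cmd[1] is None else fmt(cmd[1])} then'] + lines(cmd[2], ind + 1)
        if cmd[3] != SKIP: out += [f'{pad}else'] + lines(cmd[3], ind + 1)
        return out + [f'{pad}end']
    if k == 'assign': return [f'{pad}{cmd[1]} := {fmt(cmd[2])}']
    if k == 'spec':   return [f'{pad}{",".join(cmd[1])} :[ {fmt(cmd[2])}, {fmt(cmd[3])} ]']
    if k in ('assume', 'assert'): return [f'{pad}{k} {fmt(cmd[1])}']
    return [f'{pad}skip']

# Slide 13's program; the inner guard is nondeterministic (None, printed '*'), as the slides' wp treats it.
EXAMPLE = ('seq', [
    ('assign', 'm', 0), ('assign', 'x', 0),
    ('while', ('<', 'x', 'N'), ('seq', [('if', None, ('assign', 'm', 'x'), SKIP),
                                       ('assign', 'x', ('+', 'x', 1))])),
    ('if', ('<', 0, 'N'), ('assert', ('<=<', 0, 'm', 'N')), SKIP)])

def passive_form(prog=EXAMPLE, variables=('m', 'x', 'N')):
    """Loop rewriting + DSA + passivation; returns the passive program's source lines (slide 20)."""
    return lines(passivate(DSA().run(prog, {v: v for v in variables})))

if __name__ == '__main__':
    print('\n'.join(passive_form()))
```

Running the file prints the passive program of slide 20 (with J's arguments in the order noted above). `passive_form` handles arbitrary nestings of assignment, specification statement, if, nondeterministic choice and while, i.e. the general translation of which the slides show one instance; variables never assigned, such as N, keep their name.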
21
Weakest preconditions
  • wp( assert E, Q )  =  E ∧ Q
  • wp( assume E, Q )  =  E ⇒ Q
  • wp( S; T, Q )  =  wp( S, wp( T, Q ) )
  • wp( if * then S else T end, Q )  =  wp( S, Q ) ∧ wp( T, Q )          (nondeterministic choice)
  • wp( if E then S else T end, Q )  =  (E ⇒ wp( S, Q )) ∧ (¬E ⇒ wp( T, Q ))

22
wp(Example, true)
  m0 = 0 ⇒ x0 = 0 ⇒
  J(x0,x1,m0,m1) ⇒
  ( x1 < N ⇒
      (m2 = x1 ⇒ m3 = m2 ⇒ x2 = x1 + 1 ⇒ false ⇒ …)
    ∧ (m3 = m1 ⇒ x2 = x1 + 1 ⇒ false ⇒ …)
  )
  ∧
  ( ¬(x1 < N) ⇒
      (0 < N ⇒ 0 ≤ m1 < N ∧ true)
    ∧ (¬(0 < N) ⇒ true)
  )
(After each `false ⇒` the slide leaves out the consequent, which is the same wp of the final if as in the ¬(x1 < N) branch; with antecedent false the implication holds trivially, so the then-branch of the loop contributes nothing.)

23
Counterexample monome
  The same formula as wp(Example, true) on the previous slide. The theorem prover does not find it valid: it returns a counterexample, the monome M of literals given on the next slide, under which the formula is false.

24
From monome to lemma
  • M  ≡  m0 = 0 ∧ x0 = 0 ∧ J(x0, x1, m0, m1) ∧ ¬(x1 < N) ∧ 0 < N ∧ ¬(0 ≤ m1)
  • On entry to the loop, the incarnations are m0, x0, N, about which M says
      m0 = 0 ∧ x0 = 0 ∧ 0 < N
  • Thus, assuming the condition
      m0 = 0 ∧ x0 = 0 ∧ 0 < N ∧ m0 = m ∧ x0 = x
    on entry to the loop, an abstract interpreter may infer the following loop invariant
      0 ≤ m0 ≤ m < N ∧ 0 ≤ x0 ≤ x ≤ N
  • Thus, the abstract interpreter produces the following lemma about J
      m0 = 0 ∧ x0 = 0 ∧ 0 < N ∧ J(x0, x1, m0, m1)  ⇒  0 ≤ m0 ≤ m1 < N ∧ 0 ≤ x0 ≤ x1 ≤ N

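The wp rules of slide 21 run on the passive program of slide 20, the counterexample monome of slides 23–24 evaluated against the resulting VC, and the slide 24 lemma shown to rule that counterexample out. This is an added example in my own Python, not Boogie or its theorem prover. Assumptions: formulas are tuple trees of my own design; the uninterpreted J is given a truth value in the environment; and in place of a theorem prover, validity of lemma ⇒ VC is checked by exhaustion over a small integer box, which is a sanity check rather than a proof (it suffices for this VC because, outside the `assume false` branch, it only mentions m0, x0, N, x1, m1).

```python
"""wp of the slides' passive example, the falsifying monome, and the lemma that rules it out.
Added illustration, not Boogie code.  Formulas and terms: int, variable name, or (op, arg...)."""
from itertools import product

TRUE, FALSE = ('true',), ('false',)
def AND(p, q): return ('and', p, q)
def IMP(p, q): return ('=>', p, q)
def NOT(p):    return ('not', p)

def wp(cmd, Q):
    """Weakest precondition of a passive command: the five rules of slide 21."""
    k = cmd[0]
    if k == 'assert': return AND(cmd[1], Q)
    if k == 'assume': return IMP(cmd[1], Q)
    if k == 'seq':
        for c in reversed(cmd[1]):
            Q = wp(c, Q)
        return Q
    if k == 'if':
        E, S, T = cmd[1:]
        if E is None:                                    # nondeterministic choice
            return AND(wp(S, Q), wp(T, Q))
        return AND(IMP(E, wp(S, Q)), IMP(NOT(E), wp(T, Q)))
    if k == 'skip': return Q
    raise ValueError(k)

def ev(f, env):
    """Evaluate f in env: ints for incarnations, a bool under 'J' for the uninterpreted invariant."""
    if isinstance(f, (bool, int)): return f
    if isinstance(f, str):         return env[f]
    op, *args = f
    if op == 'true':  return True
    if op == 'false': return False
    if op == 'J':     return env['J']
    if op == 'not':   return not ev(args[0], env)
    if op == 'and':   return ev(args[0], env) and ev(args[1], env)
    if op == '=>':    return (not ev(args[0], env)) or ev(args[1], env)
    a, b = ev(args[0], env), ev(args[1], env)
    return {'+': a + b, '=': a == b, '<': a < b, '<=': a <= b}[op]

def show(f):
    """Render a formula roughly as on slide 22."""
    if not isinstance(f, tuple): return str(f)
    op, *a = f
    if op in ('true', 'false'): return op
    if op == 'J':   return 'J(' + ', '.join(a) + ')'
    if op == 'not': return '!(' + show(a[0]) + ')'
    if op in ('and', '=>'): return '(' + show(a[0]) + (' && ' if op == 'and' else ' ==> ') + show(a[1]) + ')'
    return show(a[0]) + f' {op} ' + show(a[1])

J = ('J', 'x0', 'x1', 'm0', 'm1')
IN_RANGE = AND(('<=', 0, 'm1'), ('<', 'm1', 'N'))            # 0 <= m1 < N
PASSIVE = ('seq', [                                            # slide 20, as a tuple AST
    ('assume', ('=', 'm0', 0)), ('assume', ('=', 'x0', 0)),
    ('assume', J),
    ('if', ('<', 'x1', 'N'), ('seq', [
        ('if', None, ('seq', [('assume', ('=', 'm2', 'x1')), ('assume', ('=', 'm3', 'm2'))]),
                     ('assume', ('=', 'm3', 'm1'))),
        ('assume', ('=', 'x2', ('+', 'x1', 1))),
        ('assume', FALSE)]), ('skip',)),
    ('if', ('<', 0, 'N'), ('assert', IN_RANGE), ('skip',))])

VC = wp(PASSIVE, TRUE)                                         # slide 22

# Slide 24's monome M as one environment: m0 = 0, x0 = 0, J, !(x1 < N), 0 < N, !(0 <= m1).
MONOME_ENV = dict(m0=0, x0=0, N=1, x1=1, m1=-1, m2=0, m3=0, x2=0, J=True)

# The lemma about J that the abstract interpreter produces on slide 24.
LEMMA = IMP(AND(AND(AND(('=', 'm0', 0), ('=', 'x0', 0)), ('<', 0, 'N')), J),
            AND(AND(('<=', 0, 'm0'), AND(('<=', 'm0', 'm1'), ('<', 'm1', 'N'))),
                AND(('<=', 0, 'x0'), AND(('<=', 'x0', 'x1'), ('<=', 'x1', 'N')))))

def find_counterexample(f, bound=3):
    """Search a small integer box (and both truth values of J) for an environment falsifying f.
    m2, m3, x2 only occur under 'assume false', so a fixed value serves for them."""
    names = ('m0', 'x0', 'N', 'x1', 'm1')
    for vals in product(range(-bound, bound + 1), repeat=len(names)):
        for j in (True, False):
            env = dict(zip(names, vals), m2=0, m3=0, x2=0, J=j)
            if not ev(f, env):
                return env
    return None

def monome_falsifies_vc():
    return not ev(VC, MONOME_ENV)

def lemma_closes_vc(bound=3):
    """True when nothing in the box falsifies LEMMA ==> VC (a sanity check, not a proof)."""
    return find_counterexample(IMP(LEMMA, VC), bound) is None

if __name__ == '__main__':
    print(show(VC))
    print('monome falsifies VC:', monome_falsifies_vc())
    print('VC alone has a counterexample:', find_counterexample(VC))
    print('lemma ==> VC holds on the box:', lemma_closes_vc())
```

The search finds a counterexample to the bare VC (an environment of the shape of M: the loop is skipped, N is positive, and m1 is negative), and none to lemma ⇒ VC: whenever M's entry literals hold, the lemma forces 0 ≤ m1 < N, which is exactly the asserted property. This is the "lemmas on demand" step of slide 11 done for one iteration by hand instead of inside the prover.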
25
Summary and conclusions
  • Spec# is a programming system that includes a static program verifier
  • Trend: abstraction refinement on demand
  • Inference of invariants can be done this way, inside the theorem prover!
  • Inference can be context sensitive
  • VCs can be generated once
  • Extensions to procedure summaries?

Download Spec# from here:
http://research.microsoft.com/leino
http://research.microsoft.com/specsharp