Demanddriven inference of loop invariants in a theorem prover

1
Demand-driven inference ofloop invariants in a
theorem prover

• K. Rustan M. LeinoMicrosoft Research, Redmond,
  WA, USA
• joint work withFrancesco LogozzoÉcole
  Polytechnique, Paris, France

Spec joint work with Mike Barnett, Robert
DeLine, Manuel Fähndrich, Wolfram Schulte,
and Herman Venter
3 April 2005Invited talk, AVIS 2005Edinburgh,
Scotland, UK
2
Software engineering problem

• Building and maintaining large systems that are
  correct

3
Approach

• Specifications record design decisions
• bridge intent and code
• Tools amplify human effort
• manage details
• find inconsistencies
• ensure quality

4
Spec

• Experimental mix of contracts and tool support
• Aimed at experienced developers who know the high
  cost of testing and maintenance
• Superset of C
• non-null types
• pre- and postconditions
• object invariants
• Tool support
• more type checking
• compiler-emitted run-time checks
• static program verification

contracts everywhere
C
into the future
type checking
static verification
run-time checks
degree of checking,effort
5
Spec demo
6
Basic architecture of a static verifier
program with specifications
verification conditiongenerator
verification condition
theorem prover
correct or list of errors
7
Spec static verifier architecture
Spec
Spec compiler
MSIL (bytecode)
Spec static program verifier
translator
inference engine
Boogie PL

• computes invariants
• over-approximates

V.C. generator
verification condition

• high precision
• needs invariants

automatictheorem prover
correct or list of errors
8
Predicate abstraction and refinement
e.g. Graf Saïdi, SLAM, BLAST,
correct
modelchecker
boolean program
abstract trace
predicateabstraction
concrete trace
C program
predicates
feasible?
no
yes
error message
predicaterefinement
9
Lemmas-by-demand theorem proving
e.g. Verifun, de Moura Rueß, CVC Lite, Zap,
unsatisfiable
SAT solver
propositional formula
monome
conjunction of input literals
input formula
lemmas
consistent with theories?
no
yes
conflict-clause generation
satisfiable
10
Static program verification
valid
theoremprover
verification condition
counterexample
verification condition generation
program trace
loop invariants
program
error message
11
Loop invariants on demand
valid
theoremprover
verification condition
counterexample
verification condition generation
program trace
loop invariants
program
give up?
no
yes
more precise(stronger or context
sensitive)inference
error message
12
Generating VC once
valid
theoremprover
formula
counterexample
give up?
yes
no
?
program
more precise inference
verification condition (VC)
properties about loop invariants
program trace
error message
13
sourcelanguage
intermediatelanguage
passive command
verification condition
S,T x E assert E S T if E then
S else T end while E do S end
14
sourcelanguage
intermediatelanguage
passive command
verification condition
C,D x E assert E assume E C
D C D while do S end
15
sourcelanguage
intermediatelanguage
passive command
verification condition
Tr x E x E Tr assert E assert
E Tr ST Tr S Tr T Tr if E then S
else T end ( assume E Tr S assume
E Tr T ) Tr while E do S end while
do assume E Tr S end assume E
16
sourcelanguage
intermediatelanguage
passive command
verification condition
Tr x E x E Tr assert E assert
E Tr ST Tr S Tr T Tr if E then S
else T end ( assume E Tr S assume
E Tr T ) Tr while E do S end while
do assume E Tr S end ( assume E Tr
S assume false assume E)
x assume J
17
sourcelanguage
intermediatelanguage
passive command
verification condition

• variation on Single Static Assignment (SSA) form
• Examples
• if name of x before assert E is x0, then
  translate assert E into assert Ex0 / x
• if name of x before x E is x0, then make up
  a new name x1 and translate x E
  into assume x1 Ex0 / x

18
sourcelanguage
intermediatelanguage
passive command
verification condition

• if name of x is x0 after S and x1 after T ,
  then make up a new name x2 and translate S T
  into S assume x2 x0 T
  assume x2 x1
• if name of x is x0 before while do S end , then
  make up a new name x1 and translate the loop
  into assume J(x0, x1)where J is an
  uninterpreted predicate symbol

19
sourcelanguage
intermediatelanguage
passive command
verification condition

• wp( assert E, Q ) E ? Q
• wp( assume E, Q ) E ? Q
• wp( ST, Q ) wp( S, wp( T, Q ))
• wp( S T, Q ) wp( S, Q ) ? wp( T, Q )

20
Examplefinding index of minimum element in an
array

• m 0 x 0
• while x lt N do
• if then m x end
• x x 1
• end
• if N gt 0 then
• assert 0 m lt N
• end

21
Example passive command

• assume m0 0 assume x0 0
• assume J(m0, m1, x0, x1)
• ( assume x1 lt N
• ( assume m2 m1 assume m2 x1 )
• assume x2 x1 1
• assume false
• assume (x1 lt N)
• )
• ( assume N gt 0 assert 0 m1 lt N
• assume (N gt 0)
• )

22
Example from monome to lemma

• M m0 0 ? x0 0 ?
• J(m0, m1, x0, x1) ?
• (x1 lt N) ?
• N gt 0 ? (0 m1 lt N)
• On entry to the loop, the names m0, m1, N are in
  scope, about which M says
• m0 0 ? x0 0 ? N gt 0
• Thus, assuming the condition
• m0 0 ? x0 0 ? N gt 0 ? m0 m ? x0
  x
• on entry to the loop, an abstract interpreter may
  infer the following loop invariant
• 0 m0 m lt N ? 0 x0 x N
• Thus, the abstract interpreter produces the
  following lemma about J
• m0 0 ? x0 0 ? N gt 0 ? J(m0, m1, x0,
  x1) ?
• 0 m0 m1 lt N ? 0 x0 x1 N

23
Summary and conclusions

• Spec is a programming system that includes a
  static program verifier
• Trend abstraction refinement on demand
• Inference of invariants can be done this way,
  inside theorem prover!
• Inference can be context sensitive
• VCs can be generated once
• Extensions to procedure summaries

Watch forpreliminaryrelease of Specnext week
http//research.microsoft.com/leino
http//research.microsoft.com/projects/specsharp