© Anvesh Komuravelli

Quantified Invariants in Rich Domainsusing

Model Checking and Abstract Interpretation

Anvesh Komuravelli, CMU

Joint work with Ken McMillan

© Anvesh Komuravelli 2

The Problem

Array-Manipulating Program P

+ Assertions

Automatic analysis for

assertion failures

Safe + Proof

Unsafe + CEX

Unknown + Partial Proof

Quantified Invariants!

© Anvesh Komuravelli 3

Quantified Invariants, Typically

Specialized Abstract Domains

E.g. Segmentation abstraction,Indexed Predicate

Abstraction,Points-to Analysis, etc.

• Restrictive• False warnings

Unrestricted Model Checking

E.g. Interpolation-based

• Hard to find the right quantifiers• Divergence

Rich-enough abstract domain?

© Anvesh Komuravelli 4

The abstract domain

i := 0;while (i < n) {

//a[i] := c;i++;

}

assume (0 ≤ k < n)assert (a[k] = c)

Quantified variables

Predicate signature

AbstractDomain

Goal: Find a quantifier-free interpretationof the predicates

© Anvesh Komuravelli 5

Guess-and-check doesn’t work anymore!

i := 0;while (i < n) {

//a[i] := c;i++;

}

assume (0 ≤ k < n)assert (a[k] = c)

Given a guess for P, how to check if it suffices?

FOL validity is undecidable!

Can we still use existing model checkers?

© Anvesh Komuravelli 6

Let’s look at the VCs

i := 0;while (i < n) {

//a[i] := c;i++;

}

assume (0 ≤ k < n)assert (a[k] = c)

© Anvesh Komuravelli 7

Pulled to the outermost

scope

Let’s look at the VCs

© Anvesh Komuravelli 8

Let’s look at the VCs

Real challenge!

Find a sufficient set of witnesses

© Anvesh Komuravelli 9

Let’s look at the VCs

Reduces to quantifier-freeinvariant generation

(use an off-the-shelfmodel checker)

© Anvesh Komuravelli 10

Two Goals

i := 0;while (i < n) {

//a[i] := c;i++;

}

assume (0 ≤ k < n)assert (a[k] = c)

Quantified variables

Predicate signature

AbstractDomain

Goal 2: Find a quantifier-free interpretationof the predicates

Goal 1: Find a sufficient set ofwitnesses for j

© Anvesh Komuravelli 11

A Strategy

Guess some witnesses

Check if they suffice using a model checker Y Found Proof

N

Give up!

Eager Syntactic Pattern Matching

[BMR13]

[BMR13]: On Solving Universally Quantified Horn Clauses,Bjorner, McMillan, Rybalchenko, SAS’13

• Unguided instantiation• Worst-case unbounded• Grows exponentially with

number of quantified vars• May choke the model checker• No fall-back strategy

© Anvesh Komuravelli 12

Our Strategy

Guess some witnesses

Check if they suffice using a model checker Y Found Proof

N CEX

Refine the guessConstraint

on the witness

Guess-and-check,but of the witnesses and

not the invariant itself

© Anvesh Komuravelli 13

Obtaining Strong Constraints

Generalized Counterexamples Strong Constraints

Symbolic Counterexamples

• Number of variables = O(size)• Constraint solving becomes harder

(easily diverging)

Ground Counterexamples+

Abstract Interpretation

© Anvesh Komuravelli 14

Note – one witness suffices!

is equivalent to

May not be expressible!

© Anvesh Komuravelli 15

Concrete vs. Abstract

© Anvesh Komuravelli 16

Concrete vs. Abstract

© Anvesh Komuravelli 17

The algorithm[B]

[L]

[E]

© Anvesh Komuravelli 18

The algorithm

Instantiate Check

[B]

[L]

[E]

P(k0,v0,i0,c0)

P(k1,v1,i1,c1)

P(k2,v2,i2,c2)

B

L

L

E

© Anvesh Komuravelli 19

The algorithm

Instantiate Check

P(k0,v0,i0,c0) P(k1,v1,i1,c1) P(k2,v2,i2,c2)B L L E

Analyze

© Anvesh Komuravelli 20

The algorithm

Instantiate Check

P(0,0,0,0) P(0,0,1,0) P(0,0,2,0)B L L E

Analyze

✕? ✕? ✕? ✕?

© Anvesh Komuravelli 21

P(0,0,0,0) P(0,1,0,0) P(0,2,0,0)B L L E

✕? ✕? ✕? ✕?

Use k for j

The algorithm

Instantiate Check Analyze

© Anvesh Komuravelli 22

The algorithm

Instantiate

[B]

[L]

[E]

© Anvesh Komuravelli 23

The algorithm

Instantiate

[B]

[L]

[E]

…

© Anvesh Komuravelli 24

Finding a new witness

Given Constraint

Checklocal vars

quantified variable

Skolem Template f

Solve for t using sampling-based approachrestrict to

linear templates

© Anvesh Komuravelli 25

Add lc to existing samples S

Pick candidate tc

Quantifier Alternation using Sampling

?Y

Return tc

CEX lc

?

N

CEX SNY

Newcandidate

tc

Source of Divergence!

Quantifier Elimination

Eliminate arrays(thanks to Nikolaj for

the discussion),

Cheap QE of integers

© Anvesh Komuravelli 26

Abstract Post, in practice

1. Cheap QE tricks, case-split on equalities on j, etc.2. Under-approximate, otherwise.

SolveGeneralize models

1. Cheap QE tricks, case-split on array-index arguments, etc.2. Under-approximate, otherwise.

Solve an SMT problemGeneralize models

© Anvesh Komuravelli 27

Experiments

Implemented “qe_array” tactic in Z3 Prototype in Python using Z3Py interface for witness generation

Automatically generated “sufficient witnesses” for small array-manipulatingprograms (BMR13) – array init, find, copy, concatenate, reverse, etc. Used GPDR engine in Z3 to solve for quantifier-free predicates Up to two universal quantifiers per predicate Witness was just a local variable in the VC

© Anvesh Komuravelli 28

Moving forward…

Scalability

Handle large programs (with multiple procedures) How to pick relevant “set” of witnesses? Can we synthesize guards to combine them into a single witness?

Implementation-wise

Cache previous AI results Reuse bounded proofs – Proof-based Abstraction Lazy QE – postponing to later steps?

Alternatives

Use over-approximations of reachable states Witness may not exist – need to refine the approximation

© Anvesh Komuravelli 29

Questions?