Automating Relatively Complete Verification of Higher-Order Functional Programs

Hiroshi Unno (University of Tsukuba)Tachio Terauchi (Nagoya University)

Naoki Kobayashi (University of Tokyo)

2013/1/23 POPL 2013 1

Path-Sensitive Verifier for Functional Programs(cf. SLAM, BLAST, … for Imperative Programs)

2013/1/23 POPL 2013 2

let rec mc x = if x > 100 then x – 10 else mc (mc (x + 11))inlet n = randi() inif n · 101 then assert (mc n = 91) Verifier

Program & Spec.Result

Certificateor

Counterexample

All these verifiers are based on refinement type system

(cf. Hoare logic for first-orderimperative programs)

Demo

• Refinement type inference by Horn clause solving [Unno and Kobayashi 2008, 2009]

• Liquid Types [Rondon, Kawaguchi and Jhala 2008, …]• Depcegar [Terauchi 2010]• MoCHi [Sato, Unno and Kobayashi 2011, 2013]• HMC [Jhala, Majumdar and Rybalchenko 2011]

Refinement Types

Non-negative integers

Functions that take an integer andreturn an integer not less than

2013/1/23 POPL 2013 3

FOL formulas for refinement

Soundness of refinement type system : is safe (i.e., )if is well-typed (i.e., )

𝐥𝐞𝐭 𝐚𝐩𝐩𝐥𝐲 𝒙 𝒇= 𝒇 𝒙

Example: Typing Safe Program under

2013/1/23 POPL 2013 4

𝒙 : 𝐢𝐧𝐭→ {𝝂∨𝝂=𝒙 }→𝐮𝐧𝐢𝐭

{𝝂|𝝂=𝒊 }→𝐮𝐧𝐢𝐭

𝒙 : 𝐢𝐧𝐭→ ( {𝝂|𝝂=𝒙 }→𝐮𝐧𝐢𝐭 )→𝐮𝐧𝐢𝐭

( {𝝂|𝝂=𝒊 }→𝐮𝐧𝐢𝐭 )→𝐮𝐧𝐢𝐭( {𝝂|𝝂=𝒊 }→𝐮𝐧𝐢𝐭 )→𝐮𝐧𝐢𝐭Well-typed!

Automated Verification viaRefinement Type Inference

• Input a program • Infer a type environment such that

(cf. invariant inference for Hoare logic)

2013/1/23 POPL 2013 5

𝐥𝐞𝐭 𝐚𝐩𝐩𝐥𝐲 𝒙 𝒇= 𝒇 𝒙𝚪={𝐚𝐩𝐩𝐥𝐲↦𝒙 : 𝐢𝐧𝐭→ ( {𝝂|𝝂=𝒙 }→𝐮𝐧𝐢𝐭 )→𝐮𝐧𝐢𝐭

𝐜𝐡𝐞𝐜𝐤↦𝒙 :𝐢𝐧𝐭→ {𝝂|𝝂=𝒙 }→𝐮𝐧𝐢𝐭 ,𝐦𝐚𝐢𝐧↦𝐢𝐧𝐭→𝐮𝐧𝐢𝐭 }

Limitation of Refinement Type System

Incompleteness: There is a safe but untypable program

2013/1/23 POPL 2013 6

whereas Hoare logic is relatively complete

𝐥𝐞𝐭 𝐚𝐩𝐩𝐥𝐲𝐬𝐰 𝒇 𝒙= 𝒇 𝒙

Example: Safe but Untypable Program

2013/1/23 POPL 2013 7

{𝝂|𝝂=𝒊 }→𝐮𝐧𝐢𝐭

( {𝝂|𝑷 (𝝂 )}→𝐮𝐧𝐢𝐭 )→ 𝒙 : {𝝂|𝑸(𝝂)}→𝐮𝐧𝐢𝐭( {𝝂|𝑷 (𝝂 )}→𝐮𝐧𝐢𝐭 )→ 𝒙 : {𝝂|𝑸(𝝂)}→𝐮𝐧𝐢𝐭Cannot

depend on

Untypable because:

Refinement predicate for

Refinement predicate for the 1st arg. of

Our Contributions

• Relatively complete extension ofordinary refinement type system

• Type inference method for

2013/1/23 POPL 2013 8

Our Contributions

• Relatively complete extension ofordinary refinement type system

• Type inference method for

2013/1/23 POPL 2013 9

for any safe programgiven an oracle to decide the validity of

formulas of Peano arithmetic

Our Design Goal of

• Easy to automate type checking & inference– By exploiting techniques from first-order

automated theorem proving (e.g., interpolation, SMT)• Rejected alternative designs:– Refinement predicates on functions (cf. Coq)

– Unrestricted use of quantification (cf. Dependent ML)

2013/1/23 POPL 2013 10

𝐥𝐞𝐭 𝐚𝐩𝐩𝐥𝐲𝐬𝐰 𝒇 𝒙= 𝒇 𝒙

Our Approach: RestrictedUse of Quantification

• Add one universal quantifier over integerjust before each function parameter[Goerdt 1985, German, Clarke, and Halpern 1983, 1989]

2013/1/23 POPL 2013 11

∀𝒂 . ( {𝝂|𝑷 (𝝂 ,𝒂) }→𝐮𝐧𝐢𝐭 )→ {𝝂|𝑸 (𝝂 ,𝒂)}→𝐮𝐧𝐢𝐭

A quantifier instantiation for

𝐥𝐞𝐭 𝐚𝐩𝐩𝐥𝐲𝐬𝐰 𝒇 𝒙= 𝒇 𝒙

Example: Typing under

2013/1/23 POPL 2013 12

{𝝂|𝝂=𝒊 }→𝐮𝐧𝐢𝐭 {𝝂|𝝂=𝒊 }

∀𝒂 . ( {𝝂|𝑷 (𝝂 ,𝒂) }→𝐮𝐧𝐢𝐭 )→ {𝝂|𝑸 (𝝂 ,𝒂)}→𝐮𝐧𝐢𝐭{𝝂∨𝝂=𝒂} {𝝂|𝝂=𝒂 }

[𝒊]Well-typed!

Theorem: Relative Completeness of

2013/1/23 POPL 2013 13

A program is safe

There exists a substitution for “?”s such that

Our Contributions

• Relatively complete extension ofordinary refinement type system

• Type inference method for

2013/1/23 POPL 2013 14

Type Inference for

• Find a substitution as well asa type environment such that

2013/1/23 POPL 2013 15

𝐥𝐞𝐭 𝐚𝐩𝐩𝐥𝐲𝐬𝐰 𝒇 𝒙= 𝒇 𝒙

Our Approach

• Counterexample guided inference of and (cf. CEGAR in software model checking for imperative programs)– For inference of a type environment :• Use existing refinement type inference methods for

[Terauchi 2010, Kobayashi, Sato, Unno 2011]

– For inference of a substitution for “?”s: • Use a new method based on non-linear constraint solving

2013/1/23 POPL 2013 16

Our Approach

• Counterexample guided inference of and (cf. CEGAR in software model checking for imperative programs)– For inference of a type environment :• Use existing refinement type inference methods for

[Terauchi 2010, Kobayashi, Sato, Unno 2011]

– For inference of a substitution for “?”s: • Use a new method based on non-linear constraint solving

2013/1/23 POPL 2013 17

Counterexample GuidedRefinement Type Inference

2013/1/23 POPL 2013 18

Input Program

unsafe

Step 1: Fixed-PointType Inference [1,2]

Step 3: Refinement [1,2]

safe

Counter-example s.t.

CandidateType Envs.

yes

∃𝚪 .𝚪⊢𝝅

∃𝚪∈𝚫 .𝚪⊢𝑷

Step 2: SafetyCheck of [2]

no

unknown

¬∃𝚪∈𝚫 .𝚪⊢𝑷

¬∃𝚪 .𝚪⊢𝝅

New CandidateType Envs.

s.t.

[1] Terauchi POPL 2010 [2] Kobayashi, Sato, Unno PLDI 2011

Our Approach

• Counterexample guided inference of and (cf. CEGAR in software model checking for imperative programs)– For inference of a type environment :• Use existing refinement type inference methods for

[Terauchi 2010, Kobayashi, Sato, Unno 2011]

– For inference of a substitution for “?”s: • Use a new method based on non-linear constraint solving

2013/1/23 POPL 2013 19

Candidate Substitution

Counterexample GuidedSubstitution Inference

2013/1/23 POPL 2013 20

Input Program

unsafe

Step 1: Fixed-PointType Inference [1,2]

safe

Counter-example s.t.

CandidateType Envs.

yes

∃𝚪 .𝚪⊢𝝈 𝝅

∃𝚪∈𝚫 .𝚪⊢𝝈𝑷

Step 2: SafetyCheck of [2]

no

¬∃𝚪∈𝚫 .𝚪⊢𝝈 𝑷

¬∃𝚪 .𝚪⊢𝝈𝝅

New CandidateType Envs.

s.t.

[1] Terauchi POPL 2010 [2] Kobayashi, Sato, Unno PLDI 2011

Instantiated Program

New Candidate Substitution

s.t.

Step 3: Refinement [1,2]

Finding New Candidate Substitution

• Input:a safe non-recursive fragment such that

• Output: such that

2013/1/23 POPL 2013 21

By reduction to non-linear constraint solving using linear expression templates for

𝐥𝐞𝐭 𝐚𝐩𝐩𝐥𝐲𝐬𝐰 𝒇 𝒙= 𝒇 𝒙𝐥𝐞𝐭 𝐚𝐩𝐩𝐥𝐲𝐬𝐰 𝒇 𝒙= 𝒇 𝒙

Example: Reduction to Non-Linear Constraint Solving

2013/1/23 POPL 2013 22

∃𝒄𝟎 ,𝒄𝟏 ,𝑷 ,𝑸

. (∀𝒂 ,𝒙 , 𝒊 .𝒂=𝒄𝟎+𝒄𝟏 ⋅𝒊∧𝒙=𝒊⇒𝑸 (𝒂 , 𝒙 )∀𝒂 ,𝒙 ,𝝂 .𝑸 (𝒂 ,𝒙 )∧𝝂=𝒙⇒ 𝑷 (𝒂 ,𝝂)∀𝒂 ,𝝂 , 𝒊 .𝑷 (𝒂 ,𝝂 )∧𝒂=𝒄𝟎+𝒄𝟏⋅𝒊⇒𝝂=𝒊)

∀𝒂 .( {𝝂|𝑷 (𝒂 ,𝝂 ) }→𝐮𝐧𝐢𝐭 )→ {𝒙∨ {𝑸 (𝒂 , 𝒙 ) }→𝐮𝐧𝐢𝐭

Example: Non-linearConstraint Solving (1/2)

2013/1/23 POPL 2013 23

∃𝒄𝟎 ,𝒄𝟏 .∀ 𝒂 , 𝒊 , 𝒋 .𝒂=𝒄𝟎+𝒄𝟏⋅𝒊∧

𝒂=𝒄𝟎+𝒄𝟏⋅ 𝒋⇒ 𝒊= 𝒋

∃𝒄𝟎 ,𝒄𝟏 ,𝑷 ,𝑸

. (∀𝒂 ,𝒙 , 𝒊 .𝒂=𝒄𝟎+𝒄𝟏 ⋅𝒊∧𝒙=𝒊⇒𝑸 (𝒂 , 𝒙 )∀𝒂 ,𝒙 ,𝝂 .𝑸 (𝒂 ,𝒙 )∧𝝂=𝒙⇒ 𝑷 (𝒂 ,𝝂)∀𝒂 ,𝝂 , 𝒊 .𝑷 (𝒂 ,𝝂 )∧𝒂=𝒄𝟎+𝒄𝟏⋅𝒊⇒𝝂=𝒊)

Elim.

Elim.

∃𝒄𝟎 ,𝒄𝟏 ,𝑸

. (∀𝒂 ,𝒙 , 𝒊 .𝒂=𝒄𝟎+𝒄𝟏 ⋅𝒊∧𝒙=𝒊⇒𝑸 (𝒂 , 𝒙 )

∀𝒂 ,𝒙 ,𝝂 , 𝒊 . 𝑸 (𝒂 , 𝒙 )∧𝝂=𝒙∧𝒂=𝒄𝟎+𝒄𝟏⋅𝒊⇒𝝂=𝒊 )

iff

Example: Non-linearConstraint Solving (2/2)

2013/1/23 POPL 2013 24

∃𝒄𝟎 ,𝒄𝟏 .∀ 𝒂 , 𝒊 , 𝒋 .𝒂=𝒄𝟎+𝒄𝟏⋅ 𝒊∧𝒂=𝒄𝟎+𝒄𝟏⋅ 𝒋⇒ 𝒊= 𝒋

∃𝒄𝟎 ,𝒄𝟏 .∃𝝀𝟏 ,𝝀𝟐 .𝝀𝟏+𝝀𝟐=𝟎∧

𝒄𝟏⋅𝝀𝟏=𝟏∧𝒄𝟏⋅𝝀𝟐=−𝟏

𝒄𝟎=𝟎 ,𝒄𝟏=𝟏

𝐥𝐞𝐭 𝐚𝐩𝐩𝐥𝐲𝐬𝐰 𝒇 𝒙= 𝒇 𝒙𝒊

to

Bit-vector modeling & SMT [Gulwani, Srivastava, Venkatesan 2008]

Farkas’ lemma: iff

Implementation

• Extended MoCHi [Sato, Unno and Kobayashi 2011, 2013]

with the type inference method for

2013/1/23 POPL 2013 25

let rec mc x = if x > 100 then x – 10 else mc (mc (x + 11))inlet n = randi() inif n · 101 then assert (mc n = 91) MoCHi

Program & Spec.Result

Certificateor

Counterexample

Conclusion

• Relatively complete refinement type system – Restricted use of quantification• Add one universal quantifier over integer

just before each function parameter

• Type inference method for – Counterexample guided inference of and • inference by application of existing refinement type

inference methods [Terauchi 2010, Kobayashi, Sato, Unno 2011]

• Inference by reduction to non-linear constraint solving

2013/1/23 POPL 2013 26