A specialization calculus for program verification

Cristian GherghinaJoint work with:

Wei-Ngan Chin, Razvan Voicu, Quang Loc Le Florin Craciun, Shengchao Qin

Focus

Logics with inductive predicates provide an expressive abstraction mechanism

Becoming popular in the field of program analysis

Tricky to efficiently reason with

2

Folding/Unfolding Given a predicate definition

Unfolding performance loss Unfolded states are costlier due to disjunctions

3

Unfolding

Folding

Proposal

We introduce a sound and complete calculus to support pruning of infeasible disjuncts

Use predicate specialization.Benefits:

eagerly discards unsatisfiable disjunctsstate in abstracted form

4

OverviewMotivating example

Informal description of the calculus

Predicate Specialization

Annotation inference

Experiments

5

Motivating Example

6

Consider the entailment:

The LHS unfolds to:

Motivation

7

Performance penaltiesUnfold operations are followed by costly

satisfiability checks

The remaining satisfiable disjuncts expose considerable information Detailed information not always needed Reasoning with larger formulas is inherently costly

8

OverviewMotivating example

Informal description of the calculus

Predicate Specialization

Correctness

Experiments

9

Predicate definition changes

10

Invariant family

Pruning conditions

The previous entailment with annotations

Predicate specialization , for list x1. Pruning

2. Invariant enrichment

Entailment - revisited

11

Predicate specialization, for list y

1. Pruning

2. Invariant enrichment

Entailment - revisited

12

OverviewMotivating example

Informal description of the calculus

Predicate Specialization

Annotation inference

Experiments

13

Predicate Specialization Convention:

We will use the term context ( C ) to denote the pure part of the formula

The rationale is that C will be the context in which predicate specialization takes place

14

Predicate SpecializationPredicate specialization

Aims forfewer viable branches : L2L1 fewer possible pruning conditions : R2

R1 stronger context : C1 C2

15

Given

1. Pick a pruning condition 2. Drop the infeasible branches from L3. Enrich the context 4. Drop irrelevant pruning conditions

Predicate Specialization

16

L={1,2} ; C : ;

1. From pick:

Contradicts with C : -> such checks can be syntactic

2. Drop infeasible branches :

3. Add the invariant of to C C1 :

4. Drop irrelevant pruning conditions

17

Irrelevant pruning conditionsGiven:

C : L : {1}

Result:

18

Predicate specialization gains

Simple implication checks (mostly syntactic)

Considerable drop in formula size after an unfold

Increase in formula information without an unfold

19

OverviewMotivating example

Informal description of the calculus

Predicate Specialization

Annotation inference

Experiments

20

Annotation inference

We need a mechanism for computing

Invariant family Pruning conditions

21

Inferring the invariant familyGiven a predicate definition

Compute fixpoint for the predicate definition

For each possible set of branches compute a conjunctive invariant

22

Inferring the invariant family (for dll)1. Replace recursive points with , the fixpoint of2. For each possible subset of the branches:

23

Branch

{1}{2}{1,2}

Pick the pure part of the branches root=null ( root=null) ∨

Transform to simple constraints root=null

( root=null) ∨()

Approximate to a conjunction root=null

Inferring the pruning conditionsGiven a predicate definition and the invariant

families

Compute an approximation of the closure of branch invariants

For each atomic constraint in all closures construct the list of branches in which it appears (by which it is implied)

24

Inferring the pruning conditionsCompute an approximation of the transitive closure of each

branch invariant

Group all branches that imply an atomic constraint

25

Branch

branch invariant Transitive closure

{1} root=null root=null{2} {1,2} Guard Branch

esGuard Branch

es

{1}Guard Branche

s

OverviewMotivating example

Informal description of the calculus

Predicate Specialization

Annotation inference

Experiments

26

ExperimentsAdded the calculus to a program verifier

(HIP)Verified functional correctness for small and

medium-sized programs with moderate complexity.

A benchmark of 17 small programs (7% faster)Singly, doubly, sorted and circular linked lists, selection-

sort, insertion- sort, methods for handling heaps an perfect trees

Complex shapes and invariants (12-90% faster) Red black trees, balanced binary trees, quick sort,

merge sort

27

28

17 small progs

Bubblesort

Quicksort

Mergesort

Complete

AVL (h, s,b)

Heap Trees

AVL (h, s)

AVL (h, s, s)

Red Black

0

20

40

60

80

100

Avg. Dis-juncts

Avg. Size

Time

HIP %

HIP + Spec :

Changes

Formula size 13%

Disjuncts per formula 36%

Total verification time 15%

ConclusionsPresented an effective, sound and complete

calculus for predicate specialization

Application of the calculus benefits in two ways: Keep abstraction, where possible Improve verification performance by

Pruning unsatisfiable disjuncts Propagate invariant constraints Various optimization techniques (details in paper).

29

Questions?

Thank you!

30