Automating Relatively Complete Verification of Higher-Order Functional Programs

Hiroshi Unno (University of Tsukuba), Tachio Terauchi (Nagoya University), Naoki Kobayashi (University of Tokyo)

2013/1/23 POPL 2013


Path-Sensitive Verifier for Functional Programs (cf. SLAM, BLAST, … for Imperative Programs)


let rec mc x = if x > 100 then x - 10 else mc (mc (x + 11)) in
let n = randi () in
if n <= 101 then assert (mc n = 91)

Program & Spec. → Verifier → Result: Certificate or Counterexample

All these verifiers are based on a refinement type system (cf. Hoare logic for first-order imperative programs)

Demo

• Refinement type inference by Horn clause solving [Unno and Kobayashi 2008, 2009]
• Liquid Types [Rondon, Kawaguchi and Jhala 2008, …]
• Depcegar [Terauchi 2010]
• MoCHi [Sato, Unno and Kobayashi 2011, 2013]
• HMC [Jhala, Majumdar and Rybalchenko 2011]

Refinement Types

Non-negative integers

Functions that take an integer and return an integer not less than


FOL formulas for refinement

Soundness of refinement type system: is safe (i.e., ) if is well-typed (i.e., )

let apply x f = f x

Example: Typing Safe Program under


x : int → {ν | ν = x} → unit
{ν | ν = i} → unit
x : int → ({ν | ν = x} → unit) → unit
({ν | ν = i} → unit) → unit
Well-typed!

Automated Verification via Refinement Type Inference

• Input a program
• Infer a type environment such that

(cf. invariant inference for Hoare logic)


let apply x f = f x
Γ = { apply ↦ x : int → ({ν | ν = x} → unit) → unit, check ↦ x : int → {ν | ν = x} → unit, main ↦ int → unit }

Limitation of Refinement Type System

Incompleteness: there is a safe but untypable program, whereas Hoare logic is relatively complete

let applysw f x = f x

Example: Safe but Untypable Program


{ν | ν = i} → unit
({ν | P(ν)} → unit) → x : {ν | Q(ν)} → unit
Cannot depend on

Untypable because:

Refinement predicate for

Refinement predicate for the 1st arg. of

Our Contributions

• Relatively complete extension of ordinary refinement type system: for any safe program, given an oracle to decide the validity of formulas of Peano arithmetic

• Type inference method for

Our Design Goal of

• Easy to automate type checking & inference
  – By exploiting techniques from first-order automated theorem proving (e.g., interpolation, SMT)
• Rejected alternative designs:
  – Refinement predicates on functions (cf. Coq)
  – Unrestricted use of quantification (cf. Dependent ML)


let applysw f x = f x

Our Approach: Restricted Use of Quantification

• Add one universal quantifier over integer just before each function parameter [Goerdt 1985; German, Clarke, and Halpern 1983, 1989]


∀a. ({ν | P(ν, a)} → unit) → {ν | Q(ν, a)} → unit

A quantifier instantiation for

let applysw f x = f x

Example: Typing under


∀a. ({ν | P(ν, a)} → unit) → {ν | Q(ν, a)} → unit
with P(ν, a) := ν = a and Q(ν, a) := ν = a, i.e. ∀a. ({ν | ν = a} → unit) → {ν | ν = a} → unit
instantiated at [i] (a := i): ({ν | ν = i} → unit) → {ν | ν = i} → unit
Well-typed!

Theorem: Relative Completeness of


A program is safe

There exists a substitution for “?”s such that


Type Inference for

• Find a substitution as well as a type environment such that


let applysw f x = f x

Our Approach

• Counterexample guided inference of and (cf. CEGAR in software model checking for imperative programs)
  – For inference of a type environment: use existing refinement type inference methods for [Terauchi 2010, Kobayashi, Sato, Unno 2011]
  – For inference of a substitution for “?”s: use a new method based on non-linear constraint solving


Counterexample Guided Refinement Type Inference

[Flowchart, rendered as text]
Input Program → Step 1: Fixed-Point Type Inference [1,2] → Candidate Type Envs.
Step 2: Safety Check of [2]:
  yes (∃Γ ∈ Δ. Γ ⊢ P) → safe
  no (¬∃Γ ∈ Δ. Γ ⊢ P) → Counter-example s.t.
Counter-example:
  ∃Γ. Γ ⊢ π → Step 3: Refinement [1,2] → New Candidate Type Envs. s.t. → back to Step 2
  ¬∃Γ. Γ ⊢ π → unsafe
Remaining outcome: unknown

[1] Terauchi POPL 2010 [2] Kobayashi, Sato, Unno PLDI 2011


Counterexample Guided Substitution Inference

[Flowchart, rendered as text]
Input Program + Candidate Substitution → Instantiated Program → Step 1: Fixed-Point Type Inference [1,2] → Candidate Type Envs.
Step 2: Safety Check of [2]:
  yes (∃Γ ∈ Δ. Γ ⊢ σP) → safe
  no (¬∃Γ ∈ Δ. Γ ⊢ σP) → Counter-example s.t.
Counter-example:
  ∃Γ. Γ ⊢ σπ → Step 3: Refinement [1,2] → New Candidate Type Envs. s.t. → back to Step 2
  ¬∃Γ. Γ ⊢ σπ → New Candidate Substitution s.t. → back to Step 1, or unsafe

Finding New Candidate Substitution

• Input: a safe non-recursive fragment such that
• Output: such that

By reduction to non-linear constraint solving using linear expression templates for

let applysw f x = f x

Example: Reduction to Non-Linear Constraint Solving


∃c0, c1, P, Q. (∀a, x, i. a = c0 + c1·i ∧ x = i ⇒ Q(a, x))
             ∧ (∀a, x, ν. Q(a, x) ∧ ν = x ⇒ P(a, ν))
             ∧ (∀a, ν, i. P(a, ν) ∧ a = c0 + c1·i ⇒ ν = i)

∀a. ({ν | P(a, ν)} → unit) → {x | Q(a, x)} → unit

Example: Non-linear Constraint Solving (1/2)


∃c0, c1, P, Q. (∀a, x, i. a = c0 + c1·i ∧ x = i ⇒ Q(a, x))
             ∧ (∀a, x, ν. Q(a, x) ∧ ν = x ⇒ P(a, ν))
             ∧ (∀a, ν, i. P(a, ν) ∧ a = c0 + c1·i ⇒ ν = i)

iff (Elim. P)

∃c0, c1, Q. (∀a, x, i. a = c0 + c1·i ∧ x = i ⇒ Q(a, x))
          ∧ (∀a, x, ν, i. Q(a, x) ∧ ν = x ∧ a = c0 + c1·i ⇒ ν = i)

iff (Elim. Q)

∃c0, c1. ∀a, i, j. a = c0 + c1·i ∧ a = c0 + c1·j ⇒ i = j

Example: Non-linear Constraint Solving (2/2)


∃c0, c1. ∀a, i, j. a = c0 + c1·i ∧ a = c0 + c1·j ⇒ i = j

iff (Farkas’ lemma)

∃c0, c1. ∃λ1, λ2. λ1 + λ2 = 0 ∧ c1·λ1 = 1 ∧ c1·λ2 = −1

Bit-vector modeling & SMT [Gulwani, Srivastava, Venkatesan 2008]: c0 = 0, c1 = 1

let applysw f x = f x
(c0 + c1·i = i, so “?” is instantiated to i)
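The last two slides carried through in code, as an added example that is not from the paper or from MoCHi: it searches small integers for the Farkas multipliers λ1, λ2 and the template coefficient c1 (a stand-in for the bit-vector modeling & SMT step), checks the resulting template a = c0 + c1·i against the quantified constraint by bounded enumeration, and applies the instantiation. The function names are this example's own.

```python
from itertools import product

# Added example (not from the paper or MoCHi): the slide's reduced constraint
#   exists c0,c1. forall a,i,j. a = c0 + c1*i and a = c0 + c1*j  =>  i = j
# and its Farkas form  lambda1 + lambda2 = 0, c1*lambda1 = 1, c1*lambda2 = -1.
# Function names are this example's own.

def farkas_witness(c1, lam1, lam2):
    """True iff lam1, lam2 certify the implication for template coefficient c1.

    lam1*(c0 + c1*i - a) + lam2*(c0 + c1*j - a) must equal i - j as a
    polynomial; matching the coefficients of a, i and j gives the three
    equations (the c0 terms cancel because lam1 + lam2 = 0).
    """
    return lam1 + lam2 == 0 and c1 * lam1 == 1 and c1 * lam2 == -1

def solve_template(bits=3):
    """Search small integers, smallest magnitude first (a stand-in for the
    bit-vector modeling + SMT step), for c1, lam1, lam2 satisfying the Farkas
    system.  Returns (c0, c1, lam1, lam2) or None.  c0 is unconstrained by
    the system, so it is fixed to 0 as on the slide."""
    rng = sorted(range(-(1 << bits), 1 << bits), key=lambda v: (abs(v), -v))
    for c1, lam1, lam2 in product(rng, repeat=3):
        if farkas_witness(c1, lam1, lam2):
            return 0, c1, lam1, lam2
    return None

def implication_holds(c0, c1, bound=6):
    """Bounded check of the quantified constraint: no a, i, j in
    [-bound, bound] with a = c0 + c1*i, a = c0 + c1*j and i != j."""
    rng = range(-bound, bound + 1)
    return all(
        not (a == c0 + c1 * i and a == c0 + c1 * j and i != j)
        for a, i, j in product(rng, repeat=3)
    )

def instantiate(c0, c1, i):
    """The quantifier instantiation a := c0 + c1*i; with the solution
    c0 = 0, c1 = 1 the '?' in applysw's type is instantiated to i."""
    return c0 + c1 * i

if __name__ == "__main__":
    sol = solve_template()
    print("Farkas solution (c0, c1, lam1, lam2):", sol)
    print("constraint holds on bounded domain:", implication_holds(sol[0], sol[1]))
    print("instantiation at i = 7:", instantiate(sol[0], sol[1], 7))
```

The bounded check is only a sanity test of the found coefficients; the Farkas certificate is what proves the universally quantified constraint.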

Implementation

• Extended MoCHi [Sato, Unno and Kobayashi 2011, 2013]

with the type inference method for


let rec mc x = if x > 100 then x - 10 else mc (mc (x + 11)) in
let n = randi () in
if n <= 101 then assert (mc n = 91)

Program & Spec. → MoCHi → Result: Certificate or Counterexample

Conclusion

• Relatively complete refinement type system
  – Restricted use of quantification
    • Add one universal quantifier over integer just before each function parameter
• Type inference method for
  – Counterexample guided inference of and
    • inference by application of existing refinement type inference methods [Terauchi 2010, Kobayashi, Sato, Unno 2011]
    • inference by reduction to non-linear constraint solving