Decision procedures with unsound theorem proving for...
Transcript of Decision procedures with unsound theorem proving for...
OutlineMotivation: reasoning about software
Unsound theorem provingDPLL(Γ + T ): Superposition within SMT-solver
Decision procedures for type systemsDiscussion
Decision procedures with unsound theoremproving for software verification
Maria Paola Bonacina1
Dipartimento di Informatica
Universita degli Studi di Verona
Verona, Italy
September 2009
1Joint work with Chris Lynch (Clarkson U., NY) and Leonardo de Moura(MSR, Redmond, WA)
Maria Paola Bonacina Decision procedures with unsound theorem proving for software
OutlineMotivation: reasoning about software
Unsound theorem provingDPLL(Γ + T ): Superposition within SMT-solver
Decision procedures for type systemsDiscussion
Motivation: reasoning about softwareProblem statementCombining strengths of different reasoners
Unsound theorem proving
DPLL(Γ + T ): Superposition within SMT-solver
Decision procedures for type systems
Discussion
Maria Paola Bonacina Decision procedures with unsound theorem proving for software
OutlineMotivation: reasoning about software
Unsound theorem provingDPLL(Γ + T ): Superposition within SMT-solver
Decision procedures for type systemsDiscussion
Problem statementCombining strengths of different reasoners
Motivation
◮ Software is everywhere
◮ Needed: Reliability
◮ Difficult goal: Software may be◮ Artful◮ Complex◮ Huge◮ Varied◮ Old (and undocumented)
◮ Software/hardware border: blurred, evolving
Maria Paola Bonacina Decision procedures with unsound theorem proving for software
OutlineMotivation: reasoning about software
Unsound theorem provingDPLL(Γ + T ): Superposition within SMT-solver
Decision procedures for type systemsDiscussion
Problem statementCombining strengths of different reasoners
Some approaches to software reliability
◮ Testing (test case generation ...)
◮ Programmer assistants
◮ Program analyzers
◮ Static analysis (types, extended static checking, abstractinterpretations ...)
◮ Dynamic analysis (traces ...)
◮ Software model checkers (+ theorem proving, e.g.,SMT-BMC, CEGAR-SMC)
Reasoning about software
Maria Paola Bonacina Decision procedures with unsound theorem proving for software
OutlineMotivation: reasoning about software
Unsound theorem provingDPLL(Γ + T ): Superposition within SMT-solver
Decision procedures for type systemsDiscussion
Problem statementCombining strengths of different reasoners
Systems with reasoning about software
Typical architecture:
◮ Front-end: interface, problem modelling, compiling◮ From programs to formulæ
(via specifications, annotations, intermediate languages)
◮ Back-end: problem solving by reasoning engine◮ Problem: determine satisfiability of formulæ◮ Objective: decision procedures
Maria Paola Bonacina Decision procedures with unsound theorem proving for software
OutlineMotivation: reasoning about software
Unsound theorem provingDPLL(Γ + T ): Superposition within SMT-solver
Decision procedures for type systemsDiscussion
Problem statementCombining strengths of different reasoners
Ingredients of formulæ
◮ Propositional logic (PL): ∨, ¬, ∧
◮ Equality: ≃, 6≃, free constant and function symbols
◮ Theories of data structures, e.g.:◮ Lists, recursive data structures: constructors (cons), selectors
(car , cdr)◮ Arrays, records: select, store◮ Bitvectors
◮ Linear arithmetic: ≤, +, −, . . . − 2,−1, 0, 1, 2, . . .
◮ Formalizations of type systems, e.g.: subtype relation ⊑, typeconstructor Array-of (monadic function f )
◮ First-order logic (FOL): ∀, ∃, free predicate symbols
Maria Paola Bonacina Decision procedures with unsound theorem proving for software
OutlineMotivation: reasoning about software
Unsound theorem provingDPLL(Γ + T ): Superposition within SMT-solver
Decision procedures for type systemsDiscussion
Problem statementCombining strengths of different reasoners
Why quantifiers
◮ To capture frame conditions over loops
◮ To summarize auxiliary invariants over heaps
◮ To axiomatize type systems
◮ To supply axioms of theories without decision procedure forground formulæ
Maria Paola Bonacina Decision procedures with unsound theorem proving for software
OutlineMotivation: reasoning about software
Unsound theorem provingDPLL(Γ + T ): Superposition within SMT-solver
Decision procedures for type systemsDiscussion
Problem statementCombining strengths of different reasoners
Shape of problems
◮ Background theory T◮ T =
⋃n
i=1 Ti , e.g., linear arithmetic, bit-vectors
◮ Set of formulæ: R∪ P◮ R: set of non-ground clauses without T -symbols◮ P : large ground formula (set of ground clauses)
may contain T -symbols
◮ Determine whether R∪ P is satisfiable modulo T(Equivalently: determine whether T ∪ R ∪ P is satisfiable)
Maria Paola Bonacina Decision procedures with unsound theorem proving for software
OutlineMotivation: reasoning about software
Unsound theorem provingDPLL(Γ + T ): Superposition within SMT-solver
Decision procedures for type systemsDiscussion
Problem statementCombining strengths of different reasoners
What do we need
◮ Ti -solvers: Satisfiability procedures for the Ti ’s, e.g.Simplex method for linear arithmetic
◮ Davis-Putnam-Logemann-Loveland (DPLL) procedure for SAT
◮ DPLL(T )-based SMT-solver: Decision procedure for T withNelson-Oppen combination of the Ti -sat procedures
◮ First-order engine to handle R (additional theory):Resolution+Rewriting+Superposition: Superposition-based
Maria Paola Bonacina Decision procedures with unsound theorem proving for software
OutlineMotivation: reasoning about software
Unsound theorem provingDPLL(Γ + T ): Superposition within SMT-solver
Decision procedures for type systemsDiscussion
Problem statementCombining strengths of different reasoners
Combining strengths of different reasoning engines
◮ DPLL: SAT-problems; large non-Horn clauses
◮ Theory solvers: linear arithmetic, bitvectors
◮ DPLL(T )-based SMT solvers: efficient, scalable, integratedtheory reasoning
◮ Superposition-based inference system Γ:◮ equalities, Horn clauses, universal quantifiers◮ known to be a sat-procedure for several theories of data
structures
Maria Paola Bonacina Decision procedures with unsound theorem proving for software
OutlineMotivation: reasoning about software
Unsound theorem provingDPLL(Γ + T ): Superposition within SMT-solver
Decision procedures for type systemsDiscussion
How about termination?
◮ During development conjectures are usually false because ofmistakes in implementation or specification
◮ Need a theorem prover that terminates on satisfiable inputs
◮ Not possible in general:◮ FOL is only semi-decidable◮ First-order formulæ of linear arithmetic with uninterpreted
function: not even semi-decidable
However we need less than a general solution!
Maria Paola Bonacina Decision procedures with unsound theorem proving for software
OutlineMotivation: reasoning about software
Unsound theorem provingDPLL(Γ + T ): Superposition within SMT-solver
Decision procedures for type systemsDiscussion
Problematic axioms do occur in relevant inputs
Let ⊑ be a subtype relation and f a type constructor
◮ Transitivity
¬(x ⊑ y) ∨ ¬(y ⊑ z) ∨ x ⊑ z
◮ Monotonicity
¬(x ⊑ y) ∨ f (x) ⊑ f (y)
Resolution generates unbounded number of clauses
Maria Paola Bonacina Decision procedures with unsound theorem proving for software
OutlineMotivation: reasoning about software
Unsound theorem provingDPLL(Γ + T ): Superposition within SMT-solver
Decision procedures for type systemsDiscussion
In practice we need finitely many
Example:
1. ¬(x ⊑ y) ∨ f (x) ⊑ f (y)
2. a ⊑ b generate
3. {f i (a) ⊑ f i(b)}i≥0
In practice f (a) ⊑ f (b) or f 2(a) ⊑ f 2(b) often suffice to showsatisfiability
Maria Paola Bonacina Decision procedures with unsound theorem proving for software
OutlineMotivation: reasoning about software
Unsound theorem provingDPLL(Γ + T ): Superposition within SMT-solver
Decision procedures for type systemsDiscussion
Idea: Unsound theorem proving
◮ TP applied to maths: most conjectures are true
◮ Sacrifice completeness for efficiencyRetain soundness: if proof found, input unsatisfiable
Maria Paola Bonacina Decision procedures with unsound theorem proving for software
OutlineMotivation: reasoning about software
Unsound theorem provingDPLL(Γ + T ): Superposition within SMT-solver
Decision procedures for type systemsDiscussion
Idea: Unsound theorem proving
◮ TP applied to maths: most conjectures are true
◮ Sacrifice completeness for efficiencyRetain soundness: if proof found, input unsatisfiable
◮ TP applied to verification: most conjectures are false
◮ Sacrifice soundness for terminationRetain completeness: if no proof, input satisfiable
Maria Paola Bonacina Decision procedures with unsound theorem proving for software
OutlineMotivation: reasoning about software
Unsound theorem provingDPLL(Γ + T ): Superposition within SMT-solver
Decision procedures for type systemsDiscussion
Idea: Unsound theorem proving
◮ TP applied to maths: most conjectures are true
◮ Sacrifice completeness for efficiencyRetain soundness: if proof found, input unsatisfiable
◮ TP applied to verification: most conjectures are false
◮ Sacrifice soundness for terminationRetain completeness: if no proof, input satisfiable
◮ How do we do it: Additional axioms to enforce termination
◮ Detect unsoundness as conflict + Recover by backtracking
(DPLL framework)
Maria Paola Bonacina Decision procedures with unsound theorem proving for software
OutlineMotivation: reasoning about software
Unsound theorem provingDPLL(Γ + T ): Superposition within SMT-solver
Decision procedures for type systemsDiscussion
Example
1. ¬(x ⊑ y) ∨ f (x) ⊑ f (y)
2. a ⊑ b
3. a ⊑ f (c)
4. ¬(a ⊑ c)
Maria Paola Bonacina Decision procedures with unsound theorem proving for software
OutlineMotivation: reasoning about software
Unsound theorem provingDPLL(Γ + T ): Superposition within SMT-solver
Decision procedures for type systemsDiscussion
Example
1. ¬(x ⊑ y) ∨ f (x) ⊑ f (y)
2. a ⊑ b
3. a ⊑ f (c)
4. ¬(a ⊑ c)
1. Add f (x) ≃ x
2. Rewrite a ⊑ f (c) into a ⊑ c and get 2: backtrack!
Maria Paola Bonacina Decision procedures with unsound theorem proving for software
OutlineMotivation: reasoning about software
Unsound theorem provingDPLL(Γ + T ): Superposition within SMT-solver
Decision procedures for type systemsDiscussion
Example
1. ¬(x ⊑ y) ∨ f (x) ⊑ f (y)
2. a ⊑ b
3. a ⊑ f (c)
4. ¬(a ⊑ c)
1. Add f (x) ≃ x
2. Rewrite a ⊑ f (c) into a ⊑ c and get 2: backtrack!
3. Add f (f (x)) ≃ x
4. a ⊑ b yields only f (a) ⊑ f (b)
5. a ⊑ f (c) yields only f (a) ⊑ c
6. Reach saturated state and detect satisfiability
Maria Paola Bonacina Decision procedures with unsound theorem proving for software
OutlineMotivation: reasoning about software
Unsound theorem provingDPLL(Γ + T ): Superposition within SMT-solver
Decision procedures for type systemsDiscussion
DPLL
State of derivation: M ||F
◮ Decide: guess L is true, add it to M
◮ UnitPropagate: propagate consequences of assignment
◮ Conflict: detect L1 ∨ . . . ∨ Ln all false
◮ Learn: detect by resolution Li made false by assignment (notpropagation)
◮ Backjump: undo assignment for Li
◮ Unsat: conflict clause is 2 (nothing else to try)
Maria Paola Bonacina Decision procedures with unsound theorem proving for software
OutlineMotivation: reasoning about software
Unsound theorem provingDPLL(Γ + T ): Superposition within SMT-solver
Decision procedures for type systemsDiscussion
DPLL(T )
State of derivation: M ||F
◮ T -Propagate: add to M an L that is T -consequence of M
◮ T -Conflict: detect that L1, . . . ,Ln in M are T -inconsistent
Since Ti -solvers build T -model:
◮ PropagateEq: add to M a ground s ≃ t true in T -model
Maria Paola Bonacina Decision procedures with unsound theorem proving for software
OutlineMotivation: reasoning about software
Unsound theorem provingDPLL(Γ + T ): Superposition within SMT-solver
Decision procedures for type systemsDiscussion
DPLL(Γ + T ): integrate Γ in DPLL(T )
◮ Idea: literals in M can be premises of Γ-inferences
◮ Stored as hypotheses in inferred clause
◮ Hypothetical clause: H ⊲ C (equivalent to ¬H ∨ C )
◮ Inferred clauses inherit hypotheses from the premises
◮ Note: don’t need Γ for ground inferences
◮ Use each engine for what is best for:◮ non-ground clauses: seen only by Γ◮ ground non-unit clauses: seen only by DPLL(T )◮ ground unit clauses: seen by both
Maria Paola Bonacina Decision procedures with unsound theorem proving for software
OutlineMotivation: reasoning about software
Unsound theorem provingDPLL(Γ + T ): Superposition within SMT-solver
Decision procedures for type systemsDiscussion
DPLL(Γ + T )
State of derivation: M ||F
◮ Deduce: Γ-inference, e.g., superposition, using non-ground
clauses in F and literals in M
◮ Backjump: remove hypothetical clauses depending on undoneassignments
Maria Paola Bonacina Decision procedures with unsound theorem proving for software
OutlineMotivation: reasoning about software
Unsound theorem provingDPLL(Γ + T ): Superposition within SMT-solver
Decision procedures for type systemsDiscussion
Unsound inferences
◮ Single unsound inference rule: add arbitrary clause C
◮ Simulate many:◮ Suppress literals in long clause C ∨ D:
add C and subsume◮ Replace deep term t by constant a:
add t ≃ a and rewrite
Maria Paola Bonacina Decision procedures with unsound theorem proving for software
OutlineMotivation: reasoning about software
Unsound theorem provingDPLL(Γ + T ): Superposition within SMT-solver
Decision procedures for type systemsDiscussion
Controlling unsound inferences
◮ Unsound inferences to induce termination on sat input
◮ What if the unsound inference makes problem unsat?!
◮ Detect conflict and backjump:◮ Keep track by adding ⌈C⌉ ⊲ C◮ ⌈C⌉: new propositional variable (a “name” for C )◮ Treat “unnatural failure” like “natural failure”
Maria Paola Bonacina Decision procedures with unsound theorem proving for software
OutlineMotivation: reasoning about software
Unsound theorem provingDPLL(Γ + T ): Superposition within SMT-solver
Decision procedures for type systemsDiscussion
Unsound theorem proving in DPLL(Γ + T )
State of derivation: M ||F
Inference rule:
◮ UnsoundIntro: add ⌈C⌉ ⊲ C to F and ⌈C⌉ to M
Maria Paola Bonacina Decision procedures with unsound theorem proving for software
OutlineMotivation: reasoning about software
Unsound theorem provingDPLL(Γ + T ): Superposition within SMT-solver
Decision procedures for type systemsDiscussion
Example as done by system
1. ¬(x ⊑ y) ∨ f (x) ⊑ f (y)
2. a ⊑ b
3. a ⊑ f (c)
4. ¬(a ⊑ c)
Maria Paola Bonacina Decision procedures with unsound theorem proving for software
OutlineMotivation: reasoning about software
Unsound theorem provingDPLL(Γ + T ): Superposition within SMT-solver
Decision procedures for type systemsDiscussion
Example as done by system
1. ¬(x ⊑ y) ∨ f (x) ⊑ f (y)
2. a ⊑ b
3. a ⊑ f (c)
4. ¬(a ⊑ c)
1. Add ⌈f (x) ≃ x⌉ ⊲ f (x) ≃ x
2. Rewrite a ⊑ f (c) into ⌈f (x) ≃ x⌉ ⊲ a ⊑ c
Maria Paola Bonacina Decision procedures with unsound theorem proving for software
OutlineMotivation: reasoning about software
Unsound theorem provingDPLL(Γ + T ): Superposition within SMT-solver
Decision procedures for type systemsDiscussion
Example as done by system
1. ¬(x ⊑ y) ∨ f (x) ⊑ f (y)
2. a ⊑ b
3. a ⊑ f (c)
4. ¬(a ⊑ c)
1. Add ⌈f (x) ≃ x⌉ ⊲ f (x) ≃ x
2. Rewrite a ⊑ f (c) into ⌈f (x) ≃ x⌉ ⊲ a ⊑ c
3. Generate ⌈f (x) ≃ x⌉ ⊲ 2; Backtrack, learn ¬⌈f (x) ≃ x⌉
Maria Paola Bonacina Decision procedures with unsound theorem proving for software
OutlineMotivation: reasoning about software
Unsound theorem provingDPLL(Γ + T ): Superposition within SMT-solver
Decision procedures for type systemsDiscussion
Example as done by system
1. ¬(x ⊑ y) ∨ f (x) ⊑ f (y)
2. a ⊑ b
3. a ⊑ f (c)
4. ¬(a ⊑ c)
1. Add ⌈f (x) ≃ x⌉ ⊲ f (x) ≃ x
2. Rewrite a ⊑ f (c) into ⌈f (x) ≃ x⌉ ⊲ a ⊑ c
3. Generate ⌈f (x) ≃ x⌉ ⊲ 2; Backtrack, learn ¬⌈f (x) ≃ x⌉
4. Add ⌈f (f (x)) ≃ x⌉ ⊲ f (f (x)) ≃ x
5. a ⊑ b yields only f (a) ⊑ f (b)
6. a ⊑ f (c) yields only f (a) ⊑ f (f (c))hence ⌈f (f (x)) = x⌉ ⊲ f (a) ⊑ c
7. Reach saturated state and detect satisfiability
Maria Paola Bonacina Decision procedures with unsound theorem proving for software
OutlineMotivation: reasoning about software
Unsound theorem provingDPLL(Γ + T ): Superposition within SMT-solver
Decision procedures for type systemsDiscussion
Issues about completeness
◮ Γ is refutationally complete
◮ Since Γ sees only non-ground clauses, DPLL(Γ + T ) does notinherit refutational completeness trivially
Maria Paola Bonacina Decision procedures with unsound theorem proving for software
OutlineMotivation: reasoning about software
Unsound theorem provingDPLL(Γ + T ): Superposition within SMT-solver
Decision procedures for type systemsDiscussion
Issues about completeness
◮ Γ is refutationally complete
◮ Since Γ sees only non-ground clauses, DPLL(Γ + T ) does notinherit refutational completeness trivially
◮ DPLL(T ) has depth-first search: complete for ground SMTproblems, not when injecting non-ground inferences
◮ Solution: iterative deepening on inference depth
Maria Paola Bonacina Decision procedures with unsound theorem proving for software
OutlineMotivation: reasoning about software
Unsound theorem provingDPLL(Γ + T ): Superposition within SMT-solver
Decision procedures for type systemsDiscussion
Issues about completeness
◮ Γ is refutationally complete
◮ Since Γ sees only non-ground clauses, DPLL(Γ + T ) does notinherit refutational completeness trivially
◮ DPLL(T ) has depth-first search: complete for ground SMTproblems, not when injecting non-ground inferences
◮ Solution: iterative deepening on inference depth
◮ However refutationally complete only for T emptyExample: R = {x = a ∨ x = b}, P = ∅, T is arithmeticUnsat but can’t tell!
Maria Paola Bonacina Decision procedures with unsound theorem proving for software
OutlineMotivation: reasoning about software
Unsound theorem provingDPLL(Γ + T ): Superposition within SMT-solver
Decision procedures for type systemsDiscussion
Issues about completeness (continued)
◮ Sufficient condition for refutational completeness with T 6= ∅:◮ R be variable inactive (a technical but simple condition)
◮ it implies stable-infiniteness(needed for completeness of Nelson-Oppen combination)
◮ it excludes cardinality constraints (e.g., x = a ∨ x = b)
Maria Paola Bonacina Decision procedures with unsound theorem proving for software
OutlineMotivation: reasoning about software
Unsound theorem provingDPLL(Γ + T ): Superposition within SMT-solver
Decision procedures for type systemsDiscussion
Issues about completeness (continued)
◮ Sufficient condition for refutational completeness with T 6= ∅:◮ R be variable inactive (a technical but simple condition)
◮ it implies stable-infiniteness(needed for completeness of Nelson-Oppen combination)
◮ it excludes cardinality constraints (e.g., x = a ∨ x = b)
◮ Use iterative deepening on both Deduce and UnsoundIntro
to impose also termination: DPLL(Γ + T ) gets “stuck” at k
Maria Paola Bonacina Decision procedures with unsound theorem proving for software
OutlineMotivation: reasoning about software
Unsound theorem provingDPLL(Γ + T ): Superposition within SMT-solver
Decision procedures for type systemsDiscussion
How to get decision procedures
To decide satisfiability modulo T of R∪ P :
◮ Find sequence of “unsound axioms” U
◮ Show that there exists k s.t. k-bounded DPLL(Γ + T ) isguaranteed to terminate
◮ with Unsat if R∪ P is T -unsat◮ in a state which is not stuck at k if R∪ P is T -sat
Maria Paola Bonacina Decision procedures with unsound theorem proving for software
OutlineMotivation: reasoning about software
Unsound theorem provingDPLL(Γ + T ): Superposition within SMT-solver
Decision procedures for type systemsDiscussion
Decision procedures
◮ R has single monadic function symbol f
◮ Essentially finite: if R ∪ P is sat, has model where range of f
is finite
◮ Such a model satisfies f j(x) ≃ f k(x) for some j 6= k
Maria Paola Bonacina Decision procedures with unsound theorem proving for software
OutlineMotivation: reasoning about software
Unsound theorem provingDPLL(Γ + T ): Superposition within SMT-solver
Decision procedures for type systemsDiscussion
Decision procedures
◮ R has single monadic function symbol f
◮ Essentially finite: if R ∪ P is sat, has model where range of f
is finite
◮ Such a model satisfies f j(x) ≃ f k(x) for some j 6= k
◮ UnsoundIntro adds “pseudo-axioms” f j(x) ≃ f k(x) for j > k
◮ Use f j(x) ≃ f k(x) as rewrite rule to limit term depth
Maria Paola Bonacina Decision procedures with unsound theorem proving for software
OutlineMotivation: reasoning about software
Unsound theorem provingDPLL(Γ + T ): Superposition within SMT-solver
Decision procedures for type systemsDiscussion
Decision procedures
◮ R has single monadic function symbol f
◮ Essentially finite: if R ∪ P is sat, has model where range of f
is finite
◮ Such a model satisfies f j(x) ≃ f k(x) for some j 6= k
◮ UnsoundIntro adds “pseudo-axioms” f j(x) ≃ f k(x) for j > k
◮ Use f j(x) ≃ f k(x) as rewrite rule to limit term depth
◮ Clause length limited by properties of Γ and R
◮ Only finitely many clauses generated: termination withoutgetting stuck
Maria Paola Bonacina Decision procedures with unsound theorem proving for software
OutlineMotivation: reasoning about software
Unsound theorem provingDPLL(Γ + T ): Superposition within SMT-solver
Decision procedures for type systemsDiscussion
Concrete examples of essentially finite theories
Decision procedures for axiomatizations of type systems:
Reflexivity x ⊑ x (1)
Transitivity ¬(x ⊑ y) ∨ ¬(y ⊑ z) ∨ x ⊑ z (2)
Anti-Symmetry ¬(x ⊑ y) ∨ ¬(y ⊑ x) ∨ x ≃ y (3)
Monotonicity ¬(x ⊑ y) ∨ f (x) ⊑ f (y) (4)
Tree-Property ¬(z ⊑ x) ∨ ¬(z ⊑ y) ∨ x ⊑ y ∨ y ⊑ x (5)
MI = {(1), (2), (3), (4)}: type system with multiple inheritance
SI = MI ⊎ {(5)}: type system with single inheritance
Maria Paola Bonacina Decision procedures with unsound theorem proving for software
OutlineMotivation: reasoning about software
Unsound theorem provingDPLL(Γ + T ): Superposition within SMT-solver
Decision procedures for type systemsDiscussion
Summary of contributions
◮ Unsound theorem proving [Lynch at CSL 2004]
◮ Variable-inactivity [Bonacina et al. at IJCAR 2006]
◮ DPLL(Γ) [de Moura, Bjorner at IJCAR 2008]
◮ DPLL(Γ + T ) + variable-inactivity: extend completeness(T 6= ∅)
◮ DPLL(Γ + T ) + unsound TP: termination
◮ Decision procedures for type systems with multiple/singleinheritance used in ESC/Java and Spec#
[Bonacina, Lynch, de Moura at CADE 2009]
Maria Paola Bonacina Decision procedures with unsound theorem proving for software