Viap PDF

VIAP - Automated System for Verifying Integer
Assignment Programs with Loops
Pritom Rajkhowa and Fangzhen Lin
Department of Computer Science

The Hong Kong University of Science and Technology
Clear Water Bay, Kowloon, Hong Kong
prajkhowa@cs.ust.com
September 20, 2017
Pritom Rajkhowa and Fangzhen Lin (HKUST) VIAP September 20, 2017 1 / 30
Overview
1 Objective
2 The main contribution of the paper
3 How to prove the Correctness of program with loop
4 Translation
5 VIAP architecture
6 Proof strategies
7 Strategy 1: direct proof
8 Strategy 2: simple induction
9 A comparative study with other automatic verifiers
10 Partial correctness and total correctness
11 Conclusion and Future Work
12 References
Objectives
Programs are some of the most complex man-made systems.

Considering a program as an agent with a knowledge base.
Translate program(like C and Java) to first-order logic axioms.
This will give us a complete formalization, instead of specific tools for
program slicing, pointer alias analysis,array bound checking, and so
on.
The main contribution of the paper
VIAP implements the algorithm to translation a computer program to

first order axioms. Then extends the translation by solving
recurrences generated by the translation[Lin16].
VIAP automatically proves the partial correctness of a program given
precondition(s) and post-condition(s) by mathematical induction with
Z3 as the base prover without using loop invariants.
VIAP can prove the correctness of programs without generating loop
invariants, unlike existing work in literature. There are many
benchmark programs like
[NKWF12] [NKWF14] [RK07] [BKKS13] [LM10] which are used to
validate invariant generation tools in literature. We have shown that
VIAP can also prove these benchmark programs without requiring to
go through the process of loop-invariant generation.
How to prove the Correctness of program with loop
First consider partial correctness
The loop may not terminate, but if it does, the post-condition will hold
{P} while B do S {Q}
Find an invariant Inv such that
P ) Inv
The invariant is initially true
{ Inv && B } S {Inv}
Each execution of the loop preserves the invariant
(Inv && ¬B) ) Q

The invariant and the loop exit condition imply the postcondition
To prove the correctness of non-parallel imperative computer programs

with loop, a suitable loop invariant is required. The study of program
invariants has been a major research area since the 1970s . There has been
a large amount of work on automatic discovery of loop invariants using
static or dynamic analysis. Few mention-able works InvGen,DIG and
Daikan
Grammar
Our system handles programs consisting of integer assignments, sequence,

conditionals and while loops:
 ::= <X> = <E> |

; |
if <C> then else |
while <C> do 
where <X> is an integer variable, <E> a integer expression and <C> a

boolean condition.
What Translation Gives
Translation of Program to a first-order theory captures

In this paper, we propose a way to translate a program to a first-order
theory with quantification over natural numbers which provide relationship
between the input and output values of the program variables.
Relationship between the input and output values of the program variables
which is independent of what one may want to prove about the program
Translation Example
Sequence Statement
X =X +Y
Y =2⇤X
can be captured by the following two axioms:
X1 = X + Y ,
Y1 = 2 ⇤ (X + Y )
X and Y denote the initial values of the corresponding program

variables
X1 and Y1 their values after the statement is performed
Translation of Loop
For a while loop like while C { B }, it generates the following two formulas:
Representing Loop
¬C (N), (1)
8n.n < N ! C (n) (2)
N is a new natural number constant denoting the number of

iterations that the loop ran before it exits
C(n) a formula denoting the true value of the condition C at the end
of the nth iteration of the loop
C(N) a formula denoting the true value of the condition C at the end
of the Nth iteration of the loop
Example
Consider the following while loop
while X < M do { X = f ( X ) }
What does it output? No e↵ect on M, but for X, it depends on f:
M1 = M,
X M ! X1 = X ,
X < M ! X1 = X (N),
X (0) = X ,
8n.X (n + 1) = f (X (n)),
X (N) M,
8n.n < N ! X (n) < M
X1 = X (N)
N denotes the number of iterations that the loop runs until termination.
X(n) is the value of X after the nth iteration.
VIAP architecture
Figure: Architecture Overview of VIAP
VIAP architecture
VIAP is implemented in python. The overall approach is illustrated in the

previous Figure . VIAP has been developed in a modular fashion and its
architecture is layered in to two parts:
Front-End : The system accepts a program (e.g. Java) as input and
translates it to first order axioms. Mathematica and sympy solves the
recurrences generated during the translation if closed form solutions
are available.
Back-End: : Takes the set of translated first order axioms and
translates all the axioms to Z 3 compatible equation by pre-processing
them using sympy. Then the proof engine applies di↵erent strategies
and tries to prove post-conditions in Z 3.
Proof strategies
Encoding of First order axioms in Z3. For example, to encode in Z3 the
following axiom that universally quantifies natural number variable n:
n < N2 ! r7 (n) Y
we use an integer type variable n and add the condition n 0:
n=Int(’n’)
Y=Int(’Y’)
N2=Const(’N2’,IntSort())
r7=Function(’r7’,IntSort(),IntSort())
ForAll([n], Implies(n>=0, Implies(n<N2,r7(n)>=Y)))
The second issue that we had with Z3 was that it has difficulty with
axioms of the form (2), which is crucial for our axiomatization of loops.
Our strategy is to add the following consequence of (2) to the axiom set:
N = 0 _ C (N 1). (3)
Proof strategies
Another issue is that many of the benchmark programs that we tried have
exponentiation. We found that Z3’s builtin module NLSat (nonlinear real
arithmetic) was too weak most of the time. Instead, we define our own
exponentiation function power (x, y ) on integers:
power=Function(’power’,IntSort(),IntSort()
,IntSort())
and include the following axioms:
ForAll([n],Implies(n>=0, power(0,n)==0))
ForAll([n,m],Implies(power(m,n)==0,m==0))
ForAll([n],Implies(n>0, power(n,0)==1))
ForAll([n,m],Implies(power(n,m)==1,
Or(n==1,m==0)))
ForAll([n,m],Implies(And(n>0,m>=0),
power(n,m+1)==power(n,m)*n)))
Strategy 1: direct proof
To illustrate how our system works, consider the following program for
computing the integer square root of a given non-negative integer X
a =0; su =1; t =1;
while ( su <= X ) { a = a +1; t = t +2; su = su + t ;}
return a ;
To prove the correctness of the program we need to prove the following
post-conditions
(a1 + 1)2 > X ,

a12  X
After Translation To FOL Axioms
After Translation of Square Root program to First Order Logic Axioms,
We will have following set of Axioms
X1 = X ,
a1 = a3 (N), t1 = t3 (N), su1 = su3 (N),
a3 (n + 1) = a3 (n) + 1, t3 (n + 1) = t3 (n) + 2,
su3 (n + 1) = su3 (n) + t3 (n) + 2,
a3 (0) = 0, t3 (0) = 1, su3 (0) = 1,
(su3 (N) > X ),
(n < N) ! (su3 (n)  X ),
where a denotes the input value of the program variable a, a3 (n) a
temporary function denoting the value of a after the nth iteration of the
while loop. Similar conventions apply to X , t, su and their subscripted
versions. The constant N is introduced to denote the number of iterations
of the while loop before it exits. The variable n ranges over natural
numbers and is universally quantified.
Find Close Form Solution and Eliminate Terms
Computes closed-form solutions for a3 (), t3 (), and su3 (), eliminates them,
and produces the following axioms
X1 = X ,
a1 = N,
t1 = 2N + 1,
su1 = N ⇤ N + 2 ⇤ N + 1,
(N ⇤ N + 2 ⇤ N + 1 > X ),
(n < N) ! (n ⇤ n + 2 ⇤ n + 1  X ).
Z3 query
_s . add ( X1 == X )
_s . add ( a1 == _N1 )
_s . add ( t1 == 2* _N1 + 1)
_s . add ( su1 == _N1 * _N1 + 2* _N1 + 1)
_s . add ( _N1 * _N1 + 2* _N1 + 1 > X )
_s . add ( ForAll ([ _n1 ] , Implies ( And (( _n1 < _N1 ) , _n1 >=0)
, _n1 * _n1 + 2* _n1 + 1 <= X )))
_s . add ( Or ( _N1 ==0 , _N1 * _N1 <= X ))
_s . add ( _N1 >=0)
_s . add (X >=0)
Now if we add the following sentence to the above query to prove post
condition a1 ⇤ a1 < X :
_s . add ( Not ( a1 * a1 <= X ))
Strategy 2: simple induction
To illustrate how our system works, consider the following program which
implements the well-known Cohns integer division algorithm-
Q =0; R = X ;
while ( R >= Y ) do {
A =1; B = Y ;
while ( R >= 2* B )
do { A = 2* A ; B = 2* B ;}
R = R-B; Q = Q+A; }
// return Q = X / Y ;
To prove the correctness of the program we need to prove the following
post-conditions
X = Y ⇤ Q1 + R1,
Y 1 > R1
R1 0
Find Close Form Solution and Eliminate Terms
Y1 = Y , X1 = X ,
A1 = A7 (N2 ), q1 = q7 (N2 ), r1 = r7 (N2 ), B1 = B7 (N2 ),
r7 (n) < 2 ⇥ 2N1 (n) ⇥ Y ,
n1 < N1 (n2 ) ! r7 (n2 ) 2 ⇥ 2n 1 ⇥ Y ,
A7 (n + 1) = 2N1 (n) ⇥ 1,
B7 (n + 1) = 2N1 (n) ⇥ Y ,
q7 (n + 1) = q7 (n) + 2N1 (n) ⇥ 1,
r7 (n + 1) = r7 (n) 2N1 (n) ⇥ Y ,
A7 (0) = A, B7 (0) = B, q7 (0) = 0, r7 (0) = X ,
r7 (N2 ) < Y ,
n < N2 ! r7 (n) Y
Simple Induction
As an illustration, consider proving the following postcondition
X = q1 Y + r1 (recall that q1 and r1 denote the output values of q and r ,
respectively):
X = q1 Y + r1 (4)
under the precondition :
X 0^Y >0
for the above Cohen’s division program. First VIAP converts the
postcondition into the following assertion using the equations about q1
and p1 in the set of axioms:
X = q7 (N2 )Y + r7 (N2 ).
Then it tries to prove it directly using Z3, but fails. So it tries to prove the
following more general one
8n.X = q7 (n)Y + r7 (n) (5)
by induction on n, which succeeds.
A comparative study with other automatic verifiers
Leon [BKKS13] started as a verification system for the pure

functional subset of Scala.
Smack [CHW+ 16] is a self contained software verifier and also a
modular software verification tool chain.
Seahorn [GKKN15] is a fully automated analysis framework for
LLVM-based languages.
2LS [SK16] is a static analysis and verification tool for C program
which is built upon the CPROVER infrastructure which implements
incremental bounded model checking, invariant generation techniques
and k-induction.
UAutomizer [HCD+ 13] is a model checker (that implements an
approach based on automata) for C program which proves the
correctness of the program by computing inductive invariants from
interpolation.
Experimental Results(Table)
Partial correctness and total correctness
Typically VIAP proves only partial correctness of a program with respect

to a precondition and a post-condition. This is because by introducing a
natural number term to denote the number of iterations that a loop ran
before it exits, we assume that the loop terminates. Otherwise, a
contradiction will arise. Consider the following program:
while ( X != 1) {
if ( X ==0) { X =1; }
}
VIAP translates it into the following axioms:
X1 = X2 ( _N1 )
X2 ( _n1 +1) = ite ( X2 ( _n1 )==0 ,1 , X2 ( _n1 ))
X2 (0) = X
X2 ( _N1 )==1
_n1 < _N1 -> X2 ( _n1 )!=1
Partial correctness and total correctness
_s . add ( X1 == X2 ( _N1 ))
_s . add ( ForAll ([ _n1 ] , Implies ( _n1 >=0 ,
X2 ( _n1 +1)== If ( X2 ( _n1 )==0 ,1 , X2 ( _n1 )))))
_s . add ( X2 (0) == X )
_s . add (( X2 ( _N1 )==1))
_s . add ( ForAll ([ _n1 ] , Implies ( And (( _n1 < _N1 )
,_n1 >=0) ,
Not ( X2 ( _n1 )==1))))
_s . add ( _N1 >=0)
Now if we add the following sentence to the above query:

_s . add ( And ( Not ( X ==1) , Not ( X ==0)))
Z3 returns with ”unsat”, thus proves that the axioms entails
X = 1 _ X = 0.
Conclusion and Future Work
The translation needs to be done only once for a program and the
translated axioms can be used to prove multiple post-conditions.
While not shown in this paper, properties about the program during
its execution can be expressed and proved as well. All one needs is a
label to mark the point of interest - see [Lin16].
For each loop in the program, the translated axioms include an
explicit representation of the exact number of iterations that this loop
executes before terminating. All properties about the loops are
expressed in terms of this representation.
Loop invariants are not required. Of course, they can be added to the
axioms if available. Our experiments show that for many programs,
VIAP can prove properties about them that would normally require
proper loop invariants. In fact, most of these programs are
benchmarks for testing systems that discover loop invariants.
Thank You
References I
Régis Blanc, Viktor Kuncak, Etienne Kneuss, and Philippe Suter, An

overview of the leon verification system: Verification by translation to
recursive functions, Proceedings of the 4th Workshop on Scala (New
York, NY, USA), SCALA ’13, ACM, 2013, pp. 1:1–1:10.
Montgomery Carter, Shaobo He, Jonathan Whitaker, Zvonimir
Rakamarić, and Michael Emmi, Smack software verification toolchain,
ICSE ’16, ACM, 2016, pp. 589–592.
Arie Gurfinkel, Temesghen Kahsai, Anvesh Komuravelli, and Jorge A.
Navas, The seahorn verification framework, pp. 343–361, Springer
International Publishing, Cham, 2015.
Matthias Heizmann, Jürgen Christ, Daniel Dietsch, Evren Ermis,
Jochen Hoenicke, Markus Lindenmann, Alexander Nutz, Christian
Schilling, and Andreas Podelski, Ultimate automizer with smtinterpol,
pp. 641–643, Springer Berlin Heidelberg, Berlin, Heidelberg, 2013.
References II
Fangzhen Lin, A formalization of programs in first-order logic with a

discrete linear order, Artificial Intelligence 235 (2016), 1 – 25.
K. Rustan M. Leino and Rosemary Monahan, Dafny meets the
verification benchmarks challenge, Proceedings of the Third
International Conference on Verified Software: Theories, Tools,
Experiments (Berlin, Heidelberg), VSTTE’10, Springer-Verlag, 2010,
pp. 112–126.
ThanhVu Nguyen, Deepak Kapur, Westley Weimer, and Stephanie
Forrest, Using dynamic analysis to discover polynomial and array
invariants, Proceedings of the 34th ICSE (Piscataway, NJ, USA), ICSE
’12, IEEE Press, 2012, pp. 683–693.
References III
ThanhVu Nguyen, Deepak Kapur, Westley Weimer, and Stephanie

Forrest, DIG: A dynamic invariant generator for polynomial and array
invariants, ACM Trans. Softw. Eng. Methodol. 23 (2014), no. 4,
30:1–30:30.
Enric Rodrı́guez-Carbonell and Deepak Kapur, Generating all
polynomial invariants in simple loops, J. Symb. Comput. 42 (2007),
no. 4, 443–476.
Peter Schrammel and Daniel Kroening, 2ls for program analysis -
(competition contribution), TACAS 2016, Lecture Notes in Computer
Science, vol. 9636, Springer, 2016, pp. 905–907.

Viap PDF

Enviado por

Dados do documento

Título original

Direitos autorais

Formatos disponíveis

Compartilhar este documento

Compartilhar ou incorporar documento

Opções de compartilhamento

Você considera este documento útil?

Este conteúdo é inapropriado?

Direitos autorais:

Formatos disponíveis

Viap PDF

Enviado por

Direitos autorais:

Formatos disponíveis

VIAP - Automated System for Verifying Integer

Assignment Programs with Loops

Pritom Rajkhowa and Fangzhen Lin

Department of Computer Science

September 20, 2017

Programs are some of the most complex man-made systems.

VIAP implements the algorithm to translation a computer program to

(Inv && ¬B) ) Q

To prove the correctness of non-parallel imperative computer programs

Our system handles programs consisting of integer assignments, sequence,

<P> ::= <X> = <E> |

where <X> is an integer variable, <E> a integer expression and <C> a

Translation of Program to a first-order theory captures

X and Y denote the initial values of the corresponding program

N is a new natural number constant denoting the number of

Figure: Architecture Overview of VIAP

VIAP is implemented in python. The overall approach is illustrated in the

and include the following axioms:

(a1 + 1)2 > X ,

Leon [BKKS13] started as a verification system for the pure

Typically VIAP proves only partial correctness of a program with respect

Now if we add the following sentence to the above query:

Régis Blanc, Viktor Kuncak, Etienne Kneuss, and Philippe Suter, An

Fangzhen Lin, A formalization of programs in first-order logic with a

ThanhVu Nguyen, Deepak Kapur, Westley Weimer, and Stephanie

Você também pode gostar