Constraint-Based Static Analysis of Programs

Henny Sipma, November 16, 2006 Washington University at St Louis - p. 1/66

Constraint-Based Static Analysis ofPrograms

Joint work withMichael Colon, Sriram Sankaranarayanan, Aaron Bradley

and Zohar Manna

Henny SipmaStanford University

Master Class Seminar at Washington University at St Louis, 2006

Introduction

● Motivation

● Motivation

● Overflows

● Division by Zero

● Deadlock Freedom

● Transition Systems


● Traditional Approach

● Forward Propagation

● Problems

● Common Solution

● Example

● Example - step 1




● Constraint-Based

Constraint-based Analysis:

Overview

Computing Linear Invariants

Linear Ranking Functions

Nonlinear Invariants

Summary


Introduction

Introduction

● Motivation

● Motivation

● Overflows







● Problems

● Common Solution

● Example







Overview




Summary


Motivation

Objective: To extract information about the program behaviorfrom the program text■ invariants■ termination■ temporal properties■ . . .

Introduction

● Motivation

● Motivation

● Overflows







● Problems

● Common Solution

● Example







Overview




Summary


Trivial Example

integer i, j where i = 2 ∧ j = 0

ℓ0 : while (...) do

if (...) then

i := i + 4

else

(i, j) := (i + 2, j + 1)

i ≥ 2 , j ≥ 0 , and i − 2 j ≥ 2 are invariants.

Objective: To obtain such invariants automatically

Introduction

● Motivation

● Motivation

● Overflows







● Problems

● Common Solution

● Example







Overview




Summary


Buffer Overflow Analysis

1: int *a = malloc( sizeof(int) * n);

2: int i,j,k;

3: for(i=0; i<n; ++i)

4: for(j=0;2*j<=i;++j)

5: if (a[i] <= a[2*j+1])

6: .....

7: ...

0 ≤ i < n?

0 ≤ 2 j + 1 < n?

Check bounds for each array access.

Introduction

● Motivation

● Motivation

● Overflows







● Problems

● Common Solution

● Example







Overview




Summary


Division by Zero

1: double a,b,c

2: ....

3: while ( b > 0 || c >= 0 ) {

4: a = a + b/(c+b-1);

5: ....

6: }

c + b − 1 > 0

Prove every divisor non-zero.

Introduction

● Motivation

● Motivation

● Overflows







● Problems

● Common Solution

● Example







Overview




Summary


Deadlock Freedom

x1 x2 x3

x5

x4

x6

x7

x8

x9

x11

x14

x10

x15

x12

x13

x17

x18

x16

x19

x20

x21

x22

x23

x24

x25

Is this Petri net deadlock free? [Zhou et al. : 1992]

Introduction

● Motivation

● Motivation

● Overflows







● Problems

● Common Solution

● Example







Overview




Summary


Preliminaries: Transition Systems


l0 : while true do

i := i + 4

or

(i, j) := (i + 2, j + 1)

Transition system:⟨

L : {ℓ0}︸︷︷︸

locations

, V :{i, j}

︸︷︷︸

variables

, T : {τ1, τ2}︸︷︷︸

transitions

, Θ : (i = 2 ∧ j = 0)︸︷︷︸

initial condition

, L0 : l0︸︷︷︸

initial location

⟩

withτ1 =

⟨l0, l0, ρτ1

: (i′ = i + 4 ∧ j′ = j)⟩

τ2 =

⟨

l0, l0, ρτ2: (i′ = i + 2 ∧ j′ = j + 1)︸︷︷︸

transition relation

⟩

Introduction

● Motivation

● Motivation

● Overflows







● Problems

● Common Solution

● Example







Overview




Summary


Transition System: Execution

Computation: Infinite sequence of states 〈li, xi〉

〈ℓ0, x0〉τ1−→ 〈ℓ1, x1〉

τ2−→ 〈ℓ2, x2〉 → · · ·

such that■ Initial Condition satisfied

ℓ0 = L0 ∧ Θ(x0)

■ Consecutive states 〈ℓi, xi〉 → 〈ℓi+1, xi+1〉 satisfy sometransition

τk :⟨ℓi, ℓi+1, ρτk

(xi, xi+1)⟩

Introduction

● Motivation

● Motivation

● Overflows







● Problems

● Common Solution

● Example







Overview




Summary


Static Analysis: Traditional Approach

Symbolic forward simulation to obtain an overapproximation ofthe reachable state space (i.e. invariants)

ΘF1

F2

Breachable

states

Introduction

● Motivation

● Motivation

● Overflows







● Problems

● Common Solution

● Example







Overview




Summary


Forward Propagation

F0 : Θ

F1 : F0 ∨(∨

τ∈T postτ(F0))

F2 : F1 ∨(∨

τ∈T postτ(F1))

...

untilFi+1 → Fi

withpostτ(ϕ) : ∃V0 · (ϕ(V0) ∧ ρτ(V0,V))

Introduction

● Motivation

● Motivation

● Overflows







● Problems

● Common Solution

● Example







Overview




Summary


Problems

1. May not converge in finite timeExample:

integer i where i = 0

while true do x := x + 1

F0 : i = 0

F1 : i = 0 ∨ i = 1

F2 : i = 1 ∨ i = 1 ∨ i = 2...

We never reach: x ≥ 0

2. May not be able to detect convergence

Fn+1 → Fn

Introduction

● Motivation

● Motivation

● Overflows







● Problems

● Common Solution

● Example







Overview




Summary


Common Solution

Abstract Interpretation [Cousot&Cousot,77]: perform thesymbolic simulation in an abstract domain:

Domain converges? Reference

Linear equalities yes Karr’76Müller-Olm,Seidl,’04Gulwani+Necula’03

Linear inequalities no Cousot,Halbwachs’79Intervals no Cousot,Cousot’76Octagons no Mine’01Octahedra no Clarisó,Cortadella’04TCM no SSM’04

Use widening operator to force convergence.

Introduction

● Motivation

● Motivation

● Overflows







● Problems

● Common Solution

● Example







Overview




Summary


Example: Forward Propagation


l0 : while true do

i := i + 4

or

(i, j) := (i + 2, j + 1)

Abstract Domain: Linear Inequalities over Reals

Introduction

● Motivation

● Motivation

● Overflows







● Problems

● Common Solution

● Example







Overview




Summary


Step 1: Iteration

η0 : ( j = 0) ∧ (i = 2)

post(η0, τ1) : ( j = 0) ∧ (i = 6)

post(η0, τ2) : ( j = 1) ∧ (i = 4)

η1 : (0 ≤ j ≤ 1) ∧ (i − 2 j ≥ 2) ∧ (i + 2 j ≤ 6)

i

j(2, 0) (6, 0)

(4, 1)

τ2

τ1

b b

b

η0

Introduction

● Motivation

● Motivation

● Overflows







● Problems

● Common Solution

● Example







Overview




Summary


Step 2: Iteration

η1 : (0 ≤ j ≤ 1) ∧ (i − 2 j ≥ 2) ∧ (i + 2 j ≥ 6)

post(η1, τ1) : (0 ≤ j ≤ 1) ∧ (i − 2 j ≥ 6) ∧ (i + 2 j ≥ 10)

post(η1, τ2) : (1 ≤ j ≤ 2) ∧ (i − 2 j ≥ 2) ∧ (i + 2 j ≥ 10)

η2 : (0 ≤ j ≤ 2) ∧ (i − 2 j ≥ 2) ∧ (i + 2 j ≥ 10)

i

j(2, 0) (6, 0)

(4, 1) (8, 1)

(6, 2)

η1

(10, 0)

b

τ2

τ1

Introduction

● Motivation

● Motivation

● Overflows







● Problems

● Common Solution

● Example







Overview




Summary


Step 3: Widening Iteration

η1 : (0 ≤ j ≤ 1) ∧ (i − 2 j ≥ 2) ∧ (i + 2 j ≤ 6)

η2 : (0 ≤ j ≤ 2) ∧ (i − 2 j ≥ 2) ∧ (i + 2 j ≤ 10)

η3 : (0 ≤ j ≤ 3) ∧ (i − 2 j ≥ 2) ∧ (i + 2 j ≤ 14)

η′3= η2∇η3 : (0 ≤ j) ∧ (i − 2 j ≥ 2)

i

j(2, 0)

b

(6, 0)b

(4, 1)b

(6, 2)b

(10, 0)b

η′3

Introduction

● Motivation

● Motivation

● Overflows







● Problems

● Common Solution

● Example







Overview




Summary


Iteration: Step 4

post(η′3, τ1) : (0 ≤ j) ∧ (i − 2 j ≥ 2)

post(η′3, τ2) : (0 ≤ j) ∧ (i − 2 j ≥ 2)

η4 = η′3∪ post(η′

3, {τ1, τ2}) : (0 ≤ j) ∧ (i − 2 j ≥ 2)

i

j(2, 0)

b

η′3

Note: Termination of iteration, η4 = η′3.

The final invariants are 0 ≤ j ∧ 2 ≤ i − 2 j

Introduction

● Motivation

● Motivation

● Overflows







● Problems

● Common Solution

● Example







Overview




Summary


Constraint-based Analysis: Outline

■ Overview■ Computing linear invariants■ Computing linear ranking functions■ Computing polynomial invariants■ Related Work■ Conclusions

Introduction


Overview

● Overview




Summary


Constraint-based Analysis: Overview

Introduction


Overview

● Overview




Summary


Constraint-based Analysis: Overview

1. Fix the type and shape of the desired propertyExamples:■ linear invariant,■ linear ranking function■ polynomial invariant

2. Provide the conditions for the property to hold

3. Encode the conditions on the property as a system ofconstraints

4. Solve the constraints

5. Every solution is a property of the desired type and shape

Introduction


Overview


● 1. Fix type and shape

● 2. Property Conditions

● 2. Example

● Farkas’ Lemma

● 3.Encode Initiation

● 3. Example

● 3.Encode Consecution

● 3. Example

● 3. Example

● 4. Solve the constraints

● 4. Example

● 5. Solutions

● Summary

● Pros and Cons



Summary



Introduction


Overview




● 2. Example

● Farkas’ Lemma


● 3. Example


● 3. Example

● 3. Example


● 4. Example

● 5. Solutions

● Summary

● Pros and Cons



Summary


1. Fix type and shape

■ Type: Invariant

■ Shape:c1x1 + c2x2 + . . . + cnxn + d ≤ 0

where{x1, . . . , xn} are the program variables

and{c1, . . . , cn, d} are unknown coefficients

Introduction


Overview




● 2. Example

● Farkas’ Lemma


● 3. Example


● 3. Example

● 3. Example


● 4. Example

● 5. Solutions

● Summary

● Pros and Cons



Summary


2. Property Conditions

The property

ψ : c1x1 + c2x2 + . . . + cnxn + d ≤ 0

is an invariant of transition systemΦ : 〈V : {x1, . . . , xn} ,Θ,T : {τ1, . . . , τk}〉 if

Θ |= ψ (initiation)ψ ∧ ρτ1

|= ψ′

(consecution)...

ψ ∧ ρτk|= ψ′

that is, if■ it is implied by the initial condition, and■ it is preserved by all transitions of the system

Introduction


Overview




● 2. Example

● Farkas’ Lemma


● 3. Example


● 3. Example

● 3. Example


● 4. Example

● 5. Solutions

● Summary

● Pros and Cons



Summary


Property Conditions: Example


l0 : while true do

i := i + 4

or

(i, j) := (i + 2, j + 1)

Target invariant: ψ : c1i + c2 j + d ≤ 0

Conditions:

i = 2 ∧ j = 0︸︷︷︸

Θ

|= c1i + c2 j + d ≤ 0︸︷︷︸

ψ

c1i + c2 j + d ≤ 0 ∧ i′ = i + 4 ∧ j′ = j |= c1i′ + c2 j′ + d ≤ 0

c1i + c2 j + d ≤ 0︸︷︷︸

ψ

∧ i′ = i + 2 ∧ j′ = j + 1︸︷︷︸

ρτ1, ρτ2

|= c1i′ + c2 j′ + d ≤ 0︸︷︷︸

ψ′

Introduction


Overview




● 2. Example

● Farkas’ Lemma


● 3. Example


● 3. Example

● 3. Example


● 4. Example

● 5. Solutions

● Summary

● Pros and Cons



Summary


Farkas’ Lemma

Let S be a system of linear inequalities over real-valuedvariables x1, . . . , xn,

S :

a11x1 + · · · + a1nxn + b1 ≤ 0...

......

am1x1 + · · · + amnxn + bm ≤ 0

and ψ a linear inequality,

ψ : c1x1 + · · · + cnxn + d ≤ 0

If S is satisfiable, S |= ψ iff there exist real multipliersλ1, . . . , λm ≥ 0 such that:

c1 =

m∑

i=1

λiai1 . . . cn =

m∑

i=1

λiain d ≤ (

m∑

i=1

λibi)

Introduction


Overview




● 2. Example

● Farkas’ Lemma


● 3. Example


● 3. Example

● 3. Example


● 4. Example

● 5. Solutions

● Summary

● Pros and Cons



Summary


3. Encode the conditions: Initiation

Initiation: Θ |= c1x1 + · · · + cnxn + d ≤ 0 is encoded by

λθ,1 θ11x1 + · · · + θ1nxn + θ1,n+1 ≤ 0

Θ...

......

...

λθ,m θm1x1 + · · · + θmnxn + θm,n+1 ≤ 0

c1x1 + · · · + cnxn + d ≤ 0

which produces the constraints

SΘ : ∃(λθ,1 . . . λθ,m ≥ 0) .

c1 =∑m

i=1 λθ,iθi1 ∧

. . . ∧

cn =∑m

i=1 λθ,iθin ∧

d ≤ (∑m

i=1 λθ,iθi,n+1)

Introduction


Overview




● 2. Example

● Farkas’ Lemma


● 3. Example


● 3. Example

● 3. Example


● 4. Example

● 5. Solutions

● Summary

● Pros and Cons



Summary


Example:Encoding Initiation

Initial Condition Θ : i = 2 ∧ j = 0

λ0 − 1 ≤ 0

λ1 i − 2 ≤ 0

λ2 −i 2 ≤ 0

λ3 j ≤ 0

λ4 − j ≤ 0

c1i + c2 j + d ≤ 0 ← ψ

Constraints:

(∃ λ0,...,4 ≥ 0) [λ1 − λ2 = c1 ∧ λ3 − λ4 = c2 ∧ −λ0 − 2λ1 + 2λ2 = d]

Eliminate λ0, . . . λ4:SΘ : 2c1 + d ≤ 0

Introduction


Overview




● 2. Example

● Farkas’ Lemma


● 3. Example


● 3. Example

● 3. Example


● 4. Example

● 5. Solutions

● Summary

● Pros and Cons



Summary


3. Encode the Conditions: Consecution

Consecution:

c1x1 + · · · + cnxn + d ≤ 0 ∧ ρτi|= c1x′1 + · · · cnx′n + d ≤ 0

is encoded by

µτi c1x1 + · · · + cnxn + d ≤ 0

λτi ,1τi,11x1 + · · · + τi,1nxn + τ′

i,11x′

1+ . . . + τ′

i,1nx′n + τi,1,n+1 ≤ 0

ρτi...

.

.

.

.

.

.

.

.

.

λτi ,m τi,m1x1 + · · · + τi,mnxn + τ′i,m1

x′1+ . . . + τ′

i,mnx′n + τi,m,n+1 ≤ 0

c1x′1+ . . . + cnx′n + d ≤ 0


Sτi: ∃(µτi

, λτi,1, . . . , λτi,m ≥ 0) .

µτi c1 +∑m

j=1λτi , j

τi, j1 = 0 ∧

. . . ∧

µτi cn +∑m

j=1λτi , j

τi, jn = 0 ∧

∑mj=1

λτi , jτ′

i, j1= c1 ∧

. . . ∧∑m

j=1λτi , j

τ′i, jn= cn ∧

µτi d +∑m

j=1λτi , j

τi, j,n+1 ≤ d

Introduction


Overview




● 2. Example

● Farkas’ Lemma


● 3. Example


● 3. Example

● 3. Example


● 4. Example

● 5. Solutions

● Summary

● Pros and Cons



Summary


Example:Encoding Consecution for τ1

Transition relation ρτ1: i′ = i + 4 ∧ j′ = j

λ0 − 1 ≤ 0

µ1 c1i + c2 j + d ≤ 0 ← ψ

λ1 i − i′ + 4 = 0}

ρτ1λ2 j − j′ = 0

c1i′ + c2 j′ + d ≤ 0 ← ψ′

Constraints:

(∃λ0, µ1 ≥ 0)(∃λ1, λ2)

µ1c1 + λ1 = 0 ∧ µ2c2 + λ2 = 0 ∧

−λ1 = c1 ∧ −λ2 = c2 ∧ λ0 + µ1d + 4λ1 = d

Eliminate λ0, . . . , λ2, µ1:

Sτ1: (c1 ≤ 0) ∨ (c1 = 0 ∧ c2 = 0)

Introduction


Overview




● 2. Example

● Farkas’ Lemma


● 3. Example


● 3. Example

● 3. Example


● 4. Example

● 5. Solutions

● Summary

● Pros and Cons



Summary


Example: Combined Constraint

The overall constraint is:

(2c1 + d ≤ 0) ← Initiation

∧

(c1 ≤ 0) ∨

(c1 = 0 ∧ c2 = 0)

← τ1 consecution

∧

(2c1 + c2 ≤ 0) ∨

(c1 = 0 ∧ c2 = 0)

← τ2 consecution

which simplifies to

2c1 + d ≤ 0 ∧ c1 ≤ 0 ∧ 2c1 + c2 ≤ 0

Introduction


Overview




● 2. Example

● Farkas’ Lemma


● 3. Example


● 3. Example

● 3. Example


● 4. Example

● 5. Solutions

● Summary

● Pros and Cons



Summary



Solve the constraint systems

SΘ ∧ Sτ1∧ . . . ∧ Sτk

for {c1, . . . , cn, d}

Introduction


Overview




● 2. Example

● Farkas’ Lemma


● 3. Example


● 3. Example

● 3. Example


● 4. Example

● 5. Solutions

● Summary

● Pros and Cons



Summary


Example: Solving the Constraints

The basic solutions of

2c1 + d ≤ 0 ∧ c1 ≤ 0 ∧ 2c1 + c2 ≤ 0

arec1 c2 d c1i + c2 j + d ≤ 0

0 0 −1 −1 ≤ 0

0 −1 0 − j ≤ 0

−1 2 2 −i + 2 j + 2 ≤ 0

which corresponds to the inductive invariants

j ≥ 0 and i − 2 j ≥ 2

Introduction


Overview




● 2. Example

● Farkas’ Lemma


● 3. Example


● 3. Example

● 3. Example


● 4. Example

● 5. Solutions

● Summary

● Pros and Cons



Summary


5. Solutions

The propertyc1x1 + . . . + cnxn + d ≤ 0

is an invariant for all solutions of {c1, . . . , cn, d}.

■ Good news: The method is complete for linear systems:The solutions of {c1, . . . , cn} represent all linear inductiveinequalities of the given shape.

■ But: Requires individual inductiveness.

Introduction


Overview




● 2. Example

● Farkas’ Lemma


● 3. Example


● 3. Example

● 3. Example


● 4. Example

● 5. Solutions

● Summary

● Pros and Cons



Summary


Summary

1. Fix a target property with unknown coefficients,

c1i + c2 j + d ≤ 0

2. Encode the property conditions3. Compute constraints on the unknown coefficients,

2c1 + d ≤ 0 ∧ c1 ≤ 0 ∧ 2c1 + c2 ≤ 0

4. Solve these constraints

〈c1, c2, d〉 = 〈0,−1, 0〉〈c1, c2, d〉 = 〈−1, 2, 2〉

5. Generate the invariants

〈0,−1, 0〉 ↔ 0i − 1 j + 0 ≤ 0

〈−1, 2, 2〉 ↔ −1i + 2 j + 2 ≤ 0

Invariants: j ≥ 0 and i − 2 j ≥ 2

Introduction


Overview




● 2. Example

● Farkas’ Lemma


● 3. Example


● 3. Example

● 3. Example


● 4. Example

● 5. Solutions

● Summary

● Pros and Cons



Summary


Pros and Cons

Advantages:■ No widening necessary■ All inductive invariants are generated (or obtained as

consequences)■ System structure can be exploited to obtain linear

constraints: Petri nets

Disadvantages:■ The constraint systems Sτ1

, . . . , Sτkare nonlinear and may be

hard to solve. Tools: QEPCAD■ But: Sτ1

, . . . , Sτkare parametric linear

More efficient solution methods: factorization, polynomialroot findingTool: REDLOG [Weispfennig; Dolzmann,Sturm]

Introduction


Overview



● 1.Fix type and shape


● 3.Encode Bounded

● 3.Encode Ranking


● 5. Solutions


Summary


Computing Linear Ranking Functions

Introduction


Overview








● 5. Solutions


Summary



■ Type: Ranking function

■ Shape:c1x1 + c2x2 + . . . + cnxn + d

where{x1, . . . , xn} are the program variables

and{c1, . . . , cn, d} are unknown coefficients

Introduction


Overview








● 5. Solutions


Summary



The functionδ : c1x1 + c2x2 + . . . + cnxn + d

is a ranking function of a loopΦ : 〈V : {x1, . . . , xn} ,Θ,T : {τ1, . . . , τk}〉 if

ρτ1|= δ ≥ 0

bounded...

ρτk|= δ ≥ 0

ρτ1|= δ − δ′ > 0

ranking...

ρτk|= δ − δ′ > 0

that is, if■ it is bounded from below, and■ it is decreased by each transition

Introduction


Overview








● 5. Solutions


Summary


3. Encode the conditions: Bounded

Bounded:ρτi|= δ ≥ 0

is encoded by

λτi ,1τi,11x1 + · · · + τi,1nxn + τ′

i,11x′

1+ . . . + τ′

i,1nx′n + τi,1,n+1 ≤ 0

ρτi...

.

.

.

.

.

.

.

.

.


x′1+ . . . + τ′


−c1x1 − . . . − cnxn + − d ≤ 0


Bτi: ∃(λτi,1, . . . , λτi,m ≥ 0) .

∑mj=1

λτi , jτi, j1 = −c1 ∧

. . . ∧∑m

j=1λτi , j

τi, jn = −cn ∧

∑mj=1

λτi , jτ′

i, j1= 0 ∧

. . . ∧∑m

j=1λτi , j

τ′i, jn

= 0 ∧

−∑m

j=1λτi , j

τi, j,n+1 ≤ d

Introduction


Overview








● 5. Solutions


Summary


3. Encode the conditions: Ranking

Ranking:ρτi|= δ − δ′ > 0

is encoded by

λτi ,1τi,11x1 + · · · + τi,1nxn + τ′

i,11x′

1+ . . . + τ′

i,1nx′n + τi,1,n+1 ≤ 0

ρτi...

.

.

.

.

.

.

.

.

.


x′1+ . . . + τ′


−c1x1 − . . . − cnxn + c1x′1+ . . . + cnx′n ǫ ≤ 0


Rτi: ∃(λτi,1, . . . , λτi,m ≥ 0) .

∑mj=1

λτi , jτi, j1 = −c1 ∧

. . . ∧∑m

j=1λτi , j

τi, jn = −cn ∧

∑mj=1

λτi , jτ′

i, j1= c1 ∧

. . . ∧∑m

j=1λτi , j

τ′i, jn

= cn ∧

−∑m

j=1λτi , j

τi, j,n+1 ≤ −ǫ

Introduction


Overview








● 5. Solutions


Summary



Solve the constraint systems

Bτ1∧ . . . ∧ Bτk

∧ Rτ1∧ . . . ∧ Rτk

for {c1, . . . , cn, d}

Introduction


Overview








● 5. Solutions


Summary


5. Solutions

The functionc1x1 + c2x2 + . . . + cnxn + d

is a ranking function for all solutions of {c1, . . . , cn, d}.

■ Good news: The method is complete for linear systems:The solutions represent all linear ranking functions of thegiven (uninitialized) loop.

■ Good news:Constraints are all linear: can be solvedefficiently

■ Bad news: Most ranking functions require invariants to proveboundedness

Introduction


Overview






● Ideals

● Ideals

● Testing Ideal Membership

● Gröbner Basis Theorem



● Parametric Membership





● 5. Solutions

● Example

● Example

Summary


Computing Nonlinear Invariants

Introduction


Overview






● Ideals

● Ideals










● 5. Solutions

● Example

● Example

Summary



■ Type: Invariant

■ Shape:

c1x3 + c2x2y + c3x2z + c4xy2 + c5xyz + c6xz2+

c7y3 + c8y2z + c9yz2 + c10z3 = 0

where{x, y, z} are the program variables

and{c1, . . . , c10} are unknown coefficients

Introduction


Overview






● Ideals

● Ideals










● 5. Solutions

● Example

● Example

Summary



The property p = 0 with

p :c1x3 + c2x2y + c3x2z + c4xy2 + c5xyz + c6xz2+

c7y3 + c8y2z + c9yz2 + c10z3

is an invariant of transition systemΦ : 〈V : {x1, . . . , x10} ,Θ,T : {τ1, . . . , τk}〉 if

Θ |= p = 0 (initiation)p = 0 ∧ ρτ1

|= p′ = 0

(consecution)...

p = 0 ∧ ρτk|= p′ = 0

that is, if■ it is implied by the initial condition, and■ it is preserved by all transitions of the system

Introduction


Overview






● Ideals

● Ideals










● 5. Solutions

● Example

● Example

Summary


Linear Equalities vs Nonlinear Equalities

Computing Consequences for Polynomial Equalities

Linear Equalities Polynomial Equalitiesλ1 e1 = 0...

...

λm em = 0

e = 0

g1 p1 = 0...

...

gm pm = 0

p = 0

λ1, . . . , λm, reals g1, . . . , gm, arbitrary polynomialse = λ1e1 + · · · + λmem p = g1p1 + · · · + gmpm

e ∈ SPACE(e1, . . . , em) p ∈ IDEAL(p1, . . . , pm)

How do we test if p ∈ IDEAL(p1, . . . , pm) ?

Introduction


Overview






● Ideals

● Ideals










● 5. Solutions

● Example

● Example

Summary


Ideals

Ideal: The ideal generated by P is the set of all polynomialsof the formIdeal(P) = {g1p1 + . . . + gmpm | g1, . . . , gm polynomials}

Example: Let P = {x2 − y, y − z, x + z}.Ideal(P) =

g1(x2 − y) + g2(y − z) + g3(x + z) |

g1, g2, g3 are polynomials over x, y, z

−zx − z = 1︸︷︷︸

g1

· (x2 − y) + 1︸︷︷︸

g2

· (y − z) + −x︸︷︷︸

g3

(x + z)

Therefore, −zx − z ∈ Ideal(P).

Introduction


Overview






● Ideals

● Ideals










● 5. Solutions

● Example

● Example

Summary


Testing Ideal Membership

Summary: To test if

p1 = 0 ∧ p2 = 0 ∧ · · · ∧ pm = 0 |= p = 0

we instead test if

p ∈ Ideal({p1, . . . , pm})

i.e.,p = g1p1 + · · · + gmpm

for some g1, . . . gm.

How do we test if p ∈ Ideal(P)?

Introduction


Overview






● Ideals

● Ideals










● 5. Solutions

● Example

● Example

Summary


Gröbner Basis Theorem

Given any set of polynomials P, compute special set ofpolynomials G, such that

■ Ideal(G) = Ideal(P),

■G−→ is confluent and terminating.

G is called the Gröbner basis of P.For any polynomial p, unique normal form

pG−→ · · ·

G−→ NFG(p)

Theorem: p ∈ Ideal(P) iff NFG(p) = 0.

Introduction


Overview






● Ideals

● Ideals










● 5. Solutions

● Example

● Example

Summary



How do we test if p ∈ IDEAL(p1, . . . , pm) ?

1. Compute Gröbner basis G for {p1, . . . , pm}.Use Buchberger’s Algorithm + Refinements

2. Compute normal form for p, denoted NF(p),

3. p ∈ IDEAL(p1, . . . , pm) iff NFG(p) = 0.

Introduction


Overview






● Ideals

● Ideals










● 5. Solutions

● Example

● Example

Summary



Example: Let P = {p1 : x2 − y, p2 : y + z, p3 : x − z}.

Can we find out if x2 − z ∈ Ideal(P) usingP−→?

No!

Gröbner basis of P is

G = {z2 − z, y − z, x + z}

Can we find out usingG−→?

Yes!

Any sequence of reductions from x2 − z has normal form 0.

Introduction


Overview






● Ideals

● Ideals










● 5. Solutions

● Example

● Example

Summary


Parametric Membership Problem

Let P = {p1 : x2 − y, p2 : y + z, p3 : x − z}.Problem: For what values of c1, c2, . . . , c5 is the polynomial

p : c1x2+ x2y2

+ c3z2+ c4z + c5 ∈ Ideal(P)?

Solution:1. Compute the Gröbner basis of P,

G = {z2 − z, y − z, x + z}

2. Compute Normal Form of P,

(c1 + c2 + c3 + c4)z + c5

3. Set every coefficient to be zero,

(c1 + c2 + c3 + c4 = 0) ∧ (c5 = 0)

Introduction


Overview






● Ideals

● Ideals










● 5. Solutions

● Example

● Example

Summary


Parametric Membership Problem

Note: For solutions to c1, . . . , c5 that satisfy

(c1 + c2 + c3 + c4 = 0) ∧ (c5 = 0)

it follows that

p : c1x2+ x2y2

+ c3z2+ c4z + c5 ∈ Ideal(P)

Introduction


Overview






● Ideals

● Ideals










● 5. Solutions

● Example

● Example

Summary


3. Encode the conditions: Initiation

The conditionΘ |= p = 0

is encoded by reducing p wrt to the Gröbner basis G of ((Θ)):

pG−→ NF(p)

and settingNF(p) ≡ 0

which produces a set SΘ of linear constraints on {c1, . . . c10}.

Introduction


Overview






● Ideals

● Ideals










● 5. Solutions

● Example

● Example

Summary


3. Encode the conditions: Consecution

The conditionp = 0 ∧ ρτi

|= p′ = 0

is not practical to encode. Instead we encode one of

ρτi|= p′ = 0

ρτi|= p′ − p = 0

which result in a set Sτiof linear constraints

∃λ ∈ R ρτi|= p′ − λp = 0

∃q ∈ R[x1, . . . , xn] ρτi|= p′ − qp = 0

which result in a set of nonlinear constraints.

Introduction


Overview






● Ideals

● Ideals










● 5. Solutions

● Example

● Example

Summary



SolveSΘ ∧ Sτ1

∧ . . . ∧ Sτk

for {c1, . . . , c10}

Introduction


Overview






● Ideals

● Ideals










● 5. Solutions

● Example

● Example

Summary


5. Solutions

The property


c7y3 + c8y2z + c9yz2 + c10z3 = 0

is an invariant for all solutions of {c1, . . . , c10}

■ Good news: Constraints are all linear: can be solvedefficiently

■ Bad news: Invariants are missed because of strengtheningthe conditions

Introduction


Overview






● Ideals

● Ideals










● 5. Solutions

● Example

● Example

Summary


Example: Nonlinear Invariant Generation

integer i, j, k, s where (s = 0 ∧ j = k ∧ j ≥ 0)

l0 : while (k ≥ 0) do

l1 : (s, k) := (s + i, k − 1)

l2 :

Target Invariant: p = c1s + c2ik + c3i j + c4 jk + c5

Question: For what values of c1, . . . , c5, is p = 0 inductive at l0?

Introduction


Overview






● Ideals

● Ideals










● 5. Solutions

● Example

● Example

Summary


Example: Nonlinear Invariant Generation

1. Fix a template (usually a “generic polynomial” of degree m ),

c1s + c2ik + c3i j + c4 jk + c5

2. Generate constraints by encoding initiation andconsecution,

c2 + c3 = 0 ∧ c4 = c5 = 0 ∧ c1 − c2 = 0

3. Solve the constraints,

c3 = 1, c1 = c2 = −1, c4 = c5 = 0

4. Generate the invariant

−s − ik + i j = 0

Invariant: s = i( j − k) at l0.

Introduction


Overview




Summary

● Advantages

● Advantages

● Papers

● Related Work● Current Topics of

Investigation


Summary

Introduction


Overview




Summary

● Advantages

● Advantages

● Papers


Investigation


Advantages of Constraint-based Approach

■ Controlling the complexity of the constraints

◆ Strengthen the conditions on the property

Θ |= ψ

ψ ∧ ρτ |= ψ′=⇒

Θ |= ψ

ρτ |= ψ′

parametric linear constraints linear constraints

◆ Constrain the property


c7y3 + c8y2z + c9yz2 + c10z3

⇓

c1x3 + c2xy2 + c3xz2 + c4y2z

Introduction


Overview




Summary

● Advantages

● Advantages

● Papers


Investigation


Advantages of Constraint-based Approach

■ Not limited to invariants◆ termination◆ temporal properties (LTL safety)

■ Applicable to any domain that allows computation ofconsequences

■ Can exploit system structure to simplify the constraintsystem◆ Petri nets

■ Can take advantage of new results in constraint solvingcommunity

Introduction


Overview




Summary

● Advantages

● Advantages

● Papers


Investigation


Papers

■ Termination analysis (TACAS’01, CAV’02, CAV’05)

■ Linear invariant generation (CAV’03, SAS’04, VMCAI’05,VMCAI’06)

■ Nonlinear invariant generation (POPL’04)

■ Nonlinear invariant generation for hybrid systems (HSCC’04)

■ Differential equations (HSCC’06)

Sriram Sankaranarayanan, Mathematical Analysis ofPrograms, PhD Thesis, Stanford, 2005.

Introduction


Overview




Summary

● Advantages

● Advantages

● Papers


Investigation


Related Work

■ Set-constraint based analysis◆ - [Heintze’93]◆ - [Aiken’99]

■ Termination analysis◆ - [Podelski,Rybalchenko,VMCAI’04,LICS’04]◆ - [Cousot, VMCAI’05]

■ Nonlinear invariants◆ - [Bensalem et al, SAS’00]◆ - [Müller-Olm,Seidl,SAS’02,POPL’04]◆ - [Tiwari et al, TACAS’01,HSCC’03]◆ - [Rodriguez-Carbonell,Kapur,ISSAC’04]◆ - [Cousot, VMCAI’05]

Introduction


Overview




Summary

● Advantages

● Advantages

● Papers


Investigation


Current Topics of Investigation

■ Classification of systems with simpler constraint systems

■ Extension to game properties (ATL*)

■ Extension to other domains, in particular nonlinearinequalities

■ More efficient constraint solving strategies

Constraint-Based Static Analysis of Programs

Documents