Source: profs.sci.univr.it/~bonacina/talks/ETHZ+EPFL2009dpllGammaT-slides.pdf
Outline
Motivation: reasoning about software
Unsound theorem proving
DPLL(Γ + T): Superposition within SMT-solver
Decision procedures for type systems
Discussion
Decision procedures with unsound theorem proving for software verification
Maria Paola Bonacina
Dipartimento di Informatica, Università degli Studi di Verona, Verona, Italy
September 2009
Joint work with Chris Lynch (Clarkson U., NY) and Leonardo de Moura (MSR, Redmond, WA)
Maria Paola Bonacina Decision procedures with unsound theorem proving for software
Motivation: reasoning about software
  ◮ Problem statement
  ◮ Combining strengths of different reasoners
Unsound theorem proving
DPLL(Γ + T ): Superposition within SMT-solver
Decision procedures for type systems
Discussion
Motivation
◮ Software is everywhere
◮ Needed: Reliability
◮ Difficult goal: Software may be
  ◮ Artful
  ◮ Complex
  ◮ Huge
  ◮ Varied
  ◮ Old (and undocumented)
◮ Software/hardware border: blurred, evolving
◮ Superposition-based inference system Γ:
  ◮ equalities, Horn clauses, universal quantifiers
  ◮ known to be a sat-procedure for several theories of data structures
How about termination?
◮ During development conjectures are usually false because of mistakes in implementation or specification
◮ Need a theorem prover that terminates on satisfiable inputs
◮ Not possible in general:
  ◮ FOL is only semi-decidable
  ◮ First-order formulæ of linear arithmetic with uninterpreted function: not even semi-decidable
However we need less than a general solution!
Problematic axioms do occur in relevant inputs
Let ⊑ be a subtype relation and f a type constructor
◮ Transitivity
  ¬(x ⊑ y) ∨ ¬(y ⊑ z) ∨ x ⊑ z
◮ Monotonicity
  ¬(x ⊑ y) ∨ f(x) ⊑ f(y)
Resolution generates an unbounded number of clauses
In practice we need finitely many
Example:
1. ¬(x ⊑ y) ∨ f(x) ⊑ f(y)
2. a ⊑ b
generate
3. {fⁱ(a) ⊑ fⁱ(b)}_{i≥0}
In practice f(a) ⊑ f(b) or f²(a) ⊑ f²(b) often suffice to show satisfiability
Idea: Unsound theorem proving
◮ TP applied to maths: most conjectures are true
  ◮ Sacrifice completeness for efficiency
  ◮ Retain soundness: if proof found, input unsatisfiable
◮ TP applied to verification: most conjectures are false
  ◮ Sacrifice soundness for termination
  ◮ Retain completeness: if no proof, input satisfiable
◮ How do we do it: Additional axioms to enforce termination
◮ Detect unsoundness as conflict + Recover by backtracking (DPLL framework)
Example
1. ¬(x ⊑ y) ∨ f(x) ⊑ f(y)
2. a ⊑ b
3. a ⊑ f(c)
4. ¬(a ⊑ c)
Derivation:
1. Add f(x) ≃ x
2. Rewrite a ⊑ f(c) into a ⊑ c and get □ (the empty clause): backtrack!
3. Add f(f(x)) ≃ x
4. a ⊑ b yields only f(a) ⊑ f(b)
5. a ⊑ f(c) yields only f(a) ⊑ c
6. Reach saturated state and detect satisfiability
DPLL
State of derivation: M || F
◮ Decide: guess L is true, add it to M
◮ UnitPropagate: propagate consequences of assignment
◮ Conflict: detect L1 ∨ . . . ∨ Ln all false
◮ Learn: detect by resolution Li made false by assignment (not propagation)
◮ Backjump: undo assignment for Li
◮ Unsat: conflict clause is □ (the empty clause; nothing else to try)
DPLL(T)
State of derivation: M || F
◮ T-Propagate: add to M an L that is T-consequence of M
◮ T-Conflict: detect that L1, . . . , Ln in M are T-inconsistent
Since T_i-solvers build T-model:
◮ PropagateEq: add to M a ground s ≃ t true in T-model
DPLL(Γ + T): integrate Γ in DPLL(T)
◮ Idea: literals in M can be premises of Γ-inferences
◮ Stored as hypotheses in inferred clause
◮ Hypothetical clause: H ⊲ C (equivalent to ¬H ∨ C)
◮ Inferred clauses inherit hypotheses from the premises
◮ Note: don't need Γ for ground inferences
◮ Use each engine for what it is best for:
  ◮ non-ground clauses: seen only by Γ
  ◮ ground non-unit clauses: seen only by DPLL(T)
  ◮ ground unit clauses: seen by both
DPLL(Γ + T)
State of derivation: M || F
◮ Deduce: Γ-inference, e.g., superposition, using non-ground clauses in F and literals in M
◮ Backjump: remove hypothetical clauses depending on undone assignments
Unsound inferences
◮ Single unsound inference rule: add arbitrary clause C
◮ Simulate many:
  ◮ Suppress literals in long clause C ∨ D: add C and subsume
  ◮ Replace deep term t by constant a: add t ≃ a and rewrite
Controlling unsound inferences
◮ Unsound inferences to induce termination on sat input
◮ What if the unsound inference makes problem unsat?!
◮ Detect conflict and backjump:
  ◮ Keep track by adding ⌈C⌉ ⊲ C
  ◮ ⌈C⌉: new propositional variable (a "name" for C)
  ◮ Treat "unnatural failure" like "natural failure"
Unsound theorem proving in DPLL(Γ + T)
State of derivation: M || F
Inference rule:
◮ UnsoundIntro: add ⌈C⌉ ⊲ C to F and ⌈C⌉ to M
Example as done by system
1. ¬(x ⊑ y) ∨ f(x) ⊑ f(y)
2. a ⊑ b
3. a ⊑ f(c)
4. ¬(a ⊑ c)
Derivation:
1. Add ⌈f(x) ≃ x⌉ ⊲ f(x) ≃ x
2. Rewrite a ⊑ f(c) into ⌈f(x) ≃ x⌉ ⊲ a ⊑ c
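The run above, and the saturated state reached on the earlier Example slide, carried out by a small added model that is not the authors' code: monotonicity closure with the unsound axiom f^k(x) ≃ x applied as a rewrite, the conflict with ¬(a ⊑ c) under k = 1 blamed on the named axiom and retracted, then the finite saturated set under k = 2. The pair encoding of terms and the functions `saturate` and `unsound_search` are assumptions of this model.

```python
# Constructed toy model of the slides' example (hypothetical code, not the
# authors' implementation).  Term f^d(c) is the pair (d, c); atom s ⊑ t is a
# pair of terms; the only non-ground clause is monotonicity ¬(x ⊑ y) ∨ f(x) ⊑ f(y);
# the unsound axiom f^k(x) ≃ x is applied as a rewrite: depth modulo k.

def normalize(t, k):
    """Rewrite f^d(c) with f^k(x) ≃ x; k=None means no unsound axiom."""
    d, c = t
    return (d % k, c) if k else t

def lift(t):
    """Apply the type constructor f once: f^d(c) -> f^(d+1)(c)."""
    return (t[0] + 1, t[1])

def saturate(pos, neg, k=None, max_depth=8):
    """Close the positive atoms under monotonicity, rewriting with f^k(x) ≃ x.
    'unsat'     : a derived atom contradicts a negative literal (conflict)
    'sat'       : a finite saturated set was reached, no conflict
    'diverging' : terms grew past max_depth, i.e. saturation does not stop"""
    neg = {(normalize(s, k), normalize(t, k)) for s, t in neg}
    derived = {(normalize(s, k), normalize(t, k)) for s, t in pos}
    todo = list(derived)
    while todo:
        s, t = todo.pop()
        if (s, t) in neg:                       # C and ¬C present: conflict
            return 'unsat', derived
        new = (normalize(lift(s), k), normalize(lift(t), k))
        if max(new[0][0], new[1][0]) > max_depth:
            return 'diverging', derived
        if new not in derived:
            derived.add(new)
            todo.append(new)
    return 'sat', derived

def unsound_search(pos, neg, candidates=(1, 2), max_depth=8):
    """Mimic UnsoundIntro + Backjump: try each named axiom f^k(x) ≃ x in turn;
    a conflict under an unsound axiom is an 'unnatural failure' blamed on the
    axiom's name, so it is retracted; if none saturates, run the sound calculus."""
    for k in candidates:
        verdict, derived = saturate(pos, neg, k, max_depth)
        if verdict == 'sat':
            return 'sat', k, derived
    verdict, derived = saturate(pos, neg, None, max_depth)
    return verdict, None, derived

# The slides' input: a ⊑ b, a ⊑ f(c), ¬(a ⊑ c)  (constructed encoding)
A, B, C = (0, 'a'), (0, 'b'), (0, 'c')
POS = {(A, B), (A, lift(C))}
NEG = {(A, C)}
```

Without any unsound axiom `saturate(POS, NEG)` reports `'diverging'`; with k = 1 the rewritten a ⊑ c meets ¬(a ⊑ c) and the search retracts that axiom, and with k = 2 it stops at exactly the four atoms listed on the Example slide.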