A SAT characterization of boolean-program correctness

1
A SAT characterization of boolean-program
correctness

• K. Rustan M. LeinoMicrosoft Research, Redmond, WA

14 Nov 2002IFIP WG 2.4 meeting, Schloß Dagstuhl,
Germany
2
Motivation
This program has performed an illegal
operation. If the problem persists, please
contact the vendor.
3
The SLAM toolkit
Tom Ball, Sriram Rajamani, et al., Microsoft
Research
Properties of interest x ?? resource is
locked y ? t gt 0
Device driver (C program)
Abstraction (boolean program)
APIERR DevGetStatus(LPSTATUS status) unsigned
int t struct _Info info for (i 0 i lt
SPIGOT_COUNT i) APIERR err info.cbSize
sizeof(struct _Info) info.iSpigot i err
W_GetStatus(info) if (err !
APIERR_Success) return err t
info.fStatus SPIGOT_ALIVE status-gtresult
t 0x2055 return APIERR_Success APIERR
W_GetStatus(struct _Info pinfo) APIERR
err bool fChanged TRUE do err
DevRegisterColumn(pinfo, TRUE) if (err !
APIERR_Success) return err if
(pinfo-gthuwMagi lt 10) fChanged
FALSE else err DevReleaseColumn(pi
nfo) while (fChanged) return
DevReleaseColumn(pinfo)
APIERR DevGetStatus(LPSTATUS status) unsigned
int t struct _Info info for (i 0 i lt
SPIGOT_COUNT i) APIERR err info.cbSize
sizeof(struct _Info) info.iSpigot i err
W_GetStatus(info) if (err !
APIERR_Success) return err t
info.fStatus SPIGOT_ALIVE status-gtresult
t 0x2055 return APIERR_Success APIERR
W_GetStatus(struct _Info pinfo) APIERR
err bool fChanged TRUE do err
DevRegisterColumn(pinfo, TRUE) if (err !
APIERR_Success) return err if
(pinfo-gthuwMagi lt 10) fChanged
FALSE else err DevReleaseColumn(pi
nfo) while (fChanged) return
DevReleaseColumn(pinfo)
y false
assert ??x
x true
x x ? y
Predicate abstraction
4
The SLAM toolkit
Tom Ball, Sriram Rajamani, et al., Microsoft
Research
Device driver (C program)
Abstraction (boolean program)
APIERR DevGetStatus(LPSTATUS status) unsigned
int t struct _Info info for (i 0 i lt
SPIGOT_COUNT i) APIERR err info.cbSize
sizeof(struct _Info) info.iSpigot i err
W_GetStatus(info) if (err !
APIERR_Success) return err t
info.fStatus SPIGOT_ALIVE status-gtresult
t 0x2055 return APIERR_Success APIERR
W_GetStatus(struct _Info pinfo) APIERR
err bool fChanged TRUE do err
DevRegisterColumn(pinfo, TRUE) if (err !
APIERR_Success) return err if
(pinfo-gthuwMagi lt 10) fChanged
FALSE else err DevReleaseColumn(pi
nfo) while (fChanged) return
DevReleaseColumn(pinfo)
APIERR DevGetStatus(LPSTATUS status) unsigned
int t struct _Info info for (i 0 i lt
SPIGOT_COUNT i) APIERR err info.cbSize
sizeof(struct _Info) info.iSpigot i err
W_GetStatus(info) if (err !
APIERR_Success) return err t
info.fStatus SPIGOT_ALIVE status-gtresult
t 0x2055 return APIERR_Success APIERR
W_GetStatus(struct _Info pinfo) APIERR
err bool fChanged TRUE do err
DevRegisterColumn(pinfo, TRUE) if (err !
APIERR_Success) return err if
(pinfo-gthuwMagi lt 10) fChanged
FALSE else err DevReleaseColumn(pi
nfo) while (fChanged) return
DevReleaseColumn(pinfo)
y false
assert ??x
assert ??x
x true
x x ? y
5
The SLAM toolkit
Tom Ball, Sriram Rajamani, et al., Microsoft
Research
Device driver (C program)
Abstraction (boolean program)
APIERR DevGetStatus(LPSTATUS status) unsigned
int t struct _Info info for (i 0 i lt
SPIGOT_COUNT i) APIERR err info.cbSize
sizeof(struct _Info) info.iSpigot i err
W_GetStatus(info) if (err !
APIERR_Success) return err t
info.fStatus SPIGOT_ALIVE status-gtresult
t 0x2055 return APIERR_Success APIERR
W_GetStatus(struct _Info pinfo) APIERR
err bool fChanged TRUE do err
DevRegisterColumn(pinfo, TRUE) if (err !
APIERR_Success) return err if
(pinfo-gthuwMagi lt 10) fChanged
FALSE else err DevReleaseColumn(pi
nfo) while (fChanged) return
DevReleaseColumn(pinfo)
APIERR DevGetStatus(LPSTATUS status) unsigned
int t struct _Info info for (i 0 i lt
SPIGOT_COUNT i) APIERR err info.cbSize
sizeof(struct _Info) info.iSpigot i err
W_GetStatus(info) if (err !
APIERR_Success) return err t
info.fStatus SPIGOT_ALIVE status-gtresult
t 0x2055 return APIERR_Success APIERR
W_GetStatus(struct _Info pinfo) APIERR
err bool fChanged TRUE do err
DevRegisterColumn(pinfo, TRUE) if (err !
APIERR_Success) return err if
(pinfo-gthuwMagi lt 10) fChanged
FALSE else err DevReleaseColumn(pi
nfo) while (fChanged) return
DevReleaseColumn(pinfo)
y false
assert ??x
assert ??x
x true
x x ? y
real error
6
The SLAM toolkit
Tom Ball, Sriram Rajamani, et al., Microsoft
Research
Device driver (C program)
Abstraction (boolean program)
APIERR DevGetStatus(LPSTATUS status) unsigned
int t struct _Info info for (i 0 i lt
SPIGOT_COUNT i) APIERR err info.cbSize
sizeof(struct _Info) info.iSpigot i err
W_GetStatus(info) if (err !
APIERR_Success) return err t
info.fStatus SPIGOT_ALIVE status-gtresult
t 0x2055 return APIERR_Success APIERR
W_GetStatus(struct _Info pinfo) APIERR
err bool fChanged TRUE do err
DevRegisterColumn(pinfo, TRUE) if (err !
APIERR_Success) return err if
(pinfo-gthuwMagi lt 10) fChanged
FALSE else err DevReleaseColumn(pi
nfo) while (fChanged) return
DevReleaseColumn(pinfo)
APIERR DevGetStatus(LPSTATUS status) unsigned
int t struct _Info info for (i 0 i lt
SPIGOT_COUNT i) APIERR err info.cbSize
sizeof(struct _Info) info.iSpigot i err
W_GetStatus(info) if (err !
APIERR_Success) return err t
info.fStatus SPIGOT_ALIVE status-gtresult
t 0x2055 return APIERR_Success APIERR
W_GetStatus(struct _Info pinfo) APIERR
err bool fChanged TRUE do err
DevRegisterColumn(pinfo, TRUE) if (err !
APIERR_Success) return err if
(pinfo-gthuwMagi lt 10) fChanged
FALSE else err DevReleaseColumn(pi
nfo) while (fChanged) return
DevReleaseColumn(pinfo)
y false
assert ??x
x true
x x ? y
infeasible path
7
The SLAM toolkit
Tom Ball, Sriram Rajamani, et al., Microsoft
Research
Properties of interest x ?? resource is
locked y ? t gt 0 z ? p?? NULL
Device driver (C program)
Abstraction (boolean program)
APIERR DevGetStatus(LPSTATUS status) unsigned
int t struct _Info info for (i 0 i lt
SPIGOT_COUNT i) APIERR err info.cbSize
sizeof(struct _Info) info.iSpigot i err
W_GetStatus(info) if (err !
APIERR_Success) return err t
info.fStatus SPIGOT_ALIVE status-gtresult
t 0x2055 return APIERR_Success APIERR
W_GetStatus(struct _Info pinfo) APIERR
err bool fChanged TRUE do err
DevRegisterColumn(pinfo, TRUE) if (err !
APIERR_Success) return err if
(pinfo-gthuwMagi lt 10) fChanged
FALSE else err DevReleaseColumn(pi
nfo) while (fChanged) return
DevReleaseColumn(pinfo)
APIERR DevGetStatus(LPSTATUS status) unsigned
int t struct _Info info for (i 0 i lt
SPIGOT_COUNT i) APIERR err info.cbSize
sizeof(struct _Info) info.iSpigot i err
W_GetStatus(info) if (err !
APIERR_Success) return err t
info.fStatus SPIGOT_ALIVE status-gtresult
t 0x2055 return APIERR_Success APIERR
W_GetStatus(struct _Info pinfo) APIERR
err bool fChanged TRUE do err
DevRegisterColumn(pinfo, TRUE) if (err !
APIERR_Success) return err if
(pinfo-gthuwMagi lt 10) fChanged
FALSE else err DevReleaseColumn(pi
nfo) while (fChanged) return
DevReleaseColumn(pinfo)
y false
assert ??x
x true
z true
x x ? y
Predicate abstraction
Predicate abstraction
if (z)
8
Boolean programs

• Prog var Id Block
• Block LabelId Stmt goto LabelId
• Stmt Id Expr assert Expr assume Expr
• Expr false true Id ?Expr Expr ? Expr
  Expr ? Expr

9
Example

• var x, yA x true goto BB assert x x
  x ? y goto B or CC

A x true
B assert x x x ? y
C
10
Semantics Weakest preconditions

• For any statement S and postcondition Q, wp(S,Q)
  characterizes those pre-states from which
  execution is guaranteed
• not to go wrong, and
• either the execution doesnt terminate or it
  terminates in a state satisfying Q

Q
S
wp(S,Q)
11
Semantics Weakest preconditions

• wp(x E, Q) QxEwp(assert E, Q) E ?
  Qwp(assume E, Q) E ? Q
• wp(skip, Q) Qwp(ST, Q) wp(S, wp(T,Q))
• wp(goto labels, Q) (? L ? labels wp(L,Q))

12
Semantics of blocks
What I write

• For any block var w L S goto
  labels introduce a boolean function L, such
  that

What I really mean
L(w) wp(S, (?G?labels G(w)))
(?w L(w) wp(S, (?G?labels G(w))) )
or equivalently
L (?w wp(S, (?G?labels G(w))) )
13
Example

• A(x,y) wp(x true, B(x,y))B(x,y)
  wp(assert x x x ? y,
  B(x,y) ? C(x,y))C(x,y) wp(skip, true)

• A(x,y) B(true,y)B(x,y) x ? B(x ? y, y) ?
  C(x ? y, y)C(x,y) true

A x true
B assert x x x ? y
C
14
Equations with multiple solutions

• A, B, C A(x,y) B(true, y) B(x,y) x ?
  B(x?y, y) ? C(x?y, y) C(x,y) true

The unknowns
Solution 0 A(x,y) false B(x,y)
false C(x,y) true
Solution 1 A(x,y) y B(x,y) x ?
y C(x,y) true
We want the weakest solution
15
Weakest solution

• A,B,C A(x,y) B(true, y) B(x,y) x ?
  B(x?y, y) ? C(x?y, y) C(x,y) true

16
Weakest solution

• A,B,C A (?x,y B(true, y)) B (?x,y x
  ? B(x?y, y) ? C(x?y, y)) C (?x,y true)

F(A,B,C)
G(A,B,C)
H(A,B,C)
17
Weakest solution/fixpoint

• A,B,C A F(A,B,C) B G(A,B,C) C
  H(A,B,C)
• where F (?x,y B(true, y)) G (?x,y
  x ? B(x?y, y) ? C(x?y, y)) H (?x,y true)

(?x,y B(true, y))
(?x,y x ? B(x?y, y) ? C(x?y, y))
Weakest solution of A,B,C
(?x,y true)
F(A,B,C)
G(A,B,C)
H(A,B,C)
F
G
H
Weakest fixpoint of F,G,H
18
Program correctness

• A program with variables w and start block A is
  correct iff (?w A(w))
• That is, the program has an error
  iff ?A(w)is satisfiable.

boolean equations, satisfiability
SAT
SAT
functions, weakest solutions
19
Equations over a closed set of terms

• Using the definitions A(x,y) B(true,
  y) B(x,y) x ? B(x?y, y) ? C(x?y, y) C(x,y)
  true
• We produce
• A(x,y) B(true, y)
• B(true, y) true ? B(true?y, y) ? C(true?y, y)
• B(true?y, y) true?y ? B(true?y?y, y) ?
  C(true?y?y, y)
• C(true?y, y) true

20
Point functions

• A function f(w) f(false) ? f(w)can be
  expressed as two point functions ffalse
  ffalse ? ffalse ftrue ffalse ? ftrue

21
Point-function equations

• A set of equations f f(w) f(false) ?
  f(w)can be expressed as ffalse, ftrue
  ffalse ffalse ? ffalse ftrue ffalse
  ? ftrue

22
A fixpoint theorem

• Given a function F on a complete lattice,if F is
  continuous, then its weakest fixpoint exists and
  is given by Fk( T )for some natural number
  k.
• k is the fixpoint depth of F
• fixpoint depth ? lattice height

T
lattice height
F k ( T )
?
23
Computing fixpoints outward

• T
• apply F
• F(T)
• apply F
• F(F(T))
• apply F
• F(F(F(T)))
• apply F
• F(F(F(F(T))))

Suppose fixpoint depth of F is 3
produced in previous step
equal to each otherweakest fixpoint of F
24
Computing fixpoints inward

• ?
• replace ? with F(?)
• F(?)
• replace ? with F(?)
• F(F(?))
• replace ? with F(?)
• F(F(F(?)))
• replace ? with T
• F(F(F(T)))

Suppose fixpoint depth of F is 3
produced in previous step
no need for further applications of F
weakest fixpoint of F
25
Multiple unknowns

• a,b a F(a,b) b G(a,b)
• Suppose fixpoint depths of F,G are 2,1
• Weakest solution for a is
• a00
• F(a10 , b10
  )
• F(F(a20, b20 ), G(a11
  , b11))
• F(F(T , G(a21, b21)), G(F(a21, b21), T ))
• F(F(T , G(T , T )), G(F(T , T ), T ))

Number of enclosing applications of G
Number of enclosing applications of F
26
Special instance

• Lattice of booleans has height 1
• If F returns a boolean, then Fs fixpoint depth
  is at most 1
• and so Fs weakest fixpoint is F(T)

27
Back to our problem

• Using the definitions A(x,y) B(true,
  y) B(x,y) x ? B(x?y, y) ? C(x?y, y) C(x,y)
  true
• We produce
• Ax,y Btrue,y
• Btrue,y true ? Btrue?y,y ? Ctrue?y,y
• By,y y ? By?y,y ? Cy?y,y

true
28
Back to our problem

• Using the definitions A(x,y) B(true,
  y) B(x,y) x ? B(x?y, y) ? C(x?y, y) C(x,y)
  true
• We produce
• Ax,y Btrue,y
• Btrue,y true ? Btrue?y,y ? Ctrue?y,y
• By,y y ? true ? Cy?y,y
• Cy,y true

29
Leibniz constraints

• Being a function means, for any f (?w,w
  (ww) ? (f(w)f(w)))Leibnizs rule
• So when we have Btrue,y By,y we
  also generate the following Leibniz constraint
  (truey) ? (yy) ? (Btrue,y By,y)

30
SAT formula

• From the closed set of terms Ax,y
  Btrue,y Btrue,y true ? Btrue?y,y ?
  Ctrue?y,y By,y y ? true ? Cy?y,y Cy,y
  true
• we produce the following SAT equations ?a a
  b b true ? b ? c b y ? true ? c c
  true y ? (bb)

a b b c
negated start symbol ?A(x,y)
Leibniz constraint
31
Summary

• Boolean program, whose semantics is defined by
  weakest solution of weakest-precondition
  equations
• Translate to SAT problem
• Instantiate equations to get a closed set of
  terms
• Replace nested recursive instantiations by true
• Conjoin negated start symbol and Leibniz
  constraints
• Write point functions as propositional variables
• Check for satisfiability
• Performance? Heuristics?
• Are Leibniz constraints really needed?
• Better encoding of procedures?

32
Complexity

• With N blocks and K variables
• each boolean function has K arguments, each a
  boolean expression
• there are 22K different boolean expressions
• So, there are N2K2K different terms
• Suppose each of the 2K initial states were
  considered individually
• each boolean-function argument can then be folded
  into one of the 2 boolean constants
• Then, there are only 2KN2K different terms

?? Symbolic checking
? Explicit-state checking
33
Symbolic vs. explicit-state checking

• The following equality (and others?) can be
  exploited heuristically to try to get a good
  balance
• f(P, Q, R)(P ? f(true, Q, R)) ? (?P ?
  f(false, Q, R))

34
Summary

• Boolean program, whose semantics is defined by
  weakest solution of weakest-precondition
  equations
• Translate to SAT problem
• Instantiate equations to get a closed set of
  terms
• Replace nested recursive instantiations by true
• Conjoin negated start symbol and Leibniz
  constraints
• Write point functions as propositional variables
• Check for satisfiability
• Performance heuristics symbolic vs.
  explicit-state
• Other heuristics?
• Are Leibniz constraints really needed?
• Better encoding of procedures?