Program Verification as Probabilistic Inference - PowerPoint PPT Presentation

1 / 21
About This Presentation
Title:

Program Verification as Probabilistic Inference

Description:

Inconsistency Measure. Algorithm. Experiments. 5. Consistency of an ... Where the inconsistency measure IM( 1, 2) is some approximation of the number of ... – PowerPoint PPT presentation

Number of Views:26
Avg rating:3.0/5.0
Slides: 22
Provided by: ResearchM53
Category:

less

Transcript and Presenter's Notes

Title: Program Verification as Probabilistic Inference


1
Program Verification as Probabilistic Inference
  • Sumit Gulwani Nebojsa Jojic
  • Microsoft Research, Redmond

2
Problem of Program Verification
  • Given a program with a pre/post-condition pair,
    discover proof of validity or invalidity.
  • Proof is in the form of an invariant at each
    program point that can be locally verified.

3
Example 1
x 0
Proof of Validity
?entry
y 50
?1
?2
x lt100
False
True
?exit
?3
y 100
x lt 50
True
False
?6
?4
x x 1 y y 1
x x 1
?5
?7
?8
4
Machine Learning Algorithm for Program
Verification
  • Initialize invariants at all program points to
    any element (from an abstract domain over which
    the proof exists)
  • Pick a program point (randomly) whose invariant
    is locally inconsistent update it to make it
    less inconsistent.

5
Outline
  • Inconsistency Measure
  • Algorithm
  • Experiments

6
Consistency of an invariant I at program point ?
  • I is consistent at ? iff Post(?) ) I Æ I )
    Pre(?)
  • Post(?) is the strongest postcondition of the
    invariants at the predecessors of ? at ?
  • Pre(?) is the weakest precondition of the
    invariants at the successors of ? at ?
  • Example

?1
P
s
?2
  • Post(?2) StrongestPost(P,s)
  • Pre(?2) (c ) Q) Æ ( c ) R)

I
c
?4
?3
Q
R
7
Measuring Inconsistency of an invariant I at ?
  • Local inconsistency of invariant I at program
    point ?
  • IM(Post(?), I) IM(I, Pre(?))
  • Where the inconsistency measure IM(?1, ?2) is
    some approximation of the number of program
    states that violate ?1 ) ?2

8
Example of an inconsistency measure IM
  • Consider the abstract domain of Boolean formulas
    (with the usual implication as the partial
    order).
  • Let ?1 a1 Ç Ç an in DNF
  • and ?2 b1 Æ Æ bm in CNF
  • IM(?1, ?2) ?(ai,bj)
  • where ?(ai,bj) 0, if ai ) bj
  • 1, otherwise

9
Outline
  • Inconsistency Measure Penalty Function
  • Algorithm
  • Experiments

10
Algorithm
  • Search for proof of validity and invalidity in
    parallel.
  • Same algorithm with different boundary
    conditions.
  • Proof of Validity
  • Iexit Postcondition
  • Ientry Precondition
  • Proof of Invalidity
  • Iexit Postcondition
  • Ientry ) Precondition, and Ientry is satisfiable
  • This assumes that program terminates on all
    inputs.

11
Algorithm (Continued)
  • Initialize invariant Ij at program point ?j to
    any element (from an abstract domain over which
    the proof exists)
  • While invariant at some point is locally
    inconsistent
  • Choose j randomly s.t. Ij is inconsistent at ?j
  • Update Ij s.t. inconsistency of Ij at ?j is
    minimized Sandwich Step
  • More precisely, Ij is chosen randomly with
    probability inversely proportional to its
    inconsistency at ?j (to avoid getting stuck in a
    local minima). But now, termination is only
    probabilistic.

12
Comparison with Interpolants
  • Interpolant
  • Given ?1, ?2 such that ?1 ) ?2, find ? such that
  • ?1 ) ? ) ?2
  • Vars(?) µ Vars(?1) Ã… Vars(?2)
  • Sandwich Step
  • Given ?1, ?2, find ? such that
  • IM(?1, ?) IM(?,?2) is minimum
  • (i.e., of states violating ?1 ) ? ) ?2 is
    minimum)
  • ? is from a given abstract domain

13
Intersection of Forward Backward Analysis
x 0
y 50
?1
?2
x lt100
False
True
  • - Assume abstract elements can have at most 3
    conjuncts.
  • Post(?8) x0 Æ x100 Æ (x50 Ç xy) Æ (y50 Ç
    x51). Dropping any conjunct is a valid choice at
    ?8 in a forward analysis.
  • But backward guidance from ?2 calls for keeping
    x100 and (x50 Ç xy)

?3
y 100
x lt 50
True
False
?6
?4
x x 1 y y 1
x x 1
?5
?7
?8
14
Outline
  • Inconsistency Measure Penalty Function
  • Algorithm
  • Experiments

15
Example 1
x 0
Proof of Validity
?entry
y 50
?1
?2
x lt100
False
True
?exit
?3
y 100
x lt 50
True
False
?6
?4
x x 1 y y 1
x x 1
?5
?7
?8
16
Stats Proof vs Incremental Proof of Validity
  • Black Proof of Validity
  • Grey Incremental Proof of Validity
  • Incremental proof requires fewer updates

17
Stats Different Sizes of Boolean Formulas
  • Grey 53, Black 43, White 32
  • nm denotes n conjuncts m disjuncts
  • Larger size requires fewer updates

18
Example 2
true
Proof of Validity
?entry
x 0 m 0
?1
?2
x lt n
False
True
?exit
?3
n 0 Ç 0 m lt n
?4
?6
m x
?5
?7
x x 1
?8
19
Stats Proof of Validity
  • Example 2 is easier than Example 1.
  • Easier example requires fewer updates.

20
Related Work Probabilistic Techniques
  • Used successfully in several areas of computer
    science.
  • Yields more efficient, precise, even simpler
    algorithms.
  • An earlier technique Random Interpretation POPL
    03-05
  • Discovers program invariants
  • Monte Carlo Algorithm May generate invalid
    invariants with a small probability. Running time
    is bounded.
  • Random Testing Abstract Interpretation
  • This talk Machine Learning
  • Discovers proof of validity/invalidity of a Hoare
    triple.
  • Las Vegas Algorithm Generates a correct proof.
    Running time is probabilistic.
  • Forward Analysis Backward Analysis

21
Conclusion
  • Combining Randomized Symbolic techniques is
    powerful
  • Interprocedural Random Interpretation POPL 05
  • DART PLDI 05, Yogi FSE 06
  • This work
  • Machine Learning Algorithm
  • Inconsistency Measure for an abstract domain How
    far are two abstract elements from satisfying the
    partial order?
  • Algorithm Pick a program point (randomly) whose
    invariant is locally inconsistent update it to
    make it less inconsistent.
  • Intersection of forward and backward analysis.
Write a Comment
User Comments (0)
About PowerShow.com