Back to the Future:Revisiting Precise Program

Verification Using SMT Solvers

Shuvendu LahiriShaz Qadeer

Microsoft Research, Redmond

Presented earlier at POPL’08

Select(f1,b) = 5 f2 = Store(f1,a,5) Select(f2,a) + Select(f2,b) = 10is valid

{ b.f = 5 } a.f = 5 { a.f + b.f = 10 }is valid

theory of equality: f, =theory of arithmetic: 5, 10, +theory of arrays: Select, Store

iff

Constraints arising in program verification are mixed!

• [Nelson & Oppen ’79]

Satisfiability-Modulo-Theory (SMT) solvers

• Boolean satisfiability solving + theory reasoning• Ground theories

– Equality, arithmetic, Select/Store• NP-complete

• Phenomenal progress in the past few years– Yices [Dutretre&deMoura’06], – Z3 [deMoura&Bjorner’07]

• Potential to prove properties of real-world programs (ESC-JAVA, Spec#)

next

prev

data

next

prev

data

next

prev

data

channel_name

file_name

logtype

struct _logentry

log_list.head log_list.tail

LinkNode

char *

[muh: Internet Relay Chat (IRC) bouncer]

LinkNode *iter = log_list.head;while (iter != null) { struct _logentry *entry = iter->data; free (entry->channel_name); free (entry->file_name); free (entry); entry = NULL; iter = iter->next;}

For every node x in the list between log_list.head and null:x->data is a unique pointer, andx->data->channel_name is a unique pointer, andx->data->file_name is a unique pointer.

Universal quantification

Reachability predicateData structure invariant

Ensure absence of double free

Challenges in program verification

• Concise and precise expression of non-aliasing and disjointness of the heap

• Properties of unbounded collections– Lists, Arrays, Trees

• …..• …..

Limitations of SMT solvers

• No support for precise reasoning with reachability predicate– Incompleteness in Floyd-Hoare proofs for straight

line code• Brittle support for quantifiers

– Complexity: NP-complete (ground) undecidable– Leads to unpredictable behavior of verifiers

• Proof times, proof success rate

– Requires user ingenuity to craft axioms/invariants with quantifiers

HAVOC

• Heap Aware Verifier fOr C programs– Modular verifier for C programs– Being developed at MSR Redmond

• Focus on low-level systems software (file systems, device drivers, ..)– Linked lists, nested data structures, ..

Contribution

• Expressive and efficient logic for precise program verification with the heap

• A decision procedure for the logic within SMT solvers

Memory model

• Memory Model– Heap consists of a set of objects (obj)– Each field “f” is a mutable map f: obj obj

next

prev

data

next

prev

data

next

prev

data

yx

Btwnnext(x,y)

Btwnprev(y,x)

Reachability predicate: Btwnf

next

prev

data

next

prev

data

next

prev

data

yx

Inverse of a function: f-1

w

data-1(w) = {x, y}

LinkNode *iter = log_list.head;while (iter != null) { struct _logentry *entry = iter->data; free (entry->channel_name); free (entry->file_name); free (entry); entry = NULL; iter = iter->next;}

For every node x in the list between log_list.head and null:x->data is a unique pointer, and….

Data structure invariant

x Btwnf (log_list.head, null) \ {null}.data-1(data(x)) = {x} ….

Expressive logic

• Express properties of collectionsx Btwnf (f(hd), hd). state(x) = LOCKED //cyclic

• Arithmetic reasoning on data (e.g. sortedness)x Btwnf (hd, null) \ {null}.

y Btwnf (x, null) \ {null}. d(x) d(y)

• Type/object invariants x Type-1(“__logentry”).

logtype(x) > 0 file_name(x) != null

Precise

• Given the Floyd-Hoare triple X = {P} S {Q}– P and Q are expressed in our logic– S is a loop-free call-free program

• We can construct a formula Y in our logic – Y is linear in the size of X– X is valid iff Y is valid

Need annotations/abstractions only at procedure/loop boundaries

Efficient

• Decision problem is NP-complete – Can’t expect any better with propositional logic!– Retains the complexity of current SMT logics

• Provide a decision procedure for the logic on top of state-of-the-art Z3 SMT solver– Leverages powerful ground-theory reasoning

(arithmetic, arrays, uninterpreted functions…)

Rest of the talk

• Logic and decision procedure• Implementation and experience in HAVOC• Related work

Ground Logic

t Term ::= c | x | t1 + t2 | t1 - t2 | f(t)

G GFormula ::= t = t’ | t < t’ |

t Btwnf(t1, t2) | G

S Set ::= f-1(t) | Btwnf(t1, t2)F Formula ::= G | F1 F2 |F1 F2 |

x S. F

Logic

Ground decision procedure

• Provide a set of 10 rewrite rules for Btwnf

– Sound, complete and terminating• E.g. Transitivity3

t1 Btwnf(t0, t2) t Btwnf(t0, t1)

t Btwnf(t0, t2), t1 Btwnf(t, t2)

t Term ::= c | x | t1 + t2 | t1 - t2 | f(t)

G GFormula ::= t = t’ | t < t’ |

t Btwnf(t1, t2) | G

S Set ::= f-1(t) | Btwnf(t1, t2)F Formula ::= G | F1 F2 |F1 F2 |

x S. F

Logic

Bounded quantification over interpreted sets

Sort restriction

• The unsorted logic is undecidable !! • Unsorted logic Sorted logic

– Each term has a sort D, each function f has a sort D E

– There is a partial order on the sorts• Sort-restriction on x S. F

– sort(x) should be less than the sort(t[x]) for any term t[x] inside F

Sort restriction

• Sort-restriction on x S. F– sort(x) should be less than the sort(t[x]) for

any term t[x] inside F

• Sorts are quite natural– Come from program types

• Most interesting specifications can be expressed– See paper for exceptions

Lazy quantifier instantiation

• Instantiation rulet S x S. F

F[t/x]

• Lazy instantiation– Instantiate only when a term t belongs to the set S– Substantially reduces the number of terms to

instantiate a quantified fact

Implementation using triggers

• E.g. Transitivity3 t1 Btwnf(t0, t2) t Btwnf(t0, t1)

t Btwnf(t0, t2), t1 Btwnf(t, t2)

t0, t1 , t2 , t :: {Btwnf(t0, t2 , t1), Btwnf(t0, t1 , t2) } Btwnf(t0, t2 , t1) Btwnf(t0, t1 , t2)

Btwnf(t0, t2 , t) Btwnf(t, t2 , t1)

Preliminary results

• Implemented a prototype in HAVOC – Uses Boogie and Z3

• Compared with an earlier [TACAS’07] implementation– Unrestricted quantifiers, incomplete

axiomatization of reachability, no f-1

– Small to medium sized benchmarks

Experience

• Greatly improved the predictability of the verifier– Reduced runtimes (2X – 100X)– Eliminate need for carefully crafted axioms and

invariants– Can handle newer examples

• Next step: infer annotations– E.g. Interpolants (builds on SMT solver)

Related work

• Ternary reachability predicate– Nelson ‘83, Rakamaric et al. ’07

• Decidability with quantifiers (no reachability)– McPeak and Necula ‘05

• Separation logic [Berdine et al. ’04]• Second-order logic

– MONA [Moeller et al. ’01], LRP [Yorsh et al. ’06]

Ongoing work

• HAVOC available for download– www.research.microsoft.com/projects/HAVOC

• Extend the logic to other interpreted set constructors– All elements in an array– All pointers of a given type for C

Questions