Upload
others
View
7
Download
0
Embed Size (px)
Citation preview
Henny Sipma, November 16, 2006 Washington University at St Louis - p. 1/66
Constraint-Based Static Analysis ofPrograms
Joint work withMichael Colon, Sriram Sankaranarayanan, Aaron Bradley
and Zohar Manna
Henny SipmaStanford University
Master Class Seminar at Washington University at St Louis, 2006
Introduction
● Motivation
● Motivation
● Overflows
● Division by Zero
● Deadlock Freedom
● Transition Systems
● Transition Systems
● Traditional Approach
● Forward Propagation
● Problems
● Common Solution
● Example
● Example - step 1
● Example - step 2
● Example - step 3
● Example - step 4
● Constraint-Based
Constraint-based Analysis:
Overview
Computing Linear Invariants
Linear Ranking Functions
Nonlinear Invariants
Summary
Henny Sipma, November 16, 2006 Washington University at St Louis - p. 2/66
Introduction
Introduction
● Motivation
● Motivation
● Overflows
● Division by Zero
● Deadlock Freedom
● Transition Systems
● Transition Systems
● Traditional Approach
● Forward Propagation
● Problems
● Common Solution
● Example
● Example - step 1
● Example - step 2
● Example - step 3
● Example - step 4
● Constraint-Based
Constraint-based Analysis:
Overview
Computing Linear Invariants
Linear Ranking Functions
Nonlinear Invariants
Summary
Henny Sipma, November 16, 2006 Washington University at St Louis - p. 3/66
Motivation
Objective: To extract information about the program behaviorfrom the program text■ invariants■ termination■ temporal properties■ . . .
Introduction
● Motivation
● Motivation
● Overflows
● Division by Zero
● Deadlock Freedom
● Transition Systems
● Transition Systems
● Traditional Approach
● Forward Propagation
● Problems
● Common Solution
● Example
● Example - step 1
● Example - step 2
● Example - step 3
● Example - step 4
● Constraint-Based
Constraint-based Analysis:
Overview
Computing Linear Invariants
Linear Ranking Functions
Nonlinear Invariants
Summary
Henny Sipma, November 16, 2006 Washington University at St Louis - p. 4/66
Trivial Example
integer i, j where i = 2 ∧ j = 0
ℓ0 : while (...) do
if (...) then
i := i + 4
else
(i, j) := (i + 2, j + 1)
i ≥ 2 , j ≥ 0 , and i − 2 j ≥ 2 are invariants.
Objective: To obtain such invariants automatically
Introduction
● Motivation
● Motivation
● Overflows
● Division by Zero
● Deadlock Freedom
● Transition Systems
● Transition Systems
● Traditional Approach
● Forward Propagation
● Problems
● Common Solution
● Example
● Example - step 1
● Example - step 2
● Example - step 3
● Example - step 4
● Constraint-Based
Constraint-based Analysis:
Overview
Computing Linear Invariants
Linear Ranking Functions
Nonlinear Invariants
Summary
Henny Sipma, November 16, 2006 Washington University at St Louis - p. 5/66
Buffer Overflow Analysis
1: int *a = malloc( sizeof(int) * n);
2: int i,j,k;
3: for(i=0; i<n; ++i)
4: for(j=0;2*j<=i;++j)
5: if (a[i] <= a[2*j+1])
6: .....
7: ...
0 ≤ i < n?
0 ≤ 2 j + 1 < n?
Check bounds for each array access.
Introduction
● Motivation
● Motivation
● Overflows
● Division by Zero
● Deadlock Freedom
● Transition Systems
● Transition Systems
● Traditional Approach
● Forward Propagation
● Problems
● Common Solution
● Example
● Example - step 1
● Example - step 2
● Example - step 3
● Example - step 4
● Constraint-Based
Constraint-based Analysis:
Overview
Computing Linear Invariants
Linear Ranking Functions
Nonlinear Invariants
Summary
Henny Sipma, November 16, 2006 Washington University at St Louis - p. 6/66
Division by Zero
1: double a,b,c
2: ....
3: while ( b > 0 || c >= 0 ) {
4: a = a + b/(c+b-1);
5: ....
6: }
c + b − 1 > 0
Prove every divisor non-zero.
Introduction
● Motivation
● Motivation
● Overflows
● Division by Zero
● Deadlock Freedom
● Transition Systems
● Transition Systems
● Traditional Approach
● Forward Propagation
● Problems
● Common Solution
● Example
● Example - step 1
● Example - step 2
● Example - step 3
● Example - step 4
● Constraint-Based
Constraint-based Analysis:
Overview
Computing Linear Invariants
Linear Ranking Functions
Nonlinear Invariants
Summary
Henny Sipma, November 16, 2006 Washington University at St Louis - p. 7/66
Deadlock Freedom
x1 x2 x3
x5
x4
x6
x7
x8
x9
x11
x14
x10
x15
x12
x13
x17
x18
x16
x19
x20
x21
x22
x23
x24
x25
Is this Petri net deadlock free? [Zhou et al. : 1992]
Introduction
● Motivation
● Motivation
● Overflows
● Division by Zero
● Deadlock Freedom
● Transition Systems
● Transition Systems
● Traditional Approach
● Forward Propagation
● Problems
● Common Solution
● Example
● Example - step 1
● Example - step 2
● Example - step 3
● Example - step 4
● Constraint-Based
Constraint-based Analysis:
Overview
Computing Linear Invariants
Linear Ranking Functions
Nonlinear Invariants
Summary
Henny Sipma, November 16, 2006 Washington University at St Louis - p. 8/66
Preliminaries: Transition Systems
integer i, j where i = 2 ∧ j = 0
l0 : while true do
i := i + 4
or
(i, j) := (i + 2, j + 1)
Transition system:⟨
L : {ℓ0}︸ ︷︷ ︸
locations
, V :{i, j}
︸ ︷︷ ︸
variables
, T : {τ1, τ2}︸ ︷︷ ︸
transitions
, Θ : (i = 2 ∧ j = 0)︸ ︷︷ ︸
initial condition
, L0 : l0︸︷︷︸
initial location
⟩
withτ1 =
⟨l0, l0, ρτ1
: (i′ = i + 4 ∧ j′ = j)⟩
τ2 =
⟨
l0, l0, ρτ2: (i′ = i + 2 ∧ j′ = j + 1)︸ ︷︷ ︸
transition relation
⟩
Introduction
● Motivation
● Motivation
● Overflows
● Division by Zero
● Deadlock Freedom
● Transition Systems
● Transition Systems
● Traditional Approach
● Forward Propagation
● Problems
● Common Solution
● Example
● Example - step 1
● Example - step 2
● Example - step 3
● Example - step 4
● Constraint-Based
Constraint-based Analysis:
Overview
Computing Linear Invariants
Linear Ranking Functions
Nonlinear Invariants
Summary
Henny Sipma, November 16, 2006 Washington University at St Louis - p. 9/66
Transition System: Execution
Computation: Infinite sequence of states 〈li, xi〉
〈ℓ0, x0〉τ1−→ 〈ℓ1, x1〉
τ2−→ 〈ℓ2, x2〉 → · · ·
such that■ Initial Condition satisfied
ℓ0 = L0 ∧ Θ(x0)
■ Consecutive states 〈ℓi, xi〉 → 〈ℓi+1, xi+1〉 satisfy sometransition
τk :⟨ℓi, ℓi+1, ρτk
(xi, xi+1)⟩
Introduction
● Motivation
● Motivation
● Overflows
● Division by Zero
● Deadlock Freedom
● Transition Systems
● Transition Systems
● Traditional Approach
● Forward Propagation
● Problems
● Common Solution
● Example
● Example - step 1
● Example - step 2
● Example - step 3
● Example - step 4
● Constraint-Based
Constraint-based Analysis:
Overview
Computing Linear Invariants
Linear Ranking Functions
Nonlinear Invariants
Summary
Henny Sipma, November 16, 2006 Washington University at St Louis - p. 10/66
Static Analysis: Traditional Approach
Symbolic forward simulation to obtain an overapproximation ofthe reachable state space (i.e. invariants)
ΘF1
F2
Breachable
states
Introduction
● Motivation
● Motivation
● Overflows
● Division by Zero
● Deadlock Freedom
● Transition Systems
● Transition Systems
● Traditional Approach
● Forward Propagation
● Problems
● Common Solution
● Example
● Example - step 1
● Example - step 2
● Example - step 3
● Example - step 4
● Constraint-Based
Constraint-based Analysis:
Overview
Computing Linear Invariants
Linear Ranking Functions
Nonlinear Invariants
Summary
Henny Sipma, November 16, 2006 Washington University at St Louis - p. 11/66
Forward Propagation
F0 : Θ
F1 : F0 ∨(∨
τ∈T postτ(F0))
F2 : F1 ∨(∨
τ∈T postτ(F1))
...
untilFi+1 → Fi
withpostτ(ϕ) : ∃V0 · (ϕ(V0) ∧ ρτ(V0,V))
Introduction
● Motivation
● Motivation
● Overflows
● Division by Zero
● Deadlock Freedom
● Transition Systems
● Transition Systems
● Traditional Approach
● Forward Propagation
● Problems
● Common Solution
● Example
● Example - step 1
● Example - step 2
● Example - step 3
● Example - step 4
● Constraint-Based
Constraint-based Analysis:
Overview
Computing Linear Invariants
Linear Ranking Functions
Nonlinear Invariants
Summary
Henny Sipma, November 16, 2006 Washington University at St Louis - p. 12/66
Problems
1. May not converge in finite timeExample:
integer i where i = 0
while true do x := x + 1
F0 : i = 0
F1 : i = 0 ∨ i = 1
F2 : i = 1 ∨ i = 1 ∨ i = 2...
We never reach: x ≥ 0
2. May not be able to detect convergence
Fn+1 → Fn
Introduction
● Motivation
● Motivation
● Overflows
● Division by Zero
● Deadlock Freedom
● Transition Systems
● Transition Systems
● Traditional Approach
● Forward Propagation
● Problems
● Common Solution
● Example
● Example - step 1
● Example - step 2
● Example - step 3
● Example - step 4
● Constraint-Based
Constraint-based Analysis:
Overview
Computing Linear Invariants
Linear Ranking Functions
Nonlinear Invariants
Summary
Henny Sipma, November 16, 2006 Washington University at St Louis - p. 13/66
Common Solution
Abstract Interpretation [Cousot&Cousot,77]: perform thesymbolic simulation in an abstract domain:
Domain converges? Reference
Linear equalities yes Karr’76Müller-Olm,Seidl,’04Gulwani+Necula’03
Linear inequalities no Cousot,Halbwachs’79Intervals no Cousot,Cousot’76Octagons no Mine’01Octahedra no Clarisó,Cortadella’04TCM no SSM’04
Use widening operator to force convergence.
Introduction
● Motivation
● Motivation
● Overflows
● Division by Zero
● Deadlock Freedom
● Transition Systems
● Transition Systems
● Traditional Approach
● Forward Propagation
● Problems
● Common Solution
● Example
● Example - step 1
● Example - step 2
● Example - step 3
● Example - step 4
● Constraint-Based
Constraint-based Analysis:
Overview
Computing Linear Invariants
Linear Ranking Functions
Nonlinear Invariants
Summary
Henny Sipma, November 16, 2006 Washington University at St Louis - p. 14/66
Example: Forward Propagation
integer i, j where i = 2 ∧ j = 0
l0 : while true do
i := i + 4
or
(i, j) := (i + 2, j + 1)
Abstract Domain: Linear Inequalities over Reals
Introduction
● Motivation
● Motivation
● Overflows
● Division by Zero
● Deadlock Freedom
● Transition Systems
● Transition Systems
● Traditional Approach
● Forward Propagation
● Problems
● Common Solution
● Example
● Example - step 1
● Example - step 2
● Example - step 3
● Example - step 4
● Constraint-Based
Constraint-based Analysis:
Overview
Computing Linear Invariants
Linear Ranking Functions
Nonlinear Invariants
Summary
Henny Sipma, November 16, 2006 Washington University at St Louis - p. 15/66
Step 1: Iteration
η0 : ( j = 0) ∧ (i = 2)
post(η0, τ1) : ( j = 0) ∧ (i = 6)
post(η0, τ2) : ( j = 1) ∧ (i = 4)
η1 : (0 ≤ j ≤ 1) ∧ (i − 2 j ≥ 2) ∧ (i + 2 j ≤ 6)
i
j(2, 0) (6, 0)
(4, 1)
τ2
τ1
b b
b
η0
Introduction
● Motivation
● Motivation
● Overflows
● Division by Zero
● Deadlock Freedom
● Transition Systems
● Transition Systems
● Traditional Approach
● Forward Propagation
● Problems
● Common Solution
● Example
● Example - step 1
● Example - step 2
● Example - step 3
● Example - step 4
● Constraint-Based
Constraint-based Analysis:
Overview
Computing Linear Invariants
Linear Ranking Functions
Nonlinear Invariants
Summary
Henny Sipma, November 16, 2006 Washington University at St Louis - p. 16/66
Step 2: Iteration
η1 : (0 ≤ j ≤ 1) ∧ (i − 2 j ≥ 2) ∧ (i + 2 j ≥ 6)
post(η1, τ1) : (0 ≤ j ≤ 1) ∧ (i − 2 j ≥ 6) ∧ (i + 2 j ≥ 10)
post(η1, τ2) : (1 ≤ j ≤ 2) ∧ (i − 2 j ≥ 2) ∧ (i + 2 j ≥ 10)
η2 : (0 ≤ j ≤ 2) ∧ (i − 2 j ≥ 2) ∧ (i + 2 j ≥ 10)
i
j(2, 0) (6, 0)
(4, 1) (8, 1)
(6, 2)
η1
(10, 0)
b
τ2
τ1
Introduction
● Motivation
● Motivation
● Overflows
● Division by Zero
● Deadlock Freedom
● Transition Systems
● Transition Systems
● Traditional Approach
● Forward Propagation
● Problems
● Common Solution
● Example
● Example - step 1
● Example - step 2
● Example - step 3
● Example - step 4
● Constraint-Based
Constraint-based Analysis:
Overview
Computing Linear Invariants
Linear Ranking Functions
Nonlinear Invariants
Summary
Henny Sipma, November 16, 2006 Washington University at St Louis - p. 17/66
Step 3: Widening Iteration
η1 : (0 ≤ j ≤ 1) ∧ (i − 2 j ≥ 2) ∧ (i + 2 j ≤ 6)
η2 : (0 ≤ j ≤ 2) ∧ (i − 2 j ≥ 2) ∧ (i + 2 j ≤ 10)
η3 : (0 ≤ j ≤ 3) ∧ (i − 2 j ≥ 2) ∧ (i + 2 j ≤ 14)
η′3= η2∇η3 : (0 ≤ j) ∧ (i − 2 j ≥ 2)
i
j(2, 0)
b
(6, 0)b
(4, 1)b
(6, 2)b
(10, 0)b
η′3
Introduction
● Motivation
● Motivation
● Overflows
● Division by Zero
● Deadlock Freedom
● Transition Systems
● Transition Systems
● Traditional Approach
● Forward Propagation
● Problems
● Common Solution
● Example
● Example - step 1
● Example - step 2
● Example - step 3
● Example - step 4
● Constraint-Based
Constraint-based Analysis:
Overview
Computing Linear Invariants
Linear Ranking Functions
Nonlinear Invariants
Summary
Henny Sipma, November 16, 2006 Washington University at St Louis - p. 18/66
Iteration: Step 4
post(η′3, τ1) : (0 ≤ j) ∧ (i − 2 j ≥ 2)
post(η′3, τ2) : (0 ≤ j) ∧ (i − 2 j ≥ 2)
η4 = η′3∪ post(η′
3, {τ1, τ2}) : (0 ≤ j) ∧ (i − 2 j ≥ 2)
i
j(2, 0)
b
η′3
Note: Termination of iteration, η4 = η′3.
The final invariants are 0 ≤ j ∧ 2 ≤ i − 2 j
Introduction
● Motivation
● Motivation
● Overflows
● Division by Zero
● Deadlock Freedom
● Transition Systems
● Transition Systems
● Traditional Approach
● Forward Propagation
● Problems
● Common Solution
● Example
● Example - step 1
● Example - step 2
● Example - step 3
● Example - step 4
● Constraint-Based
Constraint-based Analysis:
Overview
Computing Linear Invariants
Linear Ranking Functions
Nonlinear Invariants
Summary
Henny Sipma, November 16, 2006 Washington University at St Louis - p. 19/66
Constraint-based Analysis: Outline
■ Overview■ Computing linear invariants■ Computing linear ranking functions■ Computing polynomial invariants■ Related Work■ Conclusions
Introduction
Constraint-based Analysis:
Overview
● Overview
Computing Linear Invariants
Linear Ranking Functions
Nonlinear Invariants
Summary
Henny Sipma, November 16, 2006 Washington University at St Louis - p. 20/66
Constraint-based Analysis: Overview
Introduction
Constraint-based Analysis:
Overview
● Overview
Computing Linear Invariants
Linear Ranking Functions
Nonlinear Invariants
Summary
Henny Sipma, November 16, 2006 Washington University at St Louis - p. 21/66
Constraint-based Analysis: Overview
1. Fix the type and shape of the desired propertyExamples:■ linear invariant,■ linear ranking function■ polynomial invariant
2. Provide the conditions for the property to hold
3. Encode the conditions on the property as a system ofconstraints
4. Solve the constraints
5. Every solution is a property of the desired type and shape
Introduction
Constraint-based Analysis:
Overview
Computing Linear Invariants
● 1. Fix type and shape
● 2. Property Conditions
● 2. Example
● Farkas’ Lemma
● 3.Encode Initiation
● 3. Example
● 3.Encode Consecution
● 3. Example
● 3. Example
● 4. Solve the constraints
● 4. Example
● 5. Solutions
● Summary
● Pros and Cons
Linear Ranking Functions
Nonlinear Invariants
Summary
Henny Sipma, November 16, 2006 Washington University at St Louis - p. 22/66
Computing Linear Invariants
Introduction
Constraint-based Analysis:
Overview
Computing Linear Invariants
● 1. Fix type and shape
● 2. Property Conditions
● 2. Example
● Farkas’ Lemma
● 3.Encode Initiation
● 3. Example
● 3.Encode Consecution
● 3. Example
● 3. Example
● 4. Solve the constraints
● 4. Example
● 5. Solutions
● Summary
● Pros and Cons
Linear Ranking Functions
Nonlinear Invariants
Summary
Henny Sipma, November 16, 2006 Washington University at St Louis - p. 23/66
1. Fix type and shape
■ Type: Invariant
■ Shape:c1x1 + c2x2 + . . . + cnxn + d ≤ 0
where{x1, . . . , xn} are the program variables
and{c1, . . . , cn, d} are unknown coefficients
Introduction
Constraint-based Analysis:
Overview
Computing Linear Invariants
● 1. Fix type and shape
● 2. Property Conditions
● 2. Example
● Farkas’ Lemma
● 3.Encode Initiation
● 3. Example
● 3.Encode Consecution
● 3. Example
● 3. Example
● 4. Solve the constraints
● 4. Example
● 5. Solutions
● Summary
● Pros and Cons
Linear Ranking Functions
Nonlinear Invariants
Summary
Henny Sipma, November 16, 2006 Washington University at St Louis - p. 24/66
2. Property Conditions
The property
ψ : c1x1 + c2x2 + . . . + cnxn + d ≤ 0
is an invariant of transition systemΦ : 〈V : {x1, . . . , xn} ,Θ,T : {τ1, . . . , τk}〉 if
Θ |= ψ (initiation)ψ ∧ ρτ1
|= ψ′
(consecution)...
ψ ∧ ρτk|= ψ′
that is, if■ it is implied by the initial condition, and■ it is preserved by all transitions of the system
Introduction
Constraint-based Analysis:
Overview
Computing Linear Invariants
● 1. Fix type and shape
● 2. Property Conditions
● 2. Example
● Farkas’ Lemma
● 3.Encode Initiation
● 3. Example
● 3.Encode Consecution
● 3. Example
● 3. Example
● 4. Solve the constraints
● 4. Example
● 5. Solutions
● Summary
● Pros and Cons
Linear Ranking Functions
Nonlinear Invariants
Summary
Henny Sipma, November 16, 2006 Washington University at St Louis - p. 25/66
Property Conditions: Example
integer i, j where i = 2 ∧ j = 0
l0 : while true do
i := i + 4
or
(i, j) := (i + 2, j + 1)
Target invariant: ψ : c1i + c2 j + d ≤ 0
Conditions:
i = 2 ∧ j = 0︸ ︷︷ ︸
Θ
|= c1i + c2 j + d ≤ 0︸ ︷︷ ︸
ψ
c1i + c2 j + d ≤ 0 ∧ i′ = i + 4 ∧ j′ = j |= c1i′ + c2 j′ + d ≤ 0
c1i + c2 j + d ≤ 0︸ ︷︷ ︸
ψ
∧ i′ = i + 2 ∧ j′ = j + 1︸ ︷︷ ︸
ρτ1, ρτ2
|= c1i′ + c2 j′ + d ≤ 0︸ ︷︷ ︸
ψ′
Introduction
Constraint-based Analysis:
Overview
Computing Linear Invariants
● 1. Fix type and shape
● 2. Property Conditions
● 2. Example
● Farkas’ Lemma
● 3.Encode Initiation
● 3. Example
● 3.Encode Consecution
● 3. Example
● 3. Example
● 4. Solve the constraints
● 4. Example
● 5. Solutions
● Summary
● Pros and Cons
Linear Ranking Functions
Nonlinear Invariants
Summary
Henny Sipma, November 16, 2006 Washington University at St Louis - p. 26/66
Farkas’ Lemma
Let S be a system of linear inequalities over real-valuedvariables x1, . . . , xn,
S :
a11x1 + · · · + a1nxn + b1 ≤ 0...
......
am1x1 + · · · + amnxn + bm ≤ 0
and ψ a linear inequality,
ψ : c1x1 + · · · + cnxn + d ≤ 0
If S is satisfiable, S |= ψ iff there exist real multipliersλ1, . . . , λm ≥ 0 such that:
c1 =
m∑
i=1
λiai1 . . . cn =
m∑
i=1
λiain d ≤ (
m∑
i=1
λibi)
Introduction
Constraint-based Analysis:
Overview
Computing Linear Invariants
● 1. Fix type and shape
● 2. Property Conditions
● 2. Example
● Farkas’ Lemma
● 3.Encode Initiation
● 3. Example
● 3.Encode Consecution
● 3. Example
● 3. Example
● 4. Solve the constraints
● 4. Example
● 5. Solutions
● Summary
● Pros and Cons
Linear Ranking Functions
Nonlinear Invariants
Summary
Henny Sipma, November 16, 2006 Washington University at St Louis - p. 27/66
3. Encode the conditions: Initiation
Initiation: Θ |= c1x1 + · · · + cnxn + d ≤ 0 is encoded by
λθ,1 θ11x1 + · · · + θ1nxn + θ1,n+1 ≤ 0
Θ...
......
...
λθ,m θm1x1 + · · · + θmnxn + θm,n+1 ≤ 0
c1x1 + · · · + cnxn + d ≤ 0
which produces the constraints
SΘ : ∃(λθ,1 . . . λθ,m ≥ 0) .
c1 =∑m
i=1 λθ,iθi1 ∧
. . . ∧
cn =∑m
i=1 λθ,iθin ∧
d ≤ (∑m
i=1 λθ,iθi,n+1)
Introduction
Constraint-based Analysis:
Overview
Computing Linear Invariants
● 1. Fix type and shape
● 2. Property Conditions
● 2. Example
● Farkas’ Lemma
● 3.Encode Initiation
● 3. Example
● 3.Encode Consecution
● 3. Example
● 3. Example
● 4. Solve the constraints
● 4. Example
● 5. Solutions
● Summary
● Pros and Cons
Linear Ranking Functions
Nonlinear Invariants
Summary
Henny Sipma, November 16, 2006 Washington University at St Louis - p. 28/66
Example:Encoding Initiation
Initial Condition Θ : i = 2 ∧ j = 0
λ0 − 1 ≤ 0
λ1 i − 2 ≤ 0
λ2 −i 2 ≤ 0
λ3 j ≤ 0
λ4 − j ≤ 0
c1i + c2 j + d ≤ 0 ← ψ
Constraints:
(∃ λ0,...,4 ≥ 0) [λ1 − λ2 = c1 ∧ λ3 − λ4 = c2 ∧ −λ0 − 2λ1 + 2λ2 = d]
Eliminate λ0, . . . λ4:SΘ : 2c1 + d ≤ 0
Introduction
Constraint-based Analysis:
Overview
Computing Linear Invariants
● 1. Fix type and shape
● 2. Property Conditions
● 2. Example
● Farkas’ Lemma
● 3.Encode Initiation
● 3. Example
● 3.Encode Consecution
● 3. Example
● 3. Example
● 4. Solve the constraints
● 4. Example
● 5. Solutions
● Summary
● Pros and Cons
Linear Ranking Functions
Nonlinear Invariants
Summary
Henny Sipma, November 16, 2006 Washington University at St Louis - p. 29/66
3. Encode the Conditions: Consecution
Consecution:
c1x1 + · · · + cnxn + d ≤ 0 ∧ ρτi|= c1x′1 + · · · cnx′n + d ≤ 0
is encoded by
µτi c1x1 + · · · + cnxn + d ≤ 0
λτi ,1τi,11x1 + · · · + τi,1nxn + τ′
i,11x′
1+ . . . + τ′
i,1nx′n + τi,1,n+1 ≤ 0
ρτi...
.
.
.
.
.
.
.
.
.
λτi ,m τi,m1x1 + · · · + τi,mnxn + τ′i,m1
x′1+ . . . + τ′
i,mnx′n + τi,m,n+1 ≤ 0
c1x′1+ . . . + cnx′n + d ≤ 0
which produces the constraints
Sτi: ∃(µτi
, λτi,1, . . . , λτi,m ≥ 0) .
µτi c1 +∑m
j=1λτi , j
τi, j1 = 0 ∧
. . . ∧
µτi cn +∑m
j=1λτi , j
τi, jn = 0 ∧
∑mj=1
λτi , jτ′
i, j1= c1 ∧
. . . ∧∑m
j=1λτi , j
τ′i, jn= cn ∧
µτi d +∑m
j=1λτi , j
τi, j,n+1 ≤ d
Introduction
Constraint-based Analysis:
Overview
Computing Linear Invariants
● 1. Fix type and shape
● 2. Property Conditions
● 2. Example
● Farkas’ Lemma
● 3.Encode Initiation
● 3. Example
● 3.Encode Consecution
● 3. Example
● 3. Example
● 4. Solve the constraints
● 4. Example
● 5. Solutions
● Summary
● Pros and Cons
Linear Ranking Functions
Nonlinear Invariants
Summary
Henny Sipma, November 16, 2006 Washington University at St Louis - p. 30/66
Example:Encoding Consecution for τ1
Transition relation ρτ1: i′ = i + 4 ∧ j′ = j
λ0 − 1 ≤ 0
µ1 c1i + c2 j + d ≤ 0 ← ψ
λ1 i − i′ + 4 = 0}
ρτ1λ2 j − j′ = 0
c1i′ + c2 j′ + d ≤ 0 ← ψ′
Constraints:
(∃λ0, µ1 ≥ 0)(∃λ1, λ2)
µ1c1 + λ1 = 0 ∧ µ2c2 + λ2 = 0 ∧
−λ1 = c1 ∧ −λ2 = c2 ∧ λ0 + µ1d + 4λ1 = d
Eliminate λ0, . . . , λ2, µ1:
Sτ1: (c1 ≤ 0) ∨ (c1 = 0 ∧ c2 = 0)
Introduction
Constraint-based Analysis:
Overview
Computing Linear Invariants
● 1. Fix type and shape
● 2. Property Conditions
● 2. Example
● Farkas’ Lemma
● 3.Encode Initiation
● 3. Example
● 3.Encode Consecution
● 3. Example
● 3. Example
● 4. Solve the constraints
● 4. Example
● 5. Solutions
● Summary
● Pros and Cons
Linear Ranking Functions
Nonlinear Invariants
Summary
Henny Sipma, November 16, 2006 Washington University at St Louis - p. 31/66
Example: Combined Constraint
The overall constraint is:
(2c1 + d ≤ 0) ← Initiation
∧
(c1 ≤ 0) ∨
(c1 = 0 ∧ c2 = 0)
← τ1 consecution
∧
(2c1 + c2 ≤ 0) ∨
(c1 = 0 ∧ c2 = 0)
← τ2 consecution
which simplifies to
2c1 + d ≤ 0 ∧ c1 ≤ 0 ∧ 2c1 + c2 ≤ 0
Introduction
Constraint-based Analysis:
Overview
Computing Linear Invariants
● 1. Fix type and shape
● 2. Property Conditions
● 2. Example
● Farkas’ Lemma
● 3.Encode Initiation
● 3. Example
● 3.Encode Consecution
● 3. Example
● 3. Example
● 4. Solve the constraints
● 4. Example
● 5. Solutions
● Summary
● Pros and Cons
Linear Ranking Functions
Nonlinear Invariants
Summary
Henny Sipma, November 16, 2006 Washington University at St Louis - p. 32/66
4. Solve the constraints
Solve the constraint systems
SΘ ∧ Sτ1∧ . . . ∧ Sτk
for {c1, . . . , cn, d}
Introduction
Constraint-based Analysis:
Overview
Computing Linear Invariants
● 1. Fix type and shape
● 2. Property Conditions
● 2. Example
● Farkas’ Lemma
● 3.Encode Initiation
● 3. Example
● 3.Encode Consecution
● 3. Example
● 3. Example
● 4. Solve the constraints
● 4. Example
● 5. Solutions
● Summary
● Pros and Cons
Linear Ranking Functions
Nonlinear Invariants
Summary
Henny Sipma, November 16, 2006 Washington University at St Louis - p. 33/66
Example: Solving the Constraints
The basic solutions of
2c1 + d ≤ 0 ∧ c1 ≤ 0 ∧ 2c1 + c2 ≤ 0
arec1 c2 d c1i + c2 j + d ≤ 0
0 0 −1 −1 ≤ 0
0 −1 0 − j ≤ 0
−1 2 2 −i + 2 j + 2 ≤ 0
which corresponds to the inductive invariants
j ≥ 0 and i − 2 j ≥ 2
Introduction
Constraint-based Analysis:
Overview
Computing Linear Invariants
● 1. Fix type and shape
● 2. Property Conditions
● 2. Example
● Farkas’ Lemma
● 3.Encode Initiation
● 3. Example
● 3.Encode Consecution
● 3. Example
● 3. Example
● 4. Solve the constraints
● 4. Example
● 5. Solutions
● Summary
● Pros and Cons
Linear Ranking Functions
Nonlinear Invariants
Summary
Henny Sipma, November 16, 2006 Washington University at St Louis - p. 34/66
5. Solutions
The propertyc1x1 + . . . + cnxn + d ≤ 0
is an invariant for all solutions of {c1, . . . , cn, d}.
■ Good news: The method is complete for linear systems:The solutions of {c1, . . . , cn} represent all linear inductiveinequalities of the given shape.
■ But: Requires individual inductiveness.
Introduction
Constraint-based Analysis:
Overview
Computing Linear Invariants
● 1. Fix type and shape
● 2. Property Conditions
● 2. Example
● Farkas’ Lemma
● 3.Encode Initiation
● 3. Example
● 3.Encode Consecution
● 3. Example
● 3. Example
● 4. Solve the constraints
● 4. Example
● 5. Solutions
● Summary
● Pros and Cons
Linear Ranking Functions
Nonlinear Invariants
Summary
Henny Sipma, November 16, 2006 Washington University at St Louis - p. 35/66
Summary
1. Fix a target property with unknown coefficients,
c1i + c2 j + d ≤ 0
2. Encode the property conditions3. Compute constraints on the unknown coefficients,
2c1 + d ≤ 0 ∧ c1 ≤ 0 ∧ 2c1 + c2 ≤ 0
4. Solve these constraints
〈c1, c2, d〉 = 〈0,−1, 0〉 〈c1, c2, d〉 = 〈−1, 2, 2〉
5. Generate the invariants
〈0,−1, 0〉 ↔ 0i − 1 j + 0 ≤ 0
〈−1, 2, 2〉 ↔ −1i + 2 j + 2 ≤ 0
Invariants: j ≥ 0 and i − 2 j ≥ 2
Introduction
Constraint-based Analysis:
Overview
Computing Linear Invariants
● 1. Fix type and shape
● 2. Property Conditions
● 2. Example
● Farkas’ Lemma
● 3.Encode Initiation
● 3. Example
● 3.Encode Consecution
● 3. Example
● 3. Example
● 4. Solve the constraints
● 4. Example
● 5. Solutions
● Summary
● Pros and Cons
Linear Ranking Functions
Nonlinear Invariants
Summary
Henny Sipma, November 16, 2006 Washington University at St Louis - p. 36/66
Pros and Cons
Advantages:■ No widening necessary■ All inductive invariants are generated (or obtained as
consequences)■ System structure can be exploited to obtain linear
constraints: Petri nets
Disadvantages:■ The constraint systems Sτ1
, . . . , Sτkare nonlinear and may be
hard to solve. Tools: QEPCAD■ But: Sτ1
, . . . , Sτkare parametric linear
More efficient solution methods: factorization, polynomialroot findingTool: REDLOG [Weispfennig; Dolzmann,Sturm]
Introduction
Constraint-based Analysis:
Overview
Computing Linear Invariants
Linear Ranking Functions
● 1.Fix type and shape
● 2. Property Conditions
● 3.Encode Bounded
● 3.Encode Ranking
● 4. Solve the constraints
● 5. Solutions
Nonlinear Invariants
Summary
Henny Sipma, November 16, 2006 Washington University at St Louis - p. 37/66
Computing Linear Ranking Functions
Introduction
Constraint-based Analysis:
Overview
Computing Linear Invariants
Linear Ranking Functions
● 1.Fix type and shape
● 2. Property Conditions
● 3.Encode Bounded
● 3.Encode Ranking
● 4. Solve the constraints
● 5. Solutions
Nonlinear Invariants
Summary
Henny Sipma, November 16, 2006 Washington University at St Louis - p. 38/66
1. Fix type and shape
■ Type: Ranking function
■ Shape:c1x1 + c2x2 + . . . + cnxn + d
where{x1, . . . , xn} are the program variables
and{c1, . . . , cn, d} are unknown coefficients
Introduction
Constraint-based Analysis:
Overview
Computing Linear Invariants
Linear Ranking Functions
● 1.Fix type and shape
● 2. Property Conditions
● 3.Encode Bounded
● 3.Encode Ranking
● 4. Solve the constraints
● 5. Solutions
Nonlinear Invariants
Summary
Henny Sipma, November 16, 2006 Washington University at St Louis - p. 39/66
2. Property Conditions
The functionδ : c1x1 + c2x2 + . . . + cnxn + d
is a ranking function of a loopΦ : 〈V : {x1, . . . , xn} ,Θ,T : {τ1, . . . , τk}〉 if
ρτ1|= δ ≥ 0
bounded...
ρτk|= δ ≥ 0
ρτ1|= δ − δ′ > 0
ranking...
ρτk|= δ − δ′ > 0
that is, if■ it is bounded from below, and■ it is decreased by each transition
Introduction
Constraint-based Analysis:
Overview
Computing Linear Invariants
Linear Ranking Functions
● 1.Fix type and shape
● 2. Property Conditions
● 3.Encode Bounded
● 3.Encode Ranking
● 4. Solve the constraints
● 5. Solutions
Nonlinear Invariants
Summary
Henny Sipma, November 16, 2006 Washington University at St Louis - p. 40/66
3. Encode the conditions: Bounded
Bounded:ρτi|= δ ≥ 0
is encoded by
λτi ,1τi,11x1 + · · · + τi,1nxn + τ′
i,11x′
1+ . . . + τ′
i,1nx′n + τi,1,n+1 ≤ 0
ρτi...
.
.
.
.
.
.
.
.
.
λτi ,m τi,m1x1 + · · · + τi,mnxn + τ′i,m1
x′1+ . . . + τ′
i,mnx′n + τi,m,n+1 ≤ 0
−c1x1 − . . . − cnxn + − d ≤ 0
which produces the constraints
Bτi: ∃(λτi,1, . . . , λτi,m ≥ 0) .
∑mj=1
λτi , jτi, j1 = −c1 ∧
. . . ∧∑m
j=1λτi , j
τi, jn = −cn ∧
∑mj=1
λτi , jτ′
i, j1= 0 ∧
. . . ∧∑m
j=1λτi , j
τ′i, jn
= 0 ∧
−∑m
j=1λτi , j
τi, j,n+1 ≤ d
Introduction
Constraint-based Analysis:
Overview
Computing Linear Invariants
Linear Ranking Functions
● 1.Fix type and shape
● 2. Property Conditions
● 3.Encode Bounded
● 3.Encode Ranking
● 4. Solve the constraints
● 5. Solutions
Nonlinear Invariants
Summary
Henny Sipma, November 16, 2006 Washington University at St Louis - p. 41/66
3. Encode the conditions: Ranking
Ranking:ρτi|= δ − δ′ > 0
is encoded by
λτi ,1τi,11x1 + · · · + τi,1nxn + τ′
i,11x′
1+ . . . + τ′
i,1nx′n + τi,1,n+1 ≤ 0
ρτi...
.
.
.
.
.
.
.
.
.
λτi ,m τi,m1x1 + · · · + τi,mnxn + τ′i,m1
x′1+ . . . + τ′
i,mnx′n + τi,m,n+1 ≤ 0
−c1x1 − . . . − cnxn + c1x′1+ . . . + cnx′n ǫ ≤ 0
which produces the constraints
Rτi: ∃(λτi,1, . . . , λτi,m ≥ 0) .
∑mj=1
λτi , jτi, j1 = −c1 ∧
. . . ∧∑m
j=1λτi , j
τi, jn = −cn ∧
∑mj=1
λτi , jτ′
i, j1= c1 ∧
. . . ∧∑m
j=1λτi , j
τ′i, jn
= cn ∧
−∑m
j=1λτi , j
τi, j,n+1 ≤ −ǫ
Introduction
Constraint-based Analysis:
Overview
Computing Linear Invariants
Linear Ranking Functions
● 1.Fix type and shape
● 2. Property Conditions
● 3.Encode Bounded
● 3.Encode Ranking
● 4. Solve the constraints
● 5. Solutions
Nonlinear Invariants
Summary
Henny Sipma, November 16, 2006 Washington University at St Louis - p. 42/66
4. Solve the constraints
Solve the constraint systems
Bτ1∧ . . . ∧ Bτk
∧ Rτ1∧ . . . ∧ Rτk
for {c1, . . . , cn, d}
Introduction
Constraint-based Analysis:
Overview
Computing Linear Invariants
Linear Ranking Functions
● 1.Fix type and shape
● 2. Property Conditions
● 3.Encode Bounded
● 3.Encode Ranking
● 4. Solve the constraints
● 5. Solutions
Nonlinear Invariants
Summary
Henny Sipma, November 16, 2006 Washington University at St Louis - p. 43/66
5. Solutions
The functionc1x1 + c2x2 + . . . + cnxn + d
is a ranking function for all solutions of {c1, . . . , cn, d}.
■ Good news: The method is complete for linear systems:The solutions represent all linear ranking functions of thegiven (uninitialized) loop.
■ Good news:Constraints are all linear: can be solvedefficiently
■ Bad news: Most ranking functions require invariants to proveboundedness
Introduction
Constraint-based Analysis:
Overview
Computing Linear Invariants
Linear Ranking Functions
Nonlinear Invariants
● 1. Fix type and shape
● 2. Property Conditions
● Ideals
● Ideals
● Testing Ideal Membership
● Gröbner Basis Theorem
● Testing Ideal Membership
● Testing Ideal Membership
● Parametric Membership
● Parametric Membership
● 3.Encode Initiation
● 3.Encode Consecution
● 4. Solve the constraints
● 5. Solutions
● Example
● Example
Summary
Henny Sipma, November 16, 2006 Washington University at St Louis - p. 44/66
Computing Nonlinear Invariants
Introduction
Constraint-based Analysis:
Overview
Computing Linear Invariants
Linear Ranking Functions
Nonlinear Invariants
● 1. Fix type and shape
● 2. Property Conditions
● Ideals
● Ideals
● Testing Ideal Membership
● Gröbner Basis Theorem
● Testing Ideal Membership
● Testing Ideal Membership
● Parametric Membership
● Parametric Membership
● 3.Encode Initiation
● 3.Encode Consecution
● 4. Solve the constraints
● 5. Solutions
● Example
● Example
Summary
Henny Sipma, November 16, 2006 Washington University at St Louis - p. 45/66
1. Fix type and shape
■ Type: Invariant
■ Shape:
c1x3 + c2x2y + c3x2z + c4xy2 + c5xyz + c6xz2+
c7y3 + c8y2z + c9yz2 + c10z3 = 0
where{x, y, z} are the program variables
and{c1, . . . , c10} are unknown coefficients
Introduction
Constraint-based Analysis:
Overview
Computing Linear Invariants
Linear Ranking Functions
Nonlinear Invariants
● 1. Fix type and shape
● 2. Property Conditions
● Ideals
● Ideals
● Testing Ideal Membership
● Gröbner Basis Theorem
● Testing Ideal Membership
● Testing Ideal Membership
● Parametric Membership
● Parametric Membership
● 3.Encode Initiation
● 3.Encode Consecution
● 4. Solve the constraints
● 5. Solutions
● Example
● Example
Summary
Henny Sipma, November 16, 2006 Washington University at St Louis - p. 46/66
2. Property Conditions
The property p = 0 with
p :c1x3 + c2x2y + c3x2z + c4xy2 + c5xyz + c6xz2+
c7y3 + c8y2z + c9yz2 + c10z3
is an invariant of transition systemΦ : 〈V : {x1, . . . , x10} ,Θ,T : {τ1, . . . , τk}〉 if
Θ |= p = 0 (initiation)p = 0 ∧ ρτ1
|= p′ = 0
(consecution)...
p = 0 ∧ ρτk|= p′ = 0
that is, if■ it is implied by the initial condition, and■ it is preserved by all transitions of the system
Introduction
Constraint-based Analysis:
Overview
Computing Linear Invariants
Linear Ranking Functions
Nonlinear Invariants
● 1. Fix type and shape
● 2. Property Conditions
● Ideals
● Ideals
● Testing Ideal Membership
● Gröbner Basis Theorem
● Testing Ideal Membership
● Testing Ideal Membership
● Parametric Membership
● Parametric Membership
● 3.Encode Initiation
● 3.Encode Consecution
● 4. Solve the constraints
● 5. Solutions
● Example
● Example
Summary
Henny Sipma, November 16, 2006 Washington University at St Louis - p. 47/66
Linear Equalities vs Nonlinear Equalities
Computing Consequences for Polynomial Equalities
Linear Equalities Polynomial Equalitiesλ1 e1 = 0...
...
λm em = 0
e = 0
g1 p1 = 0...
...
gm pm = 0
p = 0
λ1, . . . , λm, reals g1, . . . , gm, arbitrary polynomialse = λ1e1 + · · · + λmem p = g1p1 + · · · + gmpm
e ∈ SPACE(e1, . . . , em) p ∈ IDEAL(p1, . . . , pm)
How do we test if p ∈ IDEAL(p1, . . . , pm) ?
Introduction
Constraint-based Analysis:
Overview
Computing Linear Invariants
Linear Ranking Functions
Nonlinear Invariants
● 1. Fix type and shape
● 2. Property Conditions
● Ideals
● Ideals
● Testing Ideal Membership
● Gröbner Basis Theorem
● Testing Ideal Membership
● Testing Ideal Membership
● Parametric Membership
● Parametric Membership
● 3.Encode Initiation
● 3.Encode Consecution
● 4. Solve the constraints
● 5. Solutions
● Example
● Example
Summary
Henny Sipma, November 16, 2006 Washington University at St Louis - p. 48/66
Ideals
Ideal: The ideal generated by P is the set of all polynomialsof the formIdeal(P) = {g1p1 + . . . + gmpm | g1, . . . , gm polynomials}
Example: Let P = {x2 − y, y − z, x + z}.Ideal(P) =
g1(x2 − y) + g2(y − z) + g3(x + z) |
g1, g2, g3 are polynomials over x, y, z
−zx − z = 1︸︷︷︸
g1
· (x2 − y) + 1︸︷︷︸
g2
· (y − z) + −x︸︷︷︸
g3
(x + z)
Therefore, −zx − z ∈ Ideal(P).
Introduction
Constraint-based Analysis:
Overview
Computing Linear Invariants
Linear Ranking Functions
Nonlinear Invariants
● 1. Fix type and shape
● 2. Property Conditions
● Ideals
● Ideals
● Testing Ideal Membership
● Gröbner Basis Theorem
● Testing Ideal Membership
● Testing Ideal Membership
● Parametric Membership
● Parametric Membership
● 3.Encode Initiation
● 3.Encode Consecution
● 4. Solve the constraints
● 5. Solutions
● Example
● Example
Summary
Henny Sipma, November 16, 2006 Washington University at St Louis - p. 49/66
Testing Ideal Membership
Summary: To test if
p1 = 0 ∧ p2 = 0 ∧ · · · ∧ pm = 0 |= p = 0
we instead test if
p ∈ Ideal({p1, . . . , pm})
i.e.,p = g1p1 + · · · + gmpm
for some g1, . . . gm.
How do we test if p ∈ Ideal(P)?
Introduction
Constraint-based Analysis:
Overview
Computing Linear Invariants
Linear Ranking Functions
Nonlinear Invariants
● 1. Fix type and shape
● 2. Property Conditions
● Ideals
● Ideals
● Testing Ideal Membership
● Gröbner Basis Theorem
● Testing Ideal Membership
● Testing Ideal Membership
● Parametric Membership
● Parametric Membership
● 3.Encode Initiation
● 3.Encode Consecution
● 4. Solve the constraints
● 5. Solutions
● Example
● Example
Summary
Henny Sipma, November 16, 2006 Washington University at St Louis - p. 50/66
Gröbner Basis Theorem
Given any set of polynomials P, compute special set ofpolynomials G, such that
■ Ideal(G) = Ideal(P),
■G−→ is confluent and terminating.
G is called the Gröbner basis of P.For any polynomial p, unique normal form
pG−→ · · ·
G−→ NFG(p)
Theorem: p ∈ Ideal(P) iff NFG(p) = 0.
Introduction
Constraint-based Analysis:
Overview
Computing Linear Invariants
Linear Ranking Functions
Nonlinear Invariants
● 1. Fix type and shape
● 2. Property Conditions
● Ideals
● Ideals
● Testing Ideal Membership
● Gröbner Basis Theorem
● Testing Ideal Membership
● Testing Ideal Membership
● Parametric Membership
● Parametric Membership
● 3.Encode Initiation
● 3.Encode Consecution
● 4. Solve the constraints
● 5. Solutions
● Example
● Example
Summary
Henny Sipma, November 16, 2006 Washington University at St Louis - p. 51/66
Testing Ideal Membership
How do we test if p ∈ IDEAL(p1, . . . , pm) ?
1. Compute Gröbner basis G for {p1, . . . , pm}.Use Buchberger’s Algorithm + Refinements
2. Compute normal form for p, denoted NF(p),
3. p ∈ IDEAL(p1, . . . , pm) iff NFG(p) = 0.
Introduction
Constraint-based Analysis:
Overview
Computing Linear Invariants
Linear Ranking Functions
Nonlinear Invariants
● 1. Fix type and shape
● 2. Property Conditions
● Ideals
● Ideals
● Testing Ideal Membership
● Gröbner Basis Theorem
● Testing Ideal Membership
● Testing Ideal Membership
● Parametric Membership
● Parametric Membership
● 3.Encode Initiation
● 3.Encode Consecution
● 4. Solve the constraints
● 5. Solutions
● Example
● Example
Summary
Henny Sipma, November 16, 2006 Washington University at St Louis - p. 52/66
Testing Ideal Membership
Example: Let P = {p1 : x2 − y, p2 : y + z, p3 : x − z}.
Can we find out if x2 − z ∈ Ideal(P) usingP−→?
No!
Gröbner basis of P is
G = {z2 − z, y − z, x + z}
Can we find out usingG−→?
Yes!
Any sequence of reductions from x2 − z has normal form 0.
Introduction
Constraint-based Analysis:
Overview
Computing Linear Invariants
Linear Ranking Functions
Nonlinear Invariants
● 1. Fix type and shape
● 2. Property Conditions
● Ideals
● Ideals
● Testing Ideal Membership
● Gröbner Basis Theorem
● Testing Ideal Membership
● Testing Ideal Membership
● Parametric Membership
● Parametric Membership
● 3.Encode Initiation
● 3.Encode Consecution
● 4. Solve the constraints
● 5. Solutions
● Example
● Example
Summary
Henny Sipma, November 16, 2006 Washington University at St Louis - p. 53/66
Parametric Membership Problem
Let P = {p1 : x2 − y, p2 : y + z, p3 : x − z}.Problem: For what values of c1, c2, . . . , c5 is the polynomial
p : c1x2+ x2y2
+ c3z2+ c4z + c5 ∈ Ideal(P)?
Solution:1. Compute the Gröbner basis of P,
G = {z2 − z, y − z, x + z}
2. Compute Normal Form of P,
(c1 + c2 + c3 + c4)z + c5
3. Set every coefficient to be zero,
(c1 + c2 + c3 + c4 = 0) ∧ (c5 = 0)
Introduction
Constraint-based Analysis:
Overview
Computing Linear Invariants
Linear Ranking Functions
Nonlinear Invariants
● 1. Fix type and shape
● 2. Property Conditions
● Ideals
● Ideals
● Testing Ideal Membership
● Gröbner Basis Theorem
● Testing Ideal Membership
● Testing Ideal Membership
● Parametric Membership
● Parametric Membership
● 3.Encode Initiation
● 3.Encode Consecution
● 4. Solve the constraints
● 5. Solutions
● Example
● Example
Summary
Henny Sipma, November 16, 2006 Washington University at St Louis - p. 54/66
Parametric Membership Problem
Note: For solutions to c1, . . . , c5 that satisfy
(c1 + c2 + c3 + c4 = 0) ∧ (c5 = 0)
it follows that
p : c1x2+ x2y2
+ c3z2+ c4z + c5 ∈ Ideal(P)
Introduction
Constraint-based Analysis:
Overview
Computing Linear Invariants
Linear Ranking Functions
Nonlinear Invariants
● 1. Fix type and shape
● 2. Property Conditions
● Ideals
● Ideals
● Testing Ideal Membership
● Gröbner Basis Theorem
● Testing Ideal Membership
● Testing Ideal Membership
● Parametric Membership
● Parametric Membership
● 3.Encode Initiation
● 3.Encode Consecution
● 4. Solve the constraints
● 5. Solutions
● Example
● Example
Summary
Henny Sipma, November 16, 2006 Washington University at St Louis - p. 55/66
3. Encode the conditions: Initiation
The conditionΘ |= p = 0
is encoded by reducing p wrt to the Gröbner basis G of ((Θ)):
pG−→ NF(p)
and settingNF(p) ≡ 0
which produces a set SΘ of linear constraints on {c1, . . . c10}.
Introduction
Constraint-based Analysis:
Overview
Computing Linear Invariants
Linear Ranking Functions
Nonlinear Invariants
● 1. Fix type and shape
● 2. Property Conditions
● Ideals
● Ideals
● Testing Ideal Membership
● Gröbner Basis Theorem
● Testing Ideal Membership
● Testing Ideal Membership
● Parametric Membership
● Parametric Membership
● 3.Encode Initiation
● 3.Encode Consecution
● 4. Solve the constraints
● 5. Solutions
● Example
● Example
Summary
Henny Sipma, November 16, 2006 Washington University at St Louis - p. 56/66
3. Encode the conditions: Consecution
The conditionp = 0 ∧ ρτi
|= p′ = 0
is not practical to encode. Instead we encode one of
ρτi|= p′ = 0
ρτi|= p′ − p = 0
which result in a set Sτiof linear constraints
∃λ ∈ R ρτi|= p′ − λp = 0
∃q ∈ R[x1, . . . , xn] ρτi|= p′ − qp = 0
which result in a set of nonlinear constraints.
Introduction
Constraint-based Analysis:
Overview
Computing Linear Invariants
Linear Ranking Functions
Nonlinear Invariants
● 1. Fix type and shape
● 2. Property Conditions
● Ideals
● Ideals
● Testing Ideal Membership
● Gröbner Basis Theorem
● Testing Ideal Membership
● Testing Ideal Membership
● Parametric Membership
● Parametric Membership
● 3.Encode Initiation
● 3.Encode Consecution
● 4. Solve the constraints
● 5. Solutions
● Example
● Example
Summary
Henny Sipma, November 16, 2006 Washington University at St Louis - p. 57/66
4. Solve the constraints
SolveSΘ ∧ Sτ1
∧ . . . ∧ Sτk
for {c1, . . . , c10}
Introduction
Constraint-based Analysis:
Overview
Computing Linear Invariants
Linear Ranking Functions
Nonlinear Invariants
● 1. Fix type and shape
● 2. Property Conditions
● Ideals
● Ideals
● Testing Ideal Membership
● Gröbner Basis Theorem
● Testing Ideal Membership
● Testing Ideal Membership
● Parametric Membership
● Parametric Membership
● 3.Encode Initiation
● 3.Encode Consecution
● 4. Solve the constraints
● 5. Solutions
● Example
● Example
Summary
Henny Sipma, November 16, 2006 Washington University at St Louis - p. 58/66
5. Solutions
The property
c1x3 + c2x2y + c3x2z + c4xy2 + c5xyz + c6xz2+
c7y3 + c8y2z + c9yz2 + c10z3 = 0
is an invariant for all solutions of {c1, . . . , c10}
■ Good news: Constraints are all linear: can be solvedefficiently
■ Bad news: Invariants are missed because of strengtheningthe conditions
Introduction
Constraint-based Analysis:
Overview
Computing Linear Invariants
Linear Ranking Functions
Nonlinear Invariants
● 1. Fix type and shape
● 2. Property Conditions
● Ideals
● Ideals
● Testing Ideal Membership
● Gröbner Basis Theorem
● Testing Ideal Membership
● Testing Ideal Membership
● Parametric Membership
● Parametric Membership
● 3.Encode Initiation
● 3.Encode Consecution
● 4. Solve the constraints
● 5. Solutions
● Example
● Example
Summary
Henny Sipma, November 16, 2006 Washington University at St Louis - p. 59/66
Example: Nonlinear Invariant Generation
integer i, j, k, s where (s = 0 ∧ j = k ∧ j ≥ 0)
l0 : while (k ≥ 0) do
l1 : (s, k) := (s + i, k − 1)
l2 :
Target Invariant: p = c1s + c2ik + c3i j + c4 jk + c5
Question: For what values of c1, . . . , c5, is p = 0 inductive at l0?
Introduction
Constraint-based Analysis:
Overview
Computing Linear Invariants
Linear Ranking Functions
Nonlinear Invariants
● 1. Fix type and shape
● 2. Property Conditions
● Ideals
● Ideals
● Testing Ideal Membership
● Gröbner Basis Theorem
● Testing Ideal Membership
● Testing Ideal Membership
● Parametric Membership
● Parametric Membership
● 3.Encode Initiation
● 3.Encode Consecution
● 4. Solve the constraints
● 5. Solutions
● Example
● Example
Summary
Henny Sipma, November 16, 2006 Washington University at St Louis - p. 60/66
Example: Nonlinear Invariant Generation
1. Fix a template (usually a “generic polynomial” of degree m ),
c1s + c2ik + c3i j + c4 jk + c5
2. Generate constraints by encoding initiation andconsecution,
c2 + c3 = 0 ∧ c4 = c5 = 0 ∧ c1 − c2 = 0
3. Solve the constraints,
c3 = 1, c1 = c2 = −1, c4 = c5 = 0
4. Generate the invariant
−s − ik + i j = 0
Invariant: s = i( j − k) at l0.
Introduction
Constraint-based Analysis:
Overview
Computing Linear Invariants
Linear Ranking Functions
Nonlinear Invariants
Summary
● Advantages
● Advantages
● Papers
● Related Work● Current Topics of
Investigation
Henny Sipma, November 16, 2006 Washington University at St Louis - p. 61/66
Summary
Introduction
Constraint-based Analysis:
Overview
Computing Linear Invariants
Linear Ranking Functions
Nonlinear Invariants
Summary
● Advantages
● Advantages
● Papers
● Related Work● Current Topics of
Investigation
Henny Sipma, November 16, 2006 Washington University at St Louis - p. 62/66
Advantages of Constraint-based Approach
■ Controlling the complexity of the constraints
◆ Strengthen the conditions on the property
Θ |= ψ
ψ ∧ ρτ |= ψ′=⇒
Θ |= ψ
ρτ |= ψ′
parametric linear constraints linear constraints
◆ Constrain the property
c1x3 + c2x2y + c3x2z + c4xy2 + c5xyz + c6xz2+
c7y3 + c8y2z + c9yz2 + c10z3
⇓
c1x3 + c2xy2 + c3xz2 + c4y2z
Introduction
Constraint-based Analysis:
Overview
Computing Linear Invariants
Linear Ranking Functions
Nonlinear Invariants
Summary
● Advantages
● Advantages
● Papers
● Related Work● Current Topics of
Investigation
Henny Sipma, November 16, 2006 Washington University at St Louis - p. 63/66
Advantages of Constraint-based Approach
■ Not limited to invariants◆ termination◆ temporal properties (LTL safety)
■ Applicable to any domain that allows computation ofconsequences
■ Can exploit system structure to simplify the constraintsystem◆ Petri nets
■ Can take advantage of new results in constraint solvingcommunity
Introduction
Constraint-based Analysis:
Overview
Computing Linear Invariants
Linear Ranking Functions
Nonlinear Invariants
Summary
● Advantages
● Advantages
● Papers
● Related Work● Current Topics of
Investigation
Henny Sipma, November 16, 2006 Washington University at St Louis - p. 64/66
Papers
■ Termination analysis (TACAS’01, CAV’02, CAV’05)
■ Linear invariant generation (CAV’03, SAS’04, VMCAI’05,VMCAI’06)
■ Nonlinear invariant generation (POPL’04)
■ Nonlinear invariant generation for hybrid systems (HSCC’04)
■ Differential equations (HSCC’06)
Sriram Sankaranarayanan, Mathematical Analysis ofPrograms, PhD Thesis, Stanford, 2005.
Introduction
Constraint-based Analysis:
Overview
Computing Linear Invariants
Linear Ranking Functions
Nonlinear Invariants
Summary
● Advantages
● Advantages
● Papers
● Related Work● Current Topics of
Investigation
Henny Sipma, November 16, 2006 Washington University at St Louis - p. 65/66
Related Work
■ Set-constraint based analysis◆ - [Heintze’93]◆ - [Aiken’99]
■ Termination analysis◆ - [Podelski,Rybalchenko,VMCAI’04,LICS’04]◆ - [Cousot, VMCAI’05]
■ Nonlinear invariants◆ - [Bensalem et al, SAS’00]◆ - [Müller-Olm,Seidl,SAS’02,POPL’04]◆ - [Tiwari et al, TACAS’01,HSCC’03]◆ - [Rodriguez-Carbonell,Kapur,ISSAC’04]◆ - [Cousot, VMCAI’05]
Introduction
Constraint-based Analysis:
Overview
Computing Linear Invariants
Linear Ranking Functions
Nonlinear Invariants
Summary
● Advantages
● Advantages
● Papers
● Related Work● Current Topics of
Investigation
Henny Sipma, November 16, 2006 Washington University at St Louis - p. 66/66
Current Topics of Investigation
■ Classification of systems with simpler constraint systems
■ Extension to game properties (ATL*)
■ Extension to other domains, in particular nonlinearinequalities
■ More efficient constraint solving strategies