Inductive Reachability Witnesses

In this work, we consider the fundamental problem of reachability analysis over imperative programs with real variables. The reachability property requires that a program can reach certain target states during its execution. Previous works that tackle reachability analysis are either unable to handle programs consisting of general loops (e.g. symbolic execution), or lack completeness guarantees (e.g. abstract interpretation), or are not automated (e.g. incorrectness logic/reverse Hoare logic). In contrast, we propose a novel approach for reachability analysis that can handle general programs, is (semi-)complete, and can be entirely automated for a wide family of programs. Our approach extends techniques from both invariant generation and ranking-function synthesis to reachability analysis through the notion of (Universal) Inductive Reachability Witnesses (IRWs/UIRWs). While traditional invariant generation uses over-approximations of reachable states, we consider the natural dual problem of under-approximating the set of program states that can reach a target state. We then apply an argument similar to ranking functions to ensure that all states in our under-approximation can indeed reach the target set in finitely many steps.
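To make the duality concrete, here is a small worked example (added for this summary; it is not code from the paper or its authors). It applies the idea of the abstract to a one-variable loop with a nondeterministic real input: a candidate universal witness consists of a set of states `I` (an under-approximation of the states that can reach the target `T`), a ranking function `f` and a decrease `EPS`. The conditions checked (the initial state lies in `I`; every successor of a non-target state in `I` stays in `I`; `f` is non-negative outside `T` and drops by at least `EPS` on every step) are my reading of the inductivity and ranking arguments the abstract describes, not the paper's formal definition. The program, the witness interval, `f(x) = x` and all constants are constructed for illustration. Because every condition is affine in `(x, a)` over a box, checking the box's corners is an exact verification for this particular shape of program and witness; for general programs the paper's constraint-solving machinery would be needed instead.

```python
from fractions import Fraction as F
from itertools import product
from math import floor

# Constructed example program (not from the paper): one real variable x.
#   while x > 0:  x := x - a      with a a nondeterministic input in [A_LO, A_HI]
# Target set T: x <= 0.  Initial state: x = X0.
X0 = F(5)
A_LO, A_HI = F(1), F(2)

def in_target(x):
    return x <= 0

# Candidate universal inductive reachability witness (an assumption of this
# example): witness set I = [I_LO, I_HI], ranking function f(x) = x, decrease EPS.
I_LO, I_HI = F(-2), F(10)
EPS = F(1)

def f(x):
    return x

def check_uirw(i_lo=I_LO, i_hi=I_HI, eps=EPS):
    """Return (ok, failures) for the candidate witness (i_lo, i_hi, eps).

    Each condition is an affine inequality in (x, a) over the box
    closure(I \\ T) x [A_LO, A_HI] = [0, i_hi] x [A_LO, A_HI]; an affine function
    attains its extremes at the corners of a box, so checking the four corners
    is exact for this program/witness shape (that is a fact about affine
    functions, not a general algorithm for arbitrary witnesses)."""
    failures = []
    # Initiation: the initial state must lie in the witness set.
    if not (i_lo <= X0 <= i_hi):
        failures.append(f"initial state {X0} outside I=[{i_lo}, {i_hi}]")
    nontarget_lo, nontarget_hi = F(0), i_hi   # closure of I \ T = (0, i_hi]
    for x, a in product((nontarget_lo, nontarget_hi), (A_LO, A_HI)):
        x_next = x - a
        # Consecution (universal form): every successor, for every input a,
        # stays inside I.  The existential (IRW) form would only need one a.
        if not (i_lo <= x_next <= i_hi):
            failures.append(f"successor {x_next} of x={x} (a={a}) leaves I")
        # Ranking: f is non-negative outside T ...
        if f(x) < 0:
            failures.append(f"f negative at x={x}")
        # ... and decreases by at least eps on every step.
        if f(x_next) > f(x) - eps:
            failures.append(f"f does not decrease by {eps} at x={x}, a={a}")
    return (not failures, failures)

def step_bound(x, eps=EPS):
    """Bound on the iterations any state x in I \\ T needs to enter T.

    If the loop is still outside T after k steps, then 0 <= f <= f(x) - k*eps,
    hence k <= f(x)/eps; so T is entered within floor(f(x)/eps) + 1 steps."""
    return floor(f(x) / eps) + 1

def run_to_target(x, choose_a):
    """Execute the loop, resolving each nondeterministic input with choose_a,
    and return the number of iterations taken to enter T."""
    steps = 0
    while not in_target(x):
        a = choose_a(x)
        assert A_LO <= a <= A_HI, "constructed inputs must stay in range"
        x = x - a
        steps += 1
    return steps

if __name__ == "__main__":
    ok, failures = check_uirw()
    print("witness accepted:", ok, failures)
    print("bound from x0:", step_bound(X0))
    # Worst case for the ranking argument: the adversary always picks the
    # smallest decrease, yet the bound still holds.
    print("steps (a = A_LO each time):", run_to_target(X0, lambda _: A_LO))
    print("steps (a = A_HI each time):", run_to_target(X0, lambda _: A_HI))
    # A candidate that demands a larger decrease than the program guarantees
    # is rejected, which is the check that keeps the under-approximation sound.
    print("eps = 2 accepted:", check_uirw(eps=F(2))[0])
```

The useful reading, from a verification or bug-finding standpoint, is the difference between the two directions: an over-approximating invariant can only show that a bad state is never reached, whereas an accepted witness certifies that the initial state really does reach `T`, and `step_bound` turns the ranking function into an explicit limit on how many iterations that takes, whichever way the nondeterminism is resolved.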
