CHCVerif: A Portfolio-Based Solver for Constrained Horn Clauses

Transcript

1. CHCVERIF: A PORTFOLIO-BASED SOLVER FOR CONSTRAINED HORN CLAUSES Mihály Dobos-Kovács,

   Levente Bajczi, András Vörös BME-MIT, Budapest HCVS'25

2. HCVS'25 Background & theory Goals & contributions Experiment design &

   results Significance & summary Agenda

3. Background & Theory What are CHCs? How to transform them

   to C? HCVS'25

4. HCVS'25 CHC to Control Flow Automata n = 0 ⇒

   A(n) A(n − 2) ⇒ A(n) A(6) ⇒ false L0 A LE n := 0 [n == 6] havoc t [n == t-2] n := t Forward int main() { int n, t = 0; n = t; while(true) { t = nondet(); if(n == 6) reach_error(); else if(n == t-2) n = t; } } Bottom-up

5. HCVS'25 CHC to Control Flow Automata n = 0 ⇒

   A(n) A(n − 2) ⇒ A(n) A(6) ⇒ false L0 A LE n := 0 [n == 6] havoc t [n == t-2] n := t Forward int main() { int n, t = 0; n = t; while(true) { t = nondet(); if(n == 6) reach_error(); else if(n == t-2) n = t; } } HCVS’23: 10.4204/EPTCS.402.11 Bottom-up

6. HCVS'25 CHC to Control Flow Automata #2 n = 0

   ⇒ A(n) A(n − 2) ⇒ A(n) A(6) ⇒ false Forward int main() { int n, t = 0; n = t; while(true) { t = nondet(); if(n == 6) reach_error(); else if(n == t-2) n = t; } } Bottom-up Backward _Bool A(int n) { if(A(n-2)) return 1; else if(n == 0) return 1; else return 0; } … if(A(6)) reach_error(); Top-down

7. HCVS'25 • What if t > MAX_INT? – Or array

   out of bounds, … CHC to Programs int main() { int n, t = 0; n = t; while(true) { t = nondet(); if(n == 6) reach_error(); else if(n == t-2) n = t; } } Tell the verification tool to use SMT semantics • Not available with every tool • Not really a C program any more Use safeguarding to prevent erroneous verdicts • Limits verification power – Safe verdicts are dependent on all variables being bounded – Unsafe verdicts are still valid Can only return t ∈ [min; max]

8. HCVS'25 CHC to Programs int main() { int n, t

   = 0; n = t; while(true) { t = nondet(); if(n == 6) reach_error(); else if(n == t-2) n = t; } } Can only return t ∈ [min; max] SPIN’24: 10.1007/978-3-031-66149-5_8

9. Goals & Contributions What did we want to achieve? HCVS'25

10. HCVS'25 Goals of this Work Broaden the field of CHC

    solvers with SW verification tools Provide SW verification tools with valuable benchmarks to test and debug

11. Experiment design & results What did we do? How did

    the tools do? HCVS'25

12. HCVS'25 CHCVERIF overview No arrays, no ADTs LIA, BV(, Fp)

    http://github.com/ftsrg/chc2c Spoiler: hard to do, WiP Strength: portfolio CoVeriTeam

13. HCVS'25 CHCVERIF: LIA

14. HCVS'25 CHCVERIF: LIA • Quite a lot wrong results •

    Best single tool: around 100 UNSAT, 130 SAT • In comparison, leading CHC solvers: 150+ UNSAT, 250+ SAT results

15. HCVS'25 CHCVERIF: BV • Few wrong results • Many ‘unconfirmed’

    – these are not solved by CHC solvers! Portfolio: 131 UNSAT, 86 SAT (non-refuted)

16. Significance & Summary Why should you care? HCVS'25

17. HCVS'25 • We believe so… Has this benefitted CHC solving?

    New solvers (for BV out-of-the-box) Previously unsolved tasks More competition, more visibility

18. HCVS'25 • We are sure! And software verification? ISO/IEC 9899:202x

    extern _Bool __VERIFIER_nondet_Bool(); extern void reach_error(); int main(){ _Bool b = __VERIFIER_nondet_Bool(); switch(b) { case 0: return 0; case 1: return 0; } reach_error(); // never called? } CPAchecker: already fixed!

19. HCVS'25 • We are sure! And software verification? New benchmarks

20. HCVS'25 Summary Try CHC2C: github.com/ftsrg/chc2c See CHC-to-CFA paper: 10.4204/EPTCS.402.11 See

    CHC-to-C paper: 10.1007/978-3-031-66149-5_8 Zenodo tool archive: 10.5281/zenodo.15283157