PLDI '21論文読み会: Specification Synthesis with Constrainted Horn Clauses

Transcript

1. Specification Synthesis with Constrainted Horn Clauses Prabhu+

2. WHAT IS THIS • This material is something I used

   at a private reading seminar where every attendee picks one paper from PLDIʼ21 and explains its gist to the audience. • The copyrights of pictures shown in the remaining slides are, when no explicit notes are given, attributed to the authors of the paper [Prabhu+ PLDIʼ21]. • I took some exact slides from the pdf for the oral presentation of the paper. [1] • I have some background but am not an expert, so Iʼm not 100% sure about what I think I grasped. Please contact me if you find any false statements or misinterpretations. • [1] Specification Synthesis with Constrained Horn Clauses, Sumanth Prabhu S, PLDI 2021. https://fmindia.cmi.ac.in/update2021/slides/sumanth-fmupdate2021.pdf

3. (輪読会としての)概要 • 別の著者の2016年の論⽂(かなり⾯⽩い)の改良 • Maximal specification synthesis [Albarghouthi+ POPL'16] •

   PLDI ですがプログラム検証の論⽂です • 僕は平均よりは詳しいと思いますが専⾨家ではありません • 時間もないので分野と問題意識についての説明がメインになります • ⾔語実装界隈の⼈でもなるべくついてこられるように説明します

4. ᴫせ ‡ 䝥䝻䜾䝷䝮᳨ド䛸䛛䛾ᩥ⬦䛷௙ᵝྜᡂ (Specification Synthesis) 䛸࿧ 䜀䜜䜛ၥ㢟䛜䛒䜛䜘 ‡ ᛂ⏝ୖ䚸ྜᡂ䛥䜜䜛௙ᵝ䛜௨ୗ䛾ᛶ㉁䜢‶䛯䛧䛶ḧ䛧䛔䜘 ‡

   ᴟ኱ (Maximal) ‡ 㠀✵ (Non-vacuous) ‡ ᪤Ꮡ䛾ᡭἲ䛷ј䛾୧᪉䜢‶䛯䛩௙ᵝ䜢ぢ䛴䛡䜛᪂䛧䛔䜰䝹䝂䝸䝈䝮 䜢స䛳䛯䜘 ‡ ≉䛻䝛䝇䝖䛧䛯 while ᩥ䜢ᣢ䛴䜘䛖䛺䝥䝻䜾䝷䝮䛾᳨ド䛻ᑐ䛧䛶ຠ⋡ⓗ䛰䜘 ‡ ᥦ᱌䛧䛯䜰䝹䝂䝸䝈䝮䜢ᐇ⿦䛧䚸ホ౯䛧䛯䜘

5. ௙ᵝྜᡂ (Specification Synthesis)

6. ௙ᵝྜᡂ (Specification Synthesis) 㠀Ỵᐃⓗ㑅ᢥ

7. ௙ᵝྜᡂ (Specification Synthesis) 㛵ᩘ f 䛸 g 䛾୰㌟䛿ᮍ▱ 㠀Ỵᐃⓗ㑅ᢥ

8. ௙ᵝྜᡂ (Specification Synthesis) 㛵ᩘ f 䛸 g 䛾୰㌟䛿ᮍ▱ ၥ㢟: 䛣䛾⾜䛜ⴠ䛱䛺䛔䜘

   䛖䛺 f 䛸 g 䛾௙ᵝ䜢ぢ䛴䛡 䜘 㠀Ỵᐃⓗ㑅ᢥ

9. ௙ᵝྜᡂ (Specification Synthesis)

10. ௙ᵝྜᡂ (Specification Synthesis) ゎ1 F(z) :֞ z = -1 G(y)

    :֞ y = 19

11. ௙ᵝྜᡂ (Specification Synthesis) ゎ1 F(z) :֞ z = -1 G(y)

    :֞ y = 19 ゎ2 F(z) :֞ z < 0 G(y) :֞ y = 19 || y = 20

12. ௙ᵝྜᡂ (Specification Synthesis) ゎ1 F(z) :֞ z = -1 G(y)

    :֞ y = 19 ゎ2 F(z) :֞ z < 0 G(y) :֞ y = 19 || y = 20 ゎ3 F(z) :֞ z <= 0 G(y) :֞ y >= 19

13. ௙ᵝྜᡂ (Specification Synthesis) ゎ1 F(z) :֞ z = -1 G(y)

    :֞ y = 19 ゎ2 F(z) :֞ z < 0 G(y) :֞ y = 19 || y = 20 ゎ3 F(z) :֞ z <= 0 G(y) :֞ y >= 19 Maximal

14. 䛱䛺䜏䛻: ᴟ኱䛺௙ᵝ䛾ྜᡂ ‡ ᴟ኱䛺௙ᵝ䛾ྜᡂ䛻䛴䛔䛶䛿2016ᖺ䛾ඛ⾜◊✲䛜㠃ⓑ䛔 ‡ Maximal specification synthesis [Albarghouthi+ POPL'16]

    ‡ ⣧⢋䛻ㄽ⌮Ꮫⓗ䛺⤖ᯝ䜢ฟ䛧䛯ୖ䛷䛭䜜䜢౑䛳䛶Windows䛾䜹䞊䝛 䝹䝗䝷䜲䝞䞊䜢౑䛳䛶䝕䝰䛧䛶䜛 ‡ ௙ᵝ䛾ᴟ኱ᛶ䛾ᩘᏛⓗᐃ⩏䛾ᥦ᱌ ‡ ᴟ኱䛺௙ᵝ䛾ྜᡂ䜢⾜䛖䜰䝹䝂䝸䝈䝮䛾ᥦ᱌ ‡ Windows䛾䜹䞊䝛䝹䝗䝷䜲䝞䞊䛾stub䛾୰䛾assertion䛸䛾ẚ㍑ ‡ ⌮ㄽ䛛䜙ᛂ⏝䜎䛷඲㒊⧅䛢䛶䛶ᙉ䛟䛶㠃ⓑ䛔䛾䛷䛬䜂ㄞ䜣䛷䜏䛶䛟 䛰䛥䛔

15. ちなみに: 個⼈的所⾒(間違ってるかも) • 先程⾒せた例なんかは先⾏研究の⽅法ですでに計算できる(と思う) • 今回の論⽂はそれをCHCを使うやり⽅にしてみたという論⽂ • CHCはプログラム検証界隈ではよく使う中間表現で、⾼速なソルバーも複 数ある •

    なので極⼤仕様合成を普通のCHCに帰着できればうれしいというのはわか る • 先⾏研究は問題を直接解く専⽤のソルバーを提案していてモジュラーじゃない • けど、今回は問題を普通のCHCじゃなくCHCの拡張に帰着するので別に 既存のソルバーが使えるわけでもないので、CHCにした意味が曖昧に感じ る(?) • 結果的にはパフォーマンスは上がったようだけど結果論のような気も • 詳しい⼈おしえてください！

16. CHC 䜢⏝䛔䛯䝥䝻䜾䝷䝮᳨ド ‡ ୍᪦௙ᵝྜᡂ䛾ヰ䛿ᛀ䜜䛶䚸䝥䝻䜾䝷䝮᳨ド䛾ヰ https://ece.uwaterloo.ca/~agurfink/ece750t29f18/assets/pdf/07_CHC_LIA.pdf

17. CHC 䜢⏝䛔䛯䝥䝻䜾䝷䝮᳨ド ‡ ୍᪦௙ᵝྜᡂ䛾ヰ䛿ᛀ䜜䛶䚸䝥䝻䜾䝷䝮᳨ド䛾ヰ https://ece.uwaterloo.ca/~agurfink/ece750t29f18/assets/pdf/07_CHC_LIA.pdf ၥ㢟: 䛣䛾⾜䛜ⴠ䛱䛺䛔䛣 䛸䜢⮬ື䛷ุᐃ䛫䜘

18. CHC 䜢⏝䛔䛯䝥䝻䜾䝷䝮᳨ド ‡ 䝥䝻䜾䝷䝮䛛䜙 CHC (䛾㞟ྜ)䜢⏕ᡂ https://ece.uwaterloo.ca/~agurfink/ece750t29f18/assets/pdf/07_CHC_LIA.pdf z = x

    & i = 0 & y > 0 ֜ Inv(x,y,z,i) Inv(x,y,z,i) & i < y & t = z + 1 & u = i + 1 ֜ Inv(x,y,t,u) Inv(x,y,z,i) & i >= y & z != x + y ֜ false

19. CHC 䜢⏝䛔䛯䝥䝻䜾䝷䝮᳨ド ‡ 䝥䝻䜾䝷䝮䛛䜙 CHC (䛾㞟ྜ)䜢⏕ᡂ https://ece.uwaterloo.ca/~agurfink/ece750t29f18/assets/pdf/07_CHC_LIA.pdf z = x

    & i = 0 & y > 0 ֜ Inv(x,y,z,i) Inv(x,y,z,i) & i < y & t = z + 1 & u = i + 1 ֜ Inv(x,y,t,u) Inv(x,y,z,i) & i >= y & z != x + y ֜ false 䛣䜜䛜ゎ䜢ᣢ䛴䛣䛸䛸ᕥ䛾䝥䝻䜾䝷䝮䛜ⴠ䛱䛺䛔䛣䛸䛜ྠ್

20. CHC 䜢⏝䛔䛯䝥䝻䜾䝷䝮᳨ド ‡ 䝥䝻䜾䝷䝮䛛䜙 CHC (䛾㞟ྜ)䜢⏕ᡂ https://ece.uwaterloo.ca/~agurfink/ece750t29f18/assets/pdf/07_CHC_LIA.pdf z = x

    & i = 0 & y > 0 ֜ Inv(x,y,z,i) Inv(x,y,z,i) & i < y & t = z + 1 & u = i + 1 ֜ Inv(x,y,t,u) Inv(x,y,z,i) & i >= y & z != x + y ֜ false 䛣䜜䛜ゎ䜢ᣢ䛴䛣䛸䛸ᕥ䛾䝥䝻䜾䝷䝮䛜ⴠ䛱䛺䛔䛣䛸䛜ྠ್ ゎ Inv(x,y,z,i) :֞ z = x + i & z <= x + y

21. ௙ᵝྜᡂ ‡ CHC䛻䜘䜛䝥䝻䜾䝷䝮᳨ド䛾⪃䛘᪉䜢௙ᵝྜᡂ䛻ᣑᙇ䛧䛶䜏䜛

22. ௙ᵝྜᡂ ‡ CHC䛻䜘䜛䝥䝻䜾䝷䝮᳨ド䛾⪃䛘᪉䜢௙ᵝྜᡂ䛻ᣑᙇ䛧䛶䜏䜛

23. ௙ᵝྜᡂ ‡ CHC䛻䜘䜛䝥䝻䜾䝷䝮᳨ド䛾⪃䛘᪉䜢௙ᵝྜᡂ䛻ᣑᙇ䛧䛶䜏䜛 䛣䜜䛾ゎ䜢᥈䛫䜀Ⰻ䛔䠛

24. ௙ᵝྜᡂ ‡ CHC䛻䜘䜛䝥䝻䜾䝷䝮᳨ド䛾⪃䛘᪉䜢௙ᵝྜᡂ䛻ᣑᙇ䛧䛶䜏䜛 䛣䜜䛾ゎ䜢᥈䛫䜀Ⰻ䛔䠛 ᠱᛕ1 ᖐ⣡ⓗ䛺CHC䛜䛒䜛䛸ồゎ䛻 ᫬㛫䛜䛛䛛䜛 (᭱ᙉz3䛷10ศ䛛䛛 䜛䜙䛧䛔)

25. ௙ᵝྜᡂ ‡ CHC䛻䜘䜛䝥䝻䜾䝷䝮᳨ド䛾⪃䛘᪉䜢௙ᵝྜᡂ䛻ᣑᙇ䛧䛶䜏䜛 䛣䜜䛾ゎ䜢᥈䛫䜀Ⰻ䛔䠛 ᠱᛕ2 䛣䛖䛔䛖ゎ䛿㝖እ䛧䛯䛔 F(z) :֞ false G(y)

    :֞ false Inv(x) :֞ true ᠱᛕ1 ᖐ⣡ⓗ䛺CHC䛜䛒䜛䛸ồゎ䛻 ᫬㛫䛜䛛䛛䜛 (᭱ᙉz3䛷10ศ䛛䛛 䜛䜙䛧䛔)

26. ௙ᵝྜᡂ ‡ CHC䛻䜘䜛䝥䝻䜾䝷䝮᳨ド䛾⪃䛘᪉䜢௙ᵝྜᡂ䛻ᣑᙇ䛧䛶䜏䜛 䛣䜜䛾ゎ䜢᥈䛫䜀Ⰻ䛔䠛 ᠱᛕ2 䛣䛖䛔䛖ゎ䛿㝖እ䛧䛯䛔 F(z) :֞ false G(y)

    :֞ false Inv(x) :֞ true Vacuous ᠱᛕ1 ᖐ⣡ⓗ䛺CHC䛜䛒䜛䛸ồゎ䛻 ᫬㛫䛜䛛䛛䜛 (᭱ᙉz3䛷10ศ䛛䛛 䜛䜙䛧䛔)

27. ௙ᵝྜᡂ ‡ CHC䛻䜘䜛䝥䝻䜾䝷䝮᳨ド䛾⪃䛘᪉䜢௙ᵝྜᡂ䛻ᣑᙇ䛧䛶䜏䜛 䛣䜜䛾ゎ䜢᥈䛫䜀Ⰻ䛔䠛 ᠱᛕ2 䛣䛖䛔䛖ゎ䛿㝖እ䛧䛯䛔 F(z) :֞ false G(y)

    :֞ false Inv(x) :֞ true Vacuous ᠱᛕ1 ᖐ⣡ⓗ䛺CHC䛜䛒䜛䛸ồゎ䛻 ᫬㛫䛜䛛䛛䜛 (᭱ᙉz3䛷10ศ䛛䛛 䜛䜙䛧䛔) ᠱᛕ3 ᴟ኱䛺ゎ䜢ồ䜑䛯䛔

28. ௙ᵝྜᡂ ‡ CHC䛻䜘䜛䝥䝻䜾䝷䝮᳨ド䛾⪃䛘᪉䜢௙ᵝྜᡂ䛻ᣑᙇ䛧䛶䜏䜛 䛣䜜䛾ゎ䜢᥈䛫䜀Ⰻ䛔䠛 ᠱᛕ2 䛣䛖䛔䛖ゎ䛿㝖እ䛧䛯䛔 F(z) :֞ false G(y)

    :֞ false Inv(x) :֞ true Vacuous ᠱᛕ1 ᖐ⣡ⓗ䛺CHC䛜䛒䜛䛸ồゎ䛻 ᫬㛫䛜䛛䛛䜛 (᭱ᙉz3䛷10ศ䛛䛛 䜛䜙䛧䛔) ᠱᛕ3 ᴟ኱䛺ゎ䜢ồ䜑䛯䛔 ј䛾せ௳䜢‶䛯䛩 CHC 䝋䝹䝞䞊䛜 䛺䛛䛳䛯䛾䛷స䛳䛯䜘

29. 䜰䝹䝂䝸䝈䝮ᴫせ

30. Non-vacuous solving (1/3)

31. Non-vacuous solving (2/3)

32. Non-vacuous solving (3/3)

33. 18/28 Maximality Checking - Definition Recall: Given: S (a system

    of CHCs) R (a set of relations) M is maximal if no solution M0 satisfies 8r 2 R . M(r) =) M0(r) and 9r 2 R . M0(r) 6 =) M(r)

34. 19/28 Maximality Checking - Illustration inv(x) 7! x  19

    f(y) 7! y = 19 Non-Vacuous Solution ⌥ ⌅ x = 19 =) inv(x) inv(x) ^ x0 = x 1 =) inv(x0) inv(x) ^ f(y) =) x  y ⌃ ⇧ Input CHC Intuition: Try to weaken interpretations by at least one more point by adding two conjuncts

35. 19/28 Maximality Checking - Illustration inv(x) 7! x  19

    f(y) 7! y = 19 Non-Vacuous Solution ⌥ ⌅ x = 19 =) inv(x) inv(x) ^ x0 = x 1 =) inv(x0) inv(x) ^ f(y) =) x  y ⌃ ⇧ Input CHC 1. In input CHC, substitute inv(x) 7! x  19 _ x = px f(y) 7! y = 19 _ y = py

36. 19/28 Maximality Checking - Illustration inv(x) 7! x  19

    f(y) 7! y = 19 Non-Vacuous Solution ⌥ ⌅ x = 19 =) inv(x) inv(x) ^ x0 = x 1 =) inv(x0) inv(x) ^ f(y) =) x  y ⌃ ⇧ Input CHC 2. Constrain values of placeholder variables px , py ¬(px  19) _ ¬(py = 19)

37. 19/28 Maximality Checking - Illustration inv(x) 7! x  19

    f(y) 7! y = 19 Non-Vacuous Solution ⌥ ⌅ x = 19 =) inv(x) inv(x) ^ x0 = x 1 =) inv(x0) inv(x) ^ f(y) =) x  y ⌃ ⇧ Input CHC CTM |= 1 ^ 2 Based on values of px and py from counterexample-to-maximality (CTM), decide relations to weaken

38. 20/28 Maximality Checking - Illustration ⌥ ⌅ x = 19

    =) inv(x) inv(x) ^ x0 = x 1 =) inv(x0) inv(x) ^ f(y)^ =) x  y y = 19 =) f(y) ¬(y = 19) ^ pf (y) =) f(y) ⌃ ⇧ New CHCs for Weakening A non-vacuous solution to pf ensures that current solution for M(f) is weakened

39. 20/28 Maximality Checking - Illustration ⌥ ⌅ x = 19

    =) inv(x) inv(x) ^ x0 = x 1 =) inv(x0) inv(x) ^ f(y)^ =) x  y y = 19 =) f(y) ¬(y = 19) ^ pf (y) =) f(y) ⌃ ⇧ New CHCs for Weakening pf (y) 7! y = 20 and f(y) 7! y 19

40. ホ౯ ‡ HornSpec 䛸䛔䛖ᐇ⿦䜢స䛳䛯 ‡ ⫼ᬒ⌮ㄽ䛾䝋䝹䝞䞊䛻䛿z3䜢౑⏝䛧䛯 ‡ ᮍᐃ⩏㛵ᩘ䛾࿧䜃ฟ䛧䜢ྵ䜐䝥䝻䜾䝷䝮65ಶ䛛䜙CHC䜢⏕ᡂ ‡ 䛖䛱43ಶ䛿CHC-COMP䛸䛔䛖᳨ド⏺㝰䛷䜘䛟౑䜟䜜䜛䝔䝇䝖䝉䝑䝖䛛䜙⏕ᡂ

    ‡ ṧ䜚䛾22ಶ䛿᳨ド䛾䝁䞁䝨䛷䛾㢖ฟ䝟䝍䞊䞁䜢䜒䛸䛻⏕ᡂ ‡ ஧✀㢮䛾䝧䞁䝏䝬䞊䜽䜢ྲྀ䛳䛯 ‡ Non-vacuous specification generation ‡ Maximal specification generation

41. Non-vacuous specification ‡ CVC4䛸Z3䛸ẚ㍑ ‡ 30⛊௨ෆ䛻ゎ䛡䛯䛾䛿 ‡ HornSpec: 60/65 ‡

    CVC4: 51/65 ‡ Z3: 23/65

42. Maximal specifications ‡ ᪤Ꮡ䛾CHC䝋䝹䝞䞊䛿Maximal Specification䜢ฟຊ䛷䛝䛺䛔 ‡ ẚ㍑䛾䛯䜑䛻Non-vacuous specification䜢⏕ᡂ䛩䜛㒊ศ䛰䛡௚䛾䝋 䝹䝞䞊䛻ኚ䛘䛯 ;і䛭䜜ẚ㍑䛻䛺䛳䛶䛺䛟䛺䛔䠛)

    ‡ ゎ䛡䛯ၥ㢟ᩘ ‡ HornSpec: 54/65 ‡ CVC4: 23/65 ‡ Z3: 5/65

43. Related Work ‡ ┬␎

44. 結論 • MaximalかつNon-vacuousな仕様の合成を⾏うためのCHCソル バーを作った • Non-vacuousな解を出⼒する既存のCHCソルバーよりも速い • Maximalな解を出⼒するCHCソルバーはなかった • 感想

    • なぜCHCソルバーにする必要があったのかの部分がよくわからなかっ たのでくわしいひとおしえてください