83 research outputs found
Polynomial Invariants for Affine Programs
We exhibit an algorithm to compute the strongest polynomial (or algebraic)
invariants that hold at each location of a given affine program (i.e., a
program having only non-deterministic (as opposed to conditional) branching and
all of whose assignments are given by affine expressions). Our main tool is an
algebraic result of independent interest: given a finite set of rational square
matrices of the same dimension, we show how to compute the Zariski closure of
the semigroup that they generate
Relational Symbolic Execution
Symbolic execution is a classical program analysis technique used to show
that programs satisfy or violate given specifications. In this work we
generalize symbolic execution to support program analysis for relational
specifications in the form of relational properties - these are properties
about two runs of two programs on related inputs, or about two executions of a
single program on related inputs. Relational properties are useful to formalize
notions in security and privacy, and to reason about program optimizations. We
design a relational symbolic execution engine, named RelSym which supports
interactive refutation, as well as proving of relational properties for
programs written in a language with arrays and for-like loops
A Relational Logic for Higher-Order Programs
Relational program verification is a variant of program verification where
one can reason about two programs and as a special case about two executions of
a single program on different inputs. Relational program verification can be
used for reasoning about a broad range of properties, including equivalence and
refinement, and specialized notions such as continuity, information flow
security or relative cost. In a higher-order setting, relational program
verification can be achieved using relational refinement type systems, a form
of refinement types where assertions have a relational interpretation.
Relational refinement type systems excel at relating structurally equivalent
terms but provide limited support for relating terms with very different
structures.
We present a logic, called Relational Higher Order Logic (RHOL), for proving
relational properties of a simply typed -calculus with inductive types
and recursive definitions. RHOL retains the type-directed flavour of relational
refinement type systems but achieves greater expressivity through rules which
simultaneously reason about the two terms as well as rules which only
contemplate one of the two terms. We show that RHOL has strong foundations, by
proving an equivalence with higher-order logic (HOL), and leverage this
equivalence to derive key meta-theoretical properties: subject reduction,
admissibility of a transitivity rule and set-theoretical soundness. Moreover,
we define sound embeddings for several existing relational type systems such as
relational refinement types and type systems for dependency analysis and
relative cost, and we verify examples that were out of reach of prior work.Comment: Submitted to ICFP 201
Differential cost analysis with simultaneous potentials and anti-potentials
We present a novel approach to differential cost analysis that, given a program revision, attempts to statically bound the difference in resource usage, or cost, between the two program versions. Differential cost analysis is particularly interesting because of the many compelling applications for it, such as detecting resource-use regressions at code-review time or proving the absence of certain side-channel vulnerabilities. One prior approach to differential cost analysis is to apply relational reasoning that conceptually constructs a product program on which one can over-approximate the difference in costs between the two program versions. However, a significant challenge in any relational approach is effectively aligning the program versions to get precise results. In this paper, our key insight is that we can avoid the need for and the limitations of program alignment if, instead, we bound the difference of two cost-bound summaries rather than directly bounding the concrete cost difference. In particular, our method computes a threshold value for the maximal difference in cost between two program versions simultaneously using two kinds of cost-bound summaries---a potential function that evaluates to an upper bound for the cost incurred in the first program and an anti-potential function that evaluates to a lower bound for the cost incurred in the second. Our method has a number of desirable properties: it can be fully automated, it allows optimizing the threshold value on relative cost, it is suitable for programs that are not syntactically similar, and it supports non-determinism. We have evaluated an implementation of our approach on a number of program pairs collected from the literature, and we find that our method computes tight threshold values on relative cost in most examples
Differential cost analysis with simultaneous potentials and anti-potentials
We present a novel approach to differential cost analysis that, given a program revision, attempts to statically bound the difference in resource usage, or cost, between the two program versions. Differential cost analysis is particularly interesting because of the many compelling applications for it, such as detecting resource-use regressions at code-review time or proving the absence of certain side-channel vulnerabilities. One prior approach to differential cost analysis is to apply relational reasoning that conceptually constructs a product program on which one can over-approximate the difference in costs between the two program versions. However, a significant challenge in any relational approach is effectively aligning the program versions to get precise results. In this paper, our key insight is that we can avoid the need for and the limitations of program alignment if, instead, we bound the difference of two cost-bound summaries rather than directly bounding the concrete cost difference. In particular, our method computes a threshold value for the maximal difference in cost between two program versions simultaneously using two kinds of cost-bound summaries---a potential function that evaluates to an upper bound for the cost incurred in the first program and an anti-potential function that evaluates to a lower bound for the cost incurred in the second. Our method has a number of desirable properties: it can be fully automated, it allows optimizing the threshold value on relative cost, it is suitable for programs that are not syntactically similar, and it supports non-determinism. We have evaluated an implementation of our approach on a number of program pairs collected from the literature, and we find that our method computes tight threshold values on relative cost in most example
Ranking LLM-Generated Loop Invariants for Program Verification
Synthesizing inductive loop invariants is fundamental to automating program
verification. In this work, we observe that Large Language Models (such as
gpt-3.5 or gpt-4) are capable of synthesizing loop invariants for a class of
programs in a 0-shot setting, yet require several samples to generate the
correct invariants. This can lead to a large number of calls to a program
verifier to establish an invariant. To address this issue, we propose a {\it
re-ranking} approach for the generated results of LLMs. We have designed a
ranker that can distinguish between correct inductive invariants and incorrect
attempts based on the problem definition. The ranker is optimized as a
contrastive ranker. Experimental results demonstrate that this re-ranking
mechanism significantly improves the ranking of correct invariants among the
generated candidates, leading to a notable reduction in the number of calls to
a verifier.Comment: Findings of The 2023 Conference on Empirical Methods in Natural
Language Processing (EMNLP-findings 2023
Defunctionalization with Dependent Types
The defunctionalization translation that eliminates higher-order functions
from programs forms a key part of many compilers. However, defunctionalization
for dependently-typed languages has not been formally studied. We present the
first formally-specified defunctionalization translation for a
dependently-typed language and establish key metatheoretical properties such as
soundness and type preservation. The translation is suitable for incorporation
into type-preserving compilers for dependently-typed language
Predictive Monitoring against Pattern Regular Languages
In this paper, we focus on the problem of dynamically analysing concurrent
software against high-level temporal specifications. Existing techniques for
runtime monitoring against such specifications are primarily designed for
sequential software and remain inadequate in the presence of concurrency --
violations may be observed only in intricate thread interleavings, requiring
many re-runs of the underlying software. Towards this, we study the problem of
predictive runtime monitoring, inspired by the analogous problem of predictive
data race detection studied extensively recently. The predictive runtime
monitoring question asks, given an execution , if it can be soundly
reordered to expose violations of a specification.
In this paper, we focus on specifications that are given in regular
languages. Our notion of reorderings is trace equivalence, where an execution
is considered a reordering of another if it can be obtained from the latter by
successively commuting adjacent independent actions. We first show that the
problem of predictive admits a super-linear lower bound of , where
is the number of events in the execution, and is a parameter
describing the degree of commutativity. As a result, predictive runtime
monitoring even in this setting is unlikely to be efficiently solvable.
Towards this, we identify a sub-class of regular languages, called pattern
languages (and their extension generalized pattern languages). Pattern
languages can naturally express specific ordering of some number of (labelled)
events, and have been inspired by popular empirical hypotheses, the `small bug
depth' hypothesis. More importantly, we show that for pattern (and generalized
pattern) languages, the predictive monitoring problem can be solved using a
constant-space streaming linear-time algorithm
- …