Software Engineering & Automated Deduction
Willem Visser, Stellenbosch University
With Nikolaj Bjorner (Microsoft Research, Redmond)
Natarajan Shankar (SRI Computer Science Lab, Menlo Park)
Stellenbosch?
[Diagram: Automated Deduction, Software Engineering, and their overlap, Verification]
Automated deduction uses computation to perform symbolic logical reasoning*
* [101] Shankar. Automated deduction for verification. ACM Computing Surveys. 2009
Is a logical formula φ valid? Or is there a counter-example, in which case !φ is satisfiable?
φ valid iff !φ unsatisfiable
Is a logical formula φ satisfiable? Is there a model that satisfies φ?
Satisfiability checking procedures are the cornerstone of automated deduction
We tend to want to know about our code …
Given that we have a specification of what is expected
Program + Specification → Logic Formula φ → Automated Deduction Tool
Logics               Techniques
First-order logic    Automated theorem proving
Propositional logic  SAT solvers
(Expressiveness increases going up the table; automation increases going down it.)
From around the early-to-mid 1990s, SAT solvers improved dramatically
Program → Logic Formula φ
Program features: integer arithmetic, machine integers, arrays, floating point, strings, heaps
SMT theories: linear integer arithmetic, bit-vectors, arrays, floating point, strings
Satisfiability Modulo Theories (SMT) solvers: fully automated satisfiability checkers for formulas over these theories
Perfect fit for solving Software Engineering problems
Verification: full automation is not always possible
Formulas to prove can fall outside of the decidable fragment
Even if it can be proved, it might be too slow or require tricky invariants
Requires human interaction: proof environments
Too much manual effort: the seL4 microkernel verification took 20 man-years using Isabelle/HOL
Program verifiers are more domain-specific: they verify that the annotations in the code hold
Spec#, ESC/Java
Model Checking: is M a model for φ?
Explicit state
Symbolic: BDDs ((Nu)SMV), SAT (CBMC)
Predicate abstraction with CEGAR: SLAM, BLAST
Symbolic Execution
  void test(int x, int y) {
    if (y == x*10) S0; else S1;
    if (x > 3 && y > 10) S2; else S3;
  }
Symbolic execution tree, with the path condition in brackets:
[ true ] test(X,Y)
  [ Y=X*10 ] S0
    [ Y=X*10 & X>3 & Y>10 ] S2
    [ Y=X*10 & !(X>3 & Y>10) ] S3
  [ Y!=X*10 ] S1
    [ Y!=X*10 & X>3 & Y>10 ] S2
    [ Y!=X*10 & !(X>3 & Y>10) ] S3
SMT solvers check the feasibility of each path condition
Test cases are derived from the models the solver returns
Concolic / Dynamic Symbolic Execution
Same program, but execution starts from concrete inputs, test(0,1), and only the path actually taken is recorded:
[ true ] test(0,1)
  [ Y=X*10 ] S0
    [ Y=X*10 & X>3 & Y>10 ] S2
    [ Y=X*10 & !(X>3 & Y>10) ] S3
  [ Y!=X*10 ] S1                          <- taken by (0,1)
    [ Y!=X*10 & X>3 & Y>10 ] S2
    [ Y!=X*10 & !(X>3 & Y>10) ] S3        <- taken by (0,1)
Pick random inputs
Collect the path condition (PC) during execution
Negate one of the conditions
If feasible, derive new inputs from the model
[ Y!=X*10 & (X>3 & Y>10) ] => test(4,11)
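The loop on the last two slides (run concretely, collect the path condition, negate one branch, ask a solver for a model, repeat), as an added example that is not part of the talk. It is a miniature DART-style concolic executor for the slide's test(x, y); the statements S0..S3 are recorded as labels rather than executed, and the "SMT solver" is a bounded enumeration over an assumed domain (SOLVER_DOMAIN) standing in for a real solver such as Z3. Starting from the slide's seed test(0,1) it finds the slide's test(4,11) as the first model of the flipped second condition, and then covers all four paths.

```python
from itertools import product
from typing import Callable, List, Optional, Set, Tuple

# Added example (not from the talk). Assumption: inputs range over this domain,
# and feasibility is decided by enumeration rather than by an SMT solver.
SOLVER_DOMAIN = range(-20, 60)

Pred = Callable[[int, int], bool]
Constraint = Tuple[str, Pred, bool]   # (printable form, evaluator, required truth value)


class Tracer:
    """Runs the program on concrete x, y and records each branch condition with its outcome."""

    def __init__(self, x: int, y: int) -> None:
        self.x, self.y = x, y
        self.path: List[Constraint] = []

    def branch(self, text: str, pred: Pred) -> bool:
        taken = pred(self.x, self.y)
        self.path.append((text, pred, taken))
        return taken


def program_under_test(t: Tracer) -> List[str]:
    """The slide's test(int x, int y); S0..S3 become labels in the returned list."""
    visited: List[str] = []
    if t.branch("y == x*10", lambda x, y: y == x * 10):
        visited.append("S0")
    else:
        visited.append("S1")
    if t.branch("x > 3 && y > 10", lambda x, y: x > 3 and y > 10):
        visited.append("S2")
    else:
        visited.append("S3")
    return visited


def pc_text(path: List[Constraint]) -> str:
    """Render a path condition, e.g. '!(y == x*10) & !(x > 3 && y > 10)'."""
    return " & ".join(text if want else f"!({text})" for text, _, want in path)


def solve(constraints: List[Constraint]) -> Optional[Tuple[int, int]]:
    """Stand-in for the SMT feasibility check: first model in the bounded domain, or None."""
    for x, y in product(SOLVER_DOMAIN, SOLVER_DOMAIN):
        if all(pred(x, y) == want for _, pred, want in constraints):
            return (x, y)
    return None


def concolic(seed: Tuple[int, int], max_runs: int = 50) -> List[Tuple[Tuple[int, int], str, List[str]]]:
    """Concolic loop: run, collect the PC, flip one condition at a time, solve, queue new inputs."""
    worklist = [seed]
    seen: Set[str] = set()
    tests: List[Tuple[Tuple[int, int], str, List[str]]] = []
    while worklist and len(tests) < max_runs:
        x, y = worklist.pop(0)
        tracer = Tracer(x, y)
        labels = program_under_test(tracer)
        pc = pc_text(tracer.path)
        if pc in seen:            # the solver handed back an input for a path already explored
            continue
        seen.add(pc)
        tests.append(((x, y), pc, labels))
        # keep the prefix of the PC, negate the i-th condition; every feasible flip is a new test
        for i, (text, pred, taken) in enumerate(tracer.path):
            flipped = tracer.path[:i] + [(text, pred, not taken)]
            model = solve(flipped)
            if model is not None:
                worklist.append(model)
    return tests


def covered_statements(tests: List[Tuple[Tuple[int, int], str, List[str]]]) -> Set[str]:
    """Which of S0..S3 the generated test suite reaches."""
    return {label for _, _, labels in tests for label in labels}


if __name__ == "__main__":
    for inputs, pc, labels in concolic((0, 1)):
        print(f"test{inputs}: [{pc}] -> {labels}")
```

The `seen` check matters in practice: a solver is free to return an input that happens to follow an already explored path, and without deduplication the loop would keep re-deriving the same constraints. Replacing `solve` with a call to a real SMT solver only changes the feasibility check; the rest of the loop is the same.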
(Dynamic) Symbolic Execution is the poster child for the positive effect of AD in SE
An idea from the early 1970s that only sprang to life in the late 1990s, due to the advances in SAT/SMT solving
[Diagram: the relationship between Automated Deduction and Software Engineering, in the past vs currently]
SE drivers for AD
Heaps: locally finite theories with limited quantification
Data structures: monadic second-order logic
(Bounded) software model checking: Horn clauses
Security: strings
Reliability and information flow: model counting (#SAT)
A yes/no answer is not good enough any more:
For test case generation we need models
High-integrity code needs certifiable proofs
Fault localization and repair need unsatisfiable cores
Reliability analysis needs the number of solutions
Informal Survey of SE Researchers
What would you like to see most from an Automated Deduction tool?
Black-box with limited visibility to internals vs white-box that exposes its inner workings
Want to know why, not just what
Lessons from Automated Deduction
Competitions/Benchmarking
Interoperability through standard formats: TPTP, DIMACS, SMT-LIB2
Automated deduction competitions: CASC (1996), SMT-COMP (2005)
vs software engineering competitions: SATE (2008), SV-COMP and RERS (2012), SyGuS-COMP (2014)
Some New Trends in SE
Synthesis: Sketching*
  harness void doubleSketch(int x) { int t = x * ??; assert t == x + x; }
  * http://people.csail.mit.edu/asolar/sketch2012/
Education: Learning to Code
Some More Trends: Probabilistic Analysis
Reliability: the probability of each symbolic-execution path of test(x, y)
[ true ]                                              1
  y=10x                                               0.001
    x>3 & y>10 (0.6)    [ Y=X*10 & X>3 & Y>10 ]       0.0006
    else (0.4)          [ Y=X*10 & !(X>3 & Y>10) ]    0.0004
  y!=10x                                              0.999
    x>3 & y>10 (0.855)  [ Y!=X*10 & X>3 & Y>10 ]      0.8538
    else (0.145)        [ Y!=X*10 & !(X>3 & Y>10) ]   0.1452
(A path's probability is the product of the branch probabilities along it.)
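Where the numbers on such a tree come from, as an added example that is not part of the talk: each branch probability is the number of inputs satisfying the path condition divided by the number of inputs in the profile, i.e. a model count (#SAT) over a finite input domain, which is the connection to "Reliability and information flow: model counting" earlier in the deck. The input profile here (x and y independent and uniform over X_DOMAIN and Y_DOMAIN) is an assumption of this example, so the values differ from the slide's; the structure of the computation is the same, and the four path probabilities are exact fractions that sum to 1.

```python
from fractions import Fraction
from itertools import product
from typing import Callable, Dict

# Added example (not from the talk). Assumed input profile: x and y independent and
# uniform over these ranges. The slide's own profile is not stated, so its numbers differ.
X_DOMAIN = range(0, 100)
Y_DOMAIN = range(0, 1000)

Pred = Callable[[int, int], bool]


def c1(x: int, y: int) -> bool:
    """First branch of test(x, y): y == x*10."""
    return y == x * 10


def c2(x: int, y: int) -> bool:
    """Second branch of test(x, y): x > 3 && y > 10."""
    return x > 3 and y > 10


# The four path conditions from the tree, keyed by the statements the path reaches.
PATHS: Dict[str, Pred] = {
    "S0,S2": lambda x, y: c1(x, y) and c2(x, y),
    "S0,S3": lambda x, y: c1(x, y) and not c2(x, y),
    "S1,S2": lambda x, y: not c1(x, y) and c2(x, y),
    "S1,S3": lambda x, y: not c1(x, y) and not c2(x, y),
}


def count_models(pred: Pred) -> int:
    """#SAT over the finite input domain: how many (x, y) pairs satisfy pred."""
    return sum(1 for x, y in product(X_DOMAIN, Y_DOMAIN) if pred(x, y))


def domain_size() -> int:
    return len(X_DOMAIN) * len(Y_DOMAIN)


def path_probabilities() -> Dict[str, Fraction]:
    """P(path) = #models(path condition) / #inputs, for each leaf of the tree."""
    return {name: Fraction(count_models(p), domain_size()) for name, p in PATHS.items()}


def conditional(cond: Pred, given: Pred) -> Fraction:
    """P(cond | given) by counting: the per-branch numbers written on the tree's edges."""
    n_given = count_models(given)
    n_both = count_models(lambda x, y: given(x, y) and cond(x, y))
    return Fraction(n_both, n_given)


def probability_of_reaching(statement: str) -> Fraction:
    """Reliability-style query: probability that a random input reaches the given statement."""
    return sum((p for name, p in path_probabilities().items() if statement in name.split(",")),
               Fraction(0))


if __name__ == "__main__":
    print("P(y == x*10) =", conditional(c1, lambda x, y: True))
    print("P(x>3 & y>10 | y == x*10) =", conditional(c2, c1))
    for name, p in path_probabilities().items():
        print(f"{name}: {p} ~ {float(p):.6f}")
    print("P(reach S2) =", probability_of_reaching("S2"))
```

Enumeration is fine for two small integer inputs; for real programs the count comes from a #SAT or model-counting tool over the path condition, and a non-uniform profile is handled by weighting each model instead of counting it once.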
[Closing diagram: Automated Deduction and Software Engineering, in the past vs currently]
What SE researchers want from an AD tool: a white-box that exposes its inner workings, not a black-box with limited visibility to internals
Want to know why, not just what