GenPro: Generating and Proving Program Properties via Symbol Elimination

1. Purpose and Aims Software systems used in our daily life, such as networking, security, autonomous devices, traffic control, etc., heavily rely on software used in them. Such software is becoming increasingly more sophisticated, resulting in system malfunctioning and error-prone and insecure system behavior. Software errors are very costly. There are many studies attempting to quantify the cost of software failures, including survey reports by the European Services Strategy Unit, the British Computer Society, and the US National Institute of Standards and Technology. For example, according to US National Institute of Standards and Technology software errors cost the US economy nearly 60 billion annually, and 80% of development costs involve identifying and correcting errors. For this reason, there is a growing interest, both industrial and academic, in applying formal methods for ensuring reliability of long-lived, high-quality software systems. Formal verification aims at providing a methodology that produces more reliable and robust systems. Companies developing and running safety-critical systems, such as Microsoft, IBM, and Intel, have therefore started to use precise formal methods and scalable tools developed in this area. Precision of designed methods is necessary in order to ensure that the reported potential system errors are indeed errors, and that no bugs are omitted during the verification process. Scalability is required so that the tools work efficiently for large systems. Among the main techniques of formal verification are model checking, abstract interpretation, satisfiability modulo theory (SMT) reasoning, and first-order theorem proving. These methods are interrelated and many modern formal verification tools use a combination of them. The objective of our proposal is to develop new methods advancing the applicability of firstorder theorem proving in formal software verification. The project will explore and advance the power of the symbol elimination method, introduced recently by ourselves, for generating and proving program properties. Symbol elimination is based on first-order theorem proving and is fully automatic. It was the first ever method able to automatically discover complex program properties with quantifier alternations. The method is based on the following steps. Given a program loop, we first extend the language of the program with additional symbols, such as a loop counter. Next, we extract various information about the program that can be expressed by first-order formulas. These formulas can however use the introduced auxiliary symbols. Therefore, we run a superposition-based first-order theorem prover to eliminate the auxiliary symbols and obtain program properties expressed in the original language of the program. In our project we will pay special attention to developing new theory and tools based on symbol elimination, solve automated reasoning problems arising in program verification, and thus prove automatically the validity of safety properties of software. Safety properties ensure that something ”bad” never happens in the program. Verifying such properties becomes an especially challenging task when programs contain (nested) loops or recursion. The verification of such programs needs additional information, so-called program assertions, that express conditions to hold at certain intermediate points of the program. Typical auxiliary assertions are loop invariants, which describe program states that can be reached during program computations and thus are essential for safety property verification. The effectiveness of using symbol elimination in formal verification thus crucially depends on whether such assertions, even trivial ones, can be deduced automatically. The overall purpose of our project is to design new, unconventional methods for reasoning about program properties, by using symbol elimination in first-order theorem proving. We will implement world-leading tools that are likely to be used by others in the area, and apply our methods and tools on problems of industrial relevance. The results of our project will provide fundamentally new ways of generating and proving program properties by symbol elimination,