Higher-order constrained horn clauses for verification

Toby Cathcart Burn, C.-H. Luke Ong, Steven J. Ramsay
2017 Proceedings of the ACM on Programming Languages  
This is the final published version of the article (version of record). It first appeared online via ACM at https://dl.acm.org/citation.cfm?doid=3177123.3158099 . Please refer to any applicable terms of use of the publisher. University of Bristol -Explore Bristol Research General rights This document is made available in accordance with publisher policies. Please cite only the published version using the reference above. Full terms of use are available: Motivated by applications in automated
more » ... ification of higher-order functional programs, we develop a notion of constrained Horn clauses in higher-order logic and a decision problem concerning their satisfiability. We show that, although satisfiable systems of higher-order clauses do not generally have least models, there is a notion of canonical model obtained through a reduction to a problem concerning a kind of monotone logic program. Following work in higher-order program verification, we develop a refinement type system in order to reason about and automate the search for models. This provides a sound but incomplete method for solving the decision problem. Finally, we show that there is a sense in which we can use refinement types to express properties of terms whilst staying within the higher-order constrained Horn clause framework. This paper concerns automated verification of higher-order, functional programs. Whilst there are approaches to the verification of functional programs in which constrained Horn clause solving plays an important role, there is inevitably a mismatch between the higher-order nature of the program and the first-order logic in which the Horn clauses are expressed, and this must be addressed in some intelligent way by the program verifier. For example, in recent work on refinement types (see e.g. Rondon, Kawaguchi, and Jhala [2008], Vazou, Bakst, and Jhala [2015] and Unno, Terauchi, and Kobayashi [2013] ), a type system is used to reduce the problem of finding an invariant for the higher-order program to finding a number of first-order invariants of the ground-type data at certain program points. This latter problem can often be expressed as a system of constrained Horn clauses. When that system is solvable, the first-order invariants obtained can be composed in the type system to yield a higher-order invariant for the program (expressed as a type assignment). In this paper we introduce higher-order constrained Horn clauses, an extension of the notion of constrained Horn clause to higher-order logic. This gives us a language in which we can express Horn constraints over higher-order functions (actually, higher-order relations), which is not possible to do directly with only first-order constrained Horn clauses. Although the definition is natural, it is not immediate that it is suitable for automated verification, so we go on to show three important results in that direction, namely: the existence of canonical solutions, the applicability of existing techniques to automated solving and the expressibility of program properties of higher type. Let us elaborate on each of these and illustrate our motivation more concretely by discussing a particular example. Consider the following higher-order program: let add x y = x + y let rec iter f s n = if n ≤ 0 then s else f n (iter f s (n − 1)) in λn. assert (n ≤ iter add 0 n) The term iter add 0 n occurring in the last line of the program is the sum of the integers from 1 to n in case n is non-negative and is 0 otherwise. Let us say that the program is safe just in case the assertion is never violated, i.e. the summation is not smaller than n. To verify safety, we must find an invariant that implies the required property. For our purposes, an invariant will be an over-approximation of the input-output graphs of the functions defined in the program. If we can find an over-approximation of the graph of the function iter add 0 which does not contain any pair (n, m) with n > m, then we can be certain that the guard on the assertion is never violated. Hence, we seek a set of pairs of natural numbers relating n to m at least whenever iter add 0 n evaluates to m and which has no intersection with >. The idea is to express the problem of finding such a program invariant logically, as a satisfiability problem for the following set of higher-order constrained Horn clauses: ∀xyz. z = x + y ⇒ Add x y z ∀f snm. n ≤ 0 ∧ m = s ⇒ Iter f s n m ∀f snm. n > 0 ∧ ∃p. Iter f s (n − 1) p ∧ f n p m ⇒ Iter f s n m ∀nm. Iter Add 0 n m ⇒ n ≤ m The clauses constrain the variables Add : int → int → int → o and Iter: (int → int → int → o) → int → int → int → o with respect to the theory of integer linear arithmetic, so a model is just an assignment of particular relations 1 to these variables that satisfies the formulas. The first clause constrains Add to be an over-approximation of the graph of the addition function add: whenever z = x + y, we at least know that x, y and z are related by Add. The second and third constrain Iter to be an over-approximation of the graph of the iteration combinator iter. Observe that the two I o (b) = b I ι→ρ (r ) = I ρ • r I ρ 1 →ρ 2 (r ) = I ρ 2 • r • L ρ 1 J o (b) = b J ι→ρ (r ) = J ρ • r J ρ 1 →ρ 2 (r ) = J ρ 2 • r • U ρ 1
doi:10.1145/3158099 dblp:journals/pacmpl/BurnOR18 fatcat:ndnyxiljkvgudh7dh42gebv3he