Almost Correct Invariants: Synthesizing Inductive Invariants by Fuzzing Proofs
Fri 22 Jul 2022 00:00 - 00:20 at ISSTA 1 - Session 1-9: Fuzzing and Friends A
Real-life programs contain multiple operations whose semantics are unavailable to verification engines, like third-party library calls, inline assembly and SIMD instructions, special compiler-provided primitives, and queries to uninterpretable machine learning models. Even with the exceptional success story of program verification, synthesis of inductive invariants for such open" programs has remained a challenge. Currently, this problem is handled by manuallyclosing" the program—by providing hand-written \textit{stubs} that attempt to capture the behavior of the unmodelled operations; writing stubs is not only difficult and tedious, but the stubs are often incorrect—raising serious questions on the whole endeavor.
In this work, we propose \textit{Almost Correct Invariants} as an automated strategy for synthesizing inductive invariants for such ``open" programs. We adopt an active learning strategy where a data-driven learner proposes candidate invariants. In deviation from prior work that attempt to \textit{verify} invariants, we attempt to \textit{falsify} the invariants: we reduce the falsification problem to a set of reachability checks on non-deterministic programs; we ride on the success of modern fuzzers to answer these reachability queries. Our tool, $\textit{ACHAR}$, automatically synthesizes inductive invariants that are sufficient to prove the correctness of the target programs. We compare $\textit{ACHAR}$ with a state-of-the-art invariant synthesis tool that employs theorem proving on formulae built over the program source. Though $\textit{ACHAR}$ is without strong soundness guarantees, our experiments show that even when we provide almost no access to the program source, $\textit{ACHAR}$ outperforms the state-of-the-art invariant generator that has complete access to the source. We also evaluate $\textit{ACHAR}$ on programs that current invariant synthesis engines cannot handle—programs that invoke external library calls, inline assembly, and queries to convolution neural networks; $\textit{ACHAR}$ successfully infers the necessary inductive invariants within a reasonable time.
Wed 20 JulDisplayed time zone: Seoul change
16:20 - 17:20 | Session 3-2: Fuzzing and Friends CTechnical Papers at ISSTA 2 Chair(s): Behnaz Hassanshahi Oracle Labs, Australia | ||
16:20 20mTalk | SnapFuzz: High-Throughput Fuzzing of Network Applications Technical Papers DOI | ||
16:40 20mTalk | SLIME: Program-sensitive Energy Allocation for Fuzzing Technical Papers Chenyang Lyu Zhejiang University, Hong Liang Zhejiang University, Shouling Ji Zhejiang University, Xuhong Zhang Zhejiang University, Binbin Zhao Georgia Institute of Technology, Meng Han Binjiang Institute of Zhejiang University & Zhejiang University, Yun Li Huawei Technologies Co., Ltd., Zhe Wang State Key Laboratory of Computer Architecture, Institute of Computing Technology, Chinese Academy of Sciences, Wenhai Wang Zhejiang University, Raheem Beyah Georgia Institute of Technology DOI | ||
17:00 20mTalk | Almost Correct Invariants: Synthesizing Inductive Invariants by Fuzzing Proofs Technical Papers DOI | ||
Fri 22 JulDisplayed time zone: Seoul change
00:00 - 01:00 | |||
00:00 20mTalk | Almost Correct Invariants: Synthesizing Inductive Invariants by Fuzzing Proofs Technical Papers DOI | ||
00:20 20mTalk | MDPFuzz: Testing Models Solving Markov Decision Processes Technical Papers Qi Pang HKUST, Yuanyuan Yuan The Hong Kong University of Science and Technology, Shuai Wang Hong Kong University of Science and Technology DOI | ||
00:40 20mTalk | SnapFuzz: High-Throughput Fuzzing of Network Applications Technical Papers DOI | ||