Program Verification with Graph Types and Monadic Second-order Logic

Slides:



Advertisements
Similar presentations
Bounded Model Checking of Concurrent Data Types on Relaxed Memory Models: A Case Study Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of.
Advertisements

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Shape Analysis with Structural Invariant Checkers Bor-Yuh Evan Chang Xavier Rival George C. Necula May 10, 2007 OSQ Retreat.
Extensible Shape Analysis by Designing with the User in Mind Bor-Yuh Evan Chang Bor-Yuh Evan Chang, Xavier Rival, and George Necula University of California,
Automated Verification with HIP and SLEEK Asankhaya Sharma.
Semantics Static semantics Dynamic semantics attribute grammars
Data-Flow Analysis II CS 671 March 13, CS 671 – Spring Data-Flow Analysis Gather conservative, approximate information about what a program.
Predicate Abstraction and Canonical Abstraction for Singly - linked Lists Roman Manevich Mooly Sagiv Tel Aviv University Eran Yahav G. Ramalingam IBM T.J.
Gennaro Parlato (LIAFA, Paris, France) Joint work with P. Madhusudan Xiaokang Qie University of Illinois at Urbana-Champaign.
Gennaro Parlato (LIAFA, Paris, France) Joint work with P. Madhusudan Xiaokang Qie University of Illinois at Urbana-Champaign.
Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.
Linked List Implementation class List { private List next; private Object data; private static List root; private static int size; public static void addNew(Object.
3-Valued Logic Analyzer (TVP) Tal Lev-Ami and Mooly Sagiv.
1 How to transform an analyzer into a verifier. 2 OUTLINE OF THE LECTURE a verification technique which combines abstract interpretation and Park’s fixpoint.
Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.
Hybrid Systems Presented by: Arnab De Anand S. An Intuitive Introduction to Hybrid Systems Discrete program with an analog environment. What does it mean?
Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.
SYMBOLIC MODEL CHECKING: STATES AND BEYOND J.R. Burch E.M. Clarke K.L. McMillan D. L. Dill L. J. Hwang Presented by Rehana Begam.
6/14/991 Symbolic verification of systems with state machines David L. Dill Jeffrey Su Jens Skakkebaek Computer System Laboratory Stanford University.
CS 355 – Programming Languages
Relational Inductive Shape Analysis Bor-Yuh Evan Chang University of California, Berkeley Xavier Rival INRIA POPL 2008.
1 Basic abstract interpretation theory. 2 The general idea §a semantics l any definition style, from a denotational definition to a detailed interpreter.
1 Operational Semantics Mooly Sagiv Tel Aviv University Textbook: Semantics with Applications.
Specialized Reference Counting Garbage Collection using Data Structure Annotations By Eric Watkins and Dzin Avots for CS 343 Spring 2002.
Establishing Local Temporal Heap Safety Properties with Applications to Compile-Time Memory Management Ran Shaham Eran Yahav Elliot Kolodner Mooly Sagiv.
Program analysis Mooly Sagiv html://
Program analysis Mooly Sagiv html://
The Pointer Assertion Logic Engine Anders Møller Michael I. Schwartzbach CMSC 631 presentation: Nikolaos Frangiadakis.
Programming Language Semantics Mooly SagivEran Yahav Schrirber 317Open space html://
Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
Overview of program analysis Mooly Sagiv html://
Semantics with Applications Mooly Sagiv Schrirber html:// Textbooks:Winskel The.
Describing Syntax and Semantics
David Luebke 1 7/2/2015 ITCS 6114 Red-Black Trees.
1 ES 314 Advanced Programming Lec 2 Sept 3 Goals: Complete the discussion of problem Review of C++ Object-oriented design Arrays and pointers.
Comparison Under Abstraction for Verifying Linearizability Daphna Amit Noam Rinetzky Mooly Sagiv Tom RepsEran Yahav Tel Aviv UniversityUniversity of Wisconsin.
Program Analysis Mooly Sagiv Tel Aviv University Sunday Scrieber 8 Monday Schrieber.
Cristian Gherghina Joint work with: Wei-Ngan Chin, Razvan Voicu, Quang Loc Le Florin Craciun, Shengchao Qin TexPoint fonts used in EMF. Read the TexPoint.
Dagstuhl Seminar "Applied Deductive Verification" November Symbolically Computing Most-Precise Abstract Operations for Shape.
1 Graph Query Verification using Monadic 2 nd -Order Logic Kazuhiro Inaba ( 稲葉 一浩 ) NII.ac.jp Oct 10, st PKU-NII International Joint Workshop.
June 27, 2002 HornstrupCentret1 Using Compile-time Techniques to Generate and Visualize Invariants for Algorithm Explanation Thursday, 27 June :00-13:30.
Automatic Verification of Pointer Programs using Grammar-based Shape Analysis Hongseok Yang Seoul National University (Joint Work with Oukseh Lee and Kwangkeun.
Checking Reachability using Matching Logic Grigore Rosu and Andrei Stefanescu University of Illinois, USA.
Symbolically Computing Most-Precise Abstract Operations for Shape Analysis Greta Yorsh Thomas Reps Mooly Sagiv Tel Aviv University University of Wisconsin.
Formal verification of skiplist algorithms Student: Trinh Cong Quy Supervisor: Bengt Jonsson Reviewer: Parosh Abdulla.
1 / 48 Formal a Language Theory and Describing Semantics Principles of Programming Languages 4.
1 Shape Analysis via 3-Valued Logic Mooly Sagiv Tel Aviv University Shape analysis with applications Chapter 4.6
Predicate Abstraction. Abstract state space exploration Method: (1) start in the abstract initial state (2) use to compute reachable states (invariants)
Operational Semantics Mooly Sagiv Tel Aviv University Textbook: Semantics with Applications Chapter.
Quantified Data Automata on Skinny Trees: an Abstract Domain for Lists Pranav Garg 1, P. Madhusudan 1 and Gennaro Parlato 2 1 University of Illinois at.
Shape & Alias Analyses Jaehwang Kim and Jaeho Shin Programming Research Laboratory Seoul National University
Today’s Agenda  Quiz 4  Temporal Logic Formal Methods in Software Engineering1.
David Luebke 1 3/20/2016 CS 332: Algorithms Skip Lists.
Finding bugs with a constraint solver daniel jackson. mandana vaziri mit laboratory for computer science issta 2000.
Putting Static Analysis to Work for Verification A Case Study Tal Lev-Ami Thomas Reps Mooly Sagiv Reinhard Wilhelm.
Weakest Precondition of Unstructured Programs
Spring 2016 Program Analysis and Verification
GC211Data Structure Lecture2 Sara Alhajjam.
Graph-Based Operational Semantics
Lecture 22 Binary Search Trees Chapter 10 of textbook
(One-Path) Reachability Logic
Symbolic Implementation of the Best Transformer
Lecture 5 Floyd-Hoare Style Verification
Programming Languages 2nd edition Tucker and Noonan
Over-Approximating Boolean Programs with Unbounded Thread Creation
Reduction in End-User Shape Analysis
Predicate Transformers
Programming Languages 2nd edition Tucker and Noonan
Presentation transcript:

Program Verification with Graph Types and Monadic Second-order Logic Anders Møller Michael I. Schwartzbach BRICS, Aarhus University

Introduction Motivation: find bugs optimize code in programs that heavily rely on pointers, such as data type implementations General approach: model the heap, including records and pointer fields describe properties in some assertion language verify correctness of assertions Variations in expressive power and use(/need) of annotations. Program Verification with Graph Types and Monadic Second-order Logic

Three approaches Shape Types [Fradet & Le Métayer, POPL’97] based on context-free graph grammars Shape Graphs [Sagiv, Reps & Wilhelm, POPL’96+’99] based on classical abstract interpretation and program analysis Graph Types [Klarlund & Schwartzbach, POPL’93] based on regular expressions and monadic second-order logic Program Verification with Graph Types and Monadic Second-order Logic

Overview Shape Types Shape Graphs Graph Types Verification with graph types Monadic 2nd-order Logic (M2L) Hoare logic Implementation: PALE – the Pointer Assertion Logic Engine Example: red_black_insert.pale Program Verification with Graph Types and Monadic Second-order Logic

Shape Types [Fradet & Le Métayer, POPL’97] Define classes of heap structures with context-free graph grammars Model program execution with single-step transformers Program Verification with Graph Types and Monadic Second-order Logic

Shape Types - example An example: the doubly-linked list with a pointer to the first element can be described by a multiset of tuples: {p a1, pred a1 a1, next a1 a2, pred a2 a1, next a2 a3, pred a3 a2, next a3 a3} Such lists can be described by a context-free graph grammar: Doubly = p x, pred x x, L x L x = next x y, pred y x, L y L x = next x x where Doubly and L are non-terminals. pred next next next a1 a2 a3 p pred pred Program Verification with Graph Types and Monadic Second-order Logic

Shape Types - transformers A program step is modeled by a single-step transformer, e.g: next a b, pred b a, next b c, pred c b  next a c, pred c a “Shape invariance”: rewriting a graph using a transformer must preserve the shape type – the paper describes a conservative algorithm Program Verification with Graph Types and Monadic Second-order Logic

Shape Types – practical problems Requires extensive modifications of the programming language Shape invariance, grammar equivalence, and grammar inclusion are undecidable decidable for a rather unelegant subclass no experimental results Apparently, only considers single steps of execution does not permit temporary but intentional invalidation of properties, which always occurs in programs Program Verification with Graph Types and Monadic Second-order Logic

Shape Graphs [Sagiv, Reps & Wilhelm, POPL’96] Idea: approximate a concrete heap with a shape graph: nodes that are not directly reachable from program variables are collapsed into a summary node nodes are labeled with sharing information (a single bit) (many variants) Use abstract interpretation (standard forward least-fixpoint iterative data-flow analysis) to find a (set of) shape graphs for each program point. Note: uses no annotations, but scales poorly compared to its precision Program Verification with Graph Types and Monadic Second-order Logic

Parametric Shape Analysis [Sagiv, Reps & Wilhelm, POPL’99] Use a 3-valued first-order logic with transitive closure Represent shape graphs as logical structures Parametric in the choice of instrumentation predicates Assertions can be specified in the logic Core predicates: ptr_x(v) (“does the program variable x point to the record v?”) succ_f(v,w) (“does the f field of v point to w?”) sm(v) (“does v represent more than one concrete record?”) Example instrumentation predicates: reachable(v) (“is v reachable from some program variable?”) shared(v) (“does more than one field point to v?”) More general approach, but same problems with scalability, and requires manual construction of interpretation of predicates Similarities with the approach based on monadic second-order logic (next...) Program Verification with Graph Types and Monadic Second-order Logic

Graph Types [Klarlund & Schwartzbach, POPL’93] A Graph type is a recursive type with auxiliary pointers: the recursive type defines a spanning tree (the “backbone”) the auxiliary pointers provide short-cuts across the backbone or into other trees they must be functionally determined by the backbone (“wellformedness”) they are defined by “routing expressions” Graph types are interesting because many common shapes can be expressed monadic second-order logic on finite trees can be used for verification – and this is one of the most expressive logics that is practically decidable Program Verification with Graph Types and Monadic Second-order Logic

Graph types – routing expressions A routing expression is a regular expression over navigation directives: a: “move down” along a given pointer field : “move up” one step backwards ^: “check at root” of the backbone $: “check at leaf” T:v “check type and variant” combined with choice (r1+r2), sequence (r1 r2), and repetition (r*) Program Verification with Graph Types and Monadic Second-order Logic

Graph Types – examples A few examples: list with pointer to the last element H  (first: L, last: L[first tail* $ ]) L  (tail: L) L  () doubly-linked cyclic list D  (next: D, prev: D[ + ^next* $]) D  (next: D[* ^], prev: D[ +^]) binary tree in which all the leaves are joined in a cyclic list J  (left, right: J) J  (next: J[right* (left right + ^) left*]) H L L L L first tail tail last Program Verification with Graph Types and Monadic Second-order Logic

Monadic Second-order Logic on finite Trees (M2L-Tree) Allows routing expressions and wellformedness to be expressed Provides an expressive assertion language for imperative programs manipulating graph type structures ::= ¬ |  |  |  |  | 1x. | 1x. | 2X. | 2X. (formulas) | t=t | tT | T=T | TT | ... T ::= X | TT | TT | T\T |  (set terms) t ::= x | t.left | t.right | t.up (position terms) Decidable using tree automata. Implementation: the MONA tool (www.brics.dk/mona) Program Verification with Graph Types and Monadic Second-order Logic

Graph Types and M2L-Tree for Program Verification Pointer Assertion Logic (PAL): M2L–Tree + generalized routing expressions (as syntactic sugar) Use PAL formulas in graph type declarations (to specify the auxiliary pointers and express wellformedness) as program assertions (e.g. invariants, pre- and post-conditions) Goal: automatically verify correctness of these program annotations Program Verification with Graph Types and Monadic Second-order Logic

Hoare Logic Require invariants at all while-loops and procedure calls (extra assertions are also allowed) Split the program into Hoare triples: {pre} stm {post} (graph types need only be valid at cut-points) Verify each triple separately (only loop-free code left) including check for null-pointer dereferences and other memory errors Note: highly modular, but requires invariants Program Verification with Graph Types and Monadic Second-order Logic

Verifying the Hoare triples Reduce everything to M2L-Tree and use the MONA tool. Use a technique of transductions to encode statements: A collection of M2L-Tree store predicates describes a set of stores at a given program point, e.g: succ_T_d(v,w) is true if v denotes a record of type T with a pointer field d pointing to the record w ptr_p(v) is true if v denotes the record pointed to by the program variable p Each statement is simulated by predicate transformation, e.g: p = q.next; is simulated by updating the ptr_p(v) predicate to ptr_p’(v) = w. ptr_q(w)  succ_T_next(w,v) This technique is sound and complete for loop-free code! Program Verification with Graph Types and Monadic Second-order Logic

Challenges and Extensions How to split into Hoare triples without too many cut-points? (each cut-point requires an invariant) use a non-standard form of Hoare triples How to handle procedure calls? (procedure calls are known to cause problems for Hoare logics) use call invariants, pre- and post-conditions, and logical variables How to obtain a working decision procedure? (M2L-Tree has a non-elementary complexity!) use advanced features of the MONA tool How precisely can record data (i.e. the non-pointer fields) be expressed? some data abstraction is possible, e.g. sorted lists can be expressed ... Program Verification with Graph Types and Monadic Second-order Logic

Example: red_black_insert.pale (1) A red-black tree is a binary tree whose records are red or black and have parent pointers a red record cannot have a red successor the root is black the number of black records is the same for all direct paths from the root to a leaf 1) is a graph type 2) and 3) can be captured as PAL formula invariants 4) cannot be expressed Program Verification with Graph Types and Monadic Second-order Logic

Example: red_black_insert.pale (2) type Node = { bool color; data left,right:Node; pointer p:Node[this^Node.left union this^Node.right={p}]; } pred red(pointer n:Node) = n.color=false; pred black(pointer n:Node) = n.color=true | n=null; pred inv(pointer n:Node) = black(n) & allpos m of Node: n<(left+right)*>m => (red(m) => black(m.left) & black(m.right)); Program Verification with Graph Types and Monadic Second-order Logic

Example: red_black_insert.pale (3) proc redblackinsert(data t,root:Node):Node [t.left=null & t.right=null & inv(root)] { pointer y,x:Node; x = t; root = treeinsert(x,root) [treeinsert.Z=x & treeinsert.Q=root]; x.color = false; while [x!=null & root<(left+right)*>x & almostinv1(root,x) & (black(root) | x=root) & (x!=root & red(x.p) => red(x))] (x!=root & x.p.color=false) { if (x.p=x.p.p.left) { y = x.p.p.right; if (y!=null & y.color=false) { x.p.color = true; y.color = true; x.p.p.color = false; x = x.p.p; } else { if (x=x.p.right) { x = x.p; root = leftrotate(x,root) [leftrotate.X=x & root<(left+right)*>x & red(leftrotate.Y)]; split [x.p.left=x & x.p.p.left=x.p & black(x.p.p.right) & root<(left+right)*>x & almostinv2(root,x) & black(x.left) & black(x.right) & black(x.p.right)]; root = rightrotate(x.p.p,root) [rightrotate.Y.left=x & root<(left+right)*>x & red(rightrotate.X) & rightrotate.Q=root & x!=null]; root.color = true; } } else { ... }} return root; } [inv(return)] + auxiliary procedures leftrotate, rightrotate, and treeinsert (total ~135 lines of program code) Program Verification with Graph Types and Monadic Second-order Logic

Example: red_black_insert.pale (4) Insert invariants and pre- and post-conditions, expressing partial correctness of red_black_insert and the auxiliary procedures Run the PALE tool Result: after ~10000 tree automaton operations and 55 seconds, PALE replies that all assertions are valid there can be no null-pointer dereferences or memory leaks the graph type is wellformed and valid at all cut-points If verification fails, a counterexample is returned. Note: very detailed information, also useful for optimizing code Program Verification with Graph Types and Monadic Second-order Logic

http://www.brics.dk/PALE “The Pointer Assertion Logic Engine” (submitted) The PALE tool (8000 lines of C, GPL licence) Detailed description of the translation into MONA code More examples (singly-linked lists, doubly-linked lists with tail pointers, threaded trees, sorted lists) Program Verification with Graph Types and Monadic Second-order Logic