Automated Verification with HIP and SLEEK
Asankhaya Sharma
Recall the List Length Example

    int length(struct node* p)
    /* requires p::list<n>
       ensures  p::list<n> & res=n; */
    { if (p == NULL) return 0; else return 1 + length(p->next); }

Call-outs on the slide: Memory Safety (the p::list predicate), Length of the List (the parameter n), Bag of Values.
Total Correctness

    int length(struct node* p)
    /* requires p::list<n> & Term[n]
       ensures  p::list<n> & res=n; */
    { if (p == NULL) return 0; else return 1 + length(p->next); }

Termination metric: a ranking function which decreases with each recursive call (or loop iteration).
Termination Examples for SLEEK

    checkentail Term[m] & m > n |- Term[n].
    checkentail x::list<n> & x != null & Term[n] |- x::node<_,p> * p::list<m> & Term[m].
    checkentail Term[m] |- Loop.
    checkentail Term[m] |- MayLoop.

Each entailment query is answered Valid or Invalid.
Structured Specifications

Richer specifications that provide guidance to automated verification:
- Support automatic case analysis
- Support reuse of verification
- Support multiple specifications
Trivial Loop Example

    while (z != n)
      requires true
      ensures z' = n
    { z = z + 1; }

The precondition is the same as the loop invariant. The postcondition of the loop is the final state when the loop terminates. When does this loop terminate?
With Termination

    while (z != n)
      requires z <= n & Term[n-z]
      ensures z' = n
    { z = z + 1; }

Specify the ranking function with Term[R].
With Non-Termination

    while (z != n)
      requires z > n & Loop
      ensures false
    { z = z + 1; }

The postcondition is false, which signifies that the loop exit is unreachable.
Recall Multiple Specs

    while (z != n)
      requires z <= n & Term[n-z]
      ensures z' = n
      requires z > n & Loop
      ensures false
    { z = z + 1; }

Case analysis: each spec covers one scenario.
Case Structure

Case specification:

    case {
      p1 -> requires R1 ensures Q1;
      p2 -> requires R2 ensures Q2;
    }

Analogous to the law of the excluded middle (LEM): it can be applied during verification to support more comprehensive reasoning.
Why Case?

The presence of case structures enables:
- Automatic case analysis
- Clearer and more concise specifications
Case Specs for Scenario Analysis

Trivial loop with multiple scenarios revisited:

    while (z != n)
      case {
        z <= n -> requires Term[n-z] ensures z' = n;
        z > n  -> requires Loop ensures false;
      }
    { z = z + 1; }
A Tricky Loop

What termination spec to give to this loop?

    while (x > 0) { x = x + y; }
Case Specs for Scenario Analysis

Three scenarios:

    while (x > 0)
      case {
        x <= 0 -> ensures x' = x;                 // base case
        x > 0  -> case {
                    y >= 0 -> ensures false;      // non-terminating
                    y < 0  -> ensures y < x' <= 0; // recursive but terminating
                  }
      }
    { x = x + y; }
With Termination Specs

    while (x > 0)
      case {
        x <= 0 -> requires Term[] ensures x' = x;
        x > 0  -> case {
                    y >= 0 -> requires Loop ensures false;
                    y < 0  -> requires Term[x] ensures y < x' <= 0;
                  }
      }
    { x = x + y; }
McCarthy 91 Function

This function always returns 91 when the input is less than or equal to 100.

    int mcCarthy(int n)
    {
      if (n > 100) return n - 10;
      else return mcCarthy(mcCarthy(n + 11));
    }

Nested recursion. Does it terminate?
Termination

    int mcCarthy(int n)
      case {
        n > 100 -> requires Term[] ensures res = n - 10;
        n <= 100 -> requires Term[100-n] ensures res = 91;
      }
    {
      if (n > 100) return n - 10;
      else return mcCarthy(mcCarthy(n + 11));
    }
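The Term[R] and Loop checks that HIP performs symbolically can be mirrored dynamically: run the program on concrete inputs and check that the ranking function is a non-negative integer that strictly decreases at every loop iteration or recursive call, and that the case postconditions hold. The example below is added here and is not HIP/SLEEK code; it encodes the trivial loop, the tricky loop with its three-scenario case spec, and the McCarthy 91 function with the metrics given on the slides, and the helper names (verified_loop, RankingViolation) are this example's own.

```python
class RankingViolation(Exception): pass   # Term[R] metric negative or not decreasing

def verified_loop(state, guard, body, metric=None, fuel=10_000):
    # Term[R]: metric(state) is a non-negative int, strictly smaller on every
    # iteration than on the previous one (HIP checks this at the recursive call).
    # metric=None models Loop: the guard must still hold after `fuel` iterations.
    prev, steps = None, 0
    while guard(state):
        if metric is None:
            if steps == fuel:
                return state          # no exit observed: consistent with Loop
        else:
            m = metric(state)
            if m < 0 or (prev is not None and m >= prev):
                raise RankingViolation(f"metric not well-founded: {prev} -> {m}")
            prev = m
        state, steps = body(state), steps + 1
    if metric is None:
        raise RankingViolation("spec says Loop, but the loop exited")
    return state

def trivial_loop(z, n, metric=lambda s: s["n"] - s["z"]):
    # while(z!=n){z=z+1}  requires z<=n & Term[n-z] ensures z'=n
    s = verified_loop({"z": z, "n": n}, lambda s: s["z"] != s["n"],
                      lambda s: {**s, "z": s["z"] + 1}, metric)
    assert s["z"] == n
    return s["z"]

def tricky_loop(x, y):
    # while(x>0){x=x+y} with the three-scenario case spec from the slides
    st = {"x": x, "y": y}
    guard, body = lambda s: s["x"] > 0, lambda s: {**s, "x": s["x"] + s["y"]}
    if x <= 0:                                    # x<=0 -> Term[] ensures x'=x
        return ("term", verified_loop(st, guard, body, lambda s: 0)["x"])
    if y >= 0:                                    # x>0 & y>=0 -> Loop ensures false
        verified_loop(st, guard, body, None)
        return ("loop", None)
    s = verified_loop(st, guard, body, lambda s: s["x"])   # x>0 & y<0 -> Term[x]
    assert y < s["x"] <= 0                        # ensures y < x' <= 0
    return ("term", s["x"])

def mccarthy(n, prev=None):
    # case n>100 -> Term[] ensures res=n-10; n<=100 -> Term[100-n] ensures res=91
    if n > 100:
        return n - 10
    m = 100 - n                                   # `prev` is the caller's metric
    if prev is not None and not 0 <= m < prev:
        raise RankingViolation(f"mcCarthy metric: {prev} -> {m}")
    res = mccarthy(mccarthy(n + 11, m), m)
    assert res == 91
    return res
```

Passing a metric that does not decrease (for example `lambda s: s["n"]` to `trivial_loop`), or violating the precondition z <= n, raises RankingViolation at the first offending iteration, which is the dynamic counterpart of SLEEK rejecting the Term entailment.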
Further Reading

Gherghina, Cristian, Cristina David, Shengchao Qin, and Wei-Ngan Chin. "Structured specifications for better verification of heap-manipulating programs." In FM 2011: Formal Methods. Springer Berlin Heidelberg, 2011.