Matching Logic
Grigore Rosu, University of Illinois at Urbana-Champaign, USA

Presentation transcript:


Motivation
Goal: verify programs using directly the trusted executable semantics of the language
– Avoid defining Hoare logic or axiomatic semantics
Many existing executable semantics frameworks
– PLT-REDEX (Findler et al.), MSOS tool (Mosses et al.), OTT (Sewell et al.), Spoofax (Visser et al.), K (Rosu et al.)
– Semantics = rewrite rules over configuration patterns
Need: specify properties/patterns/structure of interest over program configurations

Matching Logic - Overview
Logic for reasoning about structure
– Structure defined as algebraic data-types
– Formulae specify desired structure templates or patterns
– Formula satisfaction is pattern matching
Historical remarks
– First variant proposed in 2010 (Rosu, Ellison, Schulte)
– Continuously improved, implemented and applied since then, as part of larger projects on program reasoning
– Latest and most comprehensive reference: RTA’15 (most general variant; soundness and completeness)

Talk Overview
Context: Executable language semantics
– The K framework
Matching logic
Application: Program specification and verification using matching logic

K Team
UIUC, USA
– Grigore Rosu (started K in 2003)
– Thomas Bogue
– Brandon Moore
– Daejun Park
– Cosmin Radoi
– Yuwen Shijiao
– Andrei Stefanescu
Former members: Kyle Blocher, Peter Dinges, Chucky Ellison, Cansu Erdogan, Dwight Guth, Mike Ilseman, David Lazar, Patrick Meredith, Erick Mikida, Traian Serbanuta
Runtime Verification, Inc., USA
– Dwight Guth
– Manasvi Saxena
Romania
– Dorel Lucanu
– Traian Florin Serbanuta
– Andrei Arusoae
– Stefan Ciobaca
– Radu Mereuta
Former members: Irina Asavoae, Mihai Asavoae, Denis Bogdanas, Gheorghe Grigoras, Emilian Necula, Raluca Necula

Vision and Objective
(diagram: a Formal Language Definition (Syntax and Semantics) and the tools derived from it: Parser, Interpreter, Compiler, (semantic) Debugger, Symbolic execution, Model checker, Deductive program verifier, Test-case generation)

Current State-of-the-Art in PL Design, Implementation and Analysis
Consider some programming language, L
Formal semantics of L?
– Typically skipped: considered expensive and useless
Implementations for L
– Based on some ad hoc understanding of what L is
Model checkers for L
– Based on some ad hoc encodings/models of L
Program verifiers for L
– Based on some other ad hoc encodings/models of L
…

Example of C Program
What should the following program evaluate to?

    int main(void) {
      int x = 0;
      return (x = 1) + (x = 2);
    }

According to the C “standard”, it is undefined
GCC4, MSVC: it returns 4
GCC3, ICC, Clang: it returns 3
State-of-the-art formal program verifiers "prove" that this program returns 4
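Worked example added here (not from the slides or from the K tools): a tiny evaluator for C-like expressions with assignment, plus a check for the unsequenced side effects that make the program above undefined under C11 6.5p2. The two evaluation strategies are constructed to reproduce the two results the slide reports (3 and 4); they illustrate how either answer can arise and are not a description of any compiler's internals.

```python
# C-like expression fragment encoded as tuples (constructed for this example):
#   ("num", n), ("var", name), ("assign", name, expr), ("add", lhs, rhs)
PROGRAM = ("add", ("assign", "x", ("num", 1)), ("assign", "x", ("num", 2)))  # (x = 1) + (x = 2)

def writes(e):
    """Scalar objects modified (side effects) while evaluating e."""
    if e[0] == "assign":
        return {e[1]} | writes(e[2])
    return writes(e[1]) | writes(e[2]) if e[0] == "add" else set()

def reads(e):
    """Objects whose value is used while evaluating e; the target of '=' is not read."""
    if e[0] == "var":
        return {e[1]}
    if e[0] == "assign":
        return reads(e[2])
    return reads(e[1]) | reads(e[2]) if e[0] == "add" else set()

def unsequenced_conflicts(e):
    """Objects that make e undefined under C11 6.5p2: a side effect in one operand of the
    unsequenced '+' together with a side effect on, or a read of, the same object in the other."""
    if e[0] == "assign":
        return unsequenced_conflicts(e[2])
    if e[0] != "add":
        return set()
    lhs, rhs = e[1], e[2]
    here = (writes(lhs) & writes(rhs)) | (writes(lhs) & reads(rhs)) | (reads(lhs) & writes(rhs))
    return here | unsequenced_conflicts(lhs) | unsequenced_conflicts(rhs)

def evaluate(e, state, reread):
    """Perform e's stores now and return a thunk for e's value.
    reread=False: '=' yields the value just stored           -> PROGRAM gives 3.
    reread=True:  '=' yields its variable re-read after all stores of the whole
                  expression have happened                    -> PROGRAM gives 4.
    Both strategies are constructed illustrations, not any compiler's actual semantics."""
    if e[0] == "num":
        return lambda: e[1]
    if e[0] == "var":
        return lambda: state[e[1]]
    if e[0] == "assign":
        value = evaluate(e[2], state, reread)()
        state[e[1]] = value
        return (lambda: state[e[1]]) if reread else (lambda: value)
    lhs, rhs = evaluate(e[1], state, reread), evaluate(e[2], state, reread)
    return lambda: lhs() + rhs()

def run(e, reread):
    """Evaluate e from the slide's initial state `int x = 0`; returns what main() would return."""
    return evaluate(e, {"x": 0}, reread)()
```

A verifier that bakes in one of the two strategies will "prove" one answer for a program that the standard leaves undefined; the conflict check is what a semantics covering undefined behaviour has to report instead.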

A Formal Semantics Manifesto
Languages must have formal semantics!
– And analysis/verification tools should build on them
Otherwise they are ad hoc and likely wrong
Informal manuals are not sufficient
– Manuals typically have a formal syntax of the language (in an appendix)
– Why not a formal semantics appendix as well?

K Approach
(diagram: a Formal Language Definition (Syntax and Semantics) and the tools derived from it: Parser, Interpreter, Compiler, (semantic) Debugger, Symbolic execution, Model checker, Deductive program verifier, Test-case generation)

Formal Language Definition (Syntax and Semantics)
If one needs a PhD to define a language, then we have already failed.

Complete K Definition of KernelC

Complete K Definition of KernelC
Syntax declared using annotated BNF …

Complete K Definition of KernelC
Configuration given as a nested cell structure. Leaves can be sets, multisets, lists, maps, or syntax

Complete K Definition of KernelC
Semantic rules given contextually, e.g. the assignment rule, which rewrites the expression X = V to V while the binding of X in the state map is updated to V:

    X = V => V …
    … X |-> (_ => V) …

K Scales
Several large languages were recently defined in K:
Java 1.4: by Bogdanas et al. [POPL’15]
– 800+ program test suite that covers the semantics
JavaScript ES5: by Park et al. [PLDI’15]
– Passes existing conformance test suite (2872 pgms)
– Found (confirmed) bugs in Chrome, IE, Firefox, Safari
C11: Ellison et al. [POPL’12, PLDI’15]
– All 77 different types of undefined behavior
– Commercialized by startup (Runtime Verification, Inc.)
…

K Configuration and Definition of C
120 cells! (the heap is one of them) … plus ~2000 rules …

K Semantics are testable!
(diagram: Formal Language Definition (Syntax and Semantics) with the Parser, Interpreter and (semantic) Debugger derived from it)

Testing the K definition of C
Tested on thousands of C programs (several benchmarks, including the gcc torture test, code from the obfuscated C competition, etc.)
– Passed 99.2% so far!
– GCC passes 99%, ICC 99.4%, Clang 98.3% (no opt.)
The most complete formal C semantics [POPL’12, PLDI’15]

K Demo
Using Kweb, an online interface to K
– Show KOOL
– Show Damas-Milner type inferencer

(diagram: Formal Language Definition (Syntax and Semantics), Deductive program verifier, Symbolic execution)

State-of-the-Art
Redefine the language using a different semantic approach (Hoare/separation/dynamic logic)
Language specific, non-executable, error-prone
Many different program logics for “state” properties: FOL, HOL, Separation logic…

State-of-the-Art
Thus, these semantics need to be proved sound (and relatively complete) wrt trusted, operational semantics (reference model)
– Huge effort, few dare to do it; so typically not done
But verification tools are developed using them
So we have an inherent gap between trusted, operational semantics, and the semantics currently used for program verification

Our Approach
Use directly the trusted operational semantics!
– Has been done before (e.g., ACL2), but proofs are low-level (induction on the transition system) and language-specific
Language-independent proof system
– Takes operational semantics as axioms
– Derives reachability properties
– Sound and relatively complete for all languages!
(diagram: Formal Language Definition (Syntax and Semantics), Deductive program verifier, Symbolic execution)

(diagram: Formal Language Definition (Syntax and Semantics), Deductive program verifier, Symbolic execution)
Need a means to specify static and dynamic program properties

Matching Logic for Static Properties
Specify properties over program configurations and reason about them using matching logic
Ultimate “program logic” for the language in question, specifically crafted for it
We only discuss the first-order variant here
Can be obtained from FOL by collapsing its operation and predicate symbols
– Collapsing its terms and predicates into patterns
– Interpreting symbols in powerset domains

Recall - First Order Logic

From FOL to Matching Logic

From FOL to Matching Logic
Collapse symbols

From FOL to Matching Logic
Collapse symbols

From FOL to Matching Logic
Collapse terms and predicates

From FOL to Matching Logic
Collapse terms and predicates

From FOL to Matching Logic
Interpret symbols into powerdomains

From FOL to Matching Logic
Interpret symbols into powerdomains

Matching Logic vs. FOL
Simpler (no need to distinguish operations from predicates)
Same expressiveness, but patterns more succinct than FOL formulae
When fixing model(s), quite a convenient notation (captures separation logic)

Bottom Line
No distinction between function and predicate symbols; they build patterns
In models, patterns evaluate to sets of elements, namely those that match them
Examples (the pattern formulas themselves were not captured in the transcript):
– , written , matched by singletons of sort s
– matched by successor of x
– elements are either zero or successors
– matched by all linked lists in the heap starting with pointer x and holding mathematical sequence S

Useful Sugar
Derived constructs: definedness, equality, membership
Definedness is either the empty set (when the pattern is empty) or otherwise the total set (when the pattern is non-empty)
Sort subscripts and superscripts can be inferred from the context, so we do not write them
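Added example (not from the talk, nor code from K or MatchC): a finite-model evaluator for first-order matching logic patterns, making concrete the "interpret symbols into powerdomains" step, the "zero or successor" example above, and the definedness/equality/membership sugar. The carrier, the two symbols zero and succ, and the tuple encoding of patterns are constructed for this example; the derived constructs follow matching logic's standard definitions, which are assumed here because the slide's formulas are not in the transcript.

```python
from itertools import product

# Finite single-sorted model constructed for this example: carrier {0, ..., MAX}.
# Every symbol is interpreted in the powerset of the carrier, as matching logic requires.
MAX = 7
CARRIER = frozenset(range(MAX + 1))
SYMBOLS = {
    "zero": lambda: frozenset({0}),
    # succ is partial at the top of the finite carrier: succ(MAX) matches nothing
    "succ": lambda n: frozenset({n + 1}) if n < MAX else frozenset(),
}

def evaluate(p, rho):
    """Set of carrier elements matching pattern p under valuation rho (variable -> element).
    Patterns are tuples: ("var", x), ("sym", name, *args), ("and", p, q), ("or", p, q),
    ("not", p), ("exists", x, p), and ("ceil", p) for definedness."""
    kind = p[0]
    if kind == "var":                      # a variable matches exactly its value
        return frozenset({rho[p[1]]})
    if kind == "sym":                      # pointwise extension of the symbol to sets of arguments
        args = [evaluate(a, rho) for a in p[2:]]
        return frozenset().union(*(SYMBOLS[p[1]](*tup) for tup in product(*args)))
    if kind == "and":
        return evaluate(p[1], rho) & evaluate(p[2], rho)
    if kind == "or":
        return evaluate(p[1], rho) | evaluate(p[2], rho)
    if kind == "not":
        return CARRIER - evaluate(p[1], rho)
    if kind == "exists":                   # union over every value of the bound variable
        return frozenset().union(*(evaluate(p[2], {**rho, p[1]: a}) for a in CARRIER))
    if kind == "ceil":                     # definedness: empty stays empty, non-empty becomes total
        return CARRIER if evaluate(p[1], rho) else frozenset()
    raise ValueError(f"unknown pattern constructor {kind!r}")

# Sugar, following matching logic's standard derived constructs (assumed here; the slide's
# formulas are not in the transcript): implication, equivalence, equality and membership.
def implies(p, q): return ("or", ("not", p), q)
def iff(p, q): return ("and", implies(p, q), implies(q, p))
def equals(p, q): return ("not", ("ceil", ("not", iff(p, q))))   # p = q  is  not ceil(not (p <-> q))
def member(x, p): return ("ceil", ("and", x, p))                  # x in p  is  ceil(x and p)

ZERO = ("sym", "zero")
def succ(p): return ("sym", "succ", p)
# "elements are either zero or successors": this pattern matches the whole carrier
ALL_NATS = ("or", ZERO, ("exists", "x", succ(("var", "x"))))
```

Because equality and membership are built from definedness, they evaluate to either the empty set or the whole carrier, which is exactly how FOL predicates reappear as patterns.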

More Sugar
Functions (recovering “operation” symbols)
Similarly we can define partial functions, total relations, etc.
Algebraic specification and FOL subsumed notationally. For example:
We write it using the functional notation:

Matching Logic vs. Separation Logic
Matching logic achieves separation through matching at the structural (term) level, not through special logical connectives (*).
Separation logic = Matching logic [heap]
– OOPSLA’12, RTA’15
Matching logic realizes separation at all levels of the configuration, not only in the heap
– the heap was only 1 out of the 120 cells in C’s def.

Separation logic = Matching logic [heap]
Consider map model, with some useful axioms
Then we can define map patterns “a la SL”

Examples of Complex Patterns
– x points to sequence A with |A|>1, and the reversed sequence rev(A) has been output
– untrusted() can only be called from trusted()

MatchC Example

Sound and complete proof system (see paper)
Sample derivation
Local reasoning can be globalized
– Above derivation can be lifted to whole configuration

Reduction to Predicate Logic (see paper)
Like FOL, ML can be reduced to predicate logic
Explosion in size, new quantifiers; impractical

(diagram: Formal Language Definition (Syntax and Semantics), Deductive program verifier, Symbolic execution)
Need a means to specify static and dynamic program properties

Reachability Logic for Dynamic Properties [LICS’13], [RTA’14]
“Rewrite” rules over matching logic patterns (generalize to conditional rules)
Since patterns generalize terms, matching logic reachability rules capture term rewriting rules
Moreover, deals naturally with side conditions: turn … into … (the rule forms were not captured in the transcript)

Expressiveness of Reachability Rules
Capture operational semantics rules:
Capture Hoare Triples:

Reachability Logic
Language-independent proof system for deriving sequents of the form (not captured in the transcript) where A (axioms) and C (circularities) are sets of reachability rules
Intuitively: symbolic execution with operational semantics + reasoning with cyclic behaviors

Proof System for Reachability
Proves any reachability property of any lang., including anything that Hoare logic can (proofs of comparable size) [FM’12]
Sound (partially correct) and relatively complete [ICALP’12], [OOPSLA’12], [LICS’13], [RTA’14]

Traditional Verification vs. Our Approach
Traditional proof systems: language-specific
Our proof system: language-independent

Matching Logic Verification Demo
Using MatchC

Conclusion: It can be done! Thanks to matching logic
(diagram: a Formal Language Definition (Syntax and Semantics) and the tools derived from it: Parser, Interpreter, Compiler, (semantic) Debugger, Symbolic execution, Model checker, Deductive program verifier, Test-case generation)