10.8.2006 SAT-based methods for proving properties in Reynolds/O'Hearn Separation Logic Daniel Kröning (currently visiting CBL) Joint work with B. Cook.

Slides:



Advertisements
Similar presentations
A Randomized Satisfiability Procedure for Arithmetic and Uninterpreted Function Symbols Sumit Gulwani George Necula EECS Department University of California,
Advertisements

Copyright © Cengage Learning. All rights reserved.
Adders Used to perform addition, subtraction, multiplication, and division (sometimes) Half-adder adds rightmost (least significant) bit Full-adder.
Chapter 7 Constructors and Other Tools. Copyright © 2006 Pearson Addison-Wesley. All rights reserved. 7-2 Learning Objectives Constructors Definitions.
© 2008 Pearson Addison Wesley. All rights reserved Chapter Seven Costs.
Copyright © 2003 Pearson Education, Inc. Slide 1 Computer Systems Organization & Architecture Chapters 8-12 John D. Carpinelli.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Copyright © 2011, Elsevier Inc. All rights reserved. Chapter 6 Author: Julia Richards and R. Scott Hawley.
Author: Julia Richards and R. Scott Hawley
Properties Use, share, or modify this drill on mathematic properties. There is too much material for a single class, so you’ll have to select for your.
UNITED NATIONS Shipment Details Report – January 2006.
8 Copyright © 2005, Oracle. All rights reserved. Creating the Web Tier: JavaServer Pages.
1 RA I Sub-Regional Training Seminar on CLIMAT&CLIMAT TEMP Reporting Casablanca, Morocco, 20 – 22 December 2005 Status of observing programmes in RA I.
Properties of Real Numbers CommutativeAssociativeDistributive Identity + × Inverse + ×
Exit a Customer Chapter 8. Exit a Customer 8-2 Objectives Perform exit summary process consisting of the following steps: Review service records Close.
Custom Statutory Programs Chapter 3. Customary Statutory Programs and Titles 3-2 Objectives Add Local Statutory Programs Create Customer Application For.
FACTORING ax2 + bx + c Think “unfoil” Work down, Show all steps.
Solve Multi-step Equations
REVIEW: Arthropod ID. 1. Name the subphylum. 2. Name the subphylum. 3. Name the order.
Factoring Quadratics — ax² + bx + c Topic
Turing Machines.
1 Refactoring with Contracts Shmuel Tyszberowicz School of Computer Science The Academic College of Tel Aviv Yaffo Maayan Goldstein School of Computer.
Chapter 17 Linked Lists.
Data Structures Using C++
Chapter 1 Object Oriented Programming 1. OOP revolves around the concept of an objects. Objects are created using the class definition. Programming techniques.
EU market situation for eggs and poultry Management Committee 20 October 2011.
Semantic Analysis and Symbol Tables
Displaying Data from Multiple Tables
EIS Bridge Tool and Staging Tables September 1, 2009 Instructor: Way Poteat Slide: 1.
Copyright © 2013, 2009, 2005 Pearson Education, Inc.
Bellwork Do the following problem on a ½ sheet of paper and turn in.
1 University of Utah – School of Computing Computer Science 1021 "Thinking Like a Computer"
2 |SharePoint Saturday New York City
Name Convolutional codes Tomashevich Victor. Name- 2 - Introduction Convolutional codes map information to code bits sequentially by convolving a sequence.
1 Decision Procedures An algorithmic point of view Equality Logic and Uninterpreted Functions.
1 RA III - Regional Training Seminar on CLIMAT&CLIMAT TEMP Reporting Buenos Aires, Argentina, 25 – 27 October 2006 Status of observing programmes in RA.
Factor P 16 8(8-5ab) 4(d² + 4) 3rs(2r – s) 15cd(1 + 2cd) 8(4a² + 3b²)
Basel-ICU-Journal Challenge18/20/ Basel-ICU-Journal Challenge8/20/2014.
1..
A Third Look At ML 1. Outline More pattern matching Function values and anonymous functions Higher-order functions and currying Predefined higher-order.
CONTROL VISION Set-up. Step 1 Step 2 Step 3 Step 5 Step 4.
© 2012 National Heart Foundation of Australia. Slide 2.
Adding Up In Chunks.
1 Termination and shape-shifting heaps Byron Cook Microsoft Research, Cambridge Joint work with Josh Berdine, Dino Distefano, and.
Datorteknik TopologicalSort bild 1 To verify the structure Easy to hook together combinationals and flip-flops Harder to make it do what you want.
Chapter 10: The Traditional Approach to Design
Analyzing Genes and Genomes
Systems Analysis and Design in a Changing World, Fifth Edition
©Brooks/Cole, 2001 Chapter 12 Derived Types-- Enumerated, Structure and Union.
Pointers and Arrays Chapter 12
Essential Cell Biology
Intracellular Compartments and Transport
PSSA Preparation.
Essential Cell Biology
Datorteknik TopologicalSort bild 1 To verify the structure Easy to hook together combinationals and flip-flops Harder to make it do what you want.
Energy Generation in Mitochondria and Chlorplasts
Techniques for proving programs with pointers A. Tikhomirov.
User Defined Functions Lesson 1 CS1313 Fall User Defined Functions 1 Outline 1.User Defined Functions 1 Outline 2.Standard Library Not Enough #1.
1 Decidability continued…. 2 Theorem: For a recursively enumerable language it is undecidable to determine whether is finite Proof: We will reduce the.
The Pumping Lemma for CFL’s
4/11/20151 Programming Languages and Compilers (CS 421) Elsa L Gunter 2112 SC, UIUC Based in part on slides by Mattox.
SAT Solver CS 680 Formal Methods Jeremy Johnson. 2 Disjunctive Normal Form  A Boolean expression is a Boolean function  Any Boolean function can be.
1 Predicate Abstraction of ANSI-C Programs using SAT Edmund Clarke Daniel Kroening Natalia Sharygina Karen Yorav (modified by Zaher Andraus for presentation.
Daniel Kroening and Ofer Strichman Decision Procedure
1/25 Pointer Logic Changki PSWLAB Pointer Logic Daniel Kroening and Ofer Strichman Decision Procedure.
272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 4: SMT-based Bounded Model Checking of Concurrent Software.
© 2006 Carnegie Mellon University Introduction to CBMC: Part 1 Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Arie Gurfinkel,
© 2006 Carnegie Mellon University Introduction to CBMC: Part 1 Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Arie Gurfinkel,
Presentation transcript:

SAT-based methods for proving properties in Reynolds/O'Hearn Separation Logic Daniel Kröning (currently visiting CBL) Joint work with B. Cook and J. Berdine

Daniel Kroening 2 Program Verification Goal: Editor that highlights programming errors Not syntax, but semantics

Daniel Kroening 3 Like what?

Daniel Kroening 4 Verification Engines UnwindingAbstraction Bounded Model Checking (BMC) No invariant discovery One very large constraint problem A lot of case-splitting Abstract interpretation Predicate abstraction Attempting invariant discovery Many small constraint problems Little case-splitting

Daniel Kroening 5 Program Analysis: BMC BMC Progra m C ONSTRAINT S OLVER VC Model SAT solver, CVC-Lite, Math-SAT, … CBMC, …

Daniel Kroening 6 BMC Overview ANSI-C Program unwind parsing + * = Parse tree + * = Constraint Problem CNF SAT Solver

Daniel Kroening 7 ANSI-C Transformation 1.Preparation Side effect removal continue, break replaced by goto for, do while replaced by while 2.Unwinding Loops are unwound Same for backward goto jumps and recursive functions

Daniel Kroening 8 Implementation 3.Transformation into Equation After unwinding: Transform into SSA Example: Generate constraints by simply conjoining equations resulting from assignments For arrays, use simple lambda notation

Daniel Kroening 9 Example

Daniel Kroening 10 Required Theories Bit vector Arrays Pointers (pair of object/offset) Floating Point If contained in assertion: Quantifiers Data type predicates (lists, trees, …)

Daniel Kroening 11 int *p, x, y; int main() { int z; y=z; p=&y; x=*p; assert(x==z); } cbmc test.c –cvc –outfile test Example

Daniel Kroening 12 p0: [# object: INT, offset: BITVECTOR(32) #] = (# object:=0, offset:=0bin #); x0: BITVECTOR(32) = 0bin ; y0: BITVECTOR(32) = 0bin ; z1: BITVECTOR(32); z0: BITVECTOR(32); y1: BITVECTOR(32) = z0; p1: [# object: INT, offset: BITVECTOR(32) #] = (# object:=3, offset:=0bin #); x1: BITVECTOR(32) = y1; l1: BOOLEAN; ASSERT l1 (x1=z0); ASSERT (NOT l1); QUERY FALSE; Download me! We have ~300 MB of benchmark files available Soon: SMT-Lib format

Daniel Kroening 13 Program Analysis: Abstraction P ROGRAM A NALYSIS E NGINE Progra m C ONSTRAINT S OLVER VCs Model W IDENING T Simplify, Zapato, Cogent, CPLEX, … Pre-, Post-, Proof-based, … SLAM, …

Daniel Kroening 14 Existing Tools Implement Fragments of linear arithmetic, Maybe arrays, maybe pointers Sometimes float

Daniel Kroening 15 Extending the Assertion Logic P ROGRAM A NALYSIS E NGINE Progra m C ONSTRAINT S OLVER VCCs Model W IDENING T Linear Arithmetic, Arrays, Float, …

Daniel Kroening 16 Existing Tools Biggest challenge for mass-market: dynamic data structures Fix with choice of assertion logic, e.g., Reynolds Separation Logic E.g., add separating conjunction and predicates for linked list

Daniel Kroening 17 Separation Logic A logic for heap data structures NOT the same as the fragment of linear arithmetic called difference logic Due to Reynolds/OHearn

Daniel Kroening 18 Separation Logic.. Payload next pointer ….. … Main problem: Need to specify that all heap cells are disjoint

Daniel Kroening 19 Separation Logic In general, one needs to express constraints that a data structure does not share cells with any other data structure Key idea: new logical operator P * Q Separating Conjunction

Daniel Kroening 20 Separation Logic Semantics of expressions defined over valuations of heaps (maps from addresses to values) Obvious meaning for StateHeapPointerValue

Daniel Kroening 21 Separation Logic Define disjoint heaps: Separating conjunction:

Daniel Kroening 22 Separation Logic: Lists Notation for sequences : empty sequence x ¢ : concatenation Define list:

Daniel Kroening 23 Extending the Assertion Logic P ROGRAM A NALYSIS E NGINE Progra m C ONSTRAINT S OLVER VCCs Model W IDENING T Linear Arithmetic, Arrays, Float, … +Separation Logic

Daniel Kroening 24 Who does the assertions? Manual annotations Automatic discovery Standard Template Library Data in containers is implicitly in separate heap cells typedef std::hash_map symbolst;... typedef std::vector nodest;

Daniel Kroening 25 Requirements for Constraint Solvers Constraint solver must support very rich logic Data types might even be application-specific But most queries are simple! Extending custom-made constraint solver is tedious

Daniel Kroening 26 Proposed Solution Assumption: we have a (partial) axiomatization of all logics Goal: high performance constraint solver 1 st step: define language for axioms

Daniel Kroening 27 Example: Equality Logic equality_transitivity: A "=" B, B "=" C -> A "=" C; emp: rewrite h"|=""emp" h"="["semp""**""semp"]; equality_commutativity: A "=" B B "=" A; equality: A "=" A; disequality: A "!=" B NOT A "=" B;

Daniel Kroening 28 Build a Compiler! 2 nd step: build a compiler Axioms g++ codegen C++ code Binary VCC SAT/UNSAT

Daniel Kroening 29 Multiple Theories Note that one can combine multiple theories Interfacing through arbitrary propositions, not just equalities Convexity requirement?

Daniel Kroening 30 What about OR? We could build case-splitting into the generated code However, we will never be able to implement Proper decision heuristics Non-chronological back-tracking Learning

Daniel Kroening 31 What about OR? Alternative: produce reduction to propositional logic Generate CNF, and pass formula to SAT solver The formula is unsatisfiable iff there exists a deduction that shows a contradiction

Daniel Kroening 32 What about OR? 3 nd step: add SAT solver Axioms g++ codegen C++ code Binary VCC CNF SAT Solver This is the eager version – lazy version straight-forward.

Daniel Kroening 33 What about OR? emp: rewrite h"|=""emp" h"="["semp""**""semp"]; 1.Maintain truth value with each fact: 2.Set new facts to unknown 3.Assign a literal to each fact that has truth value unknown 4.For each deduction step, generate constraint

Daniel Kroening 34 Separation Logic disjoint_not_self: h != emp -> not [h "# h]; not: h "|=" ["!" P] not [h "|=" P]; and: h "|=" [P "^" Q] h "|=" P, h "|=" Q; conditional: h "|=" [P "?" Q ":" R] (h "|=" P -> h "|=" Q), (h "|=" "!" P -> h "|=" R);

Daniel Kroening 35 Separation Logic emp: rewrite h"|=""emp" h"="["semp""**""semp"]; star: h "|=" [P "*" Q] NEW h0 "|=" P, NEW h1 "|=" Q, h "=" [NEW h0 "**" NEW h1], NEW h0 "#" NEW h1;

Daniel Kroening 36 Obtaining Invariants Again, could be custom-made Instead: inspect proofs of failed refutation-attempts Paper available on doing this for bit-vectors E.g., for constructing interpolants

Daniel Kroening 37 Conclusion Generic constraint solver with propositional SAT as backend Especially for complicated logics Extensions of logic are easy All case-splitting is pushed into propositional SAT solver

Daniel Kroening 38 Cross-Advertising TACAS: this can be used for –quantification over predicates CAV: Predicate abstraction for deep loops PDPAR: Completeness How to tell for sure that no proof exists?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.