© Andrew IrelandDependable Systems Group Cooperative Reasoning for Automatic Software Verification Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt University Edinburgh

© Andrew IrelandDependable Systems Group Outline Separation logic Automatic software verification challenges Cooperative reasoning proposal

© Andrew IrelandDependable Systems Group Separation Logic John Reynolds (CMU) and Peter O’Hearn (QMU) Extends Hoare’s axiomatic basis so as to simplify pointer program proofs Deals smoothly with “dirty features” such as memory disposal and address arithmetic Focuses the reasoning effort on only those parts of the heap that are relevant to a program unit, i.e. local reasoning

© Andrew IrelandDependable Systems Group Logical Conjunction P ∧ Q Heap

© Andrew IrelandDependable Systems Group Separating Conjunction P ∗ Q Heap

© Andrew IrelandDependable Systems Group An Example x := cons(1,2); y := cons(3,4); [x+1] := y; [y+1] := x; store heap

© Andrew IrelandDependable Systems Group x := cons(1,2); y := cons(3,4); [x+1] := y; [y+1] := x; store x 12 heap (x ↦ 1, 2) An Example

© Andrew IrelandDependable Systems Group x := cons(1,2); y := cons(3,4); [x+1] := y; [y+1] := x; x y store heap 1234 (x ↦ 1, 2) ∗ (y ↦ 3, 4) An Example

© Andrew IrelandDependable Systems Group x := cons(1,2); y := cons(3,4); [x+1] := y; [y+1] := x; x y store heap 134 (x ↦ 1, y) ∗ (y ↦ 3, 4) An Example

© Andrew IrelandDependable Systems Group x := cons(1,2); y := cons(3,4); [x+1] := y; [y+1] := x; x y store heap 13 (x ↦ 1, y) ∗ (y ↦ 3, x) An Example

© Andrew IrelandDependable Systems Group Frame Rule {P} C {Q} {R*P} C {R*Q} where no variable occurring free in R is modified by C

© Andrew IrelandDependable Systems Group Singly-linked Lists list ( [],Y,Z ) ↔ emp  Y=Z list ( [W|X],Y,Z)↔ ( ∃ p.( Y ↦ W,p ) *list ( X,p,Z )) a1a1 a2a2 anan … i list([a 1, a 2, …, a n ],i,j) j

© Andrew IrelandDependable Systems Group {list(A,i,nil)} procedure copylist(i; j) is if i = nil then j := i else newvar ih, it, jt in ih := [i]; it := [i+1]; {R ∗ list(A t,i t,nil)} copylist(it; jt); {R ∗ list(A t,i t,nil) * list(A t,j t,nil)} j := cons(ih, jt) end if end copylist {list(A,i,nil) * list(A,j,nil)} { ∃ A h, A t.([A h |A t ]=A) ∧ (i h =A h ) ∧ (i ↦ i h,i t ) ∗ list(A t,i t,nil)} copylist(it; jt); { ∃ A h,A t.([A h |A t ]=A) ∧ (i h =A h ) ∧ (i ↦ i h,i t ) ∗ list(A t,i t,nil) ∗ list(A t,j t,nil)} Frame Axiom Discovery

© Andrew IrelandDependable Systems Group {list(A,i,nil)} procedure copylist(i; j) is if i = nil then j := i else newvar ih, it, jt in ih := [i]; it := [i+1]; {R ∗ list(A t,i t,nil)} copylist(it; jt); {R ∗ list(A t,i t,nil) * list(A t,j t,nil} j := cons(ih, jt) end if end copylist {list(A,i,nil) * list(A,j,nil)} { ∃ A h, A t.([A h |A t ]=A) ∧ (i h =A h ) ∧ (i ↦ i h,i t ) ∗ list(A t,i t,nil)} copylist(it; jt); { ∃ A h,A t.([A h |A t ]=A) ∧ (i h =A h ) ∧ (i ↦ i h,i t ) ∗ list(A t,i t,nil) ∗ list(A t,j t,nil)} shape Frame Axiom Discovery

© Andrew IrelandDependable Systems Group {list(A,i,nil)} procedure copylist(i; j) is if i = nil then j := i else newvar ih, it, jt in ih := [i]; it := [i+1]; {R ∗ list(A t,i t,nil)} copylist(it; jt); {R ∗ list(A t,i t,nil) * list(A t,j t,nil} j := cons(ih, jt) end if end copylist {list(A,i,nil) * list(A,j,nil)} { ∃ A h, A t.([A h |A t ]=A) ∧ (i h =A h ) ∧ (i ↦ i h,i t ) ∗ list(A t,i t,nil)} copylist(it; jt); { ∃ A h,A t.([A h |A t ]=A) ∧ (i h =A h ) ∧ (i ↦ i h,i t ) ∗ list(A t,i t,nil) ∗ list(A t,j t,nil)} content Frame Axiom Discovery

© Andrew IrelandDependable Systems Group { ∃ A. list(A,i,nil) ∧ A init = A} j := nil; {R} while not(i = nil) loop k := [i+1]; [i+1] := j; j := i; i := k end loop { ∃ B.list(B,j,nil) ∧ rev(A init )= B)} Loop Invariant Discovery R : { ∃ A,B.list(A,i,nil)*list(B,j,nil) ∧ rev(A init )=app(rev(A),B)}

© Andrew IrelandDependable Systems Group { ∃ A. list(A,i) ∧ A init = A} j := nil; {R} while not(i = nil) loop k := [i+1]; [i+1] := j; j := i; i := k end loop { ∃ B.list(B,j,nil) ∧ rev(A init )= B)} R : { ∃ A,B.list(A,i,nil)*list(B,j,nil) ∧ rev(A init )=app(rev(A),B)} Loop Invariant Discovery shape

© Andrew IrelandDependable Systems Group { ∃ A. list(A,i) ∧ A init = A} j := nil; {R} while not(i = nil) loop k := [i+1]; [i+1] := j; j := i; i := k end loop { ∃ B.list(B,j,nil) ∧ rev(A init )= B)} R : { ∃ A,B.list(A,i,nil)*list(B,j,nil) ∧ rev(A init )=app(rev(A),B)} Loop Invariant Discovery content

© Andrew IrelandDependable Systems Group { ∃ A,B. list(A,x,nil)* list(B,y,nil) ∧ A = A init ∧ B = B init } if (x = 0) then x := y; else t:= x; u:= [t+1]; {R} while not(u = nil) loop t:= u;u:= [t+1]; end loop; [t+1]:= y; { ∃ C.list(C,x,nil) ∧ C = app(A init,B init )} Inductive Lemma Discovery list(X,V,W)*list(Y,W,nil) ↔ list(app(X,Y),V,nil)

© Andrew IrelandDependable Systems Group { ∃ A,B. list(A,x,nil)* list(B,y,nil) ∧ A = A init ∧ B = B init } if (x = 0) then x := y; else t:= x; u:= [t+1]; {R} while not(u = nil) loop t:= u;u:= [t+1]; end loop; [t+1]:= y; { ∃ C.list(C,x,nil) ∧ C = app(A init,B init )} Inductive Lemma Discovery list(X,V,W)*list(Y,W,nil) ↔ list(app(X,Y),V,nil) shape

© Andrew IrelandDependable Systems Group { ∃ A,B. list(A,x,nil)* list(B,y,nil) ∧ A = A init ∧ B = B init } if (x = 0) then x := y; else t:= x; u:= [t+1]; {R} while not(u = nil) loop t:= u;u:= [t+1]; end loop; [t+1]:= y; { ∃ C.list(C,x,nil) ∧ C = app(A init,B init )} Inductive Lemma Discovery list(X,V,W)*list(Y,W,nil) ↔ list(app(X,Y),V,nil) content

© Andrew IrelandDependable Systems Group Symbolic Execution Smallfoot: implements a symbolic execution method that automates the verification of shape properties for loop-free code SpaceInvader: extends Smallfoot so as to deal with loops, i.e. uses abstraction to discovery loop (shape) invariants Tools lack extensibility, i.e. fixed number of data types and inductive properties

© Andrew IrelandDependable Systems Group Automatic Theorem Proving Proof planning Methods + Critics Proof checking Tactics Conjectures Theory Proof plans promote reuse, robustness and tool integration

© Andrew IrelandDependable Systems Group Proof Planning Middle-out reasoning: use of meta-variables in delaying choice during proof planning Proof critics: automatic proof patching via proof- failure analysis, e.g. generalization, lemma and loop invariant discovery Cooperative reasoning: –Clam/HOL: proof by mathematical induction –SPADEase: program analysis & proof planning for SPARK

© Andrew IrelandDependable Systems Group Cooperative Reasoning +=

© Andrew IrelandDependable Systems Group Cooperative Reasoning += = Complementary techniques compensating for each other’s weaknesses

© Andrew IrelandDependable Systems Group Symbolic ExecutionProof Planning shape invariants content invariants soundness extensibility Compensating for Weaknesses?

© Andrew IrelandDependable Systems Group Executive Summary Adapt and extend existing proof plans for use within separation logic – IsaPlanner/Isabelle. Build upon off-the-shelf shape analysis tools from Peter O’Hearn’s group (QMU) – Smallfoot etc. Hypothesis: Proposed cooperation will improve state-of-the-art for verification automation. Specification = shape + content