Cristian Gherghina 1, Cristina David 1, Shengchao Qin 2, Wei-Ngan Chin 1 1 National University of Singapore 2 University of Teesside Structured Specifications.

Slides:



Advertisements
Similar presentations
A Framework for describing recursive data structures Kenneth Roe Scott Smith.
Advertisements

Writing specifications for object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 21 Jan 2005 Invited talk, AIOOL 2005 Paris,
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.
Meta Predicate Abstraction for Hierarchical Symbolic Heaps Josh Berdine Microsoft Research, Cambridge joint with Mike Emmi University of California, Los.
Automated Verification with HIP and SLEEK Asankhaya Sharma.
Modular and Verified Automatic Program Repair Francesco Logozzo, Thomas Ball RiSE - Microsoft Research Redmond.
Techniques for proving programs with pointers A. Tikhomirov.
Synthesis, Analysis, and Verification Lecture 04c Lectures: Viktor Kuncak VC Generation for Programs with Data Structures “Beyond Integers”
TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A A AAA A A A AA A Proving that non-blocking algorithms don't block.
Automated Verification with HIP and SLEEK Asankhaya Sharma.
Addressing the Challenges of Current Software. Questions to Address Why? What? Where? How?
Gennaro Parlato (LIAFA, Paris, France) Joint work with P. Madhusudan Xiaokang Qie University of Illinois at Urbana-Champaign.
Gennaro Parlato (LIAFA, Paris, France) Joint work with P. Madhusudan Xiaokang Qie University of Illinois at Urbana-Champaign.
Verification of Functional Programs in Scala Philippe Suter (joint work w/ Ali Sinan Köksal and Viktor Kuncak) ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE,
Verifying Executable Object-Oriented Specifications with Separation Logic Stephan van Staden, Cristiano Calcagno, Bertrand Meyer.
Automated Verification with HIP and SLEEK Asankhaya Sharma.
Automated Software Verification with a Permission-Based Logic 20 th June 2014, Zürich Malte Schwerhoff, ETH Zürich.
HIP/SLEEK11 HIP/SLEEK :Automatic Verification and Specification Inference System Wei-Ngan Chin & Asankhaya Sharma Dept of Computer Science National University.
Inferring Disjunctive Postconditions Corneliu Popeea and Wei-Ngan Chin School of Computing National University of Singapore - ASIAN
© M. Winter COSC 4P41 – Functional Programming Testing vs Proving Testing –uses a set of “typical” examples, –symbolic testing, –may find errors,
S. Sudarshan Based partly on material from Fawzi Emad & Chau-Wen Tseng
Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
(c) 2007 Mauro Pezzè & Michal Young Ch 7, slide 1 Symbolic Execution and Proof of Properties.
1/22 Programs : Semantics and Verification Charngki PSWLAB Programs: Semantics and Verification Mordechai Ben-Ari Mathematical Logic for Computer.
CS 355 – Programming Languages
Counterexample-Guided Focus TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAA A A A AA A A Thomas Wies Institute of.
1 Trees. 2 Outline –Tree Structures –Tree Node Level and Path Length –Binary Tree Definition –Binary Tree Nodes –Binary Search Trees.
CS2420: Lecture 27 Vladimir Kulyukin Computer Science Department Utah State University.
Houdini: An Annotation Assistant for ESC/Java Cormac Flanagan and K. Rustan M. Leino Compaq Systems Research Center.
Software Reliability Methods Sorin Lerner. Software reliability methods: issues What are the issues?
Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
From last time S1: l := new Cons p := l S2: t := new Cons *p := t p := t l p S1 l p tS2 l p S1 t S2 l t S1 p S2 l t S1 p S2 l t S1 p L2 l t S1 p S2 l t.
Review: forward E { P } { P && E } TF { P && ! E } { P 1 } { P 2 } { P 1 || P 2 } x = E { P } { \exists … }
Automating Separation Logic with Trees and Data Ruzica Piskac Yale University Thomas Wies New York University Damien Zufferey MIT CSAIL CAV, ,
1 ES 314 Advanced Programming Lec 2 Sept 3 Goals: Complete the discussion of problem Review of C++ Object-oriented design Arrays and pointers.
Mathematics throughout the CS Curriculum Support by NSF #
Cristian Gherghina Joint work with: Wei-Ngan Chin, Razvan Voicu, Quang Loc Le Florin Craciun, Shengchao Qin TexPoint fonts used in EMF. Read the TexPoint.
Trees, Binary Search Trees, Recursion, Project 2 Bryce Boe 2013/08/01 CS24, Summer 2013 C.
Aquinas Hobor and Cristian Gherghina (National University of Singapore) TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.:
1 Dependable Software via Automated Verification Huu Hai Nguyen(NUS) Cristina David(NUS) Shengchao Qin(Durham, UK) Wei-Ngan Chin(NUS)
CS 363 Comparative Programming Languages Semantics.
Synthesis, Analysis, and Verification Lecture 05a Lectures: Viktor Kuncak Programs with Data Structures: Assertions for Accesses. Dynamic Allocation.
Checking Reachability using Matching Logic Grigore Rosu and Andrei Stefanescu University of Illinois, USA.
Refinements to techniques for verifying shape analysis invariants in Coq Kenneth Roe GBO Presentation 9/30/2013 The Johns Hopkins University.
A Certifying Compiler and Pointer Logic Zhaopeng Li Software Security Lab. Department of Computer Science and Technology, University of Science and Technology.
Starting at Binary Trees
Reading and Writing Mathematical Proofs Spring 2015 Lecture 4: Beyond Basic Induction.
Verifying Safety Policies with Size Properties and Alias Controls Wei Ngan Chin 1,2, Siau-Cheng Khoo 1, Shengchao Qin 3, Corneliu Popeea 1, Huu Hai Nguyen.
Formal verification of skiplist algorithms Student: Trinh Cong Quy Supervisor: Bengt Jonsson Reviewer: Parosh Abdulla.
1 Automated Verification via Separation Logic Cristian Gherghina (NUS, Singapore) Cristina David(NUS, Singapore) Shengchao Qin(Durham, UK) Wei-Ngan Chin(NUS,
Chapter 3 Part II Describing Syntax and Semantics.
COP4020 Programming Languages Introduction to Axiomatic Semantics Prof. Robert van Engelen.
A Specification Logic for Exceptions and Beyond Cristina David Cristian Gherghina National University of Singapore.
Automated Verification with HIP and SLEEK Asankhaya Sharma.
Lightweight Support for Magic Wands in an Automatic Verifier Malte Schwerhoff and Alexander J. Summers 10 th July 2015, ECOOP, Prague.
1. Iterative Preorder Traversal Rpreorder(T) 1. [process the root node] if T!= NULL then Write Data(T) else Write “empty Tree” 2. [process the left subtree]
Adaptive Shape Analysis Thomas Wies joint work with Josh Berdine Cristiano Calcagno TexPoint fonts used in EMF. Read the TexPoint manual before you delete.
Quantified Data Automata on Skinny Trees: an Abstract Domain for Lists Pranav Garg 1, P. Madhusudan 1 and Gennaro Parlato 2 1 University of Illinois at.
Mostly-Automated Verification of Low-Level Programs in Computational Separation Logic Adam Chlipala Harvard University PLDI 2011.
A Resource-based Logic for Termination and Non-Termination Proofs Ton Chanh Le Cristian Gherghina Aquinas Hobor Wei-Ngan Chin National University of Singapore.
Enhancing Modular OO Verification with Separation Logic
Reasoning about code CSE 331 University of Washington.
Formal Methods in Software Engineering 1
CSE332: Data Abstractions Lecture 5: Binary Heaps, Continued
Binary Search Tree AVL Tree
Programming Languages 2nd edition Tucker and Noonan
Programming Languages 2nd edition Tucker and Noonan
COP4020 Programming Languages
Presentation transcript:

Cristian Gherghina 1, Cristina David 1, Shengchao Qin 2, Wei-Ngan Chin 1 1 National University of Singapore 2 University of Teesside Structured Specifications for Better Verification of Heap-Manipulating Programs TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A

Aim  Our aim is to add structures to the specifications for improving:  precision: verification succeeds for more scenarios.  efficiency: faster verification.  conciseness: more concise specifications. 2 FM 2011

Verifier Separation Logic Prover Program Code Program Code Pre/Post Conditions Pre/Post Conditions Separation logic: Used to reason about shared mutable data structures. emp// heap is empty x  y // heap has exactly one cell A * B// heap is divided so that A holds in // one partition, while B the other HIP/SLEEK 3 FM 2011

Heap Predicates Heap Predicates Verifier Separation Logic Prover Program Code Program Code Pre/Post Conditions Pre/Post Conditions HIP/SLEEK 4 FM 2011 data node{int val; node next} ll = root=null  n=0  root  node * ll

Pure Provers (Omega, Mona, Isabelle) Pure Provers (Omega, Mona, Isabelle) Heap Predicates Heap Predicates Verifier Separation Logic Prover Program Code Program Code Pre/Post Conditions Pre/Post Conditions HIP/SLEEK 5 FM 2011

What can we prove? – Properties of mutable data structures. – Sortedness, length, height-balanced, etc. What must the user provide? – Heap predicates. – Pre and post conditions for each method (together with loop invariants). Heap Predicates Heap Predicates Verifier Separation Logic Prover Program Code Program Code Pre/Post Conditions Pre/Post Conditions SPECIFICATION HIP/SLEEK 6 FM 2011 Pure Provers (Omega, Mona, Isabelle) Pure Provers (Omega, Mona, Isabelle)

FM User intuition Spec. Structured spec. Triggers techniques during the proving process Better verification Formula staging Case analysis Early/late Instanti- ations

Agenda Background Case induced specifications 8 Early vs. Late instantiations Conclusions FM 2011 Staged formulae

 root  node  avl  avl   D  root  node  avl  avl   D 1+ h 1 = h 2  b=-1 h 1 =h 2  b=0 avl  root,h,n,B,b   root=null  h=n=b=0  B={ }  root  node  avl  avl   D h 1 = 1 + h 2  b=1 AVL tree with original spec 9 D = (n=1 + n 1 + n 2  B={v} U B 1 U B 2   x  B 1.x  v  x  B 2. x > v) FM 2011 Binary search tree Balance factor heightsize bag balance data node{ int val; node left; node right; } data node{ int val; node left; node right; }

AVL tree with original spec 10 avl  root,h,n,B,b   root=null  h=n=b=0  B={ }  root  node  avl  avl   D  root  node  avl  avl   D  root  node  avl  avl   D D = (n=1 + n 1 + n 2  B={v} U B 1 U B 2   x  B 1.x  v  x  B 2. x > v) FM 2011 h 1 =h 2  b=0 h 1 = 1 + h 2  b=1 1+ h 1 = h 2  b=-1

AVL tree with original spec 11 avl  root,h,n,B,b   root=null  h=n=b=0  B={ }  root  node  avl  avl   D D = (n=1 + n 1 + n 2  B={v} U B 1 U B 2   x  B 1.x  v  x  B 2. x > v) FM 2011 h 1 =h 2  b=0 h 1 = 1 + h 2  b=1 1+ h 1 = h 2  b=-1 then Staged formula  

Agenda Background Case induced specifications 12 Early vs. Late instantiations Conclusions FM 2011 Staged formulae

node tail (node x) requires llx,n ∧ n>0 ensures (res=null ∧ n=1) ∨ (llres,n-1 ∧ n  1); { node aux = x.next; return aux; } ∃ q · x  node_, q ∗ llq,n−1 ∧ n > 0 Tail function llx,n ∧ n>0 x  node _, aux ∗ llaux,n−1 ∧ n > 0 x  node _, res ∗ llres,n−1 ∧ n > 0 x  node _, res ∗ llres,n−1 ∧ n > 0 |- postcondition 13 FM 2011 data node{ int val; node next} ll = root=null  n=0  root  node * ll

Entailment with inductive predicates  1 |-  2 *  r  Determine if the heap in  1 contains the heap in  2   r is the residue of  1 not matching  2 Separation logic formula 14 FM 2011

x  node_, res ∗ llres, n−1  n  0 |- (res=null  n=1) *  r x  node_, res ∗ llres, n−1  n  0 |- (res=null  n=1) ∨ (llres,n−1  n  1) Entailment with inductive predicates x  node_, res ∗ llres, n−1  n  0 |- (llres, n−1  n  1) *  r Entailment fails! 15 FM 2011 node tail (node x) requires llx,n ∧ n>0 ensures (res=null ∧ n=1) ∨ (llres,n-1 ∧ n  1);

node tail (node x) requires llx,n ∧ n>0 ensures (res=null ∧ n=1) ∨ (llres,n-1 ∧ n  1); Tail function 16 Disjunction is difficult to reason about, leading to incompleteness. FM 2011

Tail function - structured node tail (node x) requires llx,n ∧ n > 0 case { n=1 → ensures res = null ; n  1 → ensures llres,n-1; } 17 FM 2011

Automatic case analysis  |- case {  1 -> Z 1 ;  2 -> Z 2 } too general  ∧  1 |- Z 1  ∧  2 |- Z 2 strengthened by case analysis disjoint conditions 18 FM 2011

x  node _, res ∗ llres,n−1 ∧ n>0 ∧ n=1 |- (res=null) *  r x  node _, res ∗ llres,n−1 ∧ n>0 |- case { n=1 → ensures res = null; n  1 → ensures llres,n-1;} Entailment with inductive predicates x  node _, res ∗ llres,n−1 ∧ n>0 ∧ n  1 |- (llres,n−1) *  r Entailments succeed! 19 FM 2011 node tail (node x) requires llx,n ∧ n>0 case { n=1 → ensures res = null; n  1 → ensures llres,n-1;}

node mergeAVL(node t 1, node t 2 ) requires avlt 1, s 1, h 1, b 1 * avlt 2, s 2, h 2, b 2 ensures t 1 = null  avlres, s 2, h 2, b 2 Ç t 1 != null  avlres, s 1 +s 2, _, _; 20 FM 2011 Example height size balance

node mergeAVL(node t 1, node t 2 ) case{ t 1 =null → requires avlt 2, s 2, h 2, b 2 ensures avlres, s 2, h 2, b 2 ; t 1 !=null → requires avlt 2, s 2, h 2, b 2 ∗ avlt 1, s 1, _, _ ensures avlres, s 1 +s 2, _, _}; 21 FM 2011 Example

node mergeAVL(node t 1, node t 2 ) requires avlt 2, s 2, h 2, b 2 case{ t 1 =null → requires avlt 2, s 2, h 2, b 2 ensures avlres, s 2, h 2, b 2 ; t 1 !=null → requires avlt 2, s 2, h 2, b 2 ∗ avlt 1, s 1, _, _ ensures avlres, s 1 +s 2, _, _}; 22 FM 2011 Example

node mergeAVL(node t 1, node t 2 ) requires avlt 2, s 2, h 2, b 2 case{ t 1 =null → ensures avlres, s 2, h 2, b 2 ; t 1 !=null → requires avlt 1, s 1, _, _ ensures avlres, s 1 +s 2, _, _}; 23 FM 2011 Example

Agenda Background Case induced specifications 24 Early vs. Late instantiations Conclusions FM 2011 Staged formulae

Instantiations (1)  Different types of bindings for the logical variables (of consequent) during the entailment.  Used for the variables linking the precondition with the postcondition. int length (node x) requires x::ll ensures x::ll  res=n 25 FM 2011 logical var program var

Instantiations (2)  x  node |-  n.(x::ll  n>0) x  node |-  n.(x  node * ll  n>0) n=1 |- n-1=0  n>0 Instantiation: n=1 26 FM 2011 data node{ int val; node next} ll = root=null  n=0  root  node * ll Entailment succeeds!

data cell {int val} cellPredroot, i = (root=null  i  3)  (root  cell_  i>3);  Early instantiation: p = null |-  k.(cellPredp, k  k>2) *  r p = null |-  k.((p=null  k  3)  k>2) *  r p = null  k  3|-  p=null  k>2  k  3) *  r Instantiation: k  3  Late instantiation: p = null |- ([k] cellPredp, k  k>2) *  r p = null |-  k. (p=null  k  3  k>2) *  r Instantiation: k  3  k>2 Instantiations (3) 27 Entailment fails! Entailment succeeds! FM 2011

Early vs. Late instantiation  Triggered for just the matched predicate.  Minimizes the use of existential quantification.  Triggered for the entire formula.  More complete. 28 FM 2011 Early instantiation: Late instantiation:

Experiments 29 FM 2011

Conclusion  The structured specification mechanism:  Enables automatic case analysis.  Promotes a more modular verification, where larger/hard proofs are broken into smaller/simpler proofs.  Guides the steps taken by the prover from the specification level. 30 FM 2011

Thank you! 31

Limerick: On verification This work improves the specification Based on a logic of separation We propose case analysis To be used in my thesis For a better verification! 32

Separation logic - example 3 3 y y x  3,y x 3 3 y y (x  3,y) * (y  3,z) 3 3 z z x 33 FM 2011

then case { h 1 = h 2 => b=0 1 +h 1 = h 2 => b=-1 h 1 = 1+ h 2 => b=1} AVL tree with original spec 34 avl  root,h,n,B,b   root=null  h=n=b=0  B={ }  root  node  avl  avl   D D = (n=1 + n 1 + n 2  B={v} U B 1 U B 2   x  B 1.x  v  x  B 2. x > v) FM 2011 h 1 =h 2  b=0 h 1 = 1 + h 2  b=1 1+ h 1 = h 2  b=-1

then case { h 1 = h 2 => b=0 1 +h 1 = h 2 => b=-1 h 1 = 1+ h 2 => b=1} AVL tree with original spec 35 avl  root,h,n,B,b   root=null  h=n=b=0  B={ }  root  node  avl  avl   D D = (n=1 + n 1 + n 2  B={v} U B 1 U B 2   x  B 1.x  v  x  B 2. x > v) FM 2011 Staged formula Case induced specs

Instantiations - examples data cell {int val} cellPredroot, i = (root=null  i  3)  (root  cell_  i>3);  Early instantiation: p  cell_ |- (cellPredp, k  k>2) *  r k>3 |- k>3  k>2 *  r  Late instantiation: 36 Both entailments succeed! FM 2011 p  cell_ |- ([k] cellPredp, k  k>2)*  r p  cell_ |-  k. (k  3  k>2) *  r

ll = root=null  n=0  root  node * ll Heap predicate for a singly-linked list data node{ int val; node next} data node{ int val; node next} root ….. q 37 FM 2011

Pre and post conditions int length(node x) { if (x==null) then 0 else 1+length(x.next) } requires llx,n ensures llx,n ∧ res=n; 38 FM 2011

data cell {int val} cellPredroot, i = (root=null  i  3)  (root  cell_  i>3);  Early instantiation: p = null |-  k.(cellPredp, k  k>2) *  r p = null |-  k.((p=null  k  3)  k>2) *  r p = null  k  3 |-  (p=null  k  3)  k>2 *  r p = null  k  3 |-  k>2 *  r Instantiation: k  3 Instantiations - examples 39 Entailment fails! FM 2011

Aim  Typically, a specification mechanism focuses on:  expressiveness: verification of more properties.  abstraction: information hiding in spec.  modularity: more readable and reusable specs.  Our aim is to add structures to the specs for improving:  precision: verification succeeds for more scenarios.  efficiency: faster verification.  conciseness: more concise specifications. 40 FM 2011