Cristian Gherghina 1, Cristina David 1, Shengchao Qin 2, Wei-Ngan Chin 1 1 National University of Singapore 2 University of Teesside Structured Specifications for Better Verification of Heap-Manipulating Programs TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A
Aim Our aim is to add structures to the specifications for improving: precision: verification succeeds for more scenarios. efficiency: faster verification. conciseness: more concise specifications. 2 FM 2011
Verifier Separation Logic Prover Program Code Program Code Pre/Post Conditions Pre/Post Conditions Separation logic: Used to reason about shared mutable data structures. emp// heap is empty x y // heap has exactly one cell A * B// heap is divided so that A holds in // one partition, while B the other HIP/SLEEK 3 FM 2011
Heap Predicates Heap Predicates Verifier Separation Logic Prover Program Code Program Code Pre/Post Conditions Pre/Post Conditions HIP/SLEEK 4 FM 2011 data node{int val; node next} ll = root=null n=0 root node * ll
Pure Provers (Omega, Mona, Isabelle) Pure Provers (Omega, Mona, Isabelle) Heap Predicates Heap Predicates Verifier Separation Logic Prover Program Code Program Code Pre/Post Conditions Pre/Post Conditions HIP/SLEEK 5 FM 2011
What can we prove? – Properties of mutable data structures. – Sortedness, length, height-balanced, etc. What must the user provide? – Heap predicates. – Pre and post conditions for each method (together with loop invariants). Heap Predicates Heap Predicates Verifier Separation Logic Prover Program Code Program Code Pre/Post Conditions Pre/Post Conditions SPECIFICATION HIP/SLEEK 6 FM 2011 Pure Provers (Omega, Mona, Isabelle) Pure Provers (Omega, Mona, Isabelle)
FM User intuition Spec. Structured spec. Triggers techniques during the proving process Better verification Formula staging Case analysis Early/late Instanti- ations
Agenda Background Case induced specifications 8 Early vs. Late instantiations Conclusions FM 2011 Staged formulae
root node avl avl D root node avl avl D 1+ h 1 = h 2 b=-1 h 1 =h 2 b=0 avl root,h,n,B,b root=null h=n=b=0 B={ } root node avl avl D h 1 = 1 + h 2 b=1 AVL tree with original spec 9 D = (n=1 + n 1 + n 2 B={v} U B 1 U B 2 x B 1.x v x B 2. x > v) FM 2011 Binary search tree Balance factor heightsize bag balance data node{ int val; node left; node right; } data node{ int val; node left; node right; }
AVL tree with original spec 10 avl root,h,n,B,b root=null h=n=b=0 B={ } root node avl avl D root node avl avl D root node avl avl D D = (n=1 + n 1 + n 2 B={v} U B 1 U B 2 x B 1.x v x B 2. x > v) FM 2011 h 1 =h 2 b=0 h 1 = 1 + h 2 b=1 1+ h 1 = h 2 b=-1
AVL tree with original spec 11 avl root,h,n,B,b root=null h=n=b=0 B={ } root node avl avl D D = (n=1 + n 1 + n 2 B={v} U B 1 U B 2 x B 1.x v x B 2. x > v) FM 2011 h 1 =h 2 b=0 h 1 = 1 + h 2 b=1 1+ h 1 = h 2 b=-1 then Staged formula
Agenda Background Case induced specifications 12 Early vs. Late instantiations Conclusions FM 2011 Staged formulae
node tail (node x) requires llx,n ∧ n>0 ensures (res=null ∧ n=1) ∨ (llres,n-1 ∧ n 1); { node aux = x.next; return aux; } ∃ q · x node_, q ∗ llq,n−1 ∧ n > 0 Tail function llx,n ∧ n>0 x node _, aux ∗ llaux,n−1 ∧ n > 0 x node _, res ∗ llres,n−1 ∧ n > 0 x node _, res ∗ llres,n−1 ∧ n > 0 |- postcondition 13 FM 2011 data node{ int val; node next} ll = root=null n=0 root node * ll
Entailment with inductive predicates 1 |- 2 * r Determine if the heap in 1 contains the heap in 2 r is the residue of 1 not matching 2 Separation logic formula 14 FM 2011
x node_, res ∗ llres, n−1 n 0 |- (res=null n=1) * r x node_, res ∗ llres, n−1 n 0 |- (res=null n=1) ∨ (llres,n−1 n 1) Entailment with inductive predicates x node_, res ∗ llres, n−1 n 0 |- (llres, n−1 n 1) * r Entailment fails! 15 FM 2011 node tail (node x) requires llx,n ∧ n>0 ensures (res=null ∧ n=1) ∨ (llres,n-1 ∧ n 1);
node tail (node x) requires llx,n ∧ n>0 ensures (res=null ∧ n=1) ∨ (llres,n-1 ∧ n 1); Tail function 16 Disjunction is difficult to reason about, leading to incompleteness. FM 2011
Tail function - structured node tail (node x) requires llx,n ∧ n > 0 case { n=1 → ensures res = null ; n 1 → ensures llres,n-1; } 17 FM 2011
Automatic case analysis |- case { 1 -> Z 1 ; 2 -> Z 2 } too general ∧ 1 |- Z 1 ∧ 2 |- Z 2 strengthened by case analysis disjoint conditions 18 FM 2011
x node _, res ∗ llres,n−1 ∧ n>0 ∧ n=1 |- (res=null) * r x node _, res ∗ llres,n−1 ∧ n>0 |- case { n=1 → ensures res = null; n 1 → ensures llres,n-1;} Entailment with inductive predicates x node _, res ∗ llres,n−1 ∧ n>0 ∧ n 1 |- (llres,n−1) * r Entailments succeed! 19 FM 2011 node tail (node x) requires llx,n ∧ n>0 case { n=1 → ensures res = null; n 1 → ensures llres,n-1;}
node mergeAVL(node t 1, node t 2 ) requires avlt 1, s 1, h 1, b 1 * avlt 2, s 2, h 2, b 2 ensures t 1 = null avlres, s 2, h 2, b 2 Ç t 1 != null avlres, s 1 +s 2, _, _; 20 FM 2011 Example height size balance
node mergeAVL(node t 1, node t 2 ) case{ t 1 =null → requires avlt 2, s 2, h 2, b 2 ensures avlres, s 2, h 2, b 2 ; t 1 !=null → requires avlt 2, s 2, h 2, b 2 ∗ avlt 1, s 1, _, _ ensures avlres, s 1 +s 2, _, _}; 21 FM 2011 Example
node mergeAVL(node t 1, node t 2 ) requires avlt 2, s 2, h 2, b 2 case{ t 1 =null → requires avlt 2, s 2, h 2, b 2 ensures avlres, s 2, h 2, b 2 ; t 1 !=null → requires avlt 2, s 2, h 2, b 2 ∗ avlt 1, s 1, _, _ ensures avlres, s 1 +s 2, _, _}; 22 FM 2011 Example
node mergeAVL(node t 1, node t 2 ) requires avlt 2, s 2, h 2, b 2 case{ t 1 =null → ensures avlres, s 2, h 2, b 2 ; t 1 !=null → requires avlt 1, s 1, _, _ ensures avlres, s 1 +s 2, _, _}; 23 FM 2011 Example
Agenda Background Case induced specifications 24 Early vs. Late instantiations Conclusions FM 2011 Staged formulae
Instantiations (1) Different types of bindings for the logical variables (of consequent) during the entailment. Used for the variables linking the precondition with the postcondition. int length (node x) requires x::ll ensures x::ll res=n 25 FM 2011 logical var program var
Instantiations (2) x node |- n.(x::ll n>0) x node |- n.(x node * ll n>0) n=1 |- n-1=0 n>0 Instantiation: n=1 26 FM 2011 data node{ int val; node next} ll = root=null n=0 root node * ll Entailment succeeds!
data cell {int val} cellPredroot, i = (root=null i 3) (root cell_ i>3); Early instantiation: p = null |- k.(cellPredp, k k>2) * r p = null |- k.((p=null k 3) k>2) * r p = null k 3|- p=null k>2 k 3) * r Instantiation: k 3 Late instantiation: p = null |- ([k] cellPredp, k k>2) * r p = null |- k. (p=null k 3 k>2) * r Instantiation: k 3 k>2 Instantiations (3) 27 Entailment fails! Entailment succeeds! FM 2011
Early vs. Late instantiation Triggered for just the matched predicate. Minimizes the use of existential quantification. Triggered for the entire formula. More complete. 28 FM 2011 Early instantiation: Late instantiation:
Experiments 29 FM 2011
Conclusion The structured specification mechanism: Enables automatic case analysis. Promotes a more modular verification, where larger/hard proofs are broken into smaller/simpler proofs. Guides the steps taken by the prover from the specification level. 30 FM 2011
Thank you! 31
Limerick: On verification This work improves the specification Based on a logic of separation We propose case analysis To be used in my thesis For a better verification! 32
Separation logic - example 3 3 y y x 3,y x 3 3 y y (x 3,y) * (y 3,z) 3 3 z z x 33 FM 2011
then case { h 1 = h 2 => b=0 1 +h 1 = h 2 => b=-1 h 1 = 1+ h 2 => b=1} AVL tree with original spec 34 avl root,h,n,B,b root=null h=n=b=0 B={ } root node avl avl D D = (n=1 + n 1 + n 2 B={v} U B 1 U B 2 x B 1.x v x B 2. x > v) FM 2011 h 1 =h 2 b=0 h 1 = 1 + h 2 b=1 1+ h 1 = h 2 b=-1
then case { h 1 = h 2 => b=0 1 +h 1 = h 2 => b=-1 h 1 = 1+ h 2 => b=1} AVL tree with original spec 35 avl root,h,n,B,b root=null h=n=b=0 B={ } root node avl avl D D = (n=1 + n 1 + n 2 B={v} U B 1 U B 2 x B 1.x v x B 2. x > v) FM 2011 Staged formula Case induced specs
Instantiations - examples data cell {int val} cellPredroot, i = (root=null i 3) (root cell_ i>3); Early instantiation: p cell_ |- (cellPredp, k k>2) * r k>3 |- k>3 k>2 * r Late instantiation: 36 Both entailments succeed! FM 2011 p cell_ |- ([k] cellPredp, k k>2)* r p cell_ |- k. (k 3 k>2) * r
ll = root=null n=0 root node * ll Heap predicate for a singly-linked list data node{ int val; node next} data node{ int val; node next} root ….. q 37 FM 2011
Pre and post conditions int length(node x) { if (x==null) then 0 else 1+length(x.next) } requires llx,n ensures llx,n ∧ res=n; 38 FM 2011
data cell {int val} cellPredroot, i = (root=null i 3) (root cell_ i>3); Early instantiation: p = null |- k.(cellPredp, k k>2) * r p = null |- k.((p=null k 3) k>2) * r p = null k 3 |- (p=null k 3) k>2 * r p = null k 3 |- k>2 * r Instantiation: k 3 Instantiations - examples 39 Entailment fails! FM 2011
Aim Typically, a specification mechanism focuses on: expressiveness: verification of more properties. abstraction: information hiding in spec. modularity: more readable and reusable specs. Our aim is to add structures to the specs for improving: precision: verification succeeds for more scenarios. efficiency: faster verification. conciseness: more concise specifications. 40 FM 2011