A Framework for describing recursive data structures


1 A Framework for describing recursive data structures
Kenneth Roe, Scott Smith

2 Shape analysis and Recursive data structures
The objective is to verify the integrity of dynamic data structures such as lists and trees
Based on principles of separation logic
Builds on work from Byron Cook and company
The key contribution is reasoning about data structures more complex than linked lists
Regular expressions are used to describe paths through data structures

3 Sample program Data Structures
    struct list { struct list *n; struct tree *t; int data; };
    struct tree { struct tree *l, *r; int value; };

4 Sample program code
    #include <stdlib.h>

    struct list *p;

    void build_pre_order(struct tree *r) {
        struct list *i = NULL, *n, *x;
        struct tree *t = r;
        p = NULL;
        while (t) {
            n = p;
            p = malloc(sizeof(struct list));    /* record the visit of t at the head of list p */
            p->t = t;
            p->n = n;
            if (t->l == NULL && t->r == NULL) { /* leaf: resume at the pending right subtree, if any */
                if (i == NULL) {
                    t = NULL;
                } else {
                    struct list *tmp = i->n;
                    t = i->t;
                    free(i);
                    i = tmp;
                }
            } else if (t->r == NULL) {
                t = t->l;
            } else if (t->l == NULL) {
                t = t->r;
            } else {                            /* push the right subtree on list i, descend left */
                n = i;
                i = malloc(sizeof(struct list));
                i->n = n;
                x = t->r;
                i->t = x;
                t = t->l;
            }
        }
    }

5 Invariants
[Diagram: heap with list p, list i and tree r (root 4, children 2 and 6, leaves 1, 3 and 5); list nodes have fields n and t, tree nodes have fields l and r]
The program maintains two well formed linked lists, the heads of which are pointed to by i and p.

6 Invariants
[Diagram: the same heap, highlighting the tree rooted at r (root 4, children 2 and 6, leaves 1, 3 and 5)]
The program maintains a well formed tree pointed to by r.

7 Invariants
[Diagram: the same heap, highlighting the pointer t into the tree rooted at r]
t always points to an element in the tree rooted at r.

8 Invariants
[Diagram: the same heap, with the list p, the list i and the tree r shown as disjoint regions]
The two lists and the tree do not share any nodes.

9 Invariants
[Diagram: the same heap of lists p and i and tree r]
Other than the memory used for the two lists and the tree, no other heap memory is allocated.

10 Invariants
[Diagram: the same heap, with the t fields of the list nodes shown pointing at tree nodes and a nil list tail]
The l field of every element in both list structures points to an element in the tree.

11 State representation
[Diagram: the same heap of lists p and i and tree r, labelled with the field names n, t, l and r]
R_{n*}(p, ∅) * R_{(l|r)*}(r, ∅) * R_{n*}(i, ∅)
r ↝(l|r)* t ∧ (∀v. ∃z. p ↝n* v → v ↝t z ∧ r ↝(l|r)* z) ∧ (∀v. ∃z. i ↝n* v → v ↝t z ∧ r ↝(l|r)* z)
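An added example, not code from the slides or from the authors' tool, that turns the slide 11 invariant into a runtime check on the slide 4 program: the path predicate r ↝(l|r)* z becomes a reachability search over l and r edges, and p ↝n* v becomes a walk along n. The sample tree, the function names and the corrected field names (t rather than l) are assumptions of this example; the shape analysis in the talk establishes the invariant for every run, whereas this check only tests the runs it is given.

```c
#include <stdlib.h>
#include <stdbool.h>
/* The two node types from the "Sample program Data Structures" slide. */
struct tree { struct tree *l, *r; int value; };
struct list { struct list *n; struct tree *t; int data; };

/* r ~>(l|r)* z: z is reachable from r along some path of l and r edges. */
bool reach_lr_star(const struct tree *r, const struct tree *z) {
    if (r == NULL) return false;
    if (r == z) return true;
    return reach_lr_star(r->l, z) || reach_lr_star(r->r, z);
}

/* One list's conjunct of the slide 11 invariant: for every v with head ~>n* v
 * there is a z with v ~>t z and r ~>(l|r)* z. */
bool list_points_into_tree(const struct list *head, const struct tree *r) {
    for (const struct list *v = head; v != NULL; v = v->n)
        if (!reach_lr_star(r, v->t)) return false;
    return true;
}

/* The slide 4 builder with its field-name slips fixed (p->t, i->t, free(i));
 * p records the visited nodes, i holds right subtrees still to be visited. */
struct list *p;
void build_pre_order(struct tree *r) {
    struct list *i = NULL, *n;
    struct tree *t = r;
    p = NULL;
    while (t) {
        n = p; p = malloc(sizeof *p); p->t = t; p->n = n;
        if (t->l == NULL && t->r == NULL) {
            if (i == NULL) { t = NULL; }
            else { struct list *tmp = i->n; t = i->t; free(i); i = tmp; }
        } else if (t->r == NULL) { t = t->l; }
        else if (t->l == NULL) { t = t->r; }
        else { n = i; i = malloc(sizeof *i); i->n = n; i->t = t->r; t = t->l; }
    }
}

/* Constructed sample tree matching the invariant slides: 4 at the root,
 * 2 and 6 below it, leaves 1, 3 and 5 (array index = node value). */
static struct tree nodes[7];
struct tree *sample_tree(void) {
    for (int v = 1; v <= 6; v++) { nodes[v].l = nodes[v].r = NULL; nodes[v].value = v; }
    nodes[4].l = &nodes[2]; nodes[4].r = &nodes[6];
    nodes[2].l = &nodes[1]; nodes[2].r = &nodes[3];
    nodes[6].l = &nodes[5];
    return &nodes[4];
}
```

Because each visit is pushed at the head of p, the finished list holds the preorder sequence 4, 2, 1, 3, 6, 5 in reverse.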

12 Backward reasoning
Logic rules for back propagation
Generated preconditions imply post condition
Not guaranteed to get weakest pre-condition
The system also contains rules for merging states
Becomes necessary when joining the branches of an “if” statement

13 Back-chaining example
Last line of source code:
    n = i; i = malloc(sizeof(struct list)); i->n = n; x = t->r; i->t = x; t = t->l;

14 Back-chaining example
[Diagram: the heap of lists p and i and tree r, with t pointing into the tree]
r ↝(l|r)* t ∧ (∀v. ∃z. p ↝n* v → v ↝t z ∧ r ↝(l|r)* z) ∧ (∀v. ∃z. i ↝n* v → v ↝t z ∧ r ↝(l|r)* z)
R_{n*}(p, ∅) * R_{(l|r)*}(r, ∅) * R_{n*}(i, ∅)

15 Back-chaining example
t = t->l
[Diagram: the heap of lists p and i and tree r, with t pointing into the tree]
t ↝l q ∧ r ↝(l|r)* q ∧ (∀v. ∃z. p ↝n* v → v ↝l z ∧ r ↝(l|r)* z) ∧ (∀v. ∃z. i ↝n* v → v ↝l z ∧ r ↝(l|r)* z)
R_{n*}(p, ∅) * R_{(l|r)*}(r, ∅) * R_{n*}(i, ∅)

16 Back-chaining example
t = t->l
[Diagram: the heap of lists p and i and tree r, with t pointing into the tree]
t ↝l q ∧ r ↝(l|r)* t ∧ (∀v. ∃z. p ↝n* v → v ↝l z ∧ r ↝(l|r)* z) ∧ (∀v. ∃z. i ↝n* v → v ↝l z ∧ r ↝(l|r)* z)
R_{n*}(p, ∅) * R_{(l|r)*}(r, ∅) * R_{n*}(i, ∅)

17 Back-chaining example
We have back propagated over the last statement. We have several more statements to go:
    n = i; i = malloc(sizeof(struct list)); i->n = n; x = t->r; i->t = x; t = t->l;

18 Back-chaining example
After back-propagating over the remaining statements, we end up with the following, which is almost our original invariant:
t ↝l q ∧ t ↝r e ∧ r ↝(l|r)* t ∧ (∀v. ∃z. p ↝n* v → v ↝l z ∧ r ↝(l|r)* z) ∧ (∀v. ∃z. i ↝n* v → v ↝l z ∧ r ↝(l|r)* z) | R_{n*}(p, ∅) * R_{(l|r)*}(r, ∅) * R_{n*}(i, ∅)

19 Future work
Arrays
Length predicate
Handling procedures
COQ verification (in progress)
