Presentation is loading. Please wait.

Presentation is loading. Please wait.

Goal: Static Software Verification Verify absence of run-time errors Buffer overflows Deadlocks Assertion failures Requires precise data structure verification.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Goal: Static Software Verification Verify absence of run-time errors Buffer overflows Deadlocks Assertion failures Requires precise data structure verification."— Presentation transcript:

1

2 Goal: Static Software Verification Verify absence of run-time errors Buffer overflows Deadlocks Assertion failures Requires precise data structure verification

3 The Problem With Structures 1 1 2 2 5 5 3 3 4 4 1 1 2 2 5 5 3 3 4 4 1 1 2 2 4 4 3 3 5 5 Unbounded Size Need Universally Quantified Properties “Every element has property P”

4 Contributions Precise properties of individual cells Types Predicates Lift properties to invariants on structures

5 Contributions Recursive Structures (Lists, Trees) Table Structures (Fields, Arrays, Hash Maps) Supports Inference Expressive Sorted, Duplicate-Free, Height-Balanced, Acyclic, … Practical Sorting Algorithms, Splay Heaps, Binary Heaps, AVL Trees, Red-Black Trees, Vectors, Union-Find, BDDs, … Predicate-Type Mechanisms TypeMechanisms Refined

6 Plan Contributions Types & Structures Refined Types & Data Structures Expressiveness Results

7 Types & Structures How do types handle structures? 1.Represent Universal Properties 2.Algorithm for Instantiating Properties 3.Algorithm for Generalizing Properties 4.Algorithm for Inference

8 1. Representation: Recursive Types 1 1 2 2 3 3 1::(2::(3::[])) type int list = | [] | :: of x:int * int list [] :: x : int

9 [] :: x : int [] :: h 1 : int [] :: x : int [] :: h 2 : int [] :: x : int [] :: h 3 : int [] :: x : int 1. Representation: Recursive Types Type Unfolding Universal Property: For all x in l, x is an int Universal Property: For all x in l, x is an int Universal Property: h 1 : int, h 2 : int, h 3 : int, … Universal Property: h 1 : int, h 2 : int, h 3 : int, …

10 Types & Structures How do types handle structures? 1.Represent Universal Properties 2.Algorithm for Instantiating Properties 3.Algorithm for Generalizing Properties 4.Algorithm for Inference

11 2. Instantiation Algorithm: Unfold [] :: x : int Unfold :: h : int [] :: x : int l : int listh:intt:int list Instantiate tl l = h :: t

12 3. Generalization Algorithm: Fold [] :: x : int Fold :: h : int [] :: x : int h:intt:int list Generalize tl l = h :: t l : int list

13 Types & Structures How do types handle structures? 1.Represent Universal Properties 2.Algorithm for Instantiating Properties 3.Algorithm for Generalizing Properties 4.Algorithm for Inference

14 let rec insert(x,l) = match l with | [] -> x::[] | h::t -> if x<h then x::l else h::insert(x,t) insert :: (x: int, l: int list) ! int list Verification = Generalization + Instantiation Ex: Typecheck Insertion Into List 1. 2. 3.

15 Assume Input Type Output Checks! []:int list x:int let rec insert(x,l) = match l with | [] -> x::[] | h::t -> if x<h then x::l else h::insert(x,t) Generalize x :: []:int list Ex: Typecheck Insertion Into List 1/3 G insert :: (x: int, l: int list) ! int list 1. 2. 3.

16 Assume Input Type Output Checks! let rec insert(x,l) = match l with | [] -> x::[] | h::t -> if x<h then x::l else h::insert(x,t) Ex: Typecheck Insertion into List 2/3 Generalize G insert :: (x: int, l: int list) ! int list x:int l:int list x::l:int list 1. 2. 3.

17 Input Assumption Output Checks! let rec insert(x,l) = match l with | [] -> x::[] | h::t -> if x<h then x::l else h::insert(x,t) h :: t:int list Ex: Typecheck Insertion into List 3/3 h:int t:int list I Generalize h :: insert(x,t):int list h:int insert(x,t):int list G Instantiate insert :: (x: int, l: int list) ! int list x:int 2. 3. 1.

18 let rec insert(x,l) = match l with | [] -> x::[] | h::t -> if x<h then x::l else h::insert(x,t) I G insert :: (x: int, l: int list) ! int list G G Verification = Generalization + Instantiation Gen when adding to struct. Ins when taking from struct.

19 Types & Structures How do types handle structures? 1.Represent Universal Properties 2.Algorithm for Instantiating Properties 3.Algorithm for Generalizing Properties 4.Algorithm for Inference

20 Plan Contributions Types & Structures Refined Types & Data Structures Expressiveness Results

21 Idea: “Piggyback” Predicates over Type 1.Representation for Universal Data Properties 2.Algorithm for Instantiating Data Properties 3.Algorithm for Generalizing Data Properties 4.Algorithm for Inference Refined Types & Data Structures

22 0<x [] :: x : int [] :: h : int 1. Representation: Refined RecTypes Refined Type Unfolding [] :: x : int 0<x 0<h

23 0<x [] :: x : int 0<x [] :: h 1 : int [] :: x : int [] :: x : int [] :: x : int 1. Representation: Refined RecTypes 0<h 1 0<h 2 0<h 3 0<x [] :: h 2 : int [] :: h 3 : int Universal Data Property: For all x in l, 0<x Universal Data Property: For all x in l, 0<x Refined Type Unfolding Universal Data Property: l:{x: int | 0<x} list Universal Data Property: l:{x: int | 0<x} list

24 1. Representation: RecRefined RecTypes [] :: x : int [] :: x 1 : int [] :: x : int x<V 0<x V Refers to Each Element in Tail Refines all elements Refines tail’s elements

25 x<V [] :: x : int [] :: h : int 1. Representation: RecRefined RecTypes RecRefined Type Unfolding [] :: x : int x<V h<V Push Edge Predicate Into Node h<x Instantiate V

26 h 2 <x h 1 <x x<V [] :: x : int x<V [] :: h 1 : int [] :: x : int [] :: x : int 1. Representation: RecRefined RecTypes h 1 <V h 3 <x [] :: h 2 : int [] :: h 3 : int RecRefined Type Unfolding h 1 <h 2 h 2 <V h 1 <h 3 [] :: x : int h 2 <h 3 h 3 <V h 1 <x h 2 <x x<V Universal Recursive Data Property h 1 < h 2 < h 3 < … Universal Recursive Data Property h 1 < h 2 < h 3 < … Universal Recursive Data Property l: sorted list Universal Recursive Data Property l: sorted list

27 2. Instantiation Algorithm: Unfold [] :: x : int Unfold :: h : int [] :: x : int l:sorted listh:intt:sorted list & {h<x} list Instantiate tl l = h :: t x<V h<x

28 3. Generalization Algorithm: Fold [] :: x : int Fold h : int [] :: x : int :: l:sorted listh:intt:sorted list & {h<x} list Generalize tl l = h :: t x<V h<x

29 Refined Types & Data Structures Idea: “Piggyback” Predicates over Type 1.Representation for Universal Data Properties 2.Algorithm for Instantiating Data Properties 3.Algorithm for Generalizing Data Properties 4.Algorithm for Inference

30 Refinement Type Inference [] :: x : int x<V Refinements Determine Property 1. Unknown refinements are variables 2. Constraints over variables 3. Solve to find refinements 0<x K2K2 K1K1

31 Hints for Type Inference Apply at Refinement PointsKeep Only Valid Refinements Refinement Type Inference [] :: x : int Refinements Determine Property 1. Unknown refinements are variables 2. Constraints over variables 3. Solve to find refinements K2K2 K1K1 *<* 0<* *=* … x<V 0<x x=V … x<V 0<x x<V 0<x x=V … Instantiate With Program Variables

32 Refined Types & Data Structures Idea: “Piggyback” Predicates over Type 1.Representation for Universal Data Properties 2.Algorithm for Instantiating Data Properties 3.Algorithm for Generalizing Data Properties 4.Algorithm for Inference Free Representation Free Algorithms

33 let rec insert(x,l) = match l with | [] -> x::[] | h::t -> if x<h then x::l else h::insert(x,t) I G G G Verification = Generalization + Instantiation insert :: (x:int, l:sorted list) ! sorted list Generalize, Instantiate at same place as typechecker! Gen when adding to struct. Ins when taking from struct. Verify Insertion Into List insert :: (x: int, l: int list) ! int list Verify Insertion Into Sorted List

34 Plan Contributions Types & Structures Refined Types & Data Structures Expressiveness Results

35 [] :: x : int x<V :: h 1 : int Property: h 1 < h 2 < h 3 < … Refined Unfolded :: h 2 : int h 1 <h 2 :: h 3 : int h 1 <h 3 h 2 <h 3 h 3 <x [] :: x : int h 1 <x h 2 <x x<V Property: sorted list Type Refinements Determine Property

36 [] :: x : int xVxV :: h 1 : int Property: h 1  h 2  h 3  … Refined Unfolded :: h 2 : int h1h2h1h2 :: h 3 : int h1h3h1h3 h2h3h2h3 h3xh3x [] :: x : int h1xh1x h2xh2x xVxV Property: duplicate-free list Type Non-aliasing in Collections e.g. list of distinct addresses Collections

37 Trees: Type Leaf Node x : int x<V V<x Trees: Refined Type

38 Node Leaf Node x : int Leaf Node x : int Unfold Refined Type Node x:int Leaf x<V V<x x<V V<x r<V V<r Push edge predicate inside LHS nodes < root < RHS nodes Property: binary-search tree r<V V<x r:int V<r x<V x<rr<x

39 Refined Type Node |Hl – Hr|< 2 Leaf l r Refine Node l, r = Names of left, right trees H l, H r = Heights of left, right trees

40 Node |Hl – Hr|< 2 Leaf l r Refined Type Unfold Node |Hl1 – Hr1|< 2|Hl1 – Hr1|< 2 l1l1 r1r1 |Hl – Hr|< 2 Leaf l r Node |Hl – Hr|< 2 Leaf l r Refined Type Unfold Height balanced at each level Property: balanced tree

41 Plan Contributions Types & Structures Refined Types & Data Structures Expressiveness Results

42 Our Inference Tool Specification Unsafe Safe Dsolve Hints OCaml Program

43 Data Structures Program Lines List-sort111 Map98 Redblack106 Stablesort124 Vec343 BinHeap122 SplayHeap134 Malloc71 Bdd206 UnionFind65 SubvSolve264 Total1736

44 Data Structures Program LinesProperty List-sort111Sorted, Outputs Permutation of Input Map98Balance, BST, Implements a Set Redblack106Balance, BST, Color Stablesort124Sorted Vec343Balance, Bounds Checking, … BinHeap122Heap, Returns Minimum, … SplayHeap134BST, Returns Minimum, Implements a Set Malloc71Used and Free Lists Are Accurate Bdd206Maintains Variable Order UnionFind65Acyclic SubvSolve264Acyclic Total1736

45 Data Structures Program LinesProperty List-sort111Sorted, Outputs Permutation of Input Map98Balance, BST, Implements a Set Redblack106Balance, BST, Color Stablesort124Sorted Vec343Balance, Bounds Checking, … BinHeap122Heap, Returns Minimum, … SplayHeap134BST, Returns Minimum, Implements a Set Malloc71Used and Free Lists Are Accurate Bdd206Maintains Variable Order UnionFind65Acyclic SubvSolve264Acyclic Total1736

46 Program LinesProperty List-sort111Sorted, Outputs Permutation of Input Map98Balance, BST, Implements a Set Redblack106Balance, BST, Color Stablesort124Sorted Vec343Balance, Bounds Checking, … BinHeap122Heap, Returns Minimum, … SplayHeap134BST, Returns Minimum, Implements a Set Malloc71Used and Free Lists Are Accurate Bdd206Maintains Variable Order UnionFind65Acyclic SubvSolve264Acyclic Total1736 Data Structures

47 Program LinesProperty List-sort111Sorted, Outputs Permutation of Input Map98Balance, BST, Implements a Set Redblack106Balance, BST, Color Stablesort124Sorted Vec343Balance, Bounds Checking, … BinHeap122Heap, Returns Minimum, … SplayHeap134BST, Returns Minimum, Implements a Set Malloc71Used and Free Lists Are Accurate Bdd206Maintains Variable Order UnionFind65Acyclic SubvSolve264Acyclic Total1736 Data Structures

48 Program LinesProperty List-sort111Sorted, Outputs Permutation of Input Map98Balance, BST, Implements a Set Redblack106Balance, BST, Color Stablesort124Sorted Vec343Balance, Bounds Checking, … BinHeap122Heap, Returns Minimum, … SplayHeap134BST, Returns Minimum, Implements a Set Malloc71Used and Free Lists Are Accurate Bdd206Maintains Variable Order UnionFind65Acyclic SubvSolve264Acyclic Total1736 Data Structures

49 Program Lines List-sort111 Map98 Redblack106 Stablesort124 Vec343 BinHeap122 SplayHeap134 Malloc71 Bdd206 UnionFind65 SubvSolve264 Total1736

50 Data Structures Program LinesHints List-sort1117 Map9814 Redblack1062 Stablesort1241 Vec3439 BinHeap1226 SplayHeap1343 Malloc712 Bdd2063 UnionFind652 SubvSolve2642 Total173654 3% of code size

51 Data Structures Program LinesHintsTime (sec) List-sort11175 Map981425 Redblack106229 Stablesort12414 Vec343987 BinHeap122633 SplayHeap13436 Malloc7122 Bdd206380 UnionFind6525 SubvSolve264220 Total173654300

52 Data Structures Program LinesHintsTime (sec) List-sort11175 Map981425 Redblack106229 Stablesort12414 Vec343987 BinHeap122633 SplayHeap13436 Malloc7122 Bdd206380 UnionFind6525 SubvSolve264220 Total173654300

53 Vec: Extensible Arrays (317 LOC) “Python-style” arrays for OCaml find, insert, delete, join etc. Efficiency via balanced trees Balanced Height difference between siblings ≤ 2 Dsolve found balance violation

54 fatal off-by-one error Recursive Rebalance

55 Debugging via Inference Using Dsolve we found Where imbalance occurred (specific path conditions) How imbalance occurred (left tree off by up to 4) Leading to test and fix

56 Plan Contributions Types & Structures Refined Types & Data Structures Expressiveness Results

57 http://pho.ucsd.edu/liquid source, papers, demo, etc.

58 Data Precision Types Predicates Lifting to Structures Data Structure Verification Conclusion

59 (Finite) Maps 1 1 2 2 4 4 3 3 5 5 n 1.succs =[ n 2 ; n 3 ; n 4 ] (node, node list) Map Field Read/Get Field Write/Set n.succs n.succs := e set succs n e get succs n Data Key

60 Refined Maps 1 1 2 2 4 4 3 3 5 5 (node, node list) Map ( n: node,{ x: node|n<x} list) Map P(x 0 ), P(x 1 ),… 8 x. P(x) How to Generalize? How to Instantiate? Refine poly-type for set Refine poly-type for get When getting data from key When setting key to data Acyclic Graph!

61 Textual Representation μt. [] + ::(x: int, t) [] :: x : int x<V 0<x, > type int list = | [] | :: of x:int * int list [] has no parameters Refines Elements Refines Tail [] + ::(x: {0 t)) μt. [] + ::(x: int,, >t)

62 Insertion Sort Type and Hint let rec ins l x = match l with | [] -> x :: [] | h :: xs -> if x < h then x :: h :: xs else h :: (ins xs x) let insert_sort lst = List.fold_left ins [] lst hint: * =< * sorted = μt. [] + ::(x: int,, = x, true>>t) insert_sort: sorted ! sorted

Download ppt "Goal: Static Software Verification Verify absence of run-time errors Buffer overflows Deadlocks Assertion failures Requires precise data structure verification."

Similar presentations

§2 Binary Trees Note: In a tree, the order of children does not matter. But in a binary tree, left child and right child are different. A B A B andare.

§2 Binary Trees Note: In a tree, the order of children does not matter. But in a binary tree, left child and right child are different. A B A B andare.
Automated Verification with HIP and SLEEK Asankhaya Sharma.

Automated Verification with HIP and SLEEK Asankhaya Sharma.
Gennaro Parlato (LIAFA, Paris, France) Joint work with P. Madhusudan Xiaokang Qie University of Illinois at Urbana-Champaign.

Gennaro Parlato (LIAFA, Paris, France) Joint work with P. Madhusudan Xiaokang Qie University of Illinois at Urbana-Champaign.
AVL-Trees (Part 2) COMP171. AVL Trees / Slide 2 A warm-up exercise … * Create a BST from a sequence, n A, B, C, D, E, F, G, H * Create a AVL tree for.

AVL-Trees (Part 2) COMP171. AVL Trees / Slide 2 A warm-up exercise … * Create a BST from a sequence, n A, B, C, D, E, F, G, H * Create a AVL tree for.
Verification of Functional Programs in Scala Philippe Suter (joint work w/ Ali Sinan Köksal and Viktor Kuncak) ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE,

Verification of Functional Programs in Scala Philippe Suter (joint work w/ Ali Sinan Köksal and Viktor Kuncak) ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE,
Transform and Conquer Chapter 6. Transform and Conquer Solve problem by transforming into: a more convenient instance of the same problem (instance simplification)

Transform and Conquer Chapter 6. Transform and Conquer Solve problem by transforming into: a more convenient instance of the same problem (instance simplification)
S. Sudarshan Based partly on material from Fawzi Emad & Chau-Wen Tseng

S. Sudarshan Based partly on material from Fawzi Emad & Chau-Wen Tseng
Tree Data Structures &Binary Search Tree 1. Trees Data Structures Tree  Nodes  Each node can have 0 or more children  A node can have at most one parent.

Tree Data Structures &Binary Search Tree 1. Trees Data Structures Tree  Nodes  Each node can have 0 or more children  A node can have at most one parent.
Time Complexity of Basic BST Operations Search, Insert, Delete – These operations visit the nodes along a root-to- leaf path – The number of nodes encountered.

Time Complexity of Basic BST Operations Search, Insert, Delete – These operations visit the nodes along a root-to- leaf path – The number of nodes encountered.
1 CSE 373 AVL trees, continued read: Weiss Ch. 4, section 4.1 - 4.4 slides created by Marty Stepp

1 CSE 373 AVL trees, continued read: Weiss Ch. 4, section slides created by Marty Stepp
Balanced Binary Search Trees

Balanced Binary Search Trees
4.5 AVL Trees  A tree is said to be balanced if for each node, the number of nodes in the left subtree and the number of nodes in the right subtree differ.

4.5 AVL Trees  A tree is said to be balanced if for each node, the number of nodes in the left subtree and the number of nodes in the right subtree differ.
AVL-Trees (Part 1) COMP171. AVL Trees / Slide 2 * Data, a set of elements * Data structure, a structured set of elements, linear, tree, graph, … * Linear:

AVL-Trees (Part 1) COMP171. AVL Trees / Slide 2 * Data, a set of elements * Data structure, a structured set of elements, linear, tree, graph, … * Linear:
1 Trees. 2 Outline –Tree Structures –Tree Node Level and Path Length –Binary Tree Definition –Binary Tree Nodes –Binary Search Trees.

1 Trees. 2 Outline –Tree Structures –Tree Node Level and Path Length –Binary Tree Definition –Binary Tree Nodes –Binary Search Trees.
Trees CS-212 Dick Steflik. What is a Tree A tree is a finite set of one or more nodes such that: –There is a specially designated node called the root.

Trees CS-212 Dick Steflik. What is a Tree A tree is a finite set of one or more nodes such that: –There is a specially designated node called the root.
Verification and Data Structures int kmp_search(char str[], char pat[]){ p = 0; s = 0; while (p

Verification and Data Structures int kmp_search(char str[], char pat[]){ p = 0; s = 0; while (p
Lec 15 April 9 Topics: l binary Trees l expression trees Binary Search Trees (Chapter 5 of text)

Lec 15 April 9 Topics: l binary Trees l expression trees Binary Search Trees (Chapter 5 of text)
AVL Trees / Slide 1 Balanced Binary Search Tree  Worst case height of binary search tree: N-1  Insertion, deletion can be O(N) in the worst case  We.

AVL Trees / Slide 1 Balanced Binary Search Tree  Worst case height of binary search tree: N-1  Insertion, deletion can be O(N) in the worst case  We.
Chapter 13 Binary Search Trees. Copyright © 2005 Pearson Addison-Wesley. All rights reserved. 13-2 Chapter Objectives Define a binary search tree abstract.

Chapter 13 Binary Search Trees. Copyright © 2005 Pearson Addison-Wesley. All rights reserved Chapter Objectives Define a binary search tree abstract.
CS 307 Fundamentals of Computer Science 1 Data Structures Review Session 2 Ramakrishna, PhD student. Grading Assistant for this course.

CS 307 Fundamentals of Computer Science 1 Data Structures Review Session 2 Ramakrishna, PhD student. Grading Assistant for this course.

Similar presentations

Ads by Google