Download presentation
Presentation is loading. Please wait.
1
Effectively-Propositional Reasoning about Reachability in Linked Data Structures Shachar Itzhaky Anindya Banerjee Neil Immerman Aleks Nanevski Mooly Sagiv http://www.cs.tau.ac.il/~shachar/afwp.html TAU IMDEA UMASS IMDEA TAU
2
Motivation Proving presence (absence) of pointer paths between memory allocated objects in a given program –Partial program correctness Memory safety Absence of memory leaks Data structure invariants –Acylicity, Sortedness –Total program correctness –Program equivalence
3
Program Termination traverse(Node x, Node y) { for (t =x; t != y ; t = t.n) { … } {x y} null nnnn x y
4
Disjoint Parallelism for (x =h; x != null; x = x.n) { … } for (y=k; y != null; y = y.n) { … } { : null (h k )} null nnnn h nnn k x y
5
Challenges Complexity of reasoning about reachability assertions –Undecidability of reachability [Inferring reachability properties from the code] " there is a mismatch between the simple intuitions about the way pointer operations work and the complexity of their axiomatic treatments " O'Hearn, Reynolds, Yang [CSL 2001]
![Challenges Complexity of reasoning about reachability assertions –Undecidability of reachability [Inferring reachability properties from the code] there is a mismatch between the simple intuitions about the way pointer operations work and the complexity of their axiomatic treatments O Hearn, Reynolds, Yang [CSL 2001]](http://images.slideplayer.com./24/7013393/slides/slide_5.jpg "Challenges Complexity of reasoning about reachability assertions –Undecidability of reachability [Inferring reachability properties from the code] there is a mismatch between the simple intuitions about the way pointer operations work and the complexity of their axiomatic treatments O Hearn, Reynolds, Yang [CSL 2001]")
6
Link list manipulations are simple Simple to reason about correctness –Small counterexamples “Simple” invariants –Alternation Free + Reachability “ ” * *
7
EA( * * ) formulas Bernays-Schönfinkel-Ramsey t ::= var | constant (Terms) ap ::= t 1 = t 2 | r(t 1,t 2, …, t n ) qf ::= ap | qf 1 qf 2 | qf 1 qf 2 | qf ea ::= 1, 2, n : 1, 2, m : qf Effectively Propositional –Skolimization yields finite models –EQ-satisfiable to a propositional formula –Support from Z3
8
EA( ) formulas Bernays-Schönfinkel-Ramsey 1, 2, : 1 : r( 1, 1 ) r( 1, 2 ) = sat 1 : r(c 1, 1 ) r( 1, c 2 ) = sat (r(c 1, c 1 ) r(c 1, c 2 )) (r(c 1, c 2 ) r(c 2, c 2 )) = sat (P 11 P 12 ) (P 12 P 22 )
9
Alternation Free Reachability (AF R ) “Extended subset” of EA –Closed under negation t ::= var | constant (Terms) ap ::= t 1 = t 2 | r(t 1,t 2, …, t n ) | t 1 t 2 (Reachability via sequences of f’s) ( exists k: f k (t 1 )=t 2 ) qf ::= qf | qf 1 qf 2 | qf 1 qf 2 | qf e ::= 1, 2,…, n : qf a: ::= 1, 2,…, m : qf af R ::= e | a | af R 1 af R 2 | af R 1 af R 2
10
AF R Program Properties Acylicity – , : – , : = Acyclic list with a head h – , : h h = Sorted segment – , : data n*n* n*n* n*n* n*n* h u n*n* v u v
11
AF R Program Properties Doubly linked lists – , : Disjoint lists with heads h and k – : null (h k ) f * b*b* 11 n*n* h k 22
12
List Reversal (isolatd) h d n*n* n*n* n*n* n*n* n*n* n*n* n n null Node reverse(Node h) { Node c = h; Node d = null; while (c != null) { Node t = c.next; c.next = d; d = c; c = t; } return d } {ac [h] : h }
![List Reversal (isolatd) h d n*n* n*n* n*n* n*n* n*n* n*n* n n null Node reverse(Node h) { Node c = h; Node d = null; while (c != null) { Node t = c.next; c.next = d; d = c; c = t; } return d } {ac [h] : h }](http://images.slideplayer.com./24/7013393/slides/slide_12.jpg "List Reversal (isolatd) h d n*n* n*n* n*n* n*n* n*n* n*n* n n null Node reverse(Node h) { Node c = h; Node d = null; while (c != null) { Node t = c.next; c.next = d; d = c; c = t; } return d } {ac [h] : h }")
13
Invariant List Reversal (isolatd) Node reverse(Node h) { Node c = h; Node d = null; while (c != null) { Node t = c.next; c.next = d; d = c; c = t; } return d } {ac [h] : h } h d n*n* n*n* n*n* n*n* n*n* n*n* n n null n c d c ( ) d I= , :
![Invariant List Reversal (isolatd) Node reverse(Node h) { Node c = h; Node d = null; while (c != null) { Node t = c.next; c.next = d; d = c; c = t; } return d } {ac [h] : h } h d n*n* n*n* n*n* n*n* n*n* n*n* n n null n c d c ( ) d I= , :](http://images.slideplayer.com./24/7013393/slides/slide_13.jpg "Invariant List Reversal (isolatd) Node reverse(Node h) { Node c = h; Node d = null; while (c != null) { Node t = c.next; c.next = d; d = c; c = t; } return d } {ac [h] : h } h d n*n* n*n* n*n* n*n* n*n* n*n* n n null n c d c ( ) d I= , :")
14
List Reversal (isolated) Node reverse(Node h) { Node c = h; Node d = null; while {I} (c != null) { Node t = c.next; c.next = d; d = c; c = t; } return d } {ac [h] : h } {ac[d] , : } d c ( ) d I= , :
![List Reversal (isolated) Node reverse(Node h) { Node c = h; Node d = null; while {I} (c != null) { Node t = c.next; c.next = d; d = c; c = t; } return d } {ac [h] : h } {ac[d] , : } d c ( ) d I= , :](http://images.slideplayer.com./24/7013393/slides/slide_14.jpg "List Reversal (isolated) Node reverse(Node h) { Node c = h; Node d = null; while {I} (c != null) { Node t = c.next; c.next = d; d = c; c = t; } return d } {ac [h] : h } {ac[d] , : } d c ( ) d I= , :")
15
List Reversal (isolated) Node reverse(Node h) { Node c = h; Node d = null; while {I} (c != null) { Node t = c.next; c.next = d; d = c; c = t; } return d } {ac [h] : h } {ac[d] , : : d } d c ( ) d I= , :
![List Reversal (isolated) Node reverse(Node h) { Node c = h; Node d = null; while {I} (c != null) { Node t = c.next; c.next = d; d = c; c = t; } return d } {ac [h] : h } {ac[d] , : : d } d c ( ) d I= , :](http://images.slideplayer.com./24/7013393/slides/slide_15.jpg "List Reversal (isolated) Node reverse(Node h) { Node c = h; Node d = null; while {I} (c != null) { Node t = c.next; c.next = d; d = c; c = t; } return d } {ac [h] : h } {ac[d] , : : d } d c ( ) d I= , :")
16
List Reversal (ownership) { , : h h } Node reverse(Node h) { Node c = h; Node d = null; while {I} (c != null) { Node t = c.next; c.next = d; d = c; c = t; } return d }
17
List Reversal (ownership) h d n*n* n*n* n*n* n*n* n*n* n*n* n n h h null Case 1:
18
List Reversal (ownership) h<n*> h<n*>h<n*> h<n*> h d n*n* n *, n * n*n* n null n Case 2:
19
List Reversal (ownership) h d n*n* n*n* n*n* n*n* h<n*> h<n*>h<n*> h<n*> false n null n Case 3:
20
List Reversal (ownership) d h=h= n*n* n*n* n *, n * h h h= n null n Case 4:
21
List Reversal (ownership) Node reverse(Node h) { Node c = h; Node d = null; while (c != null) { Node t = c.next; c.next = d; d = c; c = t; } return d; } {ac [h] , : h h } h h <n*><n*> <n*><n*> h<n*> h<n*>h<n*> h<n*> , : h<n*> h<n*>h<n*> h<n*> false h= h h
![List Reversal (ownership) Node reverse(Node h) { Node c = h; Node d = null; while (c != null) { Node t = c.next; c.next = d; d = c; c = t; } return d; } {ac [h] , : h h } h h <n*><n*> <n*><n*> h<n*> h<n*>h<n*> h<n*> , : h<n*> h<n*>h<n*> h<n*> false h= h h ](http://images.slideplayer.com./24/7013393/slides/slide_21.jpg "List Reversal (ownership) Node reverse(Node h) { Node c = h; Node d = null; while (c != null) { Node t = c.next; c.next = d; d = c; c = t; } return d; } {ac [h] , : h h } h h <n*><n*> <n*><n*> h<n*> h<n*>h<n*> h<n*> , : h<n*> h<n*>h<n*> h<n*> false h= h h ")
22
Why AF R ? Represents the invariants of simple linked list manipulations Closed under , , , Finite model property Decidable for satisfiability/validity AF R AF Can be reduced to a propositional formula –SAT solver is complete for verification/falsification
23
AF R AF Introduce an auxiliary relation n* t[ ] =n * ( , ) Completely axiomatize n* by an AF formula linOrd = , : n * ( , ) n * ( , ) = , , : n * ( , ) n * ( , ) n * ( , ) , , : n * ( , ) n * ( , ) (n * ( , ) n * ( , )) is satisfiable ( linOrd t[ ]) is satisfiable –AF formulas have finite model
![AF R AF Introduce an auxiliary relation n* t[ ] =n * ( , ) Completely axiomatize n* by an AF formula linOrd = , : n * ( , ) n * ( , ) = , , : n * ( , ) n * ( , ) n * ( , ) , , : n * ( , ) n * ( , ) (n * ( , ) n * ( , )) is satisfiable ( linOrd t[ ]) is satisfiable –AF formulas have finite model](http://images.slideplayer.com./24/7013393/slides/slide_23.jpg "AF R AF Introduce an auxiliary relation n* t[ ] =n * ( , ) Completely axiomatize n* by an AF formula linOrd = , : n * ( , ) n * ( , ) = , , : n * ( , ) n * ( , ) n * ( , ) , , : n * ( , ) n * ( , ) (n * ( , ) n * ( , )) is satisfiable ( linOrd t[ ]) is satisfiable –AF formulas have finite model")
24
Inverting n* n Every finite model in which n* satisfies the order requirements: linOrd = , : n * ( , ) n * ( , ) = , , : n * ( , ) n * ( , ) n * ( , ) , , : n * ( , ) n * ( , ) (n * ( , ) n * ( , )) n * uniquely determines n
25
Inverting n* n u v w x y n*n* n*n* n*n* n*n* n*n* n*n* n*n* n*n* n*n* n*n* n*n* n*n* n*n* n*n*
26
Inverting n* n u v w x y n( ) = : n+n+ n+n+ n+n+ n+n+ n+n+ n+n+ n+n+ n+n+ n n+n+ n n n+n+ n
27
Simple SAT Application Determine if two clients are identical –Produce isomorphic reachable stores reverse(reverse(h)) = h , : , : , :
28
Verification Process Program P Assertions VC gen Verification Condition P “ ” SAT Solver Counterexample Proof
29
wp Weakest Precondition wp: Stm (Ass Ass) wp S (Q) – the weakest condition such that every terminating computation of S results in a state satisfying Q wp S (Q) ’: S ’ ’ Q Can be used to compute verification conditions Q
30
Hoare Assignment Rule wp x := e (Q) =Q[e / x] wp x := 5 (x=5) = 5=5 true wp x := 5 (x=6) = 6=5 false wp[x := x +1](x=7) = x+1 = 7 x = 6 d c d wc c := d , : = d d d , :
![Hoare Assignment Rule wp x := e (Q) =Q[e / x] wp x := 5 (x=5) = 5=5 true wp x := 5 (x=6) = 6=5 false wp[x := x +1](x=7) = x+1 = 7 x = 6 d c d wc c := d , : = d d d , :](http://images.slideplayer.com./24/7013393/slides/slide_30.jpg "Hoare Assignment Rule wp x := e (Q) =Q[e / x] wp x := 5 (x=5) = 5=5 true wp x := 5 (x=6) = 6=5 false wp[x := x +1](x=7) = x+1 = 7 x = 6 d c d wc c := d , : = d d d , :")
31
WP Compound statements wp skip (Q) = Q wp x := e (Q) = Q[e / x] wp S 1 ; S 2 (Q) = wp S 1 (wp S 2 (Q)) wp if B then S 1 else S 2 = ( B wp S 1 (Q)) ( B wp S 2 (Q)) wp while B do {I} S = I
![WP Compound statements wp skip (Q) = Q wp x := e (Q) = Q[e / x] wp S 1 ; S 2 (Q) = wp S 1 (wp S 2 (Q)) wp if B then S 1 else S 2 = ( B wp S 1 (Q)) ( B wp S 2 (Q)) wp while B do {I} S = I](http://images.slideplayer.com./24/7013393/slides/slide_31.jpg "WP Compound statements wp skip (Q) = Q wp x := e (Q) = Q[e / x] wp S 1 ; S 2 (Q) = wp S 1 (wp S 2 (Q)) wp if B then S 1 else S 2 = ( B wp S 1 (Q)) ( B wp S 2 (Q)) wp while B do {I} S = I")
32
VC rules VC gen ({P} S {Q}) = P wp S (Q) VC aux (S, Q) VC aux (S, Q) = {} (for any atomic statement) VC aux (S 1 ; S 2, Q) = VC aux (S 1, wp(S 2, Q)) VC aux (S 2, Q) VC aux (if C then S 1 else S 2, Q) = VC aux (S 1, Q) VC aux (S 2, Q) VC aux (while B do S, Q) = VC aux (S, I) {I B wp S (I)} {I B Q}
33
But how about heap mutations? McCarthy assignment rule does not work wp c.n := null (Q) = Q[n[c null] / n] –Refers to n –Does not explicitly update reachability –Outside AF R Employ incremental updates n n’ x.n := null QF n’* n* FO TC
34
Dong & Su [SIGMOD’00] DAG c d : c n( )= c
![Dong & Su [SIGMOD’00] DAG c d : c n( )= c](http://images.slideplayer.com./24/7013393/slides/slide_34.jpg "Dong & Su [SIGMOD’00] DAG c d : c n( )= c")
35
Deterministic Graphs (function) c d c d c d c d
36
Mutating Single Linked Lists wp c.n := null (Q) = Q[( ( c c)) / ] Can also enforce absence of null dereferences c null
![Mutating Single Linked Lists wp c.n := null (Q) = Q[( ( c c)) / ] Can also enforce absence of null dereferences c null](http://images.slideplayer.com./24/7013393/slides/slide_36.jpg "Mutating Single Linked Lists wp c.n := null (Q) = Q[( ( c c)) / ] Can also enforce absence of null dereferences c null")
37
Circular Linked Lists Slightly more complex but Quantifier-Free [Hesse’03,Reps, Lahiri&Quadeer POPL’08] wp remains in QF
![Circular Linked Lists Slightly more complex but Quantifier-Free [Hesse’03,Reps, Lahiri&Quadeer POPL’08] wp remains in QF](http://images.slideplayer.com./24/7013393/slides/slide_37.jpg "Circular Linked Lists Slightly more complex but Quantifier-Free [Hesse’03,Reps, Lahiri&Quadeer POPL’08] wp remains in QF")
38
Single Mutation c.n := y (assuming c.n =null) Simple for general graphs AF R for arbitrary data structures wp c.n := y (Q) = Q[( ( c y ))/ ] Can also enforce acyclicity y c , : ( x y )
![Single Mutation c.n := y (assuming c.n =null) Simple for general graphs AF R for arbitrary data structures wp c.n := y (Q) = Q[( ( c y ))/ ] Can also enforce acyclicity y c , : ( x y )](http://images.slideplayer.com./24/7013393/slides/slide_38.jpg "Single Mutation c.n := y (assuming c.n =null) Simple for general graphs AF R for arbitrary data structures wp c.n := y (Q) = Q[( ( c y ))/ ] Can also enforce acyclicity y c , : ( x y )")
39
But what about pointer traversals? x := x.n Hoare assignment rule goes outside AF R wp x := y.n (Q) = Q[n(y) / x] –Outside AF R Reason about list segments Coincides with complications in pointer and shape analysis
40
WP Compound statements wp skip (Q) = Q wp x := e (Q) = Q[e / x] wp S 1 ; S 2 (Q) = wp S 1 (wp S 2 (Q)) wp if B then S 1 else S 2 = ( B wp S 1 (Q)) ( B wp S 2 (Q)) wp while B do {I} S = I
![WP Compound statements wp skip (Q) = Q wp x := e (Q) = Q[e / x] wp S 1 ; S 2 (Q) = wp S 1 (wp S 2 (Q)) wp if B then S 1 else S 2 = ( B wp S 1 (Q)) ( B wp S 2 (Q)) wp while B do {I} S = I](http://images.slideplayer.com./24/7013393/slides/slide_40.jpg "WP Compound statements wp skip (Q) = Q wp x := e (Q) = Q[e / x] wp S 1 ; S 2 (Q) = wp S 1 (wp S 2 (Q)) wp if B then S 1 else S 2 = ( B wp S 1 (Q)) ( B wp S 2 (Q)) wp while B do {I} S = I")
41
VC rules VC gen ({P} S {Q}) = P wp S (Q) VC aux (S, Q) VC aux (S, Q) = {} (for any atomic statement) VC aux (S 1 ; S 2, Q) = VC aux (S 1, wp(S 2, Q)) VC aux (S 2, Q) VC aux (if C then S 1 else S 2, Q) = VC aux (S 1, Q) VC aux (S 2, Q) VC aux (while B do S, Q) = VC aux (S, I) {I B wp S (I)} {I B Q}
42
Pointer Traversals Observe that wp is only used positively in VCs (unlike invariants and preconditions) Allows EA formulas with reachability (AE R ) wp x := y.n (Q) = : ‘n(y)= ’ Q[ /x] –Replace n with n * using reachability inversions Universal quantifications are also used for allocation x := new()
![Pointer Traversals Observe that wp is only used positively in VCs (unlike invariants and preconditions) Allows EA formulas with reachability (AE R ) wp x := y.n (Q) = : ‘n(y)= ’ Q[ /x] –Replace n with n * using reachability inversions Universal quantifications are also used for allocation x := new()](http://images.slideplayer.com./24/7013393/slides/slide_42.jpg "Pointer Traversals Observe that wp is only used positively in VCs (unlike invariants and preconditions) Allows EA formulas with reachability (AE R ) wp x := y.n (Q) = : ‘n(y)= ’ Q[ /x] –Replace n with n * using reachability inversions Universal quantifications are also used for allocation x := new()")
43
Backward Reasoning with WP {a n * e c n * b disjoint(a,c)} d := e.n ; d.n := null ; d.n := c ; {a n * b} {a n * b (a n * d c n * b)} ( a n * b ( a n * d b n * d ) ) ( a n * d ( a n * d d n * d ) c n * b ( c n * d b n * d ) ) {} true
44
Backward Reasoning with WP {a n * e c n * b disjoint(a,c)} d := e.n ; d.n := null ; d.n := c ; {a n * b} {a n * b (a n * d c n * b)} ( a n * b ( a n * d b n * d ) ) ( a n * d c n * b ( c n * d b n * d ) ) {} : “n(e) = ” ( a n * b ( a n * b n * ) ) ( a n * c n * b ( c n * b n * ) ) {}
45
Closure Properties QF AE EA ,,,,,,,, wp x:=y , wp x.n:=y AF ,, , , , wp x:=y.n wp x:=new( ) ,,,,
46
Benchmark Formula Size Solving time P,QIVC # # # (Z3) SLL: reverse 221121333 57ms SLL: filter 511412804 39ms SLL: create 1010363 13ms SLL: delete 501211523 23ms SLL: deleteAll 32721063 32ms SLL: insert 81611783 17ms SLL: find 7171643 15ms SLL: last 3050743 15ms SLL: merge 14231222553226ms SLL: rotate 61 - -733 22ms SLL: swap 142 - -9655 26ms DLL: fix 521121213 32ms DLL: splice 102 - -1674 27ms
47
Disproving with SAT BenchmarkNature of defect Formula Size Solving time C.e. Size P,QIVC # # # (Z3) (vertices) SLL: find null pointer dereference 7171643 18ms 2 SLL: deleteAll Loop invariant in annotation is too weak to prove the desired property 3252683 58ms 5 SLL: rotate Transient cycle introduced during execution 61 - -1093 25ms 3 SLL: insert Unhandled corner case when an element with the same value already exists in the list --- ordering violated 81611783 33ms 4
48
Example Bug Node insert(Node h, Node e) { Node i = h, j = null; while {I} (i != null && e.val >= i.val) { j = i; i = i.n; } if (j != null) { j.n = e; e.n = i; } else { e.n = h; h = e; } return h; } I = : h i e < val null vnn h vn i e i’
49
Data Structures outside AF R Lists with the same lengths DAGs Grids …
50
List Reversal (general) Node reverse(Node h) { Node c = h; Node d = null; while {I} (c != null) { Node t = c.next; c.next = d; d = c; c = t; } return d } {ac [h] , : h h } h<n*> h<n*>h<n*> h<n*><n*><n*> <n*><n*> h h h h false : h n( ) h h null h , :
![List Reversal (general) Node reverse(Node h) { Node c = h; Node d = null; while {I} (c != null) { Node t = c.next; c.next = d; d = c; c = t; } return d } {ac [h] , : h h } h<n*> h<n*>h<n*> h<n*><n*><n*> <n*><n*> h h h h false : h n( ) h h null h , : ](http://images.slideplayer.com./24/7013393/slides/slide_50.jpg "List Reversal (general) Node reverse(Node h) { Node c = h; Node d = null; while {I} (c != null) { Node t = c.next; c.next = d; d = c; c = t; } return d } {ac [h] , : h h } h<n*> h<n*>h<n*> h<n*><n*><n*> <n*><n*> h h h h false : h n( ) h h null h , : ")
51
Related Work Axiomatizing Rechability –[Nelson POPL’83] Useful axioms –[Lev-Ami’09] Useful axioms + completeness study Descriptive Complexity [Hesse’03, Reps’03, Lahiri&Qadeer POPL’08] Decidable Logics [Mona, STRAND, LRP]
![Related Work Axiomatizing Rechability –[Nelson POPL’83] Useful axioms –[Lev-Ami’09] Useful axioms + completeness study Descriptive Complexity [Hesse’03, Reps’03, Lahiri&Qadeer POPL’08] Decidable Logics [Mona, STRAND, LRP]](http://images.slideplayer.com./24/7013393/slides/slide_51.jpg "Related Work Axiomatizing Rechability –[Nelson POPL’83] Useful axioms –[Lev-Ami’09] Useful axioms + completeness study Descriptive Complexity [Hesse’03, Reps’03, Lahiri&Qadeer POPL’08] Decidable Logics [Mona, STRAND, LRP]")
52
Summary Reduction to SAT Works for many programs Principles –Restricted invariants –Inversion n* –Incremental updates –Two logics
Similar presentations
