Download presentation
Presentation is loading. Please wait.
Published byRiley Holden Modified over 11 years ago
1
10.8.2006 SAT-based methods for proving properties in Reynolds/O'Hearn Separation Logic Daniel Kröning (currently visiting CBL) Joint work with B. Cook and J. Berdine
2
10.8.2006 Daniel Kroening 2 Program Verification Goal: Editor that highlights programming errors Not syntax, but semantics
3
10.8.2006 Daniel Kroening 3 Like what?
4
10.8.2006 Daniel Kroening 4 Verification Engines UnwindingAbstraction Bounded Model Checking (BMC) No invariant discovery One very large constraint problem A lot of case-splitting Abstract interpretation Predicate abstraction Attempting invariant discovery Many small constraint problems Little case-splitting
5
10.8.2006 Daniel Kroening 5 Program Analysis: BMC BMC Progra m C ONSTRAINT S OLVER VC Model SAT solver, CVC-Lite, Math-SAT, … CBMC, …
6
10.8.2006 Daniel Kroening 6 BMC Overview ANSI-C Program unwind parsing + * = Parse tree + * = Constraint Problem CNF SAT Solver
7
10.8.2006 Daniel Kroening 7 ANSI-C Transformation 1.Preparation Side effect removal continue, break replaced by goto for, do while replaced by while 2.Unwinding Loops are unwound Same for backward goto jumps and recursive functions
8
10.8.2006 Daniel Kroening 8 Implementation 3.Transformation into Equation After unwinding: Transform into SSA Example: Generate constraints by simply conjoining equations resulting from assignments For arrays, use simple lambda notation
9
10.8.2006 Daniel Kroening 9 Example
10
10.8.2006 Daniel Kroening 10 Required Theories Bit vector Arrays Pointers (pair of object/offset) Floating Point If contained in assertion: Quantifiers Data type predicates (lists, trees, …)
11
10.8.2006 Daniel Kroening 11 int *p, x, y; int main() { int z; y=z; p=&y; x=*p; assert(x==z); } cbmc test.c –cvc –outfile test Example
12
10.8.2006 Daniel Kroening 12 p0: [# object: INT, offset: BITVECTOR(32) #] = (# object:=0, offset:=0bin00000000000000000000000000000000 #); x0: BITVECTOR(32) = 0bin00000000000000000000000000000000; y0: BITVECTOR(32) = 0bin00000000000000000000000000000000; z1: BITVECTOR(32); z0: BITVECTOR(32); y1: BITVECTOR(32) = z0; p1: [# object: INT, offset: BITVECTOR(32) #] = (# object:=3, offset:=0bin00000000000000000000000000000000 #); x1: BITVECTOR(32) = y1; l1: BOOLEAN; ASSERT l1 (x1=z0); ASSERT (NOT l1); QUERY FALSE; Download me! We have ~300 MB of benchmark files available Soon: SMT-Lib format
13
10.8.2006 Daniel Kroening 13 Program Analysis: Abstraction P ROGRAM A NALYSIS E NGINE Progra m C ONSTRAINT S OLVER VCs Model W IDENING T Simplify, Zapato, Cogent, CPLEX, … Pre-, Post-, Proof-based, … SLAM, …
14
10.8.2006 Daniel Kroening 14 Existing Tools Implement Fragments of linear arithmetic, Maybe arrays, maybe pointers Sometimes float
15
10.8.2006 Daniel Kroening 15 Extending the Assertion Logic P ROGRAM A NALYSIS E NGINE Progra m C ONSTRAINT S OLVER VCCs Model W IDENING T Linear Arithmetic, Arrays, Float, …
16
10.8.2006 Daniel Kroening 16 Existing Tools Biggest challenge for mass-market: dynamic data structures Fix with choice of assertion logic, e.g., Reynolds Separation Logic E.g., add separating conjunction and predicates for linked list
17
10.8.2006 Daniel Kroening 17 Separation Logic A logic for heap data structures NOT the same as the fragment of linear arithmetic called difference logic Due to Reynolds/OHearn
18
10.8.2006 Daniel Kroening 18 Separation Logic.. Payload next pointer ….. … Main problem: Need to specify that all heap cells are disjoint
19
10.8.2006 Daniel Kroening 19 Separation Logic In general, one needs to express constraints that a data structure does not share cells with any other data structure Key idea: new logical operator P * Q Separating Conjunction
20
10.8.2006 Daniel Kroening 20 Separation Logic Semantics of expressions defined over valuations of heaps (maps from addresses to values) Obvious meaning for StateHeapPointerValue
21
10.8.2006 Daniel Kroening 21 Separation Logic Define disjoint heaps: Separating conjunction:
22
10.8.2006 Daniel Kroening 22 Separation Logic: Lists Notation for sequences : empty sequence x ¢ : concatenation Define list:
23
10.8.2006 Daniel Kroening 23 Extending the Assertion Logic P ROGRAM A NALYSIS E NGINE Progra m C ONSTRAINT S OLVER VCCs Model W IDENING T Linear Arithmetic, Arrays, Float, … +Separation Logic
24
10.8.2006 Daniel Kroening 24 Who does the assertions? Manual annotations Automatic discovery Standard Template Library Data in containers is implicitly in separate heap cells typedef std::hash_map symbolst;... typedef std::vector nodest;
25
10.8.2006 Daniel Kroening 25 Requirements for Constraint Solvers Constraint solver must support very rich logic Data types might even be application-specific But most queries are simple! Extending custom-made constraint solver is tedious
26
10.8.2006 Daniel Kroening 26 Proposed Solution Assumption: we have a (partial) axiomatization of all logics Goal: high performance constraint solver 1 st step: define language for axioms
27
10.8.2006 Daniel Kroening 27 Example: Equality Logic equality_transitivity: A "=" B, B "=" C -> A "=" C; emp: rewrite h"|=""emp" h"="["semp""**""semp"]; equality_commutativity: A "=" B B "=" A; equality: A "=" A; disequality: A "!=" B NOT A "=" B;
28
10.8.2006 Daniel Kroening 28 Build a Compiler! 2 nd step: build a compiler Axioms g++ codegen C++ code Binary VCC SAT/UNSAT
29
10.8.2006 Daniel Kroening 29 Multiple Theories Note that one can combine multiple theories Interfacing through arbitrary propositions, not just equalities Convexity requirement?
30
10.8.2006 Daniel Kroening 30 What about OR? We could build case-splitting into the generated code However, we will never be able to implement Proper decision heuristics Non-chronological back-tracking Learning
31
10.8.2006 Daniel Kroening 31 What about OR? Alternative: produce reduction to propositional logic Generate CNF, and pass formula to SAT solver The formula is unsatisfiable iff there exists a deduction that shows a contradiction
32
10.8.2006 Daniel Kroening 32 What about OR? 3 nd step: add SAT solver Axioms g++ codegen C++ code Binary VCC CNF SAT Solver This is the eager version – lazy version straight-forward.
33
10.8.2006 Daniel Kroening 33 What about OR? emp: rewrite h"|=""emp" h"="["semp""**""semp"]; 1.Maintain truth value with each fact: 2.Set new facts to unknown 3.Assign a literal to each fact that has truth value unknown 4.For each deduction step, generate constraint
34
10.8.2006 Daniel Kroening 34 Separation Logic disjoint_not_self: h != emp -> not [h "# h]; not: h "|=" ["!" P] not [h "|=" P]; and: h "|=" [P "^" Q] h "|=" P, h "|=" Q; conditional: h "|=" [P "?" Q ":" R] (h "|=" P -> h "|=" Q), (h "|=" "!" P -> h "|=" R);
35
10.8.2006 Daniel Kroening 35 Separation Logic emp: rewrite h"|=""emp" h"="["semp""**""semp"]; star: h "|=" [P "*" Q] NEW h0 "|=" P, NEW h1 "|=" Q, h "=" [NEW h0 "**" NEW h1], NEW h0 "#" NEW h1;
36
10.8.2006 Daniel Kroening 36 Obtaining Invariants Again, could be custom-made Instead: inspect proofs of failed refutation-attempts Paper available on doing this for bit-vectors E.g., for constructing interpolants
37
10.8.2006 Daniel Kroening 37 Conclusion Generic constraint solver with propositional SAT as backend Especially for complicated logics Extensions of logic are easy All case-splitting is pushed into propositional SAT solver
38
10.8.2006 Daniel Kroening 38 Cross-Advertising TACAS: this can be used for –quantification over predicates CAV: Predicate abstraction for deep loops PDPAR: Completeness How to tell for sure that no proof exists?
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.