Download presentation
Presentation is loading. Please wait.
Published byBrent Dean Modified over 8 years ago
1
© Andrew IrelandDependable Systems Group Cooperative Reasoning for Automatic Software Verification Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt University Edinburgh
2
© Andrew IrelandDependable Systems Group Outline Separation logic Automatic software verification challenges Cooperative reasoning proposal
3
© Andrew IrelandDependable Systems Group Separation Logic John Reynolds (CMU) and Peter O’Hearn (QMU) Extends Hoare’s axiomatic basis so as to simplify pointer program proofs Deals smoothly with “dirty features” such as memory disposal and address arithmetic Focuses the reasoning effort on only those parts of the heap that are relevant to a program unit, i.e. local reasoning
4
© Andrew IrelandDependable Systems Group Logical Conjunction P ∧ Q Heap
5
© Andrew IrelandDependable Systems Group Separating Conjunction P ∗ Q Heap
6
© Andrew IrelandDependable Systems Group An Example x := cons(1,2); y := cons(3,4); [x+1] := y; [y+1] := x; store heap
7
© Andrew IrelandDependable Systems Group x := cons(1,2); y := cons(3,4); [x+1] := y; [y+1] := x; store x 12 heap (x ↦ 1, 2) An Example
8
© Andrew IrelandDependable Systems Group x := cons(1,2); y := cons(3,4); [x+1] := y; [y+1] := x; x y store heap 1234 (x ↦ 1, 2) ∗ (y ↦ 3, 4) An Example
9
© Andrew IrelandDependable Systems Group x := cons(1,2); y := cons(3,4); [x+1] := y; [y+1] := x; x y store heap 134 (x ↦ 1, y) ∗ (y ↦ 3, 4) An Example
10
© Andrew IrelandDependable Systems Group x := cons(1,2); y := cons(3,4); [x+1] := y; [y+1] := x; x y store heap 13 (x ↦ 1, y) ∗ (y ↦ 3, x) An Example
11
© Andrew IrelandDependable Systems Group Frame Rule {P} C {Q} {R*P} C {R*Q} where no variable occurring free in R is modified by C
12
© Andrew IrelandDependable Systems Group Singly-linked Lists list ( [],Y,Z ) ↔ emp Y=Z list ( [W|X],Y,Z)↔ ( ∃ p.( Y ↦ W,p ) *list ( X,p,Z )) a1a1 a2a2 anan … i list([a 1, a 2, …, a n ],i,j) j
13
© Andrew IrelandDependable Systems Group {list(A,i,nil)} procedure copylist(i; j) is if i = nil then j := i else newvar ih, it, jt in ih := [i]; it := [i+1]; {R ∗ list(A t,i t,nil)} copylist(it; jt); {R ∗ list(A t,i t,nil) * list(A t,j t,nil)} j := cons(ih, jt) end if end copylist {list(A,i,nil) * list(A,j,nil)} { ∃ A h, A t.([A h |A t ]=A) ∧ (i h =A h ) ∧ (i ↦ i h,i t ) ∗ list(A t,i t,nil)} copylist(it; jt); { ∃ A h,A t.([A h |A t ]=A) ∧ (i h =A h ) ∧ (i ↦ i h,i t ) ∗ list(A t,i t,nil) ∗ list(A t,j t,nil)} Frame Axiom Discovery
14
© Andrew IrelandDependable Systems Group {list(A,i,nil)} procedure copylist(i; j) is if i = nil then j := i else newvar ih, it, jt in ih := [i]; it := [i+1]; {R ∗ list(A t,i t,nil)} copylist(it; jt); {R ∗ list(A t,i t,nil) * list(A t,j t,nil} j := cons(ih, jt) end if end copylist {list(A,i,nil) * list(A,j,nil)} { ∃ A h, A t.([A h |A t ]=A) ∧ (i h =A h ) ∧ (i ↦ i h,i t ) ∗ list(A t,i t,nil)} copylist(it; jt); { ∃ A h,A t.([A h |A t ]=A) ∧ (i h =A h ) ∧ (i ↦ i h,i t ) ∗ list(A t,i t,nil) ∗ list(A t,j t,nil)} shape Frame Axiom Discovery
15
© Andrew IrelandDependable Systems Group {list(A,i,nil)} procedure copylist(i; j) is if i = nil then j := i else newvar ih, it, jt in ih := [i]; it := [i+1]; {R ∗ list(A t,i t,nil)} copylist(it; jt); {R ∗ list(A t,i t,nil) * list(A t,j t,nil} j := cons(ih, jt) end if end copylist {list(A,i,nil) * list(A,j,nil)} { ∃ A h, A t.([A h |A t ]=A) ∧ (i h =A h ) ∧ (i ↦ i h,i t ) ∗ list(A t,i t,nil)} copylist(it; jt); { ∃ A h,A t.([A h |A t ]=A) ∧ (i h =A h ) ∧ (i ↦ i h,i t ) ∗ list(A t,i t,nil) ∗ list(A t,j t,nil)} content Frame Axiom Discovery
16
© Andrew IrelandDependable Systems Group { ∃ A. list(A,i,nil) ∧ A init = A} j := nil; {R} while not(i = nil) loop k := [i+1]; [i+1] := j; j := i; i := k end loop { ∃ B.list(B,j,nil) ∧ rev(A init )= B)} Loop Invariant Discovery R : { ∃ A,B.list(A,i,nil)*list(B,j,nil) ∧ rev(A init )=app(rev(A),B)}
17
© Andrew IrelandDependable Systems Group { ∃ A. list(A,i) ∧ A init = A} j := nil; {R} while not(i = nil) loop k := [i+1]; [i+1] := j; j := i; i := k end loop { ∃ B.list(B,j,nil) ∧ rev(A init )= B)} R : { ∃ A,B.list(A,i,nil)*list(B,j,nil) ∧ rev(A init )=app(rev(A),B)} Loop Invariant Discovery shape
18
© Andrew IrelandDependable Systems Group { ∃ A. list(A,i) ∧ A init = A} j := nil; {R} while not(i = nil) loop k := [i+1]; [i+1] := j; j := i; i := k end loop { ∃ B.list(B,j,nil) ∧ rev(A init )= B)} R : { ∃ A,B.list(A,i,nil)*list(B,j,nil) ∧ rev(A init )=app(rev(A),B)} Loop Invariant Discovery content
19
© Andrew IrelandDependable Systems Group { ∃ A,B. list(A,x,nil)* list(B,y,nil) ∧ A = A init ∧ B = B init } if (x = 0) then x := y; else t:= x; u:= [t+1]; {R} while not(u = nil) loop t:= u;u:= [t+1]; end loop; [t+1]:= y; { ∃ C.list(C,x,nil) ∧ C = app(A init,B init )} Inductive Lemma Discovery list(X,V,W)*list(Y,W,nil) ↔ list(app(X,Y),V,nil)
20
© Andrew IrelandDependable Systems Group { ∃ A,B. list(A,x,nil)* list(B,y,nil) ∧ A = A init ∧ B = B init } if (x = 0) then x := y; else t:= x; u:= [t+1]; {R} while not(u = nil) loop t:= u;u:= [t+1]; end loop; [t+1]:= y; { ∃ C.list(C,x,nil) ∧ C = app(A init,B init )} Inductive Lemma Discovery list(X,V,W)*list(Y,W,nil) ↔ list(app(X,Y),V,nil) shape
21
© Andrew IrelandDependable Systems Group { ∃ A,B. list(A,x,nil)* list(B,y,nil) ∧ A = A init ∧ B = B init } if (x = 0) then x := y; else t:= x; u:= [t+1]; {R} while not(u = nil) loop t:= u;u:= [t+1]; end loop; [t+1]:= y; { ∃ C.list(C,x,nil) ∧ C = app(A init,B init )} Inductive Lemma Discovery list(X,V,W)*list(Y,W,nil) ↔ list(app(X,Y),V,nil) content
22
© Andrew IrelandDependable Systems Group Symbolic Execution Smallfoot: implements a symbolic execution method that automates the verification of shape properties for loop-free code SpaceInvader: extends Smallfoot so as to deal with loops, i.e. uses abstraction to discovery loop (shape) invariants Tools lack extensibility, i.e. fixed number of data types and inductive properties
23
© Andrew IrelandDependable Systems Group Automatic Theorem Proving Proof planning Methods + Critics Proof checking Tactics Conjectures Theory Proof plans promote reuse, robustness and tool integration
24
© Andrew IrelandDependable Systems Group Proof Planning Middle-out reasoning: use of meta-variables in delaying choice during proof planning Proof critics: automatic proof patching via proof- failure analysis, e.g. generalization, lemma and loop invariant discovery Cooperative reasoning: –Clam/HOL: proof by mathematical induction –SPADEase: program analysis & proof planning for SPARK
25
© Andrew IrelandDependable Systems Group Cooperative Reasoning +=
26
© Andrew IrelandDependable Systems Group Cooperative Reasoning += = Complementary techniques compensating for each other’s weaknesses
27
© Andrew IrelandDependable Systems Group Symbolic ExecutionProof Planning shape invariants content invariants soundness extensibility Compensating for Weaknesses?
28
© Andrew IrelandDependable Systems Group Executive Summary Adapt and extend existing proof plans for use within separation logic – IsaPlanner/Isabelle. Build upon off-the-shelf shape analysis tools from Peter O’Hearn’s group (QMU) – Smallfoot etc. Hypothesis: Proposed cooperation will improve state-of-the-art for verification automation. Specification = shape + content
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.