Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cristian Gherghina 1, Cristina David 1, Shengchao Qin 2, Wei-Ngan Chin 1 1 National University of Singapore 2 University of Teesside Structured Specifications.

Similar presentations


Presentation on theme: "Cristian Gherghina 1, Cristina David 1, Shengchao Qin 2, Wei-Ngan Chin 1 1 National University of Singapore 2 University of Teesside Structured Specifications."— Presentation transcript:

1 Cristian Gherghina 1, Cristina David 1, Shengchao Qin 2, Wei-Ngan Chin 1 1 National University of Singapore 2 University of Teesside Structured Specifications for Better Verification of Heap-Manipulating Programs TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A

2 Aim  Our aim is to add structures to the specifications for improving:  precision: verification succeeds for more scenarios.  efficiency: faster verification.  conciseness: more concise specifications. 2 FM 2011

3 Verifier Separation Logic Prover Program Code Program Code Pre/Post Conditions Pre/Post Conditions Separation logic: Used to reason about shared mutable data structures. emp// heap is empty x  y // heap has exactly one cell A * B// heap is divided so that A holds in // one partition, while B the other HIP/SLEEK 3 FM 2011

4 Heap Predicates Heap Predicates Verifier Separation Logic Prover Program Code Program Code Pre/Post Conditions Pre/Post Conditions HIP/SLEEK 4 FM 2011 data node{int val; node next} ll = root=null  n=0  root  node * ll

5 Pure Provers (Omega, Mona, Isabelle) Pure Provers (Omega, Mona, Isabelle) Heap Predicates Heap Predicates Verifier Separation Logic Prover Program Code Program Code Pre/Post Conditions Pre/Post Conditions HIP/SLEEK 5 FM 2011

6 What can we prove? – Properties of mutable data structures. – Sortedness, length, height-balanced, etc. What must the user provide? – Heap predicates. – Pre and post conditions for each method (together with loop invariants). Heap Predicates Heap Predicates Verifier Separation Logic Prover Program Code Program Code Pre/Post Conditions Pre/Post Conditions SPECIFICATION HIP/SLEEK 6 FM 2011 Pure Provers (Omega, Mona, Isabelle) Pure Provers (Omega, Mona, Isabelle)

7 FM 2011 7 User intuition Spec. Structured spec. Triggers techniques during the proving process Better verification Formula staging Case analysis Early/late Instanti- ations

8 Agenda Background Case induced specifications 8 Early vs. Late instantiations Conclusions FM 2011 Staged formulae

9  root  node  avl  avl   D  root  node  avl  avl   D 1+ h 1 = h 2  b=-1 h 1 =h 2  b=0 avl  root,h,n,B,b   root=null  h=n=b=0  B={ }  root  node  avl  avl   D h 1 = 1 + h 2  b=1 AVL tree with original spec 9 D = (n=1 + n 1 + n 2  B={v} U B 1 U B 2   x  B 1.x  v  x  B 2. x > v) FM 2011 Binary search tree Balance factor heightsize bag balance data node{ int val; node left; node right; } data node{ int val; node left; node right; }

10 AVL tree with original spec 10 avl  root,h,n,B,b   root=null  h=n=b=0  B={ }  root  node  avl  avl   D  root  node  avl  avl   D  root  node  avl  avl   D D = (n=1 + n 1 + n 2  B={v} U B 1 U B 2   x  B 1.x  v  x  B 2. x > v) FM 2011 h 1 =h 2  b=0 h 1 = 1 + h 2  b=1 1+ h 1 = h 2  b=-1

11 AVL tree with original spec 11 avl  root,h,n,B,b   root=null  h=n=b=0  B={ }  root  node  avl  avl   D D = (n=1 + n 1 + n 2  B={v} U B 1 U B 2   x  B 1.x  v  x  B 2. x > v) FM 2011 h 1 =h 2  b=0 h 1 = 1 + h 2  b=1 1+ h 1 = h 2  b=-1 then Staged formula  

12 Agenda Background Case induced specifications 12 Early vs. Late instantiations Conclusions FM 2011 Staged formulae

13 node tail (node x) requires llx,n ∧ n>0 ensures (res=null ∧ n=1) ∨ (llres,n-1 ∧ n  1); { node aux = x.next; return aux; } ∃ q · x  node_, q ∗ llq,n−1 ∧ n > 0 Tail function llx,n ∧ n>0 x  node _, aux ∗ llaux,n−1 ∧ n > 0 x  node _, res ∗ llres,n−1 ∧ n > 0 x  node _, res ∗ llres,n−1 ∧ n > 0 |- postcondition 13 FM 2011 data node{ int val; node next} ll = root=null  n=0  root  node * ll

14 Entailment with inductive predicates  1 |-  2 *  r  Determine if the heap in  1 contains the heap in  2   r is the residue of  1 not matching  2 Separation logic formula 14 FM 2011

15 x  node_, res ∗ llres, n−1  n  0 |- (res=null  n=1) *  r x  node_, res ∗ llres, n−1  n  0 |- (res=null  n=1) ∨ (llres,n−1  n  1) Entailment with inductive predicates x  node_, res ∗ llres, n−1  n  0 |- (llres, n−1  n  1) *  r Entailment fails! 15 FM 2011 node tail (node x) requires llx,n ∧ n>0 ensures (res=null ∧ n=1) ∨ (llres,n-1 ∧ n  1);

16 node tail (node x) requires llx,n ∧ n>0 ensures (res=null ∧ n=1) ∨ (llres,n-1 ∧ n  1); Tail function 16 Disjunction is difficult to reason about, leading to incompleteness. FM 2011

17 Tail function - structured node tail (node x) requires llx,n ∧ n > 0 case { n=1 → ensures res = null ; n  1 → ensures llres,n-1; } 17 FM 2011

18 Automatic case analysis  |- case {  1 -> Z 1 ;  2 -> Z 2 } too general  ∧  1 |- Z 1  ∧  2 |- Z 2 strengthened by case analysis disjoint conditions 18 FM 2011

19 x  node _, res ∗ llres,n−1 ∧ n>0 ∧ n=1 |- (res=null) *  r x  node _, res ∗ llres,n−1 ∧ n>0 |- case { n=1 → ensures res = null; n  1 → ensures llres,n-1;} Entailment with inductive predicates x  node _, res ∗ llres,n−1 ∧ n>0 ∧ n  1 |- (llres,n−1) *  r Entailments succeed! 19 FM 2011 node tail (node x) requires llx,n ∧ n>0 case { n=1 → ensures res = null; n  1 → ensures llres,n-1;}

20 node mergeAVL(node t 1, node t 2 ) requires avlt 1, s 1, h 1, b 1 * avlt 2, s 2, h 2, b 2 ensures t 1 = null  avlres, s 2, h 2, b 2 Ç t 1 != null  avlres, s 1 +s 2, _, _; 20 FM 2011 Example height size balance

21 node mergeAVL(node t 1, node t 2 ) case{ t 1 =null → requires avlt 2, s 2, h 2, b 2 ensures avlres, s 2, h 2, b 2 ; t 1 !=null → requires avlt 2, s 2, h 2, b 2 ∗ avlt 1, s 1, _, _ ensures avlres, s 1 +s 2, _, _}; 21 FM 2011 Example

22 node mergeAVL(node t 1, node t 2 ) requires avlt 2, s 2, h 2, b 2 case{ t 1 =null → requires avlt 2, s 2, h 2, b 2 ensures avlres, s 2, h 2, b 2 ; t 1 !=null → requires avlt 2, s 2, h 2, b 2 ∗ avlt 1, s 1, _, _ ensures avlres, s 1 +s 2, _, _}; 22 FM 2011 Example

23 node mergeAVL(node t 1, node t 2 ) requires avlt 2, s 2, h 2, b 2 case{ t 1 =null → ensures avlres, s 2, h 2, b 2 ; t 1 !=null → requires avlt 1, s 1, _, _ ensures avlres, s 1 +s 2, _, _}; 23 FM 2011 Example

24 Agenda Background Case induced specifications 24 Early vs. Late instantiations Conclusions FM 2011 Staged formulae

25 Instantiations (1)  Different types of bindings for the logical variables (of consequent) during the entailment.  Used for the variables linking the precondition with the postcondition. int length (node x) requires x::ll ensures x::ll  res=n 25 FM 2011 logical var program var

26 Instantiations (2)  x  node |-  n.(x::ll  n>0) x  node |-  n.(x  node * ll  n>0) n=1 |- n-1=0  n>0 Instantiation: n=1 26 FM 2011 data node{ int val; node next} ll = root=null  n=0  root  node * ll Entailment succeeds!

27 data cell {int val} cellPredroot, i = (root=null  i  3)  (root  cell_  i>3);  Early instantiation: p = null |-  k.(cellPredp, k  k>2) *  r p = null |-  k.((p=null  k  3)  k>2) *  r p = null  k  3|-  p=null  k>2  k  3) *  r Instantiation: k  3  Late instantiation: p = null |- ([k] cellPredp, k  k>2) *  r p = null |-  k. (p=null  k  3  k>2) *  r Instantiation: k  3  k>2 Instantiations (3) 27 Entailment fails! Entailment succeeds! FM 2011

28 Early vs. Late instantiation  Triggered for just the matched predicate.  Minimizes the use of existential quantification.  Triggered for the entire formula.  More complete. 28 FM 2011 Early instantiation: Late instantiation:

29 Experiments 29 FM 2011

30 Conclusion  The structured specification mechanism:  Enables automatic case analysis.  Promotes a more modular verification, where larger/hard proofs are broken into smaller/simpler proofs.  Guides the steps taken by the prover from the specification level. 30 FM 2011

31 Thank you! 31

32 Limerick: On verification This work improves the specification Based on a logic of separation We propose case analysis To be used in my thesis For a better verification! 32

33 Separation logic - example 3 3 y y x  3,y x 3 3 y y (x  3,y) * (y  3,z) 3 3 z z x 33 FM 2011

34 then case { h 1 = h 2 => b=0 1 +h 1 = h 2 => b=-1 h 1 = 1+ h 2 => b=1} AVL tree with original spec 34 avl  root,h,n,B,b   root=null  h=n=b=0  B={ }  root  node  avl  avl   D D = (n=1 + n 1 + n 2  B={v} U B 1 U B 2   x  B 1.x  v  x  B 2. x > v) FM 2011 h 1 =h 2  b=0 h 1 = 1 + h 2  b=1 1+ h 1 = h 2  b=-1

35 then case { h 1 = h 2 => b=0 1 +h 1 = h 2 => b=-1 h 1 = 1+ h 2 => b=1} AVL tree with original spec 35 avl  root,h,n,B,b   root=null  h=n=b=0  B={ }  root  node  avl  avl   D D = (n=1 + n 1 + n 2  B={v} U B 1 U B 2   x  B 1.x  v  x  B 2. x > v) FM 2011 Staged formula Case induced specs

36 Instantiations - examples data cell {int val} cellPredroot, i = (root=null  i  3)  (root  cell_  i>3);  Early instantiation: p  cell_ |- (cellPredp, k  k>2) *  r k>3 |- k>3  k>2 *  r  Late instantiation: 36 Both entailments succeed! FM 2011 p  cell_ |- ([k] cellPredp, k  k>2)*  r p  cell_ |-  k. (k  3  k>2) *  r

37 ll = root=null  n=0  root  node * ll Heap predicate for a singly-linked list data node{ int val; node next} data node{ int val; node next} root ….. q 37 FM 2011

38 Pre and post conditions int length(node x) { if (x==null) then 0 else 1+length(x.next) } requires llx,n ensures llx,n ∧ res=n; 38 FM 2011

39 data cell {int val} cellPredroot, i = (root=null  i  3)  (root  cell_  i>3);  Early instantiation: p = null |-  k.(cellPredp, k  k>2) *  r p = null |-  k.((p=null  k  3)  k>2) *  r p = null  k  3 |-  (p=null  k  3)  k>2 *  r p = null  k  3 |-  k>2 *  r Instantiation: k  3 Instantiations - examples 39 Entailment fails! FM 2011

40 Aim  Typically, a specification mechanism focuses on:  expressiveness: verification of more properties.  abstraction: information hiding in spec.  modularity: more readable and reusable specs.  Our aim is to add structures to the specs for improving:  precision: verification succeeds for more scenarios.  efficiency: faster verification.  conciseness: more concise specifications. 40 FM 2011


Download ppt "Cristian Gherghina 1, Cristina David 1, Shengchao Qin 2, Wei-Ngan Chin 1 1 National University of Singapore 2 University of Teesside Structured Specifications."

Similar presentations


Ads by Google