Download presentation
Presentation is loading. Please wait.
Published byLouisa Joseph Modified over 9 years ago
1
Cristian Gherghina 1, Cristina David 1, Shengchao Qin 2, Wei-Ngan Chin 1 1 National University of Singapore 2 University of Teesside Structured Specifications for Better Verification of Heap-Manipulating Programs TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A
2
Aim Our aim is to add structures to the specifications for improving: precision: verification succeeds for more scenarios. efficiency: faster verification. conciseness: more concise specifications. 2 FM 2011
3
Verifier Separation Logic Prover Program Code Program Code Pre/Post Conditions Pre/Post Conditions Separation logic: Used to reason about shared mutable data structures. emp// heap is empty x y // heap has exactly one cell A * B// heap is divided so that A holds in // one partition, while B the other HIP/SLEEK 3 FM 2011
4
Heap Predicates Heap Predicates Verifier Separation Logic Prover Program Code Program Code Pre/Post Conditions Pre/Post Conditions HIP/SLEEK 4 FM 2011 data node{int val; node next} ll = root=null n=0 root node * ll
5
Pure Provers (Omega, Mona, Isabelle) Pure Provers (Omega, Mona, Isabelle) Heap Predicates Heap Predicates Verifier Separation Logic Prover Program Code Program Code Pre/Post Conditions Pre/Post Conditions HIP/SLEEK 5 FM 2011
6
What can we prove? – Properties of mutable data structures. – Sortedness, length, height-balanced, etc. What must the user provide? – Heap predicates. – Pre and post conditions for each method (together with loop invariants). Heap Predicates Heap Predicates Verifier Separation Logic Prover Program Code Program Code Pre/Post Conditions Pre/Post Conditions SPECIFICATION HIP/SLEEK 6 FM 2011 Pure Provers (Omega, Mona, Isabelle) Pure Provers (Omega, Mona, Isabelle)
7
FM 2011 7 User intuition Spec. Structured spec. Triggers techniques during the proving process Better verification Formula staging Case analysis Early/late Instanti- ations
8
Agenda Background Case induced specifications 8 Early vs. Late instantiations Conclusions FM 2011 Staged formulae
9
root node avl avl D root node avl avl D 1+ h 1 = h 2 b=-1 h 1 =h 2 b=0 avl root,h,n,B,b root=null h=n=b=0 B={ } root node avl avl D h 1 = 1 + h 2 b=1 AVL tree with original spec 9 D = (n=1 + n 1 + n 2 B={v} U B 1 U B 2 x B 1.x v x B 2. x > v) FM 2011 Binary search tree Balance factor heightsize bag balance data node{ int val; node left; node right; } data node{ int val; node left; node right; }
10
AVL tree with original spec 10 avl root,h,n,B,b root=null h=n=b=0 B={ } root node avl avl D root node avl avl D root node avl avl D D = (n=1 + n 1 + n 2 B={v} U B 1 U B 2 x B 1.x v x B 2. x > v) FM 2011 h 1 =h 2 b=0 h 1 = 1 + h 2 b=1 1+ h 1 = h 2 b=-1
11
AVL tree with original spec 11 avl root,h,n,B,b root=null h=n=b=0 B={ } root node avl avl D D = (n=1 + n 1 + n 2 B={v} U B 1 U B 2 x B 1.x v x B 2. x > v) FM 2011 h 1 =h 2 b=0 h 1 = 1 + h 2 b=1 1+ h 1 = h 2 b=-1 then Staged formula
12
Agenda Background Case induced specifications 12 Early vs. Late instantiations Conclusions FM 2011 Staged formulae
13
node tail (node x) requires llx,n ∧ n>0 ensures (res=null ∧ n=1) ∨ (llres,n-1 ∧ n 1); { node aux = x.next; return aux; } ∃ q · x node_, q ∗ llq,n−1 ∧ n > 0 Tail function llx,n ∧ n>0 x node _, aux ∗ llaux,n−1 ∧ n > 0 x node _, res ∗ llres,n−1 ∧ n > 0 x node _, res ∗ llres,n−1 ∧ n > 0 |- postcondition 13 FM 2011 data node{ int val; node next} ll = root=null n=0 root node * ll
14
Entailment with inductive predicates 1 |- 2 * r Determine if the heap in 1 contains the heap in 2 r is the residue of 1 not matching 2 Separation logic formula 14 FM 2011
15
x node_, res ∗ llres, n−1 n 0 |- (res=null n=1) * r x node_, res ∗ llres, n−1 n 0 |- (res=null n=1) ∨ (llres,n−1 n 1) Entailment with inductive predicates x node_, res ∗ llres, n−1 n 0 |- (llres, n−1 n 1) * r Entailment fails! 15 FM 2011 node tail (node x) requires llx,n ∧ n>0 ensures (res=null ∧ n=1) ∨ (llres,n-1 ∧ n 1);
16
node tail (node x) requires llx,n ∧ n>0 ensures (res=null ∧ n=1) ∨ (llres,n-1 ∧ n 1); Tail function 16 Disjunction is difficult to reason about, leading to incompleteness. FM 2011
17
Tail function - structured node tail (node x) requires llx,n ∧ n > 0 case { n=1 → ensures res = null ; n 1 → ensures llres,n-1; } 17 FM 2011
18
Automatic case analysis |- case { 1 -> Z 1 ; 2 -> Z 2 } too general ∧ 1 |- Z 1 ∧ 2 |- Z 2 strengthened by case analysis disjoint conditions 18 FM 2011
19
x node _, res ∗ llres,n−1 ∧ n>0 ∧ n=1 |- (res=null) * r x node _, res ∗ llres,n−1 ∧ n>0 |- case { n=1 → ensures res = null; n 1 → ensures llres,n-1;} Entailment with inductive predicates x node _, res ∗ llres,n−1 ∧ n>0 ∧ n 1 |- (llres,n−1) * r Entailments succeed! 19 FM 2011 node tail (node x) requires llx,n ∧ n>0 case { n=1 → ensures res = null; n 1 → ensures llres,n-1;}
20
node mergeAVL(node t 1, node t 2 ) requires avlt 1, s 1, h 1, b 1 * avlt 2, s 2, h 2, b 2 ensures t 1 = null avlres, s 2, h 2, b 2 Ç t 1 != null avlres, s 1 +s 2, _, _; 20 FM 2011 Example height size balance
21
node mergeAVL(node t 1, node t 2 ) case{ t 1 =null → requires avlt 2, s 2, h 2, b 2 ensures avlres, s 2, h 2, b 2 ; t 1 !=null → requires avlt 2, s 2, h 2, b 2 ∗ avlt 1, s 1, _, _ ensures avlres, s 1 +s 2, _, _}; 21 FM 2011 Example
22
node mergeAVL(node t 1, node t 2 ) requires avlt 2, s 2, h 2, b 2 case{ t 1 =null → requires avlt 2, s 2, h 2, b 2 ensures avlres, s 2, h 2, b 2 ; t 1 !=null → requires avlt 2, s 2, h 2, b 2 ∗ avlt 1, s 1, _, _ ensures avlres, s 1 +s 2, _, _}; 22 FM 2011 Example
23
node mergeAVL(node t 1, node t 2 ) requires avlt 2, s 2, h 2, b 2 case{ t 1 =null → ensures avlres, s 2, h 2, b 2 ; t 1 !=null → requires avlt 1, s 1, _, _ ensures avlres, s 1 +s 2, _, _}; 23 FM 2011 Example
24
Agenda Background Case induced specifications 24 Early vs. Late instantiations Conclusions FM 2011 Staged formulae
25
Instantiations (1) Different types of bindings for the logical variables (of consequent) during the entailment. Used for the variables linking the precondition with the postcondition. int length (node x) requires x::ll ensures x::ll res=n 25 FM 2011 logical var program var
26
Instantiations (2) x node |- n.(x::ll n>0) x node |- n.(x node * ll n>0) n=1 |- n-1=0 n>0 Instantiation: n=1 26 FM 2011 data node{ int val; node next} ll = root=null n=0 root node * ll Entailment succeeds!
27
data cell {int val} cellPredroot, i = (root=null i 3) (root cell_ i>3); Early instantiation: p = null |- k.(cellPredp, k k>2) * r p = null |- k.((p=null k 3) k>2) * r p = null k 3|- p=null k>2 k 3) * r Instantiation: k 3 Late instantiation: p = null |- ([k] cellPredp, k k>2) * r p = null |- k. (p=null k 3 k>2) * r Instantiation: k 3 k>2 Instantiations (3) 27 Entailment fails! Entailment succeeds! FM 2011
28
Early vs. Late instantiation Triggered for just the matched predicate. Minimizes the use of existential quantification. Triggered for the entire formula. More complete. 28 FM 2011 Early instantiation: Late instantiation:
29
Experiments 29 FM 2011
30
Conclusion The structured specification mechanism: Enables automatic case analysis. Promotes a more modular verification, where larger/hard proofs are broken into smaller/simpler proofs. Guides the steps taken by the prover from the specification level. 30 FM 2011
31
Thank you! 31
32
Limerick: On verification This work improves the specification Based on a logic of separation We propose case analysis To be used in my thesis For a better verification! 32
33
Separation logic - example 3 3 y y x 3,y x 3 3 y y (x 3,y) * (y 3,z) 3 3 z z x 33 FM 2011
34
then case { h 1 = h 2 => b=0 1 +h 1 = h 2 => b=-1 h 1 = 1+ h 2 => b=1} AVL tree with original spec 34 avl root,h,n,B,b root=null h=n=b=0 B={ } root node avl avl D D = (n=1 + n 1 + n 2 B={v} U B 1 U B 2 x B 1.x v x B 2. x > v) FM 2011 h 1 =h 2 b=0 h 1 = 1 + h 2 b=1 1+ h 1 = h 2 b=-1
35
then case { h 1 = h 2 => b=0 1 +h 1 = h 2 => b=-1 h 1 = 1+ h 2 => b=1} AVL tree with original spec 35 avl root,h,n,B,b root=null h=n=b=0 B={ } root node avl avl D D = (n=1 + n 1 + n 2 B={v} U B 1 U B 2 x B 1.x v x B 2. x > v) FM 2011 Staged formula Case induced specs
36
Instantiations - examples data cell {int val} cellPredroot, i = (root=null i 3) (root cell_ i>3); Early instantiation: p cell_ |- (cellPredp, k k>2) * r k>3 |- k>3 k>2 * r Late instantiation: 36 Both entailments succeed! FM 2011 p cell_ |- ([k] cellPredp, k k>2)* r p cell_ |- k. (k 3 k>2) * r
37
ll = root=null n=0 root node * ll Heap predicate for a singly-linked list data node{ int val; node next} data node{ int val; node next} root ….. q 37 FM 2011
38
Pre and post conditions int length(node x) { if (x==null) then 0 else 1+length(x.next) } requires llx,n ensures llx,n ∧ res=n; 38 FM 2011
39
data cell {int val} cellPredroot, i = (root=null i 3) (root cell_ i>3); Early instantiation: p = null |- k.(cellPredp, k k>2) * r p = null |- k.((p=null k 3) k>2) * r p = null k 3 |- (p=null k 3) k>2 * r p = null k 3 |- k>2 * r Instantiation: k 3 Instantiations - examples 39 Entailment fails! FM 2011
40
Aim Typically, a specification mechanism focuses on: expressiveness: verification of more properties. abstraction: information hiding in spec. modularity: more readable and reusable specs. Our aim is to add structures to the specs for improving: precision: verification succeeds for more scenarios. efficiency: faster verification. conciseness: more concise specifications. 40 FM 2011
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.