Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Automated Verification via Separation Logic Cristian Gherghina (NUS, Singapore) Cristina David(NUS, Singapore) Shengchao Qin(Durham, UK) Wei-Ngan Chin(NUS,

Similar presentations


Presentation on theme: "1 Automated Verification via Separation Logic Cristian Gherghina (NUS, Singapore) Cristina David(NUS, Singapore) Shengchao Qin(Durham, UK) Wei-Ngan Chin(NUS,"— Presentation transcript:

1 1 Automated Verification via Separation Logic Cristian Gherghina (NUS, Singapore) Cristina David(NUS, Singapore) Shengchao Qin(Durham, UK) Wei-Ngan Chin(NUS, Singapore)

2 2 Goal Verify programs involving mutable data structures with invariants and other properties

3 3 Challenges Strong updates in the presence of aliasing User-defined recursive predicates Concise, precise, expressive specs Emphasis : practical verification Our Search for Solution Sized Types  Separation Logic

4 4 Separation Logic Extension to Hoare logic to reason about shared mutable data structures. Foundations O’Hearn and Pym, “The Logic of Bunched Implications”, Bulletin of Symbolic Logic 1999 Reynolds, “Separation Logic: A Logic for Shared Mutable Data Structures”, LICS 2002  : spatial conjunction --  : spatial implication

5 5 Examples (Reynolds LICS 2002) 3 y 3 x xy x  3,y  y  3,x 3 x y x  3,y  y  3,x 3 x x  3,y y Separation FormulaeActual Heap

6 6 Outline Background Our Approach How to Verify? Entailment Approximation Expressiveness Set of States Lemmas

7 7 Overall System code verifier separation logic prover Pre/Post Shape Predicate Lemmas Code range of pure provers e.g. Omega,Mona,Coq, Isabelle,cvc3,redlog,

8 8 Separation Formulae Heap part Describes data structure in heap memory Well-formed : all nodes reachable from “root” pointer Well-founded : no direct looping predicate. No conjunction over heap states. Pure part Size, bag and pointer constraints (that can be handled by pure provers).

9 9 Example Predicates sortl  n,mi,mx   root::node  mi,null   mi=mx Æ n=1  root::node  mi,q   q::sortl  n-1,k,mx   mi  k inv n  1 Æ mi · mx Non-empty sorted list root:: ll  n   root=null  n=0  9 r. root::node  a, r   r::ll  n-1  inv n  0 Singly-linked list derived attribute (c.f. model field) user-supplied invariant root null

10 10 Example Predicates AVL-Tree (near-balanced tree) avl  h   root = null Æ h = 0 Ç root::node h, h, p, q i  p::avl h h1 i  q::avl h h2 i Æ -1 · h1-h2 · 1 Æ h=1+max(h1,h2) inv h ¸ 0

11 11 Example Predicates AVL-Tree with BST property avl  h,S   root = null Æ h = 0 Æ S={} Ç root::node h, v, p, q i  p::avl h h1,S1 i  q::avl h h2,S2 i Æ -1 · h1-h2 · 1 Æ h=1+max(h1,h2) Æ 8 x 2 S1. x · v Æ 8 y 2 S2. v < x Æ S={v} [ S1 [ S2 inv h ¸ 0

12 12 Outline Background Our Approach How to Verify? Entailment Approximation Expressiveness Set of States Lemmas Structured Specs

13 13 Automated Verification Methods and loops are annotated with pre- and post-conditions. Entailment checks Precondition at call site Postcondition at end of method State transition formula (e.g. x’=x+1) initial value : x latest value : x’ (primed variable)

14 14 Verifier based on Hoare-triple ` {  } code {  1 } pre-statepost-state

15 15 Some Verification Rules

16 16 Insert into a Sorted List node insert(node x, node vn) requires x::sortl  n, sm,lg   vn::node  v,_  ensures res::sortl  n+1,min(v,sm),max(v,lg)  { if (vn.val≤x.val) then { vn.next = x; return vn; } else if (x.next=null) then { x.next = vn; vn.next = null; return x; } else { x.next = insert(x.next, vn); return x; } }

17 17 { x’::sortl  vn’::node } vn.next = x; { (x’::node  n=1 Æ mi=mx  x’::node  q::sortl  mi  k  n  2)  vn’::node  v  mi } if (vn.val · x.val) then { return vn; { res::sortl } } { (x’::node  n=1  mi=mx  x’::node  q::sortl  mi  k  n  2)  vn’::node  v  mi } { (x’::node  n=1  mi=mx  x’::node  q::sortl  mi  k  n  2)  vn’::node  v  mi Æ res=vn’ }

18 18 Outline Background Our Approach How to Verify? Entailment Approximation Expressiveness Set of States Lemmas Structured Specs

19 19 Separation Logic Prover  1 `  2   3  1 must “subsumes” all heap nodes in  2. Residual nodes are then kept in  3. ALGORITHM : Ensure all nodes in  2 are subsumed by  1, then convert to an arithmetic implication check. antecedentconsequentresidual

20 20 Entailment Algorithm

21 21 Key Steps of Entailment Matching Aliased data nodes/predicates are matched and their components/arguments unified. Supports implicit instantiation. Unfolding Replaces a predicate on LHS by its definition to match a node on the RHS Folding Triggered by a predicate on the RHS and a data node on the LHS. Supports implicit instantation.

22 22 Extension to Inference Infer pure pre/post conditions 1 Æ  ` 2  3 1 Æ  ` 2  3 Joint work with collaborators at Durham.

23 23 Outline Background Our Approach Why Verification? Entailment Approximation Expressiveness Set of States Lemmas

24 24 Approximation Entailment is reduced to implication of pure constraints when the consequent’s heap is empty. Each predicate is approximated by a pure constraint.

25 25 Approximation: Examples XPure n (x::node h i  y::node h i ) = (ex i. x=i Æ i>0)  ( ex j. y=j Æ j>0) =  i,j. (x=i Æ i>0 Æ y=j Æ j>0 Æ i  j) XPure 0 (x::ll h n i ) = n ¸ 0 XPure 1 (x::ll h n i ) =  i. (x=0 Æ n=0 Ç x=i Æ i>0 Æ n-1 ¸ 0) too weak more info

26 26 Outline Background Our Approach How to Verify? Entailment Approximation Expressiveness Set of States Lemmas Structured Specs

27 27 Proof Search (Set of States)  1 `  2  {  3,..,  n } {  3,..,  n } denotes non-deterministic outcome from proof search. { } means entailment has failed. Modified Hoare triple :  {  } code {  1,..,  n }

28 28 Related Predicates Some predicates may be related. Every sorted list is also an unsorted list. ll  n   root=null  n=0  root::node  _,r   r::ll  n-1  inv n  0 sortl  n,min,max   root::node  min,null   min=max Æ n=1  root::node  min,q   q::sortl  n-1,k,max   min  k inv n  1 Æ min · max root:: sortl  n,min,max  ) root::ll  n  Lemma is used in bubble sorting.

29 29 Idea User : - provide the lemmas Our system automatically : - proves each lemma - applies lemmas where possible during entailment proving

30 30 Lemmas Allowed c 1  v 1 *   ) 9 v * ¢ root::c 2  v 2 *    Æ  Implication c 1  v 1 *    ( 9 v * ¢ root::c 2  v 2 *    Æ  Reverse-Implication c 1  v 1 *   , 9 v * ¢ root::c 2  v 2 *    Æ  Equivalence 8 v *. c 1  v 1 *      1 ) 9 v * ¢ root::c 2  v 2 *     Æ   Complex LHS

31 31 Outline Background Our Approach How to Verify? Entailment Approximation Expressiveness Set of States Lemmas Structured Specs

32 32 Why Structured Specs? Better reuse. Better handling of disjunction. Difference contexts of uses.  Better Precision + Performance

33 33 Syntax

34 34 Unstructured Spec Z is repeated instantiations? disjunctions

35 35 Structured Specification case analysis instantiation staged formula

36 36 Disjunctive Incompleteness Good for searching proof but incomplete … 1 · x · 2 |- x=1 Ç x=2 1 · x · 2 |- x=11 · x · 2 |- x=2 OR

37 37 Solution – Rewrite Specs 1 · x · 2 |- case {x · 1  x=1 ; x>1  x=2} x · 1 Æ 1 · x · 2 |- x=1 x > 1 Æ 1 · x · 2 |- x=2 case enhanced spec

38 38 Conditions for Case Constructs

39 39 Semantics

40 40 Experiments

41 41 Tools Developed SLEEK – Entailment Prover HIP – Verifier for Imperative Language HIPO – Verifier for OO Language.

42 42 Conclusion User-defined data structures with size/bag properties and invariants. Sound and terminating entailment proving Expressive structured specifications with proof search and lemma rules. Future work: inference + static debugging + scalability + concurrency etc.

43 43 Experiments

44 44 Related Works Separation Logic (OHearn, Berdine, Calcagno et al. APLAS05) TVLA/Shape Analysis (Reps, Sagiv et al.) PALE/MONA (Moeller, Schwartzbach) Grammar-based Shape Analysis (Lee, Yang + Yi ESOP05) Quantitative Shape Analysis (Rugina SAS04) ILC (Jia & Walker ESOP06)

45 45 Complex Lemma 8 v *. c 1  v 1 *      1 ) 9 v * ¢ root::c 2  v 2 *     Æ   An Example 8 i,j. x::lseg  n,p  Æ i,j ¸ 0 Æ n=i+j )  9 r. x::lseg  i,r   r::lseg  j,p  x::lseg  n,p  ) 9 i,j,r. x::lseg  i,r   r::lseg  j,p  Æ n=i+j More general

46 46 Experiments

47 47 Experiments Proof search’s overhead is low Proof search is critical

48 48 Experiments

49 49 Scalable Performance Break large predicates into smaller ones

50 50 Experiments

51 51 Multiple Pre/Post void append(node x, node y) { if (x.next  null) then { append(x.next,y) } else { x.next := y } } Any other useful specifications for this method? requires x::lseg  y::lseg Æ n ¸ 1 ensures x::lseg

52 52 What if x and y are aliased? void append(node x, node y) requires x::lseg Æ x=y Æ n ¸ 1 ensures x::clist Æ requires x::lseg Æ n ¸ 1 ensures x::lseg Circular List!

53 53 What if x and y are sorted lists? void append(node x, node y) requires x::sortl  y::sortl Æ b 1 · s 2 ensures x::sortl Æ requires x::sortl  y=null ensures x::sortl

54 54 Example Predicates lseg  n,p   root=p  n=0 Ç root::node  a,r   r::lseg  n-1, p  inv n ¸ 0 List Segment (with a dangling ptr) root p Non-empty Circular list clist  n   root::node  a,r   r::lseg  n-1,root  inv n  1 root r

55 55 Core Language + Specifications

56 56 Matching Object/Predicate x::ll h n iÆ n>1 ` 9 m ¢ x::ll h m iÆ m>0 matching n>1 ` n>0 x::ll h n iÆ n>1 ` x::ll h m iÆ m>0 matching n=m Æ n>1 ` n>0 implicit instantiation of free var mfree var

57 57 Example of Free Variables Specification void insert(node x, int v) requires x::ll h n i Æ n>0 ensures x::ll h n+1 i free variable linking pre and post conditions

58 58 Our Work Size and bag (pure) properties Data structure with derived size/bag properties and invariant. Length, height-balanced, sortedness etc. User-specified predicates can be recursive Entailment prover for separation formulae with lemmas + proof search

59 59 Unfolding x::ll h n iÆ n>1 ` 9 r, m ¢ x::node h _,r i  r::ll h m iÆ m>0 Unfolding 9 q ¢ x::node h _, q i  q::ll h n-1 i Æ n>1 ` 9 r, m ¢ x::node h _, r i  r::ll h m i Æ m>0 Matching q1::ll h n-1 iÆ n>1 ` 9 m ¢ q1::ll Æ m>0 n>1 ` 9 m ¢ m=n-1 Æ m>0

60 60 y=null ` y::ll h m i Æ m=0 Recursive entailment y=null ` y=null Æ m=0 Ç y::node h _,r i  r::ll h m-1 i Back y=null Æ m=0 ` m=0 Folding: Base Case

61 61 x::node h _, r i Æ r=null ` x::ll h n i Æ n>0 Recursive entailment x::node h _, r i Æ r=null ` 9 q,k ¢ x::node h _,q i  q::ll h k i Æ k=n-1 Ç x=null Æ n=0 r=null ` 9 k ¢ r::ll h k i Æ k=n-1 Back from fold: r=null Æ n-1=0 ` n>0 Folding: Recursive Case

62 62 Equivalence Lemma Definition of list segment is inadequate Termination ensured by well-formed and well-founded property Important to have equivalence coercion : lseg  n,p   root=p  n=0  root::node  _,r   r::lseg  n-1,p  inv n  0 basic definition extra property lseg  n,p , 9 i,j,r. root::lseg  i,r   r::lseg  j,p  Æ n=i+j

63 63 Proof Search via Equiv. Lemma x::lseg  n,p  … ` x::lseg  m,r  … match … ` [n/m,p/r] … unfold lseg  n,p  x::lseg  i,q   q::lseg  j,p  Æ n=i+j … ` x::lseg  m,r  … fold lseg  m,r  x::lseg  n,p  … ` x::lseg  i,q   q::lseg  j,r  Æ m=i+j


Download ppt "1 Automated Verification via Separation Logic Cristian Gherghina (NUS, Singapore) Cristina David(NUS, Singapore) Shengchao Qin(Durham, UK) Wei-Ngan Chin(NUS,"

Similar presentations


Ads by Google