Download presentation
Presentation is loading. Please wait.
Published byDerek Cannon Modified over 9 years ago
1
1 Automated Verification via Separation Logic Cristian Gherghina (NUS, Singapore) Cristina David(NUS, Singapore) Shengchao Qin(Durham, UK) Wei-Ngan Chin(NUS, Singapore)
2
2 Goal Verify programs involving mutable data structures with invariants and other properties
3
3 Challenges Strong updates in the presence of aliasing User-defined recursive predicates Concise, precise, expressive specs Emphasis : practical verification Our Search for Solution Sized Types Separation Logic
4
4 Separation Logic Extension to Hoare logic to reason about shared mutable data structures. Foundations O’Hearn and Pym, “The Logic of Bunched Implications”, Bulletin of Symbolic Logic 1999 Reynolds, “Separation Logic: A Logic for Shared Mutable Data Structures”, LICS 2002 : spatial conjunction -- : spatial implication
5
5 Examples (Reynolds LICS 2002) 3 y 3 x xy x 3,y y 3,x 3 x y x 3,y y 3,x 3 x x 3,y y Separation FormulaeActual Heap
6
6 Outline Background Our Approach How to Verify? Entailment Approximation Expressiveness Set of States Lemmas
7
7 Overall System code verifier separation logic prover Pre/Post Shape Predicate Lemmas Code range of pure provers e.g. Omega,Mona,Coq, Isabelle,cvc3,redlog,
8
8 Separation Formulae Heap part Describes data structure in heap memory Well-formed : all nodes reachable from “root” pointer Well-founded : no direct looping predicate. No conjunction over heap states. Pure part Size, bag and pointer constraints (that can be handled by pure provers).
9
9 Example Predicates sortl n,mi,mx root::node mi,null mi=mx Æ n=1 root::node mi,q q::sortl n-1,k,mx mi k inv n 1 Æ mi · mx Non-empty sorted list root:: ll n root=null n=0 9 r. root::node a, r r::ll n-1 inv n 0 Singly-linked list derived attribute (c.f. model field) user-supplied invariant root null
10
10 Example Predicates AVL-Tree (near-balanced tree) avl h root = null Æ h = 0 Ç root::node h, h, p, q i p::avl h h1 i q::avl h h2 i Æ -1 · h1-h2 · 1 Æ h=1+max(h1,h2) inv h ¸ 0
11
11 Example Predicates AVL-Tree with BST property avl h,S root = null Æ h = 0 Æ S={} Ç root::node h, v, p, q i p::avl h h1,S1 i q::avl h h2,S2 i Æ -1 · h1-h2 · 1 Æ h=1+max(h1,h2) Æ 8 x 2 S1. x · v Æ 8 y 2 S2. v < x Æ S={v} [ S1 [ S2 inv h ¸ 0
12
12 Outline Background Our Approach How to Verify? Entailment Approximation Expressiveness Set of States Lemmas Structured Specs
13
13 Automated Verification Methods and loops are annotated with pre- and post-conditions. Entailment checks Precondition at call site Postcondition at end of method State transition formula (e.g. x’=x+1) initial value : x latest value : x’ (primed variable)
14
14 Verifier based on Hoare-triple ` { } code { 1 } pre-statepost-state
15
15 Some Verification Rules
16
16 Insert into a Sorted List node insert(node x, node vn) requires x::sortl n, sm,lg vn::node v,_ ensures res::sortl n+1,min(v,sm),max(v,lg) { if (vn.val≤x.val) then { vn.next = x; return vn; } else if (x.next=null) then { x.next = vn; vn.next = null; return x; } else { x.next = insert(x.next, vn); return x; } }
17
17 { x’::sortl vn’::node } vn.next = x; { (x’::node n=1 Æ mi=mx x’::node q::sortl mi k n 2) vn’::node v mi } if (vn.val · x.val) then { return vn; { res::sortl } } { (x’::node n=1 mi=mx x’::node q::sortl mi k n 2) vn’::node v mi } { (x’::node n=1 mi=mx x’::node q::sortl mi k n 2) vn’::node v mi Æ res=vn’ }
18
18 Outline Background Our Approach How to Verify? Entailment Approximation Expressiveness Set of States Lemmas Structured Specs
19
19 Separation Logic Prover 1 ` 2 3 1 must “subsumes” all heap nodes in 2. Residual nodes are then kept in 3. ALGORITHM : Ensure all nodes in 2 are subsumed by 1, then convert to an arithmetic implication check. antecedentconsequentresidual
20
20 Entailment Algorithm
21
21 Key Steps of Entailment Matching Aliased data nodes/predicates are matched and their components/arguments unified. Supports implicit instantiation. Unfolding Replaces a predicate on LHS by its definition to match a node on the RHS Folding Triggered by a predicate on the RHS and a data node on the LHS. Supports implicit instantation.
22
22 Extension to Inference Infer pure pre/post conditions 1 Æ ` 2 3 1 Æ ` 2 3 Joint work with collaborators at Durham.
23
23 Outline Background Our Approach Why Verification? Entailment Approximation Expressiveness Set of States Lemmas
24
24 Approximation Entailment is reduced to implication of pure constraints when the consequent’s heap is empty. Each predicate is approximated by a pure constraint.
25
25 Approximation: Examples XPure n (x::node h i y::node h i ) = (ex i. x=i Æ i>0) ( ex j. y=j Æ j>0) = i,j. (x=i Æ i>0 Æ y=j Æ j>0 Æ i j) XPure 0 (x::ll h n i ) = n ¸ 0 XPure 1 (x::ll h n i ) = i. (x=0 Æ n=0 Ç x=i Æ i>0 Æ n-1 ¸ 0) too weak more info
26
26 Outline Background Our Approach How to Verify? Entailment Approximation Expressiveness Set of States Lemmas Structured Specs
27
27 Proof Search (Set of States) 1 ` 2 { 3,.., n } { 3,.., n } denotes non-deterministic outcome from proof search. { } means entailment has failed. Modified Hoare triple : { } code { 1,.., n }
28
28 Related Predicates Some predicates may be related. Every sorted list is also an unsorted list. ll n root=null n=0 root::node _,r r::ll n-1 inv n 0 sortl n,min,max root::node min,null min=max Æ n=1 root::node min,q q::sortl n-1,k,max min k inv n 1 Æ min · max root:: sortl n,min,max ) root::ll n Lemma is used in bubble sorting.
29
29 Idea User : - provide the lemmas Our system automatically : - proves each lemma - applies lemmas where possible during entailment proving
30
30 Lemmas Allowed c 1 v 1 * ) 9 v * ¢ root::c 2 v 2 * Æ Implication c 1 v 1 * ( 9 v * ¢ root::c 2 v 2 * Æ Reverse-Implication c 1 v 1 * , 9 v * ¢ root::c 2 v 2 * Æ Equivalence 8 v *. c 1 v 1 * 1 ) 9 v * ¢ root::c 2 v 2 * Æ Complex LHS
31
31 Outline Background Our Approach How to Verify? Entailment Approximation Expressiveness Set of States Lemmas Structured Specs
32
32 Why Structured Specs? Better reuse. Better handling of disjunction. Difference contexts of uses. Better Precision + Performance
33
33 Syntax
34
34 Unstructured Spec Z is repeated instantiations? disjunctions
35
35 Structured Specification case analysis instantiation staged formula
36
36 Disjunctive Incompleteness Good for searching proof but incomplete … 1 · x · 2 |- x=1 Ç x=2 1 · x · 2 |- x=11 · x · 2 |- x=2 OR
37
37 Solution – Rewrite Specs 1 · x · 2 |- case {x · 1 x=1 ; x>1 x=2} x · 1 Æ 1 · x · 2 |- x=1 x > 1 Æ 1 · x · 2 |- x=2 case enhanced spec
38
38 Conditions for Case Constructs
39
39 Semantics
40
40 Experiments
41
41 Tools Developed SLEEK – Entailment Prover HIP – Verifier for Imperative Language HIPO – Verifier for OO Language.
42
42 Conclusion User-defined data structures with size/bag properties and invariants. Sound and terminating entailment proving Expressive structured specifications with proof search and lemma rules. Future work: inference + static debugging + scalability + concurrency etc.
43
43 Experiments
44
44 Related Works Separation Logic (OHearn, Berdine, Calcagno et al. APLAS05) TVLA/Shape Analysis (Reps, Sagiv et al.) PALE/MONA (Moeller, Schwartzbach) Grammar-based Shape Analysis (Lee, Yang + Yi ESOP05) Quantitative Shape Analysis (Rugina SAS04) ILC (Jia & Walker ESOP06)
45
45 Complex Lemma 8 v *. c 1 v 1 * 1 ) 9 v * ¢ root::c 2 v 2 * Æ An Example 8 i,j. x::lseg n,p Æ i,j ¸ 0 Æ n=i+j ) 9 r. x::lseg i,r r::lseg j,p x::lseg n,p ) 9 i,j,r. x::lseg i,r r::lseg j,p Æ n=i+j More general
46
46 Experiments
47
47 Experiments Proof search’s overhead is low Proof search is critical
48
48 Experiments
49
49 Scalable Performance Break large predicates into smaller ones
50
50 Experiments
51
51 Multiple Pre/Post void append(node x, node y) { if (x.next null) then { append(x.next,y) } else { x.next := y } } Any other useful specifications for this method? requires x::lseg y::lseg Æ n ¸ 1 ensures x::lseg
52
52 What if x and y are aliased? void append(node x, node y) requires x::lseg Æ x=y Æ n ¸ 1 ensures x::clist Æ requires x::lseg Æ n ¸ 1 ensures x::lseg Circular List!
53
53 What if x and y are sorted lists? void append(node x, node y) requires x::sortl y::sortl Æ b 1 · s 2 ensures x::sortl Æ requires x::sortl y=null ensures x::sortl
54
54 Example Predicates lseg n,p root=p n=0 Ç root::node a,r r::lseg n-1, p inv n ¸ 0 List Segment (with a dangling ptr) root p Non-empty Circular list clist n root::node a,r r::lseg n-1,root inv n 1 root r
55
55 Core Language + Specifications
56
56 Matching Object/Predicate x::ll h n iÆ n>1 ` 9 m ¢ x::ll h m iÆ m>0 matching n>1 ` n>0 x::ll h n iÆ n>1 ` x::ll h m iÆ m>0 matching n=m Æ n>1 ` n>0 implicit instantiation of free var mfree var
57
57 Example of Free Variables Specification void insert(node x, int v) requires x::ll h n i Æ n>0 ensures x::ll h n+1 i free variable linking pre and post conditions
58
58 Our Work Size and bag (pure) properties Data structure with derived size/bag properties and invariant. Length, height-balanced, sortedness etc. User-specified predicates can be recursive Entailment prover for separation formulae with lemmas + proof search
59
59 Unfolding x::ll h n iÆ n>1 ` 9 r, m ¢ x::node h _,r i r::ll h m iÆ m>0 Unfolding 9 q ¢ x::node h _, q i q::ll h n-1 i Æ n>1 ` 9 r, m ¢ x::node h _, r i r::ll h m i Æ m>0 Matching q1::ll h n-1 iÆ n>1 ` 9 m ¢ q1::ll Æ m>0 n>1 ` 9 m ¢ m=n-1 Æ m>0
60
60 y=null ` y::ll h m i Æ m=0 Recursive entailment y=null ` y=null Æ m=0 Ç y::node h _,r i r::ll h m-1 i Back y=null Æ m=0 ` m=0 Folding: Base Case
61
61 x::node h _, r i Æ r=null ` x::ll h n i Æ n>0 Recursive entailment x::node h _, r i Æ r=null ` 9 q,k ¢ x::node h _,q i q::ll h k i Æ k=n-1 Ç x=null Æ n=0 r=null ` 9 k ¢ r::ll h k i Æ k=n-1 Back from fold: r=null Æ n-1=0 ` n>0 Folding: Recursive Case
62
62 Equivalence Lemma Definition of list segment is inadequate Termination ensured by well-formed and well-founded property Important to have equivalence coercion : lseg n,p root=p n=0 root::node _,r r::lseg n-1,p inv n 0 basic definition extra property lseg n,p , 9 i,j,r. root::lseg i,r r::lseg j,p Æ n=i+j
63
63 Proof Search via Equiv. Lemma x::lseg n,p … ` x::lseg m,r … match … ` [n/m,p/r] … unfold lseg n,p x::lseg i,q q::lseg j,p Æ n=i+j … ` x::lseg m,r … fold lseg m,r x::lseg n,p … ` x::lseg i,q q::lseg j,r Æ m=i+j
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.