1 / 36

Automated Verification with HIP and SLEEK

Automated Verification with HIP and SLEEK. Asankhaya Sharma. Goal. Design and build software that is correct by construction Needed: Automatic tools for establishing software correctness Such tools can Search for standard problems like memory access violations or array index out of bounds

ivory
Download Presentation

Automated Verification with HIP and SLEEK

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Automated Verification withHIP and SLEEK Asankhaya Sharma

  2. Goal • Design and build software that is correct by construction • Needed: Automatic tools for establishing software correctness • Such tools can • Search for standard problems like memory access violations or array index out of bounds • Check if a program does what it is supposed to do with respect to a specification

  3. Why a Need for Automatic Tools?

  4. Let the tool fill in the details

  5. A Tale of Two Tools • HIP • Automatically applies a given set of Hoare rules • SLEEK • Discharges the proof obligations resulting from the rule of consequence and the frame rule • Under development since 2006 • 180k lines of OCaml • Currently 6 PhD students; 3 graduated

  6. range of pure provers … Overview Predicates Lemmas Code Pre/Post separation logic prover (SLEEK) code verifier (HIP) Omega, MONA, Isabelle, Coq, SMT, Redlog, MiniSAT, Mathematica

  7. An Example – List Length struct node{intval;struct node* next;};int length(struct node* p){ if(p == NULL) return 0; else return 1 + length(p->next);}

  8. Example of Acyclic List : list(x) x null List Predicate list(self)  self=null  r . self node(_,r)  list(r) pointer to memory spatial conjunction

  9. Syntactic Abbreviation (ASCII) list(self)  self=null  r . self node(_, r)  list(r) list == self=null or self::node_, r  r::list implicit existential instantiation

  10. Verify with Shape Property struct node{intval;struct node* next;};/*@list<> == self=null or self::node<_,q>*q::list<>;*/int length(struct node* p)/*@requires p::list<>ensures p::list<>;*/{ if(p == NULL) return 0; else return 1 + length(p->next);} Predicate Definition Method Pre and Post condition Memory Safety

  11. x null With Size parameter on length of linked list predicate invariant listn == self=null & n=0 or self::node_, r  r::listn-1 inv n >= 0 x::ll5

  12. Verify with Shape and Size int length(struct node* p)/*@requires p::list<n>ensures p::list<n> & res=n;*/{ if(p == NULL) return 0; else return 1 + length(p->next);} Memory Safety Length of the List

  13. With Size and Bag listn,B == self=null & n=0 & B={} or self::nodev, r  r::listn-1,B1 & B = B1 U {v} inv n >= 0 & n=|B|

  14. Verify with Shape, Size and Bag int length(struct node* p)/*@requires p::list<n,B>ensures p::list<n,B> & res=n;*/{ if(p == NULL) return 0; else return 1 + length(p->next);} Memory Safety Length of the List Bag of Values

  15. Automated Verification int length(struct node* p)/*@requires p::list<n>ensures p::list<n> & res=n;*/{ if(p == NULL) return 0; // p=null & n = 0 & res = 0 |- p::list<n> & res = n // p::ll<n> & p!=null |- p::node<val,nxt> // p::node<_,q> * q::ll<n-1> & p!=null & q = r |- r::ll<m> else return 1 + length(p->next); // p::node<_,q> * q::ll<n-1> & x!=null & res = 1 + n – 1 |- p::ll<n> & res = n } Pre condition Checking Memory dereference Checking Post condition Checking

  16. SLEEK • Automatic Checking of Entailment • Custom decision procedure for the spatial fragment (Separation Logic) • Handles user-defined data structures and inductive predicates • Uses off-the-shelf provers to discharge: • Linear Arithmetic (using Omega) • Also available as a tactic in Coq • Bag Expressions (using MONA) • Sound but incomplete

  17. Numerical Examples for SLEEK Checking implications with integer constraints: checkentail x > 5 |- x > 0. checkentail x > 5 |- x < 0. checkentail x > 5 |- x > 6. checkentail x > 1 & y > 1 & r = x + y |- r > 3. SLEEK uses Omega for these examples Valid. InValid. InValid. Valid.

  18. List Examples for SLEEK Valid. checkentail x::node<1,null> |- x::list<n,B>. checkentail x::node<17,null> |- x::list<n,B> & B = {17}. checkentail x::node<2,y> * y::list<m,{2} |- x::list<n,B>. checkentail x::list<1,{2}> |- x::node<2,null>. checkentail x::list<2,{2,3}> |- x::node<2,null>. Valid. Valid. Valid. InValid.

  19. HIP • Automatic checking of pre/post for methods • Handle conditional, loops, methods • With arrays, data structures, dynamic memory allocation • Supports Multiple pre/post specifications, structured specifications, termination specifications • Sound but incomplete • Automated with the help of SLEEK

  20. Append Example with HIP • What should be the specification for the following method ? void append(node* x, node* y)requires ?ensures ?{ if(x->next==NULL) x->next=y; else append(x->next,y);}

  21. Append Example with HIP • Is the following specification which aims to guarantee memory safety correct? void append(node* x, node* y)requires x::list<> * y::list<>ensures x::list<>{ if(x->next==NULL) x->next=y; else append(x->next,y);} No, null pointer dereference possible

  22. Append Example with HIP • Correct specification for safety void append(node* x, node* y)requires x::list<> * y::list<> & x!=nullensures x::list<>{ if(x->next==NULL) x->next=y; else append(x->next,y);}

  23. Append Example with HIP • With size and bag properties void append(node* x, node* y)requires x::list<n1,B1> * y::list<n2,B2> & x!=nullensures{ if(x->next==NULL) x->next=y; else append(x->next,y);} x::list<n1 + n2, B1 U B2>

  24. Multiple Specifications • Same method may be called in different calling contexts • Verify using different specifications for each scenario • Which sorting algorithm may require an append function for two sorted lists ? • Quick Sort (and Merge Sort)

  25. With Bag and Sortedness lsortn,B == self=null & n=0 & B={} or self::nodev, r  r::lsortn-1,B1 & B = B1 U {v} & x B1. v<=x inv n >= 0 & n=|B|

  26. Verify with Multiple Specifications void append(node* x, node* y)requires x::list<n1,B1> * y::list<n2,B2> & x!=nullensures x::list<n1 + n2, B1 U B2> requires x::lsort<n1,B1> * y::lsort<n2,B2> & x!=null & ∀a ∈ B1. ∀b ∈ B2. a<=bensures x::lsort<n1 + n2, B1 U B2>{ if(x->next==NULL) x->next=y; else append(x->next,y);}

  27. x::lsegy,3 x y::lsegx,2 y List Segment with Size lsegp,n == self=p & n=0 or self::node_,r  r::lsegp,n-1 inv n >= 0

  28. Circular List with Size clistn == self::node_,r  r::lsegself,n-1 inv n >= 1 x::clist3 x r r::lsegx,2

  29. Use of Multiple Pre/Post void append(node* x, node* y)requires x::list<n> & x != null & x = yensures requires x::list<n> & x != null ensures{ if(x->next==NULL) x->next=y; else append(x->next,y);} x::clist<n> x::lseg<y,n>

  30. Binary Search Tree How do we express a binary search tree ? tree<> == self=null or self::node<v,l,r> * l::tree<> * r::tree<> Shape Property for Tree

  31. Binary Search Tree 5 bst<B> == self=null & B = {} or self::node<v,l,r> * l::bst<B1> * r::bst<B2> & B = {v} U B1 U B2 & ∀w ∈ B1. v>=w & ∀w ∈ B2. v<=w 3 7 Sortedness property 1 4

  32. AVL Tree How do we specify height balanced trees ? avl<h,B> == self=null & B = {} & h = 0or self::node<v,l,r> * l::avl<h1,B1> * r::avl<h2,B2> & B={v}UB1UB2 & ∀w∈B1.v>=w & ∀w∈B2.v<=w & h = 1 + max(h1,h2) & h2<=h1+1 & h1<=h2+1

  33. Conclusions • HIP and SLEEK Verification System • Automated • Given pre/post and loop invariants • Modular and scalable • Each method verified independently • Expressive • From shape, size, bag properties towards functional correctness • Total correctness with Termination and Non-Termination proving

  34. Perspectives • Hardware community has accepted verification in their design phase • Verified software is the future for guarantying high assurance and reliability • Many challenges remain on scalability, automation, expressivity, concurrency, inference and higher order programs

  35. Questions? • We will try out some examples in Lab tomorrow using TeachHIP • TeachHIP is a Web Interface to • Try out HIP and SLEEK without installing any software • Available athttp://loris-7.ddns.comp.nus.edu.sg/~project/TeachHIP/ • Contact • asankhaya@nus.edu.sg

  36. Further Reading • Chin, Wei-Ngan, Cristina David, Huu Hai Nguyen, and Shengchao Qin. "Automated verification of shape, size and bag properties via user-defined predicates in separation logic." Science of Computer Programming 77, no. 9 (2012): 1006-1036.

More Related