Automated Verification via Separation Logic

1. Automated Verificationvia Separation Logic Cristian Gherghina (NUS, Singapore) Cristina David (NUS, Singapore) Shengchao Qin (Durham, UK) Wei-Ngan Chin (NUS, Singapore)

2. Goal Verify programs involving mutable data structures with invariants and other properties

3. Challenges • Strong updates in the presence of aliasing • User-defined recursive predicates • Concise, precise, expressive specs • Emphasis : practical verification Our Search for Solution Sized Types  Separation Logic

4. Separation Logic • Extension to Hoare logic to reason about shared mutable data structures. • Foundations • O’Hearn and Pym, “The Logic of Bunched Implications”, Bulletin of Symbolic Logic 1999 • Reynolds, “Separation Logic: A Logic for Shared Mutable Data Structures”, LICS 2002  : spatial conjunction -- : spatial implication

5. x  3,y x 3 x y 3 3 x  3,y  y  3,x x y x 3 y x  3,y  y  3,x Examples (Reynolds LICS 2002) Separation Formulae Actual Heap y

6. Outline • Background • Our Approach • How to Verify? • Entailment • Approximation • Expressiveness • Set of States • Lemmas

7. range of pure provers e.g. Omega,Mona,Coq, Isabelle,cvc3,redlog, Overall System Shape Predicate Lemmas Code Pre/Post separation logic prover code verifier

8. Separation Formulae • Heap part • Describes data structure in heap memory • Well-formed : all nodes reachable from “root” pointer • Well-founded : no direct looping predicate. • No conjunction over heap states. • Pure part • Size, bag and pointer constraints (that can be handled by pure provers).

9. root null derived attribute (c.f. model field) user-supplied invariant Non-empty sorted list sortln,mi,mx  root::nodemi,null  mi=mx Æ n=1  root::nodemi,q  q::sortln-1,k,mx  mik inv n1 Æ mi·mx Example Predicates Singly-linked list root::lln  root=null  n=0  9 r . root::nodea,r  r::lln-1 inv n0

10. Example Predicates AVL-Tree (near-balanced tree) avlh root = null Æ h = 0 Ç root::nodeh,h, p, qi p::avlhh1i q::avlhh2i Æ-1 · h1-h2 · 1Æ h=1+max(h1,h2) inv h¸0

11. Example Predicates AVL-Tree with BST property avlh,S root = null Æ h = 0 Æ S={} Ç root::nodeh,v, p, qi p::avlhh1,S1i q::avlhh2,S2i Æ -1 · h1-h2 · 1 Æ h=1+max(h1,h2) Æ8 x 2 S1 . x · vÆ8 y 2 S2 . v < x Æ S={v} [ S1 [ S2 inv h¸0

12. Outline • Background • Our Approach • How to Verify? • Entailment • Approximation • Expressiveness • Set of States • Lemmas • Structured Specs

13. Automated Verification • Methods and loops are annotated with pre- and post-conditions. • Entailment checks • Precondition at call site • Postcondition at end of method • State transition formula (e.g. x’=x+1) • initial value : x • latest value : x’ (primed variable)

14. Verifier based on Hoare-triple ` {  } code { 1 } pre-state post-state

15. Some Verification Rules

16. Insert into a Sorted List node insert(node x, node vn) requires x::sortln, sm,lgvn::nodev,_ensures res::sortln+1,min(v,sm),max(v,lg) {if (vn.val≤x.val) then { vn.next = x; return vn; } else if (x.next=null) then { x.next = vn; vn.next = null; return x; } else {x.next = insert(x.next, vn); return x; } }

17. { x’::sortl<n,mi,mx>  vn’::node<v,_> } if (vn.val · x.val) then { {(x’::node<mi,null>  n=1 Æ mi=mx x’::node<mi,q>  q::sortl<n-1,k,mx>  mik  n2)  vn’::node<v, _>vmi } vn.next = x; {(x’::node<mi,null>  n=1 mi=mx  x’::node<mi,q>  q::sortl<n-1,k,mx>  mik  n2)  vn’::node<v,x’> vmi } return vn; {(x’::node<mi,null>  n=1  mi=mx  x’::node<mi,q>  q::sortl<n-1,k,mx>  mik  n2)  vn’::node<v,x’> vmi Æres=vn’ } } { res::sortl<n+1,min(v,mi),max(v,mx)> }

18. Outline • Background • Our Approach • How to Verify? • Entailment • Approximation • Expressiveness • Set of States • Lemmas • Structured Specs

19. Separation Logic Prover 1`2 3 • 1 must “subsumes” all heap nodes in 2. • Residual nodes are then kept in 3. • ALGORITHM : Ensure all nodes in 2 are subsumed by 1, then convert to an arithmetic implication check. antecedent consequent residual

20. Entailment Algorithm

21. Key Steps of Entailment • Matching • Aliased data nodes/predicates are matched and their components/arguments unified. • Supports implicit instantiation. • Unfolding • Replaces a predicate on LHS by its definition to match a node on the RHS • Folding • Triggered by a predicate on the RHS and a data node on the LHS. • Supports implicit instantation.

22. Extension to Inference • Infer pure pre/post conditions 1Æ`2 3 • Joint work with collaborators at Durham.

23. Outline • Background • Our Approach • Why Verification? • Entailment • Approximation • Expressiveness • Set of States • Lemmas

24. Approximation • Entailment is reduced to implication of pure constraints when the consequent’s heap is empty. • Each predicate is approximated by a pure constraint.

25. too weak more info Approximation: Examples • XPuren(x::nodehi y::nodehi) = (ex i. x=i Æ i>0)  (ex j. y=j Æ j>0) = i,j. (x=i Æ i>0 Æ y=j Æ j>0 Æ ij) • XPure0(x::llhni) = n ¸ 0 • XPure1(x::llhni) = i. (x=0 Æ n=0 Ç x=i Æ i>0 Æ n-1¸0)

26. Outline • Background • Our Approach • How to Verify? • Entailment • Approximation • Expressiveness • Set of States • Lemmas • Structured Specs

27. Proof Search (Set of States) 1`2 {3,.., n} • {3,.., n} denotes non-deterministic outcome from proof search. • { } means entailment has failed. • Modified Hoare triple : {}code {1,..,n}

28. Related Predicates • Some predicates may be related. lln  root=null  n=0  root::node_,r  r::lln-1 inv n0 sortln,min,max  root::nodemin,null  min=max Æ n=1  root::nodemin,q  q::sortln-1,k,max  mink inv n1 Æ min·max • Every sorted list is also an unsorted list. root::sortln,min,max ) root::lln Lemma is used in bubble sorting.

29. Idea User : - provide the lemmas Our system automatically : - proves each lemma - applies lemmas where possible during entailment proving

30. Complex LHS 8 v* . c1v1* 1 1)9 v*¢ root::c2v2*  2Æ2 Lemmas Allowed Implication c1v1*  )9 v*¢ root::c2v2*  Æ Reverse-Implication c1v1*  (9 v*¢ root::c2v2*  Æ Equivalence c1v1*  ,9 v*¢ root::c2v2*  Æ

31. Outline • Background • Our Approach • How to Verify? • Entailment • Approximation • Expressiveness • Set of States • Lemmas • Structured Specs

32. Why Structured Specs? • Better reuse. • Better handling of disjunction. • Difference contexts of uses.  Better Precision + Performance

33. Syntax

34. disjunctions Z is repeated instantiations? Unstructured Spec

35. case analysis instantiation staged formula Structured Specification

36. 1· x ·2 |- x=2 1· x ·2 |- x=1 OR 1· x ·2 |- x=1 Ç x=2 Disjunctive Incompleteness Good for searching proof but incomplete …

37. x > 1 Æ 1·x·2 |- x=2 x · 1 Æ 1·x·2 |- x=1 case enhanced spec Solution – Rewrite Specs 1· x ·2 |- case {x · 1  x=1 ; x>1  x=2}

38. Conditions for Case Constructs

39. Semantics

40. Experiments

41. Tools Developed • SLEEK – Entailment Prover • HIP – Verifier for Imperative Language • HIPO – Verifier for OO Language.

42. Conclusion • User-defined data structures with size/bag properties and invariants. • Sound and terminating entailment proving • Expressive structured specifications with proof search and lemma rules. • Future work: inference + static debugging + scalability + concurrency etc.

43. Experiments

44. Related Works • Separation Logic (OHearn, Berdine, Calcagno et al. APLAS05) • TVLA/Shape Analysis (Reps, Sagiv et al.) • PALE/MONA (Moeller, Schwartzbach) • Grammar-based Shape Analysis (Lee, Yang + Yi ESOP05) • Quantitative Shape Analysis (Rugina SAS04) • ILC (Jia & Walker ESOP06)

45. Complex Lemma 8 v* . c1v1* 1 1)9 v*¢ root::c2v2*  1Æ2C An Example 8 i,j . x::lsegn,p Æ i,j ¸ 0 Æ n=i+j )9 r . x::lsegi,r  r::lsegj,p More general x::lsegn,p )9 i,j,r . x::lsegi,r  r::lsegj,p Æ n=i+j

46. Experiments

47. Experiments Proof search’s overhead is low Proof search is critical

48. Experiments

49. Scalable Performance Break large predicates into smaller ones

50. Experiments