1 / 58

Dependable Software via Automated Verification

Dependable Software via Automated Verification. Huu Hai Nguyen (NUS) Cristina David (NUS) Shengchao Qin (Durham, UK) Wei-Ngan Chin (NUS) . Goal. Verify shapely and mutable data structures with invariants involving size properties. Challenges.

ariane
Download Presentation

Dependable Software via Automated Verification

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Dependable Software via Automated Verification Huu Hai Nguyen (NUS) Cristina David (NUS) Shengchao Qin (Durham, UK) Wei-Ngan Chin (NUS)

  2. Goal Verify shapely and mutable data structures with invariants involving size properties

  3. Challenges • Strong updates in the presence of aliasing • Entailment checking with recursive predicates • Emphasis : practical verification

  4. Separation Logic • Foundations • O’Hearn and Pym, “The Logic of Bunched Implications”, Bulletin of Symbolic Logic 1999 • Reynolds, “Separation Logic: A Logic for Shared Mutable Data Structures”, LICS 2002 • Extension to Hoare logic to reason about shared mutable data structures. •  : spatial conjunction -- : spatial implication

  5. x  3,y x 3 x y 3 3 x  3,y  y  3,x x y x 3 y x  3,y  y  3,x Examples (Reynolds LICS 2002) y

  6. Outline • Background • Our Approach • How to Verify? • Entailment • Approximation • Expressiveness • Multiple Pre/Post • Set of States • Coercion Rules

  7. Our Work • Size properties • Data structure with derived size properties and invariant. • Length, height-balanced, sortedness etc. • User-defined inductive predicates • predicates are custom designed • Sound entailment checking (but incomplete)

  8. Overview Shape Predicate Coercion Rule Code Pre/Post entailment prover code verifier

  9. Example Predicates derived attribute (c.f. model field) Singly-linked list self null lln  self=null  n=0  self::node_,r  r::lln-1 inv n0 user-supplied invariant Non-empty sorted list sortln,min,max  self::nodemin,null  min=max Æ n=1  self::nodemin,q  q::sortln-1,k,max  mink inv n1 Æ min·max

  10. Example Predicates self p List Segment lsegn,p  self=p n=0  self::node_,r  r::lsegn-1,p inv n0 Non-empty Circular list clistn  self::node_,r  r::lsegn-1,self inv n1 self r

  11. Example Predicates AVL Tree (near-balanced tree) avlh self = null Æ h = 0 Ç self::nodeh,h, p, qi p::avlhh1i q::avlhh2i Æ-1 · h1-h2 · 1Æ h = max(h1,h2) + 1 inv h¸0

  12. What Can Be Written? • Heap part • Describes shapes using separation logic • Pure part • Size properties (arithmetic constraints) • Pointer constraint • self points to the “root” of data structure • A “root” pointer is a pointer from which every node is reachable.

  13. Ensuring Automation & Termination • Well-formed • A predicate captures a set of nodes reachable from self. • Applied to predicate defns + specifications • Well-founded • self bound to a data node, not predicate • At most one data node for each conjunct in a predicate • Applied to predicate defns

  14. Outline • Background • Our Approach • How to Verify? • Entailment • Approximation • Expressiveness • Multiple Pre/Post • Set of States • Coercion Rules

  15. Verification • Methods and loops are annotated with pre- and post-conditions. • Entailment checks • Precondition at call site • Postcondition at end of method

  16. Verification Rules

  17. Core Language

  18. Insert into a Sorted List node insert(node x, node vn) requires x::sortln, sm,lgvn::nodev,_ensures res::sortln+1,min(v,sm),max(v,lg) {if (vn.val≤x.val) { vn.next = x; return vn; } else if (x.next=null) then { x.next = vn; vn.next = null; return x; } else {x.next = insert(x.next, vn); return x; } }

  19. { x’::sortl<n,mi.mx>  vn’::node<v,_> } if (vn.val <= x.val) { {(x’::node<mi,null>  n=1 Æ mi=mx x’::node<mi,q>  q::sortl<n-1,k,mx>  mik  n2)  vn’::node<v, _>vmi } vn.next = x; {(x’::node<mi,null>  n=1 mi=mx  x’::node<mi,q>  q::sortl<n-1,k,mx>  mik  n2)  vn’::node<v,x’> vmi } return vn; {(x’::node<mi,null>  n=1  mi=mx  x’::node<mi,q>  q::sortl<n-1,k,mx>  mik  n2)  vn’::node<v,x’> vmi Æres=vn’ } } { res::sortl<n+1,min(v,mi),max(v,mx)> }

  20. Outline • Background • Our Approach • How to Verify? • Entailment • Approximation • Expressiveness • Multiple Pre/Post • Set of States • Coercion Rules

  21. Entailment 1`2 3 • 1 “subsumes” all heap nodes “present” in 2. • Remaining nodes are kept in 3. • ALGO : Cover all nodes in 2 that are subsumed by 1, then convert to an arithmetic implication check. • A smart “frame inferring” prover.

  22. Key Steps of Entailment • Matching • Aliased data nodes/predicates are matched and their components/arguments unified • Unfolding • Replaces a predicate on LHS by its definition to match a node on the RHS • Folding • Triggered by a predicate on the RHS and a data node on the LHS. • Recursive invocation.

  23. Entailment Algorithm

  24. free var defn moved to current state in LHS Matching x::llhniÆ n>1 `9 m ¢x::llhmiÆ m>0 matching n>1 ` n>0 x::llhniÆ n>1 ` x::llhmiÆ m>0 matching n=m Æ n>1 ` n>0

  25. Preserving Free Variables Specification void insert(node x, int v) requires x::llhniÆ n>0 ensuresx::llhn+1i Call x = new node(0, null); insert(x, 1); free variable linking pre and post conditions Preconditioncheck x’::nodeh0,nulli` x’::llhniÆ n>0 n=1 ` n>0 Programstateafter addingpostcondition x’::llhn+1iÆ n=1

  26. Unfolding x::llhniÆ n>1 ` 9r, m ¢ x::nodeh_,ri r::llhmiÆ m>0 Unfolding 9q ¢ x::nodeh_, qi q::llhn-1iÆ n>1 ` 9r, m ¢ x::nodeh_, ri r::llhmiÆ m>0 Matching q1::llhn-1iÆ n>1 ` 9m ¢ q1::ll<m> Æ m>0

  27. Folding: Base Case y=null ` y::llhmi Æ m=0 Recursive entailment y=null ` y=null Æm=0 Ç y::nodeh_,ri r::llhm-1i Back y=null Æm=0` m=0

  28. Folding: Recursive Case x::nodeh_, riÆ r=null ` x::llhniÆ n>0 Recursive entailment x::nodeh_, riÆ r=null ` 9q,k ¢ x::nodeh_,qi  q::llhkiÆ k=n-1 Ç x=null Æ n=0 r=null `9k ¢ r::llhkiÆk=n-1 Back r=null Æn-1=0` n>0

  29. Outline • Background • Our Approach • Why Verification? • Entailment • Approximation • Expressiveness • Multiple Pre/Post • Set of States • Coercion Rules

  30. Approximation • Each predicate is approximated by a pure constraint. • When the consequent’s heap is empty, the antecedent is approximated by a pure constraint. • Entailment is reduced to entailment of pure constraints.

  31. Approximation: Examples • XPure(x::nodeh i y::nodeh i) = ex i. x=i Æ i>0  ex j. x=j Æ j>0 = i,j. (x=i Æ i>0 Æ y=j Æ j>0 Æ ij) • XPure0(x::llhni) = n ¸ 0 (too weak) • XPure1(x::llhni) = i. (x=0 Æ n=0 Ç x=i Æ i>0 Æ n>0)

  32. Translating to Pure Form

  33. Outline • Background • Our Approach • How to Verify? • Entailment • Approximation • Expressiveness • Multiple Pre/Post • Set of States • Coercion Rules

  34. Multiple Pre/Post • Each method may have multiple pre/post conditions. node append (node x, node y) requires x::llny::llm ensures res::lln+m Ærequires x::sortln,a1,a2y::sortlm,b1,b2 & a2 · b1 ensures res::sortln+m,a1,b2 {if x=null then { return y} else { x.next = append(x.next,y); return x; } }

  35. Multiple Pre/Post • More pre/post for append possible! node append (node x, node y) requires x::llnÆx=y Æ n>0 ensures res::clistn Ærequires x::sortln,a1,a2Æ y=null ensures res::sortln,a1,a2 … requires x::llnÆxy ensures res::lsegn,y

  36. Set of States 1`2 {3,.., n} • {3,.., n} denotes non-deterministic outcome from proof search. • { } means entailment has failed. • Modified Floyd-Hoare style forward reasoning : {}code {1,..,n}

  37. Related Predicates • Some predicates may be related. lln  self=null  n=0  self::node_,r  r::lln-1 inv n0 sortln,min,max  self::nodemin,null  min=max Æ n=1  self::nodemin,q  q::sortln-1,k,max  mink inv n1 Æ min·max • Every sorted list is also an unsorted list. sortln,min,max ) self::lln This coercion is used in bubble sorting.

  38. Coercion Rules Allowed Implication c1v1*  )9 v*¢ self::c2v2*  Æ Reverse-Implication c1v1*  (9 v*¢ self::c2v2*  Æ Equivalence c1v1*  ,9 v*¢ self::c2v2*  Æ

  39. Equivalence Coercion Definition of list segment is inadequate basic definition lsegn,p  self=p n=0  self::node_,r  r::lsegn-1,p inv n0 Important to have equivalence coercion : extra property Termination ensured by well-formed and well-founded property

  40. match … ` [n/m,p/r] … fold lsegm,r unfold lsegn,p x::lsegi,q q::lsegj,p Æ n=i+j … ` x::lsegm,r … x::lsegn,p … `x::lsegi,q  q::lsegj,r Æ m=i+j Proof Search via Equiv. Coercion x::lsegn,p … ` x::lsegm,r …

  41. Experiments

  42. Conclusion • User-defined data structures with size-based invariants • Sound and terminating entailment checking • Expressive verification with proof search and coercion rules. • Future work: inference + debugging + extensions.

  43. Termination • Each step reduces consequent or antecedent. • No infinite unfolding • self must point to a data node • Consequent is reduced with after each unfold • No infinite folding • Antecedent is reduced with each folding.

  44. Handling Multiple Pre/Post

  45. Verification of Shared Mutable Data Structures • Hoare and He, “A Trace Model for Pointers and Objects”, ECOOP 1999 • The complexity of pointer swing • “perhaps a crippling disadvantage” • Bornat, “Proving Pointer Programs in Hoare Logic”, MPC 2000 • Aliasing • Inductive formulae • Complexity of proof

  46. Existential Variables

  47. Example: how to compare these two? • x::ll<1> |- x::ll<m> & m>0 • Precondition • m must be a fresh variable • x::ll<1> |- ex m. x::ll<m> & m>0

  48. Matching

  49. Folding • Summarize a heap configuration to a predicate • May result in multiple instances of the predicate • All resulted possibilities are explored

  50. Example • x::ll<n> & n>1 |- ex r. x::node<_,r> & r!=null

More Related