1 / 38

SAT-based methods for proving properties in Reynolds/O'Hearn Separation Logic

SAT-based methods for proving properties in Reynolds/O'Hearn Separation Logic. Daniel Kröning (currently visiting CBL) Joint work with B. Cook and J. Berdine. Program Verification. Goal: Editor that highlights programming errors Not syntax, but semantics. Like what?. Verification Engines.

jolie
Download Presentation

SAT-based methods for proving properties in Reynolds/O'Hearn Separation Logic

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. SAT-based methods for proving properties in Reynolds/O'Hearn Separation Logic Daniel Kröning (currently visiting CBL) Joint work with B. Cook and J. Berdine

  2. Program Verification • Goal:Editor that highlights programming errors • Not syntax, but semantics

  3. Like what?

  4. Verification Engines • Bounded Model Checking (BMC) • No invariant discovery • One very largeconstraint problem • A lot of case-splitting Unwinding Abstraction • Abstract interpretation • Predicate abstraction • Attemptinginvariant discovery • Manysmall constraint problems • Little case-splitting

  5. Program Analysis: BMC Program BMC CBMC, … Model VC CONSTRAINT SOLVER SAT solver,CVC-Lite, Math-SAT, …

  6. BMC Overview ANSI-CProgram parsing unwind SATSolver = = CNF * * + +   ConstraintProblem Parse tree

  7. ANSI-C Transformation • Preparation • Side effect removal • continue, break replaced by goto • for, do while replaced by while • Unwinding • Loops are unwound • Same for backward goto jumps and recursive functions

  8. Implementation • Transformation into Equation • After unwinding: Transform into SSAExample: • Generate constraints by simply conjoiningequations resulting from assignments • For arrays, use simple lambda notation

  9. Example

  10. Required Theories  • Bit vector • Arrays • Pointers (pair of object/offset) • Floating Point • If contained in assertion: • Quantifiers • Data type predicates (lists, trees, …)     

  11. Example int *p, x, y; int main(){ int z; y=z; p=&y; x=*p; assert(x==z); } cbmc test.c –cvc –outfile test

  12. p0: [# object: INT, offset: BITVECTOR(32) #] =(# object:=0, offset:=0bin00000000000000000000000000000000 #); x0: BITVECTOR(32) = 0bin00000000000000000000000000000000; y0: BITVECTOR(32) = 0bin00000000000000000000000000000000; z1: BITVECTOR(32); z0: BITVECTOR(32); y1: BITVECTOR(32) = z0; p1: [# object: INT, offset: BITVECTOR(32) #] =(# object:=3, offset:=0bin00000000000000000000000000000000 #); x1: BITVECTOR(32) = y1; l1: BOOLEAN; ASSERT l1 <=> (x1=z0); ASSERT (NOT l1); QUERY FALSE; • Download me! • We have ~300 MB of benchmark files available • Soon: SMT-Lib format

  13. Program Analysis: Abstraction Program PROGRAM ANALYSISENGINE SLAM, … VCs , T ’ Model CONSTRAINT SOLVER WIDENING Simplify, Zapato,Cogent,CPLEX, … Pre-, Post-,Proof-based, …

  14. Existing Tools • Implement • Fragments of linear arithmetic, • Maybe arrays, maybe pointers • Sometimes float

  15. Extending the Assertion Logic Program PROGRAM ANALYSISENGINE VCCs , T ’ Model CONSTRAINT SOLVER WIDENING Linear Arithmetic,Arrays, Float, … Linear Arithmetic,Arrays, Float, …

  16. Existing Tools • Biggest challenge for mass-market:dynamic data structures • Fix with choice of assertion logic, e.g.,Reynolds’ Separation Logic • E.g., add separating conjunction andpredicates for linked list

  17. Separation Logic • A logic for heap data structures • NOT the same as the fragment of linear arithmetic called difference logic • Due to Reynolds/O’Hearn

  18. Separation Logic “next” pointer 0 … … . . . . Main problem: Need to specify that allheap cells are disjoint Payload

  19. Separation Logic • In general, one needs to express constraints that a data structure does not share cells with any other data structure • Key idea: new logical operator P * Q “Separating Conjunction”

  20. Separation Logic • Semantics of expressions defined over valuations of heaps(maps from addresses to values) • Obvious meaning for State Heap Pointer Value

  21. Separation Logic • Define disjoint heaps: • Separating conjunction:

  22. Separation Logic: Lists • Notation for sequences • : empty sequence • x¢: concatenation • Define list:

  23. Extending the Assertion Logic Program PROGRAM ANALYSISENGINE VCCs , T ’ Model CONSTRAINT SOLVER WIDENING Linear Arithmetic,Arrays, Float, … Linear Arithmetic,Arrays, Float, … +Separation Logic +Separation Logic

  24. Who does the assertions? • Manual annotations • Automatic discovery • Standard Template Library • Data in containers is implicitlyin separate heap cells typedef std::hash_map<std::string, symbolt, string_hash> symbolst; . . . typedef std::vector<nodet> nodest;

  25. Requirements for Constraint Solvers • Constraint solver must supportvery rich logic • Data types might even be application-specific • But most queries are simple! • Extending custom-made constraint solveris tedious

  26. Proposed Solution • Assumption: we have a (partial) axiomatization of all logics • Goal: high performance constraint solver 1st step: define language for axioms

  27. Example: Equality Logic equality_transitivity: A "=" B, B "=" C -> A "=" C; equality_commutativity: A "=" B <-> B "=" A; equality: A "=" A; disequality: A "!=" B<->NOTA "=" B; emp: rewrite h"|=""emp" <-> h"="["semp""**""semp"];

  28. Build a Compiler! 2nd step: build a compiler VCC Axioms codegen g++ Binary C++code SAT/UNSAT

  29. Multiple Theories • Note that one can combine multiple theories • Interfacing through arbitrary propositions, not just equalities • Convexity requirement?

  30. What about OR? • We could build case-splitting into the generated code • However, we will never be able to implement • Proper decision heuristics • Non-chronological back-tracking • Learning

  31. What about OR? • Alternative: producereduction to propositional logic • Generate CNF, and pass formula to SAT solver • The formula is unsatisfiable iff there exists a deduction that shows a contradiction

  32. What about OR? 3nd step: add SAT solver VCC Axioms codegen SATSolver g++ Binary CNF C++code This is the eager version – lazy version straight-forward.

  33. What about OR? • Maintain truth value with each fact: • Set new facts to unknown • Assign a literal to each fact that has truth value unknown • For each deduction step,generate constraint emp: rewrite h"|=""emp" <-> h"="["semp""**""semp"];

  34. Separation Logic disjoint_not_self: h“!=““emp” -> not [h"#“h]; and: h"|=" [P"^"Q] <-> h"|="P, h"|="Q; not: h"|=" ["!"P] <-> not [h"|="P]; conditional: h"|=" [P"?"Q":"R] <-> (h"|="P -> h"|="Q), (h"|=""!"P -> h"|="R);

  35. Separation Logic star: h"|=" [P"*"Q]<->NEW h0"|="P, NEW h1"|="Q,h "=" [NEW h0"**" NEW h1],NEW h0"#" NEW h1; emp: rewrite h"|=""emp" <-> h"="["semp""**""semp"];

  36. Obtaining Invariants • Again, could be custom-made • Instead: inspect proofs of failedrefutation-attempts • Paper available on doing this for bit-vectors • E.g., for constructing interpolants

  37. Conclusion • Generic constraint solver with propositional SAT as backend • Especially for complicated logics • Extensions of logic are easy • All case-splitting is pushed intopropositional SAT solver

  38. Cross-Advertising • TACAS: this can be used for–quantification over predicates • CAV: Predicate abstraction for deep loops • PDPAR: Completeness • How to tell for sure that no proof exists?

More Related