1 / 20

Verifying Programs with Knuth-Bendix: A Focus on Data Structures and Disequalities

This outline explores the use of the Knuth-Bendix semi-algorithm for verifying program correctness through equality entailment in data structures. It introduces axioms to describe data structures while ensuring the termination of the Knuth-Bendix process using offline pre-processing. The presentation includes scenarios illustrating time-dependent properties and proofs of disequalities. Various approaches, such as injectivity and transitivity, are discussed, alongside challenges in decision problems associated with program hypotheses. The importance of confluence in achieving program correctness is emphasized.

rufina
Download Presentation

Verifying Programs with Knuth-Bendix: A Focus on Data Structures and Disequalities

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Using Knuth-Bendix toVerify Programs Scott McPeak OSQ 2/23/04

  2. Outline • Use axioms to describe data structures • Knuth-Bendix: semi-algorithm to decide equality entailment • Ensure termination of KB with offline pre-processing

  3. Need Precise Pointer Info • Scenario: • time 1: P(x) holds • time 2: (the object pointed to by) y is modified • time 3: assert(P(x)) • P(x) might be any time-dependent prop. • e.g. locked(x), opened(x), allocated(x), etc. • How can we prove x ¹ y?

  4. Data Structures ) Disequalities • Will prove x ¹ y using data str. knowledge • Injectivity • 8 p. p->next ¹ 0 ) p->next->prev = p • consequence: x ¹ y ) x->next ¹ y->next • Transitivity • 8 p. p->next ¹ 0 ) p->next->head = p->head • consequence: x->head ¹ y->head ) x->next*¹ y->next*

  5. Short Example assume(x ¹ y); x = x->next; y = y->next; assert(x ¹ y);

  6. Short Example assume(x ¹ y); x = x->next; y = y->next; assert(x ¹ y); 8 p. p->next->prev = p x1 = x0->next y1 = y0->next x1 = y1 (: goal) x0 = y0 ? (contr.?)

  7. Short Example 8 p. p->next->prev = p x1 = x0->next y1 = y0->next x1 = y1 (: goal) x0 = y0 ? (contr.?) x0->next = x1 x0->next->prev = x1->prev x0 = y1->prev x0 = y0->next->prev x0 = y0

  8. Decision Problem • Given a data structure specification • set of: 8 p. p->a = p->g • and hypotheses derived from program, • set of: x->d = y->e • are terms t1 and t2 entailed equal? • (Undecidable in general)

  9. Knuth-Bendix (1970) F ` t1 = t2? F = facts (ax+hyp) rewrite rules KBcompletion rewrite engine 8 x. f(x) = g(g(x)) g(g(x)) ! f(x) t1* = t2*? “non-orientable equation” non-termination...

  10. Orienting Rules • Start with a well-order on ground terms • Conservatively extend to quantified s.t. • Rules rewrite big to small • Some choices • KBO: length, then lexicographic • RPO: “inclusion”, then (e.g.) lexicographic

  11. reduce if necessary triv: discard nontriv: keep KB Completion: Mixing (1) 8 p. p->a->b = p->g (2) 8 p. p->b->d = p->e 8 p. p->a->b->d = p->g->d 8 p. p->a->e = p->g->d

  12. 8 p. p->A->B->C = p->A->C (3) 8 p. p->A->A = p->A->C 8 p. p->A->A->B = p->A->C->B 8 p. p->A->A = p->A->C->B 8 p. p->A->C = p->A->C->B (4) 8 p. p->A->C->B = p->A->C 8 p. p->A->C->B->C = p->A->C->C (5) 8 p. p->A->C->A = p->A->C->C Mixing Example (1) 8 p. p->B->C = p->A (2) 8 p. p->A->B = p->A

  13. Confluence • Completed system has confluence property: • t ß t1Æ t ß t2) 9 t3. t1ß* t3Æ t2ß* t3 • Proof • Case 1: t = x->a->b->g->d->e (1) bßb’ (2) dßd’ (1) (2) t2 = x->a->b->g->d’->e t1 = x->a->b’->g->d->e (2) (1) t3 = x->a->b’->g->d’->e t3 = x->a->b’->g->d’->e

  14. (3) Because the axioms have been mixed: (1) 8 p. p->b->g = p->h (2) 8 p. p->g->d = p->q (1)+d 8 p. p->b->g->d = p->h->d (3) 8 p. p->b->q = p->h->d Confluence Proof, Case 2 t = x->a->b->g->d->e (1) b->gßh (2) g->dßq (2) (1) t1 = x->a->h->d->e t2 = x->a->b->q->e

  15. Why Confluence is Useful • Suppose F ` s = t • Then s = t1 = t2 = ... = tn-1 = tn = t • where each equality justified by an axiom • Then tiß ti+1 or ti+1ß ti, for all i • But x ß y ) 9 z. x ß* z Æ y ß* z • Then 9 u. x ß* u Æ y ß* u, induction on n • Also, confluence+term. ) normal form

  16. Ensuring Termination • Axioms correspond to data structures • change rarely: process off-line • Hypotheses correspond to program stmts • change frequently: must handle on-line • Q: Can we restrict axioms s.t. KB(ax+hyp) terminates for all hypotheses?

  17. Attempt #1 • Theorem: If KB(ax) terminates, then KB(ax+hyp) terminates Wrong! (a) 8 p. p->C->A->B = p->D->D->C (1) x->C->C = y x->C->C->A->B = y->A->B (2) x->C->D->D->C = y->A->B x->C->D->D->C->A->B = y->A->B->A->B (3) x->C->D->D->D->D->C = y->A->B->A->B

  18. (1) 8 p. p->C->A = p->C->C (2) 8 p. p->A->B = p->B->B (3) i->C->C = j (4) k->B->B = m (5) x->C->B = y terminates nontermination (6) 8 p. p->C->B->B = p->C->C->B Attempt #2 • Theorem: If KB(ax+RHSs) terminates, then KB(ax+hyp) terminates Wrong!

  19. Yes; proof: b is i’s RHS ( i ) Case 1: j’s LHSmatches part of a x->a->b ( j ) x->(a- ?)->g a consumed but a finite; ) terminates Attempt #3 • Theorem: If KB(ax+compl_RHSs) terminates, then KB(ax+hyp) terminates Case 2: j’s LHS does not match part of a Then a is irrelevant, so b alone sufficient. Orients backwards? Then b is LHS, same argument applies.

  20. Conclusion • Useful theory: equalities among exps w/unary function symbols (model ptrs) • KB semi-decides the theory • We can move nontermination potentialoff-line

More Related