1 Dependable Software via Automated Verification Huu Hai Nguyen(NUS) Cristina David(NUS) Shengchao...

1

Dependable Software via Automated Verification

Huu Hai Nguyen (NUS)Cristina David (NUS)Shengchao Qin (Durham, UK)Wei-Ngan Chin (NUS)

2

Goal

Verify shapely and mutable

data structures with

invariants involving size properties

3

Challenges

• Strong updates in the presence of aliasing

• Entailment checking with recursive predicates

• Emphasis : practical verification

4

Separation Logic

• Foundations• O’Hearn and Pym, “The Logic of Bunched

Implications”, Bulletin of Symbolic Logic 1999• Reynolds, “Separation Logic: A Logic for Shared

Mutable Data Structures”, LICS 2002

• Extension to Hoare logic to reason about shared mutable data structures.

• : spatial conjunction -- : spatial implication

5

Examples (Reynolds LICS 2002)

3

y

3

x

x y

x 3,y y 3,x

3x

yx 3,y y 3,x

3x

x 3,y

y

6

Outline• Background• Our Approach• How to Verify?• Entailment• Approximation• Expressiveness

• Multiple Pre/Post• Set of States• Coercion Rules

7

Our Work• Size properties

• Data structure with derived size properties and invariant.

• Length, height-balanced, sortedness etc.

• User-defined inductive predicates• predicates are custom designed

• Sound entailment checking (but incomplete)

8

Overview

code verifier entailmentprover

Pre/PostShapePredicate

CoercionRuleCode

9

Example Predicates

sortln,min,max self::nodemin,null min=max Æ n=1

self::nodemin,q q::sortln-1,k,max mink

inv n1 Æ min·max

Non-empty sorted list

lln self=null n=0 self::node_,r r::lln-1 inv n0

Singly-linked listderived attribute (c.f. model field)

user-supplied invariant

selfnull

10

Example Predicates

lsegn,p self=p n=0 self::node_,r r::lsegn-1,p inv n0

List Segment

Non-empty Circular list

clistn self::node_,r r::lsegn-1,self inv n1

selfp

selfr

11

Example Predicates

AVL Tree (near-balanced tree)

avlh self = null Æ h = 0 Ç self::nodeh,h, p, qi p::avlhh1i q::avlhh2i

Æ -1 · h1-h2 · 1 Æ h = max(h1,h2) + 1 inv h¸0

12

What Can Be Written?

• Heap part• Describes shapes using separation logic

• Pure part• Size properties (arithmetic constraints)• Pointer constraint

• self points to the “root” of data structure• A “root” pointer is a pointer from which every node

is reachable.

13

Ensuring Automation & Termination• Well-formed

• A predicate captures a set of nodes reachable from self.

• Applied to predicate defns + specifications

• Well-founded• self bound to a data node, not predicate• At most one data node for each conjunct in

a predicate• Applied to predicate defns

14



15

Verification

• Methods and loops are annotated with pre- and post-conditions.

• Entailment checks• Precondition at call site• Postcondition at end of method

16

Verification Rules

17

Core Language

18

Insert into a Sorted List

node insert(node x, node vn)requires x::sortln, sm,lg vn::nodev,_

ensures res::sortln+1,min(v,sm),max(v,lg){ if (vn.val≤x.val) {

vn.next = x;return vn; }

else if (x.next=null) then {x.next = vn; vn.next = null; return x; }

else { x.next = insert(x.next, vn); return x; }

}

19

{ x’::sortl<n,mi.mx> vn’::node<v,_> }

vn.next = x;

{ (x’::node<mi,null> n=1 Æ mi=mx x’::node<mi,q> q::sortl<n-1,k,mx> mik n2)

vn’::node<v, _> vmi }

if (vn.val <= x.val) {

return vn;

{ res::sortl<n+1,min(v,mi),max(v,mx)> }

}

{ (x’::node<mi,null> n=1 mi=mx x’::node<mi,q> q::sortl<n-1,k,mx> mik n2)

vn’::node<v,x’> vmi }

{ (x’::node<mi,null> n=1 mi=mx x’::node<mi,q> q::sortl<n-1,k,mx> mik n2)

vn’::node<v,x’> vmi Æ res=vn’ }

20



21

Entailment

1 ` 2 3

• 1 “subsumes” all heap nodes “present” in 2.

• Remaining nodes are kept in 3.

• ALGO : Cover all nodes in 2 that are subsumed by 1, then convert to an arithmetic implication check.

• A smart “frame inferring” prover.

22

Key Steps of Entailment

• Matching• Aliased data nodes/predicates are matched and

their components/arguments unified

• Unfolding• Replaces a predicate on LHS by its definition to

match a node on the RHS

• Folding• Triggered by a predicate on the RHS and a data

node on the LHS. • Recursive invocation.

23

Entailment Algorithm

24

Matching

x::llhniÆ n>1 ` 9 m ¢ x::llhmiÆ m>0matching

n>1 ` n>0

x::llhniÆ n>1 ` x::llhmiÆ m>0matching

n=m Æ n>1 ` n>0

free var defn moved to current state in LHS

25

Preserving Free VariablesSpecification

void insert(node x, int v)requires x::llhni Æ n>0ensures x::llhn+1i

Callx = new node(0, null);insert(x, 1);

Precondition checkx’::nodeh0,nulli ` x’::llhni Æ n>0n=1 ` n>0

Program state after adding postconditionx’::llhn+1i Æ n=1

free variable linkingpre and post conditions

26

Unfolding

x::llhniÆ n>1 ` 9r, m ¢ x::nodeh_,ri r::llhmiÆ m>0

Unfolding9q ¢ x::nodeh_, qi q::llhn-1i Æ n>1 `

9r, m ¢ x::nodeh_, ri r::llhmi Æ m>0

Matchingq1::llhn-1iÆ n>1 ` 9m ¢ q1::ll<m> Æ m>0

27

y=null ` y::llhmi Æ m=0

Recursive entailmenty=null ` y=null Æ m=0

Ç y::nodeh_,ri r::llhm-1i

Backy=null Æ m=0 ` m=0

Folding: Base Case

28

x::nodeh_, ri Æ r=null ` x::llhni Æ n>0

Recursive entailmentx::nodeh_, ri Æ r=null `

9q,k ¢ x::nodeh_,qi q::llhki Æ k=n-1Ç x=null Æ n=0

r=null ` 9k ¢ r::llhki Æ k=n-1

Backr=null Æ n-1=0 ` n>0

Folding: Recursive Case

29

Outline• Background• Our Approach• Why Verification?• Entailment• Approximation• Expressiveness


30

Approximation

• Each predicate is approximated by a pure constraint.

• When the consequent’s heap is empty, the antecedent is approximated by a pure constraint.

• Entailment is reduced to entailment of pure constraints.

31

Approximation: Examples

• XPure(x::nodeh i y::nodeh i) = ex i. x=i Æ i>0 ex j. x=j Æ j>0 = i,j. (x=i Æ i>0 Æ y=j Æ j>0 Æ ij)

• XPure0(x::llhni)= n ¸ 0 (too weak)

• XPure1(x::llhni)= i. (x=0 Æ n=0 Ç x=i Æ i>0 Æ n>0)

32

Translating to Pure Form

33



34

Multiple Pre/Post• Each method may have multiple

pre/post conditions.

node append (node x, node y)requires x::lln y::llm ensures res::lln+m

Æ requires x::sortln,a1,a2 y::sortlm,b1,b2

& a2 · b1 ensures res::sortln+m,a1,b2

{ if x=null then { return y} else { x.next = append(x.next,y);

return x; }}

35

Multiple Pre/Post

• More pre/post for append possible!

node append (node x, node y)requires x::lln Æ x=y Æ n>0 ensures res::clistn

Æ requires x::sortln,a1,a2 Æ y=null ensures res::sortln,a1,a2 …

requires x::lln Æ xy ensures res::lsegn,y

36

Set of States 1 ` 2 {3,.., n}

• {3,.., n} denotes non-deterministic outcome from proof search.

• { } means entailment has failed.

• Modified Floyd-Hoare style forward reasoning :{} code {1,..,n}

37

Related Predicates• Some predicates may be related.

• Every sorted list is also an unsorted list.

lln self=null n=0 self::node_,r r::lln-1 inv n0

sortln,min,max self::nodemin,null min=max Æ n=1

self::nodemin,q q::sortln-1,k,max mink inv n1 Æ min·max

sortln,min,max ) self::lln

This coercion is used in bubble sorting.

38

Coercion Rules Allowed

c1v1* ) 9 v* ¢ self::c2v2

* Æ

Implication

c1v1* ( 9 v* ¢ self::c2v2

* Æ

Reverse-Implication

c1v1* , 9 v* ¢ self::c2v2

* Æ

Equivalence

39

Equivalence Coercion

Definition of list segment is inadequate

Termination ensured by well-formed and well-founded property

Important to have equivalence coercion :

lsegn,p self=p n=0 self::node_,r r::lsegn-1,p inv n0

basicdefinition

extraproperty

40

Proof Search via Equiv. Coercion

x::lsegn,p … ` x::lsegm,r …

match

… ` [n/m,p/r] … unfold lsegn,p

x::lsegi,q q::lsegj,p Æ n=i+j …

` x::lsegm,r …

fold lsegm,r

x::lsegn,p … ` x::lsegi,q q::lsegj,r Æ m=i+j

41

Experiments

42

Conclusion

• User-defined data structures with size-based invariants

• Sound and terminating entailment checking

• Expressive verification with proof search and coercion rules.

• Future work: inference + debugging + extensions.

43

Termination

• Each step reduces consequent or antecedent.

• No infinite unfolding• self must point to a data node• Consequent is reduced with after each

unfold

• No infinite folding• Antecedent is reduced with each folding.

44

Handling Multiple Pre/Post

45

Verification of Shared Mutable Data Structures

• Hoare and He, “A Trace Model for Pointers and Objects”, ECOOP 1999• The complexity of pointer swing

• “perhaps a crippling disadvantage”

• Bornat, “Proving Pointer Programs in Hoare Logic”, MPC 2000• Aliasing• Inductive formulae• Complexity of proof

46

Existential Variables

47

Example: how to compare these two?• x::ll<1> |- x::ll<m> & m>0

• Precondition• m must be a fresh variable

• x::ll<1> |- ex m. x::ll<m> & m>0

48

Matching

49

Folding

• Summarize a heap configuration to a predicate

• May result in multiple instances of the predicate

• All resulted possibilities are explored

50

Example

• x::ll<n> & n>1 |- ex r. x::node<_,r> & r!=null

51

Example (animated steps)

• y=null |- y::ll<n> & n>0

• x::node<..> * r::sortl<> & … |- x::sortl<..>

52

Soundness

• What are the issues with soundness:• Free variables are fresh

53

Predicate Definition

• Need to make clear the distinction between self and other arguments

• This helps explain why “free” arguments can be treated that way

54

Related Works

• Berdine, Calcagno, O’Hearn, “Symbolic Execution with Separation Logic”, APLAS 2005• Fixed set of predicates without size properties• Complete semantics for these predicates

• Sims, “Extending Separation Logic with Fixpoints and Postponed Substitution”, AMAST 2004• Formulated using least/greatest fixpoint operators• Unclear how to carry out entailment/analysis

55

Set of States

56

Why Verification? Annotation versus Analysis

• Scope for user-guidance

• Improved expressivity.

• Validator for analysis.

• Towards Grand Challenge of verified software.

• Utopia : Marriage of annotation and analysis

57

AVL treeavlh self = null Æ h = 0 Ç self::nodeh,h, p, qi p::avlhh1i q::avlhh2i

Æ -1 · h1-h2 · 1 Æ h = max(h1,h2) + 1 inv h¸0

avlh,b self = null Æ h = 0 Æ b=0 Ç self::nodeh,h, p, qi p::avlhh1,b1i q::avlhh2,b2i

Æ -1 · h1-h2 · 1 Æ h = max(h1,h2) + 1 Æ b = h1 - h2 inv h¸0 Æ -1·b·1

derived attribute captures more informationwhich may be needed for some verification tasks

58

AVL Insertnode insert(node t, int x) requires t::avlhth, bi ensures res::avlhresh, resbi Æ (tnull Æ (th=resh Ç resh=th+1 Æ resb0) Ç t=null Æ resh=1 Æ resb=0);{ if (t==null) {…} else if (x < t.ele) { t.left = insert(t.left, x); if (height(t.left) - height(t.right) == 2) { if (height(t.left.left) > height(t.left.right))

t = rotate_left_child(t); else t = double_left_child(t); } } …}

t’::nodeh_,th,l,ri l::avlhlh,lbi r::avlhrh,rbi

t’::nodeh_,h,l1,ri l1::avlhlh1,lb1i r::avlhrh,rbi Æ lh1 – rh = 2 Æ (l null Æ (lh1 = lh Ç lh1 = lh + 1 Æ lb1 0) Æ -1 · lh –

rh · 1 Ç lh1=1Æ l = null)

1 Dependable Software via Automated Verification Huu Hai Nguyen(NUS) Cristina David(NUS) Shengchao...

Documents

Transcript of 1 Dependable Software via Automated Verification Huu Hai Nguyen(NUS) Cristina David(NUS) Shengchao...