Checking Reachability using Matching Logic

Grigore Rosu and Andrei StefanescuUniversity of Illinois, USA

2

Main GoalLanguage-independent program verification

frameworkDerive program properties from operational semanticsQuestions:

Is it possible? Is it practical?

Answers: Sound and complete proof system, so YES, it is possible! Efficient automated verifier MatchC, so YES, it is practical!

Overview

State-of-the-art in Certifiable Verification

Our ApproachSpecifying Reachability PropertiesReasoning about Reachability

4

Operational SemanticsEasy to define and understand

Can be regarded as formal “implementations”Require little mathematical knowledge

Great introductory topics in PL coursesScale up well

C (>1000 rules), Java, Scheme, Verilog, …, definedExecutable, so testable

C semantics tested against real benchmarks

5

Operational SemanticsSample rule (may require a configuration

context)

Define languages only with rules of the form

l, r are configuration termsb is a Boolean side condition

6

Unfortunately …Operational semantics considered inappropriate

for program verification; proofs are low-level and tedious:Formalization of and working with transition systemTypically by induction

on the structure of the programon the number of execution stepsetc.

7

Axiomatic Semantics(Hoare Logic)

Emphasis on program verificationProgramming language captured as a formal proof

system deriving Hoare triples

precondition postcondition

8

Axiomatic SemanticsNot easy to define and understand, error-prone

Not executable, hard to testRequire program transformations, behavior loss

Write e = 1 and you’ve got a wrong semantics!

9

State-of-the-art inCertifiable Verification

Define an operational semantics: trusted language model

Define an axiomatic semantics: for verification purposesProve axiomatic semantics sound for operational

semanticsNow we have trusted verification … BUT

Requires two semantics of the same language C operational semantics took more than 2 years!

Must be done individually for each language

Overview

State-of-the-art in Certifiable Verification

Our ApproachSpecifying Reachability PropertiesReasoning about Reachability

11

Our ApproachUnderlying belief: one semantics for each

language! Executable (testable), easy to define and understand Suitable for program verification, “as is”

Approach: language-independent proof system Takes operational semantics unchanged Derives program properties Both operational semantics rules and program

specifications stated as reachability rules

12

Reachability RulesPairs of configuration predicates

Reachability: Any concrete configuration satisfying and terminating reaches a configuration satisfying , in the transition system induced by the operational semantics .

Overview

State-of-the-art in Certifiable Verification

Our ApproachSpecifying Reachability

Properties Reasoning about Reachability

14

Reachability Rules- Operational + Axiomatic

-Operational flavor

Axiomatic flavor

15

Hoare Triple = Syntactic Sugar

16

Matching LogicState static properties of program configurations

Parametric in a model of configurationsExtends first-order logic with patterns

Special predicates which are configuration termsConfigurations satisfy patterns iff they match them

C Configurations Extra 70 cells

17

Model of Configurations- Properties -

Configuration abstraction (list)“Separation” achieved at term level

Operations (reverse)

18

Separation Logic =Matching Logic Instance

Separation logic: popular logic for heap propertiesMechanical translation to matching logic (see

paper)Configuration:Separation encoded using different sub-terms

No expressiveness loss from using matching logicMatching logic gives “structural separation”

anywhere in the configuration, not only in the heap

19

Operational and Axiomatic Semantics Rules as Reachability Rules

Reachability rules generalizeOperational semantics rulesHoare triples

Operational semantics rule is syntactic sugar for reachability rule

Hoare triple encoded in a reachability rule with the empty code in the right-hand-side (see FM’12)

Overview

State-of-the-art in Certifiable Verification

Our ApproachSpecifying Reachability PropertiesReasoning about Reachability

21

Reasoning about Reachability

The main result of our paper is a proof system deriving reachability rules from reachability rules:

Trusted reachability rules(starts with operational

semantics)

Target reachability rule

Claimed reachability rules

22

Reachability Proof System- 8 Rules -

Symbolic execution (multiple steps) Symbolic execution (one step)Code with circular behavior

23

Circular behaviorsCircularity and Transitivity proof rules

Hoare logic rule for while loops

Language-independent

Language-specific

24

Soundness

Theorem: If is derivable by the proof system, then is semantically valid.

25

Relative Completeness

RelativityValidity oracle for static configuration properties

Language-independent result, unlike Hoare logics

Theorem: If is semantically valid, then is derivable by the proof system, with the operational semantics of a language.

26

MatchCProof-of-concept verifier for a C fragmentDerives program specifications from the

operational semantics (in K framework) using the proof systemNo Hoare/separation logic, no WP, no VC generation

Automated, user only provideSpecifications for recursive functions and loops

27

MatchC Snapshot

List reverse: code + invariant

28

ImplementationHeuristics for applying the proof system

(forward) symbolic executionMatching logic reasoning

Maude: efficient structure matching and rearrangingmatching a list the heap, …

SMTs (CVC3, Z3): simplifying constraintssmall queries (milliseconds each)

29

Preliminary EvaluationProgram Time (s)Buffered read-write 0.15Stack inspection 0.24Insertion sort 0.41Merge sort 0.47Quicksort 1.97AVL find 0.15AVL insert 43.5AVL delete 133.58Schorr-Waite (tree) 0.28Schorr-Waite (graph) 1.73… …

Dozens more programs at matching-logic.org

Only annotated main functions (insert/delete).

Inlined auxiliary functions (balance, rotate, …).

30

ConclusionsMatching logic reachability proof system

Sound and (relatively) completePractical

MatchC, an automated verifierExpressiveEfficient

Operational semantics based verification is viable!

matching-logic.org