1 / 58

Modular Verification via Separation Logic

Modular Verification via Separation Logic. Wei-Ngan Chin National University of Singapore ( joint work with Cristian, Cristina, Le Binh, Huu Hai, Shengchao). Quote. “Trust but Verify.” by Ronald Reagan. “The Goliath of totalitarianism will be

giselle-avery
Télécharger la présentation

Modular Verification via Separation Logic

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Modular Verification via Separation Logic Wei-Ngan Chin National University of Singapore ( joint work with Cristian, Cristina, Le Binh, Huu Hai, Shengchao)

  2. Quote “Trust but Verify.” by Ronald Reagan. “The Goliath of totalitarianism will be brought down by the David of the microchip.” by Ronald Reagan.

  3. Paraphrase “The reputation of corporations can be brought down by software and other bugs.”

  4. MAS near accident Aug 2005 Boeing 777-200 Software took readings from a faulty accelerometer when a second one failed

  5. Proposition Design and build software that are correct by construction. Use tools to find bugs early.

  6. Background • 2000’s : impressive practical advances in automatic program verification • SLAM : verified safety protocol properties of device drivers in Windows (now as a library in Windows 7) • ASTREE : no runtime errors in Airbus • Missing Link : • ASTREE : no dynamic pointer allocation • SLAM : assumes memory safety • Many important programs make serious use of heap .. but heap verification is hard.

  7. Challenges • Aliasing, heap/memory and recursion. • Complex data structures with invariants. Our Search for Solution Types  Separation Logic

  8. Outline • Introducing Separation Logic • Modularity 1 : Leveraging Pure Provers • Modularity 2 : Structured Specs • Modularity 3 : OO Verification • Conclusion

  9. Separation Logic • Extension to Hoare logic to reason about shared mutable data structures. • Foundations • O’Hearn and Pym, “The Logic of Bunched Implications”, Bulletin of Symbolic Logic 1999 • Reynolds, “Separation Logic: A Logic for Shared Mutable Data Structures”, LICS 2002

  10. Separation Logic Formula : x  y  y  x x y Heap :

  11. Separation Logic Formula : x  y x y Heap :

  12. Separation Logic Formula : y  x x y Heap :

  13. 10 20 x=10 y=20 20 10 Separation Logic Formula : x  y  y  x x y Heap :

  14. Separation Logic Formula : x  y x y Heap : 10 x=10 y=20 20

  15. Separation Logic Formula : y  x x y Heap : 20 x=10 y=20 10

  16. Separation Logic Formula : x  y  y  x x y Heap :

  17. not multiply! Formula for Heaplet • Add to Classical Logic • emp // heaplet is empty • x  y // heaplet has exactly one cell • A * B // heaplet is divided so that A holds in // one partition, while B the other • Add inductive definitions, lemmas and other fancy operators.

  18. No duplication A ` A * A (10  2) ` (10  2) * (10  2) No Loss A * B ` A A Substructural Logic • Logic for resources (i.e. memory) unless we use intuitionistic logic (10  2) * (20  3) ` (10  2)

  19. 10 10 2 2 An Inconsistency • Trying to be two places at same time! (x  2) * (x  2) (x  2) * (x  2) ` false

  20. Alternative View More generally : x  y (x  _) * (y  _) `

  21. unchanged frame Using frame rule : { x  _ } [x]:=7 { x  7 } Reasoning over Heap Update { (x  _) * R } [x]:=7 { (x  7) * R } { true } [x]:=7 { ??}

  22. Deallocation/Allocation { x  _ } dispose(x) { emp } { true } dispose(x) { ?? } { emp } x=cons(a,b) { x  a,b }

  23. Sequential Composition Intermediate state • Intermediate state computed in a forward manner.

  24. footprint Frame Rule • Memory footprint captures the heap state that is accessed by a given code.

  25. With Separation Logic { list(x) } deleteNodes(x) { emp } Before Separation Logic Example : to dispose all nodes in a linked list. { list(x) Æ reach(p,n) } deleteNodes(x) { : allocated(n) }

  26. Outline • Introducing Separation Logic • Modularity 1 : Leveraging Pure Provers • Modularity 2 : Structured Specs • Modularity 3 : OO Verification • Conclusion

  27. range of pure provers … Overall System Predicates Lemmas Code Pre/Post separation logic prover (SLEEK) code verifier (HIP) Omega, MONA, Coq, SMT, Redlog

  28. x::lsegy x y::lsegx y Inductive Predicates root::lsegp  root=p  9 r . root::node_,r  r::lsegp x::lsegy * y::lseg x

  29. y::lsegx,2 … with Size root::lsegp,n  root=p Æ n=0  9 r . root::node_,r  r::lsegp,n-1 inv n ¸ 0 x::lsegy,3 x y

  30. … with Size & Bag root::lsegp,n,S  root=p Æ n=0 Æ S={}  9 r . root::nodev, r  r::lsegp,n-1,S1 Æ S={v} [ S1 inv n ¸ 0 & n=|S|

  31. .. with Sortedness root::lsortp,S  root=p Æ S={}  9 r . root::nodev, r  r::lsortp,S1 Æ S={v} [ S1 Æ8 x 2 S1. v · x

  32. .. with AVL balancing root::avlh root = null Æ h = 0 Ç root::nodeh_, p, qi p::avlhh1i q::avlhh2i Æ-1 · h1-h2 · 1Æ h=1+max(h1,h2) inv h¸0

  33. Lemmas • Used to relate predicates x::lsortp,S ) x::lseg<p,n,S> Æ n=|S| Philosophy : Lemmas invented by users but automatically proven and applied by our system.

  34. Example of Code Specification node insert(node x, node vn) requiresx::lsortnull,Svn::nodev,_Æxnullensuresres::lsortnull,S [ {v} {if (vn.val≤x.val) then { vn.next = x; return vn; } else if (x.next=null) then { x.next = vn; vn.next = null; return x; } else {x.next = insert(x.next, vn); return x; } }

  35. Separation Logic Entailment 1`2 3 • 1 must “subsumes” all heap nodes in 2. antecedent consequent residual • Residual nodes are then kept in 3. • ALGORITHM : Ensure all nodes in 2 are subsumed by 1, then convert to an arithmetic implication check.

  36. Features • Unfold/Fold Transformation. • Supports Existential Instantiation • Supports Proof Search (with Lemmas) • Approximation to Pure Provers

  37. Approximation to Pure Form • Entailment is reduced to implication of pure constraints when the consequent’s heap is empty. • Each predicate is approximated by a pure constraint (based on its invariant).

  38. XPure0(x::lseghnull,ni) = n ¸ 0 too weak more info Approximation XPuren(x::nodehi y::nodehi) = (ex i. x=i Æ i>0)  (ex j. y=j Æ j>0) = i,j. (x=i Æ i>0 Æ y=j Æ j>0 Æ ij) XPure1(x::lseghnull,ni) = i. (x=0 Æ n=0 Ç x=i Æ i>0 Æ n-1¸0)

  39. Outline • Introducing Separation Logic • Modularity 1 : Leveraging Pure Provers • Modularity 2 : Structured Specs • Modularity 3 : OO Verification • Conclusion

  40. disjunctive normal form pure logic heap logic Flat Specification Simple but less readable and less modular.

  41. Example with Original Spec root::avlh,n,S,b root=null Æ h=n=b=0 Æ S={ } Ç root::nodehv, p, qi p::avlhh1,n1,S1,b1i  q::avlhh2,n2,S2,b2iÆh1=h2 Æ b=0Æ D Ç root::nodehv, p, qi p::avlhh1,n1,S1,b1i  q::avlhh2,n2,S2,b2iÆ1+h1=h2 Æ b=-1Æ D Ç root::nodehv, p, qi p::avlhh1,n1,S1,b1i  q::avlhh2,n2,S2,b2iÆh1=1+h2 Æ b=1Æ D inv h¸0 Æ n ¸ 0 Æ -1· b· 1 D = (n=1+n1+n2 Æ S={v} [ S1 [ S2 Æ 8 x 2 S1. x · v Æ8 x 2 S2 x ¸ v)

  42. case analysis staged formula with Structured Spec root::avlh,n,S,b case root=null! h=n=b=0 Æ S={ } root null! root::nodehv, p, qip::avlhh1,n1,S1,b1i  q::avlhh2,n2,S2,b2iÆ n=1+n1+n2 Æ S={v}[S1 [S2 Æ8 x2S1.x · v Æ8 x2S2.x ¸ v case h1=h2! b=0 1+h1=h2! b=-1 h1=1+h2! b=1 inv h¸0 Æ n ¸ 0 Æ -1· b· 1

  43. Structured Spec • More readable. • Better sharing. • More precise ‘cos of case analysis. • Better scalability

  44. Experiment

  45. Better Scalability • Explicitly break into smaller proofs. • Modularity allows down-sized formula. Important when pure provers are unscalable. • AVL example : 987 sec  76 sec.

More Related