1 / 31

Decidable Logics Combining Heap Structures and Data

Gennaro Parlato (LIAFA, Paris , France) Joint work with P. Madhusudan Xiaokang Qie University of Illinois at Urbana-Champaign. Decidable Logics Combining Heap Structures and Data. What is this talk about …. A new logic to reason with programs that manipulate heap + data using

lilika
Télécharger la présentation

Decidable Logics Combining Heap Structures and Data

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Gennaro Parlato (LIAFA, Paris, France) Joint work with P. Madhusudan XiaokangQie Universityof Illinois at Urbana-Champaign DecidableLogicsCombiningHeapStructures and Data

  2. Whatisthis talk about… A newlogictoreasonwithprogramsthatmanipulateheap + data using • deductiveverification • SMT solvers • Program • … • new(x); • … • x->next=y->next->next; • … • y=nil; • … • x->data = y->data +1; • … • free(x); • … 75 157 14 5 15 23 1000 7 1 90

  3. It’s a difficult problem! • Analysisofprogramsthat • Dynamicallyallocatedmemory • Mantaindata-structureinvariants (ex. BinarySearchTree) requirestoreasonwithunboundedheapswithunbounded data • Thisroles out classicalcombinationoftheories • likeNelson-Oppenscheme

  4. Whatwouldbedesirable ? A logicthatis: • Decidable • Expressiveenoughto state usefulproperties • Efficientin practice on real-worldprograms Wetrytogive a solutionthathas a goodbalanceoverall the goals!

  5. Reletedworks • HAVOC (Lahiri, Qadeer: POPL’08) • Decidable:YES • Expressive:NO (doubly-linkedlistscannotbeexpressed) • Efficient: YES on simpleprograms • CSL (Bouajjani,Dragoi, Enea, Sighireanu: CONCUR’09) • Decidable:YES • Expressive:NO • extends HAVAC tohandleconstraints on sizesofstructures • stillweak (propertiesofbinarytreesofunboundeddepthcannotbeexpressed) • Efficient: ?(no implementationisprovided) • The technique to decide the logics is encoded in the syntax • Hard to extend or generalize

  6. STRANDLogic

  7. Recursive data structures Defines a set ofgraphsthatwhich are interpretedover regular trees R = ( ψTr, validnode, {nodea}a∈ Lv, {edgeb}b∈Le ) • Family ofbinary • predicates • Leis a finite set of • edgelabels • Family ofunary • predicates. • Lvis a finite set of • nodelabels labedgeb(u,v) =true <=> u,v∈ N ∧ edgeb(u,v)=true labnodea(v) =true <=> v∈ N ∧ nodea(v)=true { v ∈ V | validnode(v) } MSO formula on k-ary Σ-lab trees {(u,v) | b∈Le & edgeb(u,v) } Unary predicate Rdefines a classofgraphs For every tree T=(V,->) accepted by ψTr, graph(T) = ( N, E, labnodea, labedgeb)

  8. Examplesof data stuctures En (s,t)= leaf(s) ∧ leaf(t) ∧∃ z1, z2, z3. ( El(z3,z1) ∧ RightMostPath( z1, s) ∧ Er(z3,z2) ∧ LeftMostPath( z2, t) ) z3 z1 z2 t s • Some data structuresthat can beexpressed: • Nestedlists • Cyclic and doubly-linkedlists • Threadedtrees

  9. STRANDlogic (STRuctureANd Data) ∃xn. ∀ym. φ(xn,ym) φ is an Monadic Second Order (MSO) formula that combines • heapstructuresand • data, where the data-constraints are only allowed to refer to xnand ym Syntaxof STRAND • DATAExpression e::= data(x) | data(y) | c | g(e1,...,en) • φFormula φ::= γ(e1,...,en) | α(v1,...,vn) • | ¬φ | φ1 ∧φ2 | φ1 ∨φ2 | z ∈ S | ∃z. φ | ∀z. φ | ∃S. φ | ∀S. φ • ∀Formula ω::= φ | ∀y.ω • STRAND ψ::= ω|∃x.ψ MSO

  10. ExpressingBinarySearchTree (BST) left right right left right left right left right right right left left leftbranch(y1, y2) ≡ ∃z. (left(y1, z) ∧ z →∗ y2) rightbranch(y1, y2) ≡ ∃z. (right(y1, z) ∧ z →∗ y2) ψbst ≡ ∀y1∀y2. ( leftbranch(y1,y2) ⇒ data(y2) < data(y1) ) ∧ ( rightbranch(y1,y2) ⇒ data(y1) ≤ data(y2) )

  11. VerificationConditions in STRAND(bst-search procedure) bstSearch PRE: ψbst ∧ ∃x.( key(root)=k ) Node curr=root; LOOP-INV: ψbst ∧ ∃x.(reach(curr,x)∧key(curr)=k) while ( curr.key!=k && curr!=null ) { if (curr.key>k) curr=curr.left; else curr=curr.right; } POST: ψbst ∧ key(curr)=k

  12. Deciding STRANDfragments

  13. Overview Given • a linear block ofstatementss • a STRANDpre-conditionPand a post-conditionQexpressedas a Booleancombinationof STRANDformulasof the form • ∃xn.φ(xn), ∀ym. φ( ym) checking the validityof the Hoare triple {P} s {Q} reducesto thesatisfiabilityof STRAND • Satisfiabilityof STRANDisundecidable • Weidentify a decidablefragmentof STRANDsemanticallydefinedbyusing the notionofsatisfiability-presevingembeddings

  14. Romovingexistentialquantifications Let ψ=∃xn.∀ym. φ(xn, ym) be a STRAND formula over a recursively data-structure R • define a newrec. data-structureR’ thatencoperates the existentallyquantifiedvariablesofxnaspointers in R’ (unary predicate Valifor the varxi ) • define ψ’= ∀xn∀ym. ((∧i=1,…,n Vali(xi)) => φ(xn, ym)) Claim: ψ’ is satisfiable on R’ iffψ is satisfiable on R

  15. Decidability: finite modelproperty Wedefine a partialorderoverheapsthatcaptures the followingintuition S< T(Ssatisfiability-preservinglyembedsintoT) if - SissmallerthanT (fewernodes) - EachnodeofSismatchedwith a distinctnodeofT - no mutterhow data are associatedto the nodesofT if Tsatisfies ψthen also S satisfies ψby inhering the data-values T S

  16. STRANDdec • Checkingthesatisfiability • weignoreT and • checkonlyS • Satisfiabilityisdoneonly on the minimalmodels • STRANDdecis the classof the formulasthathas a finite set of minimal models • Satisfiabilityreducesto the satisfiabilityof the quantifier-freetheoryof the data-logic

  17. Definingsatisfiability-preservinglyembeddings: sub-models LetTbe a treedefining a graphof the givenRec. Data-structure A subset SofnodesofTisvalid: • Not-empty & least-ancestorclosed • The subtreedefinedbySalsodefinesa data-structure Submodels can bedefined in MSO

  18. Definingsatisfiability-preservinglyembeddings: abstractingdata Let ψ=∀yn. φ(yn) be a STRAND formula, and γ1, …,γrbe the atomic relational formulas of the data-logic. • Example: ψsorted : ∀y1,y2. ( (y1->*y2 ) => (data(y1) ≤ data(y2)) ) Define the pure MSO formula ψ’=∀yn. ∃b1, …, br.φ’ (yn,b1, …, br) where φ’ is obtainedfromφ by replacingγiwith the predicate bi • Example: ψsorted : ∀y1,y2. ( (y1->*y2 ) => data(y1) ≤ data(y2) ) ψ’sorted : ∀y1,y2.∃b. ( (y1->*y2 ) => b) • Claim: ifψ is satisfiable on a recursive data-structure R thenψ’ is also satisfiable on R. • The other direction doesnothold OVER-APPROXIMATION

  19. MinModels &Satisfiability-PreservingEmbeddings T • ψ=∀yn. φ(yn) • ψ’=∀yn. ∃b1, …, br.φ’ (yn,b1, …, br) • MinModelψ= \* pure MSO formula *\ • ψTr// the tree defines a valide heap T • ∧interpret(ψ’) // ψ’ holds true on T • ∧ // NO satisfiability-preserving embeddings in T • ¬∃S. ( NonEmpty(S) ∧ ValidSubModel(S) • ∧ (∀ym. ∀b1, …, br. • (∧i∈ [m] (yi∈ S) ∧ interpret(φ’ (yn,b1, …, br)) • => interpret( S, φ’ (yn,b1, …, br) ) • ) ) S

  20. Decision procedure • TransformMinModelstotree-automatonTA MinModels -> TA • Checkfinitenessfor TA • Extract all trees accepted by TA: TA -> T1, …, Tt • For eachTi build the finite graph Gi Ti -> Gi • Create a quantifier-free formula λi for GiGi -> λi • a data-variableforeachnode • ∀’s are “expanded” in conjunctions • ∃’s are “expanded” in disjunctions • data-constraints in STRAND are directlywritten in the data-logic • The quantifier-free formula∨i=1,…,tλiis a pure data-logic formula that is satisfiable iff the original formula ψ is satisfiable on R

  21. ProgramVerificationwith STRAND

  22. idea Hoare-triples: ( (R, Pre), P, Post ) • R • Pre ∈ STRAND∃,∀ • P: • Node t = newhead; • newhead = head; • head = head.next; • newhead.next = t; • Post ∈STRAND∃,∀ ⇒ Is ψ ∈ Strand Satisfiable over RP ? • Idea: capture the entirecomputationofPstartingfrom a particularrecursivedata-structureRusing a single data-structureRP

  23. The reductionto the satisfiability Error = ∨i ∈[m](PreRp ∧∧j∈[i −1] πj ∧ errori ) ViolatePost = PreRp∧ ∧j∈[m] πj∧¬PostRp Theorem The Hoare-triple (R, Pre, P, Post) does not hold iff the STRAND formula Error ∨ ViolatePost is satisfiable on the trail RP

  24. Evaluation

  25. Experiments

  26. bst-search procedure bstSearch (pre: ψbst ∧ ∃x.(key(root) = k)) Node curr=root; (loop-inv: ψbst ∧∃x.(reach(curr,x)∧key(curr)=k)) while ( curr.key!=k && curr!=null ){ if (curr.key>k) curr=curr.left; else curr=curr.right; } (post: ψbst ∧ key(curr) = k)

  27. MONA formula forbst-search

  28. Webpageof STRAND http://cs.uiuc.edu/~qiu2/strand/ • Code • Experiments • Tableof the experiments

  29. Conclusions & Future Work

  30. Conclusions WehavepresentedSTRAND a logicforreasoningaboutstructures and data whichhasgoodbalanceamong • Decidability • Expressiveness • Efficiency • Webelievethis work • breaksnewground in combiningstructures and data • maypave the way fordefiningdecidablefragmentsofotherlogics

  31. Future Work • Alternative to MONA? • Syntacticdecidablefragments • Back-and-forth connection between the structural part and the data part

More Related