# Automated Verification with HIP and SLEEK (Asankhaya Sharma)



## Recall the List Length Example

```
int length(struct node* p)
/*@ requires p::list<n>
    ensures  p::list<n> & res = n; */
{
  if (p == NULL) return 0;
  else return 1 + length(p->next);
}
```

Slide annotations on the specification: memory safety; length of the list; bag of values.

## Total Correctness

```
int length(struct node* p)
/*@ requires p::list<n> & Term[n]
    ensures  p::list<n> & res = n; */
{
  if (p == NULL) return 0;
  else return 1 + length(p->next);
}
```

Termination metric: a ranking function which decreases with each recursive call (or loop iteration).

## Termination Examples for SLEEK

```
checkentail Term[m] & m > n |- Term[n].
checkentail x::list<n> & x != null & Term[n] |- x::node<_, p> * p::list<m> & Term[m].
checkentail Term[m] |- Loop.
checkentail Term[m] |- MayLoop.
```

Each entailment is marked on the slide with its outcome: Valid or Invalid.

## Structured Specifications

Richer specifications that provide guidance to automated verification:

- Support automatic case analysis
- Support reuse of verification
- Support multiple specifications

## Trivial Loop Example

```
while (z != n)
  requires true
  ensures  z' = n
{ z = z + 1; }
```

- The precondition is the same as the loop invariant.
- The postcondition of the loop is the final state when the loop terminates.
- When does this loop terminate?

## With Termination

```
while (z != n)
  requires z <= n & Term[n-z]
  ensures  z' = n
{ z = z + 1; }
```

Specify the ranking function with Term[R].

## With Non-Termination

```
while (z != n)
  requires z > n & Loop
  ensures  false
{ z = z + 1; }
```

The postcondition is false, which signifies an unreachable loop exit.

## Recall Multiple Specs

```
while (z != n)
  requires z <= n & Term[n-z]
  ensures  z' = n
  requires z > n & Loop
  ensures  false
{ z = z + 1; }
```

Case analysis.

## Case Structure

Case specification:

```
case {
  p1 -> requires R1 ensures Q1;
  p2 -> requires R2 ensures Q2;
}
```

Analogous to LEM (the law of excluded middle): it can be applied during verification to support more comprehensive reasoning.

## Why Case?

The presence of case structures enables:

- Automatic case analysis
- Clearer and more concise specifications

## Case Specs for Scenario Analysis

The trivial loop with multiple scenarios revisited:

```
while (z != n)
  case {
    z <= n -> requires Term[n-z] ensures z' = n;
    z > n  -> requires Loop ensures false
  }
{ z = z + 1; }
```

## A Tricky Loop

What termination spec should this loop be given?

```
while (x > 0) { x = x + y; }
```

## Case Specs for Scenario Analysis

Three scenarios:

```
while (x > 0)
  case {
    x <= 0 -> ensures x' = x;
    x > 0  -> case {
                y >= 0 -> ensures false;
                y < 0  -> ensures y
```

The postcondition of the `y < 0` scenario is cut off in the transcript.

## With Termination Specs

```
while (x > 0)
  case {
    x <= 0 -> requires Term[] ensures x' = x;
    x > 0  -> case {
                y >= 0 -> requires Loop ensures false;
                y < 0  -> requires Term[x] ensures y
```

The postcondition of the `y < 0` scenario is cut off in the transcript.

## McCarthy 91 Function

This function always returns 91 when its input is less than or equal to 100.

```
int mcCarthy(int n)
{
  if (n > 100) return n - 10;
  else return mcCarthy(mcCarthy(n + 11));
}
```

Nested recursion. Does it terminate?

## Termination

```
int mcCarthy(int n)
  case {
    n > 100  -> requires Term[] ensures res = n - 10;
    n <= 100 -> requires Term[100-n] ensures res = 91
  }
{
  if (n > 100) return n - 10;
  else return mcCarthy(mcCarthy(n + 11));
}
```
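Added example (my own Python, not code from the slides or from the HIP/SLEEK tools) covering both the tricky loop and the McCarthy 91 specs above: a runtime monitor that checks the Term[R] ranking functions the slides assign, so a reader can watch the `y >= 0` scenario get rejected (which is why it needs Loop) and see Term[100-n] decrease through both nested calls. The function names, the `state` dictionary and the `budget` bound are assumptions of this example.

```python
# Added example, not from the slides or the HIP/SLEEK tools: a runtime monitor
# that checks a Term[R] ranking function the way the static check reasons
# about it. R must be non-negative whenever the loop body or a recursive call
# is entered, and strictly smaller on every re-entry. The names below and the
# `budget` safety net are assumptions of this example.
class RankingViolation(Exception):
    """Raised when a Term[...] metric fails to decrease or goes negative."""


def run_loop(cond, body, metric, state, budget=10_000):
    """Execute `while cond(state): body(state)` under Term[metric(state)].
    Returns how many times the body ran."""
    prev, iterations = None, 0
    while cond(state):
        m = metric(state)
        if m < 0:
            raise RankingViolation(f"metric {m} < 0 at iteration {iterations}")
        if prev is not None and m >= prev:
            raise RankingViolation(f"metric did not decrease: {prev} -> {m}")
        prev = m
        body(state)
        iterations += 1
        if iterations >= budget:
            raise RankingViolation("budget exhausted: a Loop/MayLoop scenario")
    return iterations


def tricky_loop(x, y):
    """The slides' `while (x > 0) { x = x + y; }` monitored with Term[x].
    Returns (final x, iterations). With x > 0 and y >= 0 the metric fails
    to decrease at the first re-entry, matching the Loop case of the spec."""
    state = {"x": x, "y": y}
    iterations = run_loop(lambda s: s["x"] > 0,
                          lambda s: s.__setitem__("x", s["x"] + s["y"]),
                          lambda s: s["x"], state)
    return state["x"], iterations


def mccarthy(n, caller_metric=None):
    """McCarthy 91 under the case spec n > 100 -> Term[]; n <= 100 -> Term[100-n].
    `caller_metric` is the metric of the calling activation (None for Term[])."""
    if n > 100:
        return n - 10
    m = 100 - n
    if caller_metric is not None and not 0 <= m < caller_metric:
        raise RankingViolation(f"100-n did not decrease: {caller_metric} -> {m}")
    # Both nested calls are checked against this activation's metric.
    return mccarthy(mccarthy(n + 11, m), m)
```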

## Further Reading

Gherghina, Cristian, Cristina David, Shengchao Qin, and Wei-Ngan Chin. "Structured specifications for better verification of heap-manipulating programs." In FM 2011: Formal Methods, pp. 386-401. Springer Berlin Heidelberg, 2011.