
Published by Sheldon Damask. Modified over 2 years ago.

1
Automated Verification with HIP and SLEEK
Asankhaya Sharma

2
Recall the List Length Example

    int length(struct node* p)
    /*@ requires p::list<n>
        ensures  p::list<n> & res=n; */
    {
      if (p == NULL) return 0;
      else return 1 + length(p->next);
    }

The slide annotates the specification with the three properties the list predicate can express: memory safety (p points to a well-formed list), the length of the list (the parameter n, so that res=n is expressible), and the bag of values stored in the list.

3
Total Correctness

    int length(struct node* p)
    /*@ requires p::list<n> & Term[n]
        ensures  p::list<n> & res=n; */
    {
      if (p == NULL) return 0;
      else return 1 + length(p->next);
    }

Termination metric: Term[n] names a ranking function, a measure that is bounded below and decreases with each recursive call (or loop iteration). Here the measure is the list length n, which shrinks by one at the call length(p->next).

4
Termination Examples for SLEEK

    checkentail Term[m] & m > n |- Term[n].
    checkentail x::list<n> & x != null & Term[n] |- x::node<_,p> * p::list<m> & Term[m].
    checkentail Term[m] |- Loop.
    checkentail Term[m] |- MayLoop.

The first two entailments are Valid: a Term[n] obligation is discharged by a caller's Term[m] only when the measure strictly decreases (m > n; in the second entailment, unfolding x::list<n> for a non-null x gives m = n-1). The last two are Invalid: a call made under Term[m] must itself terminate, so it cannot be matched against a Loop or MayLoop specification.

5
Structured Specifications
Richer specifications that provide guidance to automated verification:
- Support automatic case analysis
- Support reuse of verification
- Support multiple specifications

6
Trivial Loop Example

    while (z != n)
      requires true
      ensures  z' = n
    { z = z + 1; }

The precondition plays the role of the loop invariant; the postcondition describes the final state when the loop exits (z' is the value of z on exit). With requires true the specification says nothing about termination: when does this loop terminate?

7
With Termination

    while (z != n)
      requires z <= n & Term[n-z]
      ensures  z' = n
    { z = z + 1; }

Term[R] specifies the ranking function R; here n-z is non-negative under z <= n and decreases by one on every iteration.

8
With Non-Termination

    while (z != n)
      requires z > n & Loop
      ensures  false
    { z = z + 1; }

Loop states that the loop never terminates from this precondition (z only moves further away from n); the postcondition false signifies an unreachable exit.

9
Recall Multiple Specs

    while (z != n)
      requires z <= n & Term[n-z]
      ensures  z' = n;
      requires z > n & Loop
      ensures  false;
    { z = z + 1; }

Two separate specifications for one loop; the verifier has to select the one whose precondition holds at the call site, which is a form of case analysis.

10
Case Structure
Case specification:

    case {
      p1 -> requires R1 ensures Q1;
      p2 -> requires R2 ensures Q2;
    }

A case specification is analogous to LEM (the law of excluded middle): the guards p1, p2 split the state space, and the split can be applied during verification to support more comprehensive reasoning.

11
Why Case?
The presence of case structures enables:
- Automatic case analysis
- Clearer and more concise specifications

12
Case Specs for Scenario Analysis
Trivial loop with multiple scenarios revisited:

    while (z != n)
      case {
        z <= n -> requires Term[n-z] ensures z' = n;
        z >  n -> requires Loop      ensures false;
      }
    { z = z + 1; }

13
A Tricky Loop
What termination spec to give to this loop?

    while (x > 0) { x = x + y; }

14
Case Specs for Scenario Analysis
Three scenarios:

    while (x > 0)
      case {
        x <= 0 -> ensures x' = x;
        x >  0 -> case {
                    y >= 0 -> ensures false;
                    y <  0 -> ensures y
                  }
      }
    { x = x + y; }

(The postcondition of the y < 0 scenario is cut off in the source.) When x <= 0 the body never runs and x is unchanged; when x > 0 and y >= 0, x never decreases and the loop never exits; when x > 0 and y < 0, x decreases on every iteration and the loop exits.

15
With Termination Specs

    while (x > 0)
      case {
        x <= 0 -> requires Term[]  ensures x' = x;
        x >  0 -> case {
                    y >= 0 -> requires Loop    ensures false;
                    y <  0 -> requires Term[x] ensures y
                  }
      }
    { x = x + y; }

Term[] (no measure) marks the scenario in which the loop body never runs; Term[x] uses x itself as the ranking function, which is positive whenever the body is about to run and strictly decreases by |y| on each iteration when y < 0. (The last postcondition is cut off in the source.)

16
McCarthy 91 Function
This function returns 91 for every input n <= 100 (and n-10 for n > 100):

    int mcCarthy(int n) {
      if (n > 100) return n - 10;
      else return mcCarthy(mcCarthy(n + 11));
    }

Nested recursion: the argument of the outer call is the result of the inner call. Does it terminate?

17
Termination

    int mcCarthy(int n)
      case {
        n >  100 -> requires Term[]      ensures res = n-10;
        n <= 100 -> requires Term[100-n] ensures res = 91;
      }
    {
      if (n > 100) return n - 10;
      else return mcCarthy(mcCarthy(n + 11));
    }

For n <= 100 the measure 100-n decreases on both recursive calls: the inner call has argument n+11, and by the inner call's postcondition the outer call's argument is either n+1 (when n+11 > 100) or 91 (when n+11 <= 100, i.e. n <= 89), both of which have a smaller measure than n.

18
Further Reading
Gherghina, Cristian, Cristina David, Shengchao Qin, and Wei-Ngan Chin. "Structured specifications for better verification of heap-manipulating programs." In FM 2011: Formal Methods, pp. 386-401. Springer Berlin Heidelberg, 2011.
