
Published by Sheldon Damask. Modified over 4 years ago.

Slide 1: Automated Verification with HIP and SLEEK
Asankhaya Sharma

Slide 2: Recall the List Length Example

    int length(struct node* p)
    /*@ requires p::list<n>
        ensures  p::list<n> & res=n; */
    {
      if (p == NULL) return 0;
      else return 1 + length(p->next);
    }

Callouts on the specification: memory safety (the list shape), the length of the list (n), and the bag of values the list holds.

Slide 3: Total Correctness

    int length(struct node* p)
    /*@ requires p::list<n> & Term[n]
        ensures  p::list<n> & res=n; */
    {
      if (p == NULL) return 0;
      else return 1 + length(p->next);
    }

Termination metric: a ranking function that decreases with each recursive call (or loop iteration).

Slide 4: Termination Examples for SLEEK

    checkentail Term[m] & m > n |- Term[n].
    checkentail x::list<n> & x != null & Term[n] |- x::node<_, p> * p::list<m> & Term[m].
    checkentail Term[m] |- Loop.
    checkentail Term[m] |- MayLoop.

SLEEK answers each entailment check with Valid or InValid.

Slide 5: Structured Specifications

Richer specifications that provide guidance to automated verification:
- Support automatic case analysis
- Support reuse of verification
- Support multiple specifications

Slide 6: Trivial Loop Example

    while (z != n)
      requires true
      ensures  z' = n
    { z = z + 1; }

The precondition is the same as the loop invariant. The postcondition of the loop is the final state when the loop terminates. When does this loop terminate?

Slide 7: With Termination

    while (z != n)
      requires z <= n & Term[n-z]
      ensures  z' = n
    { z = z + 1; }

Specify the ranking function as Term[R].

Slide 8: With Non-Termination

    while (z != n)
      requires z > n & Loop
      ensures  false
    { z = z + 1; }

The postcondition is false, which signifies that the loop exit is unreachable.

Slide 9: Recall Multiple Specs

    while (z != n)
      requires z <= n & Term[n-z]
      ensures  z' = n
      requires z > n & Loop
      ensures  false
    { z = z + 1; }

Two specifications for the same loop: this is a case analysis on the initial state.

Slide 10: Case Structure

Case specification:

    case {
      p1 requires R1 ensures Q1;
      p2 requires R2 ensures Q2;
    }

Analogous to LEM (the law of the excluded middle): it can be applied during verification to support more comprehensive reasoning.

Slide 11: Why Case?

The presence of case structures enables:
- Automatic case analysis
- Clearer and more concise specifications

Slide 12: Case Specs for Scenario Analysis

The trivial loop with multiple scenarios revisited:

    while (z != n)
      case {
        z <= n requires Term[n-z] ensures z' = n;
        z > n  requires Loop      ensures false;
      }
    { z = z + 1; }

Slide 13: A Tricky Loop

What termination spec should be given to this loop?

    while (x > 0) { x = x + y; }

Slide 14: Case Specs for Scenario Analysis

Three scenarios:

    while (x > 0)
      case {
        x <= 0 ensures x' = x;                 // Base case
        x > 0  case {
                 y >= 0 ensures false;         // Non-terminating
                 y < 0  ensures y < x' <= 0;   // Recursive but terminating
               }
      }
    { x = x + y; }

Slide 15: With Termination Specs

    while (x > 0)
      case {
        x <= 0 requires Term[]  ensures x' = x;
        x > 0  case {
                 y >= 0 requires Loop    ensures false;
                 y < 0  requires Term[x] ensures y < x' <= 0;
               }
      }
    { x = x + y; }
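As an added example that is not from the slides, the C program below checks the case specification of the tricky loop at run time rather than statically: it classifies the initial state (x, y) into the three scenarios, refuses to run the Loop scenario (its exit state does not exist), and in the terminating scenarios asserts on every iteration that the ranking function Term[x] is bounded below and strictly decreases, then asserts the branch's postcondition. The names classify, guard_preserved, run_loop and spec_case are my own, not HIP/SLEEK identifiers.

```c
/* Added example, not from the slides: the tricky loop instrumented to check
 * its case specification at run time.
 *   x <= 0            Term[]  : loop body never runs, x' = x
 *   x > 0 and y >= 0  Loop    : never exits (ensures false)
 *   x > 0 and y < 0   Term[x] : exits with y < x' <= 0
 * All function and enum names here are my own choice. */
#include <assert.h>
#include <stdio.h>

enum spec_case { CASE_BASE, CASE_LOOP, CASE_TERM };

/* Which branch of the case spec covers the initial state (x, y). */
enum spec_case classify(int x, int y) {
    if (x <= 0) return CASE_BASE;
    if (y >= 0) return CASE_LOOP;
    return CASE_TERM;
}

/* Why the Loop branch ensures false: from x > 0 and y >= 0 one body
 * execution gives x + y > 0, so the guard holds again and the exit is
 * unreachable. Returns 1 when the state is in that branch and the guard
 * is preserved, 0 otherwise. */
int guard_preserved(int x, int y) {
    return x > 0 && y >= 0 && (x + y) > 0;
}

/* Run the loop for the terminating scenarios and return the final x (x').
 * Term[x]: the ranking function is the current value of x; while the loop
 * is still running it must be non-negative, and each iteration must make it
 * strictly smaller, which is what Term[x] promises the verifier.
 * The Loop scenario is not run; x is returned unchanged. */
int run_loop(int x, int y) {
    enum spec_case which = classify(x, y);
    int x0 = x;
    if (which == CASE_LOOP) return x;
    while (x > 0) {
        int rank = x;        /* ranking function before the step */
        assert(rank >= 0);   /* bounded below while the loop runs */
        x = x + y;
        assert(x < rank);    /* strictly decreases on every iteration */
    }
    /* postconditions of the two terminating branches */
    if (which == CASE_BASE) assert(x == x0);
    if (which == CASE_TERM) assert(y < x && x <= 0);
    return x;
}

int main(void) {
    printf("run_loop(7, -2) = %d\n", run_loop(7, -2));
    printf("run_loop(-3, 5) = %d\n", run_loop(-3, 5));
    printf("guard_preserved(3, 0) = %d\n", guard_preserved(3, 0));
    return 0;
}
```

Running it with (7, -2) walks 7, 5, 3, 1, -1 and exits at -1, which satisfies y < x' <= 0; with (-3, 5) the body never executes and x' = x; with (3, 0) the state is classified as Loop and the loop is not entered.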

Slide 16: McCarthy 91 Function

This function always returns 91 when the input is less than or equal to 100.

    int mcCarthy(int n) {
      if (n > 100) return n - 10;
      else return mcCarthy(mcCarthy(n + 11));
    }

Nested recursion. Does it terminate?

Slide 17: Termination

    int mcCarthy(int n)
      case {
        n > 100  requires Term[]      ensures res = n - 10;
        n <= 100 requires Term[100-n] ensures res = 91;
      }
    {
      if (n > 100) return n - 10;
      else return mcCarthy(mcCarthy(n + 11));
    }
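As an added example that is not from the slides, the following C code re-implements mcCarthy with the termination argument of the case spec checked at run time: each recursive call made from a frame with n <= 100 must either land in the n > 100 branch (Term[], which needs no ranking function because it does not recurse) or land in a frame whose measure 100 - n is strictly smaller and still non-negative. The helper names measure and mc_checked, and the caller_measure parameter, are my own.

```c
/* Added example, not from the slides: McCarthy 91 with the ranking function
 * from the case spec checked on every recursive call.
 *   n > 100   Term[]        ensures res = n - 10
 *   n <= 100  Term[100 - n] ensures res = 91
 * The helper names below are my own. */
#include <assert.h>
#include <stdio.h>

/* Ranking function of the n <= 100 branch. */
int measure(int n) { return 100 - n; }

/* caller_measure is the caller's ranking value, or -1 for the top-level
 * call (no caller to compare against). */
static int mc_checked(int n, int caller_measure) {
    if (n <= 100 && caller_measure >= 0) {
        assert(measure(n) >= 0);              /* bounded below */
        assert(measure(n) < caller_measure);  /* strictly smaller than caller */
    }
    if (n > 100) return n - 10;               /* Term[]: no recursion here */
    /* Both nested calls are made from a frame whose measure is 100 - n. */
    int inner = mc_checked(n + 11, measure(n));
    int res = mc_checked(inner, measure(n));
    assert(res == 91);                        /* ensures res = 91 */
    return res;
}

int mcCarthy(int n) { return mc_checked(n, -1); }

int main(void) {
    printf("mcCarthy(0)   = %d\n", mcCarthy(0));
    printf("mcCarthy(100) = %d\n", mcCarthy(100));
    printf("mcCarthy(150) = %d\n", mcCarthy(150));
    return 0;
}
```

The inner call mcCarthy(n + 11) trivially lowers the measure by 11 when it stays in the n <= 100 branch; the outer call receives either n + 1 (when n + 11 > 100) or 91, and in both cases the measure 100 - n of the new frame is below that of the caller, which is the argument the verifier needs for Term[100-n].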

Slide 18: Further Reading

Gherghina, Cristian, Cristina David, Shengchao Qin, and Wei-Ngan Chin. "Structured specifications for better verification of heap-manipulating programs." In FM 2011: Formal Methods, pp. 386-401. Springer Berlin Heidelberg, 2011.
