Presentation is loading. Please wait.

Presentation is loading. Please wait.

Automated Verification with HIP and SLEEK Asankhaya Sharma.

Published byGunner Hall Modified over 9 years ago

Similar presentations

Presentation on theme: "Automated Verification with HIP and SLEEK Asankhaya Sharma."— Presentation transcript:

1 Automated Verification with HIP and SLEEK Asankhaya Sharma

2 Goal Design and build software that is correct by construction Needed: Automatic tools for establishing software correctness Such tools can – Search for standard problems like memory access violations or array index out of bounds – Check if a program does what it is supposed to do with respect to a specification

3 Why a Need for Automatic Tools?

4 Let the tool fill in the details

5 A Tale of Two Tools HIP – Automatically applies a given set of Hoare rules SLEEK – Discharges the proof obligations resulting from the rule of consequence and the frame rule Under development since 2006 – 180k lines of OCaml – Currently 6 PhD students; 3 graduated

6 Overview code verifier (HIP) separation logic prover (SLEEK) Pre/Post PredicatesLemmas Code range of pure provers … Omega, MONA, Isabelle, Coq, SMT, Redlog, MiniSAT, Mathematica

7 An Example – List Length struct node{ int val; struct node* next; }; int length(struct node* p) { if(p == NULL) return 0; else return 1 + length(p->next); }

8 List Predicate Example of Acyclic List : list(x ) x null pointer to memoryspatial conjunction

9 Syntactic Abbreviation (ASCII) list  == self=null or self::node  _, r   r::list  implicit existential instantiation

10 Verify with Shape Property struct node{ int val; struct node* next; }; /*@ list<> == self=null or self::node *q::list<>; */ int length(struct node* p) /*@ requires p::list<> ensures p::list<>; */ { if(p == NULL) return 0; else return 1 + length(p->next); } Predicate Definition Method Pre and Post condition Memory Safety

11 With Size list  n  == self=null & n=0 or self::node  _, r   r::list  n-1  inv n >= 0 parameter on length of linked list predicate invariant x::ll  5  x null

12 Verify with Shape and Size int length(struct node* p) /*@ requires p::list ensures p::list & res=n; */ { if(p == NULL) return 0; else return 1 + length(p->next); } Memory Safety Length of the List

13 With Size and Bag list  n,B  == self=null & n=0 & B={} or self::node  v, r   r::list  n-1,B1  & B = B1 U {v} inv n >= 0 & n=|B|

14 Verify with Shape, Size and Bag int length(struct node* p) /*@ requires p::list ensures p::list & res=n; */ { if(p == NULL) return 0; else return 1 + length(p->next); } Memory Safety Length of the List Bag of Values

15 Automated Verification int length(struct node* p) /*@ requires p::list ensures p::list & res=n; */ { if(p == NULL) return 0; // p=null & n = 0 & res = 0 |- p::list & res = n // p::ll & p!=null |- p::node // p::node * q::ll & p!=null & q = r |- r::ll else return 1 + length(p->next); // p::node * q::ll & x!=null & res = 1 + n – 1 |- p::ll & res = n } Pre condition Checking Post condition Checking Memory dereference Checking

16 SLEEK Automatic Checking of Entailment Custom decision procedure for the spatial fragment (Separation Logic) – Handles user-defined data structures and inductive predicates Uses off-the-shelf provers to discharge: – Linear Arithmetic (using Omega) Also available as a tactic in Coq – Bag Expressions (using MONA) Sound but incomplete

17 Numerical Examples for SLEEK Checking implications with integer constraints: checkentail x > 5 |- x > 0. checkentail x > 5 |- x < 0. checkentail x > 5 |- x > 6. checkentail x > 1 & y > 1 & r = x + y |- r > 3. SLEEK uses Omega for these examples Valid. InValid. Valid.

18 List Examples for SLEEK checkentail x::node |- x::list. checkentail x::node |- x::list & B = {17}. checkentail x::node * y::list. checkentail x::list |- x::node. Valid. InValid. Valid.

19 HIP Automatic checking of pre/post for methods – Handle conditional, loops, methods – With arrays, data structures, dynamic memory allocation – Supports Multiple pre/post specifications, structured specifications, termination specifications Sound but incomplete Automated with the help of SLEEK

20 Append Example with HIP What should be the specification for the following method ? void append(node* x, node* y) requires ? ensures ? { if(x->next==NULL) x->next=y; else append(x->next,y); }

21 Append Example with HIP Is the following specification which aims to guarantee memory safety correct? void append(node* x, node* y) requires x::list<> * y::list<> ensures x::list<> { if(x->next==NULL) x->next=y; else append(x->next,y); } No, null pointer dereference possible

22 Append Example with HIP Correct specification for safety void append(node* x, node* y) requires x::list<> * y::list<> & x!=null ensures x::list<> { if(x->next==NULL) x->next=y; else append(x->next,y); }

23 Append Example with HIP With size and bag properties void append(node* x, node* y) requires x::list * y::list & x!=null ensures { if(x->next==NULL) x->next=y; else append(x->next,y); } x::list

24 Multiple Specifications Same method may be called in different calling contexts Verify using different specifications for each scenario Which sorting algorithm may require an append function for two sorted lists ? – Quick Sort (and Merge Sort)

25 With Bag and Sortedness

26 Verify with Multiple Specifications void append(node* x, node* y) requires x::list * y::list & x!=null ensures x::list requires x::lsort * y::lsort & x!=null & ∀ a ∈ B1. ∀ b ∈ B2. a { if(x->next==NULL) x->next=y; else append(x->next,y); }

27 List Segment with Size lseg  p,n  == self=p & n=0 or self::node  _, r   r::lseg  p,n-1  inv n >= 0 x y x::lseg  y,3  y::lseg  x,2 

28 Circular List with Size x r::lseg  x,2  r x::clist  3  clist  n  == self::node  _, r   r::lseg  self,n-1  inv n >= 1

29 Use of Multiple Pre/Post void append(node* x, node* y) requires x::list & x != null & x = y ensures requires x::list & x != null ensures { if(x->next==NULL) x->next=y; else append(x->next,y); } x::clist x::lseg

30 Binary Search Tree How do we express a binary search tree ? tree<> == self=null or self::node * l::tree<> * r::tree<> Shape Property for Tree

31 Binary Search Tree bst == self=null & B = {} or self::node * l::bst * r::bst & B = {v} U B1 U B2 & ∀ w ∈ B1. v>=w & ∀ w ∈ B2. v<=w 5 37 14 Sortedness property

32 AVL Tree How do we specify height balanced trees ? avl == self=null & B = {} & h = 0 or self::node * l::avl * r::avl & B={v}UB1UB2 & ∀ w ∈ B1.v>=w & ∀ w ∈ B2.v<=w & h = 1 + max(h1,h2) & h2<=h1+1 & h1<=h2+1

33 Conclusions HIP and SLEEK Verification System – Automated Given pre/post and loop invariants – Modular and scalable Each method verified independently – Expressive From shape, size, bag properties towards functional correctness Total correctness with Termination and Non- Termination proving

34 Perspectives Hardware community has accepted verification in their design phase Verified software is the future for guarantying high assurance and reliability Many challenges remain on scalability, automation, expressivity, concurrency, inference and higher order programs

35 Questions? We will try out some examples in Lab tomorrow using TeachHIP TeachHIP is a Web Interface to – Try out HIP and SLEEK without installing any software – Available at http://loris-7.ddns.comp.nus.edu.sg/~project/TeachHIP/ http://loris-7.ddns.comp.nus.edu.sg/~project/TeachHIP/ Contact – asankhaya@nus.edu.sg

36 Further Reading Chin, Wei-Ngan, Cristina David, Huu Hai Nguyen, and Shengchao Qin. "Automated verification of shape, size and bag properties via user-defined predicates in separation logic." Science of Computer Programming 77, no. 9 (2012): 1006-1036.

Download ppt "Automated Verification with HIP and SLEEK Asankhaya Sharma."

Similar presentations

A Framework for describing recursive data structures Kenneth Roe Scott Smith.

A Framework for describing recursive data structures Kenneth Roe Scott Smith.
Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.

Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 0 Summer school on Formal Models.

Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 0 Summer school on Formal Models.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.

Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.
Linked Lists CSE 2451 Matt Boggus. Dynamic memory reminder Allocate memory during run-time malloc() and calloc() – return a void pointer to memory or.

Linked Lists CSE 2451 Matt Boggus. Dynamic memory reminder Allocate memory during run-time malloc() and calloc() – return a void pointer to memory or.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 8.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 8.
Introduction to Algorithms Quicksort

Introduction to Algorithms Quicksort
Automated Verification with HIP and SLEEK Asankhaya Sharma.

Automated Verification with HIP and SLEEK Asankhaya Sharma.
Synthesis, Analysis, and Verification Lecture 04c Lectures: Viktor Kuncak VC Generation for Programs with Data Structures “Beyond Integers”

Synthesis, Analysis, and Verification Lecture 04c Lectures: Viktor Kuncak VC Generation for Programs with Data Structures “Beyond Integers”
Gennaro Parlato (LIAFA, Paris, France) Joint work with P. Madhusudan Xiaokang Qie University of Illinois at Urbana-Champaign.

Gennaro Parlato (LIAFA, Paris, France) Joint work with P. Madhusudan Xiaokang Qie University of Illinois at Urbana-Champaign.
Gennaro Parlato (LIAFA, Paris, France) Joint work with P. Madhusudan Xiaokang Qie University of Illinois at Urbana-Champaign.

Gennaro Parlato (LIAFA, Paris, France) Joint work with P. Madhusudan Xiaokang Qie University of Illinois at Urbana-Champaign.
Introduction to Linked Lists In your previous programming course, you saw how data is organized and processed sequentially using an array. You probably.

Introduction to Linked Lists In your previous programming course, you saw how data is organized and processed sequentially using an array. You probably.
Verification of Functional Programs in Scala Philippe Suter (joint work w/ Ali Sinan Köksal and Viktor Kuncak) ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE,

Verification of Functional Programs in Scala Philippe Suter (joint work w/ Ali Sinan Köksal and Viktor Kuncak) ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE,
Automated Verification with HIP and SLEEK Asankhaya Sharma.

Automated Verification with HIP and SLEEK Asankhaya Sharma.
HIP/SLEEK11 HIP/SLEEK :Automatic Verification and Specification Inference System Wei-Ngan Chin & Asankhaya Sharma Dept of Computer Science National University.

HIP/SLEEK11 HIP/SLEEK :Automatic Verification and Specification Inference System Wei-Ngan Chin & Asankhaya Sharma Dept of Computer Science National University.
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers

Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 11.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)

1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)
1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.

1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.

Similar presentations

Ads by Google