Download presentation

Presentation is loading. Please wait.

Published byKatie Bosworth Modified about 1 year ago

1
Gennaro Parlato (LIAFA, Paris, France) Joint work with P. Madhusudan Xiaokang Qie University of Illinois at Urbana-Champaign

2
A new logic to reason with programs that manipulate heap + data using deductive verification SMT solvers Program … new(x); … x->next=y->next->next; … y=nil; … x->data = y->data +1; … free(x); …

3
Analysis of programs that Dynamically allocated memory Mantain data-structure invariants (ex. Binary Search Tree) requires to reason with unbounded heaps with unbounded data This roles out classical combination of theories ▪ like Nelson-Oppen scheme

4
A logic that is: Decidable Expressive enough to state useful properties Efficient in practice on real-world programs We try to give a solution that has a good balance overall the goals!

5
HAVOC (Lahiri, Qadeer: POPL’08) Decidable: YES Expressive: NO (doubly-linked lists cannot be expressed) Efficient: YES on simple programs CSL (Bouajjani, Dragoi, Enea, Sighireanu: CONCUR’09) Decidable: YES Expressive: NO ▪ extends HAVAC to handle constraints on sizes of structures ▪ still weak (properties of binary trees of unbounded depth cannot be expressed) Efficient: ? (no implementation is provided) The technique to decide the logics is encoded in the syntax Hard to extend or generalize

6

7
Defines a set of graphs that which are interpreted over regular trees R = ( ψ Tr, validnode, {node a } a ∈ Lv, {edge b } b ∈ Le ) MSO formula on k-ary Σ-lab trees Unary predicate Family of unary predicates. Lv is a finite set of node labels Family of binary predicates Le is a finite set of edge labels R defines a class of graphs For every tree T=(V,->) accepted by ψ Tr, graph(T) = ( N, E, labnode a, labedge b ) { v ∈ V | validnode(v) }{(u,v) | b ∈ Le & edge b (u,v) } labnode a (v) =true v ∈ N ∧ node a (v)=true labedge b (u,v) =true u,v ∈ N ∧ edge b (u,v)=true

8
E n (s,t)= leaf(s) ∧ leaf(t) ∧∃ z 1, z 2, z 3. ( E l (z 3,z 1 ) ∧ RightMostPath( z 1, s) ∧ E r (z 3,z 2 ) ∧ LeftMostPath( z 2, t) ) s t z3z3 z1z1 z2z2 Some data structures that can be expressed: Nested lists Cyclic and doubly-linked lists Threaded trees

9
∃ x n. ∀ y m. φ(x n,y m ) φ is an Monadic Second Order (MSO) formula that combines heap structures and data, where the data-constraints are only allowed to refer to x n and y m Syntax of S TRAND DATAExpression e::= data(x) | data(y) | c | g(e 1,...,e n ) φ Formula φ::= γ(e 1,...,e n ) | α(v 1,...,v n ) | ¬φ | φ 1 ∧ φ 2 | φ 1 ∨ φ 2 | z ∈ S | ∃ z. φ | ∀ z. φ | ∃ S. φ | ∀ S. φ ∀ Formula ω::= φ | ∀ y.ω S TRAND ψ::= ω| ∃ x.ψ MSO

10
leftbranch(y1, y2) ≡ ∃ z. (left(y1, z) ∧ z → ∗ y2) rightbranch(y1, y2) ≡ ∃ z. (right(y1, z) ∧ z → ∗ y2) ψ bst ≡ ∀ y1 ∀ y2. ( leftbranch(y1,y2) ⇒ data(y2) < data(y1) ) ∧ ( rightbranch(y1,y2) ⇒ data(y1) ≤ data(y2) ) left right

11
bstSearch PRE: ψ bst ∧ ∃ x.( key(root)=k ) Node curr = root; LOOP-INV: ψ bst ∧ ∃ x.(reach(curr,x) ∧ key(curr)=k) while ( curr.key != k && curr != null ) { if (curr.key > k) curr = curr.left; else curr = curr.right; } POST: ψ bst ∧ key(curr)=k

12

13
Given a linear block of statements s a S TRAND pre-condition P and a post-condition Q expressed as a Boolean combination of S TRAND formulas of the form ▪ ∃ x n. φ(x n ), ∀ y m. φ( y m ) checking the validity of the Hoare triple {P} s {Q} reduces to the satisfiability of STRAND Satisfiability of S TRAND is undecidable We identify a decidable fragment of S TRAND semantically defined by using the notion of satisfiability-preseving embeddings

14
Let ψ= ∃ x n. ∀ y m. φ(x n, y m ) be a S TRAND formula over a recursively data-structure R define a new rec. data-structure R ’ that encoperates the existentally quantified variables of x n as pointers in R ’ (unary predicate Val i for the var x i ) define ψ’ = ∀ x n ∀ y m. (( ∧ i=1,…,n Val i (x i )) => φ(x n, y m )) Claim: ψ’ is satisfiable on R ’ iff ψ is satisfiable on R

15
We define a partial order over heaps that captures the following intuition S < T (S satisfiability-preservingly embeds into T) if - S is smaller than T (fewer nodes) - Each node of S is matched with a distinct node of T - no mutter how data are associated to the nodes of T if T satisfies ψ then also S satisfies ψ by inhering the data-values T T S S

16
Checking the satisfiability we ignore T and check only S Satisfiability is done only on the minimal models S TRAND dec is the class of the formulas that has a finite set of minimal models Satisfiability reduces to the satisfiability of the quantifier- free theory of the data-logic

17
Let T be a tree defining a graph of the given Rec. Data-structure A subset S of nodes of T is valid : Not-empty & least-ancestor closed The subtree defined by S also defines a data- structure Submodels can be defined in MSO

18
Let ψ = ∀ y n. φ(y n ) be a S TRAND formula, and γ 1, …,γ r be the atomic relational formulas of the data- logic. Example: ψ sorted : ∀ y 1,y 2. ( (y 1 ->*y 2 ) => (data(y 1 ) ≤ data(y 2 )) ) Define the pure MSO formula ψ’ = ∀ y n. ∃ b 1, …, b r. φ’ (y n, b 1, …, b r ) where φ’ is obtained from φ by replacing γ i with the predicate b i Example: ψ sorted : ∀ y 1,y 2. ( (y 1 ->*y 2 ) => data(y 1 ) ≤ data(y 2 ) ) ψ’ sorted : ∀ y 1,y 2. ∃ b. ( (y 1 ->*y 2 ) => b ) Claim: if ψ is satisfiable on a recursive data-structure R then ψ ’ is also satisfiable on R. The other direction does not hold OVER-APPROXIMATION

19
T T S S ψ = ∀ y n. φ(y n ) ψ’ = ∀ y n. ∃ b 1, …, b r. φ’ (y n, b 1, …, b r ) MinModel ψ = \* pure MSO formula *\ ψ Tr // the tree defines a valide heap T ∧ interpret(ψ’) // ψ’ holds true on T ∧ // NO satisfiability-preserving embeddings in T ¬ ∃ S. ( NonEmpty(S) ∧ ValidSubModel(S) ∧ ( ∀ y m. ∀ b 1, …, b r. ( ∧ i ∈ [m] (y i ∈ S) ∧ interpret( φ’ (y n, b 1, …, b r )) => interpret( S, φ’ (y n, b 1, …, b r ) ) ) )

20
Transform MinModels to tree-automaton TA MinModels -> TA Check finiteness for TA Extract all trees accepted by TA: TA -> T 1, …, T t For each T i build the finite graph G i T i -> G i Create a quantifier-free formula λ i for G i G i -> λ i a data-variable for each node ∀ ’s are “expanded” in conjunctions ∃ ’s are “expanded” in disjunctions data-constraints in S TRAND are directly written in the data-logic The quantifier-free formula ∨ i=1,…,t λ i is a pure data-logic formula that is satisfiable iff the original formula ψ is satisfiable on R

21

22
Hoare-triples: ( ( R, Pre), P, Post ) R Pre ∈ S TRAND ∃, ∀ P: Node t = newhead; newhead = head; head = head.next; newhead.next = t; Post ∈ S TRAND ∃, ∀ Idea: capture the entire computation of P starting from a particular recursive data-structure R using a single data-structure R P ⇒ Is ψ ∈ Strand Satisfiable over R P ?

23
Error = ∨ i ∈ [m] (Pre R p ∧ ∧ j ∈ [i −1] π j ∧ error i ) Violate Post = Pre R p ∧ ∧ j ∈ [m] π j ∧ ¬Post R p Theorem The Hoare-triple ( R, Pre, P, Post) does not hold iff the S TRAND formula Error ∨ ViolatePost is satisfiable on the trail R P

24

25
Programs Verification Condition Structural Solving (MONA)Data Constraint Solving (Z3) In S TRAND dec ? # states Final BDD size Time (sec) Graph model Exists? Bound #nodes Formula size (kB) Satisfiable ? Time (sec) sorted- list-search before-loop in-loop after-loop Yes No sorted- List-insert before-head before-loop in-loop after-loop Yes Yes No Yes No - No sorted-list- insert -err before-loopYes Yes79.5Yes0.02 sorted-list- reverse before-loop in-loop after-loop Yes No Bst-search before-loop in-loop after-loop Yes No Yes No N Bst-insert before-loop in-loop after-loop Yes No

26
bstSearch (pre: ψ bst ∧ ∃ x.(key(root) = k)) Node curr = root; (loop-inv: ψ bst ∧∃ x.(reach(curr,x) ∧ key(curr)=k)) while ( curr.key != k && curr != null ){ if (curr.key > k) curr = curr.left; else curr = curr.right; } (post: ψ bst ∧ key(curr) = k)

27

28
Code Experiments Table of the experiments

29

30
We have presented S TRAND a logic for reasoning about structures and data which has good balance among Decidability Expressiveness Efficiency We believe this work breaks new ground in combining structures and data may pave the way for defining decidable fragments of other logics

31
Alternative to MONA? Syntactic decidable fragments Back-and-forth connection between the structural part and the data part

Similar presentations

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google