Presentation is loading. Please wait.

Presentation is loading. Please wait.

Changing perspective can be useful Relating alternative logics for automatic software verification Alex Summers (ETH Zurich) partly based on joint work.

Published byShauna Briggs Modified over 9 years ago

Similar presentations

Presentation on theme: "Changing perspective can be useful Relating alternative logics for automatic software verification Alex Summers (ETH Zurich) partly based on joint work."— Presentation transcript:

1 Changing perspective can be useful Relating alternative logics for automatic software verification Alex Summers (ETH Zurich) partly based on joint work with Matthew Parkinson and Daniel Jost

2 Topic This talk is concerned with specification logics – heap-based (usually concurrent) programs – aimed at automatic verification There are many alternative logics out there; investigating their relationships can – be helpful for comparing expressiveness/usability – promote understanding between research groups – suggest adapting features from one to another I’ll talk about some work relating two logics: separation logic and implicit dynamic frames

3 Separation Logic Idea: reason in terms of heap fragments Specialised connectives for describing heaps e.g., x.f ↦ v (“points-to predicate”) – The only way for an assertion to dereference x.f – Specifies value v currently stored at the location v x.f

4 Separation Logic Separating conjunction connective * A*B means A and B hold in disjoint heaps e.g., x.f ↦ v * y.f ↦ 5 the disjointness guarantees: x and y are not aliases h ⊨ A*B iff ∃ h 1,h 2.(h=h 1 ⊎ h 2 and h 1 ⊨ A and h 2 ⊨ B) y.f v x.f 5

5 Implicit Dynamic Frames Extend standard first-order assertions to additionally include “accessibility predicates”: acc(x.f) is an assertion; we have permission to x.f Unlike in sep. logic, assertions can also include heap-dependent expressions: e.g., x.f > 3 Idea: verification based on a total heap – prover “sees” a value for every heap location – but these values are only guaranteed meaningful if the thread also holds permission to the location

6 For example acc(x.f) * x.f = 4 * acc(x.g) Implicit Dynamic Frames

7 For example acc(x.f) * x.f = 4 * acc(x.g) x.f Implicit Dynamic Frames

8 For example acc(x.f) * x.f = 4 * acc(x.g) x.f Implicit Dynamic Frames

9 For example acc(x.f) * x.f = 4 * acc(x.g) 4 x.f Implicit Dynamic Frames

10 For example acc(x.f) * x.f = 4 * acc(x.g) 4 x.f x.g

11 Implicit Dynamic Frames For example acc(x.f) * x.f = 4 * acc(x.g) Expressions include heap dereferences 4 x.f x.g

12 Implicit Dynamic Frames For example acc(x.f) * x.f = 4 * acc(x.g) Expressions include heap dereferences Permissions need not match “read footprint” 4 x.f x.g

13 Implicit Dynamic Frames For example acc(x.f) * x.f = 4 * acc(x.g) * y.f = 3 Expressions include heap dereferences Permissions need not match “read footprint” 4 x.f x.g

14 Implicit Dynamic Frames For example acc(x.f) * x.f = 4 * acc(x.g) * y.f = 3 Expressions include heap dereferences Permissions need not match “read footprint” 3 y.f x.g 4 x.f

15 Self-framing assertions An IDF assertion is self- framing if: For any state in which the assertion is true,

16 Self-framing assertions IDF total heap 4 3 2 7 4 3 2 7 0 0 An IDF assertion is self- framing if: For any state in which the assertion is true, it remains true if we replace the heap with any that agrees on the locations to which it requires permissions

17 IDF total heap 4 3 2 7 9 3 2 1 4 1 Self-framing assertions An IDF assertion is self- framing if: For any state in which the assertion is true, it remains true if we replace the heap with any that agrees on the locations to which it requires permissions

18 Self-framing assertions IDF total heap 4 3 2 7 8 4 2 1 6 2 5 An IDF assertion is self- framing if: For any state in which the assertion is true, it remains true if we replace the heap with any that agrees on the locations to which it requires permissions

19 Self-framing assertions IDF total heap 4 3 2 7 4 3 2 7 0 0 An IDF assertion is self- framing if: For any state in which the assertion is true, it remains true if we replace the heap with any that agrees on the locations to which it requires permissions

20 Self-framing assertions Separation Logic partial heap 4 3 2 7 In Separation Logic, there would be partial heap which canonically represents all of these total heaps An IDF assertion is self- framing if: For any state in which the assertion is true, it remains true if we replace the heap with any that agrees on the locations to which it requires permissions

21 A*B Separation Logic partial heap A B IDF total heap A B

22 A*B Separation Logic partial heapIDF total heap A B A B

23 A*B Separation Logic partial heapIDF total heap A B A B 4 3 2 7 4 3 2 7 4 3 2 7 0 0 Idea: x.f ↦ v ⇔ acc(x.f) * x.f = v

24 The “Magic Wand” Separation Logic partial heap An assertion A ― B means: “If, to the current heap, we add a disjoint heap satisfying A then the resulting heap is guaranteed to satisfy B” Or: h ⊨ A ― B iff ∀ h’ ⊥ h.( h’ ⊨ A ⇒ h ⊎ h’ ⊨ B)  

25 Separation Logic partial heap A The “Magic Wand” An assertion A ― B means: “If, to the current heap, we add a disjoint heap satisfying A then the resulting heap is guaranteed to satisfy B” Or: h ⊨ A ― B iff ∀ h’ ⊥ h.( h’ ⊨ A ⇒ h ⊎ h’ ⊨ B)  

26 Separation Logic partial heap A The “Magic Wand” An assertion A ― B means: “If, to the current heap, we add a disjoint heap satisfying A then the resulting heap is guaranteed to satisfy B” Or: h ⊨ A ― B iff ∀ h’ ⊥ h.( h’ ⊨ A ⇒ h ⊎ h’ ⊨ B)  

27 Separation Logic partial heap A B The “Magic Wand” An assertion A ― B means: “If, to the current heap, we add a disjoint heap satisfying A then the resulting heap is guaranteed to satisfy B” Or: h ⊨ A ― B iff ∀ h’ ⊥ h.( h’ ⊨ A ⇒ h ⊎ h’ ⊨ B)  

28 Separation Logic partial heapIDF total heap A B The “Magic Wand”

29 Separation Logic partial heapIDF total heap A ? B A The “Magic Wand”

30 IDF total heap A ? How to model heap extension?

31 Idea 1: Just add extra permissions to the original state Problem: We attach significance to the values that were previously stored in the heap, at the new locations IDF total heap A ? How to model heap extension?

32 Idea 2: Assign new (arbitrary) values to unreadable heap locations, and then add new permissions Problem: In IDF, A may involve heap-dependent expressions IDF total heap A ? How to model heap extension?

33 Idea 2: Assign new (arbitrary) values to unreadable heap locations, and then add new permissions Problem: In IDF, A may involve heap-dependent expressions IDF total heap A ? How to model heap extension?

34 Idea 2: Assign new (arbitrary) values to unreadable heap locations, and then add new permissions Problem: In IDF, A may involve heap-dependent expressions IDF total heap A ? How to model heap extension?

35 Idea 2: Assign new (arbitrary) values to unreadable heap locations, and then add new permissions Problem: In IDF, A may involve heap-dependent expressions IDF total heap A ? How to model heap extension?

36 Idea 2: Assign new (arbitrary) values to unreadable heap locations, and then add new permissions Problem: In IDF, A may involve heap-dependent expressions IDF total heap A ? How to model heap extension?

37 Idea 2: Assign new (arbitrary) values to unreadable heap locations, and then add new permissions Problem: In IDF, A may involve heap-dependent expressions IDF total heap A ? How to model heap extension?

38 Idea 2: Assign new (arbitrary) values to unreadable heap locations, and then add new permissions Problem: In IDF, A may involve heap-dependent expressions IDF total heap A ? How to model heap extension?

39 For example, acc(x.f) * (x.f ≠ null ― acc(x.f.g)) The intention is that the meaning of x.f is fixed by the permission “elsewhere” When we judge the magic wand, if we consider assigning arbitrary values to x.f, then we lose the meaning Idea 2: Assign new (arbitrary) values to unreadable heap locations, and then add new permissions Problem: In IDF, A may involve heap-dependent expressions IDF total heap How to model heap extension? 

40 Minimal State Extensions Idea: only consider “extending” the state by the smallest amount possible We modify the original semantics: h ⊨ A ― B iff ∀ h’ ⊥ h. (h’ ⊨ A ⇒ h ⊎ h’ ⊨ B) ⇒ h ⊎ h’ ⊨ B) A kind of “optimised” semantics for Separation Logic (but still equivalent, for SL assertions) For IDF, we can analogously take new values for exactly the new permissions required by A 

41 Minimal State Extensions Idea: only consider “extending” the state by the smallest amount possible We modify the original semantics to be: h ⊨ A ― B iff ∀ h’ ⊥ h. (h’ ⊨ A ∧ ∀ h’’(h’’ ⊂ h’ ⇒ h’’ ⊨ A) ⇒ h ⊎ h’ ⊨ B) A kind of “optimised” semantics for Separation Logic (but still equivalent, for SL assertions) For IDF, we can analogously take new values for exactly the new permissions required by A / 

42 Where did this get us? well, we wrote some papers – joint with Matthew Parkinson: ESOP’11,LMCS’12 Gave formal assertion semantics to IDF logic – new connectives “migrated” from SL (e.g., A ― B ) We gave translation from SL assertions to IDF – formally relates the semantics of each We gave a total heaps semantics for Sep. Logic – suggests new implementation strategies 

43 But, it gets (even) better.. Making the comparison practical, required a story for recursive predicates/functions In joint work with Daniel Jost, we translate VeriFast examples to Chalice (VSTTE’13) – we can encode SL verification for Z3 SMT solver – required static analysis for recursive definitions Pulling ideas from both sides is productive – Kassios/Kritikos: [ESOP’13] add backpointers to SL – “magic wand” handling might be implementable.. – other fun ideas in infancy (stay tuned)

44 Ways of investigating relationships Formalising and proving relationships between semantics of specification logics (e.g., described) – joint work with Matthew Parkinson: ESOP’11,LMCS’12 Providing encodings/translations between languages of different implemented verifiers – Joint work with Daniel Jost: VSTTE’13 (this weekend!) Specifying and verifying challenging examples using multiple different approaches/tools e.g., verification competitions for VSTTE and FM events interesting to try out variety of methodologies by hand

Download ppt "Changing perspective can be useful Relating alternative logics for automatic software verification Alex Summers (ETH Zurich) partly based on joint work."

Similar presentations

Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models.

Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.

Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 10.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 10.
Verifying Executable Object-Oriented Specifications with Separation Logic Stephan van Staden, Cristiano Calcagno, Bertrand Meyer.

Verifying Executable Object-Oriented Specifications with Separation Logic Stephan van Staden, Cristiano Calcagno, Bertrand Meyer.
Constraint Semantics for Abstract Read Permissions 28 th July 2014, FTfJP, Uppsala John Tang Boyland (UW-Milwaukee/ETH Zurich) Peter Müller, Malte Schwerhoff,

Constraint Semantics for Abstract Read Permissions 28 th July 2014, FTfJP, Uppsala John Tang Boyland (UW-Milwaukee/ETH Zurich) Peter Müller, Malte Schwerhoff,
Automated Software Verification with a Permission-Based Logic 20 th June 2014, Zürich Malte Schwerhoff, ETH Zürich.

Automated Software Verification with a Permission-Based Logic 20 th June 2014, Zürich Malte Schwerhoff, ETH Zürich.
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers

Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 11.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
Chair of Software Engineering The alias calculus Bertrand Meyer ITMO Software Engineering Seminar June 2011.

Chair of Software Engineering The alias calculus Bertrand Meyer ITMO Software Engineering Seminar June 2011.
Chapter 1 Using Geogebra Exploration and Conjecture.

Chapter 1 Using Geogebra Exploration and Conjecture.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
Copyright © 2006 Addison-Wesley. All rights reserved. 3.5 Dynamic Semantics Meanings of expressions, statements, and program units Static semantics – type.

Copyright © 2006 Addison-Wesley. All rights reserved. 3.5 Dynamic Semantics Meanings of expressions, statements, and program units Static semantics – type.
CS 355 – Programming Languages

CS 355 – Programming Languages
1 Conditional XPath, the first order complete XPath dialect Maarten Marx Presented by: Einav Bar-Ner.

1 Conditional XPath, the first order complete XPath dialect Maarten Marx Presented by: Einav Bar-Ner.
Fractional Permissions without the Fractions Alex Summers ETH Zurich Joint work with: Stefan Heule, Rustan Leino, Peter Müller ETH Zurich MSR Redmond ETH.

Fractional Permissions without the Fractions Alex Summers ETH Zurich Joint work with: Stefan Heule, Rustan Leino, Peter Müller ETH Zurich MSR Redmond ETH.
Lecture 2 Towards a Verifying Compiler: Logic of Object oriented Programs Wolfram Schulte Microsoft Research Formal Methods 2006 Objects, references, heaps,

Lecture 2 Towards a Verifying Compiler: Logic of Object oriented Programs Wolfram Schulte Microsoft Research Formal Methods 2006 Objects, references, heaps,
On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning Xinyu Feng Yale University Joint work with Rodrigo Ferreira and.

On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning Xinyu Feng Yale University Joint work with Rodrigo Ferreira and.
Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.

Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
A logic for reasoning about digital rights Riccardo Pucella, Vicky Weissman Cornell University.

A logic for reasoning about digital rights Riccardo Pucella, Vicky Weissman Cornell University.

Similar presentations

Ads by Google