Automated Verification with HIP and SLEEK Asankhaya Sharma

Goal Design and build software that is correct by construction Needed: Automatic tools for establishing software correctness Such tools can – Search for standard problems like memory access violations or array index out of bounds – Check if a program does what it is supposed to do with respect to a specification

Why a Need for Automatic Tools?

Let the tool fill in the details

A Tale of Two Tools HIP – Automatically applies a given set of Hoare rules SLEEK – Discharges the proof obligations resulting from the rule of consequence and the frame rule Under development since 2006 – 180k lines of OCaml – Currently 6 PhD students; 3 graduated

Overview code verifier (HIP) separation logic prover (SLEEK) Pre/Post PredicatesLemmas Code range of pure provers … Omega, MONA, Isabelle, Coq, SMT, Redlog, MiniSAT, Mathematica

An Example – List Length struct node{ int val; struct node* next; }; int length(struct node* p) { if(p == NULL) return 0; else return 1 + length(p->next); }

List Predicate Example of Acyclic List : list(x ) x null pointer to memoryspatial conjunction

Syntactic Abbreviation (ASCII) list  == self=null or self::node  _, r   r::list  implicit existential instantiation

Verify with Shape Property struct node{ int val; struct node* next; }; list<> == self=null or self::node *q::list<>; */ int length(struct node* p) requires p::list<> ensures p::list<>; */ { if(p == NULL) return 0; else return 1 + length(p->next); } Predicate Definition Method Pre and Post condition Memory Safety

With Size list  n  == self=null & n=0 or self::node  _, r   r::list  n-1  inv n >= 0 parameter on length of linked list predicate invariant x::ll  5  x null

Verify with Shape and Size int length(struct node* p) requires p::list ensures p::list & res=n; */ { if(p == NULL) return 0; else return 1 + length(p->next); } Memory Safety Length of the List

With Size and Bag list  n,B  == self=null & n=0 & B={} or self::node  v, r   r::list  n-1,B1  & B = B1 U {v} inv n >= 0 & n=|B|

Verify with Shape, Size and Bag int length(struct node* p) requires p::list ensures p::list & res=n; */ { if(p == NULL) return 0; else return 1 + length(p->next); } Memory Safety Length of the List Bag of Values

Automated Verification int length(struct node* p) requires p::list ensures p::list & res=n; */ { if(p == NULL) return 0; // p=null & n = 0 & res = 0 |- p::list & res = n // p::ll & p!=null |- p::node // p::node * q::ll & p!=null & q = r |- r::ll else return 1 + length(p->next); // p::node * q::ll & x!=null & res = 1 + n – 1 |- p::ll & res = n } Pre condition Checking Post condition Checking Memory dereference Checking

SLEEK Automatic Checking of Entailment Custom decision procedure for the spatial fragment (Separation Logic) – Handles user-defined data structures and inductive predicates Uses off-the-shelf provers to discharge: – Linear Arithmetic (using Omega) Also available as a tactic in Coq – Bag Expressions (using MONA) Sound but incomplete

Numerical Examples for SLEEK Checking implications with integer constraints: checkentail x > 5 |- x > 0. checkentail x > 5 |- x < 0. checkentail x > 5 |- x > 6. checkentail x > 1 & y > 1 & r = x + y |- r > 3. SLEEK uses Omega for these examples Valid. InValid. Valid.

List Examples for SLEEK checkentail x::node |- x::list. checkentail x::node |- x::list & B = {17}. checkentail x::node * y::list. checkentail x::list |- x::node. Valid. InValid. Valid.

HIP Automatic checking of pre/post for methods – Handle conditional, loops, methods – With arrays, data structures, dynamic memory allocation – Supports Multiple pre/post specifications, structured specifications, termination specifications Sound but incomplete Automated with the help of SLEEK

Append Example with HIP What should be the specification for the following method ? void append(node* x, node* y) requires ? ensures ? { if(x->next==NULL) x->next=y; else append(x->next,y); }

Append Example with HIP Is the following specification which aims to guarantee memory safety correct? void append(node* x, node* y) requires x::list<> * y::list<> ensures x::list<> { if(x->next==NULL) x->next=y; else append(x->next,y); } No, null pointer dereference possible

Append Example with HIP Correct specification for safety void append(node* x, node* y) requires x::list<> * y::list<> & x!=null ensures x::list<> { if(x->next==NULL) x->next=y; else append(x->next,y); }

Append Example with HIP With size and bag properties void append(node* x, node* y) requires x::list * y::list & x!=null ensures { if(x->next==NULL) x->next=y; else append(x->next,y); } x::list

Multiple Specifications Same method may be called in different calling contexts Verify using different specifications for each scenario Which sorting algorithm may require an append function for two sorted lists ? – Quick Sort (and Merge Sort)

With Bag and Sortedness

Verify with Multiple Specifications void append(node* x, node* y) requires x::list * y::list & x!=null ensures x::list requires x::lsort * y::lsort & x!=null & ∀ a ∈ B1. ∀ b ∈ B2. a { if(x->next==NULL) x->next=y; else append(x->next,y); }

List Segment with Size lseg  p,n  == self=p & n=0 or self::node  _, r   r::lseg  p,n-1  inv n >= 0 x y x::lseg  y,3  y::lseg  x,2 

Circular List with Size x r::lseg  x,2  r x::clist  3  clist  n  == self::node  _, r   r::lseg  self,n-1  inv n >= 1

Use of Multiple Pre/Post void append(node* x, node* y) requires x::list & x != null & x = y ensures requires x::list & x != null ensures { if(x->next==NULL) x->next=y; else append(x->next,y); } x::clist x::lseg

Binary Search Tree How do we express a binary search tree ? tree<> == self=null or self::node * l::tree<> * r::tree<> Shape Property for Tree

Binary Search Tree bst == self=null & B = {} or self::node * l::bst * r::bst & B = {v} U B1 U B2 & ∀ w ∈ B1. v>=w & ∀ w ∈ B2. v<=w Sortedness property

AVL Tree How do we specify height balanced trees ? avl == self=null & B = {} & h = 0 or self::node * l::avl * r::avl & B={v}UB1UB2 & ∀ w ∈ B1.v>=w & ∀ w ∈ B2.v<=w & h = 1 + max(h1,h2) & h2<=h1+1 & h1<=h2+1

Conclusions HIP and SLEEK Verification System – Automated Given pre/post and loop invariants – Modular and scalable Each method verified independently – Expressive From shape, size, bag properties towards functional correctness Total correctness with Termination and Non- Termination proving

Perspectives Hardware community has accepted verification in their design phase Verified software is the future for guarantying high assurance and reliability Many challenges remain on scalability, automation, expressivity, concurrency, inference and higher order programs

Questions? We will try out some examples in Lab tomorrow using TeachHIP TeachHIP is a Web Interface to – Try out HIP and SLEEK without installing any software – Available at Contact –

Further Reading Chin, Wei-Ngan, Cristina David, Huu Hai Nguyen, and Shengchao Qin. "Automated verification of shape, size and bag properties via user-defined predicates in separation logic." Science of Computer Programming 77, no. 9 (2012):