Checking Reachability using Matching Logic Grigore Rosu and Andrei Stefanescu University of Illinois, USA.

Slides:

Advertisements

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Advertisements

An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.

Semantics Static semantics Dynamic semantics attribute grammars

Gennaro Parlato (LIAFA, Paris, France) Joint work with P. Madhusudan Xiaokang Qie University of Illinois at Urbana-Champaign.

ICE1341 Programming Languages Spring 2005 Lecture #6 Lecture #6 In-Young Ko iko.AT. icu.ac.kr iko.AT. icu.ac.kr Information and Communications University.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.

Foundational Certified Code in a Metalogical Framework Karl Crary and Susmit Sarkar Carnegie Mellon University.

Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.

1 Dependent Types for Termination Verification Hongwei Xi University of Cincinnati.

Formal Semantics of Programming Languages 虞慧群 Topic 5: Axiomatic Semantics.

David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 19: Minding Ps & Qs: Axiomatic.

VIDE als voortzetting van Cocktail SET Seminar 11 september 2008 Dr. ir. Michael Franssen.

Partial correctness © Marcelo d’Amorim 2010.

ISBN Chapter 3 Describing Syntax and Semantics.

Prof. Necula CS Lecture 91 Theorem Proving CS Lecture 9.

1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.

The Design and Implementation of a Certifying Compiler [Necula, Lee] A Certifying Compiler for Java [Necula, Lee et al] David W. Hill CSCI

ECE Synthesis & Verification1 ECE 667 Spring 2011 Synthesis and Verification of Digital Systems Verification Introduction.

CS 330 Programming Languages 09 / 18 / 2007 Instructor: Michael Eckmann.

CS 330 Programming Languages 09 / 16 / 2008 Instructor: Michael Eckmann.

Describing Syntax and Semantics

THE TRANSITION FROM ARITHMETIC TO ALGEBRA: WHAT WE KNOW AND WHAT WE DO NOT KNOW (Some ways of asking questions about this transition)‏

Matching Logic Grigore Rosu University of Illinois at Urbana-Champaign, USA 1.

Cristian Gherghina Joint work with: Wei-Ngan Chin, Razvan Voicu, Quang Loc Le Florin Craciun, Shengchao Qin TexPoint fonts used in EMF. Read the TexPoint.

Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 2: Operational Semantics I Roman Manevich Ben-Gurion University.

Overview of Formal Methods. Topics Introduction and terminology FM and Software Engineering Applications of FM Propositional and Predicate Logic Program.

Proof-Carrying Code & Proof-Carrying Authentication Stuart Pickard CSCI 297 June 2, 2005.

ISBN Chapter 3 Describing Semantics -Attribute Grammars -Dynamic Semantics.

Formal Verification Lecture 9. Formal Verification Formal verification relies on Descriptions of the properties or requirements Descriptions of systems.

Efficient RDF Storage and Retrieval in Jena2 Written by: Kevin Wilkinson, Craig Sayers, Harumi Kuno, Dave Reynolds Presented by: Umer Fareed 파리드.

Program Analysis and Verification Spring 2014 Program Analysis and Verification Lecture 4: Axiomatic Semantics I Roman Manevich Ben-Gurion University.

ARTIFICIAL INTELLIGENCE [INTELLIGENT AGENTS PARADIGM] Professor Janis Grundspenkis Riga Technical University Faculty of Computer Science and Information.

3.2 Semantics. 2 Semantics Attribute Grammars The Meanings of Programs: Semantics Sebesta Chapter 3.

ISBN Chapter 3 Describing Semantics.

Chapter 3 Part II Describing Syntax and Semantics.

Semantics In Text: Chapter 3.

1 Chapter 26 Cleanroom Software Engineering Cleanroom Developed in early 80’s by Harlan Mills Reported very good results –reliable, high-quality.

Lecture 5 1 CSP tools for verification of Sec Prot Overview of the lecture The Casper interface Refinement checking and FDR Model checking Theorem proving.

Verification & Validation By: Amir Masoud Gharehbaghi

From Hoare Logic to Matching Logic Reachability Grigore Rosu and Andrei Stefanescu University of Illinois, USA.

Automated tactics for separation logic VeriML Reconstruct Z3 Proof Safe incremental type checker Certifying code transformation Proof carrying hardware.

Lightweight Support for Magic Wands in an Automatic Verifier Malte Schwerhoff and Alexander J. Summers 10 th July 2015, ECOOP, Prague.

Principle of Programming Lanugages 3: Compilation of statements Statements in C Assertion Hoare logic Department of Information Science and Engineering.

All-Path Reachability Logic Andrei Stefanescu 1, Stefan Ciobaca 2, Radu Mereuta 1,2, Brandon Moore 1, Traian Serbanuta 3, Grigore Rosu 1 1 University of.

Formal Specification: a Roadmap Axel van Lamsweerde published on ICSE (International Conference on Software Engineering) Jing Ai 10/28/2003.

CSE Winter 2008 Introduction to Program Verification for-loops; review.

Specify and Verify Your Language using K Grigore Rosu University of Illinois at Urbana-Champaign Joint project between the FSL group at UIUC (USA) and.

1 Propositional Logic Limits The expressive power of propositional logic is limited. The assumption is that everything can be expressed by simple facts.

Quantified Data Automata on Skinny Trees: an Abstract Domain for Lists Pranav Garg 1, P. Madhusudan 1 and Gennaro Parlato 2 1 University of Illinois at.

Class Diagrams. Terms and Concepts A class diagram is a diagram that shows a set of classes, interfaces, and collaborations and their relationships.

Logical Agents Chapter 7. Outline Knowledge-based agents Propositional (Boolean) logic Equivalence, validity, satisfiability Inference rules and theorem.

CSC3315 (Spring 2009)1 CSC 3315 Languages & Compilers Hamid Harroud School of Science and Engineering, Akhawayn University

Operational Semantics Mooly Sagiv Tel Aviv University Sunday Scrieber 8 Monday Schrieber.

K Framework Grigore Rosu University of Illinois at Urbana-Champaign, USA Traian-Florin Serbanuta Alexandru Ioan-Cuza University, Iasi, Romania Joint work.

Formal Verification – Robust and Efficient Code Lecture 1

Certifying and Synthesizing Membership Equational Proofs Patrick Lincoln (SRI) joint work with Steven Eker (SRI), Jose Meseguer (Urbana) and Grigore Rosu.

Model Checking Early Requirements Specifications in Tropos Presented by Chin-Yi Tsai.

Further with Hoare Logic Sections 6.12, 6.10, 6.13

Matching Logic An Alternative to Hoare/Floyd Logic

Towards trustworthy refactoring in Erlang

(One-Path) Reachability Logic

Formal Methods in Software Engineering 1

Matching Logic - A New Program Verification Approach -

Lecture 5 Floyd-Hoare Style Verification

Generating Optimal Linear Temporal Logic Monitors by Coinduction

Predicate Transformers

Formal Methods in software development

Towards a Unified Theory of Operational and Axiomatic Semantics

Language-Independent Verification Framework

Presentation transcript:

Checking Reachability using Matching Logic Grigore Rosu and Andrei Stefanescu University of Illinois, USA

Main Goal Language-independent program verification framework Derive program properties from operational semantics Questions: Is it possible? Is it practical? Answers: Sound and complete proof system, so YES, it is possible! Efficient automated verifier MatchC, so YES, it is practical! 1

Overview State-of-the-art in Certifiable Verification Our Approach Specifying Reachability Properties Reasoning about Reachability

Operational Semantics Easy to define and understand Can be regarded as formal “implementations” Require little mathematical knowledge Great introductory topics in PL courses Scale up well C (>1000 rules), Java, Scheme, Verilog, …, defined Executable, so testable C semantics tested against real benchmarks 3

Operational Semantics Sample rule (may require a configuration context) Define languages only with rules of the form l, r are configuration terms b is a Boolean side condition 4

Unfortunately … Operational semantics considered inappropriate for program verification; proofs are low-level and tedious: Formalization of and working with transition system Typically by induction on the structure of the program on the number of execution steps etc. 5

Axiomatic Semantics (Hoare Logic) Emphasis on program verification Programming language captured as a formal proof system deriving Hoare triples 6

Axiomatic Semantics Not easy to define and understand, error-prone Not executable, hard to test Require program transformations, behavior loss 7 Write e = 1 and you’ve got a wrong semantics!

State-of-the-art in Certifiable Verification Define an operational semantics: trusted language model Define an axiomatic semantics: for verification purposes Prove axiomatic semantics sound for operational semantics Now we have trusted verification … BUT Requires two semantics of the same language C operational semantics took more than 2 years! Must be done individually for each language 8

Overview State-of-the-art in Certifiable Verification Our Approach Specifying Reachability Properties Reasoning about Reachability

Our Approach Underlying belief: one semantics for each language! Executable (testable), easy to define and understand Suitable for program verification, “as is” Approach: language-independent proof system Takes operational semantics unchanged Derives program properties Both operational semantics rules and program specifications stated as reachability rules 10

Reachability Rules Pairs of configuration predicates 11 Reachability: Any concrete configuration satisfying and terminating reaches a configuration satisfying, in the transition system induced by the operational semantics.

Overview State-of-the-art in Certifiable Verification Our Approach Specifying Reachability Properties Reasoning about Reachability

Reachability Rules - Operational + Axiomatic - Operational flavor Axiomatic flavor 13

Hoare Triple = Syntactic Sugar 14

Matching Logic State static properties of program configurations Parametric in a model of configurations Extends first-order logic with patterns Special predicates which are configuration terms Configurations satisfy patterns iff they match them C Configurations 15 Extra 70 cells

Model of Configurations - Properties - Configuration abstraction (list) “Separation” achieved at term level Operations (reverse) 16

Separation Logic = Matching Logic Instance Separation logic: popular logic for heap properties Mechanical translation to matching logic (see paper) Configuration: Separation encoded using different sub-terms No expressiveness loss from using matching logic Matching logic gives “structural separation” anywhere in the configuration, not only in the heap 17

Operational and Axiomatic Semantics Rules as Reachability Rules Reachability rules generalize Operational semantics rules Hoare triples Operational semantics rule is syntactic sugar for reachability rule Hoare triple encoded in a reachability rule with the empty code in the right-hand-side (see FM’12) 18

Overview State-of-the-art in Certifiable Verification Our Approach Specifying Reachability Properties Reasoning about Reachability

The main result of our paper is a proof system deriving reachability rules from reachability rules: 20 Trusted reachability rules (starts with operational semantics) Target reachability rule Claimed reachability rules

Reachability Proof System - 8 Rules - 21 Code with circular behavior

Circular behaviors Circularity and Transitivity proof rules Hoare logic rule for while loops 22 Language-independent Language-specific

Soundness Theorem: If is derivable by the proof system, then is semantically valid. 23

Relative Completeness Relativity Validity oracle for static configuration properties Language-independent result, unlike Hoare logics Theorem: If is semantically valid, then is derivable by the proof system, with the operational semantics of a language. 24

MatchC Proof-of-concept verifier for a C fragment Derives program specifications from the operational semantics (in K framework) using the proof system No Hoare/separation logic, no WP, no VC generation Automated, user only provide Specifications for recursive functions and loops 25

MatchC Snapshot 26 List reverse: code + invariant

Implementation Heuristics for applying the proof system (forward) symbolic execution Matching logic reasoning Maude: efficient structure matching and rearranging matching a list the heap, … SMTs (CVC3, Z3): simplifying constraints small queries (milliseconds each) 27

Preliminary Evaluation 28 ProgramTime (s) Buffered read-write0.15 Stack inspection0.24 Insertion sort0.41 Merge sort0.47 Quicksort1.97 AVL find0.15 AVL insert43.5 AVL delete Schorr-Waite (tree)0.28 Schorr-Waite (graph)1.73 …… Dozens more programs at matching-logic.orgmatching-logic.org Only annotated main functions (insert/delete). Inlined auxiliary functions (balance, rotate, …).

Conclusions Matching logic reachability proof system Sound and (relatively) complete Practical MatchC, an automated verifier Expressive Efficient Operational semantics based verification is viable! 29 matching-logic.org