Lightweight Support for Magic Wands in an Automatic Verifier Malte Schwerhoff and Alexander J. Summers 10 th July 2015, ECOOP, Prague

Frame Problem Modular, static verification of imperative programs Frame problem: Which memory locations change? Automated verification: Pre-/Postconditions, invariants, ghost code Well-known approach: Permissions ( ≈ Separation Logic) 2

3 callercallee Permission Transfer

4 ? callercallee

5 ? callercallee Permission Transfer

Permissions ( ≈ Separation Logic) 6 (≈) acc(x.f) ∗ x.f == 0 x.f ⟼ 0 Logical properties 0 (≈) acc(x.f) ∗ acc(y.f)x.f ⟼ _ ∗ y.f ⟼ _ Disjointness: x ≠ y Syntax & Properties

7 A ∗ B describes the current state in terms of disjoint substates Separating Conjunction

8 A ∗ B describes the current state in terms of disjoint substates Is at the heart of verifiers based on separation logic Separating Conjunction

9 A —∗ B describes hypothetical states Read as a promise: “In any state, if you provide A, then you will get B ” Magic Wands

10 Scenario: Iteratively traverse a recursively defined tree (Verification Challenge at Partial Data Structures

11 Scenario: Iteratively traverse a recursively defined tree Loop invariant: Describe partial data structure Partial Data Structures

12 Indirectly describe partial data structure as a promise ---—∗ Partial Data Structures as Magic Wands

13 Modus-Ponens-like rule makes promise applicable ---—∗∗ Partial Data Structures as Magic Wands

14 ---—∗∗ σ ⊨ A —∗ B ⇔ ∀ σ ’ · ( σ ’ ⊨ A ⇒ σ ⊎ σ ’ ⊨ B) Partial Data Structures as Magic Wands

15 Used in various pen & paper proofs −Partial data structures −Usage protocols for data structures −Synchronisation barriers −…−… Typically* not supported in automatic verifiers * Only exception we are aware of is VerCors; developed in parallel σ ⊨ A —∗ B ⇔ ∀ σ ’ · ( σ ’ ⊨ A ⇒ σ ⊎ σ ’ ⊨ B) Magic Wands in Proofs and Tools

16 Entailment of magic wand formulas is undecidable Lightweight user guidance to direct verification Automating Magic Wand Reasoning

17 package A —∗ B apply A —∗ B Use it Pass it around Make a promise ---—∗∗ Opaque resource; Specifications Guidance: Ghost Operations + Specifications

18 package A —∗ B apply A —∗ B Use it Pass it around Make a promise ---—∗∗ Opaque resource; Specifications Guidance: Ghost Operations + Specifications Challenge: Ensure soundness of apply in any (future) state

19 Permissions guaranteeing that giving up A ∗ ( A —∗ B ) and obtaining B is sound ---—∗ carved out effectively immutable Footprints of A —∗ B

20 Footprints are not unique ---—∗ or or all available permissions Footprints of A —∗ B

21 Footprints are not unique ---—∗ or or all available permissions How to choose a footprint? Footprints of A —∗ B

package A —∗ ( B 1 ∗ B 2 ∗ … ∗ B n ) given current state v1v1 v2v2 v3v3 v5v5 v4v4 Footprint Computation Algorithm: Setup

package A —∗ ( B 1 ∗ B 2 ∗ … ∗ B n ) create LHS state current state ⊨ A v1v1 v2v2 v3v3 v5v5 w2w2 w3w3 w1w1 v4v4 w3w3 Footprint Computation Algorithm: Setup

package A —∗ ( B 1 ∗ B 2 ∗ … ∗ B n ) 24 LHS state current state ⊨ A v1v1 v2v2 v3v3 v5v5 w2w2 w3w3 w1w1 v4v4 w3w3 Footprint Computation Algorithm: Setup 2. create empty RHS state

package A —∗ ( B 1 ∗ B 2 ∗ … ∗ B n ) 25 LHS state current state RHS state v1v1 v2v2 v3v3 v5v5 w2w2 w3w3 w1w1 v4v4 w3w3 3. iterate over B i ’s:If B i is acc( x.f ) then transfer permissions and assumptions Footprint Computation Algorithm: Execution

package A —∗ ( B 1 ∗ B 2 ∗ … ∗ B n ) 26 LHS state current state RHS state v1v1 v2v2 v3v3 v5v5 w2w2 w3w3 3. iterate over B i ’s:If B i is acc(x.f) then transfer permissions and assumptions w1w1 v4v4 w3w3 w1w1 X w3w3 X v2v2 X Footprint Computation Algorithm: Execution

package A —∗ ( B 1 ∗ B 2 ∗ … ∗ B n ) 27 LHS state current state RHS state v1v1 v2v2 v3v3 v5v5 w2w2 w3w3 w1w1 v4v4 w3w3 w1w1 X w3w3 X v2v2 X 3. iterate over B i ’s:If B i is a logical property P, e.g. x.f == 0, then check P ⊨ P ? Footprint Computation Algorithm: Execution

package acc(x.f) —∗ acc(x.f) 28 LHS state current state RHS state Examples

package true —∗ acc(x.f) 29 LHS state current state RHS state Examples

package true —∗ acc(x.f) ∗ x.f == 0 30 LHS state current state RHS state ⊨ x.f == 0 0 Examples

package acc(x.f) —∗ acc(x.f) ∗ x.f == 0 31 LHS state current state RHS state ⊭ x.f == 0 0 ? Examples

Abstract predicates for recursive data structures 32 x == null ∗ x l xx r Existing Features

Abstract predicates plus ghost operations 33 ∗ x l x r fold tree(x) unfold tree(x) Existing Ghost Operations

package —∗ xxxxx 34 Integrating Existing Ghost Operations

package —∗ (fold tree(x) in ) 35 Integrating Existing Ghost Operations

36 LHS state current state RHS state package —∗ (fold tree(x) in ) Integrating Existing Ghost Operations

37 LHS state current state RHS state package —∗ (fold tree(x) in ) Integrating Existing Ghost Operations

Part of Viper verification infrastructure −Implementation based on symbolic execution −Rich logic: unrestricted abstract predicates, abstraction functions, quantifiers, sets, sequences, custom mathematical domains, flexible permission model, … Set of interesting examples; 1.6 to 3 seconds Verification challenge from VerifyThis’12 −Verifies in 3s −VerCors: −6 minutes (originally, using Chalice/Boogie) −60 seconds (currently, using Viper) 38 Implementation

Simple heuristics to infer package and apply statements Infers all package and apply statements in our examples Verification time: +0.5s or less 39 Annotation Inference Heuristics

40 Scenario: Iteratively traverse a recursively defined tree Loop invariant: Describe partial data structure A A ---—∗ B B VerifyThis’12 Challenge Revisited

41 VerifyThis’12 Challenge Encoded

42 Named shorthand, could be inlined Inferred by heuristics Required in either case VerifyThis’12 Challenge Encoded

Algorithm for computing wand footprints −Sound (proof sketch) −Permissive and predictable Formalised verifier-independently Implementation −Co-first* to support magic wands in an automatic verifier −Lightweight user annotations −Convincing initial results (expressiveness, performance) 43 * VerCors