All-Path Reachability Logic Andrei Stefanescu 1, Stefan Ciobaca 2, Radu Mereuta 1,2, Brandon Moore 1, Traian Serbanuta 3, Grigore Rosu 1 1 University of.

Slides:

Advertisements

Similar presentations

Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.

Advertisements

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 12.

Semantics Static semantics Dynamic semantics attribute grammars

Certified Typechecking in Foundational Certified Code Systems Susmit Sarkar Carnegie Mellon University.

ICE1341 Programming Languages Spring 2005 Lecture #6 Lecture #6 In-Young Ko iko.AT. icu.ac.kr iko.AT. icu.ac.kr Information and Communications University.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.

Foundational Certified Code in a Metalogical Framework Karl Crary and Susmit Sarkar Carnegie Mellon University.

Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.

1 Dependent Types for Termination Verification Hongwei Xi University of Cincinnati.

Formal Semantics of Programming Languages 虞慧群 Topic 5: Axiomatic Semantics.

David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 19: Minding Ps & Qs: Axiomatic.

VIDE als voortzetting van Cocktail SET Seminar 11 september 2008 Dr. ir. Michael Franssen.

Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.

CS 330 Programming Languages 09 / 19 / 2006 Instructor: Michael Eckmann.

1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.

CS 355 – Programming Languages

1 Operational Semantics Mooly Sagiv Tel Aviv University Textbook: Semantics with Applications.

CS 330 Programming Languages 09 / 18 / 2007 Instructor: Michael Eckmann.

Programming Language Semantics Mooly SagivEran Yahav Schrirber 317Open space html://

PSUCS322 HM 1 Languages and Compiler Design II Formal Semantics Material provided by Prof. Jingke Li Stolen with pride and modified by Herb Mayer PSU Spring.

Semantics with Applications Mooly Sagiv Schrirber html:// Textbooks:Winskel The.

CS 330 Programming Languages 09 / 16 / 2008 Instructor: Michael Eckmann.

Describing Syntax and Semantics

Matching Logic Grigore Rosu University of Illinois at Urbana-Champaign, USA 1.

Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 2: Operational Semantics I Roman Manevich Ben-Gurion University.

A Z Approach in Validating ORA-SS Data Models Scott Uk-Jin Lee Jing Sun Gillian Dobbie Yuan Fang Li.

ISBN Chapter 3 Describing Semantics -Attribute Grammars -Dynamic Semantics.

CS 363 Comparative Programming Languages Semantics.

Checking Reachability using Matching Logic Grigore Rosu and Andrei Stefanescu University of Illinois, USA.

Program Analysis and Verification Spring 2014 Program Analysis and Verification Lecture 4: Axiomatic Semantics I Roman Manevich Ben-Gurion University.

ARTIFICIAL INTELLIGENCE [INTELLIGENT AGENTS PARADIGM] Professor Janis Grundspenkis Riga Technical University Faculty of Computer Science and Information.

3.2 Semantics. 2 Semantics Attribute Grammars The Meanings of Programs: Semantics Sebesta Chapter 3.

ISBN Chapter 3 Describing Semantics.

Chapter 3 Part II Describing Syntax and Semantics.

Programming Languages and Design Lecture 3 Semantic Specifications of Programming Languages Instructor: Li Ma Department of Computer Science Texas Southern.

Semantics In Text: Chapter 3.

Verification & Validation By: Amir Masoud Gharehbaghi

From Hoare Logic to Matching Logic Reachability Grigore Rosu and Andrei Stefanescu University of Illinois, USA.

Automated tactics for separation logic VeriML Reconstruct Z3 Proof Safe incremental type checker Certifying code transformation Proof carrying hardware.

Static Techniques for V&V. Hierarchy of V&V techniques Static Analysis V&V Dynamic Techniques Model Checking Simulation Symbolic Execution Testing Informal.

Specify and Verify Your Language using K Grigore Rosu University of Illinois at Urbana-Champaign Joint project between the FSL group at UIUC (USA) and.

Duminda WijesekeraSWSE 623: Introduction1 Introduction to Formal and Semi- formal Methods Based on A Specifier's Introduction to Formal Methods (J. Wing)

Operational Semantics Mooly Sagiv Tel Aviv University Textbook: Semantics with Applications Chapter.

CSC3315 (Spring 2009)1 CSC 3315 Languages & Compilers Hamid Harroud School of Science and Engineering, Akhawayn University

Course: Software Engineering – Design I IntroductionSlide Number 1 What is a specification Description of a (computer) system, which:  is precise;  defines.

Operational Semantics Mooly Sagiv Tel Aviv University Sunday Scrieber 8 Monday Schrieber.

Operational Semantics Mooly Sagiv Reference: Semantics with Applications Chapter 2 H. Nielson and F. Nielson

K Framework Grigore Rosu University of Illinois at Urbana-Champaign, USA Traian-Florin Serbanuta Alexandru Ioan-Cuza University, Iasi, Romania Joint work.

Formal Verification – Robust and Efficient Code Lecture 1

Certifying and Synthesizing Membership Equational Proofs Patrick Lincoln (SRI) joint work with Steven Eker (SRI), Jose Meseguer (Urbana) and Grigore Rosu.

Model Checking Early Requirements Specifications in Tropos Presented by Chin-Yi Tsai.

Describing Syntax and Semantics

Grigore Rosu University of Illinois at Urbana-Champaign, USA

Further with Hoare Logic Sections 6.12, 6.10, 6.13

Matching Logic An Alternative to Hoare/Floyd Logic

Towards trustworthy refactoring in Erlang

(One-Path) Reachability Logic

Syntax Questions 6. Define a left recursive grammar rule.

Matching Logic - A New Program Verification Approach -

Lecture 5 Floyd-Hoare Style Verification

Generating Optimal Linear Temporal Logic Monitors by Coinduction

Semantics In Text: Chapter 3.

Predicate Transformers

Towards a Unified Theory of Operational and Axiomatic Semantics

Language-Independent Verification Framework

Program correctness Axiomatic semantics

Presentation transcript:

All-Path Reachability Logic Andrei Stefanescu 1, Stefan Ciobaca 2, Radu Mereuta 1,2, Brandon Moore 1, Traian Serbanuta 3, Grigore Rosu 1 1 University of Illinois, USA 2 University of Iasi, Romania 3 University of Bucharest, Romania

Main Goal Language-independent program verification framework Prove program properties from operational semantics Proof system Operational semantics ⊢ program properties 1

Overview State-of-the-art in Certifiable Verification All-Path Reachability Specifying State Properties Specifying Reachability Properties Reasoning about Reachability

Operational Semantics Easy to define and understand Can be regarded as formal “implementations” Require little mathematical knowledge Great introductory topics in PL courses Executable, so testable Can be tested against real benchmarks 3

Operational Semantics Frameworks PLT-Redex/Racket (Findler et al.) Raskal (Klint et al.) RLS-Maude (Meseguer et al.) PLanComps (Mosses et al.) K (Rosu et al.) OTT (Sewell et al.) 4

Operational Semantics Scale C (Ellison and Rosu, POPL’12) GCC torture test suite JavaScript (Bodin et al., POPL’14) ECMA test262 suite Python (Politz et al., OOPSLA’13) CPython test suite PHP (Filaretti and Maffeis, ECOOP’14) Zend test suite 5

Operational Semantics Sample rule (may require a configuration context) Define languages only with rules of the form l, r are configuration terms b is a Boolean side condition 6

Unfortunately … Operational semantics considered inappropriate for program verification; proofs are low-level and tedious: Formalization of and working with transition system Typically by induction on the structure of the program on the number of execution steps etc. Done in ACL2 before 7

Axiomatic Semantics (Hoare Logic) Emphasis on program verification Programming language captured as a formal proof system deriving Hoare triples 8

Axiomatic Semantics Not easy to define and understand, error-prone Not executable, hard to test Require program transformations, behavior loss 9 Write e = 1 and you’ve got a wrong semantics!

State-of-the-art in Certifiable Verification Languages C (Appel et al.) – CompCert operational semantics Java (Jacobs et al.) Approach Define an operational semantics: trusted language model Define an axiomatic semantics: for verification purposes Prove axiomatic semantics sound for operational semantics Now we have trusted verification … BUT Requires two semantics of the same language C operational semantics took more than 2 years! Must be done individually for each language 10

Overview State-of-the-art in Certifiable Verification All-Path Reachability Specifying State Properties Specifying Reachability Properties Reasoning about Reachability

Our Approach Underlying belief: one semantics for each language! Executable (testable), easy to define and understand Suitable for program verification, “as is” Approach: language-independent proof system Takes operational semantics unchanged Derives program properties Both operational semantics rules and program specifications stated as reachability rules Sound and relatively complete 12

Overview State-of-the-art in Certifiable Verification All-Path Reachability Specifying State Properties Specifying Reachability Properties Reasoning about Reachability

Matching Logic Logic for specifying static properties about program configurations and reasoning about them Key insight: Configuration terms with variables are allowed to be used as predicates, called patterns Semantically, their satisfaction means matching Matching logic is parametric in a (first-order) configuration model: typically the underlying model of the operational semantics 14 [Rosu, Ellison, Schulte 2010]

Patterns C configurations Example of a pattern 15 Extra 70 cells

Model of Configurations - Properties - Configuration abstraction (list) “Separation” achieved at term level Operations (reverse) 16

Separation Logic = Matching Logic Instance Separation logic: popular logic for heap properties Mechanical translation to matching logic Configuration: Separation encoded using different sub-terms Example SL ML No expressiveness loss from using matching logic Matching logic gives “structural separation” anywhere in the configuration, not only in the heap 17 [OOPSLA’12]

Overview State-of-the-art in Certifiable Verification All-Path Reachability Specifying State Properties Specifying Reachability Properties Reasoning about Reachability

One-Path Reachability Rules Pairs of matching logic patterns 19 One-Path Reachability: Any terminating concrete configuration satisfying reaches, on some execution path, some configuration satisfying, in the transition system induced by the operational semantics.

All -Path Reachability Rules Pairs of matching logic patterns 20 All-Path Reachability: Any concrete configuration satisfying reaches, on any terminating execution path, some configuration satisfying, in the transition system induced by the operational semantics. …

Reachability Rules - Operational + Axiomatic - Operational flavor Axiomatic flavor 21

Hoare Triple = Syntactic Sugar 22

Operational and Axiomatic Semantics Rules as Reachability Rules Reachability rules generalize Operational semantics rules Hoare triples Operational semantics rule is syntactic sugar for reachability rule Hoare triple encoded in a reachability rule with the empty code in the right-hand-side 23

Overview State-of-the-art in Certifiable Verification All-Path Reachability Specifying State Properties Specifying Reachability Properties Reasoning about Reachability

Reasoning about All-Path Reachability The main result of this section is a proof system deriving reachability rules from reachability rules: 25 Operational semanticsTarget reachability rule Claimed reachability rules (Coinductively) trusted reachability rules

Reachability Proof System - In Two Sentences - Symbolic execution based on operational semantics Coinductive proof rule for repetitive behavior Generalizes invariant rules from Hoare logic Sound and (relatively) complete 26

Reachability Proof System - 8 Rules - 27 Code with circular behavior

Reachability Proof System 28 Each configuration has some successor Each successor of a configuration satisfies

Circular behaviors Circularity, Transitivity and Axiom proof rules Hoare logic rule for while loops Language-independent Language-specific Claim (cannot use yet)! Enable! Use! 29

Reachability Proof System 30

Soundness 31 Theorem: If is derivable by the proof system, then is semantically valid.

Relative Completeness Relativity Validity oracle for static configuration properties Language-independent result, unlike Hoare logics 32 Theorem: If is semantically valid, then is derivable by the proof system, with the operational semantics of a language.

Implementation Part of the K framework (k-framework.org)k-framework.org Operational semantics and program properties represented as K rules Automatic prover (user specified properties) symbolic execution based on the K semantics Circularity for repetitive behaviors custom prover for matching logic implications Java (mostly) and Z3 (for theory reasoning) 33

Narrowing Concrete execution ground configuration rewriting Symbolic execution symbolic configuration narrowing unification modulo theories Narrowing generalizes control flow proof rules code sample construct operational semantics 34

Conclusion Sound and relatively complete proof system Circularity generalizes language specific proof rules for repetitive behaviors (loops, recursive functions, …) Implemented as part of the K framework Language independent program verification based solely on operational semantics is possible 35