Presentation is loading. Please wait.

Presentation is loading. Please wait.

Gennaro Parlato (LIAFA, Paris, France) Joint work with P. Madhusudan Xiaokang Qie University of Illinois at Urbana-Champaign.

Published byKatie Bosworth Modified over 9 years ago

Similar presentations

Presentation on theme: "Gennaro Parlato (LIAFA, Paris, France) Joint work with P. Madhusudan Xiaokang Qie University of Illinois at Urbana-Champaign."— Presentation transcript:

1 Gennaro Parlato (LIAFA, Paris, France) Joint work with P. Madhusudan Xiaokang Qie University of Illinois at Urbana-Champaign

2 A new logic to reason with programs that manipulate heap + data using  deductive verification  SMT solvers 157 75 5 14 15 1000 190 23 7 Program … new(x); … x->next=y->next->next; … y=nil; … x->data = y->data +1; … free(x); …

3  Analysis of programs that  Dynamically allocated memory  Mantain data-structure invariants (ex. Binary Search Tree) requires to reason with unbounded heaps with unbounded data  This roles out classical combination of theories ▪ like Nelson-Oppen scheme

4 A logic that is:  Decidable  Expressive enough to state useful properties  Efficient in practice on real-world programs We try to give a solution that has a good balance overall the goals!

5  HAVOC (Lahiri, Qadeer: POPL’08)  Decidable: YES  Expressive: NO (doubly-linked lists cannot be expressed)  Efficient: YES on simple programs  CSL (Bouajjani, Dragoi, Enea, Sighireanu: CONCUR’09)  Decidable: YES  Expressive: NO ▪ extends HAVAC to handle constraints on sizes of structures ▪ still weak (properties of binary trees of unbounded depth cannot be expressed)  Efficient: ? (no implementation is provided) The technique to decide the logics is encoded in the syntax  Hard to extend or generalize

6

7 Defines a set of graphs that which are interpreted over regular trees R = ( ψ Tr, validnode, {node a } a ∈ Lv, {edge b } b ∈ Le ) MSO formula on k-ary Σ-lab trees Unary predicate Family of unary predicates. Lv is a finite set of node labels Family of binary predicates Le is a finite set of edge labels R defines a class of graphs For every tree T=(V,->) accepted by ψ Tr, graph(T) = ( N, E, labnode a, labedge b ) { v ∈ V | validnode(v) }{(u,v) | b ∈ Le & edge b (u,v) } labnode a (v) =true v ∈ N ∧ node a (v)=true labedge b (u,v) =true u,v ∈ N ∧ edge b (u,v)=true

8 E n (s,t)= leaf(s) ∧ leaf(t) ∧∃ z 1, z 2, z 3. ( E l (z 3,z 1 ) ∧ RightMostPath( z 1, s) ∧ E r (z 3,z 2 ) ∧ LeftMostPath( z 2, t) ) s t z3z3 z1z1 z2z2 Some data structures that can be expressed: Nested lists Cyclic and doubly-linked lists Threaded trees

9 ∃ x n. ∀ y m. φ(x n,y m ) φ is an Monadic Second Order (MSO) formula that combines  heap structures and  data, where the data-constraints are only allowed to refer to x n and y m Syntax of S TRAND  DATAExpression e::= data(x) | data(y) | c | g(e 1,...,e n )  φ Formula φ::= γ(e 1,...,e n ) | α(v 1,...,v n ) | ¬φ | φ 1 ∧ φ 2 | φ 1 ∨ φ 2 | z ∈ S | ∃ z. φ | ∀ z. φ | ∃ S. φ | ∀ S. φ  ∀ Formula ω::= φ | ∀ y.ω  S TRAND ψ::= ω| ∃ x.ψ MSO

10 leftbranch(y1, y2) ≡ ∃ z. (left(y1, z) ∧ z → ∗ y2) rightbranch(y1, y2) ≡ ∃ z. (right(y1, z) ∧ z → ∗ y2) ψ bst ≡ ∀ y1 ∀ y2. ( leftbranch(y1,y2) ⇒ data(y2) < data(y1) ) ∧ ( rightbranch(y1,y2) ⇒ data(y1) ≤ data(y2) ) left right

11 bstSearch PRE: ψ bst ∧ ∃ x.( key(root)=k ) Node curr = root; LOOP-INV: ψ bst ∧ ∃ x.(reach(curr,x) ∧ key(curr)=k) while ( curr.key != k && curr != null ) { if (curr.key > k) curr = curr.left; else curr = curr.right; } POST: ψ bst ∧ key(curr)=k

12

13 Given  a linear block of statements s  a S TRAND pre-condition P and a post-condition Q expressed as a Boolean combination of S TRAND formulas of the form ▪ ∃ x n. φ(x n ), ∀ y m. φ( y m ) checking the validity of the Hoare triple {P} s {Q} reduces to the satisfiability of STRAND  Satisfiability of S TRAND is undecidable  We identify a decidable fragment of S TRAND semantically defined by using the notion of satisfiability-preseving embeddings

14 Let ψ= ∃ x n. ∀ y m. φ(x n, y m ) be a S TRAND formula over a recursively data-structure R  define a new rec. data-structure R ’ that encoperates the existentally quantified variables of x n as pointers in R ’ (unary predicate Val i for the var x i )  define ψ’ = ∀ x n ∀ y m. (( ∧ i=1,…,n Val i (x i )) => φ(x n, y m )) Claim: ψ’ is satisfiable on R ’ iff ψ is satisfiable on R

15 We define a partial order over heaps that captures the following intuition S < T (S satisfiability-preservingly embeds into T) if - S is smaller than T (fewer nodes) - Each node of S is matched with a distinct node of T - no mutter how data are associated to the nodes of T if T satisfies ψ then also S satisfies ψ by inhering the data-values T T S S

16 Checking the satisfiability we ignore T and check only S Satisfiability is done only on the minimal models S TRAND dec is the class of the formulas that has a finite set of minimal models Satisfiability reduces to the satisfiability of the quantifier- free theory of the data-logic

17 Let T be a tree defining a graph of the given Rec. Data-structure A subset S of nodes of T is valid :  Not-empty & least-ancestor closed  The subtree defined by S also defines a data- structure Submodels can be defined in MSO

18 Let ψ = ∀ y n. φ(y n ) be a S TRAND formula, and γ 1, …,γ r be the atomic relational formulas of the data- logic.  Example: ψ sorted : ∀ y 1,y 2. ( (y 1 ->*y 2 ) => (data(y 1 ) ≤ data(y 2 )) ) Define the pure MSO formula ψ’ = ∀ y n. ∃ b 1, …, b r. φ’ (y n, b 1, …, b r ) where φ’ is obtained from φ by replacing γ i with the predicate b i  Example: ψ sorted : ∀ y 1,y 2. ( (y 1 ->*y 2 ) => data(y 1 ) ≤ data(y 2 ) ) ψ’ sorted : ∀ y 1,y 2. ∃ b. ( (y 1 ->*y 2 ) => b ) Claim: if ψ is satisfiable on a recursive data-structure R then ψ ’ is also satisfiable on R. The other direction does not hold OVER-APPROXIMATION

19 T T S S ψ = ∀ y n. φ(y n ) ψ’ = ∀ y n. ∃ b 1, …, b r. φ’ (y n, b 1, …, b r ) MinModel ψ = \* pure MSO formula *\ ψ Tr // the tree defines a valide heap T ∧ interpret(ψ’) // ψ’ holds true on T ∧ // NO satisfiability-preserving embeddings in T ¬ ∃ S. ( NonEmpty(S) ∧ ValidSubModel(S) ∧ ( ∀ y m. ∀ b 1, …, b r. ( ∧ i ∈ [m] (y i ∈ S) ∧ interpret( φ’ (y n, b 1, …, b r )) => interpret( S, φ’ (y n, b 1, …, b r ) ) ) )

20  Transform MinModels to tree-automaton TA MinModels -> TA  Check finiteness for TA  Extract all trees accepted by TA: TA -> T 1, …, T t  For each T i build the finite graph G i T i -> G i  Create a quantifier-free formula λ i for G i G i -> λ i  a data-variable for each node  ∀ ’s are “expanded” in conjunctions  ∃ ’s are “expanded” in disjunctions  data-constraints in S TRAND are directly written in the data-logic  The quantifier-free formula ∨ i=1,…,t λ i is a pure data-logic formula that is satisfiable iff the original formula ψ is satisfiable on R

21

22 Hoare-triples: ( ( R, Pre), P, Post ) R Pre ∈ S TRAND ∃, ∀ P: Node t = newhead; newhead = head; head = head.next; newhead.next = t; Post ∈ S TRAND ∃, ∀ Idea: capture the entire computation of P starting from a particular recursive data-structure R using a single data-structure R P ⇒ Is ψ ∈ Strand Satisfiable over R P ?

23 Error = ∨ i ∈ [m] (Pre R p ∧ ∧ j ∈ [i −1] π j ∧ error i ) Violate Post = Pre R p ∧ ∧ j ∈ [m] π j ∧ ¬Post R p Theorem The Hoare-triple ( R, Pre, P, Post) does not hold iff the S TRAND formula Error ∨ ViolatePost is satisfiable on the trail R P

24

25 Programs Verification Condition Structural Solving (MONA)Data Constraint Solving (Z3) In S TRAND dec ? # states Final BDD size Time (sec) Graph model Exists? Bound #nodes Formula size (kB) Satisfiable ? Time (sec) sorted- list-search before-loop in-loop after-loop Yes 67 131 67 264 585 264 0.34 0.59 0.18 No ------ ------ ------ ------ sorted- List-insert before-head before-loop in-loop after-loop Yes 73 259 1027 146 298 1290 6156 680 1.66 0.38 4.46 13.93 Yes No Yes 5--75--7 6.2 - 14.5 No - No 0.02 - 0.02 sorted-list- insert -err before-loopYes29815190.34Yes79.5Yes0.02 sorted-list- reverse before-loop in-loop after-loop Yes 35 513 129 119 2816 576 0.24 2.79 0.35 No ------ ------ ------ ------ Bst-search before-loop in-loop after-loop Yes 52 160 52 276 1132 276 5.03 32.80 3.27 No Yes No -9--9- - 7.7 - N0 - 0.02 - Bst-insert before-loop in-loop after-loop Yes 36 68 20 196 452 84 1.34 9.84 1.76 No ------ ------ ------ ------

26 bstSearch (pre: ψ bst ∧ ∃ x.(key(root) = k)) Node curr = root; (loop-inv: ψ bst ∧∃ x.(reach(curr,x) ∧ key(curr)=k)) while ( curr.key != k && curr != null ){ if (curr.key > k) curr = curr.left; else curr = curr.right; } (post: ψ bst ∧ key(curr) = k)

27

28 http://cs.uiuc.edu/~qiu2/strand/  Code  Experiments  Table of the experiments

29

30 We have presented S TRAND a logic for reasoning about structures and data which has good balance among  Decidability  Expressiveness  Efficiency  We believe this work  breaks new ground in combining structures and data  may pave the way for defining decidable fragments of other logics

31  Alternative to MONA?  Syntactic decidable fragments  Back-and-forth connection between the structural part and the data part

Download ppt "Gennaro Parlato (LIAFA, Paris, France) Joint work with P. Madhusudan Xiaokang Qie University of Illinois at Urbana-Champaign."

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Synthesis, Analysis, and Verification Lecture 04c Lectures: Viktor Kuncak VC Generation for Programs with Data Structures “Beyond Integers”

Synthesis, Analysis, and Verification Lecture 04c Lectures: Viktor Kuncak VC Generation for Programs with Data Structures “Beyond Integers”
Automated Verification with HIP and SLEEK Asankhaya Sharma.

Automated Verification with HIP and SLEEK Asankhaya Sharma.
SLD-resolution Introduction Most general unifiers SLD-resolution

SLD-resolution Introduction Most general unifiers SLD-resolution
Gennaro Parlato (LIAFA, Paris, France) Joint work with P. Madhusudan Xiaokang Qie University of Illinois at Urbana-Champaign.

Gennaro Parlato (LIAFA, Paris, France) Joint work with P. Madhusudan Xiaokang Qie University of Illinois at Urbana-Champaign.
ICE1341 Programming Languages Spring 2005 Lecture #6 Lecture #6 In-Young Ko iko.AT. icu.ac.kr iko.AT. icu.ac.kr Information and Communications University.

ICE1341 Programming Languages Spring 2005 Lecture #6 Lecture #6 In-Young Ko iko.AT. icu.ac.kr iko.AT. icu.ac.kr Information and Communications University.
Introduction to Computer Science 2 Lecture 7: Extended binary trees

Introduction to Computer Science 2 Lecture 7: Extended binary trees
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.

An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.
Linked List Implementation class List { private List next; private Object data; private static List root; private static int size; public static void addNew(Object.

Linked List Implementation class List { private List next; private Object data; private static List root; private static int size; public static void addNew(Object.
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers

Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 11.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
Getting started with ML ML is a functional programming language. ML is statically typed: The types of literals, values, expressions and functions in a.

Getting started with ML ML is a functional programming language. ML is statically typed: The types of literals, values, expressions and functions in a.
Hybrid Systems Presented by: Arnab De Anand S. An Intuitive Introduction to Hybrid Systems Discrete program with an analog environment. What does it mean?

Hybrid Systems Presented by: Arnab De Anand S. An Intuitive Introduction to Hybrid Systems Discrete program with an analog environment. What does it mean?
AVL Trees1 Part-F2 AVL Trees 6 3 8 4 v z. AVL Trees2 AVL Tree Definition (§ 9.2) AVL trees are balanced. An AVL Tree is a binary search tree such that.

AVL Trees1 Part-F2 AVL Trees v z. AVL Trees2 AVL Tree Definition (§ 9.2) AVL trees are balanced. An AVL Tree is a binary search tree such that.
A Fixpoint Calculus for Local and Global Program Flows Swarat Chaudhuri, U.Penn (with Rajeev Alur and P. Madhusudan)

A Fixpoint Calculus for Local and Global Program Flows Swarat Chaudhuri, U.Penn (with Rajeev Alur and P. Madhusudan)
1 A Logic of Reachable Patterns in Linked Data-Structures Greta Yorsh joint work with Alexander Rabinovich, Mooly Sagiv Tel Aviv University Antoine Meyer,

1 A Logic of Reachable Patterns in Linked Data-Structures Greta Yorsh joint work with Alexander Rabinovich, Mooly Sagiv Tel Aviv University Antoine Meyer,
Binary Trees, Binary Search Trees CMPS 2133 Spring 2008.

Binary Trees, Binary Search Trees CMPS 2133 Spring 2008.
CS 171: Introduction to Computer Science II

CS 171: Introduction to Computer Science II
1 Conditional XPath, the first order complete XPath dialect Maarten Marx Presented by: Einav Bar-Ner.

1 Conditional XPath, the first order complete XPath dialect Maarten Marx Presented by: Einav Bar-Ner.

Similar presentations

Ads by Google