Presentation is loading. Please wait.

Presentation is loading. Please wait.

© Andrew IrelandDependable Systems Group Cooperative Reasoning for Automatic Software Verification Andrew Ireland School of Mathematical & Computer Sciences.

Published byBrent Dean Modified over 8 years ago

Similar presentations

Presentation on theme: "© Andrew IrelandDependable Systems Group Cooperative Reasoning for Automatic Software Verification Andrew Ireland School of Mathematical & Computer Sciences."— Presentation transcript:

1 © Andrew IrelandDependable Systems Group Cooperative Reasoning for Automatic Software Verification Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt University Edinburgh

2 © Andrew IrelandDependable Systems Group Outline Separation logic Automatic software verification challenges Cooperative reasoning proposal

3 © Andrew IrelandDependable Systems Group Separation Logic John Reynolds (CMU) and Peter O’Hearn (QMU) Extends Hoare’s axiomatic basis so as to simplify pointer program proofs Deals smoothly with “dirty features” such as memory disposal and address arithmetic Focuses the reasoning effort on only those parts of the heap that are relevant to a program unit, i.e. local reasoning

4 © Andrew IrelandDependable Systems Group Logical Conjunction P ∧ Q Heap

5 © Andrew IrelandDependable Systems Group Separating Conjunction P ∗ Q Heap

6 © Andrew IrelandDependable Systems Group An Example x := cons(1,2); y := cons(3,4); [x+1] := y; [y+1] := x; store heap

7 © Andrew IrelandDependable Systems Group x := cons(1,2); y := cons(3,4); [x+1] := y; [y+1] := x; store x 12 heap (x ↦ 1, 2) An Example

8 © Andrew IrelandDependable Systems Group x := cons(1,2); y := cons(3,4); [x+1] := y; [y+1] := x; x y store heap 1234 (x ↦ 1, 2) ∗ (y ↦ 3, 4) An Example

9 © Andrew IrelandDependable Systems Group x := cons(1,2); y := cons(3,4); [x+1] := y; [y+1] := x; x y store heap 134 (x ↦ 1, y) ∗ (y ↦ 3, 4) An Example

10 © Andrew IrelandDependable Systems Group x := cons(1,2); y := cons(3,4); [x+1] := y; [y+1] := x; x y store heap 13 (x ↦ 1, y) ∗ (y ↦ 3, x) An Example

11 © Andrew IrelandDependable Systems Group Frame Rule {P} C {Q} {R*P} C {R*Q} where no variable occurring free in R is modified by C

12 © Andrew IrelandDependable Systems Group Singly-linked Lists list ( [],Y,Z ) ↔ emp  Y=Z list ( [W|X],Y,Z)↔ ( ∃ p.( Y ↦ W,p ) *list ( X,p,Z )) a1a1 a2a2 anan … i list([a 1, a 2, …, a n ],i,j) j

13 © Andrew IrelandDependable Systems Group {list(A,i,nil)} procedure copylist(i; j) is if i = nil then j := i else newvar ih, it, jt in ih := [i]; it := [i+1]; {R ∗ list(A t,i t,nil)} copylist(it; jt); {R ∗ list(A t,i t,nil) * list(A t,j t,nil)} j := cons(ih, jt) end if end copylist {list(A,i,nil) * list(A,j,nil)} { ∃ A h, A t.([A h |A t ]=A) ∧ (i h =A h ) ∧ (i ↦ i h,i t ) ∗ list(A t,i t,nil)} copylist(it; jt); { ∃ A h,A t.([A h |A t ]=A) ∧ (i h =A h ) ∧ (i ↦ i h,i t ) ∗ list(A t,i t,nil) ∗ list(A t,j t,nil)} Frame Axiom Discovery

14 © Andrew IrelandDependable Systems Group {list(A,i,nil)} procedure copylist(i; j) is if i = nil then j := i else newvar ih, it, jt in ih := [i]; it := [i+1]; {R ∗ list(A t,i t,nil)} copylist(it; jt); {R ∗ list(A t,i t,nil) * list(A t,j t,nil} j := cons(ih, jt) end if end copylist {list(A,i,nil) * list(A,j,nil)} { ∃ A h, A t.([A h |A t ]=A) ∧ (i h =A h ) ∧ (i ↦ i h,i t ) ∗ list(A t,i t,nil)} copylist(it; jt); { ∃ A h,A t.([A h |A t ]=A) ∧ (i h =A h ) ∧ (i ↦ i h,i t ) ∗ list(A t,i t,nil) ∗ list(A t,j t,nil)} shape Frame Axiom Discovery

15 © Andrew IrelandDependable Systems Group {list(A,i,nil)} procedure copylist(i; j) is if i = nil then j := i else newvar ih, it, jt in ih := [i]; it := [i+1]; {R ∗ list(A t,i t,nil)} copylist(it; jt); {R ∗ list(A t,i t,nil) * list(A t,j t,nil} j := cons(ih, jt) end if end copylist {list(A,i,nil) * list(A,j,nil)} { ∃ A h, A t.([A h |A t ]=A) ∧ (i h =A h ) ∧ (i ↦ i h,i t ) ∗ list(A t,i t,nil)} copylist(it; jt); { ∃ A h,A t.([A h |A t ]=A) ∧ (i h =A h ) ∧ (i ↦ i h,i t ) ∗ list(A t,i t,nil) ∗ list(A t,j t,nil)} content Frame Axiom Discovery

16 © Andrew IrelandDependable Systems Group { ∃ A. list(A,i,nil) ∧ A init = A} j := nil; {R} while not(i = nil) loop k := [i+1]; [i+1] := j; j := i; i := k end loop { ∃ B.list(B,j,nil) ∧ rev(A init )= B)} Loop Invariant Discovery R : { ∃ A,B.list(A,i,nil)*list(B,j,nil) ∧ rev(A init )=app(rev(A),B)}

17 © Andrew IrelandDependable Systems Group { ∃ A. list(A,i) ∧ A init = A} j := nil; {R} while not(i = nil) loop k := [i+1]; [i+1] := j; j := i; i := k end loop { ∃ B.list(B,j,nil) ∧ rev(A init )= B)} R : { ∃ A,B.list(A,i,nil)*list(B,j,nil) ∧ rev(A init )=app(rev(A),B)} Loop Invariant Discovery shape

18 © Andrew IrelandDependable Systems Group { ∃ A. list(A,i) ∧ A init = A} j := nil; {R} while not(i = nil) loop k := [i+1]; [i+1] := j; j := i; i := k end loop { ∃ B.list(B,j,nil) ∧ rev(A init )= B)} R : { ∃ A,B.list(A,i,nil)*list(B,j,nil) ∧ rev(A init )=app(rev(A),B)} Loop Invariant Discovery content

19 © Andrew IrelandDependable Systems Group { ∃ A,B. list(A,x,nil)* list(B,y,nil) ∧ A = A init ∧ B = B init } if (x = 0) then x := y; else t:= x; u:= [t+1]; {R} while not(u = nil) loop t:= u;u:= [t+1]; end loop; [t+1]:= y; { ∃ C.list(C,x,nil) ∧ C = app(A init,B init )} Inductive Lemma Discovery list(X,V,W)*list(Y,W,nil) ↔ list(app(X,Y),V,nil)

20 © Andrew IrelandDependable Systems Group { ∃ A,B. list(A,x,nil)* list(B,y,nil) ∧ A = A init ∧ B = B init } if (x = 0) then x := y; else t:= x; u:= [t+1]; {R} while not(u = nil) loop t:= u;u:= [t+1]; end loop; [t+1]:= y; { ∃ C.list(C,x,nil) ∧ C = app(A init,B init )} Inductive Lemma Discovery list(X,V,W)*list(Y,W,nil) ↔ list(app(X,Y),V,nil) shape

21 © Andrew IrelandDependable Systems Group { ∃ A,B. list(A,x,nil)* list(B,y,nil) ∧ A = A init ∧ B = B init } if (x = 0) then x := y; else t:= x; u:= [t+1]; {R} while not(u = nil) loop t:= u;u:= [t+1]; end loop; [t+1]:= y; { ∃ C.list(C,x,nil) ∧ C = app(A init,B init )} Inductive Lemma Discovery list(X,V,W)*list(Y,W,nil) ↔ list(app(X,Y),V,nil) content

22 © Andrew IrelandDependable Systems Group Symbolic Execution Smallfoot: implements a symbolic execution method that automates the verification of shape properties for loop-free code SpaceInvader: extends Smallfoot so as to deal with loops, i.e. uses abstraction to discovery loop (shape) invariants Tools lack extensibility, i.e. fixed number of data types and inductive properties

23 © Andrew IrelandDependable Systems Group Automatic Theorem Proving Proof planning Methods + Critics Proof checking Tactics Conjectures Theory Proof plans promote reuse, robustness and tool integration

24 © Andrew IrelandDependable Systems Group Proof Planning Middle-out reasoning: use of meta-variables in delaying choice during proof planning Proof critics: automatic proof patching via proof- failure analysis, e.g. generalization, lemma and loop invariant discovery Cooperative reasoning: –Clam/HOL: proof by mathematical induction –SPADEase: program analysis & proof planning for SPARK

25 © Andrew IrelandDependable Systems Group Cooperative Reasoning +=

26 © Andrew IrelandDependable Systems Group Cooperative Reasoning += = Complementary techniques compensating for each other’s weaknesses

27 © Andrew IrelandDependable Systems Group Symbolic ExecutionProof Planning shape invariants content invariants soundness extensibility Compensating for Weaknesses?

28 © Andrew IrelandDependable Systems Group Executive Summary Adapt and extend existing proof plans for use within separation logic – IsaPlanner/Isabelle. Build upon off-the-shelf shape analysis tools from Peter O’Hearn’s group (QMU) – Smallfoot etc. Hypothesis: Proposed cooperation will improve state-of-the-art for verification automation. Specification = shape + content

Download ppt "© Andrew IrelandDependable Systems Group Cooperative Reasoning for Automatic Software Verification Andrew Ireland School of Mathematical & Computer Sciences."

Similar presentations

Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.

Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Techniques for proving programs with pointers A. Tikhomirov.

Techniques for proving programs with pointers A. Tikhomirov.
Automated Verification with HIP and SLEEK Asankhaya Sharma.

Automated Verification with HIP and SLEEK Asankhaya Sharma.
PZ03D Programming Language design and Implementation -4th Edition Copyright©Prentice Hall, 2000 1 PZ03D - Program verification Programming Language Design.

PZ03D Programming Language design and Implementation -4th Edition Copyright©Prentice Hall, PZ03D - Program verification Programming Language Design.
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers

Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
11111 Functional Program Verification CS 4311 A. M. Stavely, Toward Zero Defect Programming, Addison-Wesley, 1999. Y. Cheon and M. Vela, A Tutorial on.

11111 Functional Program Verification CS 4311 A. M. Stavely, Toward Zero Defect Programming, Addison-Wesley, Y. Cheon and M. Vela, A Tutorial on.
Formal Semantics of Programming Languages 虞慧群 Topic 5: Axiomatic Semantics.

Formal Semantics of Programming Languages 虞慧群 Topic 5: Axiomatic Semantics.
A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.

A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.
6/14/991 Symbolic verification of systems with state machines David L. Dill Jeffrey Su Jens Skakkebaek Computer System Laboratory Stanford University.

6/14/991 Symbolic verification of systems with state machines David L. Dill Jeffrey Su Jens Skakkebaek Computer System Laboratory Stanford University.
David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 19: Minding Ps & Qs: Axiomatic.

David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 19: Minding Ps & Qs: Axiomatic.
An Integration of Program Analysis and Automated Theorem Proving Bill J. Ellis & Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt.

An Integration of Program Analysis and Automated Theorem Proving Bill J. Ellis & Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt.
Termination Proofs for Systems Code Andrey Rybalchenko, EPFL/MPI joint work with Byron Cook, MSR and Andreas Podelski, MPI PLDI’2006, Ottawa.

Termination Proofs for Systems Code Andrey Rybalchenko, EPFL/MPI joint work with Byron Cook, MSR and Andreas Podelski, MPI PLDI’2006, Ottawa.
Local Reasoning Peter O’Hearn John Reynolds Hongseok Yang.

Local Reasoning Peter O’Hearn John Reynolds Hongseok Yang.
Separation Logic A Logic of Shared Mutable Data Structures John Reynolds CMU Extended subset Mooly Sagiv.

Separation Logic A Logic of Shared Mutable Data Structures John Reynolds CMU Extended subset Mooly Sagiv.
Programming Language Semantics Mooly SagivEran Yahav Schrirber 317Open space 03-640-760603-640-5358 html://www.cs.tau.ac.il/~msagiv/courses/sem03.html.

Programming Language Semantics Mooly SagivEran Yahav Schrirber 317Open space html://
Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.

Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
Semantics with Applications Mooly Sagiv Schrirber 317 03-640-7606 html://www.cs.tau.ac.il/~msagiv/courses/sem08.html Textbooks:Winskel The.

Semantics with Applications Mooly Sagiv Schrirber html:// Textbooks:Winskel The.
Describing Syntax and Semantics

Describing Syntax and Semantics

Similar presentations

Ads by Google