Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lightweight Support for Magic Wands in an Automatic Verifier Malte Schwerhoff and Alexander J. Summers 10 th July 2015, ECOOP, Prague.

Published byOsborne Park Modified over 8 years ago

Similar presentations

Presentation on theme: "Lightweight Support for Magic Wands in an Automatic Verifier Malte Schwerhoff and Alexander J. Summers 10 th July 2015, ECOOP, Prague."— Presentation transcript:

1 Lightweight Support for Magic Wands in an Automatic Verifier Malte Schwerhoff and Alexander J. Summers 10 th July 2015, ECOOP, Prague

2 Frame Problem Modular, static verification of imperative programs Frame problem: Which memory locations change? Automated verification: Pre-/Postconditions, invariants, ghost code Well-known approach: Permissions ( ≈ Separation Logic) 2

3 3 callercallee Permission Transfer

4 4 ? callercallee

5 5 ? callercallee Permission Transfer

6 Permissions ( ≈ Separation Logic) 6 (≈) acc(x.f) ∗ x.f == 0 x.f ⟼ 0 Logical properties 0 (≈) acc(x.f) ∗ acc(y.f)x.f ⟼ _ ∗ y.f ⟼ _ Disjointness: x ≠ y Syntax & Properties

7 7 A ∗ B describes the current state in terms of disjoint substates Separating Conjunction

8 8 A ∗ B describes the current state in terms of disjoint substates Is at the heart of verifiers based on separation logic Separating Conjunction

9 9 A —∗ B describes hypothetical states Read as a promise: “In any state, if you provide A, then you will get B ” Magic Wands

10 10 Scenario: Iteratively traverse a recursively defined tree (Verification Challenge at VerifyThis@FM’12) Partial Data Structures

11 11 Scenario: Iteratively traverse a recursively defined tree Loop invariant: Describe partial data structure Partial Data Structures

12 12 Indirectly describe partial data structure as a promise ---—∗ Partial Data Structures as Magic Wands

13 13 Modus-Ponens-like rule makes promise applicable ---—∗∗ Partial Data Structures as Magic Wands

14 14 ---—∗∗ σ ⊨ A —∗ B ⇔ ∀ σ ’ · ( σ ’ ⊨ A ⇒ σ ⊎ σ ’ ⊨ B) Partial Data Structures as Magic Wands

15 15 Used in various pen & paper proofs −Partial data structures −Usage protocols for data structures −Synchronisation barriers −…−… Typically* not supported in automatic verifiers * Only exception we are aware of is VerCors; developed in parallel σ ⊨ A —∗ B ⇔ ∀ σ ’ · ( σ ’ ⊨ A ⇒ σ ⊎ σ ’ ⊨ B) Magic Wands in Proofs and Tools

16 16 Entailment of magic wand formulas is undecidable Lightweight user guidance to direct verification Automating Magic Wand Reasoning

17 17 package A —∗ B apply A —∗ B Use it Pass it around Make a promise ---—∗∗ Opaque resource; Specifications Guidance: Ghost Operations + Specifications

18 18 package A —∗ B apply A —∗ B Use it Pass it around Make a promise ---—∗∗ Opaque resource; Specifications Guidance: Ghost Operations + Specifications Challenge: Ensure soundness of apply in any (future) state

19 19 Permissions guaranteeing that giving up A ∗ ( A —∗ B ) and obtaining B is sound ---—∗ carved out effectively immutable Footprints of A —∗ B

20 20 Footprints are not unique ---—∗ or or all available permissions Footprints of A —∗ B

21 21 Footprints are not unique ---—∗ or or all available permissions How to choose a footprint? Footprints of A —∗ B

22 package A —∗ ( B 1 ∗ B 2 ∗ … ∗ B n ) 22 0. given current state v1v1 v2v2 v3v3 v5v5 v4v4 Footprint Computation Algorithm: Setup

23 package A —∗ ( B 1 ∗ B 2 ∗ … ∗ B n ) 23 1. create LHS state current state ⊨ A v1v1 v2v2 v3v3 v5v5 w2w2 w3w3 w1w1 v4v4 w3w3 Footprint Computation Algorithm: Setup

24 package A —∗ ( B 1 ∗ B 2 ∗ … ∗ B n ) 24 LHS state current state ⊨ A v1v1 v2v2 v3v3 v5v5 w2w2 w3w3 w1w1 v4v4 w3w3 Footprint Computation Algorithm: Setup 2. create empty RHS state

25 package A —∗ ( B 1 ∗ B 2 ∗ … ∗ B n ) 25 LHS state current state RHS state v1v1 v2v2 v3v3 v5v5 w2w2 w3w3 w1w1 v4v4 w3w3 3. iterate over B i ’s:If B i is acc( x.f ) then transfer permissions and assumptions Footprint Computation Algorithm: Execution

26 package A —∗ ( B 1 ∗ B 2 ∗ … ∗ B n ) 26 LHS state current state RHS state v1v1 v2v2 v3v3 v5v5 w2w2 w3w3 3. iterate over B i ’s:If B i is acc(x.f) then transfer permissions and assumptions w1w1 v4v4 w3w3 w1w1 X w3w3 X v2v2 X Footprint Computation Algorithm: Execution

27 package A —∗ ( B 1 ∗ B 2 ∗ … ∗ B n ) 27 LHS state current state RHS state v1v1 v2v2 v3v3 v5v5 w2w2 w3w3 w1w1 v4v4 w3w3 w1w1 X w3w3 X v2v2 X 3. iterate over B i ’s:If B i is a logical property P, e.g. x.f == 0, then check P ⊨ P ? Footprint Computation Algorithm: Execution

28 package acc(x.f) —∗ acc(x.f) 28 LHS state current state RHS state Examples

29 package true —∗ acc(x.f) 29 LHS state current state RHS state Examples

30 package true —∗ acc(x.f) ∗ x.f == 0 30 LHS state current state RHS state ⊨ x.f == 0 0 Examples

31 package acc(x.f) —∗ acc(x.f) ∗ x.f == 0 31 LHS state current state RHS state ⊭ x.f == 0 0 ? Examples

32 Abstract predicates for recursive data structures 32 x == null ∗ x l xx r Existing Features

33 Abstract predicates plus ghost operations 33 ∗ x l x r fold tree(x) unfold tree(x) Existing Ghost Operations

34 package —∗ xxxxx 34 Integrating Existing Ghost Operations

35 package —∗ (fold tree(x) in ) 35 Integrating Existing Ghost Operations

36 36 LHS state current state RHS state package —∗ (fold tree(x) in ) Integrating Existing Ghost Operations

37 37 LHS state current state RHS state package —∗ (fold tree(x) in ) Integrating Existing Ghost Operations

38 Part of Viper verification infrastructure −Implementation based on symbolic execution −Rich logic: unrestricted abstract predicates, abstraction functions, quantifiers, sets, sequences, custom mathematical domains, flexible permission model, … Set of interesting examples; 1.6 to 3 seconds Verification challenge from VerifyThis’12 −Verifies in 3s −VerCors: −6 minutes (originally, using Chalice/Boogie) −60 seconds (currently, using Viper) 38 Implementation

39 Simple heuristics to infer package and apply statements Infers all package and apply statements in our examples Verification time: +0.5s or less 39 Annotation Inference Heuristics

40 40 Scenario: Iteratively traverse a recursively defined tree Loop invariant: Describe partial data structure A A ---—∗ B B VerifyThis’12 Challenge Revisited

41 41 VerifyThis’12 Challenge Encoded

42 42 Named shorthand, could be inlined Inferred by heuristics Required in either case VerifyThis’12 Challenge Encoded

43 Algorithm for computing wand footprints −Sound (proof sketch) −Permissive and predictable Formalised verifier-independently Implementation −Co-first* to support magic wands in an automatic verifier −Lightweight user annotations −Convincing initial results (expressiveness, performance) 43 * VerCors www.pm.inf.ethz.ch/research/viper.html

Download ppt "Lightweight Support for Magic Wands in an Automatic Verifier Malte Schwerhoff and Alexander J. Summers 10 th July 2015, ECOOP, Prague."

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Shape Analysis with Structural Invariant Checkers Bor-Yuh Evan Chang Xavier Rival George C. Necula May 10, 2007 OSQ Retreat.

Shape Analysis with Structural Invariant Checkers Bor-Yuh Evan Chang Xavier Rival George C. Necula May 10, 2007 OSQ Retreat.
Automated Verification with HIP and SLEEK Asankhaya Sharma.

Automated Verification with HIP and SLEEK Asankhaya Sharma.
Semantics Static semantics Dynamic semantics attribute grammars

Semantics Static semantics Dynamic semantics attribute grammars
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
Verifying Executable Object-Oriented Specifications with Separation Logic Stephan van Staden, Cristiano Calcagno, Bertrand Meyer.

Verifying Executable Object-Oriented Specifications with Separation Logic Stephan van Staden, Cristiano Calcagno, Bertrand Meyer.
Constraint Semantics for Abstract Read Permissions 28 th July 2014, FTfJP, Uppsala John Tang Boyland (UW-Milwaukee/ETH Zurich) Peter Müller, Malte Schwerhoff,

Constraint Semantics for Abstract Read Permissions 28 th July 2014, FTfJP, Uppsala John Tang Boyland (UW-Milwaukee/ETH Zurich) Peter Müller, Malte Schwerhoff,
Automated Software Verification with a Permission-Based Logic 20 th June 2014, Zürich Malte Schwerhoff, ETH Zürich.

Automated Software Verification with a Permission-Based Logic 20 th June 2014, Zürich Malte Schwerhoff, ETH Zürich.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 11.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.

A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.
Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.

Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
CS 355 – Programming Languages

CS 355 – Programming Languages
Changing perspective can be useful Relating alternative logics for automatic software verification Alex Summers (ETH Zurich) partly based on joint work.

Changing perspective can be useful Relating alternative logics for automatic software verification Alex Summers (ETH Zurich) partly based on joint work.
Logic in general Logics are formal languages for representing information such that conclusions can be drawn Syntax defines the sentences in the language.

Logic in general Logics are formal languages for representing information such that conclusions can be drawn Syntax defines the sentences in the language.
Constraint Logic Programming Ryan Kinworthy. Overview Introduction Logic Programming LP as a constraint programming language Constraint Logic Programming.

Constraint Logic Programming Ryan Kinworthy. Overview Introduction Logic Programming LP as a constraint programming language Constraint Logic Programming.
Review: forward E { P } { P && E } TF { P && ! E } { P 1 } { P 2 } { P 1 || P 2 } x = E { P } { \exists … }

Review: forward E { P } { P && E } TF { P && ! E } { P 1 } { P 2 } { P 1 || P 2 } x = E { P } { \exists … }
Review: forward E { P } { P && E } TF { P && ! E } { P 1 } { P 2 } { P 1 || P 2 } x = E { P } { \exists … }

Review: forward E { P } { P && E } TF { P && ! E } { P 1 } { P 2 } { P 1 || P 2 } x = E { P } { \exists … }
Describing Syntax and Semantics

Describing Syntax and Semantics

Similar presentations

Ads by Google