Lightweight Support for Magic Wands in an Automatic Verifier (Malte Schwerhoff and Alexander J. Summers)

Post on 21-Jan-2016


Malte Schwerhoff and Alexander J. Summers

10th July 2015, ECOOP, Prague

Frame Problem

Modular, static verification of imperative programs

⤷ Frame problem: Which memory locations change?

Automated verification: Pre-/Postconditions, invariants, ghost code

Well-known approach: Permissions (≈ Separation Logic)

Permission Transfer

[Figure: permissions handed from caller to callee and back; which permissions return to the caller is the open question marked “?” in the slides]

Permissions (≈ Separation Logic): Syntax & Properties

acc(x.f) ∗ x.f == 0 (≈ x.f ⟼ 0): permission to a location plus a logical property about its value

acc(x.f) ∗ acc(y.f) (≈ x.f ⟼ _ ∗ y.f ⟼ _): disjointness, hence x ≠ y

Separating Conjunction

A ∗ B describes the current state in terms of disjoint substates and is at the heart of verifiers based on separation logic

Magic Wands

A —∗ B describes hypothetical states. Read as a promise: “In any state, if you provide A, then you will get B”

Partial Data Structures

Scenario: Iteratively traverse a recursively defined tree (Verification Challenge at VerifyThis@FM’12)

⤷ Loop invariant: Describe partial data structure

Partial Data Structures as Magic Wands

Indirectly describe partial data structure as a promise A —∗ B

Modus-Ponens-like rule makes promise applicable

σ ⊨ A —∗ B ⇔ ∀σ’ · (σ’ ⊨ A ⇒ σ ⊎ σ’ ⊨ B)

Magic Wands in Proofs and Tools

Used in various pen & paper proofs
− Partial data structures
− Usage protocols for data structures
− Synchronisation barriers
− …

Typically* not supported in automatic verifiers

* Only exception we are aware of is VerCors; developed in parallel

Automating Magic Wand Reasoning

Entailment of magic wand formulas is undecidable
⤷ Lightweight user guidance to direct verification

Guidance: Ghost Operations + Specifications

package A —∗ B: make a promise

apply A —∗ B: use it

Pass it around: the wand is an opaque resource, mentioned in specifications

Challenge: Ensure soundness of apply in any (future) state

Footprints of A —∗ B

Permissions guaranteeing that giving up A ∗ (A —∗ B) and obtaining B is sound

Carved out of the current state ⤷ effectively immutable

Footprints are not unique: [figure: several candidate footprints] or all available permissions

How to choose a footprint?

Footprint Computation Algorithm: Setup

package A —∗ (B1 ∗ B2 ∗ … ∗ Bn)

0. Given: current state [figure: locations with values v1, v2, v3, v4, v5]
1. Create LHS state ⊨ A [figure: locations with fresh values w1, w2, w3]
2. Create empty RHS state

Footprint Computation Algorithm: Execution

3. Iterate over the Bi’s:
   If Bi is acc(x.f), then transfer permissions and assumptions [figure: w1 and w3 moved from the LHS state, v2 from the current state, into the RHS state]
   If Bi is a logical property P, e.g. x.f == 0, then check RHS state ⊨ P?

Examples

package acc(x.f) —∗ acc(x.f)

package true —∗ acc(x.f)

package true —∗ acc(x.f) ∗ x.f == 0 (RHS state ⊨ x.f == 0, the current state holds x.f ⟼ 0)

package acc(x.f) —∗ acc(x.f) ∗ x.f == 0 (RHS state ⊭ x.f == 0, even though the current state holds x.f ⟼ 0: ?)
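The footprint computation and the four package examples above, as an added toy model that is not Viper's code: states are dictionaries from field locations to a known value or None (permission held, value unknown, like the fresh w-values of the LHS state), and assertions are lists of ("acc", loc) and ("eq", loc, value) conjuncts; both representations are constructed for this illustration.

```python
"""Toy model of the footprint computation for `package A -* B`.

Constructed illustration, not Viper's implementation. A state maps field
locations such as "x.f" to their value, or to None when permission is held
but the value is unknown (the fresh w-values of the LHS state). Assertions
are conjunctions given as lists of ("acc", loc) and ("eq", loc, value).
"""
from typing import Optional

State = dict[str, Optional[int]]


def lhs_state(lhs: list[tuple]) -> State:
    """Step 1: a fresh state satisfying A; values are unknown unless A fixes them."""
    st: State = {a[1]: None for a in lhs if a[0] == "acc"}
    for a in lhs:
        if a[0] == "eq":
            if a[1] not in st:
                raise ValueError(f"A mentions {a[1]} without acc({a[1]})")
            st[a[1]] = a[2]
    return st


def package(cur: State, lhs: list[tuple], rhs: list[tuple]) -> State:
    """Compute the footprint of A -* B in the current state `cur`.

    Returns the permissions carved out of `cur` (the footprint) and raises
    ValueError if B cannot be established; `cur` itself is left untouched.
    """
    lhs_st = lhs_state(lhs)
    rhs_st: State = {}                 # step 2: empty RHS state
    footprint: State = {}
    for a in rhs:                      # step 3: iterate over the B_i
        if a[0] == "acc":
            loc = a[1]
            if loc in lhs_st:          # promised by A: take it from the LHS state
                rhs_st[loc] = lhs_st.pop(loc)
            elif loc in cur and loc not in footprint:  # else carve it out of `cur`
                rhs_st[loc] = footprint[loc] = cur[loc]
            else:
                raise ValueError(f"no permission to {loc} for B")
        elif a[0] == "eq":
            loc, val = a[1], a[2]
            # logical property: must hold in the RHS state; an unknown value fails
            if rhs_st.get(loc) != val:
                raise ValueError(f"cannot establish {loc} == {val}")
        else:
            raise ValueError(f"unsupported assertion {a}")
    return footprint
```

With the current state {"x.f": 0}, the first example yields an empty footprint, the second and third yield {"x.f": 0}, and the fourth raises because x.f in the RHS state came from the LHS with an unknown value.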

Existing Features

Abstract predicates for recursive data structures [figure: tree predicate, either x == null or a node x with subtrees l and r]

Existing Ghost Operations

Abstract predicates plus ghost operations: fold tree(x), unfold tree(x)

Integrating Existing Ghost Operations

package … —∗ (fold tree(x) in …)

[Figure: LHS state, current state and RHS state during the package with the nested fold]

Implementation

Part of Viper verification infrastructure
− Implementation based on symbolic execution
− Rich logic: unrestricted abstract predicates, abstraction functions, quantifiers, sets, sequences, custom mathematical domains, flexible permission model, …

Set of interesting examples; 1.6 to 3 seconds

Verification challenge from VerifyThis’12
− Verifies in 3s
− VerCors:
  − 6 minutes (originally, using Chalice/Boogie)
  − 60 seconds (currently, using Viper)

Annotation Inference Heuristics

Simple heuristics to infer package and apply statements

Infers all package and apply statements in our examples

Verification time: +0.5s or less

VerifyThis’12 Challenge Revisited

Scenario: Iteratively traverse a recursively defined tree

⤷ Loop invariant: Describe partial data structure [figure: A and A —∗ B]

VerifyThis’12 Challenge Encoded

[Figure: encoded program; annotations marked as “named shorthand, could be inlined”, “inferred by heuristics”, and “required in either case”]

Algorithm for computing wand footprints
− Sound (proof sketch)
− Permissive and predictable

Formalised verifier-independently

Implementation
− Co-first* to support magic wands in an automatic verifier
− Lightweight user annotations
− Convincing initial results (expressiveness, performance)

* VerCors

www.pm.inf.ethz.ch/research/viper.html