Date posted: 20-Dec-2015
Slide 1: Verifying Temporal Heap Properties Specified via Evolution Logic
Eran Yahav, Tom Reps, Mooly Sagiv and Reinhard Wilhelm
http://www.cs.tau.ac.il/~yahave
ESOP 2003
Slide 2: Introduction
Goals:
• specify and verify temporal properties of sequential and concurrent heap-manipulating programs
• specify the way objects evolve across program execution
• focus on Java-like programs; support the following:
  • Java-like concurrency
  • dynamic allocation/deallocation of objects
  • dynamic allocation/deallocation of threads
Slide 3: Spatial and Temporal Properties
• Relate memory locations across program configurations
• Allow specification relating to allocation and deallocation of objects
• Example: concurrent GC
  • Safety: only objects not reachable from the roots are collected
  • Liveness: all garbage objects are eventually collected
• Propositional temporal logic is not enough; this motivates the use of a more expressive specification language
[Diagram: spatial vs. temporal axes]
Slide 4: Spatial and Temporal Properties
  L1: while (x != null) {
  L2:   e = x
  L3:   x = x.n
  L4:   e.n = null
  L5:   free(e)
      }
Every object is eventually pointed-to by x
[Figure: a trace of configurations at[L1], ..., at[L1], ... showing the list cells linked by n and the cell pointed to by x in each configuration]
Slide 5: Spatial and Temporal Properties
• Every allocated object is eventually deallocated
• Every allocated request is eventually assigned a handler thread
• An object is eventually removed from a pointer-based data structure
• Each opened file remains open until used
• ...
Slide 6: Challenges
• Varying domains: the set of objects in the heap is likely to change during program execution
  • dynamic allocation and deallocation
  • no a priori bound on the number of objects/threads
• Progress: abstraction of transitions/traces; progress may be lost under abstraction
Slide 7: Plan
• Program configurations and traces
• Specification: Evolution Temporal Logic (ETL); meaning of ETL formulae
• Verification: reducing ETL to FOTC
  • representing ETL traces via FO structures
  • compiling ETL formulae to FOTC formulae
• Abstract interpretation
• Prototype implementation
• Summary
Slide 8: Program Configurations
• A concrete program configuration encodes the global store, the program location of every thread, and the status of locks and threads
• First-order logical structures are used to represent program configurations
Slide 10: Concrete Configuration
[Figure: a concrete configuration drawn as a first-order structure: threads at at[l_0], at[l_1] and at[l_C], fields rval[f], and the lock predicates held_by and blocked]
Slide 11: Program Traces
• Infinite sequence of program configurations
• Each step is a single program action
• Individuals may vary between configurations: dynamic allocation / deallocation
[Figure: a trace at[L1], at[L2], at[L3], at[L4], at[L5], at[L1], ... showing the cells pointed to by x and e in each configuration]
Slide 12: Evolution Temporal Logic (ETL)
• Based on first-order linear temporal logic: quantification over individuals v, transitive closure (TC), and the temporal operators X, U, ...
• State formulae may include free variables, which relates memory locations across configurations (worlds), e.g. v. x(v) e(v)
• Special operators: one stating that object v is allocated, one stating that object v is deallocated
• Predicates represent properties of interest: for heap references x(v), n(v1,v2), ...; for threads and locks blocked(t,l), held_by(l,t), ...
Slide 13: ETL Examples
• Every object is eventually pointed-to by x: v. x(v)
• Every allocated object is eventually deallocated: (v. v v)
• Every allocated request is eventually assigned a handler thread: r:request. r t:thread. handles(t,r)
• An object v is eventually removed from a pointer-based data structure s: ... u: s(u) n*(u,v) ...
Slide 14: ETL Semantics
• Infinite sequence of configurations
• World locality: an individual may exist in at most one world; equality is world-local
• Evolution: explicit representation of the evolution relation of individuals across worlds; allocated and deallocated individuals are represented explicitly
Slide 15: ETL Traces
[Figure: the trace at[L1], at[L2], at[L3], at[L4], at[L5], at[L1], ... drawn with evolution edges between the copies of each object in successive configurations; legend: deallocated object, evolution edge]
Slide 17: Temporally Separable Properties
• Properties which do not relate individuals of different configurations
• Temporal operators only over closed FO formulae
• Corresponds to propositional temporal logic: v.x(v)v'.n(v,v') becomes P, with P = v.x(v)v'.n(v,v')
[Figure: the trace at[L1], at[L2], at[L3], at[L5], at[L1], ... with the configurations in which P holds marked]
Slide 18: Spatially Separable Properties
• Universally quantified propositional specification
• Each object should obey the specification separately (typestate verification)
• Examples: v.x(v); f:file. (read(f) closed(f))
[Figure: the trace at[L1], at[L2], at[L3], at[L4], at[L5], ... with the specification evaluated per object along its evolution edges]
Slide 20: ETL Traces as FO Structures
[Figure: the trace at[L1], at[L2], at[L3], at[L4], at[L5], ... as a single first-order structure: world individuals linked by succ edges, object individuals attached to their world by existence edges, evolution edges between the copies of an object, and a marked deallocation; legend: deallocation, object, world, existence edge, evolution edge, succ]
Slide 22: Representing ETL Traces via First-order Structures
• Explicitly encode possible worlds and the accessibility relation
  • world individuals
  • successor edges relate worlds
  • each non-world individual exists in at most one world
  • an existence predicate relates non-world individuals to the world in which they exist
• Designated predicates: succ(w1,w2), exists(o,w), evolves(o1,o2)
• Adapted from Lewis's "counterpart semantics"
Slide 23: Extracting ETL Properties
• ETL properties are compiled into plain FOTC formulae
• An ETL trace is encoded as an FO structure
• Evaluate an ETL formula over an ETL trace by evaluating the corresponding FOTC formula over the FO structure
Slide 25: Abstract Interpretation
• (Over-)approximate a possibly infinite set of infinite traces by a finite set of finite abstract traces
• Successive approximations: compute the greatest fixed point
  • start with an abstract trace representing the initial configuration with all possible suffixes
  • repeatedly refine the results by exploring longer finite prefixes
  • a longer abstract trace represents fewer concrete traces
• Evaluate the property over the abstract traces in the fixed point
• Use 3-valued logical structures for abstract traces
Slide 26: Canonic Abstraction
[Figure: an abstract trace over at[L1], at[L2], at[L3], ... with succ edges between worlds, the currWorld marker, and summary nodes for the cells pointed to by x and e]
Slide 27: Abstraction Example
[Figure: a concurrent-program trace from initialWorld to currWorld along succ edges, with threads (t0 among them) at at[l_1], at[l_2] and at[l_c], fields rval[v], and the lock predicates heldBy and blocked, shown before and after canonic abstraction]
Slide 28: Growing Abstract Traces
• Partial concretization (focus)
• Apply update
  • append a new configuration to the abstract trace; the new configuration reflects the effect of the update
  • add a successor edge into the new configuration and evolution edges into the evolved individuals
  • update the currWorld predicate
• Abstraction
Slide 29
[Figure: growing an abstract trace by one step: concretization, update and abstraction of traces over at[L1], at[L2], at[L3], at[L4], with succ edges between worlds and the currWorld marker on the last configuration]
Slide 30: Greatest Fixed Point
[Figure: the abstract traces over at[L1], at[L2], at[L3], at[L4] obtained in successive iterations, linked by succ edges]
Slide 31: Greatest Fixed Point
[Figure: the same abstract traces at the fixed point, with succ edges from at[L1] to at[L2] and onward]
Slide 32: Recording History
• Improve precision: add predicates for subformulae of the ETL formula
• Record the state of subformula satisfaction over the trace
• Tailor the abstraction according to the property of interest
Slide 33: Progress
• Progress may be lost under abstraction
• Common for liveness to require augmentation with progress information
• Can express a progress measure for linked data structures in ETL, e.g., progress of a linked data structure traversal:
  • the number of items reachable from a program variable decreases
Slide 34: Implementation
• Manually convert ETL to FOTC
• Define instrumentation predicates for temporal subformulae
• Let TVLA do the rest
• Properties proved: termination of linked-list manipulation; response (fair/unfair)
• Takes a lot of time
Slide 36: Related Work
• Model Checking Birth and Death / Distefano, Rensink, Katoen [TCS '02]
  • decidable temporal logic
  • allows referring to the moment of allocation and deallocation
  • does not allow relationships between objects
  • simple abstraction: collapse all non-reachable objects
Slide 37: Summary
• ETL allows specification of heap evolution properties
• Automatically verify ETL properties:
  • represent ETL traces via FO structures
  • represent ETL properties as FOTC formulae
  • evaluate the FOTC formula over 3-valued FO structures representing sets of traces
• Common for liveness properties to require reduction or progress monitors; progress is expressed as ETL formulae
Slide 38: Future Work
• More precise and efficient algorithms for verifying ETL: tableau-like verification method
• ETL subclasses: already used spatially separable properties for memory management properties [SAS'03]
Slide 43: Subtle Issues
• Fairness: we can express an explicit scheduling queue; other notions of fairness under dynamic allocation?
• Reduction
• Constant domain semantics: requires the user to specify existence or to use syntactically different quantifiers for global/local quantification
• Monotone domain semantics: easy to understand, a viable alternative
Slide 45: Example
  while (x != null) {
    e = x
    x = x.n
    e.n = null
    free(e)
  }
[Figure: the list cells linked by n, with the positions of x and e after each of the steps e = x, x = x.n, e.n = null and free(e), repeated until the list is empty]
Slide 46: Why not Constant Domains?
• Requires the user to explicitly specify existence or to use syntactically different quantifiers for global/local quantification
• Explicit evolution edges allow abstracting away from implementation details
  • can handle various allocation semantics
  • can handle a copying garbage collector
Slide 47: ETL to FOTC
v w0 initialWorld(w0) exists(w0,v) w,v' succ*(w0,w) evolution*(v,v') exists(w,v') P(v)
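The encoding of slides 22 and 47 carried out in code, as an added example that is not the authors' or TVLA's code: a constructed finite prefix of the trace for the list-freeing loop of slide 4 is built as a first-order structure with succ, exists and evolves, and the ETL property "every object is eventually pointed-to by x" is evaluated the way the FOTC formula does, by searching evolution* within succ*. The names Trace and list_freeing_trace and the keyword-argument convention for predicates are assumptions of this example.

```python
from collections import defaultdict

class Trace:
    """Worlds are 0..k with succ(i, i+1); an individual is a (world, name) pair."""
    def __init__(self):
        self.worlds = 0
        self.exists = defaultdict(set)   # world -> names existing in it
        self.preds = defaultdict(set)    # unary predicate -> {(world, name)}
        self.evolves = defaultdict(set)  # (world, name) -> {(world', name')}

    def add_world(self, individuals, **unary):
        w = self.worlds                  # succ(w-1, w): worlds are appended in order
        self.worlds += 1
        self.exists[w] = set(individuals)
        for pred, members in unary.items():
            self.preds[pred].update((w, name) for name in members)
        return w

    def evolution_star(self, ind):
        """Reflexive-transitive closure evolution*(ind, .)."""
        seen, todo = set(), [ind]
        while todo:
            cur = todo.pop()
            if cur not in seen:
                seen.add(cur)
                todo.extend(self.evolves[cur])
        return seen

    def eventually_for_all(self, pred):
        """forall v in world 0: exists w, v'. succ*(0,w) and evolution*(v,v') and
        exists(w,v') and pred(v'); succ* and exists hold by construction here."""
        return all(any(c in self.preds[pred] for c in self.evolution_star((0, v)))
                   for v in self.exists[0])

def list_freeing_trace(advance_x=True):
    """Constructed prefix of `while (x != null) { e = x; x = x.n; e.n = null; free(e) }`
    on a two-cell list o1 -> o2; advance_x=False models x never reaching o2."""
    t = Trace()
    second = ["o2"] if advance_x else []
    t.add_world(["o1", "o2"], x=["o1"])             # at[L1]
    t.add_world(["o1", "o2"], x=["o1"], e=["o1"])   # at[L2]: e = x
    t.add_world(["o1", "o2"], x=second, e=["o1"])   # at[L3]: x = x.n
    t.add_world(["o1", "o2"], x=second, e=["o1"])   # at[L4]: e.n = null
    t.add_world(["o2"], x=second)                   # at[L5]: free(e) removed o1
    for w in range(4):                              # evolution edges between copies
        t.evolves[(w, "o2")].add((w + 1, "o2"))
        if w < 3:                                   # no counterpart of o1 after free
            t.evolves[(w, "o1")].add((w + 1, "o1"))
    return t
```

On a finite prefix only a positive answer is conclusive; a negative one may just mean the prefix is too short, which is why the slides evaluate the property over abstract traces that stand for all infinite suffixes.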