Lightweight Support for Magic Wands in an Automatic Verifier Malte Schwerhoff and Alexander J....

Lightweight Support forMagic Wands in anAutomatic Verifier

Malte Schwerhoff and Alexander J. Summers

10th July 2015, ECOOP, Prague

Frame Problem

Modular, static verification of imperative programs

⤷ Frame problem: Which memory locations change?

Automated verification: Pre-/Postconditions, invariants, ghost code

Well-known approach: Permissions (≈ Separation Logic)

2

3

caller callee

Permission Transfer

4

Permission Transfer

?

caller callee

?

5

?

caller callee

?

Permission Transfer

Permissions (≈ Separation Logic)

6

(≈ )acc(x.f) ∗ x.f == 0

x.f ⟼ 0Logical properties0

(≈ )acc(x.f) ∗ acc(y.f)

x.f ⟼ _ ∗ y.f ⟼ _

Disjointness: x ≠ y

Syntax & Properties

7

A ∗ B

describes the current state in terms of disjoint substates

Separating Conjunction

8

A ∗ B

describes the current state in terms of disjoint substates

?Is at the heart of verifiers based on separation logic

Separating Conjunction

9

A —∗ Bdescribes hypothetical states

Read as a promise: “In any state, if you provide A,

then you will get B”

Magic Wands

10

Scenario: Iteratively traverse a recursively defined tree (Verification Challenge at

VerifyThis@FM’12)

Partial Data Structures

11

Scenario: Iteratively traverse a recursively defined tree

⤷ Loop invariant: Describe partial data structure

Partial Data Structures

12

Indirectly describe partial data structure as a promise

---—∗

Partial Data Structures as Magic Wands

13

Modus-Ponens-like rule makes promise applicable

---—∗

∗


14

---—∗

∗

σ ⊨ A —∗ B ⇔ ∀σ’ · (σ’ ⊨ A ⇒ σ ⊎σ’ ⊨ B)


15

Used in various pen & paper proofs−Partial data structures−Usage protocols for data structures−Synchronisation barriers−…

Typically* not supported in automatic verifiers

* Only exception we are aware of is VerCors; developed in parallel

σ ⊨ A —∗ B ⇔ ∀σ’ · (σ’ A ⊨ ⇒ σ ⊎σ’ B)⊨

Magic Wands in Proofs and Tools

16

Entailment of magic wand formulas is undecidable⤷ Lightweight user guidance to direct verification

Automating Magic Wand Reasoning

17

package A —∗ B

apply A —∗ BUse it

Pass it

around

Make apromis

e

---—∗∗

---—∗

Opaque resource;

Specifications

Guidance: Ghost Operations + Specifications

18

package A —∗ B

apply A —∗ BUse it

Pass it

around

Make apromis

e

---—∗∗

---—∗

Opaque resource;

Specifications

Guidance: Ghost Operations + Specifications

Challenge:

Ensure soundness of apply in

any (future) state

19

Permissions guaranteeing that giving up A ∗ (A —∗ B) and obtaining B is sound

---—∗

carved out ⤷ effectively immutable

Footprints of A —∗ B

20

Footprints are not unique

---—∗

or or all available permissions


21

Footprints are not unique

---—∗

or or all available permissions

How to choosea footprint?


package A —∗ (B1 ∗ B2 ∗ … ∗ Bn)

22

0. givencurrentstate

v1 v2

v3v5v4

Footprint Computation Algorithm: Setup

package A —∗ (B1 ∗ B2 ∗ … ∗ Bn)

23

1. createLHSstate

currentstate

⊨ A

v1 v2

v3v5

w2

w3

w1

v4

w3


package A —∗ (B1 ∗ B2 ∗ … ∗ Bn)

24

LHSstate

currentstate

⊨ A

v1 v2

v3v5

w2

w3

w1

v4

w3


2. create empty RHS

state

package A —∗ (B1 ∗ B2 ∗ … ∗ Bn)

25

LHSstate

currentstate RHS state

v1 v2

v3v5

w2

w3

w1

v4

w3

3. iterate over Bi’s: If Bi is acc(x.f) then transfer

permissions and assumptions

Footprint Computation Algorithm: Execution

package A —∗ (B1 ∗ B2 ∗ … ∗ Bn)

26

LHSstate


v1 v2

v3v5

w2

w3

3. iterate over Bi’s: If Bi is acc(x.f) then transfer

permissions and assumptions

w1

v4

w3

w1

Xw3

X

v2

X


package A —∗ (B1 ∗ B2 ∗ … ∗ Bn)

27

LHSstate


v1 v2

v3v5

w2

w3

w1

v4

w3

w1

Xw3

X

v2

X

3. iterate over Bi’s: If Bi is a logical property P,

e.g. x.f == 0, then check P

⊨ P?


package acc(x.f) —∗ acc(x.f)

28

LHSstate


Examples

package true —∗ acc(x.f)

29

LHSstate


Examples

package true —∗ acc(x.f) ∗ x.f == 0

30

LHSstate


⊨ x.f == 0

0

Examples

package acc(x.f) —∗ acc(x.f) ∗ x.f == 0

31

LHSstate


⊭ x.f == 0

0

?

Examples

Abstract predicates for recursive data structures

32

x == null∗

xl

xx

r

Existing Features

Abstract predicates plus ghost operations

33

∗

xl

x

r

foldtree(x)

unfoldtree(x)

Existing Ghost Operations

package —∗ xxxxx

34

Integrating Existing Ghost Operations

package —∗ (fold tree(x) in )

35


36

LHSstate




37

LHSstate




Part of Viper verification infrastructure− Implementation based on symbolic execution−Rich logic: unrestricted abstract predicates,

abstraction functions, quantifiers, sets, sequences, custom mathematical domains, flexible permission model, …

Set of interesting examples; 1.6 to 3 seconds

Verification challenge from VerifyThis’12−Verifies in 3s−VerCors:−6 minutes (originally, using Chalice/Boogie)−60 seconds (currently, using Viper)

38

Implementation

Simple heuristics to infer package and apply statements

Infers all package and apply statements in our examples

Verification time: +0.5s or less

39

Annotation Inference Heuristics

40

Scenario: Iteratively traverse a recursively defined tree

⤷ Loop invariant: Describe partial data structure

A

A ---—∗

BB

VerifyThis’12 Challenge Revisited

41

VerifyThis’12 Challenge Encoded

42

Named shorthand,could be inlined

Inferred byheuristics

Required ineither case

VerifyThis’12 Challenge Encoded

Algorithm for computing wand footprints−Sound (proof sketch)−Permissive and predictable

Formalised verifier-independently

Implementation−Co-first* to support magic wands in an automatic

verifier−Lightweight user annotations−Convincing initial results (expressiveness,

performance)

43* VerCors

www.pm.inf.ethz.ch/research/viper.html

Date post:	21-Jan-2016
Category:	Documents
Upload:	osborne-park
View:	215 times
Download:	0 times

Lightweight Support for Magic Wands in an Automatic Verifier Malte Schwerhoff and Alexander J....

Documents