predefenseslide

Motivation and Goal Related Work HR′ H∗R′ Appendix

Completeness of Verification System withSeparation Logic for Recursive Procedures

Mahmudul Faisal Al Ameen

Department of InformaticsSOKENDAI (The Graduate University for Advanced Studies)

June 3, 2015

Mahmudul Faisal Al Ameen — Completeness of Verification System with Separation Logic for Recursive Procedures 1/44


Contents

1 Motivation and Goal

2 Related Work

3 HR′SystemAchivement

4 H∗R′SystemChallenges and SolutionExpressiveness and Completeness

5 Appendix



Motivation and Goal

MotivationEnsure safety of mission critical programs

Verify program’s correctness with its execution safety

GoalA verification system for simple imperative programs with

recursive procedures, and

commands for explicitly allocate, read, write anddeallocate memory.



Related Work

An axiomatic basis for computer programming by C.A.R.

Hoare at 1969

Soundness and completeness of an axiom system forprogram verification by S.A. Cook at 1978

Ten Years of Hoares Logic by K.R. Apt at 1981

Separation logic: a logic for shared mutable datastructures by J.C. Reynolds at 2002

Completeness of pointer program verification byseparation logic by Tatsuta et el. at 2009



New Hoare’s Logic for RecursiveProcedures (HR′)



Goal and The System

GoalA Hoare’s logic for recursive procedure that can be extended toseparation logic.

Language

Similar to Hoare’s Logic for Recursive Procedures in [Apt, 1981]

Programming languageRecursive procedures in the context areProcedure R1(Q1), . . . ,Procedure Rnproc

(Qnproc)

Assertion language

Semantics of programming language

Semantics of assertion language



Logical System - Part I

SKIP:

Γ ` A skipA

AXIOM:

Γ , A P B ` A P B

ASSIGNMENT:

Γ ` A [x := e]x := eA

COMPOSITION:

Γ ` A P1C Γ ` C P2B Γ ` A P1;P2B

CONSEQ:

Γ ` A1P B1Γ ` A P B (A→A1, B1→B )

IF:

Γ ` A ∧ b P1B Γ ` A ∧¬b P2B Γ ` A if (b) then (P1) else (P2)B

WHILE:

Γ ` A ∧ b P A Γ ` A while (b) do (P)A ∧¬b

RECURSION:

Γ ∪ Ai Ri Bi |i = 1, . . . ,nproc ` A1Q1B1...

Γ ∪ Ai Ri Bi |i = 1, . . . ,nproc ` Anproc Qnproc Bnproc

Γ ` Aj Rj Bj



Logical System - Part II

HR′INV-CONJ:

Γ ` A P C Γ ` A ∧B P C ∧B

(FV(B)∩Mod(P) = ∅)

EXISTS:

Γ ` A P B Γ ` ∃x .A P B

(x < FV(B)∪ EFV(P))

Replaces

HR [Apt, 1981]INVARIANCE AXIOM:

Γ ` A P A (FV(A)∩ EFV(P) = ∅)

SUBSTITUTION RULE I:

Γ ` A P B Γ ` A [y/z]P B [y/z]

(y ,z < EFV(P))

SUBSTITUTION RULE II:

Γ ` A P B Γ ` A [y/z]P B

(z < EFV(P)∪ FV(B))

CONJUNCTION RULE:

Γ ` A P B Γ ` C P D Γ ` A ∧C P B ∧D



Derivability of SUBSTITUTION RULE I

PropositionSUBSTITUTION RULE I,

Γ ` A P B Γ ` A [~y/~z]P B [~y/~z]

(~y ,~z < EFV(P))

, is derivable.

Proof:Assumption: Γ ` A P B INV-CONJ (~z ,~y < EFV(P)): Γ ` A ∧~y = ~zP B ∧~y = ~zCONSEQ (B ∧~y = ~z→B [~z/~y]): Γ ` A ∧~y = ~zP B [~z/~y]EXISTS (~y < FV(B [~z/~y])): Γ ` ∃~y(A ∧~y = ~z)P B [~z/~y]CONSEQ (A [~z/~y]→∃~y(A ∧~y = ~z)) Γ ` A [~z/~y]P B [~z/~y]



Results

Theorem: Completeness

If A P B is true then ` A P B is provable.

Completeness in the sense of Cook

We assume that

the assertion language is expressive relative to theprograms for all interpretation.

all the true assertions are given.

Theorem: Equivalence

Γ `HR A P B if and only if Γ `HR′ A P B .



A Verification System for PointerPrograms with Recursive Procedures

(H∗R′)



Assertion Language

Assertion language is the same as that of Separation logic,that isA with special connectives to assert about heap.

Assertion Language,A∗

A ::= emp (empty heap)

| e 7→ e (singleton heap)

| e = e | e < e | ¬A | A ∧A | A ∨A | A→A (boolean formula)

| ∀xA | ∃xA (quantifiers)

| A ∗A (separating conjunction)

| A −∗ A (separating implication)

A pure formula does not assert about heap, which isconstructed by the first order language with equality.



Languages

Programming language is obtained from while programs withrecursive procedures and commands for memory allocation,access, change and deallocation.

Programming Language, LProcedure R1(Q1), . . ., Procedure Rnproc (Qnproc )

P ,Q ::= x := e (assignment)| if (b) then (P) else (P) (condition)| while (b) do (P) (iteration)| P ;P (composition)| skip (no operation)| x := cons(e ,e) (allocation)| x := [e] (read)| [e] := e (write)| dispose(e) (deallocation)| Ri (procedure name)

L− is obtained from removing the construct for procedure names (Ri ) from L.



Semantics

Heap, h : Locs→fin Nl1 m1l2 m2. . . . . .lk mk

A state is a pair of store s and heap h , (s ,h).

Example of semantics: Mutation

x 3. . . . . .

3 04 0

[x] := 5

(mutation)

x 3. . . . . .

3 54 0

store, s heap, h store, s

heap, h [~xs := 5]



Semantics of Programs (Example)

Non-deterministic semantics

x 0. . . . . .

(empty heap)

x :=cons(97,101)x 2. . . . . .

2 973 101

or

x 1. . . . . .

1 972 101

or

x 3. . . . . .

3 974 101

. . .

How abort occurs

x 3. . . . . .

4 0 [x] := 5 abort



Semantics of Programs in L−

~P−(abort) = abort,~x := e−((s ,h)) = (s[x := ~es ],h),

~if (b) then (P1) else (P2)−((s ,h)) =

~P1((s ,h)) if ~bs =True~P2((s ,h)) otherwise,

~while (b) do (P)− is the least function satisfying

~while (b) do (P)−(abort) = abort,~while (b) do (P)−((s ,h)) = (s ,h) if ~bs = False,~while (b) do (P)−((s ,h)) =

⋃~while (b) do (P)−(r) | r ∈ ~P−((s ,h)) otherwise

~P1;P2−((s ,h)) =

⋃~P2

−(r) | r ∈ ~P1−((s ,h)) ,

~skip−((s ,h)) = (s ,h),~x := cons(e1,e2)

−((s ,h)) =(s[x := n],h [n := ~e1s ,n +1 := ~e2s ])|n > 0,n ,n +1 < Dom(h),

~x := [e]−((s ,h)) = (s[x := h(~es )],h) if ~es ∈ Dom(h), abort otherwise,

~[e1] := e2−((s ,h)) = (s ,h [~e1s := ~e2s ]) if ~e1s ∈ Dom(h), abort otherwise,

~dispose(e)−((s ,h)) = (s ,h |Dom(h)−~es ) if ~es ∈ Dom(h), abort otherwise



Semantics of Programs in L

Type of Semantics of P

~P : States ∪ abort → p(States ∪ abort)

Program unfolding:

Ω ≡ while (0 = 0) do (skip),P (0) = P [Ω, . . . ,Ω],P (k+1) = P [Q (k)~].

Definition of ~P

~P(r) =⋃∞

i=0(~P(i)−(r))



Semantics of Assertions inA∗

~emp(s ,h) = True if Dom(h) = ∅,~e1 = e2(s ,h) = (~e1s = ~e2s ),~e1 < e2(s ,h) = (~e1s < ~e2s ),~e1 7→ e2(s ,h) = True if Dom(h) = ~e1s and h(~e1s ) = ~e2s ,~¬A(s ,h) = (not ~A(s ,h)),~A ∧B(s ,h) = (~A(s ,h) and ~B(s ,h)),~A ∨B(s ,h) = (~A(s ,h) or ~B(s ,h)),~A→B(s ,h) = (~A(s ,h) implies ~B(s ,h)),~∀xA(s ,h) = True if ~A(s[x:=m],h) = True for all m ∈ N ,~∃xA(s ,h) = True if ~A(s[x:=m],h) = True for some m ∈ N ,~A ∗B(s ,h) = True if h = h1 +h2,

~A(s ,h1)= ~B(s ,h2)

= True for some h1,h2,~A −∗ B(s ,h) = True if h2 = h1 +h and

~A(s ,h1)= True implies ~B(s ,h2)

= True for all h1,h2



An Asserted Program

Asserted Program: A P B Precondition: AProgram: PPostcondition: B

SemanticsA P B is defined to be True if both of the following hold.

1 ∀(s ,h) (~A(s ,h) = True→ ~P((s ,h)) = abort).

2 ∀(s ,h),(s ′ ,h ′)(~A(s ,h) = True∧ ~P((s ,h)) 3 (s ′ ,h ′)→ ~B(s ′ ,h ′) = True).



Challenges

We need –Hoare’s logic for recursive procedures + Separation logic

Choices of Logical System Construction

1 HR in [Apt, 1981], or our newHR′ .

2 Local, global or backwards reasoning inference rules ofSeparation logic in [Reynolds, 2002].

Other Challenges

1 The expression ~x = ~z

is necessary to prove the completenesscannot be used for heap information

2 Existence of abort made it difficult to utilize the strongestpostcondition in separation logic.



Logical System Construction

Issues1 INVARIANCE AXIOM inHR is not sound in Separation logic.

` empcons(0,0)emp is provable but false` x = 0[0] := 0x = 0 is provable but false

2 SUBSTITUTION RULE I inHR is derivable inHR′ .3 Backwards reasoning rules are chosen in [Tatsuta, 2009]

to show completeness.

Our Choice1 The new and complete logical systemHR′ .2 Backwards reasoning rules for pointer programs.



Logical System -H∗R′

H∗R′ (The extension of Hoare’s logic and separation logic to recursive procedures) is obtained fromHR′ .SKIP:

Γ ` A skipA

AXIOM:

Γ , A P B ` A P B

ASSIGNMENT:

Γ ` A [x := e]x := eA

COMPOSITION:

Γ ` A P1C Γ ` C P2B Γ ` A P1;P2B

CONSEQ:

Γ ` A1P B1Γ ` A P B (A→A1, B1→B )

IF:

Γ ` A ∧ b P1B Γ ` A ∧¬b P2B Γ ` A if (b) then (P1) else (P2)B

WHILE:

Γ ` A ∧ b P A Γ ` A while (b) do (P)A ∧¬b

RECURSION:

Γ ∪ Ai Ri Bi |i = 1, . . . ,nproc ` A1Q1B1...

Γ ∪ Ai Ri Bi |i = 1, . . . ,nproc ` Anproc Qnproc Bnproc

Γ ` Aj Rj Bj



Logical System -H∗R′INV-CONJ:

Γ ` A P C Γ ` A ∧B P C ∧B

(FV(B)∩Mod(P) = ∅,B is pure)

EXISTS:

Γ ` A P B Γ ` ∃x .A P B

(x < FV(B)∪ EFV(P))

added with the following backwards reasoning rules

CONS:

Γ ` ∀x ′((x ′ 7→ e1,e2) −∗ A [x := x ′ ])x := cons(e1,e2)A (x ′ < FV(e1,e2,A))

LOOKUP:

Γ ` ∃x ′(e 7→ x ′ ∗ (e 7→ x ′ −∗ A [x := x ′ ]))x := [e]A (x ′ < FV(e ,A))

MUTATION:

Γ ` (∃x(e1 7→ x)) ∗ (e1 7→ e2 −∗ A)[e1] := e2A (x < FV(e1))

DISPOSE:

Γ ` (∃x(e 7→ x)) ∗A dispose(e)A (x < FV(e))



Expressiveness: Coding

Coding in Peano Arithmetic

(n ,m): code of pair of n and m

〈n1, . . . ,nk 〉: code of sequence n1, . . . ,nk

A store s of x1, . . . ,xk : s = 〈n1, . . . ,nk 〉 where xi = nk

Heap h : h = 〈(l1,v1), . . . ,(lk ,vk )〉 where h(li ) = vi , l1 > 0, li < li+1

State (s ,h): (s , h)+1. abort: 0.



Formalization of Assertions

Coding

HEvalA (m): A is true in the state where m is the codedheap and store is the current store.

EvalA ,~x(n ,m): A is true at the state coded by (n ,m)+1.

Example 1: HEvalA∗B (m) = ∃y1y2(Separate(m ,y1,y2)∧HEvalA (y1)∧HEvalB (y2))

y1 and y2 represents two disjoint heaps where their concatenation is m and A and B istrue at y1 and y2 respectively.

Example 2: HEvalA−∗B (m) = ∀y1y2(HEvalA (y2)∧Separate(y1,m ,y2)→HEvalB (y1))

If m and y2 represents two disjoint heaps and their concatenation is y1 and A is true

at y2 then B is true at y2.



Representation Lemma: Assertions

Representation

Relation of computation between real world and representationworld.

EvalA ,~x(n ,m) means ~A(s ,h) for s = n and h = m .

Lemma A: Representation Lemma for Assertions

1 If Heapcode(m ,h) holds then ~HEvalA (m)s = ~A(s ,h) alsoholds.

2 EvalA ,~x(n ,m) is true if and only if∃sh(Storecode~x(n ,s)∧Heapcode(m ,h)∧ ~A(s ,h) = True)holds.



Formalization of Programs

Coding: ExecUP ,~x(m ,n1,n2)

Execution of k level unfolding of P at the state coded by n1gives a state coded by n2

Example 1: ExecUwhile (b) do (P),~x(m ,n1,n2)

n1 = 0 gives n2 = 0n1 > 0 gives the following:

n1 = w1, . . .,wk = n2;∀i < k , b is true at wi and ExecUP ,~x(m ,wi ,wi+1));wk > 0 implies ¬b at wk .




Example 2: ExecUx:=cons(e1,e2),~x(m ,n1,n2)

n1 = 0 gives n2 = 0n1 > 0 gives the following:

n1 = (p ,q)+1;e1 is w1 and e2 is w2 at the store coded by p ;w ,w +1 isn’t in domain of heap, coded by q ;p ′ = 〈p1, . . .,p i−1,w , . . .〉 where x = xi ;q ′ = q + 〈(w ,w1),(w +1,w2)〉;n2 = (p ′ ,q ′)+1.

Example 3:

ExecURi ,~x(m ,n1,n2) =

n1 = 0∧n2 = 0 m = 0ExecUQi ,~x(m −1,n1,n2) m > 0




Coding: ExecP ,~x(n1,n2)

Execution of P for the state coded by n1 gives a state coded byn2 for some level of unfolding of P .

ExecP ,~x(n1,n2) = ∃k(ExecUP ,~x(k ,n1,n2))

Representation world and Real world

Relation of computation between real world andrepresentation worldExecP ,~x(n1,n2) means r1 = n1, r2 = n2 and ~P(r1) 3 r2.



Representation Lemmas of Programs

Lemma P-I: Representation Lemmas

1 If ExecUP ,~x(k ,n1,n2) is true, then for all r1 such thatResult~x(n1,r1), we have r2 such that Result~x(n2,r2) and~P (k)−(r1) 3 r2.

2 If ~P (k)−(r1) 3 r2, Result~x(n1,r1), and Result~x(n2,r2) hold, thenExecUP ,~x(k ,n1,n2) is true.

Lemma P-II: Representation Lemmas

1 If ExecP ,~x(n1,n2) is true, then for all r1 such that Result~x(n1,r1),we have r2 such that Result~x(n2,r2) and ~P(r1) 3 r2.

2 If ~P(r1) 3 r2, Result~x(n1,r1), and Result~x(n2,r2) hold, thenExecP ,~x(n1,n2) is true.



Expressiveness

Lemma WP: Lemmas for the Weakest Precondition

WP ,A (~x) gives the weakest assertion such that

1 WP ,A (~x)P A is true.

2 If ~P((s ,h)) 3 r implies r , abort and ~Ar = True for all r , then~WP ,A (~x)(s ,h) = True.

3 If A P B is true, then A→WP ,B (~x) is true.

Theorem: ExpressivenessA∗ is expressive relative to the set of programs L under standardinterpretation.∀P ∈ L,A ∈ A∗,∃W ∈ A∗~W(s ,h) = True ⇐⇒ (s ,h) ∈ (s ,h) | ∀r(~P((s ,h)) 3 r→ ~Ar)



Completeness

Idea:

Extending the completeness proof ofHoare’s Logic with recursive procedureSeparation Logic

Utilizing the strongest postcondition in separation logicUsing A P True as the abort-free condition for a programand an assertion

To express general information about a stateUsing Heap(xh ) to express the general information of aheap by coding in xh .Using WP ,True(~x) to ensure execution of P without abort.

Relative completeness: we assume all the true assertionsare given



Lemmas for Completeness

SA ,P (~x)

∃xyzw(EvalA ,~x(x ,y)∧ Pair2(z ,x ,y)∧ ExecP ,~x(z ,w)∧∃y1z1(Pair2(w ,y1,z1)∧Store~x(y1)∧Heap(z1))).

Lemma SP: Lemmas for Strongest Postcondition

1 If A P True is true then A P SA ,P (~x) is true.

2 ~SA ,P (~x)(s ′ ,h ′) implies ∃s ,h(~Ar ∧ ~P((s ,h)) 3 (s ′ ,h ′)).



Completeness

~y = ∪nproci=1 EFV(Ri )

~x ′ ⊇ ~y ∪ FV(A)∪ EFV(P) for all A ∈ A∗ and P ∈ L

(~z ∪ xh )∩ ~x ′ = ∅

~x = ~x ′ ∪~z ∪ xGi is ~y = ~z ∧Heap(xh )∧WRi ,True(~x)

Fi is Gi Ri SGi ,Ri (~x)

Key Lemmas:

Lemma 1If A P B is true then F1, . . . ,Fnproc

` A P B .

Lemma 2` Fi is provable for all i = 1, . . . ,nproc.



Completeness

~y = ∪nproci=1 EFV(Ri ) and ~z ∩~y = ∅ Gi is ~y = ~z ∧Heap(xh )∧WRi ,True(~x) Fi = Gi Ri SGi ,Ri (~x)

Lemma 1

If A P B is true then F1, . . . ,Fnproc ` A P B .

Proof.Proved by induction on P . Here we will present most interesting cases of P , Ri .

Let H be HEvalA [~y:=~z](xh )

Assume that A Ri B is true.Naturally F1, . . . ,Fnproc ` Gi Ri SGi ,Ri (~x)INV-CONJ (EFV(Ri )∩ FV(H) = ∅): F1, . . . ,Fnproc ` Gi ∧H Ri SGi ,Ri (~x)∧H To be proved: SGi ,Ri (~x)∧H→BAssume ~SGi ,Ri (~x)∧H(s ′ ,h ′) = TrueLemma SP(2): ∃s ,h(~Ri ((s ,h)) 3 (s ′ ,h ′) and ~Gi (s ,h) = True)We have ~H(s ,h) = TrueSince s(~z) = s(~y) ~Heap(xh )∧WRi ,True(~x)∧HEvalA (xh )(s ,h) = TrueLemma A(1): ~A(s ,h) = TrueSince ~Ri ((s ,h)) 3 (s′ ,h ′) ~B(s ′ ,h ′) = True



Completeness

~y = ∪nproci=1 EFV(Ri ) and ~z ∩~y = ∅ Gi is ~y = ~z ∧Heap(xh )∧WRi ,True(~x) Fi = Gi Ri SGi ,Ri (~x)

Lemma 1

If A P B is true then F1, . . . ,Fnproc ` A P B .

Proof.Proved by induction on P . Here we will present most interesting cases of P , Ri .

Let H be HEvalA [~y:=~z](xh )

Assume that A Ri B is true.Naturally F1, . . . ,Fnproc ` Gi Ri SGi ,Ri (~x)INV-CONJ (EFV(Ri )∩ FV(H) = ∅): F1, . . . ,Fnproc ` Gi ∧H Ri SGi ,Ri (~x)∧H Now Proved: SGi ,Ri (~x)∧H→BCONSEQ: F1, . . . ,Fnproc ` Gi ∧H Ri B EXISTS: F1, . . . ,Fnproc ` ∃~z ,xh (Gi ∧H)Ri B Lemma WP(3) (A P True): A→WRi ,True(~x)A→∃x(Heap(x)∧HEvalA (x): A→∃~z ,xh (~y = ~z ∧Heap(xh )∧HEvalA [~y:=~z](xh )∧WRi ,True(~x))CONSEQ: F1, . . . ,Fnproc ` A Ri B



Completeness

Lemma 2

` Fi is provable for all i = 1, . . . ,nproc.

Proof.Fix i .~z ′ ,x ′h : fresh variables.

G ′i is Gi [~z := ~z ′ ,xh := x ′h ].S ′Gi ,Ri

(~x) is SGi ,Ri (~x)[~z := ~z ′ ,xh := x ′h ].

Lemma WP(1): WRi ,True(~x)Ri True is true.∴ Gi Ri True is true.Lemma SP(1): Gi Ri SGi ,Ri (~x) is true.Since ~Ri = ~Qi Gi Qi SGi ,Ri (~x) is true.Truthness of Proposition: G ′i Qi S ′Gi ,Ri

(~x) is true.Lemma 1 F1, . . . ,Fnproc ` G

′i Qi S ′Gi ,Ri

(~x) is provable.Proposition: F1, . . . ,Fnproc ` Gi Qi SGi ,Ri (~x) is provable.RECURSION: ` Fi is provable.



Theorems

Theorem: Completeness

If A P B is true then ` A P B is provable.

Proof.Assume A P B is trueLemma 1: F1, . . . ,Fnproc

` A P B Lemma 2: ` Fi is provable for all i = 1, . . . ,nproc.∴ ` A P B is provable.



Conclusion

Result

1 A new Hoare’s logic for recursive procedure (HR′ )Introduction of two new inference rules.Derivability of an inference rule ofHR inHR′ .Completeness in the sense of Cook.

2 A verification system for Hoare’s logic and separation logic forrecursive procedures.

Proved inconsistency of an axiom ofHR in the separationlogic. HR′ is extended instead.Heap(xh ): to express general information of heapA P True and WP ,True(~x): to reason about abort-freeexecutionProof of soundness and expressiveness for standardinterpretationProof of relative completeness



Thank you very much



Example of Verification

Let A be ∀y(y ≥ x ∧ y < z ⇐⇒ ∃(y 7→ w) ∗True)Procedure R1(if (x < z) then (dispose(x);x := x +1;R1) else (skip))

Γ ` A [x := x +1]x := x +1A assignment

Γ ` A R1emp axiom

Γ ` A [x := x +1]x := x +1;R1empcomp






Γ ` A R1emp axiom

Γ ` A [x := x +1]x := x +1;R1empcomp

Γ ` (∃y(x 7→ y)) ∗A [x := x +1]dispose(x)A [x := x +1]dispose

Γ ` A [x := x +1]x := x +1;R1empΓ ` (∃y(x 7→ y)) ∗A [x := x +1]dispose(x);x := x +1;R1emp

comp






Γ ` A R1emp axiom

Γ ` A [x := x +1]x := x +1;R1empcomp



comp

Γ ` A ∧¬(x < z)skipA ∧¬(x < z)skip

A ∧¬(x < z)→ emp

Γ ` A ∧¬(x < z)skipempconseq






Γ ` A R1emp axiom

Γ ` A [x := x +1]x := x +1;R1empcomp



comp

Γ ` A ∧¬(x < z)skipA ∧¬(x < z)skip

A ∧¬(x < z)→ emp

Γ ` A ∧¬(x < z)skipempconseq

Γ ` A ∧ x < zdispose(x);x := x +1;R1emp Γ ` A ∧¬(x < z)skipempΓ ` A if (x < z) then (dispose(x);x := x +1;R1) else (skip)emp if

` A R1emprec


Date post:	12-Apr-2017
Category:	Documents
Upload:	mahmudul-faisal
View:	90 times
Download:	0 times

predefenseslide

Documents