Automated Verification via Separation Logic

1

Automated Verificationvia Separation Logic

Cristian Gherghina (NUS, Singapore)Cristina David (NUS, Singapore)Shengchao Qin (Durham, UK)Wei-Ngan Chin (NUS, Singapore)

2

Goal

Verify programs involving

mutable data structures

with invariants and other properties

3

Challenges

• Strong updates in the presence of aliasing

• User-defined recursive predicates• Concise, precise, expressive specs

• Emphasis : practical verificationOur Search for Solution

Sized Types Separation Logic

4

Separation Logic• Extension to Hoare logic to reason about

shared mutable data structures.

• Foundations• O’Hearn and Pym, “The Logic of Bunched

Implications”, Bulletin of Symbolic Logic 1999

• Reynolds, “Separation Logic: A Logic for Shared Mutable Data Structures”, LICS 2002

: spatial conjunction -- : spatial implication

5

Examples (Reynolds LICS 2002)

3

y

3

x

x y

x 3,y y 3,x

3x

yx 3,y y 3,x

3x

x 3,y

y

Separation Formulae Actual Heap

6

Outline• Background• Our Approach• How to Verify?• Entailment• Approximation• Expressiveness

• Set of States• Lemmas

7

Overall System

code verifier separationlogic prover

Pre/PostShape

Predicate LemmasCode

range of pure provers e.g. Omega,Mona,Coq,Isabelle,cvc3,redlog,

8

Separation Formulae

• Heap part• Describes data structure in heap memory

• Well-formed : all nodes reachable from “root” pointer

• Well-founded : no direct looping predicate.• No conjunction over heap states.

• Pure part• Size, bag and pointer constraints (that can

be handled by pure provers).

9

Example Predicates

sortln,mi,mx root::nodemi,null mi=mx Æ n=1

root::nodemi,q q::sortln-1,k,mx mik inv n1 Æ mi·mx

Non-empty sorted list

root:: lln root=null n=0 9 r . root::nodea,r r::lln-

1 inv n0

Singly-linked list

derived attribute (c.f. model field) user-supplied invariant

rootnull

10

Example Predicates

AVL-Tree (near-balanced tree)

avlh root = null Æ h = 0 Ç root::nodeh,h, p, qi p::avlhh1i q::avlhh2i

Æ -1 · h1-h2 · 1 Æ h=1+max(h1,h2) inv h¸0

11

Example Predicates

AVL-Tree with BST property

avlh,S root = null Æ h = 0 Æ S={} Ç root::nodeh,v, p, qi p::avlhh1,S1i q::avlhh2,S2i

Æ -1 · h1-h2 · 1 Æ h=1+max(h1,h2)Æ 8 x 2 S1 . x · v Æ 8 y 2 S2 . v < x Æ S={v} [ S1

[ S2 inv h¸0

12


• Set of States• Lemmas• Structured Specs

13

Automated Verification

• Methods and loops are annotated with pre- and post-conditions.

• Entailment checks• Precondition at call site• Postcondition at end of method

• State transition formula (e.g. x’=x+1)• initial value : x• latest value : x’ (primed variable)

14

Verifier based on Hoare-triple

` { } code { 1 }

pre-state post-state

15

Some Verification Rules

16

Insert into a Sorted List

node insert(node x, node vn)requires x::sortln, sm,lg vn::nodev,_

ensures res::sortln+1,min(v,sm),max(v,lg){ if (vn.val≤x.val) then {

vn.next = x;return vn; }

else if (x.next=null) then {x.next = vn; vn.next = null; return x; }

else { x.next = insert(x.next, vn); return x; }

}

17

{ x’::sortl<n,mi,mx> vn’::node<v,_> }

vn.next = x;

{ (x’::node<mi,null> n=1 Æ mi=mx x’::node<mi,q> q::sortl<n-1,k,mx> mik n2)

vn’::node<v, _> vmi }

if (vn.val · x.val) then {

return vn;

{ res::sortl<n+1,min(v,mi),max(v,mx)> }

}

{ (x’::node<mi,null> n=1 mi=mx x’::node<mi,q> q::sortl<n-1,k,mx> mik n2)

vn’::node<v,x’> vmi }

{ (x’::node<mi,null> n=1 mi=mx x’::node<mi,q> q::sortl<n-1,k,mx> mik n2)

vn’::node<v,x’> vmi Æ res=vn’ }

18



19

Separation Logic Prover

1 ` 2 3

• 1 must “subsumes” all heap nodes in 2.

• Residual nodes are then kept in 3.

• ALGORITHM : Ensure all nodes in 2 are subsumed by 1, then convert to an arithmetic implication check.

antecedent consequent residual

20

Entailment Algorithm

21

Key Steps of Entailment

• Matching• Aliased data nodes/predicates are matched and

their components/arguments unified.• Supports implicit instantiation.

• Unfolding• Replaces a predicate on LHS by its definition to

match a node on the RHS

• Folding• Triggered by a predicate on the RHS and a data

node on the LHS. • Supports implicit instantation.

22

Extension to Inference

• Infer pure pre/post conditions

1 Æ ` 2 3

• Joint work with collaborators at Durham.

23

Outline• Background• Our Approach• Why Verification?• Entailment• Approximation• Expressiveness

• Set of States• Lemmas

24

Approximation

• Entailment is reduced to implication of pure constraints when the consequent’s heap is empty.

• Each predicate is approximated by a pure constraint.

25

Approximation: Examples

• XPuren(x::nodeh i y::nodeh i) = (ex i. x=i Æ i>0) (ex j. y=j Æ j>0) = i,j. (x=i Æ i>0 Æ y=j Æ j>0 Æ ij)

• XPure0(x::llhni)= n ¸ 0

• XPure1(x::llhni)= i. (x=0 Æ n=0 Ç x=i Æ i>0 Æ n-1¸0)

too weak

more info

26



27

Proof Search (Set of States) 1 ` 2 {3,.., n}

• {3,.., n} denotes non-deterministic outcome from proof search.

• { } means entailment has failed.

• Modified Hoare triple :{} code {1,..,n}

28

Related Predicates• Some predicates may be related.

• Every sorted list is also an unsorted list.

lln root=null n=0 root::node_,r r::lln-1 inv n0

sortln,min,max root::nodemin,null min=max Æ n=1

root::nodemin,q q::sortln-1,k,max mink inv n1 Æ min·max

root::sortln,min,max ) root::lln

Lemma is used in bubble sorting.

29

Idea

User : - provide the lemmas

Our system automatically :- proves each lemma- applies lemmas where possible during entailment proving

30

Lemmas Allowed

c1v1* ) 9 v* ¢ root::c2v2

* Æ

Implication

c1v1* ( 9 v* ¢ root::c2v2

* Æ

Reverse-Implication

c1v1* , 9 v* ¢ root::c2v2

* Æ

Equivalence

8 v* . c1v1* 1 ) 9 v* ¢ root::c2v2

* Æ

Complex LHS

31



32

Why Structured Specs? • Better reuse.

• Better handling of disjunction.

• Difference contexts of uses.

Better Precision + Performance

33

Syntax

34

Unstructured Spec

Z is repeatedZ is repeated

instantiations?instantiations?

disjunctionsdisjunctions

35

Structured Specification

case analysiscase analysis

instantiationinstantiation

staged formulastaged formula

36

Disjunctive Incompleteness

Good for searching proof but incomplete …

1· x ·2 |- x=1 Ç x=2

1· x ·2 |- x=11· x ·2 |- x=2 OR

37

Solution – Rewrite Specs

1· x ·2 |- case {x · 1 x=1 ; x>1 x=2}

x · 1 Æ 1·x·2 |- x=1

x > 1 Æ 1·x·2 |- x=2

case enhanced spec

38

Conditions for Case Constructs

39

Semantics

40

Experiments

41

Tools Developed

• SLEEK – Entailment Prover

• HIP – Verifier for Imperative Language

• HIPO – Verifier for OO Language.

42

Conclusion

• User-defined data structures with size/bag properties and invariants.

• Sound and terminating entailment proving

• Expressive structured specifications with proof search and lemma rules.

• Future work: inference + static debugging + scalability + concurrency etc.

43

Experiments

44

Related Works

• Separation Logic (OHearn, Berdine, Calcagno et al. APLAS05)

• TVLA/Shape Analysis (Reps, Sagiv et al.)

• PALE/MONA (Moeller, Schwartzbach)• Grammar-based Shape Analysis (Lee,

Yang + Yi ESOP05)• Quantitative Shape Analysis (Rugina

SAS04)• ILC (Jia & Walker ESOP06)

45

Complex Lemma

8 v* . c1v1* 1 ) 9 v* ¢ root::c2v2

* Æ

An Example

8 i,j . x::lsegn,p Æ i,j ¸ 0 Æ n=i+j ) 9 r . x::lsegi,r r::lsegj,p

x::lsegn,p ) 9 i,j,r . x::lsegi,r r::lsegj,p Æ n=i+j

More general

46

Experiments

47

Experiments

Proof search’soverhead

is low

Proof search is critical

48

Experiments

49

Scalable Performance

Break large predicates into smaller ones

50

Experiments

51

Multiple Pre/Post

void append(node x, node y)

{ if (x.nextnull) then { append(x.next,y) }else { x.next := y }

}

Any other useful specifications for this method?

requires x::lseg<n,null> y::lseg<m,null> Æ n¸1ensures x::lseg<n+m,null>

52

What if x and y are aliased?


requires x::lseg<n,null> Æ x=y Æ n¸1 ensures x::clist<n>

Æ requires x::lseg<n,null> Æ n¸1 ensures x::lseg<n,y>

Circular List!

53

What if x and y are sorted lists?


requires x::sortl<n,s1,b1> y::sortl<m,s2,b2> Æ b1·s2

ensures x::sortl<n+m,s1,b2>

Æ requires x::sortl<n,s1,b1> y=null ensures x::sortl<n,s1,b1>

54

Example Predicates

lsegn,p root=p n=0 Ç root::nodea,r r::lsegn-1, p

inv n¸0

List Segment (with a dangling ptr)

rootp

Non-empty Circular list

clistn root::nodea,r r::lsegn-1,root inv n1

rootr

55

Core Language + Specifications

56

Matching Object/Predicate

x::llhniÆ n>1 ` 9 m ¢ x::llhmiÆ m>0matching

n>1 ` n>0

x::llhniÆ n>1 ` x::llhmiÆ m>0matching

n=m Æ n>1 ` n>0

implicit instantiation of free var m

free var

57

Example of Free Variables

Specificationvoid insert(node x, int v)

requires x::llhni Æ n>0ensures x::llhn+1i

free variable linkingpre and post conditions

58

Our Work• Size and bag (pure) properties

• Data structure with derived size/bag properties and invariant.

• Length, height-balanced, sortedness etc.

• User-specified predicates• can be recursive

• Entailment prover for separation formulae • with lemmas + proof search

59

Unfolding

x::llhniÆ n>1 ` 9r, m ¢ x::nodeh_,ri r::llhmiÆ m>0

Unfolding9q ¢ x::nodeh_, qi q::llhn-1i Æ n>1 `

9r, m ¢ x::nodeh_, ri r::llhmi Æ m>0

Matchingq1::llhn-1iÆ n>1 ` 9m ¢ q1::ll<m> Æ m>0

n>1 ` 9m ¢ m=n-1 Æ m>0

60

y=null ` y::llhmi Æ m=0

Recursive entailmenty=null ` y=null Æ m=0

Ç y::nodeh_,ri r::llhm-1i

Backy=null Æ m=0 ` m=0

Folding: Base Case

61

x::nodeh_, ri Æ r=null ` x::llhni Æ n>0

Recursive entailmentx::nodeh_, ri Æ r=null `

9q,k ¢ x::nodeh_,qi q::llhki Æ k=n-1Ç x=null Æ n=0

r=null ` 9k ¢ r::llhki Æ k=n-1

Back from fold:r=null Æ n-1=0 ` n>0

Folding: Recursive Case

62

Equivalence Lemma

Definition of list segment is inadequate

Termination ensured by well-formed and well-founded property

Important to have equivalence coercion :

lsegn,p root=p n=0 root::node_,r r::lsegn-1,p inv n0

basicdefinition

extraproperty

lsegn,p , 9 i,j,r . root::lsegi,r r::lsegj,p Æ n=i+j

63

Proof Search via Equiv. Lemma

x::lsegn,p … ` x::lsegm,r …

match

… ` [n/m,p/r] … unfold lsegn,p

x::lsegi,q q::lsegj,p Æ n=i+j …

` x::lsegm,r …

fold lsegm,r

x::lsegn,p … ` x::lsegi,q q::lsegj,r Æ m=i+j

Automated Verification via Separation Logic

Documents