Josh Berdine, Cristiano Calcagno, Peter O’Hearn 1 July ...oliveras/espai/smtSlides/peter.pdf · Proof Procedures for Separated Heap Abstractions Josh Berdine, Cristiano Calcagno,

Proof Procedures for Separated Heap Abstractions

Josh Berdine, Cristiano Calcagno, Peter O’Hearn

1 July, 2007 (Canada day)

Part 0

Pre-Intro

2

Separation Logic

x|->y * y|-> x

x y

3

Separation Logic

x|->y * y|-> x

x y

4

Separation Logic

x|->y

x y

5

Separation Logic

y|-> x

x y

6

Separation Logic

x|->y * y|-> x

x y

7

Separation Logic

x|->y * y|-> x

x y

x=10

y=4242

10 42

10

8

Separation Logic

x|->y * y|-> x

x y

x=10

y=4242

10 42

10

9

Separation Logic

x|->y

x y

x=10

y=4242

10

10

Separation Logic

y|-> x

x y

x=10

y=42

42

10

11

Separation Logic

x|->y * y|-> x

x y

12

Part I

Introduction

13

Example: DisposeTree

I procedure DispTree(p)local i , j ;if p 6=nil then

i = p�l ; j := p�r ;DispTree(i);DispTree(j);dispose(p)

14


II procedure DispTree(p)local i , j ;if p 6=nil then


I An Unhappy Attempt to Specify

{tree(p) ∧ reach(p, n)}DispTree(p){¬allocated(n)}

14


I procedure DispTree(p)local i , j ;if p 6=nil then


I An Unfortunate Fix

{tree(p) ∧ reach(p, n)∧¬reach(p,m) ∧ allocated(m) ∧m.f = m′ ∧ ¬allocated(q)}DispTree(p){¬allocated(n)∧¬reach(p,m) ∧ allocated(m) ∧m.f = m′ ∧ ¬allocated(q)}

14

Separation Logic

I In Separation Logic, the spec is just

{tree(p)} DispTree(p) {emp}

I Key part of proof

{p 7→[l : i , r : j ] ∗ tree(i) ∗ tree(j)}DispTree(i);{p 7→[l : i , r : j ] ∗ tree(j)}DispTree(j);{p 7→[l : i , r : j ]}dispose(p){emp}

{P}C{Q}{P ∗ R}C{Q ∗ R} Frame Rule

15

Some Background on Heap Verification

I Pointer Assertion Logic EngineI Uses MSOL. High complexity, good completeness.I (Intentionally) unsound treatment of procedures (framing)I No disposal or address arithmetic

I Boogie.I SoundI Improving treatment of frames...I Limited inductionI Class InvariantsI Relative of ESCI No disposal or address arithmetic

I Sagiv et. al. 3-valued shape analysisI Inferring invariants, good automationI Limited treatment of procedures (so far); global, and hard to make localI No disposal or address arithmetic

16

Context/Summary

I Sep logic has a lot of locality built in.


{P1}C1{Q1} {P2}C2{Q2}{P1 ∗ P2}C1 ‖ C2{Q1 ∗ Q2}

Concurrency Rule

I Happy with disposal and address arithmetic.I Simple aim: try and see what we can do. So far..

I Static assertion checking: Smallfoot.I Program analysis: Space Invader.

17

Context/Summary



{P1}C1{Q1} {P2}C2{Q2}{P1 ∗ P2}C1 ‖ C2{Q1 ∗ Q2}

Concurrency Rule

I Happy with disposal and address arithmetic.

I Simple aim: try and see what we can do. So far..I Static assertion checking: Smallfoot.I Program analysis: Space Invader.

17

Context/Summary



{P1}C1{Q1} {P2}C2{Q2}{P1 ∗ P2}C1 ‖ C2{Q1 ∗ Q2}

Concurrency Rule

I Happy with disposal and address arithmetic.I Simple aim: try and see what we can do. So far..

I Static assertion checking: Smallfoot.I Program analysis: Space Invader.

17

Part II

Smallfoot Basics

18

Smallfoot AssertionsA special form1

(B1 ∧ · · · ∧ Bn)∧(H1 ∗ · · · ∗ Hm)

where

H ::= E 7→ρ | tree(E ) | lseg(E ,E )B ::= E=E | E 6=E

E ::= x | nil

ρ ::= f1 : E1, . . . , fn : En

B ::= E=E | E 6=E

Smallfoot also has predicates for doubly- and xor-linked lists, but I’ll ignorethose.

1assertional if-then-else as well19

Smallfoot Programs

Procedure declarationsf (~p ; ~v)[Pf ] Cf [Qf ]

with pre/post and reference params ~p and value params ~v

Commands include

x :=E�f E�f :=E x := new() dispose (E )

Loops come with invariants (inferred in Space Invader)

20

Verification = Symbolic Execution + Entailment Checking

I Inductive Definitions unrolled only on demand (on heap access)during execution.

I Rolled up only after execution, during entailment checking

I The tree definition

tree(E ) ⇐⇒ if E=nil then emp

else ∃x , y . (E 7→l : x , r : y) ∗ tree(x) ∗ tree(y)

21

Copytree Verification

Just inside the if (where p 6= nil)...

{p 6= nil ∧ tree(p)}



22



{p 6= nil ∧ tree(p)} unroll it...



22



{p 6= nil ∧ tree(p)} unroll it...{p 7→[l : x , r : y ] ∗ tree(x) ∗ tree(y)}



22



{p 6= nil ∧ tree(p)} unroll it...{p 7→[l : x , r : y ] ∗ tree(x) ∗ tree(y)}i := p�l ; j := p�r ;{p 7→[l : i , r : j ]∗tree(i) ∗ tree(j)}



22



{p 6= nil ∧ tree(p)} unroll it...{p 7→[l : x , r : y ] ∗ tree(x) ∗ tree(y)}i := p�l ; j := p�r ;{p 7→[l : i , r : j ]∗tree(i) ∗ tree(j)}tree copy(ii ; i) ; tree copy(jj ; j)s:= new() ; s�l := ii ; s�r := jj ;



22



{p 6= nil ∧ tree(p)} unroll it...{p 7→[l : x , r : y ] ∗ tree(x) ∗ tree(y)}i := p�l ; j := p�r ;{p 7→[l : i , r : j ]∗tree(i) ∗ tree(j)}tree copy(ii ; i) ; tree copy(jj ; j)s:= new() ; s�l := ii ; s�r := jj ;{p 7→[l : i , r : j ] ∗ tree(i) ∗ tree(j) ∗ s 7→[l : ii , r : jj ] ∗ tree(ii) ∗ tree(jj)}



22


We are left with an entailment

p 7→[l : i , r : j ] ∗ tree(i) ∗ tree(j)∗s 7→[l : ii , r : jj ] ∗ tree(ii) ∗ tree(jj)

` tree(p)∗tree(s)



22


We are left with an entailment

p 7→[l : i , r : j ] ∗ tree(i) ∗ tree(j)∗s 7→[l : ii , r : jj ] ∗ tree(ii) ∗ tree(jj)

` tree(p)∗tree(s)

let me roll it...



22

Flawed Copytree Failed Verification

When we mistakenly point back into the source tree

we are left with an entailment

p 7→[l : i , r : j ] ∗ tree(i) ∗ tree(j)∗s 7→[l : i , r : j ]∗tree(ii) ∗ tree(jj)

` tree(p)∗tree(s)

that we can’t roll up...

23

Part III

Proving Entailments

24

Induction and Linked ListsList segments (list(E ) is shorthand for lseg(E , nil))

lseg(E ,F ) ⇐⇒ if E = F then emp

else ∃y .E 7→tl : y ∗ lseg(y ,F )

lseg(x , y) ∗ lseg(y , x)

x

y

25




lseg(x , t) ∗ t 7→[tl : y ] ∗ list(y)

x t y

25




Entailment lseg(x , t) ∗ t 7→[tl : y ] ∗ list(y) ` list(x)

x t y

25




Non-Entailment lseg(x , t) ∗ t 7→nil ∗ list(y) 6` list(x)

x t y

25

Solution (Berdine and Calcagno)

I A proof theory oriented around Abstraction and Subtraction.

I Sample Abstraction Rule

lseg(x , t) ∗ list(t) ` list(x)

I Subtraction RuleQ1 ` Q2

Q1 ∗ S ` Q2 ∗ S

I Try to reduce an entailment to the axiom

B ∧ emp ` true ∧ emp

26






Q1 ∗ S ` Q2 ∗ S



26






Q1 ∗ S ` Q2 ∗ S



26






Q1 ∗ S ` Q2 ∗ S



26

Works great!

lseg(x , t) ∗ t 7→[tl : y ] ∗ list(y) ` list(x) Abstract (Roll)

27

Works great!

lseg(x , t) ∗ list(t) ` list(x) Abstract (Inductive)lseg(x , t) ∗ t 7→[tl : y ] ∗ list(y) ` list(x) Abstract (Roll)

27

Works great!

list(x) ` list(x) Subtractlseg(x , t) ∗ list(t) ` list(x) Abstract (Inductive)lseg(x , t) ∗ t 7→[tl : y ] ∗ list(y) ` list(x) Abstract (Roll)

27

Works great!

¨̂

emp ` emp Axiom!list(x) ` list(x) Subtractlseg(x , t) ∗ list(t) ` list(x) Abstract (Inductive)lseg(x , t) ∗ t 7→[tl : y ] ∗ list(y) ` list(x) Abstract (Roll)

27

Works great!

¨̂


lseg(x , t) ∗ t 7→nil ∗ list(y) ` list(x) Abstract (Inductive)

27

Works great!

¨̂


list(x) ∗ list(y) ` list(x) Subtractlseg(x , t) ∗ t 7→nil ∗ list(y) ` list(x) Abstract (Inductive)

27

Works great!

¨̂


_̈

list(y) ` emp Junk: Not Axiom!list(x) ∗ list(y) ` list(x) Subtractlseg(x , t) ∗ t 7→nil ∗ list(y) ` list(x) Abstract (Inductive)

27

List of abstraction rules for lseg

Rolling

emp → lseg(E ,E )

E1 6=E3 ∧ E1 7→[tl :E2, ρ] ∗ lseg(E2,E3) → lseg(E1,E3)

Induction Avoidance

lseg(E1,E2) ∗ lseg(E2, nil) → lseg(E1, nil)

lseg(E1,E2) ∗ E2 7→[t : nil] → lseg(E1, nil)

lseg(E1,E2) ∗ lseg(E2,E3) ∗ E3 7→[ρ] → lseg(E1,E3) ∗ E3 7→[ρ]

E3 6=E4 ∧ lseg(E1,E2) ∗ lseg(E2,E3) ∗ lseg(E3,E4)

→ lseg(E1,E3) ∗ lseg(E3,E4)

28

Proof Procedure for Q1 ` Q2, Normalization Phase

I Substitute out all equalities

Q1[E/x ] ` Q2[E/x ]

x = E ∧ Q1 ` Q2

I Generate disequalities. E.g., using

x 7→[ρ] ∗ y 7→[ρ′] → x 6= y

I Remove empty lists and trees: lseg(x , x), tree(nil)

I Check antecedent for inconsistency, if so, return “valid”.Inconcistencies: x 7→[ρ] ∗ x 7→[ρ′] nil 7→ − x 6= x · · ·

I Check pure consequences (easy inequational logic), if failed then“invalid”

This is cubic.29

Proof Procedure for Q1 ` Q2, Abstract/Subtract Phase

Trying to prove B1 ∧ H1 ` H2

I For each spatial predicate in H2, try to apply abstraction rules tomatch it with things in H1.

I Then, apply subtraction rule.

Q1 ` Q2

Q1 ∗ S ` Q2 ∗ S

I If you are left withB ∧ emp ` true ∧ emp

report “valid”, else “invalid”

This is cubic.

30

Completeness?

I Question: from O’Hearn to Berdine/Calcago (circa 2002):

Is your procedure complete (and if not can you proveundecidability)?

I Immediate Answer: silence

I A little later: Doh!

31

Completeness?





31

Completeness?





31

Spooky Disjunctions

I The fragment does not have disjunction in it. However,

y 6=z ∧ (ls(x , y) ∗ ls(x , z))

implies that either ls(x , y) or ls(x , z) is nonempty, but we do notknow which. So it also implies x 6= y ∨ x 6= z .

I This issue can show up in an entailment

y 6=z ∧ (ls(x , y) ∗ ls(x , z)∗x 7→−)`x 6=x

which tricks the proof procedure.

I We have never fallen foul of this incompleteness in a natural examplein program verification.

I Still...

32

Spooky Disjunctions


y 6=z ∧ (ls(x , y) ∗ ls(x , z))



y 6=z ∧ (ls(x , y) ∗ ls(x , z)∗x 7→−)`x 6=x



I Still...

32

Spooky Disjunctions


y 6=z ∧ (ls(x , y) ∗ ls(x , z))



y 6=z ∧ (ls(x , y) ∗ ls(x , z)∗x 7→−)`x 6=x



I Still...

32

Spooky Disjunctions


y 6=z ∧ (ls(x , y) ∗ ls(x , z))



y 6=z ∧ (ls(x , y) ∗ ls(x , z)∗x 7→−)`x 6=x



I Still...

32

Exorcising Spooky Disjunctions

I Cubic proof procedure is complete when we know all the listsegs arenonempty (when x 6= y is there for each lseg(x , y)).

I Complete procedure for general case, using excluded middle

x = y ∧ Q1 ` Q2 x 6=y ∧ Q1 ` Q2

Q1 ` Q2

I The resulting proof procedure is exponential.

I Calcagno has a polynomial procedure which uses constraints, andwhich handles spooky disjunctions. Don’t know if complete.

33




x = y ∧ Q1 ` Q2 x 6=y ∧ Q1 ` Q2

Q1 ` Q2



33




x = y ∧ Q1 ` Q2 x 6=y ∧ Q1 ` Q2

Q1 ` Q2



33




x = y ∧ Q1 ` Q2 x 6=y ∧ Q1 ` Q2

Q1 ` Q2



33

Perspective

I The interesting part is the abstraction rules replacing induction, like


I We can replay this work for other data structures, but (presently)some invention is needed to choose abstraction rules.

I We can infer loop invariants (abstract interpretation) by selective useof the abstraction rules .

I Distefano et al, TACAS’06I Termination analysis: Berdine et al, CAV’06 (see Cook CAV invited)

Interprocedural shape analysis: Gotsman et al, SAS’06Pointer Arithmetic: Calcagno et al, SAS’06Thread-modular shape analysis: Gotsman et al, PLDI’07Induction Synthesis: Guo et al, PLDI’07Adaptive analysis: Bertine et al, CAV’07(see Distefano CAV talk)+ 5 SAS’07 papers

34

Perspective





I Distefano et al, TACAS’06

I Termination analysis: Berdine et al, CAV’06 (see Cook CAV invited)Interprocedural shape analysis: Gotsman et al, SAS’06Pointer Arithmetic: Calcagno et al, SAS’06Thread-modular shape analysis: Gotsman et al, PLDI’07Induction Synthesis: Guo et al, PLDI’07Adaptive analysis: Bertine et al, CAV’07(see Distefano CAV talk)+ 5 SAS’07 papers

34

Perspective





I Distefano et al, TACAS’06I Termination analysis: Berdine et al, CAV’06 (see Cook CAV invited)

Interprocedural shape analysis: Gotsman et al, SAS’06Pointer Arithmetic: Calcagno et al, SAS’06Thread-modular shape analysis: Gotsman et al, PLDI’07Induction Synthesis: Guo et al, PLDI’07Adaptive analysis: Bertine et al, CAV’07(see Distefano CAV talk)+ 5 SAS’07 papers

34

Coalescing

I Freeing sometimes causes adjacent nodes to be coalesced in the freelist.

I For example,

x

y z

x+1 x+2 x+z

a b

x+z+b

[x+1]:= [x+1]+[x+z+1]

35

Coalescing


I For example,

x

y z

x+1 x+2 x+z

a b

x+z+b

[x+1]:= [x+1]+[x+z+1]

x

yz+b

x+1 x+2 x+z

a b

x+z+b

35

Coalescing


I For example,

x

y z

x+1 x+2 x+z

a b

x+z+b

[x+1]:= [x+1]+[x+z+1]

x

yz+b

x+1 x+2 x+z+b

35

RAM to Node transit

I Abstraction for transit from

x

yz+b

x+1 x+2 x+z

a b

x+z+b

tox

yz+b

x+1 x+2 x+z+b

is an implication

(x 7→y) ∗ (x+17→z + b) ∗ blk(x+2, x+z)

∗ (x+z 7→a) ∗ (x+z+17→b) ∗ blk(x+z+2, x+z+b)

=⇒nd(x , y , z + b)

36

Program LOC Heap (KB) States (Inv) States (Post) Time (sec)2

malloc firstfit 42 240 18 3 0.05

free acyclic 55 240 6 2 0.09

malloc besttfit 46 480 90 3 1.19

malloc roving 61 240 33 5 0.13

free roving 68 720 16 2 0.84

malloc K&R 179 26880 384 66 502.23

free K&R 58 3840 89 5 9.69

2Pentium 2.3GHz, 4GB RAM37

Josh Berdine, Cristiano Calcagno, Peter O’Hearn 1 July ...oliveras/espai/smtSlides/peter.pdf · Proof Procedures for Separated Heap Abstractions Josh Berdine, Cristiano Calcagno,

Documents