Theorem Proving and Data Structure Verification Charles Bouillaguet Viktor Kuncak, MIT Computer Science and Artificial Intelligence Lab Spring-Summer 2006.

Theorem Proving and Data Structure

Verification

Charles BouillaguetViktor Kuncak,

MIT Computer Science and Artificial Intelligence Lab

Spring-Summer 2006

Starters

You You MUSTMUST ask ask

questionsquestions

(c) Jean Daligault

• Can cause program crashes

• Looping

Inconsistent data structures

next

prev

next

prev

next

prev

Unexpected outcome of operations

Removing two instead of one element

Implementing Data structure is hard

• Often small but complex code

• Lots of pointers

• Unbounded, dynamic allocation

• Complex shape invariants

• Trees, directed acyclic graphs, parent pointers

• Properties involving arithmetic (ordering)

• Need strong invariant to guarantee correctness

• e.g. lookup in ordered tree need sortedness

How to obtain reliable data structure implementations?

• Formal method:

• Build a proof that the program is correct

• for all possible program executions (sound)

• Verified properties:

• Program do not crash

• Data structure invariants are preserved

• Data structure content is correctly updated

• Goal: automated verification

Abstract view of a program• Sequence of instructions

• Instructions mutate the program state

• State = values of the variables

• We want to avoid some states

• {x = null} before y = x.next

• {n = 0} before m = k / n

• for a program point, defines set of acceptable states we want to stay in to avoid crashes

• try to prove property: all instructions yield an acceptable state

Not enough

• Avoiding crashes is good

• Checking that the program does what it is supposed to do is better !

• for some def. of “checking”, undecidable problem

• ie no algorithm can do it in all cases

• We don’t care :-)

• How to do that

• see rest of the presentation ?

Checking correction of behavior

• Procedure have contracts

• Contracts have 2 parts

• a require clause (precondition):

• property of the state at call site (what the procedures needs)

• an ensure clause (postcondition):

• property of the returned state (what the procedure provides)

• Contracts (specification) describe what the code (implementation) is supposed to do

Examples

• Euclidean division

• Requires a state where 0 ≤ m ≤ n

• Ensures a state where n = q m + r (m≠0 ⋅ ∧ 0⇒ ≤r<m)

• Removal in a linked list

• Requires a state where

• following field next from object first defines a list (no loop, unique parent...)

• object o is in content of the list

• Ensures a state where

• the list is still a list (looks simple, but tricky in practice)

• new content = old content - {o}

Assume-guarantee verification

• Check that code does what contract says !

• All state satisfying precondition must result in state satisfying postcondition

divdiv0<m<n

div’div’0<m<n

correct

Incorrect

set of correct states(post-condition)

set of resulting states

set of input states(pre-condition)

some resulting state do not satisfy post-

condition

all resulting states satisfy the post-

condition

How to check that ?

• Set of states = logic formula

• free variables = variables of the program

• set inclusion = implication

• To verify procedure:

• compute φ (depends on F and pre)

4. check that φ post⇒

φpost φ⇒post

¬(φ⇒post)

FFpre

φ

post

(φ ≡ {x | φ})

Computing reachable states

• How to compute set of reachable states ?

• Strongest Post-condition

• smallest set containing all the possibles outcomes of F starting from precondition ϑ.

sp(F, ϑ)post

FFpre

• Other possibility: Weakest Precondition

• symmetric: biggest set of states from which post-condition is enforced (depends on F and post)

Alternative verification approach

FF

F’F’

correct

Incorrect

post

wp(F, post)

pre

post

wp(F’, post)

pre⇒ wp(F, post)

¬(pre⇒ wp(F’, post))

all states satisfying precondition lead to states

satisfying postcondition

some state statisfying precondition lead to

postcondition violation

pre

• Instruction by instruction

• wp(wp(II11; I; I22, post, post) = wp() = wp(II1, 1, wp(wp(II22, post, post))))

• Starting from the end

•F = I1; ... ; In-1 ; In

Weakest Precondition computation

post...

IInnIIn-1n-1IIn-2n-2II11

wp(In ,post)wp(In-1;In ,post)wp(F,post)

• some instructions are easy (assignment)

• some are hard

• if

• loops

• procedure calls

• exceptions

WP for individual instructions

multiple possible multiple possible outcomesoutcomes

can completely can completely change statechange state

Loop problems

• example loop

• Problems

• Properties of x and y after n iterations ?

• Depends on properties after (n-1) iterations

• Depends on properties after (n-2) iterations

• ....

• And n only known at run-time

• possibly unbounded number of iterations

Loop problems

• example loop

• prog. state after the loop ?

?

uncontrained - 0 knowledge

initial

cannot simulate an unbounded number of iterations by symbolic execution

Solution

• Describe state mutations by loop invariant

• Property I of state

• true at the beginning of any number of loop iterations

• therefore true when loop end

• constrain state space during and after loop

• by induction, reduces to

• I(state0)

• ∀n. I(staten) ⇒ I(staten+1)

∀k. I(xk, yk)

II hold initially hold initially

II is inductive is inductive+

Back to example

I(i, xi, yi)

5 iterations 15 iterations

Restrain domain of Restrain domain of (x, y)(x, y)

0 iterations

• Unrealisticdrawing

Back to example

Fantasy invariant real invariant

xi2 + xiyi+ yi

2=x02 + x0y0+

y02

I(xi, yi) ≡

xi2 + xiyi+ yi

2=x02 + x0y0+

y02

Small notes on loop invariants

• There is always one (“True”)

• There is a strongest one (ie smallest set)

• Take (infinite ?) conjunction of all of them (aouch)

• Need a strong enough to prove postcondition

• “True” usually not strong enough

• Techniques to find them automatically

• Slow, do not always work, interesting, out of scope

• Recursive code eliminates problem

• but create some others

Real-life loop invariant

• Removal of an element in a linked list

public void remove (Object o1){ Node prev = null; Node current = first; while (current.data != o1) {

prev = current; current = current.next;

} ...}

current ≠ null ∃n. n ≠ null ∧ o1 = n.data ∧ n ∈ current.next*current ∈ first.next* prev ≠ null ⇒ prev.next = currentprev = null ⇒ current = first

scan the list to scan the list to find element to find element to

removeremove

prevprev points to points to nextnext

+ special empty + special empty casecase

end of loop: knows that prev.next = currentcurrent ≠ null

current.data = o1

How (most) verification system work ?

• Compute weakest precondition

• prove resulting formula

• external theorem prover

• Weakest preconditiondirectly from Java: hard

• Simplification passes before

weakest precondition

Three-address code

new_left = remove(k, t.left);r.data = t.data;

tmp_27 = t.left;tmp_28 = FuncTree.remove(k,tmp_27);new_left = tmp_28;

tmp_35 = t.data; r.data = tmp_35;

expressions simplification by introduction of fresh

variables

sequentialize side effectsMakes null pointer check easier to insert

Guarded Command Language

• Java contains nasty things

• if, while loops, method calls

• exceptions, dynamic dispatch

• First, convert Java tosimpler, more abstractlanguage

• Then, use simpler language tocompute weakest preconditions

Guarded Command Language

• Adapted from Dijkstra ‘76

StatementStatement MeaningMeaning

assert φ if φ is true, continue. Fail otherwise

assume φ if φ is false, succeeds. Continue otherwise

stmt1 ; stmt2 sequential composition

stmt1⎮stmt2 non-deterministic choice

havoc xnon-deterministically change variable x

x := e assign e to x

if, calls, Loops ?

• ...can be expressed

• using contracts and loop invariants

• IF encoded usingnon-deterministic choice

• both case can happens

[| if (cond) then branchtrue else branchfalse |]

(assume cond ; [| branchtrue |])| (assume ¬cond ; [| branchfalse |])

if, calls, Loops ?

• Procedure calls

• could be inlined

• exponential blowup !

• encoded using contracts

• modularity ! Check 1 proc. at a time

• assume that all others proc. are correct

[| r = m(x, y, z) |]

assert m.precondition;havoc r;havoc {vars modified by m};assume m.postcondition;

if, calls, Loops ?

• loops... induction on invariant (no term. check)

assert invariant;havoc vars(body);assume invariant;((assume condition; [| body |]; assert invariant; assume False)| assume not condition);

[| while (condition) /*: invariant */ {body} |]

invariant hold initiallyno assumptions on loop

variables except that invariant hold

loop condition hold before loop body

invariant still hold

branch succeeds

condition does not holdand verification continue

WP from guarded command language

• Easy from guarded command

• Note

• do not enforce loop/recursion termination...

stmtstmt wlp(stmt, ψ)wlp(stmt, ψ)assert φ φ ∧ ψ

assume φ φ ⇒ ψstmt1 ; stmt2 wlp(stmt1, wlp(stmt2, ψ))

stmt1⎮stmt2 wlp(stmt1,ψ) ∧ wlp(stmt2, ψ)

havoc x ∀x. ψ

x := e ψ{x ↦ e}

Real life verification condition

• Same List.remove method((List_inlist = (% this. {n. ((rtrancl_pt (% x y. ((Node_next x) = y)) (List_first this) n) & (n ~= null))})) --> ((List_content = (% this. {x. ((x ~= null) & (EX n. ((x = (Node_data n)) & (n : (List_inlist this)))))})) --> ((((Node_data null) = null) & ((Node_next null) = null) & ((List_first null) = null) & (ALL xObj. (xObj : Object)) & ((Node Int List) = {null}) & ((Array Int List) = {null}) & ((Array Int Node) = {null}) & (null : Object_alloc) & (pointsto Node Node_data Object) & (pointsto Node Node_next Node) & (pointsto List List_first Node) & comment ''unalloc_lonely'' (ALL x. ((x ~: Object_alloc) --> ((ALL y. ((Node_data y) ~= x)) & (ALL y. ((Node_next y) ~= x)) & (ALL y. ((List_first y) ~= x)) & ((Node_data x) = null) & ((Node_next x) = null) & ((List_first x) = null)))) & (o1 : (List_content this)) & comment ''List_PrivateInv '' (ALL this. (((this : Object_alloc) & (this : List)) --> (ALL n. ((n : (List_inlist this)) --> ((Node_data n) ~= null))))) & comment ''List_PrivateInv '' (tree [List_first, Node_next]) & comment ''List_PrivateInv '' (ALL this. (((this : Object_alloc) & (this : List)) --> (ALL n m. (((n : (List_inlist this)) & (m : (List_inlist this)) & ((Node_data n) = (Node_data m))) --> (n = m)))))) --> ((comment ''thisNotNull'' (this ~= null) & comment ''thisType'' ((this : List) & (this : Object_alloc)) & comment ''o1_type'' ((o1 : Object) & (o1 : Object_alloc))) --> (comment ''InvHoldsInitially'' (((List_inlist this) = {n. ((rtrancl_pt (% x y. ((Node_next x) = y)) (List_first this) n) & (n ~= null))}) & ((List_first this) ~= null) & (EX n. ((o1 = (Node_data n)) & (n : (List_inlist this)))) & (rtrancl_pt (% x y. ((Node_next x) = y)) (List_first this) (List_first this)) & ((null ~= null) --> ((Node_next null) = (List_first this))) & ((null = null) --> ((List_first this) = (List_first this)))) & (((inlist_curr_28 = {n. ((rtrancl_pt (% x y. ((Node_next x) = y)) current_25 n) & (n ~= null))}) & (current_25 ~= null) & (EX n. ((o1 = (Node_data n)) & (n : inlist_curr_28))) & (rtrancl_pt (% x y. ((Node_next x) = y)) (List_first this) current_25) & ((prev_27 ~= null) --> ((Node_next prev_27) = current_25)) & ((prev_27 = null) --> (current_25 = (List_first this)))) --> (comment ''NullCheckFieldNode_data'' (current_25 ~= null) & (((Node_data current_25) ~= o1) --> (comment ''NullCheckFieldNode_next'' (current_25 ~= null) & (EX n. ((o1 = (Node_data n)) & (n : (inlist_curr_28 - {current_25})))) & ((EX n. ((o1 = (Node_data n)) & (n : (inlist_curr_28 - {current_25})))) --> comment ''InvPreservation'' (((inlist_curr_28 - {current_25}) = {n. ((rtrancl_pt (% x y. ((Node_next x) = y)) (Node_next current_25) n) & (n ~= null))}) & ((Node_next current_25) ~= null) & (EX n. ((o1 = (Node_data n)) & (n : (inlist_curr_28 - {current_25})))) & (rtrancl_pt (% x y. ((Node_next x) = y)) (List_first this) (Node_next current_25)) & ((current_25 ~= null) --> ((Node_next current_25) = (Node_next current_25))) & ((current_25 = null) --> ((Node_next current_25) = (List_first this))))))) & ((~((Node_data current_25) ~= o1)) --> (((prev_27 ~= null) --> (comment ''NullCheckFieldNode_next'' (current_25 ~= null) & comment ''ObjNullCheck'' (prev_27 ~= null) & comment ''ObjNullCheck'' (current_25 ~= null) & ((List_inlist_10 = (% this__9. {n. ((rtrancl_pt (% x y. ((((Node_next(prev_27 := (Node_next current_25)))(current_25 := null)) x) = y)) (List_first this__9) n) & (n ~= null))})) --> ((List_content_9 = (% this__10. {x. ((x ~= null) & (EX n. ((x = (Node_data n)) & (n : (List_inlist_10 this__10)))))})) --> (comment ''currentNotInInlist'' ((List_inlist_10 this) = ((List_inlist this) - {current_25})) & (comment ''currentNotInInlist'' ((List_inlist_10 this) = ((List_inlist this) - {current_25})) --> (comment ''otherInlistSame'' (ALL x. (((x : Object_alloc) & (x : List) & (x ~= this)) --> ((List_inlist_10 x) = (List_inlist x)))) & (comment ''otherInlistSame'' (ALL x. (((x : Object_alloc) & (x : List) & (x ~= this)) --> ((List_inlist_10 x) = (List_inlist x)))) --> (comment ''otherContentSame'' (ALL x. (((x : Object_alloc) & (x : List) & (x ~= this)) --> ((List_content_9 x) = (List_content x)))) & (comment ''otherContentSame'' (ALL x. (((x : Object_alloc) & (x : List) & (x ~= this)) --> ((List_content_9 x) = (List_content x)))) --> ((((List_content_9 this) = ((List_content this) - {o1})) & (ALL framedObj. (((framedObj : Object_alloc) & (framedObj : List) & (framedObj ~= this)) --> ((List_content_9 framedObj) = (List_content framedObj))))) & comment ''List_PrivateInv '' (ALL this__11. (((this__11 : Object_alloc) & (this__11 : List)) --> (ALL n. ((n : (List_inlist_10 this__11)) --> ((Node_data n) ~= null))))) & comment ''List_PrivateInv '' (tree [List_first, ((Node_next(prev_27 := (Node_next current_25)))(current_25 := null))]) & comment ''List_PrivateInv '' (ALL this__12. (((this__12 : Object_alloc) & (this__12 : List)) --> (ALL n m. (((n : (List_inlist_10 this__12)) & (m : (List_inlist_10 this__12)) & ((Node_data n) = (Node_data m))) --> (n = m)))))))))))))))) & ((~(prev_27 ~= null)) --> (comment ''NullCheckFieldNode_next'' ((List_first this) ~= null) & comment ''ObjNullCheck'' (current_25 ~= null) & ((List_inlist_2 = (% this__5. {n. ((rtrancl_pt (% x y. (((Node_next(current_25 := null)) x) = y)) ((List_first(this := (Node_next (List_first this)))) this__5) n) & (n ~= null))})) --> ((List_content_1 = (% this__6. {x. ((x ~= null) & (EX n. ((x = (Node_data n)) & (n : (List_inlist_2 this__6)))))})) --> (comment ''currentNotInInlist'' ((List_inlist_2 this) = ((List_inlist this) - {current_25})) & (comment ''currentNotInInlist'' ((List_inlist_2 this) = ((List_inlist this) - {current_25})) --> (comment ''otherInlistSame'' (ALL x. (((x : Object_alloc) & (x : List) & (x ~= this)) --> ((List_inlist_2 x) = (List_inlist x)))) & (comment ''otherInlistSame'' (ALL x. (((x : Object_alloc) & (x : List) & (x ~= this)) --> ((List_inlist_2 x) = (List_inlist x)))) --> (comment ''otherContentSame'' (ALL x. (((x : Object_alloc) & (x : List) & (x ~= this)) --> ((List_content_1 x) = (List_content x)))) & (comment ''otherContentSame'' (ALL x. (((x : Object_alloc) & (x : List) & (x ~= this)) --> ((List_content_1 x) = (List_content x)))) --> ((((List_content_1 this) = ((List_content this) - {o1})) & (ALL framedObj. (((framedObj : Object_alloc) & (framedObj : List) & (framedObj ~= this)) --> ((List_content_1 framedObj) = (List_content framedObj))))) & comment ''List_PrivateInv '' (ALL this__7. (((this__7 : Object_alloc) & (this__7 : List)) --> (ALL n. ((n : (List_inlist_2 this__7)) --> ((Node_data n) ~= null))))) & comment ''List_PrivateInv '' (tree [(List_first(this := (Node_next (List_first this)))), (Node_next(current_25 := null))]) & comment ''List_PrivateInv '' (ALL this__8. (((this__8 : Object_alloc) & (this__8 : List)) --> (ALL n m. (((n : (List_inlist_2 this__8)) & (m : (List_inlist_2 this__8)) & ((Node_data n) = (Node_data m))) --> (n = m)))))))))))))))))))))))))

7 ko7 ko

My work begins NOW

• We have generated a big formula

• We need to prove that it is valid (ie True).

• But first, a word about the system itself

• Jahob system for verifying data structures and programs.

• Input language: subset of Java

• Specification language: subset of Isabelle

• implementation of the previous verification schema

Jahob system, in theory...

Automated Automated reasoning reasoning

infrastructureinfrastructure

=

• Written in OCaml

• 4 active developers

• in 3 countries

• including myself

• 44.5 k lines of code

• 96 modules

• CVS repository

• big test suite

...And in practice

automated automated reasoningreasoning

Why automated reasoning ?

• Generating the formula was EASY !

• Polynomial time if we fix the system

• Proving it is hard

• complexity: reasonable tower of exponential (or worse)

• How do we prove it ?

• humans cannot program correctly, how could they prove correctly ?

• Machine-checked proof: use of proof assistants

• COQ, Isabelle, ACL2, Nuprl, HOL, ...

Proof assistants ?

• Check that a “proof” is correct

• “proof” of a part of a VC from Jahob, in COQeauto ; intros. intuition ; subst . apply Extensionality_Ensembles. unfold Same_set. unfold Included. unfold In. unfold In in H1. intuition. destruct H0. destruct (eq_nat_dec x1 ArraySet_size). subst. rewrite arraywrite_match in H0 ; auto. intuition. subst. apply Union_intror. auto with sets. assert (x1 < ArraySet_size). omega. clear n. apply Union_introl. rewrite arraywrite_not_same_i in H0. unfold In. exists x1. intuition. omega.

inversion H0 ; subst ; clear H0. unfold In in H3. destruct H3. exists x1. intuition. rewrite arraywrite_not_same_i. intuition ; omega. omega. exists ArraySet_size. intuition. inversion H3. subst. rewrite arraywrite_match ; trivial.

1 hour to write.

To verify a whole procedure, dozens of these

Proof assistants VS Theorem provers

• Proof assistants: check correctness of a proof

• good point: no complexity limit for proofs

• bad point: long and painful to use (wizardry required)

• Theorem provers: check validity of formula

• good point: no need to write proof ! Automatic !

• bad point: sometimes takes forever and crash

• not surprising: problem is undecidable...

• In practice: can work, but can take long without hacks

• I worked here

• Main work

• translation HOL->FOL

• interface to E, Vampire, SPASS

• 6 modules

• 3k lines of code

• Various hacks

• COQ interface

• bugfixes

• improvements

My contributions

HOL ? FOL ? E ? SPASS ?

your usual mathematical language(Convenient to write specification)expressive, but hard to prove automatically

restricted logic (no sets,...)but has better theorem provers

1st-order Theorem proversVery efficient on “easy” formulas(provable with low number of deduction steps)re

ac

ha

bili

ty

reachability reasoning in trees

ari

thm

eti

c(q

ua

ntif

ier-

fre

e)

proof assistants

cardinality constraints

A Hack: making formula easier

• HOL formulas have type decorations

• Object, Integer, ...

• In general, this information is important (x,y : S), x = y∀ (u,v : T), u ≠ y∃

• Satisfiable with sorts (S={a}, T={c,d})

• Unsatisfiable without

• But sort informations make proofs longer !

Striping sorts

• Lemma: If sorts are

•pairwise disjoint

•of same cardinality

•Then we can forget about them

• Moreover, shortest proof is always shorter without sorts

• Removing sorts:

•important speed-up of proof process

OK for Object, OK for Object, Integer Integer

Effectiveness

benchmarkbenchmark Time (s)Time (s) Proof lengthProof length generated generated clausesclauses

sortssorts with w/o with w/o with w/o

Tree.removeTree.remove

4.5 0.53 250 154 14 348 5 959

44.0 0.46 1082 315 97 672 5 505

5.2 0.75 209 201 17 081 6 597

30.1 0.38 869 266 77 091 5 474

5.8 0.75 249 167 18 065 6 365

7.3 0.28 863 231 34 032 3 492

Tree.remove_Tree.remove_maxmax

83.1 4.8 797 314 118 364 28 478

37.9 0.85 2622 502 115 928 8 289

Summary of verified data structures

• Using Jahob system with 1st-order provers

• no automatic verification before

BenchmarkBenchmark lines of lines of codecode

lines of lines of spec. spec.

# of # of methodsmethods verif. timeverif. time

Association Association list (fun.)list (fun.)

76 26 9 50s

Functional Functional ordered treeordered tree

186 38 10 4min 16s

Imperative Imperative linked listlinked list

60 24 9 17.9s

LibraryLibrary 97 63 9 31.5s

Hash tableHash table 41 39 6 38s

LIVE DEMO !!!!

MIT, STATA center

MIT, STATA center

Inside

Conclusion

• Developing a full system is hard

• Watching it in action is cool !

• Formal methods are the future of Comp. Sci.

• Always have been...

• Always will be

• Questions ?