1
Automated Verificationvia Separation Logic
Cristian Gherghina (NUS, Singapore)Cristina David (NUS, Singapore)Shengchao Qin (Durham, UK)Wei-Ngan Chin (NUS, Singapore)
2
Goal
Verify programs involving
mutable data structures
with invariants and other properties
3
Challenges
• Strong updates in the presence of aliasing
• User-defined recursive predicates• Concise, precise, expressive specs
• Emphasis : practical verificationOur Search for Solution
Sized Types Separation Logic
4
Separation Logic• Extension to Hoare logic to reason about
shared mutable data structures.
• Foundations• O’Hearn and Pym, “The Logic of Bunched
Implications”, Bulletin of Symbolic Logic 1999
• Reynolds, “Separation Logic: A Logic for Shared Mutable Data Structures”, LICS 2002
: spatial conjunction -- : spatial implication
5
Examples (Reynolds LICS 2002)
3
y
3
x
x y
x 3,y y 3,x
3x
yx 3,y y 3,x
3x
x 3,y
y
Separation Formulae Actual Heap
6
Outline• Background• Our Approach• How to Verify?• Entailment• Approximation• Expressiveness
• Set of States• Lemmas
7
Overall System
code verifier separationlogic prover
Pre/PostShape
Predicate LemmasCode
range of pure provers e.g. Omega,Mona,Coq,Isabelle,cvc3,redlog,
8
Separation Formulae
• Heap part• Describes data structure in heap memory
• Well-formed : all nodes reachable from “root” pointer
• Well-founded : no direct looping predicate.• No conjunction over heap states.
• Pure part• Size, bag and pointer constraints (that can
be handled by pure provers).
9
Example Predicates
sortln,mi,mx root::nodemi,null mi=mx Æ n=1
root::nodemi,q q::sortln-1,k,mx mik inv n1 Æ mi·mx
Non-empty sorted list
root:: lln root=null n=0 9 r . root::nodea,r r::lln-
1 inv n0
Singly-linked list
derived attribute (c.f. model field) user-supplied invariant
rootnull
10
Example Predicates
AVL-Tree (near-balanced tree)
avlh root = null Æ h = 0 Ç root::nodeh,h, p, qi p::avlhh1i q::avlhh2i
Æ -1 · h1-h2 · 1 Æ h=1+max(h1,h2) inv h¸0
11
Example Predicates
AVL-Tree with BST property
avlh,S root = null Æ h = 0 Æ S={} Ç root::nodeh,v, p, qi p::avlhh1,S1i q::avlhh2,S2i
Æ -1 · h1-h2 · 1 Æ h=1+max(h1,h2)Æ 8 x 2 S1 . x · v Æ 8 y 2 S2 . v < x Æ S={v} [ S1
[ S2 inv h¸0
12
Outline• Background• Our Approach• How to Verify?• Entailment• Approximation• Expressiveness
• Set of States• Lemmas• Structured Specs
13
Automated Verification
• Methods and loops are annotated with pre- and post-conditions.
• Entailment checks• Precondition at call site• Postcondition at end of method
• State transition formula (e.g. x’=x+1)• initial value : x• latest value : x’ (primed variable)
14
Verifier based on Hoare-triple
` { } code { 1 }
pre-state post-state
15
Some Verification Rules
16
Insert into a Sorted List
node insert(node x, node vn)requires x::sortln, sm,lg vn::nodev,_
ensures res::sortln+1,min(v,sm),max(v,lg){ if (vn.val≤x.val) then {
vn.next = x;return vn; }
else if (x.next=null) then {x.next = vn; vn.next = null; return x; }
else { x.next = insert(x.next, vn); return x; }
}
17
{ x’::sortl<n,mi,mx> vn’::node<v,_> }
vn.next = x;
{ (x’::node<mi,null> n=1 Æ mi=mx x’::node<mi,q> q::sortl<n-1,k,mx> mik n2)
vn’::node<v, _> vmi }
if (vn.val · x.val) then {
return vn;
{ res::sortl<n+1,min(v,mi),max(v,mx)> }
}
{ (x’::node<mi,null> n=1 mi=mx x’::node<mi,q> q::sortl<n-1,k,mx> mik n2)
vn’::node<v,x’> vmi }
{ (x’::node<mi,null> n=1 mi=mx x’::node<mi,q> q::sortl<n-1,k,mx> mik n2)
vn’::node<v,x’> vmi Æ res=vn’ }
18
Outline• Background• Our Approach• How to Verify?• Entailment• Approximation• Expressiveness
• Set of States• Lemmas• Structured Specs
19
Separation Logic Prover
1 ` 2 3
• 1 must “subsumes” all heap nodes in 2.
• Residual nodes are then kept in 3.
• ALGORITHM : Ensure all nodes in 2 are subsumed by 1, then convert to an arithmetic implication check.
antecedent consequent residual
20
Entailment Algorithm
21
Key Steps of Entailment
• Matching• Aliased data nodes/predicates are matched and
their components/arguments unified.• Supports implicit instantiation.
• Unfolding• Replaces a predicate on LHS by its definition to
match a node on the RHS
• Folding• Triggered by a predicate on the RHS and a data
node on the LHS. • Supports implicit instantation.
22
Extension to Inference
• Infer pure pre/post conditions
1 Æ ` 2 3
• Joint work with collaborators at Durham.
23
Outline• Background• Our Approach• Why Verification?• Entailment• Approximation• Expressiveness
• Set of States• Lemmas
24
Approximation
• Entailment is reduced to implication of pure constraints when the consequent’s heap is empty.
• Each predicate is approximated by a pure constraint.
25
Approximation: Examples
• XPuren(x::nodeh i y::nodeh i) = (ex i. x=i Æ i>0) (ex j. y=j Æ j>0) = i,j. (x=i Æ i>0 Æ y=j Æ j>0 Æ ij)
• XPure0(x::llhni)= n ¸ 0
• XPure1(x::llhni)= i. (x=0 Æ n=0 Ç x=i Æ i>0 Æ n-1¸0)
too weak
more info
26
Outline• Background• Our Approach• How to Verify?• Entailment• Approximation• Expressiveness
• Set of States• Lemmas• Structured Specs
27
Proof Search (Set of States) 1 ` 2 {3,.., n}
• {3,.., n} denotes non-deterministic outcome from proof search.
• { } means entailment has failed.
• Modified Hoare triple :{} code {1,..,n}
28
Related Predicates• Some predicates may be related.
• Every sorted list is also an unsorted list.
lln root=null n=0 root::node_,r r::lln-1 inv n0
sortln,min,max root::nodemin,null min=max Æ n=1
root::nodemin,q q::sortln-1,k,max mink inv n1 Æ min·max
root::sortln,min,max ) root::lln
Lemma is used in bubble sorting.
29
Idea
User : - provide the lemmas
Our system automatically :- proves each lemma- applies lemmas where possible during entailment proving
30
Lemmas Allowed
c1v1* ) 9 v* ¢ root::c2v2
* Æ
Implication
c1v1* ( 9 v* ¢ root::c2v2
* Æ
Reverse-Implication
c1v1* , 9 v* ¢ root::c2v2
* Æ
Equivalence
8 v* . c1v1* 1 ) 9 v* ¢ root::c2v2
* Æ
Complex LHS
31
Outline• Background• Our Approach• How to Verify?• Entailment• Approximation• Expressiveness
• Set of States• Lemmas• Structured Specs
32
Why Structured Specs? • Better reuse.
• Better handling of disjunction.
• Difference contexts of uses.
Better Precision + Performance
33
Syntax
34
Unstructured Spec
Z is repeatedZ is repeated
instantiations?instantiations?
disjunctionsdisjunctions
35
Structured Specification
case analysiscase analysis
instantiationinstantiation
staged formulastaged formula
36
Disjunctive Incompleteness
Good for searching proof but incomplete …
1· x ·2 |- x=1 Ç x=2
1· x ·2 |- x=11· x ·2 |- x=2 OR
37
Solution – Rewrite Specs
1· x ·2 |- case {x · 1 x=1 ; x>1 x=2}
x · 1 Æ 1·x·2 |- x=1
x > 1 Æ 1·x·2 |- x=2
case enhanced spec
38
Conditions for Case Constructs
39
Semantics
40
Experiments
41
Tools Developed
• SLEEK – Entailment Prover
• HIP – Verifier for Imperative Language
• HIPO – Verifier for OO Language.
42
Conclusion
• User-defined data structures with size/bag properties and invariants.
• Sound and terminating entailment proving
• Expressive structured specifications with proof search and lemma rules.
• Future work: inference + static debugging + scalability + concurrency etc.
43
Experiments
44
Related Works
• Separation Logic (OHearn, Berdine, Calcagno et al. APLAS05)
• TVLA/Shape Analysis (Reps, Sagiv et al.)
• PALE/MONA (Moeller, Schwartzbach)• Grammar-based Shape Analysis (Lee,
Yang + Yi ESOP05)• Quantitative Shape Analysis (Rugina
SAS04)• ILC (Jia & Walker ESOP06)
45
Complex Lemma
8 v* . c1v1* 1 ) 9 v* ¢ root::c2v2
* Æ
An Example
8 i,j . x::lsegn,p Æ i,j ¸ 0 Æ n=i+j ) 9 r . x::lsegi,r r::lsegj,p
x::lsegn,p ) 9 i,j,r . x::lsegi,r r::lsegj,p Æ n=i+j
More general
46
Experiments
47
Experiments
Proof search’soverhead
is low
Proof search is critical
48
Experiments
49
Scalable Performance
Break large predicates into smaller ones
50
Experiments
51
Multiple Pre/Post
void append(node x, node y)
{ if (x.nextnull) then { append(x.next,y) }else { x.next := y }
}
Any other useful specifications for this method?
requires x::lseg<n,null> y::lseg<m,null> Æ n¸1ensures x::lseg<n+m,null>
52
What if x and y are aliased?
void append(node x, node y)
requires x::lseg<n,null> Æ x=y Æ n¸1 ensures x::clist<n>
Æ requires x::lseg<n,null> Æ n¸1 ensures x::lseg<n,y>
Circular List!
53
What if x and y are sorted lists?
void append(node x, node y)
requires x::sortl<n,s1,b1> y::sortl<m,s2,b2> Æ b1·s2
ensures x::sortl<n+m,s1,b2>
Æ requires x::sortl<n,s1,b1> y=null ensures x::sortl<n,s1,b1>
54
Example Predicates
lsegn,p root=p n=0 Ç root::nodea,r r::lsegn-1, p
inv n¸0
List Segment (with a dangling ptr)
rootp
Non-empty Circular list
clistn root::nodea,r r::lsegn-1,root inv n1
rootr
55
Core Language + Specifications
56
Matching Object/Predicate
x::llhniÆ n>1 ` 9 m ¢ x::llhmiÆ m>0matching
n>1 ` n>0
x::llhniÆ n>1 ` x::llhmiÆ m>0matching
n=m Æ n>1 ` n>0
implicit instantiation of free var m
free var
57
Example of Free Variables
Specificationvoid insert(node x, int v)
requires x::llhni Æ n>0ensures x::llhn+1i
free variable linkingpre and post conditions
58
Our Work• Size and bag (pure) properties
• Data structure with derived size/bag properties and invariant.
• Length, height-balanced, sortedness etc.
• User-specified predicates• can be recursive
• Entailment prover for separation formulae • with lemmas + proof search
59
Unfolding
x::llhniÆ n>1 ` 9r, m ¢ x::nodeh_,ri r::llhmiÆ m>0
Unfolding9q ¢ x::nodeh_, qi q::llhn-1i Æ n>1 `
9r, m ¢ x::nodeh_, ri r::llhmi Æ m>0
Matchingq1::llhn-1iÆ n>1 ` 9m ¢ q1::ll<m> Æ m>0
n>1 ` 9m ¢ m=n-1 Æ m>0
60
y=null ` y::llhmi Æ m=0
Recursive entailmenty=null ` y=null Æ m=0
Ç y::nodeh_,ri r::llhm-1i
Backy=null Æ m=0 ` m=0
Folding: Base Case
61
x::nodeh_, ri Æ r=null ` x::llhni Æ n>0
Recursive entailmentx::nodeh_, ri Æ r=null `
9q,k ¢ x::nodeh_,qi q::llhki Æ k=n-1Ç x=null Æ n=0
r=null ` 9k ¢ r::llhki Æ k=n-1
Back from fold:r=null Æ n-1=0 ` n>0
Folding: Recursive Case
62
Equivalence Lemma
Definition of list segment is inadequate
Termination ensured by well-formed and well-founded property
Important to have equivalence coercion :
lsegn,p root=p n=0 root::node_,r r::lsegn-1,p inv n0
basicdefinition
extraproperty
lsegn,p , 9 i,j,r . root::lsegi,r r::lsegj,p Æ n=i+j
63
Proof Search via Equiv. Lemma
x::lsegn,p … ` x::lsegm,r …
match
… ` [n/m,p/r] … unfold lsegn,p
x::lsegi,q q::lsegj,p Æ n=i+j …
` x::lsegm,r …
fold lsegm,r
x::lsegn,p … ` x::lsegi,q q::lsegj,r Æ m=i+j