10.8.2006 sat-based methods for proving properties in reynolds/o'hearn separation logic daniel...
TRANSCRIPT
10.8.2006
SAT-based methods for proving properties in Reynolds/O'Hearn
Separation Logic
Daniel Kröning(currently visiting CBL)
Joint work with B. Cook and J. Berdine
10.8.2006 Daniel Kroening 2
Program Verification
Goal:
Editor that highlights programming errors
Not syntax, but semantics
10.8.2006 Daniel Kroening 3
Like what?
10.8.2006 Daniel Kroening 4
Verification Engines
Unwinding Abstraction
Bounded Model Checking (BMC)
No invariant discovery
One very largeconstraint problem
A lot of case-splitting
Abstract interpretation
Predicate abstraction
Attemptinginvariant discovery
Many small constraint problems
Little case-splitting
10.8.2006 Daniel Kroening 5
Program Analysis: BMC
BMCBMC
Program
CONSTRAINT SOLVERCONSTRAINT SOLVER
VC Model
SAT solver,CVC-Lite, Math-SAT, …
CBMC, …
10.8.2006 Daniel Kroening 6
BMC Overview
ANSI-CProgramANSI-CProgram unwindunwindparsingparsing +
*
=
Parse tree
+*
=
ConstraintProblem
CNF SATSolver
SATSolver
10.8.2006 Daniel Kroening 7
ANSI-C Transformation
1. Preparation Side effect removal continue, break replaced by goto for, do while replaced by while
2. Unwinding Loops are unwound Same for backward goto jumps and
recursive functions
10.8.2006 Daniel Kroening 8
Implementation
3. Transformation into Equation After unwinding: Transform into SSA
Example:
Generate constraints by simply conjoiningequations resulting from assignments
For arrays, use simple lambda notation
10.8.2006 Daniel Kroening 9
Example
10.8.2006 Daniel Kroening 10
Required Theories
Bit vector
Arrays
Pointers (pair of object/offset)
Floating Point
If contained in assertion: Quantifiers Data type predicates (lists, trees, …)
10.8.2006 Daniel Kroening 11
int *p, x, y;
int main() {
int z;
y=z;
p=&y;
x=*p;
assert(x==z);
}
cbmc test.c –cvc –outfile test
Example
10.8.2006 Daniel Kroening 12
p0: [# object: INT, offset: BITVECTOR(32) #] = (# object:=0, offset:=0bin00000000000000000000000000000000 #);
x0: BITVECTOR(32) = 0bin00000000000000000000000000000000;
y0: BITVECTOR(32) = 0bin00000000000000000000000000000000;
z1: BITVECTOR(32);
z0: BITVECTOR(32);
y1: BITVECTOR(32) = z0;
p1: [# object: INT, offset: BITVECTOR(32) #] = (# object:=3, offset:=0bin00000000000000000000000000000000 #);
x1: BITVECTOR(32) = y1;
l1: BOOLEAN;
ASSERT l1 <=> (x1=z0);
ASSERT (NOT l1);
QUERY FALSE;
Download me!
We have ~300 MB of benchmark files available
Soon: SMT-Lib format
10.8.2006 Daniel Kroening 13
Program Analysis: Abstraction
PROGRAM ANALYSIS
ENGINE
PROGRAM ANALYSIS
ENGINE
Program
CONSTRAINT SOLVERCONSTRAINT SOLVER
VCsModel
WIDENINGWIDENING
T ’
Simplify, Zapato,Cogent,CPLEX, …
Pre-, Post-,Proof-based, …
SLAM, …
10.8.2006 Daniel Kroening 14
Existing Tools
Implement
Fragments of linear arithmetic,
Maybe arrays, maybe pointers
Sometimes float
10.8.2006 Daniel Kroening 15
Extending the Assertion Logic
PROGRAM ANALYSIS
ENGINE
PROGRAM ANALYSIS
ENGINE
Program
CONSTRAINT SOLVERCONSTRAINT SOLVER
VCCsModel
WIDENINGWIDENING
T ’
Linear Arithmetic,Arrays, Float, …
Linear Arithmetic,Arrays, Float, …
10.8.2006 Daniel Kroening 16
Existing Tools
Biggest challenge for mass-market:
dynamic data structures
Fix with choice of assertion logic, e.g.,
Reynolds’ Separation Logic
E.g., add separating conjunction and
predicates for linked list
10.8.2006 Daniel Kroening 17
Separation Logic
A logic for heap data structures
NOT the same as the fragment of linear
arithmetic called difference logic
Due to Reynolds/O’Hearn
10.8.2006 Daniel Kroening 18
Separation Logic
. .
Payload
“next” pointer
…. .
…
Main problem:
Need to specify that allheap cells are disjoint
10.8.2006 Daniel Kroening 19
Separation Logic
In general, one needs to express constraints
that a data structure does not share cells
with any other data structure
Key idea: new logical operator
P * Q
“Separating Conjunction”
10.8.2006 Daniel Kroening 20
Separation Logic
Semantics of expressions defined over
valuations of heaps
(maps from addresses to values)
Obvious meaning for
State Heap Pointer Value
10.8.2006 Daniel Kroening 21
Separation Logic
Define disjoint heaps:
Separating conjunction:
10.8.2006 Daniel Kroening 22
Separation Logic: Lists
Notation for sequences
: empty sequence
x¢: concatenation
Define list:
10.8.2006 Daniel Kroening 23
Extending the Assertion Logic
PROGRAM ANALYSIS
ENGINE
PROGRAM ANALYSIS
ENGINE
Program
CONSTRAINT SOLVERCONSTRAINT SOLVER
VCCsModel
WIDENINGWIDENING
T ’
Linear Arithmetic,Arrays, Float, …
Linear Arithmetic,Arrays, Float, …
+Separation Logic +Separation Logic
10.8.2006 Daniel Kroening 24
Who does the assertions?
Manual annotations
Automatic discovery
Standard Template Library Data in containers is implicitly
in separate heap cells
typedef std::hash_map <std::string, symbolt, string_hash> symbolst;
. . .
typedef std::vector<nodet> nodest;
10.8.2006 Daniel Kroening 25
Requirements for Constraint Solvers
Constraint solver must support
very rich logic
Data types might even be application-specific
But most queries are simple!
Extending custom-made constraint solver
is tedious
10.8.2006 Daniel Kroening 26
Proposed Solution
Assumption: we have a (partial)
axiomatization of all logics
Goal: high performance constraint solver
1st step: define language for axioms
10.8.2006 Daniel Kroening 27
Example: Equality Logic
equality_transitivity:
A "=" B, B "=" C -> A "=" C;
equality_commutativity:
A "=" B <-> B "=" A;
equality:
A "=" A;
disequality:
A "!=" B <-> NOT A "=" B;
10.8.2006 Daniel Kroening 28
Build a Compiler!
2nd step: build a compiler
AxiomsAxiomsg++g++codegencodegen C++
code BinaryBinary
VCC
SAT/UNSAT
10.8.2006 Daniel Kroening 29
Multiple Theories
Note that one can combine multiple theories
Interfacing through arbitrary propositions,
not just equalities
Convexity requirement?
10.8.2006 Daniel Kroening 30
What about OR?
We could build case-splitting into the
generated code
However, we will never be able to implement
Proper decision heuristics
Non-chronological back-tracking
Learning
10.8.2006 Daniel Kroening 31
What about OR?
Alternative: produce
reduction to propositional logic
Generate CNF, and pass formula to SAT
solver
The formula is unsatisfiable iff there exists a
deduction that shows a contradiction
10.8.2006 Daniel Kroening 32
What about OR?
3nd step: add SAT solver
AxiomsAxiomsg++g++codegencodegen C++
code BinaryBinary
VCC
CNF SATSolver
SATSolver
This is the eager version – lazy version straight-forward.
10.8.2006 Daniel Kroening 33
What about OR?
1. Maintain truth value with each fact:
2. Set new facts to unknown
3. Assign a literal to each fact that has truth value unknown
4. For each deduction step,generate constraint
10.8.2006 Daniel Kroening 34
Separation Logic
disjoint_not_self:
h “!=“ “emp” -> not [h "#“ h];
not:
h "|=" ["!" P] <-> not [h "|=" P];
and:
h "|=" [P "^" Q] <-> h "|=" P, h "|=" Q;
conditional:
h "|=" [P "?" Q ":" R] <-> (h "|=" P -> h "|=" Q), (h "|=" "!" P -> h "|=" R);
10.8.2006 Daniel Kroening 35
Separation Logic
star:
h "|=" [P "*" Q] <-> NEW h0 "|=" P, NEW h1 "|=" Q, h "=" [NEW h0 "**" NEW h1], NEW h0 "#" NEW h1;
10.8.2006 Daniel Kroening 36
Obtaining Invariants
Again, could be custom-made
Instead: inspect proofs of failed
refutation-attempts
Paper available on doing this for bit-vectors
E.g., for constructing interpolants
10.8.2006 Daniel Kroening 37
Conclusion
Generic constraint solver with propositional
SAT as backend
Especially for complicated logics
Extensions of logic are easy
All case-splitting is pushed into
propositional SAT solver
10.8.2006 Daniel Kroening 38
Cross-Advertising
TACAS: this can be used for
–quantification over predicates
CAV: Predicate abstraction for deep loops
PDPAR: Completeness
How to tell for sure that no proof exists?