Automated Verification with HIP and SLEEK
Asankhaya Sharma

Recall the List length Example

int length(struct node* p)
/*@ requires p::list<n,B>
    ensures  p::list<n,B> & res=n; */
{
  if (p == NULL) return 0;
  else return 1 + length(p->next);
}

What the specification expresses:
• Memory Safety: the shape predicate p::list<n,B> describes the heap reachable from p
• Length of the List: n
• Bag of Values: B

With Inference

int length(struct node* p)
/*@ infer [H,G]
    requires H(p)
    ensures  G(p); */
{
  if (p == NULL) return 0;
  else return 1 + length(p->next);
}

• Second Order Variables for Unknown Predicates (H and G)
• Modular Shape Inference

Relational Assumptions

// Post (1)     H(p) & x = null  => G(p)
// Bind (2)     H(p) & x != null => x::node<_,q> * HP(q)
// Pre-Rec (3)  HP(q) => H(p)
// Post (4)     x::node<_,q> * G(q) => G(p)

Predicate Derivation

For Pre Condition:
  H(p) == emp & p = null
       or p::node<_,q> * H(q)

For Post Condition:
  G(p) == emp * p = null
       or p::node<_,q> * G(q)

Linked List Predicate Inferred Automatically

Bi-Abduction

Figure (entailment with bi-abduction): the antecedent (1) together with the inferred precondition (4) entails the consequent (2) together with the residue (3, marked R).

Compositional shape analysis by means of bi-abduction. Calcagno C, Distefano D, O'Hearn P W and Yang H. POPL 2009.

Achievement: Scalable automated shape analysis!

Incremental Specification
• Formal specs are important for verification and documentation.
• Tedious for legacy systems and maintenance efforts.
• The user's role is to guide the inference process.
• Our thesis: Specification can be developed incrementally and when needed.

Inference Example

infer [x,Q3]
requires x::ll<n1> * y::ll<n2>
ensures  x::ll<n3> & Q3(n1,n2,n3)

Inferred:
requires x::ll<n1> * y::ll<n2> & x != null
ensures  x::ll<n3> & n1+n2=n3

Inference Example

infer [R]
requires x::ll<n1> * y::ll<n2> & n != null & Term[R(n1, n2)]
ensures  x::ll<n3> & n1+n2=n3

Inferred:
requires x::ll<n1> * y::ll<n2> & n != null & Term[n1]
ensures  x::ll<n3> & n1+n2=n3

Selective Entailment

Figure (selective entailment over the inference variables [v*]): the antecedent (1) entails the consequent (2), producing the residue (3), the inferred precondition (4) and derived definitions (d).

Key Principles
• Selective Inference
• Inferable Heap Locations
• Never Inferring False
• Antecedent Contradiction
• Unknown Relation/Function Derivation

Selective Inference

[x]  x::ll<n>  entails  x::node<_,q>
     inferred precondition: x != null    residue: q::ll<n-1>

[n]  x::ll<n>  entails  x::node<_,q>
     inferred precondition: n > 0        residue: q::ll<n-1>

Selective Inference

[x]  x::ll<n>  entails  x::node<_,null>
     FAIL

[n]  x::ll<n>  entails  x::node<_,null>
     inferred precondition: n=1          residue: emp

Inferring Heap Locations
• Heap state may be inferred

[x]  emp  entails  x::node<_,null>
     inferred precondition: x::node<_,null>    residue: emp

• Allows predicates to be inferred
• Allows cascaded heaps by adding auxiliary variables

Never Inferring False

[x]  true  entails  x>x
     FAIL

[x]  true  entails  x::node<_,_> * x::node<_,_>
     FAIL

Antecedent Contradiction
• What if a contradiction is detected between (1) and (2)?

Figure: [v*] antecedent (1) entails consequent (2)

Add a precondition over v* to support the contradicted antecedent.

Antecedent Contradiction

[b]  x=1 & b>0  entails  x=2
     inferred precondition: b<=0         residue: false

[x]  x=null  entails  x::node<_,q>
     inferred precondition: x != null    residue: false

Selective Inference

[Q]  x::node<_,y> * y::ll<n2> & n1=1  entails  x::ll<n3> & Q(n1,n2,n3)
     gives  n1=1 & n3=n2+1 => Q(n1,n2,n3)

[Q]  x::node<_,y> * y::ll<n2> & Q(n1-1,n2,n3)  entails  x::ll<n3> & Q(n1,n2,n3)
     gives  n3=n2+1 & n1>0 & Q(n1-1,n2,n3) => Q(n1,n2,n3)

FixPoint Calculation

n1=1 & n3=n2+1 => Q(n1,n2,n3)
n3=n2+1 & n1>0 & Q(n1-1,n2,n3) => Q(n1,n2,n3)

Fixpoint (the relation reported as n1+n2=n3 on the Inference Example slide):
n1>0 & n2>=0 & n3=n1+n2 => Q(n1,n2,n3)
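Added example, not from the slides: a recursive list append in C whose two cases correspond to the two relational definitions for Q above and whose inferred specification matches the Inference Example slide. That the function being inferred is append is an assumption, as are the ll<n> predicate and the HIP-style spec text, which sit in comments and are not checked by the C compiler; the plain C part exercises the inferred relation n1+n2=n3 on constructed lists.

```c
#include <stdlib.h>

struct node { int val; struct node *next; };

/* Assumed list predicate in HIP style (a comment, so this builds as plain C). */
/*@ ll<n> == self = null & n = 0
       or self::node<_,q> * q::ll<n-1>
       inv n >= 0; */

/* The base case x->next == NULL is the state x::node<_,y> * y::ll<n2> & n1=1;
 * the recursive case carries Q(n1-1,n2,n3) for the tail. The inferred
 * x != null is required because x->next is dereferenced unconditionally. */
void append(struct node *x, struct node *y)
/*@ requires x::ll<n1> * y::ll<n2> & x != null
    ensures  x::ll<n3> & n1 + n2 = n3; */
{
  if (x->next == NULL) x->next = y;
  else append(x->next, y);
}

int length(struct node *p)
/*@ requires p::ll<n> ensures p::ll<n> & res = n; */
{
  if (p == NULL) return 0;
  return 1 + length(p->next);
}

/* Constructed input: a list holding the values 1..k (empty when k == 0). */
struct node *make_list(int k) {
  struct node *head = NULL;
  for (int i = k; i >= 1; i--) {
    struct node *n = malloc(sizeof *n);
    if (!n) abort();
    n->val = i; n->next = head; head = n;
  }
  return head;
}

void free_list(struct node *p) {
  while (p) { struct node *next = p->next; free(p); p = next; }
}

/* Checks the inferred relation n1 + n2 = n3 on concrete lists. n1 must be
 * at least 1, because append's precondition demands x != null. */
int append_keeps_lengths(int n1, int n2) {
  struct node *x = make_list(n1), *y = make_list(n2);
  append(x, y);
  int ok = length(x) == n1 + n2;
  free_list(x);   /* y's nodes are now reachable from x */
  return ok;
}
```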

Inferring Heap Locations
• Auxiliary variables may be added

[x]  emp  entails  x::node<_,q> * q::node<_,null>

[x, x1]  emp  entails  x::node<_,q> * q::node<_,null>
     inferred precondition: x::node<_,x1> * x1::node<_,null> & x1=q

[x, x1]  emp  entails  x::node<_,q> * q::node<_,null>
     inferred precondition: x::node<_,x1> & x1=q

Inferring Unknown Relations
• Two kinds of relationships inferred

Relational Obligation:   R(..) => c
Relational Definition:   R(..) & c => R(…)

Further Reading
• Trinh, Minh-Thai, Quang Loc Le, Cristina David, and Wei-Ngan Chin. "Bi-Abduction with Pure Properties for Specification Inference." In Programming Languages and Systems, pp. 107-123. Springer International Publishing, 2013.