lightweight support for magic wands in an automatic verifier malte schwerhoff and alexander j....
TRANSCRIPT
Lightweight Support forMagic Wands in anAutomatic Verifier
Malte Schwerhoff and Alexander J. Summers
10th July 2015, ECOOP, Prague
Frame Problem
Modular, static verification of imperative programs
⤷ Frame problem: Which memory locations change?
Automated verification: Pre-/Postconditions, invariants, ghost code
Well-known approach: Permissions (≈ Separation Logic)
2
3
caller callee
Permission Transfer
4
Permission Transfer
?
caller callee
?
5
?
caller callee
?
Permission Transfer
Permissions (≈ Separation Logic)
6
(≈ )acc(x.f) ∗ x.f == 0
x.f ⟼ 0Logical properties0
(≈ )acc(x.f) ∗ acc(y.f)
x.f ⟼ _ ∗ y.f ⟼ _
Disjointness: x ≠ y
Syntax & Properties
7
A ∗ B
describes the current state in terms of disjoint substates
Separating Conjunction
8
A ∗ B
describes the current state in terms of disjoint substates
?Is at the heart of verifiers based on separation logic
Separating Conjunction
9
A —∗ Bdescribes hypothetical states
Read as a promise: “In any state, if you provide A,
then you will get B”
Magic Wands
10
Scenario: Iteratively traverse a recursively defined tree (Verification Challenge at
VerifyThis@FM’12)
Partial Data Structures
11
Scenario: Iteratively traverse a recursively defined tree
⤷ Loop invariant: Describe partial data structure
Partial Data Structures
12
Indirectly describe partial data structure as a promise
---—∗
Partial Data Structures as Magic Wands
13
Modus-Ponens-like rule makes promise applicable
---—∗
∗
Partial Data Structures as Magic Wands
14
---—∗
∗
σ ⊨ A —∗ B ⇔ ∀σ’ · (σ’ ⊨ A ⇒ σ ⊎σ’ ⊨ B)
Partial Data Structures as Magic Wands
15
Used in various pen & paper proofs−Partial data structures−Usage protocols for data structures−Synchronisation barriers−…
Typically* not supported in automatic verifiers
* Only exception we are aware of is VerCors; developed in parallel
σ ⊨ A —∗ B ⇔ ∀σ’ · (σ’ A ⊨ ⇒ σ ⊎σ’ B)⊨
Magic Wands in Proofs and Tools
16
Entailment of magic wand formulas is undecidable⤷ Lightweight user guidance to direct verification
Automating Magic Wand Reasoning
17
package A —∗ B
apply A —∗ BUse it
Pass it
around
Make apromis
e
---—∗∗
---—∗
Opaque resource;
Specifications
Guidance: Ghost Operations + Specifications
18
package A —∗ B
apply A —∗ BUse it
Pass it
around
Make apromis
e
---—∗∗
---—∗
Opaque resource;
Specifications
Guidance: Ghost Operations + Specifications
Challenge:
Ensure soundness of apply in
any (future) state
19
Permissions guaranteeing that giving up A ∗ (A —∗ B) and obtaining B is sound
---—∗
carved out ⤷ effectively immutable
Footprints of A —∗ B
20
Footprints are not unique
---—∗
or or all available permissions
Footprints of A —∗ B
21
Footprints are not unique
---—∗
or or all available permissions
How to choosea footprint?
Footprints of A —∗ B
package A —∗ (B1 ∗ B2 ∗ … ∗ Bn)
22
0. givencurrentstate
v1 v2
v3v5v4
Footprint Computation Algorithm: Setup
package A —∗ (B1 ∗ B2 ∗ … ∗ Bn)
23
1. createLHSstate
currentstate
⊨ A
v1 v2
v3v5
w2
w3
w1
v4
w3
Footprint Computation Algorithm: Setup
package A —∗ (B1 ∗ B2 ∗ … ∗ Bn)
24
LHSstate
currentstate
⊨ A
v1 v2
v3v5
w2
w3
w1
v4
w3
Footprint Computation Algorithm: Setup
2. create empty RHS
state
package A —∗ (B1 ∗ B2 ∗ … ∗ Bn)
25
LHSstate
currentstate RHS state
v1 v2
v3v5
w2
w3
w1
v4
w3
3. iterate over Bi’s: If Bi is acc(x.f) then transfer
permissions and assumptions
Footprint Computation Algorithm: Execution
package A —∗ (B1 ∗ B2 ∗ … ∗ Bn)
26
LHSstate
currentstate RHS state
v1 v2
v3v5
w2
w3
3. iterate over Bi’s: If Bi is acc(x.f) then transfer
permissions and assumptions
w1
v4
w3
w1
Xw3
X
v2
X
Footprint Computation Algorithm: Execution
package A —∗ (B1 ∗ B2 ∗ … ∗ Bn)
27
LHSstate
currentstate RHS state
v1 v2
v3v5
w2
w3
w1
v4
w3
w1
Xw3
X
v2
X
3. iterate over Bi’s: If Bi is a logical property P,
e.g. x.f == 0, then check P
⊨ P?
Footprint Computation Algorithm: Execution
package acc(x.f) —∗ acc(x.f)
28
LHSstate
currentstate RHS state
Examples
package true —∗ acc(x.f)
29
LHSstate
currentstate RHS state
Examples
package true —∗ acc(x.f) ∗ x.f == 0
30
LHSstate
currentstate RHS state
⊨ x.f == 0
0
Examples
package acc(x.f) —∗ acc(x.f) ∗ x.f == 0
31
LHSstate
currentstate RHS state
⊭ x.f == 0
0
?
Examples
Abstract predicates for recursive data structures
32
x == null∗
xl
xx
r
Existing Features
Abstract predicates plus ghost operations
33
∗
xl
x
r
foldtree(x)
unfoldtree(x)
Existing Ghost Operations
package —∗ xxxxx
34
Integrating Existing Ghost Operations
package —∗ (fold tree(x) in )
35
Integrating Existing Ghost Operations
36
LHSstate
currentstate RHS state
package —∗ (fold tree(x) in )
Integrating Existing Ghost Operations
37
LHSstate
currentstate RHS state
package —∗ (fold tree(x) in )
Integrating Existing Ghost Operations
Part of Viper verification infrastructure− Implementation based on symbolic execution−Rich logic: unrestricted abstract predicates,
abstraction functions, quantifiers, sets, sequences, custom mathematical domains, flexible permission model, …
Set of interesting examples; 1.6 to 3 seconds
Verification challenge from VerifyThis’12−Verifies in 3s−VerCors:−6 minutes (originally, using Chalice/Boogie)−60 seconds (currently, using Viper)
38
Implementation
Simple heuristics to infer package and apply statements
Infers all package and apply statements in our examples
Verification time: +0.5s or less
39
Annotation Inference Heuristics
40
Scenario: Iteratively traverse a recursively defined tree
⤷ Loop invariant: Describe partial data structure
A
A ---—∗
BB
VerifyThis’12 Challenge Revisited
41
VerifyThis’12 Challenge Encoded
42
Named shorthand,could be inlined
Inferred byheuristics
Required ineither case
VerifyThis’12 Challenge Encoded
Algorithm for computing wand footprints−Sound (proof sketch)−Permissive and predictable
Formalised verifier-independently
Implementation−Co-first* to support magic wands in an automatic
verifier−Lightweight user annotations−Convincing initial results (expressiveness,
performance)
43* VerCors
www.pm.inf.ethz.ch/research/viper.html