techniques for proving programs with pointers a. tikhomirov
TRANSCRIPT
![Page 1: Techniques for proving programs with pointers A. Tikhomirov](https://reader036.vdocument.in/reader036/viewer/2022062313/56649c725503460f94923404/html5/thumbnails/1.jpg)
Techniques for proving programs with pointers
A. Tikhomirov
![Page 2: Techniques for proving programs with pointers A. Tikhomirov](https://reader036.vdocument.in/reader036/viewer/2022062313/56649c725503460f94923404/html5/thumbnails/2.jpg)
2
Why is it important?
• Every program works not only with stack but stores intermediate data in heap and use pointers to operate with heap.
• Common program verification techniques couldn’t work with pointers and heap.
![Page 3: Techniques for proving programs with pointers A. Tikhomirov](https://reader036.vdocument.in/reader036/viewer/2022062313/56649c725503460f94923404/html5/thumbnails/3.jpg)
3
SEPARATION LOGICJohn C. Reynolds, Peter O’Hearn
![Page 4: Techniques for proving programs with pointers A. Tikhomirov](https://reader036.vdocument.in/reader036/viewer/2022062313/56649c725503460f94923404/html5/thumbnails/4.jpg)
4
Fail using Hoare Logic
• Structure of Hoare Logic assignment judgment couldn't work with heap.
int x = 5;int *y = &x; // *y = 5 x = 3; // *y = 3 Hoare logic doesn’t specify
holding of *y
FAIL
![Page 5: Techniques for proving programs with pointers A. Tikhomirov](https://reader036.vdocument.in/reader036/viewer/2022062313/56649c725503460f94923404/html5/thumbnails/5.jpg)
5
Separation Logic
• Representing the Heap• Assertions
empty heap singleton heap separating
conjunction separating implication
assertassert
assertassert
emp
assert
*
*
expexp
:
![Page 6: Techniques for proving programs with pointers A. Tikhomirov](https://reader036.vdocument.in/reader036/viewer/2022062313/56649c725503460f94923404/html5/thumbnails/6.jpg)
6
Separation Logic
• Asserts that x points to an adjacent pair of cells containing u, v (x stores address α and the heap maps α into u and (α +1) into v)
;]1[; ][:
,
vu
vux
![Page 7: Techniques for proving programs with pointers A. Tikhomirov](https://reader036.vdocument.in/reader036/viewer/2022062313/56649c725503460f94923404/html5/thumbnails/7.jpg)
7
Singleton heap
• Reference pointer to some cell• Asserts that x points to an adjacent pair of
sells containing 1 and y.
yx ,1 xy ,1
![Page 8: Techniques for proving programs with pointers A. Tikhomirov](https://reader036.vdocument.in/reader036/viewer/2022062313/56649c725503460f94923404/html5/thumbnails/8.jpg)
8
Separating conjunction
xyyx ,1*,1
• The separating conjunction constructs a heap property from two disjoint heaps
![Page 9: Techniques for proving programs with pointers A. Tikhomirov](https://reader036.vdocument.in/reader036/viewer/2022062313/56649c725503460f94923404/html5/thumbnails/9.jpg)
9
Logical conjunction
• Could be ambiguous in heap, x and y could be aliases ,or disjoint.
xyyx ,1,1
![Page 10: Techniques for proving programs with pointers A. Tikhomirov](https://reader036.vdocument.in/reader036/viewer/2022062313/56649c725503460f94923404/html5/thumbnails/10.jpg)
10
Lists
• List representation
![Page 11: Techniques for proving programs with pointers A. Tikhomirov](https://reader036.vdocument.in/reader036/viewer/2022062313/56649c725503460f94923404/html5/thumbnails/11.jpg)
11
Frame rule
• Frame rule:
This rule holds as long as free variables in s not mentioned in R.
}*{}*{
}{}{
QRsPR
QsP
![Page 12: Techniques for proving programs with pointers A. Tikhomirov](https://reader036.vdocument.in/reader036/viewer/2022062313/56649c725503460f94923404/html5/thumbnails/12.jpg)
12
Allocation
• Allocation rule (local):
• Allocation rule (global):
}{)(:}{ eveallocv emp
}*){()(:}{ reveallocvr
![Page 13: Techniques for proving programs with pointers A. Tikhomirov](https://reader036.vdocument.in/reader036/viewer/2022062313/56649c725503460f94923404/html5/thumbnails/13.jpg)
13
Deallocation
• Dispose rule (local):
• Dispose rule (global):
}{}{ empedisposee
}{}*){( redisposere
![Page 14: Techniques for proving programs with pointers A. Tikhomirov](https://reader036.vdocument.in/reader036/viewer/2022062313/56649c725503460f94923404/html5/thumbnails/14.jpg)
14
Heap write (mutation)
• Mutation forward rule (local):
• Mutation forward rule (global):
}{:][}{ eeeee
}*){(:][}*){( reeeere
![Page 15: Techniques for proving programs with pointers A. Tikhomirov](https://reader036.vdocument.in/reader036/viewer/2022062313/56649c725503460f94923404/html5/thumbnails/15.jpg)
15
Examples of Operational Semantics
• Allocation x := cons(y, z)
• Heap lookup y := [x+1]
• Mutation [x + 1] := 3
• Deallocation dispose(x+1)
Store: [x:3, y:40, z:17]
Heap: empty
Store: [x:37, y:40, z:17]
Heap: [37:40, 38:17]
Store: [x:37, y:17, z:17]
Heap: [37:40, 38:3]
Store: [x:37, y:17, z:17]
Heap: [37:40, 38:17]
Store: [x:37, y:17, z:17]
Heap: [37:40]
![Page 16: Techniques for proving programs with pointers A. Tikhomirov](https://reader036.vdocument.in/reader036/viewer/2022062313/56649c725503460f94923404/html5/thumbnails/16.jpg)
16
Example: Swap
• Function in which the contents of two heap cells are swapped:
t1 := [v1]t2 := [v2][v1] := t2[v2] := t1
}*/{***/*}*{ 12212211 vvvvncomputatiovvvv
![Page 17: Techniques for proving programs with pointers A. Tikhomirov](https://reader036.vdocument.in/reader036/viewer/2022062313/56649c725503460f94923404/html5/thumbnails/17.jpg)
17
Example: Swapvoid swap (int* v1, int* v2) {
t1:= [v1]
t2 := [v2]
[v1] := t2
[v2] := t1
}
// {v1 > v1’ * v2 > v2’}
// {t1 = v1’ & v1 > v1’ * v2 > v2’}
// {t1 = v1’ & t2 = v2’ & v1 > v1’ * v2 > v2’}
// {t1 = v1’ & t2 = v2’ & v1 > v2’ * v2 > v2’}
// {t1 = v1’ & t2 = v2’ & v1 > v2’ * v2 > v1’}
![Page 18: Techniques for proving programs with pointers A. Tikhomirov](https://reader036.vdocument.in/reader036/viewer/2022062313/56649c725503460f94923404/html5/thumbnails/18.jpg)
18
Example: Doubly Indirect References
• Mutating the value of a double indirect reference (a pointer to a pointer):
}*/{***/*}*{ vwwpncomputatiowwp
![Page 19: Techniques for proving programs with pointers A. Tikhomirov](https://reader036.vdocument.in/reader036/viewer/2022062313/56649c725503460f94923404/html5/thumbnails/19.jpg)
19
Example: Doubly Indirect References
void write (int** p, int v) {
t:= [p]
[t] := v
}
// {p > w * w > —}
// {p > w} Frame rule – begin
// {t = w & p > w} Mutation// {t = w & p > w * w > —} Frame rule — end
// {t = w & w > —} Frame rule — begin
// {t = w & w > v} Mutation
// {t = W & p > w * w > v} Frame rule — end// {p > w * w > v} Remove extra stack assertion
![Page 20: Techniques for proving programs with pointers A. Tikhomirov](https://reader036.vdocument.in/reader036/viewer/2022062313/56649c725503460f94923404/html5/thumbnails/20.jpg)
20
Example: Doubly Indirect References
• Attempting to aggressively apply Frame rule to entire block would result in a stuck proof.
void write (int** p, int v) {
// {p > w * w > —}// {p > w} Frame rule – begin t:= [p]// {t = w & p > w} Mutation [t] := v// {??} Stuck – no mapping for w// {t = W & p > w * w > v} Frame rule — end
}
![Page 21: Techniques for proving programs with pointers A. Tikhomirov](https://reader036.vdocument.in/reader036/viewer/2022062313/56649c725503460f94923404/html5/thumbnails/21.jpg)
21
Example: DeleteTree
void deleteTree (t) {
local i,j; if (t != nil) {
i = [t] j = [t+1]
deleteTree(j) deleteTree(i)
dispose(t) }
}
// {tree(t)}
// {tree(t) ^ t != nil}
// {∃x,y. t > (x,y) * tree(x) * tree(y)}
// {emp}
// {t > (i,j) * tree(i) * tree(j)}
// {t > (i,j) * tree(i)}// {t > (i,j) * nil}
// {emp}
![Page 22: Techniques for proving programs with pointers A. Tikhomirov](https://reader036.vdocument.in/reader036/viewer/2022062313/56649c725503460f94923404/html5/thumbnails/22.jpg)
22
Example: List reverse
list reverse (x) {
y = nil; while (x != nil) {
t := [x]; x := [y];
y := x; x := t; } return y;
}
// {list(x)}
// {list(y)}
// {list(x) * list(y)}// {x != nil ^ list(x) * list(y)}
// {x > t ^ list(t) * list(y)}// {x > y ^ list(x) * list(y)}
// {list(t) * list(x)}
// {list(t) * list(y)}
// {list(x) * list(y)}
// {x = nil ^ list(x) * list(y)}
![Page 23: Techniques for proving programs with pointers A. Tikhomirov](https://reader036.vdocument.in/reader036/viewer/2022062313/56649c725503460f94923404/html5/thumbnails/23.jpg)
23
Conclusion
• Extension of Hoare logic– Could use verification tools, that work with Hoare
logic• For automatic proving– Assertions– Pre and post-conditions
![Page 24: Techniques for proving programs with pointers A. Tikhomirov](https://reader036.vdocument.in/reader036/viewer/2022062313/56649c725503460f94923404/html5/thumbnails/24.jpg)
24
SHAPE ANALYSISReinhard Wilhelm, Mooly Sagiv, Thomas Reps
![Page 25: Techniques for proving programs with pointers A. Tikhomirov](https://reader036.vdocument.in/reader036/viewer/2022062313/56649c725503460f94923404/html5/thumbnails/25.jpg)
25
Shape Analysis
• Somewhat constrained view of programs• Static code analysis• Program verification
![Page 26: Techniques for proving programs with pointers A. Tikhomirov](https://reader036.vdocument.in/reader036/viewer/2022062313/56649c725503460f94923404/html5/thumbnails/26.jpg)
26
Destructive Reverse
![Page 27: Techniques for proving programs with pointers A. Tikhomirov](https://reader036.vdocument.in/reader036/viewer/2022062313/56649c725503460f94923404/html5/thumbnails/27.jpg)
27
Input to reverse
• (a) lists of length at least 2• (b) list of length 1
![Page 28: Techniques for proving programs with pointers A. Tikhomirov](https://reader036.vdocument.in/reader036/viewer/2022062313/56649c725503460f94923404/html5/thumbnails/28.jpg)
28
Input to reverse
• List structure of size from 0 to 4
![Page 29: Techniques for proving programs with pointers A. Tikhomirov](https://reader036.vdocument.in/reader036/viewer/2022062313/56649c725503460f94923404/html5/thumbnails/29.jpg)
29
Graph interpretation
• Rectangle box containing p represent pointer variable p
• Ovals – abstract locations– solid – represents exactly one heap cell– dotted – represent one or more heap cells
• Edge – label c between locations m and m’– solid – c component of m will point to m’– dotted - c component of m may point to m’
![Page 30: Techniques for proving programs with pointers A. Tikhomirov](https://reader036.vdocument.in/reader036/viewer/2022062313/56649c725503460f94923404/html5/thumbnails/30.jpg)
30
3-value logic
• solid means “always holds”• absent means “never hold”• dotted means “don’t know”
![Page 31: Techniques for proving programs with pointers A. Tikhomirov](https://reader036.vdocument.in/reader036/viewer/2022062313/56649c725503460f94923404/html5/thumbnails/31.jpg)
31
Execution states
• (a) – shape arise before executing x=x->n• (b) & – (c) after executing x=x->n on shape (a)
![Page 32: Techniques for proving programs with pointers A. Tikhomirov](https://reader036.vdocument.in/reader036/viewer/2022062313/56649c725503460f94923404/html5/thumbnails/32.jpg)
32
Insert algorithm
• The same list structure
![Page 33: Techniques for proving programs with pointers A. Tikhomirov](https://reader036.vdocument.in/reader036/viewer/2022062313/56649c725503460f94923404/html5/thumbnails/33.jpg)
33
Execution States (1)
y = x;
while (y->n != NULL) {y = y->n}
![Page 34: Techniques for proving programs with pointers A. Tikhomirov](https://reader036.vdocument.in/reader036/viewer/2022062313/56649c725503460f94923404/html5/thumbnails/34.jpg)
34
Execution States (2)
t = malloc();
t -> data = n
![Page 35: Techniques for proving programs with pointers A. Tikhomirov](https://reader036.vdocument.in/reader036/viewer/2022062313/56649c725503460f94923404/html5/thumbnails/35.jpg)
35
Execution States (3)
e = y->n;
![Page 36: Techniques for proving programs with pointers A. Tikhomirov](https://reader036.vdocument.in/reader036/viewer/2022062313/56649c725503460f94923404/html5/thumbnails/36.jpg)
36
Execution States (4)
t->n = NULL;
t->n = e;
![Page 37: Techniques for proving programs with pointers A. Tikhomirov](https://reader036.vdocument.in/reader036/viewer/2022062313/56649c725503460f94923404/html5/thumbnails/37.jpg)
37
Execution States (5)
y->n = NULL;
![Page 38: Techniques for proving programs with pointers A. Tikhomirov](https://reader036.vdocument.in/reader036/viewer/2022062313/56649c725503460f94923404/html5/thumbnails/38.jpg)
38
Execution States (6)
y->n = t;
![Page 39: Techniques for proving programs with pointers A. Tikhomirov](https://reader036.vdocument.in/reader036/viewer/2022062313/56649c725503460f94923404/html5/thumbnails/39.jpg)
39
Conclusion
• Code analysis– NULL-pointers;– May-Alias;– Must-Alias;– Sharing;– Reachability;– Disjointness;– Cyclicity;– Shape;