
A Constructor-Based Reachability Logic for Rewrite Theories (PowerPoint presentation)



  1. A Constructor-Based Reachability Logic for Rewrite Theories. Stephen Skeirik, Andrei Stefanescu, Jose Meseguer. October 10th, 2017.

  2. Outline: 1 Introduction; 2 Reachability Logic Semantics; 3 The Invariant Paradox; 4 Inference System; 5 Implementation and Case Studies; 6 Conclusions and Future Work.

  3. Introduction: Origins of Reachability Logic. Reachability Logic (RL) was originally proposed by Rosu et al. to verify programs in K, based on a rewriting logic (RWL) definition of the semantics of a language $L$. RL generalizes both Hoare Logic and Separation Logic, and it is language-generic: a prover can be generated for each language $L$ from its rewriting logic semantics $\mathcal{R}_L$.

  4. Introduction: From Language-generic to Theory-generic RL. This work addresses the following open problems: (1) Can we develop a reachability logic for general rewrite theories, i.e. $RL(\mathcal{R})$ generalizing $RL(\mathcal{R}_L)$? This would allow us to move from verifying code to verifying distributed system designs. (2) How can we maximize automation in RL proofs? (3) How can we use RL to prove invariants (the invariant paradox)?

  5. Introduction: From Language-generic to Theory-generic RL. We address questions (1)-(3) via: (1) developing a new RWL-theory-based RL semantics and a very simple proof system; (2) utilizing RWL concepts (e.g. constructors, variants) in our proof system, as well as an equational-theory-generic SMT solver as a backend, based on variant satisfiability; (3) applying an appropriate RWL theory transformation to prove invariants.

  6. Introduction: A Running Example, QLOCK. The mutual exclusion protocol QLOCK has five rewrite rules over states $\langle n \mid w \mid c \mid q \rangle$, with $n$, $w$, $c$ multisets of process ids and $q$ a queue of ids:
$$\begin{array}{ll}
\mathrm{n2w}: & \langle n\ i \mid w \mid c \mid q \rangle \to \langle n \mid w\ i \mid c \mid q\,;\,i \rangle \\
\mathrm{w2c}: & \langle n \mid w\ i \mid c \mid i\,;\,q \rangle \to \langle n \mid w \mid c\ i \mid i\,;\,q \rangle \\
\mathrm{c2n}: & \langle n \mid w \mid c\ i \mid i\,;\,q \rangle \to \langle n\ i \mid w \mid c \mid q \rangle \\
\mathrm{join}: & \langle n \mid w \mid c \mid q \rangle \to \langle n\ i \mid w \mid c \mid q \rangle \ \ \text{if } \phi \\
\mathrm{exit}: & \langle n\ i \mid w \mid c \mid q \rangle \to \langle n \mid w \mid c \mid q \rangle
\end{array}$$
where $\phi \equiv dup(n\ w\ c\ i) \neq tt$. QLOCK's specification is $\mathcal{R}_{QLOCK} = (\Sigma, E \cup B, R)$ with $R$ the rules above, $B$ the axioms ACU for multiset union (written as juxtaposition) and A for the queue constructor $;$, and $E$ the single equation $dup(s\ s\ s') = tt$.


  8. Reachability Logic Semantics: Constrained Constructor Patterns. Definition. Let $(\Sigma, B, \vec{E})$ be sufficiently complete w.r.t. constructors $\Omega$. A constrained constructor pattern is a pair $u \mid \varphi$ such that $u \in T_\Omega(X)$ and $\varphi \in QFForm(\Sigma)$. The set $PatPred(\Omega, \Sigma)$ contains $\bot$ and all constrained constructor patterns, and is closed under $\vee$ and $\wedge$. The semantics of a predicate $A$ is $\llbracket A \rrbracket \subseteq C_{\Sigma/E,B}$, where:
(1) $\llbracket \bot \rrbracket = \emptyset$;
(2) $\llbracket u \mid \varphi \rrbracket = \{\, [(u\rho)!]_{B_\Omega} \in C_{\Sigma/E,B} \mid \rho \in [X \to T_\Omega] \wedge E \cup B \models \varphi\rho \,\}$;
(3) $\llbracket A \vee B \rrbracket = \llbracket A \rrbracket \cup \llbracket B \rrbracket$;
(4) $\llbracket A \wedge B \rrbracket = \llbracket A \rrbracket \cap \llbracket B \rrbracket$.

  9. Reachability Logic Semantics: Reachability Formulas. Definition. Given patterns $u \mid \varphi$ and $v_i \mid \psi_i$, a reachability formula has the form $u \mid \varphi \to^{\circledast} \bigvee_i v_i \mid \psi_i$. Example. (1) A constrained constructor pattern: $\langle n \mid w \mid c \mid q \rangle \mid dup(n\ w\ c) \neq tt$. (2) A reachability formula built from it: $\langle n \mid w \mid c \mid q \rangle \mid dup(n\ w\ c) \neq tt \ \to^{\circledast}\ \langle n' \mid w' \mid c' \mid q' \rangle \mid dup(n'\ w'\ c') \neq tt$.

  10. Reachability Logic Semantics: Intuitive Semantics. Q: What does the relation $A \to^{\circledast} B$ mean? A: Suppose we have (1) a rewrite theory $\mathcal{R}$, (2) pattern formulas $A$, $B$, (3) and terminating states $T$. Then $A \to^{\circledast} B$ means: for each state $[t] \in \llbracket A \rrbracket$ and rewrite path $p$ from $[t]$, either (1) $p$ crosses $\llbracket B \rrbracket$ (and so satisfies $A \to^{\circledast} B$), or (2) $p$ is infinite (and satisfies it vacuously). (The slide's figure draws the paths that do neither, i.e. terminate without ever crossing $\llbracket B \rrbracket$, as dashed counterexamples.)

  11. Reachability Logic Semantics: Formal Semantics. Definition. Let $\mathcal{R} = (\Sigma, E \cup B, R)$ have (a) good executability conditions, (b) constructor subsignature $\Omega$, (c) and top sort $State$ of states. Let $C_{\mathcal{R}}$ denote the canonical reachability model. Then $\mathcal{R} \models A \to^{\circledast} B$ iff: for each concrete state $[u_0] \in C_{\mathcal{R},State} \cap \llbracket A \rrbracket$ and terminating sequence $[u_0] \to_{\mathcal{R}} [u_1] \cdots [u_{n-1}] \to_{\mathcal{R}} [u_n]$, there exists $0 \leq j \leq n$ with $[u_j] \in \llbracket B \rrbracket$. N.B.: this is expressible as the LTL formula $A \to (\Box\, enabled) \vee \Diamond B$.


  13. The Invariant Paradox: Introduction. Recall our example theory QLOCK. Q: How do we express the mutual exclusion invariant by some $A \to^{\circledast} B$? A: Since (1) $A \to^{\circledast} B$ just means $A \to (\Box\, enabled) \vee \Diamond B$, (2) and QLOCK is never terminating, all formulas $A \to^{\circledast} B$ are satisfied, so we cannot. (Paradox!!)

  14. The Invariant Paradox: Solving the Invariant Paradox (I). Recall the structure of the rewrite rules in QLOCK, e.g. $\mathrm{n2w}: \langle n\ i \mid w \mid c \mid q \rangle \to \langle n \mid w\ i \mid c \mid q\,;\,i \rangle$. Each rule is topped with the $State$ constructor $\langle\_\rangle$. Let's add the rule $\mathrm{stop}: \langle n \mid w \mid c \mid q \rangle \to [\,n \mid w \mid c \mid q\,]$, which copies the state into a fresh constructor $[\_]$. Note that the stop rule can terminate from any state in the combined theory QLOCK-stop. If $B = \langle \ldots \rangle \mid \varphi$, let $[B]$ denote the predicate $[B] = [\ldots] \mid \varphi$. Fact. $B$ is an invariant from initial states $S_0$ in QLOCK iff $S_0 \to^{\circledast} [B]$ holds in QLOCK-stop.

  15. The Invariant Paradox: Solving the Invariant Paradox (II). Let $\mathcal{R}$ be a rewrite theory; assume a single $State$ constructor $\langle \_, \ldots, \_ \rangle : w \to State$ and that all rules have terms of sort $State$. Let $\mathcal{R}_{stop}$ extend $\mathcal{R}$ by adding (i) a fresh $[\_, \ldots, \_] : w \to State$, and (ii) a stop rule $\langle \vec{x}{:}w \rangle \to [\vec{x}{:}w]$. Then:
Theorem. $B$ is an invariant for $\mathcal{R}$ from $S_0$ iff $S_0 \to^{\circledast} [B]$ holds in $\mathcal{R}_{stop}$.
Corollary. If $\llbracket S_0 \rrbracket \subseteq \llbracket B \rrbracket$ and $B \to^{\circledast} [B]$ holds in $\mathcal{R}_{stop}$, then $B$ is an invariant for $\mathcal{R}$ from initial states $S_0$.
Example. Mutual exclusion in QLOCK can be given by $Mutex = \langle n \mid w \mid i \mid i\,;\,q \rangle \mid dup(n\ w\ c\ i) \neq tt \ \vee\ \langle n \mid w \mid \emptyset \mid q \rangle \mid dup(n\ w\ c) \neq tt$. Prove: (i) $\llbracket \langle n \mid \emptyset \mid \emptyset \mid nil \rangle \mid dup(n) \neq tt \rrbracket \subseteq \llbracket Mutex \rrbracket$ (the initial states must exclude duplicate ids, otherwise (i) fails), and (ii) $Mutex \to^{\circledast} [Mutex]$.
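Added example (not part of the deck, and not the Maude prover it describes): a bounded explicit-state model of QLOCK (slide 6) that checks the terminating-path semantics of $A \to^{\circledast} B$ from slide 11, exhibits the invariant paradox of slide 13, and confirms the Theorem of slides 14-15 on the reachable states. Everything below is an assumption of this example: the supply of process ids that `join` may draw from is a fixed finite pool, multisets are sorted tuples (so ACU-equal multisets compare equal), and the initial state, the predicate names (`mutex`, `holds`, `reachable`) and the "nobody is critical" non-invariant are chosen here. The stray variable `c` in the constraints of `Mutex` on slide 15 occurs in neither pattern and quantifies away, so `mutex` encodes the equivalent constraints `dup(n w i)` and `dup(n w)`.

```python
# Bounded explicit-state model of QLOCK and QLOCK-stop, with the terminating-path semantics of
# A ->* B from slide 11. Assumption made here: join draws ids from a fixed finite pool.
from collections import deque
from typing import Callable, Iterable, NamedTuple, Set, Tuple

Ids = Tuple[int, ...]  # a multiset (kept sorted, so ACU-equal multisets compare equal) or a queue

class State(NamedTuple):
    """< n | w | c | q >, or [ n | w | c | q ] when stopped is True (the fresh constructor of R_stop)."""
    n: Ids
    w: Ids
    c: Ids
    q: Ids
    stopped: bool = False

def mset(*ids: int) -> Ids:
    return tuple(sorted(ids))

def without(m: Ids, i: int) -> Ids:
    """The m' in a match of m against the pattern m' i (drops one occurrence of i)."""
    k = m.index(i)
    return m[:k] + m[k + 1:]

def dup(*parts: Ids) -> bool:
    """The equation dup(s s s') = tt: True iff some id occurs twice in the union of the parts."""
    ids = [i for part in parts for i in part]
    return len(ids) != len(set(ids))

def qlock_successors(s: State, pool: Ids) -> Set[State]:
    """One rewrite step with the five QLOCK rules; a stopped [ ... ] state has no successors."""
    if s.stopped:
        return set()
    n, w, c, q = s.n, s.w, s.c, s.q
    succ = {State(without(n, i), mset(*w, i), c, q + (i,)) for i in set(n)}  # n2w: < n i|w|c|q > -> < n|w i|c|q;i >
    if q and q[0] in w:                                                      # w2c: < n|w i|c|i;q > -> < n|w|c i|i;q >
        succ.add(State(n, without(w, q[0]), mset(*c, q[0]), q))
    if q and q[0] in c:                                                      # c2n: < n|w|c i|i;q > -> < n i|w|c|q >
        succ.add(State(mset(*n, q[0]), w, without(c, q[0]), q[1:]))
    succ |= {State(mset(*n, i), w, c, q) for i in pool if not dup(n, w, c, (i,))}  # join, if dup(n w c i) =/= tt
    succ |= {State(without(n, i), w, c, q) for i in set(n)}                  # exit: < n i|w|c|q > -> < n|w|c|q >
    return succ

def stop_successors(s: State, pool: Ids) -> Set[State]:
    """QLOCK-stop: the QLOCK rules plus stop: < n | w | c | q > -> [ n | w | c | q ]."""
    return set() if s.stopped else qlock_successors(s, pool) | {s._replace(stopped=True)}

def reachable(init: Iterable[State], step, pool: Ids) -> Set[State]:
    seen = set(init)
    work = deque(seen)
    while work:
        for t in step(work.popleft(), pool):
            if t not in seen:
                seen.add(t)
                work.append(t)
    return seen

def holds(A: Iterable[State], B: Callable[[State], bool], step, pool: Ids) -> bool:
    """A ->* B (slide 11): every terminating path from a state of A visits B. A counterexample
    stays outside B and ends in a terminating state, so only states outside B are explored."""
    frontier = [s for s in A if not B(s)]
    seen = set(frontier)
    while frontier:
        succ = step(frontier.pop(), pool)
        if not succ:
            return False  # terminated without ever crossing B
        for t in succ:
            if not B(t) and t not in seen:
                seen.add(t)
                frontier.append(t)
    return True

def mutex(s: State) -> bool:
    """Mutex = < n | w | i | i ; q > | dup(n w i) =/= tt  or  < n | w | empty | q > | dup(n w) =/= tt."""
    if len(s.c) == 1:
        return s.q[:1] == s.c and not dup(s.n, s.w, s.c)
    return not s.c and not dup(s.n, s.w)

POOL = (1, 2, 3)                        # assumed finite supply of process ids
INIT = {State(mset(1, 2), (), (), ())}  # an instance of < n | empty | empty | nil > with no duplicate ids

def demo() -> dict:
    qlock_states = reachable(INIT, qlock_successors, POOL)
    return {
        # the paradox (slide 13): QLOCK never terminates, so A ->* B holds vacuously for every B
        "qlock_terminating": sum(1 for s in qlock_states if not qlock_successors(s, POOL)),
        "qlock_vacuous": holds(INIT, lambda s: False, qlock_successors, POOL),
        # slides 14-15: in QLOCK-stop the same formula fails, and S0 ->* [B] holds there
        # exactly when B is an invariant of QLOCK from S0 (Mutex is one; "c is empty" is not)
        "stop_not_vacuous": holds(INIT, lambda s: False, stop_successors, POOL),
        "mutex_invariant": all(mutex(s) for s in qlock_states),
        "mutex_stop": holds(INIT, lambda s: s.stopped and mutex(s), stop_successors, POOL),
        "empty_c_invariant": all(not s.c for s in qlock_states),
        "empty_c_stop": holds(INIT, lambda s: s.stopped and not s.c, stop_successors, POOL),
    }

if __name__ == "__main__":
    print(demo())
```

Running the module prints the dictionary: QLOCK has no terminating reachable state and `A ->* bottom` holds there vacuously, while in QLOCK-stop the same formula fails, `S0 ->* [Mutex]` holds and `S0 ->* [c is empty]` fails, matching the invariant/non-invariant status computed directly. The bounded search stands in for the symbolic proof over all instances that the deck's prover performs.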


  17. Inference System: Introduction (I). Q: Given an RWL theory $\mathcal{R}$, how do we then prove $A \to^{\circledast} B$? A: Perhaps surprisingly, two proof rules are enough: a rule that traces rewrite steps of symbolic states in $\mathcal{R}$, and a rule that internalizes terminating-path-length induction on $\mathcal{R}$. We call these two rules Step+Subsumption and Axiom.

  18. Inference System: Introduction (II). The key ideas are: (1) proving $A \to^{\circledast} B$ may require some auxiliary lemmas; let $\mathcal{C}$ denote the formula $A \to^{\circledast} B$ plus these lemmas; (2) for each formula in $\mathcal{C}$, start with the labeled sequent $[\emptyset, \mathcal{C}] \vdash_T u \mid \varphi \to^{\circledast} \bigvee_i v_i \mid \psi_i$; (3) the first part ($\emptyset$) is the set of formulas assumed as axioms (none yet); (4) the second part ($\mathcal{C}$) is the set of formulas to prove that cannot yet be assumed; (5) the Step+Subsumption rule allows us to inductively assume $\mathcal{C}$ after a rewrite step with the rules $R = \{\, l_j \to r_j \ \text{if } \phi_j \,\}$.

  19. Reachability Logic Proof Rules (I): the Step+Subsumption Rule.
$$\frac{\Big\{\,[\mathcal{A} \cup \mathcal{C},\ \emptyset] \vdash_T (r_j \mid \varphi' \wedge \phi_j)\alpha \to^{\circledast} \bigvee_i (v_i \mid \psi_i)\alpha \,\Big\}_{(j,\alpha)\,\in\,unify(u \mid \varphi',\ R)}}{[\mathcal{A}, \mathcal{C}] \vdash_T u \mid \varphi \to^{\circledast} \bigvee_i v_i \mid \psi_i}$$
with $\varphi' = \varphi \wedge \bigwedge_{(i,\beta)\,\in\,match(u,\{v_i\})} \neg(\psi_i\beta)$ and $R = \{\, l_j \to r_j \ \text{if } \phi_j \,\}$.
Note. The proof rule performs all possible narrowing steps with the rules $R$; goals $u \mid \varphi \to^{\circledast} B$ with unsatisfiable $\varphi$ are implicitly removed.

  20. Reachability Logic Proof Rules (II): the Axiom Rule.
$$\frac{[\{\, u' \mid \varphi' \to^{\circledast} \bigvee_j v'_j \mid \psi'_j \,\} \cup \mathcal{A},\ \emptyset] \vdash_T \bigvee_j v'_j\alpha \mid \varphi \wedge \psi'_j\alpha \to^{\circledast} \bigvee_i v_i \mid \psi_i}{[\{\, u' \mid \varphi' \to^{\circledast} \bigvee_j v'_j \mid \psi'_j \,\} \cup \mathcal{A},\ \emptyset] \vdash_T u \mid \varphi \to^{\circledast} \bigvee_i v_i \mid \psi_i}$$
where there exists $\alpha$ with $u =_{E_\Omega \cup B_\Omega} u'\alpha$ and $T_{\Sigma/E \cup B} \models \varphi \Rightarrow \varphi'\alpha$.
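Worked instance of the two rules on QLOCK-stop, added here as an illustration (it is not taken from the deck). Two simplifications are assumed: the stray variable $c$ in the constraints of $Mutex$ (slide 15) occurs in neither pattern and quantifies away, so the second disjunct is written $\langle n \mid w \mid \emptyset \mid q \rangle \mid dup(n\ w) \neq tt$; and a formula with a disjunctive left-hand side is treated as one sequent per disjunct. Take $\mathcal{C} = \{Mutex \to^{\circledast} [Mutex]\}$ and the sequent for that second disjunct:
$$[\emptyset, \mathcal{C}] \vdash_T \langle n \mid w \mid \emptyset \mid q \rangle \mid dup(n\ w) \neq tt \ \to^{\circledast}\ [Mutex].$$
Step+Subsumption. No disjunct of $[Mutex]$ matches a $\langle \ldots \rangle$ term, so $\varphi' = \varphi$. Unifying $u$ with the rule left-hand sides modulo ACU gives one narrowing step for each of n2w, w2c, join, exit and stop, and none for c2n, whose subpattern $c\ i$ cannot unify with $\emptyset$. Two of the premises are
$$\begin{array}{ll}
(\mathrm{stop}) & [\mathcal{C}, \emptyset] \vdash_T [\,n \mid w \mid \emptyset \mid q\,] \mid dup(n\ w) \neq tt \ \to^{\circledast}\ [Mutex] \\
(\mathrm{join}) & [\mathcal{C}, \emptyset] \vdash_T \langle n\ i \mid w \mid \emptyset \mid q \rangle \mid dup(n\ w) \neq tt \wedge dup(n\ w\ i) \neq tt \ \to^{\circledast}\ [Mutex]
\end{array}$$
and $\mathcal{C}$ has moved into the axiom position. The stop premise closes by subsumption: its left-hand side matches $[\,n' \mid w' \mid \emptyset \mid q'\,]$ with $\beta = \{n' \mapsto n,\ w' \mapsto w,\ q' \mapsto q\}$, so $\varphi' = dup(n\ w) \neq tt \wedge \neg(dup(n\ w) \neq tt)$ is unsatisfiable and the goal is removed without premises.
Axiom. The join premise is closed with the axiom $\langle n' \mid w' \mid \emptyset \mid q' \rangle \mid dup(n'\ w') \neq tt \to^{\circledast} [Mutex]$ from $\mathcal{C}$: with $\alpha = \{n' \mapsto n\ i,\ w' \mapsto w,\ q' \mapsto q\}$ we have $u = u'\alpha$ and $T_{\Sigma/E \cup B} \models \varphi \Rightarrow dup(n\ i\ w) \neq tt$ (modulo ACU). The new goal has left-hand side $[Mutex]\alpha$ with the constraint $\varphi \wedge \psi'_j\alpha$ conjoined to each disjunct, i.e. $[\,n\ i \mid w \mid \emptyset \mid q\,] \mid \varphi \wedge dup(n\ i\ w) \neq tt$ and the boxed first disjunct with its own constraint; each is an instance of a disjunct of $[Mutex]$ whose constraint is implied, so Step+Subsumption closes it exactly as for the stop premise. The remaining premises (n2w, w2c, exit) are handled the same way, since each left-hand side is an instance of a $Mutex$ disjunct whose constraint follows from the accumulated one (e.g. the exit premise $\langle n' \mid w \mid \emptyset \mid q \rangle \mid dup(n'\ i\ w) \neq tt$ implies $dup(n'\ w) \neq tt$, as a sub-multiset of a duplicate-free multiset is duplicate-free).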

  21. Reachability Logic Soundness. Theorem (Soundness). Let $\mathcal{R}$ be a rewrite theory and $\mathcal{C}$ a finite set of reachability formulas. If $\mathcal{R}$ proves $[\emptyset, \mathcal{C}] \vdash_T \mathcal{C}$, then $\mathcal{R} \models^{\forall}_T \mathcal{C}$.


  23. Implementation and Case Studies: Reflective Implementation. The proof system has been implemented in Maude. Some notes: (1) RWL is reflective, and Maude's META-LEVEL library, which supports reasoning over RWL theories and terms, was used; (2) Maude's built-in support for narrowing modulo axioms was used to compute successors in the RWL theory $\mathcal{R}$; (3) an implementation of a variant-satisfiability-based, theory-generic SMT solver was used to discharge satisfiability and validity proof obligations.
