Decidability of Entailments in Separation Logic with Arrays
Daisuke Kimura (Toho Univ.), joint work with Makoto Tatsuta (NII)
Workshop on Mathematical Logic and its Application, JSPS Core-to-Core Program
16-17 Sep. 2016, Kyoto University
Introduction
Separation Logic
• Proposed by J.C. Reynolds in 2002
• Each formula states some state of memory
• Useful for verifying pointer programs (like C)
Our on-going project: a separation-logic-based analyzer for C
• Fully automated system
• Checks memory errors (buffer overflow, memory leak)
• One of our main problems: a decision procedure for the entailment problem in SL
• Our current target system: separation logic with arrays
Syntax of SL_ARRAY
Terms: $t, u, n, m ::= x \mid 0 \mid 1 \mid \dots \mid t + t \mid t - t$
Pure expressions: $\Pi ::= t = t \mid t \neq t \mid t < t \mid \Pi \wedge \Pi$
Spatial expressions: $\Sigma ::= \mathrm{emp}$ (empty heap) $\mid t \mapsto (t, \dots, t)$ (points-to predicate) $\mid \mathrm{Array}(t, m)$ (array predicate) $\mid \Sigma * \Sigma$ (separating conjunction)
Symbolic heaps: $\Pi \wedge \Sigma$
Heap model
Stores: $s : \mathrm{Vars} \to \mathbb{N}$
Heaps: $h : \mathbb{N} \setminus \{0\} \to_{\mathrm{fin}} \mathbb{N}^n$ ($n$ is the arity of the points-to predicate $t \mapsto (t_1, \dots, t_n)$)
Heap model: $(s, h)$. A heap model means a state of memory.
For example, assume that
• $s(x) = 5$
• $\mathrm{Dom}(h) = \{100, 101\}$, $h(100) = (10, 20)$, $h(101) = (11, 15)$
This heap model $(s, h)$ means the following memory state: the value of $x$ is 5, address 100 holds $(10, 20)$, and address 101 holds $(11, 15)$.
Semantics of SL_ARRAY
$s \models \Pi$ and $s, h \models \Sigma$ are defined as follows:
$s \models t = u \iff s(t) = s(u)$
$s \models t \neq u \iff s(t) \neq s(u)$
$s \models t < u \iff s(t) < s(u)$
$s \models \Pi_1 \wedge \Pi_2 \iff s \models \Pi_1$ and $s \models \Pi_2$
$s, h \models \mathrm{emp} \iff \mathrm{Dom}(h) = \emptyset$
$s, h \models t \mapsto (\vec u) \iff \mathrm{Dom}(h) = \{s(t)\}$ and $h(s(t)) = s(\vec u)$
$s, h \models \Sigma_1 * \Sigma_2 \iff s, h_1 \models \Sigma_1$ and $s, h_2 \models \Sigma_2$ for some $h = h_1 + h_2$
$s, h \models \mathrm{Array}(t, m) \iff \mathrm{Dom}(h) = \{s(t), \dots, s(t + m)\}$
Intuitively, $\mathrm{Array}(t, m)$ means there is an array starting from $t$ of length $m + 1$.
$s, h \models \Pi \wedge \Sigma \iff s \models \Pi$ and $s, h \models \Sigma$
Entailments and main result
Entailments of SL_ARRAY: $\Pi_1 \wedge \Sigma_1 \vdash \bigvee_i (\Pi_i \wedge \Sigma_i)$
The above entailment is said to be valid if, for any $(s, h)$, $s, h \models \Pi_1 \wedge \Sigma_1$ implies $s, h \models \Pi_i \wedge \Sigma_i$ for some $i$.
Our main result: validity of entailments of SL_ARRAY is decidable.
Basic Idea
Approach: translating entailments into Presburger formulas
Idea: sorted separating conjunction $\circledast$
$s, h \models \Sigma_1 \circledast \Sigma_2 \iff s, h_1 \models \Sigma_1$ and $s, h_2 \models \Sigma_2$ and $h = h_1 + h_2$ and $\max \mathrm{Dom}(h_1) < \min \mathrm{Dom}(h_2)$ for some $h_1, h_2$
For example,
• $1 \mapsto (x) \circledast 2 \mapsto (y) \vdash 1 \mapsto (x) \circledast 2 \mapsto (y)$ is valid
• $1 \mapsto (x) \circledast 2 \mapsto (y) \vdash 2 \mapsto (y) \circledast 1 \mapsto (x)$ is invalid
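The heap-model semantics of the preceding slides, as an added Python example (it is not code from the slides or from the authors' analyzer): it implements $s, h \models \Sigma$ for both the ordinary separating conjunction $*$ and the sorted conjunction $\circledast$, plus a bounded entailment checker that enumerates small stores and heaps. The encoding is this example's own assumption: terms are integers or variable names, heaps are dictionaries from addresses to tuples with every cell of arity 1, address 0 is never used, and the search bounds are constructed for the demonstration. It goes slightly beyond the slide by also running the swapped example under $*$, where it becomes valid.

```python
"""Heap-model semantics of SL_ARRAY with * and the sorted conjunction ⊛.
Representation (this example's own choice, not the slides' notation):
  term          int or variable name (str); a store maps names to naturals
  pure atom     (op, t, u) with op in '=', '!=', '<'
  spatial atom  ('pt', t, [u1, ...]) for t |-> (u1, ...);  ('arr', t, m) for Array(t, m)
  Sigma         list of spatial atoms joined by the separating conjunction; [] is emp
  heap          dict addr -> tuple of naturals (address 0 never occurs)
"""
from itertools import product

def val(s, t):
    return t if isinstance(t, int) else s[t]

def sat_pure(s, pi):
    ops = {'=': lambda a, b: a == b, '!=': lambda a, b: a != b, '<': lambda a, b: a < b}
    return all(ops[op](val(s, t), val(s, u)) for op, t, u in pi)

def sat_atom(s, h, sig):
    if sig[0] == 'pt':                         # Dom(h) = {s(t)} and h(s(t)) = s(u)
        _, t, us = sig
        a = val(s, t)
        return set(h) == {a} and h[a] == tuple(val(s, u) for u in us)
    _, t, m = sig                              # Dom(h) = {s(t), ..., s(t+m)}, contents arbitrary
    a, n = val(s, t), val(s, m)
    return set(h) == set(range(a, a + n + 1))

def sat_star(s, h, sigma):
    """s, h |= sig_1 * ... * sig_n: any disjoint split h = h1 + h2 is allowed."""
    if not sigma:
        return not h
    addrs = sorted(h)
    for mask in product((False, True), repeat=len(addrs)):
        h1 = {a: h[a] for a, keep in zip(addrs, mask) if keep}
        h2 = {a: h[a] for a, keep in zip(addrs, mask) if not keep}
        if sat_atom(s, h1, sigma[0]) and sat_star(s, h2, sigma[1:]):
            return True
    return False

def sat_sorted(s, h, sigma):
    """s, h |= sig_1 ⊛ ... ⊛ sig_n: the split needs max Dom(h1) < min Dom(h2),
    so h1 must be a prefix of the address-sorted heap."""
    if not sigma:
        return not h
    addrs = sorted(h)
    for k in range(len(addrs) + 1):
        h1 = {a: h[a] for a in addrs[:k]}
        h2 = {a: h[a] for a in addrs[k:]}
        if sat_atom(s, h1, sigma[0]) and sat_sorted(s, h2, sigma[1:]):
            return True
    return False

def sat(s, h, phi, sep=sat_sorted):
    """s, h |= Pi /\\ Sigma where phi = (Pi, Sigma)."""
    pi, sigma = phi
    return sat_pure(s, pi) and sep(s, h, sigma)

def heaps(addr_bound, val_bound):
    """Every heap over addresses 1..addr_bound whose cells hold one natural < val_bound
    (a constructed finite search space)."""
    cells = [None] + list(range(val_bound))
    for choice in product(cells, repeat=addr_bound):
        yield {a + 1: (v,) for a, v in enumerate(choice) if v is not None}

def valid_bounded(lhs, rhs, variables, sep=sat_sorted, var_bound=3, addr_bound=3, val_bound=2):
    """Bounded check of lhs |- rhs_1 \\/ ... \\/ rhs_k.  Returns (True, None) when no
    counter-model exists inside the bounds, else (False, (s, h)).  A counter-model is
    genuine; a True answer is only evidence because the enumeration is finite."""
    for vals in product(range(var_bound), repeat=len(variables)):
        s = dict(zip(variables, vals))
        for h in heaps(addr_bound, val_bound):
            if sat(s, h, lhs, sep) and not any(sat(s, h, r, sep) for r in rhs):
                return False, (s, h)
    return True, None

# The slide's two examples, plus an array case; all with empty pure part.
A = ([], [('pt', 1, ['x']), ('pt', 2, ['y'])])     # 1 |-> (x) ⊛ 2 |-> (y)
B = ([], [('pt', 2, ['y']), ('pt', 1, ['x'])])     # 2 |-> (y) ⊛ 1 |-> (x)
C = ([], [('pt', 1, ['x']), ('arr', 2, 1)])        # 1 |-> (x) ⊛ Array(2, 1)
D = ([], [('arr', 1, 2)])                          # Array(1, 2)

if __name__ == "__main__":
    print("A |- A under ⊛:", valid_bounded(A, [A], ['x', 'y']))
    print("A |- B under ⊛:", valid_bounded(A, [B], ['x', 'y']))
    print("A |- B under * :", valid_bounded(A, [B], ['x', 'y'], sep=sat_star))
    print("C |- D under ⊛:", valid_bounded(C, [D], ['x']))
    print("D |- A under ⊛:", valid_bounded(D, [A], ['x', 'y']))
```

The counter-model reported for `A |- B` is the obvious one (the heap with exactly cells 1 and 2): it satisfies `A` but cannot be split into a prefix satisfying `2 |-> (y)`, which is exactly why `⊛` fixes the order of atoms while `*` does not.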
Idea of translation
Observation 1 ($\mapsto\mapsto$ case)
$\Pi \wedge t \mapsto (\vec u) \circledast \Sigma \models \Pi' \wedge t' \mapsto (\vec u') \circledast \Sigma'$
$\iff \Pi \wedge t < \Sigma \wedge \Sigma \models \Pi' \wedge t = t' \wedge \vec u = \vec u' \wedge \Sigma'$
where $t < \Sigma$ means that $t$ is less than the first address of $\Sigma$.
Example
$1 \mapsto (x) \circledast 2 \mapsto (y) \models 1 \mapsto (x) \circledast 2 \mapsto (y)$
$\iff 1 < 2 \wedge 2 \mapsto (y) \models 1 = 1 \wedge x = x \wedge 2 \mapsto (y)$
$\iff 1 < 2 \models 1 = 1 \wedge x = x \wedge 2 = 2 \wedge y = y$
$\iff \models_{\mathrm{PbA}} 1 < 2 \Rightarrow (1 = 1 \wedge x = x \wedge 2 = 2 \wedge y = y)$
Idea of translation
Observation 2 ($\mapsto$Array case)
$\Pi \wedge t \mapsto (\vec u) \circledast \Sigma \models \Pi' \wedge \mathrm{Array}(t', m') \circledast \Sigma'$
$\iff \Pi \wedge m' = 0 \wedge t \mapsto (\vec u) \circledast \Sigma \models \Pi' \wedge t = t' \wedge t' \mapsto (\vec u) \circledast \Sigma'$ (upper case, $m' = 0$)
and $\Pi \wedge m' > 0 \wedge t \mapsto (\vec u) \circledast \Sigma \models \Pi' \wedge t = t' \wedge t' \mapsto (\vec u) \circledast \mathrm{Array}(t' + 1, m' - 1) \circledast \Sigma'$ (lower case, $m' > 0$)
Idea of translation
Observation 3 (Array$\mapsto$ case)
$\Pi \wedge \mathrm{Array}(t, m) \circledast \Sigma \models \Pi' \wedge t' \mapsto (\vec u') \circledast \Sigma'$
$\iff \Pi \wedge m = 0 \wedge t \mapsto (\vec z) \circledast \Sigma \models \Pi' \wedge t = t' \wedge t' \mapsto (\vec u') \circledast \Sigma'$ (upper case, $m = 0$)
and $\Pi \wedge m > 0 \wedge t \mapsto (\vec z') \circledast \mathrm{Array}(t + 1, m - 1) \circledast \Sigma \models \Pi' \wedge t = t' \wedge t' \mapsto (\vec u') \circledast \Sigma'$ (lower case, $m > 0$)
($\vec z, \vec z'$: fresh)
Idea of translation
Observation 4 (ArrayArray case)
$\Pi \wedge \mathrm{Array}(t, m) \circledast \Sigma \models \Pi' \wedge \mathrm{Array}(t', m') \circledast \Sigma'$
$\iff \Pi \wedge m = m' \wedge \Sigma \models \Pi' \wedge t = t' \wedge \Sigma'$ (1st case, $m = m'$)
and $\Pi \wedge m < m' \wedge \Sigma \models \Pi' \wedge t = t' \wedge \mathrm{Array}(t + m + 1, m' - m - 1) \circledast \Sigma'$ (2nd case, $m < m'$)
and $\Pi \wedge m > m' \wedge \mathrm{Array}(t + m' + 1, m - m' - 1) \circledast \Sigma \models \Pi' \wedge t = t' \wedge \Sigma'$ (3rd case, $m > m'$)
Translation
Our translation $\mathrm{mkPb}(\Pi, \Sigma; \{(\Pi_i, \Sigma_i)\}_i)$ is defined by using the observations. $\mathrm{mkPb}(\Pi, \Sigma; \{(\Pi_i, \Sigma_i)\}_i)$ is the result of translating $\Pi \wedge \Sigma \vdash \bigvee_i (\Pi_i \wedge \Sigma_i)$.
$\mathrm{mkPb}(\Pi, \Sigma; S_1 \cup \{(\Pi', \mathrm{emp} \circledast \Sigma')\} \cup S_2) \overset{\text{def}}{=} \mathrm{mkPb}(\Pi, \Sigma; S_1 \cup \{(\Pi', \Sigma')\} \cup S_2)$
$\mathrm{mkPb}(\Pi, \mathrm{emp} \circledast \Sigma; S) \overset{\text{def}}{=} \mathrm{mkPb}(\Pi, \Sigma; S)$
$\mathrm{mkPb}(\Pi, \mathrm{emp}; \{(\Pi_i, \mathrm{emp})\}_i) \overset{\text{def}}{=} \Pi \Rightarrow \bigvee_i \Pi_i$
$\mathrm{mkPb}(\Pi, \mathrm{emp}; S_1 \cup \{(\Pi', \Sigma')\} \cup S_2) \overset{\text{def}}{=} \mathrm{mkPb}(\Pi, \mathrm{emp}; S_1 \cup S_2)$ ($\Sigma'$ is not emp)
$\mathrm{mkPb}(\Pi, \mathrm{emp}; \emptyset) \overset{\text{def}}{=} \neg \Pi$
$\mathrm{mkPb}(\Pi, \Sigma; \emptyset) \overset{\text{def}}{=} \neg (\Pi \wedge \mathrm{Sorted}(\Sigma))$ ($\Sigma$ is not emp)
($\mathrm{Sorted}(\Sigma)$ means that the addresses in $\Sigma$ are sorted)
Translation (cont.)
($\mapsto\mapsto$-case)
$\mathrm{mkPb}(\Pi, t \mapsto (\vec u) \circledast \Sigma; \{(\Pi_i, t_i \mapsto (\vec u_i) \circledast \Sigma_i)\}_i) \overset{\text{def}}{=} \mathrm{mkPb}(\Pi \wedge t < \Sigma, \Sigma; \{(\Pi_i \wedge t = t_i \wedge \vec u = \vec u_i, \Sigma_i)\}_i)$
($\mapsto$Array-case)
$\mathrm{mkPb}(\Pi, t \mapsto (\vec u) \circledast \Sigma; S_1 \cup \{(\Pi', \mathrm{Array}(t', m) \circledast \Sigma')\} \cup S_2)$
$\overset{\text{def}}{=} \mathrm{mkPb}(\Pi \wedge m = 0, t \mapsto (\vec u) \circledast \Sigma; S_1 \cup \{(\Pi' \wedge t = t', t' \mapsto (\vec u) \circledast \Sigma')\} \cup S_2)$
$\wedge \mathrm{mkPb}(\Pi \wedge m > 0, t \mapsto (\vec u) \circledast \Sigma; S_1 \cup \{(\Pi' \wedge t = t', t' \mapsto (\vec u) \circledast \mathrm{Array}(t' + 1, m - 1) \circledast \Sigma')\} \cup S_2)$
(Array$\mapsto$-case) (where $(\Pi', t' \mapsto (\vec u') \circledast \Sigma') \in S$)
$\mathrm{mkPb}(\Pi, \mathrm{Array}(t, m) \circledast \Sigma; S)$
$\overset{\text{def}}{=} \mathrm{mkPb}(\Pi \wedge m = 0, t \mapsto (\vec z) \circledast \Sigma; S) \wedge \mathrm{mkPb}(\Pi \wedge m > 0, t \mapsto (\vec z') \circledast \mathrm{Array}(t + 1, m - 1) \circledast \Sigma; S)$
($\vec z, \vec z'$: fresh)
Translation (cont.)
(ArrayArray-case)
$\mathrm{mkPb}(\Pi, \mathrm{Array}(t, n) \circledast \Sigma; \{(\Pi_i, \mathrm{Array}(t_i, m_i) \circledast \Sigma_i)\}_{i \in I})$
$\overset{\text{def}}{=} \bigwedge_{J \subseteq I} \mathrm{mkPb}\big(\Pi \wedge n = \min(n, \{m_i\}_i) \wedge \bigwedge_{j \in J} n = m_j \wedge \bigwedge_{j \notin J} n < m_j \wedge t + n < \Sigma,\ \Sigma;\ \{(\Pi_i \wedge t = t_i, \Sigma_i)\}_{i \in J} \cup \{(\Pi_i \wedge t = t_i, \mathrm{Array}(t_i + n + 1, m_i - n - 1) \circledast \Sigma_i)\}_{i \notin J}\big)$
$\wedge \bigwedge_{\emptyset \neq J \subseteq I} \mathrm{mkPb}\big(\Pi \wedge m' = \min(n, \{m_i\}_i) \wedge m' < n \wedge \bigwedge_{j \in J} m' = m_j \wedge \bigwedge_{j \notin J} m' < m_j \wedge t + n < \Sigma,\ \mathrm{Array}(t + m' + 1, n - m' - 1) \circledast \Sigma;\ \{(\Pi_i \wedge t = t_i, \Sigma_i)\}_{i \in J} \cup \{(\Pi_i \wedge t = t_i, \mathrm{Array}(t_i + m' + 1, m_i - m' - 1) \circledast \Sigma_i)\}_{i \notin J}\big)$
(where $m'$ is $m_{\min(J)}$)
• The first clause: $n$ is the least one and $J = \{i \in I \mid n = m_i\}$
• The second clause: $m'$ ($\neq n$) is the least one and $J = \{i \in I \mid m' = m_i\}$
Decidability of entailment problem
Proposition. Suppose that $\Sigma$ and $\Sigma_i$ have the form $\sigma_1 \circledast \dots \circledast \sigma_n$. Then
$\Pi \wedge \Sigma \models \bigvee_i \Pi_i \wedge \Sigma_i \iff \models_{\mathrm{PbA}} \forall \vec x.\ \mathrm{mkPb}(\Pi, \Sigma; \{(\Pi_i, \Sigma_i)\}_i)$
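The translation mkPb restricted to a single consequent (the set $S$ has one element), as an added Python example that is not the slides' code: it applies Observations 1 to 4 and the leaf clauses of the definition, including the $t + n < \Sigma$ side condition from the general ArrayArray rule, and produces a Presburger formula as a small syntax tree. In place of a Presburger decision procedure, an assumption of this example, the universal closure of the result is checked over a finite box of values, so a reported counter-assignment is genuine while a "valid" answer is evidence only. The term encoding (linear expressions as dictionaries), the fresh-variable names `_z0, _z1, ...`, and the four sample entailments are constructed for the demonstration; the first two are the $\circledast$ examples from the Basic Idea slide.

```python
"""Single-consequent mkPb: translate Pi /\ Sigma |- Pi' /\ Sigma' into a Presburger
formula by the four observations, then check its universal closure over a bounded box.
Representation (this example's own): a term is a linear expression {var: coeff} with the
constant under key None; spatial atoms are ('pt', t, [u, ...]) and ('arr', t, m); a
sorted conjunction Sigma is a list of atoms (the empty list is emp)."""
import itertools

def const(c): return {None: c}
def var(x):   return {x: 1}
def add(t, u, k=1):                          # t + k*u
    r = dict(t)
    for v, c in u.items():
        r[v] = r.get(v, 0) + k * c
    return r
def plus(t, c): return add(t, const(c))      # t + c
def ev(t, s):   return sum(c * (1 if v is None else s[v]) for v, c in t.items())

# Presburger formulas: ('atom', op, t, u), ('and', [..]), ('imp', f, g), ('not', f)
def atom(op, t, u): return ('atom', op, t, u)
def conj(*fs):      return ('and', list(fs))  # conj() is true
def imp(f, g):      return ('imp', f, g)
def neg(f):         return ('not', f)
FALSE = atom('<', const(0), const(0))

def holds(f, s):
    if f[0] == 'atom':
        a, b = ev(f[2], s), ev(f[3], s)
        return {'=': a == b, '!=': a != b, '<': a < b}[f[1]]
    if f[0] == 'and': return all(holds(g, s) for g in f[1])
    if f[0] == 'imp': return (not holds(f[1], s)) or holds(f[2], s)
    return not holds(f[1], s)

def first(sig): return sig[1]
def last(sig):  return sig[1] if sig[0] == 'pt' else add(sig[1], sig[2])
def before(t, sigma):    # "t < Sigma": t is below the first address of Sigma (true for emp)
    return atom('<', t, first(sigma[0])) if sigma else conj()
def sorted_(sigma):      # Sorted(Sigma): every atom ends before the next one starts
    return conj(*[atom('<', last(a), first(b)) for a, b in zip(sigma, sigma[1:])])
def eqs(us, vs):         # vector equality u = u' (arity mismatch is simply false)
    return conj(*[atom('=', u, v) for u, v in zip(us, vs)]) if len(us) == len(vs) else FALSE

_fresh = itertools.count()
def fresh(): return var(f"_z{next(_fresh)}")   # fresh array contents, universally quantified

def mkpb(P, S, P2, S2):
    if not S and not S2: return imp(P, P2)                 # emp |- emp:  Pi => Pi'
    if not S:            return neg(P)                     # emp |- non-emp: Pi must be unsat
    if not S2:           return neg(conj(P, sorted_(S)))   # non-emp |- emp: LHS must be unsat
    a, b, rest, rest2 = S[0], S2[0], S[1:], S2[1:]
    if a[0] == 'pt' and b[0] == 'pt':                      # Observation 1
        return mkpb(conj(P, before(a[1], rest)), rest,
                    conj(P2, atom('=', a[1], b[1]), eqs(a[2], b[2])), rest2)
    if a[0] == 'pt' and b[0] == 'arr':                     # Observation 2: peel one RHS array cell
        t2, m2, P2e = b[1], b[2], conj(P2, atom('=', a[1], b[1]))
        return conj(
            mkpb(conj(P, atom('=', m2, const(0))), S, P2e, [('pt', t2, a[2])] + rest2),
            mkpb(conj(P, atom('<', const(0), m2)), S, P2e,
                 [('pt', t2, a[2]), ('arr', plus(t2, 1), plus(m2, -1))] + rest2))
    if a[0] == 'arr' and b[0] == 'pt':                     # Observation 3: peel one LHS array cell
        t, m, zs = a[1], a[2], [fresh() for _ in b[2]]
        return conj(
            mkpb(conj(P, atom('=', m, const(0))), [('pt', t, zs)] + rest, P2, S2),
            mkpb(conj(P, atom('<', const(0), m)),
                 [('pt', t, zs), ('arr', plus(t, 1), plus(m, -1))] + rest, P2, S2))
    t, m, t2, m2 = a[1], a[2], b[1], b[2]                  # Observation 4: compare lengths
    P2e, tail = conj(P2, atom('=', t, t2)), before(add(t, m), rest)
    return conj(
        mkpb(conj(P, atom('=', m, m2), tail), rest, P2e, rest2),
        mkpb(conj(P, atom('<', m, m2), tail), rest, P2e,
             [('arr', plus(add(t, m), 1), plus(add(m2, m, -1), -1))] + rest2),
        mkpb(conj(P, atom('<', m2, m), tail),
             [('arr', plus(add(t, m2), 1), plus(add(m, m2, -1), -1))] + rest, P2e, rest2))

def variables(f, acc=None):
    acc = set() if acc is None else acc
    if f[0] == 'atom':
        for t in (f[2], f[3]): acc.update(v for v in t if v is not None)
    else:
        for g in (f[1] if f[0] == 'and' else f[1:]): variables(g, acc)
    return acc

def valid_bounded(P, S, P2, S2, bound=4):
    """Check forall x. mkPb(...) over {0..bound-1}^vars (stand-in for a Presburger solver):
    (True, None) if no counter-assignment exists in the box, else (False, assignment)."""
    f = mkpb(P, S, P2, S2)
    xs = sorted(variables(f))
    for vals in itertools.product(range(bound), repeat=len(xs)):
        s = dict(zip(xs, vals))
        if not holds(f, s): return False, s
    return True, None

TRUE = conj()
x, y, a, b = var('x'), var('y'), var('a'), var('b')
one, two = const(1), const(2)
E1 = (TRUE, [('pt', one, [x]), ('pt', two, [y])], TRUE, [('pt', one, [x]), ('pt', two, [y])])  # slide example, valid
E2 = (TRUE, [('pt', one, [x]), ('pt', two, [y])], TRUE, [('pt', two, [y]), ('pt', one, [x])])  # swapped, invalid
E3 = (TRUE, [('pt', one, [x]), ('arr', two, one)], TRUE, [('arr', one, two)])                 # cell + array = longer array
E4 = (TRUE, [('arr', one, one)], TRUE, [('pt', one, [a]), ('pt', two, [b])])                  # array contents unknown

if __name__ == "__main__":
    for name, e in [("E1", E1), ("E2", E2), ("E3", E3), ("E4", E4)]:
        print(name, valid_bounded(*e))
```

For `E1` the generated tree is the slide's formula $1 < 2 \Rightarrow (1 = 1 \wedge x = x \wedge 2 = 2 \wedge y = y)$ with the two `conj()` placeholders that encode $t < \mathrm{emp}$; for `E4` the Array$\mapsto$ step introduces fresh contents, and the bounded check finds an assignment with `_z0 != a` or `_z1 != b`, which is exactly the reason an array does not entail specific cell values.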