Inductive Data Flow Graphs
Azadeh Farzan (University of Toronto), Zachary Kincaid (University of Toronto), Andreas Podelski (University of Freiburg)
January 23, 2013
Z. Kincaid (U. Toronto) Inductive Data Flow Graphs January 23, 2013 1 / 16
Algorithmic verification
Goal: given a (concurrent) program P and a specification ϕ_pre / ϕ_post, prove { ϕ_pre } P { ϕ_post } (or provide a counter-example).
• Static analysis for sequential programs
• Model checking for finite-state concurrent protocols
This talk presents Inductive Data Flow Graphs (iDFGs): a form of correctness proof for (concurrent) programs.
Why iDFGs?
There are many proof systems: Floyd/Hoare, Owicki-Gries, Rely/Guarantee. Why do we want a new one?
• Succinct: present only the essence of a proof; polynomial in the data complexity of a program
• Can be generated and checked automatically
• Extend static analysis to concurrent control
• Extend model checking to (unbounded) data
"Essence" of a proof
[Figure: two threads (Thread 1, Thread 2) whose actions are x = 2, x++, y++ and z = x + y, with ϕ_pre: x ≥ 0 ∧ y ≥ 0 and ϕ_post: z ≥ 2. Left: a Floyd/Hoare annotation of one interleaving, passing through the intermediate assertions { x ≥ 0 ∧ y ≥ 0 }, { y ≥ 0 }, { x ≥ 1 ∧ y ≥ 0 }, { x ≥ 1 ∧ y ≥ 1 } and ending in { z ≥ 2 }. Right: the same proof as a data flow graph: init → { true } → x = 2 → { x ≥ 1 } → z = x + y, and init → { y ≥ 0 } → y++ → { y ≥ 1 } → z = x + y, with { z ≥ 2 } leaving z = x + y. The conditions x ≥ 1 and y ≥ 1 are independent of each other, and x++ is irrelevant to the proof.]
Inductive Data Flow Graphs (iDFGs)
[Figure: the data flow graph from the previous slide: { x ≥ 0 ∧ y ≥ 0 } enters init; init → { true } → x = 2 → { x ≥ 1 } → z = x + y; init → { y ≥ 0 } → y++ → { y ≥ 1 } → z = x + y; { z ≥ 2 } leaves z = x + y.]
Inductiveness condition: for a node labelled cmd_a with incoming edges labelled ψ_1, …, ψ_m and outgoing edges labelled ϕ_1, …, ϕ_n,
  for all j, { ψ_1 ∧ ··· ∧ ψ_m } cmd_a { ϕ_j }
Suppress the irrelevant details of a partial correctness proof, i.e. parallelize it:
• Irrelevant ordering constraints (x = 2; y++ vs y++; x = 2)
• Irrelevant actions (x++)
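The inductiveness condition is a local check, one Hoare triple per (node, outgoing edge) pair, so it can be discharged mechanically. The following is an added example, not code from the talk or the paper: it transcribes the iDFG drawn on this slide and checks every triple the condition demands, then shows the check failing on a constructed variant in which the init → y++ label is weakened to true. The assertion language is restricted to conjunctions of lower bounds v ≥ c and commands to init or assignments with non-negative coefficients (enough for the slide's example); the graph encoding, the function names and the negative case are assumptions of this example.

```python
"""Mechanical check of the inductiveness condition on the slide's iDFG.

Condition (from the slide): for every node a with incoming edge labels
psi_1..psi_m and outgoing edge labels phi_1..phi_n,
    for all j:  { psi_1 /\ ... /\ psi_m } cmd_a { phi_j }.

Assumptions of this example (not from the talk): an assertion is a conjunction
of lower bounds v >= c, and a command is either `init` (no-op) or an
assignment v := const + sum(coef * w) with coef >= 0.  In that fragment the
entailment check below is exact: a non-negative combination of variables is
minimised when every variable sits at its lower bound."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Assertion = Dict[str, int]              # {v: c} means  /\ v >= c ;  {} means true
Linear = Tuple[Dict[str, int], int]     # (coefs, const) means  const + sum(coef * w)
Ineq = Tuple[Dict[str, int], int]       # (coefs, bound) means  sum(coef * w) >= bound
Command = Optional[Tuple[str, Linear]]  # None = init ;  ("z", expr) = z := expr


@dataclass
class IDFG:
    nodes: Dict[str, Command]                # node name -> command
    edges: List[Tuple[str, str, Assertion]]  # (src, dst, label); "pre"/"post" are
                                             # pseudo-endpoints for phi_pre / phi_post


def conj(*parts: Assertion) -> Assertion:
    """Conjunction of lower-bound assertions: keep the strongest bound per variable."""
    out: Assertion = {}
    for a in parts:
        for v, c in a.items():
            out[v] = max(out.get(v, c), c)
    return out


def wp(cmd: Command, post: Assertion) -> List[Ineq]:
    """Weakest precondition of `post` under `cmd`, as a conjunction of inequalities.
    For v := e, the conjunct v >= c becomes e >= c, i.e. sum(coef*w) >= c - const."""
    if cmd is None:                          # init changes nothing
        return [({v: 1}, c) for v, c in post.items()]
    target, (coefs, const) = cmd
    return [(dict(coefs), c - const) if v == target else ({v: 1}, c)
            for v, c in post.items()]


def entails(pre: Assertion, goal: Ineq) -> bool:
    """Does  /\ v >= pre[v]  imply  sum(coef*w) >= bound ?"""
    coefs, bound = goal
    lowest = 0
    for w, a in coefs.items():
        if a < 0:
            raise ValueError(f"negative coefficient on {w}: outside the assumed fragment")
        if a == 0:
            continue
        if w not in pre:
            return False                     # unbounded below: the sum can be made arbitrarily small
        lowest += a * pre[w]
    return lowest >= bound


def hoare(pre: Assertion, cmd: Command, post: Assertion) -> bool:
    """{pre} cmd {post} holds iff pre entails every conjunct of wp(cmd, post)."""
    return all(entails(pre, g) for g in wp(cmd, post))


def check_inductive(g: IDFG) -> List[str]:
    """Return the violated triples; an empty list means the iDFG is inductive."""
    violations = []
    for name, cmd in g.nodes.items():
        pre = conj(*[lbl for (_, dst, lbl) in g.edges if dst == name])
        for (_, dst, phi) in [e for e in g.edges if e[0] == name]:
            if not hoare(pre, cmd, phi):
                violations.append(f"{{{pre}}} {name} {{{phi}}} on edge to {dst}")
    return violations


def slide_idfg() -> IDFG:
    """The iDFG drawn on the slide, transcribed (the encoding is this example's)."""
    return IDFG(
        nodes={
            "init": None,
            "x=2": ("x", ({}, 2)),
            "y++": ("y", ({"y": 1}, 1)),
            "z=x+y": ("z", ({"x": 1, "y": 1}, 0)),
        },
        edges=[
            ("pre", "init", {"x": 0, "y": 0}),   # phi_pre: x >= 0 /\ y >= 0
            ("init", "x=2", {}),                 # true
            ("init", "y++", {"y": 0}),           # y >= 0
            ("x=2", "z=x+y", {"x": 1}),          # x >= 1
            ("y++", "z=x+y", {"y": 1}),          # y >= 1
            ("z=x+y", "post", {"z": 2}),         # phi_post: z >= 2
        ],
    )


def broken_idfg() -> IDFG:
    """Constructed negative case: weaken the init -> y++ label to `true`.
    {true} y++ {y >= 1} does not hold, so the check must report it."""
    g = slide_idfg()
    g.edges[2] = ("init", "y++", {})
    return g


if __name__ == "__main__":
    print("slide iDFG:", check_inductive(slide_idfg()) or "inductive")
    print("broken iDFG:", check_inductive(broken_idfg()))
```

Note that x++ never appears in the graph: the checker only sees the four nodes and five labelled edges, which is exactly the "essence" the slides describe. Whether the graph also covers every interleaving of the real program (x++ included) is the separate question answered by the denotation on the next slide.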
Denotation of an iDFG
Data flow graph with inductive assertions (iDFG) proves correctness of traces that obey particular constraints
∼ Control flow graph with inductive assertions (Floyd annotation) proves correctness of traces that label paths
The set of such traces is called the denotation of the iDFG, denoted ⟦G⟧.
[Figure: the iDFG from the previous slides beside interleavings of Thread 1 and Thread 2 (actions x = 2, x++, y++, z = x + y) that it proves correct, from ϕ_pre: x ≥ 0 ∧ y ≥ 0 to ϕ_post: z ≥ 2; the assertions { x ≥ 0 }, { y ≥ 0 }, { true }, { x ≥ 1 }, { y ≥ 1 }, { z ≥ 2 } from the graph are carried along each trace.]
iDFGs as proof objects
Program P: a finite automaton; ⟦P⟧ is the set of traces of P.
Theorem. Let G = ⟨V, E, ϕ_pre, ϕ_post, v_o, V_final⟩ be an iDFG. For all τ ∈ ⟦G⟧, { ϕ_pre } τ { ϕ_post }.
Proof rule: Program P is correct w.r.t. ϕ_pre / ϕ_post iff ⟦P⟧ ⊆ ⟦G⟧ for some iDFG G with precondition ϕ_pre and postcondition ϕ_post.