Slide 1: CS6202: Advanced Topics in Programming Languages and Systems
Lecture 8/9: Separation Logic
Overview
• Assertion Logic
• Semantic Model
• Hoare-style Inference Rules
• Specification and Annotations
• Linked Lists and Segments
• Trees and Intuitionistic Logic
  (the above are from John Reynolds' mini-course)
• Automated Verification
CS6202 Separation Logic 1

Slide 2: Motivation
Program reasoning is important for:
• correctness of software
• safety (fewer or no bugs)
• performance guarantees
• optimization

Slide 3: Hoare Logic
Hoare logic handles reasoning about imperative programs well.
Notation: {P} code {Q}
• {P} is the precondition, assumed to hold before the code executes
• {Q} is the postcondition, established after the code executes
Some examples:
  {x=1} x:=x+1 {x=2}
  {x=x0} x:=x+1 {x=x0+1}
  {Q[x+1/x]} x:=x+1 {Q}                        (backward assignment axiom)
  {P} x:=x+1 {∃x1. P[x1/x] ∧ x=x1+1}           (forward assignment axiom)

Slide 4: Problem
Hoare logic handles program variables well, but not heap objects, because of aliasing.
Consider an in-place list reversal algorithm. [i] denotes the heap location at address i.
Slide 5: Loop Invariant
A loop invariant is a statement that holds at the beginning of each iteration of the loop.

Slide 6: Loop Invariant
The same invariant, in separation logic:

Slide 7: Basics of Separation Logic
A heap predicate relates a list of elements and a pointer.

Slide 8: Simple Language with Heap Store
Slide 9: Memory Faults
Can be caused by an out-of-range lookup of memory.

Slide 10: Assertion Language

Slide 11: Semantic Model

Slide 12: Semantic Model
Slide 13: Separating Implication - Examples

Slide 14: Inference Rules
Reasoning with normalization, weakening and strengthening.

Slide 15: Separating Conjunction - Examples

Slide 16: Conjunction - Examples
Ordinary conjunction describes the same heap space: both conjuncts hold of one and the same heap, whereas the conjuncts of a separating conjunction hold of disjoint parts of the heap.
Slide 17: Pure Assertion
Axiom schemata guided by pure formulae.

Slide 18: Two Unsound Axiom Schemata
Separation logic is a substructural logic: contraction (P ⇒ P * P) and weakening (P * Q ⇒ P) are not valid for the separating conjunction.

Slide 19: Partial Correctness Specification

Slide 20: Total Correctness Specification
Slide 21: Examples of Valid Specifications

Slide 22: Hoare Inference Rules

Slide 23: Hoare Inference Rules
Structural rules are applicable to any command.

Slide 24: Partial Correctness of While Loop
Slide 25: Total Correctness of While Loop

Slide 26: Hoare Inference Rules

Slide 27: Hoare Inference Rules

Slide 28: Annotated Specifications
In an annotated specification, additional assertions called annotations are placed within the command so as to assist the proof-construction process.
Examples:
Slide 29: Minimal Annotated Specifications
Annotations should be minimised where possible: restrict them to the pre/postconditions of methods and the invariants of loops.
Further advances: (i) intraprocedural inference, (ii) interprocedural inference.

Slide 30: Structural Inference Rules

Slide 31: Structural Inference Rules

Slide 32: Structural Inference Rules
Slide 33: Rule of Constancy from Hoare Logic

Slide 34: Frame Rule of Separation Logic
This facilitates local reasoning and specification.

Slide 35: Local Specifications

Slide 36: Inference Rules for Mutation
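As an added example, not part of the slides or of Reynolds' notes, the Python below makes the preceding slides executable: a heap as a finite partial map with a memory fault on out-of-range lookup (slide 9), the list predicate and the separating conjunction as predicates on heaps (slides 7 and 15), the in-place list reversal of slide 4 with its separation-logic loop invariant checked at every iteration (slides 5 and 6), and the frame rule of slide 34: the loop is run against a heap that also holds an unrelated cell R, the invariant is checked in the form (list α (i) * list β (j)) * R, and R comes out untouched, which is what lets a local specification {P} C {Q} be lifted to {P * R} C {Q * R}. The (value, next) cell layout, the brute-force split inside `sep`, and all function names are this example's own assumptions.

```python
# Added example (not from the slides); names and the (value, next) cell layout are this example's own.
NIL = 0  # address 0 is never allocated and plays the role of nil

class MemoryFault(Exception):
    """Access to an address outside the heap's domain (a memory fault)."""

class Heap:
    """Finite partial map from addresses to two-field cells (value, next)."""
    def __init__(self, cells=None):
        self.cells = dict(cells or {})

    def lookup(self, addr):
        if addr not in self.cells:
            raise MemoryFault(f"lookup of unallocated address {addr}")
        return self.cells[addr]

    def mutate(self, addr, value, nxt):
        if addr not in self.cells:
            raise MemoryFault(f"mutation of unallocated address {addr}")
        self.cells[addr] = (value, nxt)

    def alloc(self, value, nxt):
        addr = max(self.cells, default=NIL) + 1  # fresh address, never NIL
        self.cells[addr] = (value, nxt)
        return addr

# Assertions are predicates on heaps: emp, a concrete frame R, list alpha (i), and P * Q.
def emp(heap):
    return not heap.cells

def cells_exactly(cells):
    return lambda heap: heap.cells == cells

def list_pred(i, alpha):
    """list alpha (i): the heap is exactly a nil-terminated list starting at i that spells alpha."""
    def holds(heap):
        addr, visited = i, []
        for v in alpha:
            if addr == NIL or addr not in heap.cells or addr in visited or heap.cells[addr][0] != v:
                return False
            visited.append(addr)
            addr = heap.cells[addr][1]
        return addr == NIL and set(visited) == set(heap.cells)
    return holds

def sep(p, q):
    """P * Q: some split of the heap into two disjoint parts satisfies P and Q (brute force)."""
    def holds(heap):
        addrs = list(heap.cells)
        for mask in range(1 << len(addrs)):
            left = {a: heap.cells[a] for k, a in enumerate(addrs) if mask >> k & 1}
            right = {a: heap.cells[a] for a in addrs if a not in left}
            if p(Heap(left)) and q(Heap(right)):
                return True
        return False
    return holds

def build_list(heap, values):
    """Allocate a singly linked list holding values; return its head address."""
    head = NIL
    for v in reversed(values):
        head = heap.alloc(v, head)
    return head

def read_list(heap, i):
    """Follow next pointers from i; None if that would fault or cycle."""
    seq, seen = [], set()
    while i != NIL:
        if i not in heap.cells or i in seen:
            return None
        seen.add(i)
        value, i = heap.cells[i]
        seq.append(value)
    return seq

def reverse_in_place(heap, i, alpha0=None, frame=emp):
    """j := nil; while i != nil do (k := [i+1]; [i+1] := j; j := i; i := k).
    When alpha0 (the initial sequence) is given, the loop invariant
      exists alpha, beta. (list alpha (i) * list beta (j)) * R  and  rev(alpha0) = rev(alpha).beta
    is checked at every loop test, where R = frame is the heap the loop never touches."""
    j = NIL
    while True:
        if alpha0 is not None:
            alpha, beta = read_list(heap, i), read_list(heap, j)
            assert alpha is not None and beta is not None, "invariant: unreadable list"
            assert sep(sep(list_pred(i, alpha), list_pred(j, beta)), frame)(heap), "not list(i) * list(j) * R"
            assert alpha0[::-1] == alpha[::-1] + beta, "invariant: sequence bookkeeping"
        if i == NIL:
            return j
        value, k = heap.lookup(i)  # k := [i+1]
        heap.mutate(i, value, j)   # [i+1] := j
        j, i = i, k

def demo():
    """Reverse [1, 2, 3] next to an unrelated cell (the frame R); return the new list and that cell."""
    heap = Heap()
    head = build_list(heap, [1, 2, 3])
    other = heap.alloc(99, NIL)
    new_head = reverse_in_place(heap, head, [1, 2, 3], cells_exactly({other: (99, NIL)}))
    return read_list(heap, new_head), heap.cells[other]

if __name__ == "__main__":
    print(demo())
```

`sep` tries every split of the heap, so it is only usable on toy heaps, but it is a faithful model of the semantics: `sep(list_pred(j, a), list_pred(j, a))` is false for a non-empty list because the same cells cannot be on both sides of the split, which is exactly the failure of contraction from slide 18.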
Slide 37: Inference Rules for Lookup

Slide 38: Notation for Sequences

Slide 39: Inference Rules for Deallocation

Slide 40: Inference Rules for Noninterfering Allocation
Slide 41: Singly Linked List Segment

Slide 42: Singly Linked List Segment

Slide 43: Singly Linked List Segment Properties
What is the default property (invariant) of this predicate?

Slide 44: Non-Touching Linked List Segment
Easier test for emptiness.
Slide 45: Doubly Linked List

Slide 46: XOR-Linked List Segment

Slide 47: Braced List Segment

Slide 48: Bornat List
Slide 49: Array Allocation
Inference rule:

Slide 50: Trees

Slide 51: DAGs

Slide 52: Intuitionistic Separation Logic
Supports justification rather than truth. Things that no longer hold include:
• law of excluded middle (P ∨ ¬P)
• double negation (¬¬P = P)
• Peirce's law (((P → Q) → P) → P)
Formulae valid in intuitionistic separation logic but not in the classical one:
  x ↦ 1,y ⇒ emp
  x ↦ 1,y * y ↦ _,nil ⇒ x ↦ 1,_
Slide 53: Intuitionistic Assertion

Slide 54: Inference for Procedures

Slide 55: Copying Tree

Slide 56: Copying Tree (Proof)
Slide 57: Copying Tree (Proof)

Slide 58: Automated Verification
Modular verification:
(i) given pre/postconditions for each method and loop,
(ii) check that each postcondition is sound for its method body, and
(iii) check that each precondition is satisfied at every call site.
Why verification?
(i) it can handle more complex examples,
(ii) it can be used to check an inference algorithm,
(iii) it is part of the grand challenge of verifiable software.

Slide 59: Core Imperative Language

Slide 60: Data Nodes and Notation
Slide 61: Shape Predicates
• Linked list with size
• Doubly linked list (right traversal) with size
• Sorted linked list with size, min, max

Slide 62: Insertion Sort Algorithm

Slide 63: Prime Notation
Prime notation captures the latest value of each program variable, while the unprimed form denotes the original value. A state transition can therefore be expressed as a relation between the unprimed and primed values.

Slide 64: Prime Notation
Example:
  {x'=x ∧ y'=y}  x:=x+1  {x'=x+1 ∧ y'=y}  x:=x+y  {x'=x+1+y ∧ y'=y}  y:=2  {x'=x+1+y ∧ y'=2}
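The following Python is an added example, not code from the slides or from any verifier they describe. It carries the prime-notation example of slide 64 out mechanically: every program variable starts as x'=x, each assignment replaces the primed value of its target by the right-hand side with the current primed values substituted in, and the resulting state is the strongest postcondition, i.e. the existential witness of the forward assignment axiom on slide 3. The `Lin` class, the tiny expression parser, and all function names are this example's own; only linear integer expressions are supported, which is enough for the slide's example.

```python
# Added example (not from the slides): forward symbolic execution in prime notation.
# The Lin class, the parser and all names are this example's own; only linear integer
# expressions over program variables are supported.
import re

class Lin:
    """Linear expression  const + sum(coeff * var)  over unprimed (initial) variables."""
    def __init__(self, coeffs=None, const=0):
        self.coeffs = {v: c for v, c in sorted((coeffs or {}).items()) if c != 0}
        self.const = const

    def __add__(self, other):
        coeffs = dict(self.coeffs)
        for v, c in other.coeffs.items():
            coeffs[v] = coeffs.get(v, 0) + c
        return Lin(coeffs, self.const + other.const)

    def scale(self, k):
        return Lin({v: k * c for v, c in self.coeffs.items()}, k * self.const)

    def __eq__(self, other):
        return isinstance(other, Lin) and (self.coeffs, self.const) == (other.coeffs, other.const)

    def __repr__(self):
        parts = []
        for v, c in self.coeffs.items():
            parts.append(v if c == 1 else "-" + v if c == -1 else str(c) + "*" + v)
        if self.const or not parts:
            parts.append(str(self.const))
        return " + ".join(parts).replace("+ -", "- ")

def parse_lin(text):
    """Parse e.g. 'x + 2*y - 3' into a Lin: terms joined by + or -, optional integer factor."""
    result = Lin()
    for sign, term in re.findall(r"([+-]?)\s*([^+\-\s][^+-]*)", text):
        term, k = term.replace(" ", ""), -1 if sign == "-" else 1
        if "*" in term:
            factor, name = term.split("*", 1)
            result = result + Lin({name: k * int(factor)})
        elif term.isdigit():
            result = result + Lin({}, k * int(term))
        elif re.fullmatch(r"[A-Za-z_]\w*", term):
            result = result + Lin({term: k})
        else:
            raise ValueError(f"bad term {term!r}")
    return result

def parse_program(text):
    """'x:=x+1; x:=x+y; y:=2'  ->  [('x', Lin), ('x', Lin), ('y', Lin)]"""
    program = []
    for stmt in text.split(";"):
        if stmt.strip():
            target, expr = stmt.split(":=")
            program.append((target.strip(), parse_lin(expr)))
    return program

def substitute(expr, state):
    """Replace each variable in expr by its current primed value taken from state."""
    result = Lin({}, expr.const)
    for v, c in expr.coeffs.items():
        result = result + state[v].scale(c)
    return result

def forward(program, variables):
    """Start from x'=x for every variable and push the symbolic state through each
    assignment; the result is the strongest postcondition in prime notation, i.e. the
    witness of the forward assignment axiom  {P} x:=e {exists x1. P[x1/x] and x = e[x1/x]}."""
    state = {v: Lin({v: 1}) for v in variables}
    for target, expr in program:
        state[target] = substitute(expr, state)
    return state

def show(state):
    """Render a symbolic state the way the slides write it, e.g.  x'=x + y + 1 ∧ y'=2."""
    return " ∧ ".join(f"{v}'={state[v]!r}" for v in sorted(state))

def evaluate(expr, env):
    return expr.const + sum(c * env[v] for v, c in expr.coeffs.items())

def concrete_run(program, env):
    """Execute the program on concrete initial values (a plain interpreter)."""
    env = dict(env)
    for target, expr in program:
        env[target] = evaluate(expr, env)
    return env

def consistent(program, variables, env):
    """Soundness check: the symbolic final state, evaluated at the initial values in env,
    must agree with concrete execution from env."""
    state = forward(program, variables)
    final = concrete_run(program, env)
    return all(evaluate(state[v], env) == final[v] for v in variables)

if __name__ == "__main__":
    prog = parse_program("x:=x+1; x:=x+y; y:=2")  # the example on the prime-notation slide
    print(show(forward(prog, ["x", "y"])))
```

Because the primed state is always expressed over the unprimed (initial) names, no fresh existential variables ever accumulate: the ∃x1 of the forward assignment axiom is eliminated at each step by substitution, which is what makes the final assertion directly comparable with a declared postcondition.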
Slide 65: Forward Verification
Target: given Δ1, infer Δ2 such that ⊢ {Δ1} e {Δ2}.

Slide 66: Forward Verification

Slide 67: Separation Constraint Normalization Rules

Slide 68: Separation Constraint Approximation
XPure_n(Δ) returns a sound pure approximation of Δ of the form:
(non-null symbolic addresses)
Normalization:
Slide 69: Translating to Pure Form
denotes

Slide 70: Deriving Shape Invariant
From each pure invariant, such as n ≥ 0 for ll<n>, we use Inv_1(..) to obtain a more precise invariant:

Slide 71: Separation Constraint Entailment

Slide 72: Separation Constraint Entailment