Model Checking for Symbolic-Heap Separation Logic with Inductive Predicates

James Brotherston 1, Max Kanovich 1, Nikos Gorogiannis 2, Reuben N. S. Rowe 1

1 Programming Principles, Logic & Verification Group, Department of Computer Science, University College London
2 Foundations of Computing Group, Department of Computer Science, Middlesex University

POPL 2016, St Petersburg, Florida, USA. Wednesday 20th January 2016
Model Checking in General (1/12)

• Model checking is the problem of checking whether a structure S satisfies, or is a model of, some formula ϕ: does S ⊨ ϕ?
• Typically, S is a Kripke structure representing a program, and ϕ a formula of modal or temporal logic describing its behaviour.
• More generally, S could be any kind of mathematical structure and ϕ a formula in a language describing such structures.
Model Checking for Separation Logic (2/12)

• Separation logic (SL) facilitates verification of imperative pointer programs by describing program memory.
• Typically, we do static analysis: given an annotated program, prove that it meets its specification.
• When static analysis fails, we might try run-time verification: run the program and check that it does not violate the spec.
• In that case, we need to compare memory states S against a specification ϕ: does S ⊨ ϕ?
• We focus on the popular symbolic-heap fragment of SL, allowing arbitrary sets of inductive predicates.
Overview of our Results (3/12)

For symbolic-heap SL with arbitrary inductive predicates:
• the model checking problem is decidable
• complexity is EXPTIME
• We identify three natural syntactic criteria for restricting inductive definitions
• These reduce the complexity to NP or PTIME
• We provide a prototype tool implementation and experimental evaluation
Symbolic Heaps with Inductive Predicates (4/12)

Terms: t ::= x | nil
Pure Formulas: π ::= t = t | t ≠ t
Spatial Formulas: Σ ::= emp | x ↦ t | P t | Σ ∗ Σ (P a predicate symbol, t a tuple of terms)
Symbolic heaps F given by ∃x. Π : Σ (Π a set of pure formulas)

• emp is the empty heap
• ↦ ("points to") denotes a pointer to a single heap record
• ∗ ("separating conjunction") describes the combining of two domain-disjoint heaps
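As an added illustration (not the paper's tool or decision procedure), the following Python checker decides S ⊨ F for the fragment on this slide over concrete (stack, heap) models, using a constructed definition set with a list-segment predicate ls. Two simplifying assumptions: existential witnesses are drawn only from nil, stack values, heap addresses and cell contents (no fresh values), and predicate unfoldings are bounded by heap size, which is adequate for definitions whose recursive cases consume a cell.

```python
from itertools import combinations, product
NIL = 0  # value of the constant nil
# Constructed definition set: ls(x, y) is a list segment from x to y; each case is a
# symbolic heap (existential vars, pure formulas, spatial formula).
DEFS = {
    "ls": (("x", "y"), [
        ((), [("eq", "x", "y")], ("emp",)),
        (("z",), [("neq", "x", "y")],
         ("star", ("pto", "x", ("z",)), ("pred", "ls", ("z", "y")))),
    ]),
}
def val(s, t):
    """Interpret a term (a variable name or 'nil') under stack s."""
    return NIL if t == "nil" else s[t]

def splits(h):
    """Yield every partition of heap h into two domain-disjoint sub-heaps."""
    keys = sorted(h)
    for r in range(len(keys) + 1):
        for left in combinations(keys, r):
            yield {k: h[k] for k in left}, {k: h[k] for k in keys if k not in left}

def sat_spatial(s, h, sigma, fuel):
    """Does (s, h) satisfy spatial formula sigma? fuel bounds predicate unfoldings."""
    kind = sigma[0]
    if kind == "emp":
        return not h
    if kind == "pto":  # exactly one cell, at address s(x), holding the tuple s(t)
        _, x, ts = sigma
        return list(h) == [val(s, x)] and h[val(s, x)] == tuple(val(s, t) for t in ts)
    if kind == "star":  # some split of h satisfies the two conjuncts separately
        return any(sat_spatial(s, h1, sigma[1], fuel) and sat_spatial(s, h2, sigma[2], fuel)
                   for h1, h2 in splits(h))
    _, name, args = sigma  # inductive predicate: unfold one step of its definition
    params, cases = DEFS[name]
    s_in = dict(zip(params, (val(s, a) for a in args)))
    return fuel > 0 and any(sat_heap(s_in, h, case, fuel - 1) for case in cases)

def sat_heap(s, h, F, fuel=None):
    """Does (s, h) satisfy symbolic heap F = (exists xs. pures : sigma)? Witnesses for
    xs range over nil, stack values, heap addresses and cell contents (no fresh values)."""
    exvars, pures, sigma = F
    fuel = len(h) + 1 if fuel is None else fuel  # assumes each unfolding consumes a cell
    cands = {NIL, *h, *s.values()} | {v for cell in h.values() for v in cell}
    def ok(ws):
        s2 = {**s, **dict(zip(exvars, ws))}
        return (all((val(s2, a) == val(s2, b)) == (op == "eq") for op, a, b in pures)
                and sat_spatial(s2, h, sigma, fuel))
    return any(ok(ws) for ws in product(sorted(cands), repeat=len(exvars)))
```

Enumerating all 2^n heap splits and all witness tuples is what makes the naive check exponential; the paper's syntactic restrictions are exactly what tame this blow-up.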