Automated Verification with HIP and SLEEK
Asankhaya Sharma
Recall the List length Example
int length(struct node* p)
/*@ requires p::list<n,B>
    ensures  p::list<n,B> & res=n; */
{
  if (p == NULL) return 0;
  else return 1 + length(p->next);
}

The annotation p::list<n,B> captures three properties at once: memory safety (the shape of the list), the length of the list (n), and the bag of values it holds (B).
With Inference
int length(struct node* p)
/*@ infer [H,G]
    requires H(p)
    ensures  G(p); */
{
  if (p == NULL) return 0;
  else return 1 + length(p->next);
}
Second Order Variables for Unknown Predicates
Modular Shape Inference
Relational Assumptions
// Post (1)    H(p) & x = null  => G(p)
// Bind (2)    H(p) & x != null => x::node<_,q> * HP(q)
// Pre-Rec (3) HP(q) => H(p)
// Post (4)    x::node<_,q> * G(q) => G(p)
Predicate Derivation
For Pre Condition:
  H(p) == emp & p = null
       or p::node<_,q> * H(q)
For Post Condition:
  G(p) == emp & p = null
       or p::node<_,q> * G(q)
Linked List Predicate Inferred Automatically
Bi-Abduction
[Figure: bi-abduction entailment. Antecedent (1) * inferred precondition (4) entails consequent (2) * residue (R3).]
Compositional shape analysis by means of bi-abduction. Calcagno C., Distefano D., O'Hearn P. W. and Yang H. POPL 2009.
Achievement: scalable automated shape analysis!
Incremental Specification
• Formal specs are important for verification and documentation.
• Tedious for legacy systems and maintenance efforts.
• The user's role is to guide the inference process.
• Our thesis: specification can be developed incrementally and when needed.
Inference Example
  infer [x,Q3]
  requires x::ll<n1> * y::ll<n2>
  ensures  x::ll<n3> & Q3(n1,n2,n3)
Inferred specification:
  requires x::ll<n1> * y::ll<n2> & x != null
  ensures  x::ll<n3> & n1+n2=n3

Inference Example
  infer [R]
  requires x::ll<n1> * y::ll<n2> & x != null & Term[R(n1,n2)]
  ensures  x::ll<n3> & n1+n2=n3
Inferred specification:
  requires x::ll<n1> * y::ll<n2> & x != null & Term[n1]
  ensures  x::ll<n3> & n1+n2=n3
Selective Entailment
[Figure: selective entailment with inference variables [v*]. Antecedent (1) * inferred precondition (4) entails consequent (2) * residue (3); inferred definitions (d).]
Key Principles
• Selective Inference
• Inferable Heap Locations
• Never Inferring False
• Antecedent Contradiction
• Unknown Relation/Function Derivation
Selective Inference
  [x] x::ll<n> |- x::node<_,q>
      inferred pre: x != null    residue: q::ll<n-1>
  [n] x::ll<n> |- x::node<_,q>
      inferred pre: n > 0        residue: q::ll<n-1>

Selective Inference
  [x] x::ll<n> |- x::node<_,null>
      FAIL
  [n] x::ll<n> |- x::node<_,null>
      inferred pre: n = 1        residue: emp
Inferring Heap Locations
• Heap state may be inferred
  [x] emp |- x::node<_,null>
      inferred pre: x::node<_,null>    residue: emp
• Allows predicates to be inferred
• Allows cascaded heaps by adding auxiliary variables
Never Inferring False
  [x] true |- x > x
      FAIL
  [x] true |- x::node<_,_> * x::node<_,_>
      FAIL
Antecedent Contradiction
• What if a contradiction is detected between 1 and 2 in [v*] 1 |- 2?
• Add a pre over v* to support the contradicted antecedent.
Antecedent Contradiction
  [b] x=1 & b>0 |- x=2
      inferred pre: b<=0        residue: false
  [x] x=null |- x::node<_,q>
      inferred pre: x != null   residue: false
Selective Inference
  [Q] x::node<_,y> * y::ll<n2> & n1=1 |- x::ll<n3> & Q(n1,n2,n3)
      relational assumption: n1=1 & n3=n2+1 => Q(n1,n2,n3)
  [Q] x::node<_,y> * y::ll<n2> & Q(n1-1,n2,n3) |- x::ll<n3> & Q(n1,n2,n3)
      relational assumption: n3=n2+1 & n1>0 & Q(n1-1,n2,n3) => Q(n1,n2,n3)

FixPoint Calculation
  n1=1 & n3=n2+1 => Q(n1,n2,n3)
  n3=n2+1 & n1>0 & Q(n1-1,n2,n3) => Q(n1,n2,n3)
  fixpoint: n1>0 & n2>=0 & n3=n1+n2 => Q(n1,n2,n3)
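The fixpoint calculation above, as an added example that is not from the slides or from the HIP/SLEEK tools: the two relational assumptions are iterated over a bounded, constructed domain until no new triple of Q(n1,n2,n3) is derived, and the result is checked against the closed form n1>0 & n2>=0 & n3=n1+n2 stated for this example. The recursive assumption is taken here in the form n1>1 & Q(n1-1,n2,n3-1) => Q(n1,n2,n3), which is an assumption made for this example, and BOUND is a constructed domain size.

```python
from itertools import product

BOUND = 8  # constructed finite domain: n1, n2, n3 each range over 0..BOUND


def base_rule(n1, n2, n3):
    # Relational assumption from the single-node case on the slide:
    #   n1 = 1 & n3 = n2 + 1  =>  Q(n1, n2, n3)
    return n1 == 1 and n3 == n2 + 1


def step_rule(n1, n2, n3, q):
    # Recursive relational assumption, ASSUMED here in the form
    #   n1 > 1 & Q(n1-1, n2, n3-1)  =>  Q(n1, n2, n3)
    # (one more node on x gives one more node in the result).
    return n1 > 1 and (n1 - 1, n2, n3 - 1) in q


def least_fixpoint(bound=BOUND):
    """Iterate both rules from the empty relation until nothing new is derived."""
    domain = list(product(range(bound + 1), repeat=3))
    q = set()
    while True:
        new = {t for t in domain
               if t not in q and (base_rule(*t) or step_rule(*t, q))}
        if not new:
            return q          # no rule adds a triple: least fixpoint reached
        q |= new


def closed_form(n1, n2, n3):
    # Candidate closed form of Q reported by the fixpoint calculation:
    #   n1 > 0 & n2 >= 0 & n3 = n1 + n2
    return n1 > 0 and n2 >= 0 and n3 == n1 + n2


def closed_form_matches(bound=BOUND):
    """True iff, on the bounded domain, the iterated relation and the closed
    form hold of exactly the same triples (no triple lost, none invented)."""
    q = least_fixpoint(bound)
    domain = product(range(bound + 1), repeat=3)
    return all(closed_form(*t) == (t in q) for t in domain)


if __name__ == "__main__":
    print(sorted(least_fixpoint(4)))
    print(closed_form_matches())
```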
Inferring Heap Locations
• Auxiliary variables may be added
  [x] emp |- x::node<_,q> * q::node<_,null>
  [x, x1] emp |- x::node<_,q> * q::node<_,null>
      inferred pre: x::node<_,x1> * x1::node<_,null> & x1=q
  [x, x1] emp |- x::node<_,q> * q::node<_,null>
      inferred pre: x::node<_,x1> & x1=q
Inferring Unknown Relations
• Two kinds of relationships inferred
  Relational Obligation:  R(..) => c
  Relational Definition:  R(..) & c => R(...)
Further Reading
• Trinh, Minh-Thai, Quang Loc Le, Cristina David, and Wei-Ngan Chin. "Bi-Abduction with Pure Properties for Specification Inference." In Programming Languages and Systems, pp. 107-123. Springer International Publishing, 2013.