Mechanical Verification of a Garbage Collector

Similar documents
Static Program Transformations for Efficient Software Model Checking

Automated Theorem Proving - summary of lecture 1

ML for the Working Programmer

The Lean Theorem Prover

Foundational Proof Certificates

Model Checking: An Introduction

A Static Analyzer for Large Safety-Critical Software. Considered Programs and Semantics. Automatic Program Verification by Abstract Interpretation

Full and Complete Binary Trees

Introducing Formal Methods. Software Engineering and Formal Methods

Regression Verification: Status Report

Verifying Specifications with Proof Scores in CafeOBJ

CHAPTER 7 GENERAL PROOF SYSTEMS

Model Checking of Software

CS510 Software Engineering

Formal Verification of Software

CHAPTER 3. Methods of Proofs. 1. Logical Arguments and Formal Proofs

Relations: their uses in programming and computational specifications

Automated Program Behavior Analysis

CSE 459/598: Logic for Computer Scientists (Spring 2012)

Rigorous Software Engineering Hoare Logic and Design by Contracts

Coverability for Parallel Programs

A Generic Process Calculus Approach to Relaxed-Memory Consistency

Journal of Mathematics Volume 1, Number 1, Summer 2006 pp

The Model Checker SPIN

Electronic Voting Protocol Analysis with the Inductive Method

Computer-Assisted Theorem Proving for Assuring the Correct Operation of Software

Correspondence analysis for strong three-valued logic

Overview Motivating Examples Interleaving Model Semantics of Correctness Testing, Debugging, and Verification

Context-Bounded Model Checking of LTL Properties for ANSI-C Software. Jeremy Morse, Lucas Cordeiro, Bernd Fischer, Denis Nicole

Interactive Software Verification

NASA Technical Memorandum (Revised) An Elementary Tutorial on Formal. Specication and Verication. Using PVS 2. Ricky W.

Rigorous Software Development CSCI-GA

Lecture 13 of 41. More Propositional and Predicate Logic

Applications of formal verification for secure Cloud environments at CEA LIST

The Course.

Software Modeling and Verification

Formal Methods in Security Protocols Analysis

OUTILS DE DÉMONSTRATION

Bindings, mobility of bindings, and the -quantifier

Monitoring Metric First-order Temporal Properties

MATHEMATICS: CONCEPTS, AND FOUNDATIONS Vol. III - Logic and Computer Science - Phokion G. Kolaitis

A Case Study on Verification of a Cloud Hypervisor by Proof and Structural Testing

Verification of Imperative Programs in Theorema

Chair of Software Engineering. Software Verification. Assertion Inference. Carlo A. Furia

HOMEWORK 5 SOLUTIONS. n!f n (1) lim. ln x n! + xn x. 1 = G n 1 (x). (2) k + 1 n. (n 1)!

From Program Verification to Certified Binaries

Functional Programming. Functional Programming Languages. Chapter 14. Introduction

Formal Methods at Intel An Overview

Testing LTL Formula Translation into Büchi Automata


Formal Verification and Linear-time Model Checking

Concurrent Programming

Trust but Verify: Authorization for Web Services. The University of Vermont

Parametric Domain-theoretic models of Linear Abadi & Plotkin Logic

FORMALLY CERTIFIED SATISFIABILITY SOLVING. Duck Ki Oe. An Abstract

There is no degree invariant half-jump

Algorithms are the threads that tie together most of the subfields of computer science.

PROPERTECHNIQUEOFSOFTWARE INSPECTIONUSING GUARDED COMMANDLANGUAGE

facultad de informática universidad politécnica de madrid

Fixed-Point Logics and Computation

µz An Efficient Engine for Fixed points with Constraints

The Prime Numbers. Definition. A prime number is a positive integer with exactly two positive divisors.

COMPUTER SCIENCE TRIPOS

Chapter II. Controlling Cars on a Bridge

Modular Verification of Dynamically Adaptive Systems

EasyCrypt - Lecture 6 Overview and perspectives. Tuesday November 25th

Binary Search Trees CMPSC 122

Progress Report to ONR on MURI Project Building Interactive Formal Digital Libraries of Algorithmic Mathematics

WHAT ARE MATHEMATICAL PROOFS AND WHY THEY ARE IMPORTANT?

Handout #1: Mathematical Reasoning

Reasoning about Safety Critical Java

On Automation in the Verification of Software Barriers: Experience Report

Factoring & Primality

Termination Checking: Comparing Structural Recursion and Sized Types by Examples

Automatic Generation of Coq Certificates from Instrumented Static Analyzers

Software Testing. Quality & Testing. Software Testing

Ensuring Consistency in Long Running Transactions

TECH. Requirements. Why are requirements important? The Requirements Process REQUIREMENTS ELICITATION AND ANALYSIS. Requirements vs.

General Introduction


Introduction to Formal Methods. Các Phương Pháp Hình Thức Cho Phát Triển Phần Mềm

= = 3 4, Now assume that P (k) is true for some fixed k 2. This means that

Lecture Notes on Linear Search

Recent Developments on Algebraic Specification and Verification in CafeOBJ

Summary Last Lecture. Automated Reasoning. Outline of the Lecture. Definition sequent calculus. Theorem (Normalisation and Strong Normalisation)

Know or Go Practical Quest for Reliable Software

FROM SAFETY TO SECURITY SOFTWARE ASSESSMENTS AND GUARANTEES FLORENT KIRCHNER (LIST)

This asserts two sets are equal iff they have the same elements, that is, a set is determined by its elements.

Bounded Treewidth in Knowledge Representation and Reasoning 1

SEQUENCE-BASED SPECIFICATION OF CRITICAL SOFTWARE SYSTEMS

Extending Semantic Resolution via Automated Model Building: applications

MATHEMATICAL INDUCTION. Mathematical Induction. This is a powerful method to prove properties of positive integers.

Model Driven Security: Foundations, Tools, and Practice


A Propositional Dynamic Logic for CCS Programs

Software Verification: Infinite-State Model Checking and Static Program

Verification Everywhere: Security, Dependability, Reliability. Lenore D. Zuck Usable Verification, May 25, 2011

RANDOM INTERVAL HOMEOMORPHISMS. MICHA L MISIUREWICZ Indiana University Purdue University Indianapolis

Certified Computer Algebra on top of an Interactive Theorem Prover

Types, Polymorphism, and Type Reconstruction

Transcription:

Mechanical Verification of a Garbage Collector by Klaus Havelund FMPPTA 99 Talk by Sibylle Aregger

Motivation handwritten proofs are error prone show approach to verify algorithm mechanically 2

Contents 1. Garbage Collection Algorithm 2. Formal Methods Theorem Proving Model Checking 3. Proof in PVS 4. Verification in Murphi 5. Conclusion 3

Memory colour 0 1 2 ROOTS = 2 free list 0 3 1 2 3 1 4

Garbage Collection Algorithm Mutator Collector colour 0 1 2 ROOTS = 2 free list 0 3 1 2 3 1 5

Garbage Collection Algorithm Collectors steps: 1. Colour root nodes black 2. Propagate 3. Count black nodes 4. Append garbage nodes atomic instruction: each iteration within each step 6

Formal Methods Mathematical approach specification design analysis implementation software and hardware Proof of correctness (verification) Theorem proving vs Model checker 7

(Automated) Theorem Proving prove mathematical theorems by computer show: some statement is logical consequence of a set of statements often user inferences needed 8

Model Checking verify finite-state systems formally does model satisfy logical specification? brute-force enumeration of possible states state space explosion A B partial order reduction B A 9

PVS Prototype Verification System Theorem proving Formal specification and verification script proof edit rerun attach 10

Proof in PVS Define Types Variables Functions Axioms Theorems Theory 11

accessible define if a node is accessible accessible(n:node)(m):bool = EXISTS (p:list[node]):path(p)(m) AND last(p) = n 12

append_to_free append garbage node to free list append_to_free:[node -> [Memory -> Memory]] append_ax1: AXIOM colour(n)(append_to_free(f)(m)) = colour(n)(m) other axioms describing: closed memory, accessibility of nodes, effect on pointers 13

Garbage Collector Theory 2 program counters, state, initial state transition relation (TR) MUTATOR and COLLECTOR MUTATOR(s1, s2):bool= (EXISTS (m:node, i:index, n:node): s2 = Rule_mutate(m, I, n)(s1)) OR s2 = Rule_colour_target(s1) global transition relation (next) interleaving semantics of concurrency 14

Mutator two program counter values: MPC0, MPC1 two transition functions (pseudo code) Rule_mutate: if in MPC0 then change cell save new pointer set MPC1 else do nothing Rule_colour_target: if in MPC1 then colour saved ptr black set MPC0 else do nothing 15

Collector nine program counter locations CPC0 - CPC8 CPC0-CPC6: Marking phase Root Blackening Progapation Counting CPC7, CPC8: Appending phase COLLECTOR = U rule pc= CPC0.. CPC8 16

Collectors Locations Root black Propagation Count Append { { { { pc description next pc CPC0 blacken roots: done? y/n CPC1, CPC0 CPC1 continue propagation? y/n CPC2, CPC4 CPC2 node black? y/n CPC3, CPC1 CPC3 color sons? y/n CPC3, CPC1 CPC4 continue count? y/n CPC5, CPC6 CPC5 count if black CPC4 CPC6 bc = obc CPC7, CPC1 CPC7 continue append? y/n CPC8, CPC0 CPC8 append if white CPC7 17

Collector: CHI3 % CPC3: (Node is black) colour each son Rule_stop_colouring_sons(s):State = IF CPC(s) = CPC3 AND J(s) = SONS THEN s WITH [I := I(s) + 1, CPC := CPC1] ELSE s ENDIF Rule_colour_son(s):State = IF CPC(s) = CPC3 AND J(s) /= SONS THEN s WITH [M := set_colour(son(i(s),j(s))(m(s)),true)(m(s)), J := J(s) + 1, CPC := CPC3] ELSE s ENDIF 18

Safety property Proof: safety property must hold in all accessible states nothing but garbage is ever collected happens in CPC8 if node is white safe(s:state):bool = CPC(s) = CPC8 AND accessible(l(s))(m(s)) IMPLIES colour(l(s))(m(s)) 19

Proof of safey property test if a predicate holds in all possible states invariant(p:pred[state]):bool = FORALL (tr:trace)): FORALL (n:nat):p(tr(n)) correctness criterion safe:theorem invariant(safe) not provable invariant strengthening 20

Sub-invariants split invariant into lemmas auxiliary function pi = preserved(i) for each invariant invx(s):bool = i_invx: LEMMA I IMPLIES invx p_invx: LEMMA pi(invx) finally: I conjunction of all those invariants 21

Proof I = inv1 & inv2 & inv1(s) := bool i_inv1: LEMMA I IMPLIES inv1 p_inv1: LEMMA pi(inv1) p_i: LEMMA pi(i) correct: LEMMA invariant(i) invariant(safe) 22

Numbers Total of 19 invariants 70 lemmas (55 safety, 15 lists) 98.5% automatically general approach: failure, result of unproven sequents new invariants, generalization by conjunction effort: 1.5 months 23

Murphi model checker (finite-state system) program components: global variables, initial state, TR, state invariant conditions interleaving transitions and shared variables Execution: automatically select TR where guard holds and execute this statement 24

Problems design choices: fixed memory boundaries memory as two-dimensional array append at head (cell(0,0)) algorithm for accessible state space explosion on large boundaries only verified for small boundaries 25

Verification in Murphi proof automatically < 14 minutes; but fixed boundaries of memory (n=3, s=2, r=1) concrete implementation decisions Experiment with n=4, i=2, r=2 did not finish within 24 hours done in 1999 26

Comparison PVS vs. Murphi PVS Murphi level of algorithm program verification verification abstract infinite not fully automatic partial implementation finite-state automatic 27

Conclusion compact algorithm 20 invariants and 70 lemmas effort 1.5 months Murphi: no conclusive result 28

Memory Layout in PVS Types: NODE, INDEX, Root, Colour Functions: colour, set_colour, son, set_son Axioms for initial state, effect of change colour 0 1 2 0 3 1 2 3 1 29

PVS: next next(s1, s):bool = MUTATOR(s1, s2) OR COLLECTOR(s1, s2) 30

preserved preserved(i:pred[state]) (p:pred[state]):bool = (initial IMPLIES p) AND FORALL (s1,s2:state): I(s1) AND p(s1) AND next(s1,s2) IMPLIES p(s2) 31

Theorem provers Isabelle HOL Paradox ACL2 PVS Simplyfy Otter Vampire Waldmeister E SPASS Gandalf NuPRL MetaPRL Coq Mizar 32

PVS The Prototype Verification System is a comprehensive verification environment: it provides a specification language in which mathematical theories and conjectures can be specified, together with an interactive theorem prover. The PVS specification language is a higher-order logic with a rich type system that supports concise and perspicuous specifications. Its theorem prover provides powerful automation, with decision procedures for several theories including real and integer arithmetic. PVS has been available since 1993; its current version is 3.1. 33

PVS Language specification language based on higher-order logic built-in types type-constructors (functions, sets, tuples, records, enumerations, ) Predicate subtypes dependent types organization: parameteriyed theories with assumptions, deifinitions, axioms and theorems inductively defined relations arithmetic and logical operators, function application, lambda abstration 34

PVS Theorem Prover applied interactively under user guidance within a sequent calculus framework optimised for large proofs proofs yield scripts that can be edited, attached to additional formulas and rerun permits proof to be adjusted economically User Interface: Gnu or X Emacs 35

36

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information