Interactive Software Verification



Similar documents
Boogie: A Modular Reusable Verifier for Object-Oriented Programs

Regression Verification: Status Report

Rigorous Software Engineering Hoare Logic and Design by Contracts

The Boogie Verification Debugger (Tool Paper)

Computer Arithmetic Aliasing issues: Call by reference, Pointer programs

StaRVOOrS: A Tool for Combined Static and Runtime Verification of Java

Deterministic Discrete Modeling

Verification of Imperative Programs in Theorema

Building SMT-based Software Model Checkers: an Experience Report

The countdown problem

Stephen Drape. Oxford University Computing Laboratory. with thanks to Jeff Sanders

Verifying Semantic of System Composition for an Aspect-Oriented Approach

Object Invariants in Dynamic Contexts

Verifying security protocols using theorem provers

The cheap Program Verifier 1

Formal Engineering for Industrial Software Development

Unified Static and Runtime Verification of Object-Oriented Software

Automated Program Behavior Analysis

How To Write A Program Verification And Programming Book

A case study of C source code verification: the Schorr-Waite algorithm

Automated Theorem Proving - summary of lecture 1

Lecture Notes on Binary Search Trees

6th International Workshop on Systems Software Verification

4 PSP DC : An Adaptation of the PSP to Incorporate Verified Design by Contract

Reasoning about Safety Critical Java

Lecture Notes on Binary Search Trees

Rigorous Software Development CSCI-GA

Managing Proof Documents for Asynchronous Processing

Safe Object-Oriented Software: The Verified Design-By-Contract Paradigm

Tableaux Modulo Theories using Superdeduction

From Program Verification to Certified Binaries

LEVERAGING DEDUCTIVE VERIFICATION IN INDUSTRIAL CONTEXTS

Fully Abstract Operation Contracts

How to Make Ad Hoc Proof Automation Less Ad Hoc

Deseo Meeting Scheduler: Towards Automated Verification of Database Integrity Constraints

VSE II - Hybrid Automata to Express Realtime Properties

Constructing Contracts: Making Discrete Mathematics Relevant to Beginning Programmers

Smallfoot: Modular Automatic Assertion Checking With Separation Logic

Relations: their uses in programming and computational specifications

Termination Checking: Comparing Structural Recursion and Sized Types by Examples

Verifying design patterns in Hoare Type Theory. Kasper Svendsen, Alexandre Buisse and Lars Birkedal

The Common Framework Initiative for algebraic specification and development of software

Foundational Proof Certificates

Department of Computing Science and Mathematics University of Stirling

The Spirit of Ghost Code

Static Program Transformations for Efficient Software Model Checking

Harmless Advice. Daniel S Dantas Princeton University. with David Walker

Implications of a Data Structure Consistency Checking System

Topology-based network security

Static Analysis of Dynamic Properties - Automatic Program Verification to Prove the Absence of Dynamic Runtime Errors

Software Engineering Techniques

Model-based Security Testing of a Health-Care System Architecture:

Writing in the Computer Science Major

Combining Theorem Proving with Static Analysis for Data Structure Consistency

Software Testing & Verification 2013/2014 Universiteit Utrecht

Chair of Software Engineering. Software Verification. Assertion Inference. Carlo A. Furia

Tool Support for Invariant Based Programming

The KeY Platform for Verification and Analysis of Java Programs

Peter V. Homeier and David F. Martin. and

Lightweight Verification of Functional Programs

Quotes from Object-Oriented Software Construction

Eastern Washington University Department of Computer Science. Questionnaire for Prospective Masters in Computer Science Students

Lecture Notes on Linear Search

A Framework for the Semantics of Behavioral Contracts

A Formally Verified Calculus for Full Java Card

The Advantages of Dan Grossman CSE303 Spring 2005, Lecture 25

Formal Verification of Software

Verifying Specifications with Proof Scores in CafeOBJ

Removing Even Crossings

A Reasoning Concept Inventory for Computer Science

Recent Developments on Algebraic Specification and Verification with CafeOBJ

Runtime Verification of Computer Programs and its Application in Programming Education

Keywords Aspect-Oriented Modeling, Rule-based graph transformations, Aspect, pointcuts, crosscutting concerns.

Splicing Maps and Sets

A Note on Context Logic

Software Verification and Testing. Lecture Notes: Temporal Logics

A Case for Static Analyzers in the Cloud (Position paper)

Hoare Type Theory, Polymorphism and Separation

Loop Invariants and Binary Search

Electronic Voting Protocol Analysis with the Inductive Method

Introduction to Auction Design

Software-platform-independent, Precise Action Specifications for UML. Stephen J. Mellor. Project Technology, Inc.

Applications of formal verification for secure Cloud environments at CEA LIST

Tobias Nipkow, Gerwin Klein. Concrete Semantics. with Isabelle/HOL. February 29, Springer-Verlag

Mathematically Rigorous Software Design

6.852: Distributed Algorithms Fall, Class 2

Persistent Binary Search Trees

Verifying Spec# Delegates. Samuele Gantner

A Case Study on Verification of a Cloud Hypervisor by Proof and Structural Testing

Verified Firewall Policy Transformations for Test Case Generation

Modern Systems Analysis and Design

Analysis of Approximation Algorithms for k-set Cover using Factor-Revealing Linear Programs

Compositional May-Must Program Analysis: Unleashing the Power of Alternation

Proving That Non-Blocking Algorithms Don t Block

Computer Science at Kent

Types, Polymorphism, and Type Reconstruction

Automated Domain-Specific C Verification with mbeddr

POLYTYPIC PROGRAMMING OR: Programming Language Theory is Helpful

The Technology Behind a Graphical User Interface for an Equational Reasoning Assistant

µz An Efficient Engine for Fixed points with Constraints

Transcription:

Interactive Software Verification Spring Term 2013 Holger Gast gasth@in.tum.de 25.6.2013 1 H.Gast gasth@in.tum.de Interactive Software Verification, 25.6.2013

Today Manipulating lists on the heap Ghost variables as a specification tool 2 H.Gast gasth@in.tum.de Interactive Software Verification, 25.6.2013

Recap 3 H.Gast gasth@in.tum.de Interactive Software Verification, 25.6.2013

Correctness with Abstractions 4 H.Gast gasth@in.tum.de Interactive Software Verification, 25.6.2013

The Problem of Aliasing {r0 = q point-y point-alloc p p q}p->y = 0;{r0 = q point-y} Proof obligation: exclude aliasing field-get point-y q = field-get (field-upd point-y p 0) q 5 H.Gast gasth@in.tum.de Interactive Software Verification, 25.6.2013

Separation Lemmas & Split k / { i..<j } = elems (aset k y a) i j = elems a i j Lift (non-)aliasing proofs to abstractions 6 H.Gast gasth@in.tum.de Interactive Software Verification, 25.6.2013

Cheat Sheet 7 H.Gast gasth@in.tum.de Interactive Software Verification, 25.6.2013

Burstall s Heap Model 8 H.Gast gasth@in.tum.de Interactive Software Verification, 25.6.2013

Lists on the Heap Using Burstall s heap model inductive list :: alloc nxt addr addr list addr bool where emptyi: [ p = q; xs = [] ] = list alloc nxt p xs q consi: [ alloc p; p NULL; list alloc nxt (p nxt) xs q ] = list alloc nxt p (p # xs ) q 9 H.Gast gasth@in.tum.de Interactive Software Verification, 25.6.2013

Example: Counting the List Nodes define-struct {* struct node { int data; struct node *next; } *} pre: list node-alloc node-next p XS NULL post: nat n = length XS n = 0; /*@ ys. list node-alloc node-next p ys NULL length XS = nat n + length ys 0 n */ while (p!= null) { n = n + 1; p = p->next; } 10 H.Gast gasth@in.tum.de Interactive Software Verification, 25.6.2013

Example: Sum over List Data pre: "list node-alloc node-next p XS NULL p = P" post: "s = listsum (list-data node-data XS)" s = 0; /*@ xs ys. list node-alloc node-next P xs p list node-alloc node-next p ys NULL XS = xs @ ys s = listsum (list-data node-data xs) */ while (p!= null) { s = s + p->data; p = p->next; } 11 H.Gast gasth@in.tum.de Interactive Software Verification, 25.6.2013

Manipulating Lists 12 H.Gast gasth@in.tum.de Interactive Software Verification, 25.6.2013

Side-effects and Separation Lemmas Problem: side-effects may destroy list structure Insight: result of list depends only of nodes in fragment lemma list-sep[simp]: r / set xs = list alloc (field-upd nxt r y) p xs q = list alloc nxt p xs q Reduced aliasing problem to proving set properties Isabelle s provers solve such proof obligations 13 H.Gast gasth@in.tum.de Interactive Software Verification, 25.6.2013

Example: List Reversal q = NULL; while (p NULL) { t = p nxt; p->nxt = q; q = p; p = t; } 14 H.Gast gasth@in.tum.de Interactive Software Verification, 25.6.2013

Invariant of List Reversal ys zs. list alloc nxt p zs NULL list alloc nxt q ys NULL XS = rev ys @ zs set zs set ys = {} distinct zs Initial list is XS During loop: two lists starting at p and q Invariant strategy partial result : XS has already been partially reversed State disjointness to exclude alias Holds initially, since q=null, i.e. ys=[] 15 H.Gast gasth@in.tum.de Interactive Software Verification, 25.6.2013

Cheat Sheet 16 H.Gast gasth@in.tum.de Interactive Software Verification, 25.6.2013

Preserving the Invariant ys zs. list alloc nxt p zs NULL list alloc nxt q ys NULL XS = rev ys @ zs set zs set ys = {} distinct zs We write to p, such that we must Extract p from the list abstraction Prove that green nodes are not changed Apply separation lemma for lists Finally add node p to list at q Befor reading on, look at the cheat sheet on p. 7 17 H.Gast gasth@in.tum.de Interactive Software Verification, 25.6.2013

Looking at the Single Steps Extract p from the list abstraction [p NULL; xs. zs = p # xs alloc p list alloc nxt (field-get nxt p) xs NULL; list alloc nxt q ys NULL; set zs set ys = {}; distinct zs ] = ysa zsa. list alloc (field-upd nxt p q) (field-get nxt p) zsa NULL ( xs. ysa = p # xs alloc p list alloc (field-upd nxt p q) q xs NULL) set zsa set ysa = {} distinct zsa rev ys @ zs = rev ysa @ zsa -quantifiers are annoying (clarsimp & exi) [p NULL; list alloc nxt q ys NULL; alloc p; list alloc nxt (field-get nxt p) xs NULL; p / set ys; set xs set ys = {}; p / set xs ; distinct xs ] = list alloc (field-upd nxt p q) (field-get nxt p) xs NULL list alloc (field-upd nxt p q) q ys NULL set xs set (p # ys) = {} rev ys @ p # xs = rev (p # ys) @ xs Only remaining problem: side-effects 18 H.Gast gasth@in.tum.de Interactive Software Verification, 25.6.2013

Rewriting with the Separation Lemma Simplify: list alloc (field-upd nxt p q) (field-get nxt p) xs NULL Pre-condition of list_sep yields goal p / set xs Nice: given by the distinct clause of the invariant Apply same ideas to second list abstraction In this case we could also use a lemma on the special case [3]: lemma list-hd-not-in-tl: list alloc nxt (field-get nxt p) xs NULL = p / set xs 19 H.Gast gasth@in.tum.de Interactive Software Verification, 25.6.2013

Slightly More Automatic Proofs Have understood outline of proof Unfold lists by list-step Remove side-effects by list-sep All side-conditions are proven by auto Isabelle should be of more assistance apply vcg apply (auto simp add: list-step) apply (rule-tac x= p # ys in exi) apply auto done Only a little help needed on one -quantifier Can be get rid of this remaining piece of interaction? 20 H.Gast gasth@in.tum.de Interactive Software Verification, 25.6.2013

Ghost Variables 21 H.Gast gasth@in.tum.de Interactive Software Verification, 25.6.2013

Ghost-Variablen Idea: witnesses for -quantifiers follow computation Write down witnesses as assignments Ghost variables (e.g. [1]) Can be written to like ordinary variables Can be read in assertions & ghost statements Cannot be read in non-ghost statements Will not be required during execution Content: any HOL values (lists, trees, functions,... ) Example: list-sum with ghost variables (interactive) Beware: auxiliary variables Those are -quantified They cannot be modified Goal: connect pre-/post-condition & invariants 22 H.Gast gasth@in.tum.de Interactive Software Verification, 25.6.2013

List Reversal with Ghost Variables q = null; //@ ys = [] //@ zs = XS /*@ list node-alloc node-next p zs NULL list node-alloc node-next q ys NULL set zs set ys = {} distinct zs XS= rev ys @ zs */ while (p!= null) { t = p next; p next = q; q = p; p = t; //@ ys = (hd zs) # ys //@ zs = tl zs }... by vcg (fastforce simp add: list-step)+ // that s it! 23 H.Gast gasth@in.tum.de Interactive Software Verification, 25.6.2013

Loop updates ghots state Looking at the Details list node-alloc node-next p zs NULL list node-alloc node-next q ys NULL... //@ ys = (hd zs) # ys //@ zs = tl zs Compare to idea of code 24 H.Gast gasth@in.tum.de Interactive Software Verification, 25.6.2013

Example: Destructive List Append if (p == null) r = q; else { r = p; //@ xs1 = [] //@ xs2 = XS while (p->next!= null) { p = p->next; //@ xs1 = xs1 @ [ hd xs2 ] //@ xs2 = tl xs2 } p->next = q; } 25 H.Gast gasth@in.tum.de Interactive Software Verification, 25.6.2013

The Proof Structure with Ghost State Previously: ys. list node-alloc node-next p ys NULL Must fill ys while proving Ghost state: result of reading a list from a heap is given Can simplify proving proving by classical reasoners Introduce rewrite rules list alloc nxt p [] q = (p = q) list alloc nxt p (x # xs) q = (p = x alloc p p NULL list alloc nxt (p nxt) xs q) list alloc nxt p (xs @ ys) q = ( r. list alloc nxt p xs r list alloc nxt r ys q) 26 H.Gast gasth@in.tum.de Interactive Software Verification, 25.6.2013

Precondition The Core Assertions list node-alloc node-next p XS NULL list node-alloc node-next q YS NULL Postcondition list node-alloc node-next r (XS @ YS) NULL Invariant list node-alloc node-next r xs1 p list node-alloc node-next p xs2 NULL list node-alloc node-next q YS NULL XS = xs1 @ xs2 p NULL 27 H.Gast gasth@in.tum.de Interactive Software Verification, 25.6.2013

Adding Disjointness Assertions Clearly the two input lists are disjoint set XS set YS = {} Furthermore, we find that the first list must not be cyclic distinct XS Both are maintained (obviously) by the loop And then enable us to reason about the final p->next = q; 28 H.Gast gasth@in.tum.de Interactive Software Verification, 25.6.2013

Conclusion Concept: ghost state Store HOL values in mutable locations Cannot access from usual program Not present during execution Role in proofs: provide witnesses for existentials Proofs can compute abstractions Proofs become more automatic The (efficient) simplifier can do more SMT-Solvers can do more [2, 4] 29 H.Gast gasth@in.tum.de Interactive Software Verification, 25.6.2013

References [1] Mike Barnett, Bor-Yuh Evan Chang, Robert DeLine, Bart Jacobs, and K. Rustan M. Leino. Boogie: A modular reusable verifier for object-oriented programs. In 4th International Symposium on Formal Methods for Components and Objects, volume 4111 of LNCS. Springer, 2006. [2] K. Rustan M. Leino. Dafny: An automatic program verifier for functional correctness. In 16th International Conference on Logic for Programming Artificial Intelligence and Reasoning (LPAR-16), 2010. [3] Farhad Mehta and Tobias Nipkow. Proving pointer programs in higher-order logic. Inf. Comput., 199(1 2):200 227, 2005. [4] Micha lmoskal. Programming with triggers. In Bruno Dutertre and Ofer Strichman, editors, SMT 09: Proceedings of the 7th International Workshop on Satisfiability Modulo Theories. ACM, 2009. 30 H.Gast gasth@in.tum.de Interactive Software Verification, 25.6.2013

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information