Checking Reachability using Matching Logic
Grigore Rosu and Andrei Stefanescu
University of Illinois, USA

Main Goal

Language-independent program verification framework
- Derive program properties from operational semantics

Questions:
- Is it possible?
- Is it practical?

Answers:
- Sound and complete proof system, so YES, it is possible!
- Efficient automated verifier MatchC, so YES, it is practical!

Overview

- State-of-the-art in Certifiable Verification
- Our Approach
- Specifying Reachability Properties
- Reasoning about Reachability

Operational Semantics

- Easy to define and understand
  - Can be regarded as formal “implementations”
  - Require little mathematical knowledge
  - Great introductory topics in PL courses
- Scale up well
  - C (>1000 rules), Java, Scheme, Verilog, …, defined
- Executable, so testable
  - C semantics tested against real benchmarks

Operational Semantics

- Sample rule (may require a configuration context)
- Define languages only with rules of the form
  - l, r are configuration terms
  - b is a Boolean side condition

Unfortunately …

Operational semantics considered inappropriate for program verification; proofs are low-level and tedious:
- Formalization of and working with the transition system
- Typically by induction
  - on the structure of the program
  - on the number of execution steps
  - etc.

Axiomatic Semantics (Hoare Logic)

- Emphasis on program verification
- Programming language captured as a formal proof system deriving Hoare triples

(figure: a Hoare triple with its precondition and postcondition labelled)

Axiomatic Semantics

- Not easy to define and understand, error-prone
  - Write e = 1 and you’ve got a wrong semantics!
- Not executable, hard to test
- Require program transformations, behavior loss

State-of-the-art in Certifiable Verification

- Define an operational semantics: trusted language model
- Define an axiomatic semantics: for verification purposes
- Prove axiomatic semantics sound for operational semantics
- Now we have trusted verification … BUT
  - Requires two semantics of the same language
    - C operational semantics took more than 2 years!
  - Must be done individually for each language

Our Approach

- Underlying belief: one semantics for each language!
  - Executable (testable), easy to define and understand
  - Suitable for program verification, “as is”
- Approach: language-independent proof system
  - Takes operational semantics unchanged
  - Derives program properties
  - Both operational semantics rules and program specifications stated as reachability rules

Reachability Rules

Pairs of configuration predicates

Reachability: any concrete configuration satisfying the left-hand predicate and terminating reaches a configuration satisfying the right-hand predicate, in the transition system induced by the operational semantics.

Reachability Rules: Operational + Axiomatic

- Operational flavor
- Axiomatic flavor

Hoare Triple = Syntactic Sugar

Matching Logic

- State static properties of program configurations
- Parametric in a model of configurations
- Extends first-order logic with patterns
  - Special predicates which are configuration terms
  - Configurations satisfy patterns iff they match them

(figure: C configurations, extra 70 cells)

Model of Configurations: Properties

- Configuration abstraction (list)
- “Separation” achieved at term level
- Operations (reverse)

Separation Logic = Matching Logic Instance

- Separation logic: popular logic for heap properties
- Mechanical translation to matching logic (see paper)
- Configuration: separation encoded using different sub-terms
- No expressiveness loss from using matching logic
- Matching logic gives “structural separation” anywhere in the configuration, not only in the heap

Operational and Axiomatic Semantics Rules as Reachability Rules

Reachability rules generalize
- Operational semantics rules
- Hoare triples

- Operational semantics rule is syntactic sugar for a reachability rule
- Hoare triple encoded in a reachability rule with the empty code in the right-hand side (see FM’12)

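A worked instance of both encodings, added here as an illustration and not taken from the slides. It assumes an IMP-like K configuration with a k cell holding the remaining code and an env cell mapping program variables to values, and the paper's rule shape l ∧ b ⇒ r; the lookup rule, the program x := x + 1 and the constraints are constructed, with a, a' as logical (non-program) variables.

\[
\text{Operational lookup rule, which is already a reachability rule of the form } l \wedge b \Rightarrow r:
\]
\[
\underbrace{\langle\langle x \curvearrowright k\rangle_k\ \langle\sigma\rangle_{env}\rangle_{cfg}}_{l}
\ \wedge\ \underbrace{x \in \mathrm{dom}(\sigma)}_{b}
\ \Rightarrow\
\underbrace{\langle\langle \sigma(x) \curvearrowright k\rangle_k\ \langle\sigma\rangle_{env}\rangle_{cfg}}_{r}
\]
\[
\text{Hoare triple } \{x \ge 0\}\ x := x + 1\ \{x \ge 1\}\text{, encoded with empty code } \cdot \text{ in the right-hand side:}
\]
\[
\langle\langle x := x + 1\rangle_k\ \langle x \mapsto a\rangle_{env}\rangle_{cfg} \wedge a \ge 0
\ \Rightarrow\
\exists a'.\ \big(\langle\langle \cdot\rangle_k\ \langle x \mapsto a'\rangle_{env}\rangle_{cfg} \wedge a' \ge 1\big)
\]

Reading it with the definition from the Reachability Rules slide: any concrete configuration matching the left pattern binds x to some integer a ≥ 0; running the assignment under the operational semantics ends with an empty k cell and x ↦ a + 1, so choosing a' = a + 1 satisfies a' ≥ 1 and the rule is semantically valid.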
Reasoning about Reachability

The main result of our paper is a proof system deriving reachability rules from reachability rules:
- Trusted reachability rules (starts with operational semantics)
- Target reachability rule
- Claimed reachability rules

Reachability Proof System: 8 Rules

- Symbolic execution (multiple steps)
- Symbolic execution (one step)
- Code with circular behavior

Circular behaviors

- Circularity and Transitivity proof rules (language-independent)
- Hoare logic rule for while loops (language-specific)

Soundness

Theorem: If a reachability rule is derivable by the proof system, then it is semantically valid.

Relative Completeness

- Relativity: validity oracle for static configuration properties
- Language-independent result, unlike Hoare logics

Theorem: If a reachability rule is semantically valid, then it is derivable by the proof system, with the operational semantics of a language as the trusted rules.

MatchC

- Proof-of-concept verifier for a C fragment
- Derives program specifications from the operational semantics (in the K framework) using the proof system
- No Hoare/separation logic, no WP, no VC generation
- Automated, user only provides specifications for recursive functions and loops

MatchC Snapshot

(screenshot: list reverse, code + invariant)

Implementation

Heuristics for applying the proof system
- (forward) symbolic execution
- Matching logic reasoning
  - Maude: efficient structure matching and rearranging (matching a list in the heap, …)
  - SMTs (CVC3, Z3): simplifying constraints (small queries, milliseconds each)

Preliminary Evaluation

Program                 Time (s)
Buffered read-write     0.15
Stack inspection        0.24
Insertion sort          0.41
Merge sort              0.47
Quicksort               1.97
AVL find                0.15
AVL insert              43.5
AVL delete              133.58
Schorr-Waite (tree)     0.28
Schorr-Waite (graph)    1.73
…                       …

Dozens more programs at matching-logic.org
Only annotated main functions (insert/delete). Inlined auxiliary functions (balance, rotate, …).

Conclusions

Matching logic reachability proof system
- Sound and (relatively) complete
- Practical
  - MatchC, an automated verifier
  - Expressive
  - Efficient
Operational semantics based verification is viable!

matching-logic.org