Patrick M Rondon Ming Kawaguchi Ranjit Jhala University of California San Diego Refinement Type Inference Invariant Discovery Liquid Types C Program Verification Vs Liquid Types ID: 579132
Download Presentation The PPT/PDF document "Low-Level Liquid Types" is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Slide1
Low-Level Liquid Types
Patrick M.
Rondon
, Ming Kawaguchi,
Ranjit
Jhala
University of California, San DiegoSlide2
Refinement Type Inference
(Invariant Discovery)
Liquid Types
C Program Verification Vs. Liquid Types
x++;
C Program
x : positive
int
…
Inferred Refinement Types
(Discovered Invariants)
How Do We Fit C To Liquid Types?Slide3
Positive
Addressing C’s Challenges
void
init (
string *
s,
int
n) { s->len = n; s->
str = malloc(n);
}
void
reinit
(stringlist *
sl
) {
while
(
sl
!=
NULL) { init (sl->s, random ()); sl = sl->next; }}
struct string { int len; char *str;}
Points To Start Of len Bytes
1.
Expressing Invariants?
2.
Temporary Violations?
3.
Unknown Aliasing?
str
Hasn’t Been Set Yet
sl
, sl->next May Alias
Challenge
Types & Refinement Types
Strong Updates
Check In, Check Out Discipline
Solution
Adapt C To Liquid Types
+
+Slide4
Refinement Type Inference
(Invariant Discovery)
Liquid Types
C Program Verification With Liquid Types
C Program
x : positive
int
…
Inferred Refinement Types
(Discovered Invariants)
Automatically Adapt C Programs To Fit Liquid Types
C Program
+ Types
+ Strong Update
+ Check In, Check Out
x++;Slide5
Overview
Basic Types
Refinement Types
Refinement Types And Collections
Refinement Type InferenceEvaluationSlide6
Basic Types
We first describe the basic structure of the heapSlide7
Offset
4
Offset
0
After 4-byte
int
fst
Basic Types And Heaps By Example
struct
pair {
int
fst
;
int
snd
;}p->fst++;p->snd++;p : ref(L, 0)0 : int(4, 0)4 : int(4, 4)
Type Givenint(4, ⊤)int(4, ⊤)L ⟼
Read/Write int(4, ⊤)
At Offset
0
In L
p + 0
:
ref(L, 0)
At Offset 4 In L
p + 4
: ref(L, 4)
At Start Of Struct
Pointer To Location L At Byte Offset 0
4-Byte Integer With Value 0
Pointer To Location L At Byte Offset
0
4-Byte Integer With Value 4
*(p + 0)++;
*(p + 4)++;
Pointer To Location L At Byte Offset 4
Read/Write
int
(4, ⊤)Slide8
Overview
Basic Types
Refinement Types
Refinement Types And Collections
Refinement Type InferenceEvaluationSlide9
Refinement Types
We use refinement types to express invariantsSlide10
Offset
4
Offset
0
Refinement Types And Heaps
{
ν
:
type
| p(ν
)}
type
Refinement Predicate
{ν: int(4, ⊤ ) |
ν > 0}
{
ν
:
ref(L,
0
)
| ν ≠ 0}Positive IntegerNon-NULL PointerPair With snd ≥ fstint(4, ⊤)L ⟼
Denotes fst Field{ν: int(4, ⊤) | ν ≥ @0}fst Fieldsnd FieldSlide11
Offset
4
Offset
0
Maintaining The Invariant
p->
fst
++;
p->
snd
++;
L ⟼
int
{
ν ≥ @
0
}
Requires Flow-Sensitivity And Strong Update
Temporary Invariant Violation
int
(4, ⊤)
L ⟼ {ν: int(4, ⊤) | ν ≥ @0}
Invariant ReestablishedInvariant MaintainedSlide12
Value Names Enable Strong Update
int
{
ν
≥ @
0
}
L
⟼
{
ν
= f
0
}
{
ν
= f
4
}
L
⟼ f0 : intf4 : {ν ≥ f0}Records Same Invariant With Initial Values NamedChange @0 to f0
Env.Rename fst To f0Rename snd To f4Slide13
Using Strong Updates
f
0
:
int
f
4
: {
ν
≥ f
0
}
p->
fst++;p
->
snd
++;
{
ν
= f
0
}L ⟼ {ν = f4}Env.{ν = f
0 + 1}L ⟼ {ν = f4}{ν = f0 + 1}L ⟼ {ν = f4 + 1}
intL
⟼
{
ν ≥ @
0}
p->
fst
= p->
fst + 1;
Type {ν = f0
}Type {ν = f0
+ 1}
snd Unchanged
☑
Invariant Reestablished!p :
ref(L, 0)
Is Subsumed By:Slide14
Overview
Basic Types
Refinement Types
Refinement Types And Collections
Refinement Type InferenceEvaluationSlide15
Refinement Types And Collections
We adapt strong update to handle aliasingSlide16
struct
pair {
int
fst
;
int
snd;
pair *
next;}
Example: Loops and Linked Lists
while
(p !=
NULL
) {
p->
fst
++;
p->snd++; p = p->next; }intL ⟼ {ν ≥ @0}ref(L,
0)Many Items Represented By LintL ⟼ {ν ≥ @0}ref(L, 0)next Field
Abstract Location
…
Strong Updates To Abstract Locations Are Unsound!
Their Invariants Are “Locked”Slide17
Unfold And Fold: Check Out, Check In
All Satisfy L’s Invariant
Unfold p
…
…
p
“Checked Out”
L
p
Only Allow Accesses To
One
“Checked Out”
L
p
Must
“Check In” (Reestablish Invariant)To Check Out Another Item
All Satisfy L’s Invariant
…
Fold
“Check Out” p
“Check In” p
Accessing Other Items ForbiddenSlide18
Example: Fold & Unfold
p
->
fst
++;
p
->
snd
++;
int
{
ν
≥ @
0
}
L
⟼
{
ν
= f
0}Lp ⟼ {ν = f4}int
{ν ≥ @0}L ⟼ {ν = f0 + 1}Lp ⟼ {ν = f4 + 1}Fold
int
{
ν ≥ @
0}
L ⟼
Unfold
p
while (p != NULL
) { p->fst++; p->snd++; p = p->next;}
Unfold p At Loop Head
Fold Ensures Validity At Iteration’s End
Fold, Unfold Verify Collection Invariant
int
{
ν ≥ @0}
L ⟼
p : ref(L, 0)
☑
Invariant Maintained!Slide19
Overview
Basic Types
Refinement Types
Refinement Types And Collections
Refinement Type InferenceEvaluationSlide20
Inferring Refinement Types
p
->
fst
++;
p
->
snd
++;
{
R
}
{
S
}
L
⟼
{
ν
= f
0}Lp ⟼ {ν = f4}
{R}{S}L ⟼ {ν = f0 + 1}Lp ⟼ {ν = f4 + 1}
Fold
{
R
}
{
S}
L ⟼
Unfold
p
{R}
{S}L
⟼ ν
≥ *ν = 0…
ν ≥ f0ν
= 0…
{ν ≥ f
0, ν = 0, …}
{ν ≥ f0,
ν = 0, …}L ⟼
{
ν
≥ f
0,
ν
= 0, …
}
{
ν
≥ f
0,
ν
= 0, …
}
L
⟼
int
{
ν
≥ @
0
}
L
⟼
int
{
ν
≥ @
0
}
L
⟼
{
ν
≥ f
0,
ν
= 0, …
}
{
ν
≥ f
0,
ν
= 0, …
}
L
⟼
int
{
ν
≥ @
0
}
{
ν
≥ f
0,
ν
= 0, …
}
{
ν
≥ f
0,
ν
= 0, …
}
L
⟼
int
{
ν
≥ @
0
}
L
⟼
Unknown
Refinement Variables
Subtyping
Constraints Over Variables
Solve To Infer
Refinements
Liquid Types Overview:
Hints For Refinement Inference
Instantiate With Value Names
Assign Conjunction To Variables
Keep Only Valid RefinementsSlide21
Overview
Basic Types
Refinement Types
Refinement Types And Collections
Refinement Type InferenceEvaluationSlide22
Evaluation: CSolve
CSolve
C Source
void
incpairs
(pair *p) {
while
(p !=
NULL
) {
*(p +
offsetOf
(
fst
));
*(p +
offsetOf
(
snd
)); p = p->next; }}
Hintsν ≥ *ν ≤ *ν = * + 1☑Pointer Safe!Spatial Memory Safety:Array BoundsPointer DereferencesField Accesses☒Pointer Unsafe!Slide23
Benchmarks
Arrays
Arrays
Arrays
Arrays
Arrays
Arrays
Arrays
Arrays
Graphs
Graphs
Graphs
Linked Lists
Linked Lists
Linked Lists
Linked Lists
Linked ListsSlide24
Verifying C Programs
2.
Temporary Violations?
Strong Updates
3.
Unknown Aliasing?
Check In, Check Out Discipline
4.
Annotation Burden?
Liquid Types
1.
Expressing Invariants?
Types & Refinement Types
Challenge
Solution
pho.ucsd.edu/liquid