Effectively-Propositional Modular Reasoning about Reachability in Linked Data Structures CAV 13, POPL 14 Shachar Itzhaky

Transcription

1 Effectively-Propositional Modular Reasoning about Reachability in Linked Data Structures CAV 13, POPL 14 Shachar Itzhaky Anindya Banerjee Neil Immerman Ori Lahav Aleks Nanevski Mooly Sagiv TAU IMDEA UMASS TAU IMDEA TAU

2 Motivation Proving presence (absence) of pointer paths between memory allocated objects in a given program Partial program correctness Memory safety Absence of memory leaks Data structure invariants Acylicity, Sortedness Total program correctness Program equivalence Reasoning about Reachability

3 Program Termination {x <n * > y} traverse(node x, Node y) { } for (t =x; t!= y ; t = t.n) { } x n n n n y null

4 Disjoint Parallelism { : null (h<n * > k<n * > )} h n n n n x null k n n n null for (x =h; x!= null; x = x.n) { } y for (y=k; y!= null; y = y.n) { }

5 Challenges Complexity of reasoning about reachability assertions Undecidability of reachability (not even RE) Modularity How to specify the behavior on reachability independent of the call [Inferring reachability properties from the code and some assertions]

6 Link list manipulations are simple Simple to reason about correctness Small counterexamples Even for doubly/circular/nested lists Simple invariants Alternation Free + Reachability * *

7 EA( * * ) formulas Bernays-Schönfinkel-Ramsey t ::= var constant (Terms) ap ::= t 1 = t 2 r(t 1,t 2,, t n ) qf ::= ap qf 1 qf 2 qf 1 qf 2 qf ea ::= 1, 2, n : 1, 2, m : qf Effectively Propositional Skolimization yields finite models EQ-satisfiable to a propositional formula Support from Z3

8 EA( ) formulas Bernays-Schönfinkel-Ramsey 1, 2, : 1 : r( 1, 1 ) r( 1, 2 ) = sat 1 : r(c 1, 1 ) r( 1, c 2 ) = sat (r(c 1, c 1 ) r(c 1, c 2 )) (r(c 1, c 2 ) r(c 2, c 2 )) = sat (P 11 P 12 ) (P 12 P 22 )

9 Alternation Free Reachability (AF R ) Extended subset of EA Closed under negation t ::= var constant (Terms) ap ::= t 1 = t 2 r(t 1,t 2,, t n ) t 1 <f * > t 2 (Reachability via sequences of f s) (exists k: f k (t 1 )=t 2 ) qf ::= qf qf 1 qf 2 qf 1 qf 2 qf e ::= 1, 2,, n : qf a: ::= 1, 2,, m : qf af R ::= e a af R 1 af R 2 af R 1 af R 2

10 AF R Program Properties Acylicity (>2), : <n * > <n * > = n * n * Acyclic list with a head h, : h<n * > h<n * > <n * > <n * > = h n * n * Sorted segment, : <n * > data u n * u v v

11 AF R Program Properties Doubly linked acyclic lists f *, : <f * > <b * > b * Disjoint lists with heads h and k : null (h<n * > k<n * > ) h n * 1 k 2

12 List Reversal (isolated) {ac [h] : h <n * > } Node reverse(node h) { Node c = h; Node d = null; while {I} (c!= null) { Node t = c.next; c.next = d; d = c; c = t; } return d } I=, : <n * > <n * > c <n * > ( <n * > <n * > ) {ac[d], : <n * > <n * > : d <n * > } d<n * > d<n * >

13 Why AF R? Represent invariants of simple linked list manipulations Closed under,,,, wp x.n :=y Finite model property Decidable for satisfiability/validity AF R AF Can be reduced to a propositional formula SAT solver is complete for verification/falsification

14 AF R AF Introduce an auxiliary relation n* t[ <n * > ] =n * (, ) Axiomatize n* by an AF formula linord =, : n * (, ) n * (, ) = : n * (, ),, : n * (, ) n * (, ) n * (, ),, : n * (, ) n * (, ) (n * (, ) n * (, )) Completeness is satisfiable ( linord t[ ]) is satisfiable AF formulas have finite model

15 Inverting n* n Every finite model in which n* satisfies the order requirements:, : n * (, ) n * (, ) = : n*(, ),, : n * (, ) n * (, ) n * (, ),, : n * (, ) n * (, ) (n * (, ) n * (, )) n * uniquely determines n

16 Inverting n* n n * n * u n * n * n * y n * n * n * n * n * v x n * w n * n * <n + > <n * >

17 Inverting n* n n u n v n + n + n + n + y n + n n + n + x n + n + n n( )= <n + > : <n + > <n * > w

18 Simple SAT Application Determine if two clients are identical Produce isomorphic reachable stores reverse(reverse(h)) = h, : <n 1* > <n 0* >, : <n 2* > <n 1* >, : <n 0* > <n 2* >

19 Verification Process Program P Assertions VC gen Verification Condition P SAT Solver Counterexample Proof

20 Modular Specification Every procedure mutates a limited part of the heap footprint Can we specify the effect of the procedure on the footprint only? Provide a general adaptation rule for the context Possible for second order logics Transitive closure Separation Logic Can this be done in a weak logic?

21 An Adaptation Rule mod = the footprint New local path Old local path Old path New path

22 {ac [h] : h <n * > } List Reversal (isolated) Node reverse(node h) { Node c = h; Node d = null; while (c!= null) { Node t = c.next; c.next = d; d = c; c = t; } return d } {?} reverse(i); {ac[i] ] i<n*>j} {ac[d], : <n * > <n * > : d <n * > }

23 {ac [h]} When ownership breaks Node reverse(node h) { Node c = h; Node d = null; while (c!= null) { Node t = c.next; c.next = d; d = c; c = t; } return d }, : <n * > h null <n * > h<n * > h<n * > <n * > h<n * > h<n * > false h<n * > h<n * > : <n * > h<n * > h<n * > h<n * > <n * >n( )

24 Unbounded Cutpoints Node find(node x) { Node i = x.p; if (i!= null) { i = find(i); x.p = i; } else i = x; return i; } x b c a accessed branch null d

25 Complicated Mutations c 6 h h n * c c n * k k c 6 h h n * c c n * k k

26 Limited Programming Model Type correct programs Recursion instead of loops Limited amount of new sharing per call Deterministic transitive closure Specified changes Uniform changes Fixed number of contiguous intervals of changed parts of the heap

27 Small Footprint Destructive Updates x.n := y x y x y x null x n null x n * y y n * x

28 Large Footprint x.n := y Destructive Updates n * n * ( n * x y n * )) x y

29 Small Footprint Destructive Updates x.n := null x s x s x null x n s x n * s s n * x

30 Large Footprint x.n := null n * n * ( n * x n * x)) x y x y x y x y

31 Small Footprint Reverse modifies mod = [h, null) [d, d] { : null (h<n * > d<n * > )} (disjoint lists h, d) Node reverse(node h, Node d) { if (h == null) return d; else { Node t = h.next; h.next = d; return reverse(t, h); } } {, mod : <n * > ( <n * > =d)}

32 Large Footprint Reverse h reverse(h, null) z 1 z 2 z h z 1 z 2 z 3

33 Modular Reasoning Node find(node x) { Node i = x.p; if (i!= null) { i = find(i); x.p = i; } else i = x; return i; } y x y x mod null find(x) null mod

34 Modular Reasoning y y x null null null mod union(x,y) void union(node x, Node y){ Node t = find(x); Node s = find(y); if (t!= s) t.p = s; } x mod

35 An Adaptation Rule Unchanged path New local path mod Old local path Becomes unreachable Becomes reachable

36 An FOTC Adaptation Rule Unmodified edges q s,t: s<q> t s<f> t s mod t mod Paths in post state s, t: s<f*>t s<q*>t, mod : s<q*> <f*> <q*> t

37 An Adaptable Heap Logic Extend AF R with an idempotent function en mod Maps nodes into footprint entrance points Reducible to effectively propositional Even with nested recursive calls

38 Large Footprint Adaptation s en mod mod en mod (s) = min ([s,null) mod) s mod, t mod: s<f * >t en mod (s)<f * >t

39 An Adaptation Rule (Simplified) en mod (s 1 ) = null Unchanged path s 1 en mod (s 2 ) mod t 1 Old local path t 2 s 2 New local path ex 2 ex 1 Becomes unreachable s 2 <q * > <f * > <q * >t 3 en mod (s 2 )<f * > <f * >ex i ex i <f * >t 3 ex i t 3 Becomes reachable

40 An AE R Adaptation Rule s,t: s<f * >t en mod (s) = null s<f * >t t mod en mod (s)<f * >t ex i en mod (s)<f * >ex i ex i <f * >t * *

41 Small Footprint Specification in AF R Node find(node x) requires: x!= null ensures:,β: <p * >β =β β=r y x mod null find(x) where r = max p [x, null) y x null mod

42 Verification Time (Z3) Formula Size Solving Benchmark P,Q mod VC time # # # (Z3) SLL: filter s SLL: quicksort s SLL: insert-sort s UF:find s UF:union s

43 Disproving with SAT Formula Size Solving C.e. Size Benchmark Nature of defect P,Q mod VC time # # (Z3) (vertices) UF: find Incorrect handling of s 2 corner case UF: union Incorrect s 8 specification SLL: filter Uncontrolled sharing s 14 SLL: insert-sort Violating call precondition s 8

44 Example Bug x r = max p [x, null) Node find(node x) { Node i = x.p; if (i!= null) { i = find(i); x.p = i; } // else i = x; return i; } Bug: missing else branch x null find(x) null violates spec : x<p*> <p * >r (for =x)

45 Data Structures outside AF R Lists with the same lengths Trees General DAGs Grids

46 Mutations outside our adaptable logic Creation of unbounded sharing Changing multiple fields Nested linked lists

47 Property Guided Shape Analysis N. Bjorner, T. Reps, A.Thakur, T. Weiss Predictable Shape Analysis Simple fixed Predicate Abstraction Infer propositional invariants guided by the verification problem When the analysis fails: Concrete counterexamples A trace showing overly coarse abstraction Programmer can define new predicates using AF R Employ IC3/PDR

48 Related Work First Order Rechability Axioms [Nelson POPL 83] Useful axioms [Lev-Ami 09] Useful axioms + completeness study Incremental Methods [Hesse 03, Reps 03, Lahiri&Qadeer POPL 06] Decidable Logics [Mona, STRAND, LRP, Berdine 2004,Lahiri&Qadeer POPL 08, Wies, Muñiz,Kuncak 2011,12 ]

49 Summary Reduction to SAT Support modularity Works for many programs Principles Restricted invariants Inversion n* Uniform mutations Two logics