A short manual for the tool Accumulator

Transcription

1 A short manual for the tool Accumulator ZHAO Jianhua State Key Laboratory of Novel Software Technology Dept. of Computer Sci. and Tech. Nanjing University Nanjing, Jiangsu, P.R.China Abstract. This is a short manual for the code-verification tool Accumulator. 1 The main user interface of this tool The main window of this tool is divided into two parts. The left one is a tree view of the program and specification under verification. People can select a nodes in the left, and then do corresponding operations on the right part. The nodes in the left tree include: Declared variables. The Function Definition node. Select this node, the right part displays the user interface to manipulate function definitions. The Global Property node. Select this node, the right part displays the user interface to manipulate global properties. The tree view of the program and asserts (i.e. the program points). Select a program point, the right part displays the user interface to manipulate formulas in this node. In the program point nodes, the tool display the point number and how many formulas are inserted and how many of them have been proven. 2 About the memory scopes of recursive functions and global properties In our theoretical paper, the memory scope of a user-defined function is specified by a memory scope function. However, such a simple method may introduce too many recursive functions. In this tool, we let users input a memory scope expression for each defined function. The memory scope expression can use the formal parameters of the original function. Now the users are responsible for the correctness of these memory scope expression. Later, we will presents a method to check the correctness of memory scope expressions. We use SMT solver Z3 to do logical formula implications. However, Z3 can not deal with recursive function definitions directly. To solve this problem, we use This paper is supported by the Chinese National 863 Project, NO.2011AA010103

2 a set of global properties to express the properties about the defined functions. The correctness of these global properties is not treated in this tool. There are some high-order logical tools to deal with this problem. Our tool only use the memory scope expressions of defined functions and the global properties. The function definitions are in fact not used by this tool. An interesting advantage is that we can use some undefined functions during the code verification. 3 The main steps of code verification 3.1 Open a source file The first step of verification is to open the code under verification. The tool parses the code and displays the code in the left part of the main window. The tool does the following treatment. 1. The program point nodes (ASSERTS) are inserted into the program automatically. 2. Some spontaneous formulas are inserted automatically. These formulas are set as PROVED. These formulas are called spontaneous because they hold spontaneously at the point as long as the program runs normally. For an if-statement if (e) s 1 else s 2, e is inserted into the point before s 1, not e is inserted into the point before s 2. For a while-statement while (e) s, e is inserted into the point before s, not e is inserted into the point after this while-statement. For an allocation, the tool also inserted some spontaneous formulas. 3. Some mandatory formulas are inserted automatically. These formulas are set as UNPROVED. These formulas are called mandatory because they must hold so that the program can run without causing any exceptions like null-pointer-access or divided-by-zero. Before an assignment e 1 = e 2, the formula &e 1 nil is inserted. Some other formulas are also inserted into the point, to assure that the e- valuation of &e 1 and e 2 causes no exception. For example, before the assignment p = a/b + q f + a[i], the tool generates the formula p nil, b 0, q nil, 0 i and i c, where c is the number of elements of the array a. For an if-statement if (e) s 1 else s 2, some formulas are inserted into the point before this if-statement, to assure that e can be evaluated. For a while-statement while (e) s, some formulas are inserted to the point before this statement and the point after s, to assure that e can be evaluated. Before an allocation e 1 = alloc(t), the formula &e 1 nil is inserted. Some formulas are also inserted, to assure that the evaluation of &e 1 causes no exception.

3 3.2 Input or import user-defined functions and their properties The second step is to insert user-defined functions and global properties. You must input the memory scope expressions of these functions. These expressions may use the formal parameters in the definitions of their original functions. Input function definitions Select the Function Definitions node on the left part of the windows, the right part will display the function definitions already input in a table. Click on the last empty line in the table, you can input a function definition and its memory scope expression in a Dialog window. Though a memory scope function definition can be generated syntactically, the generated definition may hard to use and may generate to many recursive functions. With λ-expressions, we can reduce the number of functions significantly. NOTICE 1: Please make sure the memory scope expressions are correct. They are used when we transfer a formula form one program point to another. NOTICE 2: In fact, these function definitions are not used in code verification directly. We use global properties to specify the properties about these functions. We will later implement some mechanics to ensure the consistence between the function definitions and their global properties and memory scope expressions. Input Global Properties Select the Global Properties node on the left part of the windows, the right part will display the global properties already input in a table. The global properties are a set of uniquely numbered formulas. These formulas are used as premisses when we prove formulas by the SMT solver Z3. Click on the last empty line in the table, you can input a global property in a Dialog window. Click on a global property already exists, you can modify the global property. The new property has a new number after the modification. Import and export global properties Recursive function definitions and global properties are important for code verification. These definitions and properties are usually data-structure specific, and can be reused in the verification of other programs. Our tool supports reuse of these definitions and properties by exporting and importing them. You can import these definitions using the menu FILE >Open function definition file. To export these definitions, use the menu FILE >Save function definition file. NOTICE: After you insert formulas into program points, please don t modify the memory scope expressions you have input before. This may cause inconsistency if the memory scope expressions are already used. Till now, this tool does not guarantee the dependency on memory scope expressions yet. We will implement this feature soon.

4 3.3 Insert formulas and prove them Then you can insert formulas into program points and proved them. Usually, you should first insert the pre-conditions of the whole program into the entrance point (usually the point numbered 1), and the post-conditions inserted into the exit point. Then you input formulas into the program points and prove then. The verification process finishes when all the formulas (except the pre-conditions) are set as PROVED. You can use the menu File >Open Scope Logic File and File >Save or File >Save As to load and save files in the middle of verification. 4 Prove formulas 4.1 Formula status and dependencies A formula inserted into program points is either PROVED or UNPROVED. For a PROVED formula, the tool displays the reason by which it holds in the column Proved By of the table. It may dependents some other formulas and global properties. If people delete or modify one of those formulas/global properties, the status of this formula will be set to UNPROVED. 4.2 View, insert, and delete formulas View formulas Select an assert (program point) node in the left part of the main window, all the formulas in this point will be displayed in a table in the right window. On the top of the table, there are some buttons to manipulate the formulas. There may be many formulas in a program point (assert), you can use the menu Option >Hide Proved Intermediate Formulas to hide intermediate formulas from the table. You can select a set of formulas in the table, and click the Hide/Show button to hide or show these formulas, when the option is selected. Insert formulas Click on the last line of the table, or click the button Insert, you can input a formula in a popup dialog window. Some times, you may need to insert a formula similar to an existing one. You can select the existing formula and click the button Clone&Modify. The existing formula will display in the popup dialog window. You can modify the formula and insert to it. Delete formulas Select a set of formulas in the table, you can delete these formulas by clicking the button Delete, or hitting the key Delete. Modify formulas Click a existing formula in the table, you can modify the formula. The original formula is deleted. The new formula has a new unique number.

5 4.3 Prove by This is based on the axiom PST. Select a formula f on a point i, click Prove button, the tool will search in the current program point for a formula f such that f can be derived by adding into f. If such formula is found, f is set as PROVED and dependent on f. 4.4 Prove a formula as a spontaneous one The tool has ready insert some spontaneous formulas in the proper program points. However, there are some other formulas can be inserted and proved as a spontaneous one. After an assignment e 1 = e 2 Suppose the point before this assignment is i. You can select a formula f of the form e 1 == e 2 satisfying the following conditions and click the button Spontaneous, Removing operators in e 2 yields e 2. Removing operators in e 1 yields e 1 or (&e 1 ). The tool first checks the above conditions, and insert memory scope formulas &e 1 M(&e 1) and &e 1 M(&e 2) into the point i. The formula f is set as PROVED, and dependent on the memory scope formulas. These memory scope formulas are simplified automatically. In many cases, these formulas are simplified to a formula T RUE, and set as PROVED. For example, given an assignment c := c + p D, you can use this function to prove a formula c == c@i + p D after this assignment. The tool will insert formula &c {&p, &p D} into the point i, where i is the point before this assignment. The inserted formula can be simplified to T RUE. You can also insert a formula c == c + p D and have the tool proved as a spontaneous. However, the memory scope &c {&c, &p, &p D} is insert into the point i. This formula is equivalent to F ALSE, and can not be proved. After an allocation e 1 = alloc(t) Let the point before this allocation is i. You can prove formulas of one of the following form. not(e 1 = e 2). not(e 1 e 2). It is required that removing from e 1 yields e 1 or (&e 1 ). The tool inserts &e 1 M(&e 1) into the point i. This memory scope formula is simplified automatically. In many cases, this formula is simplified and proved automatically. 4.5 Transfer formulas There are two buttons (Transfer Forward, Transfer Backward) to transfer formulas from one program point to other points.

6 Transfer Forward Select one or more formulas f on a program i, click the Transfer Forward button, If i is before an if-statement if (e) s 1 else s 2, then f is copied to the points before s 1 and s 2. These two copies are both set as PROVED, and dependent on the formula f before this if-statement. If i is the point after one of the branches of an if-statement if (e) s 1 else s 2, f is copied to the point after another branch and the point after this ifstatement. The copy after this if-statement is set as PROVED, dependent on the two copies after the branches. If i is before a while-statement while (e) s, f is copied to the point before s, the point after s and the point after this while-statement. The copy at the point before s is set as PROVED, and dependent on the copy before the while-statement and the copy after s. The copy after this while-statement is also set as PROVED, and dependent on the copy before the while-statement and the copy after s. The copy before s is set as UNPROVED. In fact, this formula is a loop-invariant of this statement. If i is the point before an assignment e 1 = e 2 or an allocation e 1 = alloc(t), the formula not(&e 1 M(f)) is generated and inserted into the point i, and f is copied to the point after this statement, the copy is set as PROVED, and depends on the original copy at i and the formula not(&e 1 f) at the point i. The formula not(&e 1 f) may be automatically simplified into some other simpler formula. Usually, all the operators & in this formula are removed. For example, &v {&pt, &f irst} λ(x)(&x link)[listnodes(first)] can be automatically proved by our tool. So if we transfer a formula &pt ListNodes(first) from the point before v =... to the point after, the memory scope formula is proved automatically. NOTICE: Before transfer a formula, make sure that not(&e 1 M(f)) can be proved at point i. For example, you can not transfer a formula i < 10 before the assignment i := 5, though this formula really holds after this assignment. Transferring this formula inserts a formula &i {&i} into the point before this assignment. Transfer Backward This is reverse to the function Transfer Backward. Select one or more unproved formulas f on a program i, click the Transfer Backward button, If i is after an if-statement if (e) s 1 else s 2, then f is copied to the points after s 1 and s 2. The original formula is set PROVED and dependent on the two copies. If i is at the begin of one branch of an if-statement if (e) s 1 else s 2, then f is copied to the point before this if-statement, and then the original copy is set as PROVED, and dependent on the copy before the if-statement. If i is a point after a while-statement, f is copied to the following points : before the while-statement, before s, after s. The original copy and the copy

7 before s is set as PROVED. They both dependent on the copies after s and before the while-statement. If i is a point after an assignment e 1 = e 2 or an allocation e 1 = alloc(t), f is copied to the point before this statement, and transferred forward to the point i. The formulas about memory scopes are generated and treated automatically. Continuous Transfer This function in fact performs the Transfer Forward continuously. Select one or more formulas at a source point, and then select a proper target point, the tool continuously transfer these formulas to the target point. NOTICE: Make sure all the assignments and allocations does not modify any memory units in the memory scopes of the formulas. Otherwise, the tool will generate some unprovable formulas. This means that you can not finish the verification. 4.6 Prove a formula by implication A formula holds at a point if it is implied by other formulas at the same point. Our tool uses the SMT solver Z3 to prove such formulas. To use this function, you can select one or many formulas in the point, and click the button Z3 Prove, the tool will try to prove the selected unproved formulas using Z3. The smt2 code will be shown in a popup dialog window. When there are too many formulas at the point, using all the formulas as premises may cause Z3 runs over-time and returns UNKNOWN result. You can also use the button Select Premises to select premises. The first you use this function, you will be asked to tell the tool where the executive file of Z3 is. Usually, the location is \Program Files (x86)\microsoft Research\Z3-4.0\bin\z3.exe in Windows OS. Please visit the homepage of Z3: to download Z3 installation. 4.7 Instantiate a global property Usually, a global property is a universal quantified formula. Sometime, Z3 does not handle quantifier very well. You can instantiate such a global property by assigning concrete expressions to the universal quantified variables. Click the button Instantiate GP, then you can select the global property to be instantiated and then input concrete expressions to each variables. The instance of this global property will be inserted into the current program point. This instance is set as PROVED and dependent on the global property.

8 5 The data analysis features We also implement some data analysis techniques, including the range of integer variables, the null-pointer analysis, and the singly-linked lists analysis. However, there are problems about the dependency relations between the formulas generated by these analysis. We will fix the problem later. 6 The loop invariant generation We provide a loop-invariant-generation component to automatically infer loop invariants for loops manipulating commonly-used data structures, including, singly-linked lists, doubly-linked lists, static lists and one-dimensional arrays. Select an exit program point of a loop in the left part of the main window, all the formulas in this point will be displayed in a table in the right window. These formulas are the post-conditions of this loop. Then select one of the postconditions in this table and click the button Loop Invariant Gen with Post. If a suitable invariant can be generated for this selected post-condition, this invariant will be added to the corresponding program points, namely the entry point of the loop, the program point before the loop body, the program point after the loop body and the exit point of the loop. In addition, this selected post-condition is set as PROVED. Otherwise, prompt the user that we cannot generate any loop invariant for this post-condition right now. 7 The weakest precondition calculation Precondition calculation is a very important feature of this tool. Select one or many formulas at a point i, and click the button WP Calculator. Then select a target point j before the point i, the tool will try to compute preconditions at the point i for the formulas at the point j. It is required that the path from i to j contains no allocation statement. As we discussed in the paper about Scope Logic, if the selected formula contains no user-defined recursive functions, the preconditions are just the weakest preconditions. You can still carefully use this function for formulas with user-defined functions. The requirement is that the memory units implicitly accessed by these functions are not modified by the statements. The tool may generate some extra unproved formulas in this case. You can prove these formulas later. For example, given a formula x (NodeSet(first))(first D > 0), the precondition w.r.t the assignments first D = 5, first = first link can be computed. There may be some extra unproved memory scope formulas inserted, but you can prove them later. However, you can not make the tool to compute the pre-condition w.r.t. f irst link = tmp. In this case, a formula f irst NodeSet(f irst) is generated. This property can not be proved anyway. A skill to solve this problem is change the formula to first ({first} NodeSet(first link)). The precondition is

9 x ({first} NodeSet(tmp))(first D > 0). The memory scope generated is (after simplification) f irst NodeSet(tmp) 8 The execution effect synthesis A execution-effect-synthesis component is provided in this tool. Select an assert in the left part and click the button Execution Effect Synthesis. Then select a target point j after the point i, the tool will try to synthesize the execution effect of the statements between the point j and the point i. The execution effect of a statement specifies the memories modified by this statement and the new values stored in these memories after executing the statement. The memory expressions and the new value expressions are evaluated at the point before this statement. The execution effect of a statement can be used to help calculate weakest preconditions for this statement. In this function, assignments, conditionals, sequential statements and some kinds of loops that manipulate commonly-used data structures are supported.