Integrating Arrays into the Heap-Hop program prover

Size: px

Start display at page:

Download "Integrating Arrays into the Heap-Hop program prover"

Kelly Morgan
5 years ago
Views:

1 Integrating Arrays into the Heap-Hop program prover Ioana Cristescu under the supervision of Jules Villard Queen Mary University of London 7 September / 29

2 Program verification using Heap-Hop Program verification assert program s correctness programs that manipulate memory harder in a concurrent setting need for an automated tool Heap-Hop - program prover for concurrent programs that manipulate pointers 2 / 29

3 Outline Context Formal verification Manipulating memory Concurrency Automation Our contributions The parameters The arrays Concluding remarks 3 / 29

4 Outline Context Formal verification Manipulating memory Concurrency Automation Our contributions The parameters The arrays Concluding remarks 4 / 29

5 Formal verification model the specifications model the program s behavior match the two models 5 / 29

6 Formal verification model the specifications model the program s behavior match the two models The Hoare triple {φ} p {φ } the program p the precondition φ and postcondition φ example: {list(x, 0)} y = copy(x); {list(x, 0) list(y, 0)} 5 / 29

7 Using pointers Why is it difficult formal verification uses a syntactic representation proper representation of the memory access example: the problem of aliasing 6 / 29

8 Using pointers Why is it difficult formal verification uses a syntactic representation proper representation of the memory access example: the problem of aliasing Separation Logic local reasoning example if z, list(x, 0) and list(y, 0) are disjoint {z list(x, 0)} y = copy(x); {z list(x, 0) list(y, 0)} {list(x, 0)} y = copy(x); {list(x, 0) list(y, 0)} separation conjuction: P R frame rule: {φ} p {φ } {φ φ } p {φ φ } 6 / 29

9 Concurrency Apply the separation conjuction to a shared memory model p2 p1 φ φ 1 φ 2 7 / 29

10 Communication The message passing model using bidirectional channels a channel is guarded by two endpoints e, f communication respects a protocol, called a contract contract C{ initial state start {?data compute; } state compute {!result finish; } final state finish {} } the contract guarantees some safety properties a symbolic representation of the exchanged messages, called a message footprint [val ] 8 / 29

11 The copyless message passing model Ownership transfer p2 p2 p1 x p1 x 9 / 29

12 The copyless message passing model Ownership transfer p2 p2 p1 x p1 x The communication primitives open a communication channel {φ} (e, f ) = open(c) {φ e C[start] f C[start]} send a pointer x {φ x } send(a, e, x) {φ} receive a pointer x {φ} x = receive(a, f ) {φ x } close the channel {φ e C[finish] f C[finish]} close(e, f ) {φ} 9 / 29

13 Automation Annotate programs procedure_name [precondition] {procedure_body} [postcondition] message message_name [message footprint] example: message cell [val ] 10 / 29

14 Automation Annotate programs procedure_name [precondition] {procedure_body} [postcondition] message message_name [message footprint] example: message cell [val ] Semantics for the precondition and the postcondition σ, p σ σ, p error with σ the current state of a program p defined by a stack s for storing variables x = 4 [[x]] s = 4 [empty] a heap h representing the process memory x value := 4 h([[x]] s value) = 4 10 / 29

15 A semantic state models a separation logic formula the semantics - the actual behavior of the program a proof system using separation logic - allows to reason about the program s correctness 11 / 29

16 A semantic state models a separation logic formula the semantics - the actual behavior of the program a proof system using separation logic - allows to reason about the program s correctness Using the Hoare triples If {φ} p {φ } σ, p σ σ = φ then σ = φ. 11 / 29

17 The proof system Separation logic proof system symbolically execute each operation the inference rules {φ 3 } skip {φ }... {φ 2 } C {φ } {φ 1 } operation(); C {φ } 12 / 29

18 The proof system Separation logic proof system symbolically execute each operation the inference rules {φ 3 } skip {φ }... {φ 2 } C {φ } {φ 1 } operation(); C {φ } the entailment rules φ φ... φ 3 φ the proof system is sound and decidable 12 / 29

19 Heap-Hop Limitations no mechanism for retrieving data about previous communications no support for programs that manipulate arrays 13 / 29

20 Heap-Hop Limitations no mechanism for retrieving data about previous communications no support for programs that manipulate arrays Contributions 13 / 29

21 Heap-Hop Limitations no mechanism for retrieving data about previous communications no support for programs that manipulate arrays Contributions the parameters modify the proof system rules for the operations send, receive, open and close keep the proof system sound: the rules are consistent with the semantics 13 / 29

22 Heap-Hop Limitations no mechanism for retrieving data about previous communications no support for programs that manipulate arrays Contributions the parameters modify the proof system rules for the operations send, receive, open and close keep the proof system sound: the rules are consistent with the semantics the arrays add the proof system s rules for handling the predicate array add the corresponding semantic rules prove that the new proof system is sound and decidable 13 / 29

23 Heap-Hop Limitations no mechanism for retrieving data about previous communications no support for programs that manipulate arrays Contributions the parameters modify the proof system rules for the operations send, receive, open and close keep the proof system sound: the rules are consistent with the semantics the arrays add the proof system s rules for handling the predicate array add the corresponding semantic rules prove that the new proof system is sound and decidable implementation in Caml ( 1000 lines added) 13 / 29

24 Outline Context Formal verification Manipulating memory Concurrency Automation Our contributions The parameters The arrays Concluding remarks 14 / 29

25 The parameters Modify the endpoint e Contract[contract state], param 1 :, param 2 :,... update the parameter using a user-defined function p 1 = nextparam(e, f, val 1, p 1 ) p 2 = nextparam(e, f, val 2, p 2 )... update the parameter after a message is sent/received message message name [...]updating nextparam(endpoints, sent value, parameter) 15 / 29

26 Example of using the parameters Sending a list cell by cell x val next... val 0 inductive predicate list(x, 0) list(x, 0) (x = 0 empty) (x 0 x.x next : x list(x, 0)) the exchanged messages message cell [val next : param = val] nextparam(val,...) = val next 16 / 29

27 The rule for Receive in the proof system { (φ E cs : q, ctt : C, rl : r, pr : E, ρ)[x /x] γ a(e[x /x], E [x /x], r, x) succ(c, q,!a, r) = q } {C}{φ } {φ E cs : q, ctt : C, rl : r, pr : E, ρ} x = receive(a, E); C {φ } 17 / 29

28 The rule for Receive in the proof system { (φ E cs : q, ctt : C, rl : r, pr : E, ρ)[x /x] γ a(e[x /x], E [x /x], r, x) succ(c, q,!a, r) = q } {C}{φ } {φ E cs : q, ctt : C, rl : r, pr : E, ρ} x = receive(a, E); C {φ } receive a cell message cell [val next : param = val] nextparam(val,...) = val next {f C[transfer], p : y list(l, y)} x = receive(cell, f ); 17 / 29

29 The rule for Receive in the proof system { (φ E cs : q, ctt : C, rl : r, pr : E, ρ)[x /x] γ a(e[x /x], E [x /x], r, x) succ(c, q,!a, r) = q } {C}{φ } {φ E cs : q, ctt : C, rl : r, pr : E, ρ} x = receive(a, E); C {φ } receive a cell message cell [val next : param = val] nextparam(val,...) = val next {f C[transfer], p : y list(l, y)} x = receive(cell, f ); {f C[transfer], p : y list(l, y) x next : x x = y} 17 / 29

30 The rule for Receive in the proof system { (φ E cs : q, ctt : C, rl : r, pr : E, ρ)[x /x] γ a(e[x /x], E [x /x], r, x) succ(c, q,!a, r) = q } {C}{φ } {φ E cs : q, ctt : C, rl : r, pr : E, ρ} x = receive(a, E); C {φ } receive a cell message cell [val next : param = val] nextparam(val,...) = val next {f C[transfer], p : y list(l, y)} x = receive(cell, f ); {f C[transfer], p : y list(l, y) x next : x x = y} {f C[transfer], p : x list(l, x) x next : x } 17 / 29

31 The rule for Receive in the proof system { (φ E cs : q, ctt : C, rl : r, pr : E, ρ)[x /x] γ a(e[x /x], E [x /x], r, x) succ(c, q,!a, r) = q } {C}{φ } {φ E cs : q, ctt : C, rl : r, pr : E, ρ} x = receive(a, E); C {φ } receive a cell message cell [val next : param = val] nextparam(val,...) = val next {f C[transfer], p : y list(l, y)} x = receive(cell, f ); {f C[transfer], p : y list(l, y) x next : x x = y} {f C[transfer], p : x list(l, x) x next : x } {f C[transfer], p : x list(l, x) x next : x } 17 / 29

32 The rule for Receive in the proof system { (φ E cs : q, ctt : C, rl : r, pr : E, ρ)[x /x] γ a(e[x /x], E [x /x], r, x) succ(c, q,!a, r) = q } {C}{φ } {φ E cs : q, ctt : C, rl : r, pr : E, ρ} x = receive(a, E); C {φ } receive a cell message cell [val next : param = val] nextparam(val,...) = val next {f C[transfer], p : y list(l, y)} x = receive(cell, f ); {f C[transfer], p : y list(l, y) x next : x x = y} {f C[transfer], p : x list(l, x) x next : x } {f C[transfer], p : x list(l, x) x next : x } {f C[transfer], p : x list(l, x )} 17 / 29

33 The arrays Defined by the inductive predicate array(x, E 1, E 2, E 3 ) E 1, E 2 - the indices bounding the array that we can access {[[x + E 1 ]] s,..., [[x + E 2 1]] s } dom(h) E 3 - the size of the array array(x, E 1, E 2, E 3 ) (E 1 E 2 empty) ( i.e 1 i < E 2.array(x, E 1, i, E 3 ) array(x, i + 1, E 2, E 3 ) x[i] F ) x[i] h([[x + i]] s ) 18 / 29

34 Allocate and dispose arrays allocating the array disposing the array {empty} x = new(10); {array(x, 0, 10, 10)} {array(x, 0, 3, 10) x + 3 array(x, 4, 7, 10) array(x, 7, 10, 10)} dispose(x); {empty} we need to know the size of the array we disallocate an array only if all its elements are available 19 / 29

35 Example of using the arrays a server distributes the array x to several workers the exchanged messages: message rands [ array(x, val1, val2, 10)] nextparam(val i, param i,...) = val i with i {1, 2} message result [ array(x, param1, param2, 10)] nextparam(val i, param i,...) = param i with i {1, 2} 20 / 29

36 The server s function message rands [ array(x, val1, val2, 10)] nextparam(val, param) = val message result [ array(x, param1, param2, 10)] nextparam(val, param) = param {s C[start], p : (0, 5) array(x, 0, 10, 10)} 21 / 29

37 The server s function message rands [ array(x, val1, val2, 10)] nextparam(val, param) = val message result [ array(x, param1, param2, 10)] nextparam(val, param) = param {s C[start], p : (0, 5) array(x, 0, 10, 10)} {s C[start], p : (0, 5) array(x, 0, 5, 10) array(x, 5, 10, 10)} send(rands, s, x, 0, 5); 21 / 29

38 The server s function message rands [ array(x, val1, val2, 10)] nextparam(val, param) = val message result [ array(x, param1, param2, 10)] nextparam(val, param) = param {s C[start], p : (0, 5) array(x, 0, 10, 10)} {s C[start], p : (0, 5) array(x, 0, 5, 10) array(x, 5, 10, 10)} send(rands, s, x, 0, 5); {s C[compute], p : (0, 5) array(x, 5, 10, 10)} 21 / 29

39 The server s function message rands [ array(x, val1, val2, 10)] nextparam(val, param) = val message result [ array(x, param1, param2, 10)] nextparam(val, param) = param {s C[start], p : (0, 5) array(x, 0, 10, 10)} {s C[start], p : (0, 5) array(x, 0, 5, 10) array(x, 5, 10, 10)} send(rands, s, x, 0, 5); {s C[compute], p : (0, 5) array(x, 5, 10, 10)} y = receive(result, s); {s C[end], p : (0, 5) array(x, 0, 5, 10) array(x, 5, 10, 10)} 21 / 29

40 Outline Context Formal verification Manipulating memory Concurrency Automation Our contributions The parameters The arrays Concluding remarks 22 / 29

41 Concluding remarks Contributions theoretical results modify the proof system and the semantics in order to accomodate arrays and parameters properties on the new proof system Soundness Any provable entailment is valid. Decidability The entailment procedure terminates. features available in Heap-Hop Future work theoretical - prove that the new proof system is complete implementation - automatically discover the arrays and the values of the parameters 23 / 29

42 The proof system and the semantics - example The proof system {φ[x /x] array(x, 0, E, E)} C {φ } {φ} x = new(e); C {φ } Semantics σ = (s, h) ε,...ε + n / dom(h) σ = ([s x : ε, E : n], [h ε : (val 0, E, ε),...ε + n : (val n, E, ε)]) x = new(e); C, (σ, k) C, (σ.k) 24 / 29

43 Access one element of the array φ E 1 E < E 2 {φ array(x, E 1, E, E 3 ) array(x, E + 1, E 2, E 3 ) x[e] f } x[e] f := F ; p {φ } {φ array(x, E 1, E 2, E 3 )} x[e] f := F ; p {φ } 25 / 29

44 Access one element of the array φ E 1 E < E 2 {φ array(x, E 1, E, E 3 ) array(x, E + 1, E 2, E 3 ) x[e] f } x[e] f := F ; p {φ } {φ array(x, E 1, E 2, E 3 )} x[e] f := F ; p {φ } An entailment rule φ array(x, E, E + 1, E ) φ φ x[e] f φ 25 / 29

45 Example of using the arrays a server generates an array of random values two workers perform some computation on parts of the array the result is sent back to the server the exchanged messages: message rands [ array(x, val1, val2, 10)] nextparam(val i, param i,...) = val i with i {1, 2} message result [ array(x, param1, param2, 10)] nextparam(val i, param i,...) = param i with i {1, 2} contract contract C{ initial state start {!rands compute; } state compute {?result end; } final state end {} } 26 / 29

46 The server s function message rands [ array(x, val1, val2, 10)] nextparam(val, param) = val message result [ array(x, param1, param2, 10)] nextparam(val, param) = param {s1 C[start], p : (O, 5) s2 C[start], p : (5, 10) array(x, 0, 10, 10)} {s1 C[start], p : (O, 5) s2 C[start], p : (5, 10) array(x, 0, 5, 10) array(x, 5, 10, 10)} send(rands, s1, x, 0, 5); {s1 C[compute], p : (O, 5) s2 C[start], p : (5, 10) array(x, 5, 10, 10)} send(rands, s2, x, 5, 10); {s1 C[compute], p : (O, 5) s2 C[compute], p : (5, 10)} y = receive(result, s1); {s1 C[end], p : (O, 5) s2 C[compute], p : (5, 10) array(x, 0, 5, 10)} z = receive(result, s2); {s1 C[end], p : (O, 5) s2 C[end], p : (5, 10) array(x, 0, 5, 10) array(x, 5, 10, 10)} 27 / 29

47 The worker s function message rands [ array(x, val1, val2, 10)] nextparam(val, param) = val message result [ array(x, param1, param2, 10)] nextparam(val, param) = param {w C[start], p : (sindex, eindex)} (i, j) = receive(rands, w); {w C[compute], p : (sindex, eindex) array(x, i, j, 10)} {w C[compute], p : (i, j) array(x, i, j, 10)} res = computation(x[i], x[i + 1],..., x[j]); send(result, w, res); {w C[end], p : (i, j)} 28 / 29

48 The rule for Send in the proof system {φ E cs : q, ctt : C, rl : r, pr : E, p : P, ρ} p 1 = P; p 2 = nextparam(e, E, r, E 1, P); E p := p 2 ; send(a, E, E 1 ); C {φ } {φ E cs : q, ctt : C, rl : r, pr : E, p : P, ρ} send param(a, E, E 1 ); C {φ } 29 / 29

49 The rule for Send in the proof system {φ E cs : q, ctt : C, rl : r, pr : E, p : P, ρ} p 1 = P; p 2 = nextparam(e, E, r, E 1, P); E p := p 2 ; send(a, E, E 1 ); C {φ } {φ E cs : q, ctt : C, rl : r, pr : E, p : P, ρ} send param(a, E, E 1 ); C {φ } send a cell message cell [val next : param = val] nextparam(val,...) = val next {e C[transfer], p : x list(x, 0)} send(a, e, x); {e C[transfer], p : x list(x, 0) x next : x p 1 = x} {e C[transfer], p : x list(x, 0) x next : x p 1 = x} {e C[transfer], p : x list(x, 0)} 29 / 29

Hoare triples. Floyd-Hoare Logic, Separation Logic

Hoare triples. Floyd-Hoare Logic, Separation Logic Hoare triples Floyd-Hoare Logic, Separation Logic 1. Floyd-Hoare Logic 1969 Reasoning about control Hoare triples {A} p {B} a Hoare triple partial correctness: if the initial state satisfies assertion