10.8.2006
SAT-based methods for proving properties in Reynolds/O'Hearn
Separation Logic
Daniel Kröning (currently visiting CBL)
Joint work with B. Cook and J. Berdine
10.8.2006 Daniel Kroening 2
Program Verification
Goal:
Editor that highlights programming errors
Not syntax, but semantics
10.8.2006 Daniel Kroening 3
Like what?
10.8.2006 Daniel Kroening 4
Verification Engines
Unwinding: Bounded Model Checking (BMC)
No invariant discovery
One very large constraint problem
A lot of case-splitting
Abstraction: Abstract interpretation, Predicate abstraction
Attempting invariant discovery
Many small constraint problems
Little case-splitting
10.8.2006 Daniel Kroening 5
Program Analysis: BMC
Diagram: Program -> BMC (CBMC, …) -> VC -> Constraint solver (SAT solver, CVC-Lite, Math-SAT, …) -> Model
10.8.2006 Daniel Kroening 6
BMC Overview
Diagram: ANSI-C program -> parsing -> parse tree -> unwind -> constraint problem -> CNF -> SAT solver
10.8.2006 Daniel Kroening 7
ANSI-C Transformation
1. Preparation
Side effect removal
continue, break replaced by goto
for, do while replaced by while
2. Unwinding
Loops are unwound
Same for backward goto jumps and recursive functions
10.8.2006 Daniel Kroening 8
Implementation
3. Transformation into Equation
After unwinding: transform into SSA
Example:
Generate constraints by simply conjoining equations resulting from assignments
For arrays, use simple lambda notation
10.8.2006 Daniel Kroening 9
Example
10.8.2006 Daniel Kroening 10
Required Theories
Bit vector
Arrays
Pointers (pair of object/offset)
Floating Point
If contained in assertion:
Quantifiers
Data type predicates (lists, trees, …)
10.8.2006 Daniel Kroening 11
Example
#include <assert.h>
int *p, x, y;
int main() {
  int z;            /* uninitialised local: a free input for the checker */
  y=z;
  p=&y;
  x=*p;
  assert(x==z);
}
cbmc test.c --cvc --outfile test
10.8.2006 Daniel Kroening 12
p0: [# object: INT, offset: BITVECTOR(32) #] = (# object:=0, offset:=0bin00000000000000000000000000000000 #);
x0: BITVECTOR(32) = 0bin00000000000000000000000000000000;
y0: BITVECTOR(32) = 0bin00000000000000000000000000000000;
z1: BITVECTOR(32);
z0: BITVECTOR(32);
y1: BITVECTOR(32) = z0;
p1: [# object: INT, offset: BITVECTOR(32) #] = (# object:=3, offset:=0bin00000000000000000000000000000000 #);
x1: BITVECTOR(32) = y1;
l1: BOOLEAN;
ASSERT l1 <=> (x1=z0);
ASSERT (NOT l1);
QUERY FALSE;
Download me!
We have ~300 MB of benchmark files available
Soon: SMT-Lib format
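As an added illustration (not from the slides or from CBMC), here is a small Python model of steps 3 and 4 for the program on slide 11: the assignments are renamed into SSA equations, pointers are (object, offset) pairs as on slide 10, and a bounded search over the uninitialised input z checks whether the conjunction of the equations can violate the assertion, i.e. whether the CVC query above is satisfiable. The 4-bit width, the object numbering and the second, deliberately reordered program are constructed for the example.

```python
import itertools

WIDTH = 4                                # assumption: 4-bit ints so inputs can be enumerated
OBJ = {"p": 0, "x": 1, "y": 2, "z": 3}   # object numbers; pointers are (object, offset) pairs

def ssa(program):
    """Rename a straight-line program into SSA and return (equations, assertions).
    program: ("assign", lhs, rhs) or ("assert", expr) tuples; expressions are
    ("var", v), ("addr", v), ("deref", v) or ("==", e1, e2)."""
    ver = {v: 0 for v in OBJ}
    cur = lambda v: f"{v}{ver[v]}"
    def rename(e):
        if e[0] == "var":   return ("var", cur(e[1]))
        if e[0] == "addr":  return ("ptr", OBJ[e[1]], 0)
        if e[0] == "deref": return ("deref", cur(e[1]), {OBJ[v]: cur(v) for v in OBJ})
        return ("==", rename(e[1]), rename(e[2]))
    equations, assertions = [], []
    for stmt in program:
        if stmt[0] == "assert":
            assertions.append(rename(stmt[1]))
        else:
            rhs = rename(stmt[2])          # the right-hand side sees the old versions
            ver[stmt[1]] += 1              # the assignment defines a fresh version
            equations.append((cur(stmt[1]), rhs))
    return equations, assertions

def evaluate(e, env):
    if e[0] == "var":   return env[e[1]]
    if e[0] == "ptr":   return (e[1], e[2])
    if e[0] == "deref":
        obj, _offset = env[e[1]]
        return env[e[2][obj]]              # the object's version live at the dereference
    return int(evaluate(e[1], env) == evaluate(e[2], env))

def bmc(program, free=("z",)):
    """Bounded check: enumerate the free inputs and look for a valuation of the
    SSA equations that violates an assertion (equations AND NOT assertion).
    Returns a counterexample environment, or None when no violation exists."""
    equations, assertions = ssa(program)
    for vals in itertools.product(range(2 ** WIDTH), repeat=len(free)):
        env = {"p0": (0, 0), "x0": 0, "y0": 0}       # globals start zeroed, as in the CVC output
        env.update({f"{v}0": val for v, val in zip(free, vals)})
        for name, rhs in equations:                  # each equation fixes one SSA name
            env[name] = evaluate(rhs, env)
        if not all(evaluate(a, env) for a in assertions):
            return env
    return None

# The slide's program: y=z; p=&y; x=*p; assert(x==z);
SLIDE_PROGRAM = [("assign", "y", ("var", "z")), ("assign", "p", ("addr", "y")),
                 ("assign", "x", ("deref", "p")),
                 ("assert", ("==", ("var", "x"), ("var", "z")))]
# Constructed variant with the read x=*p moved before the write y=z: x picks up y0 == 0.
BUGGY_PROGRAM = [SLIDE_PROGRAM[1], SLIDE_PROGRAM[2], SLIDE_PROGRAM[0], SLIDE_PROGRAM[3]]
```

bmc(SLIDE_PROGRAM) returns None (the assertion holds for every z), while bmc(BUGGY_PROGRAM) returns the first violating valuation, z0 = 1 with x1 = 0.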
10.8.2006 Daniel Kroening 13
Program Analysis: Abstraction
Diagram: Program -> Program analysis engine (SLAM, …; pre-, post-, proof-based, …) -> VCs -> Constraint solver (Simplify, Zapato, Cogent, CPLEX, …) -> Model; widening: T'
10.8.2006 Daniel Kroening 14
Existing Tools
Implement
Fragments of linear arithmetic,
Maybe arrays, maybe pointers
Sometimes float
10.8.2006 Daniel Kroening 15
Extending the Assertion Logic
Diagram (as on slide 13): Program -> Program analysis engine -> VCCs -> Constraint solver -> Model; widening: T'
Both the engine and the solver handle Linear Arithmetic, Arrays, Float, …
10.8.2006 Daniel Kroening 16
Existing Tools
Biggest challenge for mass-market:
dynamic data structures
Fix with choice of assertion logic, e.g.,
Reynolds’ Separation Logic
E.g., add separating conjunction and
predicates for linked list
10.8.2006 Daniel Kroening 17
Separation Logic
A logic for heap data structures
NOT the same as the fragment of linear
arithmetic called difference logic
Due to Reynolds/O’Hearn
10.8.2006 Daniel Kroening 18
Separation Logic
Figure: a singly linked list; each cell holds a payload and a “next” pointer
Main problem:
Need to specify that all heap cells are disjoint
10.8.2006 Daniel Kroening 19
Separation Logic
In general, one needs to express constraints
that a data structure does not share cells
with any other data structure
Key idea: new logical operator
P * Q
“Separating Conjunction”
10.8.2006 Daniel Kroening 20
Separation Logic
Semantics of expressions defined over
valuations of heaps
(maps from addresses to values)
Obvious meaning for the basic assertions (figure labels: State, Heap, Pointer, Value)
10.8.2006 Daniel Kroening 21
Separation Logic
Define disjoint heaps:
Separating conjunction:
10.8.2006 Daniel Kroening 22
Separation Logic: Lists
Notation for sequences
: empty sequence
x·: concatenation (element x prepended to a sequence)
Define list:
10.8.2006 Daniel Kroening 23
Extending the Assertion Logic
Diagram (as on slide 15): Program -> Program analysis engine -> VCCs -> Constraint solver -> Model; widening: T'
Both the engine and the solver handle Linear Arithmetic, Arrays, Float, … + Separation Logic
10.8.2006 Daniel Kroening 24
Who does the assertions?
Manual annotations
Automatic discovery
Standard Template Library: data in containers is implicitly in separate heap cells
typedef std::hash_map <std::string, symbolt, string_hash> symbolst;
. . .
typedef std::vector<nodet> nodest;
10.8.2006 Daniel Kroening 25
Requirements for Constraint Solvers
Constraint solver must support
very rich logic
Data types might even be application-specific
But most queries are simple!
Extending custom-made constraint solver
is tedious
10.8.2006 Daniel Kroening 26
Proposed Solution
Assumption: we have a (partial)
axiomatization of all logics
Goal: high performance constraint solver
1st step: define language for axioms
10.8.2006 Daniel Kroening 27
Example: Equality Logic
equality_transitivity:
A "=" B, B "=" C -> A "=" C;
equality_commutativity:
A "=" B <-> B "=" A;
equality:
A "=" A;
disequality:
A "!=" B <-> NOT A "=" B;
10.8.2006 Daniel Kroening 28
Build a Compiler!
2nd step: build a compiler
Diagram: Axioms -> codegen -> C++ code -> g++ -> Binary; the binary takes a VCC and answers SAT/UNSAT
10.8.2006 Daniel Kroening 29
Multiple Theories
Note that one can combine multiple theories
Interfacing through arbitrary propositions,
not just equalities
Convexity requirement?
10.8.2006 Daniel Kroening 30
What about OR?
We could build case-splitting into the
generated code
However, we will never be able to implement
Proper decision heuristics
Non-chronological back-tracking
Learning
10.8.2006 Daniel Kroening 31
What about OR?
Alternative: produce
reduction to propositional logic
Generate CNF, and pass formula to SAT
solver
The formula is unsatisfiable iff there exists a
deduction that shows a contradiction
10.8.2006 Daniel Kroening 32
What about OR?
3rd step: add SAT solver
Diagram: Axioms -> codegen -> C++ code -> g++ -> Binary; the binary takes a VCC, emits CNF, and a SAT solver decides it
This is the eager version; the lazy version is straightforward.
10.8.2006 Daniel Kroening 33
What about OR?
1. Maintain truth value with each fact:
2. Set new facts to unknown
3. Assign a literal to each fact that has truth value unknown
4. For each deduction step, generate constraint
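Added example (not the authors' code): a Python sketch of these four steps applied, eager style, to the equality-logic axioms of slide 27. Each fact a = b gets a literal, the disequality axiom makes a != b its negation, commutativity is handled by sharing one literal per unordered pair, transitivity is applied to saturation with one clause per deduction step, and a minimal DPLL stands in for the SAT solver; the input clauses, the class and the DPLL are constructed here.

```python
from itertools import combinations

class EagerEqualitySolver:
    """Eager encoding of the equality-logic axioms from slide 27 following the
    four steps on slide 33: every fact gets a literal, every deduction step
    becomes a clause, and all case-splitting is left to propositional SAT."""
    def __init__(self):
        self.lit, self.clauses = {}, []   # fact (a, b) -> literal; clauses from deductions

    def fact(self, a, b):
        """Literal for the fact a = b.  Commutativity: A=B and B=A share one literal;
        disequality: A != B is the negated literal; equality: A = A is a unit clause."""
        key = tuple(sorted((a, b)))
        if key not in self.lit:           # steps 2-3: a new fact is unknown and gets a literal
            self.lit[key] = len(self.lit) + 1
            if a == b:
                self.clauses.append([self.lit[key]])
        return self.lit[key]

    def saturate(self):
        """Step 4: apply transitivity A=B, B=C -> A=C to every pair of facts until no
        new fact appears; each application emits the clause (!AB | !BC | AC)."""
        done = set()
        while True:
            new = [(p, q) for p, q in combinations(list(self.lit), 2)
                   if (p, q) not in done and len(set(p)) == len(set(q)) == 2
                   and len(set(p) & set(q)) == 1]
            if not new:
                return
            for p, q in new:
                done.add((p, q))
                a, c = set(p) ^ set(q)    # the two variables that are not shared
                self.clauses.append([-self.lit[p], -self.lit[q], self.fact(a, c)])

    def check(self, cnf):
        """cnf: clauses whose literals are ('=', a, b) or ('!=', a, b).
        Returns 'UNSAT' iff the generated deductions refute the input."""
        clauses = [[self.fact(a, b) if op == "=" else -self.fact(a, b)
                    for op, a, b in clause] for clause in cnf]
        self.saturate()
        return "SAT" if dpll(clauses + self.clauses) else "UNSAT"

def simplify(clauses, lit):
    """Make lit true: drop satisfied clauses, delete the falsified literal elsewhere."""
    return [[l for l in cl if l != -lit] for cl in clauses if lit not in cl]

def dpll(clauses):
    """Minimal DPLL: unit propagation first, then chronological case-splitting."""
    if not clauses:
        return True
    if [] in clauses:
        return False
    lit = next((cl[0] for cl in clauses if len(cl) == 1), clauses[0][0])
    return dpll(simplify(clauses, lit)) or dpll(simplify(clauses, -lit))
```

A query such as a = b, (b = c or b = d), a != c, a != d comes back UNSAT: the OR never reaches the generated deduction code, the SAT procedure splits on it.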
10.8.2006 Daniel Kroening 34
Separation Logic
disjoint_not_self:
h "!=" "emp" -> not [h "#" h];
not:
h "|=" ["!" P] <-> not [h "|=" P];
and:
h "|=" [P "^" Q] <-> h "|=" P, h "|=" Q;
conditional:
h "|=" [P "?" Q ":" R] <-> (h "|=" P -> h "|=" Q), (h "|=" "!" P -> h "|=" R);
10.8.2006 Daniel Kroening 35
Separation Logic
star:
h "|=" [P "*" Q] <-> NEW h0 "|=" P, NEW h1 "|=" Q, h "=" [NEW h0 "**" NEW h1], NEW h0 "#" NEW h1;
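Added example (not from the talk): a Python model of the semantics on slides 21 and 22 and of the star axiom above, with heaps as dictionaries from addresses to (payload, next) cells. disjoint and join give h0 # h1 and h0 ** h1, the star case enumerates the NEW h0, NEW h1 splits of h exactly as the axiom states, and list follows the slide-22 definition; the store, the heap, NIL = 0 and the witness naming are assumptions.

```python
from itertools import combinations

NIL = 0   # assumption: address 0 is nil and never allocated

def disjoint(h0, h1):
    """h0 # h1: the two heaps share no address."""
    return not (h0.keys() & h1.keys())

def join(h0, h1):
    """h0 ** h1: union of disjoint heaps (undefined otherwise)."""
    assert disjoint(h0, h1)
    return {**h0, **h1}

def splits(h):
    """Every (h0, h1) with h = h0 ** h1 and h0 # h1."""
    addrs = list(h)
    for r in range(len(addrs) + 1):
        for left in combinations(addrs, r):
            h0 = {a: h[a] for a in left}
            yield h0, {a: h[a] for a in addrs if a not in h0}

def val(s, e):
    """Value of a pure expression ("nil",), ("const", n) or ("var", x) under store s."""
    return NIL if e[0] == "nil" else (e[1] if e[0] == "const" else s[e[1]])

def sat(s, h, P):
    """h |= P under store s.  The heap maps addresses to (payload, next) cells."""
    tag = P[0]
    if tag == "emp":       return h == {}
    if tag == "eq":        return val(s, P[1]) == val(s, P[2])
    if tag == "pointsto":  # E |-> (F, G): the heap is exactly this one cell
        return h == {val(s, P[1]): (val(s, P[2]), val(s, P[3]))}
    if tag == "not":       return not sat(s, h, P[1])
    if tag == "and":       return sat(s, h, P[1]) and sat(s, h, P[2])
    if tag == "star":      # star axiom: NEW h0 |= P, NEW h1 |= Q, h = h0 ** h1, h0 # h1
        return any(sat(s, h0, P[1]) and sat(s, h1, P[2]) for h0, h1 in splits(h))
    if tag == "list":      # list([], i) = emp and i = nil; list(x.a, i) = exists j. i |-> x, j * list(a, j)
        seq, i = P[1], P[2]
        if not seq:
            return h == {} and val(s, i) == NIL
        j = ("var", f"_j{len(seq)}")   # fresh witness name per recursion depth
        body = ("star", ("pointsto", i, ("const", seq[0]), j), ("list", seq[1:], j))
        return any(sat({**s, j[1]: cand}, h, body) for cand in set(h) | {NIL})
    raise ValueError(f"unknown assertion {tag}")

# Constructed store and heap: i -> cell (10, next = k), k -> cell (20, next = nil)
S = {"i": 1, "k": 2}
H = {1: (10, 2), 2: (20, NIL)}
CELL_I = ("pointsto", ("var", "i"), ("const", 10), ("var", "k"))
CELL_K = ("pointsto", ("var", "k"), ("const", 20), ("nil",))
```

On H, CELL_I * CELL_K and list((10, 20), i) hold, while CELL_I ^ CELL_K does not (ordinary conjunction demands the same whole heap for both), and CELL_I * CELL_I fails on a one-cell heap because no split puts the cell on both sides.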
10.8.2006 Daniel Kroening 36
Obtaining Invariants
Again, could be custom-made
Instead: inspect proofs of failed
refutation-attempts
Paper available on doing this for bit-vectors
E.g., for constructing interpolants
10.8.2006 Daniel Kroening 37
Conclusion
Generic constraint solver with propositional
SAT as backend
Especially for complicated logics
Extensions of logic are easy
All case-splitting is pushed into
propositional SAT solver
10.8.2006 Daniel Kroening 38
Cross-Advertising
TACAS: this can be used for quantification over predicates
CAV: Predicate abstraction for deep loops
PDPAR: Completeness
How to tell for sure that no proof exists?