Checking Reachability using Matching Logic
Grigore Rosu and Andrei Stefanescu, University of Illinois, USA
Main Goal
Language-independent program verification framework
Derive program properties from operational semantics
Questions: Is it possible? Is it practical?
Answers: Sound and complete proof system, so YES, it is possible! Efficient automated verifier MatchC, so YES, it is practical!
Overview
State-of-the-art in Certifiable Verification
Our Approach
Specifying Reachability Properties
Reasoning about Reachability
Operational Semantics
Easy to define and understand
Can be regarded as formal “implementations”
Require little mathematical knowledge
Great introductory topics in PL courses
Scale up well
C (>1000 rules), Java, Scheme, Verilog, …, defined
Executable, so testable
C semantics tested against real benchmarks
Operational Semantics
Sample rule (may require a configuration context)
Define languages only with rules of the form
l, r are configuration terms; b is a Boolean side condition
Unfortunately …
Operational semantics considered inappropriate for program verification; proofs are low-level and tedious:
Formalization of and working with the transition system
Typically by induction: on the structure of the program, on the number of execution steps, etc.
Axiomatic Semantics (Hoare Logic)
Emphasis on program verification
Programming language captured as a formal proof system deriving Hoare triples
precondition, postcondition
Axiomatic Semantics
Not easy to define and understand, error-prone
Not executable, hard to test
Require program transformations, behavior loss
Write e = 1 and you’ve got a wrong semantics!
State-of-the-art in Certifiable Verification
Define an operational semantics: trusted language model
Define an axiomatic semantics: for verification purposes
Prove axiomatic semantics sound for operational semantics
Now we have trusted verification … BUT
Requires two semantics of the same language (C operational semantics took more than 2 years!)
Must be done individually for each language
Overview
State-of-the-art in Certifiable Verification
Our Approach
Specifying Reachability Properties
Reasoning about Reachability
Our Approach
Underlying belief: one semantics for each language!
Executable (testable), easy to define and understand
Suitable for program verification, “as is”
Approach: language-independent proof system
Takes operational semantics unchanged
Derives program properties
Both operational semantics rules and program specifications stated as reachability rules
Reachability Rules
Pairs of configuration predicates
Reachability: Any concrete configuration satisfying and terminating reaches a configuration satisfying , in the transition system induced by the operational semantics .
Overview
State-of-the-art in Certifiable Verification
Our Approach
Specifying Reachability Properties
Reasoning about Reachability
Reachability Rules: Operational + Axiomatic
Operational flavor
Axiomatic flavor
Hoare Triple = Syntactic Sugar
Matching Logic
State static properties of program configurations
Parametric in a model of configurations
Extends first-order logic with patterns
Special predicates which are configuration terms
Configurations satisfy patterns iff they match them
C configurations (extra 70 cells)
Model of Configurations: Properties
Configuration abstraction (list)
“Separation” achieved at term level
Operations (reverse)
Separation Logic = Matching Logic Instance
Separation logic: popular logic for heap properties
Mechanical translation to matching logic (see paper)
Configuration: separation encoded using different sub-terms
No expressiveness loss from using matching logic
Matching logic gives “structural separation” anywhere in the configuration, not only in the heap
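The structural separation and the list abstraction just described, as an added example that is not code from the slides, the paper or MatchC: a concrete heap as a map from addresses to cells, the list abstraction pattern matched against it at the term level (the matched chunk and the untouched frame come out as separate sub-terms), and the reverse operation checked against its pattern-level specification. The cell layout (value, next), the address 0 as null, the function names and the sample heaps are all assumptions made for this demonstration.

```python
# Added example (not from the slides, the paper or MatchC): the structural
# separation idea made concrete.  A heap is a dict from addresses to cells
# (value, next); the abstraction pattern list(p, L) stands for exactly the
# cells of the null-terminated list starting at p.  Matching it against a
# concrete heap splits the heap, at the term level, into the matched chunk
# and the untouched frame.  Cell layout and NULL = 0 are assumptions.
NULL = 0

def match_list(heap, p):
    """Match list(p, L) against heap.  Returns (L, frame) where L is the
    sequence of stored values and frame is the rest of the heap, or None
    when p does not point to a well-formed (acyclic, null-terminated) list."""
    values, chunk = [], {}
    while p != NULL:
        if p in chunk or p not in heap:   # cycle or dangling pointer: no match
            return None
        val, nxt = heap[p]
        values.append(val)
        chunk[p] = heap[p]
        p = nxt
    frame = {a: c for a, c in heap.items() if a not in chunk}
    return values, frame

def reverse_in_place(heap, p):
    """Concrete pointer-flipping list reversal; returns the new head."""
    prev = NULL
    while p != NULL:
        val, nxt = heap[p]
        heap[p] = (val, prev)
        prev, p = p, nxt
    return prev

def reverse_spec_holds(heap, p):
    """Pattern-level specification of reverse, checked on one concrete heap:
    if list(p, L) * frame holds before, then list(q, rev(L)) * frame holds
    after, with q the returned head and the frame unchanged."""
    before = match_list(heap, p)
    if before is None:
        return False
    values, frame = before
    h = dict(heap)               # work on a copy so the input heap is kept
    q = reverse_in_place(h, p)
    after = match_list(h, q)
    return after is not None and after[0] == values[::-1] and after[1] == frame

# Constructed sample heap: a 3-cell list at address 1 plus an unrelated cell
# at address 7 that belongs to the frame.
HEAP = {1: (10, 2), 2: (20, 3), 3: (30, NULL), 7: (99, NULL)}
# Constructed ill-formed heap: the list at 1 loops back to itself.
CYCLIC = {1: (10, 2), 2: (20, 1)}
```

match_list(HEAP, 1) yields the abstract sequence [10, 20, 30] and the frame {7: (99, 0)}; the frame is what a separation-logic frame rule would carry along, but here it is simply the sub-term left over by matching. reverse_spec_holds(HEAP, 1) is True, while the cyclic heap matches no list pattern and the specification is reported as not holding.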
Operational and Axiomatic Semantics Rules as Reachability Rules
Reachability rules generalize operational semantics rules and Hoare triples
Operational semantics rule is syntactic sugar for reachability rule
Hoare triple encoded in a reachability rule with the empty code in the right-hand side (see FM’12)
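The connection between operational semantics rules (left-hand side l, Boolean side condition b, right-hand side r, the form the slides describe), reachability rules and Hoare triples, as an added example that is not code from the slides, the paper or MatchC: a tiny rewrite engine whose rules match configurations structurally, a checker for the reading of a reachability rule given earlier (every concrete configuration satisfying the left-hand side and terminating reaches a configuration satisfying the right-hand side), and the Hoare triple encoding with empty code on the right. The toy language, its configuration shape, the rule set, the function names and the sample program are all assumptions; the check runs the semantics on concrete inputs rather than applying the proof system symbolically.

```python
# Added example (not the authors' code and not MatchC): a miniature,
# language-independent reachability checker in the style of the slides.
# Semantics rules have the form  l /\ b => r  (lhs pattern, side condition,
# rhs term); a specification is a reachability rule  phi => psi  between
# pattern predicates; {pre} code {post} is sugar for  <k> code </k> /\ pre
# => <k> . </k> /\ post  (empty code on the right).  The toy language, its
# ('cfg', code, env) configuration shape and the rule set are assumptions.

def is_var(p):  # pattern variables are strings beginning with '?'
    return isinstance(p, str) and p.startswith("?")
def match(pattern, term, subst):
    """Structural matching; returns the extended substitution or None."""
    if is_var(pattern):
        if pattern in subst:
            return subst if subst[pattern] == term else None
        return {**subst, pattern: term}
    if isinstance(pattern, tuple) and isinstance(term, tuple):
        if len(pattern) != len(term):
            return None
        for p, t in zip(pattern, term):
            subst = match(p, t, subst)
            if subst is None:
                return None
        return subst
    return subst if pattern == term else None
def instantiate(pattern, subst):  # build the rhs; a callable computes a sub-term
    if is_var(pattern):
        return subst[pattern]
    if callable(pattern):
        return pattern(subst)
    if isinstance(pattern, tuple):
        return tuple(instantiate(p, subst) for p in pattern)
    return pattern

# Toy language: code is a cons-list of statements (None = empty code '.');
# a configuration is ('cfg', code, env) with env a dict of integer variables.
def ev(e, env):
    """Evaluate an expression: int literal, variable name, or (op, a, b)."""
    if isinstance(e, int):
        return e
    if isinstance(e, str):
        return env[e]
    op, a, b = e
    x, y = ev(a, env), ev(b, env)
    return {"+": x + y, "-": x - y, "*": x * y, ">": int(x > y)}[op]
def seq(code, rest):  # concatenate two cons-lists of statements
    return rest if code is None else (code[0], seq(code[1], rest))
def code_of(*stmts):  # build a cons-list of statements
    k = None
    for s in reversed(stmts):
        k = (s, k)
    return k

RULES = [  # (l, b, r): fires when l matches the configuration and b holds
    # assignment:  x = e ; rest  with env E   =>   rest  with env E[x <- e]
    (("cfg", (("asgn", "?x", "?e"), "?rest"), "?env"), lambda s: True,
     ("cfg", "?rest", lambda s: {**s["?env"], s["?x"]: ev(s["?e"], s["?env"])})),
    # while, condition true: unroll one iteration in front of the loop
    (("cfg", (("while", "?c", "?body"), "?rest"), "?env"),
     lambda s: ev(s["?c"], s["?env"]) != 0,
     ("cfg", lambda s: seq(s["?body"], (("while", s["?c"], s["?body"]), s["?rest"])),
      "?env")),
    # while, condition false: drop the loop
    (("cfg", (("while", "?c", "?body"), "?rest"), "?env"),
     lambda s: ev(s["?c"], s["?env"]) == 0, ("cfg", "?rest", "?env")),
]
def step(cfg):  # one transition; None when no rule applies (terminal)
    for l, b, r in RULES:
        s = match(l, cfg, {})
        if s is not None and b(s):
            return instantiate(r, s)
    return None
def trace(cfg, max_steps=10_000):  # configurations reached from cfg, in order
    out = [cfg]
    while (cfg := step(cfg)) is not None:
        out.append(cfg)
        if len(out) > max_steps:
            raise RuntimeError("step budget exhausted; may not terminate")
    return out
def holds(pred, cfg):  # pattern predicate = (pattern, constraint on substitution)
    s = match(pred[0], cfg, {})
    return s is not None and bool(pred[1](s))
def check_reachability(phi, psi, concrete_cfgs):
    """Test phi => psi on concrete configurations: each one satisfying phi
    (and terminating) must reach some configuration satisfying psi."""
    return all(any(holds(psi, c) for c in trace(cfg))
               for cfg in concrete_cfgs if holds(phi, cfg))
def hoare(pre, code, post):  # {pre} code {post} with empty code on the right
    return (("cfg", code, "?env"), pre), (("cfg", None, "?env"), post)

# Constructed sample: s = 0; i = n; while (i > 0) { s = s + i; i = i - 1 }
SUM = code_of(("asgn", "s", 0), ("asgn", "i", "n"),
              ("while", (">", "i", 0),
               code_of(("asgn", "s", ("+", "s", "i")), ("asgn", "i", ("-", "i", 1)))))
SUM_SPEC = hoare(lambda s: s["?env"]["n"] >= 0, SUM,
                 lambda s: s["?env"]["s"] == s["?env"]["n"] * (s["?env"]["n"] + 1) // 2)
def check_sum_spec(ns=range(6)):  # the triple for SUM, read as a reachability rule
    return check_reachability(*SUM_SPEC, [("cfg", SUM, {"n": n}) for n in ns])
```

check_sum_spec() returns True; replacing the postcondition by a wrong one (for instance s == n*n) makes check_reachability return False as soon as one input violates it. Each semantics rule is a pair of configuration terms with a side condition and the specification is a pair of pattern predicates with the same shape, which is the point of the slide: one rule format covers both. The difference from the slides' proof system is that this check runs the transition system on a handful of concrete inputs, whereas the proof system derives the rule symbolically for all of them.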
Overview
State-of-the-art in Certifiable Verification
Our Approach
Specifying Reachability Properties
Reasoning about Reachability
Reasoning about Reachability
The main result of our paper is a proof system deriving reachability rules from reachability rules:
Trusted reachability rules (starts with operational semantics)
Target reachability rule
Claimed reachability rules
Reachability Proof System: 8 Rules
Symbolic execution (multiple steps)
Symbolic execution (one step)
Code with circular behavior
Circular behaviors
Circularity and Transitivity proof rules
Hoare logic rule for while loops
Language-independent
Language-specific
Soundness
Theorem: If is derivable by the proof system, then is semantically valid.
Relative Completeness
Relativity: validity oracle for static configuration properties
Language-independent result, unlike Hoare logics
Theorem: If is semantically valid, then is derivable by the proof system, with the operational semantics of a language.
MatchC
Proof-of-concept verifier for a C fragment
Derives program specifications from the operational semantics (in the K framework) using the proof system
No Hoare/separation logic, no WP, no VC generation
Automated; the user only provides specifications for recursive functions and loops
MatchC Snapshot
List reverse: code + invariant
Implementation
Heuristics for applying the proof system: (forward) symbolic execution
Matching logic reasoning
Maude: efficient structure matching and rearranging (matching a list in the heap, …)
SMTs (CVC3, Z3): simplifying constraints; small queries (milliseconds each)
Preliminary Evaluation
Program                Time (s)
Buffered read-write    0.15
Stack inspection       0.24
Insertion sort         0.41
Merge sort             0.47
Quicksort              1.97
AVL find               0.15
AVL insert             43.5
AVL delete             133.58
Schorr-Waite (tree)    0.28
Schorr-Waite (graph)   1.73
…                      …
Dozens more programs at matching-logic.org
Only annotated main functions (insert/delete).
Inlined auxiliary functions (balance, rotate, …).
Conclusions
Matching logic reachability proof system
Sound and (relatively) complete
Practical
MatchC, an automated verifier
Expressive
Efficient
Operational semantics based verification is viable!
matching-logic.org