SATbased methods for proving properties in ReynoldsO'Hearn Separation Logic PowerPoint PPT Presentation

presentation player overlay
1 / 38
About This Presentation
Transcript and Presenter's Notes

Title: SATbased methods for proving properties in ReynoldsO'Hearn Separation Logic


1
SAT-based methods for proving properties in
Reynolds/O'Hearn Separation Logic
  • Daniel Kröning
  • (currently visiting CBL)
  • Joint work with B. Cook and J. Berdine

2
Program Verification
  • GoalEditor that highlights programming errors
  • Not syntax, but semantics

3
Like what?
4
Verification Engines
Unwinding
Abstraction
  • Bounded Model Checking (BMC)
  • No invariant discovery
  • One very largeconstraint problem
  • A lot of case-splitting
  • Abstract interpretation
  • Predicate abstraction
  • Attemptinginvariant discovery
  • Many small constraint problems
  • Little case-splitting

5
Program Analysis BMC
Program
BMC
CBMC,
Model
VC
CONSTRAINT SOLVER
SAT solver,CVC-Lite, Math-SAT,
6
BMC Overview
ANSI-CProgram
parsing
unwind
SATSolver


CNF




?
?
ConstraintProblem
Parse tree
7
ANSI-C Transformation
  • Preparation
  • Side effect removal
  • continue, break replaced by goto
  • for, do while replaced by while
  • Unwinding
  • Loops are unwound
  • Same for backward goto jumps and recursive
    functions

8
Implementation
  • Transformation into Equation
  • After unwinding Transform into SSAExample
  • Generate constraints by simply conjoiningequation
    s resulting from assignments
  • For arrays, use simple lambda notation

9
Example
10
Required Theories
?
  • Bit vector
  • Arrays
  • Pointers (pair of object/offset)
  • Floating Point
  • If contained in assertion
  • Quantifiers
  • Data type predicates (lists, trees, )

?
?
?
?
?
11
Example
int p, x, y int main() int z yz
py xp assert(xz)
cbmc test.c cvc outfile test
12
p0 object INT, offset BITVECTOR(32)
( object0, offset0bin000000000000000000000000
00000000 ) x0 BITVECTOR(32)
0bin00000000000000000000000000000000 y0
BITVECTOR(32) 0bin000000000000000000000000000000
00 z1 BITVECTOR(32) z0 BITVECTOR(32) y1
BITVECTOR(32) z0 p1 object INT, offset
BITVECTOR(32) ( object3,
offset0bin00000000000000000000000000000000
) x1 BITVECTOR(32) y1 l1 BOOLEAN ASSERT
l1 ltgt (x1z0) ASSERT (NOT l1) QUERY FALSE
  • Download me!
  • We have 300 MB of benchmark files available
  • Soon SMT-Lib format

13
Program Analysis Abstraction
Program
PROGRAM ANALYSISENGINE
SLAM,
VCs
?, T
?
Model
CONSTRAINT SOLVER
WIDENING
Simplify, Zapato,Cogent,CPLEX,
Pre-, Post-,Proof-based,
14
Existing Tools
  • Implement
  • Fragments of linear arithmetic,
  • Maybe arrays, maybe pointers
  • Sometimes float

15
Extending the Assertion Logic
Program
PROGRAM ANALYSISENGINE
VCCs
?, T
?
Model
CONSTRAINT SOLVER
WIDENING
Linear Arithmetic,Arrays, Float,
Linear Arithmetic,Arrays, Float,
16
Existing Tools
  • Biggest challenge for mass-marketdynamic data
    structures
  • Fix with choice of assertion logic,
    e.g.,Reynolds Separation Logic
  • E.g., add separating conjunction andpredicates
    for linked list

17
Separation Logic
  • A logic for heap data structures
  • NOT the same as the fragment of linear arithmetic
    called difference logic
  • Due to Reynolds/OHearn

18
Separation Logic
next pointer
0


.
.
.
.
Main problem Need to specify that allheap cells
are disjoint
Payload
19
Separation Logic
  • In general, one needs to express constraints that
    a data structure does not share cells with any
    other data structure
  • Key idea new logical operator
  • P Q
  • Separating Conjunction

20
Separation Logic
  • Semantics of expressions defined over valuations
    of heaps(maps from addresses to values)
  • Obvious meaning for

State
Heap
Pointer
Value
21
Separation Logic
  • Define disjoint heaps
  • Separating conjunction

22
Separation Logic Lists
  • Notation for sequences
  • ? empty sequence
  • x? concatenation
  • Define list

23
Extending the Assertion Logic
Program
PROGRAM ANALYSISENGINE
VCCs
?, T
?
Model
CONSTRAINT SOLVER
WIDENING
Linear Arithmetic,Arrays, Float,
Linear Arithmetic,Arrays, Float,
Separation Logic
Separation Logic
24
Who does the assertions?
  • Manual annotations
  • Automatic discovery
  • Standard Template Library
  • Data in containers is implicitlyin separate heap
    cells

typedef stdhash_map ltstdstring,
symbolt, string_hashgt symbolst . . .
typedef stdvectorltnodetgt nodest
25
Requirements for Constraint Solvers
  • Constraint solver must supportvery rich logic
  • Data types might even be application-specific
  • But most queries are simple!
  • Extending custom-made constraint solveris tedious

26
Proposed Solution
  • Assumption we have a (partial) axiomatization of
    all logics
  • Goal high performance constraint solver

1st step define language for axioms
27
Example Equality Logic
equality_transitivity A "" B, B "" C -gt A
"" C
equality_commutativity A "" B lt-gt B "" A
equality A "" A
disequality A "!" B lt-gt NOT A "" B
emp rewrite h"""emp" lt-gt h"""semp""""semp
"
28
Build a Compiler!
2nd step build a compiler
VCC
Axioms
codegen
g
Binary
Ccode
SAT/UNSAT
29
Multiple Theories
  • Note that one can combine multiple theories
  • Interfacing through arbitrary propositions, not
    just equalities
  • Convexity requirement?

30
What about OR?
  • We could build case-splitting into the generated
    code
  • However, we will never be able to implement
  • Proper decision heuristics
  • Non-chronological back-tracking
  • Learning

31
What about OR?
  • Alternative producereduction to propositional
    logic
  • Generate CNF, and pass formula to SAT solver
  • The formula is unsatisfiable iff there exists a
    deduction that shows a contradiction

32
What about OR?
3nd step add SAT solver
VCC
Axioms
codegen
SATSolver
g
Binary
CNF
Ccode
This is the eager version lazy version
straight-forward.
33
What about OR?
  • Maintain truth value with each fact
  • Set new facts to unknown
  • Assign a literal to each fact that has truth
    value unknown
  • For each deduction step,generate constraint

emp rewrite h"""emp" lt-gt h"""semp""""semp
"
34
Separation Logic
disjoint_not_self h ! emp -gt not h "
h
and h "" P "" Q lt-gt h "" P, h "" Q
not h "" "!" P lt-gt not h "" P
conditional h "" P "?" Q "" R lt-gt (h
"" P -gt h "" Q), (h "" "!" P -gt h "" R)
35
Separation Logic
star h "" P "" Q lt-gt NEW h0 "" P,
NEW h1 "" Q, h "" NEW h0 "" NEW h1,
NEW h0 "" NEW h1
emp rewrite h"""emp" lt-gt h"""semp""""semp
"
36
Obtaining Invariants
  • Again, could be custom-made
  • Instead inspect proofs of failedrefutation-attem
    pts
  • Paper available on doing this for bit-vectors
  • E.g., for constructing interpolants

37
Conclusion
  • Generic constraint solver with propositional SAT
    as backend
  • Especially for complicated logics
  • Extensions of logic are easy
  • All case-splitting is pushed intopropositional
    SAT solver

38
Cross-Advertising
  • TACAS this can be used for?quantification over
    predicates
  • CAV Predicate abstraction for deep loops
  • PDPAR Completeness
  • How to tell for sure that no proof exists?
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2025 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The : "SATbased methods for proving properties in ReynoldsO'Hearn Separation Logic" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!