Building a program verifier - PowerPoint PPT Presentation

1 / 42

About This Presentation

Title:

Building a program verifier

Description:

int y = c.M(5); call y := C.M(c, 5); return; Verification-condition generation ... {x x3, y y0} VC generation: state changes (cont.) Replace every assignment. x : ... – PowerPoint PPT presentation

Number of Views:61

Avg rating:3.0/5.0

Slides: 43

Provided by: Rustan5

Category:

more less

Transcript and Presenter's Notes

Title: Building a program verifier

1
Building a program verifier

K. Rustan M. LeinoMicrosoft Research, Redmond, WA

10 May 2006Guest lecture, Shaz Qadeers cse599f,
Formal Verification of Computer
SystemsUniversity of WashingtonSeattle, WA
2
Spec research goals

Build the best such system we can build today
Experiment with the system to get a feel for what
it is like to use
Advance the state of the art

3
Spec demo Chunker
4
Basic architecture of a verifier
program with specifications
verification conditiongenerator
verification condition
theorem prover
correct or list of errors
5
Spec verifier architecture
Spec
Spec compiler
MSIL (bytecode)
Spec program verifier
translator
inference engine
Boogie PL
V.C. generator
verification condition
automatictheorem prover
correct or list of errors
6
Core language

Program outcomes
terminate
go wrong
block
diverge

7
Core language

x E
evaluate E and change x to that value
havoc x
change x to an arbitrary value
assert E
if E holds, terminate otherwise, go wrong
assume E
if E holds, terminate otherwise, block
S T
execute S, then T
S T or goto A or B
execute either S or T, choosing blindly
change point of control to block A or block B,
choosing blindly

8
Example translation if

Tr if P then S else T end
Start goto Then or Else
Then assume P Tr S goto After
Else assume P Tr T goto After
After

9
Example translation loop

Tr while invariant J B do S end
LoopHead assert J goto LoopBody or AfterLoop
LoopBody assume B Tr S goto LoopHead
AfterLoop assume B

10
Example translation partial expressions

Tr x a / b assert b ? 0 x
a / b
Tr x (T) y //
type cast assert y null ? typeof(y) lt T x
y

11
Example translation fields of objects

Tr x o.f assert o ? null x
Heap o, f
Tr o.f x assert o ? null Heap
o, f x

x Select(Heap, (o,f))
Heap Update(Heap, (o,f), x)
12
Example translation OO things

class C Object int x C() virtual
int M(int n)
static void Main() C c new C() c.x
12 int y c.M(5)

13
BoogiePL translation of OO things (0)

// types
const Object name
const C name
axiom C lt Object
function typeof(o ref) returns (t name)
// fields
const C.x name
const allocated name
// the heap
var Heap ref,nameint

14
BoogiePL translation of OO things (1)

// method declarations
procedure C..ctor(this ref)
requires this ! null typeof(this) lt C
modifies Heap
procedure C.M(this ref, n int) returns (result
int)
requires this ! null typeof(this) lt C
modifies Heap
procedure C.Main()
modifies Heap

15
BoogiePL translation of OO things (2)

// method implementations
implementation C.Main()
var c ref, y int
start
// C c new C()
havoc c
assume c ! null
assume Heapc, allocated 0
assume typeof(c) C
Heapc, allocated 1
call C..ctor(c)
// c.x 12
assert c ! null
Heapc, C.x 12
// int y c.M(5)

16
Verification-condition generation

0. passive features assert, assume,
1. control flow goto (no loops)
2. state changes , havoc
3. loops

17
Weakest preconditions

The weakest precondition of a statement S with
respect to a predicate Q on the post-state of S,
denoted wp(S,Q), is the set of pre-states from
which execution
does not go wrong, and
if it terminates, terminates in Q

18
VC generation passive features

wp( assert E, Q )
E ? Q
wp( assume E, Q )
E ? Q
wp( S T, Q )
wp( S, wp( T, Q ))

19
VC generation acyclic control flow

For each block A, introduce a variable Aok with
the meaning Aok is true iffevery program
execution starting in the current state from
block A does not go wrong
The verification condition for the program
A S goto B or C
is
( Aok ? wp( S, Bok ? Cok ) ) ?
?
Aok

20
VC generation state changes

Replace definitions and uses of variables by
definitions and uses of different incarnations of
the variables
x?x0, y?y0 x E(x,y) x1 E(x0,y0)
x?x1, y?y0
x?x0, y?y0 havoc x skip x?x1, y?y0

21
VC generation state changes (cont.)

Given x?x0 ,y?y0 S S x?x1, y?y0 x?x0,
y?y0 T T x?x2, y?y0
then we have
x?x0, y?y0 if E(x,y) then S else T end if
E(x0,y0) then S x3 x1else T x3
x2end
x?x3, y?y0

22
VC generation state changes (cont.)

Replace every assignment x Ewith assume x
E

23
VC generation loops
loop head
assert LoopInv( x )
assume Guard( x ) x
loop body
after loop
assume Guard( x )
24
VC generation loops
assert Passert P assume P
loop head
assert LoopInv( x ) assume LoopInv( x )
assume Guard( x ) x
loop body
after loop
assume Guard( x )
25
VC generation loops
assert LoopInv( x )
loop head
assert LoopInv( x ) assume LoopInv( x )
assume Guard( x ) x
loop body
after loop
assume Guard( x )
assert LoopInv( x )
26
VC generation loops
assert LoopInv( x )
loop head
havoc x
assume LoopInv( x )
loop target
assume Guard( x ) x assert LoopInv( x )
loop body
after loop
assume Guard( x )
27
VC generation loops
assert LoopInv( x )
loop head
havoc x
assume LoopInv( x )
assume Guard( x ) x assert LoopInv( x
)assume false
loop body
after loop
assume Guard( x )
28
Programming methodology
light-weight rules forsimpler reasoning
29
Object invariants

class C
private int xprivate int y
invariant x lt y
public void M() int t 100 / (y x) x
x 1 P(t) y y 1

30
When do object invariants hold?

class C
private int xprivate int y
invariant x lt y
public C() x 0 y 1
public void M() int t 100 / (y x) x
x 1 P(t) y y 1

invariant checked to holdat end of constructor
invariant assumed to holdon entry to method
invariant may betemporarily broken here
what if P calls back into M?
invariant is restored here
invariant checked to holdon exit from method
31
Object states

Mutable
Object invariant may not hold
Field updates allowed
Valid
Object invariant holds
Field updates not allowed

32
Valid vs. mutable objects

class C
private int x
private int y
invariant x lt ypublic void M()
requires this.inv Valid
expose (this) x x 1 P() y y
1

represent explicitlythat invariant
holds (without revealingwhat the invariant is)
change this.invfrom Valid to Mutable
field updates allowedonly on Mutable objects
check invariantthen, change this.invfrom
Mutable to Valid
33
Aggregate objects

class Set
Hashtable h
invariant public void Add(Element e)
requires this.inv Valid
expose (this)
h.Add(e, e)
class Hashtable
invariant
public void Add(object key, object
val) requires this.inv Valid

how do we know h is Valid here?
34
Aggregate objects

class Set
Hashtable h
invariant public void Add(Element e)
requires this.inv Valid
expose (this)
h.Add(e, e)
public Hashtable Leak() return h
class Hashtable
invariant
public void Add(object key, object
val) requires this.inv Valid

how do we know h is Valid here?
Perhaps it isnt! void Violation(Set
s) requires s.inv Valid Hashtable g
s.Leak() expose (g) g.x
s.Add()
35
Object states

Mutable
Object invariant may not hold
Field updates allowed
Valid
Object invariant holds
Field updates not allowed
Committed
Valid and owned
Cannot be exposedowner must be exposed first,
which makes this object Valid

36
Ownership

For any s Set,
s uniquely owns s.h
validity of s implies validity of s.h

class Set
owned Hashtable h
invariant public void Add(Element e)
requires this.inv Valid
expose (this)
h.Add(e, e)
class Hashtable
invariant
public void Add(object key, object
val) requires this.inv Valid

ownership of htemporarilyrelinquished here
ownership of hre-obtained here
37
Object states a picture of the heap
expose (s)
s Set
ownership
h
Mutable
Hashtable
Valid
Committed
38
Object states a picture of the heap
expose (s)
s Set
ownership
h
Mutable
Hashtable
Valid
Committed
39
Object states a picture of the heap
expose (s)
s Set
ownership
h
Mutable
Hashtable
Valid
Committed
40
Object states a picture of the heap
expose (s)
s Set
ownership
h
Mutable
Hashtable
Valid
Committed
41
Summary of object invariants