Automated Verification with HIP and SLEEK
Asankhaya Sharma
Recall the List length Example

```c
int length(struct node* p)
/*@ requires p::list<n,B>
    ensures  p::list<n,B> & res=n; */
{
  if(p == NULL) return 0;
  else return 1 + length(p->next);
}
```

Slide callouts: Memory Safety (the p::list predicate), Length of the List (n), Bag of Values (B).
Total Correctness

```c
int length(struct node* p)
/*@ requires p::list<n,B> & Term[n]
    ensures  p::list<n,B> & res=n; */
{
  if(p == NULL) return 0;
  else return 1 + length(p->next);
}
```

Termination Metric: Term[n] names a ranking function, one that decreases with each recursive call (or loop iteration).
Termination Examples for SLEEK

• checkentail Term[m] & m > n |- Term[n].  (Valid)
• checkentail x::list<n> & x != null & Term[n] |- x::node<_,p> * p::list<m> & Term[m].  (Valid)
• checkentail Term[m] |- Loop.  (Invalid)
• checkentail Term[m] |- MayLoop.  (Invalid)
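The slides state the Term[n] obligation for length() but never show what goes wrong when it is not met. The following program is an added example (not from the slides or from the HIP/SLEEK distribution) that instruments length() with its own ranking function at run time: the parameter named metric plays the role of n, must never go negative, and must be exactly 0 when the null node is reached, because p::list<n,B> with p = NULL entails n = 0. The helper names (length_term, build_three, the demo_* functions) and the three-node sample list are constructed for this example.

```c
#include <stdio.h>
#include <stddef.h>

/* Singly linked list node, as used by length() on the slides. */
struct node {
    int val;
    struct node *next;
};

/*
 * length() from the slide, instrumented with its termination metric.
 * The spec requires p::list<n,B> & Term[n]: the measure n (nodes still to
 * visit) is non-negative and strictly decreases on every recursive call,
 * and p::list<n,B> with p == NULL forces n == 0. 'metric' plays the role
 * of n. A violation means the input is not the well-formed list the
 * precondition promised (wrong length claim, or a cycle), so we stop
 * instead of recursing until the stack is exhausted.
 * Returns the length on success, -1 on a metric violation.
 */
static int length_term(struct node *p, int metric)
{
    if (p == NULL)
        return metric == 0 ? 0 : -1;   /* list<n> & p=null entails n=0 */
    if (metric <= 0)
        return -1;                     /* Term[n] would go negative */
    int rest = length_term(p->next, metric - 1);   /* measure decreases by 1 */
    return rest < 0 ? -1 : 1 + rest;
}

/* Constructed sample: fills a caller-supplied array as nodes[0] -> nodes[1] -> nodes[2] -> NULL. */
static struct node *build_three(struct node nodes[3])
{
    for (int i = 0; i < 3; i++) {
        nodes[i].val = i + 1;
        nodes[i].next = (i < 2) ? &nodes[i + 1] : NULL;
    }
    return &nodes[0];
}

/* Well-formed list with the correct claim n = 3: returns 3. */
int demo_well_formed(void)
{
    struct node nodes[3];
    return length_term(build_three(nodes), 3);
}

/* Well-formed list but the caller claimed n = 2: the metric hits 0 with a node left, returns -1. */
int demo_wrong_claim(void)
{
    struct node nodes[3];
    return length_term(build_three(nodes), 2);
}

/* Cyclic structure: not a list<n> at all; the metric stops the recursion, returns -1. */
int demo_cycle(void)
{
    struct node nodes[3];
    struct node *head = build_three(nodes);
    nodes[2].next = head;              /* close the cycle */
    return length_term(head, 3);
}

int main(void)
{
    printf("well-formed: %d\n", demo_well_formed());
    printf("wrong claim: %d\n", demo_wrong_claim());
    printf("cycle:       %d\n", demo_cycle());
    return 0;
}
```

The cyclic case is the one a verifier cares about: without the measure, length() on that input never returns, and the spec p::list<n,B> & Term[n] is exactly what rules such inputs out at the call site.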
Structured Specifications

• Richer specifications that provide guidance to automated verification
• Support automatic case analysis
• Support reuse of verification
• Support multiple specifications
Trivial Loop Example

```c
while(z!=n)
  requires true
  ensures z' = n
{ z = z + 1; }
```

The precondition is the same as the loop invariant; the postcondition of the loop is the final state when the loop terminates. When does this loop terminate?
With Termination

```c
while(z!=n)
  requires z <= n & Term[n-z]
  ensures z' = n
{ z = z + 1; }
```

The ranking function is specified as Term[R]; here R is n-z.
With Non-Termination

```c
while(z!=n)
  requires z > n & Loop
  ensures false
{ z = z + 1; }
```

The postcondition is false, which signifies an unreachable exit.
Recall Multiple Specs

```c
while(z!=n)
  requires z <= n & Term[n-z]
  ensures z' = n
  requires z > n & Loop
  ensures false
{ z = z + 1; }
```

The two specifications form a case analysis on z <= n versus z > n.
Case Structure

• Case Specification

```
case {
  p1 -> requires R1 ensures Q1;
  p2 -> requires R2 ensures Q2;
}
```

• Analogous to the law of the excluded middle (LEM)
• It can be applied during verification to support more comprehensive reasoning
Why Case?

• The presence of case structures enables:
  • Automatic case analysis
  • Clearer and more concise specifications
Case Specs for Scenario Analysis

Trivial loop with multiple scenarios revisited:

```c
while(z!=n)
  case {
    z <= n -> requires Term[n-z] ensures z' = n;
    z > n  -> requires Loop ensures false;
  }
{ z = z + 1; }
```
A Tricky Loop

• What termination spec to give to this loop?

```c
while(x>0){ x = x + y; }
```
Case Specs for Scenario Analysis

• Three Scenarios

```c
while(x>0)
  case {
    x <= 0 -> ensures x' = x;
    x > 0  -> case {
      y >= 0 -> ensures false;
      y < 0  -> ensures y < x' <= 0;
    }
  }
{ x = x + y; }
```

Slide callouts: x <= 0 is the base case; x > 0 & y >= 0 is non-terminating; x > 0 & y < 0 is recursive but terminating.
With Termination Specs

```c
while(x>0)
  case {
    x <= 0 -> requires Term[] ensures x' = x;
    x > 0  -> case {
      y >= 0 -> requires Loop ensures false;
      y < 0  -> requires Term[x] ensures y < x' <= 0;
    }
  }
{ x = x + y; }
```
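The case spec above decides, before the loop runs, which of the three scenarios applies. The program below is an added example (not from the slides) that turns that case analysis into an executable check: it selects the branch from x and y, reports the Loop branch without running it, and executes only the branch where termination was proven, checking on every iteration that the ranking function x strictly decreases and that the exit state satisfies y < x' <= 0. The names analyse_tricky_loop, scenario and outcome and the sample inputs in main are constructed for this example.

```c
#include <stdio.h>

/* Which branch of the case spec applies, and what was observed when it was run. */
enum scenario { BASE_CASE, NON_TERMINATING, TERMINATING, METRIC_VIOLATED, POST_VIOLATED };

struct outcome {
    enum scenario which;
    int x_final;     /* x' : value of x at loop exit (meaningful only if the loop exits) */
};

/*
 * Case analysis of the slide's loop   while(x>0){ x = x + y; }   driven by
 * the case spec:
 *   x<=0          requires Term[]   ensures x' = x
 *   x>0 & y>=0    requires Loop     ensures false
 *   x>0 & y<0     requires Term[x]  ensures y < x' <= 0
 * Only the third branch, where termination was proven, is executed. There
 * the ranking function x is checked on every iteration: while the loop
 * continues it must stay positive and strictly decrease. The second branch
 * is reported as non-terminating without running it.
 */
struct outcome analyse_tricky_loop(int x, int y)
{
    struct outcome r = { BASE_CASE, x };
    if (x <= 0)
        return r;                       /* loop body never runs, x' = x */
    if (y >= 0) {
        r.which = NON_TERMINATING;      /* Loop: no exit state exists */
        return r;
    }
    int metric = x;                     /* Term[x] */
    while (x > 0) {
        x = x + y;                      /* loop body from the slide */
        if (x > 0 && x >= metric) {     /* measure did not decrease */
            r.which = METRIC_VIOLATED;
            r.x_final = x;
            return r;
        }
        metric = x;
    }
    r.x_final = x;
    r.which = (y < x && x <= 0) ? TERMINATING : POST_VIOLATED;   /* check the ensures clause */
    return r;
}

int main(void)
{
    const char *names[] = { "base case", "non-terminating", "terminating",
                            "metric violated", "post violated" };
    int samples[][2] = { {0, 7}, {3, 0}, {5, -2}, {4, -4} };   /* constructed inputs */
    for (int i = 0; i < 4; i++) {
        struct outcome o = analyse_tricky_loop(samples[i][0], samples[i][1]);
        printf("x=%d y=%d : %s, x'=%d\n",
               samples[i][0], samples[i][1], names[o.which], o.x_final);
    }
    return 0;
}
```

For x = 5, y = -2 the loop passes through 3 and 1 and exits at x' = -1, which satisfies y < x' <= 0; for x = 3, y = 0 the Loop branch is reported and nothing is executed, which is the point of putting the non-terminating scenario in the spec rather than discovering it at run time.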
McCarthy 91 Function

• This function always returns 91 when the input is less than or equal to 100

```c
int mcCarthy(int n)
{
  if (n>100) return n-10;
  else return mcCarthy(mcCarthy(n+11));
}
```

Nested recursion. Does it terminate?
Termination

```c
int mcCarthy(int n)
  case {
    n > 100 -> requires Term[] ensures res = n-10;
    n <= 100 -> requires Term[100-n] ensures res = 91;
  }
{
  if (n>100) return n-10;
  else return mcCarthy(mcCarthy(n+11));
}
```
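With nested recursion the interesting question is whether the measure 100-n really shrinks on the outer call mcCarthy(mcCarthy(n+11)), whose argument is only known through the inner call's postcondition res = 91. The program below is an added example (not from the slides) that runs the function with the measure from the case spec threaded through every call: a call landing in the n <= 100 branch must see a strictly smaller measure than the frame that made it, while calls into the n > 100 branch are not measured because that branch carries Term[] and does not recurse. The names mccarthy_term, mccarthy91, mccarthy91_violations and mccarthy91_post_ok and the sample inputs are constructed for this example.

```c
#include <stdio.h>

/* Number of recursive calls into the n<=100 branch that failed to shrink the measure. */
static int metric_violations;

/*
 * McCarthy 91 from the slide, instrumented with the ranking function of its
 * case spec. For n<=100 the measure is 100-n; every recursive call that
 * lands in that branch must see a strictly smaller measure than the frame
 * that made it. The n>100 branch has Term[] (no measure, no recursion), so
 * calls into it are not measured. 'caller_metric' is the measure of the
 * calling frame, or -1 for the top-level call.
 */
static int mccarthy_term(int n, int caller_metric)
{
    if (n > 100)
        return n - 10;                           /* case n>100: Term[], ensures res=n-10 */
    int metric = 100 - n;                        /* case n<=100: Term[100-n] */
    if (caller_metric >= 0 && metric >= caller_metric)
        metric_violations++;                     /* measure did not decrease */
    int inner = mccarthy_term(n + 11, metric);   /* inner call: measure 89-n, or into Term[] */
    return mccarthy_term(inner, metric);         /* outer call on the inner result */
}

/* Result of mcCarthy(n), computed by the instrumented version. */
int mccarthy91(int n)
{
    metric_violations = 0;
    return mccarthy_term(n, -1);
}

/* Number of measure violations seen while computing mcCarthy(n); 0 means Term[100-n] held. */
int mccarthy91_violations(int n)
{
    metric_violations = 0;
    mccarthy_term(n, -1);
    return metric_violations;
}

/* 1 if the result matches the case spec's postcondition (res=91 for n<=100, res=n-10 otherwise). */
int mccarthy91_post_ok(int n)
{
    int res = mccarthy91(n);
    return n <= 100 ? res == 91 : res == n - 10;
}

int main(void)
{
    int samples[] = { -50, 0, 50, 89, 90, 100, 101, 150 };   /* constructed inputs */
    for (int i = 0; i < 8; i++) {
        int n = samples[i];
        printf("mcCarthy(%d) = %d, violations = %d, post ok = %d\n",
               n, mccarthy91(n), mccarthy91_violations(n), mccarthy91_post_ok(n));
    }
    return 0;
}
```

Why the outer call always decreases the measure: when n + 11 <= 100 the inner call returns 91 by its own postcondition, so the outer frame has measure 9 against a caller measure 100-n >= 11; when n + 11 > 100 the inner call returns n + 1, giving measure 99-n against 100-n. That is exactly the reasoning the postcondition res = 91 lets HIP carry out without executing anything.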
Further Reading

• Gherghina, Cristian, Cristina David, Shengchao Qin, and Wei-Ngan Chin. "Structured specifications for better verification of heap-manipulating programs." In FM 2011: Formal Methods, pp. 386-401. Springer Berlin Heidelberg, 2011.