A Constructor-Based Reachability Logic for Rewrite Theories

Transcription

1 A Constructor-Based Reachability Logic for Rewrite Theories Stephen Skeirik, Andrei Stefanescu, Jose Meseguer October 10th, 2017

2 Outline 1 Introduction 2 Reachability Logic Semantics 3 The Invariant Paradox 4 Inference System 5 Implementation and Case Studies 6 Conclusions and Future Work

3 Introduction Origins of Reachability Logic Reachability Logic (RL) was originally proposed by Rosu et. al to verify programs in K based on a rewriting logic (RWL) definition of language L s semantics generalizes both Hoare Logic and Separation Logic language-generic: a prover can be generated for each language L from its rewriting logic semantics R L 1 / 22

4 Introduction From Language-generic to Theory-generic RL This work addresses the following open problems: 1 Can we develop a reachability logic for general rewrite theories, i.e. RL(R) generalizing RL(R L )?...will allow us to move from verifying code to verifying distributed system designs 2 How can we maximize automation in RL proofs? 3 How can we use RL to prove invariants (invariant paradox)? 2 / 22

5 Introduction From Language-generic to Theory-generic RL We address questions (1)-(3) via: 1 developing a new RWL-theory based RL semantics and very simple proof system, 2 utilizing RWL concepts (e.g. constructors, variants) in our proof system as well as a equational-theory-generic SMT solver as a backend based on variant satisfiability 3 and applying an appropriate RWL theory transformation to prove invariants. 3 / 22

6 Introduction A Running Example: QLOCK The mutual exclusion protocol QLOCK has five rewrite rules: n2w : < n i w c q > < n w i c q ; i > w2c : < n w i c i ; q > < n w c i i ; q > c2n : < n w c i i ; q > < n i w c q > join : < n w c q > < n i w c q > if φ exit : < n i w c q > < n w c q > where φ dup(n w c i) tt. QLOCK s specification is R QLOCK = (Σ, E B, R) with R the above rules, B the axioms ACU for and A for ; and, E the equation dup(s s s ) = tt. 4 / 22

7 Outline 1 Introduction 2 Reachability Logic Semantics 3 The Invariant Paradox 4 Inference System 5 Implementation and Case Studies 6 Conclusions and Future Work

8 Reachability Logic Semantics Constrained Constructor Patterns Definition Let (Σ, B, E) be sufficiently complete w.r.t. constructors Ω. A constrained constructor pattern is a pair: u ϕ such that u T Ω (X) ϕ QFForm(Σ) The set PatPred(Ω, Σ) contains and all constrained constructor patterns, and is closed under ( ) and ( ) The semantics of predicate A is A C Σ/E,B where: 1 = 2 u ϕ = {[(uρ)!] BΩ C Σ/E,B ρ [X T Ω ] E B = ϕρ}. 3 A B = A B 4 A B = A B 5 / 22

9 Reachability Logic Semantics Reachability Formulas Definition Given patterns u φ and v i ψ i, a reachability formula has form: u ϕ i v i ψ i Example. 1 < n w c q > dup(n w c) tt 2 < n w c q > dup(n w c) tt < n w c q > dup(n w c ) tt 6 / 22

10 Reachability Logic Semantics Intuitive Semantics Q: What does the relation A B mean? A: Suppose we have: (1) a rewrite theory R (2) pattern fomulas A, B (3) and terminating states T Then A B means: for each state [t] A and rewrite path p from [t], either: (1) p crosses B or (2) p is infinite indicates counterex satisfies A B vacuously satisfies 7 / 22

11 Reachability Logic Semantics Formal Semantics Definition Let R = (Σ, E B, R) have (a) good executability conditions, (b) constructor subsignature Ω, (c) and top sort State of states. Let C R denote the canonical reachability model. R = A B iff: For each concrete state [u 0 ] C R,State A and; terminating sequence [u 0 ] R [u 1 ] [u n 1 ] R [u n ] There exists 0 j n with [u j ] B N.B.: expressible as LTL formula A ( enabled) B 8 / 22

12 Outline 1 Introduction 2 Reachability Logic Semantics 3 The Invariant Paradox 4 Inference System 5 Implementation and Case Studies 6 Conclusions and Future Work

13 The Invariant Paradox Introduction Recall our example theory QLOCK. Q: How to express mutual exclusion invariant by A B? A: Since: 1 A B just means A ( enabled) B, 2 and QLOCK is never terminating, then all formulas A B are satisfied, so we cannot. (Paradox!!). 9 / 22

14 The Invariant Paradox Solving the Invariant Paradox (I) Recall the structure of the rewrite rules in QLOCK: n2w : < n i w c q > < n w i c q ; i > Each rule is topped with a State constructor < >. Let s add rule: stop : < n w c q > [ n w i c q ] Note that the stop rule can terminate from any state in the combined theory QLOCK-stop. If B =... ϕ, let [B] denote the predicate [B] = [...] ϕ. Fact. B is an invariant from initial states S 0 in QLOCK iff S 0 [B] holds in QLOCK-stop. 10 / 22

15 The Invariant Paradox Solving the Invariant Paradox (II) Let R be a rewrite theory; assume a single State constructor,..., : w State and all rules have terms of sort State. Let R stop extend R by adding: (i) fresh [,..., ] : w State, and (ii) a stop rule x : w [ x : w]. Then: Theorem B is an invariant for R from S 0 iff S 0 [B] holds in R stop. Corollary If S 0 B and B [B] holds in R stop, then B is an invariant for R from initial sates S 0. Example. Mutual exclusion in QLOCK can be given by Mutex = n w i i ; q dup(n w c i) tt n w q dup(n w c) tt. Prove: (i) n nil Mutex (ii) Mutex [Mutex]. 11 / 22

16 Outline 1 Introduction 2 Reachability Logic Semantics 3 The Invariant Paradox 4 Inference System 5 Implementation and Case Studies 6 Conclusions and Future Work

17 Inference System Introduction (I) Q: Then given RWL theory R, how do we prove A B? A: Perhaps surprisingly, two proof rules are enough: A rule that traces rewrite steps of symbolic states in R A rule that internalizes terminating-path-length induction on R We call these two rules: Step+Subsumption Axiom 12 / 22

18 Inference System Introduction (II) The key ideas are: 1 Proving A B may require some auxiliary lemmas; Let C denote the formula A B plus these lemmas 2 For each formula in C, start with labeled sequents: [, C] T u ϕ i v i ψ i 3 1 st part ( ) is formulas to be assumed as axioms (none); 4 2 nd part (C) is formulas to prove that cannot yet be assumed 5 the Step+Subsumption rule allows us to inductively assume C after a rewrite step with rules R = {l j r j if φ j }. 13 / 22

19 Reachability Logic Proof Rules (I): Step+Subsumption Rule (j,α) unify(u ϕ,r)[a C, ] T (r j ϕ φ j )α i (v i ψ i )α [A, C] T u ϕ i v i ψ i with ϕ = ϕ (i,β) match(u,{v i }) (ψ iβ) and R = {l j r j if φ j } Note. proof rule performs all possible narrowing steps with rules R goals u φ B with unsatisfiable φ are implicitly removed 14 / 22

20 Reachability Logic Proof Rules (II): The Axiom Rule [{u ϕ j j v j ψ j} A, ] T v jα ϕ ψ jα i v i ψ i [{u ϕ j v j ψ j} A, ] T u ϕ i v i ψ i where α with u = EΩ B Ω u α and T Σ/E B = ϕ ϕ α 15 / 22

21 Reachability Logic Soundness Theorem (Soundness) Let R be a rewrite theory, and C a finite set of reachability formulas. If R proves [, C] T C then R = T C 16 / 22

22 Outline 1 Introduction 2 Reachability Logic Semantics 3 The Invariant Paradox 4 Inference System 5 Implementation and Case Studies 6 Conclusions and Future Work

23 Implementation and Case Studies Reflective Implementation The proof system has been implemented in Maude. Some notes: 1 RWL is reflective, Maude s META-LEVEL library support was used which supports reasoning over RWL theories and terms 2 Maude s built-in support for narrowing modulo axioms was used to compute successors in the RWL theory R 3 An implementation of a variant satisfiability-based, theory-generic SMT solver was used to discharge satisfiability and validity proof obligations 17 / 22

24 Implementation and Case Studies Case Studies Example Choice Comm. Protocol 1 Comm. Protocol 2 Dijkstra Fixed-Size Token Ring QLOCK Readers/Writers Lamport s Bakery Thermostat Description of the System/Property Nondeterministically throws away elements from a multiset/eventually only one element left Simple communication protocol/received data is always a prefix of the data to be sent Fault-tolerant communication protocol/all data is eventually received in-order Dijkstra s mutual exclusion alg./mutual exclusion 2-Token ring mutual exclusion alg./mutual exclusion QLOCK mutual exclusion alg./mutual exclusion Readers-writers mutual exclusion alg./mutual exclusion Unbounded Lamport s bakery/mutual exclusion Open system that dynamically responds to temperature/temperature remains in preset bounds 18 / 22

25 Implementation and Case Studies Example Proof Fragment T 1 { [C, ] [] [n 3 w 3 q 3 ] dup(n w p) tt dup(n 3 w 3 ) tt [Mutex 1 ] [Mutex 2 ] sub(p 1, α) T 1 T 2 axiom(g 2, α) [C, ] [] <n w p q > dup(n w p) tt [Mutex 1 ] [Mutex 2 ] [, C] [] <n w q > dup(n w ) tt [Mutex 1 ] [Mutex 2 ] step(n2w, θ) where G i Mutex i [Mutex], C {G 1, G 2 } 19 / 22

26 Outline 1 Introduction 2 Reachability Logic Semantics 3 The Invariant Paradox 4 Inference System 5 Implementation and Case Studies 6 Conclusions and Future Work

27 Conclusions We have presented our new theory and implementation of a RL semantics and inference system where: 1 our system is rewrite-theory-generic, so it can be applied to analyze distributed system designs 2 our implementation uses a theory-generic, variant satisfiability SMT solver underneath 3 we applied RWL theory transformations in order to specify and verify invariants 20 / 22

28 Future Work At this point, there are a two clear directions for future work: 1 our variant satisfiability implementation currently supports rewrite theories whose equational fragment is decidable we are developing heuristics for undecidable theories 2 we are developing larger, more interesting case studies to provide further validation for our reachability logic tool 21 / 22

29 The End Any Questions? 22 / 22