An Entailment Checker for Separation Logic with Inductive Definitions

Size: px

Start display at page:

Download "An Entailment Checker for Separation Logic with Inductive Definitions"

Rosamund Parsons
5 years ago
Views:

1 An Entailment Checker for Separation Loic with Inductive Definitions Radu Iosif, Cristina Serban Université de Grenoble Alpes, CNRS, VERIMAG July 18, 2018 Cristina Serban (VERIMAG) An Entailment Checker for SL with Inductive Definitions July 18, /44

2 Outline 1 Motivation and contributions 2 Inductive systems of predicates The entailment problem 3 Proof systems for inductive entailments Downwards inclusion check for tree automata Inference rules Restrictin the set of constraints for soundness and completeness 4 Implementation and experimental evaluation 5 Conclusions Cristina Serban (VERIMAG) An Entailment Checker for SL with Inductive Definitions July 18, /44

3 Proram verification Given a proram P and a set of initial proram states I is there an execution of P startin from a state in I and endin in a state from a bad set B? Provin proram correctness: annotate P with assertions such that Whenever an assertion is reached, it holds for the current state of P The bad set B is excluded from the states reachable by P Cristina Serban (VERIMAG) An Entailment Checker for SL with Inductive Definitions July 18, /44

4 Proram verification This process has been formalized by Hoare loic, reasonin about triples {φ} c {ψ} precondition φ holds c is executed postcondition ψ holds Cristina Serban (VERIMAG) An Entailment Checker for SL with Inductive Definitions July 18, /44

5 Proram verification This process has been formalized by Hoare loic, reasonin about triples {φ} c {ψ} precondition φ holds c is executed postcondition ψ holds Usin deduction rules, we can automatically compute Stronest postcondition: sp(c, φ) Weakest precondition: wp(c, ψ) Given a specification {φ} P {ψ}, we obtain verification conditions sp(p, φ) = ψ φ = wp(p, ψ) Cristina Serban (VERIMAG) An Entailment Checker for SL with Inductive Definitions July 18, /44

6 Reasonin about dynamically allocated memory Most prorams use dynamic memory and mutable data structures Coarse memory abstractions can lead to complex verification conditions, e.. properties of untouched memory carried throuh a function body Cristina Serban (VERIMAG) An Entailment Checker for SL with Inductive Definitions July 18, /44

7 Reasonin about dynamically allocated memory Most prorams use dynamic memory and mutable data structures Coarse memory abstractions can lead to complex verification conditions, e.. properties of untouched memory carried throuh a function body Compositional methods required to ensure scalability Local reasonin - specifications and proofs for a proram component refer only to the memory that component accesses (footprint) Modularity - analysin components in isolation and combinin the results to obtain a lobal verification condition Cristina Serban (VERIMAG) An Entailment Checker for SL with Inductive Definitions July 18, /44

8 Separation Loic (SL) Two types of connectives: Additive:, (classic conjunction and implication) Multiplicative:, (separatin conjunction and implication) Memory (heap) a resource of finite volume which can be split Resource interpretation of the separatin connectives: decomposes current resources talks about new or fresh resources φ 1 φ 2 φ 1 φ 2 φ 1 φ 1 φ 2 φ 2 Cristina Serban (VERIMAG) An Entailment Checker for SL with Inductive Definitions July 18, /44

9 SL features Frame rule for compositional reasonin The ability to extend local specifications reained at a deeper level with {φ} c {ψ} {φ ϕ} c {ψ ϕ} φ and ψ refer to the footprint of c, while ϕ involves only variables and heap cells not modified or mutated by c Cristina Serban (VERIMAG) An Entailment Checker for SL with Inductive Definitions July 18, /44

10 SL features Inductive definitions Recursive data structures are ubiquitous in real-life software Described by inductively defined predicates, which can also specify the shape of the memory where they are dynamically allocated Can be used in verification conditions Cristina Serban (VERIMAG) An Entailment Checker for SL with Inductive Definitions July 18, /44

11 Buildin a list sement ls(x, y) empty x u... y emp x = y Cristina Serban (VERIMAG) An Entailment Checker for SL with Inductive Definitions July 18, /44

12 Buildin a list sement ls(x, y) empty emp x = y x u... y x u Cristina Serban (VERIMAG) An Entailment Checker for SL with Inductive Definitions July 18, /44

13 Buildin a list sement ls(x, y) empty emp x = y x u... y x u ls(u, y) Cristina Serban (VERIMAG) An Entailment Checker for SL with Inductive Definitions July 18, /44

14 Buildin a list sement ls(x, y) empty emp x = y x u... y x u ls(u, y) Cristina Serban (VERIMAG) An Entailment Checker for SL with Inductive Definitions July 18, /44

15 Buildin a list sement ls(x, y) empty emp x = y x u... y x u ls(u, y) ls(x, y) ::= emp x = y u. x u ls(u, y) list sement ls a (x, y) ::= emp x = y x y u. x u ls a (u, y) acyclic list sement Cristina Serban (VERIMAG) An Entailment Checker for SL with Inductive Definitions July 18, /44

16 Buildin a list sement ls(x, y) empty emp x = y x u... y x u ls(u, y) ls(x, y) ::= emp x = y u. x u ls(u, y) list sement ls a (x, y) ::= emp x = y x y u. x u ls a (u, y) acyclic list sement Cristina Serban (VERIMAG) An Entailment Checker for SL with Inductive Definitions July 18, /44

17 Buildin a list sement ls(x, y) empty emp x = y x u... y x u ls(u, y) ls(x, y) ::= emp x = y u. x u ls(u, y) list sement ls a (x, y) ::= emp x = y x y u. x u ls a (u, y) acyclic list sement Cristina Serban (VERIMAG) An Entailment Checker for SL with Inductive Definitions July 18, /44

18 Contributions Checker for entailments between predicates with inductive definitions in SL Implements a cyclic proof system inspired by an antichain-based method for lanuae inclusion of tree automata Identify semantic restrictions for soundness and completeness Decision procedures from the DPLL(T)-based SMT solver CVC4 are used to establish the satisfiability of round SL formulae Cristina Serban (VERIMAG) An Entailment Checker for SL with Inductive Definitions July 18, /44

19 Outline 1 Motivation and contributions 2 Inductive systems of predicates The entailment problem 3 Proof systems for inductive entailments Downwards inclusion check for tree automata Inference rules Restrictin the set of constraints for soundness and completeness 4 Implementation and experimental evaluation 5 Conclusions Cristina Serban (VERIMAG) An Entailment Checker for SL with Inductive Definitions July 18, /44

20 Syntax of SL Sort symbols: Loc, Data, Bool, where Data = Loc k with k 1 fixed Function symbols: nil Loc Variables: Var = {x, y, z,...}, each havin a sort σ Fixed interpretation I s.t. Loc I = L countably infinite, nil I = l nil L Cristina Serban (VERIMAG) An Entailment Checker for SL with Inductive Definitions July 18, /44

21 Syntax of SL Sort symbols: Loc, Data, Bool, where Data = Loc k with k 1 fixed Function symbols: nil Loc Variables: Var = {x, y, z,...}, each havin a sort σ Fixed interpretation I s.t. Loc I = L countably infinite, nil I = l nil L Terms: t σ ::= x σ Var nil Loc t Loc 1,..., t Loc k Formulae: φ SL ::= t Bool t σ u σ ψ SL ψ SL 1 ψsl 2 ψ SL 1 ψsl 2 x σ. ψ SL x σ. ψ SL emp t Loc u Data ψ1 SL ψsl 2 ψ1 SL ψ2 SL Cristina Serban (VERIMAG) An Entailment Checker for SL with Inductive Definitions July 18, /44

22 Semantics of SL Valuation ν under I assins a value ν(x σ ) σ I to each x σ Var Heap is a mappin h : L fin L k and Heaps is the set of heaps h 1 #h 2 dom(h 1 ) dom(h 2 ) = h = h 1 h 2 h 1 #h 2 h = h 1 h 2 ν, h = SL φ if φ is interpreted to true under valuation ν and heap h. ν, h = SL emp iff h = ν, h = SL t u iff h = {(tν I, uν I )} and tν I l nil ν, h = SL φ 1 φ 2 iff h 1, h 2. h = h 1 h 2 and ν, h i = SL φ i, i {1, 2} ν, h = SL φ 1 φ 2 iff h. if h #h and ν, h = SL φ 1 then ν, h h = SL φ 2 φ 1 φ 2 φ 1 φ 2 φ 1 φ 1 φ 2 φ 2 Cristina Serban (VERIMAG) An Entailment Checker for SL with Inductive Definitions July 18, /44

23 Systems of inductive definitions Let Pred be a countable set of predicates p σ 1...σ n A predicate rule is a pair oal body p(x), {φ(x, x 1,..., x m ), q 1 (x 1 ),..., q m (x m )} constraint suboals Cristina Serban (VERIMAG) An Entailment Checker for SL with Inductive Definitions July 18, /44

24 Systems of inductive definitions Let Pred be a countable set of predicates p σ 1...σ n A predicate rule is a pair oal body p(x), {φ(x, x 1,..., x m ), q 1 (x 1 ),..., q m (x m )} constraint suboals An inductive system S is a finite set of rules and we write p(x) := S R 1... R l when { p(x), R 1,..., p(x), R l } are all the predicate rules for p in S Cristina Serban (VERIMAG) An Entailment Checker for SL with Inductive Definitions July 18, /44

25 The entailment problem F S monotone and continuous function on assinments mappin each p σ 1...σ n Pred to a set of solutions X (p) L n Heaps µs = {X F S (X ) X } least fixed point of F S and least solution of S Cristina Serban (VERIMAG) An Entailment Checker for SL with Inductive Definitions July 18, /44

26 The entailment problem F S monotone and continuous function on assinments mappin each p σ 1...σ n Pred to a set of solutions X (p) L n Heaps µs = {X F S (X ) X } least fixed point of F S and least solution of S Given an inductive system S and predicates p σ 1...σ n and q σ 1...σ n 1,..., q σ 1...σ n m, is µs(p) m i=1 µs(q i)? We denote entailment problems as p = SL S q 1,..., q m Cristina Serban (VERIMAG) An Entailment Checker for SL with Inductive Definitions July 18, /44

27 Examples of inductive entailments in SL ls(x, y) := Sl emp x = y x u, ls(u, y) ls a (x, y) := Sl emp x = y x y x u, ls a (u, y) ls ls a ls a = SL S l ls ls = SL S l ls a Cristina Serban (VERIMAG) An Entailment Checker for SL with Inductive Definitions July 18, /44

28 Examples of inductive entailments in SL tree(x) := St emp x = nil x (l, r), tree(l), tree(r) tree + 1 (x) := S t x (nil, nil) x (l, r), tree + 1 (l), tree(r) x (l, r), tree(l), tree + 1 (r) tree + 2 (x) := S t x (nil, nil) x (l, r), tree + 2 (l), tree+ 2 (r) nil nil nil nil nil nil nil nil nil nil built only by tree + 1 built both by tree + 1 and tree + 2 tree + 1 =SL S t tree tree = SL S t tree + 1 tree + 2 =SL S t tree tree = SL S t tree + 2 tree + 2 =SL S t tree + 1 tree + 1 =SL S t tree + 2 Cristina Serban (VERIMAG) An Entailment Checker for SL with Inductive Definitions July 18, /44

29 Outline 1 Motivation and contributions 2 Inductive systems of predicates The entailment problem 3 Proof systems for inductive entailments Downwards inclusion check for tree automata Inference rules Restrictin the set of constraints for soundness and completeness 4 Implementation and experimental evaluation 5 Conclusions Cristina Serban (VERIMAG) An Entailment Checker for SL with Inductive Definitions July 18, /44

30 Nondeterministic finite tree automata An NFTA can be viewed as an inductive system states are represented by predicates predicate rules are obtained by translation from transition rules Consider a ranked alphabet F = {f (, ), (), a, b} A = {{p, p 1, p 2 }, F, {p}, A } and B = {{q, q 1, q 2 }, F, {q}, B } A = {p f (p 1, p 2 ), p 1 p1, a p 1 (), p 2 p2, b p 2 ()} B = {q f (q 1, q 2 ), q 1 q1, a q 1 (), q f (q 2, q 1 ), q 2 q2, b q 2 ()}. a f. b startin from both p and q. b f. a only startin from q Cristina Serban (VERIMAG) An Entailment Checker for SL with Inductive Definitions July 18, /44

31 Nondeterministic finite tree automata An NFTA can be viewed as an inductive system states are represented by predicates predicate rules are obtained by translation from transition rules Consider a ranked alphabet F = {f (, ), (), a, b} A = {{p, p 1, p 2 }, F, {p}, A } and B = {{q, q 1, q 2 }, F, {q}, B } A = {p f (p 1, p 2 ), p 1 p1, a p 1 (), p 2 p2, b p 2 ()} B = {q f (q 1, q 2 ), q 1 q1, a q 1 (), q f (q 2, q 1 ), q 2 q2, b q 2 ()}. a f. b startin from both p and q. b f. a only startin from q Cristina Serban (VERIMAG) An Entailment Checker for SL with Inductive Definitions July 18, /44

32 Nondeterministic finite tree automata An NFTA can be viewed as an inductive system states are represented by predicates predicate rules are obtained by translation from transition rules Consider a ranked alphabet F = {f (, ), (), a, b} A = {{p, p 1, p 2 }, F, {p}, A } and B = {{q, q 1, q 2 }, F, {q}, B } A = {p f (p 1, p 2 ), p 1 p1, a p 1 (), p 2 p2, b p 2 ()} B = {q f (q 1, q 2 ), q 1 q1, a q 1 (), q f (q 2, q 1 ), q 2 q2, b q 2 ()}. a f. b startin from both p and q. b f. a only startin from q Cristina Serban (VERIMAG) An Entailment Checker for SL with Inductive Definitions July 18, /44

33 Nondeterministic finite tree automata An NFTA can be viewed as an inductive system states are represented by predicates predicate rules are obtained by translation from transition rules Consider a ranked alphabet F = {f (, ), (), a, b} A = {{p, p 1, p 2 }, F, {p}, A } and B = {{q, q 1, q 2 }, F, {q}, B } A = {p f (p 1, p 2 ), p 1 p1, a p 1 (), p 2 p2, b p 2 ()} B = {q f (q 1, q 2 ), q 1 q1, a q 1 (), q f (q 2, q 1 ), q 2 q2, b q 2 ()}. a f. b startin from both p and q. b f. a only startin from q Cristina Serban (VERIMAG) An Entailment Checker for SL with Inductive Definitions July 18, /44

34 Nondeterministic finite tree automata An NFTA can be viewed as an inductive system states are represented by predicates predicate rules are obtained by translation from transition rules Consider a ranked alphabet F = {f (, ), (), a, b} A = {{p, p 1, p 2 }, F, {p}, A } and B = {{q, q 1, q 2 }, F, {q}, B } A = {p f (p 1, p 2 ), p 1 p1, a p 1 (), p 2 p2, b p 2 ()} B = {q f (q 1, q 2 ), q 1 q1, a q 1 (), q f (q 2, q 1 ), q 2 q2, b q 2 ()}. a f. b startin from both p and q. b f. a only startin from q Cristina Serban (VERIMAG) An Entailment Checker for SL with Inductive Definitions July 18, /44

35 Lanuae inclusion for tree automata A = {{p, p 1, p 2 }, F, {p}, A } and B = {{q, q 1, q 2 }, F, {q}, B } A = {p f (p 1, p 2 ), p 1 p1, a p 1 (), p 2 p2, b p 2 ()} B = {q f (q 1, q 2 ), q 1 q1, a q 1 (), q f (q 2, q 1 ), q 2 q2, b q 2 ()}. a f. b startin from both p and q. b f. a only startin from q Lanuae inclusion: whether L(A) L(B), where L(A) = s I A L(A, s) L(A) L(B) L(A, p) L(B, q) p = SL S q Cristina Serban (VERIMAG) An Entailment Checker for SL with Inductive Definitions July 18, /44

36 Downwards inclusion check for tree automata A = { p f a (p 1, p 2 ), p 1 p1, p 1 (), b p 2 p2, p 2 () } (p, {q}) B = { q f a (q 1, q 2 ), q 1 q1, q 1 (), f q f b (q 2, q 1 ), q 2 q2, q 2 () } ((p 1, p 2 ), {(q 1, q 2 ), (q 2, q 1 )}) (p 1, {q 1, q 2 }) (p 1, {q 1 }) (p 2, {q 2 }) (p 2, {q 2, q 1 }) a a b b ((), {()}) (p 1, {q 1, q 2 }) ((), {()}) (p 1, {q 1 }) ((), {()}) (p 2, {q 2 }) ((), {()}) (p 2, {q 2, q 1 }) Efficient Inclusion Checkin on Explicit and Semi-symbolic Tree Automata [L. Hoĺık, O. Lenál, J. Simácek, T. Vojnar ATVA 2011] Cristina Serban (VERIMAG) An Entailment Checker for SL with Inductive Definitions July 18, /44

37 Downwards inclusion check for tree automata A = { p f a (p 1, p 2 ), p 1 p1, p 1 (), b p 2 p2, p 2 () } (p, {q}) B = { q f a (q 1, q 2 ), q 1 q1, q 1 (), f q f b (q 2, q 1 ), q 2 q2, q 2 () } ((p 1, p 2 ), {(q 1, q 2 ), (q 2, q 1 )}) (p 1, {q 1, q 2 }) (p 1, {q 1 }) (p 2, {q 2 }) (p 2, {q 2, q 1 }) a a b b ((), {()}) (p 1, {q 1, q 2 }) ((), {()}) (p 1, {q 1 }) ((), {()}) (p 2, {q 2 }) ((), {()}) (p 2, {q 2, q 1 }) Efficient Inclusion Checkin on Explicit and Semi-symbolic Tree Automata [L. Hoĺık, O. Lenál, J. Simácek, T. Vojnar ATVA 2011] Cristina Serban (VERIMAG) An Entailment Checker for SL with Inductive Definitions July 18, /44

38 Downwards inclusion check for tree automata A = { p f a (p 1, p 2 ), p 1 p1, p 1 (), b p 2 p2, p 2 () } (p, {q}) B = { q f a (q 1, q 2 ), q 1 q1, q 1 (), f q f b (q 2, q 1 ), q 2 q2, q 2 () } ((p 1, p 2 ), {(q 1, q 2 ), (q 2, q 1 )}) (p 1, {q 1, q 2 }) (p 1, {q 1 }) (p 2, {q 2 }) (p 2, {q 2, q 1 }) a a b b ((), {()}) (p 1, {q 1, q 2 }) ((), {()}) (p 1, {q 1 }) ((), {()}) (p 2, {q 2 }) ((), {()}) (p 2, {q 2, q 1 }) L(A, p 1 ) L(A, p 2 ) L(B, q 1 ) L(B, q 2 ) L(B, q 2 ) L(B, q 1 ) Efficient Inclusion Checkin on Explicit and Semi-symbolic Tree Automata [L. Hoĺık, O. Lenál, J. Simácek, T. Vojnar ATVA 2011] Cristina Serban (VERIMAG) An Entailment Checker for SL with Inductive Definitions July 18, /44

39 Downwards inclusion check for tree automata A = { p f a (p 1, p 2 ), p 1 p1, p 1 (), b p 2 p2, p 2 () } (p, {q}) B = { q f a (q 1, q 2 ), q 1 q1, q 1 (), f q f b (q 2, q 1 ), q 2 q2, q 2 () } ((p 1, p 2 ), {(q 1, q 2 ), (q 2, q 1 )}) (p 1, {q 1, q 2 }) (p 1, {q 1 }) (p 2, {q 2 }) (p 2, {q 2, q 1 }) a a b b ((), {()}) (p 1, {q 1, q 2 }) ((), {()}) (p 1, {q 1 }) ((), {()}) (p 2, {q 2 }) ((), {()}) (p 2, {q 2, q 1 }) L(A, p 1 ) L(A, p 2 ) L(B, q 1 ) L(B, q 2 ) L(B, q 2 ) L(B, q 1 ) Efficient Inclusion Checkin on Explicit and Semi-symbolic Tree Automata [L. Hoĺık, O. Lenál, J. Simácek, T. Vojnar ATVA 2011] Cristina Serban (VERIMAG) An Entailment Checker for SL with Inductive Definitions July 18, /44

40 Downwards inclusion check for tree automata A = { p f a (p 1, p 2 ), p 1 p1, p 1 (), b p 2 p2, p 2 () } (p, {q}) B = { q f a (q 1, q 2 ), q 1 q1, q 1 (), f q f b (q 2, q 1 ), q 2 q2, q 2 () } ((p 1, p 2 ), {(q 1, q 2 ), (q 2, q 1 )}) (p 1, {q 1, q 2 }) (p 1, {q 1 }) (p 2, {q 2 }) (p 2, {q 2, q 1 }) a a b b ((), {()}) (p 1, {q 1, q 2 }) ((), {()}) (p 1, {q 1 }) ((), {()}) (p 2, {q 2 }) ((), {()}) (p 2, {q 2, q 1 }) Check successful when reachin ((), S) with () S Efficient Inclusion Checkin on Explicit and Semi-symbolic Tree Automata [L. Hoĺık, O. Lenál, J. Simácek, T. Vojnar ATVA 2011] Cristina Serban (VERIMAG) An Entailment Checker for SL with Inductive Definitions July 18, /44

41 Downwards inclusion check for tree automata A = { p f a (p 1, p 2 ), p 1 p1, p 1 (), b p 2 p2, p 2 () } (p, {q}) B = { q f a (q 1, q 2 ), q 1 q1, q 1 (), f q f b (q 2, q 1 ), q 2 q2, q 2 () } ((p 1, p 2 ), {(q 1, q 2 ), (q 2, q 1 )}) (p 1, {q 1, q 2 }) (p 1, {q 1 }) (p 2, {q 2 }) (p 2, {q 2, q 1 }) a a b b ((), {()}) (p 1, {q 1, q 2 }) ((), {()}) (p 1, {q 1 }) ((), {()}) (p 2, {q 2 }) ((), {()}) (p 2, {q 2, q 1 }) Check successful when reachin an already processed pair (p, S) Efficient Inclusion Checkin on Explicit and Semi-symbolic Tree Automata [L. Hoĺık, O. Lenál, J. Simácek, T. Vojnar ATVA 2011] Cristina Serban (VERIMAG) An Entailment Checker for SL with Inductive Definitions July 18, /44

42 Downwards inclusion check for tree automata A = { p f a (p 1, p 2 ), p 1 p1, p 1 (), b p 2 p2, p 2 () } (p, {q}) B = { q f a (q 1, q 2 ), q 1 q1, q 1 (), f q f b (q 2, q 1 ), q 2 q2, q 2 () } ((p 1, p 2 ), {(q 1, q 2 ), (q 2, q 1 )}) (p 1, {q 1, q 2 }) (p 1, {q 1 }) (p 2, {q 2 }) (p 2, {q 2, q 1 }) a a b b ((), {()}) (p 1, {q 1, q 2 }) ((), {()}) (p 1, {q 1 }) ((), {()}) (p 2, {q 2 }) ((), {()}) (p 2, {q 2, q 1 }) Efficient Inclusion Checkin on Explicit and Semi-symbolic Tree Automata [L. Hoĺık, O. Lenál, J. Simácek, T. Vojnar ATVA 2011] Cristina Serban (VERIMAG) An Entailment Checker for SL with Inductive Definitions July 18, /44

43 Sequents and inference rules a pair (p, {q 1,..., q m }) Γ set of formulae and predicate atoms ( conjunction) a sequent Γ set of conjunctions over formulae and predicate atoms (disjunction) Cristina Serban (VERIMAG) An Entailment Checker for SL with Inductive Definitions July 18, /44

44 Sequents and inference rules a pair (p, {q 1,..., q m }) Γ set of formulae and predicate atoms ( conjunction) a sequent Γ set of conjunctions over formulae and predicate atoms (disjunction) An inference rule is of the form: IR Γ Γ n n Γ. C Γ p p side conditions Γ is the consequent Γ i i are the antecedents Cristina Serban (VERIMAG) An Entailment Checker for SL with Inductive Definitions July 18, /44

45 Sequents and inference rules a pair (p, {q 1,..., q m }) Γ set of formulae and predicate atoms ( conjunction) a sequent Γ set of conjunctions over formulae and predicate atoms (disjunction) An inference rule is of the form: IR Γ Γ n n Γ. C Γ p p side conditions Γ is the consequent Γ i i are the antecedents, we write if n = 0 Cristina Serban (VERIMAG) An Entailment Checker for SL with Inductive Definitions July 18, /44

46 Sequents and inference rules a pair (p, {q 1,..., q m }) Γ set of formulae and predicate atoms ( conjunction) a sequent Γ set of conjunctions over formulae and predicate atoms (disjunction) An inference rule is of the form: IR Γ Γ n n Γ. C Γ p p side conditions Γ is the consequent Γ i i are the antecedents, we write if n = 0 Γ p p is the pivot of the rule, ancestor of the consequent Cristina Serban (VERIMAG) An Entailment Checker for SL with Inductive Definitions July 18, /44

47 Sequents and inference rules a pair (p, {q 1,..., q m }) Γ set of formulae and predicate atoms ( conjunction) a sequent Γ set of conjunctions over formulae and predicate atoms (disjunction) An inference rule is of the form: IR Γ Γ n n Γ. C Γ p p side conditions Γ is the consequent Γ i i are the antecedents, we write if n = 0 Γ p p is the pivot of the rule, ancestor of the consequent C is a pivot constraint on the path from the pivot to the consequent Cristina Serban (VERIMAG) An Entailment Checker for SL with Inductive Definitions July 18, /44

48 Derivations and proofs IR 4 IR 5 Γ 4 4 Γ 5 5 IR 2 IR 3 Γ 2 2 Γ 3 3 IR 1 Γ 1 1 Derivation (possibly infinite) IR 4 IR 5 Γ 4 4 Γ 5 5 IR 2 IR 3 Γ 2 2 Γ 3 3 IR 1 Γ 1 1 Proof (finite, all leaves are ) Cristina Serban (VERIMAG) An Entailment Checker for SL with Inductive Definitions July 18, /44

49 Derivations and proofs Γ Γ SL S Soundness - If there exists a proof for Γ, then the correspondin entailment holds Completeness - If the entailment holds, then there exists a proof for its correspondin sequent Cristina Serban (VERIMAG) An Entailment Checker for SL with Inductive Definitions July 18, /44

50 Inference rules - LU (left unfold) ID tree + 2 (l 0) tree + 1 (l 0) SP tree + 2 (l 0), tree + 2 (r 0) tree 1 + (l 0) tree(r 0 ), tree(l 0 ) tree + 1 (r 0) RD AX x (l 0, r 0 x), tree (nil, 2 + (l nil) 0), tree x 2 + (r 0) (nil, xnil),(nil, nil), l l 1 r. x (l 1, r 1 ) tree + 1 (l 1 r 1. x (l 1, r 1 ) tree + 1) tree(r 1 ), 1 (l 1) tree(r 1 ), l l 1 r. x 1, r 1 ) tree(l 1 ) tree + 1 (r 1 r 1. x (l 1, r 1 ) tree(l 1 ) + 1 (r 1) 1) RU RU x (l 0, rx 0 ), tree (nil, + 2 (l nil) 0), tree tree 2 + (r+ 10) (x) tree + 1 (x) LU tree + 2 (x) tree + 1 (x) tree + 2 (x) := S t x (nil, nil) x (l, r), tree + 2 (l), tree+ 2 (r) Cristina Serban (VERIMAG) An Entailment Checker for SL with Inductive Definitions July 18, /44

51 Inference rules - RU (riht unfold) ID tree + 2 (l 0) tree + 1 (l 0) SP tree + 2 (l 0), tree + 2 (r 0) tree 1 + (l 0) tree(r 0 ), tree(l 0 ) tree + 1 (r 0) RD AX x (l 0, r 0 x), tree (nil, 2 + (l nil) 0), tree x 2 + (r 0) (nil, xnil),(nil, nil), l l 1 r. x (l 1, r 1 ) tree + 1 (l 1 r 1. x (l 1, r 1 ) tree + 1) tree(r 1 ), 1 (l 1) tree(r 1 ), l l 1 r. x 1, r 1 ) tree(l 1 ) tree + 1 (r 1 r 1. x (l 1, r 1 ) tree(l 1 ) + 1 (r 1) 1) RU RU x (l 0, rx 0 ), tree (nil, + 2 (l nil) 0), tree tree 2 + (r+ 10) (x) tree + 1 (x) LU tree + 2 (x) tree + 1 (x) tree + 1 (x) := S t x (nil, nil) x (l, r), tree + 1 (l), tree(r) x (l, r), tree(l), tree + 1 (r) Cristina Serban (VERIMAG) An Entailment Checker for SL with Inductive Definitions July 18, /44

52 Inference rules - AX (axiom) ID tree + 2 (l 0) tree + 1 (l 0) SP tree + 2 (l 0), tree + 2 (r 0) tree 1 + (l 0) tree(r 0 ), tree(l 0 ) tree + 1 (r 0) RD AX x (l 0, r 0 x), tree (nil, 2 + (l nil) 0), tree x 2 + (r 0) (nil, xnil),(nil, nil), l l 1 r. x (l 1, r 1 ) tree + 1 (l 1 r 1. x (l 1, r 1 ) tree + 1) tree(r 1 ), 1 (l 1) tree(r 1 ), l l 1 r. x 1, r 1 ) tree(l 1 ) tree + 1 (r 1 r 1. x (l 1, r 1 ) tree(l 1 ) + 1 (r 1) 1) RU RU x (l 0, rx 0 ), tree (nil, + 2 (l nil) 0), tree tree 2 + (r+ 10) (x) tree + 1 (x) LU tree + 2 (x) tree + 1 (x) Similar to reachin a pair ((), S) with () S in the NFTA inclusion check Cristina Serban (VERIMAG) An Entailment Checker for SL with Inductive Definitions July 18, /44

53 Inference rules - LU (left unfold) RD RU SP tree + 2 (l 0) tree + 1 (l 0) tree + 2 (l 0), tree + 2 (r 0) tree + 1 (l 0) tree(r 0 ), tree(l 0 ) tree + 1 (r 0) x (l 0, r 0 ), tree + 2 (l 0), tree + 2 (r 0) x (nil, nil), l 1 r 1. x (l 1, r 1 ) tree + 1 (l 1) tree(r 1 ), l 1 r 1. x (l 1, r 1 ) tree(l 1 ) tree + 1 (r 1) LU ID x (l 0, r 0 ), tree + 2 (l 0), tree + 2 (r 0) tree + 1 (x) tree + 2 (x) tree + 1 (x) tree + 2 (x) := S t x (nil, nil) x (l, r), tree + 2 (l), tree+ 2 (r) Cristina Serban (VERIMAG) An Entailment Checker for SL with Inductive Definitions July 18, /44

54 Inference rules - RU (riht unfold) RD RU SP tree + 2 (l 0) tree + 1 (l 0) tree + 2 (l 0), tree + 2 (r 0) tree + 1 (l 0) tree(r 0 ), tree(l 0 ) tree + 1 (r 0) x (l 0, r 0 ), tree + 2 (l 0), tree + 2 (r 0) x (nil, nil), l 1 r 1. x (l 1, r 1 ) tree + 1 (l 1) tree(r 1 ), l 1 r 1. x (l 1, r 1 ) tree(l 1 ) tree + 1 (r 1) LU ID x (l 0, r 0 ), tree + 2 (l 0), tree + 2 (r 0) tree + 1 (x) tree + 2 (x) tree + 1 (x) tree + 1 (x) := S t x (nil, nil) x (l, r), tree + 1 (l), tree(r) x (l, r), tree(l), tree + 1 (r) Cristina Serban (VERIMAG) An Entailment Checker for SL with Inductive Definitions July 18, /44

55 Inference rules - RD (reduce) RD RU SP tree + 2 (l 0) tree + 1 (l 0) tree + 2 (l 0), tree + 2 (r 0) tree + 1 (l 0) tree(r 0 ), tree(l 0 ) tree + 1 (r 0) x (l 0, r 0 ), tree + 2 (l 0), tree + 2 (r 0) x (nil, nil), l 1 r 1. x (l 1, r 1 ) tree + 1 (l 1) tree(r 1 ), l 1 r 1. x (l 1, r 1 ) tree(l 1 ) tree + 1 (r 1) LU ID x (l 0, r 0 ), tree + 2 (l 0), tree + 2 (r 0) tree + 1 (x) tree + 2 (x) tree + 1 (x) x (l 0, r 0 ) = SL x (nil, nil) x (l 0, r 0 ) = SL l 1 r 1. x (l 1, r 1 ) θ = {(l 1, l 0 ), (r 1, r 0 )} LU + RU + RD encode a transition action in the NFTA inclusion check Cristina Serban (VERIMAG) An Entailment Checker for SL with Inductive Definitions July 18, /44

56 Inference rules - SP (split) RD RU SP tree + 2 (l 0) tree + 1 (l 0) tree + 2 (l 0), tree + 2 (r 0) tree + 1 (l 0) tree(r 0 ), tree(l 0 ) tree + 1 (r 0) x (l 0, r 0 ), tree + 2 (l 0), tree + 2 (r 0) x (nil, nil), l 1 r 1. x (l 1, r 1 ) tree + 1 (l 1) tree(r 1 ), l 1 r 1. x (l 1, r 1 ) tree(l 1 ) tree + 1 (r 1) LU ID x (l 0, r 0 ), tree + 2 (l 0), tree + 2 (r 0) tree + 1 (x) tree + 2 (x) tree + 1 (x) tree + 2 (l 0) tree + 1 (l 0), tree(l 0 ) tree + 2 (l 0) tree + 1 (l 0) tree + 2 (l 0) tree(l 0 ) tree + 2 (r 0) tree(r 0 ), tree + 1 (r 0) tree + 2 (l 0) tree + 1 (l 0) tree + 2 (l 0) tree(l 0 ) tree + 2 (r 0) tree(r 0 ), tree + 1 (r 0) Cristina Serban (VERIMAG) An Entailment Checker for SL with Inductive Definitions July 18, /44

57 Inference rules - ID (infinite descent) RD RU SP tree + 2 (l 0) tree + 1 (l 0) tree + 2 (l 0), tree + 2 (r 0) tree + 1 (l 0) tree(r 0 ), tree(l 0 ) tree + 1 (r 0) x (l 0, r 0 ), tree + 2 (l 0), tree + 2 (r 0) x (nil, nil), l 1 r 1. x (l 1, r 1 ) tree + 1 (l 1) tree(r 1 ), l 1 r 1. x (l 1, r 1 ) tree(l 1 ) tree + 1 (r 1) LU ID x (l 0, r 0 ), tree + 2 (l 0), tree + 2 (r 0) tree + 1 (x) tree + 2 (x) tree + 1 (x) Backlink from Γθ θ to the pivot Γ with Pivot constraint: LU required between the pivot and the consequent Generalizes the reachin an already seen pair in the NFTA inclusion check Cristina Serban (VERIMAG) An Entailment Checker for SL with Inductive Definitions July 18, /44

58 Outline 1 Motivation and contributions 2 Inductive systems of predicates The entailment problem 3 Proof systems for inductive entailments Downwards inclusion check for tree automata Inference rules Restrictin the set of constraints for soundness and completeness 4 Implementation and experimental evaluation 5 Conclusions Cristina Serban (VERIMAG) An Entailment Checker for SL with Inductive Definitions July 18, /44

59 Ranked Suboal models decrease in a well-founded domain w.r.t the oal models If h 1 = h h 2, then h 2 h 1 and h 2 h 1 if, moreover, h p(x), {φ(x, x 1,..., x m ), q 1 (x 1 ),..., q i (x 1 ),..., q m (x m )} h = h 0 h 1... h i... h m h i h Necessary to ensure proress alon a recurrin branch closed by ID Cristina Serban (VERIMAG) An Entailment Checker for SL with Inductive Definitions July 18, /44

60 Soundness Inference rules are sound for entailments with ranked inductive definitions LU, RU, RD, SP, AX are locally sound Global soundness of proofs usin ID: a counterexample cex 1 for the root Γ 1 1 of a proof can be propaated alon an infinite trace antecedent or pivot Γ 1 1 Γ Γ i i Γ i+1 i+1... cex 1 cex 2... cex i cex i+1... Ranked + LU required by ID counterexample strictly decreases infinitely often, contradictin the well-foundedness of the chosen domain Cristina Serban (VERIMAG) An Entailment Checker for SL with Inductive Definitions July 18, /44

61 Completeness Three additional semantic restrictions on the constraints of an inductive system - safe removal of constraints from sequents when usin RD Reduce to checkin satisfiability of -quantified SL formulae, which is PSPACE-complete for the -free frament Proofs can be discovered by employin a search stratey S = (LU RU RD SP?) LU? RU (AX ID) Only for definitions eneratin matchin coverae trees of the heap models Cristina Serban (VERIMAG) An Entailment Checker for SL with Inductive Definitions July 18, /44

62 Completeness Only for definitions eneratin matchin coverae trees of the heap models ls = SL S r ls(x, y) := Sr emp x = y x u, ls(u, y) ls r (x, y) := Sr emp x = y u y, ls r (x, u) ls r and ls r = SL S r ls hold, but we cannot build a proof v = 1, 4 and h = {(1, 2), (2, 3), (3, 4)} solution for both ls and ls r, but the two definitions enerate different coverae trees for h t = {(1, 2)} {(2, 3)} {(3, 4)} t r = {(3, 4)} {(2, 3)} {(1, 2)} Cristina Serban (VERIMAG) An Entailment Checker for SL with Inductive Definitions July 18, /44

63 Outline 1 Motivation and contributions 2 Inductive systems of predicates The entailment problem 3 Proof systems for inductive entailments Downwards inclusion check for tree automata Inference rules Restrictin the set of constraints for soundness and completeness 4 Implementation and experimental evaluation 5 Conclusions Cristina Serban (VERIMAG) An Entailment Checker for SL with Inductive Definitions July 18, /44

64 Inductor checker for inductive entailments in SL Written in C++, queries CVC4 to check restrictions and noninductive entailments when applyin AX or RD Inductive definitions and entailment queries are iven as SMT-LIB scripts Explores all possible derivations usin a tree structure with two types of nodes: SNodes (for sequents) and RNodes (for inference rules) Node status: unknown, valid, invalid, updates propaate to ancestors S 1 S 1 S 1 IR 1 IR 2 IR 1 IR 2 IR 1 IR 2 S 2 S 3 S 4 S 2 S 3 S 4 S 2 S 3 S 4 Output: valid + proof, invalid + counterexample Cristina Serban (VERIMAG) An Entailment Checker for SL with Inductive Definitions July 18, /44

65 Experimental evaluation LHS RHS R Sequents Rules H Seq H LU H SP T CVC4 tree + 1 tree V s 9 tree + 2 tree V s 7 tree + 2 tree + 1 V s 37 tree tree + 1 I s 7 tree tree + 2 I s 5 tree + 1 tree + 2 I s 14 ls a ls V s 2 ls ls a I s 2 Cristina Serban (VERIMAG) An Entailment Checker for SL with Inductive Definitions July 18, /44

66 Outline 1 Motivation and contributions 2 Inductive systems of predicates The entailment problem 3 Proof systems for inductive entailments Downwards inclusion check for tree automata Inference rules Restrictin the set of constraints for soundness and completeness 4 Implementation and experimental evaluation 5 Conclusions Cristina Serban (VERIMAG) An Entailment Checker for SL with Inductive Definitions July 18, /44

67 Conclusions Cyclic proof system for entailments between inductive predicates in SL Infinite Descent principle, inductive invariants produced durin proof search Semantic boundaries within which soundness and completeness are ensured Inductor uses a search stratey to explore possible derivations and outputs a proof if an entailment is shown to be valid, or counterexamples if it is not Cristina Serban (VERIMAG) An Entailment Checker for SL with Inductive Definitions July 18, /44

Learning Goals of CS245 Logic and Computation

Learning Goals of CS245 Logic and Computation Alice Gao April 27, 2018 Contents 1 Propositional Logic 2 2 Predicate Logic 4 3 Program Verification 6 4 Undecidability 7 1 1 Propositional Logic Introduction