Program Verification using Separation Logic Lecture 0 : Course Introduction and Assertion Language. Hongseok Yang (Queen Mary, Univ.

Size: px

Start display at page:

Download "Program Verification using Separation Logic Lecture 0 : Course Introduction and Assertion Language. Hongseok Yang (Queen Mary, Univ."

Megan Bruce
5 years ago
Views:

1 Program Verification using Separation Logic Lecture 0 : Course Introduction and Assertion Language Hongseok Yang (Queen Mary, Univ. of London)

2 Dream Automatically verify the memory safety of systems software, such as OS kernels and web servers. The course is about the use of separation logic for realizing this dream.

3 Windows Firewire Driver Q: Is this correct?

4 Windows Firewire Driver Q: Is this correct?

5 Windows Firewire Driver Q: Is this correct?

6 Windows Firewire Driver Q: Is this correct?

7 Windows Firewire Driver Q: Is this correct?

8 Windows Firewire Driver Q: Is this correct?

9 Demo

10 Windows Firewire Driver Q: Is this correct?

11 Windows Firewire Driver Q: Is this correct?

12 BusResetIrp=(...)deviceExtension->Flink2; Windows Firewire Driver Q: Is this correct?

13 if (BusResetIrp->Irp == Irp) { Windows Firewire Driver Q: Is this correct?

14 if (BusResetIrp->Irp == Irp) { Windows Firewire Driver Q: Is this correct? Pb: Dereferences a nonexisting field Irp.

15 Separation Logic A variant of Hoare logic that lets you verify pointermanipulating programs effectively. Philosophy: formalize and exploit good disciplines used by top-ranked systems programmers.

16 Very Rough History 1995, Discoveries in categorical semantics. 1999, Logic of Bunched Implications. 2001, Separation logic. 2003~, Application to data abstraction. 2004~, Application to concurrency. 2005~, Application to program analysis.

17 Outcome of this Course Understand the basic principles of separation logic. Should be able to build a simple automatic verifier based on separation logic.

18 Schedule Lecture 0: Assertion language. Lecture 3: Frame rule. Lecture 4: Concurrency. Lecture 1: Proof rules in sep. logic. Lecture 2: Simple automatic verifier.

19 Starting Point Should be able to express properties at each program point effectively. x = create_list(); y = create_list(); z = create_sorted_list(); x = append_list(x,y); free_list(x); traverse_list(z);

20 Starting Point Should be able to express properties at each program point effectively. 1. lists x,y,z. 2. lists x,y: disjoint. 3. lists y,z: disjoint. 4. lists x,z: disjoint. 5. list z sorted. x = create_list(); y = create_list(); z = create_sorted_list(); x = append_list(x,y); free_list(x); traverse_list(z);

21 Starting Point Should be able to express properties at each program point effectively. 1. lists x,y,z. 2. lists x,y: disjoint. 3. lists y,z: disjoint. 4. lists x,z: disjoint. 5. list z sorted. x = create_list(); y = create_list(); z = create_sorted_list(); x = append_list(x,y); free_list(x); traverse_list(z); 1. lists x,y,z. 2. list x contains y. 3. lists x,z: disjoint. 4. list z sorted.

22 Should be able to express properties at each program point effectively. 1. lists x,y,z. 2. lists x,y: disjoint. 3. lists y,z: disjoint. 4. lists x,z: disjoint. 5. list z sorted. Starting Point x = create_list(); y = create_list(); z = create_sorted_list(); x = append_list(x,y); free_list(x); traverse_list(z); Express implicit/explicit, statedependent separation effectively. 1. lists x,y,z. 2. list x contains y. 3. lists x,z: disjoint. 4. list z sorted.

23 Toolkit of Separation-Logic Maniac 1. A class of (separation) properties to express. 2. Pick a storage model with separation built-in. Means to find a partial commutative monoid. 3. Apply a general method for constructing an assertion language with separating connectives.

24 Toolkit of Separation-Logic Maniac 1. A class of (separation) properties to express. 2. Pick a storage model with separation built-in. Means to find a partial commutative monoid. 3. Apply a general method for constructing an assertion language with separating connectives.

25 Storage Model with Separation ( ) Principle: Find a local description of state (or resource). Define a splitting ( operator. ) ( Technical, find a partial commutative monoid. E.g. Global heap model: [1:0, 2:0, 3:0,...], [1:3, 2:0, 3:4, 4:0, 5:0,...] Local heap model: Heaps = def Locs Vals Heaps = def Locs fin Vals [], [2:0, 5:0], [1:3, 3:4, 4:0], [1:3, 3:4, 4:0, 8:0, 9:8]

26 Partial Commutative Monoid A set M together with Should satisfy: identity: e * m = m * e = m commutativity: m * m = m * m associativity: m * (m * m ) = (m * m ) * m a unit e in M and a partial binary operator * on M. m = m * m implies that m and m are separate.

27 PCM Structure of Heaps { } Heaps = def Locs fin Vals = Separateness predicates h#h : h 1 #h 2 def dom(h 1 ) dom(h 2 ) = { if # { def h1 h = 2 if h 1 #h 2 undefined otherwise Partial heap combining operator h*h : h 1 h 2 The empty heap [] is the unit for *.

28 1) [] * [11:98] = [11:98] 2) [6:11, 98:0] * [11:98] = [6:11, 11:98, 98:0] 3) [6:11, 11:0] * [11:98] = undefined 4) [11:98] * [11:98] { = undefined } PCM Structure of Heaps Heaps = def Locs fin Vals = Separateness predicates h#h : h 1 #h 2 def dom(h 1 ) dom(h 2 ) = { if # { def h1 h = 2 if h 1 #h 2 undefined otherwise Partial heap combining operator h*h : h 1 h 2 The empty heap [] is the unit for *.

29 Storage Model in Detail Vars = def {x, y, z,...} Locs = def {1, 2, 3, 4,...} Vals Locs Heaps = def Locs fin Vals Stacks = def Vars Vals States = def Stacks Heaps

30 Storage Model in Detail Vars = def {x, y, z,...} Locs = def {1, 2, 3, 4,...} Vals Locs Heaps = def Locs fin Vals Stacks = def Vars Vals States = def Stacks Heaps 1) Each state consists of stack s and heap h. 2) Complete stacks, but partial finite heaps. 3) Allows pointer arithmetic, but no &x in C.

31 Storage Model in Detail Vars = def {x, y, z,...} Locs = def {1, 2, 3, 4,...} Vals Locs Heaps = def Locs fin Vals Stacks = def Vars Vals States = def Stacks Heaps 1) Each state consists of stack s and heap h. 2) Complete stacks, but partial finite local heaps. 3) Allows pointer arithmetic, but no &x in C.

32 Storage Model in Detail Vars = def {x, y, z,...} Locs = def {1, 2, 3, 4,...} Vals Locs Heaps = def Locs fin Vals Stacks = def Vars Vals States = def Stacks Heaps 1) Each state consists of stack s and heap h. 2) Complete stacks, but partial finite local heaps. 3) Allows pointer arithmetic, but not &x in C.

33 E.g. 1) ([x:0,y:0,...], []) 2) ([x:6,y:98,...], [6:11, 11:98, 98:0]) 3) ([x:6,y:98,...], [6:11, 11:12, 12:0, 98:99, 99:100]) Storage Model in Detail Vars = def {x, y, z,...} Locs = def {1, 2, 3, 4,...} Vals Locs Heaps = def Locs fin Vals Stacks = def Vars Vals States = def Stacks Heaps 1) Each state consists of stack s and heap h. 2) Complete stacks, but partial finite local heaps. 3) Allows pointer arithmetic, but not &x in C.

34 Storage Model in Detail Vars = def {x, y, z,...} Locs = def {1, 2, 3, 4,...} Vals Locs Heaps = def Locs fin Vals Stacks = def Vars Vals States = def Stacks Heaps

35 Storage Model in Detail General Vars = def {x, y, z,...} Locs = def {1, 2, 3, 4,...} Vals Locs Heaps = def Locs fin Vals Stacks = def Vars Vals States = def Stacks Heaps

36 Storage Model in Detail General Vars = def {x, y, z,...} Locs = def {1, 2, 3, 4,...} Vals Locs Heaps = def Locs fin Vals Stacks = def Vars Vals States = def Stacks Heaps

37 Storage Model in Detail ( ) General Vars = def {x, y, z,...} Locs = def {1, 2, 3, 4,...} Vals Locs Heaps = def Locs fin Vals Stacks = def Vars Vals States = def Stacks Heaps States = def Stacks M

38 Toolkit of Separation-Logic Maniac 1. A class of (separation) properties to express. 2. Pick a storage model with separation built-in. Means to find a partial commutative monoid. 3. Apply a general method for constructing an assertion language with separating connectives.

39 General Method Constructs an assertion language and its semantics. Each assertion P specifies a set of states: Recipe: Meaning of P States 1. Re-use all the connectives from classical logic. 2. Add separating connectives: emp, P * Q, P -* Q 3. Define semantics using the PCM structure.

40 General Method Constructs an assertion language and its semantics. Each assertion P specifies a set of states: Recipe: Meaning of P States 1. Re-use all the connectives from classical logic. 2. Add separating connectives: emp, P * Q, P -* Q 3. Define semantics using the PCM structure. States = def Stacks M

41 General Method Constructs an assertion language and its semantics. Each assertion P specifies a set of states: Recipe: Meaning of P States 1. Re-use all the connectives from classical logic. 2. Add separating connectives: emp, P * Q, P -* Q 3. Define semantics using the PCM structure. Ignore separating implication. HW: Include the separating implication. States = def Stacks M

42 Assertion for Our Storage Model Stacks = Vars Vals States = def Stacks Heaps Specifies a set of states: Syntax of expressions E and assertions P { Meaning of P States E, F ::= x n E+F E... Heap-independent Exprs P, Q ::= E = F E F E F Atomic Predicates emp P Q Separating Connectives true P Q P x. P Classical Logic

43 Assertion for Our Storage Model Stacks = Vars Vals States = def Stacks Heaps Specifies a set of states: Meaning of P States Syntax of expressions E and assertions P { E, F ::= x n E+F E... Heap-independent Exprs P, Q ::= E = F E F E F Atomic Predicates emp P Q Separating Connectives true P Q P x. P Classical Logic E F

44 E.g. Assertion 1 0, x y for Our Storage Model ([x:1,y:0,...], [1:0]), ([x:1,y:2,...], Stacks = Vars Vals [1:0]), ([x:1,y:2,...], Specifies a set [1:2]), of states: States = def Stacks Heaps { Meaning of P States ([x:1,y:0,...], [1:0, 2:0]) Syntax of expressions E and assertions P E, F ::= x n E+F E... Heap-independent Exprs P, Q ::= E = F E F E F Atomic Predicates emp P Q Separating Connectives true P Q P x. P Classical Logic E F

45 Assertion for Our Storage Model Stacks = Vars Vals States = def Stacks Heaps Specifies a set of states: Syntax of expressions E and assertions P { Meaning of P States E, F ::= x n E+F E... Heap-independent Exprs P, Q ::= E = F E F E F Atomic Predicates emp P Q Separating Connectives true P Q P x. P Classical Logic

46 Assertion for Our Storage Model Stacks = Vars Vals States = def Stacks Heaps Specifies a set of states: Syntax of expressions E and assertions P { Meaning of P States E, F ::= x n E+F E... Heap-independent Exprs P, Q ::= E = F E F E F Atomic Predicates emp P Q Separating Connectives true P Q P x. P Classical Logic E.g. emp ([x:1,y:0,...], []), ([x:1,y:1,...], [1:0])

47 Assertion for Our Storage Model Stacks = Vars Vals States = def Stacks Heaps Specifies a set of states: Syntax of expressions E and assertions P { Meaning of P States E, F ::= x n E+F E... Heap-independent Exprs P, Q ::= E = F E F E F Atomic Predicates emp P Q Separating Connectives true P Q P x. P Classical Logic

48 Assertion for Our Storage Model Stacks = Vars Vals States = def Stacks Heaps Specifies a set of states: Syntax of expressions E and assertions P { Meaning of P States E, F ::= x n E+F E... Heap-independent Exprs P, Q ::= E = F E F E F Atomic Predicates emp P Q Separating Connectives true P Q P x. P Classical Logic P Q

49 E.g , x y y x, x 0 x 0 ([x:1,y:2,...], Assertion [1:0, for 2:0]), Our Storage Model ([x:1,y:2,...], [1:2, 2:1]), Stacks = Vars Vals ([x:2,y:1,...], Specifies a [1:2, set of 2:1]) states: States = def Stacks Heaps Meaning of P States Syntax of expressions E and assertions P { E, F ::= x n E+F E... Heap-independent Exprs P, Q ::= E = F E F E F Atomic Predicates emp P Q Separating Connectives true P Q P x. P Classical Logic P Q

E.g. 1 0 2 0, x y y x, x 0 x 0 ([x:1,y:2,...], Assertion [1:0, for 2:0]), Our Storage Model ([x:1,y:2,...], [1:2, 2:1]), Stacks = Vars Vals ([x:2,y:1,.

50 E.g , x y y x, x 0 x 0 ([x:1,y:2,...], Assertion [1:0, for 2:0]), Our Storage Model ([x:1,y:2,...], [1:2, 2:1]), Stacks = Vars Vals ([x:2,y:1,...], Specifies a [1:2, set of 2:1]) states: States = def Stacks Heaps Meaning of P States Syntax of expressions E and assertions P { E, F ::= x n E+F E... Heap-independent Exprs P, Q ::= E = F E F E F Atomic Predicates emp P Q Separating Connectives true P Q P x. P Classical Logic P Q Can express the separation of arbitrary formulas in a state-dependent manner.

51 Assertion for Our Storage Model Stacks = Vars Vals States = def Stacks Heaps Specifies a set of states: Syntax of expressions E and assertions P 1) Usual connectives from classical logic. 2) All other connectives are definable. 3) E.g. (x 0) x.(x x ) (x 0). { Meaning of P States E, F ::= x n E+F E... Heap-independent Exprs P, Q ::= E = F E F E F Atomic Predicates emp P Q Separating Connectives true P Q P x. P Classical Logic

52 Semantics of Assertions Expressions mean maps from stacks to values. Semantics of assertions ( ) given = by satisfaction relation between states and assertions. s in Stacks, h in Heaps. [E ] : Stacks Vals (s, h) = P

53 Semantics of Assertions (s, h) = E F iff [[E]]s, [[F ]]s Integers and [[E]]s [[F ]]s (s, h) = E F iff dom(h) ={[[E]]s} and h([[e]]s) = [[F ]]s (s, h) = emp iff h = [] (i.e., dom(h) = ) (s, h) = P Q iff h 0 h 1. h 0 h 1 = h, (s, h 0 ) = P and (s, h 1 ) = Q (s, h) = true always (s, h) = P Q iff (s, h) = P and (s, h) = Q (s, h) = P iff not ((s, h) = P ) (s, h) = x. P iff v Vals. (s[x v],h) = P )

54 Semantics of Assertions (s, h) = E F iff [[E]]s, [[F ]]s Integers and [[E]]s [[F ]]s (s, h) = E F iff dom(h) ={[[E]]s} and h([[e]]s) = [[F ]]s (s, h) = emp iff h = [] (i.e., dom(h) = ) (s, h) = P Q iff h 0 h 1. h 0 h 1 = h, (s, h 0 ) = P and (s, h 1 ) = Q (s, h) = true always (s, h) = P Q iff (s, h) = P and (s, h) = Q (s, h) = P iff not ((s, h) = P ) (s, h) = x. P iff v Vals. (s[x v],h) = P ) ([x:1,y:2,...], [1:2]) = x y, but ([x:1,y:2,...], [1:2, 2:1]) = x y ([x:1,y:2,...], []) = emp ([x:1,y:2,...], [1:2, 2:1]) = x y y x

55 Assertions for Any Storage Models Semantics of Assertions (s, h) = E F iff [[E]]s, [[F ]]s Integers and [[E]]s [[F ]]s (s, h) = E F iff dom(h) ={[[E]]s} and h([[e]]s) = [[F ]]s (s, h) = emp iff h = [] (i.e., dom(h) = ) (s, h) = P Q iff h 0 h 1. h 0 h 1 = h, (s, h 0 ) = P and (s, h 1 ) = Q (s, h) = true always (s, h) = P Q iff (s, h) = P and (s, h) = Q (s, h) = P iff not ((s, h) = P ) (s, h) = x. P iff v Vals. (s[x v],h) = P )

56 Assertions for Any Storage Models Semantics of Assertions (s, h) = E F iff [[E]]s, [[F ]]s Integers and [[E]]s [[F ]]s (s, h) = E F iff dom(h) ={[[E]]s} and h([[e]]s) = [[F ]]s (s, h) = emp iff h = [] (i.e., dom(h) = ) (s, h) = P Q iff h 0 h 1. h 0 h 1 = h, (s, h 0 ) = P and (s, h 1 ) = Q (s, h) = true always (s, h) = P Q iff (s, h) = P and (s, h) = Q (s, h) = P iff not ((s, h) = P ) (s, h) = x. P iff v Vals. (s[x v],h) = P ) Replace basic predicates appropriately. Interpret emp and * by the PCM structure of the model. Keep the rest.

57 Assertions for Any Storage Models Semantics of Assertions (s, h) = E F iff [[E]]s, [[F ]]s Integers and [[E]]s [[F ]]s (s, h) = E F iff dom(h) ={[[E]]s} and h([[e]]s) = [[F ]]s (s, h) = emp iff h = [] (i.e., dom(h) = ) (s, h) = P Q iff h 0 h 1. h 0 h 1 = h, (s, h 0 ) = P and (s, h 1 ) = Q (s, h) = true always (s, h) = P Q iff (s, h) = P and (s, h) = Q (s, h) = P iff not ((s, h) = P ) (s, h) = x. P iff v Vals. (s[x v],h) = P ) h = e Replace basic predicates appropriately. Interpret emp and * by the PCM structure of the model. Keep the rest.

58 Assertions for Any Storage Models Semantics of Assertions (s, h) = E F iff [[E]]s, [[F ]]s Integers and [[E]]s [[F ]]s (s, h) = E F iff dom(h) ={[[E]]s} and h([[e]]s) = [[F ]]s (s, h) = emp iff h = [] (i.e., dom(h) = ) (s, h) = P Q iff h 0 h 1. h 0 h 1 = h, (s, h 0 ) = P and (s, h 1 ) = Q (s, h) = true always (s, h) = P Q iff (s, h) = P and (s, h) = Q (s, h) = P iff not ((s, h) = P ) (s, h) = x. P iff v Vals. (s[x v],h) = P ) h = e Replace basic predicates appropriately. Interpret emp and * by the PCM structure of the model. Keep the rest.

59 Assertions for Any Storage Models Semantics of Assertions This recipe is standard, and used frequently. E.g. Bornat&Parkinson s permission. (s, h) = E F iff [[E]]s, [[F ]]s Integers and [[E]]s [[F ]]s (s, h) = E F Vafeiadis&Parkinson s iff dom(h) ={[[E]]s} and RGSep. h([[e]]s) = [[F ]]s (s, h) = emp iff h = [] (i.e., dom(h) = ) (s, h) = P Q iff h 0 h 1. h 0 h 1 = h, (s, h 0 ) = P and (s, h 1 ) = Q (s, h) = true always (s, h) = P Q iff (s, h) = P and (s, h) = Q (s, h) = P iff not ((s, h) = P ) (s, h) = x. P iff v Vals. (s[x v],h) = P ) h = e Replace basic predicates appropriately. Interpret emp and * by the PCM structure of the model. Keep the rest.

60 Benefits Reminder: Goal: Effective way to express separation. Recipe: First, PCM. Next, separating connectives. Gives a very flexible way of expressing separation. Well-known proof rules for implication. Can re-use another, more important part of sep. logic, which is about program verification.

61 P emp P P Q Q P P (Q R) P (Q R) Benefits P ( i Q i) i (P Q i) P ( x.q(x)) x.p Q(x) P P Q Q P Q P Q Reminder: Goal: Effective way to express separation. Recipe: First, PCM. Next, separating connectives. Gives a very flexible way of expressing separation. Well-known proof rules for implication. Can re-use another, more important part of sep. logic, which is about program verification.

62 List Segment Predicate Least fixpoint of the following equivalence: ls α (E, F ) (α = [] E = F emp) ( x α. α = E::α (E x ) ls α (x, F )) E, a0 a1 a2 a3 F The induction occurs positively, so it exists. Also, consider a variant that hides alpha: ls (E, F ) (E = F emp) ( x.e x ls α (x,f))

63 Back to Original Example Express properties at each program point. 1. lists x,y,z. 2. lists x,y: disjoint. 3. lists y,z: disjoint. 4. lists x,z: disjoint. 5. list z sorted. x = create_list(); y = create_list(); z = create_sorted_list(); x = append_list(x,y); free_list(x); traverse_list(z); 1. lists x,y,z. 2. list x contains y. 3. lists x,z: disjoint. 4. list z sorted.

64 Back to Original Example Express properties at each program point. ls(x, 0) ls(y, 0) ( α. sorted(α) ls α (z,0)) ( ) ( 0) ( ( ) ( 0)) x = create_list(); 1. lists x,y,z. 2. lists x,y: disjoint. 3. lists y,z: disjoint. 4. lists x,z: disjoint. 5. list z sorted. y = create_list(); z = create_sorted_list(); x = append_list(x,y); free_list(x); traverse_list(z); 1. lists x,y,z. 2. list x contains y. 3. lists x,z: disjoint. 4. list z sorted.

65 Back to Original Example Express properties at each program point. ls(x, 0) ls(y, 0) ( α. sorted(α) ls α (z,0)) ( ) ( 0) ( ( ) ( 0)) x = create_list(); 1. lists x,y,z. 2. lists x,y: disjoint. 3. lists y,z: disjoint. 4. lists x,z: disjoint. 5. list z sorted. y = create_list(); z = create_sorted_list(); x = append_list(x,y); free_list(x); traverse_list(z); 1. lists x,y,z. 2. list x contains y. 3. lists x,z: disjoint. 4. list z sorted. ls(x, y) ls(y, 0) ( α. sorted(α) ls α (z,0))

66 Separating Implication P -* Q is the weakest assertion A s.t. P * A Q Equivalently, P -* Q is the unique assertion s.t. P * A Q if and only if A P -* Q. Q1: Define the satisfaction relation for P -* Q. Q2: Define the satisfaction relation for (P -* Q). Q3: Give intuitive meanings of both connectives.

67 Reference Reynolds s LICS 2001 paper. Biering et al s ESOP 2005 paper.

Program Verification Using Separation Logic

Program Verification Using Separation Logic Cristiano Calcagno Adapted from material by Dino Distefano Lecture 1 Goal of the course Study Separation Logic having automatic verification in mind Learn how