Automated Verification withHIP and SLEEK

Asankhaya Sharma

Goal

• Design and build software that is correct by construction

• Needed: Automatic tools for establishing software correctness

• Such tools can– Search for standard problems like memory access

violations or array index out of bounds– Check if a program does what it is supposed to do

with respect to a specification

Why a Need for Automatic Tools?

Let the tool fill in the details

A Tale of Two Tools

• HIP– Automatically applies a given set of Hoare rules

• SLEEK– Discharges the proof obligations resulting from the

rule of consequence and the frame rule• Under development since 2006

– 180k lines of OCaml– Currently 6 PhD students; 3 graduated

Overview

code verifier(HIP)

separationlogic prover(SLEEK)

Pre/Post Predicates LemmasCode

range of pure provers …Omega, MONA, Isabelle, Coq, SMT, Redlog, MiniSAT, Mathematica

An Example – List Length

struct node{ int val; struct node* next;};

int length(struct node* p){ if(p == NULL) return 0; else return 1 + length(p->next);}

List Predicate

Example of Acyclic List : list(x)

xnull

list(self) self=null r . self node(_,r) list(r)

pointer to memory spatial conjunction

Syntactic Abbreviation (ASCII)

list(self) self=null r . self node(_, r) list(r)

list == self=null or self::node_, r r::list

implicit existential instantiation

Verify with Shape Propertystruct node{ int val; struct node* next;};/*@list<> == self=null or self::node<_,q>*q::list<>;*/

int length(struct node* p)/*@requires p::list<>ensures p::list<>;*/{ if(p == NULL) return 0; else return 1 + length(p->next);}

Predicate Definition

Method Pre and Post condition

Memory Safety

With Size

listn == self=null & n=0 or self::node_, r r::listn-1

inv n >= 0

parameter on length of linked list

predicate invariant

x::ll5

xnull

Verify with Shape and Size

int length(struct node* p)/*@requires p::list<n>ensures p::list<n> & res=n;*/{ if(p == NULL) return 0; else return 1 + length(p->next);}

Memory Safety

Length of the List

With Size and Bag

listn,B == self=null & n=0 & B={} or self::nodev, r r::listn-1,B1

& B = B1 U {v}inv n >= 0 & n=|B|

Verify with Shape, Size and Bag

int length(struct node* p)/*@requires p::list<n,B>ensures p::list<n,B> & res=n;*/{ if(p == NULL) return 0; else return 1 + length(p->next);}

Memory Safety

Length of the List

Bag of Values

Automated Verificationint length(struct node* p)/*@requires p::list<n>ensures p::list<n> & res=n;*/{ if(p == NULL) return 0;// p=null & n = 0 & res = 0 |- p::list<n> & res = n// p::ll<n> & p!=null |- p::node<val,nxt>// p::node<_,q> * q::ll<n-1> & p!=null & q = r |- r::ll<m> else return 1 + length(p->next);// p::node<_,q> * q::ll<n-1> & x!=null & res = 1 + n – 1 |- p::ll<n> & res = n}

Pre condition Checking

Post condition Checking

Memory dereference Checking

SLEEK

• Automatic Checking of Entailment• Custom decision procedure for the spatial fragment

(Separation Logic)– Handles user-defined data structures and inductive

predicates• Uses off-the-shelf provers to discharge:

– Linear Arithmetic (using Omega)• Also available as a tactic in Coq

– Bag Expressions (using MONA)• Sound but incomplete

Numerical Examples for SLEEK

Checking implications with integer constraints:

checkentail x > 5 |- x > 0.checkentail x > 5 |- x < 0.checkentail x > 5 |- x > 6.checkentail x > 1 & y > 1 & r = x + y |- r > 3.

SLEEK uses Omega for these examples

Valid.InValid.InValid.

Valid.

List Examples for SLEEK

checkentail x::node<1,null> |- x::list<n,B>. checkentail x::node<17,null> |-

x::list<n,B> & B = {17}. checkentail x::node<2,y> * y::list<m,{2} |-

x::list<n,B>.checkentail x::list<1,{2}> |- x::node<2,null>. checkentail x::list<2,{2,3}> |- x::node<2,null>.

Valid.

Valid.

Valid.

InValid.

Valid.

HIP

• Automatic checking of pre/post for methods– Handle conditional, loops, methods– With arrays, data structures, dynamic memory

allocation– Supports Multiple pre/post specifications,

structured specifications, termination specifications

• Sound but incomplete• Automated with the help of SLEEK

Append Example with HIP

• What should be the specification for the following method ?

void append(node* x, node* y)requires ?ensures ?{ if(x->next==NULL) x->next=y; else append(x->next,y);}

Append Example with HIP

• Is the following specification which aims to guarantee memory safety correct?

void append(node* x, node* y)requires x::list<> * y::list<>ensures x::list<>{ if(x->next==NULL) x->next=y; else append(x->next,y);}

No, null pointer dereference possible

Append Example with HIP

• Correct specification for safetyvoid append(node* x, node* y)requires x::list<> * y::list<> & x!=nullensures x::list<>{ if(x->next==NULL) x->next=y; else append(x->next,y);}

Append Example with HIP

• With size and bag propertiesvoid append(node* x, node* y)requires x::list<n1,B1> * y::list<n2,B2> & x!=nullensures{ if(x->next==NULL) x->next=y; else append(x->next,y);}

x::list<n1 + n2, B1 U B2>

Multiple Specifications

• Same method may be called in different calling contexts

• Verify using different specifications for each scenario

• Which sorting algorithm may require an append function for two sorted lists ?– Quick Sort (and Merge Sort)

With Bag and Sortedness

lsortn,B == self=null & n=0 & B={} or self::nodev, r r::lsortn-

1,B1 & B = B1 U {v} & x B1. v<=xinv n >= 0 & n=|B|

Verify with Multiple Specifications

void append(node* x, node* y)requires x::list<n1,B1> * y::list<n2,B2> & x!=nullensures x::list<n1 + n2, B1 U B2>requires x::lsort<n1,B1> * y::lsort<n2,B2>

& x!=null & a B1. b B2. a<=b∀ ∈ ∀ ∈ensures x::lsort<n1 + n2, B1 U B2>{ if(x->next==NULL) x->next=y; else append(x->next,y);}

List Segment with Size

lsegp,n == self=p & n=0 or self::node_,r r::lsegp,n-1

inv n >= 0

x

y

x::lsegy,3

y::lsegx,2

Circular List with Size

x

r::lsegx,2

r

x::clist3

clistn == self::node_,r r::lsegself,n-1inv n >= 1

Use of Multiple Pre/Post

void append(node* x, node* y)requires x::list<n> & x != null & x = yensuresrequires x::list<n> & x != null ensures{ if(x->next==NULL) x->next=y; else append(x->next,y);}

x::clist<n>

x::lseg<y,n>

Binary Search Tree

How do we express a binary search tree ?

tree<> == self=null or self::node<v,l,r> * l::tree<> * r::tree<>

Shape Property for Tree

Binary Search Tree

bst<B> == self=null & B = {} or self::node<v,l,r> * l::bst<B1> * r::bst<B2> & B = {v} U B1 U B2 & w B1. v>=w & w B2. v<=w∀ ∈ ∀ ∈

5

3 7

1 4

Sortedness property

AVL Tree

How do we specify height balanced trees ?

avl<h,B> == self=null & B = {} & h = 0or self::node<v,l,r> * l::avl<h1,B1> * r::avl<h2,B2> & B={v}UB1UB2 & w B1.v>=w & ∀ ∈

w B2.v<=w∀ ∈ & h = 1 + max(h1,h2) & h2<=h1+1 & h1<=h2+1

Conclusions

• HIP and SLEEK Verification System– Automated

• Given pre/post and loop invariants– Modular and scalable

• Each method verified independently– Expressive

• From shape, size, bag properties towards functional correctness

• Total correctness with Termination and Non-Termination proving

Perspectives

• Hardware community has accepted verification in their design phase

• Verified software is the future for guarantying high assurance and reliability

• Many challenges remain on scalability, automation, expressivity, concurrency, inference and higher order programs

Questions?

• We will try out some examples in Lab tomorrow using TeachHIP

• TeachHIP is a Web Interface to– Try out HIP and SLEEK without installing any

software– Available at

http://loris-7.ddns.comp.nus.edu.sg/~project/TeachHIP/

• Contact– asankhaya@nus.edu.sg

Further Reading

• Chin, Wei-Ngan, Cristina David, Huu Hai Nguyen, and Shengchao Qin. "Automated verification of shape, size and bag properties via user-defined predicates in separation logic." Science of Computer Programming 77, no. 9 (2012): 1006-1036.