(One-Path) Reachability Logic
Grigore Rosu, Andrei Stefanescu, Brandon Moore
University of Illinois at Urbana-Champaign, USA
Stefan Ciobaca
University Alexandru Ioan Cuza, Romania
Long-Standing Dream
(Diagram: a single Formal Language Definition (Syntax and Semantics) with the tools that should come out of it: Parser, Interpreter, Compiler, (semantic) Debugger, Symbolic execution, Model checker, Deductive program verifier)
Language Frameworks
• PLT-Redex/Racket (Findler et al.)
• OTT (Sewell et al.)
• PLanComps (Mosses et al.)
• Rascal (Klint et al.)
• RLS-Maude (Meseguer et al.)
• K (Rosu et al.)
• …
• All based on operational semantics
• Defined semantics serve as reference models of languages, but are close to useless for verification
• Takes 1-2 years to define a language
C Semantics (in K)
(Figure: the C configuration)
… plus ~1200 user-defined rules
… plus ~1500 automatically generated rules
Operational Semantics
• Virtually all operational semantics can be defined with rewrite rules of the form
• We would like to reason about programs using precisely such operational semantics!
State-of-the-Art
• Redefine the language using a different semantic approach (Hoare/separation/dynamic logic)
• Very language specific, error-prone; e.g.:
Many different program logics for “state” properties: FOL, HOL, Separation logic…
State-of-the-Art
• Thus, these semantics need to be proved sound, sometimes also relatively complete, w.r.t. trusted, operational semantics of the language
• Verification tools developed using them
• So we have an inherent gap between trusted, operational semantics, and the semantics currently used for program verification
Our Proposal
• Use directly the trusted operational semantics!
– Has been done before (ACL2), but proofs are low-level (induction on the structure of program or on steps in transition system) and language-specific
• We give a language-independent proof system
– Takes unchanged operational semantics as axioms
– Derives reachability rules
– Both operational semantics rules and program properties stated as reachability rules
– Is sound (partially correct) and relatively complete
(Long-Standing Dream diagram repeated: Formal Language Definition (Syntax and Semantics) with Parser, Interpreter, Compiler, (semantic) Debugger, Symbolic execution, Model checker, Deductive program verifier)
Need a means to specify static and dynamic program properties
Matching Logic
• Logic for specifying static properties about program configurations and reasoning about them
• Key insight:
– Configuration terms with variables are allowed to be used as predicates, called patterns
– Semantically, their satisfaction means matching
• Matching logic is parametric in a (first-order) configuration model: typically the underlying model of the operational semantics
[Rosu, Ellison, Schulte 2010]
Configurations
• For concreteness, assume configurations having the following syntax:
(matching logic works with any configurations)
• Examples of concrete (ground) configurations:
Patterns
• Concrete configurations are already patterns, but very simple ones, ground patterns
• Example of more complex pattern
• Thus, patterns generalize both terms and [FOL]
Matching Logic Reasoning
• We can now prove (using [FOL] reasoning) properties about configurations, such as
Matching Logic vs. Separation Logic
• Matching logic achieves separation through matching at the structural (term) level, not through special logical connectives (*).
• Separation logic = Matching logic [heap]
SL:
ML:
• Matching logic realizes separation at all levels of the configuration, not only in the heap
– the heap was only 1 out of the 75 cells in C’s def.
[OOPSLA’12]
(Long-Standing Dream diagram repeated: Formal Language Definition (Syntax and Semantics) with Parser, Interpreter, Compiler, (semantic) Debugger, Symbolic execution, Model checker, Deductive program verifier)
Need a means to specify static and dynamic program properties
Reachability Rules - Syntax
• “Rewrite” rules over matching logic patterns:
• Since patterns generalize terms, matching logic reachability rules capture term rewriting rules
• Moreover, they deal naturally with side conditions:
turn into
Conditional Reachability Rules
• The involved patterns can share free variables
• Generalize conditional rewrite rules
Reachability Rules - Semantics
• In the transition system generated by the operational semantics on the configuration model, any terminating configuration that matches reaches a configuration that matches (patterns can share free variables)
• That is, partial correctness
Expressivity of Reachability Rules
• Capture operational semantics rules:
• Capture Hoare Triples:
Hoare Triple = Syntactic Sugar
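To make slides 16 to 20 concrete, here is an added example (my own code, not from the slides or from the K framework): a tiny matching-logic model in Python in which patterns are configuration terms with variables plus a constraint, satisfaction is matching, the operational semantics of a small imperative language is written as reachability rules l ∧ b ⇒ r (side conditions turned into constraints), and a Hoare triple for a summation loop is written as a reachability rule and checked against the slide-18 semantics on sample stores. The language, the cell names k and env, the SUM program and the sample stores are my assumptions; sampling concrete runs only checks what the rule means, it is not the deductive proof system of the later slides.

```python
class Var:                                        # free variable inside a pattern term
    def __init__(self, name): self.name = name
def match(pat, ground, b):
    """Structural matching of a pattern term against a ground term; b collects the binding."""
    if isinstance(pat, Var):
        return b.setdefault(pat.name, ground) == ground        # shared variables must agree
    if isinstance(pat, dict) and isinstance(ground, dict):
        return pat.keys() == ground.keys() and all(match(pat[c], ground[c], b) for c in pat)
    if isinstance(pat, tuple) and isinstance(ground, tuple):
        return len(pat) == len(ground) and all(match(p, g, b) for p, g in zip(pat, ground))
    return pat == ground
# Configurations: {'k': code, 'env': store}; code is a cons list (stmt, rest), () when done.
# Semantics as reachability rules l ∧ b ⇒ r = (l term, constraint b, r built from the binding);
# the two while rules show how the side condition of "l ⇒ r if b" became the constraint b.
X, E, K, S, C, B, S1, S2 = (Var(n) for n in "X E K S C B S1 S2".split())
SEM = [
    ({'k': (('asg', X, E), K), 'env': S}, lambda b: True,                    # x := e
     lambda b: {'k': b['K'], 'env': {**b['S'], b['X']: b['E'](b['S'])}}),
    ({'k': (('seq', S1, S2), K), 'env': S}, lambda b: True,                  # s1 ; s2
     lambda b: {'k': (b['S1'], (b['S2'], b['K'])), 'env': b['S']}),
    ({'k': (('while', C, B), K), 'env': S}, lambda b: b['C'](b['S']),        # c(store) holds: unroll
     lambda b: {'k': (b['B'], (('while', b['C'], b['B']), b['K'])), 'env': b['S']}),
    ({'k': (('while', C, B), K), 'env': S}, lambda b: not b['C'](b['S']),    # c(store) fails: exit
     lambda b: {'k': b['K'], 'env': b['S']}),
]
def run(cfg, steps=10000):                        # the transition system generated by SEM
    for _ in range(steps):
        nxt = next((r(b) for l, c, r in SEM for b in [{}] if match(l, cfg, b) and c(b)), None)
        if nxt is None: return cfg                # terminal configuration
        cfg = nxt
    return None                                   # no termination seen: partial correctness is silent
def holds(rule, samples):                         # slide-18 semantics, sampled on ground configurations
    (l, lc), (r, rc) = rule
    for cfg in samples:
        b = {}                                    # binding shared by both patterns (free variables)
        if match(l, cfg, b) and lc(b):
            final = run(cfg)
            if final is not None and not (match(r, final, b) and rc(b)): return False
    return True
# Hoare triple {n = N ∧ N ≥ 0} SUM {s = N(N+1)/2} as a reachability rule (slides 19-20), read as
# <SUM>_k <n ↦ N, s ↦ S0>_env ∧ N ≥ 0  ⇒  <·>_k <n ↦ N2, s ↦ SF>_env ∧ SF = N(N+1)/2
SUM = (('asg', 's', lambda e: 0), (('while', lambda e: e['n'] > 0,
       ('seq', ('asg', 's', lambda e: e['s'] + e['n']), ('asg', 'n', lambda e: e['n'] - 1))), ()))
N, S0, N2, SF = (Var(n) for n in "N S0 N2 SF".split())
SUM_RULE = (({'k': SUM, 'env': {'n': N, 's': S0}}, lambda b: b['N'] >= 0),
            ({'k': (), 'env': {'n': N2, 's': SF}}, lambda b: b['SF'] == b['N'] * (b['N'] + 1) // 2))
def check_sum(max_n=25):                          # stores with n = -3 .. max_n; negative n fails N >= 0
    return holds(SUM_RULE, [{'k': SUM, 'env': {'n': n, 's': 7}} for n in range(-3, max_n)])
```

Stores with negative n do not satisfy the left-hand pattern's constraint, so the rule says nothing about them; a wrong postcondition (for example SF = N) makes `holds` return False on the first terminating counterexample.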
Reachability Logic
Language-independent proof system that derives reachability rules from other reachability rules:
Trusted reachability rules (starts with operational semantics)
Target reachability rule
Claimed reachability rules
Intuitively: symbolic execution with operational semantics + reasoning with cyclic behaviors
7 Proof Rules for Reachability
(Pages 23 and 24: figure-only slides, no text recovered)
Traditional Verification vs. Our Approach
Traditional proof systems: language-specific
Our proof system: language-independent
Results
• Soundness (partial correctness): Under weak well-definedness conditions on (see paper)
• Mechanized in Coq, for verification certificates
• Relative completeness: Under weak assumptions on the configuration model (e.g., it can express Gödel’s beta predicate)
Implementation
• Being implemented within the K framework
• Symbolic execution using the operational semantic rules; custom solver for the matching part + Z3 solver for the model reasoning part (for the Consequence rule)
• Circularity steps given by user (via pre/post/inv annotations), everything else automatic
• Online interface available for fragment of C at http://matching-logic.org
Related Work and Limitations
• Hoare logic: already explained
• Dynamic logic: need to redefine language semantics (invariant rules, etc.), but more expressive:
• CTL*: expressive, but not clear how to integrate with operational semantics; maybe CTL* over ML patterns?
• Currently we only support one-path reachability for conditional rules. We have a similar proof system for all-path reachability, but only with unconditional rules
• Previous one-path attempts: [ICALP’12], [OOPSLA’12]
Conclusion
• Program verification using the language operational semantics is possible and feasible
• Language-independent 7-rule reachability proof system, which is sound and complete
– Circularity generalizes the invariant rules
• Being implemented in the K programming language design framework