NATURAL PROOFS FOR STRUCTURE, DATA, AND SEPARATION

XIAOKANG QIU PRANAV GARG

ANDREI STEFANESCU P. MADHUSUDAN

UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN

PLDI 2013, SEATTLE, WA

MOTIVATION

Automatic Deductive Software Verification

Success stories: Hypervisor (MSR), ExpressOS (Illinois), etc. using tools like Boogie, VCC, etc.

Challenge: dynamically modified heap

• Structure (e.g., “p points to the root of a tree”)• Data (e.g., “the integers stored in a list is sorted”)• Separation (e.g., “the procedure modifies only elements

reachable using the next field”)

int f(int x){ assume x>0; … inv x < y; … assert y>0;}

VC-Generator

yes

no

Annotated ProgramVerification Condition SMT Solver

Don’t know

EXAMPLE: MEMORY ISOLATION

Verify invariants in ExpressOS [@UIUC, ASPLOS’13]

- “Every two assigned memory chunks are disjoint“

- “The start addresses are sorted along the doubly-linked list”

- “The memory allocator modifies only this doubly-linked list”

Key Challenge:

Expressive logics to specify complex data structures

Automated reasoning with these sophisticated logics

UNDECIDABLE

PID: 12

Start Addr

End Addr

Next

PID: 30

Start Addr

End Addr

Next

PID: 19

Start Addr

End Addr

Next

… …

… …Prev Prev Prev

Structure, Data, and Separation are mixed

HEAP VERIFICATION

Automatic

Expressive

Decidable Logics:Strand, LISBQ,

CSL, etc.

Expressive Logics:

Separation logics, HOL, Matching

logic, etc.give up decidabilitysound but incompletepreserve automaticity

keep expressiveness Natural

Proofs

NATURAL PROOFS: IN A NUTSHELL

• Handle a logic that is very expressive

(inevitably undecidable)

• Retain automaticity at the same level as decidable logics

• Identify a class of natural proofs N such that

• N includes natural proof tactics used in human proofs

• Many correct programs can be proved using a proof in class N

• The class N is effectively searchable (checking if there is a proof in N is efficiently decidable)

All Proofs

N

MORE GENERALNATURAL PROOFS

• Natural Proofs for Trees [POPL’12]

• only for trees (can’t say “x points to a tree and y points into the tree”)

• only functional recursion (no while-loops, too weak for loop invariants)

• only classical logic (no frame reasoning)

• In this work: Natural Proofs for Separation Logic

• A wide variety of structures, and their combination (trees, doubly-linked lists, cyclic lists, etc.)

• Iterative and Recursive (pre, post, and loop-inv.)

• Separation Logic (frame reasoning is natively supported)

CONTRIBUTION

• Dryad: a dialect of separation logic that is amenable to natural proofs

- No explicit quantification, but supports recursive definitions- Admits a translation to quantifier-free classic logic with recursion

• Automatic VC-generation for Dryad-annotated programs

• Develop natural proofs using decision procedures (powered by SMT solvers)

Two proof tactics for handling recursive defs [Suter et al., 2010] :

- Unfold across the footprint- Formula abstraction

These two tactics form the class of natural proofs!

(loop invariant for “bst-search”:

root points to a BST and curr points into the BST;

k is stored in the BST iff k is stored under curr)

BINARY SEARCH TREE IN DRYAD

root

currk

Recursive predicateRecursive

functionSeparatingConjunction

Base case: empty heaplet

the root

left subtree:a BST

right subtree:a BST

Base case: empty set

the union of the keys stored in the

root and the left/right sub-

trees

WHY DRYAD?The heaplet semantics is not supported by automatic theorem provers

Solution: translated to

Capture the scope (heaplet required) of a formula using set-variables?

• Empty heap emp : • Singleton heap :

• Separating Conj. t t’ :

• Recursive definition :

Separation Logic: The semantics of is arbitrary fix point of the recursive definition, and the scope is not syntactically determined

?reachl,r(x)

Dryad: the scope is exactly the reachable locations from x using l and r(only difference between Dryad and classic Separation Logic)

TRANSLATING HEAPLETS TO SETS• The heaplet required for a Dryad formula can be syntactically

determined

• the scope can be modeled as a set of locations, and the heaplet semantics can be expressed using free set variables

Example:

translated to

(still quantifier-free)

NATURAL PROOFS FOR DRYAD

We consider programs with modular annotations• A simple heap-manipulating language

(supports memory allocation/deallocation, destructive pointer/data updates, and function calls)• Pre/post-conditions and loop invariants written in Dryad• Footprint: dereferenced locations (x is in footprint if y := x.next )

Verify programs in 4 steps1. Translate Dryad to classic logic with recursion

2. VC-Generation (compute strongest-post)

3. Unfold recursive defs across the footprint (still precise; explained later)

4. Formula Abstraction (recursive definitions uninterpreted, becomes sound but

incomplete)

Natural Proofs:Two proof tactics

inspired by human proofs

1ST PROOF TACTIC:UNFOLDING ACROSS THE FOOTPRINT

The verification condition ψVC involves recursive definitions that can be unfolded ad infinitum.

Where to stop?

• In most cases: unfold only across the footprint (locations get dereferenced in the program).

…y = x.l;z = x.r;z.l = y;…

Footprint: {x, z}, then asserttree(x) = …tree(z) = …

Non-footprint: {y}, then asserttree(y) /\ NoMod(y) ==> tree’(y)

1ST PROOF TACTIC:UNFOLDING ACROSS THE FOOTPRINT

Formally, we capture this proof tactic using a set of conjuncts:

Theorem

• ψVC is valid iff ψ’VC is valid.

Unfold only across the footprintApply the

frame rule for non-footprint

locations

2ND PROOF TACTIC:FORMULA ABSTRACTION

Natural Proofs in two steps:

Formula Abstraction

• replace each recursive definition rec with uninterpreted • when a proof for is found, we call it a natural proof for

(sound but incomplete)

is expressible in the decidable theories

(theory of sets/arrays, maps, uninterpreted functions and integers)

and is solvable using modern SMT solvers.

USER-PROVIDED AXIOMS

Proof tactics cannot effectively find the relationship between data structures

Meta-level axioms for structures (independent of program verified)

• Relating simpler data structures and more sophisticated ones, e.g.,

• Relating partial data structures and complete ones, e.g.,

Instantiated at all non-footprint locations

Still automatic?

• Axioms are program-independent, defined once and for all

• Can be encoded in the verifier

NATURAL PROOFS FOR DRYAD

Program+

Recursive defs+

Annotationsin

Dryad

Program+

Recursive defs+

annptations in

Classical-logic

TranslateVerificationConditions

NTwo proof tactics for recursive

defs

VCGen

Encode

SMT Solver

no

Don’t knowyes

Formula in a dec. logic over sets:Does a

natural proof exist?

EXPERIMENTAL EVALUATION

A prototype verifier with Z3 as the backend solver

(more details at http://web.engr.illinois.edu/~qiu2/dryad/)

Inductive data structures singly-linked list, sorted list, doubly-linked list, cyclic list, max-heap, BST, Treap, AVL tree, red-black tree, binomial heap, …

Data structures from open source programs• Glib library: singly/doubly-linked list• OpenBSD library: queue• Linux kernel: VMA for virtual memory management

ExpressOS: a secure mobile platform• Structures for memory management

WE VERIFIED …

106 Dryad-annotated programs• insert, delete, search, reverse, rotate, … (recursive & iterative)• Quicksort, Schorr-Waite algorithm for trees, etc.• VMA: virtual memory operations• ExpressOS: operations memory isolation• full-functional, partial correctness (e.g., data structure invariants,

expected set-of-keys, …)

All the VCs were automatically proved by our tool！• 69 verified within 1 sec• 96 verified within 10 sec• 104 verified within 100 sec

“RBT-delete_iter” spent 225 secs, “binomial-heap-merge_rec” spent 153 secs

(To the best of our knowledge)

First terminating automatic mechanism that can prove such a wide variety of data-structure manipulating programs full-functionally correct

RELATED WORKNatural proofs

• [Suter et al., POPL’10]: Proof tactics for functional programs• [Madhusudan et al., POPL’12]: Imperative programs, only trees,

no while-loops, no frame reasoning

Separation Logic

• Verifast, Bedrock, etc.: proof tactics provided by the user per program

• Implicit Dynamic Frames: also using sets for heaplet, not syntactically determined, not quantifier-free

• HIP/Sleek: search for a class of proofs, but not in any decidable theory

Classical Logic

• Dafny, VCC, etc.: require significant ghost annotations• Jahob: often relies on complex provers, e.g., Mona or Isabelle

CONCLUSIONDryad

• an expressive, tractable dialect of separation logic• A translation to QF classical logic with recursion

Established a natural proof scheme

• Algorithmically search for a subclass of proofs• Automatic, sound but incomplete• Formalized two proof tactics for inductive data structures

A verifier that handles Hoare-triples automatically using SMT solvers

Future work

• More proof tactics for natural proofs

(non-inductive structures, e.g., graphs)

• Natural Proofs for C

(incorporate natural proofs into existing verifiers, e.g., VCC)

• Natural Proofs for concurrent programs (Rely-Guarantee + Dryad)

All Proofs

Natural proofs