Completeness of Pointer Program Verification by Separation Logic

Completeness of Pointer Program Verification by Separation Logic Makoto Tatsuta (National Institute of Informatics) joint work with: Wei-Ngan Chin (National Univ of Singapore) Mahmudul Faisal Al Ameen (Graduate Univ for Advanced Studies) Seminar School of Computer Science and Engineering, Seoul National University March 15, 2010 1 Introduction Pointer programs - while programs + heaps - memory allocation, lookup, mutation, and dispose Separation logic - Peano arithmetic + heap primitives + separating connectives Completeness: Question: Every correct program is proved to be correct Is separation logic for pointer programs complete? Results: (1) Completeness of separation logic for pointer programs (2) Expressiveness of separation logic for pointer programs (3) Completeness of that under deterministic semantics Ideas: - Relative completeness and expressiveness for while programs - A formula that exactly describes the current heap 2 Background 1/7: While Programs While Programs P ::= x := e|if (b) then (P ) else (P )| while (b) do (P )|P ; P Eg. while (x < 11) do (y := y + x; x := x + 1) Semantics [[P ]] - a store s : variables → natural numbers - [[P ]](s1) = s2 Eg. s1(x) = 1, s1(y) = 0, s2(x) = 11, s2(y) = 55 [[while (x < 11) do (y := y + x; x := x + 1)]](s1) = s2 3 Background 2/7: Asserted Programs Assertions A formulas in Peano arithmetic Eg. x = 11 ∧ y = 55 Asserted Programs {A}P {B} {A}P {B} is true iff - If the initial state that satisfies A and the execution of the program P terminates, then the resulting state satisfies B - Partial correctness Eg. {x = 1∧y = 0}while (x < 11) do (y := y+x; x := x+1){x = 11∧y = 55} is true 4 Background 3/7: Hoare Logic Boolean expression b a quantifier-free assertion Inference rules: {A[x := e]}x := e{A} (assignment) {A ∧ b}P1{B} {A ∧ ¬b}P2{B} (if ) {A}if (b) then (P1) else (P2){B} {A ∧ b}P {A} (while) {A}while (b) do (P ){A ∧ ¬b} {A}P1{C} {C}P2{B} (comp) {A}P1; P2{B} {A1}P {B1} (conseq) {A}P {B} (A → A1, B1 → B true) {A}P {B} is provable - There exists its derivation by the inference rules 5 Example {x = 1∧y = 0}while (x < 11) do (y := y+x; x := x+1){x = 11∧y = 55} is provable Let the loop invariant I be x ≤ 11 ∧ y = 1 + . . . + (x − 1) x = 1 ∧ y = 0 → I is true I ∧ x ≥ 11 → x = 11 ∧ y = 55 is true ... . {I ∧ x < 11}y := y + x; x := x + 1{I} (while) {I}while (x < 11) do (y := y + x; x := x + 1){I ∧ x ≥ 11} (conseq) {x = 1 ∧ y = 0}while (x < 11) do (y := y + x; x := x + 1){x = 11 ∧ y = 55} 6 Background 4/7: Soundness and Completeness Soundness: if {A}P {B} is provable, {A}P {B} is true - If the system proves a program is correct, it is indeed correct - Significance of a verification system Completeness: if {A}P {B} is true, {A}P {B} is provable - If a program is correct, the system surely proves it is correct - The converse of Soundness - Ability of a verification system Hoare Logic is sound and complete 7 Background 5/7: Pointer Programs Pointer programs while programs with heaps Programs P ::= x := e|if (b) then (P ) else (P )| while (b) do (P )|P ; P | x := cons(e, e)|x := [e]|[e] := e|dispose(e) Eg. Allocation x := cons(0, 3) x: 100 100: 0 101: 3 Lookup x := [101] x: 3 100: 0 101: 3 Mutation [100] := 2 x: 3 100: 2 101: 3 Dispose dispose(100) x: 3 101: 3 8 Background 6/7: Semantics N the set of natural numbers (values and addresses) Locs = {n ∈ N |n > 0} 0 a null pointer a store s:variables → N a heap h:Locs →f in N a state (s, h) A program (1) terminates without abort (normal execution), (2) terminates with abort (memory error), or (3) does not terminate - abort: referring to an unallocated address e in x := [e], [e] := e2, or dispose(e) Semantics [[P ]]((s, h)) a set of states - If the initial state is (s, h) and the execution of the program P terminates without abort, then P ((s, h)) is the set of possible resulting states - nondeterministic: a choice of free memory for x := cons(e1, e2) 9 Background: Semantics (cont.) [[P ]](abort) = {abort}, [[x := e]]((s, h)) = {(s[x := [[e]]s], h)}, [[if (b) then (P1) else (P2)]]((s, h)) = [[P1]]((s, h)) if [[b]]s = true, [[P2]]((s, h)) otherwise, [[while (b) do (P )]]((s, h)) = {(s, h)} if [[b]]s = false, [[while (b) do (P )]]([[P ]]((s, h))) otherwise, [[P1; P2]]((s, h)) = [[P2]]([[P1]]((s, h))), [[x := cons(e1, e2)]]((s, h)) = {(s[x := n], h[n := [[e1]]s, n + 1 := [[e2]]s])| n > 0, n, n + 1 6∈ Dom(h)}, [[x := [e]]]((s, h)) = {(s[x := h([[e]]s)], h)} if [[e]]s ∈ Dom(h), {abort} otherwise, [[[e1] := e2]]((s, h)) = {(s, h[[[e1]]s := [[e2]]s])} if [[e1]]s ∈ Dom(h), {abort} otherwise, [[dispose(e)]]((s, h)) = {(s, h|Dom(h)−{[[e]]s})} if [[e]]s ∈ Dom(h), {abort} otherwise. 10 Background 7/7: Separation Logic Reynolds (LICS 02) Assertions for pointer programs Assertions A ::= emp|e A|∀xA|∃xA|A ∗ A|A —∗ A Eg. emp 3 7→ 5 = e|e < e|e 7→ e|¬A|A ∧ A|A ∨ A|A → the current heap is empty the current heap is 3: 5 (the current heap is a single cell) A∗B the current heap can be split into some two heaps h1 and h2 such that A is true for h1 and B is true for h2 A—∗B if the heap h satisfies A, then B is true for the heap obtained from the current heap by adding h 11 Background: Separation Logic (cont.) Inference rules: (cons) {∀x′((x′ 7→ e1, e2) —∗ A[x := x′])}x := cons(e1, e2){A} (x′ 6∈ FV(e1, e2, A)) (lookup) {∃x′(e 7→ x′ ∗ (e 7→ x′ —∗ A[x := x′]))}x := [e]{A} (x′ 6∈ FV(e, A)) {(∃x(e1 7→ x)) ∗ (e1 7→ e2 —∗ A)}[e1] := e2{A} (mutation) (x 6∈ FV(e1)) {(∃x(e 7→ x)) ∗ A}dispose(e){A} (dispose) (x 6∈ FV(e)) 12 Related Work [Reynolds 02(LICS)] - gave separation logic and showed its soundness [Nguyen, David, Qin, and Chin 07] - Verification system based on separation logic - Implemented - Automatic verification of the quick sort program in a second [Berdine, Calcagno, and O’Hearn 05] - Verification system based on separation logic - Implemented [Ishtiaq and O’Hearn 01(POPL)] - Completeness only for programs without if-statements nor whilestatements No completeness results Our result: a proof of the completeness (SEFM09) 13 Main Theorem Theorem (Completeness). {A}P {B} is provable If {A}P {B} is true, then Ideas: - Extending the completeness proof of Hoare Logic - Relative completeness: We assume all true assertions {A1}P {B1} (conseq) {A}P {B} (A → A1, B1 → B true) - Weakest precondition: For a given program P and a given assertion B, the weakest precondition of P and B is the weakest condition for the input states such that B is true after the execution of P Difficulty: - Expressiveness: For a given program P and a given assertion B, there exists some assertion that describes the weakest precondition of P and B 14 Assertion for Current Heap (n, m) the code that represents the pair of natural numbers n, m hn1, . . . , nk i the code that represents the sequence n1, . . . , nk Lookup(x, y, z) The sequence x contains the pair (y, z) - Lookup(x, l, k) iff x = hn1, . . . , (l, k), . . . , nmi Heap(m) = ∀xy(Lookup(m, x, y) ↔ (x 7→ y∗0 = 0)) Heap(h(l1, n1), . . . , (lk , nk )i) means: Dom(h) = {l1, . . . , lk } and h(li) = ni where h is the current heap (The current heap is l1: n1 . . . lk : nk ) 15 Expressiveness Theorem Storex1,...,xn (hm1, . . . , mni) means s(xi) = mi where s is the current store The code ⌈(s, h)⌉ of (s, h) is (⌈s⌉, ⌈h⌉) → Vector notation − x = x1 , . . . , x n ExecP,− → x (⌈r1⌉, ⌈r2⌉) means [[P ]](r1) ∋ r2 → (− x includes free variables in P ) → WP,A(− x ) = ∀xyzw(Store− → x (x) ∧ Heap(y)∧ Pair2(z, x, y) ∧ ExecP,− → x (z, w) → w > 0∧ ∃y1z1(Pair2(w, y1, z1) ∧ EvalA,− → x (y1, z1))) → (− x includes free variables in P and A) → Theorem (Expressiveness). WP,A(− x ) describes the weakest precondition of P and A 16 Proof of Completeness Theorem By induction on P . Cases according to the last rule. Case (comp). {A}P1{C} {C}P2{B} (comp) {A}P1; P2{B} Suppose {A}P1; P2{B} is true. → → x ) where − x includes free variables in B, P2. Let C be WP2,B (− By Expressiveness Theorem, {A}P1{C} and {C}P2{B} are both true. By induction hypothesis for P1 and P2, {A}P1{C} and {C}P2{B} are both provable. By (comp), {A}P1; P2{B} is provable. Expressiveness Theorem is {A}while (b) do (P ){B}. ✷ also necessary for the case 17 of Deterministic Semantics 1 In the previous semantics, x := cons(e1, e2) finds some new memory cells, which we do not know. This is formalized by nondeterminism. Deterministic semantics specifies the new memory cells. For simplicity, we assume the free memory cells will be chosen so that the address is smallest among free memory cells. Assertions A ::= ...| New(e) New(e) means to hold if and only if e is the address of the first free cells in memory space. Semantics [[P ]](r1) = r2 - the execution of P with the initial state r1 terminates with the resulting state r2 [[x := cons(e1, e2)]]((s, h)) = (s[x := n], h[n := [[e1]]s, n + 1 := [[e2]]s]), where n is the smallest number such that n > 0 and n, n + 1 6∈ Dom(h) 18 Deterministic Semantics 2 Our new inference rule: {∃x′ (New(x′ ) ∧ ((x′ 7→ e1 , e2 ) —∗ A[x := x′ ]))}x := cons(e1 , e2 ){A} (cons) (x′ 6∈ FV(e1 , e2 , A)) Note. The rule (conseq) assumes all true assertions for New Theorem(Soundness). If {A}P {B} is provable in the system with New(e), then {A}P {B} is true under deterministic semantics Theorem(Completeness). If {A}P {B} is true under deterministic semantics, then {A}P {B} is provable in the system with New(e) 19 Conclusion Pointer programs - while programs + heaps - memory allocation, lookup, mutation, and dispose Separation logic - Peano arithmetic + heap primitives + separating connectives Completeness: Question: Every correct program is proved to be correct Is separation logic for pointer programs complete? Results: (1) Completeness of separation logic for pointer programs (2) Expressiveness of separation logic for pointer programs (3) Completeness of that under deterministic semantics Ideas: - Relative completeness and expressiveness for while programs - A formula that exactly describes the current heap 20