A Constructor-Based Reachability Logic for Rewrite Theories Stephen - - PowerPoint PPT Presentation

a constructor based reachability logic for rewrite
SMART_READER_LITE
LIVE PREVIEW

A Constructor-Based Reachability Logic for Rewrite Theories Stephen - - PowerPoint PPT Presentation

May 04, 2023 241 likes •549 views

A Constructor-Based Reachability Logic for Rewrite Theories Stephen Skeirik, Andrei Stefanescu, Jose Meseguer October 10th, 2017 Outline 1 Introduction 2 Reachability Logic Semantics 3 The Invariant Paradox 4 Inference System 5 Implementation

slide-1
SLIDE 1

A Constructor-Based Reachability Logic for Rewrite Theories

Stephen Skeirik, Andrei Stefanescu, Jose Meseguer October 10th, 2017

slide-2
SLIDE 2

Outline

1 Introduction 2 Reachability Logic Semantics 3 The Invariant Paradox 4 Inference System 5 Implementation and Case Studies 6 Conclusions and Future Work

slide-3
SLIDE 3

Introduction

Origins of Reachability Logic

Reachability Logic (RL) was originally proposed by Rosu et. al to verify programs in K based on a rewriting logic (RWL) definition of language L ’s semantics generalizes both Hoare Logic and Separation Logic language-generic: a prover can be generated for each language L from its rewriting logic semantics RL

1 / 22

slide-4
SLIDE 4

Introduction

From Language-generic to Theory-generic RL

This work addresses the following open problems:

1 Can we develop a reachability logic for general rewrite

theories, i.e. RL(R) generalizing RL(RL )? ...will allow us to move from verifying code to verifying distributed system designs

2 How can we maximize automation in RL proofs? 3 How can we use RL to prove invariants (invariant paradox)?

2 / 22

slide-5
SLIDE 5

Introduction

From Language-generic to Theory-generic RL

We address questions (1)-(3) via:

1 developing a new RWL-theory based RL semantics and very

simple proof system,

2 utilizing RWL concepts (e.g. constructors, variants) in our

proof system as well as a equational-theory-generic SMT solver as a backend based on variant satisfiability

3 and applying an appropriate RWL theory transformation to

prove invariants.

3 / 22

slide-6
SLIDE 6

Introduction

A Running Example: QLOCK

The mutual exclusion protocol QLOCK has five rewrite rules: n2w : < n i | w | c | q > → < n | w i | c | q ; i > w2c : < n | w i | c | i ; q > → < n | w | c i | i ; q > c2n : < n | w | c i | i ; q > → < n i | w | c | q > join : < n | w | c | q > → < n i | w | c | q > if φ exit : < n i | w | c | q > → < n | w | c | q > where φ ≡ dup(n w c i) = tt. QLOCK’s specification is RQLOCK = (Σ, E ∪ B, R) with R the above rules, B the axioms ACU for and A for ; and, E the equation dup(s s s′) = tt.

4 / 22

slide-7
SLIDE 7

Outline

1 Introduction 2 Reachability Logic Semantics 3 The Invariant Paradox 4 Inference System 5 Implementation and Case Studies 6 Conclusions and Future Work

slide-8
SLIDE 8

Reachability Logic Semantics

Constrained Constructor Patterns

Definition

Let (Σ, B, E) be sufficiently complete w.r.t. constructors Ω. A constrained constructor pattern is a pair: u | ϕ such that u ∈ TΩ(X) ∧ ϕ ∈ QFForm(Σ) The set PatPred(Ω, Σ) contains ⊥ and all constrained constructor patterns, and is closed under (∨) and (∧) The semantics of predicate A is A ⊆ CΣ/E,B where:

1 ⊥ = ∅ 2 u | ϕ = {[(uρ)!]BΩ ∈ CΣ/E,B | ρ ∈ [X→TΩ] ∧ E ∪B |

= ϕρ}.

3 A ∨ B = A ∪ B 4 A ∧ B = A ∩ B

5 / 22

slide-9
SLIDE 9

Reachability Logic Semantics

Reachability Formulas

Definition

Given patterns u | φ and vi | ψi, a reachability formula has form: u | ϕ − →⊛

i

vi | ψi Example.

1 < n | w | c | q > | dup(n w c) = tt 2 < n | w | c | q > | dup(n w c) = tt −

→⊛ < n′ | w′ | c′ | q′ > | dup(n′ w′ c′) = tt

6 / 22

slide-10
SLIDE 10

Reachability Logic Semantics

Intuitive Semantics

Q: What does the relation A − →⊛ B mean? A: Suppose we have: (1) a rewrite theory R (2) pattern fomulas A, B (3) and terminating states T Then A − →⊛ B means: for each state [t] ∈ A and rewrite path p from [t], either: (1) p crosses B or (2) p is infinite

  • - - indicates counterex.
  • - -

satisfies A →⊛ B

  • - -

vacuously satisfies

7 / 22

slide-11
SLIDE 11

Reachability Logic Semantics

Formal Semantics

Definition

Let R = (Σ, E ∪ B, R) have (a) good executability conditions, (b) constructor subsignature Ω, (c) and top sort State of states. Let CR denote the canonical reachability model. R | = A − →⊛ B iff: For each concrete state [u0] ∈ CR,State ∩ A and; terminating sequence [u0] →R [u1] · · · [un−1] →R [un] There exists 0 ≤ j ≤ n with [uj] ∈ B N.B.: expressible as LTL formula A → (enabled) ∨ ♦B

8 / 22

slide-12
SLIDE 12

Outline

1 Introduction 2 Reachability Logic Semantics 3 The Invariant Paradox 4 Inference System 5 Implementation and Case Studies 6 Conclusions and Future Work

slide-13
SLIDE 13

The Invariant Paradox

Introduction

Recall our example theory QLOCK. Q: How to express mutual exclusion invariant by A − →⊛ B? A: Since:

1 A −

→⊛ B just means A → (enabled) ∨ ♦B,

2 and QLOCK is never terminating,

then all formulas A − →⊛ B are satisfied, so we cannot. (Paradox!!).

9 / 22

slide-14
SLIDE 14

The Invariant Paradox

Solving the Invariant Paradox (I)

Recall the structure of the rewrite rules in QLOCK: n2w : < n i | w | c | q > → < n | w i | c | q ; i > Each rule is topped with a State constructor < >. Let’s add rule: stop : < n | w | c | q > → [ n | w i | c | q ] Note that the stop rule can terminate from any state in the combined theory QLOCK-stop. If B = . . . | ϕ, let [B] denote the predicate [B] = [. . .] | ϕ.

  • Fact. B is an invariant from initial states S0 in QLOCK iff

S0 − →⊛ [B] holds in QLOCK-stop.

10 / 22

slide-15
SLIDE 15

The Invariant Paradox

Solving the Invariant Paradox (II)

Let R be a rewrite theory; assume a single State constructor , . . . , : w → State and all rules have terms of sort State. Let Rstop extend R by adding: (i) fresh [ , . . . , ] : w → State, and (ii) a stop rule x : w → [ x : w]. Then:

Theorem

B is an invariant for R from S0 iff S0 − →⊛ [B] holds in Rstop.

Corollary

If S0 ⊆ B and B − →⊛ [B] holds in Rstop, then B is an invariant for R from initial sates S0.

  • Example. Mutual exclusion in QLOCK can be given by Mutex =

n | w | i | i ; q|dup(n w c i)=tt ∨n | w | ∅ | q|dup(n w c)=tt. Prove: (i) n | ∅ | ∅ | nil ⊆ Mutex (ii) Mutex − →⊛ [Mutex].

11 / 22

slide-16
SLIDE 16

Outline

1 Introduction 2 Reachability Logic Semantics 3 The Invariant Paradox 4 Inference System 5 Implementation and Case Studies 6 Conclusions and Future Work

slide-17
SLIDE 17

Inference System

Introduction (I)

Q: Then given RWL theory R, how do we prove A − →⊛ B? A: Perhaps surprisingly, two proof rules are enough:

A rule that traces rewrite steps of symbolic states in R A rule that internalizes terminating-path-length induction on R

We call these two rules:

Step+Subsumption Axiom

12 / 22

slide-18
SLIDE 18

Inference System

Introduction (II)

The key ideas are:

1 Proving A −

→⊛ B may require some auxiliary lemmas; Let C denote the formula A − →⊛ B plus these lemmas

2 For each formula in C, start with labeled sequents:

[∅, C] ⊢T u | ϕ − →⊛

i vi | ψi 3 1st part (∅) is formulas to be assumed as axioms (none); 4 2nd part (C) is formulas to prove that cannot yet be assumed 5 the Step+Subsumption rule allows us to inductively assume C

after a rewrite step with rules R = {lj → rj if φj}.

13 / 22

slide-19
SLIDE 19

Reachability Logic

Proof Rules (I): Step+Subsumption Rule

  • (j,α)∈unify(u|ϕ′

,R)

[A ∪ C, ∅] ⊢T (rj | ϕ′ ∧ φj)α − →⊛

i

(vi | ψi)α [A, C] ⊢T u | ϕ − →⊛

i

vi | ψi with ϕ′ = ϕ ∧

(i,β)∈match(u,{vi})¬(ψiβ) and R = {lj → rj if φj}

Note. proof rule performs all possible narrowing steps with rules R goals u | φ − →⊛ B with unsatisfiable φ are implicitly removed

14 / 22

slide-20
SLIDE 20

Reachability Logic

Proof Rules (II): The Axiom Rule

  • j

[{u′ | ϕ′ − →⊛

j

v′

j | ψ′ j} ∪ A, ∅] ⊢T v′ jα | ϕ ∧ ψ′ jα −

→⊛

i

vi | ψi [{u′ | ϕ′ − →⊛

j

v′

j | ψ′ j} ∪ A, ∅] ⊢T u | ϕ −

→⊛

i

vi | ψi where ∃α with u =EΩ∪BΩ u′α and TΣ/E∪B | = ϕ ⇒ ϕ′α

15 / 22

slide-21
SLIDE 21

Reachability Logic

Soundness

Theorem

(Soundness) Let R be a rewrite theory, and C a finite set of reachability formulas. If R proves [∅, C] ⊢T C then R | =∀

T C

16 / 22

slide-22
SLIDE 22

Outline

1 Introduction 2 Reachability Logic Semantics 3 The Invariant Paradox 4 Inference System 5 Implementation and Case Studies 6 Conclusions and Future Work

slide-23
SLIDE 23

Implementation and Case Studies

Reflective Implementation

The proof system has been implemented in Maude. Some notes:

1 RWL is reflective, Maude’s META-LEVEL library support was

used which supports reasoning over RWL theories and terms

2 Maude’s built-in support for narrowing modulo axioms was

used to compute successors in the RWL theory R

3 An implementation of a variant satisfiability-based,

theory-generic SMT solver was used to discharge satisfiability and validity proof obligations

17 / 22

slide-24
SLIDE 24

Implementation and Case Studies

Case Studies

Example Description of the System/Property Choice Nondeterministically throws away elements from a multiset/eventually only one element left

  • Comm. Protocol 1

Simple communication protocol/received data is always a prefix of the data to be sent

  • Comm. Protocol 2

Fault-tolerant communication protocol/all data is eventually received in-order Dijkstra Dijkstra’s mutual exclusion alg./mutual exclusion Fixed-Size Token Ring 2-Token ring mutual exclusion alg./mutual exclusion QLOCK QLOCK mutual exclusion alg./mutual exclusion Readers/Writers Readers-writers mutual exclusion alg./mutual exclusion Lamport’s Bakery Unbounded Lamport’s bakery/mutual exclusion Thermostat Open system that dynamically responds to temperature/temperature remains in preset bounds

18 / 22

slide-25
SLIDE 25

Implementation and Case Studies

Example Proof Fragment

T1 ≡

  • sub(P1, α)

[C, ∅] ⊢[] [n3 | w3 | ∅ | q3] | dup(n′′ w′ p) = tt ∧ dup(n3w3) = tt →⊛ [Mutex 1] ∨ [Mutex 2] T1 T2

axiom(G2, α)

· · · [C, ∅] ⊢[] <n′′ | w′ p | ∅ | q′ > | dup(n′′ w′ p) = tt →⊛ [Mutex 1] ∨ [Mutex 2] · · ·

step(n2w, θ)

[∅, C] ⊢[] <n′ | w′ | ∅ | q′ > | dup(n′ w′) = tt →⊛ [Mutex 1] ∨ [Mutex 2] where Gi ≡ Mutex i − →⊛ [Mutex], C ≡ {G1, G2}

19 / 22

slide-26
SLIDE 26

Outline

1 Introduction 2 Reachability Logic Semantics 3 The Invariant Paradox 4 Inference System 5 Implementation and Case Studies 6 Conclusions and Future Work

slide-27
SLIDE 27

Conclusions

We have presented our new theory and implementation of a RL semantics and inference system where:

1 our system is rewrite-theory-generic, so it can be applied to

analyze distributed system designs

2 our implementation uses a theory-generic, variant satisfiability

SMT solver underneath

3 we applied RWL theory transformations in order to specify

and verify invariants

20 / 22

slide-28
SLIDE 28

Future Work

At this point, there are a two clear directions for future work:

1 our variant satisfiability implementation currently supports

rewrite theories whose equational fragment is decidable—we are developing heuristics for undecidable theories

2 we are developing larger, more interesting case studies to

provide further validation for our reachability logic tool

21 / 22

slide-29
SLIDE 29

The End

Any Questions?

22 / 22