Feature constraints to modelise Unix filesystems Nicolas Jeannerod - - PowerPoint PPT Presentation

1/27

Feature constraints to modelise Unix filesystems

Nicolas Jeannerod

IRIF

February 7, 2018

2/27

The CoLiS Project

Shell

2/27

The CoLiS Project

Shell IL

Translation

2/27

The CoLiS Project

Shell IL

Translation

2/27

The CoLiS Project

Shell IL

Translation

Specification in Tree Transducers

2/27

The CoLiS Project

Shell IL

Translation

Specification in Tree Transducers Specification in Feature Trees

2/27

The CoLiS Project

Shell IL

Translation

Specification in Tree Transducers Specification in Feature Trees

3/27

Specifications.. then what?

Find accessible states that lead to errors.

3/27

Specifications.. then what?

Find accessible states that lead to errors. ◮ “Accessible”? Where the specification is satisfiable.

3/27

Specifications.. then what?

Find accessible states that lead to errors. ◮ “Accessible”? Where the specification is satisfiable. ◮ “Lead to errors”? Where the script exists abnormally.

3/27

Specifications.. then what?

Find accessible states that lead to errors. ◮ “Accessible”? Where the specification is satisfiable. ◮ “Lead to errors”? Where the script exists abnormally. Fill automated report to script’s maintainer.

3/27

Specifications.. then what?

Find accessible states that lead to errors. ◮ “Accessible”? Where the specification is satisfiable. ◮ “Lead to errors”? Where the script exists abnormally. Fill automated report to script’s maintainer. Check properties

3/27

Specifications.. then what?

Find accessible states that lead to errors. ◮ “Accessible”? Where the specification is satisfiable. ◮ “Lead to errors”? Where the script exists abnormally. Fill automated report to script’s maintainer. Check properties: ◮ ∀rin, rout ·

• specs1(rin, rout) ↔ specs2(rout, rin)

3/27

Specifications.. then what?

Find accessible states that lead to errors. ◮ “Accessible”? Where the specification is satisfiable. ◮ “Lead to errors”? Where the script exists abnormally. Fill automated report to script’s maintainer. Check properties: ◮ ∀rin, rout ·

• specs1(rin, rout) ↔ specs2(rout, rin)
• ◮ ∀rin, rout · (specs(rin, rout) → rout[home] = rin[home])

3/27

Specifications.. then what?

Find accessible states that lead to errors. ◮ “Accessible”? Where the specification is satisfiable. ◮ “Lead to errors”? Where the script exists abnormally. Fill automated report to script’s maintainer. Check properties: ◮ ∀rin, rout ·

• specs1(rin, rout) ↔ specs2(rout, rin)
• ◮ ∀rin, rout · (specs(rin, rout) → rout[home] = rin[home])

◮ ∀rin, rout · (specs(rin, rout) ↔ rout . = rin)

3/27

Specifications.. then what?

Find accessible states that lead to errors. ◮ “Accessible”? Where the specification is satisfiable. ◮ “Lead to errors”? Where the script exists abnormally. Fill automated report to script’s maintainer. Check properties: ◮ ∀rin, rout ·

• specs1(rin, rout) ↔ specs2(rout, rin)
• ◮ ∀rin, rout · (specs(rin, rout) → rout[home] = rin[home])

◮ ∀rin, rout · (specs(rin, rout) ↔ rout . = rin) ◮ ∀rin, rout ·

• ∃r′ · (specs1(rin, r′) ∧ specs2(r′, rout)) ↔ rout .

= rin

4/27

Table of Contents

• 1. Description of filesystems

Unix filesystems Static description Directory update

• 2. Constraints

Definitions Basic constraints Negation

• 3. Usages

Decidability of the First-Order Theory Automated Specification for Scripts: Proof of Concept

5/27

Unix filesystem

/ usr etc lib ◮ Basically a tree with labelled nodes and edges;

5/27

Unix filesystem

/ usr etc lib libc.so libc.so.6 ◮ Basically a tree with labelled nodes and edges; ◮ There can be sharing at the leafs (hard link between files);

5/27

Unix filesystem

/ usr etc lib libc.so libc.so.6 lib ◮ Basically a tree with labelled nodes and edges; ◮ There can be sharing at the leafs (hard link between files); ◮ There can be pointers to other parts of the tree (symbolic links)

5/27

Unix filesystem

/ usr etc lib libc.so libc.so.6 lib root ◮ Basically a tree with labelled nodes and edges; ◮ There can be sharing at the leafs (hard link between files); ◮ There can be pointers to other parts of the tree (symbolic links) which may form cycles.

6/27

Table of Contents

• 1. Description of filesystems

Unix filesystems Static description Directory update

• 2. Constraints

Definitions Basic constraints Negation

• 3. Usages

Decidability of the First-Order Theory Automated Specification for Scripts: Proof of Concept

7/27

Static description

r v w x u∅ usr etc lib skel

• caml

7/27

Static description

r v w x u∅ usr etc lib skel

• caml

7/27

Static description

r v w x u∅ usr etc lib skel

• caml

c =

7/27

Static description

r v w x u[∅] usr etc lib skel

• caml

c = ∃u, v, x, w ·

7/27

Static description

r v w x u[∅] usr etc lib skel

• caml

c = ∃u, v, x, w · r[usr]v ∧ v[lib]x ∧ r[etc]w ∧ w[skel]u

7/27

Static description

r v w x u[∅] usr etc lib skel

• caml

c = ∃u, v, x, w · r[usr]v ∧ v[lib]x ∧ x[ocaml] ↑ ∧ r[etc]w ∧ w[skel]u

7/27

Static description

r v w x u[∅] usr etc lib skel

• caml

c = ∃u, v, x, w · r[usr]v ∧ v[lib]x ∧ x[ocaml] ↑ ∧ r[etc]w ∧ w[skel]u ∧ u[∅]

8/27

Table of Contents

• 1. Description of filesystems

Unix filesystems Static description Directory update

• 2. Constraints

Definitions Basic constraints Negation

• 3. Usages

Decidability of the First-Order Theory Automated Specification for Scripts: Proof of Concept

9/27

Directory update

r v w x usr etc lib

• caml

9/27

Directory update

r v w x usr etc lib

• caml

mkdir /usr/lib/ocaml

9/27

Directory update

r v w x usr etc lib

• caml

mkdir /usr/lib/ocaml

r′ v′ w′ x′ y′∅ usr etc lib

• caml

9/27

Directory update

r v w x usr etc lib

• caml

mkdir /usr/lib/ocaml

r′ v′ w′ x′ y′∅ usr etc lib

• caml

c′ =

9/27

Directory update

r v w x usr etc lib

• caml

mkdir /usr/lib/ocaml

r′ v′ w′ x′ y′[∅] usr etc lib

• caml

c′ = ∃v, v′, x, x′, y′ ·       

9/27

Directory update

r v w x usr etc lib

• caml

mkdir /usr/lib/ocaml

r′ v′ w′ x′ y′[∅] usr etc lib

• caml

c′ = ∃v, v′, x, x′, y′ ·        r′ is r with usr → v′ ∧ v′ is v with lib → x′ ∧ x′ is x with ocaml → y′ ∧ y′[∅]

10/27

Er.. is that really what we want?

◮ Asymmetric: y is x with f → v

10/27

Er.. is that really what we want?

◮ Asymmetric: y is x with f → v ◮ Makes it hard to eliminate variables: ∃x ·

• y is x with f → v

∧ z is x with g → w

10/27

Er.. is that really what we want?

◮ Asymmetric: y is x with f → v ◮ Makes it hard to eliminate variables: ∃x ·

• y is x with f → v

∧ z is x with g → w

• ◮ Contains in fact two pieces of information:

10/27

Er.. is that really what we want?

◮ Asymmetric: y is x with f → v ◮ Makes it hard to eliminate variables: ∃x ·

• y is x with f → v

∧ z is x with g → w

• ◮ Contains in fact two pieces of information:

◮ “y and x may be different in f but are identical everywhere else”

10/27

Er.. is that really what we want?

◮ Asymmetric: y is x with f → v ◮ Makes it hard to eliminate variables: ∃x ·

• y is x with f → v

∧ z is x with g → w

• ◮ Contains in fact two pieces of information:

◮ “y and x may be different in f but are identical everywhere else” ◮ “y points to v through f”

10/27

Er.. is that really what we want?

◮ Asymmetric: y is x with f → v ◮ Makes it hard to eliminate variables: ∃x ·

• y is x with f → v

∧ z is x with g → w

• ◮ Contains in fact two pieces of information:

◮ “y and x may be different in f but are identical everywhere else” ◮ “y points to v through f”: y[f]v

10/27

Er.. is that really what we want?

◮ Asymmetric: y is x with f → v ◮ Makes it hard to eliminate variables: ∃x ·

• y is x with f → v

∧ z is x with g → w

• ◮ Contains in fact two pieces of information:

◮ “y and x may be different in f but are identical everywhere else”: y

.

∼f x ◮ “y points to v through f”: y[f]v

11/27

∼: Much better

◮ Allows to express the update: “y is x with f → v” := y

.

∼f x ∧ y[f]v

11/27

∼: Much better

◮ Allows to express the update: “y is x with f → v” := y

.

∼f x ∧ y[f]v ◮ Symmetric and transitive: y

.

∼f x ⇐ ⇒ x . ∼f y y

.

∼f x ∧ z

.

∼f x = ⇒ y

.

∼f z

11/27

∼: Much better

◮ Allows to express the update: “y is x with f → v” := y

.

∼f x ∧ y[f]v ◮ Symmetric and transitive: y

.

∼f x ⇐ ⇒ x . ∼f y y

.

∼f x ∧ z

.

∼f x = ⇒ y

.

∼f z ◮ Other properties: y

.

∼f x ∧ z

.

∼g x = ⇒ y

.

∼{f,g} z y

.

∼f x ∧ y

.

∼g x ⇐ ⇒ y

.

∼∅ x

11/27

∼: Much better

◮ Allows to express the update: “y is x with f → v” := y

.

∼f x ∧ y[f]v ◮ Symmetric and transitive: y

.

∼f x ⇐ ⇒ x . ∼f y y

.

∼f x ∧ z

.

∼f x = ⇒ y

.

∼f z ◮ Other properties: y

.

∼f x ∧ z

.

∼g x = ⇒ y

.

∼{f,g} z y

.

∼f x ∧ y

.

∼g x ⇐ ⇒ y

.

∼∅ x ◮ Allows to remove variables: ∃x ·

• y is x with f → v

∧ z is x with g → w

11/27

∼: Much better

◮ Allows to express the update: “y is x with f → v” := y

.

∼f x ∧ y[f]v ◮ Symmetric and transitive: y

.

∼f x ⇐ ⇒ x . ∼f y y

.

∼f x ∧ z

.

∼f x = ⇒ y

.

∼f z ◮ Other properties: y

.

∼f x ∧ z

.

∼g x = ⇒ y

.

∼{f,g} z y

.

∼f x ∧ y

.

∼g x ⇐ ⇒ y

.

∼∅ x ◮ Allows to remove variables: ∃x ·

• y

.

∼f x ∧ y[f]v ∧ z

.

∼g x ∧ z[g]w

11/27

∼: Much better

◮ Allows to express the update: “y is x with f → v” := y

.

∼f x ∧ y[f]v ◮ Symmetric and transitive: y

.

∼f x ⇐ ⇒ x . ∼f y y

.

∼f x ∧ z

.

∼f x = ⇒ y

.

∼f z ◮ Other properties: y

.

∼f x ∧ z

.

∼g x = ⇒ y

.

∼{f,g} z y

.

∼f x ∧ y

.

∼g x ⇐ ⇒ y

.

∼∅ x ◮ Allows to remove variables: ∃x ·

• y

.

∼f x ∧ y[f]v ∧ z

.

∼g x ∧ z[g]w

• ↔ y[f]v ∧ z[g]w

11/27

∼: Much better

◮ Allows to express the update: “y is x with f → v” := y

.

∼f x ∧ y[f]v ◮ Symmetric and transitive: y

.

∼f x ⇐ ⇒ x . ∼f y y

.

∼f x ∧ z

.

∼f x = ⇒ y

.

∼f z ◮ Other properties: y

.

∼f x ∧ z

.

∼g x = ⇒ y

.

∼{f,g} z y

.

∼f x ∧ y

.

∼g x ⇐ ⇒ y

.

∼∅ x ◮ Allows to remove variables: ∃x ·

• y

.

∼f x ∧ y[f]v ∧ z

.

∼g x ∧ z[g]w

• ↔ y[f]v ∧ z[g]w ∧ y

.

∼{f,g} z

12/27

Table of Contents

• 1. Description of filesystems

Unix filesystems Static description Directory update

• 2. Constraints

Definitions Basic constraints Negation

• 3. Usages

Decidability of the First-Order Theory Automated Specification for Scripts: Proof of Concept

13/27

Model and Constraints

ftree ::= F ftree

13/27

Model and Constraints

ftree ::= F ftree ◮ F infinite set of features (names for the edges); ◮ F ftree: partial function with finite domain;

13/27

Model and Constraints

ftree ::= F ftree ◮ F infinite set of features (names for the edges); ◮ F ftree: partial function with finite domain; ◮ Infinite set of variables x, y, etc.; ◮ f ∈ F, F ⊂ F finite. Equality x . = y Feature x[f]y x[f] ↑ Absence Fence x[F] x . ∼F y Similarity

13/27

Model and Constraints

ftree ::= F ftree ◮ F infinite set of features (names for the edges); ◮ F ftree: partial function with finite domain; ◮ Infinite set of variables x, y, etc.; ◮ f ∈ F, F ⊂ F finite. Equality x . = y Feature x[f]y x[f] ↑ Absence Fence x[F] x . ∼F y Similarity ◮ Composed with ¬, ∧, ∨, ∃x, ∀x (no quantification on features);

13/27

Model and Constraints

ftree ::= F ftree ◮ F infinite set of features (names for the edges); ◮ F ftree: partial function with finite domain; ◮ Infinite set of variables x, y, etc.; ◮ f ∈ F, F ⊂ F finite. Equality x . = y Feature x[f]y x[f] ↑ Absence Fence x[F] x . ∼F y Similarity ◮ Composed with ¬, ∧, ∨, ∃x, ∀x (no quantification on features); ◮ Wanted: (un)satisfiability of these constraints; ◮ Bonus point for incremental procedures.

14/27

Semantics

T , ρ | = c ◮ T the model of all feature trees; ◮ ρ : V(c) → T ;

14/27

Semantics

T , ρ | = c ◮ T the model of all feature trees; ◮ ρ : V(c) → T ; Equality: T , ρ | = x . = y if ρ(x) = ρ(y)

14/27

Semantics

T , ρ | = c ◮ T the model of all feature trees; ◮ ρ : V(c) → T ; Equality: T , ρ | = x . = y if ρ(x) = ρ(y) Feature: T , ρ | = x[f]y if ρ(x)(f) = ρ(y) Absence: T , ρ | = x[f] ↑ if f / ∈ dom(ρ(x))

14/27

Semantics

T , ρ | = c ◮ T the model of all feature trees; ◮ ρ : V(c) → T ; Equality: T , ρ | = x . = y if ρ(x) = ρ(y) Feature: T , ρ | = x[f]y if ρ(x)(f) = ρ(y) Absence: T , ρ | = x[f] ↑ if f / ∈ dom(ρ(x)) Fence: T , ρ | = x[F] if dom(ρ(x)) ⊆ F

14/27

Semantics

T , ρ | = c ◮ T the model of all feature trees; ◮ ρ : V(c) → T ; Equality: T , ρ | = x . = y if ρ(x) = ρ(y) Feature: T , ρ | = x[f]y if ρ(x)(f) = ρ(y) Absence: T , ρ | = x[f] ↑ if f / ∈ dom(ρ(x)) Fence: T , ρ | = x[F] if dom(ρ(x)) ⊆ F Similarity: T , ρ | = x . ∼F y if ρ(x) ↾ F = ρ(y) ↾ F

15/27

Table of Contents

• 1. Description of filesystems

Unix filesystems Static description Directory update

• 2. Constraints

Definitions Basic constraints Negation

• 3. Usages

Decidability of the First-Order Theory Automated Specification for Scripts: Proof of Concept

16/27

Game plan

◮ Rewriting system;

16/27

Game plan

◮ Rewriting system; ◮ Puts constraints in normal form (not necessarily unique);

16/27

Game plan

◮ Rewriting system; ◮ Puts constraints in normal form (not necessarily unique); ◮ Respects equivalences;

16/27

Game plan

◮ Rewriting system; ◮ Puts constraints in normal form (not necessarily unique); ◮ Respects equivalences; ◮ Normal forms: either ⊥ or with nice properties.

17/27

Basic rewriting system

x1[f1]x2 ∧ . . . ∧ xn[fn]x1 (n ≥ 1) x[f]y ∧ x[f] ↑ x[f]y ∧ x[F] (f / ∈ F) Clash Patterns

17/27

Basic rewriting system

x1[f1]x2 ∧ . . . ∧ xn[fn]x1 (n ≥ 1) x[f]y ∧ x[f] ↑ x[f]y ∧ x[F] (f / ∈ F) Clash Patterns ∃X, x · (x . = y ∧ c) ⇒ ∃X · c{x → y} (x = y) ∃X, z · (x[f]y ∧ x[f]z ∧ c) ⇒ ∃X · (x[f]y ∧ c{z → y}) (y = z) x . ∼F y ∧ x . ∼G y ∧ c ⇒ x . ∼F∩G y ∧ c Simplification Rules

17/27

Basic rewriting system

x1[f1]x2 ∧ . . . ∧ xn[fn]x1 (n ≥ 1) x[f]y ∧ x[f] ↑ x[f]y ∧ x[F] (f / ∈ F) Clash Patterns ∃X, x · (x . = y ∧ c) ⇒ ∃X · c{x → y} (x = y) ∃X, z · (x[f]y ∧ x[f]z ∧ c) ⇒ ∃X · (x[f]y ∧ c{z → y}) (y = z) x . ∼F y ∧ x . ∼G y ∧ c ⇒ x . ∼F∩G y ∧ c Simplification Rules x . ∼F y ∧ x[f]z ∧ c ⇒ x . ∼F y ∧ x[f]z ∧ y[f]z ∧ c (f / ∈ F) x . ∼F y ∧ x[f] ↑ ∧c ⇒ x . ∼F y ∧ x[f] ↑ ∧y[f] ↑ ∧c (f / ∈ F) x . ∼F y ∧ x[G] ∧ c ⇒ x . ∼F y ∧ x[G] ∧ y[F ∪ G] ∧ c x . ∼F y ∧ x . ∼G z ∧ c ⇒ x . ∼F y ∧ x . ∼G z ∧ y

.

∼F∪G z ∧ c (if

y . ∼Hz H ⊆ F ∪ G)

Propagation Rules

18/27

Properties

Lemma

The basic constraint system terminates and yields a clause that is equivalent to the first one.

18/27

Properties

Lemma

The basic constraint system terminates and yields a clause that is equivalent to the first one.

Lemma

Let c be a clause c = gc ∧ ∃X · lc such that

18/27

Properties

Lemma

The basic constraint system terminates and yields a clause that is equivalent to the first one.

Lemma

Let c be a clause c = gc ∧ ∃X · lc such that: ◮ c is in normal form;

18/27

Properties

Lemma

The basic constraint system terminates and yields a clause that is equivalent to the first one.

Lemma

Let c be a clause c = gc ∧ ∃X · lc such that: ◮ c is in normal form; ◮ V(gc) ∩ X = ∅; ◮ every literal in lc is about X;

18/27

Properties

Lemma

The basic constraint system terminates and yields a clause that is equivalent to the first one.

Lemma

Let c be a clause c = gc ∧ ∃X · lc such that: ◮ c is in normal form; ◮ V(gc) ∩ X = ∅; ◮ every literal in lc is about X; ◮ there is no y[f]x with x ∈ X and y / ∈ X.

18/27

Properties

Lemma

The basic constraint system terminates and yields a clause that is equivalent to the first one.

Lemma

Let c be a clause c = gc ∧ ∃X · lc such that: ◮ c is in normal form; ◮ V(gc) ∩ X = ∅; ◮ every literal in lc is about X; ◮ there is no y[f]x with x ∈ X and y / ∈ X. Then c is equivalent to gc.

19/27

Table of Contents

• 1. Description of filesystems

Unix filesystems Static description Directory update

• 2. Constraints

Definitions Basic constraints Negation

• 3. Usages

Decidability of the First-Order Theory Automated Specification for Scripts: Proof of Concept

20/27

Negation: new players, new rules

aka La Slide de la Mort

20/27

Negation: new players, new rules

¬x[f]y ∧ c ⇒ (x[f] ↑ ∨∃z · (x[f]z ∧ y ∼∅ z)) ∧ c ¬x[f] ↑ ∧c ⇒ ∃z · x[f]z ∧ c Simple Replacement Rules

20/27

Negation: new players, new rules

¬x[f]y ∧ c ⇒ (x[f] ↑ ∨∃z · (x[f]z ∧ y ∼∅ z)) ∧ c ¬x[f] ↑ ∧c ⇒ ∃z · x[f]z ∧ c Simple Replacement Rules x[F] ∧ ¬x[G] ∧ c ⇒ x[F] ∧ xF \ G ∧ c x[F] ∧ x ∼G y ∧ c ⇒ x[F] ∧

• ¬y[F ∪ G] ∨ x .

=F\G y

• ∧ c

x . ∼F y ∧ x ∼G y ∧ c ⇒ x . ∼F y ∧ x . =F\G y ∧ c More Replacement Rules

20/27

Negation: new players, new rules

x[F] ∧ ¬x[G] ∧ c ⇒ x[F] ∧ xF \ G ∧ c x[F] ∧ x ∼G y ∧ c ⇒ x[F] ∧

• ¬y[F ∪ G] ∨ x .

=F\G y

• ∧ c

x . ∼F y ∧ x ∼G y ∧ c ⇒ x . ∼F y ∧ x . =F\G y ∧ c More Replacement Rules

20/27

Negation: new players, new rules

x[F] ∧ ¬x[G] ∧ c ⇒ x[F] ∧ xF \ G ∧ c x[F] ∧ x ∼G y ∧ c ⇒ x[F] ∧

• ¬y[F ∪ G] ∨ x .

=F\G y

• ∧ c

x . ∼F y ∧ x ∼G y ∧ c ⇒ x . ∼F y ∧ x . =F\G y ∧ c More Replacement Rules

20/27

Negation: new players, new rules

xF :=

• f∈F

∃z · x[f]z x[F] ∧ ¬x[G] ∧ c ⇒ x[F] ∧ xF \ G ∧ c x[F] ∧ x ∼G y ∧ c ⇒ x[F] ∧

• ¬y[F ∪ G] ∨ x .

=F\G y

• ∧ c

x . ∼F y ∧ x ∼G y ∧ c ⇒ x . ∼F y ∧ x . =F\G y ∧ c More Replacement Rules

20/27

Negation: new players, new rules

x . =F y :=

• f∈F

∃z′ · (x[f] ↑ ∧y[f]z′) ∨ ∃z · (x[f]z ∧ y[f] ↑) ∨∃z, z′ · (x[f]z ∧ y[f]z′ ∧ z ∼∅ z′)

• x[F] ∧ ¬x[G] ∧ c

⇒ x[F] ∧ xF \ G ∧ c x[F] ∧ x ∼G y ∧ c ⇒ x[F] ∧

• ¬y[F ∪ G] ∨ x .

=F\G y

• ∧ c

x . ∼F y ∧ x ∼G y ∧ c ⇒ x . ∼F y ∧ x . =F\G y ∧ c More Replacement Rules

20/27

Negation: new players, new rules

x . =F y :=

• f∈F

∃z′ · (x[f] ↑ ∧y[f]z′) ∨ ∃z · (x[f]z ∧ y[f] ↑) ∨∃z, z′ · (x[f]z ∧ y[f]z′ ∧ z ∼∅ z′)

• x[F] ∧ ¬x[G] ∧ c

⇒ x[F] ∧ xF \ G ∧ c x[F] ∧ x ∼G y ∧ c ⇒ x[F] ∧

• ¬y[F ∪ G] ∨ x .

=F\G y

• ∧ c

x . ∼F y ∧ x ∼G y ∧ c ⇒ x . ∼F y ∧ x . =F\G y ∧ c More Replacement Rules x . ∼F y ∧ ¬x[G] ∧ c ⇒ x . ∼F y ∧ (¬x[F ∪ G] ∨ xF \ G) ∧ c (F ⊆ G x . ∼F y ∧ ¬x[G] ∧ c ⇒ x . ∼F y ∧ ¬x[G] ∧ ¬y[G] ∧ c (F ⊆ G x . ∼F y ∧ x ∼G z ∧ c ⇒ x . ∼F y ∧

• x ∼F∪G z ∨ x .

=F\G z

• ∧ c

(F ⊆ G x . ∼F y ∧ x ∼G z ∧ c ⇒ x . ∼F y ∧ x ∼G z ∧ y ∼G z ∧ c (F ⊆ G Enlargement and Propagation Rules

20/27

Negation: new players, new rules

x . =F y :=

• f∈F

∃z′ · (x[f] ↑ ∧y[f]z′) ∨ ∃z · (x[f]z ∧ y[f] ↑) ∨∃z, z′ · (x[f]z ∧ y[f]z′ ∧ z ∼∅ z′)

• x[F] ∧ ¬x[G] ∧ c

⇒ x[F] ∧ xF \ G ∧ c x[F] ∧ x ∼G y ∧ c ⇒ x[F] ∧

• ¬y[F ∪ G] ∨ x .

=F\G y

• ∧ c

x . ∼F y ∧ x ∼G y ∧ c ⇒ x . ∼F y ∧ x . =F\G y ∧ c More Replacement Rules

20/27

Negation: new players, new rules

x . =F y :=

• f∈F

∃z′ · (x[f] ↑ ∧y[f]z′) ∨ ∃z · (x[f]z ∧ y[f] ↑) ∨∃z, z′ · (x[f]z ∧ y[f]z′ ∧ z ∼∅ z′)

• x[F] ∧ ¬x[G] ∧ c

⇒ x[F] ∧ xF \ G ∧ c x[F] ∧ x ∼G y ∧ c ⇒ x[F] ∧

• ¬y[F ∪ G] ∨ x .

=F\G y

• ∧ c

x . ∼F y ∧ x ∼G y ∧ c ⇒ x . ∼F y ∧ x . =F\G y ∧ c More Replacement Rules

20/27

Negation: new players, new rules

x . =F y :=

• f∈F

∃z′ · (x[f] ↑ ∧y[f]z′) ∨ ∃z · (x[f]z ∧ y[f] ↑) ∨∃z, z′ · (x[f]z ∧ y[f]z′ ∧ z ∼∅ z′)

• x[F] ∧ ¬x[G] ∧ c

⇒ x[F] ∧ xF \ G ∧ c x[F] ∧ x ∼G y ∧ c ⇒ x[F] ∧

• ¬y[F ∪ G] ∨ x .

=F\G y

• ∧ c

x . ∼F y ∧ x ∼G y ∧ c ⇒ x . ∼F y ∧ x . =F\G y ∧ c More Replacement Rules x[F] = “x has no feature outside F” x ∼G y = “there is a feature outside G that differentiates x and y”

20/27

Negation: new players, new rules

x . =F y :=

• f∈F

∃z′ · (x[f] ↑ ∧y[f]z′) ∨ ∃z · (x[f]z ∧ y[f] ↑) ∨∃z, z′ · (x[f]z ∧ y[f]z′ ∧ z ∼∅ z′)

• x[F] ∧ ¬x[G] ∧ c

⇒ x[F] ∧ xF \ G ∧ c x[F] ∧ x ∼G y ∧ c ⇒ x[F] ∧

• ¬y[F ∪ G] ∨ x .

=F\G y

• ∧ c

x . ∼F y ∧ x ∼G y ∧ c ⇒ x . ∼F y ∧ x . =F\G y ∧ c More Replacement Rules x[F] = “x has no feature outside F” x ∼G y = “there is a feature outside G that differentiates x and y” ◮ either it is in F, ◮ or it is not,

20/27

Negation: new players, new rules

x . =F y :=

• f∈F

∃z′ · (x[f] ↑ ∧y[f]z′) ∨ ∃z · (x[f]z ∧ y[f] ↑) ∨∃z, z′ · (x[f]z ∧ y[f]z′ ∧ z ∼∅ z′)

• x[F] ∧ ¬x[G] ∧ c

⇒ x[F] ∧ xF \ G ∧ c x[F] ∧ x ∼G y ∧ c ⇒ x[F] ∧

• ¬y[F ∪ G] ∨ x .

=F\G y

• ∧ c

x . ∼F y ∧ x ∼G y ∧ c ⇒ x . ∼F y ∧ x . =F\G y ∧ c More Replacement Rules x[F] = “x has no feature outside F” x ∼G y = “there is a feature outside G that differentiates x and y” ◮ either it is in F, and we can list all the cases; ◮ or it is not,

20/27

Negation: new players, new rules

x . =F y :=

• f∈F

∃z′ · (x[f] ↑ ∧y[f]z′) ∨ ∃z · (x[f]z ∧ y[f] ↑) ∨∃z, z′ · (x[f]z ∧ y[f]z′ ∧ z ∼∅ z′)

• x[F] ∧ ¬x[G] ∧ c

⇒ x[F] ∧ xF \ G ∧ c x[F] ∧ x ∼G y ∧ c ⇒ x[F] ∧

• ¬y[F ∪ G] ∨ x .

=F\G y

• ∧ c

x . ∼F y ∧ x ∼G y ∧ c ⇒ x . ∼F y ∧ x . =F\G y ∧ c More Replacement Rules x[F] = “x has no feature outside F” x ∼G y = “there is a feature outside G that differentiates x and y” ◮ either it is in F, and we can list all the cases; ◮ or it is not, and since x[F] then ¬y[F ∪ G].

21/27

Properties

Lemma

The constraint system terminates and yields a clause that is equivalent to the first one.

21/27

Properties

Lemma

The constraint system terminates and yields a clause that is equivalent to the first one.

Lemma

Let c be a clause c = gc ∧ ∃X · lc such that: ◮ c is in normal form; ◮ V(gc) ∩ X = ∅; ◮ every literal in lc is about X; ◮ there is no y[f]x with x ∈ X and y / ∈ X. Then c is equivalent to gc.

22/27

Does that even terminate?

R-NSim-Fence:

x[F] ∧ x ∼G y ∧ c ⇒ x[F] ∧

• ¬y[F ∪ G] ∨ x .

=F\G y

• ∧ c

22/27

Does that even terminate?

R-NSim-Fence (for F = {f} and G = ∅):

x[{f}] ∧ x ∼∅ y ∧ c ⇒ x[{f}] ∧ (¬y[{f}] ∨ x . =f y) ∧ c

22/27

Does that even terminate?

R-NSim-Fence (for F = {f} and G = ∅):

x[{f}] ∧ x ∼∅ y ∧ c ⇒ ∃z, z′ · x[f]z ∧ y[f]z′ ∧ z ∼∅ z′ ∧ x[{f}

22/27

Does that even terminate?

x0[{f}] x1[{f}] x2[{f}] . . . xn[{f}] . . . f f f f f . . . y0 f ∼∅

R-NSim-Fence (for F = {f} and G = ∅):

x[{f}] ∧ x ∼∅ y ∧ c ⇒ ∃z, z′ · x[f]z ∧ y[f]z′ ∧ z ∼∅ z′ ∧ x[{f}

22/27

Does that even terminate?

x0[{f}] x1[{f}] x2[{f}] . . . xn[{f}] . . . f f f f f . . . y0 f ∼∅

R-NSim-Fence (for F = {f} and G = ∅):

x[{f}] ∧ x ∼∅ y ∧ c ⇒ ∃z, z′ · x[f]z ∧ y[f]z′ ∧ z ∼∅ z′ ∧ x[{f} ◮ R-NSim-Fence with x0 and y0;

22/27

Does that even terminate?

∃y1, z1· x0[{f}] x1[{f}] x2[{f}] . . . xn[{f}] . . . f f f f f . . . y0 y1 f f z1 f ∼∅

R-NSim-Fence (for F = {f} and G = ∅):

x[{f}] ∧ x ∼∅ y ∧ c ⇒ ∃z, z′ · x[f]z ∧ y[f]z′ ∧ z ∼∅ z′ ∧ x[{f} ◮ R-NSim-Fence with x0 and y0;

22/27

Does that even terminate?

∃y1, z1· x0[{f}] x1[{f}] x2[{f}] . . . xn[{f}] . . . f f f f f . . . y0 y1 f f z1 f ∼∅

R-NSim-Fence (for F = {f} and G = ∅):

x[{f}] ∧ x ∼∅ y ∧ c ⇒ ∃z, z′ · x[f]z ∧ y[f]z′ ∧ z ∼∅ z′ ∧ x[{f} ◮ R-NSim-Fence with x0 and y0; ◮ S-Feats with x1 and z1

22/27

Does that even terminate?

∃y1· x0[{f}] x1[{f}] x2[{f}] . . . xn[{f}] . . . f f f f f . . . y0 y1 f f ∼∅

R-NSim-Fence (for F = {f} and G = ∅):

x[{f}] ∧ x ∼∅ y ∧ c ⇒ ∃z, z′ · x[f]z ∧ y[f]z′ ∧ z ∼∅ z′ ∧ x[{f} ◮ R-NSim-Fence with x0 and y0; ◮ S-Feats with x1 and z1

22/27

Does that even terminate?

∃y1· x0[{f}] x1[{f}] x2[{f}] . . . xn[{f}] . . . f f f f f . . . y0 y1 f f ∼∅

R-NSim-Fence (for F = {f} and G = ∅):

x[{f}] ∧ x ∼∅ y ∧ c ⇒ ∃z, z′ · x[f]z ∧ y[f]z′ ∧ z ∼∅ z′ ∧ x[{f} ◮ R-NSim-Fence with x0 and y0; ◮ S-Feats with x1 and z1 ◮ R-NSim-Fence with x1 and y1;

22/27

Does that even terminate?

∃y1, y2, z2· x0[{f}] x1[{f}] x2[{f}] . . . xn[{f}] . . . f f f f f . . . y0 y1 y2 f f f z2 f ∼∅

R-NSim-Fence (for F = {f} and G = ∅):

x[{f}] ∧ x ∼∅ y ∧ c ⇒ ∃z, z′ · x[f]z ∧ y[f]z′ ∧ z ∼∅ z′ ∧ x[{f} ◮ R-NSim-Fence with x0 and y0; ◮ S-Feats with x1 and z1 ◮ R-NSim-Fence with x1 and y1;

22/27

Does that even terminate?

∃y1, y2, z2· x0[{f}] x1[{f}] x2[{f}] . . . xn[{f}] . . . f f f f f . . . y0 y1 y2 f f f z2 f ∼∅

R-NSim-Fence (for F = {f} and G = ∅):

x[{f}] ∧ x ∼∅ y ∧ c ⇒ ∃z, z′ · x[f]z ∧ y[f]z′ ∧ z ∼∅ z′ ∧ x[{f} ◮ R-NSim-Fence with x0 and y0; ◮ S-Feats with x1 and z1 ◮ R-NSim-Fence with x1 and y1; ◮ S-Feats with x2 and z2

22/27

Does that even terminate?

∃y1, y2· x0[{f}] x1[{f}] x2[{f}] . . . xn[{f}] . . . f f f f f . . . y0 y1 y2 f f f ∼∅

R-NSim-Fence (for F = {f} and G = ∅):

x[{f}] ∧ x ∼∅ y ∧ c ⇒ ∃z, z′ · x[f]z ∧ y[f]z′ ∧ z ∼∅ z′ ∧ x[{f} ◮ R-NSim-Fence with x0 and y0; ◮ S-Feats with x1 and z1 ◮ R-NSim-Fence with x1 and y1; ◮ S-Feats with x2 and z2

22/27

Does that even terminate?

∃y1, y2· x0[{f}] x1[{f}] x2[{f}] . . . xn[{f}] . . . f f f f f . . . y0 y1 y2 f f f ∼∅

R-NSim-Fence (for F = {f} and G = ∅):

x[{f}] ∧ x ∼∅ y ∧ c ⇒ ∃z, z′ · x[f]z ∧ y[f]z′ ∧ z ∼∅ z′ ∧ x[{f} ◮ R-NSim-Fence with x0 and y0; ◮ S-Feats with x1 and z1 ◮ R-NSim-Fence with x1 and y1; ◮ S-Feats with x2 and z2 ◮ . . .

22/27

Does that even terminate?

∃y1, y2, . . . , yn· x0[{f}] x1[{f}] x2[{f}] . . . xn[{f}] . . . f f f f f . . . y0 y1 y2 . . . yn f f f f f ∼∅

R-NSim-Fence (for F = {f} and G = ∅):

x[{f}] ∧ x ∼∅ y ∧ c ⇒ ∃z, z′ · x[f]z ∧ y[f]z′ ∧ z ∼∅ z′ ∧ x[{f} ◮ R-NSim-Fence with x0 and y0; ◮ S-Feats with x1 and z1 ◮ R-NSim-Fence with x1 and y1; ◮ S-Feats with x2 and z2 ◮ . . .

23/27

Table of Contents

• 1. Description of filesystems

Unix filesystems Static description Directory update

• 2. Constraints

Definitions Basic constraints Negation

• 3. Usages

Decidability of the First-Order Theory Automated Specification for Scripts: Proof of Concept

24/27

Weak Quantifier Elimination

Assume given a technique to transform ∃X · c into an equivalent ∀X′ · c′.

24/27

Weak Quantifier Elimination

Assume given a technique to transform ∃X · c into an equivalent ∀X′ · c′. Take any closed formula

24/27

Weak Quantifier Elimination

Assume given a technique to transform ∃X · c into an equivalent ∀X′ · c′. Take any closed formula, look at the last quantifier bloc

24/27

Weak Quantifier Elimination

Assume given a technique to transform ∃X · c into an equivalent ∀X′ · c′. Take any closed formula, look at the last quantifier bloc: ◮ Universal ∀ ∃ · · · ∀X · c

24/27

Weak Quantifier Elimination

Assume given a technique to transform ∃X · c into an equivalent ∀X′ · c′. Take any closed formula, look at the last quantifier bloc: ◮ Universal, switch it to existential: ∀ ∃ · · · ∀X · c = ⇒ ¬ ∃ ∀ · · · ∃X · ¬c

24/27

Weak Quantifier Elimination

Assume given a technique to transform ∃X · c into an equivalent ∀X′ · c′. Take any closed formula, look at the last quantifier bloc: ◮ Universal, switch it to existential: ∀ ∃ · · · ∀X · c = ⇒ ¬ ∃ ∀ · · · ∃X · ¬c ◮ Existential:

24/27

Weak Quantifier Elimination

Assume given a technique to transform ∃X · c into an equivalent ∀X′ · c′. Take any closed formula, look at the last quantifier bloc: ◮ Universal, switch it to existential: ∀ ∃ · · · ∀X · c = ⇒ ¬ ∃ ∀ · · · ∃X · ¬c ◮ Existential:

◮ If there is an other bloc before ∀ ∃ · · · ∀Y · ∃X · c

24/27

Weak Quantifier Elimination

Assume given a technique to transform ∃X · c into an equivalent ∀X′ · c′. Take any closed formula, look at the last quantifier bloc: ◮ Universal, switch it to existential: ∀ ∃ · · · ∀X · c = ⇒ ¬ ∃ ∀ · · · ∃X · ¬c ◮ Existential:

◮ If there is an other bloc before, use the given technique: ∀ ∃ · · · ∀Y · ∃X · c = ⇒ ∀ ∃ · · · ∀Y, X′ · c′

24/27

Weak Quantifier Elimination

Assume given a technique to transform ∃X · c into an equivalent ∀X′ · c′. Take any closed formula, look at the last quantifier bloc: ◮ Universal, switch it to existential: ∀ ∃ · · · ∀X · c = ⇒ ¬ ∃ ∀ · · · ∃X · ¬c ◮ Existential:

◮ If there is an other bloc before, use the given technique: ∀ ∃ · · · ∀Y · ∃X · c = ⇒ ∀ ∃ · · · ∀Y, X′ · c′ ◮ If not

24/27

Weak Quantifier Elimination

Assume given a technique to transform ∃X · c into an equivalent ∀X′ · c′. Take any closed formula, look at the last quantifier bloc: ◮ Universal, switch it to existential: ∀ ∃ · · · ∀X · c = ⇒ ¬ ∃ ∀ · · · ∃X · ¬c ◮ Existential:

◮ If there is an other bloc before, use the given technique: ∀ ∃ · · · ∀Y · ∃X · c = ⇒ ∀ ∃ · · · ∀Y, X′ · c′ ◮ If not, then it is only a satisfiability question.

25/27

Weak Quantifier Elimination

Previous slide said: “Assume given a technique to transform ∃X · c into an equivalent ∀X′ · c′.”

25/27

Weak Quantifier Elimination

Previous slide said: “Assume given a technique to transform ∃X · c into an equivalent ∀X′ · c′.” Here is what we have:

Lemma

Let c be a clause c = gc ∧ ∃X · lc such that: ◮ . . . ◮ there is no y[f]x with x ∈ X and y / ∈ X. Then c is equivalent to gc.

25/27

Weak Quantifier Elimination

Previous slide said: “Assume given a technique to transform ∃X · c into an equivalent ∀X′ · c′.” Here is what we have:

Lemma

Let c be a clause c = gc ∧ ∃X · lc such that: ◮ . . . ◮ there is no y[f]x with x ∈ X and y / ∈ X. Then c is equivalent to gc.

25/27

Weak Quantifier Elimination

Previous slide said: “Assume given a technique to transform ∃X · c into an equivalent ∀X′ · c′.” Here is what we have:

Lemma

Let c be a clause c = gc ∧ ∃X · lc such that: ◮ . . . ◮ there is no y[f]x with x ∈ X and y / ∈ X. Then c is equivalent to gc. Lukily: ∃X, x · (y[f]x ∧ c)

25/27

Weak Quantifier Elimination

Previous slide said: “Assume given a technique to transform ∃X · c into an equivalent ∀X′ · c′.” Here is what we have:

Lemma

Let c be a clause c = gc ∧ ∃X · lc such that: ◮ . . . ◮ there is no y[f]x with x ∈ X and y / ∈ X. Then c is equivalent to gc. Lukily: ∃X, x · (y[f]x ∧ c) ⇒ ¬y[f] ↑ ∧∀x · (y[f]x → ∃X · c)

26/27

Table of Contents

• 1. Description of filesystems

Unix filesystems Static description Directory update

• 2. Constraints

Definitions Basic constraints Negation

• 3. Usages

Decidability of the First-Order Theory Automated Specification for Scripts: Proof of Concept

27/27

Demo!