Inductive Data Flow Graphs Azadeh Farzan 1 Zachary Kincaid 1 Andreas - - PowerPoint PPT Presentation

Inductive Data Flow Graphs

Azadeh Farzan1 Zachary Kincaid1 Andreas Podelski2

1University of Toronto 2University of Freiburg

January 23, 2013

• Z. Kincaid (U. Toronto)

Inductive Data Flow Graphs January 23, 2013 1 / 16

Algorithmic verification

Goal Given a (concurrent) program P and a specification ϕpre/ϕpost, prove {ϕpre}P{ϕpost} (or provide a counter-example)

• Static analysis for sequential programs
• Model checking for finite-state concurrent protocols

This talk presents Inductive Data Flow Graphs (iDFGs): a form of correctness proof for (concurrent) programs

• Z. Kincaid (U. Toronto)

Inductive Data Flow Graphs January 23, 2013 2 / 16

Algorithmic verification

Goal Given a (concurrent) program P and a specification ϕpre/ϕpost, prove {ϕpre}P{ϕpost} (or provide a counter-example)

• Static analysis for sequential programs
• Model checking for finite-state concurrent protocols

This talk presents Inductive Data Flow Graphs (iDFGs): a form of correctness proof for (concurrent) programs

• Z. Kincaid (U. Toronto)

Inductive Data Flow Graphs January 23, 2013 2 / 16

Algorithmic verification

Goal Given a (concurrent) program P and a specification ϕpre/ϕpost, prove {ϕpre}P{ϕpost} (or provide a counter-example)

• Static analysis for sequential programs
• Model checking for finite-state concurrent protocols

This talk presents Inductive Data Flow Graphs (iDFGs): a form of correctness proof for (concurrent) programs

• Z. Kincaid (U. Toronto)

Inductive Data Flow Graphs January 23, 2013 2 / 16

Algorithmic verification

Goal Given a (concurrent) program P and a specification ϕpre/ϕpost, prove {ϕpre}P{ϕpost} (or provide a counter-example)

• Static analysis for sequential programs
• Model checking for finite-state concurrent protocols

This talk presents Inductive Data Flow Graphs (iDFGs): a form of correctness proof for (concurrent) programs

• Z. Kincaid (U. Toronto)

Inductive Data Flow Graphs January 23, 2013 2 / 16

Why iDFGs?

There are many proof systems: Floyd/Hoare, Owicki-Gries, Rely/Guarantee. Why do we want a new one?

• Succinct
• Present only the essence of a proof
• Polynomial in the data complexity of a program
• Can be generated and checked automatically
• Extend static analysis to concurrent control
• Extend model checking to (unbounded) data
• Z. Kincaid (U. Toronto)

Inductive Data Flow Graphs January 23, 2013 3 / 16

Why iDFGs?

There are many proof systems: Floyd/Hoare, Owicki-Gries, Rely/Guarantee. Why do we want a new one?

• Succinct
• Present only the essence of a proof
• Polynomial in the data complexity of a program
• Can be generated and checked automatically
• Extend static analysis to concurrent control
• Extend model checking to (unbounded) data
• Z. Kincaid (U. Toronto)

Inductive Data Flow Graphs January 23, 2013 3 / 16

Why iDFGs?

There are many proof systems: Floyd/Hoare, Owicki-Gries, Rely/Guarantee. Why do we want a new one?

• Succinct
• Present only the essence of a proof
• Polynomial in the data complexity of a program
• Can be generated and checked automatically
• Extend static analysis to concurrent control
• Extend model checking to (unbounded) data
• Z. Kincaid (U. Toronto)

Inductive Data Flow Graphs January 23, 2013 3 / 16

“Essence” of a proof

ϕpre : x ≥ 0 ∧ y ≥ 0 Thread 1 x ++ y ++ z = x + y Thread 2 x = 2 ϕpost : z ≥ 2 . . x ++ . . x = 2 . y ++ . z = x + y .

{y ≥ 0}

.

{x ≥ 1 ∧ y ≥ 0}

.

{x ≥ 1 ∧ y ≥ 1}

.

{x ≥ 0 ∧ y ≥ 0}

.

{z ≥ 2}

• Z. Kincaid (U. Toronto)

Inductive Data Flow Graphs January 23, 2013 4 / 16

“Essence” of a proof

ϕpre : x ≥ 0 ∧ y ≥ 0 Thread 1 x ++ y ++ z = x + y Thread 2 x = 2 ϕpost : z ≥ 2 . . x ++ . . x = 2 . y ++ . z = x + y . init . {x ≥ 1} . {y ≥ 1} . {true} . {y ≥ 0} . x ≥ 0 ∧ y ≥ 0 . z ≥ 2

• Z. Kincaid (U. Toronto)

Inductive Data Flow Graphs January 23, 2013 4 / 16

“Essence” of a proof

ϕpre : x ≥ 0 ∧ y ≥ 0 Thread 1 x ++ y ++ z = x + y Thread 2 x = 2 ϕpost : z ≥ 2 . . x ++ . . x = 2 . y ++ . z = x + y . init . {x ≥ 1} . {y ≥ 1} . {true} . {y ≥ 0} . x ≥ 0 ∧ y ≥ 0 . z ≥ 2 . Independent conditions

• Z. Kincaid (U. Toronto)

Inductive Data Flow Graphs January 23, 2013 4 / 16

“Essence” of a proof

ϕpre : x ≥ 0 ∧ y ≥ 0 Thread 1 x ++ y ++ z = x + y Thread 2 x = 2 ϕpost : z ≥ 2 . . x ++ . . x = 2 . y ++ . z = x + y . init . {x ≥ 1} . {y ≥ 1} . {true} . {y ≥ 0} . x ≥ 0 ∧ y ≥ 0 . z ≥ 2 . Independent conditions . Irrelevant

• Z. Kincaid (U. Toronto)

Inductive Data Flow Graphs January 23, 2013 4 / 16

“Essence” of a proof

ϕpre : x ≥ 0 ∧ y ≥ 0 Thread 1 x ++ y ++ z = x + y Thread 2 x = 2 ϕpost : z ≥ 2 . . x ++ . . x = 2 . y ++ . z = x + y . init . {x ≥ 1} . {y ≥ 1} . {true} . {y ≥ 0} . x ≥ 0 ∧ y ≥ 0 . z ≥ 2

• Z. Kincaid (U. Toronto)

Inductive Data Flow Graphs January 23, 2013 4 / 16

“Essence” of a proof

ϕpre : x ≥ 0 ∧ y ≥ 0 Thread 1 x ++ y ++ z = x + y Thread 2 x = 2 ϕpost : z ≥ 2 . . x ++ . . y ++ . x = 2 . z = x + y . init . {x ≥ 1} . {y ≥ 1} . {true} . {y ≥ 0} . x ≥ 0 ∧ y ≥ 0 . z ≥ 2

• Z. Kincaid (U. Toronto)

Inductive Data Flow Graphs January 23, 2013 4 / 16

Inductive Data Flow Graphs (iDFGs)

Inductiveness condition: .

. cmda . . ψ1 . ψi . ψm . ϕ1 . ϕj . ϕn

for all j, {ψ1 ∧· · · ∧ ψm}cmda{ϕj} .

. . init . x = 2 . y ++ . z = x + y . {x ≥ 1} . {y ≥ 1} . {true} . {y ≥ 0} . {x ≥ 0 ∧ y ≥ 0} . {z ≥ 2}

Suppress irrelevant details of a partial cor- rectness proof

• Irrelevant ordering constraints

(x = 2;y ++ vs y ++;x = 2)

• Irrelevant actions (x ++)
• Z. Kincaid (U. Toronto)

Inductive Data Flow Graphs January 23, 2013 5 / 16

Inductive Data Flow Graphs (iDFGs)

Inductiveness condition: .

. cmda . . ψ1 . ψi . ψm . ϕ1 . ϕj . ϕn

for all j, {ψ1 ∧· · · ∧ ψm}cmda{ϕj} .

. . init . x = 2 . y ++ . z = x + y . {x ≥ 1} . {y ≥ 1} . {true} . {y ≥ 0} . {x ≥ 0 ∧ y ≥ 0} . {z ≥ 2}

Parallelize a partial correctness proof

• Irrelevant ordering constraints

(x = 2;y ++ vs y ++;x = 2)

• Irrelevant actions (x ++)
• Z. Kincaid (U. Toronto)

Inductive Data Flow Graphs January 23, 2013 5 / 16

Denotation of an iDFG

Data flow graph with inductive assertions (iDFG) proves correctness of traces that obey particular constraints

∼ Control flow graph with inductive assertions (Floyd annotation) proves correctness

• f traces that label paths

The set of such traces is called the denotation of the iDFG, denoted G.

pre

x y Thread 1 x ++ y ++ z = x + y Thread 2 x = 2

post

z . . . init . x = 2 . y ++ . x ++ . z = x + y . x . y . true . y . x y . z . x . x

• Z. Kincaid (U. Toronto)

Inductive Data Flow Graphs January 23, 2013 6 / 16

Denotation of an iDFG

Data flow graph with inductive assertions (iDFG) proves correctness of traces that obey particular constraints

∼ Control flow graph with inductive assertions (Floyd annotation) proves correctness

• f traces that label paths

The set of such traces is called the denotation of the iDFG, denoted G.

ϕpre : x ≥ 0 ∧ y ≥ 0 Thread 1 x ++ y ++ z = x + y Thread 2 x = 2 ϕpost : z ≥ 2 . . init . x = 2 . y ++ . x ++ . z = x + y . {x ≥ 1} . {y ≥ 1} . {true} . {y ≥ 0} . {x ≥ 0 ∧ y ≥ 0} . {z ≥ 2} . {x ≥ 0} . {x ≥ 1}

• Z. Kincaid (U. Toronto)

Inductive Data Flow Graphs January 23, 2013 6 / 16

Denotation of an iDFG

Data flow graph with inductive assertions (iDFG) proves correctness of traces that obey particular constraints

∼ Control flow graph with inductive assertions (Floyd annotation) proves correctness

• f traces that label paths

The set of such traces is called the denotation of the iDFG, denoted G.

ϕpre : x ≥ 0 ∧ y ≥ 0 Thread 1 x ++ y ++ z = x + y Thread 2 x = 2 ϕpost : z ≥ 2 . . init . x = 2 . y ++ . x ++ . z = x + y . {x ≥ 1} . {y ≥ 1} . {true} . {y ≥ 0} . {x ≥ 0 ∧ y ≥ 0} . {z ≥ 2} . {x ≥ 0} . {x ≥ 1}

• Z. Kincaid (U. Toronto)

Inductive Data Flow Graphs January 23, 2013 6 / 16

Denotation of an iDFG

Data flow graph with inductive assertions (iDFG) proves correctness of traces that obey particular constraints

∼ Control flow graph with inductive assertions (Floyd annotation) proves correctness

• f traces that label paths

The set of such traces is called the denotation of the iDFG, denoted G.

ϕpre : x ≥ 0 ∧ y ≥ 0 Thread 1 x ++ y ++ z = x + y Thread 2 x = 2 ϕpost : z ≥ 2 . . init . x = 2 . y ++ . x ++ . z = x + y . {x ≥ 1} . {y ≥ 1} . {true} . {y ≥ 0} . {x ≥ 0 ∧ y ≥ 0} . {z ≥ 2} . {x ≥ 0} . {x ≥ 1}

• Z. Kincaid (U. Toronto)

Inductive Data Flow Graphs January 23, 2013 6 / 16

iDFGs as proof objects

Theorem Let G = ⟨V, E, ϕpre, ϕpost, vo, Vfinal⟩ be an iDFG. For all τ ∈ G, {ϕpre}τ{ϕpost} Program P finite automaton, P is the set of traces of P. . Program P is correct w.r.t.

pre post iff

G P G . Proof rule

• Z. Kincaid (U. Toronto)

Inductive Data Flow Graphs January 23, 2013 7 / 16

iDFGs as proof objects

Theorem Let G = ⟨V, E, ϕpre, ϕpost, vo, Vfinal⟩ be an iDFG. For all τ ∈ G, {ϕpre}τ{ϕpost} Program P ∼ finite automaton, L(P) is the set of traces of P. . Program P is correct w.r.t.

pre post iff

G P G . Proof rule

• Z. Kincaid (U. Toronto)

Inductive Data Flow Graphs January 23, 2013 7 / 16

iDFGs as proof objects

Theorem Let G = ⟨V, E, ϕpre, ϕpost, vo, Vfinal⟩ be an iDFG. For all τ ∈ G, {ϕpre}τ{ϕpost} Program P ∼ finite automaton, L(P) is the set of traces of P. . Program P is correct w.r.t. ϕpre/ϕpost iff ∃G.L(P) ⊆ G . Proof rule

• Z. Kincaid (U. Toronto)

Inductive Data Flow Graphs January 23, 2013 7 / 16

Data complexity

If there exists a small proof that P is correct (w.r.t. ϕpre/ϕpost), then exists a small iDFG proof Theorem For any

pre P post , there exists a iDFG proof with size polynomial

in the data complexity of P

pre post

Data complexity measures how difficult a property is to prove.

• Minimum # of assertions in a localized proof that

pre P post

• Localized proofs: expose “how compositional” a Floyd proof is.
• Z. Kincaid (U. Toronto)

Inductive Data Flow Graphs January 23, 2013 8 / 16

Data complexity

If there exists a small proof that P is correct (w.r.t. ϕpre/ϕpost), then exists a small iDFG proof Theorem For any {ϕpre}P{ϕpost}, there exists a iDFG proof with size polynomial in the data complexity of P, ϕpre, ϕpost Data complexity measures how difficult a property is to prove.

• Minimum # of assertions in a localized proof that

pre P post

• Localized proofs: expose “how compositional” a Floyd proof is.
• Z. Kincaid (U. Toronto)

Inductive Data Flow Graphs January 23, 2013 8 / 16

Data complexity

If there exists a small proof that P is correct (w.r.t. ϕpre/ϕpost), then exists a small iDFG proof Theorem For any {ϕpre}P{ϕpost}, there exists a iDFG proof with size polynomial in the data complexity of P, ϕpre, ϕpost Data complexity measures how difficult a property is to prove.

• Minimum # of assertions in a localized proof that {ϕpre}P{ϕpost}
• Localized proofs: expose “how compositional” a Floyd proof is.
• Z. Kincaid (U. Toronto)

Inductive Data Flow Graphs January 23, 2013 8 / 16

Automation

. Pick a program trace τ. . Is τ correct? . Construct an iDFG Gτ from τ. . Merge Gτ into G. . L(P)

?

⊆ G . yes . no . Program is correct. . Program is incorrect. . . no . yes

• Z. Kincaid (U. Toronto)

Inductive Data Flow Graphs January 23, 2013 9 / 16

Automation

. Pick a program trace τ. . Is τ correct? . Construct an iDFG Gτ from τ. . Construct an iDFG Gτ from τ. . Merge Gτ into G. . L(P)

?

⊆ G . yes . no . Program is correct. . Program is incorrect. . . no . yes

• Z. Kincaid (U. Toronto)

Inductive Data Flow Graphs January 23, 2013 9 / 16

iDFG construction

Goal Given a trace τ ∈ L(P) with {ϕpre}τ{ϕpost}, construct an iDFG Gτ with τ ∈ Gτ. . . x ++ . x = 2 . y ++ . z = x + y .

{z ≥ 2}

.

x y

.

x

.

y

.

x

.

y

• Z. Kincaid (U. Toronto)

Inductive Data Flow Graphs January 23, 2013 10 / 16

iDFG construction

Goal Given a trace τ ∈ L(P) with {ϕpre}τ{ϕpost}, construct an iDFG Gτ with τ ∈ Gτ. . . x ++ . x = 2 . y ++ . z = x + y .

{z ≥ 2}

.

{x ≥ 0 ∧ y ≥ 0}

.

x

.

y

.

x

.

y

• Z. Kincaid (U. Toronto)

Inductive Data Flow Graphs January 23, 2013 10 / 16

iDFG construction

Goal Given a trace τ ∈ L(P) with {ϕpre}τ{ϕpost}, construct an iDFG Gτ with τ ∈ Gτ. . . x ++ . x = 2 . y ++ . z = x + y .

{z ≥ 2}

.

x y

.

{x ≥ 0}

.

{y ≥ 0}

.

x

.

y

• Z. Kincaid (U. Toronto)

Inductive Data Flow Graphs January 23, 2013 10 / 16

iDFG construction

Goal Given a trace τ ∈ L(P) with {ϕpre}τ{ϕpost}, construct an iDFG Gτ with τ ∈ Gτ. . . x ++ . x = 2 . y ++ . z = x + y .

{z ≥ 2}

.

x y

.

x

.

y

.

{x ≥ 0}

.

{y ≥ 0}

• Z. Kincaid (U. Toronto)

Inductive Data Flow Graphs January 23, 2013 10 / 16

Automation

. Pick a program trace τ. . Is τ correct? . Construct an iDFG Gτ from τ. . Merge Gτ into G. . Merge Gτ into G. . L(P)

?

⊆ G . yes . no . Program is correct. . Program is incorrect. . . no . yes

• Z. Kincaid (U. Toronto)

Inductive Data Flow Graphs January 23, 2013 11 / 16

Merging iDFGs

Goal Given iDFGs G1, G2, construct an iDFG G1 G2 such that G1 ∪ G2 ⊆ G1 G2 . . cmda . cmdb . · · · . .

ψ1

.

ψi

.

ψm

. · · · . .

ϕ1

.

ϕi

.

ϕm

. G1 . G2 . .

n cmdb i

• Z. Kincaid (U. Toronto)

Inductive Data Flow Graphs January 23, 2013 12 / 16

Merging iDFGs

Goal Given iDFGs G1, G2, construct an iDFG G1 G2 such that G1 ∪ G2 ⊆ G1 G2 . . cmda . cmdb . · · · . .

ψ1

.

ψi

.

ψm

. · · · . .

ϕ1

.

ϕi

.

ϕm

. G . G . . .

n cmdb i

• Z. Kincaid (U. Toronto)

Inductive Data Flow Graphs January 23, 2013 12 / 16

Merging iDFGs

Goal Given iDFGs G1, G2, construct an iDFG G1 G2 such that G1 ∪ G2 ⊆ G1 G2 . . cmda . cmdb . · · · . .

ψ1

.

ψi

.

ψm

. · · · . .

ϕ1

.

ϕi

.

ϕm

. G . G . . {ϕ1 ∧· · · ∧ ϕn}cmdb{ψi}

• Z. Kincaid (U. Toronto)

Inductive Data Flow Graphs January 23, 2013 12 / 16

Merging iDFGs

Goal Given iDFGs G1, G2, construct an iDFG G1 G2 such that G1 ∪ G2 ⊆ G1 G2 . . cmda . cmdb . · · · . .

ψ1

.

ψi

.

ψm

. · · · . .

ϕ1

.

ϕi

.

ϕm

. G . G . . {ϕ1 ∧· · · ∧ ϕn}cmdb{ψi}

• Z. Kincaid (U. Toronto)

Inductive Data Flow Graphs January 23, 2013 12 / 16

Automation

. Pick a program trace τ. . Is τ correct? . Construct an iDFG Gτ from τ. . Merge Gτ into G. . L(P)

?

⊆ G . L(P)

?

⊆ G . yes . no . Program is correct. . Program is incorrect. . . no . yes

• Z. Kincaid (U. Toronto)

Inductive Data Flow Graphs January 23, 2013 13 / 16

Proof checking

For any iDFG G, we can efficiently (linear time, in the size of G) construct an alternating finite automaton AG such that L(AG) = Grev Proof checking: L(P)rev ? ⊆ L(AG)

• Can be solved in PSPACE
• Combinatorial problem (non-reachability)
• Reuse techniques from (finite-state) model checking
• Z. Kincaid (U. Toronto)

Inductive Data Flow Graphs January 23, 2013 14 / 16

Summary

• Inductive Data Flow Graphs are a proof method for partial

correctness of (concurrent) programs

• (Provably) succinct
• Can be generated automatically

Future work

• Can iDFGs be constructed more effectively?
• Efficient proof checking?
• Parameterized programs?
• Weak memory models?
• Z. Kincaid (U. Toronto)

Inductive Data Flow Graphs January 23, 2013 15 / 16

Summary

• Inductive Data Flow Graphs are a proof method for partial

correctness of (concurrent) programs

• (Provably) succinct
• Can be generated automatically

Future work

• Can iDFGs be constructed more effectively?
• Efficient proof checking?
• Parameterized programs?
• Weak memory models?
• Z. Kincaid (U. Toronto)

Inductive Data Flow Graphs January 23, 2013 15 / 16

Questions?

Thank you for your attention.

• Z. Kincaid (U. Toronto)

Inductive Data Flow Graphs January 23, 2013 16 / 16