logic against ghosts
play

Logic Against Ghosts: Comparison of two Proof Approaches for - PowerPoint PPT Presentation

Nov 29, 2023 •516 likes •831 views

Logic Against Ghosts: Comparison of two Proof Approaches for Linked Lists Allan Blanchard Nikolai Kosmatov Frdric Loulergue April 10, 2019 @ SAC-SVT 2019 0/18 - A.Blanchard, N.Kosmatov, F.Loulergue - April 10, 2019 Motivation

  1. Logic Against Ghosts: Comparison of two Proof Approaches for Linked Lists Allan Blanchard Nikolai Kosmatov Frédéric Loulergue – April 10, 2019 @ SAC-SVT 2019 0/18 - A.Blanchard, N.Kosmatov, F.Loulergue - April 10, 2019

  2. Motivation Formal verification of IoT So�ware The VESSEDIA project make IoT so�ware safer mainly by making formal verification more affordable for this field How? Make it easier to apply Use case: the Contiki Operating System an operating system for (low power) IoT devices critical module: the linked-list module 2/18 - A.Blanchard, N.Kosmatov, F.Loulergue - April 10, 2019

  3. Motivation The LIST module - Overview Provides a generic list API for linked lists about 176 LOC (excl. MACROS) required by 32 modules of Contiki more than 250 calls in the core part of Contiki Some special features no dynamic allocation does not allow cycles maintain item unicity 3/18 - A.Blanchard, N.Kosmatov, F.Loulergue - April 10, 2019

  4. struct list { struct list *next; void list_copy(list_t dest, list_t src); void list_insert(list_t pLst, void *previtem, void *newitem); void list_remove(list_t pLst, void *item); void list_add(list_t pLst, void *item); void * list_chop(list_t pLst); void list_push(list_t pLst, void *item); void * list_pop (list_t pLst); void * list_item_next(void *item); void * list_tail(list_t pLst); void * list_head(list_t pLst); list_length(list_t pLst); int void list_init(list_t pLst); typedef struct list ** list_t; }; Motivation The LIST module - A rich API 4/18 - A.Blanchard, N.Kosmatov, F.Loulergue - April 10, 2019

  5. struct list { void * list_pop (list_t pLst); void list_copy(list_t dest, list_t src); void list_insert(list_t pLst, void *previtem, void *newitem); void list_remove(list_t pLst, void *item); void list_add(list_t pLst, void *item); void * list_chop(list_t pLst); struct list *next; void list_push(list_t pLst, void *item); void * list_item_next(void *item); void * list_tail(list_t pLst); void * list_head(list_t pLst); list_length(list_t pLst); int void list_init(list_t pLst); typedef struct list ** list_t; }; Motivation The LIST module - A rich API Observers 4/18 - A.Blanchard, N.Kosmatov, F.Loulergue - April 10, 2019

  6. struct list { void * list_pop (list_t pLst); void list_copy(list_t dest, list_t src); void list_insert(list_t pLst, void *previtem, void *newitem); void list_remove(list_t pLst, void *item); void list_add(list_t pLst, void *item); void * list_chop(list_t pLst); struct list *next; void list_push(list_t pLst, void *item); void * list_item_next(void *item); void * list_tail(list_t pLst); void * list_head(list_t pLst); list_length(list_t pLst); int void list_init(list_t pLst); typedef struct list ** list_t; }; Motivation The LIST module - A rich API Observers Update list beginning 4/18 - A.Blanchard, N.Kosmatov, F.Loulergue - April 10, 2019

  7. struct list { void * list_pop (list_t pLst); void list_copy(list_t dest, list_t src); void list_insert(list_t pLst, void *previtem, void *newitem); void list_remove(list_t pLst, void *item); void list_add(list_t pLst, void *item); struct list *next; void list_push(list_t pLst, void *item); void * list_chop(list_t pLst); void * list_item_next(void *item); void * list_tail(list_t pLst); void * list_head(list_t pLst); list_length(list_t pLst); int void list_init(list_t pLst); typedef struct list ** list_t; }; Motivation The LIST module - A rich API Observers Update list beginning Update list end 4/18 - A.Blanchard, N.Kosmatov, F.Loulergue - April 10, 2019

  8. struct list { void * list_pop (list_t pLst); void list_copy(list_t dest, list_t src); void list_insert(list_t pLst, void *previtem, void *newitem); void list_remove(list_t pLst, void *item); void list_add(list_t pLst, void *item); struct list *next; void list_push(list_t pLst, void *item); void * list_chop(list_t pLst); void * list_item_next(void *item); void * list_tail(list_t pLst); void * list_head(list_t pLst); list_length(list_t pLst); int void list_init(list_t pLst); typedef struct list ** list_t; }; Motivation The LIST module - A rich API Observers Update list beginning Update list end Update list anywhere 4/18 - A.Blanchard, N.Kosmatov, F.Loulergue - April 10, 2019

  9. Motivation Frama-C at a glance a Framework for Modular Analysis of C code developed at CEA List ACSL annotation language extensible plugin-oriented platform > collaboration of analyses over same code > inter plugin communication through ACSL formulas > adding specialized plugins is easy http://frama-c.com/ [Kirchner et al. FAC 2015] 5/18 - A.Blanchard, N.Kosmatov, F.Loulergue - April 10, 2019

  10. Motivation Deductive verification with Frama-C The WP plugin based on Dijkstra’s weakest precondition calculus verify that: > every function ensures its postcondition, > each function call respects the precondition about the input, > no runtime error can happen input: program annotated with ACSL contracts > precondition, postcondition, loop invariant, ... output: a set of verification conditions (VCs) > that are then transmitted to automatic/interactive provers 6/18 - A.Blanchard, N.Kosmatov, F.Loulergue - April 10, 2019

  11. 02 Ghosts for lists 6/18 - A.Blanchard, N.Kosmatov, F.Loulergue - April 10, 2019

  12. list* root = *pLst ; if(root){ } return root ; } *plst = root->next ; //@ ghost array_pop(pLst, array, index, size) ; list* list_pop(list_t pLst) /*@ ghost (list** array, int index, int size) */ { Ghosts for lists Proof using ghost arrays [NFM 2018] Ghost code index index+n-1 cArr &A &B &C &D &E pLst root A B C D E &root &A &B &C &D &E bound Actual code Example 7/18 - A.Blanchard, N.Kosmatov, F.Loulergue - April 10, 2019

  13. Ghosts for lists Limitations Ghosts are still quite concrete we need to show that the array is spatially separated from the list elements which is costly for the verification process > about a third of the annotations are dedicated to this > it pollutes the proof context Maintain equivalence each time we modify the list, we have to modify the content of the array ⇒ more functions to verify The list_insert function was not proved ... and we expected it to be really hard to prove because of memory separation 8/18 - A.Blanchard, N.Kosmatov, F.Loulergue - April 10, 2019

  14. 03 New approach: logic lists 8/18 - A.Blanchard, N.Kosmatov, F.Loulergue - April 10, 2019

  15. \let empty_list = \Nil ; \let another_one = [| 2 |] ; \let multi = [| 3, 4, 5 |] ; \let concat = (an_elem ^ another_one ^ multi ^ [| 6, 7, 8 |]) ; /* etc ... */ \let an_elem = \Cons (1, empty_list) ; New approach: logic lists ACSL logic lists What is the difference with ghost arrays? Purely logic type: easier to handle for SMT solvers, > natively handled type > no encoding of the C semantics (related to arrays) no separation property needed, leads to more concise specification. 9/18 - A.Blanchard, N.Kosmatov, F.Loulergue - April 10, 2019

  16. */ } /*@ New approach: logic lists Formalization I Logic view : &A :: &B :: &C :: &D :: &E :: [] A pLst root B C D E &root &A &B &C &D &E bound inductive linked_ll{L}(list *bl, list *el, \list < list* > ll) { case linked_ll_nil{L}: ∀ list *el; linked_ll{L}(el, el, \Nil ); case linked_ll_cons{L}: ∀ list *bl, *el, \list < list* > tail; \separated (bl, el) ⇒ \valid (bl) ⇒ linked_ll{L}(bl- > next, el, tail) ⇒ separated_from_list(bl, tail) ⇒ linked_ll{L}(bl, el, \Cons (bl, tail)); 10/18 - A.Blanchard, N.Kosmatov, F.Loulergue - April 10, 2019

  17. ACSL does not allow to quantify variables over a contract assigns *list ; @*/ @ @ ... @ @ @ requires linked_ll(*list, NULL, \Cons (hd, l)); @ @ list * list_pop(list_t list); @ ensures linked_ll(*list, NULL, l); New approach: logic lists An issue: no global \exists in contracts A classic way to specify a list pop feature: /*@ ∃ list * hd, \list < list* > l ; @ behavior not_empty: assumes *list ̸ = NULL ; ensures \result == hd == \old (*list) ; 11/18 - A.Blanchard, N.Kosmatov, F.Loulergue - April 10, 2019

  18. assigns *list ; ensures linked_ll(*list, NULL, l); @ @ ... @ @ @ requires linked_ll(*list, NULL, \Cons (hd, l)); @ list * list_pop(list_t list); @ @*/ @ New approach: logic lists An issue: no global \exists in contracts A classic way to specify a list pop feature: /*@ ∃ list * hd, \list < list* > l ; @ behavior not_empty: assumes *list ̸ = NULL ; ensures \result == hd == \old (*list) ; ACSL does not allow to quantify variables over a contract 11/18 - A.Blanchard, N.Kosmatov, F.Loulergue - April 10, 2019

  19. */ /*@ axiomatic To_ll { } New approach: logic lists Formalization II Solution: a logic function that provides the right value to solvers logic \list < list* > to_ll{L}(list* bl, list* el) reads { e- > next | list* e ; \valid (e) ∧ in_list(e, to_ll(bl, el)) } ; axiom to_ll_nil{L}: ∀ list *el ; to_ll{L}(el, el) == \Nil ; axiom to_ll_cons{L}: ∀ list *bl, *el ; \separated (bl, el) ⇒ \valid (bl) ⇒ ptr_separated_from_list(bl, to_ll{L}(bl- > next, el)) ⇒ to_ll{L}(bl, el) == ( \Cons (bl, to_ll{L}(bl- > next, el))) ; 12/18 - A.Blanchard, N.Kosmatov, F.Loulergue - April 10, 2019

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Impacting Culture through Communication Saft World Class Strategy 1. Overcoming Ghosts of

Impacting Culture through Communication Saft World Class Strategy 1. Overcoming Ghosts of

Impacting Culture through Communication Saft World Class Strategy 1. Overcoming Ghosts of the Past Misconceptions, Misunderstandings &amp; Myths 2. Lean Reawakening 3. Nurturing Lean Growth 2 New mention Ghosts of the

383 views • 26 slides
GHOSTS M101 using Resolved Stars 70 kpc g =30 mag/'' 2 F9 F8 F5 F1 F4 F7 F6 F2 F3

GHOSTS M101 using Resolved Stars 70 kpc g =30 mag/'' 2 F9 F8 F5 F1 F4 F7 F6 F2 F3

Quantifying the Faint Outskirts of GHOSTS M101 using Resolved Stars 70 kpc g =30 mag/'' 2 F9 F8 F5 F1 F4 F7 F6 F2 F3 g-band, Dragonfly array In Sung Jang (AIP) Roelof de Jong Benne Holwerda Antonela Monachesi Eric Bell Jeremy

298 views • 5 slides
People with Pain are like Ghosts None see them and None see their Disability WHO

People with Pain are like Ghosts None see them and None see their Disability WHO

There is an Epidemic Morbus named Chronic Pain But People with Pain are like Ghosts None see them and None see their Disability WHO declaration,1948 Health is not merely the absence of disease

265 views • 14 slides
WELCOME!! GHOSTS AND GOBLINS ARE SC SCAR ARY. QUICKBOOKS DOESNT HAVE TO BE! Presented by our

WELCOME!! GHOSTS AND GOBLINS ARE SC SCAR ARY. QUICKBOOKS DOESNT HAVE TO BE! Presented by our

WELCOME!! GHOSTS AND GOBLINS ARE SC SCAR ARY. QUICKBOOKS DOESNT HAVE TO BE! Presented by our QuickBooks experts Becky Miller, Anne Becker, Lauren Brothen, and Christina Hess J AMES H AMLIN&amp; C O .,P .C. CPAs &amp; Business Advisors

473 views • 29 slides
Who Are Those Ancestors? Friendly Ghosts From the Past Haunting the Present Names Shanny

Who Are Those Ancestors? Friendly Ghosts From the Past Haunting the Present Names Shanny

Who Are Those Ancestors? Friendly Ghosts From the Past Haunting the Present Names Shanny Lyndon brothers Nanee Aunt Clyde &amp; Uncle Rufus Granny Bo Robertsons McCartneys Shorts, Hollidays, Floods, Maclin

1.08k views • 62 slides
http://www.neutrino2008.co.nz NEUTRINOS: Ghosts of the Universe Stephen Parke Theoretical

http://www.neutrino2008.co.nz NEUTRINOS: Ghosts of the Universe Stephen Parke Theoretical

http://www.neutrino2008.co.nz NEUTRINOS: Ghosts of the Universe Stephen Parke Theoretical Physicist Fermilab Websters Online Dictionary Main Entry: neutrino Pronunciation: n-'trE-(&quot;)nO, ny- Etymology: Italian, from neutro

1.44k views • 88 slides
The ghosts of departed quantities as the soul of computation Sam Sanders 1 FotFS8, Cambridge 1

The ghosts of departed quantities as the soul of computation Sam Sanders 1 FotFS8, Cambridge 1

The ghosts of departed quantities as the soul of computation Sam Sanders 1 FotFS8, Cambridge 1 This research is generously supported by the John Templeton Foundation. Aim and Motivation AIM: To connect infinitesimals and computability. Aim and

1.2k views • 87 slides
Weaponised Children: Wars, Ghosts and the adults the children will become. Sarah Calvert.

Weaponised Children: Wars, Ghosts and the adults the children will become. Sarah Calvert.

Weaponised Children: Wars, Ghosts and the adults the children will become. Sarah Calvert. PhD. Clinical Psychologist Distinguished Scholar, Waikato University. The Adult the Child will Become We are a social animal Families are an

309 views • 16 slides
WE ARE NOT ALONE: PARTNERS, GHOSTS, STORYTELLERS Presented by: Berlin Loa, Director, The Museum

WE ARE NOT ALONE: PARTNERS, GHOSTS, STORYTELLERS Presented by: Berlin Loa, Director, The Museum

WE ARE NOT ALONE: PARTNERS, GHOSTS, STORYTELLERS Presented by: Berlin Loa, Director, The Museum of Casa Grande Stacey Seaman, Director, BlackBox Foundation Excerpt from a presentation given at the Museum Association of Arizona conference May

486 views • 5 slides
In the shadow of Chief Seattle: Reclaiming environmentalism from the ghosts of white settlement

In the shadow of Chief Seattle: Reclaiming environmentalism from the ghosts of white settlement

In the shadow of Chief Seattle: Reclaiming environmentalism from the ghosts of white settlement Robert Jackson-Paton, Ph.D. White Privilege Conference Seattle, WA 11 April 2013 rjacksonpaton@mac.com beingunsettled.us Finding ground

665 views • 21 slides
On fermionic ghosts and the removal from scalar-fermion systems Yuki Sakakihara (Osaka City

On fermionic ghosts and the removal from scalar-fermion systems Yuki Sakakihara (Osaka City

15:50-16:10, 9th Feb., GC2018 On fermionic ghosts and the removal from scalar-fermion systems Yuki Sakakihara (Osaka City University) ref. Rampei Kimura, YS, Masahide Yamaguchi Phys. Rev. D96 (2017) 044015, another paper in prep. WHY

855 views • 12 slides
Antonela Monachesi Universidad de La Serena E. Bell, B. Harmsen, R. de Jong, D. Radburn-Smith,

Antonela Monachesi Universidad de La Serena E. Bell, B. Harmsen, R. de Jong, D. Radburn-Smith,

Comparing results from the GHOSTS survey and the Auriga simulations Antonela Monachesi Universidad de La Serena E. Bell, B. Harmsen, R. de Jong, D. Radburn-Smith, J. Bailin + GHOSTS team F . Gomez, R. Grand, V. Springel, G. Kau ff mann +

531 views • 20 slides
Looking for Ghosts in the Machine Scott Campbell Security Analyst August 10, 2015

Looking for Ghosts in the Machine Scott Campbell Security Analyst August 10, 2015

Looking for Ghosts in the Machine Scott Campbell Security Analyst August 10, 2015 - 1 - Network Monitoring Limitations There are issues for a fully network centric analysis:

845 views • 69 slides
Markov Logic Markov Logic Probability First-Order Logic Propositional Logic Markov Logic

Markov Logic Markov Logic Probability First-Order Logic Propositional Logic Markov Logic

Putting the Pieces Together Markov Logic Markov Logic Probability First-Order Logic Propositional Logic Markov Logic Definition A Markov Logic Network (MLN) is a set of A logical KB is a set of hard constraints pairs (F, w) where on

350 views • 6 slides
and the Ghosts of Empire British Academy 7 May 2019 TML (2014-2017) project team and partners

and the Ghosts of Empire British Academy 7 May 2019 TML (2014-2017) project team and partners

CHARLES BURDETT UNIVERSITY OF DURHAM Transnational Italian Culture and the Ghosts of Empire British Academy 7 May 2019 TML (2014-2017) project team and partners Charles Burdett (Bristol); Jenny Burns (Warwick); Jacopo Colombini (St Andrews);

603 views • 48 slides
SPECTRES, VIRTUAL GHOSTS, AND HARDWARE SUPPORT Xiaowan Dong University of

SPECTRES, VIRTUAL GHOSTS, AND HARDWARE SUPPORT Xiaowan Dong University of

SPECTRES, VIRTUAL GHOSTS, AND HARDWARE SUPPORT Xiaowan Dong University of Rochester Zhuojia Shen University of Rochester John Criswell University of Rochester

842 views • 33 slides
Local Verification of Global Invariants in Concurrent Programs Ernie Cohen 1 , Michal Moskal 2 ,

Local Verification of Global Invariants in Concurrent Programs Ernie Cohen 1 , Michal Moskal 2 ,

Local Verification of Global Invariants in Concurrent Programs Ernie Cohen 1 , Michal Moskal 2 , Wolfram Schulte 2 , Stephan Tobies 1 1 European Microsoft Innovation Center, Aachen 2 Microsoft Research, Redmond Presentation: Florian Besser

746 views • 27 slides
Toward Gear-Change and Beam-Beam Simula5ons with GHOST Bala Terzi Department of Physics, Old

Toward Gear-Change and Beam-Beam Simula5ons with GHOST Bala Terzi Department of Physics, Old

Toward Gear-Change and Beam-Beam Simula5ons with GHOST Bala Terzi Department of Physics, Old Dominion University Center for Accelerator Studies (CAS), Old Dominion University JLEIC CollaboraCon MeeCng, Jefferson Lab, March 31, 2016 1

447 views • 20 slides
PROGRAMMING ADVANCED FEEDBACK WITH ARDUINO Part 09 - State machine structure The

PROGRAMMING ADVANCED FEEDBACK WITH ARDUINO Part 09 - State machine structure The

Part 09 - State machine structure PROGRAMMING ADVANCED FEEDBACK WITH ARDUINO Part 09 - State machine structure The Pomodoro Technique Part 09 - State machine structure The Pomodoro Technique 1. Decide on the task to be done. 2.

139 views • 9 slides
Gluon and Ghost Propagators from Schwinger-Dyson Equation and Lattice Simulations Joannis

Gluon and Ghost Propagators from Schwinger-Dyson Equation and Lattice Simulations Joannis

Gluon and Ghost Propagators from Schwinger-Dyson Equation and Lattice Simulations Joannis Papavassiliou Departament of Theoretical Physics and IFIC, University of Valencia CSIC, Spain Approaches to QCD, Oberwlz, Austria, 7-13th

458 views • 27 slides
Prophecy Variables in Separation Logic (Extending Iris with Prophecy Variables) Ralf Jung,

Prophecy Variables in Separation Logic (Extending Iris with Prophecy Variables) Ralf Jung,

Prophecy Variables in Separation Logic (Extending Iris with Prophecy Variables) Ralf Jung, Rodolphe Lepigre, Gaurav Parthasarathy, Marianna Rapoport, Amin Timany, Derek Dreyer, Bart Jacobs MPI-SWS, KU Leuven, ETH Zrich, University of Waterloo

1.02k views • 52 slides
Finite element methods in scientifjc computing Wolfgang Bangerth, Colorado State University

Finite element methods in scientifjc computing Wolfgang Bangerth, Colorado State University

Finite element methods in scientifjc computing Wolfgang Bangerth, Colorado State University http://www.dealii.org/ Wolfgang Bangerth Lecture 1 http://www.dealii.org/ Wolfgang Bangerth Overview The numerical solution of partial differential

1.12k views • 89 slides
Sharing Ghost Variables in a Collection of In a Reduced Product Abstract Domains Discussion Marc

Sharing Ghost Variables in a Collection of In a Reduced Product Abstract Domains Discussion Marc

Sharing Ghost Variables in a Collection of Abstract Domains Marc Chevalier J er ome Feret Problems Sharing Ghost Variables in a Collection of In a Reduced Product Abstract Domains Discussion Marc Chevalier J er ome Feret DI ENS,

458 views • 31 slides
One-leg off-shell helicity amplitudes in high-energy factorization Piotr Kotko Institute of

One-leg off-shell helicity amplitudes in high-energy factorization Piotr Kotko Institute of

One-leg off-shell helicity amplitudes in high-energy factorization Piotr Kotko Institute of Nuclear Physics (Cracow) supported by LIDER/02/35/L-2/10/NCBiR/2011 based on A. van Hameren, P .K., K. Kutak, JHEP 1212 (2012) 029 Motivation Why

263 views • 12 slides

More recommend