Reasoning with Mutable Data Structures Tamara Rezk Javier Blanco F - - PowerPoint PPT Presentation



SLIDE 1

Reasoning with Mutable Data Structures

Tamara Rezk, Javier Blanco. FAMAF, Universidad Nacional de Córdoba, Argentina

Reasoning with Mutable Data Structures– p. 1/16

SLIDE 2

This talk

  • Motivation: a problem (pointer variable aliasing)
  • Reynolds’ Logic
  • More problems (reasoning with the logic), more motivations
  • Method to implement pointer programs
  • Case study
  • Conclusions

SLIDE 3

Aliasing everywhere

[The slide body (a program fragment and pointer diagram in a symbol font) did not survive extraction.]

SLIDE 10

How to verify the program?

[The slide body (the program, its specification and proof outline, in a symbol font) did not survive extraction.]


SLIDE 15

Separation Logic

Extension of Hoare logic (J. Reynolds, P. O’Hearn). No need to use complex reachability predicates. Novel ”separating conjunction” (symbol lost in extraction).

  • New ways of assertion (the ”points-to” predicate).
  • Rules for heap manipulation commands.
  • Restrictions over expressions (no pointer dereferencing inside expressions, because the assignment rule works by variable substitution).


SLIDE 22

Separation Logic

The separating conjunction of two assertions (formula lost in extraction) is satisfied by:

  • Splitting the heap: one part satisfies the first conjunct and the other, disjoint, part satisfies the second.
SLIDE 24

Still a problem: reasoning with pointers

Solution: find a systematic way to obtain a verified imperative pointer algorithm from an abstract specification of the program.

The traditional method using abstraction functions doesn’t work (unless we use reachability conditions, but that loses the abstract reasoning and complicates the proofs).

We propose to use ”abstraction predicates”, naturally incorporated into the programming logic.

SLIDE 27

Method to obtain verified programs

Step 1: Definition of the tail recursive function

[The function definition on this slide is in a symbol font and did not survive extraction.]

SLIDE 29

Method to obtain verified programs

Step 2: Find a representation invariant

State the relation between the abstract data type X, used in the initial specification, and its pointer implementation with concrete type Y.

[The invariant’s formula is in a symbol font and did not survive extraction.]

SLIDE 31

Method to obtain verified programs

Step 3: Define b’, f’, g’ such that:

[The defining conditions on b’, f’ and g’ are in a symbol font and did not survive extraction.]

SLIDE 33

Method to obtain verified programs

Step 4: Obtain the verified imperative pointer program

[The program text is in a symbol font and did not survive extraction.]

Loop Invariant:

[The invariant’s formula is in a symbol font and did not survive extraction.]
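The four steps above and the Separation Logic slide (points-to, separating conjunction, aliasing) are the parts of the talk whose formulas were lost, so here is an added, executable illustration of them. It is not code from the slides or from the authors: it assumes a heap modelled as a dict from address to (value, next) cell, takes Reynolds' inductive list predicate as the abstraction predicate of Step 2, uses in-place list reversal with a tail-recursive accumulator function as the Step 1 instance, and reads b', f', g' as the guard, the heap-manipulating step and the result function of that scheme on the concrete state; the loop invariant in Step 4 is checked at run time rather than proved.

```python
"""Added example (not from the slides): a heap model with points-to and
separating conjunction, plus the four-step derivation of a pointer program
instantiated on in-place list reversal. All modelling choices are assumptions."""
from typing import Callable, Dict, Optional, Tuple

Addr = Optional[int]                 # None plays the role of nil
Heap = Dict[int, Tuple[int, Addr]]   # address -> (value, next)
Pred = Callable[[Heap], bool]


def points_to(h: Heap, p: Addr, val: int, nxt: Addr) -> bool:
    """p |-> (val, nxt): h consists of exactly the one cell at p."""
    return p is not None and h == {p: (val, nxt)}


def sep(h: Heap, p1: Pred, p2: Pred) -> bool:
    """Separating conjunction p1 * p2: some split of h into two disjoint
    sub-heaps h1, h2 with p1(h1) and p2(h2). Exhaustive over all splits,
    which is fine for the small constructed heaps used here."""
    keys = list(h)
    for mask in range(1 << len(keys)):
        h1 = {k: h[k] for i, k in enumerate(keys) if (mask >> i) & 1}
        h2 = {k: h[k] for i, k in enumerate(keys) if not (mask >> i) & 1}
        if p1(h1) and p2(h2):
            return True
    return False


def list_pred(h: Heap, p: Addr, xs: tuple) -> bool:
    """Abstraction predicate list(p, xs), the Step 2 representation invariant:
    list(nil, ()) holds on the empty heap, and
    list(p, x::xs') = exists q. p |-> (x, q) * list(q, xs').
    Removing the cell at p before recursing is what makes '*' separating:
    a cell reachable twice (aliasing, a cycle) cannot satisfy the predicate."""
    if not xs:
        return p is None and h == {}
    if p is None or p not in h:
        return False
    val, nxt = h[p]
    if val != xs[0]:
        return False
    rest = {k: v for k, v in h.items() if k != p}
    return list_pred(rest, nxt, xs[1:])


# Step 1: tail-recursive function on the abstract type (tuples).
def rev_acc(xs: tuple, acc: tuple = ()) -> tuple:
    if not xs:                                  # guard b
        return acc                              # result g
    return rev_acc(xs[1:], (xs[0],) + acc)      # step f


# Step 3: b', f', g' on the concrete state (heap, i, j).
def b_prime(h: Heap, i: Addr, j: Addr) -> bool:
    return i is None

def f_prime(h: Heap, i: Addr, j: Addr) -> Tuple[Heap, Addr, Addr]:
    # k := [i].next ; [i].next := j ; j := i ; i := k
    val, k = h[i]
    h[i] = (val, j)
    return h, k, i

def g_prime(h: Heap, i: Addr, j: Addr) -> Addr:
    return j


def invariant(h: Heap, i: Addr, j: Addr, alpha: tuple, beta: tuple, xs0: tuple) -> bool:
    """Loop invariant: list(i, alpha) * list(j, beta) and rev_acc(alpha, beta) == rev(xs0)."""
    return (sep(h, lambda h1: list_pred(h1, i, alpha), lambda h2: list_pred(h2, j, beta))
            and rev_acc(alpha, beta) == rev_acc(xs0))


# Step 4: the imperative pointer program, with the invariant checked at run time.
def reverse_in_place(h: Heap, p: Addr, xs0: tuple) -> Addr:
    i, j = p, None
    alpha, beta = xs0, ()       # ghost variables: the abstract values of i and j
    while not b_prime(h, i, j):
        assert invariant(h, i, j, alpha, beta, xs0)
        h, i, j = f_prime(h, i, j)
        alpha, beta = alpha[1:], (alpha[0],) + beta
    assert invariant(h, i, j, alpha, beta, xs0)
    return g_prime(h, i, j)


def alloc_list(xs: tuple, base: int = 100) -> Tuple[Heap, Addr]:
    """Constructed sample heap: element k lives at address base + k."""
    h: Heap = {}
    nxt: Addr = None
    for k in range(len(xs) - 1, -1, -1):
        h[base + k] = (xs[k], nxt)
        nxt = base + k
    return h, nxt


def demo() -> Tuple[tuple, Addr]:
    xs = (1, 2, 3, 4)                       # constructed input
    h, p = alloc_list(xs)
    q = reverse_in_place(h, p, xs)
    assert list_pred(h, q, rev_acc(xs))     # postcondition: list(q, rev(xs)) on the same heap
    return rev_acc(xs), q


if __name__ == "__main__":
    print(demo())
```

Two checks worth running by hand: `sep` over a one-cell heap with the same points-to on both sides returns False, which is the logic's way of ruling out aliasing (one cell cannot be owned by both conjuncts), and `list_pred` on a self-pointing cell returns False for the same reason, so a cyclic structure can never satisfy the representation invariant.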

SLIDE 35

Conclusions

The method provides:

  • a way to reason abstractly when specifying the program;
  • a modularization of the implementation;
  • the notion of ”abstraction predicates”, to be used with the logic as representation invariants;
  • well-defined proof obligation steps.