Bi-Abduction with Pure Properties for Specification Inference Minh-ThaiTrinh1,QuangLocLe1,CristinaDavid2,andWei-NganChin1 1 NationalUniversityofSingapore {trinhmt,locle,chinwn}@comp.nus.edu.sg 2 UniversityofOxford [email protected] Abstract. Separation logic is a state-of-the-art logic for dealing with the pro- gram heap. Using its frame rule, initial works have strived towards automated modularverificationforheap-manipulatingprogramsagainstuser-suppliedspec- ifications.Sincemanuallywritingspecificationsisatediousanderror-proneengi- neeringprocess,theso-calledbi-abduction(acombinationoftheframeruleand abductiveinference)isproposedtoautomaticallyinferpre/postspecificationson datastructureshapes.However,ithasomittedtheinferenceofpurepropertiesof datastructuressuchastheirsize,sum,height,contentandminimum/maximum value,whichareneededtoexpressahigherlevelofprogramcorrectness. Inthispaper,weproposeanovelapproach,calledpurebi-abduction,forin- ferringpureinformationforpre/postspecifications,usingtheresultfromaprior shapeanalysisstep.Thepowerofournewbi-abductiveentailmentprocedureis significantly enhanced by itscollection of proof obligations over uninterpreted relations (functions). Additionally, wedesign apredicate extensionmechanism tosystematicallyextendshapepredicateswithpureproperties. Wehaveimple- mentedourinferencemechanismandevaluateditsutilityonabenchmarkofpro- grams.Weshowthatpurepropertiesareprerequisitetoallowthecorrectnessof about20%ofanalyzedprocedurestobecapturedandverified. Keywords: Specification Inference, Pure Bi-Abduction, Separation Logic, ProgramVerification,MemorySafety,FunctionalCorrectness. 1 Introduction One of the challengingareas forsoftware verificationconcernsprogramsusingheap- based data structures. To prove the correctness of such programs, in the last decade, researchmethodologiesbasedonseparationlogichaveofferedgoodsolutions[1,13,3]. Separationlogic[20,14], anextensionofHoarelogic,is astate-of-the-artlogicfor dealingwiththeprogramheap.Itsassertionlanguagecansuccinctlydescribehowdata structuresarelaidoutinmemory,byprovidingtheseparatingconjunctionoperatorthat splits the heap into disjoint regions:reasoning abouteach such region is independent oftheothers.Thislocalreasoningis capturedbythe frameruleofseparationlogic,a proofrulethatenablescompositionalverificationofheap-manipulatingprograms. Initialworks[1,13]basedonseparationlogichavestrivedtowardsautomatedmod- ularverificationagainstuser-suppliedspecifications.However,manuallywritingspeci- ficationsisatediousanderror-proneengineeringprocess.Thus,morerecentseparation C.-c.Shan(Ed.):APLAS2013,LNCS8301,pp.107–123,2013. (cid:2)c SpringerInternationalPublishingSwitzerland2013 108 M.-T.Trinhetal. logic-basedshape analysesendeavor to automaticallyconstructsuch specificationsin ordertoprovethatprogramsdonotcommitpointer-safetyerrors(dereferencinganull ordanglingpointer,orleakingmemory).Onesuchleadingshapeanalysis[3]proposes bi-abductiontobeabletoscaleuptomillionslinesofcodes.Bi-abduction,acombina- tionoftheframeruleandabductiveinference,isabletoinfer“frames”describingextra, unneededportionsofstate(viatheframerule)aswellastheneeded,missingportions (via abductive inference). Consequently, it would automatically infer both precondi- tions and postconditions on the shape of the data structures used by program codes, enablingacompositionalandscalableshapeanalysis. However, bi-abduction in [3] presently Ex.1.Amethodwherepurepropertiesof suffers from an inability to analyze for pure its data structure are critical for proving (i.e., heap-independent) properties of data itsmemorysafety. structures, which are needed to express a 1 data node { higher-level of program correctness. For il- 2 int val; node next;} lustration,considerasimpleC-stylerecursive 3 node zip(node x,node y){ functioninEx.1thatzipstwolistsofintegers 4 if (x==null) return y; intoasingleone.Toreducetheperformance 5 else { overhead of redundant null-checking, in the 6 node tmp = zip method there is no null-checking for y. 7 zip(x.next,y.next); As a result, the field access y.next at line 7 8 x.next = y; may not be memory-safe.In fact, it triggers 9 y.next = tmp; 10 return x;}} a null-dereferencing error whenever the list pointedbyxislongerthanthelistpointedbyy.Naturally,toensurememorysafety,the method’spreconditionneedstocapturethesizeofeachlist. Adirectsolutiontosuchlimitationistorelyonnumericalanalyses.However,since numericalstaticanalysesareoftenunawareoftheshapeofaprogram’sheap,itbecomes difficultforthemtocapturepurepropertiesofheap-baseddatastructures. In this paper,we proposea systematic methodologyfor inferringpure information forpre/postspecificationsintheseparationlogicdomain,usingtheresultfromaprior shapeanalysisstep.Thispureinformationisnotonlycriticalforprovingmemorysafety butalsohelpfultoexpressahigher-levelofprogramcorrectness.Wecallourinference methodology pure bi-abduction, and employ it for inferring pure properties of data structuressuchastheirsize,height,sum,contentandminimum/maximumvalue.Like bi-abduction,purebi-abductionis meantto combinethe frame rule andabductivein- ference,butfocusedontheproblemofinferringspecificationswithbothheapandpure information.To achieve this, we have designed a new bi-abductiveentailment proce- dure. Its power will be significantly enhanced by the collection of proof obligations overuninterpretedrelations(functions). Thoughthe main noveltyof our currentwork is a systematic inferenceof pure in- formation for specifications of heap-manipulating programs, we have also devised a predicate extension mechanism that can systematically transform shape predicates in ordertoincorporatenewpureproperties.Thistechniqueiscrucialforenhancinginduc- tiveshapepredicateswithrelevantpureproperties. Contributions. Ourcontributionsincludethefollowing: • Wedesignanewbi-abductiveentailmentprocedureforinferringpureinformationfor Bi-AbductionwithPurePropertiesforSpecificationInference 109 specificationsof heap-manipulatingprograms.We design a set offundamentalmech- anisms for pure bi-abduction to help ensure succinct and precise specifications. Our mechanismsincludetheinferenceofobligationsanddefinitionsforuninterpretedrela- tions,priortotheirsynthesisviafixpointanalyses(Sections4,5,6). • We proposean extensionmechanismfor systematically enhancinginductiveshape predicateswithavarietyofpureproperties(Section7). • We have implementedour approachand evaluated it on a benchmarkof programs (Section 8). We show that pure propertiesare prerequisite to allow the correctnessof about20%ofanalyzedprocedurestobecapturedandverified. 2 Overview andMotivation Memory Safety. For the zip method, by using shape analysis techniques [3,6], we couldonlyobtainthefollowingshapespecification: requiresll(cid:2)x(cid:3)∗ll(cid:2)y(cid:3) ensures ll(cid:2)res(cid:3); where predll(cid:2)root(cid:3)≡(root=null)∨∃q·(root(cid:8)→node(cid:2) ,q(cid:3)∗ll(cid:2)q(cid:3)). Althoughthisspecificationcannotensurememorysafetyforthey.nextfieldaccess(at lines7and9),itstillillustratestwoimportantcharacteristicsofseparationlogic.First, by using separation logic, the assertion language can provide inductive spatial predi- cates that describe the shape of unboundedlinked data structures such as lists, trees, etc. For instance, the ll predicate describes the shape of an acyclic singly-linkedlist pointedbyroot.Initsdefinition,thefirstdisjunctcorrespondstothecaseofanempty list, while the secondone separatesthe list into two parts: the head root(cid:2)→node(cid:4) ,q(cid:5), where(cid:2)→ispoints-tooperator,andthetailll(cid:4)q(cid:5).Second,theuseof∗(separatingcon- junction)operatorguaranteesthatthesetwopartsresideindisjointmemoryregions.In short,forthezipmethod,itspreconditionrequiresxandypointtolinkedlists(using ll)thatresideindisjointmemoryregions(using∗),whileitspostconditionensuresthe resultalsopointstoalinkedlist. Generallyspeaking,we cannotobtainanyvalid pre/postspecification(validHoare triple)forthezipmethodbyusingonlytheshapedomain.Toprovememorysafety,the specificationmustalsocapturethesizeofeachlist. Usingpredicateextensionmechanism,wefirstinjectthesizeproperty(capturedby n)intothellpredicateinordertoderivethellNpredicateasfollows: predllN(cid:2)root,n(cid:3)≡(root=null∧n=0) ∨∃q,m·(root(cid:8)→node(cid:2) ,q(cid:3)∗llN(cid:2)q,m(cid:3)∧n=m+1). WiththenewllNpredicate,wecouldthenstrengthenthespecificationtoincludeunin- terpretedrelations:P(a,b)inthepreconditionandQ(r,a,b)inthepostcondition.Their purposeis to capturethe relationshipbetweennewly-introducedvariables(a,b,r) de- notingsizepropertiesoflinkedlists.Uninterpretedrelationsinthepreconditionshould beasweakaspossible,whileonesinthepostconditionshouldbeasstrongaspossible. infer[P,Q] requiresllN(cid:2)x,a(cid:3)∗llN(cid:2)y,b(cid:3)∧P(a,b) ensures llN(cid:2)res,r(cid:3)∧Q(r,a,b); 110 M.-T.Trinhetal. Intuitively,itismeanttoincorporatetheinferencecapability(viainfer)intoapairof pre/post-condition(viarequires/ensures).Andtheinferencewillbeappliedtospeci- fiedsecond-ordervariablesP,Q. Byforwardreasoningonthezipcode,ourbi-abductiveentailmentprocedurewould finallygatherthefollowingproofobligationsonthetwouninterpretedrelations: P(a,b)=⇒b(cid:12)=0∨a≤0, P(a,b)∧a=ar+1∧b=br+1∧0≤ar∧0≤br=⇒P(ar,br), P(a,b)∧r=b∧a=0∧0≤b=⇒Q(r,a,b), P(a,b)∧rn=r−2∧bn=b−1∧an=a−1∧0≤bn,an,rn∧Q(rn,an,bn)=⇒Q(r,a,b). Usingsuitablefix-pointanalysistechniques,wecansynthesizetheapproximationsfor these unknowns, which would add a pre-condition a≤b to guarantee memory safety. Specifically,wehaveP(a,b)≡a≤b,Q(r,a,b)≡r=a+bandanewspecification: requiresllN(cid:2)x,a(cid:3)∗llN(cid:2)y,b(cid:3)∧a≤b ensures llN(cid:2)res,r(cid:3)∧r=a+b; ProgramTermination. Withinferenceofpurepropertiesforspecifications,wecango beyondmemorysafetytowardsfunctionalcorrectnessandeventotalcorrectness.Total correctnessrequiresprogramstobeproventoterminate. Program termination is typically proven with a well-founded decreasing measure. Our inference mechanism can help discover suitable well-founded ranking functions [16]tosupportterminationproofs.Forthistask,wewouldintroduceanuninterpreted functionF(a,b), as a possible measure,via the followingtermination-basedspecifica- tionthatissynthesizedrightaftersizeinference.Notethatsizeinferenceiscrucialfor provingnotonlyprogramsafetybutalsoprogramtermination. infer[F] requiresllN(cid:2)x,a(cid:3)∗llN(cid:2)y,b(cid:3)∧a≤b∧Term[F(a,b)] ensures llN(cid:2)res,r(cid:3)∧r=a+b; Similarly,applyingourpurebi-abductiontechnique,wecanderivethefollowingproof obligationswhosesatisfactionwouldguaranteeprogramtermination. a≥0∧b≥0∧a≤b=⇒F(a,b)≥0 an=a−1∧bn=b−1∧a≤b∧an≥0=⇒F(a,b)>F(an,bn) Usingsuitablefixpointanalyses,wecansynthesizeF(a,b)≡a−1,thuscapturingawell- foundeddecreasingmeasureforourmethod.Thoughterminationanalysisofprograms has been extensivelyinvestigated before, we find it refreshing to re-considerit in the context of pure property inference for pre/post specifications. For space reasons, we shallnotconsiderthisaspectthatusesuninterpretedfunctionsintherestofthepaper. 3 Specification Language Inthissection,weintroducethespecificationlanguageusedinpurebi-abduction(Fig- ure1).Thelanguagesupportsdatatypedeclarationsdatat(e.g.node),inductiveshape predicatedefinitionsspred(e.g.ll)andmethodspecificationsspec.Eachiterativeloop Bi-AbductionwithPurePropertiesforSpecificationInference 111 isconvertedtoanequivalenttail-recursivemethod,wheremutationsonparametersare madevisibletothecallerviapass-by-reference. Regardingeachmethod’sspecification,itis madeupofasetofinferablevariables [v∗,v∗ ],apreconditionΦ andapostconditionΦ .Theintendedmeaningiswhenever rel pr po the methodis called in a state satisfying preconditionΦ and the methodterminates, pr the resulting state will satisfy the correspondingpostcondition Φ . The specification po inferenceprocesscanbeenabledbyprovidingaspecificationwithinferablevariables.If [v∗]isspecified,suitablepreconditionsonthesevariableswillbeinferredwhileif[v∗ ] rel isspecified,suitableapproximationsfortheseuninterpretedrelationswillbeinferred. Program prog ::=tdecl∗meth∗ tdecl::=datat|spred|spec Datadeclaration datat ::=datac{(tv)∗} Shapepredicate spred::=predp(cid:4)v∗(cid:5)≡Φ Methodspec spec ::=(cid:2)infer[v∗,vr∗el]requiresΦpr ensuresΦpo; Formula Φ ::= (∃v∗·κ∧π)∗ Heapformula κ ::=κ1∗κ2|p(cid:4)v∗(cid:5)|v(cid:2)→c(cid:4)u∗(cid:5)|emp Pureformula π ::=π∧ι|ι ι::=vrel(v∗)|α α ::=γ |i|b|ϕ|α1∨α2 |α1∧α2 |¬α |∃v·α|∀v·α Lineararithmetic i ::=a1=a2 |a1≤a2 a ::=kint |v|kint×a|a +a |−a|max(a ,a )|min(a ,a ) 1 2 1 2 1 2 Booleanformula b ::=true |false |v|b1=b2 Bagconstraint ϕ ::=v∈B|B1=B2|B1(cid:2)B2|∀v∈B·α|∃v∈B·α B ::=B (cid:14)B |B (cid:15)B |B −B |{}|{v} 1 2 1 2 1 2 Ptr.(dis)equality γ ::=v1=v2|v=null|v1(cid:16)=v2|v(cid:16)=null β ::=v (v∗)→α|π→v (v∗) rel rel Δ ::=Δ ∨Δ |Δ ∗Δ |∃v·Δ|κ∧π φ ::=π 1 2 1 2 Fig.1.TheSpecificationLanguageusedinPureBi-Abduction TheΦconstraintisindisjunctivenormalform.Eachdisjunctconsistsofa∗-separated heapconstraintκ,referredtoasheappart,andaheapfreeconstraintπ,referredtoas pure part. The pure part does not contain any heap nodes and is presently restricted touninterpretedrelationsvrel(v∗),pointer(dis)equalityγ,lineararithmetici,boolean constraintsbandbagconstraintsϕ.Internally,eachuninterpretedrelationisannotated with@pror@po,dependingonwhetheritcomesfromthepreconditionorpostcondition resp.Thisinformationwillbelaterusedtosynthesizetheapproximationforeachunin- terpretedrelationinSec.6.TherelationaldefinitionsandobligationsdefinedinSec.4.4 aredenotedasπ→vrel(v∗)andvrel(v∗)→α resp.Lastly,Δ denotesa compositefor- mulathatcanbenormalizedintotheΦform,whileφrepresentsapureformula. 4 Principles ofPure Bi-Abduction Initialworks[1,13]aretypicallybasedonanentailmentsystemoftheformΔ1 (cid:15)Δ2 (cid:2) Δr,whichattemptstoprovethatthecurrentstateΔ1entailsanexpectedstateΔ2with Δr asitsframe(orresidual)notrequiredforprovingΔ2. Tosupportshapeanalysis,bi-abduction[3]wouldallowbothpreconditionsandpost- conditionsonshapespecificationtobeautomaticallyinferred.Bi-abductionisbasedon 112 M.-T.Trinhetal. amoregeneralentailmentoftheformΔ1 (cid:15) Δ2 (cid:2)(Δp,Δr),wherebyaprecondition Δp,theconditionfortheentailmentprovingtosucceed,maybeinferred. Inthispaper,weproposepurebi-abductiontechniquetoinferpureinformationfor pre/postspecifications.Tobetterexploittheexpressivenessofseparationlogic,weinte- grateinferencemechanismsdirectlyintoitandproposetouseanentailmentsystemof thefollowingform[v1,..,vn]Δ1 (cid:15) Δ2 (cid:2)(φp,Δr,βc).Threenewfeaturesareadded heretosupportinferenceonpureproperties: • We mayspecifyasetofvariables{v1,..,vn}forwhichinferenceisselectivelyap- plied.Asaspecialcase,whennovariablesarespecified,theentailmentsystemreduces toforwardverificationwithoutinferencecapability. • We allow second-ordervariables,in the formofuninterpretedrelations,to support inferenceofpurepropertiesforpre/postspecifications. • Wethencollectasetofconstraintsβc oftheformφ1 =⇒φ2,toprovideinterpreta- tionsforthesesecond-ordervariables.Thisapproachiscriticalforcapturinginductive definitionsthatcanberefinedviafix-pointanalyses. We first highlight key principles employed by pure bi-abduction with examples. LaterinSec.5,weshallpresenttheformalizationforourproposedtechnique. 4.1 SelectiveInference Ourfirstprincipleisbasedonthenotionthatpurebi-abductionisbestdoneselectively. Considerthreeentailmentsbelowwithx(cid:2)→node(cid:4) ,q(cid:5)asaconsequent: [n]llN(cid:2)x,n(cid:3)(cid:15)x(cid:8)→node(cid:2) ,q(cid:3)(cid:2)(n>0,llN(cid:2)q,n−1(cid:3),∅) [x]llN(cid:2)x,n(cid:3)(cid:15)x(cid:8)→node(cid:2) ,q(cid:3)(cid:2)(x(cid:12)=null,llN(cid:2)q,n−1(cid:3),∅) [n,x]llN(cid:2)x,n(cid:3)(cid:15)x(cid:8)→node(cid:2) ,q(cid:3)(cid:2)(n>0∨x(cid:12)=null,llN(cid:2)q,n−1(cid:3),∅) PredicatellN(cid:2)x,n(cid:3)byitselfdoesnotentailanon-emptynode.Fortheentailmentprov- ingtosucceed,thecurrentstate wouldhaveto bestrengthenedwith eitherx(cid:16)=null or n>0.Ourprocedurecandecideonwhichpre-conditiontoreturn,dependingontheset ofvariablesforwhichpre-conditionsarebuiltfrom.Theselectivityisimportantsince weonlyconsiderasubsetofvariables(e.g.a,b,r),whichareintroducedtocapturepure propertiesofdatastructures.Notethatthisselectivitydoesnotaffecttheautomationof purebi-abductiontechnique,sincethevariablesofinterestcanbegeneratedautomati- callyrightafterapplyingpredicateextensionmechanisminSec.7. 4.2 NeverInferringfalse Anotherprinciplethatwestriveinourselectiveinferenceisthatweneverinferanycu- mulativepreconditionthatisequivalenttofalse,sincesuchapreconditionwouldnot beprovableforanysatisfiableprogramstate.Asanexample,consider[x]true (cid:17)x>x. Thoughwecouldhaveinferredx>x,werefrainfromdoingso,sinceitisonlyprovable underdeadcodescenarios. 4.3 AntecedentContradiction The problem of traditional abduction is to find an explanatory hypothesis such that it is satisfiable with the antecedent. Our purpose here is different in the sense that we aim to find a sufficient precondition that would allow an entailment to succeed. Considering [v∗] Δ1 (cid:15) Δ2, if a contradiction is detected between Δ1 and Δ2, the Bi-AbductionwithPurePropertiesforSpecificationInference 113 only precondition (over variables v∗) that would allow such an entailment to suc- ceed is one that contradicts the antecedent Δ1. Although we disallow false to be inferred, we allow above precondition if it is not equivalent to false. For example, with [n] x=null∧n=0 (cid:17) x(cid:16)=null, we have a contradiction between x=null∧n=0 and x(cid:16)=null.Toallowthisentailmenttosucceed,weinfern(cid:16)=0asitspreconditionoverjust theselectedvariable[n]. 4.4 UninterpretedRelations Ourinferencedealswithuninterpretedrelationsthatmayappearineitherpreconditions orpostconditions.Werefertotheformeraspre-relationsandthelatteraspost-relations. Pre-relationsshouldbeasweakaspossible,whilepost-relationsshouldbeasstrongas possible. Our inferencemechanism respects this principle,and would use it to derive theweakestpre-relationsandstrongestpost-relations,wherepossible. Toprovidedefinitionsfortheseuninterpretedrelations,suchasR(v∗),weinfertwo kindsofrelationalconstraints.Thefirstkind,calledrelationalobligation,isoftheform π∧R(v∗)→c, where the consequent c is a known constraint and unknown R(v∗) is presentin the antecedent.The secondkind,called relationaldefinition,is of the form π→R(v∗),wheretheunknownrelationisintheconsequentinstead. Relational Obligations. They are useful in two ways. For pre-relations, they act as initialpreconditionsfor(recursive)methods.Forpost-relations,theydenoteproofobli- gationsthat post-relationsmust also satisfy. We will check these obligationsafter we havesynthesizedpost-relations. As an example, consider the entailment extracted from the motivating example: [P] a≥1∧b=0∧P(a,b) (cid:17) b(cid:16)=0. We infer P(a,b)→a≤0∨b(cid:16)=0, which will denote an ini- tial precondition for P. More generally, with [P] α1∧P(v∗) (cid:15) α2 where α1 and α2 denote known constraints, we first selectively infer preconditionφ over selected vari- ables v∗ and then collect P(v∗)→ φ as our relational obligation. To obtain succinct pre-conditions,wefilteroutconstraintsthatcontradictthecurrentprogramstate. RelationalDefinitions. Theyaretypicallyusedtoformdefinitionsforfixpointanaly- ses.Forpost-relations,weshouldinferthestrongestdefinitions.Aftergatheringthere- lationaldefinitions(bothbaseandinductivecases),wewouldapplyaleastfixpointpro- cedure [17] to discover suitable closed-form definitions for post-relations. For pre-relations, while it may be possible to compute a greatest fixpoint to discover the weakest pre-relationsthat can satisfy all relationalconstraints, we have designed two simplertechniquesforinferringpre-relations.Afterfindingtheinterpretationsforpost- relations,weattempttoextractconditionsoninputvariablesfromthem.Iftheextracted conditionscansatisfyallrelationalconstraintsforpre-relations,wesimplyusethemas theapproximationsforourpre-relations.Ifnot,weproceedwithasecondtechniqueto firstconstructarecursiveinvariantwhichrelatestheparametersofanarbitrarycall(e.g. RECa,RECb)tothoseofthefirstone(e.g.a,b)usingtop-downfixpoint[18].Forexample, a recursiveinvariantrec inv forzip methodis RECa≥0∧a≥1+RECa∧RECa+b=RECb+a. Next, since parameters of an arbitrary call must also satisfy relevant relational obli- gations, the precondition pre rec is then ∀RECa,RECb· rec inv→pre fst(RECa,RECb), wherepre fst(a,b)=a≤0∨b(cid:16)=0istheinitialcondition.Finally,thepreconditionforall method invocationsis pre fst∧pre rec∧a≥0∧b≥0=0≤a≤b. This approachallows us 114 M.-T.Trinhetal. toavoidgreatestfix-pointanalyses,whoseimportantoperators(i.e.narrowing)aresup- portedinrestricteddomains,andissufficientforallpracticalexamplesevaluated. 5 FormalizationofPure Bi-Abduction Recallthatourbi-abductiveentailmentprovingprocedurehasthefollowingform: [v∗]Δ (cid:15)Δ (cid:2)(φ ,Δ ,β ). 1 2 3 3 3 Thisnewentailmentprocedureservestwokeyroles: • Forourforwardverification,itsgoalistoreducetheentailmentbetweenseparation formulastotheentailmentbetweenpureformulasbysuccessivelymatchingupaliased heapnodesbetweentheantecedentandtheconsequentthroughfolding,unfoldingand matching[13]. When this happens,the heapformulain the antecedentis soundlyap- (cid:2) proximated by returning a pure approximation of the form (∃v∗·π)∗ for each given heapformulaκ(usingXPurefunctionasin[13]). • Forourinference,itsgoalistoinferapreconditionφ3andgatherasetofconstraints β3 overspecifieduninterpretedrelations.AlongwiththeinferredframeΔ3,weshould beabletofinallyconstructrelevantpreconditionsandpostconditionsforeachmethod. Thefocusofthecurrentworkisonthesecondcategory.Fromthisperspective,the scenarioofinterestiswhenboththeantecedentandtheconsequentareheapfree,and therulesinFigure2caninturnapply.Takenotethattheserulesareappliedina top- downandleft-to-rightorder. [INF−[AND]] [v∗]π (cid:17)π (cid:2)(φ ,Δ ,β ) [v∗]π (cid:17)π (cid:2)(φ ,Δ ,β ) 1 2 2 2 2 1 3 3 3 3 [v∗]π (cid:17)π ∧π (cid:2)(φ ∧φ ,Δ ∧Δ ,β ∪β ) 1 2 3 2 3 2 3 2 3 [INF−[UNSAT]] [INF−[VALID]] UNSAT(α1) α1 ⇒ α2 [v∗]α (cid:17)α (cid:2)(true,false,∅) [v∗]α (cid:17)α (cid:2)(true,α ,∅) 1 2 1 2 1 [INF−[LHS−CONTRA]] [INF−[PRE−DERIVE]] φ =∀(FV(α1)−v∗)·¬α1 φ=∀(FV(α1,α2)−v∗)·(¬α1∨α2) UNSAT(α1∧α2) φ(cid:16)=false φ(cid:16)=false [v∗]α (cid:17)α (cid:2)(φ,false,∅) [v∗]α (cid:17)α (cid:2)(φ,α ∧φ,∅) 1 2 1 2 1 [INF−[REL−DEFN]] [v∗,v ]π(cid:17)v (u∗)(cid:2)(true,true,{π→v (u∗)}) rel rel rel [INF−[REL−OBLG]] [u∗]α (cid:17)α (cid:2)(φ ,Δ ,∅) [v∗]α (cid:17)α (cid:2)(φ ,Δ ,∅) 1 2 1 1 1 2 2 2 [v∗,v ]α ∧v (u∗)(cid:17)α (cid:2)(φ ,Δ ∧Δ ,{v (u∗)→φ }) rel 1 rel 2 2 1 2 rel 1 Fig.2.PureBi-AbductionRules • Rule[INF−[AND]]breakstheconjunctiveconsequentintosmallercomponents. • Rules [INF−[UNSAT]] and [INF−[VALID]] infer true precondition whenever the Bi-AbductionwithPurePropertiesforSpecificationInference 115 entailment already succeeds. Specifically, rule [INF−[UNSAT]] applies when the an- tecedent α1 of the entailment is unsatisfiable, whereas rule [INF−[VALID]] is used if [INF−[UNSAT]]cannotbeapplied,meaningthattheantecedentissatisfiable. • The pure precondition inference is captured by two rules [INF−[LHS−CONTRA]] and [INF−[PRE−DERIVE]]. While the first rule handles antecedentcontradiction,the secondoneinfersthemissinginformationfromtheantecedentrequiredforprovingthe consequent.Specifically,wheneveracontradictionisdetectedbetweentheantecedent α1 and the consequent α2, then rule [INF−[LHS−CONTRA]] applies and the precon- dition ∀(FV(α1)−v∗)·¬α1 contradicting the antecedent is being inferred. Note that FV(·) returns the set of free variables from its argument(s), while v∗ is a shorthand notation for v1,..,vn1. On the other hand, if no contradiction is detected, then rule [INF−[PRE−DERIVE]] infersa sufficientpreconditionto provethe consequent.In or- derto notcontradictthe principlestated in Sec. 4.2, bothaforementionedrulescheck thattheinferredpreconditionisnotequivalenttofalse. • The last two rules [INF−[REL−DEFN]] and [INF−[REL−OBLG]] are used to gather definitionsandobligationsrespectively,fortheuninterpretedrelationvrel(u∗).Forsim- plicity,inrule[INF−[REL−OBLG]],we justformalizethecase whenthereisonlyone uninterpretedrelationintheantecedent. 6 Inference via Hoare-StyleRules CodeverificationistypicallyformulatedasaHoaretripleoftheform:(cid:15){Δ1}c{Δ2}, withapreconditionΔ1 andapostconditionΔ2.Thisverificationcouldeitherbecon- ductedforwardsorbackwardsforthespecifiedpropertiestobesuccessfullyverified,in accordancewiththerulesofHoarelogic.Inseparationlogic,thepredominantmodeof verificationisforward.Specifically,givenaninitialstateΔ1andaprogramcodec,such aHoare-styleverificationruleisexpectedtocomputeabestpossiblepostconditionΔ2 satisfyingtheinferencerulesofHoarelogic.Ifthebestpossiblepostconditioncannotbe calculated,itisalwayssoundandoftensufficienttocomputeasuitableapproximation. To supportpurebi-abduction,weextendthisHoare-styleforwardruleto theform: [v∗](cid:15){Δ1}c{φ2,Δ2,β2}withthreeadditionalfeatures(i)asetofvariables[v∗](ii) anextrapreconditionφ2 thatmustbeadded(iii)asetofdefinitionsandobligationsβ2 onthespecifieduninterpretedrelations.Theselectivitycriterionwillhelpensurethatφ2 andβ2comefromonlythespecifiedsetofvariables,namely{v∗}.Ifthissetisempty, ournewruleissimplythecasethatperformsverification,withoutanyinference. Figure3capturesasetofourHoareruleswithpurebi-abduction.Rule[INF−[SEQ]] showshowsequentialcompositione1;e2ishandled.Thetwoinferredpreconditionsare conjunctivelycombinedasφ2∧φ3.Rule[INF−[IF]]dealswithconditionalexpression. Ourcorelanguageallowsonlybooleanvariables(e.g.w) ineachconditionaltest.We useaprimednotationwherebywdenotestheoldvalue,andw(cid:3)denotesthelatestvalue of each variable w. The conditionsw(cid:3) and ¬w(cid:3) are asserted for each of the two con- ditional branches. Since the two preconditionsφ2,φ3 come from two branches, both of them must hold for soundness; thus they are combined conjunctively in a conser- vative manner. Rule [INF−[ASSIGN]] handlesassignmentstatement. We first define a 1Ifthereisnoambiguity,wecanusev∗insteadof{v∗}. 116 M.-T.Trinhetal. composition with update operator. Given a state Δ1, a state change Δ2, and a set of variablestobeupdatedX={x1,...,xn},thecompositionoperatoropX isdefinedas: Δ1 opX Δ2 d=ef∃r1..rn·(ρ1Δ1)op(ρ2Δ2),wherer1,...,rn arefreshvariablesand ρ1 = [ri/x(cid:3)i]ni=1, ρ2 = [ri/xi]ni=1. Note thatρ1 andρ2 aresubstitutionsthatlink each latestvalueofx(cid:3)i inΔ1 withthecorrespondinginitialvaluexi inΔ2 viaafreshvari- ableri.Thebinaryoperatoropiseither∧or∗.Instancesofthisoperatorwillbeusedin theinferencerules[INF−[ASSIGN]]and[INF−[CALL]].Asillustratedin[INF−[CALL]], foreachmethodcall,wemustensurethatitspreconditionissatisfied,andthenaddthe expectedpostconditionintoitsresidualstate.Here,(tivi)mi=−11arepass-by-referencepa- rameters,thataremarkedwithref,whilethepass-by-valueparametersV areequated to their initial values through the nochange function, as their updated values are not visible to the method’s callers. Note that inference may occur during the entailment provingforthemethod’sprecondition. [INF−[SEQ]] [v∗](cid:17){Δ}e {φ ,Δ ,β } [v∗](cid:17){Δ }e {φ ,Δ ,β } 1 2 2 2 2 2 3 3 3 [v∗](cid:17){Δ}e ;e {φ ∧φ ,Δ ,β ∪β } 1 2 2 3 3 2 3 [INF−[IF]] [v∗](cid:17){Δ∧w(cid:3)}e {φ ,Δ ,β } [v∗](cid:17){Δ∧¬w(cid:3)}e {φ ,Δ ,β } 1 2 2 2 2 3 3 3 [v∗](cid:17){Δ}ifwthene elsee {φ ∧φ ,Δ ∨Δ ,β ∪β } 1 2 2 3 2 3 2 3 [INF−[ASSIGN]] [v∗](cid:17){Δ}e{φ ,Δ ,β } Δ =∃res·(Δ ∧ u(cid:3)=res) 2 2 2 3 2 u [v∗](cid:17){Δ}u:=e{φ ,Δ ,β } 2 3 2 [INF−[CALL]] t0mn(ref(tivi)mi=−11,(tj vj)nj=m) Φpr Φpo{c}∈Prog ρ=[v(cid:3)/v ]n Φ(cid:3) =ρ(Φ ) W={v ,...,v } V={v ,...,v } k k k=1 pr pr 1 m−1 m n [v∗]Δ(cid:17)Φ(cid:3)pr(cid:2)(φ2,Δ2,β2) Δ3=(Δ2∧nochange(V)) ∗V∪W Φpo [v∗](cid:17){Δ}mn(v1,...,vm−1,vm,...vn){φ2,Δ3,β2} (cid:3) [INF−[METH]] [v∗,v∗ ](cid:17){Φ ∧ (u(cid:3)=u)∗}c{φ ,Δ ,β } [v∗,v∗ ]Δ (cid:17)Φ (cid:2)(φ ,Δ ,β ) rel pr 2 2 2 rel 2 po 3 3 3 ρ1 =infer pre(β2∪β3) ρ2=infer post(β2∪β3) Φn =ρ (Φ ∧φ ∧φ ) Φn =ρ (Φ ∗Δ ) pr 1 pr 2 3 po 2 po 3 (cid:17)t0mn((tu)∗)infer[v∗,vr∗el]ΦprΦpo{c}(cid:2)ΦnprΦnpo Fig.3.HoareRuleswithPureBi-Abduction Lastly,wediscusstherule[INF−[METH]]forhandlingeachmethoddeclaration.At theprogramlevel,ourinferenceruleswillbeappliedtoeachsetofmutuallyrecursive methodsinabottom-uporderinaccordancewiththecallhierarchy.Thisallowsusto gather the entire set β of definitions and obligations for each uninterpreted relation. Fromthissetβweinferthepre-andpost-relationsviatwotechniquesdescribedbelow.
Description: