UCLDEPARTMENTOF COMPUTERSCIENCE Research Note RN/13/14 Cyclic Abduction of Inductively Defined Safety and Termination Preconditions July 12, 2013 James Brotherston Nikos Gorogiannis Abstract We describe a new method, called cyclic abduction, for automatically inferring safetyand/orterminationpreconditionsforheap-manipulatingwhileprograms, expressed as inductive definitions in separation logic. Cyclic abduction essen- tially works by searching for a cyclic proof of memory safety and/or termina- tion, abducing definitional clauses of the precondition as necessary in order to advance the proof search process. This is achieved via a suite of heuristically guided automatic tactics. We have implemented our cyclic abduction procedure as an automatic tool, Caber, that automatically infers the correct safety and termination precondi- tions for a range of common small programs manipulating lists and trees, and can also abduce the definitions of more exotic data structures such as cyclic or segmented lists, or trees of linked lists. To our knowledge, cyclic abduction is the first technique for automatically abducing such inductive definitions from pointer programs. Cyclic Abduction of Inductively Defined Safety and Termination Preconditions JamesBrotherston∗ NikosGorogiannis† Dept.ofComputerScience,UniversityCollegeLondon,UK Abstract describedbytheprovideddefinitions.Forexample,thewellknown Wedescribeanewmethod,calledcyclicabduction,forautomat- SPACEINVADER [25] and SLAYER [5] analysers perform accu- ratelyonprogramsusingcombinationsoflinkedlists,asfoundwith ically inferring safety and/or termination preconditions for heap- devicedrivers,butreportafalsebugiftheyencounteratree.Thus manipulating while programs, expressed as inductive definitions theabilitytomechanicallyinfer,orabduce,theinductivepredicates inseparationlogic.Cyclicabductionessentiallyworksbysearch- neededtoanalyseindividualprocedureshasthepotentialtogreatly ingforacyclicproof ofmemorysafetyand/ortermination,abduc- boosttheautomationofsuchverificationtools. ingdefinitionalclausesofthepreconditionasnecessaryinorderto In this paper, we consider the following form of the above advance the proof search process. This is achieved via a suite of synthesisorabductionproblem:givenaheap-manipulatingwhile heuristicallyguidedautomatictactics. programP,canwedefineaninductivepredicateinseparationlogic Wehaveimplementedourcyclicabductionprocedureasanau- suchthat,giventhispredicateasaprecondition, tomatic tool, CABER, that automatically infers the correct safety and termination preconditions for a range of common small pro- • P runswithoutencounteringamemoryerror(safety);or grams manipulating lists and trees, and can also abduce the defi- nitionsofmoreexoticdatastructuressuchascyclicorsegmented • P eventuallyterminatessafely(termination)? lists,ortreesoflinkedlists.Toourknowledge,cyclicabductionis thefirsttechniqueforautomaticallyabducingsuchinductivedefi- These are highly non-trivial questions. On the one hand, the nitionsfrompointerprograms. weakest (liberal) precondition (cf. Dijkstra [15]) can straightfor- wardlybeextractedfromP,butisuselessforanalysis:Deciding Categories and Subject Descriptors F.3.1 [Logics and Mean- whichprogramstatessatisfythispreconditionisashardasdecid- ingsofPrograms]:SpecifyingandVerifyingandReasoningabout ingfromwhichstatesP runssafelyand/orterminates!Ontheother Programs—Logicsofprograms,pre-andpost-conditions hand,manypreconditions(e.g.⊥)maybecorrectbuttoostrongbe- GeneralTerms Verification,theory causetheyruleouttheexecutionofsomeoftheprogram.Ideally, wewouldliketofindtheweakestpreconditionthatisexpressible Keywords abduction, shape analysis, cyclic proof, separation insidesomefairlynatural,“positive”classofinductivedefinitions logic,inductivedefinitions,programverification andthatensuresmaximalprogramcoverage.Forcomputabilityrea- sons,wecannothopetoobtainsuchapreconditioningeneral,so 1. Introduction wemustinsteadlookforreasonableapproximatingheuristics. Our main contribution is a new method, cyclic abduction, for Inthelastfewyears,anumberofprogramanalyseshaveappeared inferring safety and/or termination preconditions for while pro- thatemployseparationlogic[24]toestablishsafetyand/ortermi- grams,expressedasinductivedefinitionsinseparationlogic.Our nationpropertiesofheap-manipulatingprograms,insomecasesex- approachisbaseduponheuristicproofsearchinaformalsystem tendingtosubstantialcodebases(seee.g.[25,16,21,23]).Allof ofcyclicproofs,adaptedfromthecyclicterminationproofsin[8]. these analyses rely on the use of inductive predicates to specify Here,thecoreofacyclicproofisaderivationtreebuiltfrom theshapeofdatastructuresstoredinmemoryandmanipulatedby symbolic execution rules capturing the effect of program com- theprogram,e.g.,listsortrees.However,suchpredicatesmusttyp- mands(cf.[3]),andlogicalrulesthatmanipulatetheprecondition. ically be hard-coded into the analysis (or in some cases must be Cyclicproofsaresonamedbecausethisderivationtreeisallowed providedbytheuser).Thismeansthattheanalysismusteitherfail to contain back-links identifying leaves of the tree with arbitrary orasktheuserforadvicewhenitencountersadatastructurenot interior nodes, potentially creating cycles in the proof. Because ∗ResearchsupportedbyanEPSRCCareerAccelerationFellowship. such structures do not in general correspond to sound proofs, an additional(decidable)globalsoundnessconditionmustbeimposed †ResearchsupportedbyEPSRCgrantEP/H008373/1. uponthesegraphstoqualifythemasgenuineproofs.Thedifference betweencyclicproofsofmemorysafetyandthoseoftermination isentirelyamatterofthechoiceofsoundnesscondition. Given a program, our cyclic abduction procedure aims to si- multaneouslyconstructtheinductivedefinitionofapreconditionin separationlogic,underwhichthisprogramismemorysafeand/or terminating.Broadlyspeaking,wesearchforacyclicproofthatthe programhasthedesiredproperty,andwhentheproofsearchgets stuck,weabduce(i.e.,guess)partofthepreconditioninorderto [Copyrightnoticewillappearhereonce’preprint’optionisremoved.] proceed.Approximately,themainabductionprinciplesare: 1 2013/7/12 • symbolicallyexecutingbranchingcommandsinthederivation Aheapisapartialfunctionh : Loc (cid:42) (ValList)mapping fin leadstoconditionaldisjunctioninthedefinitions; finitelymanylocationstotuplesofvalues(i.e.records);wewrite dom(h)forthedomainofheaph,i.e.thesetoflocationsonwhich • symbolicallyexecutingdereferencingcommandsinthederiva- hisdefined,andefortheemptyheapthatisundefinedeverywhere. tionforcesustoincludepointerformulasinthedefinitions; Ifh andh areheapswithdom(h )∩dom(h ) = ∅,wedefine 1 2 1 2 • formingback-linksinthederivationleadstotheinstantiationof h ◦h tobetheunionofh andh ;otherwise,h ◦h isundefined. 1 2 1 2 1 2 recursioninthedefinitions;and Wewrites[x(cid:55)→v]forthestackdefinedexactlyassexceptthat • encounteringaloopintheprogramalertsustothepossibility (s[x(cid:55)→v])(x)=v,andadoptasimilarupdatenotationforheaps. thatwemayneedtogeneralisetheprecondition. Weemployastandardsmall-stepoperationalsemanticsofour programs (Fig. 1). A (program) state is either a triple (C,s,h) Wehaveimplementedourabductionprocedureasanautomatic where C is a command sequence, s a stack and h a heap, or the tool, CABER, that builds on the generic cyclic theorem prover specialstatefault,usedtocatchmemoryerrors.Givenaprogram CYCLIST [10]. This tool essentially comprises a number of low- fields f ,...,f ; C, we map the field names f ,...,f onto 1 k 1 k leveltacticsimplementingtheabductionprinciplesabove,heuristi- elementsofheaprecordsbyf = j.Thesmall-stepsemantics j def callyguidedbyahigh-levelproofsearchstrategy.CABERisableto ofourprogramsisthenasusualgivenbyabinaryrelation(cid:32)on automaticallyabducesafetyand/orterminationpreconditionsfora states,presentedinFigure1.Wewrite(cid:32)nforthen-stepvariantof fairlywidevarietyofcommonsmallprograms.Theabducedinduc- (cid:32),and(cid:32)∗ foritsreflexive-transitiveclosure.Wesaythatastate tivepredicatesincludedefinitionsofsegmented,cyclic,nestedand (C,s,h)issafeifthereisnocomputation(C,s,h)(cid:32)∗ fault,i.e. mutuallydefineddatastructures(overanynumberofparameters). if running the program from (C,s,h) cannot result in a memory Theremainderofthispaperisstructuredasfollows.Section2 error.Wesaythat(C,s,h)isterminatingifitissafeandthereis introducestheprogramminglanguageandthefragmentofsepara- noinfinite(cid:32)-computationstartingfrom(C,s,h). tionlogicpreconditionsweusetoexpressprogrampreconditions. Section 3 presents the formal system of cyclic safety/termination Proposition 2.1 (Safety / termination monotonicity). If (C,s,h) proofsonwhichourabductiontechniqueisbased.InSection4we issafe(resp.terminating)andh◦h(cid:48)isdefinedthen(C,s,h◦h(cid:48)) presentanoverviewofthecyclicabductionstrategy,andthende- isalsosafe(terminating). scribeindetailthevariousabductivetacticsfromwhichitisbuilt. Section5describestheimplementationofourcyclicabductiontool CABERandourexperimentalevaluationofthistool.Section6ex- Essentially,Proposition2.1holdsforthesamereasonasin[26], aminesrelatedworkandSection7concludes. i.e.,extendingthememorycannotleadtonewmemoryfaults.Itis possiblethatextendingthememorymightleadtonon-termination wherepreviouslytherewasamemoryfault,butthisisnotproblem- 2. Programsandpreconditions aticsinceterminatingstatesarealsorequiredtobesafe. Inthissectionwepresentabasiclanguageofwhileprogramswith heappointers(similartothelanguagein[26])andthefragmentof separationlogicweusedtoexpressprogrampreconditions,based 2.3 Syntaxoflogicalpreconditions uponthesymbolicheapsof[3]. Weoftenusevectornotationtoabbreviatetuplesorlists,e.g.x We express program preconditions using a simple fragment of for(x ,...,x ).Wewritex fortheithelementofthetuplex. separationlogicwithinductivedefinitions,basedonthesymbolic 1 k i heapsof[3].Weassumeaninfinitesetofpredicatesymbols,each 2.1 Syntaxofprograms. withanassociatedarity. We assume infinite sets Var of variables and of field names. An expressioniseitheravariableortheconstantnil.Branchingcondi- Definition2.2. Formulasaregivenbythefollowinggrammar: tionsB andcommandsequencesC aredefinedasfollows,where x,yrangeoverVar,f overfieldnamesandEoverexpressions: F ::=(cid:62)|⊥|E =E |E (cid:54)=E |emp|x(cid:55)→E|P(E)|F ∗F B ::= (cid:63)|E =E |E (cid:54)=E C ::= (cid:15)|x:=E; C |y:=x.f; C |x.f :=E; C | wherexrangesoverVar,Erangesoverexpressions,P overpred- free(x); C |x := new(); C | icatesymbolsandEovertuplesofexpressions(matchingthearity ifBthenCelseCfi; C |whileBdoCod; C ofP inP(E)).WewriteF[E/x]fortheresultofreplacingalloc- currencesofthevariablexbytheexpressionE intheformulaF. wherey := x.f andx.f := E(cid:48) respectivelyreadfromandwrite Substitutionisextendedpointwisetotuples;butwhenwewritean tofieldf oftheheapcellwithaddressx,and(cid:63)representsanon- expressionoftheformF[E/x ],wemeanthatEshouldbesubsti- i deterministic condition. A program is a list of the field names of tutedfortheithcomponentofxonly. heaprecordsfollowedbyacommandsequence: We define ≡ to be the least equivalence on formulas closed underassociativityandcommutativityof∗andF ∗emp≡F. fieldsf ,...,f ; C 1 k 2.2 Semanticsofprograms Definition2.3. Aninductiverulesetisafinitesetofinductiverules eachoftheformF ⇒P(E),whereF andP(E)areformulas.We We use a typical RAM model employing heaps of records. We fix a set Val of values, of which an infinite subset Loc ⊂ Val sometimeswriteaninductiveruleasF ⇒z P(E),wherezisatuple are locations, i.e., the addresses of heap cells. We also assume a listingthesetofallvariablesappearinginF andE. “nullary” value nil ∈ Val\Loc which is not the address of any If Φ is an inductive rule set we define ΦP to be the set of all heapcell.Astackisafunctions:Var→Val.Thesemantics[[E]]s inductiverulesforP inΦ,i.e.thoseoftheformF ⇒ P(E).We ofexpressionEinstacksisdefinedasusual:[[x]]s=def s(x)forall sayP isundefinedifΦP isempty. x∈Var,and[[nil]]s= nil.Thesemantics[[B]]s⊆{true,false} def ofabranchingconditionBinstacksisdefinedintheobviousway InductiverulesforapredicateP areunderstoodasdisjunctive forequalitiesanddisequalities,and[[(cid:63)]]s= {true,false}. clausesofthedefinitionofP (cf.[8]). def 2 2013/7/12 2.4 Semanticsoflogicalpreconditions we include an unfolding (or “case analysis”) rule for inductively definedpredicatesthatunfoldsaformulaP(E)intheconclusion Theforcingrelations,h|= F forsatisfactionoftheformulaF Φ accordingtothedefinitionofP inaninductivedefinitionsetΦ: bythestacksandheaphunderinductiverulesetΦisdefinedby s,h|= (cid:62) ⇔ always Example3.2. Defineaunaryinductivepredicatebt(x),denoting Φ s,h|= ⊥ ⇔ never thoseheapsstructuredasabinarytreewithheadpointerx,by Φ s,h|=Φ E1 =E2 ⇔ [[E1]]s=[[E2]]sandh=e x=nil⇒bt(x) s,h|= E (cid:54)=E ⇔ [[E ]]s(cid:54)=[[E ]]sandh=e Φ 1 2 1 2 x(cid:54)=nil∗x(cid:55)→(y,z)∗bt(y)∗bt(z)⇒bt(x) s,h|= emp ⇔ h=e Φ s,h|= E (cid:55)→E ⇔ dom(h)={[[E]]s}andh([[E]]s)=[[E]]s Theunfoldingruleforbtisthefollowing: Φ s,h|=Φ P(E) ⇔ (h,[[E]]s)∈[[P]]Φ E =nil∗F (cid:96)C s,h|=Φ F1∗F2 ⇔ h=h1◦h2ands,h1 |=Φ F1 E (cid:54)=nil∗E (cid:55)→(y(cid:48),z(cid:48))∗bt(y(cid:48))∗bt(z(cid:48))∗F (cid:96)C ands,h2 |=Φ F2 (bt) bt(E)∗F (cid:96)C Inordertoremovetheneedforstandardconjunction∧inourlogic fragment, it is convenient to interpret equalities and disequalities wherey(cid:48)andz(cid:48)arefreshvariables. as holding in the empty heap. (This does not result in a loss of Definition3.3(Pre-proof). Apre-proof ofF (cid:96)Cisapair(D,L), expressivity,since,e.g.,arbitrarys,hsatisfyings(x) = s(y)can whereDisafinitederivationtreewhoserootislabelledbyF (cid:96)C, berepresentedasx=y∗(cid:62). Thesemantics[[P]]ΦofthepredicateP underΦis,asusual,the and L is a back-link function assigning to every open leaf (cid:96) of D a node L((cid:96)) of D such that the judgements at (cid:96) and L((cid:96)) are leastprefixedpointofamonotoneoperatorconstructedfromΦ: syntacticallyidentical. Definition 2.4. Assume that Φ defines n predicates P1,...,Pn. Anypre-proofP =(D,L)canbeunderstoodasagraph,with PartitionΦintoΦ1,...,Φn,whereΦi ⊆Φisthesetofinductive an edge from the conclusion of any rule instance to each of its rulesoftheformF ⇒ Pix.WeleteachΦi beindexedbyj,and premises,byidentifyingeachopenleaf(cid:96)ofDwithL((cid:96)).Apath foreachinductiveruleΦi,j oftheformF ⇒ Pix,wedefinethe inPisthenunderstoodintheobviousway. operatorϕ by: i,j Lemma3.4. LetΦbeaninductiveruleset.Supposetheconclu- ϕi,j(X)=def {(s(x),h)|s,h|=X F} sion F (cid:96) C of an instance of a rule R is invalid w.r.t. Φ, so that there exist a stack s and heap h such that s,h |= F but where |= is the satisfaction relation defined above, except that Φ [[P ]]X =X X ,whereX = (X ,...,X )isatupleofpairsof (C,s,h)(cid:32)n fault. i def i 1 n Then there is a premise F(cid:48) (cid:96) C(cid:48) of this rule instance that theappropriatetype.Wethendefine[[P]]Φby: is invalid w.r.t. Φ, i.e. there exist stack s(cid:48) and heap h(cid:48) such that [[P]]Φ =def µX.((cid:83)jϕ1,j(X),...,(cid:83)jϕn,j(X)) s(cid:48),h(cid:48) |=Φ F(cid:48),but(C(cid:48),s(cid:48),h(cid:48))(cid:32)m fault.Moreover,m≤n,andif Risasymbolicexecutionrulethenm<n. Wewrite[[P ]]Φfortheithcomponentof[[P]]Φ. i Proof. A straightforward verification for each proof rule in Fig- Anextremelyusefulfactaboutthefragmentofseparationlogic ure2.Thecaseof(Frame)reliesuponProposition2.1. weconsideristhat,foranygiveninductiveruleset,itisdecidable whetheraformulainthefragmentisconsistent,i.e.,whetherornot Definition 3.5 (Cyclic proof). A pre-proof P is a cyclic (safety) theformulaissemanticallyequivalentto⊥.Theproofofthisfact, proof if for every infinite path in P, there are infinitely many whichisveryhelpfulinsimplifyingabducedpreconditionsaswell symbolicexecutionruleapplicationsalongthispath. asassessingtheirquality,appearsin[9]. Theorem 3.6. For any inductive rule set Φ, if there is a cyclic 3. Formalcyclicsafety/terminationproofs safetyproofofF (cid:96)C,thenF (cid:96)Cisvalidw.r.tΦ. Inthissectionwepresentaformalcyclicproofsystemforproving Proof. Suppose for contradiction that F (cid:96) C has a cyclic safety memory safety and/or termination of programs. The system here proof P but is invalid. Using Lemma 3.4, we can construct an is adapted from the system of cyclic termination proofs in [8], infinite path (F (cid:96) C ) in P, and an an infinite sequence withthefollowingmaindifferences:(i)wetreatwhileprograms k k k≥0 (n ) of natural numbers such that n < n whenever rather than goto programs; and (ii) we are additionally able to k k≥0 k+1 k F (cid:96) C istheconclusionofasymbolicexecutionruleinstance, considermemorysafetyonlybyimposinganalternativesoundness k k andn =n otherwise. conditionontheproofgraph. k+1 k SinceP isacyclicsafetyproof,thereareinfinitelymanysym- AproofjudgementisgivenbyF (cid:96)C,whereC isacommand bolic executions along the path (F (cid:96) C ) . This implies the sequenceandF isaformula. k k k≥0 existenceofaninfinitedescendingchainofnaturalnumbers,which Definition 3.1 (Validity). Let Φ be an inductive rule set. The isimpossible.HenceF (cid:96)Cmustbevalid. judgement F (cid:96) C is valid (resp. termination-valid) w.r.t. Φ if s,h|= F implies(C,s,h)issafe(resp.terminating). Wecanconsidercyclicproofsofterminationratherthanmem- Φ orysafetysimplybyreplacingthesoundnessconditionof3.5with The proof rules for judgements are given in Fig. 2. Our nota- the trace-based soundness condition of [8], which essentially de- tionalconventionisthattheprimedvariablesx(cid:48),x(cid:48)(cid:48)etc.appearing mands that some inductive predicate be unfolded infinitely often inthepremisesofrulesarechosenfresh,andwewriteBtomean alongeveryinfinitepathinthepre-proof.Thus,byasimpleadap- E (cid:54)= E(cid:48) if B is (E = E(cid:48)), and vice versa. The symbolic ex- tationofthesoundnessresultin[8],wealsohave: ecution rules for commands are adaptations of standard rules for separationlogic[3].Thelogicalrulesmanipulatetheprecondition Theorem 3.7. For any inductive rule set Φ, if there is a cyclic withoutadvancingtheprogram.Inparticular,therule(Frame)can terminationproofofF (cid:96)C—i.e.,apre-proofofF (cid:96)Csatisfying be seen as a special case of the general frame rule of separation thesoundnessconditionof[8]—thenF (cid:96)Cistermination-valid logic(seee.g.[26]),wherethepostconditionisomitted.Crucially, w.r.tΦ. 3 2013/7/12 (x:=E; C,s,h)(cid:32)(C,s[x(cid:55)→[[E]]s],h) [[y]]s∈dom(h) [[x]]s∈dom(h) (x:=y.f; C,s,h)(cid:32)(C,s[x(cid:55)→h([[y]]s).f],h) (x.f :=E; C,s,h)(cid:32)(C,s,h[[[x]]s.f (cid:55)→[[E]]s]) (cid:96)∈Loc\dom(h) v ,...,v ∈Val [[x]]s∈dom(h) 1 k (x:=new(); C,s,h)(cid:32)(C,s[x(cid:55)→(cid:96)],h[(cid:96)(cid:55)→(v ,...,v )] (free(x); C,s,h)(cid:32)(C,s,(h(cid:22)(dom(h)\{[[x]]s})) 1 k [[y]]s(cid:54)∈dom(h) [[x]]s∈/ dom(h) [[x]]s∈/ dom(h) (x:=y.f; C,s,h)(cid:32)fault (x.f :=E; C,s,h)(cid:32)fault (free(x); C,s,h)(cid:32)fault true∈[[B]]s false∈[[B]]s (ifBthenCelseC(cid:48)fi; C(cid:48)(cid:48),s,h)(cid:32)(C; C(cid:48)(cid:48),s,h) (ifBthenCelseC(cid:48)fi; C(cid:48)(cid:48),s,h)(cid:32)(C(cid:48); C(cid:48)(cid:48),s,h) true∈[[B]]s false∈[[B]]s (whileBdoCod; C(cid:48),s,h)(cid:32)(C; whileBdoCod; C(cid:48),s,h) (whileBdoCod; C(cid:48),s,h)(cid:32)(C(cid:48),s,h) Figure1. Small-stepoperationalsemanticsofprograms,givenbythebinaryrelation(cid:32)overprogramstates. Symbolicexecutionrules: x=E[x(cid:48)/x]∗F[x(cid:48)/x](cid:96)C F (cid:96)(cid:15) F (cid:96)x:=E; C x=E [x(cid:48)/x]∗(y(cid:55)→E∗F)[x(cid:48)/x](cid:96)C x(cid:55)→E[E/E ]∗F (cid:96)C f f |E|≥f |E|≥f y(cid:55)→E∗F (cid:96)x:=y.f; C x(cid:55)→E∗F (cid:96)x.f :=E; C x(cid:55)→(x(cid:48),...,x(cid:48))∗F[x(cid:48)/x](cid:96)C F (cid:96)C 1 k F (cid:96)x:=new(); C x(cid:55)→E∗F (cid:96)free(x); C B∗F (cid:96)C; C(cid:48)(cid:48) B∗F (cid:96)C(cid:48); C(cid:48)(cid:48) F (cid:96)C; C(cid:48)(cid:48) F (cid:96)C(cid:48); C(cid:48)(cid:48) B∗F (cid:96)ifBthenCelseC(cid:48)fi; C(cid:48)(cid:48) B∗F (cid:96)ifBthenCelseC(cid:48)fi; C(cid:48)(cid:48) F (cid:96)if(cid:63)thenCelseC(cid:48)fi; C(cid:48)(cid:48) B∗F (cid:96)C; whileBdoCod; C(cid:48) B∗F (cid:96)C(cid:48) F (cid:96)C; whileBdoCod; C(cid:48) F (cid:96)C(cid:48) B∗F (cid:96)whileBdoCod; C(cid:48) B∗F (cid:96)whileBdoCod; C(cid:48) F (cid:96)while(cid:63)doCod; C(cid:48) Logicalrules: F (cid:96)C F (cid:96)C xnotaprogram F(cid:48) (cid:96)C G(cid:48)∗F (cid:96)C (Frame) (Subst) F ≡F(cid:48) (Equiv) G(cid:96)G(cid:48) (Cut) F ∗G(cid:96)C F[E/x](cid:96)C variable F (cid:96)C G∗F (cid:96)C (t =t ∗F)[t /x,t /y](cid:96)C 1 2 2 1 (=) ((cid:54)=) ((cid:55)→) (t =t ∗F)[t /x,t /y](cid:96)C t1 =t2∗t1 (cid:54)=t2∗F (cid:96)C x(cid:55)→E∗x(cid:55)→E(cid:48)∗F (cid:96)C 1 2 1 2 Predicateunfoldingrule: (E=Ej[xj/zj]∗Fj[xj/zj]∗F (cid:96)C)1≤j≤k Φ ={F ⇒z1 P(E ),...,F ⇒zk P(E )} P 1 1 k k (P) P(E)∗F (cid:96)C ∀xj ∈{xj}.xj isfresh Figure2. Hoarelogicrulesforproofjudgements. 4 2013/7/12 4. Cyclicabduction:basicstrategy&tactics Principle3. Beforeapplyingsymbolicexecutiontoawhileloop, oneshouldnormallyattempttogeneralisethepreconditionF ap- Wenowturntothemaincontributionofthispaper:ourcyclicab- pearingatthesubgoalinquestion.Thatistosay,weshouldattempt duction method for inferring inductive safety and/or termination tofindsomeweakerpreconditionF(cid:48) suchthatF(cid:48) (cid:96) F isavalid preconditions of programs. Here, we first explain the high-level entailment,and,byapplying(Cut),proceedwiththeproofsearch strategyforabducingsuchpreconditions,andthendevelopanum- usingthepreconditionF(cid:48) inplaceofF.Ifnecessary,wemayab- berofautomatic,abductivetacticsusedinimplementingthisstrat- duceinductiverulesinordertoobtainthismoregeneralF(cid:48). egy.Then,inSection5,wedescribehowthesetacticsareimple- mentedandcombinedintoanabductiveproofsearchalgorithm. Generalisation is well known to be a necessary (and difficult) stepininductivetheoremproving[11],andunsurprisinglyitshows 4.1 Overviewofabductionstrategy up in our abduction proofs also. Section 4.6 presents tactics for Thetypicalinitialproblemwearefacedwithis:givenaprogram generalisingthepreconditionwhenweencounterawhileloop. withcodeC andinputvariablesx,findaninductivedefinitionset 4.2 Tactics:anoverview ΦsuchthatthejudgementP(x)(cid:96)Cis(termination-)validwrt.Φ, whereP isafreshpredicatesymbol. A tactic in our setting is a more general version of a tactic as it OurstrategyforfindingsuchaΦistosearchforacyclicproof usually appears in automated theorem proving. Here, a tactic is ofthejudgementP(x) (cid:96) C (withrespecttosafetyortermination essentiallyageneralprooftransformer:itupdatesthecurrentproof as desired). Almost invariably, this search process will become statebyapplyingsome(possiblynondeterministic)combinationof “stuck” at some point, e.g., because the precondition does not atomic inferences. The differences between our setting and that containenoughinformationforasymbolicexecutionruletofire. of a traditional theorem prover reside in the underlying notions When this happens, we may abduce one or more new inductive of“proofstate”and“atomicinference”.First,sinceweemploya rulestoenablethesearchtoproceed.Inthefollowing,wesetout cyclic notion of proof, with back-links joining leaves to arbitrary informallythemainprinciplesgoverningthisprocess. proof nodes, it is not sufficient to restrict our attention to the current subgoal only: our proof state must reflect the entire pre- Principle1. Thefirstpriorityofthesearchprocedureistoclose proof,andformingaback-linkbetweennodesmustcountasavalid the current branch of the derivation tree, preferably by applying atomicinferencestep.Second,sinceweareallowedtoabducenew an axiom, or else by forming a back-link to some other node. inductive rules in the proof search, the current inductive rule set (The formation of back-links must respect the relevant soundness mustformpartoftheproofstate,andaddingnewinductiverulesto conditiononcyclicproofs.) thissetmustalsocountasavalidinferencestep.(Asusual,allproof If closing the branch is not possible, the second priority is to rulesofoursystem,inFigure2,arealsovalidatomicinferences.) applythesymbolicexecutionruleforthecommandappearingat Takingtheaboveintoaccount,ourformalproofstatesaretriples thecurrentsubgoal. comprisedofthefollowingelements: That is, if we can close the current branch somehow then we P: A partial pre-proof, representing the portion of proof con- doso,otherwisewetrytoadvancetheprogramalongthisbranch structedsofar.By“partial”,wemeanthatsomeoftheleaves via symbolic execution. (Note that when we attempt to form a ofPmaybeopen;wecallthesetheopensubgoalsofP. back-linkintheproof,violationsofthesoundnessconditioncanbe detectedautomaticallybyappealingtoamodelchecker.)However, Φ: Aninductiveruleset,containingalltheinductiverulesabduced itoftenhappensthatneitheroftheseispossible.Whenthissituation sofarintheproofsearch. occurs, we are allowed to use the logical rules and/or to abduce (cid:96): Adistinguishedopenleafofthepre-proofP,representingthe inductiverulesinordertoenabletheproofsearchtomakeprogress, subgoalonwhichthenextstepoftheproofsearchistooperate. asdescribedbyoursecondprinciple. Atacticisthensimplyatransformeronproofstates. Principle2. Wemayabduceinductiverulesand/ordeploythelog- Example 4.1. In order to demonstrate how our abductive tactics icalandpredicateunfoldingrulesinthefollowingcircumstances: are applied in practice, we will frequently refer to the following (a) inordertosymbolicallyexecuteabranchingcommand; runningexampleintheremainderofthissection.Figure3shows (b) inordertosymbolicallyexecuteadereferencingcommand; anabductivecyclicproofofthefollowingprogram: (c) inordertoformaback-link; fieldsl,r; (d) aspartofageneralisationattempt. whilex(cid:54)=nildo if(cid:63)then x := x.l else x := x.r fi When we abduce inductive rules for a predicate occurring in the od current subgoal,we alwaysimmediately apply the unfolding rule forthatpredicatetothesubgoal. TheproofinFigure3abducesthebinarytreepredicatefromExam- Wemayabduceinductiverulesonlyforpredicatesymbolsthat ple3.2asasafetyandterminationpreconditionforthisprogram. arecurrentlyundefined. Foreaseofpresentation,wenumbereachindividualcommand(se- quence)intheprogram,andwewritethejudgementsintheproof We explain in the following subsections exactly how induc- byreferringtotheseindicesratherthanthecommandsthemselves. tive rules are abduced in the situations (a), (b), and (c) described by Principle 2 (generalisation (d) being covered in Section 4.6). 4.3 Abductivetacticfordeterministicbranchingcommands Thereasonforrestrictingabductiontoundefinedpredicatesisthat adding inductive rules to Φ adds new premises to the unfold- Ourproofrulesfordeterministicifandwhilecommands(Fig.2) P ing rule (P), rendering any existing applications of (P) in the mirrortheoperationalsemanticsinthattheyrequiretheprecondi- derivation unsound. We will indicate a combined abduction-and- tiontodeterminethestatusofthebranchingcondition.Weintro- unfoldingstepinourderivationswithA(P). duceanabductivetactic,abduce branch,enablingustoproceed Ourfinalprinciplesetsoutthegeneralideabehindperforming wheneverthesymbolicexecutionofsucharulefails. generalisationinaproofsearch. Supposeabduce branchisappliedtotheproofstate(P,Φ,(cid:96)) where the command sequence C in the judgement appearing at 5 2013/7/12 P (x)(cid:96)0 0 (Frame) x(cid:48) (cid:54)=nil∗ (cid:96)0 P0(x)(cid:96)0 x(cid:48) (cid:55)→(y,x)∗P0(y)∗P0(x)∗P5(x(cid:48),y,x) x(cid:48) (cid:54)=nil∗ (Frame) x(cid:48) (cid:54)=nil∗ A(P4) (cid:96)0 (cid:96)0 x(cid:48) (cid:55)→(x,z)∗P (x)∗P (x(cid:48),x,z) x(cid:48) (cid:55)→(y,x)∗P (y)∗P (x(cid:48),y,x) 0 4 0 4 x(cid:48) (cid:54)=nil∗ A(P3) x(cid:48) (cid:54)=nil∗ (P3) (cid:96)0 (cid:96)0 x(cid:48) (cid:55)→(x,z)∗P (x(cid:48),x,z) x(cid:48) (cid:55)→(y,x)∗P (x(cid:48),y,x) 3 3 x := x.l x := x.r x(cid:54)=nil∗ x(cid:54)=nil∗ (cid:96)2 (cid:96)3 x(cid:55)→(y,z)∗P (x,y,z) x(cid:55)→(y,z)∗P (x,y,z) 3 3 A(P2) (P2) x(cid:54)=nil∗P (x)(cid:96)2 x(cid:54)=nil∗P (x)(cid:96)3 2 2 (cid:15) if(cid:63)... x=nil∗P (x)(cid:96)(cid:15) x(cid:54)=nil∗P (x)(cid:96)1 1 2 whilex(cid:54)=nil whilex(cid:54)=nil x=nil∗P (x)(cid:96)0 x(cid:54)=nil∗P (x)(cid:96)0 1 2 A(P0) P (x)(cid:96)0 0 fieldsl,r; x=nil∗P (x)⇒P (x) 1 0 0: whilex(cid:54)=nildo x(cid:54)=nil∗P (x)⇒P (x) 1: if (cid:63) then 2 0 x=nil∗emp⇒P (x) 0 2: x := x.l x(cid:55)→(y,z)∗P (x,y,z)⇒P (x) 3 2 x(cid:54)=nil∗x(cid:55)→(y,z)∗P (y)∗P (z)⇒P (x) else 0 0 0 P (y)∗P (x,y,z)⇒P (x,y,z) 3: x := x.r 0 4 3 fi od P0(z)∗P5(x,y,z)⇒P4(x,y,z) Figure3. Top:abductiveproofforabinarytreesearchprogram(shownbottomleft).Bottomcenter:inductiverulesabducedduringthe proof.Bottomright:simplifiedinductiverules. the current subgoal (cid:96) is of the form whileBdoCod;C(cid:48) or inductiverulesforP : 0 ifBthenCelseC(cid:48)fi;C(cid:48)(cid:48) (where B (cid:54)= (cid:63)). For simplicity we x=nil∗P (x) ⇒ P (x) assumeBisanequalityordisequalitybetweentwoprogramvari- 1 0 ablesx,y(thecasewhereoneofthetwotermsisnilisverysimi- x(cid:54)=nil∗P2(x) ⇒ P0(x) lar).First,abduce branchselectsasubformulaoftheformP(E) ThetacticthenunfoldsP (x)andappliessymbolicexecutionfor appearingin(cid:96)suchthatthepredicatesymbolP iscurrentlyunde- 0 thewhilecommandinthetworesultingsubgoals.Thisisshownin finedinΦ,andsuchthatxandy occurinthetupleE.Thus,we Fig.3astheapplicationofA(P )followedbythenormalsymbolic maywritethejudgementappearingat(cid:96)asF ∗P(E) (cid:96) C where 0 executionsforwhile). x = E andy = E (wherek (cid:54)= j).Then,abduce branchadds k j thefollowinginductiverulesforP toΦ: 4.4 Abductivetacticfordereferencingassignments B[z /x,z /y]∗P(cid:48)(z) ⇒ P(z) k (cid:96) The symbolic execution rules for commands that dereference a B[z /x,z /y]∗P(cid:48)(cid:48)(z) ⇒ P(z) k (cid:96) memory address (Fig. 2) require the precondition to guarantee where P(cid:48),P(cid:48)(cid:48) are fresh predicate symbols and z is a tuple of that this address is indeed allocated (otherwise the program will appropriatelymanyarbitraryvariables.Next,thetacticunfoldsthe encounter a memory fault, as per the operational semantics in indicatedoccurrenceofP(E)in(cid:96)asfollows: Fig.1).Herewepresentanabductivetactic,abduce deref,that enablesthesymbolicexecutionofsuchcommandstoproceedby B∗F ∗P(cid:48)(E)(cid:96)C B∗F ∗P(cid:48)(cid:48)(E)(cid:96)C abducingtheallocationoftheappropriateaddress. A(P) Formally,supposeabduce derefisappliedtotheproofstate F ∗P(E)(cid:96)C (P,Φ,(cid:96)), where the command C in the judgement labelling the Finally,thetacticappliestheappropriatesymbolicexecutionrule current subgoal (cid:96) is of the form free(x); C, x.f := E; C or for C to each of the new subgoals (note that this step is now y :=x.f; C.First,abduce derefnon-deterministicallyselectsa guaranteedtosucceed). subformulaoftheformP(E)appearingat(cid:96),whereP iscurrently The choice of subformula P(E) and indices k,j is nondeter- undefined in Φ, and such that x occurs in the tuple E. Thus, we ministic;abduce branchreturnstheresultsofallsuchchoices. maywritethejudgementappearingat(cid:96)asF ∗P(E) (cid:96) C where x = E (for some k). Then abduce branch adds the following Example4.2. WhensearchingforaproofoftheprograminEx- k inductiveruleforP toΦ: ample4.1,ourinitialgoalisoftheform P0(x)(cid:96)whilex(cid:54)=nildo... P(cid:48)(x(cid:116)y)∗xk (cid:55)→y⇒P(x) where P is undefined. As the symbolic execution of the while where (cid:116) is tuple concatenation, P(cid:48) is a fresh predicate symbol, 0 commandfails,wecancallabduce branchwhichselectsP (x) and x and y are tuples of distinct, arbitrary variables such that 0 astheonlyviablesubformulaofthegoalandabducesthefollowing |x| = |E|, and |y| is the number of fields in the program. The 6 2013/7/12 tacticthenunfoldstheselectedoccurrenceofP(E)in(cid:96)asfollows: ofthefollowingform: F ∗x(cid:55)→y(cid:48)∗P(cid:48)(E(cid:116)y(cid:48))(cid:96)C F(cid:48)∗P(cid:48)(z)⇒P(z) A(P) F ∗P(E)(cid:96)C whereP(cid:48)isafreshpredicate,andF(cid:48)ischosensoastosatisfy wherey(cid:48) isatupleof|y|freshvariables.Finally,abduce deref F2[θ]⊆multiset F1∗F(cid:48)[E/z] updates P again by applying the symbolic execution rule for C forsomesubstitutionθ ofexpressionsfornon-programvariables (whichisnowguaranteedtosucceed). only,whereweviewspatialformulasas∗-separatedmultisets.Pro- Similarly to abduce branch in the previous subsection, the vidingwecanfindsuitableF(cid:48)—whichisessentiallyaunification selection of subformula P(E) and index k is essentially non- problem—abduce backlinktransformsP byapplyingrulesto deterministic, so abduce deref returns the list of proof states (cid:96)andinsertinganewback-linkasfollows: correspondingtotheresultsofallsuchselections. . F2 (cid:96)C Example 4.3. When searching for an abductive proof of the bi- .. (Subst) nary tree traversal program in Example 4.1, after applying the F2[θ](cid:96)C abduce branch tactic we arrive at the following subgoal on the F2 (cid:96)C F ∗F(cid:48)[E/z]∗P(cid:48)(E)(cid:96)C (Frame) middlebranch(seeFigure3): 1 . A(P) . x(cid:54)=nil∗P2(x)(cid:96)x := x.l;... . F1∗P(E)(cid:96)C where P is undefined (at the current proof state). We cannot TheroleofthefreshpredicateP(cid:48)istoallowapartoftheheaptobe 2 applythesymbolicexecutionruleforthedereferencingassignment abducedatalaterstage,possiblyonacompletelydifferentbranch x := x.l,asitwouldrequireaformulaoftheformx (cid:55)→ (E,E(cid:48)) oftheproof(seethesecondpartofExample4.4). toappearintheprecondition.Thuswecallabduce deref,which As with our other abductive tactics, abduce backlink acts selects the only suitable formula P (x) in the precondition and nondeterministically: there may be several viable choices of un- abducesthefollowinginductiverule2forP : definedpredicateP,“matchingformula”F(cid:48)andsubstitutionθ. 2 Two further caveats apply. First, according to Principle 1, we x(cid:55)→(y,z)∗P3(x,y,z)⇒P2(x). must ensure that the proposed back-link does not violate the rel- evant soundness condition on cyclic proofs. We verify this is the ThetacticthenunfoldsP (x)andappliesthesymbolicexecution 2 casebycallingamodelcheckerwhenabduce backlinkattempts ruleforthecommandx := x.lasshowninFigure3. toformaback-link.Second,abduce backlinkisalsoallowedto Asimilarsituationoccurswhenwereachthesimilarsubgoalon tryunfoldingadefinedpredicateinthesubgoal(cid:96)ifnoundefined therighthandbranch: predicatesareavailable(similarlytoabduce deref). x(cid:54)=nil∗P (x)(cid:96)x := x.r 2 Example4.4. InExample4.1,uponreachingthesubgoal However, there is one crucial difference: having already abduced x(cid:48) (cid:54)=nil∗x(cid:48) (cid:55)→(x,z)∗P (x(cid:48),x,z)(cid:96)0 a definition for P when tackling the left-hand subgoal, it is no 3 2 longer undefined. In such situations, when no suitable undefined on the middle branch of the proof in Fig. 3, we notice that the predicateisavailable,abduce derefattemptstoapplysymbolic whilecommandinthesubgoalmatchesthatinearliernodes,sowe execution for x := x.r by first unfolding a previously defined decidetotrytoformaback-link.Thuswecallabduce backlink, predicateinstance,inthiscaseP2(x).(Calcagnoetal.[12]employ whichselectstheonlysuitableformulaP3(x(cid:48),x,z)inthesubgoal asimilarabductiontacticfortheirfixedinductivepredicates.) andabducesthefollowinginductiveruleforP : 3 4.5 Abductivetacticforformingback-links P0(y)∗P4(x,y,z)⇒P3(x,y,z) In principle, we may attempt to form a back-link from an open ThetacticthenunfoldsP3(x(cid:48),x,z),applies(Frame)andformsa subgoallabelledbyF (cid:96) C toanyothernodeinthecurrentpre- back-linkfromtheresultingsubgoaltotherootnodeoftheproof prooflabelledbyajudgementoftheformF(cid:48) (cid:96)C,providedthat: asshowninFig.3.Notethat,inthiscase,theuseofsubstitutionis notrequiredandthechosen“matchingformula”F(cid:48)isP (y). 1. the judgement F (cid:96) C is derivable from F(cid:48) (cid:96) C, so that the 0 Whenwearriveatasimilarsubgoalontherightmostbranch, source and target of the back-link can be made syntactically identicalasrequiredbyDefinition3.3;and x(cid:48) (cid:54)=nil∗x(cid:48) (cid:55)→(y,x)∗P3(x(cid:48),y,x)(cid:96)0 2. the addition of this back-link does not create an infinite path thesituationisslightlydifferentbecauseP isnolongerundefined. 3 violating the soundness condition on cyclic proofs (for safety In this situation, abduce backlink first unfolds P according 3 ortermination,asappropriate). to its existing definition, and then proceeds in the usual way by abducingasuitableinductiverulefortheundefinedP .(Itisforthis Herewepresentatactic,abduce backlink,thatattemptstoform 4 reasonthatitwasessentialtoabducethefreshpredicatecomponent suchback-linksautomaticallyduringtheproofsearch. P (x,y,z)ofthepreviousinductiveruleforP ,eventhoughon Formally, suppose that abduce backlink is applied to the 4 3 themiddlebranchthiscomponentwasdiscardedby(Frame).) proofstate(P,Φ,(cid:96)).First,thetacticselectsanodenofP,distinct from(cid:96),suchthatthecommandsinthejudgementslabellingnand Weobservethatabduce backlinkis“forgetful”inthatituses (cid:96)areidentical.Thenittriestomanipulate(cid:96)usinglogicalrulesso theframeruletodiscardpartsoftheprecondition.Anotheralter- astoobtainapreconditionidenticaltotheoneatn.Moreprecisely, native would instead be to use the (Cut) rule to establish logical foranypredicateP in(cid:96)thatisundefinedinΦ,abduce backlink entailmentsenablingthecurrentsubgoaltobeidentifiedwiththe attemptstoabduceinductiverulesforP suchthatafterunfolding desired target node. In some cases, such reasoning is necessary P, the logical rules (Frame) and (Subst) can be used to obtain a in order to abduce the “ideal” predicate as precondition. We im- copyofn. plementedanalternativeback-linkingtacticthatattemptstoapply Wewrite(cid:96)asF ∗P(E)(cid:96)C,whereP isundefinedinΦ,andn (Cut) in order to unify the current subgoal with a chosen target 1 asF (cid:96)C.Thenabduce backlinkwillabduceaninductiverule node.Theresultinglogicalentailmentsarepassedtotheseparation 2 7 2013/7/12 logicinstantiationofCYCLIST(describedin[10])whichattempts Ourtacticseg genidentifiesyasapotentialcursorvariable,since todischargethem.Unfortunately,becausesuchentailmentsmight itismodifiedbytheloopbodyandappearsintheloopguard,and beinvalid,andoftenrequireinductivereasoningtoestablisheven abducesthefollowinginductiverulefortheundefinedP : 0 inthecasethattheyarevalid,suchcallstoCYCLISTareextremely P (x,x)∗P (x,nil)⇒P (x) expensive(manysuchcallsmightbemadeduringaproofattempt 1 1 0 andanyofthemmighttime-out).Thus,atthetimeofwriting,we ThetacticthenunfoldsP0(x)andrewritesusingtheequalityx=y havefoundthecomputationalcostofthistactictobeprohibitive. asshownbytheapplicationofSEG-GENinFig.5.Thisenablesus tolaterformaback-linkwiththemoregeneralP (x,y)∗P (y,nil) 1 1 4.6 Existentialgeneralisation as the precondition which describes the general invariant of the while loop (i.e., a list segment from x to y together with a list Symbolically executing while loops creates a potentially infinite segmentfromy tonil).However,thisrequiresustoestablishthe branchoftheproofsearch,unlessitcanbeclosedeitherbyanax- entailment P (x,y(cid:48)) ∗ y(cid:48) (cid:55)→ y (cid:96) P (x,y), as shown by the iomor,morecommonly,byformingaback-link.However,naive 1 1 applicationof(Cut)onbranch,whichrequiresinductivereasoning. attemptstoback-linktoaspecifiedtargetjudgementoftenfailbe- InordertofindtheproofinFig.5automaticallyinreasonabletime, cause the judgement specifies a too-precise relationship between werequireabetterlemmaspeculationmechanism,asdiscussedin programvariableswhichisnotpreservedbythebodyoftheloop. theprevioussubsection. Onepossiblesolution,whichistypicalofinductivetheoremprov- ingingeneral,istogeneralisethepreconditionuponencountering 4.7 Simplificationofinductiverulesets thewhileloopsoasto“forget”suchvariablerelationships.Here Whenanabductiveproofsearchusingthetacticsabovesucceeds, wepresentatactic,ex gen,thatimplementsthisprinciple. the returned set of abduced inductive rules will typically be too Formally,supposeex genisappliedtotheproofstate(P,Φ,(cid:96)), large and unwieldy for human consumption. We can apply some wherethejudgementlabellingcurrentsubgoal(cid:96)isoftheform fairlystraightforwardsimplificationstoourabducedrulesetsinor- F (cid:96)whileB doC od; C(cid:48) dertomakethemmoreeasilyreadable.Oursimplificationmethod, outlined below, is used to produce the simplified inductive rules ThenforeveryprogramvariablexmodifiedbytheloopbodyC, showninFigures3–5. ex gen replaces every occurrence of x in a subformula of F of the form E = E(cid:48) or y (cid:55)→ E by a fresh (implicitly existentially 1. Elimination of undefined predicates. When our search tactics quantified)variablew.(Thisstepimplicitlyusesanapplicationof abduce inductive rules, these rules always contain an undefined (Cut),andiseasilyseentobesound.)Thistacticalsoexhibitsnon- componentinvolvingafreshpredicatesymbol.Thus,thefinalset determinisminthatitmaygeneraliseoveranysubsetofvariables ofabducedinductiveruleswilltypicallycontainseveralundefined modifiedbytheloopbody,andpresentintheprecondition. predicates.Clearly,suchpredicatesmaybeinterpretedhoweverwe Example 4.5. Figure 4 shows an abductive cyclic proof of the wish;thusweinterpretthemallastheemptyheapemp. followingprogram,whichtraversesalistoflists: For example, during the abductive proof in Figure 3 we ab- ducetheinductiveruleP (z)∗P (x,y,z) ⇒ P (x,y,z),where fieldsnext,down; 0 5 4 P is still undefined at the end of the proof. Thus we instantiate whilex(cid:54)=nildo 5 P (x,y,z)toempwhereby,takingintoaccountthatF∗emp≡F, z := x.down; 5 weobtainthesimplifiedruleP (z)⇒P (x,y,z). whilez(cid:54)=nildo z := z.down od; 0 4 x := x.next 2. In-lining. In most cases, our abductive tactics abduce a single od inductive rule for an undefined predicate. Consequently, the final Whentheproofsearchforthisprogramreachesthesubgoal inductiverulesettypicallycontainsmanymutuallyrecursivepred- x(cid:54)=nil∗x(cid:55)→(y,z)∗P (x,y,z)(cid:96) icates,manyofwhichcanbestraightforwardlyeliminatingbyin- 3 whilez(cid:54)=nildo z := z.down od lining.First,weorderthepredicatesymbolsbytheorderinwhich their definitions were abduced during the proof search. Then, for we call the tactic ex gen. Since z is modified by the body of anypredicateQwithonlyasingleinductiverule,wheneverQ>P the while loop, and the precondition contains the subformula accordingtoourordering,wereplaceallsubformulasoftheform x(cid:55)→(y,z), the tactic replaces the z in this subformula by the Q(E)intheinductiverulesforP bythedefinitionofQ(E). freshvariablew,asshownintheapplicationofEX-GENinFig.4. Forexample,intheabductiveproofinFigure3,thepredicate Observethatthisgeneralisationstepisneededinordertoformthe P isdefinedbyasingleinductiverule, 2 back-linkontheright-handbranch(asx (cid:55)→ (y,z)doesnothold afterexecutionoftheloopbody,butx(cid:55)→(y,w)does). x(cid:55)→(y,z)∗P3(x,y,z)⇒P2(x) andP > P accordingtotheabductionorder.Thus,wereplace Other, more complex types of generalisation are also possible 2 0 P (x)byitsdefinitioninthesecondinductiveruleforP toobtain (and indeed might be needed for some proofs). For example, we 2 0 thein-linedinductiverule implemented a “segmenting” generalisation tactic, seg gen, that identifiesa“cursor”variableintheloopbodyandabducesinduc- x(cid:54)=nil∗x(cid:55)→(y,z)∗P (x,y,z)⇒P (x) 3 0 tiverulesforanundefinedpredicateintheprecondition,basedon RepeatingthisprocessforthepredicatesP andP producesthe forming segments from this predicate with this cursor as a mid- 3 4 inductiveruleshowninFigure3, point.Figure5showsanapplicationofthistacticinthecontextof anabductivecyclicproofofthefollowingprogram,whichtraverses x(cid:54)=nil∗x(cid:55)→(y,z)∗P (y)∗P (z)⇒P (x). 0 0 0 alistfromyafterinitiallyassigningxtoy: 3.Eliminationofredundantparameters.Aparameterofapredicate fieldsnext; P issaidtoberedundant(intheinductiverulesetΦ)ifitdoesnot y := x; whiley(cid:54)=nildo y := y.next od occur on the left hand side of any inductive rule in Φ , except P possiblyasthesameparameterofP itself.Ourfinalsimplification Aftersymbolicallyexecutingy := xwearriveatthesubgoal: stepistoremoveanysuchredundantparametersfromtheinductive x=y∗P (x)(cid:96)whiley(cid:54)=nildoy := y.nextod ruleset. 0 8 2013/7/12 x(cid:54)=nil∗x(cid:55)→(y,w)∗P3(x,y,z)(cid:96)2 (Frame) x(cid:54)=nil∗z(cid:48)(cid:54)=nil∗ P0(x)(cid:96)0 x(cid:55)→(y,w)∗z(cid:48)(cid:55)→(v,z)∗P3(x,y,z)∗P8(x,y,z(cid:48),v,z) (cid:96)2 x(cid:48)(cid:54)=nil∗z=nil∗ (Frame) x(cid:54)=nil∗z(cid:48)(cid:54)=nil∗ A(P7) (cid:96)0 (cid:96)2 x(cid:48)(cid:55)→(x,w)∗P0(x)∗P6(x(cid:48),x,z) x(cid:55)→(y,w)∗z(cid:48)(cid:55)→(v,z)∗P7(x,y,z(cid:48),v,z) x(cid:48)(cid:54)=nil∗z=nil∗ A(P4) x(cid:54)=nil∗z(cid:54)=nil∗ z := z.down (cid:96)0 (cid:96)3 x(cid:48)(cid:55)→(x,w)∗P4(x(cid:48),x,z) x(cid:55)→(y,w)∗z(cid:55)→(v,v(cid:48))∗P7(x,y,z,v,v(cid:48)) x := x.next A(P5) x(cid:54)=nil∗z=nil∗ x(cid:54)=nil∗z(cid:54)=nil∗ (cid:96)4 (cid:96)3 x(cid:55)→(y,w)∗P4(x,y,z) x(cid:55)→(y,w)∗P5(x,y,z) whilez(cid:54)=nil whilez(cid:54)=nil x(cid:54)=nil∗z=nil∗ x(cid:54)=nil∗z(cid:54)=nil∗ (cid:96)2 (cid:96)2 x(cid:55)→(y,w)∗P4(x,y,z) x(cid:55)→(y,w)∗P5(x,y,z) A(P3) x(cid:54)=nil∗x(cid:55)→(y,w)∗P3(x,y,z)(cid:96)2 EX-GEN x(cid:54)=nil∗x(cid:55)→(y,z)∗P3(x,y,z)(cid:96)2 z := x.down x(cid:54)=nil∗x(cid:55)→(y,y(cid:48))∗P3(x,y,y(cid:48))(cid:96)1 (cid:15) A(P2) x=nil∗P1(x)(cid:96)(cid:15) x(cid:54)=nil∗P2(x)(cid:96)1 whilex(cid:54)=nil whilex(cid:54)=nil x=nil∗P1(x)(cid:96)0 x(cid:54)=nil∗P2(x)(cid:96)0 A(P0) P0(x)(cid:96)0 x=nil∗P1(x)⇒P0(x) x(cid:54)=nil∗P2(x)⇒P0(x) fieldsnext,down 0: whilex(cid:54)=nildo x(cid:55)→(y,y(cid:48))∗P3(x,y,y(cid:48))⇒P2(x) x=nil⇒P0(x) 1: z := x.down; z=nil∗P4(x,y,z)⇒P3(x,y,z) x(cid:54)=nil∗x(cid:55)→(y,y(cid:48))∗P3(y,y(cid:48))⇒P0(x) 2: whilez(cid:54)=nildo 3: z := z.down od; z(cid:54)=nil∗P5(x,y,z)⇒P3(x,y,z) z=nil∗P0(y)⇒P3(y,z) 4: x := x.next P0(y)∗P6(x,y,z)⇒P4(x,y,z) z(cid:54)=nil∗z(cid:55)→(v,v(cid:48))∗P3(y,v(cid:48))⇒P3(y,z) od z(cid:55)→(v,v(cid:48))∗P7(x,y,z,v,v(cid:48))⇒P5(x,y,z) P3(x,y,w)∗P8(x,y,z,v,w)⇒P7(x,y,z,v,w) Figure4. Top:abductiveproofforlist-of-liststraversal.Bottom,lefttoright:program;predicatesfound;simplifiedpredicates. P (x,y)∗P (y,nil)(cid:96)1 1 1 (Cut) y(cid:48) (cid:54)=nil∗P (x,y(cid:48))∗y(cid:48) (cid:55)→y∗P (y,nil)∗P (x,y,z)(cid:96)1 1 1 5 y(cid:48) (cid:54)=nil∗P (x,y(cid:48))∗y(cid:48) (cid:55)→y∗P (y(cid:48),nil,y)(cid:96)1 A(P4) 1 4 y := y.next y(cid:54)=nil∗P (x,y)∗y(cid:55)→z∗P (y,nil,z)(cid:96)2 1 4 (cid:15) A(P3) y=nil∗P (x,y)∗P (y,nil)(cid:96)(cid:15) y(cid:54)=nil∗P (x,y)∗P (y,nil)(cid:96)2 1 2 1 3 whiley(cid:54)=nil whiley(cid:54)=nil y=nil∗P (x,y)∗P (y,nil)(cid:96)1 y(cid:54)=nil∗P (x,y)∗P (y,nil)(cid:96)1 1 2 1 3 A(P1) P (x,y)∗P (y,nil)(cid:96)1 1 1 SEG-GEN x=y ∗P (x)(cid:96)1 0 y := x P (x)(cid:96)0 0 P (x,x)∗P (x,nil)⇒P (x) 1 1 0 fieldsnext; x=y∗P (x,y)⇒P (x,y) P (x,x)∗P (x,nil)⇒P (x) 0: y := x; 2 1 1 1 0 1: whiley(cid:54)=nildo x(cid:54)=y∗P (x,y)⇒P (x,y) x=y ∗emp⇒P (x,y) 3 1 1 2: y := y.next x(cid:55)→z∗P (x,y,z)⇒P (x,y) x(cid:54)=y ∗x(cid:55)→z∗P (z,y)⇒P (x,y) od 4 3 1 1 P (z,y)∗P (x,y,z)⇒P (x,y,z) 1 5 4 Figure5. Top:abductiveproofforlisttraversalprogram(bottomleft)employingsegmentgeneralisation.Bottomcentre:inductiverules abducedduringtheproof.Bottomright:thesimplifiedpredicates. 9 2013/7/12
Description: