K and KIV: Towards Deductive Verification for Arbitrary Programming Languages

Dominik Klumpp (University of Freiburg), Philip Lenzen (Augsburg University)
WADT 2020
Dominik Klumpp, Philip Lenzen: K and Kiv, slide 1
Program Verification is ...

GREAT: immense confidence in program correctness.
HARD: difficult and time-consuming for programmers.
PATCHWORK: each language needs its own dedicated calculus and tool support.
Vision

[Pipeline diagram: programming language semantics written in K [1]  ->  Kiv specification [2]  ->  One-Path Reachability [3] in Kiv  ->  proof automation]

[1] Grigore Roşu and Traian Florin Şerbănuţă. "An Overview of the K Semantic Framework". In: Journal of Logic and Algebraic Programming 79.6 (2010), pp. 397–434. http://kframework.org
[2] Gidon Ernst et al. "KIV: Overview and VerifyThis competition". In: International Journal on Software Tools for Technology Transfer 17.6 (2015), pp. 677–694.
[3] Grigore Roşu, Andrei Ştefănescu, Ştefan Ciobâcă and Brandon M. Moore. "One-Path Reachability Logic". In: Proceedings of the 28th Symposium on Logic in Computer Science (LICS'13). IEEE, 2013, pp. 358–367.
Simple program in EXAMPLE language

  x = 4    // x >= 0
  f = 1
  // terminates if x == 0
  while (x) {
    f *= x
    x--
  }
K Language Definitions: Syntax

  module EXAMPLE
    syntax Stmt ::= Id "=" Int
                  | "while" "(" Id ")" "{" Stmt "}"
                  | Id "*=" Id
                  | Id "--"
                  | Stmt Stmt
    ...
  endmodule

The syntax is translated to an algebraic specification defining one data type K.
Productions become constructors, e.g. Stmt_=_(id: K, int: K).
Type safety is enforced by subsort predicates, e.g. isId(k: K), isInt(k: K).
K Language Definitions: Configuration

  module EXAMPLE
    ...
    configuration
      <T>
        <k> $PGM:Stmt </k>
        <state> .Map </state>
      </T>
    ...
  endmodule

One data type for each cell:
  KCell(k: ksequence), StateCell(m: kmap), TCell(k: KCell, s: StateCell)

Initialization function:
  initialConfig(pgm) = TCell(KCell(pgm.toSeq), StateCell())
K Language Definitions: Rules

Rewrite rules define a small-step operational semantics:

  rule <k> S1:Stmt S2:Stmt => S1 ~> S2 ... </k>

"~>" is the "followed by" operator: computational tasks are "executed" sequentially.

Actually, rules are defined on patterns of configurations:

  rule <k> while (X) { S } => S while (X) { S } ... </k>
       <state> ... X |-> I:Int ... </state>
    requires I =/=Int 0

  rule <k> while (X) { S } => . ... </k>
       <state> ... X |-> 0 ... </state>

  rule <k> X:Id = I:Int => . ... </k>
       <state> M:Map (.Map => X |-> I) </state>
    requires X ∉ keys(M)

  rule <k> X:Id *= Y:Id => . ... </k>
       <state> ... X |-> (I => I *Int J) Y |-> J ... </state>

  ...
K Language Definitions: Rule Translation

The rules defined in a language semantics S induce a transition relation →S : TCell × TCell.

Each rule is translated to an axiom, e.g. for

  rule <k> X:Id -- => . ... </k>
       <state> ... X |-> (I => I -Int 1) ... </state>

the axiom is

  legal((x ↦ i) m)  ⊢  TCell(KCell(Stmt_--(x).toSeq ~> ks), StateCell((x ↦ i) m))
                         →S
                       TCell(KCell(ks), StateCell((x ↦ i-1) m))
Overview

[Pipeline diagram: programming language semantics in K  ->  Kiv specification  ->  One-Path Reachability in Kiv  ->  proof automation]
One-Path Reachability Calculus (Opr)

  A ⊨ Φ ⇒ Ψ

Reachability property Φ ⇒ Ψ: configurations in Φ may reach Ψ (or diverge).
Patterns Φ, Ψ: describe configurations.
Premises A: a set of reachability properties (e.g. from the semantics definition S).
One-Path Reachability Calculus (Opr)

Opr sequent:
  A ⊢_C Φ ⇒ Ψ

Circularities C: a set of reachability properties.

Correctness and Completeness*:
  A ⊨ Φ ⇒ Ψ  iff  A ⊢ Φ ⇒ Ψ
Opr in Kiv

Opr sequent:
  A ⊢_C Φ ⇒ Ψ
Correctness and Completeness*:
  A ⊨ Φ ⇒ Ψ  iff  A ⊢ Φ ⇒ Ψ

Patterns: predicates on configurations (lambda expressions).
Premises: include the semantic rules, S ⊆ A.

In Kiv the transition relation →S induced by the semantics S is made explicit in the sequent:
  A ⊢_C Φ ⟨→S⟩ Ψ
Correctness and Completeness*:
  A ∪ S ⊨ Φ ⇒ Ψ  iff  A ⊢ Φ ⟨→S⟩ Ψ
Opr in Kiv

Calculus Rule: Axiom

  ─────────────────────   where (Φ ⟨→S⟩ Ψ) ∈ A
    A ⊢_C Φ ⟨→S⟩ Ψ

New Calculus Rule: One Step

    A ⊢ ∀c. Φ(c) ⟹ ∃c'. Ψ(c') ∧ c →S c'
  ─────────────────────────────────────────
            A ⊢_C Φ ⟨→S⟩ Ψ

Used if the conclusion follows directly from the semantics S.
Opr in Kiv

Opr sequent with the premises A split into L ∪ R:
  L ∪ R ⊢_C Φ ⟨→S⟩ Ψ
Correctness and Completeness*:
  A ∪ S ⊨ Φ ⇒ Ψ  iff  A ⊢ Φ ⟨→S⟩ Ψ

Logical premises L: first-order formulas.
Reachability premises R: reachability properties.
Opr in Kiv

New Calculus Rule: Cut Constraint

    (L ∪ {ϕ2}) ∪ R ⊢_C (λc. ϕ1) ⟨→S⟩ Ψ
  ─────────────────────────────────────────   where c ∉ freevars(ϕ2)
     L ∪ R ⊢_C (λc. ϕ1 ∧ ϕ2) ⟨→S⟩ Ψ

Logical premises are used with the Kiv HOL-calculus rules, e.g. equalities are used to rewrite the conclusion.
Opr in Kiv

ALL Opr calculus rules:
  Axiom, One Step
  Reflexivity (generalized for convenience)
  Consequence
  Transitivity
  Case Analysis, Cut (for convenience)
  Abstraction
  Circularity
  Cut Constraint
Overview

[Pipeline diagram: programming language semantics in K  ->  Kiv specification  ->  One-Path Reachability in Kiv  ->  proof automation]
Programs

  // lemma: ...
  x = KIV.input(I)
  f = 1
  // invariant: ...
  while (x) {
    f *= x
    x--
  }

With x = 4 the program is translated to a constant fact in the Kiv specification; with x = KIV.input(I) it is translated to a function fact(I).

Kiv Input: KIV.input(I) introduces logical variables.
Lemma: a reachability property, e.g.
  initialConfig(fact(I)) where I ≥ 0   ⟨→S⟩   <k> . </k> <state> f ↦ I! </state>
Invariant: a pattern for the loop configuration, e.g.
  ∃ X, F.  <k> while (x) { ... } </k> <state> f ↦ F, x ↦ X </state>   where I! = F · X! and F > 0 and X ≥ 0
Kiv Function: also usable in the program.
Annotation: used for automation.
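The rewrite rules of the EXAMPLE language and the reachability lemma for fact(I) above, worked through in an added Python example (not code from the slides or from K/Kiv): the configuration is a pair of k cell and state cell, step applies the small-step rules, and reaches is a bounded check of a ⟨→S⟩ property along the deterministic transition relation. The tuple encoding of statements and the names step, reaches and lemma_holds are assumptions of this example.

```python
import math
# Statements of the EXAMPLE language as tuples (constructed AST, not K's own terms):
#   ("assign", x, n) x = n   ("mul", x, y) x *= y   ("dec", x) x--
#   ("while", x, body) while (x) { body }   ("seq", s1, s2) s1 s2
# A configuration is a pair (k cell: tuple of pending tasks, state cell: dict).

def initial_config(pgm):
    """initialConfig(pgm) = TCell(KCell(pgm.toSeq), StateCell()) from the slides."""
    return ((pgm,), {})

def step(config):
    """One rewrite step; None if no rule matches (program finished or stuck)."""
    ks, st = config
    if not ks:
        return None
    head, rest = ks[0], ks[1:]
    if head[0] == "seq":                                    # S1 S2 => S1 ~> S2
        return ((head[1], head[2]) + rest, st)
    if head[0] == "assign" and head[1] not in st:           # requires X not in keys(M)
        return (rest, {**st, head[1]: head[2]})
    if head[0] == "mul" and head[1] in st and head[2] in st:  # X |-> I *Int J
        return (rest, {**st, head[1]: st[head[1]] * st[head[2]]})
    if head[0] == "dec" and head[1] in st:                  # X |-> I -Int 1
        return (rest, {**st, head[1]: st[head[1]] - 1})
    if head[0] == "while" and head[1] in st:
        if st[head[1]] != 0:                                # requires I =/=Int 0
            return ((head[2], head) + rest, st)             # unroll the loop once
        return (rest, st)                                   # X |-> 0: drop the loop
    return None                                             # stuck, e.g. unset variable

def reaches(config, target, bound=10_000):
    """Bounded check of config <->S> target along the (deterministic) transition relation."""
    for _ in range(bound):
        if target(config):
            return True
        config = step(config)
        if config is None:
            return False
    return False

def fact(i):
    """The factorial program from the slides with x = KIV.input(I) instantiated to i."""
    body = ("seq", ("mul", "f", "x"), ("dec", "x"))
    return ("seq", ("assign", "x", i),
            ("seq", ("assign", "f", 1), ("while", "x", body)))

def lemma_holds(i):
    """initialConfig(fact(I)), I >= 0, reaches <k> . </k> <state> f |-> I! </state>."""
    done = lambda c: not c[0] and c[1].get("f") == math.factorial(i)
    return reaches(initial_config(fact(i)), done)
```

The bounded check only explores one concrete I per call; the Kiv lemma quantifies over all I ≥ 0, which is what the Opr circularity and invariant rules handle symbolically.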
Proof Automation

Heuristic: automatically applies Opr rules.
Symbolic Execution: heavy use of pattern matching.
Invariant Usage: without assumption of correctness.
Degree of automation: extremely high.
Proof Automation

  // lemma: ...
  x = KIV.input(I)
  f = 1
  // invariant: ...
  while (x) {
    f *= x
    x--
  }

translated to function fact(I) in the Kiv specification.
Conclusion

[Pipeline diagram: programming language semantics in K  ->  Kiv specification  ->  One-Path Reachability in Kiv  ->  proof automation]
The End

Thank you for your attention.
Questions?