From Matching Logic To Parallel Imperative Language Verification
FFrom Matching Logic To Parallel Imperative Language Verification ShangBei Wang Nanjing University of Aeronautics and Astronautics, Nanjing, China [email protected] Abstract Program verification is to develop the program’s proof system, and to prove the proof system soundness with respect to a trusted operational semantics of the program. However, many practical program verifiers are not based on operational semantics and can’t seriously validate the program. Matching logic is proposed to make program verification based on operational semantics. In this paper, following Grigore Roşu et al’s work, we consider matching logic for parallel imperative language(PIMP). According to our investigation, this paper is the first study on matching logic for PIMP. In our matching logic, we redefine "interference-free" to character parallel rule and prove the soundness of matching logic to the operational semantics of PIMP. We also link PIMP’s operational semantics and PIMP’s verification formally by constructing a matching logic verifier for PIMP which executes rewriting logic semantics symbolically on configuration patterns and is sound and complete to matching logic for PIMP. That is our matching logic verifier for PIMP is sound to the operational semantics of PIMP. Finally, we also verify the matching logic verifier through an example which is a standard problem in parallel programming. Keywords and phrases
Matching Logic, Operational Semantics, Program Verification, Parallel Language Operational semantics[1][7][23] is called “transition semantics” whose basic idea is to use a sequence γ → γ → γ i → · · · of configurations to formalize the execution of a program. γ i is either a terminal configuration or a nonterminal configuration. The development of semantics engineering frameworks K [17][18], Ott[29] and PLT-Redex[3] make it very easy to define the operational semantics of a programming language. Consequently, the operational semantics of C[4][5], Java[10], Python[12], CAML[36], JavaScript[8][25] have been proposed. The advantages of operational semantics such as easy to define and understand, being executable and being tested, make it suitable as trusted reference model for language. The ideal program verification should use such operational semantics, unchanged, to produce proof certificates. However, program verification rarely use operational semantics directly, because the proof based on operational semantics directly involve the corresponding transition system, which is generally considered low-level. Hoare[31][34] and dynamic logic[9] are typically used because their reasoning seems higher level. However, the set of abstract proof rules to define language semantics in Hoare and dynamic logic are hard to understand and trust. The essence of program verification is to develop a program’s proof system, and to prove the proof system sound with respect to a trusted operational semantics of the program. However, instead of being based on a formal semantics, many practical program verifiers[6][28][32][33] convert the target program language to an intermediate validation language or simply implement ad-hoc verification condition. If a program verification is not based on the formal semantics of the program, the program verification does not seriously validate the program and the result can’t be trusted. Matching logic[13] is proposed to make program verification based on operational semantics. To reason about program, we first need to define program configurations. Matching logic a r X i v : . [ c s . L O ] F e b configuration patterns consist of variables, symbols in signature, first-order logical connectives and existential quantifiers. For example ∃ z ( o = < x := x ∗ y > k < x x, y z, ρ> env
Relationship among operational semantics, matching logic and matching logic verifier In this section, we introduce a simple parallel imperative language(PIMP) by adding await operation, parallel operation and array operations to the IMP[19]. The operational semantics of PIMP is defined as a rewrite logic theory (Σ PIMP , E PIMP , R PIMP )[11]. Figure 2 shows the complete rewrite theory. The signature Σ PIMP consists of the PIMP’s syntax and the syntax of configurations. The configurations of PIMP have the form < · · · > k < · · · > env < · · · > mem , containing: a computation, an environment and a memory. The Env sort is a partial mapping and has the form x i , x i , · · · , x n i n with · representing the empty environment. Like
Env sort, the
Mem sort is also a partial map structure but from positive naturals to integers. The C sort is computation and · is empty computation with its usual properties : · ; c = c and · k c = c = c k · . await b then cc computation acts as a flexible but primitive tool for mutual exclusion. Only when the condition b is true, the process can execute await b then cc , otherwise, the process is blocked. The computation cc is an indivisible action. During its execution, other processes are blocked. Hence, it is very desirable to not contain k , while and await computations in CC sort. A := Array ( e , e , · · · , e n ) evaluates e , e , · · · , e n to i , i , · · · , i n , allocates a contiguous space with size n and starting address as positive integer p in memory, writes values i , i , · · · , i n in order in that space and assigns p to A . x := A [ e ] evaluates e to positive integer p , evaluates A to positive integer q and assigns to x the value at location p + q in memory ( p + q must be allocated). A [ e ] := e evaluates e to positive integer p , A to positive integer q and e to value i , writes i to location p + q in memory ( p + q must be allocated). The E PIMP contains equations which define bags, sequences and maps. We do not list these equations explicitly in Figure 2 because our main goal is to give PIMP an operational semantics in the rewriting logic framework. The semantic rules[2] are the core of a rewrite semantics, and usually each language construct has at least one semantic rule. + , − , ∗ , ÷ , mod constructs are reduced to the domain + Int , − Int , ∗ Int , ÷ Int , mod Int when its arguments become integers and the = , = , <, > constructs are reduced to the domain = Bool , = Bool , <
Bool , >
Bool when its arguments become integers.
PAR1 and
PAR2 semantic rules use non-determinism to simulate parallelism, but they are defined in such a way that the results are equivalent to those which would be obtained using true parallelism.
ARRAY semantic rule chose some arbitrary positive integer p such that ( p [ ρ ( e )] , m ) is a well-formed map and update the environment and the memory accordingly where p [ ρ ( e )] is a shorthand for p ρ ( e ) , p + 1 ρ ( e ) , · · · , p + n − ρ ( e n ) and e ∈ Seq − , − [ E ] and ρ ( e ) ∈ Seq − , − [ Int ]. It has been suggested[21][22] that a computation should be thought of as being executed
Rewrite Theory Of PIMPAbstract Syntax: E ::= 0 | | | · · · | Var | − E | E + E | E − E | E ∗ E | E ÷ E | E mod E B ::= true | false | E = E | E = E | E < E | E > E CC ::= Var := E | if ( B ) CC else CC | CC ; CC | Var := Array ( Seq − , − [ E ]) | Var [ E ] := E | Var := Var [ E ] | skipC ::= Var := E | if ( B ) C else C | C ; C | while B do C | C k C | await B then CC | skip | Var := Array ( Seq − , − [ E ]) | Var [ E ] := E | Var := Var [ E ] Configurtation:
Cfg ::= < C > k < Env > env < Mem > mem Env ::=
Map − , − . [ Var , Int ] Mem ::=
Map − , − . [ Nat + , Int ] Semantic Rules:
SKIP: · mem IF1: ρ ( b ) is true< if ( b ) c else c > k <ρ> env Rewrite Theory Of PIMP hangBei Wang 42:5 in an arbitrary "state", that is, in parallel with other computations. Therefore, there are two types of semantic rules, < c > k < ρ > env < m > mem P −→ < c > k < ρ > env < m > mem represents update of the environment ρ to ρ and memory m to m because c is executed; Definition 1. Let PIMP denotes the rewriting logic theory (Σ PIMP , E PIMP , R PIMP ) in Figure L = P or L = E , PIMP | = t L −→ t indicates that t L −→ t can be derived. PIMP | = t L −→ ∗ t indicates that the rule t L −→ t can be derived in zero or more steps. Computation k is well-terminated iff it is equal to an integer value or to " · ". Let PIMP o be the algebraic specification (Σ PIMP , E o PIMP ) where E o PIMP ⊆ E PIMP contains equations defining bags, sequences and maps. Let T o be the initial PIMP o algebra. Terms An execution of concrete configuration For any c , c ∈ C , if σ is an execution of concrete configuration < c k c > k <ρ> env Suppose σ ≡ By PAR1 rule, By PAR2 rule, Suppose mem L −→ ∗ < · > k <ρ > env By SEQ and PAR1 rules, < ( c k c ); c > k <ρ > env By SEQ and PAR2 rules, < ( c k c ); c > k <ρ > env SVar is an infinite set of logical or semantic variables, and it also contain a special variable named " o " of sort Cfg which serves as a place holder in the matching logic pattern. (cid:73) Definition 6. [19]Matching logic patterns, are FOL = forumlae ∃ X (( o = c ) ∧ ϕ ) , where: X ⊂ SVar is the set of bound variables; c is the pattern structure and is a term of sort Cfg; ϕ is the constraint, an arbitrary FOL = formula. Let T is the initial model of PIMP and SVar o = SVar ∪ { o } . Valuation ( γ, τ ) : SVar o → T includes a concrete configuration γ and a map τ : SVar → T . ( γ, τ ) | = ∃ X (( o = c ) ∧ ϕ )iff there exists θ τ : SVar → T with θ τ (cid:22) SVar /X = τ (cid:22) SVar /X such that γ = θ τ ( c ) and θ τ | = ϕ . Let Γ , Γ are matching logic patterns, Γ ⇓ Γ is called matching logic correctnesspair. Informally matching logic correctness pair ∃ X ( o = < c> k < ρ> env < m> mem ∧ ϕ ) ⇓∃ X ( o = < · > k < ρ > env < m > mem ∧ ϕ ) means: for any valuation ( γ, τ ) : SVar o → T , if( γ, τ ) | = ∃ X ( o = M-SKIP: ·∃ X ( o = mem ∧ ϕ )M-SEQ: ∃ X ( o = Matching logic proof system of PIMP hangBei Wang 42:13 and <ρ> env Given a proof outline of pre ( c ) c post ( c ) and a computation k with pre ( k ) k post ( k ) , we say that k don’t interfere with c if the following two conditions hold: For any concrete configuration γ , if ( γ, τ ) | = Given proof outlines of pre ( c ) c post ( c ) and pre ( c ) c post ( c ) , we say that c , c are "interference-free" if the following two conditions hold: Let c be an await or := sub computation (which don’t appear in an await) of c , then c don’t interfere with c ; Let c be an await or := sub computation (which don’t appear in an await) of c , then c don’t interfere with c . (cid:73) Definition 9. Given a proof outline of pre ( c ) c post ( c ) and any concrete configura- tion γ with ( γ , τ ) | = < c > k pre ( c ) , there are infinite number of terminable executions σ = γ L −→ γ L −→ · · · L −→ γ i L −→ γ i +1 L −→ · · · L −→ γ n because of ENV rule. For any γ i L −→ γ i +1 , ≤ i < n , if L = E , it means other computation c which is in parallel with c updates environment and memory. Let S represents a set of computations executed in parallel with c . A terminable execution σ is called actual execution if c , c are "interference- free" for any c ∈ S . We now formally give the proof that matching logic is soundness to the operational semantics of PIMP. Let’s make the assumption that the original PIMP program don’t contain variables in SVar . (cid:73) Theorem 10. For any actual execution σ = γ L −→ γ L −→ · · · L −→ γ i L −→ γ i +1 L −→ · · · L −→ γ n , if ( γ , τ ) | = Γ and Γ ⇓ Γ is derivable, then ( γ n , τ ) | = Γ . Proof. We prove by the induction on the depth of inference of Γ ⇓ Γ . We consider thedifferent ways in which the last step of the inference is done: Case1: By M-ASGN1 rule ·∃ X ( o = < x := e> k <ρ> env 1) such that γ E −→ · · · E −→ γ j P −→ γ j +1 E −→ · · · E −→ γ n with ( γ i , τ ) | = Γ, 1 ≤ i ≤ j . Suppose there exists θ τ : SVar → T with θ τ (cid:22) SVar /X = τ (cid:22) SVar /X such that γ j = < x := e> k <θ τ ( ρ j ) > env <θ τ ( m j ) > mem and θ τ | = ϕ . By ASGN1 rule, weconclude γ j +1 = < · > k <θ τ ( ρ j )[ θ τ ( ρ j )( e ) / x] > env <θ τ ( m j ) > mem . Due to θ τ | = ϕ , ( γ j +1 , τ ) | = Γ .Since σ is an actual execution, we conclude ( γ i , τ ) | = Γ , j + 1 ≤ i ≤ n . Case2: By M-ASGN2 rule ·∃ X ( o = < x := A [ e ] > k <ρ> env 1) such that γ E −→ · · · E −→ γ j P −→ γ j +1 E −→ · · · E −→ γ n with ( γ i , τ ) | = Γ, 1 ≤ i ≤ j . Suppose there exists θ τ : SVar → T with θ τ (cid:22) SVar /X = τ (cid:22) SVar /X such that γ j = < x := A [ e ] > k <θ τ ( ρ j ) > env <θ τ ( m j ) > mem and θ τ | = ϕ . By ASGN2 rule, weconclude γ j +1 = < · > k <θ τ ( ρ j )[ θ τ ( m j )( θ τ ( ρ j )( A ) + Int θ τ ( ρ j )( e )) / x] > env <θ τ ( m j ) > mem hangBei Wang 42:15 Due to θ τ | = ϕ , ( γ j +1 , τ ) | = Γ . Since σ is actual execution, we conclude ( γ i , τ ) | = Γ , j + 1 ≤ i ≤ n . Case3: By M-ASGN3 rule ·∃ X ( o = k <ρ> env 1) such that γ E −→ · · · E −→ γ j P −→ γ j +1 E −→ · · · E −→ γ n with ( γ i , τ ) | = Γ, 1 ≤ i ≤ j . Suppose there exists θ τ : SVar → T with θ τ (cid:22) SVar /X = τ (cid:22) SVar /X such that γ j = k <θ τ ( ρ j ) > env <θ τ ( m j ) > mem and θ τ | = ϕ . By ASGN3 rule, weconclude γ j +1 = < · > k <θ τ ( ρ j ) > env <θ τ ( m j )[ θ τ ( ρ j )( e ) / ( θ τ ( ρ j )( A ) + Int θ τ ( ρ j )( e ))] > mem Due to θ τ | = ϕ , ( γ j +1 , τ ) | = Γ . Since σ is an actual execution, we conclude ( γ i , τ ) | = Γ , j + 1 ≤ i ≤ n . Case4: By M-ARRAY rule ·∃ X ( o = k <ρ> env mem ∧ ϕ )Γ ≡ ∃ X ( o = < A := Array ( e ) > k < ρ > env < m > mem ∧ ϕ ) and Γ ≡ ∃ ( X ∪ { p } )( o = < · > k < ρ [ p/A ] > env < p [ ρ ( e )] , m > mem ∧ ϕ ). Suppose there exists θ τ : SVar → T with θ τ (cid:22) SVar /X = τ (cid:22) SVar /X such that γ = < A := Array ( e ) > k < θ τ ( ρ ) > env < θ τ ( m ) > mem and θ τ | = ϕ and k <θ τ ( ρ ) > env <θ τ ( m ) > mem L −→ γ L −→ · · · L −→ γ i L −→ γ i +1 L −→ · · · L −→ γ n If k <θ τ ( ρ ) > env <θ τ ( m ) > mem P −→ γ , by ARRAY rule, γ = < · > k <θ τ ( ρ )[ θ τ ( p ) /A ] > env <θ τ ( p ) [ θ τ ( ρ )( e )] , θ τ ( m ) > mem and < · > k <θ τ ( ρ )[ θ τ ( p ) /A ] > env <θ τ ( p ) [ θ τ ( ρ )( e )] , θ τ ( m ) > mem E −→ · · · E −→ γ i E −→ γ i +1 E −→ · · · E −→ γ n Set θ τ (cid:22) SVar / ( X ∪{ p } ) = τ (cid:22) SVar / ( X ∪{ p } ) and θ τ (cid:22) X = θ τ (cid:22) X and θ τ (cid:22) p = τ (cid:22) p . Due to θ τ | = ϕ , θ τ | = ϕ and ( γ , τ ) | = Γ . Since σ is an actual execution, we conclude ( γ i , τ ) | = Γ , 2 ≤ i ≤ n .If < A := Array ( e ) > k < θ τ ( ρ ) > env < θ τ ( m ) > mem E −→ γ , since σ is an actual execution,( γ , τ ) | = Γ and there exits j (1 < j ≤ n − 1) such that γ E −→ · · · E −→ γ j P −→ γ j +1 E −→ · · · E −→ γ n with ( γ i , τ ) | = Γ, 1 ≤ i ≤ j . Suppose there exists θ τ : SVar → T with θ τ (cid:22) SVar /X = τ (cid:22) SVar /X such that γ j = k <θ τ ( ρ j ) > env <θ τ ( m j ) > mem and θ τ | = ϕ . By ARRAY rule,we conclude γ j +1 = < · > k <θ τ ( ρ j )[ θ τ ( p ) /A ] > env <θ τ ( p ) [ θ τ ( ρ j )( e )] , θ τ ( m j ) > mem Set θ τ (cid:22) SVar / ( X ∪{ p } ) = τ (cid:22) SVar / ( X ∪{ p } ) and θ τ (cid:22) X = θ τ (cid:22) X and θ τ (cid:22) p = τ (cid:22) p . Due to θ τ | = ϕ , θ τ | = ϕ and ( γ j +1 , τ ) | = Γ . Since σ is an actual execution, we conclude ( γ i , τ ) | = Γ , j + 1 ≤ i ≤ n . Case5: By M-SEQ rule ∃ X ( o = By M-IF rule ∃ X ( o = 1) such that γ E −→ · · · E −→ γ j P −→ γ j +1 E −→ · · · E −→ γ n with ( γ i , τ ) | = Γ, 1 ≤ i ≤ j . Suppose there exists θ τ : SVar → T with θ τ (cid:22) SVar /X = τ (cid:22) SVar /X such that γ j = < if ( b ) c else c > k <θ τ ( ρ j ) > env <θ τ ( m j ) > mem and θ τ | = ϕ . We also distinguishtwo cases according to whether θ τ ( ρ j )( b ) is true or not. Case6.3: θ τ ( ρ j )( b ) is true; by IF1 rule, < if ( b ) c else c > k <θ τ ( ρ j ) > env <θ τ ( m j ) > mem P −→ By M-CONS rule | = Γ ⇒ Γ , Γ ⇓ Γ , | = Γ ⇒ Γ Γ ⇓ Γ Suppose ( γ , τ ) | = Γ and γ L −→ γ L −→ · · · L −→ γ i L −→ γ i +1 L −→ · · · L −→ γ n . Due to | = Γ ⇒ Γ ,( γ , τ ) | = Γ . By the induction hypothesis of Γ ⇓ Γ , we conclude ( γ n , τ ) | = Γ . Due to | = Γ ⇒ Γ , ( γ n , τ ) | = Γ . Case8: By M-CASE rule | = Γ ⇒ Γ ∨ Γ , Γ ⇓ Γ , Γ ⇓ Γ Γ ⇓ Γ Suppose ( γ , τ ) | = Γ and γ L −→ γ L −→ · · · L −→ γ i L −→ γ i +1 L −→ · · · L −→ γ n . Due to | = Γ ⇒ Γ ∨ Γ ,( γ , τ ) | = Γ or ( γ , τ ) | = Γ . If ( γ , τ ) | = Γ , by the induction hypothesis of Γ ⇓ Γ , weconclude ( γ n , τ ) | = Γ . If ( γ , τ ) | = Γ , by the induction hypothesis of Γ ⇓ Γ , we conclude( γ n , τ ) | = Γ . Thus, ( γ n , τ ) | = Γ . Case9: By M-AWAIT rule ∃ X ( o = 1) such that γ E −→ · · · E −→ γ j P −→ γ j +1 E −→ · · · E −→ γ n with ( γ i , τ ) | = Γ, 1 ≤ i ≤ j . Suppose there exists θ τ : SVar → T with θ τ (cid:22) SVar /X = τ (cid:22) SVar /X such that γ j = < await b then cc > k <θ τ ( ρ j ) > env <θ τ ( m j ) > mem and θ τ | = ϕ . By AWAIT rule,we conclude γ j +1 is a final configuration and θ τ ( ρ j )( b ) is true and < cc > k <θ τ ( ρ j ) > env <θ τ ( m j ) > mem L −→ ∗ γ j +1 . By the induction hypothesis of ∃ X ( o = By M-WHILE rule ∃ X ( o = By M-PAR rule ∃ X ( o = First, since σ is an actual execution and c is substructure of c k c , c , c are "interference-free" where c ∈ S and S represents a set of computations executed in parallel with c k c . Second, c , c are also "interference-free". Thus, γ L −→ γ L −→ · · · L −→ γ i L −→ γ i +1 L −→ · · · L −→ γ n is an actual execution. Similarly, γ L −→ γ L −→ · · · L −→ γ i L −→ γ i +1 L −→ · · · L −→ γ n is also an actual execution. (cid:67) By the induction hypothesis of ∃ X ( o = By M-SKIP rule ·∃ X ( o = 1) such that γ E −→ · · · E −→ γ j P −→ γ j +1 E −→ · · · E −→ γ n with ( γ i , τ ) | = Γ, 1 ≤ i ≤ j . Suppose there exists θ τ : SVar → T with θ τ (cid:22) SVar /X = τ (cid:22) SVar /X such that γ j = Cfg sort, two new sub cells are added, one to hold the bound variables setand the other to hold the constraints. Secondly, we add program annotations. assert ass acts as program annotation and can be inserted at any place in the computation. Sort Ass don’t include the < · · · > k because the purpose of program annotation is to describe the stateof the program. We also add Top sort to wrap a set of patterns such as < Γ , Γ , · · · , Γ n > and each Γ i is a pattern with program annotation. Final, we introduce semantic rules.V-NULL and V-FALSE rules are used to dissolve pattern. A pattern Γ i is considered verifiedeither when it translate into < · > k <ρ> env PatternItem ::= < C > k | < Env > env | < Mem > mem | V-NULL: · << · > k <ρ> env mem Matching logic verifier for PIMP hangBei Wang 42:23 (cid:73) Theorem 12. Given an annotated computation k ∈ C , k ∈ C is the computation obtained by removing all assert ass from k , the following holds: If < Suppose Γ ≡ < By V-FALSE rule < By V-ASGN1 rule << x := e ; k ; assert ass post > k <ρ> env By V-ASGN2 rule << x := A [ e ]; k ; assert ass post > k <ρ> env By V-ASGN3 rule < k <ρ> env By V-ARRAY rule < k <ρ> env mem mem mem mem By V-IF rule << (if( b ) c else c ); k ; assert ass post > k <ρ> env