Using Knuth-Bendix to Verify Programs - PowerPoint PPT Presentation

1
Using Knuth-Bendix to Verify Programs
  • Scott McPeak
  • OSQ 2/23/04

2
Outline
  • Use axioms to describe data structures
  • Knuth-Bendix semi-algorithm to decide equality
    entailment
  • Ensure termination of KB with offline
    pre-processing

3
Need Precise Pointer Info
  • Scenario
    • time 1: P(x) holds
    • time 2: (the object pointed to by) y is modified
    • time 3: assert(P(x))
  • P(x) might be any time-dependent property
  • e.g. locked(x), opened(x), allocated(x), etc.
  • How can we prove x ≠ y?

4
Data Structures ⇒ Disequalities
  • Will prove x ≠ y using data structure knowledge
  • Injectivity
    • ∀ p. p->next ≠ 0 ⇒ p->next->prev = p
    • consequence: x ≠ y ⇒ x->next ≠ y->next (for non-null nexts: if x->next = y->next then x = x->next->prev = y->next->prev = y)
  • Transitivity
    • ∀ p. p->next ≠ 0 ⇒ p->next->head = p->head
    • consequence: x->head ≠ y->head ⇒ x->next ≠ y->next

5
Short Example
  • assume(x ≠ y)
  • x = x->next
  • y = y->next
  • assert(x ≠ y)

6
Short Example (as a proof obligation)
  • assume(x ≠ y)
  • x = x->next
  • y = y->next
  • assert(x ≠ y)
  • Axiom: ∀ p. p->next->prev = p
  • Hypotheses from the program (x0, y0 before the updates, x1, y1 after): x1 = x0->next, y1 = y0->next
  • Negated goal: x1 = y1
  • Question: is x0 = y0 entailed? (contradiction with assume(x0 ≠ y0)?)

7
Short Example (derivation)
  • ∀ p. p->next->prev = p
  • x1 = x0->next
  • y1 = y0->next
  • x1 = y1 (¬goal)
  • x0 = y0 ? (contr.?)

  x0->next = x1                  (hypothesis)
  x0->next->prev = x1->prev      (apply ->prev to both sides)
  x0 = x1->prev                  (axiom with p := x0)
  x0 = y1->prev                  (x1 = y1)
  x0 = y0->next->prev            (y1 = y0->next)
  x0 = y0                        (axiom with p := y0), contradicting assume(x0 ≠ y0)
8
Decision Problem
  • Given a data structure specification:
    • a set of axioms ∀ p. p->α = p->γ (α, γ, δ, ε stand for field paths)
  • and hypotheses derived from the program:
    • a set of equations x->δ = y->ε
  • are terms t1 and t2 entailed equal?
  • (Undecidable in general)

9
Knuth-Bendix (1970)
  • Question: F ⊢ t1 = t2? where F = facts (ax ∪ hyp)
  • KB completion turns F into a set of rewrite rules; e.g. the equation ∀ x. f(x) = g(g(x)) becomes the rule g(g(x)) → f(x)
  • A rewrite engine then answers t1 = t2? by rewriting both sides to normal form
  • Two ways this can fail: a non-orientable equation, or non-termination of completion
10
Orienting Rules
  • Start with a well-order on ground terms
  • Conservatively extend it to quantified terms so that rules rewrite big to small
  • Some choices:
    • KBO: length, then lexicographic
    • RPO: inclusion, then (e.g.) lexicographic

11
KB Completion: Mixing
  (1) ∀ p. p->α->β = p->γ
  (2) ∀ p. p->β->δ = p->ε
  The left-hand sides overlap on p->α->β->δ: (1) rewrites it to p->γ->δ and (2) rewrites it to p->α->ε, so completion adds the new equation
  ∀ p. p->α->ε = p->γ->δ
12
Mixing Example
  (1) ∀ p. p->B->C = p->A
  (2) ∀ p. p->A->B = p->A
  (the left-hand sides overlap on p->A->B->C, which rewrites to p->A->C by (2) and to p->A->A by (1))
13
Confluence
  • Completed system has the (local) confluence property
  • t → t1 ∧ t → t2 ⇒ ∃ t3. t1 →* t3 ∧ t2 →* t3 (with termination this gives confluence)
  • Proof
  • Case 1: disjoint redexes, t = x->α->β->γ->δ->ε

  (1) β → β′   (2) δ → δ′
  t1 = x->α->β′->γ->δ->ε    (from t by (1))
  t2 = x->α->β->γ->δ′->ε    (from t by (2))
  t3 = x->α->β′->γ->δ′->ε   (from t1 by (2), and from t2 by (1))
14
Confluence Proof, Case 2
  Case 2: overlapping redexes, t = x->α->β->γ->δ->ε
  (1) β->γ → η   (2) γ->δ → θ
  t1 = x->α->η->δ->ε   (from t by (1))
  t2 = x->α->β->θ->ε   (from t by (2))
  The overlap p->β->γ->δ is exactly a critical pair of (1) and (2); completion has added a rule joining p->η->δ and p->β->θ, so t1 and t2 still have a common reduct
15
Why Confluence is Useful
  • Suppose F ⊢ s = t
  • Then s = t1 = t2 = ... = tn-1 = tn = t
  • where each equality is justified by an axiom
  • Then ti → ti+1 or ti+1 → ti, for all i
  • But confluence: x →* y ∧ x →* z ⇒ ∃ w. y →* w ∧ z →* w
  • Then ∃ u. s →* u ∧ t →* u, by induction on n
  • Also, confluence + termination ⇒ unique normal forms, so s = t is decided by comparing normal forms

16
Ensuring Termination
  • Axioms correspond to data structures
    • change rarely ⇒ process off-line
  • Hypotheses correspond to program statements
    • change frequently ⇒ must handle on-line
  • Q: Can we restrict axioms s.t. KB(ax ∪ hyp) terminates for all hypotheses?

17
Attempt 1
  • Theorem: If KB(ax) terminates, then KB(ax ∪ hyp) terminates

Wrong!
  (a) ∀ p. p->C->A->B = p->D->D->C
  (1) x->C->C = y
      overlap on x->C->C->A->B: (1) gives y->A->B, (a) gives x->C->D->D->C, hence
  (2) x->C->D->D->C = y->A->B
      overlap on x->C->D->D->C->A->B: (2) gives y->A->B->A->B, (a) gives x->C->D->D->D->D->C, hence
  (3) x->C->D->D->D->D->C = y->A->B->A->B
      ... and so on: KB(ax) alone terminates (the axiom has no self-overlap), but KB(ax ∪ hyp) never does
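The following Python is an added example and is not code from the talk or from Scott McPeak. It implements a toy version of the procedure the slides describe for this theory: terms built from unary field symbols are words, axioms rewrite a sub-word anywhere after the leading variable, hypotheses rewrite only at the leading variable, the ordering is shortlex (the "KBO: length, then lexicographic" choice of slide 10), and completion computes critical pairs without interreduction. It runs the short example of slides 6 and 7 (deriving x0 = y0), the mixing example of slide 12, and the Attempt 1 counterexample above, where a rule-count bound stands in for non-termination. The reserved prefix symbol `p`, the tuple encoding, the rule bound and the precedence D < C (chosen so the axiom orients left to right as on the slide) are assumptions of the example.

```python
# Toy Knuth-Bendix completion for the slides' theory of unary field symbols.
# A term is a tuple of symbols: a ground term starts with a program variable
# ("x0", "y1", ...) and continues with field names; an axiom side starts with
# the reserved symbol P and stands for "forall p. p->...". Equality is a
# congruence under field access, so an axiom body may be rewritten wherever it
# occurs as a contiguous sub-word after position 0 (p binds the prefix), while
# a hypothesis lhs, naming a concrete variable, matches only at the start.
# Ordering: shortlex ("KBO: length, then lexicographic" on slide 10).
from collections import deque

P = "p"  # the universally quantified prefix variable of axioms (assumption)

def term_key(t, prec=()):
    """Shortlex key; symbols listed in `prec` rank below (in that order) the rest."""
    rank = lambda s: (prec.index(s) if s in prec else len(prec), s)
    return (len(t), tuple(rank(s) for s in t))

def rewrite_step(t, lhs, rhs):
    """One application of lhs -> rhs to t, or None if the rule does not match."""
    if lhs[0] == P:                      # axiom: body may occur anywhere after position 0
        body, rbody = lhs[1:], rhs[1:]
        for i in range(1, len(t) - len(body) + 1):
            if t[i:i + len(body)] == body:
                return t[:i] + rbody + t[i + len(body):]
        return None
    if t[:len(lhs)] == lhs:              # hypothesis: anchored at its program variable
        return rhs + t[len(lhs):]
    return None

def normalize(t, rules):
    """Rewrite to normal form; terminates since every rule decreases the shortlex
    order, which is a reduction ordering (compatible with concatenation)."""
    while True:
        for lhs, rhs in rules:
            u = rewrite_step(t, lhs, rhs)
            if u is not None:
                t = u
                break
        else:
            return t

def critical_pairs(a, b):
    """Equations from each overlap of rule b onto the lhs of rule a (a at position 0)."""
    (l1, r1), (l2, r2) = a, b
    if l2[0] != P:                       # b anchored: only a prefix overlap at position 0
        if l1[0] == P:
            return []
        placements, v, rv = [0], l2, r2
    else:                                # b an axiom: its body may start anywhere in l1's body
        placements, v, rv = range(1, len(l1)), l2[1:], r2[1:]
    out = []
    for i in placements:
        m = min(len(v), len(l1) - i)     # length of the overlapping part
        if m > 0 and l1[i:i + m] == v[:m]:
            w = l1 + v[m:]               # the peak, reducible by both rules
            out.append((r1 + w[len(l1):], w[:i] + rv + w[i + len(v):]))
    return out

def complete(equations, prec=(), max_rules=40):
    """Basic completion, no interreduction. Raises RuntimeError after `max_rules`
    rules, this example's stand-in for a non-terminating run."""
    rules, todo = [], deque(equations)
    while todo:
        s, t = todo.popleft()
        s, t = normalize(s, rules), normalize(t, rules)
        if s == t:
            continue
        if term_key(s, prec) < term_key(t, prec):
            s, t = t, s                  # orient big -> small
        if len(rules) >= max_rules:
            raise RuntimeError("no convergence within %d rules" % max_rules)
        rules.append((s, t))
        for r in rules:                  # every new critical pair involves the new rule
            todo.extend(critical_pairs(r, rules[-1]) + critical_pairs(rules[-1], r))
    return rules

def entails_equal(equations, s, t, prec=()):
    rules = complete(equations, prec)
    return normalize(s, rules) == normalize(t, rules)

# Slides 6/7: axiom, two program hypotheses and the negated goal x1 = y1;
# does x0 = y0 follow, contradicting assume(x != y)?
SHORT_EXAMPLE = [((P, "next", "prev"), (P,)), (("x1",), ("x0", "next")),
                 (("y1",), ("y0", "next")), (("x1",), ("y1",))]

def short_example_contradiction():
    return entails_equal(SHORT_EXAMPLE, ("x0",), ("y0",))

# Slide 12: the two axioms overlap on p->A->B->C, yielding p->A->C = p->A->A.
def mixing_example():
    return complete([((P, "B", "C"), (P, "A")), ((P, "A", "B"), (P, "A"))])

# Slide 17: KB of the axiom alone stops at once, but with x->C->C = y it loops.
# The precedence D < C (an assumption) orients the axiom left to right as on the slide.
ATTEMPT1_AXIOM = ((P, "C", "A", "B"), (P, "D", "D", "C"))

def attempt1_diverges():
    axiom_alone_ok = len(complete([ATTEMPT1_AXIOM], prec=("D", "C"))) == 1
    try:
        complete([ATTEMPT1_AXIOM, (("x", "C", "C"), ("y",))], prec=("D", "C"))
        return False
    except RuntimeError:
        return axiom_alone_ok
```

Run `short_example_contradiction()` to see the derivation of slide 7 reproduced by rewriting (both x0 and y0 normalize to x0), `mixing_example()` to see the third rule p->A->C → p->A->A that the overlap of slide 12 produces, and `attempt1_diverges()` to watch the rules x->C->D->D->C → y->A->B, x->C->D->D->D->D->C → y->A->B->A->B, ... grow until the bound trips, which is the failure that slides 16 to 19 set out to move off-line.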
18
Attempt 2
  • Theorem: If KB(ax ∪ RHSs) terminates, then KB(ax ∪ hyp) terminates

Wrong!
19
Attempt 3
  • Theorem: If KB(ax ∪ compl_RHSs) terminates, then KB(ax ∪ hyp) terminates

Case 2: j's LHS does not match part of a. Then a is irrelevant, so b alone is sufficient.
Orients backwards? Then b is the LHS, and the same argument applies.
20
Conclusion
  • Useful theory: equalities among expressions with unary function symbols (model pointers)
  • KB semi-decides the theory
  • We can move the non-termination potential off-line