
VeriFast Termination Checking Introduction(α)

eldesh
April 29, 2017


Material presented at 静的コード解析の会 第2回 (Static Code Analysis Meetup, 2nd session, https://metasepi.connpass.com/event/50450/).
It explains termination proofs for C (and Java) programs with VeriFast: the theoretical background of termination checking, the broad strategy VeriFast takes to perform it, and the idea behind the verification.


Transcript

  1. Sections: VeriFast overview / What is termination checking / Getting started with termination checking / Termination checking in the general case / Termination verification by pattern / References
    VeriFast Termination Checking Introduction(α)
    @eldesh
    https://twitter.com/eldesh
    http://d.hatena.ne.jp/eldesh
    静的コード解析の会 第2回 (Static Code Analysis Meetup, 2nd session)
    2017/04/29
    2017/04/29 VeriFast Termination Checking 1 / 42

  2. Outline
    1 VeriFast overview
    2 What is termination checking
    3 Getting started with termination checking
    4 Termination checking in the general case
    5 Termination verification by pattern
    6 References

  3. What is this slide?
    These slides introduce how to verify termination of C programs with VeriFast, and the concepts that underlie that feature (1).
    1: Java programs can be verified with exactly the same approach.

  4. Intended audience
    Required
    You know the C language.
    Desirable
    You know what checking preconditions and postconditions is about.

  5. What is termination checking
    Checking that a program halts (within finite time).

  6. What VeriFast checks
    Now, VeriFast checks the consistency between a program (function) and its precondition/postcondition.
    ⇒ What exactly has been verified by that?

  8. A function checked with VeriFast
    Example specification of enqueue
    void enqueue(struct queue *q, int x)
    //@ requires queue(q, ?vs);
    //@ ensures queue(q, iappend(vs, icons(x, inil)));
    {
        ...
    }

  9. Hoare triple
    A function together with its precondition and postcondition, taken as a unit of three, is called a Hoare triple.
    When treated formally, it is written as follows.
    Hoare triple
    ⊢ {P} c {Q}

  10. Meaning of a Hoare triple
    Meaning of a Hoare triple
    ⊢ {P} c {Q}  ⇔  ∀h, γ. I_fix, h |= P ∧ (h, c) ⇓ γ ⇒ γ |= Q
    Meaning of γ |= Q
    Divergence |= Q
    (n, v, h) |= Q  ⇔  I_fix, h |= Q[v/res]
    Divergence denotes the diverging outcome (an infinite loop).
  11. Meaning of a Hoare triple
    Divergence |= Q
    says that whenever execution ends in an infinite loop, the postcondition Q is taken to hold.
    ⇒ VeriFast does not verify whether the program ends in an infinite loop.

  13. Meaning of a Hoare triple
    VeriFast establishes partial correctness.
    Partial correctness
    If the program produces a result (= terminates normally), that result is guaranteed to be correct.
    Total correctness
    By contrast, when the program always produces a correct result, it is said to have total correctness.

  14. What is termination checking (again)
    Checking that a program halts (within finite time).
    Which means...
    verify termination
    ⇒ VeriFast gains total correctness
    ⇒ we can guarantee that the program always returns a correct answer

  15. Specifying termination checking
    To check that a function terminates, add terminates alongside the usual precondition and postcondition.
    Verifying a function that does nothing
    void empty_cmd(void)
    //@ requires emp;
    //@ ensures emp;
    //@ terminates;
    {
    }

  16. Trivially terminating example 1
    Primitive operations trivially terminate.
    Specification of less-than
    bool compare(int x, int y)
    //@ requires emp;
    //@ ensures result == (x < y);
    //@ terminates;
    {
        return x < y;
        // the return value matches the result of the comparison
    }

  17. Trivially terminating example 2
    An if statement trivially terminates.
    if statement
    int max_int(int x, int y)
    //@ requires emp;
    //@ ensures result == (x > y ? x : y);
    //@ terminates;
    {
        if (x > y) {
            return x;
        } else {
            return y;
        }
    }

  18. Trivially terminating example 3
    That a function which calls terminating functions also terminates can be checked automatically.
    call function
    int callee(int x)
    //@ requires emp;
    //@ ensures emp;
    //@ terminates;
    {
        return 0;
    }
    void caller(void)
    //@ requires emp;
    //@ ensures emp;
    //@ terminates;
    {
        callee(3);
    }

  19. A terminating loop
    In addition to the loop invariant, specifying a decreasing parameter lets VeriFast guarantee that the loop terminates.
    while loop
    void loop(int x)
    //@ requires 0 < x;
    //@ ensures emp;
    //@ terminates;
    {
        int i = 0;
        while (i < x)
        //@ invariant i <= x;
        //@ decreases x - i;
        {
            ++i;
        }
    }
    (The invariant i <= x is what keeps the measure x - i non-negative; a measure that strictly decreases while staying bounded below can only do so finitely many times.)

  20. A non-trivially terminating example
    Ackermann's function
    int ackermann(int m, int n)
    {
        if (m == 0) {
            return n + 1;
        } else {
            if (n == 0) {
                int r = ackermann(m - 1, 1);
                return r;
            } else {
                return ackermann(m - 1,
                                 ackermann(m, n - 1));
            }
        }
    }
    For the version with termination verified, see examples/termination/ackermann.c. It is 72 lines long.

  21. Basic idea
    It suffices to show that every call sequence has only finitely many steps.
    ⇒ How?

  22. fixpoint
    Now, VeriFast lets you write the functions that appear inside propositions with the keyword fixpoint.
    Example fixpoint function
    fixpoint int length(list xs) {
        switch (xs) {
            case nil: return 0;
            case cons(x, xs0): return 1 + length(xs0);
        }
    }
    A fixpoint always terminates.
    Why does a fixpoint always terminate?

  25. Restrictions on fixpoints
    A fixpoint definition cannot be an arbitrary function; it comes with several constraints (2).
    Restrictions on fixpoints
    The body is a single return or switch statement.
    Only inductive data can be passed to switch.
    Every constructor must be covered.
    A recursive call may only be made on data extracted by the pattern match.
    By obeying these restrictions, one avoids (odd) specifications that are undefined for some values or whose checking never stops.
    ⇒ fixpoint functions always terminate
    2: VeriFast checks each of these.

  27. Why it works for fixpoints
    The essential reasons a fixpoint terminates are:
    it is recursion over inductive data;
    each recursive call peels off one constructor (3).
    3: Inductive data is data obtained by applying constructors finitely many times to base data.

  28. Why it does not work as-is for C
    In C, termination verification is not easy.
    Data handled in C is not necessarily inductive.
    Data structures do not shrink in an obvious way.

  29. Generalizing inductive data
    To check termination in C, inductive data needs to be generalized.
    Something decreases each time a function is called.
    It suffices that it reaches a minimum in finitely many steps.
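The "something that decreases on every call" of this slide made concrete for Ackermann's function from slide 20, as an added example that is not part of the deck and is not VeriFast's examples/termination/ackermann.c: the argument pair (m, n) under lexicographic order is a ranking function, and the code checks at run time, on every recursive call, the decrease that a termination proof has to establish statically. It also counts how often the naive measure m + n fails to decrease, to show why the choice of order matters. All function and counter names are this example's own.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added example, not from the slides or from VeriFast's ackermann.c.
 * Ranking function: the pair (m, n) under lexicographic order. */

/* (m2, n2) <lex (m1, n1): the first component decides, the second breaks ties. */
static bool lex_less(int m2, int n2, int m1, int n1) {
    return m2 < m1 || (m2 == m1 && n2 < n1);
}

static unsigned long calls;          /* recursive calls made */
static unsigned long lex_violations; /* calls where (m, n) did not decrease */
static unsigned long sum_violations; /* calls where m + n did not decrease */

/* Ackermann with the parent's arguments threaded through so that every
 * recursive call can be checked against the ranking function. */
static int ack_checked(int m, int n, int pm, int pn, bool has_parent) {
    calls++;
    if (has_parent) {
        if (!lex_less(m, n, pm, pn)) lex_violations++;
        /* m + n is not a ranking function: the outer call
         * ackermann(m - 1, inner) receives an arbitrarily large second
         * argument, so the sum can grow even though the pair shrinks. */
        if (!(m + n < pm + pn)) sum_violations++;
    }
    if (m == 0) return n + 1;
    if (n == 0) return ack_checked(m - 1, 1, m, n, true);
    int inner = ack_checked(m, n - 1, m, n, true);
    return ack_checked(m - 1, inner, m, n, true);
}

/* Runs ackermann(m, n) with the measure checks, resetting the counters first. */
int ackermann_with_measure(int m, int n) {
    calls = lex_violations = sum_violations = 0;
    return ack_checked(m, n, 0, 0, false);
}

unsigned long ack_calls(void)          { return calls; }
unsigned long ack_lex_violations(void) { return lex_violations; }
unsigned long ack_sum_violations(void) { return sum_violations; }

int main(void) {
    int r = ackermann_with_measure(3, 3);
    printf("ackermann(3, 3) = %d after %lu calls\n", r, ack_calls());
    printf("lexicographic measure violated %lu times, m+n measure violated %lu times\n",
           ack_lex_violations(), ack_sum_violations());
    return 0;
}
```

Every one of the three recursive calls shrinks the pair: (m-1, 1) and (m-1, inner) lower the first component, (m, n-1) keeps it and lowers the second. The sum counter is non-zero for any call with m >= 1, which is the same reason the inductive "one constructor per call" argument of the earlier slides does not transfer directly to C data.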

  30. Something has to decrease
    What should decrease?
    Answer: call permissions

  32. call permission
    Decree that every function call requires a right called a call permission.
    To call function f, (one) call_perm(f) is needed.
    Initially, each function is given a finite stock of call_perms.
    If verification succeeds, there can only be finitely many function calls.

  33. Implementation of call permissions
    In VeriFast's standard library they are provided as built-in predicates.
    Implementation of call permissions
    // prelude.h
    predicate call_perm_(void *f;);
    // for VeriFast's own reasons there is also this one (details omitted)
    predicate call_below_perm_(void *f;);

  34. How to hand out call_perms
    Initially, each function is given a finite stock of call_perms.
    But there is no way to know which functions, and how many times, the function under verification will call...
    ⇒ Use multisets (bags).

  36. Multisets
    A multiset is a set that allows duplicate elements.
    {[1, 2, 3]} ⊎ {[2, 3, 4]} = {[1, 2, 2, 3, 3, 4]}

  37. Ordering on multisets
    Give multisets a suitable ordering, as follows.
    In order to descend down the multiset order starting from a multiset M, one can replace any element of M with any number of lesser elements of X, any number of times (a).
    (Any number of smaller elements is still smaller than a single larger element.)
    a: The paper does not name it, but this appears to be the Dershowitz-Manna ordering.
    Under this rule, for example, {[0, 0, 1, 2, 2, 2]} < {[0, 0, 0, 3]} holds.

  38. Ordering on multisets
    Using the multiset ordering, the following can be said.
    α′ < α  ⟹  call_perm(α) ⊑ n · call_perm(α′)
    That is, from one call_perm one can produce any (finite) number of call_perms for smaller functions.
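An added example (not from the deck, the paper, or VeriFast's prelude.h) that models slides 36 to 38 and the appendix in plain C: multisets of "levels" standing in for functions (a smaller level plays the role of a func_lt-smaller function), a decision procedure for the Dershowitz-Manna ordering, and a permission bag in which a call consumes one call_perm and one call_perm(α) may be traded for any finite number of call_perm(α′) with α′ < α. The descent routine checks that every trade and every call strictly decreases the bag in that ordering, which is why the process can only take finitely many steps. The names, MAX_LEVEL and the greedy strategy are this example's own assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the slides or VeriFast's prelude.h. Functions are
 * stood in for by levels 0..MAX_LEVEL-1 (a smaller level is a "smaller"
 * function, as under func_lt); the bag of call permissions is a multiset
 * of levels kept as per-level counts. MAX_LEVEL is an assumption. */
#define MAX_LEVEL 8

typedef struct { unsigned count[MAX_LEVEL]; } multiset;

multiset ms_from_array(const unsigned *xs, size_t n) {
    multiset m;
    memset(&m, 0, sizeof m);
    for (size_t i = 0; i < n; i++)
        if (xs[i] < MAX_LEVEL) m.count[xs[i]]++;
    return m;
}

bool ms_empty(const multiset *m) {
    for (unsigned x = 0; x < MAX_LEVEL; x++)
        if (m->count[x]) return false;
    return true;
}

/* Dershowitz-Manna ordering: a < b iff a != b and, for every x that a has
 * more copies of than b, b has more copies than a of some y > x. This is
 * the "replace one element by any number of smaller ones" rule in the
 * form of a decision procedure. */
bool dm_less(const multiset *a, const multiset *b) {
    if (memcmp(a->count, b->count, sizeof a->count) == 0) return false;
    for (unsigned x = 0; x < MAX_LEVEL; x++) {
        if (a->count[x] <= b->count[x]) continue;
        bool compensated = false;
        for (unsigned y = x + 1; y < MAX_LEVEL && !compensated; y++)
            compensated = b->count[y] > a->count[y];
        if (!compensated) return false;
    }
    return true;
}

/* Calling the function at `level` consumes one call_perm for it. */
bool perm_spend(multiset *bag, unsigned level) {
    if (level >= MAX_LEVEL || bag->count[level] == 0) return false;
    bag->count[level]--;
    return true;
}

/* low < high: trade one call_perm(high) for n copies of call_perm(low). */
bool perm_exchange(multiset *bag, unsigned high, unsigned low, unsigned n) {
    if (high >= MAX_LEVEL || low >= high || bag->count[high] == 0) return false;
    bag->count[high]--;
    bag->count[low] += n;
    return true;
}

/* Greedy descent: trade the largest permission for two at the next level
 * down, or spend it if it is already level 0. Returns the number of steps
 * until the bag is empty, or 0 if some step failed to descend in the DM
 * order (which would break the well-foundedness argument). */
unsigned descend_steps(multiset bag) {
    unsigned steps = 0;
    while (!ms_empty(&bag)) {
        multiset before = bag;
        unsigned top = 0;
        for (unsigned x = MAX_LEVEL; x-- > 0;)
            if (bag.count[x]) { top = x; break; }
        if (top == 0) perm_spend(&bag, 0);
        else perm_exchange(&bag, top, top - 1, 2);
        if (!dm_less(&bag, &before)) return 0;
        steps++;
    }
    return steps;
}

/* The slide's example: {[0,0,1,2,2,2]} < {[0,0,0,3]}, but not the reverse. */
bool slide_example_holds(void) {
    unsigned a[] = {0, 0, 1, 2, 2, 2}, b[] = {0, 0, 0, 3};
    multiset ma = ms_from_array(a, 6), mb = ms_from_array(b, 4);
    return dm_less(&ma, &mb) && !dm_less(&mb, &ma);
}

/* Steps needed to exhaust a bag holding a single permission at `level`. */
unsigned descend_from_single(unsigned level) {
    multiset m = ms_from_array(&level, 1);
    return descend_steps(m);
}

int main(void) {
    printf("slide 37 example holds: %d\n", slide_example_holds());
    printf("steps to exhaust {[3]}: %u\n", descend_from_single(3));
    return 0;
}
```

Starting from a single call_perm at level 3, the greedy strategy performs 1 + 2 + 4 + 8 = 15 steps before the bag is empty: the number grows with the level but is always finite, and dm_less confirms each step was a genuine descent. A trade in the other direction (perm_exchange with low >= high) is refused, mirroring the side condition α′ < α on the slide.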

  39. Ordering on functions
    Multisets had to be given elements carrying a suitable partial order.
    Defining the order on call_perms requires an order on functions.
    But giving an order on functions is a lot of work in the first place...

  41. Ordering on functions
    VeriFast has a function that compares any two function pointers.
    Ordering on functions
    // prelude.h
    fixpoint bool func_lt(void *f, void *g);
    /* VeriFast built-in function */

  42. Ordering on functions
    Just use the order in which the functions appear in the source code!
    Ordering on functions
    void foo(void)
    //@ requires emp;
    //@ ensures emp;
    { }
    void bar(void)
    //@ requires emp;
    //@ ensures emp;
    { }
    void cmp(void)
    //@ requires emp;
    //@ ensures emp;
    {
        //@ assert func_lt(foo, bar) == true;
        //@ assert func_lt(bar, foo) == false;
    }

  43. Deriving a call_perm
    Using the built-in command produce_call_below_perm_ (4), generate the proposition call_below_perm_(f) for the function f that executed it.
    produce_call_below_perm
    void func(void)
    //@ requires emp;
    //@ ensures call_below_perm_(func);
    {
        //@ produce_call_below_perm_();
        //@ assert(call_below_perm_(func));
    }
    4: Called a ghost command.

  44. Implementation patterns
    The referenced paper [1] classifies the programs to be verified, for convenience of exposition, as follows.
    Upcalls Only pattern
    Static Recursion pattern
    Dynamic Binding pattern

  45. Upcalls Only
    Every called function is already defined at that point, and there is no recursion. In this case verification needs only the derivation of the call_perm on the callee side to be specified (5).
    5: That is not to say it is easy.

  46. Static Recursion
    Recursion within a single layer. In this case each of the functions forming the recursion demands the maximal call_perm.

  47. Dynamic Binding
    Calling methods exposed by an abstracted interface. In C this corresponds to receiving a function pointer and calling it; in Java, to using an interface directly (6).
    In this case the arguments and the call_perm together form the measure (the decreasing parameter).
    6: Using class invariants.

  48. References
    [1] Bart Jacobs, Dragan Bosnacki, Ruurd Kuiper. Modular Termination Verification. ECOOP 2015. http://www.cs.kuleuven.be/~bartj/ecoop2015.pdf
    VeriFast official web site: https://people.cs.kuleuven.be/~bart.jacobs/verifast/
    VeriFast Tutorial (Japanese translation): https://github.com/jverifast-ug/translate/

  49. Appendix
    The ordering on multisets
    The ordering introduced on multisets is called the Dershowitz–Manna ordering, and it is known to be a well-founded ordering.
    ⇒ That is, a minimum is always reached in finitely many steps.

  50. Appendix
    Applications
    Termination checking is expected to be applicable to verifying properties other than termination.
    Proving deadlock freedom from the fact that a concurrent program terminates.
    Proving liveness by stating that something does not terminate.