VeriFast Termination Checking Introduction(α)

Transcript

1. ໨࣍ VeriFast ֓આ ఀࢭੑݕࠪͱ͸Կ͔ ఀࢭੑݕࠪ͜ͱ͸͡Ί Ұൠͷ৔߹ͷఀࢭੑݕࠪ ύλʔϯผఀࢭੑݕূ ࢀর VeriFast Termination

   Checking Introduction(α) @eldesh https://twitter.com/eldesh http://d.hatena.ne.jp/eldesh ੩తίʔυղੳͷձ ୈ 2 ճ 2017/04/29 2017/04/29 VeriFast Termination Checking 1 / 42

2. ໨࣍ VeriFast ֓આ ఀࢭੑݕࠪͱ͸Կ͔ ఀࢭੑݕࠪ͜ͱ͸͡Ί Ұൠͷ৔߹ͷఀࢭੑݕࠪ ύλʔϯผఀࢭੑݕূ ࢀর ໨࣍ 1

   VeriFast ֓આ 2 ఀࢭੑݕࠪͱ͸Կ͔ 3 ఀࢭੑݕࠪ͜ͱ͸͡Ί 4 Ұൠͷ৔߹ͷఀࢭੑݕࠪ 5 ύλʔϯผఀࢭੑݕূ 6 ࢀর 2017/04/29 VeriFast Termination Checking 2 / 42

3. ໨࣍ VeriFast ֓આ ఀࢭੑݕࠪͱ͸Կ͔ ఀࢭੑݕࠪ͜ͱ͸͡Ί Ұൠͷ৔߹ͷఀࢭੑݕࠪ ύλʔϯผఀࢭੑݕূ ࢀর What is

   this slide? ͜ͷεϥΠυͰ͸ VeriFast ʹΑΔ C ݴޠϓϩάϥϜͷఀࢭੑݕূͷํ๏ͱɺ ͦͷػೳͷجૅͱͳΔ֓೦ʹ͍ͭͯ঺հ͠·͢ 1ɻ 1Java Ͱ΋શ͘ಉ༷ͷߟ͑ํͰݕূग़དྷ·͢ 2017/04/29 VeriFast Termination Checking 3 / 42

4. ໨࣍ VeriFast ֓આ ఀࢭੑݕࠪͱ͸Կ͔ ఀࢭੑݕࠪ͜ͱ͸͡Ί Ұൠͷ৔߹ͷఀࢭੑݕࠪ ύλʔϯผఀࢭੑݕূ ࢀর ૝ఆ/ର৅ௌऺ ඞਢ

   C ݴޠ͕෼͔Δ ๬·͍͠ ࣄલ/ࣄޙ৚݅ͷݕ͕ࠪͲΜͳ΋ͷͳͷ͔෼͔Δ 2017/04/29 VeriFast Termination Checking 4 / 42

5. ໨࣍ VeriFast ֓આ ఀࢭੑݕࠪͱ͸Կ͔ ఀࢭੑݕࠪ͜ͱ͸͡Ί Ұൠͷ৔߹ͷఀࢭੑݕࠪ ύλʔϯผఀࢭੑݕূ ࢀর ఀࢭੑݕࠪͱ͸ ϓϩάϥϜ͕

   (༗ݶ࣌ؒ಺ʹ) ఀࢭ͢Δ͜ͱΛݕࠪ͢Δ͜ͱɻ 2017/04/29 VeriFast Termination Checking 5 / 42

6. ໨࣍ VeriFast ֓આ ఀࢭੑݕࠪͱ͸Կ͔ ఀࢭੑݕࠪ͜ͱ͸͡Ί Ұൠͷ৔߹ͷఀࢭੑݕࠪ ύλʔϯผఀࢭੑݕূ ࢀর VeriFast ͕ݕࠪ͢Δ͜ͱ

   ͱ͜ΖͰɺVeriFast ͸ϓϩάϥϜ (ؔ਺) ͱɺͦͷࣄલ৚݅/ࣄޙ৚݅ͱͷҰ ؏ੑΛݕࠪ͢Δɻ 2017/04/29 VeriFast Termination Checking 6 / 42

7. ໨࣍ VeriFast ֓આ ఀࢭੑݕࠪͱ͸Կ͔ ఀࢭੑݕࠪ͜ͱ͸͡Ί Ұൠͷ৔߹ͷఀࢭੑݕࠪ ύλʔϯผఀࢭੑݕূ ࢀর VeriFast ͕ݕࠪ͢Δ͜ͱ

   ͱ͜ΖͰɺVeriFast ͸ϓϩάϥϜ (ؔ਺) ͱɺͦͷࣄલ৚݅/ࣄޙ৚݅ͱͷҰ ؏ੑΛݕࠪ͢Δɻ ⇒ ͜Ε͸Կ͕ݕূग़དྷ͍ͯΔͷ͔ɻ 2017/04/29 VeriFast Termination Checking 6 / 42

8. ໨࣍ VeriFast ֓આ ఀࢭੑݕࠪͱ͸Կ͔ ఀࢭੑݕࠪ͜ͱ͸͡Ί Ұൠͷ৔߹ͷఀࢭੑݕࠪ ύλʔϯผఀࢭੑݕূ ࢀর VeriFast Ͱݕࠪͨؔ͠਺

   ΤϯΩϡʔͷ࢓༷ͷྫ void enqueue(struct queue *q, int x) //@ requires queue(q, ?vs); //@ ensures queue(q, iappend(vs , icons(x, inil ))); { ... } 2017/04/29 VeriFast Termination Checking 7 / 42

9. ໨࣍ VeriFast ֓આ ఀࢭੑݕࠪͱ͸Կ͔ ఀࢭੑݕࠪ͜ͱ͸͡Ί Ұൠͷ৔߹ͷఀࢭੑݕࠪ ύλʔϯผఀࢭੑݕূ ࢀর Hoare triple

   ؔ਺ͱɺͦͷࣄલ৚݅/ࣄޙ৚݅ 3 ͭΛ߹Θͤͯ Hoare triple ͱݺͿɻ ͜ΕΛܗࣜతʹѻ͏ࡍʹ͸ҎԼͷΑ͏ʹදه͢Δɻ Hoare triple ⊢ {P} c {Q} 2017/04/29 VeriFast Termination Checking 8 / 42

10. ໨࣍ VeriFast ֓આ ఀࢭੑݕࠪͱ͸Կ͔ ఀࢭੑݕࠪ͜ͱ͸͡Ί Ұൠͷ৔߹ͷఀࢭੑݕࠪ ύλʔϯผఀࢭੑݕূ ࢀর Hoare triple

    ͷҙຯ ؔ਺ͱɺͦͷࣄલ৚݅/ࣄޙ৚݅ 3 ͭΛ߹Θͤͯ Hoare triple ͱݺͿɻ Hoare triple ͷҙຯ ⊢ {P} c {Q} ⇔ ∀h, γ.Ifix , h |= P ∧ (h, c) ⇓ γ ⇒ γ |= Q γ |= Q ͷҙຯ Divergence |= Q Ifix , h |= Q[v/res] (n, v, h) |= Q Divergence ͸ൃࢄͨ͠ঢ়ଶ (ແݶϧʔϓ) Λද͢ɻ 2017/04/29 VeriFast Termination Checking 9 / 42

11. ໨࣍ VeriFast ֓આ ఀࢭੑݕࠪͱ͸Կ͔ ఀࢭੑݕࠪ͜ͱ͸͡Ί Ұൠͷ৔߹ͷఀࢭੑݕࠪ ύλʔϯผఀࢭੑݕূ ࢀর Hoare triple

    ͷҙຯ Divergence |= Q ͱ͍͏͜ͱ͸ɺແݶϧʔϓʹͳͬͨ৔߹͸ৗʹ Q ࣄޙ৚ ͕݅੒Γཱͭͱݴ͍ͬͯΔɻ 2017/04/29 VeriFast Termination Checking 10 / 42

12. ໨࣍ VeriFast ֓આ ఀࢭੑݕࠪͱ͸Կ͔ ఀࢭੑݕࠪ͜ͱ͸͡Ί Ұൠͷ৔߹ͷఀࢭੑݕࠪ ύλʔϯผఀࢭੑݕূ ࢀর Hoare triple

    ͷҙຯ Divergence |= Q ͱ͍͏͜ͱ͸ɺແݶϧʔϓʹͳͬͨ৔߹͸ৗʹ Q ࣄޙ৚ ͕݅੒Γཱͭͱݴ͍ͬͯΔɻ ⇒VerifFast ͸ແݶϧʔϓʹͳΔ͔Ͳ͏͔͸ݕূ͠ͳ͍ 2017/04/29 VeriFast Termination Checking 10 / 42

13. ໨࣍ VeriFast ֓આ ఀࢭੑݕࠪͱ͸Կ͔ ఀࢭੑݕࠪ͜ͱ͸͡Ί Ұൠͷ৔߹ͷఀࢭੑݕࠪ ύλʔϯผఀࢭੑݕূ ࢀর Hoare triple

    ͷҙຯ VeriFast ͸෦෼ਖ਼౰ੑ (partial correctness) Λ࣋ͭɻ ෦෼ਖ਼౰ੑ ϓϩάϥϜͷ࣮ߦ݁Ռ͕ग़ͨ (=ਖ਼͘͠ऴྃͨ͠) ৔߹ʹ ͦͷਖ਼͠͞Λอূ͢Δ ⇕ Partial Correctness ͜Εʹରͯ͠ɺৗʹϓϩάϥϜ͕ਖ਼͍݁͠ՌΛग़ྗ͢Δ৔߹ɺ͜ΕΛ׬શ ਖ਼౰ੑ (Total Correctness) Λ࣋ͭ ͱ͍͏ɻ 2017/04/29 VeriFast Termination Checking 11 / 42

14. ໨࣍ VeriFast ֓આ ఀࢭੑݕࠪͱ͸Կ͔ ఀࢭੑݕࠪ͜ͱ͸͡Ί Ұൠͷ৔߹ͷఀࢭੑݕࠪ ύλʔϯผఀࢭੑݕূ ࢀর ఀࢭੑݕࠪͱ͸ (࠶)

    ࠶ ϓϩάϥϜ͕ (༗ݶ࣌ؒ಺ʹ) ఀࢭ͢Δ͜ͱΛݕࠪ͢Δ͜ͱɻ ͱ͍͏͜ͱ͸. . . ఀࢭੑΛݕূ͢Δ ⇕ VeriFast ʹ׬શਖ਼౰ੑΛ༩͑Δ ⇕ ϓϩάϥϜ͕ৗʹਖ਼͍͠౴͑Λฦ͢͜ͱΛอূͰ͖Δ 2017/04/29 VeriFast Termination Checking 12 / 42

15. ໨࣍ VeriFast ֓આ ఀࢭੑݕࠪͱ͸Կ͔ ఀࢭੑݕࠪ͜ͱ͸͡Ί Ұൠͷ৔߹ͷఀࢭੑݕࠪ ύλʔϯผఀࢭੑݕূ ࢀর ఀࢭੑݕࠪͷࢦఆ ؔ਺ͷఀࢭੑΛݕࠪ͢Δʹ͸௨ৗͷࣄલ,

    ࣄޙ৚݅ͷଞʹ terminates Λࢦ ఆ͢Δ. Կ΋͠ͳ͍ؔ਺ͷݕূ void empty_cmd (void) //@ requires emp; //@ ensures emp; //@ terminates; { } 2017/04/29 VeriFast Termination Checking 13 / 42

16. ໨࣍ VeriFast ֓આ ఀࢭੑݕࠪͱ͸Կ͔ ఀࢭੑݕࠪ͜ͱ͸͡Ί Ұൠͷ৔߹ͷఀࢭੑݕࠪ ύλʔϯผఀࢭੑݕূ ࢀর ࣗ໌ʹఀࢭ͢Δྫ 1

    ϓϦϛςΟϒͳԋࢉ͸ࣗ໌ʹఀࢭ͢Δɻ less than ͷ࢓༷ bool compare (int x, int y) //@ requires emp; //@ ensures result == (x < y); //@ terminates; { return x < y; // ฦΓ஋͸େখൺֱͷ݁ՌʹҰக͢Δ } 2017/04/29 VeriFast Termination Checking 14 / 42

17. ໨࣍ VeriFast ֓આ ఀࢭੑݕࠪͱ͸Կ͔ ఀࢭੑݕࠪ͜ͱ͸͡Ί Ұൠͷ৔߹ͷఀࢭੑݕࠪ ύλʔϯผఀࢭੑݕূ ࢀর ࣗ໌ʹఀࢭ͢Δྫ 2

    if จ͸ࣗ໌ʹఀࢭ͢Δɻ if statement int max_int (int x, int y) //@ requires emp; //@ ensures result == (x > y ? x : y); //@ terminates; { if (x > y) { return x; } else { return y; } } 2017/04/29 VeriFast Termination Checking 15 / 42

18. ໨࣍ VeriFast ֓આ ఀࢭੑݕࠪͱ͸Կ͔ ఀࢭੑݕࠪ͜ͱ͸͡Ί Ұൠͷ৔߹ͷఀࢭੑݕࠪ ύλʔϯผఀࢭੑݕূ ࢀর ࣗ໌ʹఀࢭ͢Δྫ 3

    ఀࢭ͢Δؔ਺ΛݺͿؔ਺΋ఀࢭ͢Δ͜ͱ͕ࣗಈͰݕࠪͰ͖Δɻ call function int callee (int x) //@ requires emp; //@ ensures emp; //@ terminates; { return 0; } void caller (void) //@ requires emp; //@ ensures emp; //@ terminates; { callee (3); } 2017/04/29 VeriFast Termination Checking 16 / 42

19. ໨࣍ VeriFast ֓આ ఀࢭੑݕࠪͱ͸Կ͔ ఀࢭੑݕࠪ͜ͱ͸͡Ί Ұൠͷ৔߹ͷఀࢭੑݕࠪ ύλʔϯผఀࢭੑݕূ ࢀর ఀࢭ͢Δϧʔϓ ϧʔϓΠϯόϦΞϯτʹՃ͑ͯɺݮগ͢ΔύϥϝʔλΛࢦఆ͢Δ͜ͱͰఀ

    ࢭ͢Δ͜ͱ͕อোͰ͖Δɻ while loop void loop (int x) //@ requires 0 < x; //@ ensures emp; //@ terminates; { int i = 0; while (i < x) //@ invariant i <= x; //@ decreases x - i; { ++i; } } 2017/04/29 VeriFast Termination Checking 17 / 42

20. ໨࣍ VeriFast ֓આ ఀࢭੑݕࠪͱ͸Կ͔ ఀࢭੑݕࠪ͜ͱ͸͡Ί Ұൠͷ৔߹ͷఀࢭੑݕࠪ ύλʔϯผఀࢭੑݕূ ࢀর ࣗ໌Ͱ͸ͳ͍ఀࢭ͢Δྫ ΞοΧʔϚϯؔ਺

    int ackermann(int m, int n) { if (m == 0) { return n + 1; } else { if (n == 0) { int r = ackermann(m - 1, 1); return r; } else { return ackermann(m - 1, ackermann(m, n - 1)); } } } ఀࢭੑΛݕূͨ͠ίʔυ͸ examples/termination/ackermann.c Λࢀরɻ72 ߦ͋Δɻ 2017/04/29 VeriFast Termination Checking 18 / 42

21. ໨࣍ VeriFast ֓આ ఀࢭੑݕࠪͱ͸Կ͔ ఀࢭੑݕࠪ͜ͱ͸͡Ί Ұൠͷ৔߹ͷఀࢭੑݕࠪ ύλʔϯผఀࢭੑݕূ ࢀর جຊతͳൃ૝ શͯͷݺͼग़͠γʔέϯε͕༗ݶεςοϓ௕͔͠ͳ͍͜ͱΛࣔͤ͹ྑ͍ɻ

    ⇒ Ͳ͏͢Δ͔ 2017/04/29 VeriFast Termination Checking 19 / 42

22. ໨࣍ VeriFast ֓આ ఀࢭੑݕࠪͱ͸Կ͔ ఀࢭੑݕࠪ͜ͱ͸͡Ί Ұൠͷ৔߹ͷఀࢭੑݕࠪ ύλʔϯผఀࢭੑݕূ ࢀর fixpoint ͱ͜ΖͰ

    VeriFast ͸໋୊தͷؔ਺Λ fixpoint ͱ͍͏ΩʔϫʔυͰهड़͢Δ ͜ͱ͕ग़དྷΔɻ fixpoint ؔ਺ͷྫ fixpoint int length <t>(list <t> xs) { switch (xs) { case nil: return 0; case cons(x, xs0): return 1 + length(xs0); } } 2017/04/29 VeriFast Termination Checking 20 / 42

23. ໨࣍ VeriFast ֓આ ఀࢭੑݕࠪͱ͸Կ͔ ఀࢭੑݕࠪ͜ͱ͸͡Ί Ұൠͷ৔߹ͷఀࢭੑݕࠪ ύλʔϯผఀࢭੑݕূ ࢀর fixpoint fixpoint

    ͸ඞͣఀࢭ͢Δɻ fixpoint ؔ਺ͷྫ fixpoint int length <t>(list <t> xs) { switch (xs) { case nil: return 0; case cons(x, xs0): return 1 + length(xs0); } } 2017/04/29 VeriFast Termination Checking 20 / 42

24. ໨࣍ VeriFast ֓આ ఀࢭੑݕࠪͱ͸Կ͔ ఀࢭੑݕࠪ͜ͱ͸͡Ί Ұൠͷ৔߹ͷఀࢭੑݕࠪ ύλʔϯผఀࢭੑݕূ ࢀর fixpoint fixpoint

    ͸ͳͥඞͣఀࢭ͢Δͷ͔ fixpoint ؔ਺ͷྫ fixpoint int length <t>(list <t> xs) { switch (xs) { case nil: return 0; case cons(x, xs0): return 1 + length(xs0); } } 2017/04/29 VeriFast Termination Checking 20 / 42

25. ໨࣍ VeriFast ֓આ ఀࢭੑݕࠪͱ͸Կ͔ ఀࢭੑݕࠪ͜ͱ͸͡Ί Ұൠͷ৔߹ͷఀࢭੑݕࠪ ύλʔϯผఀࢭੑݕূ ࢀর fixpoint ͷ੍ݶ

    fixpoint ʹΑΔؔ਺ͷఆٛʹ͸ɺ೚ҙͷؔ਺͕هड़Ͱ͖ΔΘ͚Ͱ͸ͳ͘ز ੍͔ͭ໿͕൐͏ 2ɻ fixpoint ͷ੍ݶ ୯ಠͷ return ·ͨ͸ switch จͰ͋Δ͜ͱ switch ʹ౉ͤΔͷ͸ inductive σʔλͷΈ શͯͷίϯετϥΫλʹ͍ͭͯఆٛ͞Ε͍ͯΔ͜ͱ ࠶ؼ͢Δ৔߹͸ύλʔϯϚονͰऔΓग़ͨ͠σʔλʹ͍ͭͯࣗ਎Λݺ ΜͰ͍Δ͜ͱ Ҏ্ͷΑ͏ͳ੍ݶΛकΔ͜ͱͰɺ஋ʹґͬͯ͸ະఆٛ͋Δ͍͸ݕ͕ࠪࢭ· Βͳ͘ͳΔΑ͏ͳ (͓͔͠ͳ) ࢓༷Λආ͚Δ͜ͱ͕Ͱ͖Δɻ 2ͦΕͧΕ VeriFast ͕ݕࠪ͢Δ 2017/04/29 VeriFast Termination Checking 21 / 42

26. ໨࣍ VeriFast ֓આ ఀࢭੑݕࠪͱ͸Կ͔ ఀࢭੑݕࠪ͜ͱ͸͡Ί Ұൠͷ৔߹ͷఀࢭੑݕࠪ ύλʔϯผఀࢭੑݕূ ࢀর fixpoint ͷ੍ݶ

    fixpoint ʹΑΔؔ਺ͷఆٛʹ͸ɺ೚ҙͷؔ਺͕هड़Ͱ͖ΔΘ͚Ͱ͸ͳ͘ز ੍͔ͭ໿͕൐͏ 2ɻ fixpoint ͷ੍ݶ ୯ಠͷ return ·ͨ͸ switch จͰ͋Δ͜ͱ switch ʹ౉ͤΔͷ͸ inductive σʔλͷΈ શͯͷίϯετϥΫλʹ͍ͭͯఆٛ͞Ε͍ͯΔ͜ͱ ࠶ؼ͢Δ৔߹͸ύλʔϯϚονͰऔΓग़ͨ͠σʔλʹ͍ͭͯࣗ਎Λݺ ΜͰ͍Δ͜ͱ Ҏ্ͷΑ͏ͳ੍ݶΛकΔ͜ͱͰɺ஋ʹґͬͯ͸ະఆٛ͋Δ͍͸ݕ͕ࠪࢭ· Βͳ͘ͳΔΑ͏ͳ (͓͔͠ͳ) ࢓༷Λආ͚Δ͜ͱ͕Ͱ͖Δɻ ⇒fixpoint ؔ਺͸ඞͣఀࢭ͢Δ 2ͦΕͧΕ VeriFast ͕ݕࠪ͢Δ 2017/04/29 VeriFast Termination Checking 21 / 42

27. ໨࣍ VeriFast ֓આ ఀࢭੑݕࠪͱ͸Կ͔ ఀࢭੑݕࠪ͜ͱ͸͡Ί Ұൠͷ৔߹ͷఀࢭੑݕࠪ ύλʔϯผఀࢭੑݕূ ࢀর fixpoint Ͱ͏·͍͘͘ཧ༝

    fixpoint ͕ఀࢭ͢Δॏཁͳཧ༝͸ɺ inductive σʔλ্ͷ࠶ؼͰ͋Δ ࠶ؼݺͼग़͠ຖʹίϯετϥΫλ͕Ұͭͣͭണ͕Ε͍ͯ͘ 3 3Inductive σʔλͱ͍͏ͷ͸ɺجఈͷσʔλʹίϯετϥΫλΛ༗ݶճద༻ͯ͠ಘΒΕΔ σʔλͷ͜ͱ 2017/04/29 VeriFast Termination Checking 22 / 42

28. ໨࣍ VeriFast ֓આ ఀࢭੑݕࠪͱ͸Կ͔ ఀࢭੑݕࠪ͜ͱ͸͡Ί Ұൠͷ৔߹ͷఀࢭੑݕࠪ ύλʔϯผఀࢭੑݕূ ࢀর C ݴޠͰ͏·͍͔͘ͳ͍ཧ༝

    C ݴޠͰ͸ఀࢭੑݕূ͸؆୯Ͱ͸ͳ͍ɻ C ݴޠͰѻ͏σʔλ͸ inductive ͱ͸ݶΒͳ͍ ෼͔Γ΍͘͢σʔλߏ଄͕খ͘͞ͳΒͳ͍ 2017/04/29 VeriFast Termination Checking 23 / 42

29. ໨࣍ VeriFast ֓આ ఀࢭੑݕࠪͱ͸Կ͔ ఀࢭੑݕࠪ͜ͱ͸͡Ί Ұൠͷ৔߹ͷఀࢭੑݕࠪ ύλʔϯผఀࢭੑݕূ ࢀর inductive σʔλΛҰൠԽ

    C ݴޠͰఀࢭੑΛݕࠪ͢Δʹ͸ Inductive σʔλΛҰൠԽ͢Δඞཁ͕͋Δɻ ؔ਺Λݺͼग़࣌͢ʹԿ͔͕ݮগ͢Δ ༗ݶεςοϓͰ࠷খ஋ʹͳΕ͹Α͍ 2017/04/29 VeriFast Termination Checking 24 / 42

30. ໨࣍ VeriFast ֓આ ఀࢭੑݕࠪͱ͸Կ͔ ఀࢭੑݕࠪ͜ͱ͸͡Ί Ұൠͷ৔߹ͷఀࢭੑݕࠪ ύλʔϯผఀࢭੑݕূ ࢀর Կ͔͕ݮΕ͹Α͍ Կ͕ݮΕ͹͍͍ͩΖ͏ʁ

    2017/04/29 VeriFast Termination Checking 25 / 42

31. ໨࣍ VeriFast ֓આ ఀࢭੑݕࠪͱ͸Կ͔ ఀࢭੑݕࠪ͜ͱ͸͡Ί Ұൠͷ৔߹ͷఀࢭੑݕࠪ ύλʔϯผఀࢭੑݕূ ࢀর Կ͔͕ݮΕ͹Α͍ Կ͕ݮΕ͹͍͍ͩΖ͏ʁ

    ౴͑ɿcall-permission 2017/04/29 VeriFast Termination Checking 25 / 42

32. ໨࣍ VeriFast ֓આ ఀࢭੑݕࠪͱ͸Կ͔ ఀࢭੑݕࠪ͜ͱ͸͡Ί Ұൠͷ৔߹ͷఀࢭੑݕࠪ ύλʔϯผఀࢭੑݕূ ࢀর call permission

    ؔ਺ݺͼग़͠ʹ͸ඞͣ call permission ͱ͍͏ݖར͕ඞཁͱ͍͏͜ͱʹ ͢Δɻ ؔ਺ f ΛݺͿͨΊʹ call_perm(f) ͕ (Ұͭ) ඞཁ ࠷ॳʹؔ਺ͦΕͧΕͷ༗ݶݸͷ call_perm ͷετοΫΛ༩͑Δ ݕূग़དྷΕ͹༗ݶճ͔ؔ͠਺ݺͼग़͠͸ແ͍͸ͣͰ͋Δ 2017/04/29 VeriFast Termination Checking 26 / 42

33. ໨࣍ VeriFast ֓આ ఀࢭੑݕࠪͱ͸Կ͔ ఀࢭੑݕࠪ͜ͱ͸͡Ί Ұൠͷ৔߹ͷఀࢭੑݕࠪ ύλʔϯผఀࢭੑݕূ ࢀর call permission

    ͷ࣮૷ VeriFast ͷඪ४ϥΠϒϥϦͰ͸૊ΈࠐΈͷड़ޠͱͯ͠ఏڙ͞ΕΔɻ call permission ͷ࣮૷ // prelude.h predicate call_perm_(void *f;); // VeriFast ͷ౎߹Ͱ͜͏͍͏Ϟϊ΋͋Δ (ৄࡉ͸ׂѪ) predicate call_below_perm_ (void *f;); 2017/04/29 VeriFast Termination Checking 27 / 42

34. ໨࣍ VeriFast ֓આ ఀࢭੑݕࠪͱ͸Կ͔ ఀࢭੑݕࠪ͜ͱ͸͡Ί Ұൠͷ৔߹ͷఀࢭੑݕࠪ ύλʔϯผఀࢭੑݕূ ࢀর call_perm ΛͲ͏΍ͬͯ༩͑Δ͔

    ࠷ॳʹؔ਺ͦΕͧΕͷ༗ݶݸͷ call_perm ͷετοΫΛ༩͑Δ ݕূ͠Α͏ͱ͍ͯ͠Δؔ਺͕Ͳͷؔ਺ΛԿ౓ݺͿ͔ͳΜͯ෼͔Βͳ͍. . . 2017/04/29 VeriFast Termination Checking 28 / 42

35. ໨࣍ VeriFast ֓આ ఀࢭੑݕࠪͱ͸Կ͔ ఀࢭੑݕࠪ͜ͱ͸͡Ί Ұൠͷ৔߹ͷఀࢭੑݕࠪ ύλʔϯผఀࢭੑݕূ ࢀর call_perm ΛͲ͏΍ͬͯ༩͑Δ͔

    ࠷ॳʹؔ਺ͦΕͧΕͷ༗ݶݸͷ call_perm ͷετοΫΛ༩͑Δ ݕূ͠Α͏ͱ͍ͯ͠Δؔ਺͕Ͳͷؔ਺ΛԿ౓ݺͿ͔ͳΜͯ෼͔Βͳ͍. . . ⇒ ଟॏू߹ (multiset,bag) Λ࢖͏ 2017/04/29 VeriFast Termination Checking 28 / 42

36. ໨࣍ VeriFast ֓આ ఀࢭੑݕࠪͱ͸Կ͔ ఀࢭੑݕࠪ͜ͱ͸͡Ί Ұൠͷ৔߹ͷఀࢭੑݕࠪ ύλʔϯผఀࢭੑݕূ ࢀর ଟॏू߹ ଟॏू߹͸ɺཁૉͷॏෳΛڐ͢ू߹ɻ

    {[1, 2, 3]} ⊎ {[2, 3, 4]} = {[1, 2, 2, 3, 3, 4]} 2017/04/29 VeriFast Termination Checking 29 / 42

37. ໨࣍ VeriFast ֓આ ఀࢭੑݕࠪͱ͸Կ͔ ఀࢭੑݕࠪ͜ͱ͸͡Ί Ұൠͷ৔߹ͷఀࢭੑݕࠪ ύλʔϯผఀࢭੑݕূ ࢀর ଟॏू߹ͷॱং ଟॏू߹ʹҎԼͷΑ͏ͳద౰ͳॱংؔ܎Λ༩͑Δɻ

    In order to descend down the multiset order starting from a multiset M, one can replace any element of M with any number of lesser elements of X, any number of timesa. (খ͍͞ཁૉ͸زͭ͋ͬͯ΋ΑΓେ͖͍ཁૉ 1 ͭΑΓখ͍͞) a࿦จதͰݴٴ͕ແ͍͕ Dershowitz-Manna Ordering ͩͱࢥΘΕΔ ͜ͷنଇʹै͑͹ྫ͑͹ {[0, 0, 1, 2, 2, 2]} < {[0, 0, 0, 3]} ͕੒Γཱͭɻ 2017/04/29 VeriFast Termination Checking 30 / 42

38. ໨࣍ VeriFast ֓આ ఀࢭੑݕࠪͱ͸Կ͔ ఀࢭੑݕࠪ͜ͱ͸͡Ί Ұൠͷ৔߹ͷఀࢭੑݕࠪ ύλʔϯผఀࢭੑݕূ ࢀর ଟॏू߹ͷॱং ଟॏू߹ͷॱংؔ܎Λ࢖͏ͱҎԼͷ͜ͱ͕ݴ͑Δɻ

    α′ < α =⇒ call_perm(α) ⊑ n · call_perm(α′) ͭ·Γɺ͋Δ call_perm ͔ΒɺΑΓখ͍ؔ͞਺ͷ call_perm ͸زͭͰ΋ (༗ ݶͷൣғͰ) ࡞Γग़ͤΔɻ 2017/04/29 VeriFast Termination Checking 31 / 42

39. ໨࣍ VeriFast ֓આ ఀࢭੑݕࠪͱ͸Կ͔ ఀࢭੑݕࠪ͜ͱ͸͡Ί Ұൠͷ৔߹ͷఀࢭੑݕࠪ ύλʔϯผఀࢭੑݕূ ࢀর ؔ਺ͷେখؔ܎ ଟॏू߹ʹ͸ద੾ͳ൒ॱংؔ܎Λ࣋ͭ஋Λ౉͢ඞཁ͕͋ͬͨɻ

    call_perm ͷॱংؔ܎ͷఆٛʹ͸ؔ਺ͷॱংؔ܎Λ࢖͏ඞཁ͕͋Δɻ 2017/04/29 VeriFast Termination Checking 32 / 42

40. ໨࣍ VeriFast ֓આ ఀࢭੑݕࠪͱ͸Կ͔ ఀࢭੑݕࠪ͜ͱ͸͡Ί Ұൠͷ৔߹ͷఀࢭੑݕࠪ ύλʔϯผఀࢭੑݕূ ࢀর ؔ਺ͷେখؔ܎ ଟॏू߹ʹ͸ద੾ͳ൒ॱংؔ܎Λ࣋ͭ஋Λ౉͢ඞཁ͕͋ͬͨɻ

    call_perm ͷॱংؔ܎ͷఆٛʹ͸ؔ਺ͷॱংؔ܎Λ࢖͏ඞཁ͕͋Δɻ ͦ΋ͦ΋ؔ਺ͷॱংؔ܎༩͑Δͷ͕େม. . . 2017/04/29 VeriFast Termination Checking 32 / 42

41. ໨࣍ VeriFast ֓આ ఀࢭੑݕࠪͱ͸Կ͔ ఀࢭੑݕࠪ͜ͱ͸͡Ί Ұൠͷ৔߹ͷఀࢭੑݕࠪ ύλʔϯผఀࢭੑݕূ ࢀর ؔ਺ͷେখؔ܎ VeriFast

    ʹ͸೚ҙͷؔ਺ϙΠϯλΛେখൺֱͰ͖Δؔ਺͕͋Δɻ ؔ਺ͷେখؔ܎ // prelude.h fixpoint bool func_lt(void *f, void *g); /* VeriFast ૊ΈࠐΈؔ਺ */ 2017/04/29 VeriFast Termination Checking 33 / 42

42. ໨࣍ VeriFast ֓આ ఀࢭੑݕࠪͱ͸Կ͔ ఀࢭੑݕࠪ͜ͱ͸͡Ί Ұൠͷ৔߹ͷఀࢭੑݕࠪ ύλʔϯผఀࢭੑݕূ ࢀর ؔ਺ͷେখؔ܎ ιʔείʔυ্ͷ্Լؔ܎Λͦͷ··࢖͏ʂ

    ؔ਺ͷେখؔ܎ void foo (void) //@ requires emp; //@ ensures emp; { } void bar (void) //@ requires emp; //@ ensures emp; { } void cmp (void) //@ requires emp; //@ ensures emp; { //@ assert func_lt(foo , bar) == true; //@ assert func_lt(bar , foo) == false; } 2017/04/29 VeriFast Termination Checking 34 / 42

43. ໨࣍ VeriFast ֓આ ఀࢭੑݕࠪͱ͸Կ͔ ఀࢭੑݕࠪ͜ͱ͸͡Ί Ұൠͷ৔߹ͷఀࢭੑݕࠪ ύλʔϯผఀࢭੑݕূ ࢀর call_perm Λಋग़͢Δ

    produce_call_below_perm_ͱ͍͏૊ΈࠐΈ໋ྩ 4 Λ࢖͍ɺͦΕΛݺͼग़ͨ͠ ؔ਺ f ʹ͍ͭͯ call_below_perm_(f) ͱ͍͏໋୊Λੜ੒͢Δɻ produce_call_below_perm void func (void) //@ requires emp; //@ ensures call_below_perm_ (func ); { //@ produce_call_below_perm_ (); //@ assert( call_below_perm_ (func )); } 4ΰʔετίϚϯυ (ghost command) ͱݺ͹ΕΔ 2017/04/29 VeriFast Termination Checking 35 / 42

44. ໨࣍ VeriFast ֓આ ఀࢭੑݕࠪͱ͸Կ͔ ఀࢭੑݕࠪ͜ͱ͸͡Ί Ұൠͷ৔߹ͷఀࢭੑݕࠪ ύλʔϯผఀࢭੑݕূ ࢀর ࣮૷ύλʔϯ ࢀর࿦จ

    [1] Ͱ͸ศٓతʹݕূ͢ΔϓϩάϥϜΛҎԼͷΑ͏ʹ෼ྨͯ͠આ໌ ͍ͯ͠Δɻ Upcalls Only ύλʔϯ Static Recursion ύλʔϯ Dynamic Binding ύλʔϯ 2017/04/29 VeriFast Termination Checking 36 / 42

45. ໨࣍ VeriFast ֓આ ఀࢭੑݕࠪͱ͸Կ͔ ఀࢭੑݕࠪ͜ͱ͸͡Ί Ұൠͷ৔߹ͷఀࢭੑݕࠪ ύλʔϯผఀࢭੑݕূ ࢀর Upcalls Only

    ݺͼग़͞ΕΔؔ਺͕ɺશͯͦͷ࣌఺Ͱఆٛ͞Ε͓ͯΓɺ͔ͭ࠶ؼ͍ͯ͠ͳ ͍৔߹ɻ͜ͷ৔߹͸ callee ଆͷ call_perm ͷಋग़Λࢦఆ͢Δ͚ͩͰݕূͰ ͖Δ 5ɻ 5؆୯ͱ͸ݴ͍ͬͯͳ͍ 2017/04/29 VeriFast Termination Checking 37 / 42

46. ໨࣍ VeriFast ֓આ ఀࢭੑݕࠪͱ͸Կ͔ ఀࢭੑݕࠪ͜ͱ͸͡Ί Ұൠͷ৔߹ͷఀࢭੑݕࠪ ύλʔϯผఀࢭੑݕূ ࢀর Static Recursion

    ୯ҰϨΠϠ಺Ͱ࠶ؼ͍ͯ͠Δ৔߹ɻ͜ͷ৔߹͸࠶ؼΛߏ੒͢Δؔ਺ͦΕͧ ΕͰ࠷େͷ call_perm Λཁٻ͢Δɻ 2017/04/29 VeriFast Termination Checking 38 / 42

47. ໨࣍ VeriFast ֓આ ఀࢭੑݕࠪͱ͸Կ͔ ఀࢭੑݕࠪ͜ͱ͸͡Ί Ұൠͷ৔߹ͷఀࢭੑݕࠪ ύλʔϯผఀࢭੑݕূ ࢀর Dynamic Binding

    ந৅Խ͞ΕͨΠϯλʔϑΣʔεͷެ։͢ΔϝιουΛ࢖༻͢Δ৔߹ɻC ݴ ޠͰ͸ؔ਺ϙΠϯλΛड͚औͬͯݺͼग़͢৔߹ʹ૬౰͢ΔɻJava ͷ৔߹͸ ͦͷ·· interface Λ࢖͏৔߹ 6ɻ ͜ͷ৔߹͸Ҿ਺ͱ call_perm Λ߹Θͤͯ measure(ݮগ͢Δύϥϝʔλ) ͱ ͢Δɻ 6Ϋϥεͷෆม৚݅Λ࢖͏ 2017/04/29 VeriFast Termination Checking 39 / 42

48. ࢀߟࢿྉ Bart Jacobs, Dragan Bosnacki, Ruurd Kuiper. Modular Termination Verification

    ECOOP 2015 http://www.cs.kuleuven.be/~bartj/ecoop2015.pdf VeriFast official web site https://people.cs.kuleuven.be/~bart.jacobs/verifast/ VeriFast Tutorial(೔ຊޠ൛) https://github.com/jverifast-ug/translate/

49. Appendix ଟॏू߹ͷॱংؔ܎ ଟॏू߹ʹಋೖͨ͠ॱংؔ܎͸ Dershowitz–Manna ordering ͍͍ɺ͜Ε͸ well-founded ordering Λ੒͢͜ͱ͕஌ΒΕ͍ͯΔɻ ⇒

    ͭ·Γ࠷খ஋ʹ༗ݶεςοϓͰඞͣͨͲΓண͘ɻ 2017/04/29 VeriFast Termination Checking 41 / 42

50. Appendix Ԡ༻ ఀࢭੑݕࠪ͸ఀࢭ͢Δ͜ͱҎ֎ͷݕূʹԠ༻ग़དྷΔݟࠐΈ͕͋Δɻ ฒߦϓϩάϥϜ͕ఀࢭ͢Δͱ͍͏͜ͱ͔Β deadlock free Λূ໌͢Δ ఀࢭ͠ͳ͍͜ͱΛड़΂Δ͜ͱͰ liveness Λূ໌͢Δ

    2017/04/29 VeriFast Termination Checking 42 / 42