Slide 1

VeriFast Termination Checking Introduction (α)
@eldesh
https://twitter.com/eldesh
http://d.hatena.ne.jp/eldesh
静的コード解析の会 (Static Code Analysis Meetup), 2nd meeting, 2017/04/29

Navigation bar: Contents | VeriFast overview | What is termination checking | Getting started with termination checking | Termination checking in the general case | Termination verification by pattern | References

2017/04/29 VeriFast Termination Checking 1 / 42

Slide 2

Contents

1 VeriFast overview
2 What is termination checking
3 Getting started with termination checking
4 Termination checking in the general case
5 Termination verification by pattern
6 References

Slide 3

What is this slide?

These slides introduce how to verify termination of C programs with VeriFast, and the concepts on which that feature is built. (Note 1: Java programs can be verified with exactly the same approach.)

Slide 4

Intended audience

Required: you can read C.
Desirable: you know what checking pre/postconditions looks like.

Slide 5

What is termination checking

Checking that a program halts (within finite time).

Slide 6

What VeriFast checks

By the way, VeriFast checks the consistency between a program (a function) and its precondition/postcondition.

⇒ So what exactly has been verified by that?

Slide 8

A function checked by VeriFast

Example specification of enqueue:

    void enqueue(struct queue *q, int x)
    //@ requires queue(q, ?vs);
    //@ ensures queue(q, iappend(vs, icons(x, inil)));
    { ... }

Slide 9

Hoare triple

A function together with its precondition and postcondition, three things in all, is called a Hoare triple. When treated formally it is written as follows.

Hoare triple: ⊢ {P} c {Q}

Slide 10

Meaning of a Hoare triple

A function together with its precondition and postcondition, three things in all, is called a Hoare triple.

Meaning of the Hoare triple:

    ⊢ {P} c {Q}  ⇔  ∀h, γ. (I_fix, h ⊨ P ∧ (h, c) ⇓ γ) ⇒ γ ⊨ Q

Meaning of γ ⊨ Q, where the outcome γ is either Divergence or a terminating outcome (n, v, h) with return value v and final heap h:

    Divergence ⊨ Q                              (holds unconditionally)
    (n, v, h) ⊨ Q    if    I_fix, h ⊨ Q[v/res]  (v is substituted for res in Q)

Divergence denotes a diverging execution (an infinite loop).

Slide 11

Meaning of a Hoare triple

Divergence ⊨ Q says that whenever the program falls into an infinite loop, the postcondition Q holds vacuously.

⇒ VeriFast does not verify whether the program loops forever.

Slide 13

Meaning of a Hoare triple

What VeriFast establishes is partial correctness.

Partial correctness: when the program produces a result (= terminates normally), that result is guaranteed to be correct.

By contrast, when the program is guaranteed to always produce a correct result (so it also always terminates), it is said to have total correctness.

Slide 14

What is termination checking (again)

Again: checking that a program halts (within finite time).

Which means...

Verifying termination
⇕ giving VeriFast total correctness
⇕ being able to guarantee that the program always returns a correct answer.

Slide 15

Specifying a termination check

To check that a function terminates, specify terminates in addition to the usual pre/postconditions.

Verifying a function that does nothing:

    void empty_cmd(void)
    //@ requires emp;
    //@ ensures emp;
    //@ terminates;
    { }

Slide 16

Trivially terminating example 1

Primitive operations trivially terminate.

Specification of less-than:

    bool compare(int x, int y)
    //@ requires emp;
    //@ ensures result == (x < y);
    //@ terminates;
    {
        return x < y; // the return value equals the result of the comparison
    }

Slide 17

Trivially terminating example 2

An if statement trivially terminates.

if statement:

    int max_int(int x, int y)
    //@ requires emp;
    //@ ensures result == (x > y ? x : y);
    //@ terminates;
    {
        if (x > y) {
            return x;
        } else {
            return y;
        }
    }

Slide 18

Trivially terminating example 3

A function that only calls terminating functions is itself checked to terminate, automatically.

Calling a function:

    int callee(int x)
    //@ requires emp;
    //@ ensures emp;
    //@ terminates;
    {
        return 0;
    }

    void caller(void)
    //@ requires emp;
    //@ ensures emp;
    //@ terminates;
    {
        callee(3);
    }

Slide 19

A terminating loop

In addition to the loop invariant, specifying a quantity that decreases on every iteration lets VeriFast guarantee that the loop terminates.

while loop:

    void loop(int x)
    //@ requires 0 < x;
    //@ ensures emp;
    //@ terminates;
    {
        int i = 0;
        while (i < x)
        //@ invariant i <= x;
        //@ decreases x - i;
        {
            ++i;
        }
    }
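A worked example added here, not taken from the slides or from the VeriFast distribution: the same invariant/decreases pattern applied to a loop that walks attacker-supplied, length-prefixed records. This is the kind of loop that turns into a denial-of-service bug when a zero-length record stops it from making progress, and the decreases measure is exactly what catches that. The heap part of the contract uses VeriFast's array-chunk notation (buf[0..len] |-> ?bs) and an INT_MAX bound; both are my assumptions about VeriFast syntax beyond what the slides show. The annotations live in comments, so the file also compiles and runs as plain C. The record format and the sample inputs are constructed for the example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Record format (constructed for this example): each record starts with
 * one length byte that counts itself, followed by length-1 payload bytes.
 * Returns the number of records, or -1 if the input is malformed.
 *
 * The termination argument is the loop measure len - i: every iteration
 * must move i strictly forward. The progress guard below is what makes
 * that provable (and, at run time, what stops the loop spinning forever
 * on a record whose length byte is 0).
 * VeriFast annotations (assumed syntax): */
int count_records(unsigned char *buf, size_t len)
//@ requires buf[0..len] |-> ?bs &*& len <= INT_MAX;
//@ ensures buf[0..len] |-> bs &*& -1 <= result &*& result <= len;
//@ terminates;
{
    size_t i = 0;
    int n = 0;
    while (i < len)
    //@ invariant buf[0..len] |-> bs &*& i <= len &*& 0 <= n &*& n <= i;
    //@ decreases len - i;
    {
        unsigned char total = buf[i];
        /* total == 0:      i would not advance, so len - i would not decrease.
         * total > len - i: the record would run past the end of the buffer. */
        if (total == 0 || total > len - i)
            return -1;
        i += total;
        n++;
    }
    return n;
}

/* Constructed sample inputs; each function returns count_records' result. */
int demo_well_formed(void)
{
    unsigned char buf[] = { 3, 0xAA, 0xBB,  2, 0xCC,  1 };  /* 3 records */
    return count_records(buf, sizeof buf);
}

int demo_zero_length_record(void)
{
    unsigned char buf[] = { 2, 0xAA,  0, 0xDD };  /* 2nd record has length 0 */
    return count_records(buf, sizeof buf);
}

int demo_overlong_record(void)
{
    unsigned char buf[] = { 5, 0xAA };  /* claims 5 bytes, only 2 present */
    return count_records(buf, sizeof buf);
}

int demo_empty(void)
{
    return count_records(NULL, 0);  /* no records: the loop body never runs */
}

int main(void)
{
    printf("well-formed: %d\n", demo_well_formed());                 /* 3 */
    printf("zero-length record: %d\n", demo_zero_length_record());   /* -1 */
    printf("overlong record: %d\n", demo_overlong_record());         /* -1 */
    printf("empty input: %d\n", demo_empty());                       /* 0 */
    return 0;
}
```

Without the `total == 0` branch the function still type-checks and still passes a fuzzer that only feeds it well-formed data, but `decreases len - i` cannot be discharged, because the checker has to show the measure strictly drops on every path through the body. That is the practical value of the annotation: the termination proof fails on exactly the input class that would hang the parser.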

Slide 20

A non-trivially terminating example

Ackermann function:

    int ackermann(int m, int n)
    {
        if (m == 0) {
            return n + 1;
        } else {
            if (n == 0) {
                int r = ackermann(m - 1, 1);
                return r;
            } else {
                return ackermann(m - 1, ackermann(m, n - 1));
            }
        }
    }

For the version with termination verified, see examples/termination/ackermann.c in the VeriFast distribution; it is 72 lines long.

Slide 21

The basic idea

It suffices to show that every call sequence has only finitely many steps.

⇒ How?

Slide 22

fixpoint

By the way, VeriFast lets you define the functions used inside propositions with the fixpoint keyword.

Example fixpoint function:

    fixpoint int length(list xs) {
        switch (xs) {
            case nil: return 0;
            case cons(x, xs0): return 1 + length(xs0);
        }
    }

A fixpoint function always terminates. Why does it always terminate?

Slide 25

Restrictions on fixpoint

Not every function can be written as a fixpoint; the definition has to obey several restrictions (each of which VeriFast checks):

- The body is a single return or a single switch statement.
- Only inductive data may be switched on.
- The switch must define a case for every constructor.
- A recursive call may only be made on data extracted by the pattern match.

Obeying these restrictions rules out (broken) specifications that would be undefined for some values, or that would make the checker itself fail to terminate.

⇒ fixpoint functions always terminate.

Slide 27

Why it works for fixpoint

The key reason a fixpoint terminates is that it recurses over inductive data: every recursive call peels off exactly one constructor. (Note 3: inductive data means data obtained by applying constructors to base data a finite number of times.)

Slide 28

Why it does not work as easily in C

In C, termination verification is not that simple.

- The data handled by C code is not necessarily inductive.
- There is no data structure that visibly gets smaller.

Slide 29

Generalizing inductive data

To check termination in C we need to generalize the idea behind inductive data:

- something decreases every time a function is called, and
- it reaches a minimum after finitely many steps.

Slide 30

Something has to decrease

What should decrease?

Answer: a call permission.

Slide 32

Call permissions

Decree that every function call requires a right called a call permission.

- Calling a function f requires (one) call_perm(f).
- Initially every function is handed a finite stock of call_perms.
- If verification succeeds, there can only be finitely many function calls.

Slide 33

How call permissions are implemented

They are provided as built-in predicates in VeriFast's standard library.

    // prelude.h
    predicate call_perm_(void *f;);
    // For VeriFast's own convenience there is also this one (details omitted)
    predicate call_below_perm_(void *f;);

Slide 34

How to hand out call_perms

"Initially every function is handed a finite stock of call_perms."

But we have no idea which functions the function under verification calls, or how many times...

⇒ Use a multiset (bag).

Slide 36

Multisets

A multiset is a set that allows duplicate elements.

    {[1, 2, 3]} ⊎ {[2, 3, 4]} = {[1, 2, 2, 3, 3, 4]}

Slide 37

Ordering on multisets

Give multisets a suitable order relation, as follows:

"In order to descend down the multiset order starting from a multiset M, one can replace any element of M with any number of lesser elements of X, any number of times." (Note a)

(Any number of smaller elements is still smaller than a single larger element.)

Note a: the paper does not name it, but this appears to be the Dershowitz–Manna ordering.

Under this rule, for instance, {[0, 0, 1, 2, 2, 2]} < {[0, 0, 0, 3]} holds.

Slide 38

Ordering on multisets

With the multiset ordering we can say the following:

    α′ < α  ⟹  call_perm(α) ⊑ n · call_perm(α′)

That is, from a call_perm for some function, any (finite) number of call_perms for smaller functions can be created.
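To make the ordering of the previous two slides (and the appendix on its well-foundedness) concrete, here is an added example that is not from the slides, the paper or VeriFast: a small C model of call permissions as a multiset of function ranks, the Dershowitz–Manna comparison specialised to a total order on ranks, the exchange of one permission for any number of lower-ranked ones, and a simulation showing that although each exchange multiplies permissions, the total number of calls stays finite. The ranks, the bound MAXV and the exchange rule are modelling choices of this example, not VeriFast API; the sample multisets are the ones from the slide.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MAXV 8   /* function ranks 0..MAXV-1; think "position in func_lt order" */

/* A multiset of ranks, represented by multiplicities. */
typedef struct { unsigned count[MAXV]; } multiset;

static multiset ms_from(const unsigned *xs, size_t n)
{
    multiset m = {{0}};
    for (size_t i = 0; i < n; i++)
        m.count[xs[i]]++;
    return m;
}

/* Dershowitz-Manna ordering, specialised to a total order on elements:
 * M < N iff M != N and, at the largest rank where the multiplicities
 * differ, N has more copies than M. This is the same relation as "N can
 * be turned into M by repeatedly replacing one element with any finite
 * number of strictly smaller ones". */
static bool ms_lt(const multiset *m, const multiset *n)
{
    for (int r = MAXV - 1; r >= 0; r--)
        if (m->count[r] != n->count[r])
            return m->count[r] < n->count[r];
    return false;   /* equal multisets are not strictly ordered */
}

/* The slide's rule call_perm(alpha) -> k copies of call_perm(alpha'):
 * spend one permission of rank `from` and mint k of a strictly lower rank
 * `to`. Refuses anything that is not a descent. */
static bool perm_exchange(multiset *m, unsigned from, unsigned to, unsigned k)
{
    if (from >= MAXV || to >= from || m->count[from] == 0)
        return false;
    m->count[from]--;
    m->count[to] += k;
    return true;
}

/* The two sides of the slide example: {[0,0,1,2,2,2]} and {[0,0,0,3]}. */
bool demo_slide37_lt(void)
{
    const unsigned a[] = {0, 0, 1, 2, 2, 2}, b[] = {0, 0, 0, 3};
    multiset ma = ms_from(a, 6), mb = ms_from(b, 4);
    return ms_lt(&ma, &mb);
}

bool demo_slide37_gt(void)   /* the reverse comparison must fail */
{
    const unsigned a[] = {0, 0, 1, 2, 2, 2}, b[] = {0, 0, 0, 3};
    multiset ma = ms_from(a, 6), mb = ms_from(b, 4);
    return ms_lt(&mb, &ma);
}

/* Start with a single permission of rank `start`. Each call consumes the
 * highest-ranked permission available; a call of rank r > 0 hands its
 * callees k permissions of rank r-1. Returns the total number of calls,
 * or -1 if a step failed to strictly decrease the multiset (it never
 * does: the ordering is well-founded, so the loop is bounded). */
long simulate_calls(unsigned start, unsigned k)
{
    if (start >= MAXV)
        return -1;
    multiset m = {{0}};
    m.count[start] = 1;
    long calls = 0;
    for (;;) {
        int r = MAXV - 1;
        while (r >= 0 && m.count[r] == 0)
            r--;
        if (r < 0)
            break;                      /* stock exhausted: no more calls */
        multiset before = m;
        if (r == 0)
            m.count[0]--;               /* leaf call: nothing to mint */
        else if (!perm_exchange(&m, (unsigned)r, (unsigned)r - 1, k))
            return -1;
        if (!ms_lt(&m, &before))
            return -1;                  /* sanity: every step descends */
        calls++;
    }
    return calls;
}

int main(void)
{
    printf("{[0,0,1,2,2,2]} < {[0,0,0,3]}: %d\n", demo_slide37_lt());   /* 1 */
    printf("reverse comparison: %d\n", demo_slide37_gt());               /* 0 */
    printf("calls from one rank-2 permission, fan-out 3: %ld\n",
           simulate_calls(2, 3));                                        /* 13 */
    return 0;
}
```

The simulation is the whole argument of the slides in miniature: a single permission for a high-ranked function can be exchanged for as many lower-ranked permissions as the callee needs, yet because every exchange is a strict descent in a well-founded order, the stock is eventually exhausted and the number of calls is finite (here 1 + k + k² for a start rank of 2).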

Slide 39

Ordering functions

The multiset has to contain values that carry a suitable partial order.
To define the order on call_perms we therefore need an order on functions.

But giving functions an order in the first place sounds like hard work...

Slide 41

Ordering functions

VeriFast has a built-in function that compares any two function pointers.

    // prelude.h
    fixpoint bool func_lt(void *f, void *g); /* VeriFast built-in */

Slide 42

Ordering functions

Just use the order in which the functions appear in the source code!

    void foo(void)
    //@ requires emp;
    //@ ensures emp;
    { }

    void bar(void)
    //@ requires emp;
    //@ ensures emp;
    { }

    void cmp(void)
    //@ requires emp;
    //@ ensures emp;
    {
        //@ assert func_lt(foo, bar) == true;
        //@ assert func_lt(bar, foo) == false;
    }

Slide 43

Deriving a call_perm

Use the built-in command produce_call_below_perm_ (Note 4: this kind of command is called a ghost command); it produces the proposition call_below_perm_(f) for the function f that invoked it.

produce_call_below_perm:

    void func(void)
    //@ requires emp;
    //@ ensures call_below_perm_(func);
    {
        //@ produce_call_below_perm_();
        //@ assert(call_below_perm_(func));
    }

Slide 44

Implementation patterns

The referenced paper [1] classifies the programs to be verified into the following patterns, for convenience of explanation:

- Upcalls Only pattern
- Static Recursion pattern
- Dynamic Binding pattern

Slide 45

Upcalls Only

Every function that is called is already defined at the point of the call, and none of them recurses. In this case verification only requires specifying how the callee's call_perm is derived. (Note 5: that is not to say it is easy.)

Slide 46

Static Recursion

Recursion within a single layer. In this case each function taking part in the recursion requires the largest call_perm.

Slide 47

Dynamic Binding

Calling methods exposed by an abstract interface. In C this corresponds to receiving a function pointer and calling through it; in Java it is plain use of an interface. (Note 6: the class invariant is used.)

In this case the measure (the decreasing quantity) is formed from the arguments together with a call_perm.

Slide 48

References

[1] Bart Jacobs, Dragan Bosnacki, Ruurd Kuiper. Modular Termination Verification. ECOOP 2015. http://www.cs.kuleuven.be/~bartj/ecoop2015.pdf
[2] VeriFast official web site. https://people.cs.kuleuven.be/~bart.jacobs/verifast/
[3] VeriFast Tutorial (Japanese translation). https://github.com/jverifast-ug/translate/

Slide 49

Appendix: the multiset ordering

The ordering introduced on multisets is called the Dershowitz–Manna ordering, and it is known to be a well-founded ordering.

⇒ That is, a minimum is always reached after finitely many steps.

Slide 50

Appendix: applications

Termination checking is expected to be applicable to verifying properties other than termination:

- proving deadlock freedom of a concurrent program from the fact that it terminates;
- proving liveness by stating that a program does not terminate.