added some lemmas about the counter example.
POSIX Lexing with Derivatives
of Regular Expressions
%\normalsize Or, How to Find Bugs with the\\[-5mm]
%\normalsize Isabelle Theorem Prover
Christian Urban
King's College London
Joint work with Fahad Ausaf and Roy Dyckhoff
\item Isabelle interactive theorem prover;
some proofs are automatic -- most however need help
\item the learning curve is steep; you often have to fight the
theorem prover\ldots no different in other ITPs
\frametitle{Why Bother?}
Surely regular expressions must have been implemented and
studied to death, no?
evil regular expressions: $({\tt a}?)^n \cdot {\tt a}^n$
\frametitle{\Large Isabelle Theorem Prover}
\item started to use Isabelle after my PhD (in 2000)
\item the thesis included a rather complicated
``pencil-and-paper'' proof for a
termination argument (sort of $\lambda$-calculus)\medskip
\item me, my supervisor, the examiners did not find any problems\medskip
\item people were building their work on my result
\frametitle{\Large Nominal Isabelle}
\item implemented a package for the Isabelle prover
in order to reason conveniently about binders
\large\bl{$\lambda \alert{x}.\,M$} \hspace{10mm}
\bl{$\forall \alert{x}.\,P\,x$}
\item when finally being able to formalise the proof from my PhD, I found that the main result
(termination) is correct, but a central lemma needed to
be generalised
\frametitle{\Large Variable Convention}
Variable Convention:
If $M_1,\ldots,M_n$ occur in a certain mathematical context
(e.g. definition, proof), then in these terms all bound variables
are chosen to be different from the free variables.
Barendregt in "The Lambda-Calculus: Its Syntax and Semantics"
\item instead of proving a property for \alert{\bf all} bound
variables, you prove it only for \alert{\bf some}\ldots?
\item feels like it is used in 90\% of papers in PT and FP
(9.9\% use de-Bruijn indices)
\item this is mostly OK, but in some corner-cases you can use it
to prove \alert{\bf false}\ldots we fixed this!
published a proof in ACM Transactions on Computational Logic, 2005,
{\footnotesize Andrew Appel}\\[-2.5mm]
relied on their proof in a security critical application
\frametitle{Proof-Carrying Code}
\frametitle{Real-Time Scheduling}
RT-Scheduling: You want to avoid that a
high-priority process is starved indefinitely.
\frametitle{\Large Priority Inheritance Scheduling}
\item Let a low priority process \bl{$L$} temporarily inherit
the high priority of \bl{$H$} until \bl{$L$} leaves the critical
section unlocking the resource.\bigskip
\item Once the resource is unlocked, \bl{$L$} ``returns to its original
priority level.''\\
L.~Sha, R.~Rajkumar, and J.~P.~Lehoczky.
{\it Priority Inheritance Protocols: An Approach to
Real-Time Synchronization}. IEEE Transactions on
Computers, 39(9):1175–1185, 1990
\item Proved correct, reviewed in a respectable journal....what could possibly be wrong?
Scheduling: You want to avoid that a high
priority process is starved indefinitely.
\frametitle{\Large Priority Inheritance Scheduling}
\item Let a low priority process \bl{$L$} temporarily inherit
the high priority of \bl{$H$} until \bl{$L$} leaves the critical
section unlocking the resource.\bigskip
\item Once the resource is unlocked, \bl{$L$} returns to its original
priority level. \alert{\bf BOGUS}\pause\bigskip
\item \ldots \bl{$L$} needs to switch to the highest
\alert{\bf remaining} priority of the threads that it blocks.
this error is already known since around 1999
by Rajkumar, 1991
it resumes the priority it had at the point of entry into the critical
section
by Jane Liu, 2000
\item {\it ``The job $J_l$ executes at its inherited
priority until it releases $R$; at that time, the
priority of $J_l$ returns to its priority
at the time when it acquires the resource $R$.''}\medskip
gives pseudo code and totally bogus data structures
interesting part is "left as an exercise"
by Laplante and Ovaska, 2011 ($113.76)
\item \it ``when $[$the task$]$ exits the critical section that
caused the block, it reverts to the priority it had
when it entered that section''
by Silberschatz, Galvin and Gagne (9th edition, 2013)
\item \it ``Upon releasing the
lock, the $[$low-priority$]$ thread will revert to its original
\frametitle{Priority Scheduling}
\item a scheduling algorithm that is widely used in real-time operating systems
\item has been ``proved'' correct by hand in a paper in 1990
\item but this algorithm turned out to be incorrect, despite its ``proof''\bigskip\pause
\item we (generalised) the algorithm and then {\bf really} proved that it is correct
\item we implemented this algorithm in a small OS called PINTOS (used for teaching at Stanford)
\item our implementation was faster than their reference implementation
\frametitle{Lessons Learned}
\item our proof-technique is adapted from security
\item do not venture outside your field of expertise
\item we solved the single-processor case; the multi-processor
case: no idea!
\frametitle{Regular Expressions}
\bl{$r$} & \bl{$::=$} & \bl{$\varnothing$} & null\\
& \bl{$\mid$} & \bl{$\epsilon$} & empty string\\
& \bl{$\mid$} & \bl{$c$} & character\\
& \bl{$\mid$} & \bl{$r_1 \cdot r_2$} & sequence\\
& \bl{$\mid$} & \bl{$r_1 + r_2$} & alternative / choice\\
& \bl{$\mid$} & \bl{$r^*$} & star (zero or more)\\
\frametitle{\begin{tabular}{c}The Derivative of a Rexp\end{tabular}}
If $r$ matches the string $c\!::\!s$, what is a regular
expression that matches just $s$?
expression that matches just \bl{$s$}?\bigskip\bigskip\bigskip\bigskip
$der\,c\,r$ gives the answer, Brzozowski (1964), Owens (2005)
"...have been lost in the sands of time..."
...whether a regular expression can match the empty string:
\bl{$nullable(\varnothing)$} & \bl{$\dn$} & \bl{$false$}\\
\bl{$nullable(\epsilon)$} & \bl{$\dn$} & \bl{$true$}\\
\bl{$nullable (c)$} & \bl{$\dn$} & \bl{$false$}\\
\bl{$nullable (r_1 + r_2)$} & \bl{$\dn$} & \bl{$nullable(r_1) \vee nullable(r_2)$} \\
\bl{$nullable (r_1 \cdot r_2)$} & \bl{$\dn$} & \bl{$nullable(r_1) \wedge nullable(r_2)$} \\
\bl{$nullable (r^*)$} & \bl{$\dn$} & \bl{$true$} \\
\frametitle{\begin{tabular}{c}The Derivative of a Rexp\end{tabular}}
\bl{$der\, c\, (\varnothing)$} & \bl{$\dn$} & \bl{$\varnothing$} & \\
\bl{$der\, c\, (\epsilon)$} & \bl{$\dn$} & \bl{$\varnothing$} & \\
\bl{$der\, c\, (d)$} & \bl{$\dn$} & \bl{if $c = d$ then $\epsilon$ else $\varnothing$} & \\
\bl{$der\, c\, (r_1 + r_2)$} & \bl{$\dn$} & \bl{$der\, c\, r_1 + der\, c\, r_2$} & \\
\bl{$der\, c\, (r_1 \cdot r_2)$} & \bl{$\dn$} & \bl{if $nullable (r_1)$}\\
& & \bl{then $(der\,c\,r_1) \cdot r_2 + der\, c\, r_2$}\\
& & \bl{else $(der\, c\, r_1) \cdot r_2$}\\
\bl{$der\, c\, (r^*)$} & \bl{$\dn$} & \bl{$(der\,c\,r) \cdot (r^*)$} &\medskip\\\pause
\bl{$\textit{ders}\, []\, r$} & \bl{$\dn$} & \bl{$r$} & \\
\bl{$\textit{ders}\, (c\!::\!s)\, r$} & \bl{$\dn$} & \bl{$\textit{ders}\,s\,(der\,c\,r)$} & \\
\frametitle{\begin{tabular}{c}\bl{$({\tt a}?)^n \cdot {\tt a}^n$}\end{tabular}}
It is a relative easy exercise in a theorem prover:
$matches(r, s)$ if and only if $s \in L(r)$
$matches(r, s) \dn nullable(ders(r, s))$
\frametitle{POSIX Regex Matching}
Two rules:
\item Longest match rule (``maximal munch rule''): The
longest initial substring matched by any regular expression
is taken as the next token.
$\texttt{iffoo\VS bla}$
\item Rule priority:
For a particular longest initial substring, the first regular
expression that can match determines the token.
$\texttt{if\VS bla}$
Kuklewicz: most POSIX matchers are buggy
\hfill \url{}
\frametitle{POSIX Regex Matching}
\item Sulzmann \& Lu came up with a beautiful
idea for how to extend the simple regular expression
matcher to POSIX matching/lexing (FLOPS 2014)\bigskip\bigskip\bigskip
\hspace{0cm}\footnotesize Martin Sulzmann
\item the idea: define an inverse operation to the derivatives
\frametitle{Regexes and Values}
Regular expressions and their corresponding values:
\bl{$r$} & \bl{$::=$} & \bl{$\varnothing$}\\
& \bl{$\mid$} & \bl{$\epsilon$} \\
& \bl{$\mid$} & \bl{$c$} \\
& \bl{$\mid$} & \bl{$r_1 \cdot r_2$}\\
& \bl{$\mid$} & \bl{$r_1 + r_2$} \\
& \bl{$\mid$} & \bl{$r^*$} \\
\bl{$v$} & \bl{$::=$} & \\
& & \bl{$Empty$} \\
& \bl{$\mid$} & \bl{$Char(c)$} \\
& \bl{$\mid$} & \bl{$Seq(v_1,v_2)$}\\
& \bl{$\mid$} & \bl{$Left(v)$} \\
& \bl{$\mid$} & \bl{$Right(v)$} \\
& \bl{$\mid$} & \bl{$[]$} \\
& \bl{$\mid$} & \bl{$[v_1,\ldots\,v_n]$} \\
There is also a notion of a string behind a value: $|v|$
\frametitle{Sulzmann \& Lu Matcher}
We want to match the string $abc$ using $r_1$:
\frametitle{Sulzmann \& Lu Paper}
\item I have no doubt the algorithm is correct ---
the problem, I do not believe their proof.
``How could I miss this? Well, I was rather careless when
stating this Lemma :)\smallskip
Great example how formal machine checked proofs (and
proof assistants) can help to spot flawed reasoning steps.''
``Well, I don't think there's any flaw. The issue is how to
come up with a mechanical proof. In my world mathematical
proof $=$ mechanical proof doesn't necessarily hold.''
The Proof Idea by Sulzmann & Lu
\item introduce an inductively defined ordering relation
\bl{$v \succ_r v'$} which captures the idea of POSIX matching
\item the algorithm returns the maximum of all possible
values that are possible for a regular expression.\pause
\item the idea is from a paper by Cardelli \& Frisch about
greedy matching (greedy $=$ preferring instant gratification to delayed
\item e.g.~given \bl{$(a + (b + ab))^*$} and string \bl{$ab$}
greedy: & \bl{$[Left(a), Right(Left(b)]$}\\
POSIX: & \bl{$[Right(Right(a, b)))]$}
\bl{\infer{\vdash Empty : \epsilon}{}}\hspace{15mm}
\bl{\infer{\vdash Char(c): c}{}}\bigskip
\bl{\infer{\vdash Seq(v_1, v_2) : r_1\cdot r_2}{\vdash v_1 : r_1 \quad \vdash v_2 : r_2}}
\bl{\infer{\vdash Left(v) : r_1 + r_2}{\vdash v : r_1}}\hspace{15mm}
\bl{\infer{\vdash Right(v): r_1 + r_2}{\vdash v : r_2}}\bigskip
\bl{\infer{\vdash [] : r^*}{}}\hspace{15mm}
\bl{\infer{\vdash [v_1,\ldots, v_n] : r^*}
{\vdash v_1 : r \quad\ldots\quad \vdash v_n : r}}
\item Sulzmann: \ldots Let's assume \bl{$v$} is not
a $POSIX$ value, then there must be another one
\ldots contradiction.\bigskip\pause
Exists?
$L(r) \not= \varnothing \;\Rightarrow\; POSIX(v, r)$
\item in the sequence case, the induction hypotheses require
\bl{$|v_1| = |v'_1|$} and \bl{$|v_2| = |v'_2|$},
but you only know
\bl{$|v_1| \;@\; |v_2| = |v'_1| \;@\; |v'_2|$}
\item although one begins with the assumption that the two
values have the same flattening, this cannot be maintained
as one descends into the induction (alternative, sequence)
\frametitle{Our Solution}
direct definition of what a POSIX value is, using
$s \in r \to v$:
\bl{$s \in r \to v$}:
\bl{\infer{[] \in \epsilon \to Empty}{}}\hspace{15mm}
\bl{\infer{c \in c \to Char(c)}{}}\bigskip\medskip
\bl{\infer{s \in r_1 + r_2 \to Left(v)}
{s \in r_1 \to v}}\hspace{10mm}
\bl{\infer{s \in r_1 + r_2 \to Right(v)}
{s \in r_2 \to v & s \not\in L(r_1)}}\bigskip\medskip
\bl{\infer{s_1 @ s_2 \in r_1 \cdot r_2 \to Seq(v_1, v_2)}
s_1 \in r_1 \to v_1 \\
s_2 \in r_2 \to v_2 \\
\neg(\exists s_3\,s_4.\; s_3 \not= []
\wedge s_3 @ s_4 = s_2 \wedge
s_1 @ s_3 \in L(r_1) \wedge
s_4 \in L(r_2))
Pencil-and-Paper Proofs
in CS are normally incorrect
in CS are normally incorrect\end{tabular}}
\item case in point, in one of Roy's proofs he made the
incorrect inference
if \bl{$\forall s.\; |v_2| \alert{\not}\in L(der\,c\,r_1) \cdot s$}
then \bl{$\forall s.\; c\,|v_2| \alert{\not}\in L(r_1) \cdot s$}
if \bl{$\forall s.\; |v_2| \in L(der\,c\,r_1) \cdot s$}
then \bl{$\forall s.\; c\,|v_2| \in L(r_1) \cdot s$}
is correct
\frametitle{Proofs in Math~vs.~in CS}
\alert{\bf My theory on why CS-proofs are often buggy}
{\bf Math}: \\
in math, ``objects'' can be ``looked'' at from all
non-trivial proofs, but it seems
difficult to make mistakes
\end{tabular} &
{\bf Code in CS}: \\
the call-graph of the seL4 microkernel OS;\\\smallskip
easy to make mistakes\\ \mbox{}\\
\item we strengthened the POSIX definition of Sulzmann \& Lu
in order to get the inductions through, his proof
contained small gaps but had also fundamental flaws\bigskip
\item its a nice exercise for theorem proving
\item some optimisations need to be aplied to the
algorithm in order to become fast enough
\item can be used for lexing, small little functional
Thank you very much again
for the invitation!
Questions?
\alert{\Large for the invitation!}\\
\alert{\Large Questions?}
