Mostly-Automated Verification of Low-Level Programs in Computational Separation Logic Adam Chlipala Harvard University PLDI 2011.

Slides:



Advertisements
Similar presentations
Functional Decompositions for Hardware Verification With a few speculations on formal methods for embedded systems Ken McMillan.
Advertisements

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Synthesis, Analysis, and Verification Lecture 04c Lectures: Viktor Kuncak VC Generation for Programs with Data Structures “Beyond Integers”
Automated Verification with HIP and SLEEK Asankhaya Sharma.
Semantics Static semantics Dynamic semantics attribute grammars
Copyright , Doron Peled and Cesare Tinelli. These notes are based on a set of lecture notes originally developed by Doron Peled at the University.
Proofs and Programs Wei Hu 11/01/2007. Outline  Motivation  Theory  Lambda calculus  Curry-Howard Isomorphism  Dependent types  Practice  Coq Wei.
Verifying Executable Object-Oriented Specifications with Separation Logic Stephan van Staden, Cristiano Calcagno, Bertrand Meyer.
Linked List Implementation class List { private List next; private Object data; private static List root; private static int size; public static void addNew(Object.
Software Engineering & Automated Deduction Willem Visser Stellenbosch University With Nikolaj Bjorner (Microsoft Research, Redmond) Natarajan Shankar (SRI.
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
ISBN Chapter 3 Describing Syntax and Semantics.
Copyright © 2006 Addison-Wesley. All rights reserved. 3.5 Dynamic Semantics Meanings of expressions, statements, and program units Static semantics – type.
Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt.
An Open Framework for Foundational Proof-Carrying Code Xinyu Feng Yale University Joint work with Zhaozhong Ni (Yale, now at MSR), Zhong Shao (Yale) and.
Software Reliability Methods Sorin Lerner. Software reliability methods: issues What are the issues?
From last time S1: l := new Cons p := l S2: t := new Cons *p := t p := t l p S1 l p tS2 l p S1 t S2 l t S1 p S2 l t S1 p S2 l t S1 p L2 l t S1 p S2 l t.
Review: forward E { P } { P && E } TF { P && ! E } { P 1 } { P 2 } { P 1 || P 2 } x = E { P } { \exists … }
Review: forward E { P } { P && E } TF { P && ! E } { P 1 } { P 2 } { P 1 || P 2 } x = E { P } { \exists … }
Describing Syntax and Semantics
Extensible Untrusted Code Verification Robert Schneck with George Necula and Bor-Yuh Evan Chang May 14, 2003 OSQ Retreat.
Ofer Strichman, Technion Deciding Combined Theories.
1 First order theories. 2 Satisfiability The classic SAT problem: given a propositional formula , is  satisfiable ? Example:  Let x 1,x 2 be propositional.
Mathematics throughout the CS Curriculum Support by NSF #
Input, Output, and Automation in x86 Proved Jason Gross Hosted by Andrew Kennedy Summer 2014.
Deciding a Combination of Theories - Decision Procedure - Changki pswlab Combination of Theories Daniel Kroening, Ofer Strichman Presented by Changki.
Crowfoot: a verifier for higher order store programs Billiejoe (Nathaniel) Charlton Ben Horsfall Bernhard Reus University of Sussex VMCAI 2012.
Software Engineering Prof. Dr. Bertrand Meyer March 2007 – June 2007 Chair of Software Engineering Static program checking and verification Slides: Based.
1 Program Correctness CIS 375 Bruce R. Maxim UM-Dearborn.
Proof Carrying Code Zhiwei Lin. Outline Proof-Carrying Code The Design and Implementation of a Certifying Compiler A Proof – Carrying Code Architecture.
1 Inference Rules and Proofs (Z); Program Specification and Verification Inference Rules and Proofs (Z); Program Specification and Verification.
Proof-Carrying Code & Proof-Carrying Authentication Stuart Pickard CSCI 297 June 2, 2005.
ISBN Chapter 3 Describing Semantics -Attribute Grammars -Dynamic Semantics.
CS 363 Comparative Programming Languages Semantics.
Second-Order Functions and Theorems in ACL2 Alessandro Coglio Workshop 2015 Kestrel Institute.
Refinements to techniques for verifying shape analysis invariants in Coq Kenneth Roe GBO Presentation 9/30/2013 The Johns Hopkins University.
Chapter 5: Sequences, Mathematical Induction, and Recursion 5.5 Application: Correctness of Algorithms 1 [P]rogramming reliability – must be an activity.
Certifying Intermediate Programming Zhaopeng Li
COP4020 Programming Languages Introduction to Axiomatic Semantics Prof. Robert van Engelen.
Automated tactics for separation logic VeriML Reconstruct Z3 Proof Safe incremental type checker Certifying code transformation Proof carrying hardware.
Symbolic and Concolic Execution of Programs Information Security, CS 526 Omar Chowdhury 10/7/2015Information Security, CS 5261.
CSE Winter 2008 Introduction to Program Verification for-loops; review.
Daniel Kroening and Ofer Strichman Decision Procedures An Algorithmic Point of View Deciding Combined Theories.
CS357 Lecture 13: Symbolic model checking without BDDs Alex Aiken David Dill 1.
Quantified Data Automata on Skinny Trees: an Abstract Domain for Lists Pranav Garg 1, P. Madhusudan 1 and Gennaro Parlato 2 1 University of Illinois at.
1/20 Arrays Changki PSWLAB Arrays Daniel Kroening and Ofer Strichman Decision Procedure.
CSC3315 (Spring 2009)1 CSC 3315 Languages & Compilers Hamid Harroud School of Science and Engineering, Akhawayn University
Selected Decision Procedures and Techniques for SMT More on combination – theories sharing sets – convex theory Un-interpreted function symbols (quantifier-free.
Extension of Separation Logic for Stack Reasoning Jiang Xinyu.
Formal Verification – Robust and Efficient Code Lecture 1
Cooperative Integration of an Interactive Proof Assistant and an Automated Prover Adam Chlipala and George C. Necula University of California, Berkeley.
1 Interactive Computer Theorem Proving CS294-9 October 5, 2006 Adam Chlipala UC Berkeley Lecture 7: Programming with Proofs.
1 Interactive Computer Theorem Proving CS294-9 October 19, 2006 Adam Chlipala UC Berkeley Lecture 9: Beyond Primitive Recursion.
1 Interactive Computer Theorem Proving CS294-9 September 7, 2006 Adam Chlipala UC Berkeley Lecture 3: Data structures and Induction.
The Bedrock Structured Programming System Combining Generative Metaprogramming and Hoare Logic in an Extensible Program Verifier Adam Chlipala MIT CSAIL.
Thoughts on Programming with Proof Assistants Adam Chlipala University of California, Berkeley PLPV Workshop.
Lecture 11: Proof by Reflection
Further with Hoare Logic Sections 6.12, 6.10, 6.13
Matching Logic An Alternative to Hoare/Floyd Logic
Low-Level Program Verification
SMT-Based Verification of Parameterized Systems
A Verified Compiler for an Impure Functional Language
Automating Induction for Solving Horn Clauses
Kenneth Roe Scott F. Smith 9/30/2017 The Johns Hopkins University
CSE 311 Foundations of Computing I
Programming Languages and Compilers (CS 421)
Programming Languages and Compilers (CS 421)
COP4020 Programming Languages
Presentation transcript:

Mostly-Automated Verification of Low-Level Programs in Computational Separation Logic Adam Chlipala Harvard University PLDI 2011

2 Human Effort Logical Expressiveness Classical verification with SMT solvers Interactive theorem- proving in higher-order logic The Coq library

3 Decidable Theories Equality + Uninterpreted Functions + Linear Arithmetic + Arrays +... Classical verification with SMT solvers Interactive theorem- proving in higher-order logic Complex trigger mechanism for quantifier instantiation Complex program annotation scheme needed to produce tractable proof obligations

4 Solution: Higher-Order Separation Logic is expressive enough to allow direct use of the most natural specs. Solution: Computational specifications use standard programming features to avoid quantifiers in almost all specifications. Classical verification with SMT solvers Complex trigger mechanism for quantifier instantiation Complex program annotation scheme needed to produce tractable proof obligations The Coq library

5 A Thread Scheduler, Abstractly Thread #1 Private memory Thread #2 Private memory Thread #3 Private memory Shared Memory Thread #1 Private memory Thread #1 saved PC saved SP next A Thread Scheduler, Concretely Thread #2 saved PC saved SP next Thread #3 saved PC saved SP next Stack #2 Stack #3 Shared Data Structure Stack #1

6 Quantify over specifications Quantify over lists of specifications What does correctness mean? “ ∀ sets of threads with specifications, written in terms of local and shared heap areas, the scheduling library satisfies all of the specs.” Definition yieldS := st ~> Ex fr, Ex ginv, Ex invs, Ex root, susp ginv (fun sp => sep ([ ] * ![fr])%Sep) st#Rret /\ codesOk ginv invs /\ ![ !{mallocHeap 0} * st#Rsp ==> root * !{threads invs root} * ![ginv] * ![fr] ] st. Example: spec for yield() function Higher-Order Logic Proofs usually considered too hard to automate... Separation Logic Proofs usually considered too hard to automate... + Higher-Order Separation Logic ????? =

7 The Coq library Source Code of Program to Verify Annotations: Invariants Annotations: Requests to Use Lemmas Program- Independent Lemmas About Data Structures Quantifier-Free Proof Obligations That Don't Mention Program Syntax or States SMT solver Other heuristic provers for simpler theories...

8 (* Abstraction predicate for finite sets represented * with unsorted linked lists *) Fixpoint llistOk (s : set) (ls : list nat) (a : nat) : sprop := match ls with | nil => [ ] | x :: ls' => Ex a', [ 0 /\ s x = true >] * a ==> x * (a+1) ==> a' * !{llistOk (del s x) ls' a'} end. Computational Separation Logic Step 1. Define data structure invariants as recursive functions. Limited form of existential quantification

9 Theorem llist_empty_fwd : forall s ls a, a = 0 -> llistOk s ls a ===> [ ]. destruct ls; sepLemma. Qed. Theorem llist_nonempty_fwd : forall a s ls, a <> 0 -> llistOk s ls a ===> Ex x, Ex ls', Ex a', [ ] * a ==> x * (a+1) ==> a' * !{llistOk (del s x) ls' a'}. destruct ls; sepLemma. Qed. Computational Separation Logic Step 2. Prove simplification lemmas. Implication in separation logic

10 Definition linkedList := bmodule {{ bfunction "linc" [lincS] { [lincS] While (R0 != 0) { Use [llist_nonempty_fwd];; Use [llist_nonempty_bwd];; $[R0] <- $[R0] + 1;; R0 <- $[R0+1] };; Use [llist_empty_fwd];; Use [llist_empty_bwd];; Goto Rret } }}. Computational Separation Logic Step 3. Write annotated program. Loop invariant Request to use a lemma here

11 Theorem linkedListOk : moduleOk linkedList. structured; sep. Qed. Computational Separation Logic Step 4. Prove module correctness theorem. Bedrock tactics do almost all of the work.

12 Why Automating Separation Logic Proofs is Easy x > 5 && x < 7 x < 7 && x = 6 Implies

13 Why Automating Separation Logic Proofs is Easy llist(ls1, a1) * * llist(ls1, a1) Implies

14 A Simple Algorithm 1. Use annotations to expand formulas. 2. Symbolically execute block in “pre” formula. 3. Match “pre” and “post” formulas by crossing out equal parts. instr1; instr2; instr3;... precondition postcondition basic block

15 Variable standing for thread #1's invariant over its private heap Higher-Order Implications Are Easy, Too threadInv1 * threadInv2 *... threadInv2 *... * threadInv1 Implies

16 Assertion that every thread's invariant is satisfied Higher-Order Implications Are Easy, Too allOk(invs) * * allOk(invs) Implies

17 = C * E Unification variable, which may be instantiated with any formula Frame Rule for Free A * B * C * D * E B * D * ?? * A Implies

18 Implemented Case Studies Higher- Order Last two reimplement examples from Certified Assembly Programming project [Shao et al.], where overhead is about 100X.

19 The Coq library /

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.