A Verification Infrastructure for Permission-based Reasoning

Slides:



Advertisements
Similar presentations
1 Lecture 5 Towards a Verifying Compiler: Multithreading Wolfram Schulte Microsoft Research Formal Methods 2006 Race Conditions, Locks, Deadlocks, Invariants,
Advertisements

Writing specifications for object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 21 Jan 2005 Invited talk, AIOOL 2005 Paris,
Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.
Modular and Verified Automatic Program Repair Francesco Logozzo, Thomas Ball RiSE - Microsoft Research Redmond.
Using SMT solvers for program analysis Shaz Qadeer Research in Software Engineering Microsoft Research.
Synthesis, Analysis, and Verification Lecture 04c Lectures: Viktor Kuncak VC Generation for Programs with Data Structures “Beyond Integers”
Automated Verification with HIP and SLEEK Asankhaya Sharma.
Verifying Executable Object-Oriented Specifications with Separation Logic Stephan van Staden, Cristiano Calcagno, Bertrand Meyer.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Constraint Semantics for Abstract Read Permissions 28 th July 2014, FTfJP, Uppsala John Tang Boyland (UW-Milwaukee/ETH Zurich) Peter Müller, Malte Schwerhoff,
Automated Verification with HIP and SLEEK Asankhaya Sharma.
Automated Software Verification with a Permission-Based Logic 20 th June 2014, Zürich Malte Schwerhoff, ETH Zürich.
Verification of Multithreaded Object- Oriented Programs with Invariants Bart Jacobs, K. Rustan M. Leino, Wolfram Schulte.
Software Engineering & Automated Deduction Willem Visser Stellenbosch University With Nikolaj Bjorner (Microsoft Research, Redmond) Natarajan Shankar (SRI.
A simple sequential reasoning approach for sound modular verification of mainstream multithreaded programs Wolfram Schulte & Bart Jacobs Microsoft Research.
The Java Modeling Language JML Erik Poll Digital Security Radboud University Nijmegen.
K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond, WA, USA 3 December 2008 U. Lugano Lugano, Switzerland.
K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond, WA part 0 International Summer School Marktoberdorf Marktoberdorf,
Changing perspective can be useful Relating alternative logics for automatic software verification Alex Summers (ETH Zurich) partly based on joint work.
Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt.
Fractional Permissions without the Fractions Alex Summers ETH Zurich Joint work with: Stefan Heule, Rustan Leino, Peter Müller ETH Zurich MSR Redmond ETH.
C. FlanaganSAS’04: Type Inference Against Races1 Type Inference Against Races Cormac Flanagan UC Santa Cruz Stephen N. Freund Williams College.
Separation logic for OO Stephan van Staden. Introduction OO languages are popular and widely used We need to reason about OO programs Some (problematic)
K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond, WA part 0 Summer School on Logic and Theorem-Proving in Programming.
Using and Building an Automatic Program Verifier K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond Lecture 0 LASER.
Building a program verifier K. Rustan M. Leino Microsoft Research, Redmond, WA 10 May 2006 Guest lecture, Shaz Qadeer’s cse599f, Formal Verification of.
Chair of Software Engineering Automatic Verification of Computer Programs.
Using and Building an Automatic Program Verifier K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond Lecture 5 LASER.
K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond Caltech Pasadena, CA 12 November 2009.
272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 4: SMT-based Bounded Model Checking of Concurrent Software.
K. Rustan M. Leino RiSE, Microsoft Research, Redmond joint work with Peter Müller and Jan Smans Lecture 0 1 September 2009 FOSAD 2009, Bertinoro, Italy.
K. Rustan M. Leino RiSE, Joint work with: Peter Müller (ETH Zurich) Jan Smans (KU Leuven) Special thanks to Mike Barnett VMCAI, Madrid, Spain, 18 January.
Maria-Cristina Marinescu Martin Rinard Laboratory for Computer Science Massachusetts Institute of Technology A Synthesis Algorithm for Modular Design of.
Software Engineering Prof. Dr. Bertrand Meyer March 2007 – June 2007 Chair of Software Engineering Static program checking and verification Slides: Based.
Automated Software Verification with Implicit Dynamic Frames 5 th December 2013, Leuven Malte Schwerhoff, ETH Zürich/KU Leuven.
Using and Building an Automatic Program Verifier K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond Lecture 3 Marktoberdorf.
20 th December 2012, Dagstuhl Comparing Verification Condition Generation with Symbolic Execution Malte Schwerhoff, ETH Zürich Joint work with Yannis Kassios,
Viper A Verification Infrastructure for Permission-Based Reasoning 1 st March 2015, ECOOP’15 PC Meeting, Zurich Uri Juhasz, Ioannis Kassios, Peter Müller,
Refinements to techniques for verifying shape analysis invariants in Coq Kenneth Roe GBO Presentation 9/30/2013 The Johns Hopkins University.
Program Verification K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond University of Washington CSE P January.
Viper A Verification Infrastructure for Permission-Based Reasoning 24 th March 2015, JML Workshop, Leiden Uri Juhasz, Ioannis Kassios, Peter Müller, Milos.
Rustan Leino RiSE, Microsoft Research, Redmond MIT 5 June 2009 Joint work with: Peter Müller, ETH Zurich Jan Smans, KU Leuven.
Spec# Andreas Vida. Motivation Correct and maintainable software Correct and maintainable software Cost effective software production Cost effective software.
Model Checking for Simple Java Programs Taehoon Lee, Gihwon Kwon Department of Computer Science Kyonggi University, Korea IWFST, Shanghai, China,
Lightweight Support for Magic Wands in an Automatic Verifier Malte Schwerhoff and Alexander J. Summers 10 th July 2015, ECOOP, Prague.
An Introduction to Automated Program Verification with Permission Logics 15 th May 2015, Systems Group, ETH Zurich Uri Juhasz, Ioannis Kassios, Peter Müller,
K. Rustan M. Leino RiSE, Microsoft Research, Redmond joint work with Peter Müller and Jan Smans Lecture 1 2 September 2009 FOSAD 2009, Bertinoro, Italy.
VSTTE’12 29 th January 2012, Philadelphia Comparing Verification Condition Generation with Symbolic Execution Malte Schwerhoff, ETH Zurich Joint work with.
K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 15 Nov 2007 Chalmers Göteborg, Sweden.
/ PSWLAB Thread Modular Model Checking by Cormac Flanagan and Shaz Qadeer (published in Spin’03) Hong,Shin Thread Modular Model.
ESOP 2010, Paphos, Cyprus, 22 March 2010 K. Rustan M. Leino (RiSE group, Microsoft Research) Peter Müller (ETH Zurich) Jan Smans (KU Leuven)
Mostly-Automated Verification of Low-Level Programs in Computational Separation Logic Adam Chlipala Harvard University PLDI 2011.
Spring 2017 Program Analysis and Verification
Dafny An automatic program verifier for functional correctness
Automated program verification Bryan Parno
Specification techniques for verifying object-oriented software
Deductive Verification Tools Tutorial for Dagstuhl Seminar 16201
Auto-active verification
Further with Hoare Logic Sections 6.12, 6.10, 6.13
The Relationship Between Separation Logic and Implicit Dynamic Frames
Matching Logic An Alternative to Hoare/Floyd Logic
The Relationship Between Separation Logic and Implicit Dynamic Frames
Program Verification via an Intermediate Verification Language
Automating Induction for Solving Horn Clauses
Modular Verification of Message Passing Programs
Verification of concurrent object-oriented programs
Auto-active verification
A Verification Infrastructure for Permission-Based Reasoning
Dafny An automatic program verifier for functional correctness
Auto-active verification
Presentation transcript:

A Verification Infrastructure for Permission-based Reasoning Viper A Verification Infrastructure for Permission-based Reasoning Malte Schwerhoff 19th October 2016, Prague

Modular, Deductive & Automated Verifiers Verification methodologies SMT solvers Images: https://www.flickr.com/photos/our-planet/5062099696/in/photostream/ https://pixabay.com/en/gps-navigation-garmin-device-304842/ https://pixabay.com/en/car-sports-car-wedding-car-49278/ 2

Frame Problem v v i i { P } C { Q } { P  R } C { Q  R } 3

Frame Problem class Account { method deposit(n: Int) requires 0 < n ensures balance() == old(balance()) + n { … } } method client(a: Account, l: List) { var tmp := l.length() a.deposit(200) assert tmp == l.length() }

Frame Problem class Account { transactions: List method deposit(n: Int) requires 0 < n ensures balance() == old(balance()) + n { transaction.append(n) } def getTransactions(): List { transactions } } method client(a: Account, l: List) { var tmp := l.length() a.deposit(200) assert tmp == l.length() }

Frame Problem class Account { transactions: List method deposit(n: Int) requires 0 < n ensures balance() == old(balance()) + n { transaction.append(n) } function getTransactions(): List { transactions } } method client(a: Account, l: List) { var tmp := l.length() a.deposit(200) assert tmp == l.length() } var a := new Account() client(a, a.getTransactions())

footprint(C) ∩ footprint(R) = ∅ Footprints v i v i { P } C { Q } footprint(C) ∩ footprint(R) = ∅ { P  R } C { Q  R }

modifies(C) ∩ reads(R) = ∅ Explicit Footprints v i { P } C { Q } modifies(C) ∩ reads(R) = ∅ { P  R } C { Q  R }

Implicit Footprints v i { P } C { Q } { P  R } C { Q  R }

Implicit Footprints v i { P } C { Q } { P  R } C { Q  R } ∗ ∗

Implicit Footprints: Example class Account { bal: Int method deposit(n: Int) requires 0 < n  acc(bal) ensures acc(bal) { bal := bal + n } } class List { len: Int function length(): Int requires acc(len) { len } }

Implicit Footprints: Example class Account { bal: Int method deposit(n: Int) requires 0 < n  acc(bal) ensures acc(bal) { bal := bal + n } } method client(a: Account, l: List) requires acc(a.bal) ∗ acc(l.len) { var tmp := l.length() a.deposit(200) assert tmp == l.length() } B a.bal L l.len class List { len: Int function length(): Int requires acc(len) { len } } { P } C { Q } { P  R } C { Q  R } ∗ ∗

Implicit Footprints: Example class Account { bal: Int method deposit(n: Int) requires 0 < n  acc(bal) ensures acc(bal) { bal := bal + n } } method client(a: Account, l: List) requires acc(a.bal) ∗ acc(l.len) { var tmp := l.length() a.deposit(200) assert tmp == l.length() } B a.bal L l.len class List { len: Int function length(): Int requires acc(len) { len } } { P } C { Q } { P  R } C { Q  R } ∗ ∗

Implicit Footprints: Example class Account { bal: Int method deposit(n: Int) requires 0 < n  acc(bal) ensures acc(bal) { bal := bal + n } } method client(a: Account, l: List) requires acc(a.bal) ∗ acc(l.len) { var tmp := l.length() a.deposit(200) assert tmp == l.length() } B a.bal L l.len class List { len: Int function length(): Int requires acc(len) { len } } { P } C { Q } { P  R } C { Q  R } ∗ ∗

Implicit Footprints: Example class Account { bal: Int method deposit(n: Int) requires 0 < n  acc(bal) ensures acc(bal) { bal := bal + n } } method client(a: Account, l: List) requires acc(a.bal) ∗ acc(l.len) { var tmp := l.length() a.deposit(200) assert tmp == l.length() } ? a.bal L l.len class List { len: Int function length(): Int requires acc(len) { len } } { P } C { Q } { P  R } C { Q  R } ∗ ∗

Implicit Footprints: Example class Account { bal: Int method deposit(n: Int) requires 0 < n  acc(bal) ensures acc(bal) { bal := bal + n } } method client(a: Account, l: List) requires acc(a.bal) ∗ acc(l.len) { var tmp := l.length() a.deposit(200) assert tmp == l.length() } ? a.bal L l.len class List { len: Int function length(): Int requires acc(len) { len } } { P } C { Q } { P  R } C { Q  R } ∗ ∗

Tool Support No permissions Expressiveness AutoProof Dafny Frama-C KeY2 Spec# VCC VERL Expressiveness Automation

Tool Support Permissions Expressiveness Bedrock Chalice FCSL/Coq Grasshopper Infer jStar SmallFoot VeriFast Ynot Expressiveness Automation

Consequences of Insufficient Tool Support significant manual effort per application simple properties only popular, but hardly any permission-based tools Verification efforts do not benefit fully from advances in theory Theory does not receive feedback from applications Images: https://www.flickr.com/photos/61423903@N06/7357608430 https://www.flickr.com/photos/rustedhammer/2298322271 http://www.iconarchive.com/show/misc-icons-by-tooschee/Sync-icon.html

Facilitate the 1. development of tools 2. prototyping of encodings for permission-based verification

Prog. language, spec. language and methodology Embedding & tactics Interactive prover Icons: http://www.iconarchive.com/show/vista-people-icons-by-icons-land.html http://www.icons-land.com/

Prog. language, spec. language and methodology Embedding & tactics Interactive prover

Prog. language, spec. language and methodology Custom verifier Prog. language, spec. language and methodology Embedding & tactics SMT solver Interactive Prover

Prog. language, spec. language and methodology Custom verifier Prog. language, spec. language and methodology Embedding & tactics SMT solver Interactive Prover

Prog. language, spec. language and methodology Front end Intermediate verification language Prog. language, spec. language and methodology Prog. language, spec. language and methodology Verification condition generator Embedding & tactics Custom verifier SMT solver Interactive Prover SMT solver

Prog. language, spec. language and methodology Front end Intermediate verification language Prog. language, spec. language and methodology Prog. language, spec. language and methodology Verification condition generator Embedding & tactics Custom verifier SMT solver Interactive prover SMT solver SMT solver

Intermediate verification language Viper Front end Front end Front end Intermediate verification language Back-end tools Viper SMT solver

{ P } C { Q } { P  R } C { Q  R } Permission Transfer callee caller ∗ ∗ caller

{ P } C { Q } { P  R } C { Q  R } Inhale and Exhale callee caller ∗ exhale P assert value constraints check and remove permissions havoc newly-inaccessible locations inhale Q obtain permissions assume value constraints

Example: Permission Transfer method deposit(n: Int) requires 0 < n  acc(bal) ensures acc(bal) method client(a: Account, l: List) requires acc(a.bal) ∗ acc(l.len) { var tmp := l.length() a.deposit(200) assert tmp == l.length() } method client(a: Account, l: List) { inhale acc(a.bal) ∗ acc(l.len) var tmp := l.length() exhale 0 < 200  acc(a.bal) // a.deposit(200) inhale acc(a.bal) assert tmp == l.length() }

Modelling Thread Interleavings class Counter { @GuardedBy(“this”); int val; void fails() { synchronized(this) { val = 5; } synchronized(this) { assert val == 5; } } Monitor this this.val

Modelling Thread Interleavings class Counter { @GuardedBy(“this”); int val; void fails() { synchronized(this) { val = 5; } synchronized(this) { assert val == 5; } } Monitor this field val: Int method fails(this: Ref) { inhale acc(this.val) this.val := 5 exhale acc(this.val) inhale acc(this.val) assert this.val == 5 } this.val

Modelling Thread Interleavings class Counter { @GuardedBy(“this”); int val; void fails() { synchronized(this) { val = 5; } synchronized(this) { assert val == 5; } } Monitor this field val: Int method fails(this: Ref) { inhale acc(this.val) this.val := 5 exhale acc(this.val) inhale acc(this.val) assert this.val == 5 } ? this.val

Modelling Thread Interleavings class Counter { @GuardedBy(“this”); int val; void fails() { synchronized(this) { val = 5; } synchronized(this) { assert val == 5; } } Monitor this field val: Int method fails(this: Ref) { inhale acc(this.val) this.val := 5 exhale acc(this.val) inhale acc(this.val) assert this.val == 5 } 5 this.val

Modelling Thread Interleavings class Counter { @GuardedBy(“this”); int val; void fails() { synchronized(this) { val = 5; } // end synchronized(this) { assert val == 5; } } Monitor this field val: Int method fails(this: Ref) { inhale acc(this.val) this.val := 5 exhale acc(this.val) inhale acc(this.val) assert this.val == 5 } ? this.val

Modelling Thread Interleavings class Counter { @GuardedBy(“this”); int val; void fails() { synchronized(this) { val = 5; } synchronized(this) { assert val == 5; } } Monitor this field val: Int method fails(this: Ref) { inhale acc(this.val) this.val := 5 exhale acc(this.val) inhale acc(this.val) assert this.val == 5 } ? this.val

Modelling Thread Interleavings class Counter { @GuardedBy(“this”); int val; void fails() { synchronized(this) { val = 5; } synchronized(this) { assert val == 5; } } Monitor this field val: Int method fails(this: Ref) { inhale acc(this.val) this.val := 5 exhale acc(this.val) inhale acc(this.val) assert this.val == 5 } ? this.val

Demo Example (Pseudo-Java) class Counter { @GuardedBy(“this”); @MonitorInvariant(“old(val) <= val”); int val; synchronized void inc() { val++; } }

Recursive Predicates v predicate list(this: Ref) { this != null ==> acc(this.data) && acc(this.next) && list(this.next) } v unfold list(this) // access this.data // and this.next fold list(this)

Recursive Predicates: Limitations Extending footprints

Recursive Predicates: Limitations Extending footprints

Recursive Predicates: Limitations Extending footprints Sharing w

Recursive Predicates: Limitations Extending footprints Sharing w

Recursive Predicates: Limitations Extending footprints Sharing Traversal order w

Explicit Footprints with Permissions predicate list(nodes: Set[Ref]) { forall n  nodes :: acc(n.data) && acc(n.next) && (n.next != null ==> n.next  nodes) } v w list(nodes) && v  nodes && w  nodes

Viper Viper Front ends Intermediate verification language Verification condition generator (verifier) Symbolic execution (verifier) Abstract interpretation (inference) Viper Boogie SMT solver

Viper Viper Chalice Java OpenCL C# Python Intermediate verification language Verification condition generator (verifier) Symbolic execution (verifier) Abstract interpretation (inference) Viper Boogie SMT solver

Viper SMT solver Intermediate verification language Expressiveness SMT solver Intermediate verification language Viper Abstract interpretation (inference) Boogie Verification condition generator (verifier) Symbolic execution (verifier) Java Chalice OpenCL Python Automation

http://viper.ethz.ch Viper Expressiveness Automation SMT solver Intermediate verification language Viper Abstract interpretation (inference) Boogie Verification condition generator (verifier) Symbolic execution (verifier) Java Chalice OpenCL Python http://viper.ethz.ch Expressiveness Automation

backup slides

1

Explicit Footprints: Example class Account { bal: Int method deposit(n: Int) requires 0 < n modifies {this} { bal := bal + n } } class List { len: Int function length(): Int reads {this} { len } }

Explicit Footprints: Example class Account { bal: Int method deposit(n: Int) requires 0 < n modifies {this} { bal := bal + n } } method client(a: Account, l: List) { var tmp := l.length() a.deposit(200) assert tmp == l.length() } class List { len: Int function length(): Int reads {this} { len } } { P } C { Q } modifies(C) ∩ reads(R) = ∅ { P  R } C { Q  R }

2

Permission Transfer method deposit(n: Int) requires 0 < n  acc(bal) ensures acc(bal) method client(a: Account, l: List) requires acc(a.bal) ∗ acc(l.len) { var tmp := l.length() a.deposit(200) assert tmp == l.length() } B a.bal L l.len

Permission Transfer method deposit(n: Int) requires 0 < n  acc(bal) ensures acc(bal) method client(a: Account, l: List) requires acc(a.bal) ∗ acc(l.len) { var tmp := l.length() a.deposit(200) assert tmp == l.length() } B a.bal L l.len

Permission Transfer method deposit(n: Int) requires 0 < n  acc(bal) ensures acc(bal) method client(a: Account, l: List) requires acc(a.bal) ∗ acc(l.len) { var tmp := l.length() a.deposit(200) assert tmp == l.length() } ? a.bal L l.len

Inhale and Exhale method deposit(n: Int) requires 0 < n  acc(bal) ensures acc(bal) method client(a: Account, l: List) { inhale acc(a.bal) ∗ acc(l.len) var tmp := l.length() exhale 0 < 200  acc(a.bal) // a.deposit(200) inhale acc(a.bal) assert tmp == l.length() }

3

Permissions in Viper Permissions denoted by accessibility predicates Expressions may be heap-dependent Support for fractional permissions Conjunction is multiplicative (as in separation logic) acc(e.f) acc(e.f) && e.f > 0 acc(e.f, ½) acc(e.f, ½) && acc(e.f, ½)

4

Unbounded Data Structures Unidirectional Multi-directional Random Access Unstructured specify via recursive predicate

Unbounded Data Structures Unidirectional Multi-directional Random Access Unstructured specify via iterated separating conjunction