A Verification Infrastructure for Permission-Based Reasoning

Slides:



Advertisements
Similar presentations
Demand-driven inference of loop invariants in a theorem prover
Advertisements

Writing specifications for object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 21 Jan 2005 Invited talk, AIOOL 2005 Paris,
Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.
Modular and Verified Automatic Program Repair Francesco Logozzo, Thomas Ball RiSE - Microsoft Research Redmond.
Using SMT solvers for program analysis Shaz Qadeer Research in Software Engineering Microsoft Research.
Synthesis, Analysis, and Verification Lecture 04c Lectures: Viktor Kuncak VC Generation for Programs with Data Structures “Beyond Integers”
50.530: Software Engineering
Semantics Static semantics Dynamic semantics attribute grammars
Satisfiability Modulo Theories (An introduction)
Verifying Executable Object-Oriented Specifications with Separation Logic Stephan van Staden, Cristiano Calcagno, Bertrand Meyer.
Constraint Semantics for Abstract Read Permissions 28 th July 2014, FTfJP, Uppsala John Tang Boyland (UW-Milwaukee/ETH Zurich) Peter Müller, Malte Schwerhoff,
Automated Software Verification with a Permission-Based Logic 20 th June 2014, Zürich Malte Schwerhoff, ETH Zürich.
Programming with Constraint Solvers CS294: Program Synthesis for Everyone Ras Bodik Emina Torlak Division of Computer Science University of California,
Software Engineering & Automated Deduction Willem Visser Stellenbosch University With Nikolaj Bjorner (Microsoft Research, Redmond) Natarajan Shankar (SRI.
K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond, WA, USA 3 December 2008 U. Lugano Lugano, Switzerland.
K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond, WA part 0 International Summer School Marktoberdorf Marktoberdorf,
Changing perspective can be useful Relating alternative logics for automatic software verification Alex Summers (ETH Zurich) partly based on joint work.
Fractional Permissions without the Fractions Alex Summers ETH Zurich Joint work with: Stefan Heule, Rustan Leino, Peter Müller ETH Zurich MSR Redmond ETH.
Separation logic for OO Stephan van Staden. Introduction OO languages are popular and widely used We need to reason about OO programs Some (problematic)
K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond, WA part 0 Summer School on Logic and Theorem-Proving in Programming.
Chair of Software Engineering Automatic Verification of Computer Programs.
Using and Building an Automatic Program Verifier K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond Lecture 5 LASER.
K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond Caltech Pasadena, CA 12 November 2009.
K. Rustan M. Leino RiSE, Microsoft Research, Redmond joint work with Peter Müller and Jan Smans Lecture 0 1 September 2009 FOSAD 2009, Bertinoro, Italy.
K. Rustan M. Leino RiSE, Joint work with: Peter Müller (ETH Zurich) Jan Smans (KU Leuven) Special thanks to Mike Barnett VMCAI, Madrid, Spain, 18 January.
Formal Methods: Three suggestions for rapid adoption Wolfram Schulte RiSE, MSR Workshop on Usable Verification 11/15/2010.
Software Engineering Prof. Dr. Bertrand Meyer March 2007 – June 2007 Chair of Software Engineering Static program checking and verification Slides: Based.
Automated Software Verification with Implicit Dynamic Frames 5 th December 2013, Leuven Malte Schwerhoff, ETH Zürich/KU Leuven.
Using and Building an Automatic Program Verifier K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond Lecture 3 Marktoberdorf.
20 th December 2012, Dagstuhl Comparing Verification Condition Generation with Symbolic Execution Malte Schwerhoff, ETH Zürich Joint work with Yannis Kassios,
Synthesis with the Sketch System D AY 1 Armando Solar-Lezama.
Viper A Verification Infrastructure for Permission-Based Reasoning 1 st March 2015, ECOOP’15 PC Meeting, Zurich Uri Juhasz, Ioannis Kassios, Peter Müller,
Formal Verification Lecture 9. Formal Verification Formal verification relies on Descriptions of the properties or requirements Descriptions of systems.
Program Verification K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond University of Washington CSE P January.
Viper A Verification Infrastructure for Permission-Based Reasoning 24 th March 2015, JML Workshop, Leiden Uri Juhasz, Ioannis Kassios, Peter Müller, Milos.
Rustan Leino RiSE, Microsoft Research, Redmond MIT 5 June 2009 Joint work with: Peter Müller, ETH Zurich Jan Smans, KU Leuven.
Spec# Andreas Vida. Motivation Correct and maintainable software Correct and maintainable software Cost effective software production Cost effective software.
Lightweight Support for Magic Wands in an Automatic Verifier Malte Schwerhoff and Alexander J. Summers 10 th July 2015, ECOOP, Prague.
An Introduction to Automated Program Verification with Permission Logics 15 th May 2015, Systems Group, ETH Zurich Uri Juhasz, Ioannis Kassios, Peter Müller,
K. Rustan M. Leino RiSE, Microsoft Research, Redmond joint work with Peter Müller and Jan Smans Lecture 1 2 September 2009 FOSAD 2009, Bertinoro, Italy.
ESOP 2010, Paphos, Cyprus, 22 March 2010 K. Rustan M. Leino (RiSE group, Microsoft Research) Peter Müller (ETH Zurich) Jan Smans (KU Leuven)
Formal Verification – Robust and Efficient Code Lecture 1
Model Checking Early Requirements Specifications in Tropos Presented by Chin-Yi Tsai.
Mostly-Automated Verification of Low-Level Programs in Computational Separation Logic Adam Chlipala Harvard University PLDI 2011.
Spring 2017 Program Analysis and Verification
A Review of Software Testing - P. David Coward
Dafny An automatic program verifier for functional correctness
Specification techniques for verifying object-oriented software
Deductive Verification Tools Tutorial for Dagstuhl Seminar 16201
Auto-active verification
Weakest Precondition of Unstructured Programs
Further with Hoare Logic Sections 6.12, 6.10, 6.13
A Verification Infrastructure for Permission-based Reasoning
The Relationship Between Separation Logic and Implicit Dynamic Frames
Reasoning about Comprehensions with First-Order SMT Solvers
Matching Logic An Alternative to Hoare/Floyd Logic
The Relationship Between Separation Logic and Implicit Dynamic Frames
Program Verification via an Intermediate Verification Language
runtime verification Brief Overview Grigore Rosu
Automating Induction for Solving Horn Clauses
Auto-active verification
Relatively Complete Refinement Type System for Verification of Higher-Order Non-deterministic Programs Hiroshi Unno (University of Tsukuba) Yuki Satake.
Lecture 5 Floyd-Hoare Style Verification
IS 2935: Developing Secure Systems
Dafny An automatic program verifier for functional correctness
Automated Analysis and Code Generation for Domain-Specific Models
Language-Independent Verification Framework
Auto-active verification
Java Modeling Language (JML)
The SMT-LIB Initiative
Presentation transcript:

A Verification Infrastructure for Permission-Based Reasoning Viper A Verification Infrastructure for Permission-Based Reasoning Quantified Permissions Dynamic-Frames-Style Specifications in Permission Logics Malte Schwerhoff 3rd November 2016, Bad Herrenalb

Frame Problem { P } C { Q } { P R } C { Q R } ∧

Framing Methodologies { P } C { Q } { P R } C { Q R } ∧ ∧ Dynamic Frames (no permissions) { P } C { Q } modifies(C) ∩ reads(R) = ∅ { P R } C { Q R } ∧ ∧

Framing Methodologies { P } C { Q } { P R } C { Q R } ∧ ∧ Dynamic Frames (no permissions) Separation Logic (permissions) { P } C { Q } modifies(C) ∩ reads(R) = ∅ { P } C { Q } { P R } C { Q R } { P R } C { Q R } ∧ ∧ ∗ ∗

Permissions method mutate() requires acc(this.val) ensures acc(this.val) method client(x, y) requires acc(x.val) ∗ acc(y.val) { var tmp := y.val x.mutate() assert tmp == y.val } X x.val Y y.val

Permissions { P } C { Q } { P  R } C { Q  R } ∗ ∗ method mutate() requires acc(this.val) ensures acc(this.val) method client(x, y) requires acc(x.val) ∗ acc(y.val) { var tmp := y.val x.mutate() assert tmp == y.val } X x.val Y y.val { P } C { Q } { P  R } C { Q  R } ∗ ∗

Permissions { P } C { Q } { P  R } C { Q  R } ∗ ∗ method mutate() requires acc(this.val) ensures acc(this.val) method client(x, y) requires acc(x.val) ∗ acc(y.val) { var tmp := y.val x.mutate() assert tmp == y.val } X x.val Y y.val { P } C { Q } { P  R } C { Q  R } ∗ ∗

Permissions { P } C { Q } { P  R } C { Q  R } ∗ ∗ method mutate() requires acc(this.val) ensures acc(this.val) method client(x, y) requires acc(x.val) ∗ acc(y.val) { var tmp := y.val x.mutate() assert tmp == y.val } ? x.val Y y.val { P } C { Q } { P  R } C { Q  R } ∗ ∗

Permissions { P } C { Q } { P  R } C { Q  R } ∗ ∗ method mutate() requires acc(this.val) ensures acc(this.val) method client(x, y) requires acc(x.val) ∗ acc(y.val) { var tmp := y.val x.mutate() assert tmp == y.val } ? x.val Y y.val { P } C { Q } { P  R } C { Q  R } ∗ ∗

Permissions { P } C { Q } { P  R } C { Q  R } ∗ ∗ method mutate() requires acc(this.val) ensures acc(this.val) method client(x, y) requires acc(x.val) ∗ acc(y.val) { var tmp := y.val x.mutate() assert tmp == y.val } ? x.val Y y.val { P } C { Q } { P  R } C { Q  R } ∗ ∗

Common Tool Infrastructures No Permissions Prog. language, spec. language and methodology Front end Intermediate verification language Verification condition generator SMT solver

Common Tool Infrastructures No Permissions Prog. language, spec. language and methodology Front end Intermediate verification language Verification condition generator SMT solver

Common Tool Infrastructures No Permissions Permissions Prog. language, spec. language and methodology Prog. language, spec. language and methodology Front end Custom verifier Intermediate verification language Intermediate verification language Verification condition generator SMT solver SMT solver

Common Tool Infrastructures No Permissions Permissions Prog. language, spec. language and methodology Prog. language, spec. language and methodology Front end Custom verifier Custom verifier Custom verifier Intermediate verification language Intermediate verification language Verification condition generator SMT solver SMT solver

Common Tool Infrastructures No Permissions Permissions Prog. language, spec. language and methodology Prog. language, spec. language and methodology repeat abstraction gap Front end Custom verifier Custom verifier Custom verifier Intermediate verification language Intermediate verification language Verification condition generator reuse SMT solver SMT solver

Insufficient Tool Support for Permission Logics Prog. language, spec. language and methodology Custom verifier SMT solver Verification efforts do not benefit fully from advances in theory Theory does not receive feedback from applications Toolbox image: http://www.freeiconspng.com/free-images/toolbox-icon-32381

Facilitate the 1. development of tools 2. prototyping of encodings for permission-based verification

Intermediate verification language Viper Front end Front end Front end Intermediate verification language Back-end tools Viper SMT solver Icons: http://www.iconarchive.com/show/vista-people-icons-by-icons-land.html http://www.icons-land.com/

{ P } C { Q } { P  R } C { Q  R } Permission Transfer callee caller ∗ ∗ caller

Viper Features: Inhale and Exhale { P } C { Q } callee { P  R } C { Q  R } ∗ ∗ caller exhale P assert value constraints check and remove permissions havoc newly-inaccessible locations inhale Q obtain permissions assume value constraints

Demo

Recursive Predicates v predicate list(this: Ref) { this != null ==> acc(this.data) && acc(this.next) && list(this.next) } v unfold list(this) // access this.data // and this.next fold list(this)

Recursive Predicates: Limitations Extending

Recursive Predicates: Limitations Extending

Recursive Predicates: Limitations Extending Sharing w

Recursive Predicates: Limitations Extending Sharing w

Recursive Predicates: Limitations Extending Sharing Traversing w

Unbounded Data Structures Unidirectional Multidirectional Random Access Unstructured recursive predicates are often a suitable specification mechanism 28

Unbounded Data Structures Unidirectional Multidirectional Random Access Unstructured need for an alternative specification mechanism 29

Quantified Permissions Multidirectional forall n in nodes :: acc(n.next) && acc(n.prev) Random Access Unstructured 30

Quantified Permissions Multidirectional forall n in nodes :: acc(n.next) && acc(n.prev) Random Access forall i in [0..5] :: acc(arr[i]) Unstructured 31

Quantified Permissions Multidirectional forall n in nodes :: acc(n.next) && acc(n.prev) Random Access forall i in [0..5] :: acc(arr[i]) forall i in [0..5] :: i % 2 == 1 ==> acc(arr[i]) Unstructured 32

Quantified Permissions Multidirectional forall n in nodes :: acc(n.next) && acc(n.prev) Random Access forall i in [0..5] :: acc(arr[i]) forall i in [0..5] :: i % 2 == 1 ==> acc(arr[i]) Unstructured forall n in nodes :: acc(n.succs) && acc(n.marked) 33

Quantified Permissions Multidirectional forall n in nodes :: acc(n.next) && acc(n.prev) Random Access forall i in [0..5] :: acc(arr[i]) forall i in [0..5] :: i % 2 == 1 ==> acc(arr[i]) Unstructured forall n in nodes :: acc(n.succs) && acc(n.marked) && (n.marked ==> forall m in n.succs :: m.marked) 34

List Tail Sharing Revisited predicate list(nodes: Set[Ref]) { forall n  nodes :: acc(n.data) && acc(n.next) && (n.next != null ==> n.next  nodes) } v w list(nodes) && v  nodes && w.next  nodes

General Receiver Expressions inhale ∀ x ∈ S :: acc(e(x).f) exhale ∀ y ∈ R :: acc(y.f) 36

General Receiver Expressions: Challenge inhale ∀ x ∈ S :: acc(e(x).f) {x1, x2, x3, x4, ..., xn} e(x).f {y1, y2, y3, ..., ym} acc(y.f)? exhale ∀ y ∈ R :: acc(y.f) 37

General Receiver Expressions: Challenge inhale ∀ x ∈ S :: acc(e(x).f) {x1, x2, x3, x4, ..., xn} e(x).f ∃ x ϵ S :: e(x) = y? {y1, y2, y3, ..., ym} exhale ∀ y ∈ R :: acc(y.f) 38

General Receiver Expressions: Injectivity inhale ∀ x ∈ S :: acc(e(x).f) 1. Require e(x) to be injective (naturally satisfied by e.g. arrays and graphs) {x1, x2, x3, x4, ..., xn} e(x).f {y1, y2, y3, ..., ym} exhale ∀ y ∈ R :: acc(y.f) 39

General Receiver Expressions: Inverse Functions inhale ∀ x ∈ S :: acc(e(x).f) 1. Require e(x) to be injective 2. Axiomatise inverse function e-1(x) to SMT solver {x1, x2, x3, x4, ..., xn} e(x).f {y1, y2, y3, ..., ym} exhale ∀ y ∈ R :: acc(y.f) 40

General Receiver Expressions: Challenge inhale ∀ x ∈ S :: acc(e(x).f) {x1, x2, x3, x4, ..., xn} e-1(y) ϵ S? e(x).f y.f ϵ L? {y1, y2, y3, ..., ym} acc(y.f)? exhale ∀ y ∈ R :: acc(y.f) 41

Demo

Dynamic Frames vs. Permissions Permission Logics: disjointness per default poorly supported in tools Arbitrary data structures Concurrency Dynamic Frames: sharing per default

Dynamic Frames vs. Permissions Permission Logics: disjointness per default Viper’s quantified permissions Arbitrary data structures Concurrency ? specify and maintain disjointness explicitly Dynamic Frames: sharing per default

Viper: Currently Viper Chalice Java OpenCL Python Intermediate verification language Verification condition generator (verifier) Symbolic execution (verifier) Abstract interpretation (inference) Viper Boogie SMT solver

Viper: Next Viper Fine-Grained Concurrency Chalice Java OpenCL Python Intermediate verification language Verification condition generator (verifier) Symbolic execution (verifier) Abstract interpretation (inference) Viper Boogie SMT solver

+ C1 || C2 http://viper.ethz.ch Viper SMT solver Intermediate verification language Viper Abstract interpretation (inference) Boogie Verification condition generator (verifier) Symbolic execution (verifier) Java Chalice OpenCL Python http://viper.ethz.ch C1 || C2 +

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.