Gradual Verification Seamlessly and flexibly combine static and dynamic verification by drawing on the general principles from abstract interpretation.

Slides:



Advertisements
Similar presentations
Writing specifications for object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 21 Jan 2005 Invited talk, AIOOL 2005 Paris,
Advertisements

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.
Copyright W. Howden1 Programming by Contract CSE 111 6/4/2014.
De necessariis pre condiciones consequentia sine machina P. Consobrinus, R. Consobrinus M. Aquilifer, F. Oratio.
An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.
Semantics Static semantics Dynamic semantics attribute grammars
ISBN Chapter 3 Describing Syntax and Semantics.
1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.
The Z Specification Language
Formal Methods in Software Engineering Credit Hours: 3+0 By: Qaisar Javaid Assistant Professor Formal Methods in Software Engineering1.
HCSSAS Capabilities and Limitations of Static Error Detection in Software for Critical Systems S. Tucker Taft CTO, SofCheck, Inc., Burlington, MA, USA.
Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt.
Software Engineering and Design Principles Chapter 1.
Constraint Logic Programming Ryan Kinworthy. Overview Introduction Logic Programming LP as a constraint programming language Constraint Logic Programming.
ESC Java. Static Analysis Spectrum Power Cost Type checking Data-flow analysis Model checking Program verification AutomatedManual ESC.
Software Testing and Quality Assurance
Overview. Why data structures is a key course Main points from syllabus Survey Warmup program And now to get started...
Houdini: An Annotation Assistant for ESC/Java Cormac Flanagan and K. Rustan M. Leino Compaq Systems Research Center.
Software Reliability Methods Sorin Lerner. Software reliability methods: issues What are the issues?
OOP #10: Correctness Fritz Henglein. Wrap-up: Types A type is a collection of objects with common behavior (operations and properties). (Abstract) types.
Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
From last time S1: l := new Cons p := l S2: t := new Cons *p := t p := t l p S1 l p tS2 l p S1 t S2 l t S1 p S2 l t S1 p S2 l t S1 p L2 l t S1 p S2 l t.
1 CMSC 132: Object-Oriented Programming II Nelson Padua-Perez William Pugh Department of Computer Science University of Maryland, College Park.
Describing Syntax and Semantics
School of Computer ScienceG53FSP Formal Specification1 Dr. Rong Qu Introduction to Formal Specification
© 2006 Pearson Addison-Wesley. All rights reserved2-1 Chapter 2 Principles of Programming & Software Engineering.
Cormac Flanagan University of California, Santa Cruz Hybrid Type Checking.
Mathematics throughout the CS Curriculum Support by NSF #
Computer Science 340 Software Design & Testing Design By Contract.
Software Engineering Prof. Dr. Bertrand Meyer March 2007 – June 2007 Chair of Software Engineering Static program checking and verification Slides: Based.
CompSci 105 SS 2005 Principles of Computer Science Lecture 4 Lecturer: Santokh Singh.
Course: Software Engineering © Alessandra RussoUnit 1 - Introduction, slide Number 1 Unit 1: Introduction Course: C525 Software Engineering Lecturer: Alessandra.
Introduction CS 3358 Data Structures. What is Computer Science? Computer Science is the study of algorithms, including their  Formal and mathematical.
Chapter 25 Formal Methods Formal methods Specify program using math Develop program using math Prove program matches specification using.
Type Systems CS Definitions Program analysis Discovering facts about programs. Dynamic analysis Program analysis by using program executions.
ISBN Chapter 3 Describing Semantics -Attribute Grammars -Dynamic Semantics.
Introduction CS 3358 Data Structures. What is Computer Science? Computer Science is the study of algorithms, including their  Formal and mathematical.
CS Data Structures I Chapter 2 Principles of Programming & Software Engineering.
A Universe-Type-Based Verification Technique for Mutable Static Fields and Methods Alexander J Summers Sophia Drossopoulou Imperial College London Peter.
Semantics In Text: Chapter 3.
COP4020 Programming Languages Introduction to Axiomatic Semantics Prof. Robert van Engelen.
Spec# Andreas Vida. Motivation Correct and maintainable software Correct and maintainable software Cost effective software production Cost effective software.
© 2006 Pearson Addison-Wesley. All rights reserved 2-1 Chapter 2 Principles of Programming & Software Engineering.
Formal Specification: a Roadmap Axel van Lamsweerde published on ICSE (International Conference on Software Engineering) Jing Ai 10/28/2003.
SWE 4743 Abstract Data Types Richard Gesick. SWE Abstract Data Types Object-oriented design is based on the theory of abstract data types Domain.
Properties as Processes : FORTE slide Properties as Processes: their Specification and Verification Joel Kelso and George Milne School of Computer.
PROGRAMMING PRE- AND POSTCONDITIONS, INVARIANTS AND METHOD CONTRACTS B MODULE 2: SOFTWARE SYSTEMS 13 NOVEMBER 2013.
1 Contractual Consistency Between BON Static and Dynamic Diagrams Ali Taleghani July 30, 2004.
CSC3315 (Spring 2009)1 CSC 3315 Languages & Compilers Hamid Harroud School of Science and Engineering, Akhawayn University
Reasoning and Design (and Assertions). How to Design Your Code The hard way: Just start coding. When something doesn’t work, code some more! The easier.
Principles of Programming & Software Engineering
Weakest Precondition of Unstructured Programs
Principles of Programming and Software Engineering
State your reasons or how to keep proofs while optimizing code
B (The language of B-Method )
Design by Contract Fall 2016 Version.
Lecture 5 Floyd-Hoare Style Verification
Programming Languages and Compilers (CS 421)
Programming Languages 2nd edition Tucker and Noonan
Hoare-style program verification
Semantics In Text: Chapter 3.
Java Modeling Language (JML)
The Zoo of Software Security Techniques
Assertions References: internet notes; Bertrand Meyer, Object-Oriented Software Construction; 4/25/2019.
Computer Science 340 Software Design & Testing
Programming Languages and Compilers (CS 421)
Programming Languages 2nd edition Tucker and Noonan
COP4020 Programming Languages
Presentation transcript:

Gradual Verification Seamlessly and flexibly combine static and dynamic verification by drawing on the general principles from abstract interpretation to derive a gradual system from a static one Concerned with formal verification where program correctness determined from specifications of system components drawn from a logic Function/method pre- and postconditions (contracts) Loop invariants Type invariants etc. Jenna Wise Advisors: Jonathan Aldrich, Josh Sunshine Special Thanks to: Johannes Bader & Éric Tanter Bader, Johannes, Jonathan Aldrich, and Éric Tanter. "Gradual Program Verification." In International Conference on Verification, Model Checking, and Abstract Interpretation, pp. 25-46. Springer, Cham, 2018.

Overview & Motivation Static Verification (at compile time) Dynamic Verification (at runtime) If sound, no static errors means no runtime errors (no extra runtime checks) Software must be fully specified with detailed specs Gradual Verification Software can be partially specified with partial specs Specs turned into runtime checks (runtime overhead) Programs checked for properties at compile time Programs checked for properties at runtime Toy programs are easy to specify and prove statically; especially for builders of static verification tools, for software engineers in practice on real code at scale not so much Dynamic verification allows us extra information at runtime so partial specs are an option, Not the case for static verification Tradeoffs Scalability Performance More or less runtime overhead Annotation burden More or less detailed annotations Other SE concerns Up to speed with tool Anticipation of changes to software over time Modularity & Information hiding Readability; can multiple people work on this at a time Error detection

Static Verification by Example Annotated Function Client Program int withdraw(int balance, int balance ≔ 100; int amount) Q: 𝑏𝑎𝑙𝑎𝑛𝑐𝑒=100 requires 𝑏𝑎𝑙𝑎𝑛𝑐𝑒≥𝑎𝑚𝑜𝑢𝑛𝑡 P: 𝑏𝑎𝑙𝑎𝑛𝑐𝑒≥30 ensures 𝑟𝑒𝑠𝑢𝑙𝑡≥0 balance ≔ withdraw(balance, 30); Q: 𝑏𝑎𝑙𝑎𝑛𝑐𝑒≥0 { return balance − amount; } P: 𝑏𝑎𝑙𝑎𝑛𝑐𝑒≥40 balance ≔ withdraw(balance, 40); Precondition: P ⇓ ? Postcondition: Q ⇓ ? Example formal methods: Hoare logic – [brief explanation of Hoard logic] Static verifier proves that withdraw compiles with its contract (pre & post) Proves that two statements are valid: - withdraw’s pre & assert sat

Dynamic Verification by Example Annotated Function Client Program int withdraw(int balance, int balance ≔ 100; int amount) assert P: 𝑏𝑎𝑙𝑎𝑛𝑐𝑒≥30 requires 𝑏𝑎𝑙𝑎𝑛𝑐𝑒≥𝑎𝑚𝑜𝑢𝑛𝑡 balance ≔ withdraw(balance, 30); ensures 𝑟𝑒𝑠𝑢𝑙𝑡≥0 assert P: 𝑏𝑎𝑙𝑎𝑛𝑐𝑒≥40 balance ≔ withdraw(balance, 40); { return balance − amount; } assert P: 100≥30 ? assert P: 70≥40 ? A violation at runtime causes a runtime exception to be thrown, preventing the program from entering a state that contradicts its specification

Gradual Verification adhering to Gradual Gaurantee Gradual Guarantee Reducing the precision of specifications never breaks the verifiability of a program (formalized in [1]) − static guarantees + dynamic checks Static Verification (at compile time) Dynamic Verification (at runtime) + static guarantees − dynamic checks Reducing the precision of contracts – ie. specifying less statically in a gradual formula (? represents more things, phi has more information in it) Reducing the precision of specifications never breaks verifiability of a program - Can choose desired level of precision without artificial constraints imposed by the verification tech Verifiability monotone with respect to precision Programmers can gradually evolve and refine static annotations Rewarded by progressively increased static correctness guarantees and progressively decreased runtime checking Explain why helps us leverage static and dynamic advantages Valid program means it adheres to its specification - verified Static Gradual Guarantee A valid gradual program is still valid when we reduce the precisions of specifications Dynamic Gradual Guarantee A valid program that takes a step still takes the same step if we reduce the precision of specifications Gradual Verification adhering to Gradual Gaurantee [1] Bader, Johannes, Jonathan Aldrich, and Éric Tanter. "Gradual Program Verification." In International Conference on Verification, Model Checking, and Abstract Interpretation, pp. 25-46. Springer, Cham, 2018.

Approach Introduce imprecision into formulas/specifications Take static verification techniques and lift them following the abstract interpretation perspective on gradual typing to deal with imprecise specifications Adheres to gradual guarantee Derive a gradually verified language from a statically verified language following the abstract interpretation perspective on gradual typing - Follows the gradual guarantee

Allow imprecision in specifications via the “?” wildcard Gradual Formulas 𝜙 ∷=𝜙 | 𝜙∧ ? Allow imprecision in specifications via the “?” wildcard ? Is the unknown formula Gradual formulas can include imprecision Phi is the static part of an imprecise formula

Gradual Formulas Gradual formulas are given meaning by the set of fully precise formulas it represents Gradual Formula Set of Representing formulas 𝑏𝑎𝑙𝑎𝑛𝑐𝑒≥0 𝑏𝑎𝑙𝑎𝑛𝑐𝑒≥0 𝛾 𝜙 = 𝜙 𝛾 𝜙∧ ? = 𝜙 ′ ∈𝑆𝑎𝑡𝐹𝑜𝑟𝑚𝑢𝑙𝑎 | 𝜙 ′ ⟹𝜙 𝑖𝑓 𝜙∈𝑆𝑎𝑡𝐹𝑜𝑟𝑚𝑢𝑙𝑎 𝑢𝑛𝑑𝑒𝑓𝑖𝑛𝑒𝑑 𝑜𝑡ℎ𝑒𝑟𝑤𝑖𝑠𝑒 Is an infinite set, so any implementation will need to safely approximate this set. What does "safely" mean (guided by the gradual guarantee)? Balance < 0 can’t be in the set since it does not imply balance \geq 0 𝑏𝑎𝑙𝑎𝑛𝑐𝑒=0, 𝑏𝑎𝑙𝑎𝑛𝑐𝑒≥0, 𝑏𝑎𝑙𝑎𝑛𝑐𝑒≥0∧𝑎𝑚𝑜𝑢𝑛𝑡≥0 … 𝑏𝑎𝑙𝑎𝑛𝑐𝑒≥0∧ ? 𝑏𝑎𝑙𝑎𝑛𝑐𝑒≥0∧𝑏𝑎𝑙𝑎𝑛𝑐𝑒<0

Static Verification in Gradual Setting Lifted from normal static verification using ideas from Abstract Interpretation on Gradual Typing [1] Predicates ∙ ⇒ ⋅ Functions 𝑊𝐿𝑃 𝑠𝑡𝑚𝑡,𝜙 Static Verification in Gradual Setting Uses lifted predicates and functions Motivate lifting! Common static verification predicates and functions, such as implication and weakest preconditions calculus are lifted using ideas from Abstract Interpretation on Gradual Typing Illustrated in the next slide [1] Garcia, Ronald, Alison M. Clark, and Éric Tanter. "Abstracting gradual typing." ACM SIGPLAN Notices. Vol. 51. No. 1. ACM, 2016.

⟹ Lifting Diagram 𝜙 𝜙 ′ ⟹ ?  𝛾 𝛾 Set of 𝜙 Exist 𝜙 1 Exist 𝜙 2 Gamma concretizes a gradual formula – computes a set of static formulas represented by the gradual formula Gamma(phi and ?) = {phi’ | phi’ => phi} phi’ is SAT Can get vice-versa, if we know gradual implication holds then there must have been two concrete formulas that imply one another in the concrete representation of those two formulas Set of 𝜙 Exist 𝜙 1 Exist 𝜙 2 Set of 𝜙′ ⟹ 

WLP Lifting Diagram 𝜙 𝜙 ′ ?? 𝑊𝐿𝑃 𝛾 𝛼 Set of 𝜙 Set of 𝜙′ 𝑊𝐿𝑃 Gamma concretizes a gradual formula – computes a set of static formulas represented by the gradual formula Gamma(phi and ?) = {phi’ | phi’ => phi} phi’ is SAT Each of them are sent to WLP and a set of new formulas are computed Alpha takes this set of phi’ and abstracts the concrete formulas to a gradual formula The most precise gradual formula that represents all of the phi’ Alpha(set of phi’) = min_precise{tphi in tF | set of phi’ in Gamma(tphi)} Set of 𝜙 Set of 𝜙′ 𝑊𝐿𝑃

Static Verification in Gradual Setting: An Example Annotated Function Client Program int withdraw(int balance, int balance ≔ 100; int amount) Q: 𝑏𝑎𝑙𝑎𝑛𝑐𝑒=100 requires 𝑏𝑎𝑙𝑎𝑛𝑐𝑒≥𝑎𝑚𝑜𝑢𝑛𝑡 P: 𝑏𝑎𝑙𝑎𝑛𝑐𝑒≥30 ensures 𝑟𝑒𝑠𝑢𝑙𝑡≥0∧ ? balance ≔ withdraw(balance, 30); Q: 𝑏𝑎𝑙𝑎𝑛𝑐𝑒≥0∧ ? { return balance − amount; } P: 𝑏𝑎𝑙𝑎𝑛𝑐𝑒≥40 balance ≔ withdraw(balance, 40); ⇓ ? ⇒ ? Thanks to our imprecise postcondition, the static checker optimistically accepts the program Static verifier optimistically accepts an imprecise formula if some concrete formula representing it makes the formula valid Not guaranteed that the precondition is satisfied at runtime without additional checks GVLs runtime semantics should add such checks as appropriate – talk about this next Will fail if timplies b < 0 since that will contradict the static part of balance >= 0 wedge ? We also expect that imprecise formulas might not necessarily result in runtime checks if there is enough static information to ascertain the result Ensures (result = old(balance) – old(amount)) wedge ?

Dynamic Verification in Gradual Setting Dynamic verification in the gradual setting must ensure that a valid instantiation of “?” in the static checker is valid at runtime Pay-as-you-go cost model: optimized runtime checks based on statically guaranteed info All static guarantees 0 dynamic checks − static guarantees + dynamic checks 0 static guarantees All dynamic checks Explain you can do runtime checks without optimization The statically-guaranteed optimization means that the cost of runtime checking increases with increases in imprecision - And decreases with increased precision; static information Rely on static verification for fully-precise formulas Rely on optimized runtime checks and static checks for imprecise formulas Runtime checks optimized based on statically-guaranteed information 𝜙 1 ∧…∧ 𝜙 𝑛 ? … 𝜙 1 ∧…∧ 𝜙 𝑛−1 ∧ ? 𝜙 1 ∧…∧ 𝜙 𝑛−2 ∧ ? 𝜙 1 ∧ ? + static guarantees − dynamic checks

Current & Future Work

Current & Future Work Building a usable, language independent, and robust gradual verification tool Supports verification of programs written in multiple languages Java, Wyvern, C0 Supports efficient verification of many different language features Shared mutable state, recursive data structures, loops, etc. Multiple languages with extensibility for more Robust in that it verifies many different non-trivial language features Extend theory to these features along the way Educational setting: Course and number at CMU?

Current & Future Work Deploy the tool in 15-122 Teaches imperative programming and methods for ensuring the correctness of imperative programs Teaches process and techniques for going from algorithms to correct implementations Research Question Can the incremental nature of gradual verification allow students to achieve these learning goals more easily? This course teaches imperative programming in a C-like language and methods for ensuring the correctness of imperative programs; teaches dynamic verification. ability to write code that is correct by design and accounts for the needs of its application context Learn the process and techniques needed to go from high-level descriptions of algorithms to correct imperative implementations RQ: Students can learn static verification techniques incrementally; they do not need to learn how to specify aliasing precisely at the start Static verification details helpful for really understanding functional correctness

Gradual Verification adhering to Gradual Gaurantee Summary Static Verification (at compile time) Dynamic Verification (at runtime) If sound, no static errors means no runtime errors (no extra runtime checks) Software must be fully specified with detailed specs Gradual Verification adhering to Gradual Gaurantee Software can be partially specified with partial specs Specs turned into runtime checks (runtime overhead) Allows us to leverage these advantages by – explain further in words out loud - progressively increased static correctness guarantees and progressively decreased runtime checking

Gradual Verification adhering to Gradual Gaurantee Summary All static guarantees 0 dynamic checks − static guarantees + dynamic checks 0 static guarantees All dynamic checks 𝜙 1 ∧…∧ 𝜙 𝑛 ? … 𝜙 1 ∧…∧ 𝜙 𝑛−1 ∧ ? 𝜙 1 ∧…∧ 𝜙 𝑛−2 ∧ ? 𝜙 1 ∧ ? + static guarantees − dynamic checks Allows us to leverage these advantages by – explain further in words out loud progressively increased static correctness guarantees and progressively decreased runtime checking The Gradual guarantee allows us to support a smooth continuum between static and dynamic verification leveraging these advantages Our Approach Gradual static verification derived from static verification following the abstract interpretation perspective on gradual typing Gradual dynamic verification follows a pay-as-you-go cost model – optimizing runtime checks based on statically-guaranteed information Gradual Verification adhering to Gradual Gaurantee