Verifying Safety Policies with Size Properties and Alias Controls Wei Ngan Chin 1,2, Siau-Cheng Khoo 1, Shengchao Qin 3, Corneliu Popeea 1, Huu Hai Nguyen.

Slides:



Advertisements
Similar presentations
Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
Advertisements

Writing specifications for object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 21 Jan 2005 Invited talk, AIOOL 2005 Paris,
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.
De necessariis pre condiciones consequentia sine machina P. Consobrinus, R. Consobrinus M. Aquilifer, F. Oratio.
Modular and Verified Automatic Program Repair Francesco Logozzo, Thomas Ball RiSE - Microsoft Research Redmond.
An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.
Automated Verification with HIP and SLEEK Asankhaya Sharma.
Extended Static Checking for Haskell (ESC/Haskell) Dana N. Xu University of Cambridge advised by Simon Peyton Jones Microsoft Research, Cambridge.
- Vasvi Kakkad.  Formal -  Tool for mathematical analysis of language  Method for precisely designing language  Well formed model for describing and.
Verifying Executable Object-Oriented Specifications with Separation Logic Stephan van Staden, Cristiano Calcagno, Bertrand Meyer.
Automated Verification with HIP and SLEEK Asankhaya Sharma.
1 Mooly Sagiv and Greta Yorsh School of Computer Science Tel-Aviv University Modern Compiler Design.
HIP/SLEEK11 HIP/SLEEK :Automatic Verification and Specification Inference System Wei-Ngan Chin & Asankhaya Sharma Dept of Computer Science National University.
Verification of Multithreaded Object- Oriented Programs with Invariants Bart Jacobs, K. Rustan M. Leino, Wolfram Schulte.
Inferring Disjunctive Postconditions Corneliu Popeea and Wei-Ngan Chin School of Computing National University of Singapore - ASIAN
A simple sequential reasoning approach for sound modular verification of mainstream multithreaded programs Wolfram Schulte & Bart Jacobs Microsoft Research.
Winter Compiler Construction T7 – semantic analysis part II type-checking Mooly Sagiv and Roman Manevich School of Computer Science Tel-Aviv.
1 University of Toronto Department of Computer Science © 2001, Steve Easterbrook Lecture 10: Formal Verification Formal Methods Basics of Logic first order.
Generic programming in Java
ISMM Analyzing Memory Resource Bounds for Low-Level Programs Wei-Ngan Chin 1 Huu Hai Nguyen 1 Corneliu Popeea 1 Shengchao Qin 2 1 National Univ.
Foundations of Programming Languages: Introduction to Lambda Calculus
C. FlanaganSAS’04: Type Inference Against Races1 Type Inference Against Races Cormac Flanagan UC Santa Cruz Stephen N. Freund Williams College.
Verifying Correct Usage of Atomic Blocks and Typestate Nels E. Beckman Nels E. Beckman, Kevin Bierhoff, and Jonathan Aldrich Carnegie Mellon University.
Advanced Programming Handout 9 Qualified Types (SOE Chapter 12)
On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning Xinyu Feng Yale University Joint work with Rodrigo Ferreira and.
Houdini: An Annotation Assistant for ESC/Java Cormac Flanagan and K. Rustan M. Leino Compaq Systems Research Center.
Software Reliability Methods Sorin Lerner. Software reliability methods: issues What are the issues?
From last time S1: l := new Cons p := l S2: t := new Cons *p := t p := t l p S1 l p tS2 l p S1 t S2 l t S1 p S2 l t S1 p S2 l t S1 p L2 l t S1 p S2 l t.
Efficient Software Model Checking of Soundness of Type Systems Michael Roberson, Melanie Harries, Paul T. Darga, Chandrasekhar Boyapati University of Michigan.
Basic Definitions Data Structures: Data Structures: A data structure is a systematic way of organizing and accessing data. Or, It’s the logical relationship.
Dependent Types for Reasoning About Distributed Systems Paul Sivilotti - Ohio State Hongwei Xi - Cincinnati.
Type Inference: CIS Seminar, 11/3/2009 Type inference: Inside the Type Checker. A presentation by: Daniel Tuck.
Maria-Cristina Marinescu Martin Rinard Laboratory for Computer Science Massachusetts Institute of Technology A Synthesis Algorithm for Modular Design of.
Symbol Table (  ) Contents Map identifiers to the symbol with relevant information about the identifier All information is derived from syntax tree -
CS 2104 : Prog. Lang. Concepts. Functional Programming I Lecturer : Dr. Abhik Roychoudhury School of Computing From Dr. Khoo Siau Cheng’s lecture notes.
Software Engineering Prof. Dr. Bertrand Meyer March 2007 – June 2007 Chair of Software Engineering Static program checking and verification Slides: Based.
Automatic Verification of Pointer Programs using Grammar-based Shape Analysis Hongseok Yang Seoul National University (Joint Work with Oukseh Lee and Kwangkeun.
1 Abstraction  Identify important aspects and ignore the details  Permeates software development programming languages are abstractions built on hardware.
CS 363 Comparative Programming Languages Semantics.
Synthesis, Analysis, and Verification Lecture 05a Lectures: Viktor Kuncak Programs with Data Structures: Assertions for Accesses. Dynamic Allocation.
Sound Haskell Dana N. Xu University of Cambridge Joint work with Simon Peyton Jones Microsoft Research Cambridge Koen Claessen Chalmers University of Technology.
Cristian Gherghina 1, Cristina David 1, Shengchao Qin 2, Wei-Ngan Chin 1 1 National University of Singapore 2 University of Teesside Structured Specifications.
COP4020 Programming Languages Introduction to Axiomatic Semantics Prof. Robert van Engelen.
11th Nov 2004PLDI Region Inference for an Object-Oriented Language Wei Ngan Chin 1,2 Joint work with Florin Craciun 1, Shengchao Qin 1,2, Martin.
12/9/20151 Programming Languages and Compilers (CS 421) Elsa L Gunter 2112 SC, UIUC Based in part on slides by Mattox.
L13: Design by Contract Definition Reliability Correctness Pre- and post-condition Asserts and Exceptions Weak & Strong Conditions Class invariants Conditions.
Sized Types Inference1 “Calculating Sized Types” by Wei-Ngan Chin and Siau-Cheng Khoo published in PEPM00 and HOSC01 Presented by Xu Na.
1 Static Contract Checking for Haskell Dana N. Xu University of Cambridge Joint work with Simon Peyton Jones Microsoft Research Cambridge Koen Claessen.
CS412/413 Introduction to Compilers Radu Rugina Lecture 13 : Static Semantics 18 Feb 02.
PROGRAMMING PRE- AND POSTCONDITIONS, INVARIANTS AND METHOD CONTRACTS B MODULE 2: SOFTWARE SYSTEMS 13 NOVEMBER 2013.
Quantified Data Automata on Skinny Trees: an Abstract Domain for Lists Pranav Garg 1, P. Madhusudan 1 and Gennaro Parlato 2 1 University of Illinois at.
Soundness of Types Ensuring that a type system is not broken.
1 Verification of object-oriented programs with invariants Mike Barnett, Robert DeLine, Manuel Fahndrich, K. Rustan M. Leino, Wolfram Schulte ECOOP 2003.
DBC NOTES. Design By Contract l A contract carries mutual obligations and benefits. l The client should only call a routine when the routine’s pre-condition.
CS5205Semantics1 CS5205: Foundation in Programming Languages Semantics Static Semantics Dynamic Semantics Operational Semantics Big-step Small-Step Denotational.
Arrays Using array as an expression, on the right-hand side Assigning to an array.
CPSC 252 ADTs and C++ Classes Page 1 Abstract data types (ADTs) An abstract data type is a user-defined data type that has: private data hidden inside.
1 Compiler Construction Run-time Environments,. 2 Run-Time Environments (Chapter 7) Continued: Access to No-local Names.
Jeremy Nimmer, page 1 Automatic Generation of Program Specifications Jeremy Nimmer MIT Lab for Computer Science Joint work with.
Enhancing Modular OO Verification with Separation Logic
Types CSCE 314 Spring 2016.
A lightening tour in 45 minutes
PROGRAMMING IN HASKELL
PROGRAMMING IN HASKELL
Recursion and Induction
Extended Static Checking for Haskell (ESC/Haskell)
Lecture 15 (Notes by P. N. Hilfinger and R. Bodik)
Haskell Types, Classes, and Functions, Currying, and Polymorphism
PROGRAMMING IN HASKELL
Presentation transcript:

Verifying Safety Policies with Size Properties and Alias Controls Wei Ngan Chin 1,2, Siau-Cheng Khoo 1, Shengchao Qin 3, Corneliu Popeea 1, Huu Hai Nguyen 2 1 National University of Singapore 2 Singapore-MIT Alliance 3 University of Durham

2 Background Uses of Size Analysis : array bound check elimin. [Xi-Pfenning'98] data structure invariance [Xi-Pfenning'99] termination analysis [Lee-Jones'01] space complexity [Hofman-Jost'03] Current Status : mostly for declarative languages (functional + logic) restricted imperative language (e.g. Xanadu) analyse and verify

3 Our Goal Static Verification for Object-Based Programs Main Challenges : objects may mutate objects may be aliased Our Approach Use size analysis and alias controls to specify and verify safety policies

4 Type System for Size Analysis Uses annotated types  ::= c Types are annotated with size properties that capture: Values : bool, int Lengths : Array, List, Tree value True --> b=1 value False --> b=0 value 3 --> n=3

5 Methods with Size Annotation  mn (  1 v1, …,  n vn) where  pre ;  post { body } Examples int add (int x, int y) where true ; (r=a+b) { x+y } int sub (Array A, int i) where (0  i  s) ; true { A[i] }

6 Object with Size Invariant AVL Tree: s – number of nodes in tree h – height of tree adt AVL where s=1+s 1 +s 2 Æ h=1+max(h 1,h 2 ) ; s ¸ 0 Æ h ¸ 0 Æ -1 · h 1 -h 2 · 1 { int val ; AVL left ; AVL right; … } void insert (AVL t, int n) where true ; s’=s+1 Æ h · h’ · h+1 {... }  inv - AVL Tree is height-balanced AVL’s invariant is preserved after node insertion  def - size definitionleft sub-treeright sub-treeelement value

7 adt List where n=m+1 ; n  0 { int val ; List next; void setNext (List x, List y) where n>0 ; n’=l+1 { x.next = y } …} Mutability & Aliasing Problem with aliasing and mutability : List a = new List(5,new List(6,null)); // x’=2 List b = a; // y’=x Æ x’=x setNext(b,null); // y’=1 Æ x’=x Unsound conclusion: x’=2 Æ y’=1 tail of the list

8 Alias Controls Adopted annotations : Immutability + Uniqueness Each reference (field/param/local var) is marked: Read-Only (R) : always refers to the same object. Unique (U) : sole reference to an object. Shared (S) : maybe globally aliased. Lent-Once (L) : unique parameter temporarily lent. Goal: precisely and soundly capture size-properties.

9 Size Property for List (1) List with Read-Only (R) tail. adt List where n=m+1 ; n ¸ 0 { val ; next ; : } read-only x; y; x=y; y.val=4; y.next=x; freely shared and trackable

10 List with Unique (U) tail. adt MList where n=m+1 ; n ¸ 0 { val ; next ; : } Size Property for List (2) mutable but unique x; y; x=y; x.next=.. …y… y loses its uniqueness

11 Lending Annotation Properties of a Lent-once reference : value does not escape the method has exclusive/unique access to the object void append xs, ys) where m>0 ; m'=m+n { if xs.next==null then xs.next=ys else append(xs.next,ys) } lent & unique

12 Lending Annotation void append xs, ys) where m>0 ; m'=m+n { … } x; y; append(x,y); …x.next… …y.next… uniqueness of x is lent uniqueness of y is consumed

13 Classification of Size-Variables Three possible groupsV obj (  h s * i ) = (S I,S T,S N ) (i)Size-Immutable (freely shared) (ii) Trackable (mutable and unique) (iii) Non-Trackable (mutable and globally aliased)

14 Outline Background on Size Analysis Size Tracking with Alias Controls Kernel Language and Protocol Specification Type System for Verification Implementation and Conclusion.

15 Kernel Language source program pre/post states Presburger size constraintannotated types expression oriented language define sizesize invariant

16 How are Safety Policies Specified? Popular approach - finite state machine. Our approach : ADT with (i) Object’s Size Invariant. (ii) Methods’ Preconditions. Benefits: Relational Properties Infinite-State Policies

17 File Protocol Safety policy : Read/Write after Successful Open. 123 open close read write new open File state 1 - uninitialized 2 - opened 3 - closed

18 File Protocol Specified using sized typing. successful file open must be opened closed state

19 Bounded Buffer Protocol Safety policy : Buffer does not Under/Overflow. s,c add get new n>0 ; s’=0 Æ c’=n s<c ; s’=s+1 Æ c’=c s>0 ; s’=s-1 Æ c’=c 0,c 1,c 2,c n,c Buffer state s - no of elements c - capacity

20 Outline Background on Size Analysis Size Tracking with Alias Controls Kernel Language and Protocol Specification Type System for Verification Implementation and Conclusion.

21 Type System for Verification Type judgement type environment pre/post states expression to type-check

22 Rule for IF: path-sensitivity path-sensitivity for size information using disjunction size of b corresponds to what branch is taken type of v

23 types for actual parameters Rule for Call poststate effect precondition checked substitution from formal to actual parameters method declaration

24 Correctness of Type System Type Preservation – size type property is correctly preserved during reduction. Progress – a well-typed program never goes wrong. Safety policies are guaranteed for well-typed programs.

25 Implementation Prototype built using Haskell language (GHC) Omega Presburger solver Accepts a Java-like language (without concurrency and exceptions). Is this method viable? Verification is fast because of modular type-checking. Annotation is less than 5% of source code.

26 Related Work Size analysis for immutable data structures [Hughes et.al'96, Xi-Pfenning'98,'99, Jost-Hofman'03] Alias controls for program reasoning [Chan-Boyland'98, Aldrich-Kostadinov-Chambers'02] Other approaches to verification: Finite type-state: Vault, Fugue [Fahndrich-DeLine'02,'04] Theorem proving: ESC (may be unsound) [Flanagan-Leino-Lillibridge-Nelson et.al'02] Model checking: Bogor (requires test harness) [Robby-Dwyer-Hatcliff-Rodriguez'03,'04]

27 Conclusion Formulate a precise relational size analysis for object-based programs. Use alias controls to track mutable size properties. Automatic verification for: Safety policies - files, bounded-buffers. Data invariants - lists, AVL trees. Working towards inference of alias and size annotations (for methods).

28 End

29 Experiments JOlden benchmarks

30 adt Cell where n=v ; true { int val ; void incr(Cell x) where true ; n’=n+1 {x.val =x.val + 1} …} Object Declaration size definition fields can only be accessed via methods Why use ADTs ? Development: a client is based on ADT’s interface (the implementation details are hidden). Modular analysis: correct usage of ADT verified against ADT’s interface.

31 Mutable Size Properties Example with aliasing and mutability : Cell a = new Cell(5);// x’=5 Cell b = a;// y’=x Æ x’=x incr(b);// y’=y+1 Æ x’=x // x’=5 Æ y’=6unsound! new value old value adt Cell where n=v ; true { int val ; void incr(Cell x) where true ; n’=n+1 {x.val =x.val + 1} …}

32 adt Pair where p1=s1 Æ p2=s2 ; true { fst; snd; void p, x) { p.fst=x } } r = new Pair(…); r.setFst(…); Pair Example int ({s1}, ,  ) ( ,{r1,r2},  ) ( ,{s1},  ) Pair ({p2},{p1},  ) int ({s2}, ,  ) where true ; p1’=x Æ p2’=p2 size definition

33 adt Pair where p1=s1 Æ p2=s2 ; true { fst; snd; void p, x) { p.fst=x } } m = new Pair(…); n = m; m.setFst(…); n.setFst(…); Pair Example int Pair ({s1}, ,  )({s2}, ,  ) ({p2},{p1},  ) ( ,{m2},{m1}) ( ,{n2},{n1}) ( ,{s1},  ) ({s2}, ,  ) where true ; p2’=p2 S

34 Array Protocol Safety policy : No Array Bounds Violation. Implementation: array primitive operations (that need no runtime tests). sub(A,i)…A[i] update(A,i,v)…A[i] = v no bounds violation size never change

35 Buffer Protocol Implemented using a cyclic array. Implementation checked to comply with Array protocol. safety preconditions Safety policy : Buffer does not Under/Overflow.

36 Lock Protocol Safety policy : No double lock/unlock operations.

37 adt AVL where s=1+s 1 +s 2 Æ h=1+max(h 1,h 2 ) ; s ¸ 0 Æ h ¸ 0 Æ -1 · h 1 -h 2 · 1 val ; left ; right; void insert t, n) where true ; ts’=ts+1 Æ th · th’ · th+1 {... } } AVL Tree