Verifying Safety Policies with Size Properties and Alias Controls Wei Ngan Chin 1,2, Siau-Cheng Khoo 1, Shengchao Qin 3, Corneliu Popeea 1, Huu Hai Nguyen 2 1 National University of Singapore 2 Singapore-MIT Alliance 3 University of Durham
2 Background Uses of Size Analysis : array bound check elimin. [Xi-Pfenning'98] data structure invariance [Xi-Pfenning'99] termination analysis [Lee-Jones'01] space complexity [Hofman-Jost'03] Current Status : mostly for declarative languages (functional + logic) restricted imperative language (e.g. Xanadu) analyse and verify
3 Our Goal Static Verification for Object-Based Programs Main Challenges : objects may mutate objects may be aliased Our Approach Use size analysis and alias controls to specify and verify safety policies
4 Type System for Size Analysis Uses annotated types ::= c Types are annotated with size properties that capture: Values : bool, int Lengths : Array, List, Tree value True --> b=1 value False --> b=0 value 3 --> n=3
5 Methods with Size Annotation mn ( 1 v1, …, n vn) where pre ; post { body } Examples int add (int x, int y) where true ; (r=a+b) { x+y } int sub (Array A, int i) where (0 i s) ; true { A[i] }
6 Object with Size Invariant AVL Tree: s – number of nodes in tree h – height of tree adt AVL where s=1+s 1 +s 2 Æ h=1+max(h 1,h 2 ) ; s ¸ 0 Æ h ¸ 0 Æ -1 · h 1 -h 2 · 1 { int val ; AVL left ; AVL right; … } void insert (AVL t, int n) where true ; s’=s+1 Æ h · h’ · h+1 {... } inv - AVL Tree is height-balanced AVL’s invariant is preserved after node insertion def - size definitionleft sub-treeright sub-treeelement value
7 adt List where n=m+1 ; n 0 { int val ; List next; void setNext (List x, List y) where n>0 ; n’=l+1 { x.next = y } …} Mutability & Aliasing Problem with aliasing and mutability : List a = new List(5,new List(6,null)); // x’=2 List b = a; // y’=x Æ x’=x setNext(b,null); // y’=1 Æ x’=x Unsound conclusion: x’=2 Æ y’=1 tail of the list
8 Alias Controls Adopted annotations : Immutability + Uniqueness Each reference (field/param/local var) is marked: Read-Only (R) : always refers to the same object. Unique (U) : sole reference to an object. Shared (S) : maybe globally aliased. Lent-Once (L) : unique parameter temporarily lent. Goal: precisely and soundly capture size-properties.
9 Size Property for List (1) List with Read-Only (R) tail. adt List where n=m+1 ; n ¸ 0 { val ; next ; : } read-only x; y; x=y; y.val=4; y.next=x; freely shared and trackable
10 List with Unique (U) tail. adt MList where n=m+1 ; n ¸ 0 { val ; next ; : } Size Property for List (2) mutable but unique x; y; x=y; x.next=.. …y… y loses its uniqueness
11 Lending Annotation Properties of a Lent-once reference : value does not escape the method has exclusive/unique access to the object void append xs, ys) where m>0 ; m'=m+n { if xs.next==null then xs.next=ys else append(xs.next,ys) } lent & unique
12 Lending Annotation void append xs, ys) where m>0 ; m'=m+n { … } x; y; append(x,y); …x.next… …y.next… uniqueness of x is lent uniqueness of y is consumed
13 Classification of Size-Variables Three possible groupsV obj ( h s * i ) = (S I,S T,S N ) (i)Size-Immutable (freely shared) (ii) Trackable (mutable and unique) (iii) Non-Trackable (mutable and globally aliased)
14 Outline Background on Size Analysis Size Tracking with Alias Controls Kernel Language and Protocol Specification Type System for Verification Implementation and Conclusion.
15 Kernel Language source program pre/post states Presburger size constraintannotated types expression oriented language define sizesize invariant
16 How are Safety Policies Specified? Popular approach - finite state machine. Our approach : ADT with (i) Object’s Size Invariant. (ii) Methods’ Preconditions. Benefits: Relational Properties Infinite-State Policies
17 File Protocol Safety policy : Read/Write after Successful Open. 123 open close read write new open File state 1 - uninitialized 2 - opened 3 - closed
18 File Protocol Specified using sized typing. successful file open must be opened closed state
19 Bounded Buffer Protocol Safety policy : Buffer does not Under/Overflow. s,c add get new n>0 ; s’=0 Æ c’=n s<c ; s’=s+1 Æ c’=c s>0 ; s’=s-1 Æ c’=c 0,c 1,c 2,c n,c Buffer state s - no of elements c - capacity
20 Outline Background on Size Analysis Size Tracking with Alias Controls Kernel Language and Protocol Specification Type System for Verification Implementation and Conclusion.
21 Type System for Verification Type judgement type environment pre/post states expression to type-check
22 Rule for IF: path-sensitivity path-sensitivity for size information using disjunction size of b corresponds to what branch is taken type of v
23 types for actual parameters Rule for Call poststate effect precondition checked substitution from formal to actual parameters method declaration
24 Correctness of Type System Type Preservation – size type property is correctly preserved during reduction. Progress – a well-typed program never goes wrong. Safety policies are guaranteed for well-typed programs.
25 Implementation Prototype built using Haskell language (GHC) Omega Presburger solver Accepts a Java-like language (without concurrency and exceptions). Is this method viable? Verification is fast because of modular type-checking. Annotation is less than 5% of source code.
26 Related Work Size analysis for immutable data structures [Hughes et.al'96, Xi-Pfenning'98,'99, Jost-Hofman'03] Alias controls for program reasoning [Chan-Boyland'98, Aldrich-Kostadinov-Chambers'02] Other approaches to verification: Finite type-state: Vault, Fugue [Fahndrich-DeLine'02,'04] Theorem proving: ESC (may be unsound) [Flanagan-Leino-Lillibridge-Nelson et.al'02] Model checking: Bogor (requires test harness) [Robby-Dwyer-Hatcliff-Rodriguez'03,'04]
27 Conclusion Formulate a precise relational size analysis for object-based programs. Use alias controls to track mutable size properties. Automatic verification for: Safety policies - files, bounded-buffers. Data invariants - lists, AVL trees. Working towards inference of alias and size annotations (for methods).
28 End
29 Experiments JOlden benchmarks
30 adt Cell where n=v ; true { int val ; void incr(Cell x) where true ; n’=n+1 {x.val =x.val + 1} …} Object Declaration size definition fields can only be accessed via methods Why use ADTs ? Development: a client is based on ADT’s interface (the implementation details are hidden). Modular analysis: correct usage of ADT verified against ADT’s interface.
31 Mutable Size Properties Example with aliasing and mutability : Cell a = new Cell(5);// x’=5 Cell b = a;// y’=x Æ x’=x incr(b);// y’=y+1 Æ x’=x // x’=5 Æ y’=6unsound! new value old value adt Cell where n=v ; true { int val ; void incr(Cell x) where true ; n’=n+1 {x.val =x.val + 1} …}
32 adt Pair where p1=s1 Æ p2=s2 ; true { fst; snd; void p, x) { p.fst=x } } r = new Pair(…); r.setFst(…); Pair Example int ({s1}, , ) ( ,{r1,r2}, ) ( ,{s1}, ) Pair ({p2},{p1}, ) int ({s2}, , ) where true ; p1’=x Æ p2’=p2 size definition
33 adt Pair where p1=s1 Æ p2=s2 ; true { fst; snd; void p, x) { p.fst=x } } m = new Pair(…); n = m; m.setFst(…); n.setFst(…); Pair Example int Pair ({s1}, , )({s2}, , ) ({p2},{p1}, ) ( ,{m2},{m1}) ( ,{n2},{n1}) ( ,{s1}, ) ({s2}, , ) where true ; p2’=p2 S
34 Array Protocol Safety policy : No Array Bounds Violation. Implementation: array primitive operations (that need no runtime tests). sub(A,i)…A[i] update(A,i,v)…A[i] = v no bounds violation size never change
35 Buffer Protocol Implemented using a cyclic array. Implementation checked to comply with Array protocol. safety preconditions Safety policy : Buffer does not Under/Overflow.
36 Lock Protocol Safety policy : No double lock/unlock operations.
37 adt AVL where s=1+s 1 +s 2 Æ h=1+max(h 1,h 2 ) ; s ¸ 0 Æ h ¸ 0 Æ -1 · h 1 -h 2 · 1 val ; left ; right; void insert t, n) where true ; ts’=ts+1 Æ th · th’ · th+1 {... } } AVL Tree