Presentation is loading. Please wait.

Presentation is loading. Please wait.

Mostly-Automated Verification of Low-Level Programs in Computational Separation Logic Adam Chlipala Harvard University PLDI 2011.

Published byErica Wilkins Modified over 8 years ago

Similar presentations

Presentation on theme: "Mostly-Automated Verification of Low-Level Programs in Computational Separation Logic Adam Chlipala Harvard University PLDI 2011."— Presentation transcript:

1 Mostly-Automated Verification of Low-Level Programs in Computational Separation Logic Adam Chlipala Harvard University PLDI 2011

2 2 Human Effort Logical Expressiveness Classical verification with SMT solvers Interactive theorem- proving in higher-order logic The Coq library

3 3 Decidable Theories Equality + Uninterpreted Functions + Linear Arithmetic + Arrays +... Classical verification with SMT solvers Interactive theorem- proving in higher-order logic Complex trigger mechanism for quantifier instantiation Complex program annotation scheme needed to produce tractable proof obligations

4 4 Solution: Higher-Order Separation Logic is expressive enough to allow direct use of the most natural specs. Solution: Computational specifications use standard programming features to avoid quantifiers in almost all specifications. Classical verification with SMT solvers Complex trigger mechanism for quantifier instantiation Complex program annotation scheme needed to produce tractable proof obligations The Coq library

5 5 A Thread Scheduler, Abstractly Thread #1 Private memory Thread #2 Private memory Thread #3 Private memory Shared Memory Thread #1 Private memory Thread #1 saved PC saved SP next A Thread Scheduler, Concretely Thread #2 saved PC saved SP next Thread #3 saved PC saved SP next Stack #2 Stack #3 Shared Data Structure Stack #1

6 6 Quantify over specifications Quantify over lists of specifications What does correctness mean? “ ∀ sets of threads with specifications, written in terms of local and shared heap areas, the scheduling library satisfies all of the specs.” Definition yieldS := st ~> Ex fr, Ex ginv, Ex invs, Ex root, susp ginv (fun sp => sep ([ ] * ![fr])%Sep) st#Rret /\ codesOk ginv invs /\ ![ !{mallocHeap 0} * st#Rsp ==> root * !{threads invs root} * ![ginv] * ![fr] ] st. Example: spec for yield() function Higher-Order Logic Proofs usually considered too hard to automate... Separation Logic Proofs usually considered too hard to automate... + Higher-Order Separation Logic ????? =

7 7 The Coq library Source Code of Program to Verify Annotations: Invariants Annotations: Requests to Use Lemmas Program- Independent Lemmas About Data Structures Quantifier-Free Proof Obligations That Don't Mention Program Syntax or States SMT solver Other heuristic provers for simpler theories...

8 8 (* Abstraction predicate for finite sets represented * with unsorted linked lists *) Fixpoint llistOk (s : set) (ls : list nat) (a : nat) : sprop := match ls with | nil => [ ] | x :: ls' => Ex a', [ 0 /\ s x = true >] * a ==> x * (a+1) ==> a' * !{llistOk (del s x) ls' a'} end. Computational Separation Logic Step 1. Define data structure invariants as recursive functions. Limited form of existential quantification

9 9 Theorem llist_empty_fwd : forall s ls a, a = 0 -> llistOk s ls a ===> [ ]. destruct ls; sepLemma. Qed. Theorem llist_nonempty_fwd : forall a s ls, a <> 0 -> llistOk s ls a ===> Ex x, Ex ls', Ex a', [ ] * a ==> x * (a+1) ==> a' * !{llistOk (del s x) ls' a'}. destruct ls; sepLemma. Qed. Computational Separation Logic Step 2. Prove simplification lemmas. Implication in separation logic

10 10 Definition linkedList := bmodule {{ bfunction "linc" [lincS] { [lincS] While (R0 != 0) { Use [llist_nonempty_fwd];; Use [llist_nonempty_bwd];; $[R0] <- $[R0] + 1;; R0 <- $[R0+1] };; Use [llist_empty_fwd];; Use [llist_empty_bwd];; Goto Rret } }}. Computational Separation Logic Step 3. Write annotated program. Loop invariant Request to use a lemma here

11 11 Theorem linkedListOk : moduleOk linkedList. structured; sep. Qed. Computational Separation Logic Step 4. Prove module correctness theorem. Bedrock tactics do almost all of the work.

12 12 Why Automating Separation Logic Proofs is Easy x > 5 && x < 7 x < 7 && x = 6 Implies

13 13 Why Automating Separation Logic Proofs is Easy llist(ls1, a1) *...... * llist(ls1, a1) Implies

14 14 A Simple Algorithm 1. Use annotations to expand formulas. 2. Symbolically execute block in “pre” formula. 3. Match “pre” and “post” formulas by crossing out equal parts. instr1; instr2; instr3;... precondition postcondition basic block

15 15 Variable standing for thread #1's invariant over its private heap Higher-Order Implications Are Easy, Too threadInv1 * threadInv2 *... threadInv2 *... * threadInv1 Implies

16 16 Assertion that every thread's invariant is satisfied Higher-Order Implications Are Easy, Too allOk(invs) *...... * allOk(invs) Implies

17 17 = C * E Unification variable, which may be instantiated with any formula Frame Rule for Free A * B * C * D * E B * D * ?? * A Implies

18 18 Implemented Case Studies Higher- Order Last two reimplement examples from Certified Assembly Programming project [Shao et al.], where overhead is about 100X.

19 19 The Coq library http://adam.chlipala.net/bedrock /

Download ppt "Mostly-Automated Verification of Low-Level Programs in Computational Separation Logic Adam Chlipala Harvard University PLDI 2011."

Similar presentations

Functional Decompositions for Hardware Verification With a few speculations on formal methods for embedded systems Ken McMillan.

Functional Decompositions for Hardware Verification With a few speculations on formal methods for embedded systems Ken McMillan.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Synthesis, Analysis, and Verification Lecture 04c Lectures: Viktor Kuncak VC Generation for Programs with Data Structures “Beyond Integers”

Synthesis, Analysis, and Verification Lecture 04c Lectures: Viktor Kuncak VC Generation for Programs with Data Structures “Beyond Integers”
Automated Verification with HIP and SLEEK Asankhaya Sharma.

Automated Verification with HIP and SLEEK Asankhaya Sharma.
Semantics Static semantics Dynamic semantics attribute grammars

Semantics Static semantics Dynamic semantics attribute grammars
Copyright 2003-04, Doron Peled and Cesare Tinelli. These notes are based on a set of lecture notes originally developed by Doron Peled at the University.

Copyright , Doron Peled and Cesare Tinelli. These notes are based on a set of lecture notes originally developed by Doron Peled at the University.
Proofs and Programs Wei Hu 11/01/2007. Outline  Motivation  Theory  Lambda calculus  Curry-Howard Isomorphism  Dependent types  Practice  Coq Wei.

Proofs and Programs Wei Hu 11/01/2007. Outline  Motivation  Theory  Lambda calculus  Curry-Howard Isomorphism  Dependent types  Practice  Coq Wei.
Verifying Executable Object-Oriented Specifications with Separation Logic Stephan van Staden, Cristiano Calcagno, Bertrand Meyer.

Verifying Executable Object-Oriented Specifications with Separation Logic Stephan van Staden, Cristiano Calcagno, Bertrand Meyer.
Linked List Implementation class List { private List next; private Object data; private static List root; private static int size; public static void addNew(Object.

Linked List Implementation class List { private List next; private Object data; private static List root; private static int size; public static void addNew(Object.
Software Engineering & Automated Deduction Willem Visser Stellenbosch University With Nikolaj Bjorner (Microsoft Research, Redmond) Natarajan Shankar (SRI.

Software Engineering & Automated Deduction Willem Visser Stellenbosch University With Nikolaj Bjorner (Microsoft Research, Redmond) Natarajan Shankar (SRI.
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers

Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 11.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
Copyright © 2006 Addison-Wesley. All rights reserved. 3.5 Dynamic Semantics Meanings of expressions, statements, and program units Static semantics – type.

Copyright © 2006 Addison-Wesley. All rights reserved. 3.5 Dynamic Semantics Meanings of expressions, statements, and program units Static semantics – type.
1.7.2008 Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt.

Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt.
An Open Framework for Foundational Proof-Carrying Code Xinyu Feng Yale University Joint work with Zhaozhong Ni (Yale, now at MSR), Zhong Shao (Yale) and.

An Open Framework for Foundational Proof-Carrying Code Xinyu Feng Yale University Joint work with Zhaozhong Ni (Yale, now at MSR), Zhong Shao (Yale) and.
Software Reliability Methods Sorin Lerner. Software reliability methods: issues What are the issues?

Software Reliability Methods Sorin Lerner. Software reliability methods: issues What are the issues?
From last time S1: l := new Cons p := l S2: t := new Cons *p := t p := t l p S1 l p tS2 l p S1 t S2 l t S1 p S2 l t S1 p S2 l t S1 p L2 l t S1 p S2 l t.

From last time S1: l := new Cons p := l S2: t := new Cons *p := t p := t l p S1 l p tS2 l p S1 t S2 l t S1 p S2 l t S1 p S2 l t S1 p L2 l t S1 p S2 l t.
Review: forward E { P } { P && E } TF { P && ! E } { P 1 } { P 2 } { P 1 || P 2 } x = E { P } { \exists … }

Review: forward E { P } { P && E } TF { P && ! E } { P 1 } { P 2 } { P 1 || P 2 } x = E { P } { \exists … }
Review: forward E { P } { P && E } TF { P && ! E } { P 1 } { P 2 } { P 1 || P 2 } x = E { P } { \exists … }

Review: forward E { P } { P && E } TF { P && ! E } { P 1 } { P 2 } { P 1 || P 2 } x = E { P } { \exists … }

Similar presentations

Ads by Google