Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Verification Infrastructure for Permission-based Reasoning

Similar presentations


Presentation on theme: "A Verification Infrastructure for Permission-based Reasoning"— Presentation transcript:

1 A Verification Infrastructure for Permission-based Reasoning
Viper A Verification Infrastructure for Permission-based Reasoning Malte Schwerhoff 19th October 2016, Prague

2 Modular, Deductive & Automated Verifiers
Verification methodologies SMT solvers Images: 2

3 Frame Problem v v i i { P } C { Q } { P  R } C { Q  R } 3

4 Frame Problem class Account { method deposit(n: Int) requires 0 < n
ensures balance() == old(balance()) + n { … } } method client(a: Account, l: List) { var tmp := l.length() a.deposit(200) assert tmp == l.length() }

5 Frame Problem class Account { transactions: List
method deposit(n: Int) requires 0 < n ensures balance() == old(balance()) + n { transaction.append(n) } def getTransactions(): List { transactions } } method client(a: Account, l: List) { var tmp := l.length() a.deposit(200) assert tmp == l.length() }

6 Frame Problem class Account { transactions: List
method deposit(n: Int) requires 0 < n ensures balance() == old(balance()) + n { transaction.append(n) } function getTransactions(): List { transactions } } method client(a: Account, l: List) { var tmp := l.length() a.deposit(200) assert tmp == l.length() } var a := new Account() client(a, a.getTransactions())

7 footprint(C) ∩ footprint(R) = ∅
Footprints v i v i { P } C { Q } footprint(C) ∩ footprint(R) = ∅ { P  R } C { Q  R }

8 modifies(C) ∩ reads(R) = ∅
Explicit Footprints v i { P } C { Q } modifies(C) ∩ reads(R) = ∅ { P  R } C { Q  R }

9 Implicit Footprints v i { P } C { Q } { P  R } C { Q  R }

10 Implicit Footprints v i { P } C { Q } { P  R } C { Q  R }

11 Implicit Footprints: Example
class Account { bal: Int method deposit(n: Int) requires 0 < n  acc(bal) ensures acc(bal) { bal := bal + n } } class List { len: Int function length(): Int requires acc(len) { len } }

12 Implicit Footprints: Example
class Account { bal: Int method deposit(n: Int) requires 0 < n  acc(bal) ensures acc(bal) { bal := bal + n } } method client(a: Account, l: List) requires acc(a.bal) ∗ acc(l.len) { var tmp := l.length() a.deposit(200) assert tmp == l.length() } B a.bal L l.len class List { len: Int function length(): Int requires acc(len) { len } } { P } C { Q } { P  R } C { Q  R }

13 Implicit Footprints: Example
class Account { bal: Int method deposit(n: Int) requires 0 < n  acc(bal) ensures acc(bal) { bal := bal + n } } method client(a: Account, l: List) requires acc(a.bal) ∗ acc(l.len) { var tmp := l.length() a.deposit(200) assert tmp == l.length() } B a.bal L l.len class List { len: Int function length(): Int requires acc(len) { len } } { P } C { Q } { P  R } C { Q  R }

14 Implicit Footprints: Example
class Account { bal: Int method deposit(n: Int) requires 0 < n  acc(bal) ensures acc(bal) { bal := bal + n } } method client(a: Account, l: List) requires acc(a.bal) ∗ acc(l.len) { var tmp := l.length() a.deposit(200) assert tmp == l.length() } B a.bal L l.len class List { len: Int function length(): Int requires acc(len) { len } } { P } C { Q } { P  R } C { Q  R }

15 Implicit Footprints: Example
class Account { bal: Int method deposit(n: Int) requires 0 < n  acc(bal) ensures acc(bal) { bal := bal + n } } method client(a: Account, l: List) requires acc(a.bal) ∗ acc(l.len) { var tmp := l.length() a.deposit(200) assert tmp == l.length() } ? a.bal L l.len class List { len: Int function length(): Int requires acc(len) { len } } { P } C { Q } { P  R } C { Q  R }

16 Implicit Footprints: Example
class Account { bal: Int method deposit(n: Int) requires 0 < n  acc(bal) ensures acc(bal) { bal := bal + n } } method client(a: Account, l: List) requires acc(a.bal) ∗ acc(l.len) { var tmp := l.length() a.deposit(200) assert tmp == l.length() } ? a.bal L l.len class List { len: Int function length(): Int requires acc(len) { len } } { P } C { Q } { P  R } C { Q  R }

17 Tool Support No permissions Expressiveness AutoProof Dafny Frama-C
KeY2 Spec# VCC VERL Expressiveness Automation

18 Tool Support Permissions Expressiveness Bedrock Chalice FCSL/Coq
Grasshopper Infer jStar SmallFoot VeriFast Ynot Expressiveness Automation

19 Consequences of Insufficient Tool Support
significant manual effort per application simple properties only popular, but hardly any permission-based tools Verification efforts do not benefit fully from advances in theory Theory does not receive feedback from applications Images:

20 Facilitate the 1. development of tools 2. prototyping of encodings for permission-based verification

21 Prog. language, spec. language and methodology
Embedding & tactics Interactive prover Icons:

22 Prog. language, spec. language and methodology
Embedding & tactics Interactive prover

23 Prog. language, spec. language and methodology
Custom verifier Prog. language, spec. language and methodology Embedding & tactics SMT solver Interactive Prover

24 Prog. language, spec. language and methodology
Custom verifier Prog. language, spec. language and methodology Embedding & tactics SMT solver Interactive Prover

25 Prog. language, spec. language and methodology
Front end Intermediate verification language Prog. language, spec. language and methodology Prog. language, spec. language and methodology Verification condition generator Embedding & tactics Custom verifier SMT solver Interactive Prover SMT solver

26 Prog. language, spec. language and methodology
Front end Intermediate verification language Prog. language, spec. language and methodology Prog. language, spec. language and methodology Verification condition generator Embedding & tactics Custom verifier SMT solver Interactive prover SMT solver SMT solver

27 Intermediate verification language
Viper Front end Front end Front end Intermediate verification language Back-end tools Viper SMT solver

28 { P } C { Q } { P  R } C { Q  R } Permission Transfer callee caller
caller

29 { P } C { Q } { P  R } C { Q  R } Inhale and Exhale callee caller ∗
exhale P assert value constraints check and remove permissions havoc newly-inaccessible locations inhale Q obtain permissions assume value constraints

30 Example: Permission Transfer
method deposit(n: Int) requires 0 < n  acc(bal) ensures acc(bal) method client(a: Account, l: List) requires acc(a.bal) ∗ acc(l.len) { var tmp := l.length() a.deposit(200) assert tmp == l.length() } method client(a: Account, l: List) { inhale acc(a.bal) ∗ acc(l.len) var tmp := l.length() exhale 0 < 200  acc(a.bal) // a.deposit(200) inhale acc(a.bal) assert tmp == l.length() }

31 Modelling Thread Interleavings
class Counter { @GuardedBy(“this”); int val; void fails() { synchronized(this) { val = 5; } synchronized(this) { assert val == 5; } } Monitor this this.val

32 Modelling Thread Interleavings
class Counter { @GuardedBy(“this”); int val; void fails() { synchronized(this) { val = 5; } synchronized(this) { assert val == 5; } } Monitor this field val: Int method fails(this: Ref) { inhale acc(this.val) this.val := 5 exhale acc(this.val) inhale acc(this.val) assert this.val == 5 } this.val

33 Modelling Thread Interleavings
class Counter { @GuardedBy(“this”); int val; void fails() { synchronized(this) { val = 5; } synchronized(this) { assert val == 5; } } Monitor this field val: Int method fails(this: Ref) { inhale acc(this.val) this.val := 5 exhale acc(this.val) inhale acc(this.val) assert this.val == 5 } ? this.val

34 Modelling Thread Interleavings
class Counter { @GuardedBy(“this”); int val; void fails() { synchronized(this) { val = 5; } synchronized(this) { assert val == 5; } } Monitor this field val: Int method fails(this: Ref) { inhale acc(this.val) this.val := 5 exhale acc(this.val) inhale acc(this.val) assert this.val == 5 } 5 this.val

35 Modelling Thread Interleavings
class Counter { @GuardedBy(“this”); int val; void fails() { synchronized(this) { val = 5; } // end synchronized(this) { assert val == 5; } } Monitor this field val: Int method fails(this: Ref) { inhale acc(this.val) this.val := 5 exhale acc(this.val) inhale acc(this.val) assert this.val == 5 } ? this.val

36 Modelling Thread Interleavings
class Counter { @GuardedBy(“this”); int val; void fails() { synchronized(this) { val = 5; } synchronized(this) { assert val == 5; } } Monitor this field val: Int method fails(this: Ref) { inhale acc(this.val) this.val := 5 exhale acc(this.val) inhale acc(this.val) assert this.val == 5 } ? this.val

37 Modelling Thread Interleavings
class Counter { @GuardedBy(“this”); int val; void fails() { synchronized(this) { val = 5; } synchronized(this) { assert val == 5; } } Monitor this field val: Int method fails(this: Ref) { inhale acc(this.val) this.val := 5 exhale acc(this.val) inhale acc(this.val) assert this.val == 5 } ? this.val

38 Demo Example (Pseudo-Java)
class Counter { @GuardedBy(“this”); @MonitorInvariant(“old(val) <= val”); int val; synchronized void inc() { val++; } }

39 Recursive Predicates v predicate list(this: Ref) { this != null ==>
acc(this.data) && acc(this.next) && list(this.next) } v unfold list(this) // access this.data // and this.next fold list(this)

40 Recursive Predicates: Limitations
Extending footprints

41 Recursive Predicates: Limitations
Extending footprints

42 Recursive Predicates: Limitations
Extending footprints Sharing w

43 Recursive Predicates: Limitations
Extending footprints Sharing w

44 Recursive Predicates: Limitations
Extending footprints Sharing Traversal order w

45 Explicit Footprints with Permissions
predicate list(nodes: Set[Ref]) { forall n  nodes :: acc(n.data) && acc(n.next) && (n.next != null ==> n.next  nodes) } v w list(nodes) && v  nodes && w  nodes

46 Viper Viper Front ends Intermediate verification language
Verification condition generator (verifier) Symbolic execution (verifier) Abstract interpretation (inference) Viper Boogie SMT solver

47 Viper Viper Chalice Java OpenCL C# Python
Intermediate verification language Verification condition generator (verifier) Symbolic execution (verifier) Abstract interpretation (inference) Viper Boogie SMT solver

48 Viper SMT solver Intermediate verification language
Expressiveness SMT solver Intermediate verification language Viper Abstract interpretation (inference) Boogie Verification condition generator (verifier) Symbolic execution (verifier) Java Chalice OpenCL Python Automation

49 http://viper.ethz.ch Viper Expressiveness Automation SMT solver
Intermediate verification language Viper Abstract interpretation (inference) Boogie Verification condition generator (verifier) Symbolic execution (verifier) Java Chalice OpenCL Python Expressiveness Automation

50 backup slides

51 1

52 Explicit Footprints: Example
class Account { bal: Int method deposit(n: Int) requires 0 < n modifies {this} { bal := bal + n } } class List { len: Int function length(): Int reads {this} { len } }

53 Explicit Footprints: Example
class Account { bal: Int method deposit(n: Int) requires 0 < n modifies {this} { bal := bal + n } } method client(a: Account, l: List) { var tmp := l.length() a.deposit(200) assert tmp == l.length() } class List { len: Int function length(): Int reads {this} { len } } { P } C { Q } modifies(C) ∩ reads(R) = ∅ { P  R } C { Q  R }

54 2

55 Permission Transfer method deposit(n: Int)
requires 0 < n  acc(bal) ensures acc(bal) method client(a: Account, l: List) requires acc(a.bal) ∗ acc(l.len) { var tmp := l.length() a.deposit(200) assert tmp == l.length() } B a.bal L l.len

56 Permission Transfer method deposit(n: Int)
requires 0 < n  acc(bal) ensures acc(bal) method client(a: Account, l: List) requires acc(a.bal) ∗ acc(l.len) { var tmp := l.length() a.deposit(200) assert tmp == l.length() } B a.bal L l.len

57 Permission Transfer method deposit(n: Int)
requires 0 < n  acc(bal) ensures acc(bal) method client(a: Account, l: List) requires acc(a.bal) ∗ acc(l.len) { var tmp := l.length() a.deposit(200) assert tmp == l.length() } ? a.bal L l.len

58 Inhale and Exhale method deposit(n: Int) requires 0 < n  acc(bal)
ensures acc(bal) method client(a: Account, l: List) { inhale acc(a.bal) ∗ acc(l.len) var tmp := l.length() exhale 0 < 200  acc(a.bal) // a.deposit(200) inhale acc(a.bal) assert tmp == l.length() }

59 3

60 Permissions in Viper Permissions denoted by accessibility predicates Expressions may be heap-dependent Support for fractional permissions Conjunction is multiplicative (as in separation logic) acc(e.f) acc(e.f) && e.f > 0 acc(e.f, ½) acc(e.f, ½) && acc(e.f, ½)

61 4

62 Unbounded Data Structures
Unidirectional Multi-directional Random Access Unstructured specify via recursive predicate

63 Unbounded Data Structures
Unidirectional Multi-directional Random Access Unstructured specify via iterated separating conjunction


Download ppt "A Verification Infrastructure for Permission-based Reasoning"

Similar presentations


Ads by Google