Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Verification Infrastructure for Permission-based Reasoning

Published byShana Allison Modified over 6 years ago

Similar presentations

Presentation on theme: "A Verification Infrastructure for Permission-based Reasoning"— Presentation transcript:

1 A Verification Infrastructure for Permission-based Reasoning
Viper A Verification Infrastructure for Permission-based Reasoning Malte Schwerhoff 19th October 2016, Prague

2 Modular, Deductive & Automated Verifiers
Verification methodologies SMT solvers Images: 2

3 Frame Problem v v i i { P } C { Q } { P  R } C { Q  R } 3

4 Frame Problem class Account { method deposit(n: Int) requires 0 < n
ensures balance() == old(balance()) + n { … } } method client(a: Account, l: List) { var tmp := l.length() a.deposit(200) assert tmp == l.length() }

5 Frame Problem class Account { transactions: List
method deposit(n: Int) requires 0 < n ensures balance() == old(balance()) + n { transaction.append(n) } def getTransactions(): List { transactions } } method client(a: Account, l: List) { var tmp := l.length() a.deposit(200) assert tmp == l.length() }

6 Frame Problem class Account { transactions: List
method deposit(n: Int) requires 0 < n ensures balance() == old(balance()) + n { transaction.append(n) } function getTransactions(): List { transactions } } method client(a: Account, l: List) { var tmp := l.length() a.deposit(200) assert tmp == l.length() } var a := new Account() client(a, a.getTransactions())

7 footprint(C) ∩ footprint(R) = ∅
Footprints v i v i { P } C { Q } footprint(C) ∩ footprint(R) = ∅ { P  R } C { Q  R }

8 modifies(C) ∩ reads(R) = ∅
Explicit Footprints v i { P } C { Q } modifies(C) ∩ reads(R) = ∅ { P  R } C { Q  R }

9 Implicit Footprints v i { P } C { Q } { P  R } C { Q  R }

10 Implicit Footprints v i { P } C { Q } { P  R } C { Q  R }

11 Implicit Footprints: Example
class Account { bal: Int method deposit(n: Int) requires 0 < n  acc(bal) ensures acc(bal) { bal := bal + n } } class List { len: Int function length(): Int requires acc(len) { len } }

12 Implicit Footprints: Example
class Account { bal: Int method deposit(n: Int) requires 0 < n  acc(bal) ensures acc(bal) { bal := bal + n } } method client(a: Account, l: List) requires acc(a.bal) ∗ acc(l.len) { var tmp := l.length() a.deposit(200) assert tmp == l.length() } B a.bal L l.len class List { len: Int function length(): Int requires acc(len) { len } } { P } C { Q } { P  R } C { Q  R }

13 Implicit Footprints: Example
class Account { bal: Int method deposit(n: Int) requires 0 < n  acc(bal) ensures acc(bal) { bal := bal + n } } method client(a: Account, l: List) requires acc(a.bal) ∗ acc(l.len) { var tmp := l.length() a.deposit(200) assert tmp == l.length() } B a.bal L l.len class List { len: Int function length(): Int requires acc(len) { len } } { P } C { Q } { P  R } C { Q  R }

14 Implicit Footprints: Example
class Account { bal: Int method deposit(n: Int) requires 0 < n  acc(bal) ensures acc(bal) { bal := bal + n } } method client(a: Account, l: List) requires acc(a.bal) ∗ acc(l.len) { var tmp := l.length() a.deposit(200) assert tmp == l.length() } B a.bal L l.len class List { len: Int function length(): Int requires acc(len) { len } } { P } C { Q } { P  R } C { Q  R }

15 Implicit Footprints: Example
class Account { bal: Int method deposit(n: Int) requires 0 < n  acc(bal) ensures acc(bal) { bal := bal + n } } method client(a: Account, l: List) requires acc(a.bal) ∗ acc(l.len) { var tmp := l.length() a.deposit(200) assert tmp == l.length() } ? a.bal L l.len class List { len: Int function length(): Int requires acc(len) { len } } { P } C { Q } { P  R } C { Q  R }

16 Implicit Footprints: Example
class Account { bal: Int method deposit(n: Int) requires 0 < n  acc(bal) ensures acc(bal) { bal := bal + n } } method client(a: Account, l: List) requires acc(a.bal) ∗ acc(l.len) { var tmp := l.length() a.deposit(200) assert tmp == l.length() } ? a.bal L l.len class List { len: Int function length(): Int requires acc(len) { len } } { P } C { Q } { P  R } C { Q  R }

17 Tool Support No permissions Expressiveness AutoProof Dafny Frama-C
KeY2 Spec# VCC VERL Expressiveness Automation

18 Tool Support Permissions Expressiveness Bedrock Chalice FCSL/Coq
Grasshopper Infer jStar SmallFoot VeriFast Ynot Expressiveness Automation

19 Consequences of Insufficient Tool Support
significant manual effort per application simple properties only popular, but hardly any permission-based tools Verification efforts do not benefit fully from advances in theory Theory does not receive feedback from applications Images:

20 Facilitate the 1. development of tools 2. prototyping of encodings for permission-based verification

21 Prog. language, spec. language and methodology
Embedding & tactics Interactive prover Icons:

22 Prog. language, spec. language and methodology
Embedding & tactics Interactive prover

23 Prog. language, spec. language and methodology
Custom verifier Prog. language, spec. language and methodology Embedding & tactics SMT solver Interactive Prover

24 Prog. language, spec. language and methodology
Custom verifier Prog. language, spec. language and methodology Embedding & tactics SMT solver Interactive Prover

25 Prog. language, spec. language and methodology
Front end Intermediate verification language Prog. language, spec. language and methodology Prog. language, spec. language and methodology Verification condition generator Embedding & tactics Custom verifier SMT solver Interactive Prover SMT solver

26 Prog. language, spec. language and methodology
Front end Intermediate verification language Prog. language, spec. language and methodology Prog. language, spec. language and methodology Verification condition generator Embedding & tactics Custom verifier SMT solver Interactive prover SMT solver SMT solver

27 Intermediate verification language
Viper Front end Front end Front end Intermediate verification language Back-end tools Viper SMT solver

28 { P } C { Q } { P  R } C { Q  R } Permission Transfer callee caller
caller

29 { P } C { Q } { P  R } C { Q  R } Inhale and Exhale callee caller ∗
exhale P assert value constraints check and remove permissions havoc newly-inaccessible locations inhale Q obtain permissions assume value constraints

30 Example: Permission Transfer
method deposit(n: Int) requires 0 < n  acc(bal) ensures acc(bal) method client(a: Account, l: List) requires acc(a.bal) ∗ acc(l.len) { var tmp := l.length() a.deposit(200) assert tmp == l.length() } method client(a: Account, l: List) { inhale acc(a.bal) ∗ acc(l.len) var tmp := l.length() exhale 0 < 200  acc(a.bal) // a.deposit(200) inhale acc(a.bal) assert tmp == l.length() }

31 Modelling Thread Interleavings
class Counter { @GuardedBy(“this”); int val; void fails() { synchronized(this) { val = 5; } synchronized(this) { assert val == 5; } } Monitor this this.val

32 Modelling Thread Interleavings
class Counter { @GuardedBy(“this”); int val; void fails() { synchronized(this) { val = 5; } synchronized(this) { assert val == 5; } } Monitor this field val: Int method fails(this: Ref) { inhale acc(this.val) this.val := 5 exhale acc(this.val) inhale acc(this.val) assert this.val == 5 } this.val

33 Modelling Thread Interleavings
class Counter { @GuardedBy(“this”); int val; void fails() { synchronized(this) { val = 5; } synchronized(this) { assert val == 5; } } Monitor this field val: Int method fails(this: Ref) { inhale acc(this.val) this.val := 5 exhale acc(this.val) inhale acc(this.val) assert this.val == 5 } ? this.val

34 Modelling Thread Interleavings
class Counter { @GuardedBy(“this”); int val; void fails() { synchronized(this) { val = 5; } synchronized(this) { assert val == 5; } } Monitor this field val: Int method fails(this: Ref) { inhale acc(this.val) this.val := 5 exhale acc(this.val) inhale acc(this.val) assert this.val == 5 } 5 this.val

35 Modelling Thread Interleavings
class Counter { @GuardedBy(“this”); int val; void fails() { synchronized(this) { val = 5; } // end synchronized(this) { assert val == 5; } } Monitor this field val: Int method fails(this: Ref) { inhale acc(this.val) this.val := 5 exhale acc(this.val) inhale acc(this.val) assert this.val == 5 } ? this.val

36 Modelling Thread Interleavings
class Counter { @GuardedBy(“this”); int val; void fails() { synchronized(this) { val = 5; } synchronized(this) { assert val == 5; } } Monitor this field val: Int method fails(this: Ref) { inhale acc(this.val) this.val := 5 exhale acc(this.val) inhale acc(this.val) assert this.val == 5 } ? this.val

37 Modelling Thread Interleavings
class Counter { @GuardedBy(“this”); int val; void fails() { synchronized(this) { val = 5; } synchronized(this) { assert val == 5; } } Monitor this field val: Int method fails(this: Ref) { inhale acc(this.val) this.val := 5 exhale acc(this.val) inhale acc(this.val) assert this.val == 5 } ? this.val

38 Demo Example (Pseudo-Java)
class Counter { @GuardedBy(“this”); @MonitorInvariant(“old(val) <= val”); int val; synchronized void inc() { val++; } }

39 Recursive Predicates v predicate list(this: Ref) { this != null ==>
acc(this.data) && acc(this.next) && list(this.next) } v unfold list(this) // access this.data // and this.next fold list(this)

40 Recursive Predicates: Limitations
Extending footprints

41 Recursive Predicates: Limitations
Extending footprints

42 Recursive Predicates: Limitations
Extending footprints Sharing w

43 Recursive Predicates: Limitations
Extending footprints Sharing w

44 Recursive Predicates: Limitations
Extending footprints Sharing Traversal order w

45 Explicit Footprints with Permissions
predicate list(nodes: Set[Ref]) { forall n  nodes :: acc(n.data) && acc(n.next) && (n.next != null ==> n.next  nodes) } v w list(nodes) && v  nodes && w  nodes

46 Viper Viper Front ends Intermediate verification language
Verification condition generator (verifier) Symbolic execution (verifier) Abstract interpretation (inference) Viper Boogie SMT solver

47 Viper Viper Chalice Java OpenCL C# Python
Intermediate verification language Verification condition generator (verifier) Symbolic execution (verifier) Abstract interpretation (inference) Viper Boogie SMT solver

48 Viper SMT solver Intermediate verification language
Expressiveness SMT solver Intermediate verification language Viper Abstract interpretation (inference) Boogie Verification condition generator (verifier) Symbolic execution (verifier) Java Chalice OpenCL Python Automation

49 http://viper.ethz.ch Viper Expressiveness Automation SMT solver
Intermediate verification language Viper Abstract interpretation (inference) Boogie Verification condition generator (verifier) Symbolic execution (verifier) Java Chalice OpenCL Python Expressiveness Automation

50 backup slides

51 1

52 Explicit Footprints: Example
class Account { bal: Int method deposit(n: Int) requires 0 < n modifies {this} { bal := bal + n } } class List { len: Int function length(): Int reads {this} { len } }

53 Explicit Footprints: Example
class Account { bal: Int method deposit(n: Int) requires 0 < n modifies {this} { bal := bal + n } } method client(a: Account, l: List) { var tmp := l.length() a.deposit(200) assert tmp == l.length() } class List { len: Int function length(): Int reads {this} { len } } { P } C { Q } modifies(C) ∩ reads(R) = ∅ { P  R } C { Q  R }

54 2

55 Permission Transfer method deposit(n: Int)
requires 0 < n  acc(bal) ensures acc(bal) method client(a: Account, l: List) requires acc(a.bal) ∗ acc(l.len) { var tmp := l.length() a.deposit(200) assert tmp == l.length() } B a.bal L l.len

56 Permission Transfer method deposit(n: Int)
requires 0 < n  acc(bal) ensures acc(bal) method client(a: Account, l: List) requires acc(a.bal) ∗ acc(l.len) { var tmp := l.length() a.deposit(200) assert tmp == l.length() } B a.bal L l.len

57 Permission Transfer method deposit(n: Int)
requires 0 < n  acc(bal) ensures acc(bal) method client(a: Account, l: List) requires acc(a.bal) ∗ acc(l.len) { var tmp := l.length() a.deposit(200) assert tmp == l.length() } ? a.bal L l.len

58 Inhale and Exhale method deposit(n: Int) requires 0 < n  acc(bal)
ensures acc(bal) method client(a: Account, l: List) { inhale acc(a.bal) ∗ acc(l.len) var tmp := l.length() exhale 0 < 200  acc(a.bal) // a.deposit(200) inhale acc(a.bal) assert tmp == l.length() }

59 3

60 Permissions in Viper Permissions denoted by accessibility predicates Expressions may be heap-dependent Support for fractional permissions Conjunction is multiplicative (as in separation logic) acc(e.f) acc(e.f) && e.f > 0 acc(e.f, ½) acc(e.f, ½) && acc(e.f, ½)

61 4

62 Unbounded Data Structures
Unidirectional Multi-directional Random Access Unstructured specify via recursive predicate

63 Unbounded Data Structures
Unidirectional Multi-directional Random Access Unstructured specify via iterated separating conjunction

Download ppt "A Verification Infrastructure for Permission-based Reasoning"

Similar presentations

1 Lecture 5 Towards a Verifying Compiler: Multithreading Wolfram Schulte Microsoft Research Formal Methods 2006 Race Conditions, Locks, Deadlocks, Invariants,

1 Lecture 5 Towards a Verifying Compiler: Multithreading Wolfram Schulte Microsoft Research Formal Methods 2006 Race Conditions, Locks, Deadlocks, Invariants,
Writing specifications for object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 21 Jan 2005 Invited talk, AIOOL 2005 Paris,

Writing specifications for object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 21 Jan 2005 Invited talk, AIOOL 2005 Paris,
Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.

Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.
Modular and Verified Automatic Program Repair Francesco Logozzo, Thomas Ball RiSE - Microsoft Research Redmond.

Modular and Verified Automatic Program Repair Francesco Logozzo, Thomas Ball RiSE - Microsoft Research Redmond.
Using SMT solvers for program analysis Shaz Qadeer Research in Software Engineering Microsoft Research.

Using SMT solvers for program analysis Shaz Qadeer Research in Software Engineering Microsoft Research.
Synthesis, Analysis, and Verification Lecture 04c Lectures: Viktor Kuncak VC Generation for Programs with Data Structures “Beyond Integers”

Synthesis, Analysis, and Verification Lecture 04c Lectures: Viktor Kuncak VC Generation for Programs with Data Structures “Beyond Integers”
Automated Verification with HIP and SLEEK Asankhaya Sharma.

Automated Verification with HIP and SLEEK Asankhaya Sharma.
Verifying Executable Object-Oriented Specifications with Separation Logic Stephan van Staden, Cristiano Calcagno, Bertrand Meyer.

Verifying Executable Object-Oriented Specifications with Separation Logic Stephan van Staden, Cristiano Calcagno, Bertrand Meyer.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Constraint Semantics for Abstract Read Permissions 28 th July 2014, FTfJP, Uppsala John Tang Boyland (UW-Milwaukee/ETH Zurich) Peter Müller, Malte Schwerhoff,

Constraint Semantics for Abstract Read Permissions 28 th July 2014, FTfJP, Uppsala John Tang Boyland (UW-Milwaukee/ETH Zurich) Peter Müller, Malte Schwerhoff,
Automated Verification with HIP and SLEEK Asankhaya Sharma.

Automated Verification with HIP and SLEEK Asankhaya Sharma.
Automated Software Verification with a Permission-Based Logic 20 th June 2014, Zürich Malte Schwerhoff, ETH Zürich.

Automated Software Verification with a Permission-Based Logic 20 th June 2014, Zürich Malte Schwerhoff, ETH Zürich.
Verification of Multithreaded Object- Oriented Programs with Invariants Bart Jacobs, K. Rustan M. Leino, Wolfram Schulte.

Verification of Multithreaded Object- Oriented Programs with Invariants Bart Jacobs, K. Rustan M. Leino, Wolfram Schulte.
Software Engineering & Automated Deduction Willem Visser Stellenbosch University With Nikolaj Bjorner (Microsoft Research, Redmond) Natarajan Shankar (SRI.

Software Engineering & Automated Deduction Willem Visser Stellenbosch University With Nikolaj Bjorner (Microsoft Research, Redmond) Natarajan Shankar (SRI.
A simple sequential reasoning approach for sound modular verification of mainstream multithreaded programs Wolfram Schulte & Bart Jacobs Microsoft Research.

A simple sequential reasoning approach for sound modular verification of mainstream multithreaded programs Wolfram Schulte & Bart Jacobs Microsoft Research.
The Java Modeling Language JML Erik Poll Digital Security Radboud University Nijmegen.

The Java Modeling Language JML Erik Poll Digital Security Radboud University Nijmegen.
K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond, WA, USA 3 December 2008 U. Lugano Lugano, Switzerland.

K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond, WA, USA 3 December 2008 U. Lugano Lugano, Switzerland.
K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond, WA part 0 International Summer School Marktoberdorf Marktoberdorf,

K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond, WA part 0 International Summer School Marktoberdorf Marktoberdorf,
Changing perspective can be useful Relating alternative logics for automatic software verification Alex Summers (ETH Zurich) partly based on joint work.

Changing perspective can be useful Relating alternative logics for automatic software verification Alex Summers (ETH Zurich) partly based on joint work.
1.7.2008 Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt.

Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt.

Similar presentations

Ads by Google