Download presentation
Presentation is loading. Please wait.
Published byShana Allison Modified over 6 years ago
1
A Verification Infrastructure for Permission-based Reasoning
Viper A Verification Infrastructure for Permission-based Reasoning Malte Schwerhoff 19th October 2016, Prague
2
Modular, Deductive & Automated Verifiers
Verification methodologies SMT solvers Images: 2
3
Frame Problem v v i i { P } C { Q } { P R } C { Q R } 3
4
Frame Problem class Account { method deposit(n: Int) requires 0 < n
ensures balance() == old(balance()) + n { … } } method client(a: Account, l: List) { var tmp := l.length() a.deposit(200) assert tmp == l.length() }
5
Frame Problem class Account { transactions: List
method deposit(n: Int) requires 0 < n ensures balance() == old(balance()) + n { transaction.append(n) } def getTransactions(): List { transactions } } method client(a: Account, l: List) { var tmp := l.length() a.deposit(200) assert tmp == l.length() }
6
Frame Problem class Account { transactions: List
method deposit(n: Int) requires 0 < n ensures balance() == old(balance()) + n { transaction.append(n) } function getTransactions(): List { transactions } } method client(a: Account, l: List) { var tmp := l.length() a.deposit(200) assert tmp == l.length() } var a := new Account() client(a, a.getTransactions())
7
footprint(C) ∩ footprint(R) = ∅
Footprints v i v i { P } C { Q } footprint(C) ∩ footprint(R) = ∅ { P R } C { Q R }
8
modifies(C) ∩ reads(R) = ∅
Explicit Footprints v i { P } C { Q } modifies(C) ∩ reads(R) = ∅ { P R } C { Q R }
9
Implicit Footprints v i { P } C { Q } { P R } C { Q R }
10
Implicit Footprints v i { P } C { Q } { P R } C { Q R } ∗ ∗
11
Implicit Footprints: Example
class Account { bal: Int method deposit(n: Int) requires 0 < n acc(bal) ensures acc(bal) { bal := bal + n } } class List { len: Int function length(): Int requires acc(len) { len } }
12
Implicit Footprints: Example
class Account { bal: Int method deposit(n: Int) requires 0 < n acc(bal) ensures acc(bal) { bal := bal + n } } method client(a: Account, l: List) requires acc(a.bal) ∗ acc(l.len) { var tmp := l.length() a.deposit(200) assert tmp == l.length() } B a.bal L l.len class List { len: Int function length(): Int requires acc(len) { len } } { P } C { Q } { P R } C { Q R } ∗ ∗
13
Implicit Footprints: Example
class Account { bal: Int method deposit(n: Int) requires 0 < n acc(bal) ensures acc(bal) { bal := bal + n } } method client(a: Account, l: List) requires acc(a.bal) ∗ acc(l.len) { var tmp := l.length() a.deposit(200) assert tmp == l.length() } B a.bal L l.len class List { len: Int function length(): Int requires acc(len) { len } } { P } C { Q } { P R } C { Q R } ∗ ∗
14
Implicit Footprints: Example
class Account { bal: Int method deposit(n: Int) requires 0 < n acc(bal) ensures acc(bal) { bal := bal + n } } method client(a: Account, l: List) requires acc(a.bal) ∗ acc(l.len) { var tmp := l.length() a.deposit(200) assert tmp == l.length() } B a.bal L l.len class List { len: Int function length(): Int requires acc(len) { len } } { P } C { Q } { P R } C { Q R } ∗ ∗
15
Implicit Footprints: Example
class Account { bal: Int method deposit(n: Int) requires 0 < n acc(bal) ensures acc(bal) { bal := bal + n } } method client(a: Account, l: List) requires acc(a.bal) ∗ acc(l.len) { var tmp := l.length() a.deposit(200) assert tmp == l.length() } ? a.bal L l.len class List { len: Int function length(): Int requires acc(len) { len } } { P } C { Q } { P R } C { Q R } ∗ ∗
16
Implicit Footprints: Example
class Account { bal: Int method deposit(n: Int) requires 0 < n acc(bal) ensures acc(bal) { bal := bal + n } } method client(a: Account, l: List) requires acc(a.bal) ∗ acc(l.len) { var tmp := l.length() a.deposit(200) assert tmp == l.length() } ? a.bal L l.len class List { len: Int function length(): Int requires acc(len) { len } } { P } C { Q } { P R } C { Q R } ∗ ∗
17
Tool Support No permissions Expressiveness AutoProof Dafny Frama-C
KeY2 Spec# VCC VERL Expressiveness Automation
18
Tool Support Permissions Expressiveness Bedrock Chalice FCSL/Coq
Grasshopper Infer jStar SmallFoot VeriFast Ynot Expressiveness Automation
19
Consequences of Insufficient Tool Support
significant manual effort per application simple properties only popular, but hardly any permission-based tools Verification efforts do not benefit fully from advances in theory Theory does not receive feedback from applications Images:
20
Facilitate the 1. development of tools 2. prototyping of encodings for permission-based verification
21
Prog. language, spec. language and methodology
Embedding & tactics Interactive prover Icons:
22
Prog. language, spec. language and methodology
Embedding & tactics Interactive prover
23
Prog. language, spec. language and methodology
Custom verifier Prog. language, spec. language and methodology Embedding & tactics SMT solver Interactive Prover
24
Prog. language, spec. language and methodology
Custom verifier Prog. language, spec. language and methodology Embedding & tactics SMT solver Interactive Prover
25
Prog. language, spec. language and methodology
Front end Intermediate verification language Prog. language, spec. language and methodology Prog. language, spec. language and methodology Verification condition generator Embedding & tactics Custom verifier SMT solver Interactive Prover SMT solver
26
Prog. language, spec. language and methodology
Front end Intermediate verification language Prog. language, spec. language and methodology Prog. language, spec. language and methodology Verification condition generator Embedding & tactics Custom verifier SMT solver Interactive prover SMT solver SMT solver
27
Intermediate verification language
Viper Front end Front end Front end Intermediate verification language Back-end tools Viper SMT solver
28
{ P } C { Q } { P R } C { Q R } Permission Transfer callee caller
∗ ∗ caller
29
{ P } C { Q } { P R } C { Q R } Inhale and Exhale callee caller ∗
exhale P assert value constraints check and remove permissions havoc newly-inaccessible locations inhale Q obtain permissions assume value constraints
30
Example: Permission Transfer
method deposit(n: Int) requires 0 < n acc(bal) ensures acc(bal) method client(a: Account, l: List) requires acc(a.bal) ∗ acc(l.len) { var tmp := l.length() a.deposit(200) assert tmp == l.length() } method client(a: Account, l: List) { inhale acc(a.bal) ∗ acc(l.len) var tmp := l.length() exhale 0 < 200 acc(a.bal) // a.deposit(200) inhale acc(a.bal) assert tmp == l.length() }
31
Modelling Thread Interleavings
class Counter { @GuardedBy(“this”); int val; void fails() { synchronized(this) { val = 5; } synchronized(this) { assert val == 5; } } Monitor this this.val
32
Modelling Thread Interleavings
class Counter { @GuardedBy(“this”); int val; void fails() { synchronized(this) { val = 5; } synchronized(this) { assert val == 5; } } Monitor this field val: Int method fails(this: Ref) { inhale acc(this.val) this.val := 5 exhale acc(this.val) inhale acc(this.val) assert this.val == 5 } this.val
33
Modelling Thread Interleavings
class Counter { @GuardedBy(“this”); int val; void fails() { synchronized(this) { val = 5; } synchronized(this) { assert val == 5; } } Monitor this field val: Int method fails(this: Ref) { inhale acc(this.val) this.val := 5 exhale acc(this.val) inhale acc(this.val) assert this.val == 5 } ? this.val
34
Modelling Thread Interleavings
class Counter { @GuardedBy(“this”); int val; void fails() { synchronized(this) { val = 5; } synchronized(this) { assert val == 5; } } Monitor this field val: Int method fails(this: Ref) { inhale acc(this.val) this.val := 5 exhale acc(this.val) inhale acc(this.val) assert this.val == 5 } 5 this.val
35
Modelling Thread Interleavings
class Counter { @GuardedBy(“this”); int val; void fails() { synchronized(this) { val = 5; } // end synchronized(this) { assert val == 5; } } Monitor this field val: Int method fails(this: Ref) { inhale acc(this.val) this.val := 5 exhale acc(this.val) inhale acc(this.val) assert this.val == 5 } ? this.val
36
Modelling Thread Interleavings
class Counter { @GuardedBy(“this”); int val; void fails() { synchronized(this) { val = 5; } synchronized(this) { assert val == 5; } } Monitor this field val: Int method fails(this: Ref) { inhale acc(this.val) this.val := 5 exhale acc(this.val) inhale acc(this.val) assert this.val == 5 } ? this.val
37
Modelling Thread Interleavings
class Counter { @GuardedBy(“this”); int val; void fails() { synchronized(this) { val = 5; } synchronized(this) { assert val == 5; } } Monitor this field val: Int method fails(this: Ref) { inhale acc(this.val) this.val := 5 exhale acc(this.val) inhale acc(this.val) assert this.val == 5 } ? this.val
38
Demo Example (Pseudo-Java)
class Counter { @GuardedBy(“this”); @MonitorInvariant(“old(val) <= val”); int val; synchronized void inc() { val++; } }
39
Recursive Predicates v predicate list(this: Ref) { this != null ==>
acc(this.data) && acc(this.next) && list(this.next) } v unfold list(this) // access this.data // and this.next fold list(this)
40
Recursive Predicates: Limitations
Extending footprints
41
Recursive Predicates: Limitations
Extending footprints
42
Recursive Predicates: Limitations
Extending footprints Sharing w
43
Recursive Predicates: Limitations
Extending footprints Sharing w
44
Recursive Predicates: Limitations
Extending footprints Sharing Traversal order w
45
Explicit Footprints with Permissions
predicate list(nodes: Set[Ref]) { forall n nodes :: acc(n.data) && acc(n.next) && (n.next != null ==> n.next nodes) } v w list(nodes) && v nodes && w nodes
46
Viper Viper Front ends Intermediate verification language
Verification condition generator (verifier) Symbolic execution (verifier) Abstract interpretation (inference) Viper Boogie SMT solver
47
Viper Viper Chalice Java OpenCL C# Python
Intermediate verification language Verification condition generator (verifier) Symbolic execution (verifier) Abstract interpretation (inference) Viper Boogie SMT solver
48
Viper SMT solver Intermediate verification language
Expressiveness SMT solver Intermediate verification language Viper Abstract interpretation (inference) Boogie Verification condition generator (verifier) Symbolic execution (verifier) Java Chalice OpenCL Python Automation
49
http://viper.ethz.ch Viper Expressiveness Automation SMT solver
Intermediate verification language Viper Abstract interpretation (inference) Boogie Verification condition generator (verifier) Symbolic execution (verifier) Java Chalice OpenCL Python Expressiveness Automation
50
backup slides
51
1
52
Explicit Footprints: Example
class Account { bal: Int method deposit(n: Int) requires 0 < n modifies {this} { bal := bal + n } } class List { len: Int function length(): Int reads {this} { len } }
53
Explicit Footprints: Example
class Account { bal: Int method deposit(n: Int) requires 0 < n modifies {this} { bal := bal + n } } method client(a: Account, l: List) { var tmp := l.length() a.deposit(200) assert tmp == l.length() } class List { len: Int function length(): Int reads {this} { len } } { P } C { Q } modifies(C) ∩ reads(R) = ∅ { P R } C { Q R }
54
2
55
Permission Transfer method deposit(n: Int)
requires 0 < n acc(bal) ensures acc(bal) method client(a: Account, l: List) requires acc(a.bal) ∗ acc(l.len) { var tmp := l.length() a.deposit(200) assert tmp == l.length() } B a.bal L l.len
56
Permission Transfer method deposit(n: Int)
requires 0 < n acc(bal) ensures acc(bal) method client(a: Account, l: List) requires acc(a.bal) ∗ acc(l.len) { var tmp := l.length() a.deposit(200) assert tmp == l.length() } B a.bal L l.len
57
Permission Transfer method deposit(n: Int)
requires 0 < n acc(bal) ensures acc(bal) method client(a: Account, l: List) requires acc(a.bal) ∗ acc(l.len) { var tmp := l.length() a.deposit(200) assert tmp == l.length() } ? a.bal L l.len
58
Inhale and Exhale method deposit(n: Int) requires 0 < n acc(bal)
ensures acc(bal) method client(a: Account, l: List) { inhale acc(a.bal) ∗ acc(l.len) var tmp := l.length() exhale 0 < 200 acc(a.bal) // a.deposit(200) inhale acc(a.bal) assert tmp == l.length() }
59
3
60
Permissions in Viper Permissions denoted by accessibility predicates Expressions may be heap-dependent Support for fractional permissions Conjunction is multiplicative (as in separation logic) acc(e.f) acc(e.f) && e.f > 0 acc(e.f, ½) acc(e.f, ½) && acc(e.f, ½)
61
4
62
Unbounded Data Structures
Unidirectional Multi-directional Random Access Unstructured specify via recursive predicate
63
Unbounded Data Structures
Unidirectional Multi-directional Random Access Unstructured specify via iterated separating conjunction
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.