Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Verification Infrastructure for Permission-Based Reasoning

Published byἈλαλά Καραμήτσος Modified over 6 years ago

Similar presentations

Presentation on theme: "A Verification Infrastructure for Permission-Based Reasoning"— Presentation transcript:

1 A Verification Infrastructure for Permission-Based Reasoning
Viper A Verification Infrastructure for Permission-Based Reasoning Quantified Permissions Dynamic-Frames-Style Specifications in Permission Logics Malte Schwerhoff 3rd November 2016, Bad Herrenalb

2 Frame Problem { P } C { Q } { P R } C { Q R }

3 Framing Methodologies
{ P } C { Q } { P R } C { Q R } Dynamic Frames (no permissions) { P } C { Q } modifies(C) ∩ reads(R) = ∅ { P R } C { Q R }

4 Framing Methodologies
{ P } C { Q } { P R } C { Q R } Dynamic Frames (no permissions) Separation Logic (permissions) { P } C { Q } modifies(C) ∩ reads(R) = ∅ { P } C { Q } { P R } C { Q R } { P R } C { Q R }

5 Permissions method mutate() requires acc(this.val)
ensures acc(this.val) method client(x, y) requires acc(x.val) ∗ acc(y.val) { var tmp := y.val x.mutate() assert tmp == y.val } X x.val Y y.val

6 Permissions { P } C { Q } { P  R } C { Q  R } ∗ ∗ method mutate()
requires acc(this.val) ensures acc(this.val) method client(x, y) requires acc(x.val) ∗ acc(y.val) { var tmp := y.val x.mutate() assert tmp == y.val } X x.val Y y.val { P } C { Q } { P  R } C { Q  R }

7 Permissions { P } C { Q } { P  R } C { Q  R } ∗ ∗ method mutate()
requires acc(this.val) ensures acc(this.val) method client(x, y) requires acc(x.val) ∗ acc(y.val) { var tmp := y.val x.mutate() assert tmp == y.val } X x.val Y y.val { P } C { Q } { P  R } C { Q  R }

8 Permissions { P } C { Q } { P  R } C { Q  R } ∗ ∗ method mutate()
requires acc(this.val) ensures acc(this.val) method client(x, y) requires acc(x.val) ∗ acc(y.val) { var tmp := y.val x.mutate() assert tmp == y.val } ? x.val Y y.val { P } C { Q } { P  R } C { Q  R }

9 Permissions { P } C { Q } { P  R } C { Q  R } ∗ ∗ method mutate()
requires acc(this.val) ensures acc(this.val) method client(x, y) requires acc(x.val) ∗ acc(y.val) { var tmp := y.val x.mutate() assert tmp == y.val } ? x.val Y y.val { P } C { Q } { P  R } C { Q  R }

10 Permissions { P } C { Q } { P  R } C { Q  R } ∗ ∗ method mutate()
requires acc(this.val) ensures acc(this.val) method client(x, y) requires acc(x.val) ∗ acc(y.val) { var tmp := y.val x.mutate() assert tmp == y.val } ? x.val Y y.val { P } C { Q } { P  R } C { Q  R }

11 Common Tool Infrastructures
No Permissions Prog. language, spec. language and methodology Front end Intermediate verification language Verification condition generator SMT solver

12 Common Tool Infrastructures
No Permissions Prog. language, spec. language and methodology Front end Intermediate verification language Verification condition generator SMT solver

13 Common Tool Infrastructures
No Permissions Permissions Prog. language, spec. language and methodology Prog. language, spec. language and methodology Front end Custom verifier Intermediate verification language Intermediate verification language Verification condition generator SMT solver SMT solver

14 Common Tool Infrastructures
No Permissions Permissions Prog. language, spec. language and methodology Prog. language, spec. language and methodology Front end Custom verifier Custom verifier Custom verifier Intermediate verification language Intermediate verification language Verification condition generator SMT solver SMT solver

15 Common Tool Infrastructures
No Permissions Permissions Prog. language, spec. language and methodology Prog. language, spec. language and methodology repeat abstraction gap Front end Custom verifier Custom verifier Custom verifier Intermediate verification language Intermediate verification language Verification condition generator reuse SMT solver SMT solver

16 Insufficient Tool Support for Permission Logics
Prog. language, spec. language and methodology Custom verifier SMT solver Verification efforts do not benefit fully from advances in theory Theory does not receive feedback from applications Toolbox image:

17 Facilitate the 1. development of tools 2. prototyping of encodings for permission-based verification

18 Intermediate verification language
Viper Front end Front end Front end Intermediate verification language Back-end tools Viper SMT solver Icons:

19 { P } C { Q } { P  R } C { Q  R } Permission Transfer callee caller
caller

20 Viper Features: Inhale and Exhale
{ P } C { Q } callee { P  R } C { Q  R } caller exhale P assert value constraints check and remove permissions havoc newly-inaccessible locations inhale Q obtain permissions assume value constraints

21 Demo

22 Recursive Predicates v predicate list(this: Ref) { this != null ==>
acc(this.data) && acc(this.next) && list(this.next) } v unfold list(this) // access this.data // and this.next fold list(this)

23 Recursive Predicates: Limitations
Extending

24 Recursive Predicates: Limitations
Extending

25 Recursive Predicates: Limitations
Extending Sharing w

26 Recursive Predicates: Limitations
Extending Sharing w

27 Recursive Predicates: Limitations
Extending Sharing Traversing w

28 Unbounded Data Structures
Unidirectional Multidirectional Random Access Unstructured recursive predicates are often a suitable specification mechanism 28

29 Unbounded Data Structures
Unidirectional Multidirectional Random Access Unstructured need for an alternative specification mechanism 29

30 Quantified Permissions
Multidirectional forall n in nodes :: acc(n.next) && acc(n.prev) Random Access Unstructured 30

31 Quantified Permissions
Multidirectional forall n in nodes :: acc(n.next) && acc(n.prev) Random Access forall i in [0..5] :: acc(arr[i]) Unstructured 31

32 Quantified Permissions
Multidirectional forall n in nodes :: acc(n.next) && acc(n.prev) Random Access forall i in [0..5] :: acc(arr[i]) forall i in [0..5] :: i % 2 == 1 ==> acc(arr[i]) Unstructured 32

33 Quantified Permissions
Multidirectional forall n in nodes :: acc(n.next) && acc(n.prev) Random Access forall i in [0..5] :: acc(arr[i]) forall i in [0..5] :: i % 2 == 1 ==> acc(arr[i]) Unstructured forall n in nodes :: acc(n.succs) && acc(n.marked) 33

34 Quantified Permissions
Multidirectional forall n in nodes :: acc(n.next) && acc(n.prev) Random Access forall i in [0..5] :: acc(arr[i]) forall i in [0..5] :: i % 2 == 1 ==> acc(arr[i]) Unstructured forall n in nodes :: acc(n.succs) && acc(n.marked) && (n.marked ==> forall m in n.succs :: m.marked) 34

35 List Tail Sharing Revisited
predicate list(nodes: Set[Ref]) { forall n  nodes :: acc(n.data) && acc(n.next) && (n.next != null ==> n.next  nodes) } v w list(nodes) && v  nodes && w.next  nodes

36 General Receiver Expressions
inhale ∀ x ∈ S :: acc(e(x).f) exhale ∀ y ∈ R :: acc(y.f) 36

37 General Receiver Expressions: Challenge
inhale ∀ x ∈ S :: acc(e(x).f) {x1, x2, x3, x4, ..., xn} e(x).f {y1, y2, y3, ..., ym} acc(y.f)? exhale ∀ y ∈ R :: acc(y.f) 37

38 General Receiver Expressions: Challenge
inhale ∀ x ∈ S :: acc(e(x).f) {x1, x2, x3, x4, ..., xn} e(x).f ∃ x ϵ S :: e(x) = y? {y1, y2, y3, ..., ym} exhale ∀ y ∈ R :: acc(y.f) 38

39 General Receiver Expressions: Injectivity
inhale ∀ x ∈ S :: acc(e(x).f) 1. Require e(x) to be injective (naturally satisfied by e.g. arrays and graphs) {x1, x2, x3, x4, ..., xn} e(x).f {y1, y2, y3, ..., ym} exhale ∀ y ∈ R :: acc(y.f) 39

40 General Receiver Expressions: Inverse Functions
inhale ∀ x ∈ S :: acc(e(x).f) 1. Require e(x) to be injective 2. Axiomatise inverse function e-1(x) to SMT solver {x1, x2, x3, x4, ..., xn} e(x).f {y1, y2, y3, ..., ym} exhale ∀ y ∈ R :: acc(y.f) 40

41 General Receiver Expressions: Challenge
inhale ∀ x ∈ S :: acc(e(x).f) {x1, x2, x3, x4, ..., xn} e-1(y) ϵ S? e(x).f y.f ϵ L? {y1, y2, y3, ..., ym} acc(y.f)? exhale ∀ y ∈ R :: acc(y.f) 41

42 Demo

43 Dynamic Frames vs. Permissions
Permission Logics: disjointness per default poorly supported in tools Arbitrary data structures Concurrency Dynamic Frames: sharing per default

44 Dynamic Frames vs. Permissions
Permission Logics: disjointness per default Viper’s quantified permissions Arbitrary data structures Concurrency ? specify and maintain disjointness explicitly Dynamic Frames: sharing per default

45 Viper: Currently Viper
Chalice Java OpenCL Python Intermediate verification language Verification condition generator (verifier) Symbolic execution (verifier) Abstract interpretation (inference) Viper Boogie SMT solver

46 Viper: Next Viper Fine-Grained Concurrency Chalice Java OpenCL Python
Intermediate verification language Verification condition generator (verifier) Symbolic execution (verifier) Abstract interpretation (inference) Viper Boogie SMT solver

47 + C1 || C2 http://viper.ethz.ch Viper SMT solver
Intermediate verification language Viper Abstract interpretation (inference) Boogie Verification condition generator (verifier) Symbolic execution (verifier) Java Chalice OpenCL Python C1 || C2 +

Download ppt "A Verification Infrastructure for Permission-Based Reasoning"

Similar presentations

Demand-driven inference of loop invariants in a theorem prover

Demand-driven inference of loop invariants in a theorem prover
Writing specifications for object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 21 Jan 2005 Invited talk, AIOOL 2005 Paris,

Writing specifications for object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 21 Jan 2005 Invited talk, AIOOL 2005 Paris,
Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.

Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.
Modular and Verified Automatic Program Repair Francesco Logozzo, Thomas Ball RiSE - Microsoft Research Redmond.

Modular and Verified Automatic Program Repair Francesco Logozzo, Thomas Ball RiSE - Microsoft Research Redmond.
Using SMT solvers for program analysis Shaz Qadeer Research in Software Engineering Microsoft Research.

Using SMT solvers for program analysis Shaz Qadeer Research in Software Engineering Microsoft Research.
Synthesis, Analysis, and Verification Lecture 04c Lectures: Viktor Kuncak VC Generation for Programs with Data Structures “Beyond Integers”

Synthesis, Analysis, and Verification Lecture 04c Lectures: Viktor Kuncak VC Generation for Programs with Data Structures “Beyond Integers”
50.530: Software Engineering

50.530: Software Engineering
Semantics Static semantics Dynamic semantics attribute grammars

Semantics Static semantics Dynamic semantics attribute grammars
Satisfiability Modulo Theories (An introduction)

Satisfiability Modulo Theories (An introduction)
Verifying Executable Object-Oriented Specifications with Separation Logic Stephan van Staden, Cristiano Calcagno, Bertrand Meyer.

Verifying Executable Object-Oriented Specifications with Separation Logic Stephan van Staden, Cristiano Calcagno, Bertrand Meyer.
Constraint Semantics for Abstract Read Permissions 28 th July 2014, FTfJP, Uppsala John Tang Boyland (UW-Milwaukee/ETH Zurich) Peter Müller, Malte Schwerhoff,

Constraint Semantics for Abstract Read Permissions 28 th July 2014, FTfJP, Uppsala John Tang Boyland (UW-Milwaukee/ETH Zurich) Peter Müller, Malte Schwerhoff,
Automated Software Verification with a Permission-Based Logic 20 th June 2014, Zürich Malte Schwerhoff, ETH Zürich.

Automated Software Verification with a Permission-Based Logic 20 th June 2014, Zürich Malte Schwerhoff, ETH Zürich.
Programming with Constraint Solvers CS294: Program Synthesis for Everyone Ras Bodik Emina Torlak Division of Computer Science University of California,

Programming with Constraint Solvers CS294: Program Synthesis for Everyone Ras Bodik Emina Torlak Division of Computer Science University of California,
Software Engineering & Automated Deduction Willem Visser Stellenbosch University With Nikolaj Bjorner (Microsoft Research, Redmond) Natarajan Shankar (SRI.

Software Engineering & Automated Deduction Willem Visser Stellenbosch University With Nikolaj Bjorner (Microsoft Research, Redmond) Natarajan Shankar (SRI.
K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond, WA, USA 3 December 2008 U. Lugano Lugano, Switzerland.

K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond, WA, USA 3 December 2008 U. Lugano Lugano, Switzerland.
K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond, WA part 0 International Summer School Marktoberdorf Marktoberdorf,

K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond, WA part 0 International Summer School Marktoberdorf Marktoberdorf,
Changing perspective can be useful Relating alternative logics for automatic software verification Alex Summers (ETH Zurich) partly based on joint work.

Changing perspective can be useful Relating alternative logics for automatic software verification Alex Summers (ETH Zurich) partly based on joint work.
Fractional Permissions without the Fractions Alex Summers ETH Zurich Joint work with: Stefan Heule, Rustan Leino, Peter Müller ETH Zurich MSR Redmond ETH.

Fractional Permissions without the Fractions Alex Summers ETH Zurich Joint work with: Stefan Heule, Rustan Leino, Peter Müller ETH Zurich MSR Redmond ETH.
Separation logic for OO Stephan van Staden. Introduction OO languages are popular and widely used We need to reason about OO programs Some (problematic)

Separation logic for OO Stephan van Staden. Introduction OO languages are popular and widely used We need to reason about OO programs Some (problematic)
K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond, WA part 0 Summer School on Logic and Theorem-Proving in Programming.

K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond, WA part 0 Summer School on Logic and Theorem-Proving in Programming.

Similar presentations

Ads by Google