1. Language-Independent Verification Framework
Academic languages: IMP, KernelC, … Practical languages: C, Java, JavaScript, … Blockchain languages: EVM, Vyper, …
Language-Independent Verification Framework
Grigore Rosu, Xiaohong Chen
University of Illinois at Urbana-Champaign, USA

2. Program verification Given a program P and a specification S
The verification problem asks if P satisfies S:
“Yes”, then give a proof.
“No”, then give a counterexample.
Traditionally, it needs a program logic + proof rules

3. Language-specific program logics
Hoare logic, dynamic logic, separation logic, …
The logic depends on the programming language.
A Hoare logic for Java
A dynamic logic for C
A separation logic for JavaScript
… …

4. Language-specific approach
Not easy to define and understand:
Not directly executable.
Often need to develop a separate executable semantics and prove equivalence.
High cost in response to language changes:
E.g., blockchain languages have very rapid (weekly) development cycle.
Language tools (such as verifiers) are designed for one particular language.
… …

5. Intermediate verification languages (IVL)
Examples: Boogie, Why, …
Translate target languages to IVLs and build verification tools for IVL.
Brings some re-usability; But …
Can miss details of language behavior
VCC (based on Boogie) incorrectly reported an overflow error

6. Ideal language framework vision
Defining formal semantics can be hard, but there’s no way around.
The point is it is a task that is done once and for all.

7. A simple imperative language (IMP)
The target language when Hoare logic was firstly proposed in 1969.
All tools are generated automatically:
Parser
Interpreter
Verifier
… …

8. Verification: The state-of-the-art
Redefine the language using a different semantic approach (Hoare/separation/dynamic logic)
Language specific, non-executable, error-prone
Various different program logics for state/static properties: FOL, HOL, separation logic…

9. What we want Use directly the trusted executable semantics.
Together with a language-independent proof system
Takes semantics as axioms.
Derives reachability properties.
Partially sound and relatively complete reasoning for all languages.
We need a unifying logic to
define semantics of any languages;
specify any properties written in any logics (LTL, CTL, separation logic, …)

10. Matching Logic Patterns (of each sort s) Structure Constraints Binders
[…, LICS’13, RTA’15, OOPSLA’16, FSCD’16, LMCS’17, …]
Patterns
(of each sort s)
Structure
Constraints
Binders

11. Matching Logic Models
Patterns interpreted as sets (all elements that match them)
 as complement,  as intersection,  as union over all x

12. Matching Logic Proof System
First-Order Logic
13 Proof rules. Sound and complete
C  (1,…, i-1,□, i+1,…, n)
Technical (completeness)
Local reasoning

13. Expressiveness
Important logics for program reasoning can be framed as matching logic theories / notations
First-order logic
Equality, membership, definedness, partial functions
Lambda / mu calculi (least/largest fixed points)
Modal logics
Hoare logics
Dynamic logics
LTL, CTL, CTL*
Separation logic
Reachability logic …
x.e  x.0(x,e)
(x.e)e’ = e[e’/x]
x.e  x. 0(x,e)
x.e = e[x.e/x]
[e[/x]  ]  [x.e  ]
Knaster-Tarski

14. Reachability logic (semantics of K) [LICS’13, RTA’14, RTA’15,OOPLSA’16]
“Rewrite” rules over matching logic patterns:
For example, the two K rules for if-statement in IMP:
Naturally deal with conditional rules in RL:   
Can be expressed in matching logic:
  (’)  is “weak eventually”
rule if (0) S1 S2 => S2
rule if (V) S1 S2 => S1 when V =/=Int 0
rule (if (V) S1 S2) /\ (V =/=Int 0) => S1

15. Expressiveness of RL rules
Capture operational semantics rules:
Capture Hoare Triples:

16. Matching logic captures reachability logic
All RL proof rules (shown later) are provable in ML.
Language-independent proof system for deriving reachability claims of the form:
where
A (axioms, including semantic rules)
C (circularities) are sets of reachability rules.
Intuition:
Symbolic execution with operational semantics A
Reasoning with cyclic behaviors C

17. Proof system for reachability (language-independent)
Prove any reachability property of any language, including anything that Hoare logic can prove (with proofs of comparable size). [FM’12] Partially sound and relatively complete [ICALP’12,OOPSLA’12], [LICS’13,RTA’14,OOPSLA’16]

18. Traditional verification vs. our approach
Traditional proof systems: language-specific
Our proof system: language-independent

19. Verification example: SUM
// SUM int n, s; n = N:Int; // LOOP while(n){ s = s + n; n = n + 1; }
// SUM_spec
<k> SUM => .K </k>
<state> .Map
=> n |-> 0
s |-> N(N+1)/2
</state>
when N >= 0
// LOOP_spec (invariant)
<k> LOOP => .K </k>
<state>
n |-> (N => 0)
s |-> (S => S + N(N+1)/2)

20. Verify the Invariant LOOP_spec
Axioms (the semantics) |- 
<k> LOOP => .K </k>
<state>
n |-> (N => 0)
s |-> (S => S + N(N+1)/2)
</state>
when N >= 0
Axioms |-{LOOP_spec}
<k> LOOP => .K </k>
<state>
n |-> (N => 0)
s |-> (S => S + N(N+1)/2)
</state>
when N >= 0

21. Verify the Invariant LOOP_spec
Axioms |-{LOOP_spec}
<k> LOOP => .K </k>
<state>
n |-> (N => 0)
s |-> (S => S + N(N+1)/2)
</state>
when N >= 0
LOOP = ​
while(n){​
  s = s + n;​
  n = n + 1;​ }
Axioms |-{LOOP_spec}
<k> while(n){BODY} => .K </k>
<state>
n |-> (N => 0)
s |-> (S => S + N(N+1)/2)
</state>
when N >= 0

22. Verify the Invariant LOOP_spec
Axioms |-{LOOP_spec}
<k> while(n){BODY} => .K </k>
<state>
n |-> (N => 0)
s |-> (S => S + N(N+1)/2)
</state>
when N >= 0
// imp.k, i.e., Axioms
...
rule while(B)S
  => if(B)
     {S while(B)S}
     {}

23. Verify the Invariant LOOP_spec
Axioms |-{LOOP_spec}
<k> while(n){BODY} => .K </k>
<state>
n |-> (N => 0)
s |-> (S => S + N(N+1)/2)
</state>
when N >= 0
This is just symbolic execution.
In the meantime, move Circularities to Axioms. 
Axioms U {LOOP_spec} |-
<k> if(n){BODY LOOP}{} => .K </k>
<state>
n |-> (N => 0)
s |-> (S => S + N(N+1)/2)
</state>
when N >= 0

24. Verify the Invariant LOOP_spec
Axioms U {LOOP_spec} |-
<k> if(n){BODY LOOP}{} => .K </k>
<state>
n |-> (N => 0)
s |-> (S => S + N(N+1)/2)
</state>
when N >= 0
rule
<k> X => I ... </k>
<state>
  ... X |-> I ...
</state>
Axioms U {LOOP_spec} |-
<k> if(N){BODY LOOP}{} => .K </k>
<state>
n |-> (N => 0)
s |-> (S => S + N(N+1)/2)
</state>
when N >= 0
More symbolic execution.

25. Verify the Invariant LOOP_spec
Axioms U {LOOP_spec} |-
<k> if(N){BODY LOOP}{} => .K </k>
<state>
n |-> (N => 0)
s |-> (S => S + N(N+1)/2)
</state>
when N >= 0
Two cases: when N = 0 and when N >= 1.

26. Verify the Invariant LOOP_spec
Axioms U {LOOP_spec} |-
<k> if(N){BODY LOOP}{} => .K </k>
<state>
n |-> (N => 0)
s |-> (S => S + N(N+1)/2)
</state>
when N >= 1
This is the interesting case.
Axioms U {LOOP_spec} |-
<k> LOOP => .K </k>
<state>
 n |-> (N-1 => 0)
 s |-> (S+N => S + N(N+1)/2)
</state>
when N >= 1
More symbolic execution.

27. Verify the Invariant LOOP_spec
Axioms U {LOOP_spec} |-
<k> LOOP => .K </k>
<state>
 n |-> (N-1 => 0)
 s |-> (S+N => S+N(N+1)/2)
</state>
when N >= 1
// LOOP_spec (forall N,S)
<k> LOOP => .K </k>​
<state> ​
 n |-> (N => 0)​
 s |-> (S => S + N(N+1)/2)​
</state>​
when N >= 0​
Use LOOP_spec as a normal semantic axiom. Instantiate it with N-1 and S+N.
// LOOP_spec, the instance we need
<k> LOOP => .K </k>​
<state> ​
 n |-> (N-1 => 0)​
 s |-> (S+N => (S+N)+(N-1)((N-1)+1)/2))​
</state>​
when N-1 >= 0​

28. Verify the Invariant LOOP_spec
Axioms U {LOOP_spec} |-
<k> LOOP => .K </k>
<state>
 n |-> (N-1 => 0)
 s |-> (S+N => S + N(N+1)/2)
</state>
when N >= 1
// LOOP_spec instance
<k> LOOP => .K </k>​
<state> ​
 n |-> (N-1 => 0)​
 s |-> (S+N => (S+N)+(N-1)((N-1)+1)/2))​
</state>​
when N-1 >= 0​
Verity (using SMT solvers) that
N >= 1 implies N-1 >= 0
(S+N)+(N-1)((N-1)+1)/2 = S+N(N+1)/2

29. Conclusion
Language-independent verification.