Presentation is loading. Please wait.

Presentation is loading. Please wait.

Viper A Verification Infrastructure for Permission-Based Reasoning 1 st March 2015, ECOOP’15 PC Meeting, Zurich Uri Juhasz, Ioannis Kassios, Peter Müller,

Published byEthel Cummings Modified over 9 years ago

Similar presentations

Presentation on theme: "Viper A Verification Infrastructure for Permission-Based Reasoning 1 st March 2015, ECOOP’15 PC Meeting, Zurich Uri Juhasz, Ioannis Kassios, Peter Müller,"— Presentation transcript:

1 Viper A Verification Infrastructure for Permission-Based Reasoning 1 st March 2015, ECOOP’15 PC Meeting, Zurich Uri Juhasz, Ioannis Kassios, Peter Müller, Milos Novacek, Malte Schwerhoff, Alex Summers (and several students)

2 Automatic Program Verification −Safety (memory accesses, non- null, …) −Correctness (functional specs) −Termination, message replies, … 2 Our Vision

3 3 Verification using Automatic Provers Automatic prover + Automatic first-order logic tools – major progress in the last decade (SAT, SMT) + Intermediate verification languages - Boogie, Why, … + Back-end: verifier (verification condition generator) = Common infrastructure for building front-end verifiers ✔✘✔✘ Back-end IVL Front-end Prog. language + specifications Front-end Prog. language + specifications Front-ends Prog. languages + specifications

4 ✔✘✔✘ 4 Verification using Automatic Provers + Automatic first-order logic tools – major progress in the last decade (SAT, SMT) + Intermediate verification languages - Boogie, Why, … + Back-ends: verifiers - but also inference engines, slicers, static analysers, … = Common infrastructure for building front-end verifiers Automatic prover Back-end IVL Front-end Prog. language + specifications Automatic prover Back-end Automatic provers Back-ends Front-end Prog. language + specifications Front-ends Prog. languages + specifications

5 ✔✘✔✘ 5 Verification using Automatic Provers Common infrastructure enabled many success stories and tools − Microsoft Hypervisor (VCC) − Device drivers (Corral) − Spec#, Dafny − Krakatoa, Jessie − Frama-C, Why3 − … Automatic prover Back-end IVL Front-end Prog. language + specifications Automatic prover Back-end Automatic provers Back-ends Front-end Prog. language + specifications Front-ends Prog. languages + specifications

6 6 Permission-Based Reasoning Separation logic and others permission logics: −Locally reason about shared mutable state −Many successful applications, including −Device driver safety (Microsoft) −Belgian Electronic Identity Card −Many on going developments (esp. fine-grained concurrency) Not a first-order logic → Significantly complicates using existing provers

7 7 Permission-Based Reasoning Consequence: many custom verification engines (usually based on symbolic execution): Smallfoot, VeriFast, jStar, … Prog. language A + specifications Automatic prover Back-end B Prog. language B + specifications Back-end C Prog. language C + specifications Back-end A Alternative: Encoding SL into FOL (e.g. Chalice)

8 8 Viper: Our Verification Infrastructure Silver: −Native support for permissions −Few (but expressive) constructs −Designed with verification and inference in mind Back-ends: Two verifiers; plans to develop inference, slicer Front-ends (proof of concept): −Chalice (concurrency research) −Scala (very small subset) −Java (VerCors, U Twente) −OpenCL (VerCors, U Twente) Silver (IVL) Front-end Back-ends Automatic prover Front-end Front-ends

9 9 Modular Static Verification + Shared State foo(x)bar(x)

10 10 Modular Static Verification + Shared State foo(x)bar(x) ?

11 11 Modular Static Verification + Shared State foo(x)bar(x) ?

12 12 Permissions foo(x)bar(x)

13 13 Permission Transfer foo(x)bar(x) ?

14 14 Permission Transfer foo(x)bar(x) ?

15 15 Fractional Permissions foo(x)bar(x)

16 16 Splitting Fractional Permissions foo(x)bar(x) ?

17 17 Merging Fractional Permissions foo(x)bar(x) ?

18 18 Permission Transfer Idea of permission transfer generalises −Fork-join (transfer between threads) −Locks (transfer to/from lock invariant) −Message passing (pass permissions) Common operations − Gain permissions − Lose permissions foo(x)bar(x) ?

19 19 Silver: Inhale and Exhale Statements Statement exhale A means −Assert and remove permissions required by A −Assert logical constraints in A (e.g. c.f == 0 ) −Havoc locations to which all permissions is lost (i.e. forget their values) Statement inhale A means −Gain permissions required by A −Assume logical constraints in A

20 20 Silver: Assertion Language Basics Based on implicit dynamic frames Accessibility predicates denote permissions Assertions may be heap- dependent Fractional permissions Conjunction sums up permissions (similar to ∗ in separation logic) acc(c.f, ½) && acc(c.f, ½) acc(c.f) acc(c.f) && c.f == 0 acc(c.f, ½) Based on implicit dynamic frames

21 21 Demo

22 22 Silver: Language Features Objects and fields, if-then-else, methods (with pre/post specs), loops (with invariants) No notion of concurrency (encode via inhale / exhale ) Simple type system −Int, Bool, Ref, Perm −Mathematical sets Set[T] and sequences Seq[T]

23 23 Silver: Unbounded Data Structures Unbounded data structures via recursive predicates fold/unfold statements exchange predicate instances for their bodies (not automatic due to recursion) Heap-dependent, pure abstraction functions predicate list(x: Ref) { acc(x.val) && acc(x.next) && (x.next != null ==> list(x.next)) } function elems(x: Ref): Seq[Int] requires list(x) { unfolding list(x) in [x.val] ++ (x.next == null ? [] : elems(x.next)) }

24 24 Silver: Custom Mathematical Domains Domains to specify custom mathematical types −Type-parametric domains −Domain functions −Domain axioms domain Pair[X,Y] { function pair(x: X, y: Y): Pair[X,Y] function first(p: Pair[X,Y]): X axiom forall x: X, y: Y first(pair(x,y)) == x }... method foo(x: Ref, p: Pair[Int, Int]) requires acc(x.f) { x.f := first(p) }

25 25 Silver: Other Cool Features Abstract read permissions −Alternative to fractional permissions −No need to commit to concrete fractions, e.g. ½ Allows unbounded splitting and counting method foo(x: Ref, p: Perm) requires 0 < p && acc(x.f, p) { // read x.f if ( ∗ ) { var q: Ref constraining (q) { foo(x, q) // give away q < p } } }

26 26 Silver: Other Cool Features Paired assertions [A, B] −When inhale, A is used −When exhaled, B is used −Asymmetry justified elsewhere (type system, soundness proof, proof principle, …) [ forall x: Nat P(x), forall x: Nat (forall y: Nat y P(y)) ==> P(x) ]

27 Silver AST 27 http://bitbucket.org/viperproject/ SiliconCarbon Boogie (Microsoft) Z3 (Microsoft) verified by encodes in queries gene rate Static Analysis infer additional specifications Chalice OpenCL (U Twente) Scala Java (U Twente)

28 28 Questions? www.pm.inf.ethz.ch malte.schwerhoff@inf.ethz.ch

29 29 Framing with Permissions void foo(c: C) requires c.f == 0 && … ensures … { this.f = 1 assert c.f == 0 bar(c) assert this.f == 1 } Frame assumptions by splitting the heap into disjoint parts ? ? c.f this.f

30 30 Framing with Permissions void foo(c: C) requires c.f == 0 ensures true { this.f = 1 assert c.f == 0 bar(c) assert this.f == 1 } Frame assumptions by splitting the heap into disjoint parts Split heap at each statement into two parts: −Footprint: touched by the statement −Frame: left untouched c.f ? 0 this.f footprint frame

31 31 Framing with Permissions void foo(c: C) requires c.f == 0 ensures true { this.f = 1 assert c.f == 0 bar(c) assert this.f == 1 } Frame assumptions by splitting the heap into disjoint parts Split heap at each statement into two parts: −Footprint: touched by the statement −Frame: left untouched c.f 1 0 this.f footprint frame

32 32 Framing with Permissions void foo(c: C) requires c.f == 0 ensures true { this.f = 1 assert c.f == 0 bar(c) assert this.f == 1 } Frame assumptions by splitting the heap into disjoint parts Split heap at each statement into two parts: −Footprint: touched by the statement −Frame: left untouched Method footprints are defined by preconditions c.f 1 0 this.f frame footprint

33 33 Framing with Permissions void foo(c: C) requires c.f == 0 ensures true { this.f = 1 assert c.f == 0 bar(c) assert this.f == 1 } Frame assumptions by splitting the heap into disjoint parts Split heap at each statement into two parts: −Footprint: touched by the statement −Frame: left untouched Method footprints are defined by preconditions c.f 1 ? this.f frame footprint

34 34 Permission Transfer Method call (intuitive) −Give away permissions to the footprint and keep permissions to the frame −Get permissions (back) from the call foo(x)bar(x) ?

Download ppt "Viper A Verification Infrastructure for Permission-Based Reasoning 1 st March 2015, ECOOP’15 PC Meeting, Zurich Uri Juhasz, Ioannis Kassios, Peter Müller,"

Similar presentations

Joint work with Mike Barnett, Robert DeLine, Manuel Fahndrich, and Wolfram Schulte Verifying invariants in object-oriented programs K. Rustan M. Leino.

Joint work with Mike Barnett, Robert DeLine, Manuel Fahndrich, and Wolfram Schulte Verifying invariants in object-oriented programs K. Rustan M. Leino.
Writing specifications for object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 21 Jan 2005 Invited talk, AIOOL 2005 Paris,

Writing specifications for object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 21 Jan 2005 Invited talk, AIOOL 2005 Paris,
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Lecture 4 Towards a Verifying Compiler: Data Abstraction Wolfram Schulte Microsoft Research Formal Methods 2006 Purity, Model fields, Inconsistency _____________.

Lecture 4 Towards a Verifying Compiler: Data Abstraction Wolfram Schulte Microsoft Research Formal Methods 2006 Purity, Model fields, Inconsistency _____________.
Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.

Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.
Modular and Verified Automatic Program Repair Francesco Logozzo, Thomas Ball RiSE - Microsoft Research Redmond.

Modular and Verified Automatic Program Repair Francesco Logozzo, Thomas Ball RiSE - Microsoft Research Redmond.
Semantics Static semantics Dynamic semantics attribute grammars

Semantics Static semantics Dynamic semantics attribute grammars
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Constraint Semantics for Abstract Read Permissions 28 th July 2014, FTfJP, Uppsala John Tang Boyland (UW-Milwaukee/ETH Zurich) Peter Müller, Malte Schwerhoff,

Constraint Semantics for Abstract Read Permissions 28 th July 2014, FTfJP, Uppsala John Tang Boyland (UW-Milwaukee/ETH Zurich) Peter Müller, Malte Schwerhoff,
Automated Software Verification with a Permission-Based Logic 20 th June 2014, Zürich Malte Schwerhoff, ETH Zürich.

Automated Software Verification with a Permission-Based Logic 20 th June 2014, Zürich Malte Schwerhoff, ETH Zürich.
HIP/SLEEK11 HIP/SLEEK :Automatic Verification and Specification Inference System Wei-Ngan Chin & Asankhaya Sharma Dept of Computer Science National University.

HIP/SLEEK11 HIP/SLEEK :Automatic Verification and Specification Inference System Wei-Ngan Chin & Asankhaya Sharma Dept of Computer Science National University.
K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond, WA, USA 3 December 2008 U. Lugano Lugano, Switzerland.

K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond, WA, USA 3 December 2008 U. Lugano Lugano, Switzerland.
Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.

Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.

1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.
CS 355 – Programming Languages

CS 355 – Programming Languages
K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond, WA part 0 International Summer School Marktoberdorf Marktoberdorf,

K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond, WA part 0 International Summer School Marktoberdorf Marktoberdorf,
Changing perspective can be useful Relating alternative logics for automatic software verification Alex Summers (ETH Zurich) partly based on joint work.

Changing perspective can be useful Relating alternative logics for automatic software verification Alex Summers (ETH Zurich) partly based on joint work.
Fractional Permissions without the Fractions Alex Summers ETH Zurich Joint work with: Stefan Heule, Rustan Leino, Peter Müller ETH Zurich MSR Redmond ETH.

Fractional Permissions without the Fractions Alex Summers ETH Zurich Joint work with: Stefan Heule, Rustan Leino, Peter Müller ETH Zurich MSR Redmond ETH.
ECI 2007: Specification and Verification of Object-Oriented Programs Lecture 2 Courtesy: K. Rustan M. Leino and Wolfram Schulte.

ECI 2007: Specification and Verification of Object-Oriented Programs Lecture 2 Courtesy: K. Rustan M. Leino and Wolfram Schulte.

Similar presentations

Ads by Google