Presentation is loading. Please wait.

Presentation is loading. Please wait.

Viper A Verification Infrastructure for Permission-Based Reasoning 24 th March 2015, JML Workshop, Leiden Uri Juhasz, Ioannis Kassios, Peter Müller, Milos.

Published byCandace Holmes Modified over 9 years ago

Similar presentations

Presentation on theme: "Viper A Verification Infrastructure for Permission-Based Reasoning 24 th March 2015, JML Workshop, Leiden Uri Juhasz, Ioannis Kassios, Peter Müller, Milos."— Presentation transcript:

1 Viper A Verification Infrastructure for Permission-Based Reasoning 24 th March 2015, JML Workshop, Leiden Uri Juhasz, Ioannis Kassios, Peter Müller, Milos Novacek, Malte Schwerhoff, Alex Summers (and several students)

2 Automatic Program Verification −Safety (memory accesses, non- null, …) −Correctness (functional specs) −Termination, message replies, … 2 Our Vision

3 3 Verification using Automatic Provers Automatic prover + Automatic first-order logic tools – major progress in the last decade (SAT, SMT) + Intermediate verification languages - Boogie, Why, … + Back-end: verifier (verification condition generator) = Common infrastructure for building front-end verifiers ✔✘✔✘ Back-end IVL Front-end Prog. language + specifications Front-end Prog. language + specifications Front-ends Prog. languages + specifications

4 ✔✘✔✘ 4 Verification using Automatic Provers + Automatic first-order logic tools – major progress in the last decade (SAT, SMT) + Intermediate verification languages - Boogie, Why, … + Back-ends: verifiers - but also inference engines, slicers, static analysers, … = Common infrastructure for building front-end verifiers Automatic prover Back-end IVL Front-end Prog. language + specifications Automatic prover Back-end Automatic provers Back-ends Front-end Prog. language + specifications Front-ends Prog. languages + specifications

5 ✔✘✔✘ 5 Verification using Automatic Provers Common infrastructure enabled many success stories and tools − Microsoft Hypervisor (VCC) − Device drivers (Corral) − Spec#, Dafny − Krakatoa, Jessie − Frama-C, Why3 − … Automatic prover Back-end IVL Front-end Prog. language + specifications Automatic prover Back-end Automatic provers Back-ends Front-end Prog. language + specifications Front-ends Prog. languages + specifications

6 6 Permission-Based Reasoning Separation logic and others permission logics: −Locally reason about shared mutable state −Many successful applications, including −Device driver safety (Microsoft) −Belgian Electronic Identity Card −Many ongoing developments (esp. fine-grained concurrency) Not a first-order logic → Significantly complicates using existing provers

7 7 Permission-Based Reasoning Consequence: many custom verification engines (usually based on symbolic execution): Smallfoot, VeriFast, jStar, … Prog. language A + specifications Automatic prover Back-end B Prog. language B + specifications Back-end C Prog. language C + specifications Back-end A Alternative: Encoding SL into FOL (e.g. Chalice)

8 8 Viper: Our Verification Infrastructure Silver: −Native support for permissions −Few (but expressive) constructs −Designed with verification and inference in mind Back-ends: Two verifiers; plans to develop inference, slicer Front-ends (proof of concept): −Chalice (concurrency research) −Scala (very small subset) −Java (VerCors, U Twente) −OpenCL (VerCors, U Twente) Silver (IVL) Front-end Back-ends Automatic prover Front-end Front-ends

9 9 Modular Static Verification + Shared State foo(x)bar(x)

10 10 Modular Static Verification + Shared State foo(x)bar(x) ?

11 11 Modular Static Verification + Shared State foo(x)bar(x) ?

12 12 Permissions foo(x)bar(x)

13 13 Permission Transfer foo(x)bar(x) ?

14 14 Permission Transfer foo(x)bar(x) ?

15 15 Fractional Permissions foo(x)bar(x)

16 16 Splitting Fractional Permissions foo(x)bar(x) ?

17 17 Merging Fractional Permissions foo(x)bar(x) ?

18 18 Permission Transfer Idea of permission transfer generalises −Fork-join (transfer between threads) −Locks (transfer to/from lock invariant) −Message passing (pass permissions) Common operations − Gain permissions − Lose permissions foo(x)bar(x) ?

19 19 Silver: Inhale and Exhale Statements Statement exhale A means −Assert and remove permissions required by A −Assert logical constraints in A (e.g. c.f == 0 ) −Havoc locations to which all permissions is lost (i.e. forget their values) Statement inhale A means −Gain permissions required by A −Assume logical constraints in A

20 20 Silver: Assertion Language Basics Based on implicit dynamic frames Accessibility predicates denote permissions Assertions may be heap- dependent Fractional permissions Conjunction sums up permissions (similar to ∗ in separation logic) acc(c.f, ½) && acc(c.f, ½) acc(c.f) acc(c.f) && c.f == 0 acc(c.f, ½) Based on implicit dynamic frames

21 21 Demo

22 22 Silver: Language Features Objects and fields, if-then-else, methods (with pre/post specs), loops (with invariants) No notion of concurrency (encode via inhale / exhale ) Simple type system −Int, Bool, Ref, Perm −Mathematical sets Set[T] and sequences Seq[T]

23 23 Silver: Unbounded Data Structures Unbounded data structures via recursive predicates fold/unfold statements exchange predicate instances for their bodies (not automatic due to recursion) Heap-dependent, pure abstraction functions predicate list(x: Ref) { acc(x.val) && acc(x.next) && (x.next != null ==> list(x.next)) } function elems(x: Ref): Seq[Int] requires list(x) { unfolding list(x) in [x.val] ++ (x.next == null ? [] : elems(x.next)) }

24 24 Silver: Custom Mathematical Domains Domains to specify custom mathematical types −Type-parametric domains −Domain functions −Domain axioms domain Pair[X,Y] { function pair(x: X, y: Y): Pair[X,Y] function first(p: Pair[X,Y]): X axiom forall x: X, y: Y first(pair(x,y)) == x }... method foo(x: Ref, p: Pair[Int, Int]) requires acc(x.f) { x.f := first(p) }

25 25 Silver: Other Cool Features Abstract read permissions −Alternative to fractional permissions −No need to commit to concrete fractions, e.g. ½ Allows unbounded splitting and counting method foo(x: Ref, p: Perm) requires 0 < p && acc(x.f, p) { // read x.f if ( ∗ ) { var q: Perm constraining (q) { foo(x, q) // give away q < p } } }

26 26 Silver: Other Cool Features Paired assertions [A, B] −When inhale, A is used −When exhaled, B is used −Asymmetry justified elsewhere (type system, soundness proof, induction schema, …) [ forall x: Nat P(x), forall x: Nat (forall y: Nat y P(y)) ==> P(x) ]

27 27 Magic Wands —∗

28 Boolean implication A ⇒ B Modus Ponens A ∧ (A ⇒ B) ⊨ B Separating implication A —∗ B Modus Ponens A ∗ (A —∗ B) ⊨ B A —∗ B can be understood as an exchange promise “If A and A —∗ B are given up, then B is guaranteed to hold“ 28 Magic Wands Primer

29 Semantics of the magic wand: h ⊨ A —∗ B ⇔ ∀ h’ h · (h’ ⊨ A ⇒ h ⊎ h’ ⊨ B) Quantification over state; typically not supported in automated verifiers Used in proofs by hand (e.g. data structure modifications, barrier synchronization) 29 Magic Wands Primer ⊢

30 30 Permission Bookkeeping and Recursive Predicates predicate list(xs: Ref) { acc(xs.next) && (xs.next != null ==> list(xs.next)) } method rec(xs: Ref) requires list(xs) ensures list(xs) { unfold list(xs) rec(xs.next) // Ignoring base case fold list(xs) }

31 31 Permission Bookkeeping and Recursive Predicates predicate list(xs: Ref) { acc(xs.next) && (xs.next != null ==> list(xs.next)) } method rec(xs: Ref) requires list(xs) ensures list(xs) { unfold list(xs) rec(xs.next) // Ignoring base case fold list(xs) } unfold fold recursive descent recursive ascent Bookkeeping implicitly done by the call stack

32 32 Permission Bookkeeping and Recursive Predicates predicate list(xs: Ref) { acc(xs.next) && (xs.next != null ==> list(xs.next)) } method it(xs: Ref) requires list(xs) ensures list(xs) { var cur := xs while (*) { unfold list(cur) cur := cur.next } } unfold iteration

33 33 Permission Bookkeeping and Recursive Predicates predicate list(xs: Ref) { acc(xs.next) && (xs.next != null ==> list(xs.next)) } method it(xs: Ref) requires list(xs) ensures list(xs) { var cur := xs while (*) inv ??? { unfold list(xs) cur := cur.next } ??? } unfold iteration ?

34 34 Permission Bookkeeping and Recursive Predicates predicate list(xs: Ref) { acc(xs.next) && (xs.next != null ==> list(xs.next)) } method it(xs: Ref) requires list(xs) ensures list(xs) { var cur := xs while (*) inv list(cur) --* list(xs) { unfold list(xs) cur := cur.next // Update wand } // Get list(xs) from wand } unfold iteration ∗

35 35 Magic Wands in Silver Specifying partial data structures is just one application We support arbitrary* wands Main contribution: automatic footprint computation −Recall A ∗ (A —∗ B) ⊨ B −Footprint = permission delta between A and B Examples −true —∗ acc(x.f)| acc(x.f) −acc(x.f) —∗ acc(x.f)| emp −acc(x.f, 1/3) —∗ acc(x.f, 1/1)| acc(x.f, 2/3) −acc(x.f) —∗ acc(y.f)| x != y ==> acc(y.f)

36 36 Demo

37 Silver AST 37 http://bitbucket.org/viperproject/ SiliconCarbon Boogie (Microsoft) Z3 (Microsoft) verified by encodes in queries generate Static Analysis infer additional specifications Chalice OpenCL (U Twente) Scala Java (U Twente)

Download ppt "Viper A Verification Infrastructure for Permission-Based Reasoning 24 th March 2015, JML Workshop, Leiden Uri Juhasz, Ioannis Kassios, Peter Müller, Milos."

Similar presentations

Joint work with Mike Barnett, Robert DeLine, Manuel Fahndrich, and Wolfram Schulte Verifying invariants in object-oriented programs K. Rustan M. Leino.

Joint work with Mike Barnett, Robert DeLine, Manuel Fahndrich, and Wolfram Schulte Verifying invariants in object-oriented programs K. Rustan M. Leino.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Lecture 4 Towards a Verifying Compiler: Data Abstraction Wolfram Schulte Microsoft Research Formal Methods 2006 Purity, Model fields, Inconsistency _____________.

Lecture 4 Towards a Verifying Compiler: Data Abstraction Wolfram Schulte Microsoft Research Formal Methods 2006 Purity, Model fields, Inconsistency _____________.
Semantics Static semantics Dynamic semantics attribute grammars

Semantics Static semantics Dynamic semantics attribute grammars
Verifying Executable Object-Oriented Specifications with Separation Logic Stephan van Staden, Cristiano Calcagno, Bertrand Meyer.

Verifying Executable Object-Oriented Specifications with Separation Logic Stephan van Staden, Cristiano Calcagno, Bertrand Meyer.
Constraint Semantics for Abstract Read Permissions 28 th July 2014, FTfJP, Uppsala John Tang Boyland (UW-Milwaukee/ETH Zurich) Peter Müller, Malte Schwerhoff,

Constraint Semantics for Abstract Read Permissions 28 th July 2014, FTfJP, Uppsala John Tang Boyland (UW-Milwaukee/ETH Zurich) Peter Müller, Malte Schwerhoff,
Automated Software Verification with a Permission-Based Logic 20 th June 2014, Zürich Malte Schwerhoff, ETH Zürich.

Automated Software Verification with a Permission-Based Logic 20 th June 2014, Zürich Malte Schwerhoff, ETH Zürich.
HIP/SLEEK11 HIP/SLEEK :Automatic Verification and Specification Inference System Wei-Ngan Chin & Asankhaya Sharma Dept of Computer Science National University.

HIP/SLEEK11 HIP/SLEEK :Automatic Verification and Specification Inference System Wei-Ngan Chin & Asankhaya Sharma Dept of Computer Science National University.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 11.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
A simple sequential reasoning approach for sound modular verification of mainstream multithreaded programs Wolfram Schulte & Bart Jacobs Microsoft Research.

A simple sequential reasoning approach for sound modular verification of mainstream multithreaded programs Wolfram Schulte & Bart Jacobs Microsoft Research.
K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond, WA, USA 3 December 2008 U. Lugano Lugano, Switzerland.

K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond, WA, USA 3 December 2008 U. Lugano Lugano, Switzerland.
Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.

Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.

1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.
CS 355 – Programming Languages

CS 355 – Programming Languages
K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond, WA part 0 International Summer School Marktoberdorf Marktoberdorf,

K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond, WA part 0 International Summer School Marktoberdorf Marktoberdorf,
Changing perspective can be useful Relating alternative logics for automatic software verification Alex Summers (ETH Zurich) partly based on joint work.

Changing perspective can be useful Relating alternative logics for automatic software verification Alex Summers (ETH Zurich) partly based on joint work.
Fractional Permissions without the Fractions Alex Summers ETH Zurich Joint work with: Stefan Heule, Rustan Leino, Peter Müller ETH Zurich MSR Redmond ETH.

Fractional Permissions without the Fractions Alex Summers ETH Zurich Joint work with: Stefan Heule, Rustan Leino, Peter Müller ETH Zurich MSR Redmond ETH.
Lecture 2 Towards a Verifying Compiler: Logic of Object oriented Programs Wolfram Schulte Microsoft Research Formal Methods 2006 Objects, references, heaps,

Lecture 2 Towards a Verifying Compiler: Logic of Object oriented Programs Wolfram Schulte Microsoft Research Formal Methods 2006 Objects, references, heaps,
Using and Building an Automatic Program Verifier K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond Lecture 1 LASER.

Using and Building an Automatic Program Verifier K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond Lecture 1 LASER.

Similar presentations

Ads by Google