Modular Program Verification - SRI International (fm.csl.sri.com/SSFT19/viper-lecture.pdf · 2020. 3. 17.)
TRANSCRIPT
![Page 1: Modular Program Verification - SRI Internationalfm.csl.sri.com/SSFT19/viper-lecture.pdf · 2020. 3. 17. · 2 TimSort is the default sorting algorithm for Collections in Sun’s JDK,](https://reader036.vdocuments.mx/reader036/viewer/2022071021/5fd55fa90090c77cc41842cf/html5/thumbnails/1.jpg)
Modular Program Verification
Peter Müller
Page 2

- TimSort is the default sorting algorithm for Collections in Sun's JDK, OpenJDK, and Android SDK
- Certain large arrays (>= 67M elements) lead to index-out-of-bounds errors
- The bug was detected during a verification attempt
- Previous attempts to fix related errors were ineffective

Testing and code reviews are not sufficient to detect certain bugs
Page 3

- Real-time operating systems use the priority inheritance protocol to ensure that low-priority processes do not block high-priority processes
- Several operating systems implement the protocol incorrectly, leading to deadlocks and priority inversion

Code-level verification should complement reasoning on the algorithm/design level
Page 4

- Chord is a distributed hash table developed at MIT
- None of the seven properties claimed invariant of the original version is actually an invariant

Reasoning must be supported by tools
Page 5

Modular Verification

- Verify each method separately
  - Scalability
- Do not use the implementation of callees
  - Software evolution
  - Dynamic method binding
- Do not use the implementation of callers and other methods
  - Correctness guarantees for libraries
  - Software evolution

(figure: call graph, main calling foo)
Page 6

Outline

- Permission-based Verification
- The Viper Intermediate Language
- Building Verifiers
- Encoding of Advanced Verification Techniques
Page 7

Contracts

- Contracts specify the intended behavior of parts of the program
- For the verification of a method, use the contracts of the rest of the program, not the implementation
- Verify calls in terms of method pre- and postconditions

(figure: call graph, main calling foo)
Page 8

Example: Contracts

```
method demo(a: Account)
  requires 0 <= a.bal
{
  a.deposit(200);
  a.withdraw(100);
}

class Account {
  var bal: int

  method deposit(amount: int)
    requires 0 < amount
    ensures bal == old(bal) + amount
  { … }

  method withdraw(amount: int)
    requires 0 < amount && amount <= bal
    ensures bal == old(bal) - amount
  { … }
}
```

The call to withdraw is verified from contracts alone: demo's precondition 0 <= a.bal and deposit's postcondition bal == old(bal) + 200 give 200 <= a.bal, which establishes withdraw's precondition 100 <= bal.
Page 9

Example: Side Effects

```
method demo(a: Account, l: List)
  ensures l.len == old(l.len)
{
  a.deposit(200)
}

class Account {
  var bal: int

  method deposit(amount: int)
    requires 0 < amount
    ensures bal == old(bal) + amount
  { … }
}
```

Does demo's postcondition hold? deposit's contract says nothing about l.len, so the verifier has to decide whether the call may have changed it.
Page 10

Example: Side Effects

```
class Account {
  var bal: int
  var transactions: List

  method deposit(amount: int)
    requires 0 < amount
    ensures bal == old(bal) + amount
  { transactions.add(amount) … }

  method getTransactions() returns (t: List)
  { t := transactions }
}

method demo(a: Account, l: List)
  ensures l.len == old(l.len)
{
  a.deposit(200)
}
```

With the call `demo(a, a.getTransactions())`, l is a's own transaction list, so deposit appends to l and demo's postcondition is violated, even though deposit satisfies its own contract.
Page 11

The Frame Problem

Classically, a statement preserves any assertion R over variables it does not mention:

$$\frac{\{P\}\ S\ \{Q\} \qquad FV(S) \cap FV(R) = \emptyset}{\{P \land R\}\ S\ \{Q \land R\}}$$

(figure: the heap locations l.len and a.bal before and after the call)
Page 12

Footprints

For heap-manipulating programs the side condition must speak about the locations a statement may access (its footprint), not about variable names: a and l are different variables, yet may reach the same location.

$$\frac{\{P\}\ S\ \{Q\} \qquad footprint(S) \cap footprint(R) = \emptyset}{\{P \land R\}\ S\ \{Q \land R\}}$$

(figure: l.len and a.bal as disjoint footprints)
Page 13

Separation Logic

- Heap properties are specified via points-to assertions x.f ↦ v
  - Holds in a partial heap that maps the memory location x.f to the value v
- Each heap access to x.f requires the current partial heap to contain x.f

$$\{\, x.f \mapsto \_ \,\}\ x.f := v\ \{\, x.f \mapsto v \,\}$$

(figure: partial heaps before and after the assignment x.f := v)
Page 14

Footprints in Separation Logic

$$\frac{\{P\}\ S\ \{Q\}}{\{P * R\}\ S\ \{Q * R\}}$$

(figure: the footprints of P and R, such as a.bal and l.len, as disjoint partial heaps)
Page 15

Separation and Framing

- Composition of partial heaps is described using the separating conjunction P ∗ Q
  - Holds in a partial heap if it can be split into two disjoint partial heaps, in which P and Q hold
  - x.f ↦ _ ∗ x.f ↦ _ is equivalent to false
  - x.f ↦ _ ∗ y.f ↦ _ implies x ≠ y
- Frame rule:

$$\frac{\{P\}\ S\ \{Q\}}{\{P * R\}\ S\ \{Q * R\}}$$

(figure: S runs on the part of the heap described by P and turns it into Q; the part described by R is untouched)
Page 16

Example: Framing

Without permissions, demo's postcondition cannot be verified:

```
class Account {
  var bal: int

  method deposit(amount: int)
    requires 0 < amount
    ensures bal == old(bal) + amount
  { … }
}

method demo(a: Account, l: List)
  ensures l.len == old(l.len)
{ a.deposit(200) }
```

With points-to assertions, deposit's precondition states its footprint (this.bal), so the frame rule preserves l.len ↦ L across the call:

```
class Account {
  var bal: int

  method deposit(amount: int)
    requires this.bal ↦ B ∗ 0 < amount
    ensures this.bal ↦ B + amount
  { … }
}

method demo(a: Account, l: List)
  requires a.bal ↦ B ∗ l.len ↦ L
  ensures l.len ↦ L
{ a.deposit(200) }
```

(figure: a.bal ↦ B becomes a.bal ↦ B + 200 during a.deposit(200), while l.len ↦ L is framed)
Page 17

Example: Framing

```
method demo(a: Account, l: List)
  requires a.bal ↦ B ∗ l.len ↦ L
  requires a.ta ↦ T ∗ a.ta.len ↦ TL
  ensures l.len ↦ L
{ a.deposit(200) }

class Account {
  var bal: int
  var ta: List

  method deposit(amount: int)
    requires this.bal ↦ B ∗ 0 < amount
    requires this.ta ↦ T ∗ this.ta.len ↦ TL
    ensures …
  { ta.add(amount) … }
}
```

Recall that x.f ↦ _ ∗ y.f ↦ _ implies x ≠ y. For the call `demo(a, a.getTransactions())`, l and a.ta are the same list, so demo's precondition l.len ↦ L ∗ a.ta.len ↦ TL cannot be established at the call site: the faulty call is rejected.
Page 18

Parallel Composition

$$\frac{\{P_1\}\ S_1\ \{Q_1\} \qquad \{P_2\}\ S_2\ \{Q_2\}}{\{P_1 * P_2\}\ S_1 \parallel S_2\ \{Q_1 * Q_2\}}$$

Disjointness of footprints ensures data-race freedom

(figure: S1 and S2 each run on their own partial heap)
Page 19

Implicit Dynamic Frames

The points-to assertion x.f ↦ v is split into a permission and a value constraint:

acc(x.f) ∗ x.f == v

Assertions must be self-framing (every heap location an assertion reads is covered by a permission in the same assertion).

```
method demo(a: Account, l: List)
  requires a.bal ↦ B ∗ l.len ↦ L
  ensures l.len ↦ L
{ a.deposit(200) }
```

becomes

```
method demo(a: Account, l: List)
  requires acc(a.bal) && acc(l.len)
  ensures acc(l.len) && l.len == old(l.len)
{ a.deposit(200) }
```

(In Viper syntax the separating conjunction is written `&&`.)
Page 20

Total-Heap Semantics

- Partial-heap semantics is not suitable: in acc(x.f) ∗ x.f == v, the conjunct x.f == v on its own does not describe a partial heap
- Define semantics relative to a total heap and a permission mask
  - x.f == v holds if heap(x,f) yields v
  - acc(x.f) holds if mask(x,f) yields true
  - P ∗ Q holds if the mask can be split into two compatible masks, in which P and Q hold

(figure: the total heap with x.f holding v, and the mask split between P and Q)
Page 21

Ownership Transfer

```
method demo(a: Account, l: List)
  requires acc(a.bal) && acc(l.len)
  ensures acc(l.len) && l.len == old(l.len)
{
  a.deposit(200)
}

class Account {
  var bal: int

  method deposit(amount: int)
    requires acc(this.bal) …
    ensures acc(this.bal) …
  { … }
}
```

(figure: the permission to a.bal moves from demo to deposit at the call and back at return; afterwards demo knows only that a.bal holds some value v', while l.len still holds w)
Page 22

Fractional Permissions

- Permissions can be split and recombined: acc(x.f, 1/2)
  - Read access requires a non-zero permission
  - Write access requires full permission
- Separating conjunction adds permissions: acc(x.f, 1/2) ∗ acc(x.f, 1/2) is equivalent to acc(x.f)
Page 23

Summary

- Modularity is important for scalability, components, and evolution
- Contracts enable modular verification
- Permissions
  - provide a solution to the frame problem
  - enable the verification of concurrent programs

(figure: the frame rule, the parallel composition rule, and the main/foo call graph)
Page 24

Chalice

- Home page: www.pm.inf.ethz.ch/research/chalice.html
- Try online: www.rise4fun.com/Chalice
- Download: chalice.codeplex.com
Page 25

(figure: verifier architecture. Left: each combination of programming language, specification language and logic has its own verifier. Right: several front-ends translate into one intermediate verification language, which is checked by a single verifier.)
Page 26

Outline

- Permission-based Verification
- The Viper Intermediate Language
- Building Verifiers
- Encoding of Advanced Verification Techniques
Page 27

Ownership Transfer (slide 21 repeated)
Page 28

Ownership Transfer

A call is verified against the callee's contract, and the frame rule lets the caller keep everything the contract does not mention:

$$\frac{\{P\}\ \mathbf{method}\ m\ \{Q\}}{\{P\}\ e.m()\ \{Q\}} \qquad\qquad \{P * R\}\ e.m()\ \{Q * R\}$$

Likewise for parallel composition:

$$\frac{\{P_1\}\ S_1\ \{Q_1\} \qquad \{P_2\}\ S_2\ \{Q_2\}}{\{P_1 * P_2\}\ S_1 \parallel S_2\ \{Q_1 * Q_2\}} \qquad\qquad \{P_1 * P_2 * R\}\ S_1 \parallel S_2\ \{Q_1 * Q_2 * R\}$$
Page 29

Inhale and Exhale

Analogues of assume and assert:

- inhale A means:
  - obtain all permissions required by A
  - assume all logical constraints
- exhale A means:
  - assert all logical constraints
  - check and remove all permissions required by A
  - havoc any locations to which all permission is lost

(figure: `inhale acc(x.f) ∗ x.f == v` adds x.f, holding v, to the permissions held; `exhale acc(x.f) ∗ x.f == v` removes it and its value becomes unknown)
Page 30

Encoding Ownership Transfer

A call e.m() with contract {P} method m {Q} is encoded as

```
exhale P
inhale Q
```

Parallel composition S1 || S2 (fork, then join) is encoded as

```
exhale P1
exhale P2
…
inhale Q1
inhale Q2
```
Page 31

```
method demo(a: Account, l: List)
  requires acc(a.bal) && acc(l.len)
  ensures acc(l.len) && l.len == old(l.len)
{ a.deposit(200) }

method deposit(amount: int)
  requires acc(this.bal)
  ensures acc(this.bal)
```

Verifying demo's body amounts to

```
inhale acc(a.bal) && acc(l.len)            // demo's precondition
exhale acc(a.bal)                          // deposit's precondition
inhale acc(a.bal)                          // deposit's postcondition
exhale acc(l.len) && l.len == old(l.len)   // demo's postcondition
```

The permission to l.len never leaves demo, so l.len is not havocked by the call and the postcondition is provable.
Page 32

Encoding Monitors

```
class Account {
  var bal: int
  invariant acc(this.bal)

  method deposit(amount: int) {
    acquire this
    this.bal := this.bal + amount
    release this
  }
}
```

acquire obtains the monitor invariant and release gives it up:

```
inhale acc(this.bal)
this.bal := this.bal + amount
exhale acc(this.bal)
```
Page 33

Abstraction

```
method demo(a: Account, l: List)
  requires acc(a.bal) && acc(l.len)
  ensures acc(l.len) && l.len == old(l.len)
{ a.deposit(200) }
```

Mentioning field names in contracts:

- Violates information hiding
- Cannot express access to a statically-unknown set of locations
Page 34

Recursive Predicates

```
predicate list(this: Ref) {
  acc(this.next) && acc(this.data) && (this.next != null ==> list(this.next))
}
```

(figure: a linked list starting at l)
Page 35

- Predicate instances are manipulated similarly to access permissions
  - Ownership is transferred via inhale and exhale: `inhale list(a)`, `exhale list(a)`
  - But P(x) ∗ P(x) is not equivalent to false, e.g. for `predicate P(this: Ref) { acc(this.f, 1/3) }`
- Folding and unfolding is done manually:

```
unfold list(l)
l.data := 7
fold list(l)
```

(figure: the list l with 7 written to the data field of its first node)
Page 36

Examples: Recursive Predicates

A list of non-negative values:

```
predicate list(this: Ref) {
  acc(this.next) && acc(this.data) &&
  (this.next != null ==> list(this.next)) && 0 <= this.data
}
```

A sorted list. The first attempt is not well-formed: this.next.data is inside the predicate instance list(this.next), so it must be accessed with unfolding:

```
predicate list(this: Ref) {
  acc(this.next) && acc(this.data) &&
  (this.next != null ==> list(this.next) && this.data <= this.next.data)
}

predicate list(this: Ref) {
  acc(this.next) && acc(this.data) &&
  (this.next != null ==> list(this.next) &&
    this.data <= unfolding list(this.next) in this.next.data)
}
```

A list segment from this to last:

```
predicate lseg(this: Ref, last: Ref) {
  this != last ==> acc(this.next) && acc(this.data) && lseg(this.next, last)
}
```
Pages 37-39

Limitations

- Extending footprints
- Sharing
- Traversal order

(figure: nodes v and w of a linked list)
Page 40

Quantified Permissions

```
predicate list(nodes: Set[Ref]) {
  forall n: Ref :: n in nodes ==> acc(n.next) && n.next in nodes
}
```

list(nodes) && v in nodes && w in nodes gives access to both v.next and w.next, in any order, without unfolding a recursive predicate.
Page 41

Abstraction (slide 33 repeated)
Page 42

Heap-Dependent Functions

- Predicates abstract over permissions
- Functions abstract over expressions

```
predicate list(this: Ref) {
  acc(this.next) && acc(this.data) && (this.next != null ==> list(this.next))
}

function length(this: Ref): Int
  requires list(this)
{
  unfolding list(this) in this.next == null ? 1 : 1 + length(this.next)
}
```
Page 43

Abstraction

```
method demo(a: Account, l: List)
  requires account(a) && list(l)
  ensures list(l) && length(l) == old(length(l))
{ a.deposit(200) }
```

Predicates and functions need not have definitions
Page 44

Function Framing

Heap-dependent functions are mathematical functions of their arguments and their footprint, so length(l) cannot change as long as the footprint of list(l) is unchanged.

```
function length(this: Ref): Int
  requires list(this)
{
  unfolding list(this) in this.next == null ? 1 : 1 + length(this.next)
}
```
Page 45

Summary

- Intermediate verification languages facilitate the development of program verifiers
- Inhale and exhale primitives express ownership transfer, e.g. `exhale acc(x.f) && x.f == v`
- Predicates and functions abstract over permissions and values, e.g. `function length(this: Ref): Int requires list(this)`
Page 46

Viper

- Home page: viper.ethz.ch
- Try online: viper.ethz.ch/examples
- Download: bitbucket.org/viperproject
- Download a version for the tutorial on Friday
Page 47

(figure: front-ends for Go, Rust, C11, Python, Chalice, Java and OpenCL all translate into the intermediate verification language, which is checked by one verifier)
Page 48

Outline

- Permission-based Verification
- The Viper Intermediate Language
- Building Verifiers
- Encoding of Advanced Verification Techniques
Page 49

(figure: front-ends translate into the intermediate verification language; the verifier performs verification condition generation and hands the result to an SMT solver)
Page 50

Verification Condition Generation

- For a given program, verification condition generation computes a logical formula whose validity implies the correctness of the program
- The verification condition reflects the semantics of the program and its specification
- We will compute verification conditions in two steps:
  - Encode the Viper program into guarded commands
  - Compute weakest preconditions of guarded-command programs
Page 51

Guarded Commands

```
S ::= x := E
    | S1; S2
    | S1 □ S2
    | assert P
    | assume P
    | havoc x
```

- Assertions P are first-order logic formulas, including quantifiers, uninterpreted functions, arithmetic, etc.
Page 52

Encoding into Guarded Commands

```
method abs(a: Int) returns (res: Int)
  ensures 0 <= res
{
  if (0 <= a) { res := a } else { res := -a }
}
```

The conditional becomes a nondeterministic choice whose branches are guarded by assume, and the postcondition is asserted at the end:

```
(assume 0 <= a; res := a
 □
 assume a < 0; res := -a);
assert 0 <= res
```
Page 53

Weakest Preconditions

To verify statement S, prove that wp(S, true) holds

$$
\begin{aligned}
wp(x := E,\ Q) &\equiv Q[E/x] \\
wp(S_1;\ S_2,\ Q) &\equiv wp(S_1,\ wp(S_2,\ Q)) \\
wp(S_1 \,\square\, S_2,\ Q) &\equiv wp(S_1,\ Q) \land wp(S_2,\ Q) \\
wp(\mathbf{assert}\ P,\ Q) &\equiv P \land Q \\
wp(\mathbf{assume}\ P,\ Q) &\equiv P \Rightarrow Q \\
wp(\mathbf{havoc}\ x,\ Q) &\equiv \forall x.\ Q
\end{aligned}
$$
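To make the two steps concrete (guarded commands, then weakest preconditions), here is an added Python example; it is not part of the lecture and not Viper code. It implements the six wp rules above over a small guarded-command AST and, in place of an SMT solver, checks validity of wp(S, true) by enumerating a bounded range of integers for the free variables (and for havoc, whose quantifier needs a bounded domain). The statement constructors, the encoding of slide 52's abs with a planted bug, and the contract-based encoding of slide 8's demo (the call to deposit replaced by havoc plus its postcondition, withdraw's precondition asserted at the call site) are my own construction.

```python
"""Guarded commands and weakest preconditions, checked by bounded enumeration.

Added example (not from the lecture). Predicates and expressions are Python
callables over a state, a dict mapping variable names to ints.
"""
from dataclasses import dataclass
from itertools import product
from typing import Callable, Dict, Union

State = Dict[str, int]
Pred = Callable[[State], bool]
Expr = Callable[[State], int]

@dataclass
class Assign:           # x := E
    var: str
    expr: Expr

@dataclass
class Seq:              # S1; S2
    s1: "Stmt"
    s2: "Stmt"

@dataclass
class Choice:           # S1 [] S2, nondeterministic choice
    s1: "Stmt"
    s2: "Stmt"

@dataclass
class Assert:           # assert P
    pred: Pred

@dataclass
class Assume:           # assume P
    pred: Pred

@dataclass
class Havoc:            # havoc x
    var: str

Stmt = Union[Assign, Seq, Choice, Assert, Assume, Havoc]

HAVOC_DOMAIN = range(-40, 41)   # values a havocked variable may take (range of the quantifier)
STATE_DOMAIN = range(-8, 9)     # values tried for each free variable when checking validity

def wp(s: Stmt, q: Pred) -> Pred:
    """Weakest precondition, one case per rule on the slide."""
    if isinstance(s, Assign):                       # Q[E/x]: evaluate Q with x bound to E
        return lambda st: q({**st, s.var: s.expr(st)})
    if isinstance(s, Seq):                          # wp(S1, wp(S2, Q))
        return wp(s.s1, wp(s.s2, q))
    if isinstance(s, Choice):                       # wp(S1, Q) and wp(S2, Q)
        p1, p2 = wp(s.s1, q), wp(s.s2, q)
        return lambda st: p1(st) and p2(st)
    if isinstance(s, Assert):                       # P and Q
        return lambda st: s.pred(st) and q(st)
    if isinstance(s, Assume):                       # P ==> Q
        return lambda st: (not s.pred(st)) or q(st)
    if isinstance(s, Havoc):                        # forall x :: Q (bounded here)
        return lambda st: all(q({**st, s.var: v}) for v in HAVOC_DOMAIN)
    raise TypeError(s)

def seq(*stmts: Stmt) -> Stmt:
    """S1; S2; ...; Sn as nested Seq."""
    first, *rest = stmts
    return first if not rest else Seq(first, seq(*rest))

def counterexample(s: Stmt, free_vars):
    """First state over STATE_DOMAIN that falsifies wp(S, true); None if S verifies."""
    vc = wp(s, lambda st: True)
    for vals in product(STATE_DOMAIN, repeat=len(free_vars)):
        st = dict(zip(free_vars, vals))
        if not vc(st):
            return st
    return None

# Slide 52: abs encoded as a choice over the two guarded branches, with the
# postcondition asserted at the end. The second version has a planted bug.
def abs_method(else_branch: Expr) -> Stmt:
    return seq(Choice(seq(Assume(lambda st: 0 <= st["a"]), Assign("res", lambda st: st["a"])),
                      seq(Assume(lambda st: st["a"] < 0), Assign("res", else_branch))),
               Assert(lambda st: 0 <= st["res"]))

ABS = abs_method(lambda st: -st["a"])
ABS_BUGGY = abs_method(lambda st: st["a"])           # forgot the negation

# Slide 8's demo, verified modularly: a.deposit(d) is replaced by its contract
# (havoc bal, assume the postcondition) and withdraw(w)'s precondition w <= bal
# is asserted at the call site. Amounts are kept small for the enumeration.
def demo_method(deposit: int, withdraw: int) -> Stmt:
    return seq(Assume(lambda st: 0 <= st["bal"]),                      # requires 0 <= a.bal
               Assign("old_bal", lambda st: st["bal"]),                # remember old(bal)
               Havoc("bal"),                                           # deposit may change bal ...
               Assume(lambda st: st["bal"] == st["old_bal"] + deposit),  # ... as its ensures says
               Assert(lambda st: withdraw <= st["bal"]))               # withdraw's requires

DEMO = demo_method(20, 10)
DEMO_BUGGY = demo_method(5, 10)                      # deposit too small to cover the withdrawal

if __name__ == "__main__":
    for name, stmt, fv in [("abs", ABS, ["a"]), ("abs (buggy)", ABS_BUGGY, ["a"]),
                           ("demo", DEMO, ["bal"]), ("demo (buggy)", DEMO_BUGGY, ["bal"])]:
        print(name, "verified" if counterexample(stmt, fv) is None else counterexample(stmt, fv))
```

Bounded enumeration can only refute a verification condition over unbounded integers, never prove it; that is why a real verifier hands wp(S, true) to an SMT solver, which decides the linear-arithmetic formulas these examples produce outright. The encoding of demo also shows the modular point of the first part: the callee's body is never looked at, only its contract.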
Page 54

Heap Model

- Define semantics relative to a total heap and a permission mask
  - x.f == v holds if heap(x,f) yields v
  - acc(x.f) holds if mask(x,f) yields true
- Model the heap as a total map heap : Ref × Field<T> → T
- Model the permission mask as a total map mask : Ref × Field<T> → Bool
Page 55

Encoding inhale

⟦_⟧ is the encoding function, a is an assertion, e is an expression (not containing permissions)

```
⟦inhale e⟧         = assume e
⟦inhale acc(e.f)⟧  = assume e ≠ null
                     assume ¬mask(e, f)
                     mask(e, f) := true
⟦inhale a1 ∗ a2⟧   = ⟦inhale a1⟧; ⟦inhale a2⟧
```
Page 56

`inhale acc(x.f) ∗ x.f == v` encodes to

```
assume x ≠ null
assume ¬mask(x, f)
mask(x, f) := true
assume heap(x, f) == v
```

`inhale acc(x.f) ∗ acc(y.f)` encodes to

```
assume x ≠ null
assume ¬mask(x, f)
mask(x, f) := true
assume y ≠ null
assume ¬mask(y, f)
mask(y, f) := true
```

(the second `assume ¬mask(y, f)`, coming after `mask(x, f) := true`, yields x ≠ y)
Page 57

Encoding exhale

```
⟦exhale e⟧         = assert e
⟦exhale acc(e.f)⟧  = assert mask(e, f)
                     mask(e, f) := false
⟦exhale a1 ∗ a2⟧   = ⟦exhale a1⟧; ⟦exhale a2⟧
```

After the permissions have been removed, every location to which no permission is held any more is havocked:

```
⟦exhale a⟧ = (as above);
             h := heap
             havoc heap
             assume ∀x, f :: mask(x, f) ⇒ heap(x, f) == h(x, f)
```
Page 58

`exhale acc(x.f) ∗ x.f == v` encodes to

```
assert mask(x, f)
mask(x, f) := false
assert heap(x, f) == v
// havoc heap(x, f)
```

`exhale acc(x.f) ∗ acc(y.f)` encodes to

```
assert mask(x, f)
mask(x, f) := false
assert mask(y, f)
mask(y, f) := false
// havoc heap(x, f), heap(y, f)
```
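The following Python program is an added example, neither from the lecture nor from the Viper project. It interprets the encoding of inhale and exhale above directly, extended with the fractional permissions of slide 22 and used for the ownership transfer of slides 30 and 31: a `State` holds a total heap and a permission mask, unknown heap values are fresh symbolic names, a failed assume drops the path and a failed assert is a verification error. The `State`, `Acc` and `Eq` classes and the three scenarios (slide 31's demo body, the aliasing call `demo(a, a.getTransactions())` of slides 10 and 17 checked against the slide-17 precondition, and a reader that holds only half the permission) are my own construction.

```python
"""Inhale/exhale over a total heap and a fractional permission mask.

Added example (not from the lecture). Locations are (reference, field) pairs;
a location keeps its (symbolic) value while some permission to it is held and
gets a fresh symbol, i.e. is havocked, once all permission has been exhaled.
"""
from fractions import Fraction

class VerificationError(Exception):
    """A failed assert: the program does not verify."""

class Infeasible(Exception):
    """A failed assume: the path cannot occur and is not explored further."""

class Acc:                                    # acc(x.f, p); p defaults to full permission
    def __init__(self, ref, field, perm=1):
        self.loc, self.perm = (ref, field), Fraction(perm)

class Eq:                                     # x.f == value
    def __init__(self, ref, field, value):
        self.loc, self.value = (ref, field), value

class State:
    def __init__(self):
        self.heap = {}                        # total heap: loc -> int or symbolic name
        self.mask = {}                        # permission mask: loc -> Fraction held
        self._n = 0

    def fresh(self):
        self._n += 1
        return f"v{self._n}"

    def perm(self, loc):
        return self.mask.get(loc, Fraction(0))

    def value(self, loc):                     # heap(x,f); untouched locations are unconstrained
        if loc not in self.heap:
            self.heap[loc] = self.fresh()
        return self.heap[loc]

    def read(self, loc):                      # x.f in code: needs non-zero permission
        if self.perm(loc) == 0:
            raise VerificationError(f"insufficient permission to read {loc[0]}.{loc[1]}")
        return self.value(loc)

    def write(self, loc, value):              # x.f := v: needs full permission
        if self.perm(loc) < 1:
            raise VerificationError(f"insufficient permission to write {loc[0]}.{loc[1]}")
        self.heap[loc] = value

    def inhale(self, assertions):
        """Obtain the permissions in a1 && a2 && ... and assume its constraints."""
        for a in assertions:
            if isinstance(a, Acc):
                if a.loc[0] is None:                              # assume e != null
                    raise Infeasible("acc(null.f)")
                if self.perm(a.loc) + a.perm > 1:                 # boolean mask: assume !mask(e,f)
                    raise Infeasible(f"more than full permission to {a.loc}")
                self.mask[a.loc] = self.perm(a.loc) + a.perm
            else:
                cur = self.read(a.loc)                            # assume heap(x,f) == v
                if isinstance(cur, str):
                    self.heap[a.loc] = a.value                    # symbolic value is now known
                elif cur != a.value:
                    raise Infeasible(f"{a.loc} == {a.value} contradicts {cur}")

    def exhale(self, assertions):
        """Assert the constraints, remove the permissions, havoc what was given away."""
        readable = dict(self.mask)                                # permissions when the exhale starts
        for a in assertions:
            if isinstance(a, Acc):
                have = self.perm(a.loc)
                if have < a.perm:                                 # assert mask(e,f)
                    raise VerificationError(f"insufficient permission to {a.loc[0]}.{a.loc[1]}:"
                                            f" have {have}, need {a.perm}")
                self.mask[a.loc] = have - a.perm
            else:
                if readable.get(a.loc, 0) == 0:
                    raise VerificationError(f"insufficient permission to read {a.loc[0]}.{a.loc[1]}")
                if self.value(a.loc) != a.value:                  # assert heap(x,f) == v
                    raise VerificationError(f"cannot prove {a.loc[0]}.{a.loc[1]} == {a.value}")
        for loc in list(self.heap):           # h := heap; havoc heap; assume mask ==> unchanged
            if self.perm(loc) == 0:
                self.heap[loc] = self.fresh()

def run(scenario):
    """Run a scenario and report the verifier's verdict as a string."""
    try:
        return scenario()
    except VerificationError as e:
        return f"error: {e}"
    except Infeasible as e:
        return f"infeasible: {e}"

def demo_body(deposit_takes_len=False):
    """Slide 31: demo requires acc(a.bal) && acc(l.len), ensures acc(l.len) && l.len == old(l.len),
    body a.deposit(200). With deposit_takes_len, deposit's contract also claims acc(l.len),
    the slide-17 situation where l is a's own transaction list."""
    st = State()
    st.inhale([Acc("a", "bal"), Acc("l", "len")])                  # demo's precondition
    old_len = st.value(("l", "len"))                               # old(l.len)
    callee = [Acc("a", "bal")] + ([Acc("l", "len")] if deposit_takes_len else [])
    st.exhale(callee)                                              # deposit's precondition
    st.inhale(callee)                                              # deposit's postcondition
    st.exhale([Acc("l", "len"), Eq("l", "len", old_len)])          # demo's postcondition
    return "verified"

def aliasing_call():
    """Slides 10/17: demo(a, a.getTransactions()) against the slide-17 precondition
    acc(a.bal) && acc(l.len) && acc(a.ta) && acc(a.ta.len); the caller owns a and the
    list t that a.ta points to, and passes l = t."""
    st = State()
    st.inhale([Acc("a", "bal"), Acc("a", "ta"), Acc("t", "len")])
    st.exhale([Acc("a", "bal"), Acc("t", "len"), Acc("a", "ta"), Acc("t", "len")])
    return "verified"

def shared_read():
    """Slide 22: with half the permission given to another thread, x.f may be read, not written."""
    st = State()
    st.inhale([Acc("x", "f"), Eq("x", "f", 5)])
    st.exhale([Acc("x", "f", Fraction(1, 2))])                     # fork a reader
    value = st.read(("x", "f"))                                    # still known to be 5
    write = run(lambda: st.write(("x", "f"), 6) or "written")      # rejected: only 1/2 held
    st.inhale([Acc("x", "f", Fraction(1, 2))])                     # join the reader
    st.write(("x", "f"), 6)                                        # full permission again
    return value, write, st.read(("x", "f"))
```

The three scenarios reproduce the lecture's verdicts: demo's body verifies because the permission to l.len stays with demo, so the location keeps its value across the call; as soon as deposit's contract takes acc(l.len), the location is havocked during the call and the postcondition l.len == old(l.len) becomes unprovable; and the aliasing call fails at the call site because the second acc(t.len) cannot be exhaled, which is exactly the x.f ↦ _ ∗ y.f ↦ _ ⟹ x ≠ y argument of slide 17 in encoded form. The havoc is done once per exhale, after all permissions are removed, matching the h := heap / havoc heap / assume step on slide 57.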
Page 59

Predicates

- For each predicate, introduce a function that maps a predicate instance to a field name
- Use this field to index the mask

```
predicate lseg(this: Ref, last: Ref)       lsegField : Ref × Ref → Field<Int>

⟦inhale lseg(a, b)⟧ = mask(null, lsegField(a, b)) := true
```
Page 60
Heap-Dependent Functions

Encode a Viper function as a mathematical function; function applications evaluate the footprint.

function balance(this: Ref): Int          balance: Ref × Heap → Int   (depends on the whole heap)
  requires acc(this.bal)                  balance: Ref × Int → Int    (depends only on the footprint's value)

balance(x)                           ⇒    balance(x, heap(x.bal))

Passing only the value of the footprint, rather than the whole heap, is what lets the prover frame the function value across modifications of unrelated locations.
Page 61
Heap-Dependent Functions

Encode a Viper function as a mathematical function. Give predicate instances a version number that changes each time the predicate's footprint may change.

function length(this: Ref): Int            length: Ref × ?? → Int
  requires list(this)                      (the footprint is a predicate instance, not a single field value)

length(x)                            ⇒     length(x, heap(null, listField(x)))

The version number stored at heap(null, listField(x)) stands in for the footprint, so length gets the signature Ref × Int → Int, just like balance: Ref × Int → Int.
Page 62
Verification condition generation

[Architecture diagram] Several front-ends translate into the intermediate verification language; a verification condition generation back end, implemented via Boogie, feeds an SMT solver.
Page 63
Verification condition generation

[Architecture diagram, extended] Besides verification condition generation via Boogie, a second back end, symbolic execution, sits on the intermediate verification language and also queries an SMT solver.
Page 64
Symbolic Execution

Symbolic execution simulates the execution of a program statically, using symbolic rather than concrete values:
- introduce symbolic variables to represent inputs.

A configuration consists of:
- the statement to be executed,
- an environment, mapping program variables to expressions over the symbolic variables,
- a path condition, a logic formula representing information about the symbolic variables.
Page 65

method abs(a: Int) returns (res: Int)
  ensures 0 <= res
{
  if(0 <= a) { res := a } else { res := -a }
}

Symbolic execution of the body, with the postcondition checked as a trailing assert:

| Statement | Environment (a, res) | Path condition |
|---|---|---|
| if(0 <= a) { res := a } else { res := -a }; assert 0 <= res | A, R | true |
| res := a; assert 0 <= res | A, R | 0 ≤ A |
| assert 0 <= res | A, A | 0 ≤ A |
| check (0 ≤ A) ⇒ (0 ≤ A) | | |
| res := -a; assert 0 <= res | A, R | A < 0 |
| assert 0 <= res | A, -A | A < 0 |
| check (A < 0) ⇒ (0 ≤ -A) | | |
Page 66
Algorithm

s is the program to be verified; stop is an artificial stop-marker; env0 maps each program variable to a fresh symbolic variable.

configs := { (s;stop, env0, true) }
while configs ≠ { } do
    c := take(configs)
    r := step(c)
    if r = failure then return failure
    configs := configs ∪ r
end
return success
Page 67
Algorithm

eval(e) symbolically evaluates an expression e to a symbolic expression; check is a query to the SMT solver.

step(x := e; s, env, pc)                    = { (s, env[x := eval(e)], pc) }
step(if(e) { s1 } else { s2 }; s, env, pc)  = { (s1;s, env, pc ∧ eval(e)), (s2;s, env, pc ∧ ¬eval(e)) }
step(assert e; s, env, pc)                  = if check(pc ⇒ eval(e)) then { (s, env, pc) } else failure
step(stop, env, pc)                         = { }
Page 68
Heap Model

Extend configurations by a symbolic heap. Model the heap as a set of heap chunks: the permission acc(x.f) together with the value of x.f is represented by a chunk

    Er.f ↦ Ev

where Er and Ev are symbolic expressions (receiver and value). The symbolic heap models the partial-heap semantics.
Page 69
Executing inhale

step(inhale e; s, env, pc, h)         = { (s, env, pc ∧ eval(e), h) }
step(inhale acc(e.f); s, env, pc, h)  = { (s, env, pc ∧ eval(e) ≠ null ∧ ⋀_{E.f ↦ _ ∈ h} E ≠ eval(e), h ∪ { eval(e).f ↦ V }) }   (V fresh)
step(inhale a1 && a2; s, env, pc, h)  = step(inhale a1; inhale a2; s, env, pc, h)
Page 70

inhale acc(x.f); inhale x.f == v

| Statement | Environment (x, v) | Path condition | Heap |
|---|---|---|---|
| inhale acc(x.f); inhale x.f == v | X, V | true | { } |
| inhale x.f == v | X, V | true | { X.f ↦ W } |
| (done) | X, V | W = V | { X.f ↦ W } |

inhale acc(x.f); inhale acc(y.f)

| Statement | Environment (x, y) | Path condition | Heap |
|---|---|---|---|
| inhale acc(x.f); inhale acc(y.f) | X, Y | true | { } |
| inhale acc(y.f) | X, Y | true | { X.f ↦ W } |
| (done) | X, Y | X ≠ Y | { X.f ↦ W, Y.f ↦ Z } |

(The tables leave out the X ≠ null and Y ≠ null facts that the rule on page 69 also adds.)
Page 71
Executing exhale

Problem: in exhale acc(x.f) && x.f == v, once the chunk for x.f has been removed, x.f can no longer be evaluated, although the pure conjunct still has to be checked.
Solution: evaluate expressions in the heap before the exhale.

| Statement | Environment (x, v) | Path condition | Heap |
|---|---|---|---|
| inhale acc(x.f) && x.f == v; exhale acc(x.f) && x.f == v | X, V | true | { } |
| inhale x.f == v; exhale acc(x.f) && x.f == v | X, V | true | { X.f ↦ W } |
| exhale acc(x.f) && x.f == v | X, V | W = V | { X.f ↦ W } |
| exhale x.f == v | X, V | W = V | { } |
Page 72
Executing exhale

eval_h0(e) evaluates e in h0, the heap as it was before the exhale started; the continuation step'(r, h0) resumes the remaining exhale a2 with that same h0.

step'(exhale e; s, env, pc, h, h0)         = if check(pc ⇒ eval_h0(e)) then { (s, env, pc, h) } else failure
step'(exhale acc(e.f); s, env, pc, h, h0)  = if eval_h0(e).f ↦ _ ∈ h then { (s, env, pc, h \ { eval_h0(e).f ↦ _ }) } else failure
step'(exhale a1 && a2; s, env, pc, h, h0)  = let r = step'(exhale a1; exhale a2; s, env, pc, h, h0) in
                                             if r = failure then failure else step'(r, h0)
step(exhale a; s, env, pc, h)              = step'(exhale a; s, env, pc, h, h)
Page 73
Predicates

Predicate instances are represented by heap chunks of the form

    p(E1, …, En) ↦ Ev

where Ev is a symbolic expression denoting the instance's footprint.

predicate list(this: Ref) {
  acc(this.next) && acc(this.data) && (this.next != null ==> list(this.next))
}

FP_list ::= (Ref, Int, FP_list) |
Page 74
Heap-Dependent Functions

Symbolic expressions may contain function applications. Predicate footprints allow framing.

function balance(this: Ref): Int      balance: Ref × Int → Int
  requires acc(this.bal)

function length(this: Ref): Int       length: Ref × FP_list → Int
  requires list(this)
Page 75
Pros and Cons of Symbolic Execution

Pros:
- Small prover queries lead to better, more predictable performance.
- Higher control over the proof search enables dedicated algorithms.

Cons:
- Separation of path and heap information can lead to incompleteness.
- Internal treatment of heap reasoning requires dedicated algorithms.
Page 76
Viper

[Architecture diagram] Front-ends translate into the intermediate verification language, on which three back ends operate: verification condition generation via Boogie and symbolic execution (both querying an SMT solver), and abstract interpretation.
Page 77
Summary

SMT solvers can be used to automate permission-based verification.

Verification condition generation encodes the total-heap semantics. VCG can be implemented as an encoding into existing languages and tools.

Symbolic execution implements the partial-heap semantics. It performs heap reasoning internally and uses the SMT solver to reason about value information.
Page 78
Outline

- Permission-based Verification
- The Viper Intermediate Language
- Building Verifiers
- Encoding of Advanced Verification Techniques
Page 79
Reminder: Encoding Monitors

class Account {
  var bal: int
  invariant acc(this.bal)

  method deposit(amount: int) {
    acquire this
    this.bal := this.bal + amount
    release this
  }
}

Encoding of the method body:
    inhale acc(this.bal)
    this.bal := this.bal + amount
    exhale acc(this.bal)
Page 80
Non-Blocking Data Structures

Permissions ensure data race freedom:
- monitors and other synchronization are used to transfer ownership between threads.

Non-blocking data structures can increase performance by allowing extra concurrency:
- synchronization is done through atomic operations such as compare-and-swap (CAS);
- data races are permitted.

typedef int SpinLock;

void Lock(SpinLock* sl) {
  while(CAS(sl, 0, 1)) ;   // spins until the swap from 0 to 1 succeeds (CAS here reports the old value)
}

void UnLock(SpinLock* sl) {
  *sl = 0;                 // plain write: races with the CAS in Lock
}
Page 81
Weak Memory

Modern hardware often does not provide sequentially consistent shared memory. Weak memory permits behaviors that are not possible under sequential consistency. However, data-race-free programs have only sequentially consistent behaviors.

a = 0; b = 0;
Thread 1: a = 1; print(b);      Thread 2: b = 1; print(a);

Possible results:
under SC: 10, 01, 11
under WM: also 00
Page 82
C11

The C11 memory model provides several kinds of variables:
- non-atomic variables: data races are errors;
- atomic variables with release-write and acquire-read: writes and reads are synchronized.

Relaxed separation logic (RSL) supports some features of the C11 memory model.

n = allocNA(0);
a = allocRA(0);
Thread 1: *n = 5; a.store(1);      Thread 2: if(a.load() == 1) assert *n == 5;
![Page 83: Modular Program Verification - SRI Internationalfm.csl.sri.com/SSFT19/viper-lecture.pdf · 2020. 3. 17. · 2 TimSort is the default sorting algorithm for Collections in Sun’s JDK,](https://reader036.vdocuments.mx/reader036/viewer/2022071021/5fd55fa90090c77cc41842cf/html5/thumbnails/83.jpg)
{ x _ } *x = v { x v }
Non-Atomic VariablesPermissions prevent data races on non-atomic variables
83
{ true } x = allocNA(v) { x v }
{ x V } t = *x { x V t = V }
Page 84
Release-Acquire

Races on atomic variables are permitted. Release-acquire can be seen as message passing, and messages may transfer ownership of non-atomic variables.

n = allocNA(0);
a = allocRA(0);
Thread 1: *n = 5; a.store(1);      Thread 2: if(a.load() == 1) assert *n == 5;
Page 85
Reminder: Monitor Invariants

A monitor invariant Q specifies an assertion that holds when the monitor is not currently held. Acquire transfers ownership of Q from the monitor to the thread; release transfers ownership of Q from the thread to the monitor.

class Account {
  var bal: int
  invariant acc(this.bal)

  method deposit(amount: int) {
    acquire this
    this.bal := this.bal + amount
    release this
  }
}
Page 86
Location Invariants

A location invariant Q(v) specifies an assertion that holds when the location has value v. An acquire-read of value v transfers ownership of Q(v) from the atomic variable to the thread; a release-write of value v transfers ownership of Q(v) from the thread to the atomic variable.

n = allocNA(0);
a = allocRA(0);
Thread 1: *n = 5; a.store(1);      Thread 2: if(a.load() == 1) assert *n == 5;

Q(v) = n ↦ 5   if v = 1
       true    otherwise
![Page 87: Modular Program Verification - SRI Internationalfm.csl.sri.com/SSFT19/viper-lecture.pdf · 2020. 3. 17. · 2 TimSort is the default sorting algorithm for Collections in Sun’s JDK,](https://reader036.vdocuments.mx/reader036/viewer/2022071021/5fd55fa90090c77cc41842cf/html5/thumbnails/87.jpg)
Choose location invariant when allocating an atomic location
Release-write gives up ownership
Acquire-read gains ownership
Proof Rules
87
{ Q(v) } x = allocRA(v) { RelQ(x) AcqQ(x) }
{ RelQ(x) Q(v) } x.store(v) { RelQ(x) }
{ AcqQ(x) } t = x.load() { Q(t) AcqQ(x) }
Page 88
Proof Outline

Q(v) = n ↦ 5 if v = 1, true otherwise

{ true }
n = allocNA(0);
{ n ↦ 0 }
a = allocRA(0);
{ n ↦ 0 ∗ Rel_Q(a) ∗ Acq_Q(a) }

Thread 1:                         Thread 2:
{ n ↦ 0 ∗ Rel_Q(a) }              { Acq_Q(a) }
*n = 5;                           if(a.load() == 1)
{ n ↦ 5 ∗ Rel_Q(a) }                { Q(1) ∗ Acq_Q(a) }
a.store(1);                         assert *n == 5;
{ Rel_Q(a) }

allocRA(0) requires Q(0), which is true, so nothing is given up at allocation; a.store(1) gives up Q(1) = n ↦ 5, which thread 2 gains when its acquire-read returns 1.
Page 89
Proof Rules

{ Acq_Q(x) } t = x.load() { Q(t) ∗ Acq_Q(x) }

Reading the same value more than once would duplicate permissions:

x = a.load();
y = a.load();
if(x == 1 && y == 1)
  assert false;

With Q(v) = n ↦ 5 if v = 1 and true otherwise, two reads of 1 would yield n ↦ 5 ∗ n ↦ 5, an unsatisfiable assertion from which assert false follows.

Fixed rule: once Q(t) has been gained for the value t, the invariant carried by the acquire permission is weakened to true for t:

{ Acq_Q(x) } t = x.load() { Q(t) ∗ Acq_{Q[t := true]}(x) }
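To make the ownership transfer of the release/acquire rules concrete, the following Python is an added example (not RSL's or Viper's code): a checker that tracks the multiset of resources a thread owns and applies the proof rules of pages 83 and 87 as operations, with the fix of page 89 switchable so that the duplication it prevents becomes visible. The Ledger class, fork, INVARIANTS and the tuple encoding of assertions are this example's own; atomic loads take the value t the proof case-splits on.

```python
"""Resource-ledger checker for the RSL rules of pages 83 and 87 to 89 (added
example; Ledger, fork, INVARIANTS and the tuple encoding are its own).
A thread's assertion is a multiset of resources: ("pt", loc, v) for loc ↦ v,
("Rel", loc) for Rel_Q(loc) and ("Acq", loc, seen) for Acq_Q(loc), where
`seen` holds the values whose Q(v) this thread has already gained (the
Acq_{Q[t := true]} of page 89). A location invariant Q maps a value to the
list of resources it owns. load_ra takes the value t the proof case-splits on."""

INVARIANTS = {}  # atomic location -> Q


class ProofError(Exception):
    pass


class Ledger:
    """The resources one thread currently owns."""

    def __init__(self, resources=(), fixed_rule=True):
        self.res = list(resources)
        self.fixed_rule = fixed_rule  # False: the naive load rule of page 87

    def take(self, r):  # consume one copy (separating conjunction: no double use)
        if r not in self.res:
            raise ProofError(f"missing resource {r}")
        self.res.remove(r)

    def find(self, tag, loc):
        for r in self.res:
            if r[0] == tag and r[1] == loc:
                return r
        raise ProofError(f"missing {tag} resource for {loc}")

    # non-atomic locations (page 83): every access needs loc ↦ _
    def alloc_na(self, loc, v):
        self.res.append(("pt", loc, v))

    def store_na(self, loc, v):
        self.take(self.find("pt", loc))
        self.res.append(("pt", loc, v))

    def load_na(self, loc):
        return self.find("pt", loc)[2]

    # atomic locations with release/acquire (page 87)
    def alloc_ra(self, loc, v, q):
        for r in q(v):  # Q(v) is handed over to the location
            self.take(r)
        INVARIANTS[loc] = q
        self.res += [("Rel", loc), ("Acq", loc, frozenset())]

    def store_ra(self, loc, v):
        self.find("Rel", loc)  # Rel_Q(loc) is kept ...
        for r in INVARIANTS[loc](v):  # ... but Q(v) is given up
            self.take(r)

    def load_ra(self, loc, t):
        acq = self.find("Acq", loc)
        if t in acq[2] and self.fixed_rule:
            return t  # Q(t) was gained before: nothing more to acquire
        self.take(acq)
        self.res.append(("Acq", loc, acq[2] | {t}))
        self.res += INVARIANTS[loc](t)
        return t

    def fork(self, resources):  # parallel composition: split the resources
        child = Ledger(fixed_rule=self.fixed_rule)
        for r in resources:
            self.take(r)
            child.res.append(r)
        return child

    def inconsistent(self):  # loc ↦ v ∗ loc ↦ w is unsatisfiable: it proves anything
        locs = [r[1] for r in self.res if r[0] == "pt"]
        return len(locs) != len(set(locs))


def q_flag(v):
    """Q(v) = n ↦ 5 if v = 1, true otherwise (page 86)."""
    return [("pt", "n", 5)] if v == 1 else []


def message_passing():
    """Proof outline of page 88; returns the value thread 2 reads from *n."""
    main = Ledger()
    main.alloc_na("n", 0)
    main.alloc_ra("a", 0, q_flag)  # Q(0) = true, so nothing is given up
    t1 = main.fork([("pt", "n", 0), ("Rel", "a")])
    t2 = main.fork([("Acq", "a", frozenset())])
    t1.store_na("n", 5)
    t1.store_ra("a", 1)  # releases n ↦ 5 into the location
    t2.load_ra("a", 1)  # the branch in which the load reads 1: gains n ↦ 5
    return t2.load_na("n")


def double_read(fixed_rule):
    """Page 89: read 1 twice; True if the thread ends up with n ↦ 5 ∗ n ↦ 5."""
    INVARIANTS["a"] = q_flag
    t = Ledger([("Acq", "a", frozenset())], fixed_rule)
    t.load_ra("a", 1)
    t.load_ra("a", 1)
    return t.inconsistent()


def read_without_acquire():
    """Reading *n with only Acq_Q(a) in hand is rejected: no n ↦ _ resource."""
    try:
        Ledger([("Acq", "a", frozenset())]).load_na("n")
    except ProofError as e:
        return str(e)
```

message_passing replays the outline of page 88 and returns 5. double_read(False) applies the original load rule twice to the read value 1 and ends up with n ↦ 5 twice, the unsatisfiable assertion from which assert false would follow; with the fixed rule the second read gains nothing. read_without_acquire shows that thread 2 cannot touch *n before its acquire-read has handed it Q(1).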
Page 90
Viper

[Architecture diagram] Front-ends for Chalice, OpenCL, Go, Rust, C11, Python and Java translate into the intermediate verification language; the back ends are verification condition generation via Boogie and symbolic execution (both querying an SMT solver) and abstract interpretation.
Page 91

Modularity is important for scalability, components, and evolution. [Diagram: main calls foo.]

Permissions enable framing and reasoning about concurrency:

Frame rule:
    { P } S { Q }
    ------------------------
    { P ∗ R } S { Q ∗ R }

Parallel composition:
    { P1 } S1 { Q1 }    { P2 } S2 { Q2 }
    ----------------------------------------
    { P1 ∗ P2 } S1 || S2 { Q1 ∗ Q2 }

Viper lets you encode a wide variety of reasoning techniques. Intermediate languages enable reuse of infrastructure.
Page 92
References: Lecture 1

J. C. Reynolds: Separation Logic: A Logic for Shared Mutable Data Structures. LICS 2002
P. W. O'Hearn: Resources, Concurrency and Local Reasoning. CONCUR 2004
J. Smans, B. Jacobs, F. Piessens: Implicit Dynamic Frames: Combining Dynamic Frames and Separation Logic. ECOOP 2009
M. J. Parkinson, A. J. Summers: The Relationship between Separation Logic and Implicit Dynamic Frames. Logical Methods in Computer Science 8(3), 2012
K. R. M. Leino, P. Müller: A Basis for Verifying Multi-threaded Programs. ESOP 2009
Page 93
References: Lecture 2

P. Müller, M. Schwerhoff, A. J. Summers: Viper: A Verification Infrastructure for Permission-Based Reasoning. VMCAI 2016
K. R. M. Leino, P. Müller: A Basis for Verifying Multi-threaded Programs. ESOP 2009
P. Müller, M. Schwerhoff, A. J. Summers: Automatic Verification of Iterated Separating Conjunctions using Symbolic Execution. CAV 2016
M. J. Parkinson, G. M. Bierman: Separation Logic and Abstraction. POPL 2005
Page 94
References: Lecture 3

K. R. M. Leino, P. Müller: A Basis for Verifying Multi-threaded Programs. ESOP 2009
S. Heule, I. T. Kassios, P. Müller, A. J. Summers: Verification Condition Generation for Permission Logics with Abstract Predicates and Abstraction Functions. ECOOP 2013
M. Barnett, B.-Y. E. Chang, R. DeLine, B. Jacobs, K. R. M. Leino: Boogie: A Modular Reusable Verifier for Object-Oriented Programs. FMCO 2005
J. Berdine, C. Calcagno, P. W. O'Hearn: Smallfoot: Modular Automatic Assertion Checking with Separation Logic. FMCO 2005
J. Smans, B. Jacobs, F. Piessens: Heap-Dependent Expressions in Separation Logic. FMOODS/FORTE 2010
I. T. Kassios, P. Müller, M. Schwerhoff: Comparing Verification Condition Generation with Symbolic Execution: An Experience Report. VSTTE 2012
Page 95
References: Lecture 4

A. J. Summers, P. Müller: Automating Deductive Verification for Weak-Memory Programs. TACAS 2018
P. Müller, M. Schwerhoff, A. J. Summers: Viper: A Verification Infrastructure for Permission-Based Reasoning. VMCAI 2016
V. Vafeiadis, C. Narayan: Relaxed Separation Logic: A Program Logic for C11 Concurrency. OOPSLA 2013