verifying safety policies with size properties and alias controls wei ngan chin 1,2, siau-cheng khoo...
TRANSCRIPT
![Page 1: Verifying Safety Policies with Size Properties and Alias Controls Wei Ngan Chin 1,2, Siau-Cheng Khoo 1, Shengchao Qin 3, Corneliu Popeea 1, Huu Hai Nguyen](https://reader035.vdocuments.mx/reader035/viewer/2022070404/56649f345503460f94c51fc4/html5/thumbnails/1.jpg)
Verifying Safety Policies with Size Properties and Alias Controls
Wei Ngan Chin1,2, Siau-Cheng Khoo1, Shengchao Qin3, Corneliu Popeea1, Huu Hai Nguyen2
1 National University of Singapore2 Singapore-MIT Alliance
3 University of Durham
![Page 2: Verifying Safety Policies with Size Properties and Alias Controls Wei Ngan Chin 1,2, Siau-Cheng Khoo 1, Shengchao Qin 3, Corneliu Popeea 1, Huu Hai Nguyen](https://reader035.vdocuments.mx/reader035/viewer/2022070404/56649f345503460f94c51fc4/html5/thumbnails/2.jpg)
2
Background
• Uses of Size Analysis :• array bound check elimin. [Xi-Pfenning'98]• data structure invariance [Xi-Pfenning'99]• termination analysis [Lee-Jones'01]• space complexity [Hofman-Jost'03]
• Current Status :• mostly for declarative languages (functional + logic)• restricted imperative language (e.g. Xanadu)
analyseandverify
![Page 3: Verifying Safety Policies with Size Properties and Alias Controls Wei Ngan Chin 1,2, Siau-Cheng Khoo 1, Shengchao Qin 3, Corneliu Popeea 1, Huu Hai Nguyen](https://reader035.vdocuments.mx/reader035/viewer/2022070404/56649f345503460f94c51fc4/html5/thumbnails/3.jpg)
3
Our Goal
• Static Verification for Object-Based Programs
• Main Challenges :• objects may mutate• objects may be aliased
• Our ApproachUse size analysis and alias controls to specify and verify safety policies
![Page 4: Verifying Safety Policies with Size Properties and Alias Controls Wei Ngan Chin 1,2, Siau-Cheng Khoo 1, Shengchao Qin 3, Corneliu Popeea 1, Huu Hai Nguyen](https://reader035.vdocuments.mx/reader035/viewer/2022070404/56649f345503460f94c51fc4/html5/thumbnails/4.jpg)
4
Type System for Size Analysis
• Uses annotated types ::= c<s1,…,sm>
• Types are annotated with size properties that capture:
Values : bool<b>, int<n>
Lengths : Array<s>, List<n>, Tree<s,h>
value True --> b=1value False --> b=0
value 3 --> n=3
![Page 5: Verifying Safety Policies with Size Properties and Alias Controls Wei Ngan Chin 1,2, Siau-Cheng Khoo 1, Shengchao Qin 3, Corneliu Popeea 1, Huu Hai Nguyen](https://reader035.vdocuments.mx/reader035/viewer/2022070404/56649f345503460f94c51fc4/html5/thumbnails/5.jpg)
5
Methods with Size Annotation
mn (1 v1, … , n vn) where pre ; post { body }
• Examples
int<r> add (int<a> x, int<b> y) where true ; (r=a+b) { x+y }
int<r> sub (Array<s> A, int<i> i) where (0is) ; true { A[i] }
![Page 6: Verifying Safety Policies with Size Properties and Alias Controls Wei Ngan Chin 1,2, Siau-Cheng Khoo 1, Shengchao Qin 3, Corneliu Popeea 1, Huu Hai Nguyen](https://reader035.vdocuments.mx/reader035/viewer/2022070404/56649f345503460f94c51fc4/html5/thumbnails/6.jpg)
6
Object with Size Invariant
• AVL Tree: s – number of nodes in treeh – height of tree
adt AVL<s,h> where s=1+s1+s2 Æ h=1+max(h1,h2) ;
s¸0 Æ h¸0 Æ -1·h1-h2·1
{ int<v> val ; AVL<s1,h1> left ;
AVL<s2,h2> right; … }
void insert (AVL<s,h> t, int<n> n) where true ; s’=s+1 Æ h·h’·h+1 { ... }
inv - AVL Tree is height-balanced
AVL’s invariant is preserved after node insertion
def - size definition
left sub-tree
right sub-tree
element value
![Page 7: Verifying Safety Policies with Size Properties and Alias Controls Wei Ngan Chin 1,2, Siau-Cheng Khoo 1, Shengchao Qin 3, Corneliu Popeea 1, Huu Hai Nguyen](https://reader035.vdocuments.mx/reader035/viewer/2022070404/56649f345503460f94c51fc4/html5/thumbnails/7.jpg)
7
adt List<n> where n=m+1 ; n0 { int<v> val ; List<m> next; void setNext (List<n> x, List<l> y) where n>0 ; n’=l+1 { x.next = y } …}
Mutability & Aliasing
• Problem with aliasing and mutability :List<x> a = new List(5,new List(6,null)); // x’=2List<y> b = a; // y’=x Æ x’=xsetNext(b,null); // y’=1 Æ x’=x
Unsound conclusion: x’=2 Æ y’=1
tail of the list
![Page 8: Verifying Safety Policies with Size Properties and Alias Controls Wei Ngan Chin 1,2, Siau-Cheng Khoo 1, Shengchao Qin 3, Corneliu Popeea 1, Huu Hai Nguyen](https://reader035.vdocuments.mx/reader035/viewer/2022070404/56649f345503460f94c51fc4/html5/thumbnails/8.jpg)
8
Alias Controls
Adopted annotations : Immutability + Uniqueness
Each reference (field/param/local var) is marked:• Read-Only (R) : always refers to the same object.• Unique (U) : sole reference to an object. • Shared (S) : maybe globally aliased.• Lent-Once (L) : unique parameter temporarily lent.
Goal: precisely and soundly capture size-properties.
![Page 9: Verifying Safety Policies with Size Properties and Alias Controls Wei Ngan Chin 1,2, Siau-Cheng Khoo 1, Shengchao Qin 3, Corneliu Popeea 1, Huu Hai Nguyen](https://reader035.vdocuments.mx/reader035/viewer/2022070404/56649f345503460f94c51fc4/html5/thumbnails/9.jpg)
9
Size Property for List (1)
List with Read-Only (R) tail.adt List<n> where n=m+1 ; n¸0
{ int<v>@S val ; List<m>@R next ;
:}
read-only
List<a>@S x;List<b>@S y;x=y;y.val=4;y.next=x;
freely shared and trackable
![Page 10: Verifying Safety Policies with Size Properties and Alias Controls Wei Ngan Chin 1,2, Siau-Cheng Khoo 1, Shengchao Qin 3, Corneliu Popeea 1, Huu Hai Nguyen](https://reader035.vdocuments.mx/reader035/viewer/2022070404/56649f345503460f94c51fc4/html5/thumbnails/10.jpg)
10
List with Unique (U) tail.adt MList<n> where n=m+1 ; n¸0
{ int<v>@S val ; MList<m>@U next ;
:}
Size Property for List (2)
mutable but unique
MList<a>@U x;MList<b>@U y;x=y;x.next=..…y…
y loses its uniqueness
![Page 11: Verifying Safety Policies with Size Properties and Alias Controls Wei Ngan Chin 1,2, Siau-Cheng Khoo 1, Shengchao Qin 3, Corneliu Popeea 1, Huu Hai Nguyen](https://reader035.vdocuments.mx/reader035/viewer/2022070404/56649f345503460f94c51fc4/html5/thumbnails/11.jpg)
11
Lending Annotation
Properties of a Lent-once reference :• value does not escape the method• has exclusive/unique access to the object
void append (MList<m>@L xs, MList<n>@U ys) where m>0 ; m'=m+n
{ if xs.next==null then xs.next=ys
else append(xs.next,ys) }
lent & unique
![Page 12: Verifying Safety Policies with Size Properties and Alias Controls Wei Ngan Chin 1,2, Siau-Cheng Khoo 1, Shengchao Qin 3, Corneliu Popeea 1, Huu Hai Nguyen](https://reader035.vdocuments.mx/reader035/viewer/2022070404/56649f345503460f94c51fc4/html5/thumbnails/12.jpg)
12
Lending Annotation
void append (MList<m>@L xs, MList<n>@U ys) where m>0 ; m'=m+n { … }
MList<a>@U x;MList<b>@U y;append(x,y);…x.next……y.next…
uniqueness of x is lent uniqueness of y is consumed
![Page 13: Verifying Safety Policies with Size Properties and Alias Controls Wei Ngan Chin 1,2, Siau-Cheng Khoo 1, Shengchao Qin 3, Corneliu Popeea 1, Huu Hai Nguyen](https://reader035.vdocuments.mx/reader035/viewer/2022070404/56649f345503460f94c51fc4/html5/thumbnails/13.jpg)
13
Classification of Size-Variables
Three possible groups Vobj(hs*i) = (SI,ST,SN)
(i) Size-Immutable (freely shared)
(ii) Trackable (mutable and unique)
(iii) Non-Trackable (mutable and globally aliased)
![Page 14: Verifying Safety Policies with Size Properties and Alias Controls Wei Ngan Chin 1,2, Siau-Cheng Khoo 1, Shengchao Qin 3, Corneliu Popeea 1, Huu Hai Nguyen](https://reader035.vdocuments.mx/reader035/viewer/2022070404/56649f345503460f94c51fc4/html5/thumbnails/14.jpg)
14
Outline
• Background on Size Analysis
• Size Tracking with Alias Controls
• Kernel Language and Protocol Specification
• Type System for Verification
• Implementation and Conclusion.
![Page 15: Verifying Safety Policies with Size Properties and Alias Controls Wei Ngan Chin 1,2, Siau-Cheng Khoo 1, Shengchao Qin 3, Corneliu Popeea 1, Huu Hai Nguyen](https://reader035.vdocuments.mx/reader035/viewer/2022070404/56649f345503460f94c51fc4/html5/thumbnails/15.jpg)
15
Kernel Languagesource program
pre/post states
Presburger size constraint
annotated types
expression oriented language
define size size invariant
![Page 16: Verifying Safety Policies with Size Properties and Alias Controls Wei Ngan Chin 1,2, Siau-Cheng Khoo 1, Shengchao Qin 3, Corneliu Popeea 1, Huu Hai Nguyen](https://reader035.vdocuments.mx/reader035/viewer/2022070404/56649f345503460f94c51fc4/html5/thumbnails/16.jpg)
16
How are Safety Policies Specified?
• Popular approach - finite state machine.
• Our approach : ADT with (i) Object’s Size Invariant. (ii) Methods’ Preconditions.
• Benefits: Relational PropertiesInfinite-State Policies
![Page 17: Verifying Safety Policies with Size Properties and Alias Controls Wei Ngan Chin 1,2, Siau-Cheng Khoo 1, Shengchao Qin 3, Corneliu Popeea 1, Huu Hai Nguyen](https://reader035.vdocuments.mx/reader035/viewer/2022070404/56649f345503460f94c51fc4/html5/thumbnails/17.jpg)
17
File Protocol Safety policy : Read/Write after Successful Open.
1 2 3open close
read
write
new
openFile state1 - uninitialized2 - opened3 - closed
![Page 18: Verifying Safety Policies with Size Properties and Alias Controls Wei Ngan Chin 1,2, Siau-Cheng Khoo 1, Shengchao Qin 3, Corneliu Popeea 1, Huu Hai Nguyen](https://reader035.vdocuments.mx/reader035/viewer/2022070404/56649f345503460f94c51fc4/html5/thumbnails/18.jpg)
18
File Protocol• Specified using sized typing.successful
file open
must be opened
closed state
![Page 19: Verifying Safety Policies with Size Properties and Alias Controls Wei Ngan Chin 1,2, Siau-Cheng Khoo 1, Shengchao Qin 3, Corneliu Popeea 1, Huu Hai Nguyen](https://reader035.vdocuments.mx/reader035/viewer/2022070404/56649f345503460f94c51fc4/html5/thumbnails/19.jpg)
19
Bounded Buffer Protocol Safety policy : Buffer does not Under/Overflow.
s,c
add
get
new
n>0 ; s’=0 Æ c’=n
s<c ; s’=s+1 Æ c’=c
s>0 ; s’=s-1 Æ c’=c
0,c1,c
2,c
n,c
Buffer states - no of elementsc - capacity
![Page 20: Verifying Safety Policies with Size Properties and Alias Controls Wei Ngan Chin 1,2, Siau-Cheng Khoo 1, Shengchao Qin 3, Corneliu Popeea 1, Huu Hai Nguyen](https://reader035.vdocuments.mx/reader035/viewer/2022070404/56649f345503460f94c51fc4/html5/thumbnails/20.jpg)
20
Outline
• Background on Size Analysis
• Size Tracking with Alias Controls
• Kernel Language and Protocol Specification
• Type System for Verification
• Implementation and Conclusion.
![Page 21: Verifying Safety Policies with Size Properties and Alias Controls Wei Ngan Chin 1,2, Siau-Cheng Khoo 1, Shengchao Qin 3, Corneliu Popeea 1, Huu Hai Nguyen](https://reader035.vdocuments.mx/reader035/viewer/2022070404/56649f345503460f94c51fc4/html5/thumbnails/21.jpg)
21
Type System for Verification
Type judgement
type environment
pre/post states
expression to type-check
![Page 22: Verifying Safety Policies with Size Properties and Alias Controls Wei Ngan Chin 1,2, Siau-Cheng Khoo 1, Shengchao Qin 3, Corneliu Popeea 1, Huu Hai Nguyen](https://reader035.vdocuments.mx/reader035/viewer/2022070404/56649f345503460f94c51fc4/html5/thumbnails/22.jpg)
22
Rule for IF: path-sensitivity
path-sensitivity for size information using disjunction
size of b corresponds to what branch is taken type of v
![Page 23: Verifying Safety Policies with Size Properties and Alias Controls Wei Ngan Chin 1,2, Siau-Cheng Khoo 1, Shengchao Qin 3, Corneliu Popeea 1, Huu Hai Nguyen](https://reader035.vdocuments.mx/reader035/viewer/2022070404/56649f345503460f94c51fc4/html5/thumbnails/23.jpg)
23
types for actual parameters
Rule for Call
poststate effect
precondition checked
substitution from formal to actual parameters
method declaration
![Page 24: Verifying Safety Policies with Size Properties and Alias Controls Wei Ngan Chin 1,2, Siau-Cheng Khoo 1, Shengchao Qin 3, Corneliu Popeea 1, Huu Hai Nguyen](https://reader035.vdocuments.mx/reader035/viewer/2022070404/56649f345503460f94c51fc4/html5/thumbnails/24.jpg)
24
Correctness of Type System
• Type Preservation – size type property is correctly preserved during reduction.
• Progress – a well-typed program never goes wrong.
Safety policies are guaranteed for well-typed programs.
![Page 25: Verifying Safety Policies with Size Properties and Alias Controls Wei Ngan Chin 1,2, Siau-Cheng Khoo 1, Shengchao Qin 3, Corneliu Popeea 1, Huu Hai Nguyen](https://reader035.vdocuments.mx/reader035/viewer/2022070404/56649f345503460f94c51fc4/html5/thumbnails/25.jpg)
25
Implementation
• Prototype built using • Haskell language (GHC)• Omega Presburger solver
• Accepts a Java-like language (without concurrency and exceptions).
•Is this method viable?• Verification is fast because of modular type-checking. • Annotation is less than 5% of source code.
![Page 26: Verifying Safety Policies with Size Properties and Alias Controls Wei Ngan Chin 1,2, Siau-Cheng Khoo 1, Shengchao Qin 3, Corneliu Popeea 1, Huu Hai Nguyen](https://reader035.vdocuments.mx/reader035/viewer/2022070404/56649f345503460f94c51fc4/html5/thumbnails/26.jpg)
26
Related Work
Size analysis for immutable data structures [Hughes et.al'96, Xi-Pfenning'98,'99, Jost-Hofman'03]
Alias controls for program reasoning[Chan-Boyland'98, Aldrich-Kostadinov-Chambers'02]
Other approaches to verification:• Finite type-state: Vault, Fugue
[Fahndrich-DeLine'02,'04]
• Theorem proving: ESC (may be unsound)[Flanagan-Leino-Lillibridge-Nelson et.al'02]
• Model checking: Bogor (requires test harness)[Robby-Dwyer-Hatcliff-Rodriguez'03,'04]
![Page 27: Verifying Safety Policies with Size Properties and Alias Controls Wei Ngan Chin 1,2, Siau-Cheng Khoo 1, Shengchao Qin 3, Corneliu Popeea 1, Huu Hai Nguyen](https://reader035.vdocuments.mx/reader035/viewer/2022070404/56649f345503460f94c51fc4/html5/thumbnails/27.jpg)
27
Conclusion
• Formulate a precise relational size analysis for object-based programs.
• Use alias controls to track mutable size properties.
• Automatic verification for: Safety policies - files, bounded-buffers.Data invariants - lists, AVL trees.
• Working towards inference of alias and size annotations (for methods).
![Page 28: Verifying Safety Policies with Size Properties and Alias Controls Wei Ngan Chin 1,2, Siau-Cheng Khoo 1, Shengchao Qin 3, Corneliu Popeea 1, Huu Hai Nguyen](https://reader035.vdocuments.mx/reader035/viewer/2022070404/56649f345503460f94c51fc4/html5/thumbnails/28.jpg)
28
End
![Page 29: Verifying Safety Policies with Size Properties and Alias Controls Wei Ngan Chin 1,2, Siau-Cheng Khoo 1, Shengchao Qin 3, Corneliu Popeea 1, Huu Hai Nguyen](https://reader035.vdocuments.mx/reader035/viewer/2022070404/56649f345503460f94c51fc4/html5/thumbnails/29.jpg)
29
Experiments
JOldenbenchmar
ks
![Page 30: Verifying Safety Policies with Size Properties and Alias Controls Wei Ngan Chin 1,2, Siau-Cheng Khoo 1, Shengchao Qin 3, Corneliu Popeea 1, Huu Hai Nguyen](https://reader035.vdocuments.mx/reader035/viewer/2022070404/56649f345503460f94c51fc4/html5/thumbnails/30.jpg)
30
adt Cell<n> where n=v ; true { int<v> val ; void incr(Cell<n> x) where true ; n’=n+1
{x.val =x.val + 1} …}
Object Declaration
size definition
fields can only be accessed via
methods Why use ADTs ?
Development: a client is based on ADT’s interface (the implementation details are hidden).
Modular analysis: correct usage of ADT verified against ADT’s interface.
![Page 31: Verifying Safety Policies with Size Properties and Alias Controls Wei Ngan Chin 1,2, Siau-Cheng Khoo 1, Shengchao Qin 3, Corneliu Popeea 1, Huu Hai Nguyen](https://reader035.vdocuments.mx/reader035/viewer/2022070404/56649f345503460f94c51fc4/html5/thumbnails/31.jpg)
31
Mutable Size Properties
• Example with aliasing and mutability :Cell<x> a = new Cell(5); // x’=5Cell<y> b = a; // y’=x Æ x’=xincr(b); // y’=y+1 Æ x’=x
// x’=5 Æ y’=6 unsound!
new value
old value
adt Cell<n> where n=v ; true { int<v> val ; void incr(Cell<n> x) where true ; n’=n+1
{x.val =x.val + 1} …}
![Page 32: Verifying Safety Policies with Size Properties and Alias Controls Wei Ngan Chin 1,2, Siau-Cheng Khoo 1, Shengchao Qin 3, Corneliu Popeea 1, Huu Hai Nguyen](https://reader035.vdocuments.mx/reader035/viewer/2022070404/56649f345503460f94c51fc4/html5/thumbnails/32.jpg)
32
adt Pair<p1,p2> where p1=s1Æp2=s2 ; true{ int<s1>@S fst; int<s2>@R snd; void setFst(Pair<p1,p2>@L p, int<x>@S x) { p.fst=x }}
Pair<r1,r2>@U r = new Pair(…);r.setFst(…);
Pair Example
int
({s1},,)
r@U (,{r1,r2},)
fst@S
(,{s1},)
Pair ({p2},{p1},)
int
snd@R
({s2},,)
({s2},,)
where true ; p1’=xÆp2’=p2
size definition
![Page 33: Verifying Safety Policies with Size Properties and Alias Controls Wei Ngan Chin 1,2, Siau-Cheng Khoo 1, Shengchao Qin 3, Corneliu Popeea 1, Huu Hai Nguyen](https://reader035.vdocuments.mx/reader035/viewer/2022070404/56649f345503460f94c51fc4/html5/thumbnails/33.jpg)
33
adt Pair<p1,p2> where p1=s1Æp2=s2 ; true{ int<s1>@S fst; int<s2>@R snd; void setFst(Pair<p1,p2>@ p, int<x>@S x) { p.fst=x }}
Pair<m1,m2>@S m = new Pair(…);Pair<n1,n2>@S n = m;m.setFst(…); n.setFst(…);
Pair Example
int int
Pair
snd@Rfst@S
({s1},,) ({s2},,)
({p2},{p1},)
m@S
(,{m2},{m1})
(,{n2},{n1})
n@S
(,{s1},) ({s2},,)
where true ; p2’=p2
S
![Page 34: Verifying Safety Policies with Size Properties and Alias Controls Wei Ngan Chin 1,2, Siau-Cheng Khoo 1, Shengchao Qin 3, Corneliu Popeea 1, Huu Hai Nguyen](https://reader035.vdocuments.mx/reader035/viewer/2022070404/56649f345503460f94c51fc4/html5/thumbnails/34.jpg)
34
Array Protocol
Safety policy : No Array Bounds Violation.
• Implementation: array primitive operations (that need no runtime tests).
sub(A,i) … A[i]update(A,i,v) … A[i] = v
no bounds violation
size never change
![Page 35: Verifying Safety Policies with Size Properties and Alias Controls Wei Ngan Chin 1,2, Siau-Cheng Khoo 1, Shengchao Qin 3, Corneliu Popeea 1, Huu Hai Nguyen](https://reader035.vdocuments.mx/reader035/viewer/2022070404/56649f345503460f94c51fc4/html5/thumbnails/35.jpg)
35
Buffer Protocol
• Implemented using a cyclic array.• Implementation checked to comply with Array protocol.
safety preconditions
Safety policy : Buffer does not Under/Overflow.
![Page 36: Verifying Safety Policies with Size Properties and Alias Controls Wei Ngan Chin 1,2, Siau-Cheng Khoo 1, Shengchao Qin 3, Corneliu Popeea 1, Huu Hai Nguyen](https://reader035.vdocuments.mx/reader035/viewer/2022070404/56649f345503460f94c51fc4/html5/thumbnails/36.jpg)
36
Lock Protocol
Safety policy : No double lock/unlock operations.
![Page 37: Verifying Safety Policies with Size Properties and Alias Controls Wei Ngan Chin 1,2, Siau-Cheng Khoo 1, Shengchao Qin 3, Corneliu Popeea 1, Huu Hai Nguyen](https://reader035.vdocuments.mx/reader035/viewer/2022070404/56649f345503460f94c51fc4/html5/thumbnails/37.jpg)
37
adt AVL<s,h> where s=1+s1+s2 Æ h=1+max(h1,h2) ;
s¸0 Æ h¸0 Æ -1·h1-h2·1
{ int<v>@S val ; AVL<s1,h1>@U left ;
AVL<s2,h2>@U right;
void insert (AVL<ts,th>@L t, int<n>@S n) where true ; ts’=ts+1 Æ th·th’·th+1 { ... }
}
AVL Tree