Semantics-Based Program Verifiers for All Languages
|
|
- Adrian Gibbs
- 5 years ago
- Views:
Transcription
1 Language-independent Semantics-Based Program Verifiers for All Languages Andrei Stefanescu Daejun Park Shijiao Yuwen Yilong Li Grigore Rosu Nov 2, OOPSLA 16
2 Problems with state-of-the-art verifiers Missing details of language behaviors e.g., VCC s false positives/negatives, undefinedness of SV-COMP benchmarks Fragmentation: specific to a fixed language
3 Missing details of language behaviors 1 unsigned x = UINT_MAX; 2 unsigned y = x + 1; 3 _(assert y == 0) VCC incorrectly reported an overflow error
4 Missing details of language behaviors 1 int assign(int *p, int x) 2 _(ensures *p == x) 3 _(writes p) 4 { 5 return (*p = x); 6 } 7 8 void main() { 9 int r; 10 assign(&r, 0) == assign(&r, 1); 11 _(assert r == 1) 12 } VCC incorrectly proved it, missing non-determinism
5 Missing details of language behaviors * Grigore Rosu,
6 Problems with state-of-the-art verifiers Missing details of language behaviors Fragmentation: specific to a fixed language e.g., KLEE (LLVM), JPF (JVM), Pex (.NET), CBMC (C), SAGE (x86), Implemented similar heuristics/optimizations: duplicating efforts
7 Our solution Clear separation, yet smooth integration, Between semantics reasoning and proof search, Using language-independent logic & proof system
8 Idea: separation of concerns Semantics Reasoning Proof Search Language semantics: C (c11, gcc, clang, ) Java (6, 7, 8, ) JavaScript (ES5, ES6, ) Verification techniques: Deductive verification Model checking Abstract interpretation Defined/implemented once, and reused for all others
9 Idea: separation of concerns Semantics Reasoning Proof Search Language semantics: C (c11, gcc, clang, ) Java (6, 7, 8, ) JavaScript (ES5, ES6, ) JPF VCC CBMC Verification techniques: Deductive verification Model checking Abstract interpretation Defined/implemented once, and reused for all others
10 Language-independent verification framework Semantics Program & Properties Language-independent uniform notation (logic) Language-independent proof systems ` Proof automation Provides a nice interface (logic) in which both language semantics and program properties can be described. Proof search in this logic becomes completely languageindependent.
11 Language-independent verification framework Operational semantics (C/Java/JavaScript semantics) Reachability properties (Functional correctness of heap manipulations) Language-independent uniform notation (Matching logic reachability) Language-independent proof systems (Matching logic reachability proof systems) Proof automation (Symbolic execution, SMT, Natural proofs, )
12 Operational semantics Easy to define and understand than axiomatic semantics Require little mathematical knowledge Similar to implement language interpreter Executable, thus testable Important when defining real large languages Shown to scale to defining full language semantics C, Java, JavaScript, Python, PHP,
13 Language-independent verification framework Operational semantics (C/Java/JavaScript semantics) Reachability properties (Functional correctness of heap manipulations) Language-independent uniform notation (Reachability logic) Language-independent proof systems (Reachability logic proof systems) Proof automation (Symbolic execution, SMT, Natural proofs, )
14 Reachability logic Unifying logic in which both language semantics and program correctness properties can be specified. reachability between patterns pattern formula representing a set of program states Pattern formula is FOL without predicate symbols. Similar to algebraic data types for pattern matching in functional languages such as OCaml and Haskell.
15 Expressiveness: semantics In OCaml: match e with ADD(x,y) => x + y SUB(x,y) => x - y MUL(x,y) => x * y DIV(x,y) when y!= 0 => x / y
16 Expressiveness: semantics In OCaml: match e with ADD(x,y) => x + y SUB(x,y) => x - y MUL(x,y) => x * y DIV(x,y) when y!= 0 => x / y In Reachability logic: ADD(x,y) => x + y SUB(x,y) => x - y MUL(x,y) => x * y DIV(x,y) /\ y!= 0 => x / y
17 Expressiveness: properties In Hoare logic: fun insert (v: elem, t: tree) return (t : bst(t ) and keys(t ) == keys(t) \union { v }
18 Expressiveness: properties In Hoare logic: fun insert (v: elem, t: tree) return (t : bst(t ) and keys(t ) == keys(t) \union { v } In Reachability logic: insert /\ bst(t) =>. /\ bst(t ) /\ keys(t ) == keys(t) \union { v }
19 Expressiveness Reachability formula can specify: Pre-/post-conditions Safety properties by augmenting semantics No liveness properties yet (ongoing work) Pattern formula can include: Recursive predicates Separation logic formula
20 Language-independent verification framework Operational semantics (C/Java/JavaScript semantics) Reachability properties (Functional correctness of heap manipulations) Language-independent uniform notation (Reachability logic) Language-independent proof systems (Reachability logic proof systems) Proof automation (Symbolic execution, SMT, Natural proofs, )
21 Proof system Language-independent proof system for deriving sequents of the form: Step : = '! W ' l ) 9 ' r 2 S 9FreeVars(' l ).' l = ((' ^ ' l ),? Cfg ) ^ ' r! ' 0 for each ' l ) 9 ' r 2 S S, A `C ' ) 8 ' 0 Axiom : ' ) Q ' 0 2 S [ A is FOL formula (logical frame) Reflexivity : S, A ` ' ) Q ' S, A `C ' ^ ) Q ' 0 ^ Transitivity : S, A `C ' 1 ) Q ' 2 S, A [ C ` ' 2 ) Q ' 3 S, A `C ' 1 ) Q ' 3 Consequence : = ' 1! ' 0 1 S, A `C ' 0 1 )Q ' 0 2 = ' 0 2! ' 2 S, A `C ' 1 ) Q ' 2 Case Analysis : S, A `C ' 1 ) Q ' S, A `C ' 2 ) Q ' S, A `C ' 1 _ ' 2 ) Q ' Abstraction : S, A `C ' ) Q ' 0 X \ FreeVars(' 0 ) = ; S, A `C 9X ' ) Q ' 0 Circularity : S, A `C[{') Q ' 0 } ' ) Q ' 0 S, A `C ' ) Q ' 0
22 Proof system Language-independent proof system for deriving sequents of the form: semantics ' 1 ) ' 0 1 ' 2 ) ' 0 2 ' 3 ) ' property ` ' ) ' 0 Step : = '! W ' l ) 9 ' r 2 S 9FreeVars(' l ).' l = ((' ^ ' l ),? Cfg ) ^ ' r! ' 0 for each ' l ) 9 ' r 2 S S, A `C ' ) 8 ' 0 Axiom : ' ) Q ' 0 2 S [ A is FOL formula (logical frame) Reflexivity : S, A ` ' ) Q ' S, A `C ' ^ ) Q ' 0 ^ Transitivity : S, A `C ' 1 ) Q ' 2 S, A [ C ` ' 2 ) Q ' 3 S, A `C ' 1 ) Q ' 3 Consequence : = ' 1! ' 0 1 S, A `C ' 0 1 )Q ' 0 2 = ' 0 2! ' 2 S, A `C ' 1 ) Q ' 2 Case Analysis : S, A `C ' 1 ) Q ' S, A `C ' 2 ) Q ' S, A `C ' 1 _ ' 2 ) Q ' Abstraction : S, A `C ' ) Q ' 0 X \ FreeVars(' 0 ) = ; S, A `C 9X ' ) Q ' 0 Circularity : S, A `C[{') Q ' 0 } ' ) Q ' 0 S, A `C ' ) Q ' 0
23 Proof system Language-independent proof system for deriving sequents of the form: semantics ' 1 ) ' 0 1 ' 2 ) ' 0 2 ' 3 ) ' property ` ' ) ' 0 Step : = '! W ' l ) 9 ' r 2 S 9FreeVars(' l ).' l = ((' ^ ' l ),? Cfg ) ^ ' r! ' 0 for each ' l ) 9 ' r 2 S S, A `C ' ) 8 ' 0 Axiom : ' ) Q ' 0 2 S [ A is FOL formula (logical frame) Reflexivity : S, A ` ' ) Q ' S, A `C ' ^ ) Q ' 0 ^ Transitivity : S, A `C ' 1 ) Q ' 2 S, A [ C ` ' 2 ) Q ' 3 S, A `C ' 1 ) Q ' 3 Consequence : = ' 1! ' 0 1 S, A `C ' 0 1 )Q ' 0 2 = ' 0 2! ' 2 ADD(x,y) => x + y SUB(x,y) => x - y MUL(x,y) => x * y... ` S, A `C ' 1 ) Q ' 2 insert /\ bst(t) Case Analysis : => S, A `C ' 1 ) Q ' S, A `C ' 2 ) Q '. /\ bst(t ) S, A `C ' 1 _ ' 2 ) Q ' /\ keys(t ) Abstraction == : keys(t) \union { v } S, A `C ' ) Q ' 0 X \ FreeVars(' 0 ) = ; S, A `C 9X ' ) Q ' 0 Circularity : S, A `C[{') Q ' 0 } ' ) Q ' 0 S, A `C ' ) Q ' 0
24 Language-independent verification framework Operational semantics (C/Java/JavaScript semantics) Reachability properties (Functional correctness of heap manipulations) Language-independent uniform notation (Reachability logic) Language-independent proof systems (Reachability logic proof systems) Proof automation (Symbolic execution, SMT, Natural proofs, )
25 Proof automation Deductive verification Symbolic execution for reachability space search Domain reasoning (e.g., integers, bit-vectors, floats, set, sequences, ) using SMT Natural proofs technique for quantifier instantiation for recursive heap predicates (e.g., list, tree, )
26 Language-independent verification framework Operational semantics (C/Java/JavaScript semantics) Reachability properties (Functional correctness of heap manipulations) Language-independent uniform notation (Reachability logic) Language-independent proof systems (Reachability logic proof systems) Proof automation (Symbolic execution, SMT, Natural proofs, ) Does it really work? Q1: How easy to instantiate the framework? Q2: Is performance OK?
27 Evaluation Instantiated framework by plugging-in three language semantics. Semantics of C [POPL 12, PLDI 15] Semantics of Java [POPL 15] Semantics of JavaScript [PLDI 15] Verification Framework C verifier Java verifier JavaScript verifier Verified challenging heap-manipulating programs implementing the same algorithms in all three languages.
28 Efforts C Java JavaScript Semantics development (months) Semantics size (LOC) 17,791 13,417 6,821 Language-specific e ort (days) Semantics changes size (#rules) Semantics changes size (LOC) Specifications Instantiating efforts include: Fixing bugs of semantics Specifying heap abstractions (e.g., lists and trees) instantiating framework (additional effort)
29 Efforts C Java JavaScript Semantics development (months) Semantics size (#rules) 2,572 1,587 1,378 Semantics size (LOC) 17,791 13,417 6,821 Language-specific e ort (days) Semantics size (LOC) 7 17, , ,821 Language-specific e ort (days) Semantics changes size (#rules) Semantics changes size (LOC) Specifications Instantiating efforts include: Fixing bugs of semantics Specifying heap abstractions (e.g., lists and trees) defining semantics (already given) instantiating framework (additional effort)
30 Experiments Time (secs) Programs C Java JS BST find BST insert BST delete AVL find AVL insert AVL delete RBT find RBT insert RBT delete 1, Programs C Java JS Treap find Treap insert Treap delete List reverse List append Bubble sort Insertion sort Quick sort Merge sort Total 4, Average
31 Experiments Time (secs) Programs C Java JS BST find BST insert BST delete Full functional correctness: AVL find Programs C Java JS Treap find Treap insert Treap delete List reverse AVL insert insert /\ bst(t) =>. /\ bst(t ) /\ keys(t ) == keys(t) \union { v } AVL delete RBT find List append Bubble sort Insertion sort RBT insert Quick sort RBT delete 1, Merge sort Total 4, Average
32 Experiments Time (secs) Programs C Java JS BST find BST insert BST delete AVL find AVL insert Programs C Java JS Treap find Treap insert Treap delete List reverse List append AVL delete Bubble sort Performance is comparable to a state-of-the-art Insertion sort verifier 61.9 for 31.1 C, 44.8 VCDryad [PLDI 14], based on a separation Quick sort logic 79.2 extension 47.1 of VCC: 48.1 e.g., AVL insert : 260s vs 280s (ours) RBT find RBT insert RBT delete 1, Merge sort Total 4, Average
33 Idea: separation of concerns Language-independent verification framework Semantics Semantics Reasoning Proof Search Program & Properties Semantics-Based Program Verifiers for All Languages Language-independent uniform notation (logic) Language semantics: Verification techniques: Andrei S, tefa nescu Daejun Park Deductive University of Illinois at verification University of Illinois at Urbana-Champaign, USA VCC C (c11, gcc, clang, ) Java (6, 7, 8, ) JavaScript (ES5, ES6, ) JPF Urbana-Champaign, USA Model checking CBMC stefane1@illinois.edu Abstract interpretation Defined/implemented once, and Yilong Li Runtime Verification, Inc., USA reused for all others yilong.li@runtimeverification.com Shijiaoproof Yuwen Language-independent systems University of Illinois at Urbana-Champaign, USA Proof automation yuwen2@illinois.edu ` Provides a nice interface (logic) in which both language Grigore Ros, u semantics and program properties can be described. University of Illinois at Urbana-Champaign, USA Proof search in grosu@illinois.edu this logic becomes completely languageindependent. Evaluation Abstract We present a language-independent verification framework that can be instantiated with an operational semantics to automatically generate verifier. The framework treats Instantiated framework by plugging-in threea program language semantics. both the operational semantics and the program correctness specifications as reachability rules between matching logic Semantics of C patterns, and uses the sound and relatively complete reachc verifier [POPL 12, PLDI 15] ability logic proof system to prove the specifications using the semantics. We instantiate the framework with the semansemantics of Java Verification Java verifier tics of one academic language, KernelC, as well as with [POPL 15] Framework three recent semantics of real-world languages, C, Java, and JavaScript, developed independently of our verification infrassemantics of JavaScript JavaScript tructure. We evaluate our approachverifier empirically and show that [PLDI 15] the generated program verifiers can check automatically the full functional correctness of challenging heap-manipulating programs implementing operations on list and tree data struc Verified challenging heap-manipulating programs tures, like AVL trees. This is the first approach that can implementing the same algorithms in all three languages. turn the operational semantics of real-world languages into correct-by-construction automatic verifiers. 1. Introduction Experiments Operational semantics are easy to define and understand, similarly to implementing an interpreter. They require little formal training, scale up well, and, being executable, can Time (secs) be tested. Thus, operational semanticsprograms are typicallycused asjava JS Programs C Java JS trusted reference models for the defined languages. Despite Treap find BST find these advantages, they are rarely used directly for program Treap insert BST insert verification, because proofs tend to be low-level, as they work Treap delete 90.4 or BST delete transition directly with71.7 the corresponding system. Hoare dynamic logics higher level reasoning cost of 4.1 List reverse at the AVL find 13.0 allow (re)defining281.3 the language as135.0 a set of abstract proof14.8 rules, 7.3 List append 5.3 AVL insert which are harder to understand and trust. The state-of-the-art Bubble sort 31.3 AVL delete in mechanical program verification is to develop and66.4 prove 38.8 Insertion sort 44.8 RBT find proof systems 6.8 such language-specific sound w.r.t. a 61.9 trusted 31.1 operational903.8 semantics [3, 26, ], but thatsort needs to be done 47.1 Quick RBT insert for each language separately and is labor intensive. Merge sort RBT delete 1, Defining multiple semantics for the same language and proving the soundness of one semantics in terms of antotal 4, other are highly uneconomical tasks when real languages are concerned, often taking several Average man-years to complete. Categories and Subject Descriptors D.2.4 [Software EngiFor these reasons, many program verification tools forgo neering]: Software/Program Verification correctness proofs; defining an operational or an axiomatic semantics altogether,
From Hoare Logic to Matching Logic Reachability. Grigore Rosu and Andrei Stefanescu University of Illinois, USA
From Hoare Logic to Matching Logic Reachability Grigore Rosu and Andrei Stefanescu University of Illinois, USA Matching Logic Reachability - Goal - Language independent program verification framework Derives
More informationMatching Logic A New Program Verification Approach
Matching Logic A New Program Verification Approach Grigore Rosu and Andrei Stefanescu University of Illinois at Urbana-Champaign (work started in 2009 with Wolfram Schulte at MSR) Usable Verification Relatively
More informationMatching Logic. Grigore Rosu University of Illinois at Urbana-Champaign
Matching Logic Grigore Rosu University of Illinois at Urbana-Champaign Joint work with Andrei Stefanescu and Chucky Ellison. Started with Wolfram Schulte at Microsoft Research in 2009 Question could it
More informationK and Matching Logic
K and Matching Logic Grigore Rosu University of Illinois at Urbana-Champaign Joint work with the FSL group at UIUC (USA) and the FMSE group at UAIC (Romania) Question could it be that, after 40 years of
More informationSemantics-Based Program Verifiers for All Languages
to Reuse * * Evaluated * OOPSLA * Artifact * AEC OOPSLA'16, ACM. 2016 Semantics-Based Program Verifiers for All Languages Andrei Ștefănescu University of Illinois at Urbana-Champaign, USA stefane1@illinois.edu
More informationMain Goal. Language-independent program verification framework. Derive program properties from operational semantics
Main Goal Language-independent program verification framework Derive program properties from operational semantics Questions: Is it possible? Is it practical? Answers: Sound and complete proof system,
More informationLow-Level Program Verification using Matching Logic Reachability
Low-Level Program Verification using Matching Logic Reachability Dwight Guth Andrei Ştefănescu Grigore Roşu University of Illinois at Urbana-Champaign {dguth2, stefane1, grosu}@illinois.edu Abstract Matching
More informationGrigore Rosu Founder, President and CEO Professor of Computer Science, University of Illinois
https://runtimeverification.com Grigore Rosu Founder, President and CEO Professor of Computer Science, University of Illinois Runtime Verification Company Licensed by University of Illinois at Urbana-Champaign
More informationFrom Hoare Logic to Matching Logic Reachability
From Hoare Logic to Matching Logic Reachability Grigore Roşu 1,2 and Andrei Ştefănescu 1 1 University of Illinois at Urbana-Champaign, USA 2 Alexandru Ioan Cuza University, Iaşi, Romania {grosu, stefane1}@illinois.edu
More informationVS 3 : SMT Solvers for Program Verification
VS 3 : SMT Solvers for Program Verification Saurabh Srivastava 1,, Sumit Gulwani 2, and Jeffrey S. Foster 1 1 University of Maryland, College Park, {saurabhs,jfoster}@cs.umd.edu 2 Microsoft Research, Redmond,
More information! Use of formal notations. ! in software system descriptions. ! for a broad range of effects. ! and varying levels of use. !
What Are Formal Methods? David S. Rosenblum ICS 221 Winter 2001! Use of formal notations! first-order logic, state machines, etc.! in software system descriptions! system models, constraints, specifications,
More informationLectures 20, 21: Axiomatic Semantics
Lectures 20, 21: Axiomatic Semantics Polyvios Pratikakis Computer Science Department, University of Crete Type Systems and Static Analysis Based on slides by George Necula Pratikakis (CSD) Axiomatic Semantics
More informationCMSC 330: Organization of Programming Languages. Operational Semantics
CMSC 330: Organization of Programming Languages Operational Semantics Notes about Project 4, Parts 1 & 2 Still due today (7/2) Will not be graded until 7/11 (along with Part 3) You are strongly encouraged
More informationProof Carrying Code(PCC)
Discussion p./6 Proof Carrying Code(PCC Languaged based security policy instead of OS-based A mechanism to determine with certainity that it is safe execute a program or not Generic architecture for providing
More informationTowards a Unified Theory of Operational and Axiomatic Semantics
Towards a Unified Theory of Operational and Axiomatic Semantics Grigore Roşu 1,2 and Andrei Ştefănescu 1 1 University of Illinois at Urbana-Champaign, USA {grosu,stefane1}@illinois.edu 2 Alexandru Ioan
More informationHoare Logic. COMP2600 Formal Methods for Software Engineering. Rajeev Goré
Hoare Logic COMP2600 Formal Methods for Software Engineering Rajeev Goré Australian National University Semester 2, 2016 (Slides courtesy of Ranald Clouston) COMP 2600 Hoare Logic 1 Australian Capital
More informationChapter 1. Introduction
1 Chapter 1 Introduction An exciting development of the 21st century is that the 20th-century vision of mechanized program verification is finally becoming practical, thanks to 30 years of advances in
More informationSMT-LIB for HOL. Daniel Kroening Philipp Rümmer Georg Weissenbacher Oxford University Computing Laboratory. ITP Workshop MSR Cambridge 25 August 2009
1 / 13 SMT-LIB for HOL Daniel Kroening Philipp Rümmer Georg Weissenbacher Oxford University Computing Laboratory ITP Workshop MSR Cambridge 25 August 2009 2 / 13 The SMT-LIB Standard SMT Satisfiability
More informationCS558 Programming Languages
CS558 Programming Languages Fall 2016 Lecture 7a Andrew Tolmach Portland State University 1994-2016 Values and Types We divide the universe of values according to types A type is a set of values and a
More informationLecture Notes on Real-world SMT
15-414: Bug Catching: Automated Program Verification Lecture Notes on Real-world SMT Matt Fredrikson Ruben Martins Carnegie Mellon University Lecture 15 1 Introduction In the previous lecture we studied
More informationIntroduction to Axiomatic Semantics
Introduction to Axiomatic Semantics Meeting 10, CSCI 5535, Spring 2009 Announcements Homework 3 due tonight Homework 2 is graded 13 (mean), 14 (median), out of 21 total, but Graduate class: final project
More informationAn Operational and Axiomatic Semantics for Non-determinism and Sequence Points in C
An Operational and Axiomatic Semantics for Non-determinism and Sequence Points in C Robbert Krebbers Radboud University Nijmegen January 22, 2014 @ POPL, San Diego, USA 1 / 16 What is this program supposed
More informationThe semantics of a programming language is concerned with the meaning of programs, that is, how programs behave when executed on computers.
Semantics The semantics of a programming language is concerned with the meaning of programs, that is, how programs behave when executed on computers. The semantics of a programming language assigns a precise
More informationChapter 3 (part 3) Describing Syntax and Semantics
Chapter 3 (part 3) Describing Syntax and Semantics Chapter 3 Topics Introduction The General Problem of Describing Syntax Formal Methods of Describing Syntax Attribute Grammars Describing the Meanings
More informationPart II. Hoare Logic and Program Verification. Why specify programs? Specification and Verification. Code Verification. Why verify programs?
Part II. Hoare Logic and Program Verification Part II. Hoare Logic and Program Verification Dilian Gurov Props: Models: Specs: Method: Tool: safety of data manipulation source code logic assertions Hoare
More informationProgram verification. Generalities about software Verification Model Checking. September 20, 2016
Program verification Generalities about software Verification Model Checking Laure Gonnord David Monniaux September 20, 2016 1 / 43 The teaching staff Laure Gonnord, associate professor, LIP laboratory,
More informationHacking in C. Pointers. Radboud University, Nijmegen, The Netherlands. Spring 2019
Hacking in C Pointers Radboud University, Nijmegen, The Netherlands Spring 2019 Allocation of multiple variables Consider the program main(){ char x; int i; short s; char y;... } What will the layout of
More informationThe SMT-LIB 2 Standard: Overview and Proposed New Theories
1 / 23 The SMT-LIB 2 Standard: Overview and Proposed New Theories Philipp Rümmer Oxford University Computing Laboratory philr@comlab.ox.ac.uk Third Workshop on Formal and Automated Theorem Proving and
More informationTypes. Type checking. Why Do We Need Type Systems? Types and Operations. What is a type? Consensus
Types Type checking What is a type? The notion varies from language to language Consensus A set of values A set of operations on those values Classes are one instantiation of the modern notion of type
More informationAxiomatic Specification. Al-Said, Apcar, Jerejian
Axiomatic Specification Al-Said, Apcar, Jerejian 1 Axioms: Wffs that can be written down without any reference to any other Wffs. Wffs that are stipulated as unproved premises for the proof of other wffs
More informationFormalization of Incremental Simplex Algorithm by Stepwise Refinement
Formalization of Incremental Simplex Algorithm by Stepwise Refinement Mirko Spasić, Filip Marić Faculty of Mathematics, University of Belgrade FM2012, 30. August 2012. Overview 1 Introduction 2 Approach
More information3.4 Deduction and Evaluation: Tools Conditional-Equational Logic
3.4 Deduction and Evaluation: Tools 3.4.1 Conditional-Equational Logic The general definition of a formal specification from above was based on the existence of a precisely defined semantics for the syntax
More informationSeminar in Software Engineering Presented by Dima Pavlov, November 2010
Seminar in Software Engineering-236800 Presented by Dima Pavlov, November 2010 1. Introduction 2. Overview CBMC and SAT 3. CBMC Loop Unwinding 4. Running CBMC 5. Lets Compare 6. How does it work? 7. Conclusions
More informationTail Calls. CMSC 330: Organization of Programming Languages. Tail Recursion. Tail Recursion (cont d) Names and Binding. Tail Recursion (cont d)
CMSC 330: Organization of Programming Languages Tail Calls A tail call is a function call that is the last thing a function does before it returns let add x y = x + y let f z = add z z (* tail call *)
More informationSoftware Model Checking. Xiangyu Zhang
Software Model Checking Xiangyu Zhang Symbolic Software Model Checking CS510 S o f t w a r e E n g i n e e r i n g Symbolic analysis explicitly explores individual paths, encodes and resolves path conditions
More informationHandling Loops in Bounded Model Checking of C Programs via k-induction
Software Tools for Technology Transfer manuscript No. (will be inserted by the editor) Handling Loops in Bounded Model Checking of C Programs via k-induction Mikhail Y. R. Gadelha, Hussama I. Ismail, and
More informationAutomated Software Analysis Techniques For High Reliability: A Concolic Testing Approach. Moonzoo Kim
Automated Software Analysis Techniques For High Reliability: A Concolic Testing Approach Moonzoo Kim Contents Automated Software Analysis Techniques Background Concolic testing process Example of concolic
More informationSemantic Analysis Type Checking
Semantic Analysis Type Checking Maryam Siahbani CMPT 379 * Slides are modified version of Schwarz s compiler course at Stanford 4/8/2016 1 Type Checking Type errors arise when operations are performed
More informationWhy3 where programs meet provers
Why3 where programs meet provers Jean-Christophe Filliâtre CNRS KeY Symposium 2017 Rastatt, Germany October 5, 2017 history started in 2001, as an intermediate language in the process of verifying C and
More informationFormally Certified Satisfiability Solving
SAT/SMT Proof Checking Verifying SAT Solver Code Future Work Computer Science, The University of Iowa, USA April 23, 2012 Seoul National University SAT/SMT Proof Checking Verifying SAT Solver Code Future
More informationProgram Analysis and Code Verification
Program Analysis and Code Verification http://d3s.mff.cuni.cz Pavel Parízek CHARLES UNIVERSITY IN PRAGUE faculty of mathematics and physics Language Lectures: English Labs: English Homework: Czech/English
More informationSymbolic Execution, Dynamic Analysis
Symbolic Execution, Dynamic Analysis http://d3s.mff.cuni.cz Pavel Parízek CHARLES UNIVERSITY IN PRAGUE faculty of mathematics and physics Symbolic execution Pavel Parízek Symbolic Execution, Dynamic Analysis
More informationIntro to semantics; Small-step semantics Lecture 1 Tuesday, January 29, 2013
Harvard School of Engineering and Applied Sciences CS 152: Programming Languages Lecture 1 Tuesday, January 29, 2013 1 Intro to semantics What is the meaning of a program? When we write a program, we use
More informationSemantic Subtyping with an SMT Solver
Semantic Subtyping with an SMT Solver Cătălin Hrițcu, Saarland University, Saarbrücken, Germany Joint work with Andy Gordon, Gavin Bierman, and Dave Langworthy (all from Microsoft) Refinement Types + Type-test
More informationCertified compilers. Do you trust your compiler? Testing is immune to this problem, since it is applied to target code
Certified compilers Do you trust your compiler? Most software errors arise from source code But what if the compiler itself is flawed? Testing is immune to this problem, since it is applied to target code
More informationCS422 - Programming Language Design
1 CS422 - Programming Language Design From SOS to Rewriting Logic Definitions Grigore Roşu Department of Computer Science University of Illinois at Urbana-Champaign In this chapter we show how SOS language
More informationType Theory meets Effects. Greg Morrisett
Type Theory meets Effects Greg Morrisett A Famous Phrase: Well typed programs won t go wrong. 1. Describe abstract machine: M ::= 2. Give transition relation: M 1 M 2
More informationBenchmarking of Java Verification Tools at the Software Verification Competition (SV-COMP) Lucas Cordeiro Daniel Kroening Peter Schrammel
Benchmarking of Java Verification Tools at the Software Verification Competition (SV-COMP) Lucas Cordeiro Daniel Kroening Peter Schrammel JPF Workshop 2018 What is SV-COMP? https://sv-comp.sosy-lab.org
More informationLecture 5 - Axiomatic semantics
Program Verification March 2014 Lecture 5 - Axiomatic semantics Lecturer: Noam Rinetzky Scribes by: Nir Hemed 1.1 Axiomatic semantics The development of the theory is contributed to Robert Floyd, C.A.R
More informationHoare triples. Floyd-Hoare Logic, Separation Logic
Hoare triples Floyd-Hoare Logic, Separation Logic 1. Floyd-Hoare Logic 1969 Reasoning about control Hoare triples {A} p {B} a Hoare triple partial correctness: if the initial state satisfies assertion
More informationSymbolic Execution. Joe Hendrix Galois, Inc SMT Summer School galois
Symbolic Execution Joe Hendrix Galois, Inc SMT Summer School 2015 Galois, Inc We solve hard research problems for clients. Symbolic Execution is a technique for mapping code into logic. is widely used
More informationCITS5501 Software Testing and Quality Assurance Formal methods
CITS5501 Software Testing and Quality Assurance Formal methods Unit coordinator: Arran Stewart May 1, 2018 1 / 49 Sources Pressman, R., Software Engineering: A Practitioner s Approach, McGraw-Hill, 2005
More informationAn Annotated Language
Hoare Logic An Annotated Language State and Semantics Expressions are interpreted as functions from states to the corresponding domain of interpretation Operators have the obvious interpretation Free of
More informationCom S 541. Programming Languages I
Programming Languages I Lecturer: TA: Markus Lumpe Department of Computer Science 113 Atanasoff Hall http://www.cs.iastate.edu/~lumpe/coms541.html TR 12:40-2, W 5 Pramod Bhanu Rama Rao Office hours: TR
More informationCS252 Advanced Programming Language Principles. Prof. Tom Austin San José State University Fall 2013
CS252 Advanced Programming Language Principles Prof. Tom Austin San José State University Fall 2013 What are some programming languages? Why are there so many? Different domains Mobile devices (Objective
More informationProgramming Languages Third Edition
Programming Languages Third Edition Chapter 12 Formal Semantics Objectives Become familiar with a sample small language for the purpose of semantic specification Understand operational semantics Understand
More informationOn the correctness of template metaprograms
Proceedings of the 7 th International Conference on Applied Informatics Eger, Hungary, January 28 31, 2007 Vol 2 pp 301 308 On the correctness of template metaprograms Ádám Sipos, István Zólyomi, Zoltán
More informationRAISE in Perspective
RAISE in Perspective Klaus Havelund NASA s Jet Propulsion Laboratory, Pasadena, USA Klaus.Havelund@jpl.nasa.gov 1 The Contribution of RAISE The RAISE [6] Specification Language, RSL, originated as a development
More informationRewriting Needs Constraints and Constraints Need Rewriting
Rewriting Needs Constraints and Constraints Need Rewriting José Meseguer Department of Computer Science, UIUC ints 14 November 2008 Motivation Symbolic Computation, Rewriting, and Constraints Rewriting
More informationBug Finding with Under-approximating Static Analyses. Daniel Kroening, Matt Lewis, Georg Weissenbacher
Bug Finding with Under-approximating Static Analyses Daniel Kroening, Matt Lewis, Georg Weissenbacher Overview Over- vs. underapproximating static analysis Path-based symbolic simulation Path merging Acceleration
More informationFormal Semantics of Programming Languages
Formal Semantics of Programming Languages Mooly Sagiv Reference: Semantics with Applications Chapter 2 H. Nielson and F. Nielson http://www.daimi.au.dk/~bra8130/wiley_book/wiley.html Benefits of formal
More information6. Hoare Logic and Weakest Preconditions
6. Hoare Logic and Weakest Preconditions Program Verification ETH Zurich, Spring Semester 07 Alexander J. Summers 30 Program Correctness There are many notions of correctness properties for a given program
More informationMIDTERM EXAMINATION - CS130 - Spring 2005
MIDTERM EAMINATION - CS130 - Spring 2005 Your full name: Your UCSD ID number: This exam is closed book and closed notes Total number of points in this exam: 231 + 25 extra credit This exam counts for 25%
More informationCritical Analysis of Computer Science Methodology: Theory
Critical Analysis of Computer Science Methodology: Theory Björn Lisper Dept. of Computer Science and Engineering Mälardalen University bjorn.lisper@mdh.se http://www.idt.mdh.se/ blr/ March 3, 2004 Critical
More informationCS4215 Programming Language Implementation. Martin Henz
CS4215 Programming Language Implementation Martin Henz Thursday 15 March, 2012 2 Chapter 11 impl: A Simple Imperative Language 11.1 Introduction So far, we considered only languages, in which an identifier
More informationDistributed Systems Programming (F21DS1) Formal Verification
Distributed Systems Programming (F21DS1) Formal Verification Andrew Ireland Department of Computer Science School of Mathematical and Computer Sciences Heriot-Watt University Edinburgh Overview Focus on
More informationFormal Semantics of Programming Languages
Formal Semantics of Programming Languages Mooly Sagiv Reference: Semantics with Applications Chapter 2 H. Nielson and F. Nielson http://www.daimi.au.dk/~bra8130/wiley_book/wiley.html Benefits of formal
More informationStatic verification of program running time
Static verification of program running time CIS 673 course project report Caleb Stanford December 2016 Contents 1 Introduction 2 1.1 Total Correctness is Not Enough.................................. 2
More informationFinding and Fixing Bugs in Liquid Haskell. Anish Tondwalkar
Finding and Fixing Bugs in Liquid Haskell Anish Tondwalkar Overview Motivation Liquid Haskell Fault Localization Fault Localization Evaluation Predicate Discovery Predicate Discovery Evaluation Conclusion
More informationStatic Program Analysis Part 1 the TIP language
Static Program Analysis Part 1 the TIP language http://cs.au.dk/~amoeller/spa/ Anders Møller & Michael I. Schwartzbach Computer Science, Aarhus University Questions about programs Does the program terminate
More informationParameter Passing Styles
Dr. Mattox Beckman University of Illinois at Urbana-Champaign Department of Computer Science Objectives You should be able to... The function call is one of the most fundamental elements of programming.
More informationPROGRAMMING IN HASKELL. CS Chapter 6 - Recursive Functions
PROGRAMMING IN HASKELL CS-205 - Chapter 6 - Recursive Functions 0 Introduction As we have seen, many functions can naturally be defined in terms of other functions. factorial :: Int Int factorial n product
More informationImproving Program Testing and Understanding via Symbolic Execution
Improving Program Testing and Understanding via Symbolic Execution Kin-Keung Ma PhD Dissertation Defense December 9 th, 2011 Motivation } Every year, billions of dollars are lost due to software system
More informationCSCI-GA Scripting Languages
CSCI-GA.3033.003 Scripting Languages 12/02/2013 OCaml 1 Acknowledgement The material on these slides is based on notes provided by Dexter Kozen. 2 About OCaml A functional programming language All computation
More informationComputing Fundamentals 2 Introduction to CafeOBJ
Computing Fundamentals 2 Introduction to CafeOBJ Lecturer: Patrick Browne Lecture Room: K408 Lab Room: A308 Based on work by: Nakamura Masaki, João Pascoal Faria, Prof. Heinrich Hußmann. See notes on slides
More informationDOM: Specification & Client Reasoning
DOM: Specification & Client Reasoning Azalea Raad José Fragoso Santos Philippa Gardner Imperial College London APLAS 16 23 November 2016 1 Document Object Model (DOM) Cross-platform, language-independent,
More informationReasoning About Imperative Programs. COS 441 Slides 10
Reasoning About Imperative Programs COS 441 Slides 10 The last few weeks Agenda reasoning about functional programming It s very simple and very uniform: substitution of equal expressions for equal expressions
More informationFormal C semantics: CompCert and the C standard
Formal C semantics: CompCert and the C standard Robbert Krebbers 1, Xavier Leroy 2, and Freek Wiedijk 1 1 ICIS, Radboud University Nijmegen, The Netherlands 2 Inria Paris-Rocquencourt, France Abstract.
More informationTo be or not programmable Dimitri Papadimitriou, Bernard Sales Alcatel-Lucent April 2013 COPYRIGHT 2011 ALCATEL-LUCENT. ALL RIGHTS RESERVED.
To be or not programmable Dimitri Papadimitriou, Bernard Sales Alcatel-Lucent April 2013 Introduction SDN research directions as outlined in IRTF RG outlines i) need for more flexibility and programmability
More informationIntegration of SMT Solvers with ITPs There and Back Again
Integration of SMT Solvers with ITPs There and Back Again Sascha Böhme and University of Sheffield 7 May 2010 1 2 Features: SMT-LIB vs. Yices Translation Techniques Caveats 3 4 Motivation Motivation System
More informationIn Our Last Exciting Episode
In Our Last Exciting Episode #1 Lessons From Model Checking To find bugs, we need specifications What are some good specifications? To convert a program into a model, we need predicates/invariants and
More informationVerifying C & C++ with ESBMC
Verifying C & C++ with ESBMC Denis A Nicole dan@ecs.soton.ac.uk CyberSecuritySoton.org [w] @CybSecSoton [fb & tw] ESBMC ESBMC, the Efficient SMT-Based Context-Bounded Model Checker was originally developed
More informationThis is already grossly inconvenient in present formalisms. Why do we want to make this convenient? GENERAL GOALS
1 THE FORMALIZATION OF MATHEMATICS by Harvey M. Friedman Ohio State University Department of Mathematics friedman@math.ohio-state.edu www.math.ohio-state.edu/~friedman/ May 21, 1997 Can mathematics be
More informationEfficient Symbolic Execution for Software Testing
Efficient Symbolic Execution for Software Testing Johannes Kinder Royal Holloway, University of London Joint work with: Stefan Bucur, George Candea, Volodymyr Kuznetsov @ EPFL Symbolic Execution Automatically
More informationCS 137 Part 8. Merge Sort, Quick Sort, Binary Search. November 20th, 2017
CS 137 Part 8 Merge Sort, Quick Sort, Binary Search November 20th, 2017 This Week We re going to see two more complicated sorting algorithms that will be our first introduction to O(n log n) sorting algorithms.
More informationType Systems COMP 311 Rice University Houston, Texas
Rice University Houston, Texas 1 Type Systems for Programming Language were invented by mathematicians before electronic computers were invented. What is a type? A meaningful subset of the set of the domain
More informationλ calculus is inconsistent
Content Rough timeline COMP 4161 NICTA Advanced Course Advanced Topics in Software Verification Gerwin Klein, June Andronick, Toby Murray λ Intro & motivation, getting started [1] Foundations & Principles
More informationAnnouncements. Written Assignment 2 due today at 5:00PM. Programming Project 2 due Friday at 11:59PM. Please contact us with questions!
Type-Checking Announcements Written Assignment 2 due today at 5:00PM. Programming Project 2 due Friday at 11:59PM. Please contact us with questions! Stop by office hours! Email the staff list! Ask on Piazza!
More informationA Verified Implementation of the Bounded List Container
A Verified Implementation of the Bounded List Container Raphaël Cauderlier, Mihaela Sighireanu March 26, 2018 1 / 32 Outline 1 Introduction 2 Bounded Doubly-Linked Lists 3 Verification 4 Conclusion 2 /
More informationA Context-Sensitive Memory Model for Verification of C/C++ Programs
A Context-Sensitive Memory Model for Verification of C/C++ Programs Arie Gurfinkel and Jorge A. Navas University of Waterloo and SRI International SAS 17, August 30th, 2017 Gurfinkel and Navas (UWaterloo/SRI)
More informationRethinking Automated Theorem Provers?
Rethinking Automated Theorem Provers? David J. Pearce School of Engineering and Computer Science Victoria University of Wellington @WhileyDave http://whiley.org http://github.com/whiley Background Verification:
More information1. true / false By a compiler we mean a program that translates to code that will run natively on some machine.
1. true / false By a compiler we mean a program that translates to code that will run natively on some machine. 2. true / false ML can be compiled. 3. true / false FORTRAN can reasonably be considered
More informationThe Substitution Model
The Substitution Model Prof. Clarkson Fall 2017 Today s music: Substitute by The Who Review Previously in 3110: simple interpreter for expression language abstract syntax tree (AST) evaluation based on
More informationPrinciples of Program Analysis. Lecture 1 Harry Xu Spring 2013
Principles of Program Analysis Lecture 1 Harry Xu Spring 2013 An Imperfect World Software has bugs The northeast blackout of 2003, affected 10 million people in Ontario and 45 million in eight U.S. states
More informationReasoning About Loops Using Vampire
EPiC Series in Computing Volume 38, 2016, Pages 52 62 Proceedings of the 1st and 2nd Vampire Workshops Reasoning About Loops Using Vampire Laura Kovács and Simon Robillard Chalmers University of Technology,
More informationJBMC: A Bounded Model Checking Tool for Verifying Java Bytecode. Lucas Cordeiro Pascal Kesseli Daniel Kroening Peter Schrammel Marek Trtik
: A Bounded Model Checking Tool for Verifying Java Bytecode Lucas Cordeiro Pascal Kesseli Daniel Kroening Peter Schrammel Marek Trtik Computer Aided Verification 2018 Why? Java and JVM languages: Most
More informationCIS 1.5 Course Objectives. a. Understand the concept of a program (i.e., a computer following a series of instructions)
By the end of this course, students should CIS 1.5 Course Objectives a. Understand the concept of a program (i.e., a computer following a series of instructions) b. Understand the concept of a variable
More informationCS152 Programming Language Paradigms Prof. Tom Austin, Fall Syntax & Semantics, and Language Design Criteria
CS152 Programming Language Paradigms Prof. Tom Austin, Fall 2014 Syntax & Semantics, and Language Design Criteria Lab 1 solution (in class) Formally defining a language When we define a language, we need
More informationBrowser Security Guarantees through Formal Shim Verification
Browser Security Guarantees through Formal Shim Verification Dongseok Jang Zachary Tatlock Sorin Lerner UC San Diego Browsers: Critical Infrastructure Ubiquitous: many platforms, sensitive apps Vulnerable:
More informationCMSC 330: Organization of Programming Languages. Formal Semantics of a Prog. Lang. Specifying Syntax, Semantics
Recall Architecture of Compilers, Interpreters CMSC 330: Organization of Programming Languages Source Scanner Parser Static Analyzer Operational Semantics Intermediate Representation Front End Back End
More information