Integrating Arrays into the Heap-Hop program prover
|
|
- Kelly Morgan
- 5 years ago
- Views:
Transcription
1 Integrating Arrays into the Heap-Hop program prover Ioana Cristescu under the supervision of Jules Villard Queen Mary University of London 7 September / 29
2 Program verification using Heap-Hop Program verification assert program s correctness programs that manipulate memory harder in a concurrent setting need for an automated tool Heap-Hop - program prover for concurrent programs that manipulate pointers 2 / 29
3 Outline Context Formal verification Manipulating memory Concurrency Automation Our contributions The parameters The arrays Concluding remarks 3 / 29
4 Outline Context Formal verification Manipulating memory Concurrency Automation Our contributions The parameters The arrays Concluding remarks 4 / 29
5 Formal verification model the specifications model the program s behavior match the two models 5 / 29
6 Formal verification model the specifications model the program s behavior match the two models The Hoare triple {φ} p {φ } the program p the precondition φ and postcondition φ example: {list(x, 0)} y = copy(x); {list(x, 0) list(y, 0)} 5 / 29
7 Using pointers Why is it difficult formal verification uses a syntactic representation proper representation of the memory access example: the problem of aliasing 6 / 29
8 Using pointers Why is it difficult formal verification uses a syntactic representation proper representation of the memory access example: the problem of aliasing Separation Logic local reasoning example if z, list(x, 0) and list(y, 0) are disjoint {z list(x, 0)} y = copy(x); {z list(x, 0) list(y, 0)} {list(x, 0)} y = copy(x); {list(x, 0) list(y, 0)} separation conjuction: P R frame rule: {φ} p {φ } {φ φ } p {φ φ } 6 / 29
9 Concurrency Apply the separation conjuction to a shared memory model p2 p1 φ φ 1 φ 2 7 / 29
10 Communication The message passing model using bidirectional channels a channel is guarded by two endpoints e, f communication respects a protocol, called a contract contract C{ initial state start {?data compute; } state compute {!result finish; } final state finish {} } the contract guarantees some safety properties a symbolic representation of the exchanged messages, called a message footprint [val ] 8 / 29
11 The copyless message passing model Ownership transfer p2 p2 p1 x p1 x 9 / 29
12 The copyless message passing model Ownership transfer p2 p2 p1 x p1 x The communication primitives open a communication channel {φ} (e, f ) = open(c) {φ e C[start] f C[start]} send a pointer x {φ x } send(a, e, x) {φ} receive a pointer x {φ} x = receive(a, f ) {φ x } close the channel {φ e C[finish] f C[finish]} close(e, f ) {φ} 9 / 29
13 Automation Annotate programs procedure_name [precondition] {procedure_body} [postcondition] message message_name [message footprint] example: message cell [val ] 10 / 29
14 Automation Annotate programs procedure_name [precondition] {procedure_body} [postcondition] message message_name [message footprint] example: message cell [val ] Semantics for the precondition and the postcondition σ, p σ σ, p error with σ the current state of a program p defined by a stack s for storing variables x = 4 [[x]] s = 4 [empty] a heap h representing the process memory x value := 4 h([[x]] s value) = 4 10 / 29
15 A semantic state models a separation logic formula the semantics - the actual behavior of the program a proof system using separation logic - allows to reason about the program s correctness 11 / 29
16 A semantic state models a separation logic formula the semantics - the actual behavior of the program a proof system using separation logic - allows to reason about the program s correctness Using the Hoare triples If {φ} p {φ } σ, p σ σ = φ then σ = φ. 11 / 29
17 The proof system Separation logic proof system symbolically execute each operation the inference rules {φ 3 } skip {φ }... {φ 2 } C {φ } {φ 1 } operation(); C {φ } 12 / 29
18 The proof system Separation logic proof system symbolically execute each operation the inference rules {φ 3 } skip {φ }... {φ 2 } C {φ } {φ 1 } operation(); C {φ } the entailment rules φ φ... φ 3 φ the proof system is sound and decidable 12 / 29
19 Heap-Hop Limitations no mechanism for retrieving data about previous communications no support for programs that manipulate arrays 13 / 29
20 Heap-Hop Limitations no mechanism for retrieving data about previous communications no support for programs that manipulate arrays Contributions 13 / 29
21 Heap-Hop Limitations no mechanism for retrieving data about previous communications no support for programs that manipulate arrays Contributions the parameters modify the proof system rules for the operations send, receive, open and close keep the proof system sound: the rules are consistent with the semantics 13 / 29
22 Heap-Hop Limitations no mechanism for retrieving data about previous communications no support for programs that manipulate arrays Contributions the parameters modify the proof system rules for the operations send, receive, open and close keep the proof system sound: the rules are consistent with the semantics the arrays add the proof system s rules for handling the predicate array add the corresponding semantic rules prove that the new proof system is sound and decidable 13 / 29
23 Heap-Hop Limitations no mechanism for retrieving data about previous communications no support for programs that manipulate arrays Contributions the parameters modify the proof system rules for the operations send, receive, open and close keep the proof system sound: the rules are consistent with the semantics the arrays add the proof system s rules for handling the predicate array add the corresponding semantic rules prove that the new proof system is sound and decidable implementation in Caml ( 1000 lines added) 13 / 29
24 Outline Context Formal verification Manipulating memory Concurrency Automation Our contributions The parameters The arrays Concluding remarks 14 / 29
25 The parameters Modify the endpoint e Contract[contract state], param 1 :, param 2 :,... update the parameter using a user-defined function p 1 = nextparam(e, f, val 1, p 1 ) p 2 = nextparam(e, f, val 2, p 2 )... update the parameter after a message is sent/received message message name [...]updating nextparam(endpoints, sent value, parameter) 15 / 29
26 Example of using the parameters Sending a list cell by cell x val next... val 0 inductive predicate list(x, 0) list(x, 0) (x = 0 empty) (x 0 x.x next : x list(x, 0)) the exchanged messages message cell [val next : param = val] nextparam(val,...) = val next 16 / 29
27 The rule for Receive in the proof system { (φ E cs : q, ctt : C, rl : r, pr : E, ρ)[x /x] γ a(e[x /x], E [x /x], r, x) succ(c, q,!a, r) = q } {C}{φ } {φ E cs : q, ctt : C, rl : r, pr : E, ρ} x = receive(a, E); C {φ } 17 / 29
28 The rule for Receive in the proof system { (φ E cs : q, ctt : C, rl : r, pr : E, ρ)[x /x] γ a(e[x /x], E [x /x], r, x) succ(c, q,!a, r) = q } {C}{φ } {φ E cs : q, ctt : C, rl : r, pr : E, ρ} x = receive(a, E); C {φ } receive a cell message cell [val next : param = val] nextparam(val,...) = val next {f C[transfer], p : y list(l, y)} x = receive(cell, f ); 17 / 29
29 The rule for Receive in the proof system { (φ E cs : q, ctt : C, rl : r, pr : E, ρ)[x /x] γ a(e[x /x], E [x /x], r, x) succ(c, q,!a, r) = q } {C}{φ } {φ E cs : q, ctt : C, rl : r, pr : E, ρ} x = receive(a, E); C {φ } receive a cell message cell [val next : param = val] nextparam(val,...) = val next {f C[transfer], p : y list(l, y)} x = receive(cell, f ); {f C[transfer], p : y list(l, y) x next : x x = y} 17 / 29
30 The rule for Receive in the proof system { (φ E cs : q, ctt : C, rl : r, pr : E, ρ)[x /x] γ a(e[x /x], E [x /x], r, x) succ(c, q,!a, r) = q } {C}{φ } {φ E cs : q, ctt : C, rl : r, pr : E, ρ} x = receive(a, E); C {φ } receive a cell message cell [val next : param = val] nextparam(val,...) = val next {f C[transfer], p : y list(l, y)} x = receive(cell, f ); {f C[transfer], p : y list(l, y) x next : x x = y} {f C[transfer], p : x list(l, x) x next : x } 17 / 29
31 The rule for Receive in the proof system { (φ E cs : q, ctt : C, rl : r, pr : E, ρ)[x /x] γ a(e[x /x], E [x /x], r, x) succ(c, q,!a, r) = q } {C}{φ } {φ E cs : q, ctt : C, rl : r, pr : E, ρ} x = receive(a, E); C {φ } receive a cell message cell [val next : param = val] nextparam(val,...) = val next {f C[transfer], p : y list(l, y)} x = receive(cell, f ); {f C[transfer], p : y list(l, y) x next : x x = y} {f C[transfer], p : x list(l, x) x next : x } {f C[transfer], p : x list(l, x) x next : x } 17 / 29
32 The rule for Receive in the proof system { (φ E cs : q, ctt : C, rl : r, pr : E, ρ)[x /x] γ a(e[x /x], E [x /x], r, x) succ(c, q,!a, r) = q } {C}{φ } {φ E cs : q, ctt : C, rl : r, pr : E, ρ} x = receive(a, E); C {φ } receive a cell message cell [val next : param = val] nextparam(val,...) = val next {f C[transfer], p : y list(l, y)} x = receive(cell, f ); {f C[transfer], p : y list(l, y) x next : x x = y} {f C[transfer], p : x list(l, x) x next : x } {f C[transfer], p : x list(l, x) x next : x } {f C[transfer], p : x list(l, x )} 17 / 29
33 The arrays Defined by the inductive predicate array(x, E 1, E 2, E 3 ) E 1, E 2 - the indices bounding the array that we can access {[[x + E 1 ]] s,..., [[x + E 2 1]] s } dom(h) E 3 - the size of the array array(x, E 1, E 2, E 3 ) (E 1 E 2 empty) ( i.e 1 i < E 2.array(x, E 1, i, E 3 ) array(x, i + 1, E 2, E 3 ) x[i] F ) x[i] h([[x + i]] s ) 18 / 29
34 Allocate and dispose arrays allocating the array disposing the array {empty} x = new(10); {array(x, 0, 10, 10)} {array(x, 0, 3, 10) x + 3 array(x, 4, 7, 10) array(x, 7, 10, 10)} dispose(x); {empty} we need to know the size of the array we disallocate an array only if all its elements are available 19 / 29
35 Example of using the arrays a server distributes the array x to several workers the exchanged messages: message rands [ array(x, val1, val2, 10)] nextparam(val i, param i,...) = val i with i {1, 2} message result [ array(x, param1, param2, 10)] nextparam(val i, param i,...) = param i with i {1, 2} 20 / 29
36 The server s function message rands [ array(x, val1, val2, 10)] nextparam(val, param) = val message result [ array(x, param1, param2, 10)] nextparam(val, param) = param {s C[start], p : (0, 5) array(x, 0, 10, 10)} 21 / 29
37 The server s function message rands [ array(x, val1, val2, 10)] nextparam(val, param) = val message result [ array(x, param1, param2, 10)] nextparam(val, param) = param {s C[start], p : (0, 5) array(x, 0, 10, 10)} {s C[start], p : (0, 5) array(x, 0, 5, 10) array(x, 5, 10, 10)} send(rands, s, x, 0, 5); 21 / 29
38 The server s function message rands [ array(x, val1, val2, 10)] nextparam(val, param) = val message result [ array(x, param1, param2, 10)] nextparam(val, param) = param {s C[start], p : (0, 5) array(x, 0, 10, 10)} {s C[start], p : (0, 5) array(x, 0, 5, 10) array(x, 5, 10, 10)} send(rands, s, x, 0, 5); {s C[compute], p : (0, 5) array(x, 5, 10, 10)} 21 / 29
39 The server s function message rands [ array(x, val1, val2, 10)] nextparam(val, param) = val message result [ array(x, param1, param2, 10)] nextparam(val, param) = param {s C[start], p : (0, 5) array(x, 0, 10, 10)} {s C[start], p : (0, 5) array(x, 0, 5, 10) array(x, 5, 10, 10)} send(rands, s, x, 0, 5); {s C[compute], p : (0, 5) array(x, 5, 10, 10)} y = receive(result, s); {s C[end], p : (0, 5) array(x, 0, 5, 10) array(x, 5, 10, 10)} 21 / 29
40 Outline Context Formal verification Manipulating memory Concurrency Automation Our contributions The parameters The arrays Concluding remarks 22 / 29
41 Concluding remarks Contributions theoretical results modify the proof system and the semantics in order to accomodate arrays and parameters properties on the new proof system Soundness Any provable entailment is valid. Decidability The entailment procedure terminates. features available in Heap-Hop Future work theoretical - prove that the new proof system is complete implementation - automatically discover the arrays and the values of the parameters 23 / 29
42 The proof system and the semantics - example The proof system {φ[x /x] array(x, 0, E, E)} C {φ } {φ} x = new(e); C {φ } Semantics σ = (s, h) ε,...ε + n / dom(h) σ = ([s x : ε, E : n], [h ε : (val 0, E, ε),...ε + n : (val n, E, ε)]) x = new(e); C, (σ, k) C, (σ.k) 24 / 29
43 Access one element of the array φ E 1 E < E 2 {φ array(x, E 1, E, E 3 ) array(x, E + 1, E 2, E 3 ) x[e] f } x[e] f := F ; p {φ } {φ array(x, E 1, E 2, E 3 )} x[e] f := F ; p {φ } 25 / 29
44 Access one element of the array φ E 1 E < E 2 {φ array(x, E 1, E, E 3 ) array(x, E + 1, E 2, E 3 ) x[e] f } x[e] f := F ; p {φ } {φ array(x, E 1, E 2, E 3 )} x[e] f := F ; p {φ } An entailment rule φ array(x, E, E + 1, E ) φ φ x[e] f φ 25 / 29
45 Example of using the arrays a server generates an array of random values two workers perform some computation on parts of the array the result is sent back to the server the exchanged messages: message rands [ array(x, val1, val2, 10)] nextparam(val i, param i,...) = val i with i {1, 2} message result [ array(x, param1, param2, 10)] nextparam(val i, param i,...) = param i with i {1, 2} contract contract C{ initial state start {!rands compute; } state compute {?result end; } final state end {} } 26 / 29
46 The server s function message rands [ array(x, val1, val2, 10)] nextparam(val, param) = val message result [ array(x, param1, param2, 10)] nextparam(val, param) = param {s1 C[start], p : (O, 5) s2 C[start], p : (5, 10) array(x, 0, 10, 10)} {s1 C[start], p : (O, 5) s2 C[start], p : (5, 10) array(x, 0, 5, 10) array(x, 5, 10, 10)} send(rands, s1, x, 0, 5); {s1 C[compute], p : (O, 5) s2 C[start], p : (5, 10) array(x, 5, 10, 10)} send(rands, s2, x, 5, 10); {s1 C[compute], p : (O, 5) s2 C[compute], p : (5, 10)} y = receive(result, s1); {s1 C[end], p : (O, 5) s2 C[compute], p : (5, 10) array(x, 0, 5, 10)} z = receive(result, s2); {s1 C[end], p : (O, 5) s2 C[end], p : (5, 10) array(x, 0, 5, 10) array(x, 5, 10, 10)} 27 / 29
47 The worker s function message rands [ array(x, val1, val2, 10)] nextparam(val, param) = val message result [ array(x, param1, param2, 10)] nextparam(val, param) = param {w C[start], p : (sindex, eindex)} (i, j) = receive(rands, w); {w C[compute], p : (sindex, eindex) array(x, i, j, 10)} {w C[compute], p : (i, j) array(x, i, j, 10)} res = computation(x[i], x[i + 1],..., x[j]); send(result, w, res); {w C[end], p : (i, j)} 28 / 29
48 The rule for Send in the proof system {φ E cs : q, ctt : C, rl : r, pr : E, p : P, ρ} p 1 = P; p 2 = nextparam(e, E, r, E 1, P); E p := p 2 ; send(a, E, E 1 ); C {φ } {φ E cs : q, ctt : C, rl : r, pr : E, p : P, ρ} send param(a, E, E 1 ); C {φ } 29 / 29
49 The rule for Send in the proof system {φ E cs : q, ctt : C, rl : r, pr : E, p : P, ρ} p 1 = P; p 2 = nextparam(e, E, r, E 1, P); E p := p 2 ; send(a, E, E 1 ); C {φ } {φ E cs : q, ctt : C, rl : r, pr : E, p : P, ρ} send param(a, E, E 1 ); C {φ } send a cell message cell [val next : param = val] nextparam(val,...) = val next {e C[transfer], p : x list(x, 0)} send(a, e, x); {e C[transfer], p : x list(x, 0) x next : x p 1 = x} {e C[transfer], p : x list(x, 0) x next : x p 1 = x} {e C[transfer], p : x list(x, 0)} 29 / 29
Hoare triples. Floyd-Hoare Logic, Separation Logic
Hoare triples Floyd-Hoare Logic, Separation Logic 1. Floyd-Hoare Logic 1969 Reasoning about control Hoare triples {A} p {B} a Hoare triple partial correctness: if the initial state satisfies assertion
More informationHoare logic. A proof system for separation logic. Introduction. Separation logic
Introduction Hoare logic Lecture 6: Examples in separation logic In the previous lecture, we saw how reasoning about pointers in Hoare logic was problematic, which motivated introducing separation logic.
More informationHoare Logic and Model Checking
Hoare Logic and Model Checking Kasper Svendsen University of Cambridge CST Part II 2016/17 Acknowledgement: slides heavily based on previous versions by Mike Gordon and Alan Mycroft Introduction In the
More informationHoare Logic and Model Checking. A proof system for Separation logic. Introduction. Separation Logic
Introduction Hoare Logic and Model Checking In the previous lecture we saw the informal concepts that Separation Logic is based on. Kasper Svendsen University of Cambridge CST Part II 2016/17 This lecture
More informationAn Annotated Language
Hoare Logic An Annotated Language State and Semantics Expressions are interpreted as functions from states to the corresponding domain of interpretation Operators have the obvious interpretation Free of
More informationHoare Logic and Model Checking
Hoare Logic and Model Checking Kasper Svendsen University of Cambridge CST Part II 2016/17 Acknowledgement: slides heavily based on previous versions by Mike Gordon and Alan Mycroft Pointers Pointers and
More informationCompilation and Program Analysis (#11) : Hoare triples and shape analysis
Compilation and Program Analysis (#11) : Hoare triples and shape analysis Laure Gonnord http://laure.gonnord.org/pro/teaching/capm1.html Laure.Gonnord@ens-lyon.fr Master 1, ENS de Lyon dec 2017 Inspiration
More informationThe Rule of Constancy(Derived Frame Rule)
The Rule of Constancy(Derived Frame Rule) The following derived rule is used on the next slide The rule of constancy {P } C {Q} {P R} C {Q R} where no variable assigned to in C occurs in R Outline of derivation
More informationIntroduction to Axiomatic Semantics
Introduction to Axiomatic Semantics Meeting 10, CSCI 5535, Spring 2009 Announcements Homework 3 due tonight Homework 2 is graded 13 (mean), 14 (median), out of 21 total, but Graduate class: final project
More informationChapter 1. Introduction
1 Chapter 1 Introduction An exciting development of the 21st century is that the 20th-century vision of mechanized program verification is finally becoming practical, thanks to 30 years of advances in
More informationHoare logic. WHILE p, a language with pointers. Introduction. Syntax of WHILE p. Lecture 5: Introduction to separation logic
Introduction Hoare logic Lecture 5: Introduction to separation logic In the previous lectures, we have considered a language, WHILE, where mutability only concerned program variables. Jean Pichon-Pharabod
More informationLectures 20, 21: Axiomatic Semantics
Lectures 20, 21: Axiomatic Semantics Polyvios Pratikakis Computer Science Department, University of Crete Type Systems and Static Analysis Based on slides by George Necula Pratikakis (CSD) Axiomatic Semantics
More informationHoare logic. Lecture 5: Introduction to separation logic. Jean Pichon-Pharabod University of Cambridge. CST Part II 2017/18
Hoare logic Lecture 5: Introduction to separation logic Jean Pichon-Pharabod University of Cambridge CST Part II 2017/18 Introduction In the previous lectures, we have considered a language, WHILE, where
More informationLecture 5 - Axiomatic semantics
Program Verification March 2014 Lecture 5 - Axiomatic semantics Lecturer: Noam Rinetzky Scribes by: Nir Hemed 1.1 Axiomatic semantics The development of the theory is contributed to Robert Floyd, C.A.R
More informationInferring Invariants in Separation Logic for Imperative List-processing Programs
Inferring Invariants in Separation Logic for Imperative List-processing Programs Stephen Magill Carnegie Mellon University smagill@cs.cmu.edu Aleksandar Nanevski Harvard University aleks@eecs.harvard.edu
More informationMain Goal. Language-independent program verification framework. Derive program properties from operational semantics
Main Goal Language-independent program verification framework Derive program properties from operational semantics Questions: Is it possible? Is it practical? Answers: Sound and complete proof system,
More informationProof Carrying Code(PCC)
Discussion p./6 Proof Carrying Code(PCC Languaged based security policy instead of OS-based A mechanism to determine with certainity that it is safe execute a program or not Generic architecture for providing
More informationPart II. Hoare Logic and Program Verification. Why specify programs? Specification and Verification. Code Verification. Why verify programs?
Part II. Hoare Logic and Program Verification Part II. Hoare Logic and Program Verification Dilian Gurov Props: Models: Specs: Method: Tool: safety of data manipulation source code logic assertions Hoare
More informationAn Operational and Axiomatic Semantics for Non-determinism and Sequence Points in C
An Operational and Axiomatic Semantics for Non-determinism and Sequence Points in C Robbert Krebbers Radboud University Nijmegen January 22, 2014 @ POPL, San Diego, USA 1 / 16 What is this program supposed
More informationFormal Systems II: Applications
Formal Systems II: Applications Functional Verification of Java Programs: Java Dynamic Logic Bernhard Beckert Mattias Ulbrich SS 2017 KIT INSTITUT FÜR THEORETISCHE INFORMATIK KIT University of the State
More informationAn Extended Behavioral Type System for Memory-Leak Freedom. Qi Tan, Kohei Suenaga, and Atsushi Igarashi Kyoto University
An Extended Behavioral Type System for Memory-Leak Freedom Qi Tan, Kohei Suenaga, and Atsushi Igarashi Kyoto University Introduction n Memory leak, forgetting to deallocate an allocated memory cell, is
More informationCompositional Resource Invariant Synthesis
Compositional Resource Invariant Synthesis Cristiano Calcagno 1, Dino Distefano 2, and Viktor Vafeiadis 3 1 Imperial College 2 Queen Mary University of London 3 Microsoft Research, Cambridge Abstract.
More informationCS 6110 S11 Lecture 25 Typed λ-calculus 6 April 2011
CS 6110 S11 Lecture 25 Typed λ-calculus 6 April 2011 1 Introduction Type checking is a lightweight technique for proving simple properties of programs. Unlike theorem-proving techniques based on axiomatic
More information1 Introduction. 3 Syntax
CS 6110 S18 Lecture 19 Typed λ-calculus 1 Introduction Type checking is a lightweight technique for proving simple properties of programs. Unlike theorem-proving techniques based on axiomatic semantics,
More informationHoare Logic. COMP2600 Formal Methods for Software Engineering. Rajeev Goré
Hoare Logic COMP2600 Formal Methods for Software Engineering Rajeev Goré Australian National University Semester 2, 2016 (Slides courtesy of Ranald Clouston) COMP 2600 Hoare Logic 1 Australian Capital
More informationBi-Abductive Resource Invariant Synthesis
Bi-Abductive Resource Invariant Synthesis Cristiano Calcagno 1, Dino Distefano 2, and Viktor Vafeiadis 3 1 Imperial College 2 Queen Mary University of London 3 Microsoft Research, Cambridge Abstract. We
More informationReminder of the last lecture. Aliasing Issues: Call by reference, Pointer programs. Introducing Aliasing Issues. Home Work from previous lecture
Reminder of the last lecture Aliasing Issues: Call by reference, Pointer programs Claude Marché Cours MPRI 2-36-1 Preuve de Programme 18 janvier 2017 Additional features of the specification language Abstract
More informationHarvard School of Engineering and Applied Sciences CS 152: Programming Languages
Harvard School of Engineering and Applied Sciences CS 152: Programming Languages Lecture 19 Tuesday, April 3, 2018 1 Introduction to axiomatic semantics The idea in axiomatic semantics is to give specifications
More informationSeparation Logic Tutorial
Separation Logic Tutorial (To appear in Proceedings of ICLP 08) Peter O Hearn Queen Mary, University of London Separation logic is an extension of Hoare s logic for reasoning about programs that manipulate
More informationFrom Hoare Logic to Matching Logic Reachability. Grigore Rosu and Andrei Stefanescu University of Illinois, USA
From Hoare Logic to Matching Logic Reachability Grigore Rosu and Andrei Stefanescu University of Illinois, USA Matching Logic Reachability - Goal - Language independent program verification framework Derives
More informationInferring Invariants in Separation Logic for Imperative List-processing Programs
Inferring Invariants in Separation Logic for Imperative List-processing Programs Stephen Magill Carnegie Mellon University smagill@cs.cmu.edu Aleksandar Nanevski Harvard University aleks@eecs.harvard.edu
More informationIntroduction to Axiomatic Semantics (1/2)
#1 Introduction to Axiomatic Semantics (1/2) How s The Homework Going? Remember that you can t just define a meaning function in terms of itself you must use some fixed point machinery. #2 #3 Observations
More informationSoftware Security: Vulnerability Analysis
Computer Security Course. Software Security: Vulnerability Analysis Program Verification Program Verification How to prove a program free of buffer overflows? Precondition Postcondition Loop invariants
More informationRuntime Checking for Program Verification Systems
Runtime Checking for Program Verification Systems Karen Zee, Viktor Kuncak, and Martin Rinard MIT CSAIL Tuesday, March 13, 2007 Workshop on Runtime Verification 1 Background Jahob program verification
More informationWarm-Up Problem. 1. What is the definition of a Hoare triple satisfying partial correctness? 2. Recall the rule for assignment: x (assignment)
Warm-Up Problem 1 What is the definition of a Hoare triple satisfying partial correctness? 2 Recall the rule for assignment: x (assignment) Why is this the correct rule and not the following rule? x (assignment)
More informationIntroduction to Axiomatic Semantics (1/2)
#1 Introduction to Axiomatic Semantics (1/2) How s The Homework Going? Remember: just do the counterexample guided abstraction refinement part of DPLL(T). If you notice any other errors, those are good
More informationPrecision and the Conjunction Rule in Concurrent Separation Logic
Precision and the Conjunction Rule in Concurrent Separation Logic Alexey Gotsman a Josh Berdine b Byron Cook b,c a IMDEA Software Institute b Microsoft Research c Queen Mary University of London Abstract
More informationCITS5501 Software Testing and Quality Assurance Formal methods
CITS5501 Software Testing and Quality Assurance Formal methods Unit coordinator: Arran Stewart May 1, 2018 1 / 49 Sources Pressman, R., Software Engineering: A Practitioner s Approach, McGraw-Hill, 2005
More informationDenotational Semantics of a Simple Imperative Language Using Intensional Logic
Denotational Semantics of a Simple Imperative Language Using Intensional Logic Marc Bender bendermm@mcmaster.ca CAS 706 - Programming Languages Instructor: Dr. Jacques Carette Dept. of Computing and Software
More informationBI as an Assertion Language for Mutable Data Structures
BI as an Assertion Language for Mutable Data Structures Samin Ishtiaq Peter W. O Hearn Queen Mary & Westfield College, London ABSTRACT Reynolds has developed a logic for reasoning about mutable data structures
More informationHoare Logic: Proving Programs Correct
Hoare Logic: Proving Programs Correct 17-654/17-765 Analysis of Software Artifacts Jonathan Aldrich Reading: C.A.R. Hoare, An Axiomatic Basis for Computer Programming Some presentation ideas from a lecture
More informationA Programming Model for Concurrent Object-Oriented Programs
1 A Programming Model for Concurrent Object-Oriented Programs BART JACOBS, FRANK PIESSENS, and JAN SMANS Katholieke Universiteit Leuven and K. RUSTAN M. LEINO and WOLFRAM SCHULTE Microsoft Research Reasoning
More informationFrom OCL to Propositional and First-order Logic: Part I
22c181: Formal Methods in Software Engineering The University of Iowa Spring 2008 From OCL to Propositional and First-order Logic: Part I Copyright 2007-8 Reiner Hähnle and Cesare Tinelli. Notes originally
More informationLast class. CS Principles of Programming Languages. Introduction. Outline
Last class CS6848 - Principles of Programming Languages Principles of Programming Languages V. Krishna Nandivada IIT Madras Interpreters A Environment B Cells C Closures D Recursive environments E Interpreting
More informationLinear Logic, Heap-shape Patterns and Imperative Programming
Linear Logic, Heap-shape Patterns and Imperative Programming Limin Jia Princeton University ljia@cs.princeton.edu David Walker Princeton University dpw@cs.princeton.edu Abstract In this paper, we propose
More informationA Partial Correctness Proof for Programs with Decided Specifications
Applied Mathematics & Information Sciences 1(2)(2007), 195-202 An International Journal c 2007 Dixie W Publishing Corporation, U. S. A. A Partial Correctness Proof for Programs with Decided Specifications
More informationSymbolic Execution and Verification Conditions. Review of Verification Conditions. Survey from Homework 4. Time spent: 7.1 hrs (mean), 6 hrs (median)
Symbolic Execution and Verification Conditions Survey from Homework 4 Time spent: 7.1 hrs (mean), 6 hrs (median) Meeting 13, CSCI 5535, Spring 2009 2 Survey from Homework 4 Fun facts about your classmates:
More informationSeparation Logic: syntax, semantics and calculus
Separation Logic: syntax, semantics and calculus Syntax Semantics Calculus emp SL N/A FOL N/A = + Arithmetic N/A := ; while if then else [.] dispose(.) cons(.) State is a pair (Store,Heap) St(.) maps variables
More information6. Hoare Logic and Weakest Preconditions
6. Hoare Logic and Weakest Preconditions Program Verification ETH Zurich, Spring Semester 07 Alexander J. Summers 30 Program Correctness There are many notions of correctness properties for a given program
More informationWarm-Up Problem. Let be a set of well-formed Predicate logic formulas. Let be well-formed Predicate logic formulas. Prove or disprove the following.
Warm-Up Problem Let be a set of well-formed Predicate logic formulas Let be well-formed Predicate logic formulas Prove or disprove the following If then 1/35 Program Verification Carmen Bruni Lecture 18
More informationVerifying Concurrent Memory Reclamation Algorithms with Grace
Verifying Concurrent Memory Reclamation Algorithms with Grace Alexey Gotsman, Noam Rinetzky, and Hongseok Yang 1 IMDEA Software Institute 2 Tel-Aviv University 3 University of Oxford Abstract. Memory management
More informationProgramming Languages Third Edition
Programming Languages Third Edition Chapter 12 Formal Semantics Objectives Become familiar with a sample small language for the purpose of semantic specification Understand operational semantics Understand
More informationProgram Verification Using Separation Logic
Program Verification Using eparation Logic Dino Distefano Queen Mary University of London Lecture 5 Today s plan Adaptive hape Analysis Bi-Abduction and compositional analysis Part I Adaptive shape analysis
More informationPrinciples of Programming Languages
Principles of Programming Languages Lesson 14 Type Checking Collaboration and Management Dana Fisman www.cs.bgu.ac.il/~ppl172 1 Type Checking We return to the issue of type safety we discussed informally,
More informationLightweight Support for Magic Wands in an Automatic Verifier
Lightweight Support for Magic Wands in an Automatic Verifier Malte Schwerhoff and Alexander J. Summers ETH Zurich, Switzerland {malte.schwerhoff,alexander.summers}@inf.ethz.ch Abstract Permission-based
More informationProgram logics for relaxed consistency
Program logics for relaxed consistency UPMARC Summer School 2014 Viktor Vafeiadis Max Planck Institute for Software Systems (MPI-SWS) 1st Lecture, 28 July 2014 Outline Part I. Weak memory models 1. Intro
More informationFormal Methods. CITS5501 Software Testing and Quality Assurance
Formal Methods CITS5501 Software Testing and Quality Assurance Pressman, R. Software Engineering: A Practitioner s Approach. Chapter 28. McGraw-Hill, 2005 The Science of Programming, David Gries, 1981
More informationA CRASH COURSE IN SEMANTICS
LAST TIME Recdef More induction NICTA Advanced Course Well founded orders Slide 1 Theorem Proving Principles, Techniques, Applications Slide 3 Well founded recursion Calculations: also/finally {P}... {Q}
More informationThe Pointer Assertion Logic Engine
The Pointer Assertion Logic Engine [PLDI 01] Anders Mφller Michael I. Schwartzbach Presented by K. Vikram Cornell University Introduction Pointer manipulation is hard Find bugs, optimize code General Approach
More informationShared Variables and Interference
Illinois Institute of Technology Lecture 24 Shared Variables and Interference CS 536: Science of Programming, Spring 2018 A. Why Parallel programs can coordinate their work using shared variables, but
More informationMatching Logic: An Alternative to Hoare/Floyd Logic
Matching Logic: An Alternative to Hoare/Floyd Logic Grigore Roşu 1, Chucky Ellison 1, and Wolfram Schulte 2 1 University of Illinois at Urbana-Champaign {grosu, celliso2}@illinois.edu 2 Microsoft Research,
More informationVS 3 : SMT Solvers for Program Verification
VS 3 : SMT Solvers for Program Verification Saurabh Srivastava 1,, Sumit Gulwani 2, and Jeffrey S. Foster 1 1 University of Maryland, College Park, {saurabhs,jfoster}@cs.umd.edu 2 Microsoft Research, Redmond,
More informationThe Formal Semantics of Programming Languages An Introduction. Glynn Winskel. The MIT Press Cambridge, Massachusetts London, England
The Formal Semantics of Programming Languages An Introduction Glynn Winskel The MIT Press Cambridge, Massachusetts London, England Series foreword Preface xiii xv 1 Basic set theory 1 1.1 Logical notation
More informationA Shape Graph Logic and A Shape System
Li ZP, Zhang Y, Chen YY. A shape graph logic and a shape system. JOURNAL OF COMPUTER SCIENCE AND TECHNOLOGY 28(6): 1????? Nov. 2013. DOI 10.1007/s11390-013-1398-1 A Shape Graph Logic and A Shape System
More informationAbstract Interpretation
Abstract Interpretation Ranjit Jhala, UC San Diego April 22, 2013 Fundamental Challenge of Program Analysis How to infer (loop) invariants? Fundamental Challenge of Program Analysis Key issue for any analysis
More informationCombining Static and Dynamic Contract Checking for Curry
Michael Hanus (CAU Kiel) Combining Static and Dynamic Contract Checking for Curry LOPSTR 2017 1 Combining Static and Dynamic Contract Checking for Curry Michael Hanus University of Kiel Programming Languages
More informationSoftwaretechnik. Program verification. Albert-Ludwigs-Universität Freiburg. June 28, Softwaretechnik June 28, / 24
Softwaretechnik Program verification Albert-Ludwigs-Universität Freiburg June 28, 2012 Softwaretechnik June 28, 2012 1 / 24 Road Map Program verification Automatic program verification Programs with loops
More informationShared Variables and Interference
Solved Shared Variables and Interference CS 536: Science of Programming, Fall 2018 A. Why Parallel programs can coordinate their work using shared variables, but it s important for threads to not interfere
More informationAutomating Separation Logic for Concurrent C Minor
Automating Separation Logic for Concurrent C Minor William Mansky Princeton University, May 23, 2008 Abstract In this paper, I demonstrate the implementation of several tools for program analysis in a
More informationVerifying Java Programs Verifying Java Programs with KeY
Verifying Java Programs Verifying Java Programs with KeY Wolfgang Schreiner Wolfgang.Schreiner@risc.jku.at Research Institute for Symbolic Computation (RISC) Johannes Kepler University, Linz, Austria http://www.risc.jku.at
More informationSeparation Logic. COMP2600 Formal Methods for Software Engineering. Rajeev Goré. Australian National University Semester 2, 2016
Separation Logic COMP2600 Formal Methods for Software Engineering Rajeev Goré Australian National University Semester 2, 2016 COMP 2600 Separation Logic 1 Motivation: Reasoning About Pointers Recall this
More informationLocal Reasoning for Storable Locks and Threads
Local Reasoning for Storable Locks and Threads Alexey Gotsman 1, Josh Berdine 2, Byron Cook 2, Noam Rinetzky 3, and Mooly Sagiv 2,3 1 University of Cambridge 2 Microsoft Research 3 Tel-Aviv University
More informationPointer Programs, Separation Logic
Chapter 6 Pointer Programs, Separation Logic The goal of this section is to drop the hypothesis that we have until now, that is, references are not values of the language, and in particular there is nothing
More informationDynamic Logic with Non-rigid Functions
Dynamic Logic with Non-rigid Functions A Basis for Object-oriented Program Verification Bernhard Beckert 1 André Platzer 2 1 University of Koblenz-Landau, Department of Computer Science beckert@uni-koblenz.de
More informationApplication: Programming Language Semantics
Chapter 8 Application: Programming Language Semantics Prof. Dr. K. Madlener: Specification and Verification in Higher Order Logic 527 Introduction to Programming Language Semantics Programming Language
More informationConcurrent Programming Lecture 3
Concurrent Programming Lecture 3 3rd September 2003 Atomic Actions Fine grain atomic action We assume that all machine instructions are executed atomically: observers (including instructions in other threads)
More informationVerification Condition Generation
Verification Condition Generation Jorge Sousa Pinto Departamento de Informática / Universidade do Minho jsp@di.uminho.pt www.di.uminho.pt/~jsp Outline (1) - From Hoare Logic to VCGen algorithms: an architecture
More informationGeneralized Verification Support for Magic Wands
Generalized Verification Support for Magic Wands Bachelor s Thesis Nils Becker, nbecker@student.ethz.ch Supervisors: Malte Schwerhoff, malte.schwerhoff@inf.ethz.ch Alexander J. Summers, alexander.summers@inf.ethz.ch
More information1. true / false By a compiler we mean a program that translates to code that will run natively on some machine.
1. true / false By a compiler we mean a program that translates to code that will run natively on some machine. 2. true / false ML can be compiled. 3. true / false FORTRAN can reasonably be considered
More informationSymbolic Execution and Proof of Properties
Chapter 7 Symbolic Execution and Proof of Properties Symbolic execution builds predicates that characterize the conditions under which execution paths can be taken and the effect of the execution on program
More informationLocal Reasoning about a Copying Garbage Collector
Local Reasoning about a Copying Garbage Collector NOAH TORP-SMITH and LARS BIRKEDAL IT University of Copenhagen and JOHN C. REYNOLDS Carnegie Mellon University We present a programming language, model,
More informationA Grainless Semantics for Parallel Programs with Shared Mutable Data
MFPS XX1 Preliminary Version A Grainless Semantics for Parallel Programs with Shared Mutable Data Stephen Brookes Department of Computer Science Carnegie Mellon University Pittsburgh, USA Abstract We provide
More informationCERTIFIED REASONING FOR AUTOMATED VERIFICATION ASANKHAYA SHARMA NATIONAL UNIVERSITY OF SINGAPORE
CERTIFIED REASONING FOR AUTOMATED VERIFICATION ASANKHAYA SHARMA NATIONAL UNIVERSITY OF SINGAPORE 2014 CERTIFIED REASONING FOR AUTOMATED VERIFICATION ASANKHAYA SHARMA B.Tech. in Computer Science & Engineering
More informationMatching Logic. Grigore Rosu University of Illinois at Urbana-Champaign
Matching Logic Grigore Rosu University of Illinois at Urbana-Champaign Joint work with Andrei Stefanescu and Chucky Ellison. Started with Wolfram Schulte at Microsoft Research in 2009 Question could it
More informationLecture 11 Lecture 11 Nov 5, 2014
Formal Verification/Methods Lecture 11 Lecture 11 Nov 5, 2014 Formal Verification Formal verification relies on Descriptions of the properties or requirements Descriptions of systems to be analyzed, and
More informationEfficient Substitution in Hoare Logic Expressions
HOOTS 00 to appear Efficient Substitution in Hoare Logic Expressions Andrew W. Appel Roberto Virga Kedar N. Swadi Department of Computer Science Princeton University Princeton, NJ, U.S.A. Email: {appel,kswadi,rvirga}@cs.princeton.edu
More informationProgram Verification. Aarti Gupta
Program Verification Aarti Gupta 1 Agenda Famous bugs Common bugs Testing (from lecture 6) Reasoning about programs Techniques for program verification 2 Famous Bugs The first bug: A moth in a relay (1945)
More informationStatic Program Analysis
Static Program Analysis Thomas Noll Software Modeling and Verification Group RWTH Aachen University https://moves.rwth-aachen.de/teaching/ws-1617/spa/ Schedule of Lectures Jan 17/19: Interprocedural DFA
More informationCOS 320. Compiling Techniques
Topic 5: Types COS 320 Compiling Techniques Princeton University Spring 2016 Lennart Beringer 1 Types: potential benefits (I) 2 For programmers: help to eliminate common programming mistakes, particularly
More informationFormal Verification of a Real-Time Operating System
Formal Verification of a Real-Time Operating System A Thesis Submitted to the College of Graduate Studies and Research in Partial Fulfillment of the Requirements for the degree of Master of Science in
More informationSemantic Analysis. CSE 307 Principles of Programming Languages Stony Brook University
Semantic Analysis CSE 307 Principles of Programming Languages Stony Brook University http://www.cs.stonybrook.edu/~cse307 1 Role of Semantic Analysis Syntax vs. Semantics: syntax concerns the form of a
More informationGetting Started with AutoCorres
Getting Started with AutoCorres Japheth Lim Rohan Jacob-Rao David Greenaway September 10, 2018 Contents 1 Introduction 2 2 A First Proof with AutoCorres 2 2.1 Two simple functions: min and max...............
More informationPLSV, Mock Test, 2011
PLSV, Mock Test, 2011 Question 1 The lseg predicate describes a segment of a singly-linked list. It is defined to be the least predicate satisfying the following equation: lseg(e, F ) (E = F emp) (E F
More informationProving the Correctness of Distributed Algorithms using TLA
Proving the Correctness of Distributed Algorithms using TLA Khushboo Kanjani, khush@cs.tamu.edu, Texas A & M University 11 May 2007 Abstract This work is a summary of the Temporal Logic of Actions(TLA)
More informationLecture 6. Abstract Interpretation
Lecture 6. Abstract Interpretation Wei Le 2014.10 Outline Motivation History What it is: an intuitive understanding An example Steps of abstract interpretation Galois connection Narrowing and Widening
More informationRecap. Juan Pablo Galeotti,Alessandra Gorla, Software Engineering Chair Computer Science Saarland University, Germany
Recap Juan Pablo Galeotti,Alessandra Gorla, Software Engineering Chair Computer Science Saarland University, Germany 30% projects (10% each) At least 50% threshold for exam admittance Groups of 2 70% final
More informationThe semantics of a programming language is concerned with the meaning of programs, that is, how programs behave when executed on computers.
Semantics The semantics of a programming language is concerned with the meaning of programs, that is, how programs behave when executed on computers. The semantics of a programming language assigns a precise
More informationA semantics for concurrent separation logic
A semantics for concurrent separation logic Stephen Brookes Carnegie Mellon University Department of Computer Science Abstract. We present a denotational semantics based on action traces, for parallel
More informationA Hoare Logic Contract Theory: An Exercise in Denotational Semantics
A Hoare Logic Contract Theory: An Exercise in Denotational Semantics Dilian Gurov and Jonas Westman Abstract We sketch a simple theory of Hoare logic contracts for programs with procedures, presented in
More informationVerifying Java Programs Verifying Java Programs with KeY
Verifying Java Programs Verifying Java Programs with KeY Wolfgang Schreiner Wolfgang.Schreiner@risc.jku.at Research Institute for Symbolic Computation (RISC) Johannes Kepler University, Linz, Austria http://www.risc.jku.at
More information