Main Goal. Language-independent program verification framework. Derive program properties from operational semantics

Similar documents
From Hoare Logic to Matching Logic Reachability. Grigore Rosu and Andrei Stefanescu University of Illinois, USA

K and Matching Logic

Matching Logic. Grigore Rosu University of Illinois at Urbana-Champaign

An Annotated Language

Abstract Interpretation

Lectures 20, 21: Axiomatic Semantics

Proof Carrying Code(PCC)

VS 3 : SMT Solvers for Program Verification

Chapter 1. Introduction

Semantics-Based Program Verifiers for All Languages

Verification Condition Generation via Theorem Proving

The Rule of Constancy(Derived Frame Rule)

Matching Logic A New Program Verification Approach

Hoare logic. A proof system for separation logic. Introduction. Separation logic

Program Static Analysis. Overview

A CRASH COURSE IN SEMANTICS

Hoare Logic and Model Checking

Hoare Logic and Model Checking. A proof system for Separation logic. Introduction. Separation Logic

Softwaretechnik. Program verification. Albert-Ludwigs-Universität Freiburg. June 28, Softwaretechnik June 28, / 24

Formal Methods. CITS5501 Software Testing and Quality Assurance

Principles of Program Analysis. Lecture 1 Harry Xu Spring 2013

Introduction to Axiomatic Semantics

Lecture 5 - Axiomatic semantics

The Formal Semantics of Programming Languages An Introduction. Glynn Winskel. The MIT Press Cambridge, Massachusetts London, England

Part II. Hoare Logic and Program Verification. Why specify programs? Specification and Verification. Code Verification. Why verify programs?

Chapter 3 (part 3) Describing Syntax and Semantics

Hoare Logic: Proving Programs Correct

6. Hoare Logic and Weakest Preconditions

Basic Verification Strategy

Numerical Computations and Formal Methods

Program Verification. Aarti Gupta

Hoare triples. Floyd-Hoare Logic, Separation Logic

CITS5501 Software Testing and Quality Assurance Formal methods

From OCL to Propositional and First-order Logic: Part I

Semantics. There is no single widely acceptable notation or formalism for describing semantics Operational Semantics

CONVENTIONAL EXECUTABLE SEMANTICS. Grigore Rosu CS522 Programming Language Semantics

Software Quality Assurance

Verification Condition Generation

Verification Conditions. Juan Pablo Galeotti, Alessandra Gorla, Andreas Rau Saarland University, Germany

Introduction to Axiomatic Semantics (1/2)

LOGIC AND DISCRETE MATHEMATICS

CS 161 Computer Security

Softwaretechnik. Program verification. Software Engineering Albert-Ludwigs-University Freiburg. June 30, 2011

Integrating Arrays into the Heap-Hop program prover

Verified Characteristic Formulae for CakeML. Armaël Guéneau, Magnus O. Myreen, Ramana Kumar, Michael Norrish April 27, 2017

Hoare Logic. COMP2600 Formal Methods for Software Engineering. Rajeev Goré

An Extensible Programming Language for Verified Systems Software. Adam Chlipala MIT CSAIL WG 2.16 meeting, 2012

A Partial Correctness Proof for Programs with Decided Specifications

4/24/18. Overview. Program Static Analysis. Has anyone done static analysis? What is static analysis? Why static analysis?

Chapter 3. Describing Syntax and Semantics ISBN

Second-Order Type Systems

Introduction to Axiomatic Semantics (1/2)

Total Score /1 /20 /41 /15 /23 Grader

Proving Properties on Programs From the Coq Tutorial at ITP 2015

Verifying Java Programs Verifying Java Programs with KeY

CORRECTNESS ISSUES AND LOOP INVARIANTS

Verifying JML specifications with model fields

Symbolic Execution and Verification Conditions. Review of Verification Conditions. Survey from Homework 4. Time spent: 7.1 hrs (mean), 6 hrs (median)

From Event-B Models to Dafny Code Contracts

1 Introduction. 3 Syntax

Plan of the lecture. Quick-Sort. Partition of lists (or using extra workspace) Quick-Sort ( 10.2) Quick-Sort Tree. Partitioning arrays

CONVENTIONAL EXECUTABLE SEMANTICS. Grigore Rosu CS422 Programming Language Semantics

MatchC: A Matching Logic Reachability Verifier Using the K Framework

Correctness of specifications. Correctness. Correctness of specifications (2) Example of a Correctness Proof. Testing versus Correctness Proofs

Formal Methods of Software Design, Eric Hehner, segment 24 page 1 out of 5

Refinements to techniques for verifying shape analysis invariants in Coq

Towards a Unified Theory of Operational and Axiomatic Semantics

Finding and Fixing Bugs in Liquid Haskell. Anish Tondwalkar

CONVENTIONAL EXECUTABLE SEMANTICS. Grigore Rosu CS422 Programming Language Design

Programming Language Abstractions for Modularly Verified Distributed Systems. James R. Wilcox Zach Tatlock Ilya Sergey

Synchronization: Semaphores

Program Verification (6EC version only)

Why. an intermediate language for deductive program verification

Student number: Datenstrukturen & Algorithmen page 1

A Hoare Logic Contract Theory: An Exercise in Denotational Semantics

Reasoning about programs

Verifying Java Programs with KeY

Last time. Reasoning about programs. Coming up. Project Final Presentations. This Thursday, Nov 30: 4 th in-class exercise

Harvard School of Engineering and Applied Sciences CS 152: Programming Languages

CSE 307: Principles of Programming Languages

Proving Programs Correct

Low-Level Program Verification using Matching Logic Reachability

Lecture 4. First order logic is a formal notation for mathematics which involves:

From Hoare Logic to Matching Logic Reachability

Backward Reasoning: Rule for Assignment. Backward Reasoning: Rule for Sequence. Simple Example. Hoare Logic, continued Reasoning About Loops

Programming Languages Third Edition

Putting Static Analysis to Work for Verification

Runtime Checking and Test Case Generation for Python

Formally Certified Satisfiability Solving

3.4 Deduction and Evaluation: Tools Conditional-Equational Logic

2016 by Brandon Michael Moore.

Software verification using proof assistants

Verifying Java Programs Verifying Java Programs with KeY

The theory of Mezzo. François Pottier. IHP, April 2014 INRIA

IronFleet. Dmitry Bondarenko, Yixuan Chen

JML Class Specifications The Java Modeling Language (Part 2) A Java Class

Why3 where programs meet provers

Formal Verification of MIX Programs

Genie. Distributed Systems Synthesis and Verification. Marc Rosen. EN : Advanced Distributed Systems and Networks May 1, 2017

Contents. Chapter 1 SPECIFYING SYNTAX 1

Transcription:

Main Goal Language-independent program verification framework Derive program properties from operational semantics Questions: Is it possible? Is it practical? Answers: Sound and complete proof system, so YES, it is possible! Efficient automated verifier MatchC, so YES, it is practical! 1

Overview State-of-the-art in Certifiable Verification Our Approach Specifying Reachability Properties Reasoning about Reachability

Operational Semantics Easy to define and understand Can be regarded as formal implementations Require little mathematical knowledge Great introductory topics in PL courses Scale up well C (>1000 rules), Java, Scheme, Verilog,, defined Executable, so testable C semantics tested against real benchmarks 3

Operational Semantics Sample rule (may require a configuration context) Define languages only with rules of the form l, r are configuration terms b is a Boolean side condition 4

Unfortunately Operational semantics considered inappropriate for program verification; proofs are low-level and tedious: Formalization of and working with transition system Typically by induction on the structure of the program on the number of execution steps etc. 5

Axiomatic Semantics (Hoare Logic) Emphasis on program verification Programming language captured as a formal proof system deriving Hoare triples precondition postcondition 6

Axiomatic Semantics Not easy to define and understand, error-prone Not executable, hard to test Require program transformations, behavior loss Write e = 1 and you ve got a wrong semantics! 7

State-of-the-art in Certifiable Verification Define an operational semantics: trusted language model Define an axiomatic semantics: for verification purposes Prove axiomatic semantics sound for operational semantics Now we have trusted verification BUT Requires two semantics of the same language C operational semantics took more than 2 years! Must be done individually for each language 8

Overview State-of-the-art in Certifiable Verification Our Approach Specifying Reachability Properties Reasoning about Reachability

Our Approach Underlying belief: one semantics for each language! Executable (testable), easy to define and understand Suitable for program verification, as is Approach: language-independent proof system Takes operational semantics unchanged Derives program properties Both operational semantics rules and program specifications stated as reachability rules 10

Reachability Rules Pairs of configuration predicates Reachability: Any concrete configuration satisfying and terminating reaches a configuration satisfying, in the transition system induced by the operational semantics. 11

Overview State-of-the-art in Certifiable Verification Our Approach Specifying Reachability Properties Reasoning about Reachability

Reachability Rules - Operational + Axiomatic - Operational flavor Axiomatic flavor 13

Hoare Triple = Syntactic Sugar 14

Matching Logic State static properties of program configurations Parametric in a model of configurations Extends first-order logic with patterns Special predicates which are configuration terms Configurations satisfy patterns iff they match them C Configurations Extra 70 cells 15

Model of Configurations - Properties - Configuration abstraction (list) Separation achieved at term level Operations (reverse) 16

Separation Logic = Matching Logic Instance Separation logic: popular logic for heap properties Mechanical translation to matching logic (see paper) Configuration: Separation encoded using different sub-terms No expressiveness loss from using matching logic Matching logic gives structural separation anywhere in the configuration, not only in the heap 17

Operational and Axiomatic Semantics Rules as Reachability Rules Reachability rules generalize Operational semantics rules Hoare triples Operational semantics rule sugar for reachability rule is syntactic Hoare triple encoded in a reachability rule with the empty code in the right-hand-side (see FM 12) 18

Overview State-of-the-art in Certifiable Verification Our Approach Specifying Reachability Properties Reasoning about Reachability

Reasoning about Reachability The main result of our paper is a proof system deriving reachability rules from reachability rules: Trusted reachability rules (starts with operational semantics) Target reachability rule Claimed reachability rules 20

Reachability Proof System - 8 Rules - Symbolic execution Code (multiple with circular steps) Symbolic behavior execution (one step) 21

Circular behaviors Circularity and Transitivity proof rules Language-independent Hoare logic rule for while loops Language-specific 22

Soundness Theorem: If system, then is derivable by the proof is semantically valid. 23

Relative Completeness Theorem: If is semantically valid, then is derivable by the proof system, with the operational semantics of a language. Relativity Validity oracle for static configuration properties Language-independent result, unlike Hoare logics 24

MatchC Proof-of-concept verifier for a C fragment Derives program specifications from the operational semantics (in K framework) using the proof system No Hoare/separation logic, no WP, no VC generation Automated, user only provide Specifications for recursive functions and loops 25

MatchC Snapshot List reverse: code + invariant 26

Implementation Heuristics for applying the proof system (forward) symbolic execution Matching logic reasoning Maude: efficient structure matching and rearranging matching a list the heap, SMTs (CVC3, Z3): simplifying constraints small queries (milliseconds each) 27

Preliminary Evaluation Program Time (s) Buffered read-write 0.15 Stack inspection 0.24 Insertion sort Only annotated main functions 0.41 (insert/delete). Merge sort Inlined auxiliary functions 0.47 (balance, rotate, ). Quicksort 1.97 AVL find 0.15 AVL insert 43.5 AVL delete 133.58 Schorr-Waite (tree) 0.28 Schorr-Waite (graph) 1.73 Dozens more programs at matching-logic.org 28

Conclusions Matching logic reachability proof system Sound and (relatively) complete Practical MatchC, an automated verifier Expressive Efficient Operational semantics based verification is viable! matching-logic.org 29

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback