Semantics-Based Program Verifiers for All Languages

Similar documents
From Hoare Logic to Matching Logic Reachability. Grigore Rosu and Andrei Stefanescu University of Illinois, USA

Matching Logic A New Program Verification Approach

Matching Logic. Grigore Rosu University of Illinois at Urbana-Champaign

K and Matching Logic

Semantics-Based Program Verifiers for All Languages

Main Goal. Language-independent program verification framework. Derive program properties from operational semantics

Low-Level Program Verification using Matching Logic Reachability

Grigore Rosu Founder, President and CEO Professor of Computer Science, University of Illinois

From Hoare Logic to Matching Logic Reachability

VS 3 : SMT Solvers for Program Verification

! Use of formal notations. ! in software system descriptions. ! for a broad range of effects. ! and varying levels of use. !

Lectures 20, 21: Axiomatic Semantics

CMSC 330: Organization of Programming Languages. Operational Semantics

Proof Carrying Code(PCC)

Towards a Unified Theory of Operational and Axiomatic Semantics

Hoare Logic. COMP2600 Formal Methods for Software Engineering. Rajeev Goré

Chapter 1. Introduction

SMT-LIB for HOL. Daniel Kroening Philipp Rümmer Georg Weissenbacher Oxford University Computing Laboratory. ITP Workshop MSR Cambridge 25 August 2009

CS558 Programming Languages

Lecture Notes on Real-world SMT

Introduction to Axiomatic Semantics

An Operational and Axiomatic Semantics for Non-determinism and Sequence Points in C

The semantics of a programming language is concerned with the meaning of programs, that is, how programs behave when executed on computers.

Chapter 3 (part 3) Describing Syntax and Semantics

Part II. Hoare Logic and Program Verification. Why specify programs? Specification and Verification. Code Verification. Why verify programs?

Program verification. Generalities about software Verification Model Checking. September 20, 2016

Hacking in C. Pointers. Radboud University, Nijmegen, The Netherlands. Spring 2019

The SMT-LIB 2 Standard: Overview and Proposed New Theories

Types. Type checking. Why Do We Need Type Systems? Types and Operations. What is a type? Consensus

Axiomatic Specification. Al-Said, Apcar, Jerejian

Formalization of Incremental Simplex Algorithm by Stepwise Refinement

3.4 Deduction and Evaluation: Tools Conditional-Equational Logic

Seminar in Software Engineering Presented by Dima Pavlov, November 2010

Tail Calls. CMSC 330: Organization of Programming Languages. Tail Recursion. Tail Recursion (cont d) Names and Binding. Tail Recursion (cont d)

Software Model Checking. Xiangyu Zhang

Handling Loops in Bounded Model Checking of C Programs via k-induction

Automated Software Analysis Techniques For High Reliability: A Concolic Testing Approach. Moonzoo Kim

Semantic Analysis Type Checking

Why3 where programs meet provers

Formally Certified Satisfiability Solving

Program Analysis and Code Verification

Symbolic Execution, Dynamic Analysis

Intro to semantics; Small-step semantics Lecture 1 Tuesday, January 29, 2013

Semantic Subtyping with an SMT Solver

Certified compilers. Do you trust your compiler? Testing is immune to this problem, since it is applied to target code

CS422 - Programming Language Design

Type Theory meets Effects. Greg Morrisett

Benchmarking of Java Verification Tools at the Software Verification Competition (SV-COMP) Lucas Cordeiro Daniel Kroening Peter Schrammel

Lecture 5 - Axiomatic semantics

Hoare triples. Floyd-Hoare Logic, Separation Logic

Symbolic Execution. Joe Hendrix Galois, Inc SMT Summer School galois

CITS5501 Software Testing and Quality Assurance Formal methods

An Annotated Language

Com S 541. Programming Languages I

CS252 Advanced Programming Language Principles. Prof. Tom Austin San José State University Fall 2013

Programming Languages Third Edition

On the correctness of template metaprograms

RAISE in Perspective

Rewriting Needs Constraints and Constraints Need Rewriting

Bug Finding with Under-approximating Static Analyses. Daniel Kroening, Matt Lewis, Georg Weissenbacher

Formal Semantics of Programming Languages

6. Hoare Logic and Weakest Preconditions

MIDTERM EXAMINATION - CS130 - Spring 2005

Critical Analysis of Computer Science Methodology: Theory

CS4215 Programming Language Implementation. Martin Henz

Distributed Systems Programming (F21DS1) Formal Verification

Formal Semantics of Programming Languages

Static verification of program running time

Finding and Fixing Bugs in Liquid Haskell. Anish Tondwalkar

Static Program Analysis Part 1 the TIP language

Parameter Passing Styles

PROGRAMMING IN HASKELL. CS Chapter 6 - Recursive Functions

Improving Program Testing and Understanding via Symbolic Execution

CSCI-GA Scripting Languages

Computing Fundamentals 2 Introduction to CafeOBJ

DOM: Specification & Client Reasoning

Reasoning About Imperative Programs. COS 441 Slides 10

Formal C semantics: CompCert and the C standard

To be or not programmable Dimitri Papadimitriou, Bernard Sales Alcatel-Lucent April 2013 COPYRIGHT 2011 ALCATEL-LUCENT. ALL RIGHTS RESERVED.

Integration of SMT Solvers with ITPs There and Back Again

In Our Last Exciting Episode

Verifying C & C++ with ESBMC

This is already grossly inconvenient in present formalisms. Why do we want to make this convenient? GENERAL GOALS

Efficient Symbolic Execution for Software Testing

CS 137 Part 8. Merge Sort, Quick Sort, Binary Search. November 20th, 2017

Type Systems COMP 311 Rice University Houston, Texas

λ calculus is inconsistent

Announcements. Written Assignment 2 due today at 5:00PM. Programming Project 2 due Friday at 11:59PM. Please contact us with questions!

A Verified Implementation of the Bounded List Container

A Context-Sensitive Memory Model for Verification of C/C++ Programs

Rethinking Automated Theorem Provers?

1. true / false By a compiler we mean a program that translates to code that will run natively on some machine.

The Substitution Model

Principles of Program Analysis. Lecture 1 Harry Xu Spring 2013

Reasoning About Loops Using Vampire

JBMC: A Bounded Model Checking Tool for Verifying Java Bytecode. Lucas Cordeiro Pascal Kesseli Daniel Kroening Peter Schrammel Marek Trtik

CIS 1.5 Course Objectives. a. Understand the concept of a program (i.e., a computer following a series of instructions)

CS152 Programming Language Paradigms Prof. Tom Austin, Fall Syntax & Semantics, and Language Design Criteria

Browser Security Guarantees through Formal Shim Verification

CMSC 330: Organization of Programming Languages. Formal Semantics of a Prog. Lang. Specifying Syntax, Semantics

Transcription:

Language-independent Semantics-Based Program Verifiers for All Languages Andrei Stefanescu Daejun Park Shijiao Yuwen Yilong Li Grigore Rosu Nov 2, 2016 @ OOPSLA 16

Problems with state-of-the-art verifiers Missing details of language behaviors e.g., VCC s false positives/negatives, undefinedness of SV-COMP benchmarks Fragmentation: specific to a fixed language

Missing details of language behaviors 1 unsigned x = UINT_MAX; 2 unsigned y = x + 1; 3 _(assert y == 0) VCC incorrectly reported an overflow error

Missing details of language behaviors 1 int assign(int *p, int x) 2 _(ensures *p == x) 3 _(writes p) 4 { 5 return (*p = x); 6 } 7 8 void main() { 9 int r; 10 assign(&r, 0) == assign(&r, 1); 11 _(assert r == 1) 12 } VCC incorrectly proved it, missing non-determinism

Missing details of language behaviors * Grigore Rosu, https://runtimeverification.com/blog/?p=200

Problems with state-of-the-art verifiers Missing details of language behaviors Fragmentation: specific to a fixed language e.g., KLEE (LLVM), JPF (JVM), Pex (.NET), CBMC (C), SAGE (x86), Implemented similar heuristics/optimizations: duplicating efforts

Our solution Clear separation, yet smooth integration, Between semantics reasoning and proof search, Using language-independent logic & proof system

Idea: separation of concerns Semantics Reasoning Proof Search Language semantics: C (c11, gcc, clang, ) Java (6, 7, 8, ) JavaScript (ES5, ES6, ) Verification techniques: Deductive verification Model checking Abstract interpretation Defined/implemented once, and reused for all others

Idea: separation of concerns Semantics Reasoning Proof Search Language semantics: C (c11, gcc, clang, ) Java (6, 7, 8, ) JavaScript (ES5, ES6, ) JPF VCC CBMC Verification techniques: Deductive verification Model checking Abstract interpretation Defined/implemented once, and reused for all others

Language-independent verification framework Semantics Program & Properties Language-independent uniform notation (logic) Language-independent proof systems ` Proof automation Provides a nice interface (logic) in which both language semantics and program properties can be described. Proof search in this logic becomes completely languageindependent.

Language-independent verification framework Operational semantics (C/Java/JavaScript semantics) Reachability properties (Functional correctness of heap manipulations) Language-independent uniform notation (Matching logic reachability) Language-independent proof systems (Matching logic reachability proof systems) Proof automation (Symbolic execution, SMT, Natural proofs, )

Operational semantics Easy to define and understand than axiomatic semantics Require little mathematical knowledge Similar to implement language interpreter Executable, thus testable Important when defining real large languages Shown to scale to defining full language semantics C, Java, JavaScript, Python, PHP,

Language-independent verification framework Operational semantics (C/Java/JavaScript semantics) Reachability properties (Functional correctness of heap manipulations) Language-independent uniform notation (Reachability logic) Language-independent proof systems (Reachability logic proof systems) Proof automation (Symbolic execution, SMT, Natural proofs, )

Reachability logic Unifying logic in which both language semantics and program correctness properties can be specified. reachability between patterns pattern formula representing a set of program states Pattern formula is FOL without predicate symbols. Similar to algebraic data types for pattern matching in functional languages such as OCaml and Haskell.

Expressiveness: semantics In OCaml: match e with ADD(x,y) => x + y SUB(x,y) => x - y MUL(x,y) => x * y DIV(x,y) when y!= 0 => x / y

Expressiveness: semantics In OCaml: match e with ADD(x,y) => x + y SUB(x,y) => x - y MUL(x,y) => x * y DIV(x,y) when y!= 0 => x / y In Reachability logic: ADD(x,y) => x + y SUB(x,y) => x - y MUL(x,y) => x * y DIV(x,y) /\ y!= 0 => x / y

Expressiveness: properties In Hoare logic: fun insert (v: elem, t: tree) return (t : tree) @requires bst(t) @ensures bst(t ) and keys(t ) == keys(t) \union { v }

Expressiveness: properties In Hoare logic: fun insert (v: elem, t: tree) return (t : tree) @requires bst(t) @ensures bst(t ) and keys(t ) == keys(t) \union { v } In Reachability logic: insert /\ bst(t) =>. /\ bst(t ) /\ keys(t ) == keys(t) \union { v }

Expressiveness Reachability formula can specify: Pre-/post-conditions Safety properties by augmenting semantics No liveness properties yet (ongoing work) Pattern formula can include: Recursive predicates Separation logic formula

Language-independent verification framework Operational semantics (C/Java/JavaScript semantics) Reachability properties (Functional correctness of heap manipulations) Language-independent uniform notation (Reachability logic) Language-independent proof systems (Reachability logic proof systems) Proof automation (Symbolic execution, SMT, Natural proofs, )

Proof system Language-independent proof system for deriving sequents of the form: Step : = '! W ' l ) 9 ' r 2 S 9FreeVars(' l ).' l = ((' ^ ' l ),? Cfg ) ^ ' r! ' 0 for each ' l ) 9 ' r 2 S S, A `C ' ) 8 ' 0 Axiom : ' ) Q ' 0 2 S [ A is FOL formula (logical frame) Reflexivity : S, A ` ' ) Q ' S, A `C ' ^ ) Q ' 0 ^ Transitivity : S, A `C ' 1 ) Q ' 2 S, A [ C ` ' 2 ) Q ' 3 S, A `C ' 1 ) Q ' 3 Consequence : = ' 1! ' 0 1 S, A `C ' 0 1 )Q ' 0 2 = ' 0 2! ' 2 S, A `C ' 1 ) Q ' 2 Case Analysis : S, A `C ' 1 ) Q ' S, A `C ' 2 ) Q ' S, A `C ' 1 _ ' 2 ) Q ' Abstraction : S, A `C ' ) Q ' 0 X \ FreeVars(' 0 ) = ; S, A `C 9X ' ) Q ' 0 Circularity : S, A `C[{') Q ' 0 } ' ) Q ' 0 S, A `C ' ) Q ' 0

Proof system Language-independent proof system for deriving sequents of the form: semantics ' 1 ) ' 0 1 ' 2 ) ' 0 2 ' 3 ) ' 0 3... property ` ' ) ' 0 Step : = '! W ' l ) 9 ' r 2 S 9FreeVars(' l ).' l = ((' ^ ' l ),? Cfg ) ^ ' r! ' 0 for each ' l ) 9 ' r 2 S S, A `C ' ) 8 ' 0 Axiom : ' ) Q ' 0 2 S [ A is FOL formula (logical frame) Reflexivity : S, A ` ' ) Q ' S, A `C ' ^ ) Q ' 0 ^ Transitivity : S, A `C ' 1 ) Q ' 2 S, A [ C ` ' 2 ) Q ' 3 S, A `C ' 1 ) Q ' 3 Consequence : = ' 1! ' 0 1 S, A `C ' 0 1 )Q ' 0 2 = ' 0 2! ' 2 S, A `C ' 1 ) Q ' 2 Case Analysis : S, A `C ' 1 ) Q ' S, A `C ' 2 ) Q ' S, A `C ' 1 _ ' 2 ) Q ' Abstraction : S, A `C ' ) Q ' 0 X \ FreeVars(' 0 ) = ; S, A `C 9X ' ) Q ' 0 Circularity : S, A `C[{') Q ' 0 } ' ) Q ' 0 S, A `C ' ) Q ' 0

Proof system Language-independent proof system for deriving sequents of the form: semantics ' 1 ) ' 0 1 ' 2 ) ' 0 2 ' 3 ) ' 0 3... property ` ' ) ' 0 Step : = '! W ' l ) 9 ' r 2 S 9FreeVars(' l ).' l = ((' ^ ' l ),? Cfg ) ^ ' r! ' 0 for each ' l ) 9 ' r 2 S S, A `C ' ) 8 ' 0 Axiom : ' ) Q ' 0 2 S [ A is FOL formula (logical frame) Reflexivity : S, A ` ' ) Q ' S, A `C ' ^ ) Q ' 0 ^ Transitivity : S, A `C ' 1 ) Q ' 2 S, A [ C ` ' 2 ) Q ' 3 S, A `C ' 1 ) Q ' 3 Consequence : = ' 1! ' 0 1 S, A `C ' 0 1 )Q ' 0 2 = ' 0 2! ' 2 ADD(x,y) => x + y SUB(x,y) => x - y MUL(x,y) => x * y... ` S, A `C ' 1 ) Q ' 2 insert /\ bst(t) Case Analysis : => S, A `C ' 1 ) Q ' S, A `C ' 2 ) Q '. /\ bst(t ) S, A `C ' 1 _ ' 2 ) Q ' /\ keys(t ) Abstraction == : keys(t) \union { v } S, A `C ' ) Q ' 0 X \ FreeVars(' 0 ) = ; S, A `C 9X ' ) Q ' 0 Circularity : S, A `C[{') Q ' 0 } ' ) Q ' 0 S, A `C ' ) Q ' 0

Language-independent verification framework Operational semantics (C/Java/JavaScript semantics) Reachability properties (Functional correctness of heap manipulations) Language-independent uniform notation (Reachability logic) Language-independent proof systems (Reachability logic proof systems) Proof automation (Symbolic execution, SMT, Natural proofs, )

Proof automation Deductive verification Symbolic execution for reachability space search Domain reasoning (e.g., integers, bit-vectors, floats, set, sequences, ) using SMT Natural proofs technique for quantifier instantiation for recursive heap predicates (e.g., list, tree, )

Language-independent verification framework Operational semantics (C/Java/JavaScript semantics) Reachability properties (Functional correctness of heap manipulations) Language-independent uniform notation (Reachability logic) Language-independent proof systems (Reachability logic proof systems) Proof automation (Symbolic execution, SMT, Natural proofs, ) Does it really work? Q1: How easy to instantiate the framework? Q2: Is performance OK?

Evaluation Instantiated framework by plugging-in three language semantics. Semantics of C [POPL 12, PLDI 15] Semantics of Java [POPL 15] Semantics of JavaScript [PLDI 15] Verification Framework C verifier Java verifier JavaScript verifier Verified challenging heap-manipulating programs implementing the same algorithms in all three languages.

Efforts C Java JavaScript Semantics development (months) 40 20 4 Semantics size (LOC) 17,791 13,417 6,821 Language-specific e ort (days) 7 4 5 Semantics changes size (#rules) 63 38 12 Semantics changes size (LOC) 468 95 49 Specifications 36 31 31 Instantiating efforts include: Fixing bugs of semantics Specifying heap abstractions (e.g., lists and trees) instantiating framework (additional effort)

Efforts C Java JavaScript Semantics development (months) 40 20 4 Semantics size (#rules) 2,572 1,587 1,378 Semantics size (LOC) 17,791 13,417 6,821 Language-specific e ort (days) Semantics size (LOC) 7 17,791 4 13,417 5 6,821 Language-specific e ort (days) 7 4 5 Semantics changes size (#rules) 63 38 12 Semantics changes size (LOC) 468 95 49 Specifications 36 31 31 Instantiating efforts include: Fixing bugs of semantics Specifying heap abstractions (e.g., lists and trees) defining semantics (already given) instantiating framework (additional effort)

Experiments Time (secs) Programs C Java JS BST find 14.0 4.7 6.3 BST insert 30.2 8.6 8.2 BST delete 71.7 24.9 21.2 AVL find 13.0 4.9 6.4 AVL insert 281.3 105.2 135.0 AVL delete 633.7 271.6 239.6 RBT find 14.5 5.0 6.8 RBT insert 903.8 115.6 114.5 RBT delete 1,902.1 171.2 183.6 Programs C Java JS Treap find 14.4 4.9 6.5 Treap insert 67.7 23.1 18.9 Treap delete 90.4 28.4 33.2 List reverse 11.4 4.1 5.5 List append 14.8 7.3 5.3 Bubble sort 66.4 38.8 31.3 Insertion sort 61.9 31.1 44.8 Quick sort 79.2 47.1 48.1 Merge sort 170.6 87.0 66.0 Total 4,441.1 983.5 981.2 Average 246.7 54.6 54.5

Experiments Time (secs) Programs C Java JS BST find 14.0 4.7 6.3 BST insert 30.2 8.6 8.2 BST delete 71.7 24.9 21.2 Full functional correctness: AVL find 13.0 4.9 6.4 Programs C Java JS Treap find 14.4 4.9 6.5 Treap insert 67.7 23.1 18.9 Treap delete 90.4 28.4 33.2 List reverse 11.4 4.1 5.5 AVL insert 281.3 105.2 135.0 insert /\ bst(t) =>. /\ bst(t ) /\ keys(t ) == keys(t) \union { v } AVL delete 633.7 271.6 239.6 RBT find 14.5 5.0 6.8 List append 14.8 7.3 5.3 Bubble sort 66.4 38.8 31.3 Insertion sort 61.9 31.1 44.8 RBT insert 903.8 115.6 114.5 Quick sort 79.2 47.1 48.1 RBT delete 1,902.1 171.2 183.6 Merge sort 170.6 87.0 66.0 Total 4,441.1 983.5 981.2 Average 246.7 54.6 54.5

Experiments Time (secs) Programs C Java JS BST find 14.0 4.7 6.3 BST insert 30.2 8.6 8.2 BST delete 71.7 24.9 21.2 AVL find 13.0 4.9 6.4 AVL insert 281.3 105.2 135.0 Programs C Java JS Treap find 14.4 4.9 6.5 Treap insert 67.7 23.1 18.9 Treap delete 90.4 28.4 33.2 List reverse 11.4 4.1 5.5 List append 14.8 7.3 5.3 AVL delete 633.7 271.6 239.6 Bubble sort 66.4 38.8 31.3 Performance is comparable to a state-of-the-art Insertion sort verifier 61.9 for 31.1 C, 44.8 VCDryad [PLDI 14], based on a separation Quick sort logic 79.2 extension 47.1 of VCC: 48.1 e.g., AVL insert : 260s vs 280s (ours) RBT find 14.5 5.0 6.8 RBT insert 903.8 115.6 114.5 RBT delete 1,902.1 171.2 183.6 Merge sort 170.6 87.0 66.0 Total 4,441.1 983.5 981.2 Average 246.7 54.6 54.5

Idea: separation of concerns Language-independent verification framework Semantics Semantics Reasoning Proof Search Program & Properties Semantics-Based Program Verifiers for All Languages Language-independent uniform notation (logic) Language semantics: Verification techniques: Andrei S, tefa nescu Daejun Park Deductive University of Illinois at verification University of Illinois at Urbana-Champaign, USA dpark69@illinois.edu VCC C (c11, gcc, clang, ) Java (6, 7, 8, ) JavaScript (ES5, ES6, ) JPF Urbana-Champaign, USA Model checking CBMC stefane1@illinois.edu Abstract interpretation Defined/implemented once, and Yilong Li Runtime Verification, Inc., USA reused for all others yilong.li@runtimeverification.com Shijiaoproof Yuwen Language-independent systems University of Illinois at Urbana-Champaign, USA Proof automation yuwen2@illinois.edu ` Provides a nice interface (logic) in which both language Grigore Ros, u semantics and program properties can be described. University of Illinois at Urbana-Champaign, USA Proof search in grosu@illinois.edu this logic becomes completely languageindependent. https://github.com/kframework/k Evaluation Abstract We present a language-independent verification framework that can be instantiated with an operational semantics to automatically generate verifier. The framework treats Instantiated framework by plugging-in threea program language semantics. both the operational semantics and the program correctness specifications as reachability rules between matching logic Semantics of C patterns, and uses the sound and relatively complete reachc verifier [POPL 12, PLDI 15] ability logic proof system to prove the specifications using the semantics. We instantiate the framework with the semansemantics of Java Verification Java verifier tics of one academic language, KernelC, as well as with [POPL 15] Framework three recent semantics of real-world languages, C, Java, and JavaScript, developed independently of our verification infrassemantics of JavaScript JavaScript tructure. We evaluate our approachverifier empirically and show that [PLDI 15] the generated program verifiers can check automatically the full functional correctness of challenging heap-manipulating programs implementing operations on list and tree data struc Verified challenging heap-manipulating programs tures, like AVL trees. This is the first approach that can implementing the same algorithms in all three languages. turn the operational semantics of real-world languages into correct-by-construction automatic verifiers. 1. Introduction Experiments Operational semantics are easy to define and understand, similarly to implementing an interpreter. They require little formal training, scale up well, and, being executable, can Time (secs) be tested. Thus, operational semanticsprograms are typicallycused asjava JS Programs C Java JS trusted reference models for the defined languages. Despite Treap find 14.4 4.9 6.5 BST find 14.0 4.7 6.3 these advantages, they are rarely used directly for program Treap insert 67.7 23.1 18.9 BST insert 30.2 8.6 8.2 verification, because proofs tend to be low-level, as they work Treap delete 90.4 or 28.4 33.2 BST delete 24.9 21.2transition directly with71.7 the corresponding system. Hoare dynamic logics higher level reasoning cost of 4.1 List reverse at the 11.4 5.5 AVL find 13.0 allow4.9 6.4 (re)defining281.3 the language as135.0 a set of abstract proof14.8 rules, 7.3 List append 5.3 AVL insert 105.2 which are harder to understand and trust. The state-of-the-art Bubble sort 31.3 AVL delete 633.7 271.6 239.6 in mechanical program verification is to develop and66.4 prove 38.8 Insertion sort 44.8 RBT find 14.5 5.0proof systems 6.8 such language-specific sound w.r.t. a 61.9 trusted 31.1 operational903.8 semantics [3, 26,114.5 36], but thatsort needs to be done 47.1 Quick 79.2 48.1 RBT insert 115.6 for each language separately and is labor intensive. Merge sort 170.6 87.0 66.0 RBT delete 1,902.1 171.2 183.6 Defining multiple semantics for the same language and proving the soundness of one semantics in terms of antotal 4,441.1 983.5 981.2 other are highly uneconomical tasks when real languages 246.7 54.6 54.5 are concerned, often taking several Average man-years to complete. Categories and Subject Descriptors D.2.4 [Software EngiFor these reasons, many program verification tools forgo neering]: Software/Program Verification correctness proofs; defining an operational or an axiomatic semantics altogether,

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback