Verifying Executable Object-Oriented Specifications with Separation Logic Stephan van Staden, Cristiano Calcagno, Bertrand Meyer.

Slides:



Advertisements
Similar presentations
Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
Advertisements

Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
In this episode of The Verification Corner, Rustan Leino talks about Loop Invariants. He gives a brief summary of the theoretical foundations and shows.
Introduction to Proofs
Techniques for Proving the Completeness of a Proof System Hongseok Yang Seoul National University Cristiano Calcagno Imperial College.
Semantics Static semantics Dynamic semantics attribute grammars
ICE1341 Programming Languages Spring 2005 Lecture #6 Lecture #6 In-Young Ko iko.AT. icu.ac.kr iko.AT. icu.ac.kr Information and Communications University.
Reasoning About Code; Hoare Logic, continued
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 19: Minding Ps & Qs: Axiomatic.
Axiomatic Verification I Prepared by Stephen M. Thebaut, Ph.D. University of Florida Software Testing and Verification Lecture 17.
(c) 2007 Mauro Pezzè & Michal Young Ch 7, slide 1 Symbolic Execution and Proof of Properties.
Partial correctness © Marcelo d’Amorim 2010.
Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.
ISBN Chapter 3 Describing Syntax and Semantics.
Program Proving Notes Ellen L. Walker.
1/22 Programs : Semantics and Verification Charngki PSWLAB Programs: Semantics and Verification Mordechai Ben-Ari Mathematical Logic for Computer.
CS 355 – Programming Languages
Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
Static and Dynamic Contract Verifiers For Java Hongming Liu.
Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
Software Verification Bertrand Meyer Chair of Software Engineering Lecture 2: Axiomatic semantics.
Describing Syntax and Semantics
Eiffel Language and Design by Contract Contract –An agreement between the client and the supplier Characteristics –Expects some benefits and is prepared.
ISBN Chapter 3 Describing Syntax and Semantics.
Reasoning about Multiple Related Abstractions with MultiStar Stephan van Staden, Cristiano Calcagno Chair of Software Engineering.
Cormac Flanagan University of California, Santa Cruz Hybrid Type Checking.
Crowfoot: a verifier for higher order store programs Billiejoe (Nathaniel) Charlton Ben Horsfall Bernhard Reus University of Sussex VMCAI 2012.
Software Engineering Prof. Dr. Bertrand Meyer March 2007 – June 2007 Chair of Software Engineering Static program checking and verification Slides: Based.
1 Inference Rules and Proofs (Z); Program Specification and Verification Inference Rules and Proofs (Z); Program Specification and Verification.
Proofs of Correctness: An Introduction to Axiomatic Verification Prepared by Stephen M. Thebaut, Ph.D. University of Florida CEN 5035 Software Engineering.
Freefinement Stephan van Staden, Cristiano Calcagno, Bertrand Meyer Chair of Software Engineering.
ISBN Chapter 3 Describing Semantics -Attribute Grammars -Dynamic Semantics.
CS 363 Comparative Programming Languages Semantics.
Today’s Agenda  Quick Review  Continue on JML Formal Methods in Software Engineering1.
1 cs205: engineering software university of virginia fall 2006 Avoiding Software Disasters.
Chapter 5: Sequences, Mathematical Induction, and Recursion 5.5 Application: Correctness of Algorithms 1 [P]rogramming reliability – must be an activity.
ISBN Chapter 3 Describing Semantics.
Chapter 3 Part II Describing Syntax and Semantics.
Semantics In Text: Chapter 3.
COP4020 Programming Languages Introduction to Axiomatic Semantics Prof. Robert van Engelen.
13 Aug 2013 Program Verification. Proofs about Programs Why make you study logic? Why make you do proofs? Because we want to prove properties of programs.
L13: Design by Contract Definition Reliability Correctness Pre- and post-condition Asserts and Exceptions Weak & Strong Conditions Class invariants Conditions.
1 Assertions. 2 A boolean expression or predicate that evaluates to true or false in every state In a program they express constraints on the state that.
PROGRAMMING PRE- AND POSTCONDITIONS, INVARIANTS AND METHOD CONTRACTS B MODULE 2: SOFTWARE SYSTEMS 13 NOVEMBER 2013.
/ PSWLAB Evidence-Based Analysis and Inferring Preconditions for Bug Detection By D. Brand, M. Buss, V. C. Sreedhar published in ICSM 2007.
DBC NOTES. Design By Contract l A contract carries mutual obligations and benefits. l The client should only call a routine when the routine’s pre-condition.
© Bertrand Meyer and Yishai Feldman Notice Some of the material is taken from Object-Oriented Software Construction, 2nd edition, by Bertrand Meyer (Prentice.
Chapter 3 of Programming Languages by Ravi Sethi
Reasoning about code CSE 331 University of Washington.
Formal Methods in Software Engineering 1
Stateful Manifest Contracts
Lecture 5 Floyd-Hoare Style Verification
CS 220: Discrete Structures and their Applications
Programming Languages 2nd edition Tucker and Noonan
Design by contract Object-Oriented Software Construction by Bertrand Meyer, Prentice Hall The presence of a precondition or postcondition in a routine.
Semantics In Text: Chapter 3.
Axiomatic Verification I
Predicate Transformers
Axiomatic Verification I
Java Modeling Language (JML)
CIS 720 Lecture 3.
Contract-Based Programming with/without Ada 2012
CIS 720 Lecture 3.
Programming Languages 2nd edition Tucker and Noonan
Programming Languages 2nd edition Tucker and Noonan
COP4020 Programming Languages
Presentation transcript:

Verifying Executable Object-Oriented Specifications with Separation Logic Stephan van Staden, Cristiano Calcagno, Bertrand Meyer

Introduction Executable and separation logic specifications Examples: Executable specifications can be evaluated at runtime. Useful for debugging and testing. Lightweight Separation logic specifications are useful for verification 2

Executable specifications Verification questions: 1)Can we always execute them? Will their preconditions always be satisfied? Example: It does not make sense to talk about the first element of a newly created empty list 2)Will they always hold at runtime if executed? Example: A newly created empty list will not contain 10 elements 3)Will it matter if they are executed or not? Are they independent of the essence of the code? Complicated due to side-effects: modify object structures, nondeterministic, spawn threads, … Example: Does it matter if the postcondition of inserting an element checks whether it is in the list by allocating an iterator and affecting iterator bookkeeping? 3

Our contributions Allow both styles of specification. Reason about both using connecting implications, which answer all three questions posed before Reason about arbitrary side-effects in executable specifications with a new notion called relative purity 4

Existing approaches classify side-effects in executable specifications as intrinsically harmful or not If B is pure relative to P, then P is a footprint of B B can only perform side-effects permitted by P B must re-establish P, so it cannot “change things from the P point of view” Purity is in the eye of the asserter Relative purity 5

Examples x.f := e; False is pure relative to, but not pure relative to True insert(4); not is_empty is pure relative to, but not pure relative to 6

Given a sep logic predicate P and an executable assertion B which should hold at the same program point, does B somehow follow from P? Yes iff the connecting implication P B holds Lemma: If P B, then B is pure relative to P Precondition verification 7

Example For remove_first: Proof: 8

Postconditions may contain old-expressions: evaluated before the body is executed The connecting implication P,Q C means that any pre- state satisfying P and any post-state satisfying Q are sufficient to evaluate C to True: Let old(E1),…,old(En) be the old-expressions in B P,Q \ra B =def \exists R \cdot {P}(v1:=E1,…,vn:=En){P*R} and {Q*R}v:=B[v1;…;vn]{Q/\v=True} B[v1;…;vn] =def B[v1/old(E1),…,vn/old(En)] Postcondition verification 9

Example For remove_first: Proof: 10

Proof obligations summary 11

Implementation Reasoning support implemented in jStar Basic ingredients: symbolic execution, implication checking, frame inference Demonstration 12

Other work Class invariants Extracting predicates from executable specifications, i.e. work involving connecting implications of the form B P Connecting double implications of the form P B provide an integration of the two specification techniques 13

Related work Executable specifications Eiffel ESC Spec# JML: jmlc, JACK, LOOP Separation logic 14

In conclusion Give executable assertions a semantics based on their semantics as expressions Relative purity embraces side-effects in executable assertions Verification of executable specifications (i.e. answering the three questions) boils down to proving connecting implications The approach is general: also applicable to languages such as C 15

Thanks! Questions? 16

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.