Automated Software Verification with a Permission-Based Logic. 20th June 2014, Zürich. Malte Schwerhoff, ETH Zürich.

Outline
1. Motivation
2. Permissions
3. Viper
4. Demo

Automated Software Verification (slide 3)
We have:
- mutable state (heap locations)
- method calls, loops
- concurrency
We want:
- automated static verification
- modularity

Example (slide 4)

  class Cell {
    var v: int

    method add(c: Cell) {
      v := v + c.v
    }
  }

  method client() {
    var c1 := new Cell
    c1.v := 1
    var c2 := new Cell
    c2.v := 2
    c1.add(c2)
    assert c1.v == 3
    assert c2.v == 2
  }

Modularity (slide 5)
The question on the slide: can client be verified without looking at the body of add? Modular verification requires reasoning about the call c1.add(c2) from add's interface alone, so that add can be re-verified or replaced without re-verifying every caller.

Specifications (slide 6)
add is given a contract; client is unchanged:

  method add(c: Cell)
    requires c != null
    ensures v == old(v) + old(c.v)
  {
    v := v + c.v
  }

Reasoning with Specifications (slide 7)
With this contract the verifier can prove assert c1.v == 3 in client (1 + 2). Whether assert c2.v == 2 follows is the open question: the postcondition says nothing about c.v, so a modular verifier must not assume c2.v is unchanged by the call.

An Incorrect Implementation (slide 8)

  class Cell {
    var v: int

    method add(c: Cell)
      requires c != null
      ensures v == old(v) + old(c.v)
    {
      v := v + c.v
      c.v := 0
    }
  }

This add satisfies its specification, yet it breaks client: after c1.add(c2) the field c2.v is 0 and assert c2.v == 2 fails. The specification is too weak to rule this implementation out, which is why slide 7's second assert cannot be proved.

Strengthening Specifications (slide 9)
Adding a second postcondition fixes the frame problem for c.v:

  method add(c: Cell)
    requires c != null
    ensures v == old(v) + old(c.v)
    ensures c.v == old(c.v)
  {
    v := v + c.v
    c.v := 0
  }

The incorrect implementation now fails verification, since its body sets c.v to 0.

Strengthening Specifications (slide 10)
With the original body v := v + c.v and the strengthened contract, both assertions in client can be proved from the contract. The slide's question mark asks whether add itself still verifies against the strengthened contract; the next slide shows that it does not.

Aliasing (slide 11)

  method client() {
    var c1 := new Cell
    c1.v := 1
    var c2 := new Cell
    c2.v := 2
    c1.add(c1)   // ensures c1.v == old(c1.v) + old(c1.v), i.e. c1.v == 2
                 // ensures c1.v == old(c1.v), i.e. c1.v == 1
    assert c1.v == 3
    assert c2.v == 2
  }

When c aliases this, the two postconditions contradict each other. The body v := v + c.v actually leaves c1.v == 2, so ensures c.v == old(c.v) does not hold for this call, and assert c1.v == 3 fails. A sound modular verifier checks add's body without knowing whether c and this are the same object, so it must either reject add or be given a way to control aliasing.

Challenges (slide 12)
- Reason about shared state
- Control aliasing

Permission-Based Verification (slide 13)
- Use permissions to control access to shared state
- Permissions exist only conceptually, for verification; they have no run-time representation
- Permissions are held per field location x.f:
  - exclusive write permission (which also allows reading)
  - non-exclusive read permissions

Permission-Based Verification (slide 14)
Permission to a location x.f can be:
- split into multiple read permissions
- transferred between methods (or threads)
- recombined again

Fractional Permissions (slides 15 to 17)
Three diagrams of client(x) and add(x), not preserved in the transcript: slide 15 shows client holding the permission to x; slide 16 ("Splitting & Transferring Fractional Permissions") splits it and transfers a fraction to add; slide 17 ("Merging Fractional Permissions") merges the fraction returned by add back into client's permission.

Permission-Based Verification (slide 18)
- Assumptions such as x.f == 0 can only be made while some permission to x.f is held
- If all permission to x.f is given away, everything known about x.f must be havoced (forgotten): whoever now holds the permission may write x.f

Syntax, Separating Conjunction (slide 19)
acc(x.f, p) denotes permission p to location x.f; acc(x.f) abbreviates acc(x.f, 1).
- Permissions can be split: acc(x.f, 1) ⇔ acc(x.f, 1/2) && acc(x.f, 1/2)
- Write permissions are exclusive: acc(x.f, 1) && acc(y.f, 1) ⇒ x ≠ y
- Write permissions are "maximal": acc(x.f, 1) && acc(y.f, 1/100000) ⇒ x ≠ y
The total permission held to any one location never exceeds 1, so && between accessibility predicates behaves like the separating conjunction of separation logic.

Return of the Example (slides 20 to 22)

  method add(c: Cell)
    requires acc(v) && acc(c.v, 1/2)
    ensures  acc(v) && acc(c.v, 1/2)
    ensures  v == old(v) + c.v

  method client() {
    var c1 := new Cell    // acc(c1.v, 1)
    c1.v := 1             // c1.v == 1
    var c2 := new Cell    // acc(c2.v, 1)
    c2.v := 2             // c2.v == 2
    c1.add(c2)
    assert c1.v == 3 && c2.v == 2
  }

The postcondition no longer needs old(c.v): add holds only half the permission to c.v, so it cannot write c.v, and the caller keeps the other half, so its knowledge c2.v == 2 survives the call. Aliasing is ruled out at the call site: with c == this the precondition would demand acc(v, 3/2), which no caller can hold, so the call c1.add(c1) fails to verify.

A call is reasoned about by exhaling the precondition followed by inhaling the postcondition (slide 22; old(c1.v) denotes the value of c1.v at the call):

  method client() {
    ...
    // c1.add(c2):
    // acc(c1.v, 1) && c1.v == 1 && acc(c2.v, 1) && c2.v == 2
    exhale acc(c1.v) && acc(c2.v, 1/2)
    // acc(c2.v, 1/2) && c2.v == 2          (all permission to c1.v is gone, so c1.v == 1 is forgotten)
    inhale acc(c1.v) && acc(c2.v, 1/2)
    // acc(c1.v, 1) && acc(c2.v, 1) && c2.v == 2          (value of c1.v unknown)
    inhale c1.v == old(c1.v) + c2.v
    // acc(c1.v, 1) && c1.v == 3 && acc(c2.v, 1) && c2.v == 2
    assert c1.v == 3 && c2.v == 2
  }

Viper (slide 23)
Architecture diagram, not preserved in the transcript: source programs are encoded into Silver, the intermediate verification language. Silver programs are verified by one of two back-ends: Silicon, based on symbolic execution, which discharges its proof obligations by querying the Z3 SMT solver (Microsoft); and Carbon, based on verification condition generation, which translates to Boogie (Microsoft), which in turn queries Z3.

Silver (slide 24)
- Silver is an intermediate verification language: encode source languages (with their specifications) in Silver, then use a Silver verifier to verify the encoding
- Simple:
  - objects, fields (heap), methods, loops, if-then-else
  - rudimentary type system (primitives + Ref)
  - verification features such as specifications
  - no concurrency primitives
- Silver programs can be used for:
  - verification
  - specification inference

Demo (slide 25)

Symbolic Execution with Silicon (slide 26)
- Symbolically execute each method in isolation (method-modular)
- At each statement:
  - query the symbolic state (and the prover) to decide whether the statement may execute, e.g. whether sufficient permission is held
  - update the state; a call is handled by exhaling the callee's precondition and inhaling its postcondition
- Branch over conditionals, giving one symbolic state per path (σ1 to σ5 in the slide's diagram)
Diagram, not preserved in the transcript: the verifier verifies the program, maintains the symbolic state σ, and uses the prover, which answers its queries.

Symbolic Execution with Silicon (slide 27)
The symbolic state σ comprises:
- γ, the store: maps local variables to symbolic values (terms), e.g. c1 ↦ tc1, c2 ↦ tc2
- h, the heap: records permissions to and values of fields as heap chunks, e.g. tc1.v ↦ tv1 # p1, tc2.v ↦ tv2 # p2 (location tc2.v holds value tv2 with permission p2)
- π, the path conditions: assumptions about values, e.g. tc1 ≠ null, tv1 > 0

Slide of the Undead Example (slide 28)

  method client() {
    ...
    // γ: c1 ↦ tc1, c2 ↦ tc2
    // h: tc1.v ↦ tv1 # 1, tc2.v ↦ tv2 # 1
    // π: tv1 == 1, tv2 == 2
    exhale acc(c1.v) && acc(c2.v, 1/2)
    // h: tc2.v ↦ tv2 # 1/2                 (chunk for tc1.v removed)
    // π: tv1 == 1, tv2 == 2
    inhale acc(c1.v) && acc(c2.v, 1/2)
    // h: tc1.v ↦ tv3 # 1, tc2.v ↦ tv2 # 1   (tv3 is a fresh term: c1.v is unknown again; tc2.v keeps tv2 because half the permission was retained)
    // π: tv1 == 1, tv2 == 2
    inhale c1.v == old(c1.v) + c2.v
    // π: tv1 == 1, tv2 == 2, tv3 == tv1 + tv2
    assert c1.v == 3 && c2.v == 2
    // prover: π ⊢ tv3 == 3 && tv2 == 2
  }

Note that the fresh term must be introduced for c1.v, whose permission was completely exhaled, not for c2.v: the caller never gave up all of acc(c2.v), so the value tv2 is still known after the inhale.
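The exhale/inhale accounting described on slides 18 to 28, as an added example that is not part of the slides or of the Viper code base: a small Python model of heap chunks with fractional permissions. It reproduces the client trace (c1.add(c2) yields c1.v == 3 and c2.v == 2), rejects the aliasing call c1.add(c1) at the exhale of the precondition, and rejects the incorrect implementation of add that writes c.v while holding only half the permission. Values are concrete where the real verifier uses symbolic terms and a prover, so the toy checks the permission part of contracts but not the value equality in add's postcondition; every name in it (SymState, call_add, verify_add_body, client, verifies) is an assumption made for this example, not Viper API.

```python
# Added example, not code from the slides or from the Viper project: a toy model of the
# permission accounting that exhale/inhale perform during symbolic execution. Values are
# concrete ints or None (unknown, i.e. havoced); the real verifier keeps symbolic terms
# and path conditions and asks a prover, which plain arithmetic replaces here. All names
# (SymState, call_add, verify_add_body, client, verifies) are assumptions of this example.
from fractions import Fraction
from typing import Callable, Dict, Optional, Tuple

FULL, HALF, ZERO = Fraction(1), Fraction(1, 2), Fraction(0)
Chunk = Tuple[Optional[int], Fraction]  # (value or None, permission held)


class VerificationError(Exception):
    """Raised where the verifier would report a failure."""


class SymState:
    """Symbolic heap h: (receiver, field) -> chunk, as in tc1.v |-> tv1 # p1."""

    def __init__(self) -> None:
        self.heap: Dict[Tuple[str, str], Chunk] = {}

    def perm(self, r: str, f: str) -> Fraction:
        return self.heap.get((r, f), (None, ZERO))[1]

    def new(self, r: str, f: str) -> None:
        self.heap[(r, f)] = (None, FULL)  # "new Cell": full permission, value unknown

    def read(self, r: str, f: str) -> Optional[int]:
        if self.perm(r, f) == ZERO:  # any positive fraction allows reading
            raise VerificationError(f"read {r}.{f}: no permission")
        return self.heap[(r, f)][0]

    def write(self, r: str, f: str, val: Optional[int]) -> None:
        if self.perm(r, f) != FULL:  # writing needs the exclusive permission
            raise VerificationError(f"write {r}.{f}: have {self.perm(r, f)}, need 1")
        self.heap[(r, f)] = (val, FULL)

    def exhale(self, r: str, f: str, p: Fraction) -> None:
        have = self.perm(r, f)
        if have < p:
            raise VerificationError(f"exhale acc({r}.{f}, {p}): only {have} held")
        if have == p:
            del self.heap[(r, f)]  # all permission given away: the value is havoced
        else:
            self.heap[(r, f)] = (self.heap[(r, f)][0], have - p)

    def inhale(self, r: str, f: str, p: Fraction) -> None:
        val, have = self.heap.get((r, f), (None, ZERO))
        if have + p > FULL:  # acc(x.f, 1) && acc(y.f, q) implies x != y
            raise VerificationError(f"inhale acc({r}.{f}, {p}): total would exceed 1")
        # a retained fraction keeps the known value; a chunk regained from 0 is fresh
        self.heap[(r, f)] = (val if have > ZERO else None, have + p)

    def assume(self, r: str, f: str, val: Optional[int]) -> None:
        self.read(r, f)  # facts about x.f require some permission to x.f
        self.heap[(r, f)] = (val, self.perm(r, f))


def call_add(st: SymState, this: str, c: str) -> None:
    """this.add(c) reasoned about from its contract alone (exhale pre, inhale post):
    requires acc(v) && acc(c.v, 1/2); ensures acc(v) && acc(c.v, 1/2); ensures v == old(v) + c.v"""
    old_v = st.read(this, "v")  # old(v) is evaluated before the call
    st.exhale(this, "v", FULL)  # if c == this, the next exhale fails: 3/2 > 1
    st.exhale(c, "v", HALF)
    st.inhale(this, "v", FULL)  # this.v is unknown here until the postcondition is assumed
    st.inhale(c, "v", HALF)
    c_v = st.read(c, "v")       # still known: the caller kept half of acc(c.v)
    st.assume(this, "v", None if old_v is None or c_v is None else old_v + c_v)


def verify_add_body(buggy: bool) -> None:
    """Method-modular check of add's body from a fresh state with unknown values:
    inhale the precondition, execute the body, exhale the permissions of the postcondition."""
    st = SymState()
    st.inhale("this", "v", FULL)
    st.inhale("c", "v", HALF)
    v, c_v = st.read("this", "v"), st.read("c", "v")
    st.write("this", "v", None if v is None or c_v is None else v + c_v)  # v := v + c.v
    if buggy:
        st.write("c", "v", 0)  # c.v := 0 from "An Incorrect Implementation": only 1/2 held
    st.exhale("this", "v", FULL)
    st.exhale("c", "v", HALF)


def client(alias: bool) -> Tuple[Optional[int], Optional[int]]:
    """The client from the slides; alias=True makes the call c1.add(c1)."""
    st = SymState()
    st.new("c1", "v")
    st.write("c1", "v", 1)
    st.new("c2", "v")
    st.write("c2", "v", 2)
    call_add(st, "c1", "c1" if alias else "c2")
    return st.read("c1", "v"), st.read("c2", "v")  # (3, 2) for the non-aliased call


def verifies(check: Callable[[], object]) -> bool:
    """True if `check` runs without a verification failure."""
    try:
        check()
        return True
    except VerificationError:
        return False
```

client(False) returns (3, 2); verifies(lambda: client(True)) is False because the second exhale in call_add finds no permission left to c1.v; verifies(lambda: verify_add_body(True)) is False because the write to c.v needs acc(c.v, 1) but only acc(c.v, 1/2) was inhaled from the precondition. The havoc of slide 18 is visible inside call_add: between the inhale of acc(v) and the assumption of the postcondition, this.v reads as None.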

Outlook (slide 29)
- Information hiding and abstraction
- Recursive data structures
- The opposite of permissions: obligations
- Translation of high-level features:
  - immutable data (vs. permissions)
  - lazy evaluation (vs. permissions)
  - closures
  - actor-based concurrency
- Specification inference

Questions? (slide 30)