Crowfoot: a verifier for higher order store programs Billiejoe (Nathaniel) Charlton Ben Horsfall Bernhard Reus University of Sussex VMCAI 2012
Outline Background on Higher Order Store (HOS) -What is HOS? Why should I care? -Reasoning about HOS programs: Hoare logic with nested triples Automated reasoning in Hoare logics with nested triples -What are the difficulties? -How we address them in our Crowfoot tool Some things we have verified using Crowfoot
What is higher order store? A programming language is said to feature HOS when: a program’s code / commands / procedures are part of the mutable store which the program manipulates as it runs
What is higher order store? A programming language is said to feature HOS when: a program’s code / commands / procedures are part of the mutable store which the program manipulates as it runs So HOS programs can modify their own code while running
What is higher order store? A programming language is said to feature HOS when: a program’s code / commands / procedures are part of the mutable store which the program manipulates as it runs So HOS programs can modify their own code while running Where does HOS occur? -in functional languages with mutable higher order state e.g. ML -dynamic loading and unloading of code e.g. Plugins, OSes -“hot update” – updating a program while it is running -runtime code generation
square brackets indicate heap access
stores procedure onto the heap, possibly doing partial application at the same time
square brackets indicate heap access stores procedure onto the heap, possibly doing partial application at the same time runs the procedure stored in the heap at address, with arguments
square brackets indicate heap access stores procedure onto the heap, possibly doing partial application at the same time runs the procedure stored in the heap at address, with arguments ordinary procedure call
But what should we write here? We need to describe the code which must be stored on the heap at address f
First attempt: says exactly which code is stored at f. But only allows us to invoke P if we’re adding 10!
Second attempt: better. But still not really satisfying. Doesn’t seem like a generic specification.
Instead, we use a nested Hoare triple to talk about the behaviour of the code, rather than which exact code it is.
Nested triples first appear in work by Honda, Yoshida and Berger; later developments by many others.
Our tool Crowfoot Our tool Crowfoot implements (semi-) automated verification of HOS programs, using nested triples Employs symbolic execution with separation logic technique, as in Smallfoot, VeriFast, jStar... What issues did we face in implementing Crowfoot?
Issues for implementation Assertion language: must include nested triples but still be restricted enough that automated reasoning is possible
Assertion language
This is all circular! So triples can be nested to arbitrary depth.
Issues for implementation Assertion language: must include nested triples but still be restricted enough that automated reasoning is possible New symbolic execution rules for the HOS statements: those which write code to the heap, and invoke code stored on the heap
Issues for implementation Assertion language: must include nested triples but still be restricted enough that automated reasoning is possible New symbolic execution rules for the HOS statements: those which write code to the heap, and invoke code stored on the heap Entailment prover for assertions involving nested triples
Consider the following entailment between symbolic states:
We need to find c to make this entailment between specifications hold:
Consider the following entailment between symbolic states: We need to find c to make this entailment between specifications hold: So, unlike in existing tools -Solving entailments between symbolic states requires solving entailments between specifications -And vice versa
Issues for implementation Assertion language: must include nested triples but still be restricted enough that automated reasoning is possible New symbolic execution rules for the HOS statements: those which write code to the heap, and invoke code stored on the heap Entailment prover for assertions involving nested triples Recursive specifications for programs which perform “recursion through the store”
Issues for implementation Assertion language: must include nested triples but still be restricted enough that automated reasoning is possible New symbolic execution rules for the HOS statements: those which write code to the heap, and invoke code stored on the heap Entailment prover for assertions involving nested triples Recursive specifications for programs which perform “recursion through the store” Implementing the deep frame rule
Provers: the of Crowfoot At its heart, crowfoot implements provers for five related judgements. 1.Symbolic execution:
Provers: the of Crowfoot At its heart, crowfoot implements provers for five related judgements. 1.Symbolic execution: predicate definitions, procedure context
Provers: the of Crowfoot At its heart, crowfoot implements provers for five related judgements. 1.Symbolic execution: For example: predicate definitions, procedure context
2.Entailment between symbolic states: Inferred frame I maps existentially bound variables to appropriate instance
2.Entailment between symbolic states: For example: Inferred frame I maps existentially bound variables to appropriate instance
2.Entailment between symbolic states: For example: Inferred frame I maps existentially bound variables to appropriate instance
2.Entailment between symbolic states: For example: 3.Entailment between specifications: For example: Inferred frame I maps existentially bound variables to appropriate instance
4.Computing the post-condition for a ‘call’ or ‘eval’: current symbolic state specification of routine about to be run
4.Computing the post-condition for a ‘call’ or ‘eval’: For example: current symbolic state specification of routine about to be run
4.Computing the post-condition for a ‘call’ or ‘eval’: For example: current symbolic state specification of routine about to be run
4.Computing the post-condition for a ‘call’ or ‘eval’: For example: 5.Finding a nested triple to use with ‘eval’: current symbolic state specification of routine about to be run current symbolic state address of code on heap to be run
4.Computing the post-condition for a ‘call’ or ‘eval’: For example: 5.Finding a nested triple to use with ‘eval’: For example: current symbolic state specification of routine about to be run current symbolic state address of code on heap to be run
4.Computing the post-condition for a ‘call’ or ‘eval’: For example: 5.Finding a nested triple to use with ‘eval’: For example: current symbolic state specification of routine about to be run current symbolic state address of code on heap to be run
Two of the proof rules
Recursion through the store Recursion through the store is when code on the heap invokes itself through a pointer Specifications for such code needs to appear in their own pre- conditions! Crowfoot allows the declaration of such specifications:
The deep frame rule The deep frame rule (introduced by Birkedal, Torp-Smith and Yang) allows adding invariants to a specification -like the regular frame rule -but the invariant is added at all nesting levels -allows some very nice modular proofs -we’ve implemented this in Crowfoot
The deep frame rule The deep frame rule (introduced by Birkedal, Torp-Smith and Yang) allows adding invariants to a specification -like the regular frame rule -but the invariant is added at all nesting levels: -allows some very nice modular proofs -we’ve implemented this in Crowfoot
Some things we have verified We have used Crowfoot to verify for example (models of): A generic memoiser for recursive functions (see the paper) -Makes very neat use of deep frame rule Updateable web server -A server which can be updated without stopping it running Programs that load and unload plugins as they run Higher order expression evaluator
Try Crowfoot online The End
Main rule for