Presentation is loading. Please wait.

Presentation is loading. Please wait.

Crowfoot: a verifier for higher order store programs Billiejoe (Nathaniel) Charlton Ben Horsfall Bernhard Reus University of Sussex VMCAI 2012.

Published byNorman Long Modified over 8 years ago

Similar presentations

Presentation on theme: "Crowfoot: a verifier for higher order store programs Billiejoe (Nathaniel) Charlton Ben Horsfall Bernhard Reus University of Sussex VMCAI 2012."— Presentation transcript:

1 Crowfoot: a verifier for higher order store programs Billiejoe (Nathaniel) Charlton Ben Horsfall Bernhard Reus University of Sussex VMCAI 2012

2 Outline Background on Higher Order Store (HOS) -What is HOS? Why should I care? -Reasoning about HOS programs: Hoare logic with nested triples Automated reasoning in Hoare logics with nested triples -What are the difficulties? -How we address them in our Crowfoot tool Some things we have verified using Crowfoot

3 What is higher order store? A programming language is said to feature HOS when: a program’s code / commands / procedures are part of the mutable store which the program manipulates as it runs

4 What is higher order store? A programming language is said to feature HOS when: a program’s code / commands / procedures are part of the mutable store which the program manipulates as it runs So HOS programs can modify their own code while running

5 What is higher order store? A programming language is said to feature HOS when: a program’s code / commands / procedures are part of the mutable store which the program manipulates as it runs So HOS programs can modify their own code while running Where does HOS occur? -in functional languages with mutable higher order state e.g. ML -dynamic loading and unloading of code e.g. Plugins, OSes -“hot update” – updating a program while it is running -runtime code generation

6

7 square brackets indicate heap access

8 stores procedure onto the heap, possibly doing partial application at the same time

9 square brackets indicate heap access stores procedure onto the heap, possibly doing partial application at the same time runs the procedure stored in the heap at address, with arguments

10 square brackets indicate heap access stores procedure onto the heap, possibly doing partial application at the same time runs the procedure stored in the heap at address, with arguments ordinary procedure call

11

12

13

14 But what should we write here? We need to describe the code which must be stored on the heap at address f

15 First attempt: says exactly which code is stored at f. But only allows us to invoke P if we’re adding 10! 

16 Second attempt: better. But still not really satisfying. Doesn’t seem like a generic specification.

17 Instead, we use a nested Hoare triple to talk about the behaviour of the code, rather than which exact code it is.

18

19 Nested triples first appear in work by Honda, Yoshida and Berger; later developments by many others.

20 Our tool Crowfoot Our tool Crowfoot implements (semi-) automated verification of HOS programs, using nested triples Employs symbolic execution with separation logic technique, as in Smallfoot, VeriFast, jStar... What issues did we face in implementing Crowfoot?

21 Issues for implementation Assertion language: must include nested triples but still be restricted enough that automated reasoning is possible

22 Assertion language

23 This is all circular! So triples can be nested to arbitrary depth.

24 Issues for implementation Assertion language: must include nested triples but still be restricted enough that automated reasoning is possible New symbolic execution rules for the HOS statements: those which write code to the heap, and invoke code stored on the heap

25

26

27

28

29 Issues for implementation Assertion language: must include nested triples but still be restricted enough that automated reasoning is possible New symbolic execution rules for the HOS statements: those which write code to the heap, and invoke code stored on the heap Entailment prover for assertions involving nested triples

30 Consider the following entailment between symbolic states:

31

32 We need to find c to make this entailment between specifications hold:

33 Consider the following entailment between symbolic states: We need to find c to make this entailment between specifications hold: So, unlike in existing tools -Solving entailments between symbolic states requires solving entailments between specifications -And vice versa

34 Issues for implementation Assertion language: must include nested triples but still be restricted enough that automated reasoning is possible New symbolic execution rules for the HOS statements: those which write code to the heap, and invoke code stored on the heap Entailment prover for assertions involving nested triples Recursive specifications for programs which perform “recursion through the store”

35 Issues for implementation Assertion language: must include nested triples but still be restricted enough that automated reasoning is possible New symbolic execution rules for the HOS statements: those which write code to the heap, and invoke code stored on the heap Entailment prover for assertions involving nested triples Recursive specifications for programs which perform “recursion through the store” Implementing the deep frame rule

36 Provers: the of Crowfoot At its heart, crowfoot implements provers for five related judgements. 1.Symbolic execution:

37 Provers: the of Crowfoot At its heart, crowfoot implements provers for five related judgements. 1.Symbolic execution: predicate definitions, procedure context

38 Provers: the of Crowfoot At its heart, crowfoot implements provers for five related judgements. 1.Symbolic execution: For example: predicate definitions, procedure context

39 2.Entailment between symbolic states: Inferred frame I maps existentially bound variables to appropriate instance

40 2.Entailment between symbolic states: For example: Inferred frame I maps existentially bound variables to appropriate instance

41 2.Entailment between symbolic states: For example: Inferred frame I maps existentially bound variables to appropriate instance

42 2.Entailment between symbolic states: For example: 3.Entailment between specifications: For example: Inferred frame I maps existentially bound variables to appropriate instance

43 4.Computing the post-condition for a ‘call’ or ‘eval’: current symbolic state specification of routine about to be run

44 4.Computing the post-condition for a ‘call’ or ‘eval’: For example: current symbolic state specification of routine about to be run

45 4.Computing the post-condition for a ‘call’ or ‘eval’: For example: current symbolic state specification of routine about to be run

46 4.Computing the post-condition for a ‘call’ or ‘eval’: For example: 5.Finding a nested triple to use with ‘eval’: current symbolic state specification of routine about to be run current symbolic state address of code on heap to be run

47 4.Computing the post-condition for a ‘call’ or ‘eval’: For example: 5.Finding a nested triple to use with ‘eval’: For example: current symbolic state specification of routine about to be run current symbolic state address of code on heap to be run

48 4.Computing the post-condition for a ‘call’ or ‘eval’: For example: 5.Finding a nested triple to use with ‘eval’: For example: current symbolic state specification of routine about to be run current symbolic state address of code on heap to be run

49 Two of the proof rules

50 Recursion through the store Recursion through the store is when code on the heap invokes itself through a pointer Specifications for such code needs to appear in their own pre- conditions! Crowfoot allows the declaration of such specifications:

51 The deep frame rule The deep frame rule (introduced by Birkedal, Torp-Smith and Yang) allows adding invariants to a specification -like the regular frame rule -but the invariant is added at all nesting levels -allows some very nice modular proofs -we’ve implemented this in Crowfoot

52 The deep frame rule The deep frame rule (introduced by Birkedal, Torp-Smith and Yang) allows adding invariants to a specification -like the regular frame rule -but the invariant is added at all nesting levels: -allows some very nice modular proofs -we’ve implemented this in Crowfoot

53 Some things we have verified We have used Crowfoot to verify for example (models of): A generic memoiser for recursive functions (see the paper) -Makes very neat use of deep frame rule Updateable web server -A server which can be updated without stopping it running Programs that load and unload plugins as they run Higher order expression evaluator

54 Try Crowfoot online www.sussex.ac.uk/informatics/crowfoot The End

55 Main rule for

56

57

58

59

Download ppt "Crowfoot: a verifier for higher order store programs Billiejoe (Nathaniel) Charlton Ben Horsfall Bernhard Reus University of Sussex VMCAI 2012."

Similar presentations

Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models.

Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
In this episode of The Verification Corner, Rustan Leino talks about Loop Invariants. He gives a brief summary of the theoretical foundations and shows.

In this episode of The Verification Corner, Rustan Leino talks about Loop Invariants. He gives a brief summary of the theoretical foundations and shows.
Semantics Static semantics Dynamic semantics attribute grammars

Semantics Static semantics Dynamic semantics attribute grammars
Verifying Executable Object-Oriented Specifications with Separation Logic Stephan van Staden, Cristiano Calcagno, Bertrand Meyer.

Verifying Executable Object-Oriented Specifications with Separation Logic Stephan van Staden, Cristiano Calcagno, Bertrand Meyer.
Automated Software Verification with a Permission-Based Logic 20 th June 2014, Zürich Malte Schwerhoff, ETH Zürich.

Automated Software Verification with a Permission-Based Logic 20 th June 2014, Zürich Malte Schwerhoff, ETH Zürich.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 11.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
1 Programming Languages (CS 550) Lecture Summary Functional Programming and Operational Semantics for Scheme Jeremy R. Johnson.

1 Programming Languages (CS 550) Lecture Summary Functional Programming and Operational Semantics for Scheme Jeremy R. Johnson.
The Fundamental Rule for Testing Methods Every method should be tested in a program in which every other method in the testing program has already been.

The Fundamental Rule for Testing Methods Every method should be tested in a program in which every other method in the testing program has already been.
Formal reasoning about runtime code update Billiejoe (Nathaniel) Charlton Ben Horsfall Bernhard Reus HotSWUp 2011.

Formal reasoning about runtime code update Billiejoe (Nathaniel) Charlton Ben Horsfall Bernhard Reus HotSWUp 2011.
Chapter 5: Elementary Data Types Properties of types and objects –Data objects, variables and constants –Data types –Declarations –Type checking –Assignment.

Chapter 5: Elementary Data Types Properties of types and objects –Data objects, variables and constants –Data types –Declarations –Type checking –Assignment.
Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.

Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.

1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.
CS 355 – Programming Languages

CS 355 – Programming Languages
Changing perspective can be useful Relating alternative logics for automatic software verification Alex Summers (ETH Zurich) partly based on joint work.

Changing perspective can be useful Relating alternative logics for automatic software verification Alex Summers (ETH Zurich) partly based on joint work.
Cmput 115 - Lecture 8 Department of Computing Science University of Alberta ©Duane Szafron 2000 Revised 1/26/00 The Java Memory Model.

Cmput Lecture 8 Department of Computing Science University of Alberta ©Duane Szafron 2000 Revised 1/26/00 The Java Memory Model.
ESC Java. Static Analysis Spectrum Power Cost Type checking Data-flow analysis Model checking Program verification AutomatedManual ESC.

ESC Java. Static Analysis Spectrum Power Cost Type checking Data-flow analysis Model checking Program verification AutomatedManual ESC.
Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.

Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
ESC Java. Static Analysis Spectrum Power Cost Type checking Data-flow analysis Model checking Program verification AutomatedManual ESC.

ESC Java. Static Analysis Spectrum Power Cost Type checking Data-flow analysis Model checking Program verification AutomatedManual ESC.

Similar presentations

Ads by Google