Verification of Pointer-Based Programs with Partial Information

The proliferation of software across all aspects of people's life means that software failure can bring catastrophic result. It is therefore highly desirable to be able to develop software that is verified to meet its expected specification. This has also been identified as a key objective in one of the UK Grand Challenges (GC6) (Jones et al., 2006; Woodcock, 2006). However, many difficult problems still remain in achieving this objective, partially due to the wide use of (recursive) shared mutable data structures which are hard to keep track of statically in a precise and concise way. This thesis aims at building a verification system for both memory safety and functional correctness of programs manipulating pointer-based data structures, which can deal with two scenarios where only partial information about the program is available. For instance the verifier may be supplied with only partial program specification, or with full specification but only part of the program code. For the first scenario, previous state-of-the-art works (Nguyen et al., 2007; Chin et al., 2007; Nguyen and Chin, 2008; Chin et al, 2010) generally require users to provide full specifications for each method of the program to be verified. Their approach seeks much intellectual effort from users, and meanwhile users are liable to make mistakes in writing such specifications. This thesis proposes a new approach to program verification that allows users to provide only partial specification to methods. Our approach will then refine the given annotation into a more complete specification by discovering missing constraints. The discovered constraints may involve both numerical and multiset properties that could be later confirmed or revised by users. Meanwhile, we further augment our approach by requiring only partial specification to be given for primary methods of a program. Specifications for loops and auxiliary methods can then be systematically discovered by our augmented mechanism, with the help of information propagated from the primary methods. This work is aimed at verifying beyond shape properties, with the eventual goal of analysing both memory safety and functional properties for pointer-based data structures. Initial experiments have confirmed that we can automatically refine partial specifications with non-trivial constraints, thus making it easier for users to handle specifications with richer properties. For the second scenario, many programs contain invocations to unknown components and hence only part of the program code is available to the verifier. As previous works generally require the whole of program code be present, we target at the verification of memory safety and functional correctness of programs manipulating pointer-based data structures, where the program code is only partially available due to invocations to unknown components. Provided with a Hoare-style specification ({Pre} prog {Post}) where program (prog) contains calls to some unknown procedure (unknown), we infer a specification (mspecu) for the unknown part (unknown) from the calling contexts, such that the problem of verifying program (prog) can be safely reduced to the problem of proving that the unknown procedure (unknown) (once its code is available) meets the derived specification (mspecu). The expected specification (mspecu) is automatically calculated using an abduction-based shape analysis specifically designed for a combined abstract domain. We have implemented a system to validate the viability of our approach, with encouraging experimental results

Graphs and Graph Transformations for Object-Oriented and Service-Oriented Systems

Theories of graphs and graph transformations form an important part of the mathematical foundations of computing, and have been applied in a wide range of areas from the design and analysis of algorithms to the formalization of various computer systems and programs. In this thesis, we study how graphs and graph transformations can be used to model the static structure and dynamic behavior of object-orientated and service-oriented systems. Our work is mainly motivated by the difficulty in understanding and reasoning about objectorientated and service-oriented programs, which have more sophisticated features compared with traditional procedural programs. We show that the use of graphs and graphs transformations provides both an intuitive visualization and a formal representation of object-orientated and serviceoriented programs with these features, improving people’s understanding of the execution states and behaviors of these programs. We provide a graph-based type system, operational semantics and refinement calculus for an object-oriented language. In this framework, we define class structures and execution states of oo programs as directed and labeled graphs, called class graphs and state graphs, respectively. The type system checks whether a program is well-typed based on its class graph, while the operational semantics defines each step of program execution as a simple graph transformations between state graphs. We show the operational semantics is type-safe in that the execution of a well-typed program does not “go wrong”. Based on the operational semantics, we study the notion of structure refinement of oo programs as graph transformations between their class graphs. We provide a few groups of refinement rules for various purposes such as class expansion and polymorphism elimination and prove their soundness and relative completeness. We also propose a graph-based representation of service-oriented systems specified in a serviceoriented process calculus. In this framework, we define states of service-oriented systems as hier- archical graphs that naturally capture the hierarchical nature of service structures. For this, we exploit a suitable graph algebra and set up a hierarchical graph model, in which graph transformations are studied following the well-known Double-Pushout approach. Based on this model, we provide a graph transformation system with a few sets of graph transformation rules for various purposes such as process copy and process reduction. We prove that the graph transformation system is sound and complete with respect to the reduction semantics of the calculus

Investigating communicating sequential processes for Java to support ubiquitous computing

Ubiquitous Computing promises to enrich our everyday lives by enabling the environment to be enhanced via computational elements. These elements are designed to augment and support our lives, thus allowing us to perform our tasks and goals. The main facet of Ubiquitous Computing is that computational devices are embedded in the environment, and interact with users and themselves to provide novel and unique applications. Ubiquitous Computing requires an underlying architecture that helps to promote and control the dynamic properties and structures that the applications require. In this thesis, the Networking package of Communicating Sequential Processes for Java (JCSP) is examined to analyse its suitability as the underlying architecture for Ubiquitous Computing. The reason to use JCSP Networking as a case study is that one of the proposed models for Ubiquitous Computing, the ?-Calculus, has the potential to have its abstractions implemented within JCSP Networking. This thesis examines some of the underlying properties of JCSP Networking and examines them within the context of Ubiquitous Computing. There is also an examination into the possibility of implementing the mobility constructs of the ?-Calculus and similar mobility models within JCSP Networking. It has been found that some of the inherent properties of Java and JCSP Networking do cause limitations, and hence a generalisation of the architecture has been made that should provide greater suitability of the ideas behind JCSP Networking to support Ubiquitous Computing. The generalisation has resulted in the creation of a verified communication protocol that can be applied to any Communicating Process Architecture

A Trace Model for Pointers and Objects

Object-oriented programs [Dahl, Goldberg, Meyer] are notoriously prone to the following kinds of error, which could lead to increasingly severe problems in the presence of tasking 1. Following a null pointer 2. Deletion of an accessible object 3. Failure to delete an inaccessible object 4. Interference due to equality of pointers 5. Inhibition of optimisation due to fear of (4) Type disciplines and object classes are a great help in avoiding these errors. Stronger protection may be obtainable with the help of assertions, particularly invariants, which are intended to be true before and after each call of a method that updates the structure of the heap. This note introduces a mathematical model and language for the formulation of assertions about objects and pointers, and suggests that a graphical calculus [Curtis, Lowe] may help in reasoning about program correctness. It deals with both garbage-collected heaps and the other kind. The theory is based on a trace model of graphs, using ideas from process algebra; and our development seeks to exploit this analogy as a unifying principle.