42 research outputs found
Featherweight VeriFast
VeriFast is a leading research prototype tool for the sound modular
verification of safety and correctness properties of single-threaded and
multithreaded C and Java programs. It has been used as a vehicle for
exploration and validation of novel program verification techniques and for
industrial case studies; it has served well at a number of program verification
competitions; and it has been used for teaching by multiple teachers
independent of the authors. However, until now, while VeriFast's operation has
been described informally in a number of publications, and specific
verification techniques have been formalized, a clear and precise exposition of
how VeriFast works has not yet appeared. In this article we present for the
first time a formal definition and soundness proof of a core subset of the
VeriFast program verification approach. The exposition aims to be both
accessible and rigorous: the text is based on lecture notes for a graduate
course on program verification, and it is backed by an executable
machine-readable definition and machine-checked soundness proof in Coq
Holistic specifications for robust programs
Functional specifications describe what program components can do: the sufficient conditions to invoke components' operations. They allow us to reason about the use of components in a closed world setting, where components interact with known client code, and where the client code must establish the appropriate pre-conditions before calling into a component. Sufficient conditions are not enough to reason about the use of components in an \emph{open world} setting, where components interact with external code, possibly of unknown provenance, and where components may evolve over time. In this open world setting, we must also consider the possible external code. \emph{necessary} conditions, i.e, what are the conditions without which an effect will not happen. In this paper we propose the Chainmail specification language for writing {holistic specifications that focus on necessary conditions (as well as sufficient conditions). We give a formal semantics for \Chainmail, and discuss several examples. The core of \Chainmail has been mechanised in the Coq proof assistant
Shoggoth: A Formal Foundation for Strategic Rewriting
Rewriting is a versatile and powerful technique used in many domains. Strategic rewriting allows programmers to control the application of rewrite rules by composing individual rewrite rules into complex rewrite strategies. These strategies are semantically complex, as they may be nondeterministic, they may raise errors that trigger backtracking, and they may not terminate.Given such semantic complexity, it is necessary to establish a formal understanding of rewrite strategies and to enable reasoning about them in order to answer questions like: How do we know that a rewrite strategy terminates? How do we know that a rewrite strategy does not fail because we compose two incompatible rewrites? How do we know that a desired property holds after applying a rewrite strategy?In this paper, we introduce Shoggoth: a formal foundation for understanding, analysing and reasoning about strategic rewriting that is capable of answering these questions. We provide a denotational semantics of System S, a core language for strategic rewriting, and prove its equivalence to our big-step operational semantics, which extends existing work by explicitly accounting for divergence. We further define a location-based weakest precondition calculus to enable formal reasoning about rewriting strategies, and we prove this calculus sound with respect to the denotational semantics. We show how this calculus can be used in practice to reason about properties of rewriting strategies, including termination, that they are well-composed, and that desired postconditions hold. The semantics and calculus are formalised in Isabelle/HOL and all proofs are mechanised
Automating Deductive Verification for Weak-Memory Programs
Writing correct programs for weak memory models such as the C11 memory model
is challenging because of the weak consistency guarantees these models provide.
The first program logics for the verification of such programs have recently
been proposed, but their usage has been limited thus far to manual proofs.
Automating proofs in these logics via first-order solvers is non-trivial, due
to reasoning features such as higher-order assertions, modalities and rich
permission resources. In this paper, we provide the first implementation of a
weak memory program logic using existing deductive verification tools. We
tackle three recent program logics: Relaxed Separation Logic and two forms of
Fenced Separation Logic, and show how these can be encoded using the Viper
verification infrastructure. In doing so, we illustrate several novel encoding
techniques which could be employed for other logics. Our work is implemented,
and has been evaluated on examples from existing papers as well as the Facebook
open-source Folly library.Comment: Extended version of TACAS 2018 publicatio
Necessity Specifications for Robustness
Robust modules guarantee to do only what they are supposed to do - even in
the presence of untrusted, malicious clients, and considering not just the
direct behaviour of individual methods, but also the emergent behaviour from
calls to more than one method. Necessity is a language for specifying
robustness, based on novel necessity operators capturing temporal implication,
and a proof logic that derives explicit robustness specifications from
functional specifications. Soundness and an exemplar proof are mechanised in
Coq