1,119 research outputs found
Matching Logic
This paper presents matching logic, a first-order logic (FOL) variant for
specifying and reasoning about structure by means of patterns and pattern
matching. Its sentences, the patterns, are constructed using variables,
symbols, connectives and quantifiers, but no difference is made between
function and predicate symbols. In models, a pattern evaluates into a power-set
domain (the set of values that match it), in contrast to FOL where functions
and predicates map into a regular domain. Matching logic uniformly generalizes
several logical frameworks important for program analysis, such as:
propositional logic, algebraic specification, FOL with equality, modal logic,
and separation logic. Patterns can specify separation requirements at any level
in any program configuration, not only in the heaps or stores, without any
special logical constructs for that: the very nature of pattern matching is
that if two structures are matched as part of a pattern, then they can only be
spatially separated. Like FOL, matching logic can also be translated into pure
predicate logic with equality, at the same time admitting its own sound and
complete proof system. A practical aspect of matching logic is that FOL
reasoning with equality remains sound, so off-the-shelf provers and SMT solvers
can be used for matching logic reasoning. Matching logic is particularly
well-suited for reasoning about programs in programming languages that have an
operational semantics, but it is not limited to this
Meta-F*: Proof Automation with SMT, Tactics, and Metaprograms
We introduce Meta-F*, a tactics and metaprogramming framework for the F*
program verifier. The main novelty of Meta-F* is allowing the use of tactics
and metaprogramming to discharge assertions not solvable by SMT, or to just
simplify them into well-behaved SMT fragments. Plus, Meta-F* can be used to
generate verified code automatically.
Meta-F* is implemented as an F* effect, which, given the powerful effect
system of F*, heavily increases code reuse and even enables the lightweight
verification of metaprograms. Metaprograms can be either interpreted, or
compiled to efficient native code that can be dynamically loaded into the F*
type-checker and can interoperate with interpreted code. Evaluation on
realistic case studies shows that Meta-F* provides substantial gains in proof
development, efficiency, and robustness.Comment: Full version of ESOP'19 pape
Program analysis is harder than verification: A computability perspective
We study from a computability perspective static program analysis, namely detecting sound program assertions, and verification, namely sound checking of program assertions. We first design a general computability model for domains of program assertions and correspond- ing program analysers and verifiers. Next, we formalize and prove an instantiation of Rice\u2019s theorem for static program analysis and verifica- tion. Then, within this general model, we provide and show a precise statement of the popular belief that program analysis is a harder prob- lem than program verification: we prove that for finite domains of pro- gram assertions, program analysis and verification are equivalent prob- lems, while for infinite domains, program analysis is strictly harder than verification
Proving Differential Privacy with Shadow Execution
Recent work on formal verification of differential privacy shows a trend
toward usability and expressiveness -- generating a correctness proof of
sophisticated algorithm while minimizing the annotation burden on programmers.
Sometimes, combining those two requires substantial changes to program logics:
one recent paper is able to verify Report Noisy Max automatically, but it
involves a complex verification system using customized program logics and
verifiers.
In this paper, we propose a new proof technique, called shadow execution, and
embed it into a language called ShadowDP. ShadowDP uses shadow execution to
generate proofs of differential privacy with very few programmer annotations
and without relying on customized logics and verifiers. In addition to
verifying Report Noisy Max, we show that it can verify a new variant of Sparse
Vector that reports the gap between some noisy query answers and the noisy
threshold. Moreover, ShadowDP reduces the complexity of verification: for all
of the algorithms we have evaluated, type checking and verification in total
takes at most 3 seconds, while prior work takes minutes on the same algorithms.Comment: 23 pages, 12 figures, PLDI'1
Verification-Preserving Inlining in Automatic Separation Logic Verifiers (extended version)
Bounded verification has proved useful to detect bugs and to increase
confidence in the correctness of a program. In contrast to unbounded
verification, reasoning about calls via (bounded) inlining and about loops via
(bounded) unrolling does not require method specifications and loop invariants
and, therefore, reduces the annotation overhead to the bare minimum, namely
specifications of the properties to be verified. For verifiers based on
traditional program logics, verification is preserved by inlining (and
unrolling): successful unbounded verification of a program w.r.t. some
annotation implies successful verification of the inlined program. That is, any
error detected in the inlined program reveals a true error in the original
program. However, this essential property might not hold for automatic
separation logic verifiers such as Caper, GRASShopper, RefinedC, Steel,
VeriFast, and verifiers based on Viper. In this setting, inlining generally
changes the resources owned by method executions, which may affect automatic
proof search algorithms and introduce spurious errors.
In this paper, we present the first technique for verification-preserving
inlining in automatic separation logic verifiers. We identify a semantic
condition on programs and prove in Isabelle/HOL that it ensures
verification-preserving inlining for state-of-the-art automatic separation
logic verifiers. We also prove a dual result: successful verification of the
inlined program ensures that there are method and loop annotations that enable
the verification of the original program for bounded executions. To check our
semantic condition automatically, we present two approximations that can be
checked syntactically and with a program verifier, respectively. We implement
these checks in Viper and demonstrate that they are effective for non-trivial
examples from different verifiers
- …