2,394 research outputs found
Featherweight VeriFast
VeriFast is a leading research prototype tool for the sound modular
verification of safety and correctness properties of single-threaded and
multithreaded C and Java programs. It has been used as a vehicle for
exploration and validation of novel program verification techniques and for
industrial case studies; it has served well at a number of program verification
competitions; and it has been used for teaching by multiple teachers
independent of the authors. However, until now, while VeriFast's operation has
been described informally in a number of publications, and specific
verification techniques have been formalized, a clear and precise exposition of
how VeriFast works has not yet appeared. In this article we present for the
first time a formal definition and soundness proof of a core subset of the
VeriFast program verification approach. The exposition aims to be both
accessible and rigorous: the text is based on lecture notes for a graduate
course on program verification, and it is backed by an executable
machine-readable definition and machine-checked soundness proof in Coq
Program transformations using temporal logic side conditions
This paper describes an approach to program optimisation based on transformations, where temporal logic is used to specify side conditions, and strategies are created which expand the repertoire of transformations and provide a suitable level of abstraction. We demonstrate the power of this approach by developing a set of optimisations using our transformation language and showing how the transformations can be converted into a form which makes it easier to apply them, while maintaining trust in the resulting optimising steps. The approach is illustrated through a transformational case study where we apply several optimisations to a small program
Computer-Assisted Program Reasoning Based on a Relational Semantics of Programs
We present an approach to program reasoning which inserts between a program
and its verification conditions an additional layer, the denotation of the
program expressed in a declarative form. The program is first translated into
its denotation from which subsequently the verification conditions are
generated. However, even before (and independently of) any verification
attempt, one may investigate the denotation itself to get insight into the
"semantic essence" of the program, in particular to see whether the denotation
indeed gives reason to believe that the program has the expected behavior.
Errors in the program and in the meta-information may thus be detected and
fixed prior to actually performing the formal verification. More concretely,
following the relational approach to program semantics, we model the effect of
a program as a binary relation on program states. A formal calculus is devised
to derive from a program a logic formula that describes this relation and is
subject for inspection and manipulation. We have implemented this idea in a
comprehensive form in the RISC ProgramExplorer, a new program reasoning
environment for educational purposes which encompasses the previously developed
RISC ProofNavigator as an interactive proving assistant.Comment: In Proceedings THedu'11, arXiv:1202.453
Memory usage verification using Hip/Sleek.
Embedded systems often come with constrained memory footprints. It is therefore essential to ensure that software running on such platforms fulfils memory usage specifications at compile-time, to prevent memory-related software failure after deployment. Previous proposals on memory usage verification are not satisfactory as they usually can only handle restricted subsets of programs, especially when shared mutable data structures are involved. In this paper, we propose a simple but novel solution. We instrument programs with explicit memory operations so that memory usage verification can be done along with the verification of other properties, using an automated verification system Hip/Sleek developed recently by Chin et al.[10,19]. The instrumentation can be done automatically and is proven sound with respect to an underlying semantics. One immediate benefit is that we do not need to develop from scratch a specific system for memory usage verification. Another benefit is that we can verify more programs, especially those involving shared mutable data structures, which previous systems failed to handle, as evidenced by our experimental results
Size-Change Termination as a Contract
Termination is an important but undecidable program property, which has led
to a large body of work on static methods for conservatively predicting or
enforcing termination. One such method is the size-change termination approach
of Lee, Jones, and Ben-Amram, which operates in two phases: (1) abstract
programs into "size-change graphs," and (2) check these graphs for the
size-change property: the existence of paths that lead to infinite decreasing
sequences.
We transpose these two phases with an operational semantics that accounts for
the run-time enforcement of the size-change property, postponing (or entirely
avoiding) program abstraction. This choice has two key consequences: (1)
size-change termination can be checked at run-time and (2) termination can be
rephrased as a safety property analyzed using existing methods for systematic
abstraction.
We formulate run-time size-change checks as contracts in the style of Findler
and Felleisen. The result compliments existing contracts that enforce partial
correctness specifications to obtain contracts for total correctness. Our
approach combines the robustness of the size-change principle for termination
with the precise information available at run-time. It has tunable overhead and
can check for nontermination without the conservativeness necessary in static
checking. To obtain a sound and computable termination analysis, we apply
existing abstract interpretation techniques directly to the operational
semantics, avoiding the need for custom abstractions for termination. The
resulting analyzer is competitive with with existing, purpose-built analyzers
Bounded Expectations: Resource Analysis for Probabilistic Programs
This paper presents a new static analysis for deriving upper bounds on the
expected resource consumption of probabilistic programs. The analysis is fully
automatic and derives symbolic bounds that are multivariate polynomials of the
inputs. The new technique combines manual state-of-the-art reasoning techniques
for probabilistic programs with an effective method for automatic
resource-bound analysis of deterministic programs. It can be seen as both, an
extension of automatic amortized resource analysis (AARA) to probabilistic
programs and an automation of manual reasoning for probabilistic programs that
is based on weakest preconditions. As a result, bound inference can be reduced
to off-the-shelf LP solving in many cases and automatically-derived bounds can
be interactively extended with standard program logics if the automation fails.
Building on existing work, the soundness of the analysis is proved with respect
to an operational semantics that is based on Markov decision processes. The
effectiveness of the technique is demonstrated with a prototype implementation
that is used to automatically analyze 39 challenging probabilistic programs and
randomized algorithms. Experimental results indicate that the derived constant
factors in the bounds are very precise and even optimal for many programs
Amortised resource analysis with separation logic
Type-based amortised resource analysis following Hofmann and Jost—where resources are associated with individual elements of data structures and doled out to the programmer under a linear typing discipline—have been successful in providing concrete resource bounds for functional programs, with good support for inference. In this work we translate the idea of amortised resource analysis to imperative languages by embedding a logic of resources, based on Bunched Implications, within Separation Logic. The Separation Logic component allows us to assert the presence and shape of mutable data structures on the heap, while the resource component allows us to state the resources associated with each member of the structure. We present the logic on a small imperative language with procedures and mutable heap, based on Java bytecode. We have formalised the logic within the Coq proof assistant and extracted a certified verification condition generator. We demonstrate the logic on some examples, including proving termination of in-place list reversal on lists with cyclic tails
- …