13 research outputs found
The VerCors tool for verification of concurrent programs
The VerCors tool implements thread-modular static verification of concurrent programs, annotated with functional properties and heap access permissions. The tool supports both generic multithreaded and vector-based programming models. In particular, it can verify multithreaded programs written in Java, specified with JML extended with separation logic. It can also verify parallelizable programs written in a toy language that supports the characteristic features of OpenCL. The tool verifies programs by first encoding the specified program into a much simpler programming language and then applying the Chalice verifier to the simplified program. In this paper we discuss both the implementation of the tool and the features of its specification language
Automating Deductive Verification for Weak-Memory Programs
Writing correct programs for weak memory models such as the C11 memory model
is challenging because of the weak consistency guarantees these models provide.
The first program logics for the verification of such programs have recently
been proposed, but their usage has been limited thus far to manual proofs.
Automating proofs in these logics via first-order solvers is non-trivial, due
to reasoning features such as higher-order assertions, modalities and rich
permission resources. In this paper, we provide the first implementation of a
weak memory program logic using existing deductive verification tools. We
tackle three recent program logics: Relaxed Separation Logic and two forms of
Fenced Separation Logic, and show how these can be encoded using the Viper
verification infrastructure. In doing so, we illustrate several novel encoding
techniques which could be employed for other logics. Our work is implemented,
and has been evaluated on examples from existing papers as well as the Facebook
open-source Folly library.Comment: Extended version of TACAS 2018 publicatio
Matching Logic
This paper presents matching logic, a first-order logic (FOL) variant for
specifying and reasoning about structure by means of patterns and pattern
matching. Its sentences, the patterns, are constructed using variables,
symbols, connectives and quantifiers, but no difference is made between
function and predicate symbols. In models, a pattern evaluates into a power-set
domain (the set of values that match it), in contrast to FOL where functions
and predicates map into a regular domain. Matching logic uniformly generalizes
several logical frameworks important for program analysis, such as:
propositional logic, algebraic specification, FOL with equality, modal logic,
and separation logic. Patterns can specify separation requirements at any level
in any program configuration, not only in the heaps or stores, without any
special logical constructs for that: the very nature of pattern matching is
that if two structures are matched as part of a pattern, then they can only be
spatially separated. Like FOL, matching logic can also be translated into pure
predicate logic with equality, at the same time admitting its own sound and
complete proof system. A practical aspect of matching logic is that FOL
reasoning with equality remains sound, so off-the-shelf provers and SMT solvers
can be used for matching logic reasoning. Matching logic is particularly
well-suited for reasoning about programs in programming languages that have an
operational semantics, but it is not limited to this
SteelCore: An extensible concurrent separation logic for effectful dependently typed programs
Much recent research has been devoted to modeling effects within type theory. Building on this work, we observe that effectful type theories can provide a foundation on which to build semantics for more complex programming constructs and program logics, extending the reasoning principles that apply within the host effectful type theory itself. Concretely, our main contribution is a semantics for concurrent separation logic (CSL) within the F* proof assistant in a manner that enables dependently typed, effectful F* programs to make use of concurrency and to be specified and verified using a full-featured, extensible CSL. In contrast to prior approaches, we directly derive the partial-correctness Hoare rules for CSL from the denotation of computations in the effectful semantics of non-deterministically interleaved atomic actions. Demonstrating the flexibility of our semantics, we build generic, verified libraries that support various concurrency constructs, ranging from dynamically allocated, storable spin locks, to protocol-indexed channels. We conclude that our effectful semantics provides a simple yet expressive basis on which to layer domain-specific languages and logics for verified, concurrent programming.Fil: Swamy, Nikhil. Microsoft Research; Estados UnidosFil: Rastogi, Aseem. Microsoft Research; IndiaFil: Fromherz, Aymeric. University of Carnegie Mellon; Estados UnidosFil: Merigoux, Denis. Institut National de Recherche en Informatique et en Automatique; FranciaFil: Ahman, Danel. University of Ljubljana; EsloveniaFil: MartÃnez, Guido. Consejo Nacional de Investigaciones CientÃficas y Técnicas. Centro CientÃfico Tecnológico Conicet - Rosario. Centro Internacional Franco Argentino de Ciencias de la Información y de Sistemas. Universidad Nacional de Rosario. Centro Internacional Franco Argentino de Ciencias de la Información y de Sistemas; Argentin
On Effect Analysis for Programs with Callbacks
We introduce a precise interprocedural effect analysis for programs with mutable state, dynamic object allocation, and dynamic dispatch. Our analysis is precise even in the presence of dynamic dispatch where the context-insensitive estimate on the number of targets is very large. This feature makes our analysis appropriate for programs that manipulate first-class functions (callbacks). We first present a framework in which programs are enriched with special effect statements, and define the semantics of both program and effect statements as relations on states. Our framework defines a program composition operator that is sound with respect to relation composition. Computing the summary of a procedure then consists of composing all its program statements to produce a single effect statement. We propose a strategy for applying the composition operator in a way that balances precision and efficiency. We instantiate this framework with a domain for tracking read and write effects, where relations on program states are abstracted as graphs. We implemented the analysis as a plugin for the Scala compiler. We analyzed the Scala standard library containing 58K methods and classified them into several categories according to their effects. Our analysis proves that over one half of all methods are pure. We also analyze how context sensitivity and composition operator application strategies impact the analysis precision and performance
Separation Logic
Separation logic is a key development in formal reasoning about programs, opening up new lines of attack on longstanding problems
Reasoning About Frame Properties in Object-oriented Programs
Framing is important for specification and verification of object-oriented programs. This dissertation develops the local reasoning approach for framing in the presence of data structures with unrestricted sharing and subtyping. It can verify shared data structures specified in a concise way by unifying fine-grained region logic and separation logic. Then the fine-grained region logic is extended to reason about subtyping. First, fine-grained region logic is adapted from region logic to express regions at the granularity of individual fields. Conditional region expressions are introduced; not only does this allow one to specify more precise frame conditions, it also has the ability to express footprints of separation logic assertions. Second, fine-grained region logic is generalized to a new logic called unified fine-grained region logic by allowing the logic to restrict the heap in which a program runs. This feature allows one to express specifications in separation logic. Third, both fine-grained region logic and separation logic can be encoded to unified fine-grained region logic. This result allows the proof system to reason about programs specified in both styles. Finally, fine-grained region logic is extended to reason about a programming language that is similar to Java. To reason about inheritance locally, a frame condition for behavioral subtyping is defined and proved sound