Featherweight VeriFast

VeriFast is a leading research prototype tool for the sound modular verification of safety and correctness properties of single-threaded and multithreaded C and Java programs. It has been used as a vehicle for exploration and validation of novel program verification techniques and for industrial case studies; it has served well at a number of program verification competitions; and it has been used for teaching by multiple teachers independent of the authors. However, until now, while VeriFast's operation has been described informally in a number of publications, and specific verification techniques have been formalized, a clear and precise exposition of how VeriFast works has not yet appeared. In this article we present for the first time a formal definition and soundness proof of a core subset of the VeriFast program verification approach. The exposition aims to be both accessible and rigorous: the text is based on lecture notes for a graduate course on program verification, and it is backed by an executable machine-readable definition and machine-checked soundness proof in Coq

The Belgian Electronic Identity Card: a Verification Case Study

In the field of annotation-based source code level program verification for Java-like languages, separation-logic based verifiers offer a promising alternative to classic JML based verifiers such as ESC/Java2, the Mobius tool or Spec#. Researchers have demonstrated the advantages of separation logic based verification by showing that it is feasible to verify very challenging (though very small) sample code, such as design patterns, or highly concurrent code. However, there is little experience in using this new breed of verifiers on real code. In this paper we report on our experience of verifying several thousands of lines of Java Card code using VeriFast, one of the state-of-the-art separation logic based verifiers. We quantify annotation overhead, verification performance, and impact on code quality (number of bugs found). Finally, our experiments suggest a number of potential improvements to the VeriFast tool

Typical features of Parkinson disease and diagnostic challenges with microdeletion 22q11.2

Objective: To delineate the natural history, diagnosis, and treatment response of Parkinson disease (PD) in individuals with 22q11.2 deletion syndrome (22q11.2DS), and to determine if these patients differ from those with idiopathic PD. Methods: In this international observational study, we characterized the clinical and neuroimaging features of 45 individuals with 22q11.2DS and PD (mean follow-up 7.5 ± 4.1 years). Results: 22q11.2DS PD had a typical male excess (32 male, 71.1%), presentation and progression of hallmark motor symptoms, reduced striatal dopamine transporter binding with molecular imaging, and initial positive response to levodopa (93.3%). Mean age at motor symptom onset was relatively young (39.5 ± 8.5 years); 71.4% of cases had early-onset PD (<45 years). Despite having a similar age at onset, the diagnosis of PD was delayed in patients with a history of antipsychotic treatment compared with antipsychotic-naive patients (median 5 vs 1 year, p = 0.001). Preexisting psychotic disorders (24.5%) and mood or anxiety disorders (31.1%) were common, as were early dystonia (19.4%) and a history of seizures (33.3%). Conclusions: Major clinical characteristics and response to standard treatments appear comparable in 22q11.2DS-associated PD to those in idiopathic PD, although the average age at onset is earlier. Importantly, treatment of preexisting psychotic illness may delay diagnosis of PD in 22q11.DS patients. An index of suspicion and vigilance for complex comorbidity may assist in identifying patients to prioritize for genetic testing

25th annual computational neuroscience meeting: CNS-2016

The same neuron may play different functional roles in the neural circuits to which it belongs. For example, neurons in the Tritonia pedal ganglia may participate in variable phases of the swim motor rhythms [1]. While such neuronal functional variability is likely to play a major role the delivery of the functionality of neural systems, it is difficult to study it in most nervous systems. We work on the pyloric rhythm network of the crustacean stomatogastric ganglion (STG) [2]. Typically network models of the STG treat neurons of the same functional type as a single model neuron (e.g. PD neurons), assuming the same conductance parameters for these neurons and implying their synchronous firing [3, 4]. However, simultaneous recording of PD neurons shows differences between the timings of spikes of these neurons. This may indicate functional variability of these neurons. Here we modelled separately the two PD neurons of the STG in a multi-neuron model of the pyloric network. Our neuron models comply with known correlations between conductance parameters of ionic currents. Our results reproduce the experimental finding of increasing spike time distance between spikes originating from the two model PD neurons during their synchronised burst phase. The PD neuron with the larger calcium conductance generates its spikes before the other PD neuron. Larger potassium conductance values in the follower neuron imply longer delays between spikes, see Fig. 17.Neuromodulators change the conductance parameters of neurons and maintain the ratios of these parameters [5]. Our results show that such changes may shift the individual contribution of two PD neurons to the PD-phase of the pyloric rhythm altering their functionality within this rhythm. Our work paves the way towards an accessible experimental and computational framework for the analysis of the mechanisms and impact of functional variability of neurons within the neural circuits to which they belong

Formalisation and Soundness of Static Verification Algorithms for Imperative Programs (Formalisatie en correctheid van statische verificatiealgoritmes voor imperatieve programma's)

Not only does our software grow larger and more complex, we also become more dependent on it, thus making it all the more necessary to develop tools that assist us in writing correct programs. As a consequence, much research has been done in the field of static verification, i.e. the development of algorithms that analyse source code and determine whether it contains certain kinds of errors. This can range from checking that no null dereferences can occur at runtimeto full functional correctness.Verification algorithms, however, are just as much subject to mistakes. Therefore, it is important to put these algorithms under scrutiny: our trust in software can only be as strong as the confidence we can have in our verification tools. In a first step, we closely examine some existing approaches to verification. More specifically, we fully formalise the verification algorithms and prove their soundness.If we are not willing to trust our software nor our verification algorithms, one can wonder why we should trust our formalisations and proofs. For this reason, we also provide full Coq implementations of all verification algorithms we consider, and, for most of them, machine check the soundness proofs.This thesis is divided into two parts. In the first part, we discuss verification condition generation. This approach consists of deriving a logical formula (called verification condition) from a program's source code, whose validity implies the correctness of the program with respect to given specifications. Three such algorithms are investigated, namely the strongest postcondition, the weakest liberal precondition and the weakest precondition. Extra attention is given to the weakest precondition algorithm. In its classic form, it produces a verification condition that grows exponentially with respect to the size of the program. An alternative formulation is available which generates a verification condition that grows only polynomially, but requires the program to be passive, i.e. to not contain any assignments. Fortunately, it is possible to transform any program into an equivalent passive form.We implement this transformation in Coq as well as the more efficient variant of the weakest precondition algorithm, and we provide fully machine checked proofs that this approach is sound.In the second part of the thesis, we turn our attention to symbolic execution. This approach consists of abstractly interpreting the program in such a way that all possible execution paths are considered simultaneously. Verification succeeds if no errors are encountered during this execution.Based on this technique we develop Featherweight VeriFast, representing the core part of VeriFast, an existing verifier developed at the KU Leuven. Featherweight VeriFast is formally defined as a denotational semantics, but it has been implemented in Coq and is extractable, making it usable as a standalone verifier.Featherweight VeriFast's formalisation is built on top of three abstraction layers. The first layer, the result algebra, allows us to reason about angelic and demonic choices, both needed to express the result of a symbolic execution. The second layer defines operators, composable monadic functions which allow us to elegantly deal with the two kinds of nondeterminism and state in a purely functional setting. The third layer provides basic operators, which together form a domain specific language, abstracting away the details of the result algebra. The symbolic execution, central to Featherweight VeriFast's operation, is then defined in terms of these basic operators. Finally, we also provide a (partially machine checked) soundness proof for Featherweight VeriFast. A last chapter discusses verification automation techniques. Some verifiers, for example VeriFast, require the code to be annotated (with for example routine contracts or loop invariants) to be able to determine a program's correctness. Generating these annotations automatically can dramatically decrease the effort required to verify programs. We discuss and compare three different automation techniques. Lastly, we propose a framework in which automation techniques can be added without compromising the soundness of the verification.1 Introduction 1 1.1 Static Verification Of Imperative Programs 1.2 Overview of Contributions 1.3 Summary I Verification Condition Generation 2 Overview 3 Phase I: From Source to Intermediate Language 13 3.1 BoogiePL 3.2 Source Language 3.2.1 Syntax 3.2.2 Typing 3.2.3 Operational semantics 3.2.4 Modularisation 3.3 Translation 3.3.1 Logical Part 3.3.2 Procedural Part 4 Formal Semantics of the Intermediate Verification Language 4.1 Syntax 4.2 Operational Semantics 4.3 Conclusion 5 Phase II: Generating Verification Conditions 5.1 Hoare Logic 5.2 Strongest Postcondition 5.3 Weakest Liberal Precondition 5.4 Weakest Precondition 5.5 Conclusion 6 Efficient Weakest Preconditions 6.1 Single Assignment Form 6.2 Passification 6.3 EfficientWeakest Preconditions 6.4 Soundness and Size 6.5 Conclusion II Symbolic Execution and Separation Logic 7 Introduction 8 VeriFast Introduction 8.1 Separation Logic 8.1.1 Rationale 8.1.2 Separating Conjunction and Frame Rule 8.2 VeriFast: Hands On 8.2.1 Basics 8.2.2 User Defined Predicates 8.2.3 Recursive User Defined Predicates 8.2.4 List Reversal 8.2.5 Ambiguous Matches 8.3 Related Verification Tools 8.4 Conclusion 9 Featherweight VeriFast 9.1 Small Imperative Language 9.2 Overview 9.3 Result Algebra 9.3.1 Examples 9.3.2 Operations and Axioms 9.3.3 Lemmas 9.4 Operators 9.5 Basic Operators 9.6 Result Algebra Models 9.6.1 Inductive Formulae 9.6.2 Weakest Preconditions 9.7 Operator Lemmas 9.8 Concrete Execution 9.8.1 Formalisation 9.8.2 Shortcomings 9.9 Semiconcrete Execution 9.9.1 Formalisation 9.9.2 Relation with Concrete Execution 9.10 Symbolic Execution 9.10.1 Formalisation 9.10.2 Relation with Semiconcrete Execution 9.10.3 Relation with Concrete Execution 9.11 Conclusion 10 Automation 10.1 General Approach And Rationale 10.2 Working Example 10.3 Auto-open and Auto-close 10.4 Autolemmas 10.5 Shape Analysis 10.6 Comparison 10.7 Conclusion 11 Conclusion and Future Work 11.1 Summary 11.2 Verification Condition Generation vs Symbolic Execution 11.2.1 Similarities 11.2.2 Performance 11.3 RelatedWork 11.3.1 Verification Condition Generation 11.3.2 Symbolic Execution and Separation Logic 11.4 Future Work 11.4.1 Further Formalisation of Verification Condition Generation 11.4.2 Featherweight VeriFast 11.4.3 VeriFast 11.4.4 Reflectionnrpages: 482status: publishe

Idea: Towards an inverted cloud

In this paper we propose the concept of an inverted cloud infrastructure. The traditional view of a cloud is turned upside down: instead of having services or infrastructure offered by a single provider, the same can be achieved by an aggregation of a multitude of mini providers. Even though the contribution of an individual mini provider in an inverted cloud can be limited, the combination would nevertheless be significant. We propose an architecture for an implementation of an inverted cloud infrastructure to allow mini providers to offer processor time. Security and efficiency can be achieved by building upon Intel's new SGX technology.status: publishe

A machine checked soundness proof for an intermediate verification language

Machine-checked proofs of properties of programming languages have gained in importance significantly over the past few years. This paper contributes to this trend by proposing an approach for doing machine-checked soundness proofs for verification condition (VC) generators. Our approach embraces the multi-phase VC generation common in modern program verifiers. Such verifiers split the generation of VCs in two (or even more) phases, using an intermediate verification language as the bridge between the programming language and logic. In our approach, we define a formal operational semantics of the intermediate verification language, and we prove the soundness of two translations separately: (1) the translation of the intermediate verification language to VCs, and (2) the translation of the source programming language to the intermediate language. This paper presents a fully machine checked proof of step (1) for a prototypical intermediate verification language,and then illustrates step (2) for very small object oriented programming language. © Springer-Verlag Berlin Heidelberg 2009.status: publishe

A machine-checked soundness proof for an efficient verification condition generator: technical report

Verification conditions (VCs) are logical formulae whose validity implies the correctness of a program with respect to a specification. The technique of checking software properties by specifying them in a program logic, then generating VCs, and finally feeding these VCs to a theorem prover, is several decades old. It is the underlying technology for state-of-the-art program verifiers such as the Spec# programming system, or ESC/Java. The classic way of computing VCs is by means of Dijkstra's weakest precondition calculus. However, modern verification condition generators (VCgens), including Spec# and ESC/Java's VCgens, are based on an optimized version of this algorithm, that avoids an exponential growth of the VCs in the length of the program to be verified. For this optimized VCgen algorithm, only informal soundness arguments are available. The paper "A machine-checked soundness proof for an efficient verification condition generator" by the same authors describes a fully formal, machine-checked proof of the soundness of such an efficient VCgen algorithm. This technical report elaborates further on the subject by fully detailing all definitions, theorems and proofs.nrpages: 156status: publishe