1 / 30

Automated Software Verification with a Permission-Based Logic

Automated Software Verification with a Permission-Based Logic. Malte Schwerhoff , ETH Zürich. 20 th June 2014, Zürich. Outline. Motivation Permissions Viper Demo. Automated Software Verification. We have Mutable state (heap locations) Method calls, loops Concurrency We want:

john
Download Presentation

Automated Software Verification with a Permission-Based Logic

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Automated Software Verification with aPermission-Based Logic Malte Schwerhoff, ETH Zürich 20th June 2014, Zürich

  2. Outline Motivation Permissions Viper Demo

  3. Automated Software Verification • We have • Mutable state (heap locations) • Method calls, loops • Concurrency • We want: • Automated static verification • Modularity

  4. Example class Cell { varv: int methodadd(c: Cell) { v := v + c.v } } methodclient() { varc1 := newCell c1.v := 1 var c2 := newCell c2.v := 2 c1.add(c2) assertc1.v == 3 assertc2.v == 2 }

  5. Modularity class Cell { varv: int methodadd(c: Cell) { v := v + c.v } } methodclient() { varc1 := newCell c1.v := 1 var c2 := newCell c2.v := 2 c1.add(c2) assert c1.v == 3 assertc2.v == 2 } ?

  6. Specifications class Cell { varv: int methodadd(c: Cell) requires c != nullensures v == old(v) + old(c.v) { v := v + c.v } } methodclient() { varc1 := newCell c1.v := 1 var c2 := newCell c2.v := 2 c1.add(c2) assert c1.v == 3 assertc2.v == 2 }

  7. Reasoning with Specifications class Cell { varv: int methodadd(c: Cell) requires c != nullensures v == old(v) + old(c.v) { v := v + c.v } } methodclient() { varc1 := newCell c1.v := 1 var c2 := newCell c2.v := 2 c1.add(c2) assert c1.v == 3 assertc2.v == 2 } ?

  8. An Incorrect Implementation class Cell { varv: int methodadd(c: Cell) requires c != nullensures v == old(v) + old(c.v) { v := v + c.v c.v := 0 } } methodclient() { varc1 := newCell c1.v := 1 var c2 := newCell c2.v := 2 c1.add(c2) assert c1.v == 3 assertc2.v == 2 }  

  9. Strengthening Specifications class Cell { varv: int methodadd(c: Cell) requires c != nullensures v == old(v) + old(c.v) ensures c.v == old(c.v) { v := v + c.v c.v := 0 } } methodclient() { varc1 := newCell c1.v := 1 var c2 := newCell c2.v := 2 c1.add(c2) assert c1.v == 3 assertc2.v == 2 } 

  10. Strengthening Specifications class Cell { varv: int methodadd(c: Cell) requires c != nullensures v == old(v) + old(c.v) ensures c.v == old(c.v) { v := v + c.v } } methodclient() { varc1 := newCell c1.v := 1 var c2 := newCell c2.v := 2 c1.add(c2) assert c1.v == 3 assertc2.v == 2 } ?

  11. Aliasing class Cell { varv: int methodadd(c: Cell) requires c != nullensures v == old(v) + old(c.v) ensures c.v == old(c.v) { v := v + c.v } } methodclient() { varc1 := newCell c1.v := 1 varc2 := new Cell c2.v := 2 c1.add(c1)// ensures c1.v == 1 + 1 // ensures c1.v == 1 assert c1.v == 3 assertc2.v == 2 }   

  12. Challenges Reason about Shared State & Control Aliasing

  13. Permission-Based Verification • Use permissions to control access to shared state • Permissions only exist conceptually, not at run-time • Permissions • Per field x.f • Exclusive write permissions (allows reading as well) • Non-exclusive read permissions

  14. Permission-Based Verification • Permissions to a location x.f can be • Splitinto multiple read permissions • Transferred between methods (or threads) • Recombinedagain

  15. Fractional Permissions client(x) add(x)  

  16. Splitting & Transferring Fractional Permissions client(x) add(x)  ? ?

  17. Merging Fractional Permissions client(x) add(x)  ? 

  18. Permission-Based Verification • Assumptions such as x.f == 0can only be made if permissions to x.f are available • If all permissions to x.f are lost, assumptions about x.f must be havoced (forgotten)

  19. Syntax, Separating Conjunction • Permissions can be split: acc(x.f, 1) ⇔ acc(x.f, 1/2) && acc(x.f, 1/2) • Write permissions are exclusive: acc(x.f, 1) && acc(y.f, 1)⇒x ≠ y • Write permissions are “maximal”: acc(x.f, 1) && acc(y.f, 1/100000) ⇒ x ≠ y

  20. Return of the Example method add(c: Cell) requiresacc(v) && acc(c.v, 1/2) ensuresacc(v) && acc(c.v, 1/2) ensures v == old(v) + c.v methodclient() { varc1 := newCell // acc(c1.v) c1.v := 1 //c1.v == 1 var c2 := new Cell // acc(c2.v) c2.v := 2 //c2.v == 2 c1.add(c2) assertc1.v == 3 && c2.v == 2 } ? 20

  21. Return of the Example method add(c: Cell) requiresacc(v) && acc(c.v, 1/2) ensuresacc(v) && acc(c.v, 1/2) ensures v == old(v) + c.v methodclient() { varc1 := newCell // acc(c1.v, 1) c1.v := 1 //c1.v == 1 var c2 := new Cell // acc(c2.v, 1) c2.v := 2 //c2.v == 2 c1.add(c2) assertc1.v == 3 && c2.v == 2 } Reason about call byexhaling precondition followed byinhalingpostcondition 21

  22. Return of the Example method add(c: Cell) requiresacc(v) && acc(c.v, 1/2) ensuresacc(v) && acc(c.v, 1/2) ensures v == old(v) + c.v methodclient() { ... // c1.add(c2) // acc(c1.v, 1) && c1.v == 1 && acc(c2.v, 1) && c2.v == 2 exhale acc(c1.v) && acc(c2.v, 1/2) // && acc(c2.v, 1/2) && c2.v == 2 inhale acc(c1.v) && acc(c.v, 1/2) // acc(c1.v, 1) && acc(c2.v, 1) && c2.v == 2 inhale c1.v == old(c1.v) + c2.v // acc(c1.v, 1) && c1.v == 3 && acc(c2.v, 1) && c2.v == 2 assert c1.v == 3 && c2.v == 2 }  22

  23. Viper Silver verified by Carbon Silicon queries Boogie(Microsoft) Z3(Microsoft) VerificationConditionGeneration Symbolic Execution

  24. Silver • Silver is an intermediate verification language • Encode source languages (with specs) in Silver • Use Silver verifier to verify encoding • Simple: • Objects, fields (heap), methods, loops, if-then-else • Rudimentary type system (primitives + Ref) • Verification features such as specifications • No concurrency primitives • Silver programs can be used for • Verification • Specification inference

  25. Demo

  26. Symbolic Execution with Silicon maintains verifies Verifier Program Symbolic State σ queries uses Prover - Symbolically each method (method-modular) - At each statement:- querystate (and prover) to decide if statement is executable - update state by exhaling precondition and inhaling postcondition - Branch over conditionals σ1 σ2 σ3 σ4 σ5

  27. Symbolic Execution with Silicon Symbolic state σ comprises • γ:Store mapping local variables to symbolic values (terms) c1 ↦ tc1, c2 ↦ tc2 • h:Heap recording permissions to and values of fields in the form of heap chunks tc1.v ↦ tv1 # p1, tc2 ↦ tv2 # p2 • π:Path conditions with assumptions about values tc1 ≠ null, tv1 > 0

  28. Slide of the Undead Example methodclient() { ... // γ: c1 ↦ tc1, c2 ↦ tc2 // h: tc1.v ↦ tv1 # 1, tc2.v ↦ tv2 # 1 // π: tv1 == 1, tv2 == 2 exhale acc(c1.v) && acc(c2.v, 1/2) // h: tc2.v ↦ tv2 # 1/2 // π: tv1 == 1, tv2 == 2 inhale acc(c1.v) && acc(c.v, 1/2) // h: tc1.v ↦ tv1 # 1, tc2.v ↦ tv3 # 1 // π: tv1 == 1, tv2 == 2 inhale c1.v == old(c1.v) + c2.v // π: tv1 == 1, tv2 == 2, tv3 == tv1 + tv2 assert c1.v == 3 && c2.v == 2 // π ⊢ tv3 == 3 && tv2 == 2 }  28

  29. Outlook • Information hiding and abstraction • Recursive data structures • Opposite of permissions: obligations • Translation of high-level features • Immutable data (vs. permissions) • Lazy evaluation (vs. permissions) • Closures • Actor-based concurrency • Specification inference

  30. Questions?

More Related