Structuring the verification of heap-manipulating programs
Slide 1. Structuring the verification of heap-manipulating programs
Aleksandar Nanevski (IMDEA Madrid), Viktor Vafeiadis (MSR / Univ. of Cambridge), Josh Berdine (MSR Cambridge)

Slide 2. Hoare / separation logic
Hoare logic: { p } C { q }, with p the precondition, C the program and q the postcondition.
In separation logic, p, q : Heap → Prop, where a heap is a finite map from Loc to Val.

Slide 3. Separation logic rules

Syntax-directed rules:
  {emp} move x v {x = v ∧ emp}
  {x ↦ −} store x v {x ↦ v}
  {x ↦ v} load y x {x ↦ v ∧ y = v}
  {emp} alloc y v {y ↦ v}
  {x ↦ −} dealloc x {emp}
  [seq]          {p} e1 {q}    {q} e2 {r}    ⟹    {p} e1; e2 {r}

Structural rules:
  [frame]        {p} e {q}    ⟹    {p ∗ r} e {q ∗ r}
  [consequence]  p' → p    {p} e {q}    q → q'    ⟹    {p'} e {q'}
  [∧]            {p} e {q1}    {p} e {q2}    ⟹    {p} e {q1 ∧ q2}
  [∀]            {p} e {q}    x ∉ FV(e, p)    ⟹    {p} e {∀x. q}
  [∨]            {p1} e {q}    {p2} e {q}    ⟹    {p1 ∨ p2} e {q}
  [∃]            {p x} e {q}    x ∉ FV(e, q)    ⟹    {∃x. p} e {q}
Slide 4. Dependent types
Dependent types: e : τ, where the type τ may mention expressions.
  Σ-types: even ≜ { x : int. ∃k. x = 2 * k }
  Π-types: twice : Πx:int. { y : int. y = 2 * x }
           add : Πx:int. Πy:int. { z : int. z = x + y }
They enable abstraction and proof reuse.

Slide 5. Hoare Type Theory
Hoare types form a monad over expressions: e : STsep τ (p, q), with precondition p, return type τ and postcondition q, where
  p : Heap → Prop                  (initial heap)
  q : τ → Heap → Heap → Prop       (result, initial heap, final heap)

Slide 6. Deep and shallow embedding
  deep embedding: the syntax of the inner logic is an object of the outer logic
  shallow embedding: the inner logic is shorthand for its semantics

                 Usually     HTT
    Programs     deep        shallow
    Assertions   shallow*    shallow
  * deep embedding is used for completeness results
Slide 7. Return (~ move)
  return : Πv:A. STsep A (emp, fun y i m. y = v ∧ emp m)
return takes v as an argument. pre: initial heap is empty. post: return value = v; final heap is empty.

Slide 8. Store
  := : Πx:loc. Πv:A. STsep unit (x ↦ −, fun y i m. (x ↦ v) m ∧ y = ())
pre: initial heap is [(x,_)]. post: final heap is [(x,v)]; return value = ().

Slide 9. Load
  ! : Πx:loc. STsep A (x ↦ −, fun y i m. ∀v. (x ↦ v) i → (x ↦ v) m ∧ y = v)
pre: initial heap is [(x,_)]. post: for whatever value v such that the initial heap is [(x,v)], the final heap is [(x,v)] and the return value = v.

Slide 10. Alloc and dealloc
  alloc : Πv:A. STsep loc (emp, fun y i m. (y ↦ v) m)
    pre: initial heap is empty. post: final heap is [(return_value, v)].
  dealloc : Πx:loc. STsep unit (x ↦ −, fun y i m. emp m ∧ y = ())
    pre: initial heap is [(x,_)]. post: final heap is empty (x deallocated); return value = ().
Slide 11. Bind (~ sequential composition)
  bind : Πe1:STsep A1 s1. Πe2:(Πx:A1. STsep A2 (s2 x)). STsep A2 (bind_s s1 s2)
NB: the spec of e2 may depend on the return value of e1. The combined spec is
  bind_s s1 s2 = (fun i. pre s1 i ∧ ∀x h. post s1 x i h → pre (s2 x) h,
                  fun y i m. ∃x h. post s1 x i h ∧ post (s2 x) y h m)
The precondition carries the proof obligation that post s1 implies pre s2; the postcondition says there exist an intermediate value x and an intermediate heap h.

Slide 12. Consequence
  do : STsep A s1 → (∀i. pre s2 i → verify i s1 (fun y m. post s2 y i m)) → STsep A s2
where
  verify i s q = pre s i ∧ ∀y m. post s y i m → q y m.
Example, a dependent if-then-else:
  If : Πb:bool. STsep A s1 → STsep A s2 → STsep A (if b then s1 else s2)
     = fun b e1 e2. if b then (do e1) else (do e2)

Slide 13. Other structural rules are just lemmas about verify ...
  conj  : verify i s q1 → verify i s q2 → verify i s (fun y h. q1 y h ∧ q2 y h)
  all   : (∀x:B. verify i s (q x)) → B → verify i s (fun y m. ∀x:B. q x y m)
  disj  : (p1 i → verify i s q) → (p2 i → verify i s q) → p1 i ∨ p2 i → verify i s q
  exist : (∀x. p x → verify i s q) → (∃x. p x) → verify i s q
  frame : verify i s (fun y m. def (m • h) → q y (m • h)) → def (i • h) → verify (i • h) s q
... and many more structural rules / lemmas.
Slide 14. Arrays (indexed by any finite type)
Module Array:
  array : fintype → Type → Type
    type constructor; arguments are the type of indexes and the type of contents
  shape : array I T → (I → T) → Prop
    predicate describing an array in the heap; its second argument is the logical contents of the array
  read : Πa:array I T. Πk:I. STsep T (fun i. ∃f. shape a f i,
                                       fun y i m. ∀f. shape a f i → y = f k ∧ i = m)

Slide 15. Arrays (continued)
  write : Πa:array I T. Πk:I. Πx:T. STsep unit (fun i. ∃f. shape a f i,
                                                 fun y i m. ∀f. shape a f i → shape a f[k ↦ x] m)
write takes a, k and x as arguments. pre: the initial heap contains the array. post: for whatever initial contents f of the array, its final contents are f[k ↦ x].
Slide 16. How not to represent heaps (1)
  combine : Heap → Heap → Heap → Prop
Representing heap union as a relation means one cannot rewrite with it, so proofs get too long.

Slide 17. How not to represent heaps (2)
The problem shows up as soon as one considers heap union as a partial function:
  h1 ∪ h2 = fun x.  h2 x     if h1 x = None
                    Some v   if h1 x = Some v and h2 x = None
                    None     if h1 x = Some v and h2 x = Some w
  commute : h1 ∪ h2 = h2 ∪ h1
  assoc   : disjoint h1 h2 → disjoint h2 h3 → disjoint h3 h1 → h1 ∪ (h2 ∪ h3) = (h1 ∪ h2) ∪ h3
The disjointness hypotheses of assoc are an annoying side condition.

Slide 18. Possibly defined heaps
  heap = Undef | Def of {l : list (loc × dynamic), _ : sorted l}
  empty = Def (nil, sorted_nil)
  [x ↦ v] = if x == null then Undef else Def ((x, v) :: nil, sorted_cons x v)
  h1 • h2 = if (h1, h2) is (Def (l1, _), Def (l2, _)) then
              if disj l1 l2 then Def (sort (l1 ++ l2), sorted_cat l1 l2) else Undef
            else Undef
  def h = if h is Undef then false else true

Slide 19. Lemmas
  unc  : h1 • h2 = h2 • h1
  unca : h1 • (h2 • h3) = h2 • (h1 • h3)
  unac : (h1 • h2) • h3 = (h1 • h3) • h2
  una  : (h1 • h2) • h3 = h1 • (h2 • h3)
  un0h : empty • h = h
  unh0 : h • empty = h
These are Coq equalities, so one can rewrite with them, and they carry no side conditions.
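The two heap models of slides 17 and 18, as an added Python example (not the Coq development from the talk): the partial union of slide 17, whose associativity only holds under the disjointness side condition, next to the possibly-undefined heap of slide 18, whose union is total, with the lemmas of slide 19 checked over a small constructed set of heaps. The names UNDEF, Def, union, points_to and the choice of location 0 as null are this example's own; the sample heaps are constructed for the check.

```python
"""Two models of separation-logic heaps, after slides 17 to 19 of the talk.

Slide 17's partial union over finite maps needs disjointness side conditions
for associativity; slide 18's possibly-undefined heap makes union total, so
slide 19's laws hold unconditionally. Added example, not the Coq development."""
from itertools import product

NULL = 0  # the null location (this example's choice)


# --- slide 17: partial union of finite maps loc -> value --------------------
def partial_union(h1, h2):
    """fun x. h2 x if h1 x = None; Some v if h1 x = Some v and h2 x = None;
    None if both define x (the colliding location is simply dropped)."""
    out = {}
    for x in set(h1) | set(h2):
        if x in h1 and x in h2:
            continue
        out[x] = h1[x] if x in h1 else h2[x]
    return out


def disjoint(h1, h2):
    return not (set(h1) & set(h2))


def partial_assoc(h1, h2, h3):
    """Slide 17's assoc lemma: only under pairwise disjointness does
    h1 ∪ (h2 ∪ h3) = (h1 ∪ h2) ∪ h3 follow; otherwise the lemma says nothing."""
    if disjoint(h1, h2) and disjoint(h2, h3) and disjoint(h3, h1):
        return partial_union(h1, partial_union(h2, h3)) == partial_union(partial_union(h1, h2), h3)
    return None


def partial_assoc_counterexample():
    """Three maps that all define location 1: partial union is not associative."""
    h1, h2, h3 = {1: "a"}, {1: "b"}, {1: "c"}
    return (partial_union(h1, partial_union(h2, h3)),
            partial_union(partial_union(h1, h2), h3))


# --- slide 18: possibly defined heaps ----------------------------------------
UNDEF = None  # the Undef constructor


def Def(pairs):
    """Def l with l a sorted list of (loc, value); sortedness holds by construction."""
    return tuple(sorted(pairs))


EMPTY = Def([])


def points_to(x, v):
    """[x ↦ v]: Undef when x is the null location."""
    return UNDEF if x == NULL else Def([(x, v)])


def union(h1, h2):
    """h1 • h2: Undef if either side is Undef or the location lists overlap."""
    if h1 is UNDEF or h2 is UNDEF:
        return UNDEF
    if {x for x, _ in h1} & {x for x, _ in h2}:
        return UNDEF
    return Def(list(h1) + list(h2))


def is_def(h):
    return h is not UNDEF


# --- slide 19: the laws, checked with no side conditions ---------------------
def check_laws(heaps):
    for h1, h2, h3 in product(heaps, repeat=3):
        assert union(h1, h2) == union(h2, h1)                         # unc
        assert union(h1, union(h2, h3)) == union(h2, union(h1, h3))   # unca
        assert union(union(h1, h2), h3) == union(union(h1, h3), h2)   # unac
        assert union(union(h1, h2), h3) == union(h1, union(h2, h3))   # una
    for h in heaps:
        assert union(EMPTY, h) == h and union(h, EMPTY) == h          # un0h, unh0
    return True


# constructed sample: includes overlapping heaps and an Undef one
SAMPLE = [EMPTY, points_to(1, "a"), points_to(1, "b"), points_to(2, "c"),
          union(points_to(1, "a"), points_to(2, "c")), points_to(NULL, "x")]
```

check_laws(SAMPLE) passes even though SAMPLE contains overlapping heaps and an Undef heap: wherever the partial model would need a disjointness hypothesis, the total model makes both sides of the equation Undef, which is exactly why the slide 19 lemmas can be used as rewrite rules.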
Slide 20. Case study
Verified the fast congruence closure algorithm (Nieuwenhuis & Oliveras, 2007): a state-of-the-art algorithm used in the Barcelogic SMT solver. It uses several imperative data structures: arrays, hash tables and (imperative) linked lists.

Slide 21. Congruence
  exp = const of symb | app of exp × exp
R is a congruence iff it is
  monotone:   R(a, b) → R(c, d) → R(a.c, b.d)
  reflexive:  R(a, a)
  transitive: R(a, b) → R(b, c) → R(a, c)

Slide 22. Congruence closure
Two operations:
  merge: add an equality to R
  check: check whether an equality is in the congruence closure
Only equations of the form a = b and a = b.c, where a, b, c are symbols, are accepted; complex terms are broken into many such equations.

Slide 23. Data structures
  data = { rep     : symb → symb;                              (array of representatives)
           class   : symb → list symb;                         (class lists: symbols in the same equivalence class)
           use     : symb → list (symb × symb × symb);         (use lists: equations using the symbol)
           lookup  : symb → symb → option (symb × symb × symb);  (lookup table: representative for compound terms)
           pending : list (symb × symb) }                      (pending equations)
Slide 24. The source code

merge:
  merge (eq : Eq) : STsep unit (fun i. ∃R. shape p R i,
                                fun y i m. ∀R. shape p R i → shape p (closure (R ∪ rel_of eq)) m) =
    match eq with
    | simp a b →
        do (q ← !p; x ← insert q (a, b); p := x; hpropagate)
    | comp c c1 c2 →
        do (c1' ← Array.read r c1; c2' ← Array.read r c2;
            v ← Hashtab.lookup htab (c1', c2');
            match v with
            | None →
                Hashtab.insert htab (c1', c2') (c, c1, c2);
                u1 ← Array.read ulist c1'; x ← insert u1 (c, c1, c2); Array.write ulist c1' x;
                u2 ← Array.read ulist c2'; x ← insert u2 (c, c1, c2); Array.write ulist c2' x
            | Some (b, b1, b2) →
                q ← !p; x ← insert q (c, b); p := x; hpropagate
            end)
    end

check:
  check (t1 t2 : exp) : STsep bool (fun i. ∃R. shape p R i,
                                    fun y i m. ∀R. shape p R i → shape p R m ∧ (y = true ↔ R (t1, t2))) =
    do (u1 ← hnorm t1; u2 ← hnorm t2; return (u1 == u2))

  rel_of (eq : Eq) : exp × exp → Prop :=
    match eq with
    | simp a b     → fun t. t.1 = const a ∧ t.2 = const b
    | comp c c1 c2 → fun t. t.1 = const c ∧ t.2 = app (const c1) (const c2)
    end

norm:
  hnorm (t : exp) =
    fix (fun hnorm (t : exp).
      do (match t with
          | const a → a' ← Array.read r a; return (const a')
          | app t1 t2 →
              u1 ← hnorm t1; u2 ← hnorm t2;
              match u1, u2 with
              | const w1, const w2 →
                  v ← Hashtab.lookup htab (w1, w2);
                  match v with
                  | None → return (app u1 u2)
                  | Some (b, _, _) → b' ← Array.read r b; return (const b')
                  end
              | _, _ → return (app u1 u2)
              end
          end)) t

propagate:
  hpropagate =
    fix (fun loop (x : unit).
      do (q ← !p;
          if q == null then return ()
          else eq ← !q; next ← !(q + 1); p := next; dealloc q; dealloc (q + 1);
               a ← Array.read r eq.1; b ← Array.read r eq.2;
               if a == b then loop ()
               else hjoin_class a b; hjoin_use a b; loop ())) ()

join_class:
  hjoin_class (a b : symb) =
    fix (fun loop (x : unit).
      do (ua ← Array.read clist a; ub ← Array.read clist b;
          if ua == null then return ()
          else s ← !ua; next ← !(ua + 1); ua + 1 := ub;
               Array.write clist b ua; Array.write clist a next;
               Array.write r s b; loop ())) ()

join_use:
  hjoin_use (a b : symb) =
    fix (fun loop (x : unit).
      do (ua ← Array.read ulist a;
          if ua == null then return ()
          else eqc ← !ua; next ← !(ua + 1); Array.write ulist a next;
               c2 ← Array.read r eqc.2; c3 ← Array.read r eqc.3;
               v ← Hashtab.lookup htab (c2, c3);
               match v with
               | None →
                   Hashtab.insert htab (c2, c3) eqc;
                   ub ← Array.read ulist b; ua + 1 := ub; Array.write ulist b ua; loop ()
               | Some eqd →
                   dealloc ua; dealloc (ua + 1);
                   p' ← !p; q ← insert p' (eqc.1, eqd.1); p := q; loop ()
               end)) ()
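The merge / propagate / join_class / join_use / normalize structure of slides 22 to 24, as an added example in plain Python rather than the verified HTT code above: dictionaries and lists stand in for the representative array, class lists, use lists, hash table and pending list of slide 23. Equations are tuples ('simp', a, b) for a = b and ('comp', c, c1, c2) for c = c1.c2; terms are ('const', a) or ('app', t1, t2). The class name, method names and the constructed input (the classic f³(a) = a, f⁵(a) = a ⟹ f(a) = a instance, curried into five 'comp' equations) are this example's own, not from the talk.

```python
"""Congruence closure over curried equations, after slides 21 to 24 of the talk.

Only equations a = b ('simp') and a = b.c ('comp') over symbols are accepted;
complex terms are broken into such equations by the caller. Added example
code in Python, not the verified HTT source from the slides."""


class CongruenceClosure:
    def __init__(self, symbols):
        self.rep = {s: s for s in symbols}        # representative of each symbol
        self.cls = {s: [s] for s in symbols}      # class lists: symbols in the same class
        self.use = {s: [] for s in symbols}       # use lists: comp equations using rep s
        self.lookup = {}                          # (rep c1, rep c2) -> (c, c1, c2)
        self.pending = []                         # pairs of symbols still to be merged

    def merge(self, eq):
        """Add one equation to R, then propagate (mirrors 'merge' on slide 24)."""
        if eq[0] == "simp":
            _, a, b = eq
            self.pending.append((a, b))
            self.propagate()
            return
        _, c, c1, c2 = eq
        key = (self.rep[c1], self.rep[c2])
        found = self.lookup.get(key)
        if found is None:
            # first equation with this pair of representatives: record it
            self.lookup[key] = (c, c1, c2)
            self.use[key[0]].append((c, c1, c2))
            self.use[key[1]].append((c, c1, c2))
        else:
            # c = c1.c2 and b = b1.b2 with congruent arguments: c = b by monotonicity
            self.pending.append((c, found[0]))
            self.propagate()

    def propagate(self):
        """Drain the pending list, merging classes whose representatives differ."""
        while self.pending:
            x, y = self.pending.pop()
            a, b = self.rep[x], self.rep[y]
            if a != b:
                self.join_class(a, b)
                self.join_use(a, b)

    def join_class(self, a, b):
        """Move every symbol of class a into class b and re-point its representative."""
        for s in self.cls[a]:
            self.rep[s] = b
            self.cls[b].append(s)
        self.cls[a] = []

    def join_use(self, a, b):
        """Re-index a's use list under b; a lookup collision yields a new pending pair."""
        for eqc in self.use[a]:
            c, c1, c2 = eqc
            key = (self.rep[c1], self.rep[c2])
            eqd = self.lookup.get(key)
            if eqd is None:
                self.lookup[key] = eqc
                self.use[b].append(eqc)
            else:
                self.pending.append((c, eqd[0]))
        self.use[a] = []

    def normalize(self, t):
        """Canonical form of a term under the current closure (mirrors 'hnorm')."""
        if t[0] == "const":
            return ("const", self.rep[t[1]])
        u1, u2 = self.normalize(t[1]), self.normalize(t[2])
        if u1[0] == "const" and u2[0] == "const":
            found = self.lookup.get((u1[1], u2[1]))
            if found is not None:
                return ("const", self.rep[found[0]])
        return ("app", u1, u2)

    def check(self, t1, t2):
        """t1 = t2 is in the congruence closure iff both normalise to the same term."""
        return self.normalize(t1) == self.normalize(t2)


def build_example():
    """Constructed input: f1 = f.a, f2 = f.f1, ..., f5 = f.f4, then f3 = a and f5 = a.
    Congruence closure must derive f1 = a (the classic f^3(a) = a, f^5(a) = a example)."""
    cc = CongruenceClosure(["a", "f", "f1", "f2", "f3", "f4", "f5"])
    prev = "a"
    for name in ["f1", "f2", "f3", "f4", "f5"]:
        cc.merge(("comp", name, "f", prev))
        prev = name
    cc.merge(("simp", "f3", "a"))
    cc.merge(("simp", "f5", "a"))
    return cc
```

Two details carry over from the slide code: lookup is always keyed by current representatives, so join_use must re-insert every equation of the absorbed class under its new key (stale keys are never queried), and a found entry in join_use produces a pending pair rather than an immediate merge, which is what keeps the loop invariant manageable.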
Slides 25 and 26. Proof strategy
  Imperative source code                                                                          120 lines   Easy
  Define functional versions of the helper functions (norm, propagate, join_class, join_use)       80 lines   Easy
  Specify and verify the imperative helper functions in terms of the respective functional ones   280 lines   OK
  Formalize congruence closure and prove basic lemmas                                             630 lines   Difficult
  Verify the functional helper functions                                                          650 lines
Actually, the last part was very difficult: one loop invariant is 120 lines long, and it took several weeks to find it.

Slide 27. More about the proof
  Uses the SSReflect extensions to Coq, which give a much better language for writing proofs.
  Explicit proofs, (almost) no tactics.
  A lot of rewriting (equational reasoning).
  Decidable types wherever possible (e.g. disjoint composition of heaps).

Slide 28. Conclusion
  Hoare types.
  Case study: fast congruence closure.
Axiomatic Semantics Stansifer Ch 2.4, Ch. 9 Winskel Ch.6 Slonneger and Kurtz Ch. 11 1 Overview We ll develop proof rules, such as: { I b } S { I } { I } while b do S end { I b } That allow us to verify
More informationThe Locally Nameless Representation
Noname manuscript No. (will be inserted by the editor) The Locally Nameless Representation Arthur Charguéraud Received: date / Accepted: date Abstract This paper provides an introduction to the locally
More informationA Certified Denotational Abstract Interpreter (Proof Pearl)
A Certified Denotational Abstract Interpreter (Proof Pearl) David Pichardie INRIA Rennes David Cachera IRISA / ENS Cachan (Bretagne) Static Analysis Static Analysis Static analysis by abstract interpretation
More informationA proof checking kernel for the λπ-calculus modulo
A proof checking kernel for the λπ-calculus modulo Mathieu Boespflug, École Polytechnique PhD defense, 18 january 2011 Funded by Pythia of Delphi Pythia of Delphi True False Proof implies truth. 1 1 For
More informationChapter 4. Lists and List Segments. An Introduction to Separation Logic c 2011 John C. Reynolds February 17, 2011
Chapter 4 An Introduction to Separation Logic c 2011 John C. Reynolds February 17, 2011 Lists and List Segments In this chapter, we begin to explore data structures that represent abstract types of data.
More informationThe Curry-Howard Isomorphism
The Curry-Howard Isomorphism Software Formal Verification Maria João Frade Departmento de Informática Universidade do Minho 2008/2009 Maria João Frade (DI-UM) The Curry-Howard Isomorphism MFES 2008/09
More informationLeonardo de Moura Microsoft Research
Leonardo de Moura Microsoft Research Is formula F satisfiable modulo theory T? SMT solvers have specialized algorithms for T b + 2 = c and f(read(write(a,b,3), c-2)) f(c-b+1) b + 2 = c and f(read(write(a,b,3),
More informationDefinability in Boolean bunched logic
Definability in Boolean bunched logic James Brotherston Programming Principles, Logic and Verification Group Dept. of Computer Science University College London, UK J.Brotherston@ucl.ac.uk Logic Summer
More informationAdapted with permission from: Seif Haridi KTH Peter Van Roy UCL. C. Varela; Adapted w. permission from S. Haridi and P. Van Roy 1
Higher-Order Programming: Iterative computation (CTM Section 3.2) Closures, procedural abstraction, genericity, instantiation, embedding (CTM Section 3.6.1) Carlos Varela RPI September 15, 2015 Adapted
More informationFormal Reasoning CSE 331. Lecture 2 Formal Reasoning. Announcements. Formalization and Reasoning. Software Design and Implementation
CSE 331 Software Design and Implementation Lecture 2 Formal Reasoning Announcements Homework 0 due Friday at 5 PM Heads up: no late days for this one! Homework 1 due Wednesday at 11 PM Using program logic
More informationSAT Solver verification
SAT Solver verification By Filip Marić April 17, 2016 Abstract This document contains formall correctness proofs of modern SAT solvers. Two different approaches are used state-transition systems shallow
More informationCompositional Invariant Checking for Overlaid and Nested Linked Lists
Compositional Invariant Checking for Overlaid and Nested Linked Lists Constantin Enea, Vlad Saveluc, and Mihaela Sighireanu Univ Paris Diderot, Sorbonne Paris Cite, LIAFA CNRS UMR 7089, Paris, {cenea,sighirea}@liafa.univ-paris-diderot.fr
More informationProgram Construction and Reasoning
Program Construction and Reasoning Shin-Cheng Mu Institute of Information Science, Academia Sinica, Taiwan 2010 Formosan Summer School on Logic, Language, and Computation June 28 July 9, 2010 1 / 97 Introduction:
More informationPropositional Dynamic Logic
Propositional Dynamic Logic Contents 1 Introduction 1 2 Syntax and Semantics 2 2.1 Syntax................................. 2 2.2 Semantics............................... 2 3 Hilbert-style axiom system
More informationCombined Satisfiability Modulo Parametric Theories
Intel 07 p.1/39 Combined Satisfiability Modulo Parametric Theories Sava Krstić*, Amit Goel*, Jim Grundy*, and Cesare Tinelli** *Strategic CAD Labs, Intel **The University of Iowa Intel 07 p.2/39 This Talk
More informationAxiomatic semantics. Semantics and Application to Program Verification. Antoine Miné. École normale supérieure, Paris year
Axiomatic semantics Semantics and Application to Program Verification Antoine Miné École normale supérieure, Paris year 2015 2016 Course 6 18 March 2016 Course 6 Axiomatic semantics Antoine Miné p. 1 /
More information