Add to collection(s) Add to saved
  1. Science
  2. Health Science
  3. Cardiology

here - Billiejoe

advertisement 
Crowfoot: a verifier for higher
order store programs
Billiejoe (Nathaniel) Charlton
Ben Horsfall
Bernhard Reus
University of Sussex
VMCAI 2012
Outline
•
Background on Higher Order Store (HOS)
- What is HOS? Why should I care?
- Reasoning about HOS programs: Hoare logic with nested triples
•
Automated reasoning in Hoare logics with nested triples
- What are the difficulties?
- How we address them in our Crowfoot tool
•
Some things we have verified using Crowfoot
What is higher order store?
•
A programming language is said to feature HOS when:
a program’s code / commands / procedures are part of the
mutable store which the program manipulates as it runs
What is higher order store?
•
A programming language is said to feature HOS when:
a program’s code / commands / procedures are part of the
mutable store which the program manipulates as it runs
•
So HOS programs can modify their own code while running
What is higher order store?
•
A programming language is said to feature HOS when:
a program’s code / commands / procedures are part of the
mutable store which the program manipulates as it runs
•
So HOS programs can modify their own code while running
•
Where does HOS occur?
- in functional languages with mutable higher order state e.g. ML
- dynamic loading and unloading of code e.g. Plugins, OSes
- “hot update” – updating a program while it is running
- runtime code generation
square brackets indicate heap access
square brackets indicate heap access
stores procedure
onto the
heap, possibly doing partial
application at the same time
square brackets indicate heap access
stores procedure
onto the
heap, possibly doing partial
application at the same time
runs the procedure stored in the heap
at address , with arguments
square brackets indicate heap access
stores procedure
onto the
heap, possibly doing partial
application at the same time
ordinary procedure call
runs the procedure stored in the heap
at address , with arguments
But what should we write here?
We need to describe the code
which must be stored on the
heap at address f
First attempt: says exactly
which code is stored at f.
But only allows us to invoke
P if we’re adding 10! 
Second attempt: better.
But still not really satisfying.
Doesn’t seem like a generic
specification.
Instead, we use a nested Hoare triple to
talk about the behaviour of the code,
rather than which exact code it is.
Instead, we use a nested Hoare triple to
talk about the behaviour of the code,
rather than which exact code it is.
Instead, we use a nested Hoare triple to
talk about the behaviour of the code,
rather than which exact code it is.
Nested triples first
appear in work by
Honda, Yoshida
and Berger; later
developments by
many others.
Our tool Crowfoot
•
Our tool Crowfoot implements (semi-) automated verification of HOS
programs, using nested triples
•
Employs symbolic execution with separation logic technique, as in
Smallfoot, VeriFast, jStar ...
•
What issues did we face in implementing Crowfoot?
Issues for implementation
•
Assertion language: must include nested triples but still be restricted
enough that automated reasoning is possible
Assertion language
Assertion language
This is all circular! So triples can be nested to arbitrary depth.
Issues for implementation
•
Assertion language: must include nested triples but still be restricted
enough that automated reasoning is possible
•
New symbolic execution rules for the HOS statements: those which
write code to the heap, and invoke code stored on the heap
Issues for implementation
•
Assertion language: must include nested triples but still be restricted
enough that automated reasoning is possible
•
New symbolic execution rules for the HOS statements: those which
write code to the heap, and invoke code stored on the heap
•
Entailment prover for assertions involving nested triples
Consider the following entailment between symbolic states:
Consider the following entailment between symbolic states:
Consider the following entailment between symbolic states:
We need to find c to make this entailment between specifications hold:
Consider the following entailment between symbolic states:
We need to find c to make this entailment between specifications hold:
So, unlike in existing tools
-
Solving entailments between symbolic states requires solving
entailments between specifications
-
And vice versa
Issues for implementation
•
Assertion language: must include nested triples but still be restricted
enough that automated reasoning is possible
•
New symbolic execution rules for the HOS statements: those which
write code to the heap, and invoke code stored on the heap
•
Entailment prover for assertions involving nested triples
•
Recursive specifications for programs which perform “recursion through
the store”
Issues for implementation
•
Assertion language: must include nested triples but still be restricted
enough that automated reasoning is possible
•
New symbolic execution rules for the HOS statements: those which
write code to the heap, and invoke code stored on the heap
•
Entailment prover for assertions involving nested triples
•
Recursive specifications for programs which perform “recursion through
the store”
•
Implementing the deep frame rule
Provers: the
of Crowfoot
At its heart, crowfoot implements provers for five related judgements.
1. Symbolic execution:
Provers: the
of Crowfoot
At its heart, crowfoot implements provers for five related judgements.
1. Symbolic execution:
predicate definitions,
procedure context
Provers: the
of Crowfoot
At its heart, crowfoot implements provers for five related judgements.
1. Symbolic execution:
predicate definitions,
procedure context
For example:
2. Entailment between symbolic states:
I maps existentially bound variables
to appropriate instance
Inferred frame
2. Entailment between symbolic states:
I maps existentially bound variables
to appropriate instance
For example:
Inferred frame
2. Entailment between symbolic states:
I maps existentially bound variables
to appropriate instance
For example:
Inferred frame
2. Entailment between symbolic states:
I maps existentially bound variables
to appropriate instance
For example:
3. Entailment between specifications:
For example:
Inferred frame
4. Computing the post-condition for a ‘call’ or ‘eval’:
specification of
routine about
to be run
current symbolic state
4. Computing the post-condition for a ‘call’ or ‘eval’:
specification of
routine about
to be run
current symbolic state
For example:
4. Computing the post-condition for a ‘call’ or ‘eval’:
specification of
routine about
to be run
current symbolic state
For example:
4. Computing the post-condition for a ‘call’ or ‘eval’:
specification of
routine about
to be run
current symbolic state
For example:
5. Finding a nested triple to use with ‘eval’:
current symbolic state
address of
code on heap
to be run
4. Computing the post-condition for a ‘call’ or ‘eval’:
specification of
routine about
to be run
current symbolic state
For example:
5. Finding a nested triple to use with ‘eval’:
For example:
current symbolic state
address of
code on heap
to be run
4. Computing the post-condition for a ‘call’ or ‘eval’:
specification of
routine about
to be run
current symbolic state
For example:
5. Finding a nested triple to use with ‘eval’:
For example:
current symbolic state
address of
code on heap
to be run
Two of the proof rules
Recursion through the store
•
Recursion through the store is when code on the heap invokes itself
through a pointer
•
Specifications for such code needs to appear in their own preconditions!
•
Crowfoot allows the declaration of such specifications:
The deep frame rule
•
The deep frame rule (introduced by Birkedal, Torp-Smith and Yang)
allows adding invariants to a specification
- like the regular frame rule
- but the invariant is added at all nesting levels
- allows some very nice modular proofs
- we’ve implemented this in Crowfoot
The deep frame rule
•
The deep frame rule (introduced by Birkedal, Torp-Smith and Yang)
allows adding invariants to a specification
- like the regular frame rule
- but the invariant is added at all nesting levels:
- allows some very nice modular proofs
- we’ve implemented this in Crowfoot
Some things we have verified
We have used Crowfoot to verify for example (models of):
•
A generic memoiser for recursive functions (see the paper)
- Makes very neat use of deep frame rule
•
Updateable web server
- A server which can be updated without stopping it running
•
Programs that load and unload plugins as they run
•
Higher order expression evaluator
Try Crowfoot online
www.sussex.ac.uk/informatics/crowfoot
The End
Main rule for
Main rule for
Main rule for
Main rule for
Main rule for
Related documents
Chapter 1: Symbols, Meaning and the Social Self
Chapter 1: Symbols, Meaning and the Social Self
HOA 300:002
HOA 300:002
The Minister`s Black Veil – Allegory
The Minister`s Black Veil – Allegory
&CHAPTER 3 Assembly Language Programming In Chapter 2 we
&CHAPTER 3 Assembly Language Programming In Chapter 2 we
The Interactionist Tradition In Symbolic Interaction
The Interactionist Tradition In Symbolic Interaction
Family Tree Assignment
Family Tree Assignment
File - Natima Walker
File - Natima Walker
Download
advertisement