Abstract
Many verifications of realistic software systems are monolithic, in the sense that they define single global invariants over complete system state. More modular proof techniques promise to support reuse of component proofs and even reduce the effort required to verify one concrete system, just as modularity simplifies standard software development. This paper reports on one case study applying modular proof techniques in the Coq proof assistant. To our knowledge, it is the first modular verification certifying a system that combines infrastructure with an application of interest to end users. We assume a nonblocking API for managing TCP networking streams, and on top of that we work our way up to certifying multithreaded, database-backed Web applications. Key verified components include a cooperative threading library and an implementation of a domain-specific language for XML processing. We have deployed our case-study system on mobile robots, where it interfaces with off-the-shelf components for sensing, actuation, and control.
From Network Interface to Multithreaded Web Applications: A Case Study in Modular Program Verification