Abstract
Verifying imperative programs is hard. A key difficulty is that the specification of what an imperative program does is often intertwined with details about pointers and imperative state. Although there are a number of powerful separation logics that allow the details of imperative state to be captured and managed, these details are complicated and reasoning about them requires significant time and expertise. In this paper, we take a different approach: a memory-safe type system that, as part of type-checking, extracts functional specifications from imperative programs. This disentangles imperative state, which is handled by the type system, from functional specifications, which can be verified without reference to pointers. A key difficulty is that sometimes memory safety depends crucially on the functional specification of a program; e.g., an array index is only memory-safe if the index is in bounds. To handle this case, our specification extraction inserts dynamic checks into the specification. Verification then requires the additional proof that none of these checks fail. However, these checks are in a purely functional language, and so this proof also requires no reasoning about pointers.
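The mechanism the abstract describes, as an added illustration (this is my own Rust sketch, not code or output from the paper): an imperative permutation-apply routine whose only memory-safety hazard is a data-dependent index, next to a hand-written analogue of the functional specification such an extraction yields. The `Spec` type, the shape of `CheckFailed` and all function names are assumptions chosen for the illustration; the paper's actual specification language and extraction output are not described on this page.

```rust
// Added example, not from the paper. Shows (1) an imperative routine whose memory
// safety depends on a functional property of its data, (2) a pure specification of
// it in which that dependency becomes an explicit check, and (3) the proof obligation
// that the check never fails, stated over values only.

/// Imperative version in the style of low-level code: dst[i] = src[perm[i]] for i < n.
/// Memory-safe only if every perm[i] < n, a fact about the *contents* of perm that the
/// pointer types alone cannot supply.
unsafe fn apply_perm_imp(dst: *mut u8, src: *const u8, perm: *const usize, n: usize) {
    for i in 0..n {
        unsafe {
            let j = *perm.add(i);
            *dst.add(i) = *src.add(j); // out-of-bounds read when j >= n
        }
    }
}

/// Outcome of the extracted-style specification (illustrative encoding). Each memory
/// access the type system cannot prove safe becomes a check; a failed check is a
/// visible result rather than undefined behaviour.
#[derive(Debug, PartialEq, Eq)]
enum Spec<T> {
    Ok(T),
    CheckFailed { buf: &'static str, at: usize, index: usize, len: usize },
}

/// Functional counterpart of apply_perm_imp over plain slices. No addresses appear;
/// the two reads that depended on unproven bounds are now explicit checks.
fn apply_perm_spec(src: &[u8], perm: &[usize]) -> Spec<Vec<u8>> {
    let n = src.len();
    let mut dst = Vec::with_capacity(n);
    for i in 0..n {
        if i >= perm.len() {
            return Spec::CheckFailed { buf: "perm", at: i, index: i, len: perm.len() };
        }
        let j = perm[i];
        if j >= n {
            return Spec::CheckFailed { buf: "src", at: i, index: j, len: n };
        }
        dst.push(src[j]);
    }
    Spec::Ok(dst)
}

/// The obligation left to the verifier: a predicate on lengths and values only.
/// Claim: whenever it holds, apply_perm_spec never returns CheckFailed.
fn precondition(src_len: usize, perm: &[usize]) -> bool {
    perm.len() >= src_len && perm[..src_len].iter().all(|&j| j < src_len)
}

/// Bounded sanity check of that claim (and its converse): for every src length n <= max_n
/// and every perm of length 0..=n+1 with entries in 0..=n, the spec returns Ok exactly
/// when the precondition holds. Enumeration is a test, not the proof the paper asks for.
fn vc_holds_up_to(max_n: usize) -> bool {
    for n in 0..=max_n {
        let src = vec![0u8; n]; // the checks never look at src's contents
        let radix = n + 1; // entry values 0..=n; the value n is out of bounds
        for m in 0..=n + 1 {
            for code in 0..radix.pow(m as u32) {
                // decode `code` as an m-digit base-`radix` numeral
                let mut perm = Vec::with_capacity(m);
                let mut c = code;
                for _ in 0..m {
                    perm.push(c % radix);
                    c /= radix;
                }
                let spec_ok = matches!(apply_perm_spec(&src, &perm), Spec::Ok(_));
                if spec_ok != precondition(n, &perm) {
                    return false;
                }
            }
        }
    }
    true
}

/// The imperative code agrees with its spec on an input satisfying the precondition,
/// the only inputs on which running the imperative code is defined at all.
fn imp_refines_spec(src: &[u8], perm: &[usize]) -> bool {
    assert!(precondition(src.len(), perm), "imperative code is undefined here");
    let mut dst = vec![0u8; src.len()];
    unsafe { apply_perm_imp(dst.as_mut_ptr(), src.as_ptr(), perm.as_ptr(), src.len()) };
    apply_perm_spec(src, perm) == Spec::Ok(dst)
}

fn main() {
    println!("{:?}", apply_perm_spec(&[10, 20, 30], &[2, 0, 1]));
    println!("{:?}", apply_perm_spec(&[10, 20, 30], &[2, 3, 1]));
    println!("obligation holds for all n <= 4: {}", vc_holds_up_to(4));
}
```

The point to notice is where the obligation lands: `precondition` mentions only lengths and element values, so discharging it never involves an address, which is the separation the abstract claims. The imperative routine has to be `unsafe` because its safety argument is exactly that predicate, and its signature cannot express it.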
A type system for extracting functional specifications from memory-safe imperative programs