Abstraction and subsumption in modular verification of C programs

Representation predicates enable data abstraction in separation logic, but when the same concrete implementation may need to be abstracted in different ways, one needs a notion of subsumption. We demonstrate function-specification subtyping, analogous to subtyping of types, with a subsumption rule: if \(\phi \) is a subtype of \(\psi \), that is \(\phi <:\psi \), then \(x:\phi \) implies \(x:\psi \), meaning that any function satisfying specification \(\phi \) can be used wherever a function satisfying \(\psi \) is demanded. We extend previous notions of Hoare-logic sub-specification, which already included parameter adaptation, to include framing (necessary for separation logic) and impredicative bifunctors (necessary for higher-order functions, i.e. function pointers). We show intersection specifications, with the expected relation to subtyping. We show how this enables compositional modular verification of the functional correctness of C programs, in Coq, with foundational machine-checked proofs of soundness.
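As an added illustration, not taken from the paper, the following sketches the shape of the sub-specification relation \(\phi <:\psi \) for a single function \(f(p)\) on a pointer \(p\), using the standard Hoare-style condition (stronger postcondition, weaker precondition) extended with a separation-logic frame \(F\); the concrete specifications and the formulation of the rule are assumptions chosen for the example, not the paper's definitions.

\[
\phi <:\psi
\quad\text{iff}\quad
\forall w_\psi.\ \exists w_\phi, F.\quad
\mathrm{pre}_\psi(w_\psi) \vdash \mathrm{pre}_\phi(w_\phi) * F
\quad\text{and}\quad
\mathrm{post}_\phi(w_\phi) * F \vdash \mathrm{post}_\psi(w_\psi)
\]

where \(w_\phi, w_\psi\) range over the logical (auxiliary) variables of each specification. Two instances:

\[
\begin{array}{ll}
\text{(1) weaker postcondition:} &
\phi_1 = \forall n.\ \{\, p \mapsto n \,\}\ f(p)\ \{\, p \mapsto n+1 \,\},\\
& \psi_1 = \forall n.\ \{\, p \mapsto n \,\}\ f(p)\ \{\, \exists m.\ p \mapsto m \wedge m > n \,\},\\
& \phi_1 <:\psi_1 \text{ with } w_\phi = n,\ F = \mathrm{emp},\ \text{since } p \mapsto n+1 \vdash \exists m.\ p \mapsto m \wedge m > n.\\[1ex]
\text{(2) framing:} &
\phi_2 = \forall n.\ \{\, p \mapsto n \,\}\ f(p)\ \{\, p \mapsto n+1 \,\},\\
& \psi_2 = \forall n, q, k.\ \{\, p \mapsto n * q \mapsto k \,\}\ f(p)\ \{\, p \mapsto n+1 * q \mapsto k \,\},\\
& \phi_2 <:\psi_2 \text{ with } w_\phi = n,\ F = q \mapsto k.
\end{array}
\]

Instance (2) is the case a plain Hoare-logic sub-specification rule cannot express: without the existential frame \(F\), the caller's extra heap \(q \mapsto k\) has nowhere to go, so an implementation verified against the tighter \(\phi_2\) could not be used where \(\psi_2\) is demanded.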
