The bedrock structured programming system: combining generative metaprogramming and hoare logic in an extensible program verifier

We report on the design and implementation of an extensible programming language and its intrinsic support for formal verification. Our language is targeted at low-level programming of infrastructure like operating systems and runtime systems. It is based on a cross-platform core combining characteristics of assembly languages and compiler intermediate languages. From this foundation, we take literally the saying that C is a "macro assembly language": we introduce an expressive notion of certified low-level macros, sufficient to build up the usual features of C and beyond as macros with no special support in the core. Furthermore, our macros have integrated support for strongest postcondition calculation and verification condition generation, so that we can provide a high-productivity formal verification environment within Coq for programs composed from any combination of macros. Our macro interface is expressive enough to support features that low-level programs usually only access through external tools with no formal guarantees, such as declarative parsing or SQL-inspired querying. The abstraction level of these macros only imposes a compile-time cost, via the execution of functional Coq programs that compute programs in our intermediate language; but the run-time cost is not substantially greater than for more conventional C code. We describe our experiences constructing a full C-like language stack using macros, with some experiments on the verifiability and performance of individual programs running on that stack.

[1]  Xavier Leroy,et al.  Formal certification of a compiler back-end or: programming a compiler with a proof assistant , 2006, POPL '06.

[2]  Robert Grimm,et al.  Better extensibility through modular syntax , 2006, PLDI '06.

[3]  Xinyu Feng,et al.  Modular verification of concurrent assembly code with dynamic thread creation and termination , 2005, ICFP '05.

[4]  Gerwin Klein,et al.  Bridging the Gap: Automatic Verified Abstraction of C , 2012, ITP.

[5]  Michael Norrish,et al.  seL4: formal verification of an OS kernel , 2009, SOSP '09.

[6]  Dirk Kleeblatt,et al.  Harpy: run-time code generation in haskell , 2007, Haskell '07.

[7]  Adam Chlipala,et al.  Mostly-automated verification of low-level programs in computational separation logic , 2011, PLDI '11.

[8]  Long Li,et al.  A general framework for certifying garbage collectors and their mutators , 2007, PLDI '07.

[9]  Peter W. O'Hearn,et al.  Scalable Shape Analysis for Systems Code , 2008, CAV.

[10]  Mitchell Wand,et al.  A Theory of Hygienic Macros , 2008, ESOP.

[11]  Zhong Shao,et al.  Certified assembly programming with embedded code pointers , 2006, POPL '06.

[12]  Magnus O. Myreen,et al.  Hoare Logic for Realistically Modelled Machine Code , 2007, TACAS.

[13]  Xinyu Feng,et al.  Modular verification of assembly code with stack-based control abstractions , 2006, PLDI '06.

[14]  Eddie Kohler,et al.  Xoc, an extension-oriented compiler for systems programming , 2008, ASPLOS.

[15]  Geoffrey Mainland,et al.  Explicitly heterogeneous metaprogramming with MetaHaskell , 2012, ICFP.

[16]  John C. Reynolds,et al.  Separation logic: a logic for shared mutable data structures , 2002, Proceedings 17th Annual IEEE Symposium on Logic in Computer Science.

[17]  FengXinyu,et al.  Modular verification of concurrent assembly code with dynamic thread creation and termination , 2005 .

[18]  Bor-Yuh Evan Chang,et al.  Relational inductive shape analysis , 2008, POPL '08.

[19]  James R. Larus,et al.  Singularity: rethinking the software stack , 2007, OPSR.

[20]  Gavin M. Bierman,et al.  Separation logic and abstraction , 2005, POPL '05.

[21]  Magnus O. Myreen Verified just-in-time compiler on x86 , 2010, POPL '10.

[22]  Thomas Tuerk Local Reasoning about While-Loops , 2010 .

[23]  Walid Taha,et al.  Multi-stage programming with explicit annotations , 1997 .

[24]  Nick Benton,et al.  High-level separation logic for low-level code , 2013, POPL.

[25]  Andrew W. Appel,et al.  Verified Software Toolchain , 2012, NASA Formal Methods.

[26]  Yu Guo,et al.  Certifying Low-Level Programs with Hardware Interrupts and Preemptive Threads , 2009, Journal of Automated Reasoning.

[27]  Peter W. O'Hearn,et al.  Smallfoot: Modular Automatic Assertion Checking with Separation Logic , 2005, FMCO.

[28]  Brian N. Bershad,et al.  Extensibility safety and performance in the SPIN operating system , 1995, SOSP.

[29]  Reinhard Wilhelm,et al.  Parametric shape analysis via 3-valued logic , 1999, POPL '99.

[30]  Amr Sabry,et al.  Macros as multi-stage computations: type-safe, generative, binding macros in MacroML , 2001, ICFP '01.

[31]  Zhong Shao,et al.  Certified self-modifying code , 2007, PLDI '07.

[32]  Peter W. O'Hearn,et al.  Compositional Shape Analysis by Means of Bi-Abduction , 2011, JACM.

[33]  James Cheney,et al.  Cyclone: A Safe Dialect of C , 2002, USENIX Annual Technical Conference, General Track.