Local Reasoning About the Presence of Bugs: Incorrectness Separation Logic

There has been a large body of work on local reasoning for proving the absence of bugs, but none for proving their presence. We present a new formal framework for local reasoning about the presence of bugs, building on two complementary foundations: 1) separation logic and 2) incorrectness logic. We explore the theory of this new incorrectness separation logic (ISL), and use it to derive a begin-anywhere, intra-procedural symbolic execution analysis that has no false positives by construction. In so doing, we take a step towards transferring modular, scalable techniques from the world of program verification to bug catching.
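As an added illustration (not the paper's formal system, proof rules, or any tool it describes), the following Python sketch shows the two properties the abstract names: the analysis begins at a procedure body from small presumptions describing only the footprint the code touches, rather than from a caller's full state, and every reported bug carries a concrete witness trace that is re-executed, so reports are under-approximate and contain no false positives by construction. The toy command syntax, the state representation, the function names (`run`, `replay`, `find_bugs`) and the sample program are assumptions constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

NULL = 0  # address value standing for a null pointer

@dataclass
class State:
    """Concrete program state: variable environment plus a small heap."""
    env: Dict[str, int]              # variable -> value (an address or NULL)
    heap: Dict[int, int]             # live address -> stored value
    freed: frozenset = frozenset()   # addresses that have already been freed
    next_addr: int = 1               # next fresh address handed out by alloc

    def copy(self) -> "State":
        return State(dict(self.env), dict(self.heap), self.freed, self.next_addr)

# Toy command syntax (constructed for this example, not the paper's language):
#   ("alloc", x)        x = fresh cell        ("free", x)       dispose the cell at x
#   ("store", x, v)     *x = v                ("load", y, x)    y = *x
#   ("branch", A, B)    nondeterministic choice between command lists A and B
Cmd = tuple
Outcome = Tuple[str, State, list]   # (kind, final state, trace); kind is "ok" or an error name

def _deref_error(st: State, x: str):
    """Return the error kind for dereferencing variable x, or None if it is safe."""
    a = st.env[x]
    if a == NULL:
        return "null-deref"
    if a in st.freed:
        return "use-after-free"
    return None

def run(cmds: List[Cmd], st: State, trace=()) -> List[Outcome]:
    """Under-approximate execution: every outcome returned is actually reachable
    from `st`, so the trace attached to an error is a genuine witness."""
    st = st.copy()
    trace = list(trace)
    for i, c in enumerate(cmds):
        op = c[0]
        if op == "branch":
            rest = cmds[i + 1:]
            return (run(c[1] + rest, st, trace + ["L"]) +
                    run(c[2] + rest, st, trace + ["R"]))
        if op == "alloc":
            a = st.next_addr
            st.next_addr += 1
            st.heap[a] = 0
            st.env[c[1]] = a
        else:                          # free / store / load all dereference a pointer
            ptr = c[2] if op == "load" else c[1]
            err = _deref_error(st, ptr)
            if err:
                return [(err, st, trace + [c])]
            a = st.env[ptr]
            if op == "free":
                del st.heap[a]
                st.freed = st.freed | {a}
            elif op == "store":
                st.heap[a] = c[2]
            elif op == "load":
                st.env[c[1]] = st.heap[a]
        trace.append(c)
    return [("ok", st, trace)]

def replay(trace: list, st: State) -> str:
    """Re-run a reported trace with its branch choices already resolved; the single
    outcome's kind must match the report, which is the 'true positive' check."""
    cmds = [c for c in trace if c not in ("L", "R")]
    outcomes = run(cmds, st)
    assert len(outcomes) == 1
    return outcomes[0][0]

def find_bugs(body: List[Cmd], presumptions) -> list:
    """Begin-anywhere analysis: `body` is examined from each small presumption
    (a state describing only the footprint the code touches) with no caller
    context. A report is (presumption name, error kind, witness trace)."""
    reports = []
    for name, start in presumptions:
        for kind, _, trace in run(body, start):
            if kind != "ok":
                assert replay(trace, start) == kind   # witness re-check before reporting
                reports.append((name, kind, trace))
    return reports

# Constructed example: a procedure that frees p and then, on one branch, writes through it.
BODY = [("free", "p"), ("branch", [("store", "p", 7)], [("alloc", "q")])]

# Two presumptions to start from; each is a concrete footprint, not a caller's full state.
PRESUMPTIONS = [
    ("p -> cell", State({"p": 1}, {1: 0}, frozenset(), 2)),
    ("p == null", State({"p": NULL}, {}, frozenset(), 1)),
]

if __name__ == "__main__":
    for name, kind, trace in find_bugs(BODY, PRESUMPTIONS):
        print(f"[{name}] {kind} via {trace}")
```

Because `run` only follows paths it actually executes, the set of final states it returns is a subset of the reachable states; that is the sense in which the analysis is under-approximate and its reports are true positives. Heap cells outside the presumed footprint are carried through unchanged by every command, which is the local-reasoning (frame) behaviour the abstract refers to.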
