A foundation for flow-based program matching: using temporal logic and model checking

Reasoning about program control-flow paths is an important functionality of a number of recent program matching languages and associated searching and transformation tools. Temporal logic provides a well-defined means of expressing properties of control-flow paths in programs, and indeed an extension of the temporal logic CTL has been applied to the problem of specifying and verifying the transformations commonly performed by optimizing compilers. Nevertheless, in developing the Coccinelle program transformation tool for performing Linux collateral evolutions in systems code, we have found that existing variants of CTL do not adequately support rules that transform subterms other than the ones matching an entire formula. Being able to transform any of the subterms of a matched term seems essential in the domain targeted by Coccinelle. In this paper, we propose an extension to CTL named CTLVW (CTL with variables and witnesses) that is a suitable basis for the semantics and implementation of the Coccinelles program matching language. Our extension to CTL includes existential quantification over program fragments, which allows metavariables in the program matching language to range over different values within different control-flow paths, and a notion of witnesses that record such existential bindings for use in the subsequent program transformation process. We formalize CTL-VW and describe its use in the context of Coccinelle. We then assess the performance of the approach in practice, using a transformation rule that fixes several reference count bugs in Linux code.

[1]  D. J. Lacey,et al.  Program transformation using temporal logic specifications , 2003 .

[2]  Frank Pfenning,et al.  System Description: Twelf - A Meta-Logical Framework for Deductive Systems , 1999, CADE.

[3]  Sriram K. Rajamani,et al.  Thorough static analysis of device drivers , 2006, EuroSys.

[4]  Oege de Moor,et al.  Imperative Program Transformation by Rewriting , 2001, CC.

[5]  James Cheney,et al.  First-Class Phantom Types , 2003 .

[6]  Philip Wadler,et al.  How to make ad-hoc polymorphism less ad hoc , 1989, POPL '89.

[7]  James C. Corbett,et al.  A Language Framework for Expressing Checkable Properties of Dynamic Software , 2000, SPIN.

[8]  Matthieu Sozeau,et al.  First-Class Type Classes , 2008, TPHOLs.

[9]  Neil D. Jones,et al.  The Semantics of "Semantic Patches" in Coccinelle: Program Transformation for the Working Programmer , 2007, APLAS.

[10]  Dawson R. Engler,et al.  Checking system rules using system-specific, programmer-written compiler extensions , 2000, OSDI.

[11]  Simon L. Peyton Jones,et al.  System F with type equality coercions , 2007, TLDI '07.

[12]  Stefan Monnier,et al.  A type-preserving compiler in Haskell , 2008, ICFP 2008.

[13]  Oege de Moor,et al.  JunGL: a scripting language for refactoring , 2006, ICSE.

[14]  Simon L. Peyton Jones,et al.  Simple unification-based type inference for GADTs , 2006, ICFP '06.

[15]  Mark P. Jones,et al.  Type Classes with Functional Dependencies , 2000, ESOP.

[16]  Julia L. Lawall,et al.  On the automatic evolution of an OS kernel using temporal logic and AOP , 2003, 18th IEEE International Conference on Automated Software Engineering, 2003. Proceedings..

[17]  Tom Schrijvers,et al.  Unified type checking for type classes and type families , 2008, ICFP 2008.

[18]  Frank Tip Refactoring Using Type Constraints , 2007, SAS.

[19]  Christine Paulin-Mohring,et al.  Inductive Definitions in the system Coq - Rules and Properties , 1993, TLCA.

[20]  Tim Sheard,et al.  Shared subtypes: subtyping recursive parametrized algebraic data types , 2008, Haskell '08.

[21]  Randal E. Bryant,et al.  Graph-Based Algorithms for Boolean Function Manipulation , 1986, IEEE Transactions on Computers.

[22]  David Chan,et al.  Constructive Negation Based on the Completed Database , 1988, ICLP/SLP.

[23]  David Lee The semantics of just , 1987 .

[24]  Julia L. Lawall,et al.  Documenting and automating collateral evolutions in linux device drivers , 2008, Eurosys '08.

[25]  Mark R. Greenstreet,et al.  Formal verification in hardware design: a survey , 1999, TODE.

[26]  Valentin Goranko,et al.  Logic in Computer Science: Modelling and Reasoning About Systems , 2007, J. Log. Lang. Inf..

[27]  Masataka Sassa,et al.  Validating Correctness of Compiler Optimizer Execution Using Temporal Logic , 2008 .

[28]  Tim Sheard,et al.  WHAT IS A PROOF , 2005 .

[29]  Julia L. Lawall,et al.  WYSIWIB: A declarative approach to finding API protocols and bugs in Linux code , 2009, DSN.

[30]  Eric Van Wyk,et al.  Universal Regular Path Queries , 2003, High. Order Symb. Comput..

[31]  David A. Schmidt,et al.  Program Analysis as Model Checking of Abstract Interpretations , 1998, SAS.

[32]  Hardi Hungar,et al.  First-Order-CTL Model Checking , 1998, FSTTCS.

[33]  Aarti Gupta,et al.  Formal hardware verification methods: A survey , 1992, Formal Methods Syst. Des..

[34]  Eric Van Wyk,et al.  Compiler Optimization Correctness by Temporal Logic , 2004, High. Order Symb. Comput..

[35]  Pierre Castéran,et al.  Interactive Theorem Proving and Program Development , 2004, Texts in Theoretical Computer Science An EATCS Series.

[36]  Dominic Duggan,et al.  Type-checking multi-parameter type classes , 2002, J. Funct. Program..

[37]  Simon L. Peyton Jones,et al.  Understanding functional dependencies via constraint handling rules , 2007, J. Funct. Program..

[38]  Gang Chen,et al.  Guarded recursive datatype constructors , 2003, POPL '03.