Verified Software Units

Modularity - the partitioning of software into units of functionality that interact with each other via interfaces - has been the mainstay of software development for half a century. In case of the C language, the main mechanism for modularity is the compilation unit / header file abstraction. This paper complements programmatic modularity for C with modularity idioms for specification and verification in the context of Verifiable C, an expressive separation logic for CompCert Clight. Technical innovations include (i) abstract predicate declarations – existential packages that combine Parkinson & Bierman’s abstract predicates with their client-visible reasoning principles; (ii) residual predicates, which help enforcing data abstraction in callback-rich code; and (iii) an application to pure (Smalltalk-style) objects that connects code verification to model-level reasoning about features such as subtyping, self, inheritance, and late binding. We introduce our techniques using concrete example modules that have all been verified using the Coq proof assistant and combine to fully linked verified programs using a novel, abstraction-respecting component composition rule for Verifiable C.

[1]  Bart Jacobs,et al.  Objects and Classes, Co-Algebraically , 1995, Object Orientation with Parallelism and Persistence.

[2]  Benjamin Chung,et al.  Wyvern: a simple, typed, and pure object-oriented language , 2013 .

[3]  Hans-Jörg Schek,et al.  Object Orientation with Parallelism and Persistence , 1996 .

[4]  Manuel V. Hermenegildo,et al.  Abstraction-Carrying Code , 2005, LPAR.

[5]  Sophia Drossopoulou,et al.  Aliasing, Confinement, and Ownership in Object-Oriented Programming , 2008, ECOOP Workshops.

[6]  Benjamin C. Pierce,et al.  From C to interaction trees: specifying, verifying, and testing a networked server , 2018, CPP.

[7]  Anindya Banerjee,et al.  Local Reasoning for Global Invariants, Part II: Dynamic Boundaries , 2013, JACM.

[9]  Alan C. Kay The early history of Smalltalk , 1993, HOPL-II.

[10]  Michael Barnett,et al.  Friends Need a Bit More: Maintaining Invariants Over Shared State , 2004, MPC.

[11]  Peter W. O'Hearn,et al.  Separation logic , 2019, Commun. ACM.

[12]  John C. Reynolds,et al.  Separation logic: a logic for shared mutable data structures , 2002, Proceedings 17th Annual IEEE Symposium on Logic in Computer Science.

[13]  Gary T. Leavens,et al.  Beyond Assertions: Advanced Specification and Verification with JML and ESC/Java2 , 2005, FMCO.

[14]  Andrew W. Appel,et al.  Abstraction and subsumption in modular verification of C programs , 2019, Formal Methods in System Design.

[15]  Bart Jacobs,et al.  Inheritance in Higher Order Logic: Modeling and Reasoning , 2000, TPHOLs.

[16]  Martin Hofmann,et al.  Automatic Certification of Heap Consumption , 2004, LPAR.

[17]  Furio Honsell,et al.  Coalgebraic Semantics and Observational Equivalences of an Imperative Class-based OO-Language , 2004, Electron. Notes Theor. Comput. Sci..

[18]  David Pichardie,et al.  Proof-carrying code from certified abstract interpretation and fixpoint compression , 2006, Theor. Comput. Sci..

[19]  Tobias Nipkow,et al.  Hoare Logics for Recursive Procedures and Unbounded Nondeterminism , 2002, CSL.

[20]  G. Barthe,et al.  Mobile Resource Guarantees for Smart Devices , 2005 .

[21]  Jeannette M. Wing,et al.  A behavioral notion of subtyping , 1994, TOPL.

[22]  Jonathan Aldrich,et al.  Object Propositions , 2014, FM.

[23]  Andrew W. Appel,et al.  Semantic foundations for typed assembly languages , 2010, TOPL.

[24]  Andrew W. Appel,et al.  Program Logics for Certified Compilers , 2014 .

[25]  Luca Cardelli,et al.  Comparing Object Encodings , 1997, Inf. Comput..

[26]  Zhong Shao,et al.  DeepSEA: a language for certified system software , 2019, Proc. ACM Program. Lang..

[27]  Lars Birkedal,et al.  Iris from the ground up: A modular foundation for higher-order concurrent separation logic , 2018, Journal of Functional Programming.

[28]  Axel-Tobias Schreiner Objektorientierte Programmierung mit ANSI C , 1994 .

[29]  Ralph Johnson,et al.  design patterns elements of reusable object oriented software , 2019 .

[30]  Sophia Drossopoulou,et al.  The need for flexible object invariants , 2009, ECOOP 2009.

[31]  Thomas Kleymann,et al.  Hoare Logic and Auxiliary Variables , 1999, Formal Aspects of Computing.

[32]  K. Rustan M. Leino,et al.  Verification of Object-Oriented Programs with Invariants , 2003, J. Object Technol..

[33]  Andrew W. Appel,et al.  Foundational proof-carrying code , 2001, Proceedings 16th Annual IEEE Symposium on Logic in Computer Science.

[34]  Andrew W. Appel,et al.  Verified sequential Malloc/Free , 2020, ISMM.

[35]  Gary T. Leavens,et al.  Modular invariants for layered object structures , 2006, Sci. Comput. Program..

[36]  Gary T. Leavens,et al.  Behavioral Subtyping, Specification Inheritance, and Modular Reasoning , 2015, ACM Trans. Program. Lang. Syst..

[37]  Jonathan Aldrich,et al.  A theory of typestate-oriented programming , 2010, FTfJP@ECOOP.

[38]  Gavin M. Bierman,et al.  Separation logic and abstraction , 2005, POPL '05.

[39]  Zhong Shao,et al.  A Syntactic Approach to Foundational Proof-Carrying Code , 2004, Journal of Automated Reasoning.

[40]  B. Liskov Keynote address - data abstraction and hierarchy , 1988, OOPSLA '87.

[41]  Robert Balzer Dataless programming , 1967, AFIPS '67 (Fall).

[42]  Martin Hofmann,et al.  Positive subtyping , 1995, POPL '95.

[43]  John Tang Boyland,et al.  Formal Techniques for Java-Like Programs , 2007, ECOOP Workshops.

[44]  Rod M. Burstall,et al.  Deliverables: A Categorial Approach to Program Development in Type Theory , 1993, MFCS.

[45]  Chung-Kil Hur,et al.  Interaction trees: representing recursive and impure programs in Coq , 2020, Proc. ACM Program. Lang..

[46]  Yu Guo,et al.  Deep Specifications and Certified Abstraction Layers , 2015, POPL.

[47]  Benjamin Grégoire,et al.  The MOBIUS Proof Carrying Code Infrastructure , 2008, FMCO.

[48]  Frank Piessens,et al.  VeriFast: A Powerful, Sound, Predictable, Fast Verifier for C and Java , 2011, NASA Formal Methods.

[49]  Manish Mahajan,et al.  Proof carrying code , 2015 .

[50]  John C. Reynolds,et al.  GEDANKEN—a simple typeless language based on the principle of completeness and the reference concept , 1970, Commun. ACM.

[51]  Markku Sakkinen Proceedings of the 5th Workshop on MechAnisms for SPEcialization, Generalization and inHerItance , 2013, ECOOP 2013.

[52]  Stephanie Balzer,et al.  Rumer: A programming language and modular verification technique based on relationships , 2011 .

[53]  Gavin M. Bierman,et al.  Separation logic, abstraction and inheritance , 2008, POPL '08.

[54]  John C. Mitchell,et al.  Abstract types have existential type , 1988, TOPL.

[55]  Sophia Drossopoulou,et al.  Considerate Reasoning and the Composite Design Pattern , 2010, VMCAI.

[56]  Sophia Drossopoulou,et al.  A Unified Framework for Verification Techniques for Object Invariants , 2008, ECOOP.

[57]  Sagar Chaki,et al.  überSpark: Enforcing Verifiable Object Abstractions for Automated Compositional Security Analysis of a Hypervisor , 2016, USENIX Security Symposium.

[58]  Benjamin C. Pierce,et al.  Types and programming languages: the next generation , 2003, 18th Annual IEEE Symposium of Logic in Computer Science, 2003. Proceedings..

[59]  Frank Piessens,et al.  Verifying the Composite pattern using separation logic , 2008 .

[60]  Zhong Shao,et al.  Building certified concurrent OS kernels , 2019, Commun. ACM.

[61]  Lars Birkedal,et al.  Design patterns in separation logic , 2009, TLDI '09.

[62]  Zhong Shao,et al.  Certified concurrent abstraction layers , 2018, PLDI.

[63]  Bertrand Meyer,et al.  Flexible Invariants through Semantic Collaboration , 2013, FM.

[64]  Danfeng Zhang,et al.  Ironclad Apps: End-to-End Security via Automated Full-System Verification , 2014, OSDI.

[65]  Peter W. O'Hearn,et al.  Separation and information hiding , 2004, POPL.