论文信息 - Verification by Reduction to Functional Programs

Verification by Reduction to Functional Programs

In this thesis, we explore techniques for the development and verification of programs in a high-level, expressive, and safe programming language. Our programs can express problems over unbounded domains and over recursive and mutable data structures. We present an implementation language flexible enough to build interesting and useful systems. We mostly maintain a core shared language for the specifications and the implementation, with only a few extensions specific to expressing the specifications. Extensions of the core shared language include imperative features with state and side effects, which help when implementing efficient systems. Our language is a subset of the Scala programming language. Once verified, programs can be compiled and executed using the existing Scala tools. We present algorithms for verifying programs written in this language. We take a layer-based approach, where we reduce, at each step, the program to an equivalent program in a simpler language. We first purify functions by transforming away mutations into explicit return types in the functions' signatures. This step rewrites all mutations of data structures into cloning operations. We then translate local state into a purely functional code, hence eliminating all traces of imperative programming. The final language is a functional subset of Scala, on which we apply verification. We integrate our pipeline of translations into Leon, a verifier for Scala. We verify the core functional language by using an algorithm already developed inside Leon. The program is encoded into equivalent first-order logic formulas over a combination of theories and recursive functions. The formulas are eventually discharged to an external SMT solver. We extend this core language and the solving algorithm with support for both infinite-precision integers and bit-vectors. The algorithm takes into account the semantics gap between the two domains, and the programmer is ultimately responsible to use the proper type to represent the data. We build a reusable interface for SMT-LIB that enables us to swap solvers transparently in order to validate the formulas emitted by Leon. We experiment with writing solvers in Scala; they could offer both a better and safer integration with the rest of the system. We evaluate the cost of using a higher-order language to implement such solvers, traditionally written in C/C++. Finally, we experiment with the system by building fully working and verified applications. We rely on the intersection of many features including higher-order functions, mutable data structures, recursive functions, and nondeterministic environment dependencies, to build concise and verified applications.

Régis Blanc | Régis Blanc

[1] David Brumley,et al. RICH: Automatically Protecting Against Integer-Based Vulnerabilities , 2007, NDSS.

[2] Niklas Sörensson,et al. An Extensible SAT-solver , 2003, SAT.

[3] A. D. R I E N N E Bloss,et al. An Optimising Compiler for a Modern Functional Language , 1989 .

[4] Viktor Kuncak,et al. Full functional verification of linked data structures , 2008, PLDI '08.

[5] John Darlington,et al. A system which automatically improves programs , 1973, Acta Informatica.

[6] Martin Odersky,et al. Contracts for Scala , 2010, RV.

[7] Liuba Shrira,et al. Ownership types for object encapsulation , 2003, POPL '03.

[8] Viktor Kuncak,et al. Automating Verification of Functional Programs with Quantified Invariants , 2016 .

[9] Thomas A. Henzinger,et al. Abstractions from proofs , 2004, SIGP.

[10] Andrew W. Appel,et al. SSA is functional programming , 1998, SIGP.

[11] Albert Oliveras,et al. Fast congruence closure and extensions , 2007, Inf. Comput..

[12] Frank Piessens,et al. Implicit dynamic frames , 2008, TOPL.

[13] Cesare Tinelli,et al. An Abstract Decision Procedure for Satisfiability in the Theory of Recursive Data Types , 2007, PDPAR/PaUL@FLoC.

[14] John McCarthy,et al. Towards a Mathematical Science of Computation , 1962, IFIP Congress.

[15] Sanjit A. Seshia,et al. Beaver: Engineering an Efficient SMT Solver for Bit-Vector Arithmetic , 2009, CAV.

[16] Albert Oliveras,et al. Congruence Closure with Integer Offsets , 2003, LPAR.

[17] Amit Goel,et al. Architecting Solvers for SAT Modulo Theories: Nelson-Oppen with DPLL , 2007, FroCoS.

[18] Greg Nelson,et al. Fast Decision Procedures Based on Congruence Closure , 1980, JACM.

[19] Christoph Walther,et al. About VeriFun , 2003, CADE.

[20] Ioannis T. Kassios. Dynamic Frames: Support for Framing, Dependencies and Sharing Without Restrictions , 2006, FM.

[21] Joao Marques-Silva,et al. GRASP-A new search algorithm for satisfiability , 1996, Proceedings of International Conference on Computer Aided Design.

[22] John Hogg,et al. Islands: aliasing protection in object-oriented languages , 1991, OOPSLA '91.

[23] Jeffrey M. Barth. A practical interprocedural data flow analysis algorithm , 1978, CACM.

[24] Alexander J. Summers,et al. Lightweight Support for Magic Wands in an Automatic Verifier , 2015, ECOOP.

[25] Dave Clarke,et al. External Uniqueness Is Unique Enough , 2003, ECOOP.

[26] David B. Whalley,et al. Supporting Timing Analysis by Automatic Bounding of Loop Iterations , 2000, Real-Time Systems.

[27] Lawrence Charles Paulson,et al. Isabelle: A Generic Theorem Prover , 1994 .

[28] Raymond T. Boute,et al. The Euclidean definition of the functions div and mod , 1992, TOPL.

[29] Cormac Flanagan,et al. Avoiding exponential explosion: generating compact verification conditions , 2001, POPL '01.

[30] Gordon D. Plotkin,et al. Algebraic Operations and Generic Effects , 2003, Appl. Categorical Struct..

[31] Bowen Alpern,et al. Detecting equality of variables in programs , 1988, POPL '88.

[32] Tobias Nipkow,et al. A Proof Assistant for Higher-Order Logic , 2002 .

[33] Daniel Marino,et al. A generic type-and-effect system , 2009, TLDI '09.

[34] Na Xu. Static contract checking for Haskell , 2009, POPL '09.

[35] Régis Blanc. CafeSat: a modern SAT solver for Scala , 2013, SCALA@ECOOP.

[36] K. Rustan M. Leino,et al. Abstract Read Permissions: Fractional Permissions without the Fractions , 2013, VMCAI 2013.

[37] Stephen N. Freund,et al. Type-based race detection for Java , 2000, PLDI '00.

[38] Yves Bertot,et al. Interactive Theorem Proving and Program Development: Coq'Art The Calculus of Inductive Constructions , 2010 .

[39] Gary T. Leavens. Tutorial on JML, the java modeling language , 2007, ASE '07.

[40] Stephan Schulz,et al. System Description: E 1.8 , 2013, LPAR.

[41] K. Rustan M. Leino,et al. Object Invariants in Dynamic Contexts , 2004, ECOOP.

[42] David K. Gifford,et al. Integrating functional and imperative programming , 1986, LFP '86.

[43] David Walker,et al. On Regions and Linear Types , 2001, ACM SIGPLAN International Conference on Functional Programming.

[44] Henry S. Warren,et al. Hacker's Delight , 2002 .

[45] Martin Odersky,et al. A flow-insensitive, modular effect system for purity , 2013, FTfJP@ECOOP.

[46] Martin Odersky,et al. Capabilities for Uniqueness and Borrowing , 2010, ECOOP.

[47] Philippe Suter,et al. Programming with Specifications , 2012 .

[48] Viktor Kuncak,et al. Disjunctive Interpolants for Horn-Clause Verification (Extended Technical Report) , 2013, ArXiv.

[49] Marco Antognini. Extending Safe C Support In Leon , 2017 .

[50] Viktor Kuncak,et al. Effect Analysis for Programs with Callbacks , 2013, VSTTE.

[51] Martín Abadi,et al. Semantics of transactional memory and automatic mutual exclusion , 2011, TOPL.

[52] Laura Kovács,et al. Tree Interpolation in Vampire , 2013, LPAR.

[53] Viktor Kuncak,et al. An overview of the Leon verification system: verification by translation to recursive functions , 2013, SCALA@ECOOP.

[54] Lars Hupel,et al. Translating Scala Programs to Isabelle/HOL , 2016, ArXiv.

[55] Magnus O. Myreen,et al. Transforming Programs into Recursive Functions , 2009, Electron. Notes Theor. Comput. Sci..

[56] Robert DeLine,et al. Adoption and focus: practical linear types for imperative programming , 2002, PLDI '02.

[57] Martin Odersky,et al. Lightweight Polymorphic Effects , 2012, ECOOP.

[58] Reinhold Heckmann,et al. Worst case execution time prediction by static program analysis , 2004, 18th International Parallel and Distributed Processing Symposium, 2004. Proceedings..

[59] K. McMillan,et al. Solving Constrained Horn Clauses using Interpolation , 2013 .

[60] Konstantin Korovin. System Description : iProver – An Instantiation-Based Theorem Prover for First-Order Logic , 2008 .

[61] J. Filliâtre,et al. Proof of Imperative Programs in Type Theory , 1998, TYPES.

[62] James C. Browne,et al. Gypsy: A language for specification and implementation of verifiable programs , 1977 .

[63] David K. Gifford,et al. Polymorphic effect systems , 1988, POPL '88.

[64] Thomas A. Henzinger,et al. ABC: Algebraic Bound Computation for Loops , 2010, LPAR.

[65] Daan Leijen. Algebraic Effects for Functional Programming , 2016 .

[66] K. Rustan M. Leino. Developing verified programs with Dafny , 2012 .

[67] Derek C. Oppen,et al. Reasoning about recursively defined data structures , 1978, POPL.

[68] Michael J. C. Gordon,et al. Forward with Hoare , 2010, Reflections on the Work of C. A. R. Hoare.

[69] Panagiotis Manolios,et al. Computer-aided reasoning : ACL2 case studies , 2000 .

[70] Daniel Le Berre,et al. The Sat4j library, release 2.2 , 2010, J. Satisf. Boolean Model. Comput..

[71] Jan Gustafsson,et al. Automatic Derivation of Loop Bounds and Infeasible Paths for WCET Analysis Using Abstract Execution , 2006, 2006 27th IEEE International Real-Time Systems Symposium (RTSS'06).

[72] Viktor Kuncak,et al. Sound reasoning about integral data types with a reusable SMT solver interface , 2015, Scala@PLDI.

[73] Armin Biere,et al. Boolector: An Efficient SMT Solver for Bit-Vectors and Arrays , 2009, TACAS.

[74] Mark N. Wegman,et al. An efficient method of computing static single assignment form , 1989, POPL '89.

[75] Viktor Kuncak,et al. Deductive Program Repair , 2015, CAV.

[76] C. A. R. HOARE,et al. An axiomatic basis for computer programming , 1969, CACM.

[77] David A. Plaisted,et al. A Structure-Preserving Clause Form Translation , 1986, J. Symb. Comput..

[78] K. Rustan M. Leino,et al. Dafny: An Automatic Program Verifier for Functional Correctness , 2010, LPAR.

[79] Flemming Nielson,et al. Type and Effect Systems , 1999, Correct System Design.

[80] Régis William Blanc,et al. Verification of Imperative Programs in Scala , 2012 .

[81] Gordon D. Plotkin,et al. Handling Algebraic Effects , 2013, Log. Methods Comput. Sci..

[82] Viktor Kuncak,et al. Sound compilation of reals , 2013, POPL.

[83] Peter Müller,et al. Viper: A Verification Infrastructure for Permission-Based Reasoning , 2016, VMCAI.

[84] dizayn İç dekor. Design by Contract , 2010 .

[85] John Banning,et al. : An Efficient , 2022 .

[86] Zohar Manna,et al. Toward automatic program synthesis , 1971, Symposium on Semantics of Algorithmic Languages.

[87] Eva Darulova,et al. Programming with Numerical Uncertainties , 2014 .

[88] Naftaly H. Minsky. Towards Alias-Free Pointers , 1996, ECOOP.

[89] Cesare Tinelli,et al. DPLL( T): Fast Decision Procedures , 2004, CAV.

[90] Viktor Kuncak,et al. Interpolation for synthesis on unbounded domains , 2013, 2013 Formal Methods in Computer-Aided Design.

[91] Sam Tobin-Hochstadt,et al. Higher-order symbolic execution via contracts , 2012, OOPSLA '12.

[92] Viktor Kuncak,et al. Satisfiability Modulo Recursive Programs , 2011, SAS.

[93] Zohar Manna,et al. A Deductive Approach to Program Synthesis , 1979, TOPL.

[94] David L. Dill,et al. A Decision Procedure for Bit-Vectors and Arrays , 2007, CAV.

[95] Sharad Malik,et al. Efficient conflict driven learning in a Boolean satisfiability solver , 2001, IEEE/ACM International Conference on Computer Aided Design. ICCAD 2001. IEEE/ACM Digest of Technical Papers (Cat. No.01CH37281).

[96] Butler W. Lampson,et al. Proof rules for the programming language Euclid , 2004, Acta Informatica.

[97] Viktor Kuncak,et al. Symbolic Resource Bound Inference for Functional Programs , 2014, CAV.

[98] Peng Li,et al. Understanding integer overflow in C/C++ , 2012, 2012 34th International Conference on Software Engineering (ICSE).

[99] Jong-Deok Choi,et al. Efficient flow-sensitive interprocedural computation of pointer-induced aliases and side effects , 1993, POPL '93.

[100] Philipp Haller,et al. LaCasa: lightweight affinity and object capabilities in Scala , 2016, OOPSLA.

[101] George C. Necula,et al. The design and implementation of a certifying compiler , 1998, PLDI.

[102] Sharad Malik,et al. Chaff: engineering an efficient SAT solver , 2001, Proceedings of the 38th Design Automation Conference (IEEE Cat. No.01CH37232).

[103] John C. Reynolds,et al. Separation logic: a logic for shared mutable data structures , 2002, Proceedings 17th Annual IEEE Symposium on Logic in Computer Science.

[104] John Tang Boyland,et al. Capabilities for Sharing: A Generalisation of Uniqueness and Read-Only , 2001, ECOOP.

[105] Jean-Christophe Filliâtre,et al. Verification of non-functional programs using interpretations in type theory , 2003, J. Funct. Program..

[106] Nikolaj Bjørner,et al. Generalized, efficient array decision procedures , 2009, 2009 Formal Methods in Computer-Aided Design.

[107] Viktor Kuncak,et al. Synthesis modulo recursive functions , 2013, OOPSLA.

[108] Panagiotis Manolios,et al. Computer-Aided Reasoning: An Approach , 2011 .

[109] Dana N. Xu. Hybrid contract checking via symbolic simplification , 2012, PEPM '12.

[110] Peter W. O'Hearn,et al. Compositional Shape Analysis by Means of Bi-Abduction , 2011, JACM.

[111] Jean-Christophe Filliâtre,et al. Why3 - Where Programs Meet Provers , 2013, ESOP.

[112] Etienne Kneuss,et al. Deductive Synthesis and Repair , 2016 .

[113] Philipp Rümmer,et al. A Constraint Sequent Calculus for First-Order Logic with Linear Integer Arithmetic , 2008, LPAR.

[114] Martin C. Rinard,et al. Purity and Side Effect Analysis for Java Programs , 2005, VMCAI.