From Network Interface to Multithreaded Web Applications: A Case Study in Modular Program Verification

Many verifications of realistic software systems are monolithic, in the sense that they define single global invariants over complete system state. More modular proof techniques promise to support reuse of component proofs and even reduce the effort required to verify one concrete system, just as modularity simplifies standard software development. This paper reports on one case study applying modular proof techniques in the Coq proof assistant. To our knowledge, it is the first modular verification certifying a system that combines infrastructure with an application of interest to end users. We assume a nonblocking API for managing TCP networking streams, and on top of that we work our way up to certifying multithreaded, database-backed Web applications. Key verified components include a cooperative threading library and an implementation of a domain-specific language for XML processing. We have deployed our case-study system on mobile robots, where it interfaces with off-the-shelf components for sensing, actuation, and control.
