A type system for extracting functional specifications from memory-safe imperative programs

Verifying imperative programs is hard. A key difficulty is that the specification of what an imperative program does is often intertwined with details about pointers and imperative state. Although there are a number of powerful separation logics that allow the details of imperative state to be captured and managed, these details are complicated and reasoning about them requires significant time and expertise. In this paper, we take a different approach: a memory-safe type system that, as part of type-checking, extracts functional specifications from imperative programs. This disentangles imperative state, which is handled by the type system, from functional specifications, which can be verified without reference to pointers. A key difficulty is that sometimes memory safety depends crucially on the functional specification of a program; e.g., an array index is only memory-safe if the index is in bounds. To handle this case, our specification extraction inserts dynamic checks into the specification. Verification then requires the additional proof that none of these checks fail. However, these checks are in a purely functional language, and so this proof also requires no reasoning about pointers.

[1]  Lars Birkedal,et al.  Iris from the ground up: A modular foundation for higher-order concurrent separation logic , 2018, Journal of Functional Programming.

[2]  Brian Huffman,et al.  Continuous Formal Verification of Amazon s2n , 2018, CAV.

[3]  Peter W. O'Hearn,et al.  Local Action and Abstract Separation Logic , 2007, 22nd Annual IEEE Symposium on Logic in Computer Science (LICS 2007).

[4]  Robert Atkey,et al.  Dijkstra monads for all , 2019, Proc. ACM Program. Lang..

[5]  Edmund M. Clarke,et al.  Characterizing Finite Kripke Structures in Propositional Temporal Logic , 1988, Theor. Comput. Sci..

[6]  Adam Chlipala,et al.  Compositional Computational Reflection , 2014, ITP.

[7]  Peter Müller,et al.  Viper: A Verification Infrastructure for Permission-Based Reasoning , 2016, VMCAI.

[8]  Lars Birkedal,et al.  Iris: Monoids and Invariants as an Orthogonal Basis for Concurrent Reasoning , 2015, POPL.

[9]  B. Pierce,et al.  Interaction Trees , 2019 .

[10]  Brian Huffman,et al.  Constructing Semantic Models of Programs with the Software Analysis Workbench , 2016, VSTTE.

[11]  Xinyu Feng Local rely-guarantee reasoning , 2009, POPL '09.

[12]  Xavier Leroy,et al.  Formal Verification of a C-like Memory Model and Its Uses for Verifying Program Transformations , 2008, Journal of Automated Reasoning.

[13]  Andrew W. Appel,et al.  Program Logics for Certified Compilers , 2014 .

[14]  Andrew W. Appel,et al.  Abstraction and subsumption in modular verification of C programs , 2019, Formal Methods in System Design.

[15]  Hongseok Yang,et al.  Views: compositional reasoning for concurrent programs , 2013, POPL.

[16]  Dennis Shasha,et al.  Verifying concurrent search structure templates , 2020, PLDI.

[17]  Michael D. Ernst,et al.  Rely-guarantee references for refinement types over aliased mutable data , 2013, PLDI.

[18]  Robin Milner,et al.  A Theory of Type Polymorphism in Programming , 1978, J. Comput. Syst. Sci..

[19]  Peter Müller,et al.  Leveraging rust types for modular specification and verification , 2019, Proc. ACM Program. Lang..

[20]  John C. Reynolds,et al.  Separation logic: a logic for shared mutable data structures , 2002, Proceedings 17th Annual IEEE Symposium on Logic in Computer Science.

[21]  Lars Birkedal,et al.  On Models of Higher-Order Separation Logic , 2018, MFPS.

[22]  Derek Dreyer,et al.  The future is ours: prophecy variables in separation logic , 2020, Proc. ACM Program. Lang..

[23]  Rocco De Nicola,et al.  Three logics for branching bisimulation , 1995, JACM.

[24]  Steve Zdancewic,et al.  Dijkstra monads forever: termination-sensitive specifications for interaction trees , 2021, Proc. ACM Program. Lang..

[25]  Viktor Vafeiadis,et al.  A Marriage of Rely/Guarantee and Separation Logic , 2007, CONCUR.

[26]  Naoki Kobayashi,et al.  RustHorn: CHC-Based Verification for Rust Programs , 2020, ESOP.

[27]  Martin Clochard,et al.  Igloo: soundly linking compositional refinement and separation logic for distributed system verification , 2020, Proc. ACM Program. Lang..

[28]  LÉON GONDELMAN,et al.  Distributed causal memory: modular specification and verification in higher-order distributed separation logic , 2021, Proc. ACM Program. Lang..

[29]  Matthew J. Parkinson,et al.  The Relationship between Separation Logic and Implicit Dynamic Frames , 2011, ESOP.

[30]  Stephan Merz,et al.  Model Checking , 2000 .

[31]  Xinyu Feng,et al.  Deny-Guarantee Reasoning , 2009, ESOP.

[32]  Frank Piessens,et al.  Implicit dynamic frames , 2008, TOPL.

[33]  Samuel Boutin,et al.  Using Reflection to Build Efficient and Certified Decision Procedures , 1997, TACS.

[34]  Edmund M. Clarke,et al.  Design and Synthesis of Synchronization Skeletons Using Branching Time Temporal Logic , 2008, 25 Years of Model Checking.

[35]  Benjamin C. Pierce,et al.  From C to interaction trees: specifying, verifying, and testing a networked server , 2018, CPP.