Unifying type checking and property checking for low-level code

We present a unified approach to type checking and property checking for low-level code. Type checking for low-level code is challenging because type safety often depends on complex, program-specific invariants that are difficult for traditional type checkers to express. Conversely, property checking for low-level code is challenging because it is difficult to write concise specifications that distinguish between locations in an untyped program's heap. We address both problems simultaneously by implementing a type checker for low-level code as part of our property checker. We present a low-level formalization of a C program's heap and its types that can be checked with an SMT solver, and we provide a decision procedure for checking type safety. Our type system is flexible enough to support a combination of nominal and structural subtyping for C, on a per-structure basis. We discuss several case studies that demonstrate the ability of this tool to express and check complex type invariants in low-level C code, including several small Windows device drivers.
