The spirit of ghost code

In the context of deductive program verification, ghost code is the part of a program that is added purely for the purpose of specification. Ghost code must not interfere with regular code, in the sense that it can be erased without any observable difference in the program's outcome. In particular, ghost data cannot participate in regular computations, and ghost code can neither mutate regular data nor diverge. The idea has existed in the folklore since the early notion of auxiliary variables and is implemented in many state-of-the-art program verification tools; however, ghost code deserves a rigorous definition and treatment, and few formalizations exist. In this article, we describe a simple ML-style programming language with mutable state and ghost code. Non-interference is ensured by a type system with effects, which notably allows the same data types and functions to be used in both regular and ghost code. We define the procedure of ghost code erasure and prove its safety using bisimulation. A similar type system, with numerous extensions that we briefly discuss, is implemented in the program verification environment Why3.
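The three non-interference rules stated above (regular code never reads ghost data, ghost code never writes regular data, ghost code never diverges) and the erasure they justify can be made concrete on a toy language. The following Python model is an added illustration, not the paper's calculus, its type system or Why3's implementation: it assumes a statement language with integer variables, a declared set of ghost variables, an effect checker that approximates the non-divergence rule by rejecting loops in ghost code altogether (the paper's system is finer), and an erasure pass. The check that a practitioner cares about is the last one in `demo`: running the full program and then dropping its ghost variables gives exactly the same store as running the erased program.

```python
"""Toy model of ghost code: effect checking for non-interference and erasure.
Illustrative example only; names and rules are simplifications of the paper."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple, Union

# --- expressions: integer literals, variable reads, binary operations --------
@dataclass(frozen=True)
class Lit:
    value: int

@dataclass(frozen=True)
class Var:
    name: str

@dataclass(frozen=True)
class Bin:
    op: str            # one of "+", "-", "*", "<"
    left: "Expr"
    right: "Expr"

Expr = Union[Lit, Var, Bin]

# --- statements: assignments and while loops, each optionally marked ghost ---
@dataclass(frozen=True)
class Assign:
    target: str
    expr: Expr
    ghost: bool = False   # explicit ghost marker (assignments to ghost vars are ghost anyway)

@dataclass(frozen=True)
class While:
    cond: Expr
    body: Tuple["Stmt", ...]
    ghost: bool = False

Stmt = Union[Assign, While]

class GhostError(Exception):
    """Raised when ghost code would interfere with regular code."""

def free_vars(e: Expr) -> Set[str]:
    if isinstance(e, Lit):
        return set()
    if isinstance(e, Var):
        return {e.name}
    return free_vars(e.left) | free_vars(e.right)

def check(prog: List[Stmt], ghost_vars: Set[str]) -> None:
    """Effect check enforcing the three non-interference rules (approximated)."""
    for s in prog:
        if isinstance(s, Assign):
            ghost = s.ghost or s.target in ghost_vars   # writing ghost data is ghost code
            reads_ghost = free_vars(s.expr) & ghost_vars
            if not ghost and reads_ghost:                # rule 1: regular code reads ghost data
                raise GhostError(f"regular code reads ghost data {sorted(reads_ghost)}")
            if ghost and s.target not in ghost_vars:     # rule 2: ghost code writes regular data
                raise GhostError(f"ghost code writes regular variable {s.target!r}")
        else:
            if s.ghost:                                  # rule 3 (coarse): no loops in ghost code
                raise GhostError("ghost loop rejected: ghost code must not diverge")
            if free_vars(s.cond) & ghost_vars:           # rule 1 again, for the loop condition
                raise GhostError("regular loop condition reads ghost data")
            check(list(s.body), ghost_vars)

def erase(prog: List[Stmt], ghost_vars: Set[str]) -> List[Stmt]:
    """Drop every ghost statement; regular statements are kept unchanged."""
    out: List[Stmt] = []
    for s in prog:
        if isinstance(s, Assign):
            if not (s.ghost or s.target in ghost_vars):
                out.append(s)
        elif not s.ghost:
            out.append(While(s.cond, tuple(erase(list(s.body), ghost_vars))))
    return out

def eval_expr(e: Expr, store: Dict[str, int]) -> int:
    if isinstance(e, Lit):
        return e.value
    if isinstance(e, Var):
        return store[e.name]
    l, r = eval_expr(e.left, store), eval_expr(e.right, store)
    return {"+": l + r, "-": l - r, "*": l * r, "<": int(l < r)}[e.op]

def run(prog, store: Dict[str, int] = None) -> Dict[str, int]:
    """Small-step-free interpreter: executes statements over a variable store."""
    store = dict(store or {})
    for s in prog:
        if isinstance(s, Assign):
            store[s.target] = eval_expr(s.expr, store)
        else:
            while eval_expr(s.cond, store):
                store = run(s.body, store)
    return store

# Constructed sample: sum 1..n, with a ghost counter `steps` tracking iterations.
GHOST = {"steps"}
PROG: List[Stmt] = [
    Assign("n", Lit(5)), Assign("i", Lit(0)), Assign("acc", Lit(0)),
    Assign("steps", Lit(0)),                                        # ghost
    While(Bin("<", Var("i"), Var("n")), (
        Assign("i", Bin("+", Var("i"), Lit(1))),
        Assign("acc", Bin("+", Var("acc"), Var("i"))),
        Assign("steps", Bin("+", Var("steps"), Lit(1))),           # ghost
    )),
]
# Constructed ill-typed programs, one per rule.
BAD_READ = [Assign("steps", Lit(1)), Assign("x", Var("steps"))]
BAD_WRITE = [Assign("x", Lit(1), ghost=True)]
BAD_LOOP = [While(Lit(1), (), ghost=True)]

def rejects(prog: List[Stmt]) -> bool:
    try:
        check(prog, GHOST)
        return False
    except GhostError:
        return True

def demo():
    """Returns (full store, erased store); their regular parts must agree."""
    check(PROG, GHOST)
    full = run(PROG)
    erased = run(erase(PROG, GHOST))
    assert {k: v for k, v in full.items() if k not in GHOST} == erased
    return full, erased

if __name__ == "__main__":
    print(demo())
    print(rejects(BAD_READ), rejects(BAD_WRITE), rejects(BAD_LOOP))
```

The model deliberately infers ghostness of an assignment from its target, so the explicit `ghost=True` marker only matters when it would turn a write to regular data into ghost code, which is exactly the case rule 2 must reject; the paper's erasure-safety theorem (proved there by bisimulation) is what the final assertion in `demo` spot-checks on one input.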
