Principled Software Development

and Concrete Data Types vs Object Capabilities, 221
James Noble, Alex Potanin, Toby Murray, and Mark S. Miller

A Personal History of Delta Modelling, 241
Ina Schaefer

Are Synchronous Programs Logic Programs?, 251
Klaus Schneider and Marc Dahlem

Illi Isabellistes Se Custodes Egregios Praestabant, 267
Simon Bischof, Joachim Breitner, Denis Lohner, and Gregor Snelting

Reasoning About Weak Semantics via Strong Semantics, 283
Roland Meyer and Sebastian Wolff

Recipes for Coffee: Compositional Construction of JAVA Control Flow Graphs in GROOVE, 305
Eduardo Zambon and Arend Rensink

Smart Contracts: A Killer Application for Deductive Source Code Verification
Wolfgang Ahrendt, Gordon J. Pace, and Gerardo Schneider

Abstract

Smart contracts are agreements between parties which not only describe the ideal behaviour expected from those parties but also automate that ideal performance. Blockchain and similar distributed ledger technologies have enabled the realisation of smart contracts without the need for trusted parties: the contract is typically described as a computer program with access to digital assets, and that program is stored and executed in a transparent and immutable manner on a blockchain.
Many approaches have adopted fully fledged programming languages to describe smart contracts, thus inheriting from software the challenge of correctness and verification: just as in software systems, mistakes in smart contracts happen easily and lead to unintended and undesirable behaviour. Such wrong behaviour may show up accidentally, but since the contract code is public, malicious users can also search for vulnerabilities to exploit, causing severe damage. This is witnessed by the increasing number of real-world incidents, many leading to huge financial losses. As in critical software, the formal verification of smart contracts is thus paramount. In this paper we argue for the use of deductive software verification as a way to increase confidence in the correctness of smart contracts. We describe challenges and opportunities, and a concrete research programme, for deductive source-code-level verification, focussing on the most widely used smart contract platform and language, Ethereum and Solidity.

W. Ahrendt, Chalmers University of Technology, Gothenburg, Sweden, e-mail: ahrendt@chalmers.se
G. J. Pace, University of Malta, Msida, Malta, e-mail: gordon.pace@um.edu.mt
G. Schneider, University of Gothenburg, Gothenburg, Sweden, e-mail: gerardo@cse.gu.se

© Springer Nature Switzerland AG 2018. P. Müller, I. Schaefer (eds.), Principled Software Development, https://doi.org/10.1007/978-3-319-98047-8_1
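To make concrete what "deductive source-code-level verification" of a Solidity contract would establish, the following is an added example written for this page; it is not code or specification notation from the paper. The contract `Bank` is hypothetical, and the `//@ invariant`, `//@ requires`, `//@ ensures` and `\old(...)` annotations are an assumed JML-style notation chosen for illustration, not the syntax of any particular tool. A deductive verifier would treat each annotated function as a proof obligation: assuming the precondition and the contract invariant on entry, every path (including the reverting ones) must re-establish the invariant and satisfy the postcondition.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Added illustration (not from the paper): a minimal deposit/withdraw
/// contract annotated with the kind of source-level specification that
/// deductive verification discharges statically, rather than at run time.
contract Bank {
    mapping(address => uint256) private balances;
    uint256 private total; // bookkeeping copy of the sum of all balances

    // Contract invariants: assumed to hold between any two external calls
    // and proved to be preserved by every public function.
    // The second one is "<=" rather than "==" on purpose: ether can be
    // forced into a contract (e.g. via selfdestruct) without calling
    // deposit(), so an equality would not be provable for any environment.
    //@ invariant total == (\sum address a; balances[a]);
    //@ invariant total <= address(this).balance;

    //@ requires msg.value > 0;
    //@ ensures balances[msg.sender] == \old(balances[msg.sender]) + msg.value;
    //@ ensures total == \old(total) + msg.value;
    function deposit() external payable {
        require(msg.value > 0, "nothing to deposit");
        balances[msg.sender] += msg.value;
        total += msg.value;
    }

    //@ requires amount <= balances[msg.sender];
    //@ ensures balances[msg.sender] == \old(balances[msg.sender]) - amount;
    //@ ensures total == \old(total) - amount;
    function withdraw(uint256 amount) external {
        require(amount <= balances[msg.sender], "insufficient balance");
        // Effects before interaction: the state is updated before control
        // leaves this contract, so the invariant already holds at the
        // external call even if the callee re-enters withdraw().
        balances[msg.sender] -= amount;
        total -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }

    //@ ensures \result == balances[a];
    function balanceOf(address a) external view returns (uint256) {
        return balances[a];
    }
}
```

Two points a practitioner would check in such a proof. First, the `require` statements are the run-time counterparts of the preconditions; the verifier's job is to show that, given those guards, the unsigned arithmetic cannot underflow and the invariants survive every exit. Second, the external `call` in `withdraw` means the callee may re-enter the contract, so the proof must only rely on the invariant, not on any stronger fact about the state, at that point; ordering the state updates before the call is what makes that obligation dischargeable.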
