Crowfoot: a verifier for higher order store programs Billiejoe (Nathaniel) Charlton Ben Horsfall Bernhard Reus University of Sussex VMCAI 2012.

Crowfoot: a verifier for higher order store programs

Billiejoe (Nathaniel) CharltonBen Horsfall

Bernhard Reus

University of Sussex

VMCAI 2012

Outline

• Background on Higher Order Store (HOS)

- What is HOS? Why should I care?

- Reasoning about HOS programs: Hoare logic with nested triples

• Automated reasoning in Hoare logics with nested triples

- What are the difficulties?

- How we address them in our Crowfoot tool

• Some things we have verified using Crowfoot

What is higher order store?

• A programming language is said to feature HOS when:

a program’s code / commands / procedures are part of the mutable store which the program manipulates as it runs

What is higher order store?

• A programming language is said to feature HOS when:

a program’s code / commands / procedures are part of the mutable store which the program manipulates as it runs

• So HOS programs can modify their own code while running

What is higher order store?

• A programming language is said to feature HOS when:

a program’s code / commands / procedures are part of the mutable store which the program manipulates as it runs

• So HOS programs can modify their own code while running

• Where does HOS occur?

- in functional languages with mutable higher order state e.g. ML

- dynamic loading and unloading of code e.g. Plugins, OSes

- “hot update” – updating a program while it is running

- runtime code generation

square brackets indicate heap access

square brackets indicate heap access

stores procedure onto the heap, possibly doing partial application at the same time

square brackets indicate heap access

stores procedure onto the heap, possibly doing partial application at the same time

runs the procedure stored in the heap at address , with arguments

square brackets indicate heap access

stores procedure onto the heap, possibly doing partial application at the same time

runs the procedure stored in the heap at address , with arguments

ordinary procedure call

But what should we write here?

We need to describe the code which must be stored on the heap at address f

First attempt: says exactly which code is stored at f.

But only allows us to invoke P if we’re adding 10!

Second attempt: better.

But still not really satisfying.Doesn’t seem like a generic specification.

Instead, we use a nested Hoare triple to talk about the behaviour of the code, rather than which exact code it is.

Instead, we use a nested Hoare triple to talk about the behaviour of the code, rather than which exact code it is.

Instead, we use a nested Hoare triple to talk about the behaviour of the code, rather than which exact code it is.

Nested triples first appear in work by Honda, Yoshida and Berger; later developments by many others.

Our tool Crowfoot

• Our tool Crowfoot implements (semi-) automated verification of HOS programs, using nested triples

• Employs symbolic execution with separation logic technique, as in Smallfoot, VeriFast, jStar ...

• What issues did we face in implementing Crowfoot?

Issues for implementation

• Assertion language: must include nested triples but still be restricted enough that automated reasoning is possible

Assertion language

Assertion language

This is all circular! So triples can be nested to arbitrary depth.

Issues for implementation

• Assertion language: must include nested triples but still be restricted enough that automated reasoning is possible

• New symbolic execution rules for the HOS statements: those which write code to the heap, and invoke code stored on the heap

Issues for implementation

• Assertion language: must include nested triples but still be restricted enough that automated reasoning is possible

• New symbolic execution rules for the HOS statements: those which write code to the heap, and invoke code stored on the heap

• Entailment prover for assertions involving nested triples

Consider the following entailment between symbolic states:

Consider the following entailment between symbolic states:

Consider the following entailment between symbolic states:

We need to find c to make this entailment between specifications hold:

Consider the following entailment between symbolic states:

We need to find c to make this entailment between specifications hold:

So, unlike in existing tools

- Solving entailments between symbolic states requires solving entailments between specifications

- And vice versa

Issues for implementation

• Assertion language: must include nested triples but still be restricted enough that automated reasoning is possible

• New symbolic execution rules for the HOS statements: those which write code to the heap, and invoke code stored on the heap

• Entailment prover for assertions involving nested triples

• Recursive specifications for programs which perform “recursion through the store”

Issues for implementation

• Assertion language: must include nested triples but still be restricted enough that automated reasoning is possible

• New symbolic execution rules for the HOS statements: those which write code to the heap, and invoke code stored on the heap

• Entailment prover for assertions involving nested triples

• Recursive specifications for programs which perform “recursion through the store”

• Implementing the deep frame rule

Provers: the of Crowfoot

At its heart, crowfoot implements provers for five related judgements.

1. Symbolic execution:

Provers: the of Crowfoot

At its heart, crowfoot implements provers for five related judgements.

1. Symbolic execution:

predicate definitions, procedure context

Provers: the of Crowfoot

At its heart, crowfoot implements provers for five related judgements.

1. Symbolic execution:

For example:

predicate definitions, procedure context

2. Entailment between symbolic states:

Inferred frameI maps existentially bound variablesto appropriate instance

2. Entailment between symbolic states:

For example:

Inferred frameI maps existentially bound variablesto appropriate instance

2. Entailment between symbolic states:

For example:

Inferred frameI maps existentially bound variablesto appropriate instance

2. Entailment between symbolic states:

For example:

3. Entailment between specifications:

For example:

Inferred frameI maps existentially bound variablesto appropriate instance

4. Computing the post-condition for a ‘call’ or ‘eval’:

current symbolic state

specification of routine about to be run

4. Computing the post-condition for a ‘call’ or ‘eval’:

For example:

current symbolic state

specification of routine about to be run

4. Computing the post-condition for a ‘call’ or ‘eval’:

For example:

current symbolic state

specification of routine about to be run

4. Computing the post-condition for a ‘call’ or ‘eval’:

For example:

5. Finding a nested triple to use with ‘eval’:

current symbolic state

specification of routine about to be run

current symbolic state

address of code on heapto be run

4. Computing the post-condition for a ‘call’ or ‘eval’:

For example:

5. Finding a nested triple to use with ‘eval’:

For example:

current symbolic state

specification of routine about to be run

current symbolic state

address of code on heapto be run

4. Computing the post-condition for a ‘call’ or ‘eval’:

For example:

5. Finding a nested triple to use with ‘eval’:

For example:

current symbolic state

specification of routine about to be run

current symbolic state

address of code on heapto be run

Two of the proof rules

Recursion through the store

• Recursion through the store is when code on the heap invokes itself through a pointer

• Specifications for such code needs to appear in their own pre-conditions!

• Crowfoot allows the declaration of such specifications:

The deep frame rule

• The deep frame rule (introduced by Birkedal, Torp-Smith and Yang) allows adding invariants to a specification

- like the regular frame rule

- but the invariant is added at all nesting levels

- allows some very nice modular proofs

- we’ve implemented this in Crowfoot

The deep frame rule

• The deep frame rule (introduced by Birkedal, Torp-Smith and Yang) allows adding invariants to a specification

- like the regular frame rule

- but the invariant is added at all nesting levels:

- allows some very nice modular proofs

- we’ve implemented this in Crowfoot

Some things we have verified

We have used Crowfoot to verify for example (models of):

• A generic memoiser for recursive functions (see the paper)

- Makes very neat use of deep frame rule

• Updateable web server

- A server which can be updated without stopping it running

• Programs that load and unload plugins as they run

• Higher order expression evaluator

Try Crowfoot online

www.sussex.ac.uk/informatics/crowfoot

The End

Main rule for

Main rule for

Main rule for

Main rule for

Main rule for