gradual program verification
play

Gradual Program Verification (with Implicit Dynamic Frames) Johannes - PowerPoint PPT Presentation

Feb 03, 2024 •165 likes •789 views

Gradual Program Verification (with Implicit Dynamic Frames) Johannes Bader , Karlsruhe Institute of Technology / Microsoft Jonathan Aldrich , Carnegie Mellon University ric Tanter , University of Chile int getFour(int i) requires ?; // not sure

  1. Gradual Program Verification (with Implicit Dynamic Frames) Johannes Bader , Karlsruhe Institute of Technology / Microsoft Jonathan Aldrich , Carnegie Mellon University Éric Tanter , University of Chile int getFour(int i) requires ?; // not sure what this should be yet ensures result = 4; { i = i + 1; return i; }

  2. Motivation • Program verification (against some specification) • Two flavors: dynamic & static // spec: callable only if (this.balance >= amount) void withdrawCoins(int amount) { // business logic this.balance ‐ = amount; } Johannes Bader Gradual Verification 3

  3. Dynamic Verification • runtime checks • testing techniques • guarantee compliance at run time void withdrawCoins(int amount) // spec: callable only if (this.balance >= amount) void withdrawCoins(int amount) { { assert this.balance >= amount; // business logic // business logic this.balance ‐ = amount; this.balance ‐ = amount; } } Johannes Bader Gradual Verification 4

  4. Dynamic Verification – Drawbacks • runtime checks runtime overhead • testing techniques additional effort • guarantee compliance at run time late detection void withdrawCoins(int amount) { assert this.balance >= amount; // business logic this.balance ‐ = amount; } Johannes Bader Gradual Verification 5

  5. Static Verification • declarative • formal logic • guarantee compliance in advance void withdrawCoins(int amount) requires this.balance >= amount; { // business logic this.balance ‐ = amount; } Johannes Bader Gradual Verification 6

  6. Static Verification – Drawbacks • declarative limited expressiveness • formal logic and/or decidability • guarantee compliance in advance annotation overhead (viral) void withdrawCoins(int amount) void withdrawCoins(int amount) requires this.balance >= amount; ensures requires this.balance >= amount; this.balance == old(this.balance) – amount; { { // business logic // business logic this.balance ‐ = amount; this.balance ‐ = amount; } } Johannes Bader Gradual Verification 7

  7. Viral Specifications void withdrawCoins(int amount) requires this.balance >= amount; void withdrawCoins(int amount) ensures this.balance == old(this.balance) – amount; requires this.balance >= amount; { { // business logic // business logic this.balance ‐ = amount; this.balance ‐ = amount; } } … acc.balance = 100; acc.withdrawCoins(50); // statically checks OK! acc.withdrawCoins(30); // oops, don’t know balance! Specification becomes almost all ‐ or ‐ nothing ; keep Can only remove getting warnings until spec is highly complete. false warnings by Want gradual return on investment—reasonable adding specifications behavior at every level of specification.! Johannes Bader Gradual Verification 8

  8. Solution: Combining Static + Dynamic • Hybrid approach Static checking, but failure is only a warning • Run ‐ time assertions catch anything missed statically • • Benefits + Catch some errors early + Still catch remaining errors dynamically + Can eliminate run ‐ time overhead if an assertion is statically discharged • Drawbacks ‐ Still false positive warnings / viral specification problem ‐ Run ‐ time checking may still impose too much overhead, and/or is an open problem (e.g. for implicit dynamic frames) • Challenges / opportunities Can we warn statically only if there is a definite error, and avoid viral specifications? • Can we reduce run ‐ time overhead when we have partial information? • How to support dynamic checks for more powerful specification approaches (e.g. implicit • dynamic frames) Johannes Bader Gradual Verification 9

  9. Engineering Verification • Ideal: an engineering approach to verification • Choose what to specify based on costs, benefits • May focus on critical components • Leave others unspecified • May focus on certain properties • Those most critical to users • Those easiest to verify • May add more specifications over time • Want incremental costs/rewards • Viral nature of static checkers makes this difficult • Warnings when unspecified code calls specified code • May have to write many extra specifications to verify the ones you care about Johannes Bader Gradual Verification 10

  10. Gradual Verification A verification approach that supports gradually adding specifications to a program • Novel feature: support unknown and imprecise specs void withdrawCoins(int amount) void withdrawCoins(int amount) void withdrawCoins(int amount) void withdrawCoins(int amount) void withdrawCoins(int amount) requires amount > 0 && this.balance >= amount; requires amount > 0 && this.balance >= amount; requires ? && this.balance >= amount; requires ? && this.balance >= amount; requires ?; ensures ensures ? && this.balance < old(this.balance); ensures ensures ensures ?; ? && this.balance < old(this.balance); ?; this.balance = old(this.balance) – amount; • Analogous to Gradual Typing [Siek & Taha, 2006] Johannes Bader Gradual Verification 11

  11. Gradual Verification A verification approach that supports gradually adding specifications to a program • Novel feature: support unknown and imprecise specs void withdrawCoins(int amount) requires this.balance >= amount; ensures ? && this.balance < old(this.balance); • Warning if we statically detect an inconsistency • The spec above would be statically OK with a ? added to the precondition, or an assertion that amount > 0 • But the given precondition alone can’t assure the part of the postcondition that we know Johannes Bader Gradual Verification 12

  12. Gradual Verification A verification approach that supports gradually adding specifications to a program • Novel feature: support unknown and imprecise specs void withdrawCoins(int amount) requires ? && this.balance >= amount; ensures ? && this.balance < old(this.balance); • Warning if we statically detect an inconsistency • Warning if spec is violated at run time acc.balance = 100; acc.withdrawCoins(50); // statically guaranteed safe acc.withdrawCoins(30); // dynamic check OK acc.withdrawCoins(30); // dynamic check: error! Johannes Bader Gradual Verification 13

  13. Gradual Verification A verification approach that supports gradually adding specifications to a program • Novel feature: support unknown and imprecise specs • Engineering properties • Same as dynamic verification when specs fully imprecise • Same as static verification when specs fully precise • Applies to any part of the program whose code and libraries used are specified precisely • Smooth path from dynamic to static checking (non ‐ viral) • Gradual Guarantee [Siek et al. 2015]: Given a verified program and correct input, no static or dynamic errors will be raised for the same program and input with a less ‐ precise specification Johannes Bader Gradual Verification 14

  14. True ≠ ? • Prior verifiers are not “gradual” • No support for imprecise/unknown specifications • Treating missing specs as “true” is insufficient class Account { void withdrawCoins(int amount) requires this.balance >= amount; ensures true; ... } Account a = new Account(100) a.withdrawCoins(40); a.withdrawCoins(30); // error: only know “true” here Johannes Bader Gradual Verification 15

  15. True ≠ ? • Prior verifiers are not “gradual” • No support for imprecise/unknown specifications • Treating missing specs as “true” is insufficient class Account { void withdrawCoins(int amount) requires this.balance >= amount; ensures ?; ... } Account a = new Account(100) a.withdrawCoins(40); a.withdrawCoins(30); // OK: ? consistent with precondition Johannes Bader Gradual Verification 16

  16. Gradual Verification Roadmap • Motivation and Intuition • Engineering: need good support for partial specs • Key new idea: a (partly) unknown spec: “?” • Overview: Abstracting Gradual Verification • A static verification system • Deriving a gradual verification system • Demonstration! • Extension to Implicit Dynamic Frames Johannes Bader Gradual Verification 17

  17. Gradual Verification Roadmap • Motivation and Intuition • Engineering: need good support for partial specs • Key new idea: a (partly) unknown spec: “?” • Overview: Abstracting Gradual Verification • A static verification system • Deriving a gradual verification system • Demonstration! • Extension to Implicit Dynamic Frames Johannes Bader Gradual Verification 18

  18. Inspiration: Gradual Typing [Siek & Taha, 2006] • Allows programmers to selectively omit types • Mixing dynamically ‐ typed code (e.g. as in Python) with statically ‐ typed code • Missing types denoted with a “?” or “dynamic” keyword • Can have “partly dynamic” types like “? ‐ > int” Johannes Bader Gradual Verification 19

  19. Abstracting Gradual Typing [Garcia et al., 2016] • Semantic foundation for Gradual Typing • Gradual types represent sets of possible static types • Use abstract interpretation to derive gradual type system from static type system Gradual System gradual lifting Static System Johannes Bader Gradual Verification 20

  20. How does this relate to Verification? int getFour(int i) requires ?; // not sure what this should be yet ensures result = 4; { i = i + 1; return i; } Types restrict which values are valid for a certain variable Formulas restrict which program states are valid at a certain point during execution Johannes Bader Gradual Verification 21

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The Recursive Union of Some Gradual Types Jeremy G. Siek Sam Tobin-Hochstadt Indiana

The Recursive Union of Some Gradual Types Jeremy G. Siek Sam Tobin-Hochstadt Indiana

The Recursive Union of Some Gradual Types Jeremy G. Siek Sam Tobin-Hochstadt Indiana University, Bloomington 1/ 24 Gradual Typing Goal: support the entire spectrum in one language. Program Dependent Static Dynamic Logics Types Typing

382 views • 24 slides
Performance Evaluation for Gradual Typing Asumu Takikawa Daniel Feltey *Ben Greenman Max S.

Performance Evaluation for Gradual Typing Asumu Takikawa Daniel Feltey *Ben Greenman Max S.

Performance Evaluation for Gradual Typing Asumu Takikawa Daniel Feltey *Ben Greenman Max S. New Jan Vitek Matthias Felleisen 9 years of sound gradual typing Gradual Typing for Functional Languages, Jeremy Siek &amp; Walid Taha. SFP '06

829 views • 41 slides
Program Verification (Rosen, Sections 5.5) TOPICS Program Correctness Preconditions &amp;

Program Verification (Rosen, Sections 5.5) TOPICS Program Correctness Preconditions &amp;

Program Verification (Rosen, Sections 5.5) TOPICS Program Correctness Preconditions &amp; Postconditions Program Verification Assignments Composition Conditionals Loops Proofs about Programs Why

537 views • 36 slides
Program Verification as a Toolbox 2005Now Todays Verification A Brief, Subjective History

Program Verification as a Toolbox 2005Now Todays Verification A Brief, Subjective History

Program Verification as a Toolbox David Cock Is Your System Correct? Verified Systems Program Verification as a Toolbox 2005Now Todays Verification A Brief, Subjective History Toolbox Whats Next? David Cock January 23, 2015 1

432 views • 32 slides
From Program Verification to Program Synthesis Overview Jaak Ristioja March 30, 2010 1 / 91

From Program Verification to Program Synthesis Overview Jaak Ristioja March 30, 2010 1 / 91

From Program Verification to Program Synthesis Overview Jaak Ristioja March 30, 2010 1 / 91 Reference From Program Verification to Program Synthesis. @ POPL10; January 17-23, 2010 Saurabh Srivastava , University of Maryland, College Park

1.21k views • 91 slides
The effectiveness of gradual learning EN S EMBLE METH ODS IN P YTH ON Romn de las Heras

The effectiveness of gradual learning EN S EMBLE METH ODS IN P YTH ON Romn de las Heras

The effectiveness of gradual learning EN S EMBLE METH ODS IN P YTH ON Romn de las Heras Data Scientist, SAP / Agile Solutions Collective vs gradual learning Collective Learning Gradual Learning Principle: wisdom of the crowd Principle:

461 views • 23 slides
Preparing for Re-Verification Brief Mr. Terrence Moultrie Chief, Verification and Executive

Preparing for Re-Verification Brief Mr. Terrence Moultrie Chief, Verification and Executive

The Center for Verification and Evaluation (CVE) Preparing for Re-Verification Brief Mr. Terrence Moultrie Chief, Verification and Executive Support Services Agenda What is Re-Verification? o Simplified Reverification Program VIP

320 views • 21 slides
Towards full verification of concurrent libraries Viktor Vafeiadis Program verification

Towards full verification of concurrent libraries Viktor Vafeiadis Program verification

Towards full verification of concurrent libraries Viktor Vafeiadis Program verification Programs considered: Small (&lt;100 LOC) Medium (KLOC) Large (MLOC) Simple

577 views • 45 slides
Quo Vadis Program Verification Krzysztof R. Apt CWI, Amsterdam, the Netherlands , University of

Quo Vadis Program Verification Krzysztof R. Apt CWI, Amsterdam, the Netherlands , University of

Quo Vadis Program Verification Krzysztof R. Apt CWI, Amsterdam, the Netherlands , University of Amsterdam Quo Vadis Program Verification p. 1/1 One Page Summary Assertional approach to program verification is here to stay. Gap between

629 views • 19 slides
DIVS DL/ID Verification Systems Verification of Legal Status DIVS Passport Verification

DIVS DL/ID Verification Systems Verification of Legal Status DIVS Passport Verification

DIVS DL/ID Verification Systems Verification of Legal Status DIVS Passport Verification Projects Birth Record Verification State to State Verification DIVS State to State Verification Service (S2S) Program Benefits Mission

349 views • 8 slides
Verification &amp; Validation Verification is getting the system right : Verification and

Verification &amp; Validation Verification is getting the system right : Verification and

Verification &amp; Validation Verification is getting the system right : Verification and Validation Does the program you built do what you designed it to do? Dr. James A. Bednar Validation is getting the right system : jbednar@inf.ed.ac.uk

331 views • 8 slides
7. Refined Verification Condition Generation Program Verification ETH Zurich, Spring Semester

7. Refined Verification Condition Generation Program Verification ETH Zurich, Spring Semester

7. Refined Verification Condition Generation Program Verification ETH Zurich, Spring Semester 2018 Alexander J. Summers 158 Weakest Preconditions So Far Weakest preconditions provide a means of reducing the question: does a program have

339 views • 16 slides
Program Verification (6EC version only) Erik Poll Digital Security Radboud University Nijmegen

Program Verification (6EC version only) Erik Poll Digital Security Radboud University Nijmegen

Program Verification (6EC version only) Erik Poll Digital Security Radboud University Nijmegen Overview Program Verification using Verification Condition Generators JML a formal specification language for Java Used for the

620 views • 41 slides
Why3 What is why3? A platform for deductive program verification What is why3? A platform

Why3 What is why3? A platform for deductive program verification What is why3? A platform

Why3 What is why3? A platform for deductive program verification What is why3? A platform for deductive program verification Made by: Franois Bobot Martin Clochard Lon Gondelman Jean-Christophe Fillitre Claude

98 views • 9 slides
Gradual Ownership Types Ilya Sergey Dave Clarke ESOP 2012 Ownership Types (a gradual

Gradual Ownership Types Ilya Sergey Dave Clarke ESOP 2012 Ownership Types (a gradual

Gradual Ownership Types Ilya Sergey Dave Clarke ESOP 2012 Ownership Types (a gradual introduction) class List { Link head; void add(Data d) { Data Data head = new Link(head, d); } owner Iterator makeIterator() { return new

781 views • 38 slides
Gradual Python with Colored Local Type Inference Joe Angell April 29, 2009 Joe Angell Gradual

Gradual Python with Colored Local Type Inference Joe Angell April 29, 2009 Joe Angell Gradual

Gradual Python with Colored Local Type Inference Joe Angell April 29, 2009 Joe Angell Gradual Python with Colored Local Type Inference Motivation Python programmers use dynamic typing Lets type check what we can, and what the programmer

303 views • 11 slides
Experiences and Challenges Scaling PFLOTRAN, a PETSc-based Code For Implicit Solution of

Experiences and Challenges Scaling PFLOTRAN, a PETSc-based Code For Implicit Solution of

Experiences and Challenges Scaling PFLOTRAN, a PETSc-based Code For Implicit Solution of Subsurface Reactive Flow Problems, Towards the Petascale on Cray XT systems Richard Tran Mills Computational Earth Sciences Group Computer Science and

429 views • 41 slides
www.Novotechsoftware.com Soil void ratio Soil density sity Soil permeab meabil ility ity

www.Novotechsoftware.com Soil void ratio Soil density sity Soil permeab meabil ility ity

www.Novotechsoftware.com Soil void ratio Soil density sity Soil permeab meabil ility ity Geological logical histo tory y of site Groun und water r level Nature ure of the earth thqu quake ake shaking ing www.NovotechSoftware.com

246 views • 23 slides
Fast and Wild: Bootstrap Inference in Stata Using boottest David Roodman James G. MacKinnon Open

Fast and Wild: Bootstrap Inference in Stata Using boottest David Roodman James G. MacKinnon Open

Q ED Queens Economics Department Working Paper No. 1406 Fast and Wild: Bootstrap Inference in Stata using boottest David Roodman, Open Philanthropy Project James G. MacKinnon, Queens University Morten rregaard Nielsen, Queens

843 views • 48 slides
HAND Diagnostic Issues HAND Diagnostic Issues Addressing Mental Addressing Mental Health Health

HAND Diagnostic Issues HAND Diagnostic Issues Addressing Mental Addressing Mental Health Health

HAND Diagnostic Issues HAND Diagnostic Issues Addressing Mental Addressing Mental Health Health Dr. Adriana Carvalhal, MD, MSc, PhD University of Toronto St. Michaels Hospital Disclosure Research: Canadian Institute Health Research

457 views • 21 slides
Cross ring data move 1. Segmentation based protection breaks 2. Kernel level actual data move

Cross ring data move 1. Segmentation based protection breaks 2. Kernel level actual data move

Advanced Operating Systems MS degree in Computer Engineering University of Rome Tor Vergata Lecturer: Francesco Quaglia Cross ring data move 1. Segmentation based protection breaks 2. Kernel level actual data move facilities 3. Enhanced

359 views • 24 slides
Many stories, two basic plots. common Fun with Gaussian distributions: average A few billion

Many stories, two basic plots. common Fun with Gaussian distributions: average A few billion

average Many stories, two basic plots. common Fun with Gaussian distributions: average A few billion lines of code later: static common (n inf) checking in the real world Andy Chou, Ben Chelf, Seth Hallem Scott McPeak, Bryan Fulton,

666 views • 12 slides
Structural Health Monitoring Mechanical and impact damage

Structural Health Monitoring Mechanical and impact damage

Structural Health Monitoring Mechanical and impact damage detec5on via fluorescent coa5ngs OBJECTIVE: RESULTS: Improve inspec0on capability by

472 views • 22 slides
Automation and Programming with Stata Christopher F Baum Boston College and DIW Berlin NCER,

Automation and Programming with Stata Christopher F Baum Boston College and DIW Berlin NCER,

Automation and Programming with Stata Christopher F Baum Boston College and DIW Berlin NCER, Queensland University of Technology, March 2014 Christopher F Baum (BC / DIW) Automation &amp; Programming NCER/QUT, 2014 1 / 179 Overview Overview

1.92k views • 179 slides

More recommend