Local Reasoning about the Presence of Bugs: Incorrectness Separation - - PowerPoint PPT Presentation
Local Reasoning about the Presence of Bugs: Incorrectness Separation Logic (ISL) Azalea Raad 1,2 Josh Berdine 3 Hoang-Hai Dang 2 Derek Dreyer 2 Peter OHearn 3,4 Jules Villard 3 1 Imperial College London 2 Max Planck Institute for Software
Local Reasoning about the Presence of Bugs: Incorrectness Separation Logic (ISL)
Azalea Raad1,2 Josh Berdine3 Hoang-Hai Dang2 Derek Dreyer2 Peter O’Hearn3,4 Jules Villard3
azalea@imperial.ac.uk @azalearaad SoundAndComplete.org
1 Imperial College London 2 Max Planck Institute for Software Systems (MPI-SWS) 3 Facebook London 4 University College London
❖ Lots of work on local reasoning for proving correctness
State of the Art: Correctness
➡ Prove the absence of bugs ➡ Over-approximate reasoning
2
❖ Lots of work on local reasoning for proving correctness
State of the Art: Correctness
➡ Compositionality
in resources accessed ⇒ spatial locality in code ⇒ reasoning about incomplete components
➡ Prove the absence of bugs ➡ Over-approximate reasoning
2
❖ Lots of work on local reasoning for proving correctness
State of the Art: Correctness
➡ Compositionality
in resources accessed ⇒ spatial locality in code ⇒ reasoning about incomplete components
➡ Scalability to large teams and codebases ➡ Prove the absence of bugs ➡ Over-approximate reasoning
2
State of the Art: Bug Catching
❖ Lots of work on bug catching
➡ Prove the presence of bugs ➡ E.g. symbolic model checking, symbolic execution for testing ➡ Under-approximate reasoning
3
State of the Art: Bug Catching
❖ Lots of work on bug catching
➡ Prove the presence of bugs ➡ E.g. symbolic model checking, symbolic execution for testing ➡ Under-approximate reasoning
❖ Based on global reasoning
3
State of the Art: Bug Catching
➡ e.g. Infer
❖ Lots of work on bug catching
➡ Prove the presence of bugs ➡ E.g. symbolic model checking, symbolic execution for testing ➡ Under-approximate reasoning
❖ Based on global reasoning ❖ Exceptions using local reasoning
3
State of the Art: Bug Catching
➡ e.g. Infer
❖ Lots of work on bug catching
➡ Prove the presence of bugs ➡ E.g. symbolic model checking, symbolic execution for testing ➡ Under-approximate reasoning
❖ Based on global reasoning ❖ Exceptions using local reasoning
➡ Using correctness-based compositional analysis
3
State of the Art: Bug Catching
➡ e.g. Infer
❖ Lots of work on bug catching
➡ Prove the presence of bugs ➡ E.g. symbolic model checking, symbolic execution for testing ➡ Under-approximate reasoning
❖ Based on global reasoning ❖ Exceptions using local reasoning
➡ Using correctness-based compositional analysis
Incorrectness Logic (O’Hearn) Formal Foundations for Bug Catching
3
4
Hoare triples
4
For all states s in p if running C on s terminates in s’, then s’ is in q
Hoare triples
4
iff
For all states s in p if running C on s terminates in s’, then s’ is in q
post(C)p ⊆ q
Hoare triples
4
iff
For all states s in p if running C on s terminates in s’, then s’ is in q
post(C)p ⊆ q
Hoare triples
post(C)p q ⊆
4
iff
For all states s in p if running C on s terminates in s’, then s’ is in q
post(C)p ⊆ q
Hoare triples
post(C)p q ⊇
4
iff
For all states s in p if running C on s terminates in s’, then s’ is in q
post(C)p ⊆ q
Hoare triples
iff
post(C)p q ⊇
4
iff
For all states s in p if running C on s terminates in s’, then s’ is in q
post(C)p ⊆ q
Hoare triples
iff Incorrectness triples
post(C)p q ⊇
4
iff
For all states s in p if running C on s terminates in s’, then s’ is in q
post(C)p ⊆ q
Hoare triples
iff Incorrectness triples
For all states s in q s can be reached by running C on some s’ in p
post(C)p q ⊇
5
iff
post(C)p ⊆ q
Hoare triples
5
iff
post(C)p ⊆ q
Hoare triples
q over-approximates post(C)p
5
iff
post(C)p ⊆ q
Hoare triples
q over-approximates post(C)p post(C)p
q
5
iff
post(C)p ⊆ q
Hoare triples
q over-approximates post(C)p post(C)p
q
true positive
5
iff
post(C)p ⊆ q
Hoare triples
q over-approximates post(C)p post(C)p
q
false positive true positive
5
iff
post(C)p ⊆ q
Hoare triples
q over-approximates post(C)p post(C)p
q
false positive true positive
⊇
iff Incorrectness triples
post(C)p q
q under-approximates post(C)p
5
iff
post(C)p ⊆ q
Hoare triples
q over-approximates post(C)p post(C)p
q
false positive true positive
⊇
iff Incorrectness triples
post(C)p q
q under-approximates post(C)p
q
post(C)p true positive
5
iff
post(C)p ⊆ q
Hoare triples
q over-approximates post(C)p post(C)p
q
false positive true positive
⊇
iff Incorrectness triples
post(C)p q
q under-approximates post(C)p
q
post(C)p false negative true positive
6
er : erroneous execution
6
er : erroneous execution
[y=v] x:=y [ok: x=y=v]
6
er : erroneous execution
[y=v] x:=y [ok: x=y=v] [p] error( ) [er: p]
7
iff
post(C, 𝜁)p ⊇ q
iff
∀ s ∈ q. ∃ s’ ∈ p. (s’,s) ∈ [C]𝜁
Equivalent Definition (reachability)
+ Under-approximate analogue of Hoare Logic
Incorrectness Logic: Summary
+ Formal foundation for bug catching
8
+ Under-approximate analogue of Hoare Logic
Incorrectness Logic: Summary
+ Formal foundation for bug catching
— Global reasoning: non-compositional (as in original Hoare Logic) — Cannot target memory safety bugs (e.g. use-after-free)
8
+ Under-approximate analogue of Hoare Logic
Incorrectness Logic: Summary
+ Formal foundation for bug catching
— Global reasoning: non-compositional (as in original Hoare Logic) — Cannot target memory safety bugs (e.g. use-after-free)
Incorrectness Separation Logic
8
9
❖ Incorrectness Separation Logic (ISL)
➡ IL + SL for compositional bug catching
9
❖ Incorrectness Separation Logic (ISL)
➡ IL + SL for compositional bug catching ➡ Under-approximate analogue of SL ➡ Targets memory safety bugs (e.g. use-after-free) ➡ Scalable: inspired by Facebook Pulse
9
❖ Incorrectness Separation Logic (ISL)
➡ IL + SL for compositional bug catching ➡ Under-approximate analogue of SL ➡ Targets memory safety bugs (e.g. use-after-free) ➡ Scalable: inspired by Facebook Pulse
❖ Combining IL+SL: not straightforward
➡ invalid frame rule!
9
❖ Incorrectness Separation Logic (ISL)
➡ IL + SL for compositional bug catching ➡ Under-approximate analogue of SL ➡ Targets memory safety bugs (e.g. use-after-free) ➡ Scalable: inspired by Facebook Pulse
❖ Combining IL+SL: not straightforward
➡ invalid frame rule!
❖ Fix: a monotonic model for frame preservation
9
❖ Incorrectness Separation Logic (ISL)
➡ IL + SL for compositional bug catching ➡ Under-approximate analogue of SL ➡ Targets memory safety bugs (e.g. use-after-free) ➡ Scalable: inspired by Facebook Pulse
❖ Combining IL+SL: not straightforward
➡ invalid frame rule!
❖ Fix: a monotonic model for frame preservation ❖ Recovering the footprint property for completeness
9
❖ Incorrectness Separation Logic (ISL)
➡ IL + SL for compositional bug catching ➡ Under-approximate analogue of SL ➡ Targets memory safety bugs (e.g. use-after-free) ➡ Scalable: inspired by Facebook Pulse
❖ Combining IL+SL: not straightforward
➡ invalid frame rule!
❖ Fix: a monotonic model for frame preservation ❖ Recovering the footprint property for completeness ❖ ISL-based analysis
➡ No-false-positives theorem: All bugs found are true bugs
9
❖ Incorrectness Separation Logic (ISL)
➡ IL + SL for compositional bug catching ➡ Under-approximate analogue of SL ➡ Targets memory safety bugs (e.g. use-after-free) ➡ Scalable: inspired by Facebook Pulse
❖ Combining IL+SL: not straightforward
➡ invalid frame rule!
❖ Fix: a monotonic model for frame preservation ❖ Recovering the footprint property for completeness ❖ ISL-based analysis
➡ No-false-positives theorem: All bugs found are true bugs
9
This talk
10
What Is Separation Logic (SL)?
SL : Local & compositional reasoning via ownership & separation ☛ ideal for heap-manipulating programs with aliasing
10
What Is Separation Logic (SL)?
[x]:= 1; [y]:= 2; [z]:= 3;
SL : Local & compositional reasoning via ownership & separation ☛ ideal for heap-manipulating programs with aliasing
10
What Is Separation Logic (SL)?
[x]:= 1; [y]:= 2; [z]:= 3;
SL : Local & compositional reasoning via ownership & separation ☛ ideal for heap-manipulating programs with aliasing
10
What Is Separation Logic (SL)?
[x]:= 1; [y]:= 2; [z]:= 3;
SL : Local & compositional reasoning via ownership & separation ☛ ideal for heap-manipulating programs with aliasing
10
What Is Separation Logic (SL)?
SL : Local & compositional reasoning via ownership & separation ☛ ideal for heap-manipulating programs with aliasing
[x1]:= 1; [x2]:= 2; … [xn]:= n;
10
What Is Separation Logic (SL)?
SL : Local & compositional reasoning via ownership & separation ☛ ideal for heap-manipulating programs with aliasing
[x1]:= 1; [x2]:= 2; … [xn]:= n;
n!/2 conjuncts !
11
What Is Separation Logic (SL)?
SL : Local & compositional reasoning via ownership & separation ☛ ideal for heap-manipulating programs with aliasing
[x]:= 1; [y]:= 2; [z]:= 3;
11
What Is Separation Logic (SL)?
SL : Local & compositional reasoning via ownership & separation ☛ ideal for heap-manipulating programs with aliasing
[x]:= 1; [y]:= 2; [z]:= 3;
‘and separately’
11
What Is Separation Logic (SL)?
SL : Local & compositional reasoning via ownership & separation ☛ ideal for heap-manipulating programs with aliasing
[x]:= 1; [y]:= 2; [z]:= 3;
‘and separately’
11
What Is Separation Logic (SL)?
SL : Local & compositional reasoning via ownership & separation ☛ ideal for heap-manipulating programs with aliasing
[x]:= 1; [y]:= 2; [z]:= 3;
‘and separately’
12
The Essence of Separation Logic (SL)
{p✽r} C {q✽r} {p} C {q}
Frame Rule
x ↦ v ✽ x ↦ v’ ⇔ false x ↦ v ✽ emp ⇔ x ↦ v
12
The Essence of Separation Logic (SL)
{p✽r} C {q✽r} {p} C {q}
Frame Rule
{x ↦ -} [x]:= v {x ↦ v}
Local Axioms
x ↦ v ✽ x ↦ v’ ⇔ false x ↦ v ✽ emp ⇔ x ↦ v
WRITE
12
The Essence of Separation Logic (SL)
{p✽r} C {q✽r} {p} C {q}
Frame Rule
{x ↦ -} [x]:= v {x ↦ v}
Local Axioms
{x ↦ v} y:= [x] {x ↦ v ∧ y=v} x ↦ v ✽ x ↦ v’ ⇔ false x ↦ v ✽ emp ⇔ x ↦ v
WRITE READ
12
The Essence of Separation Logic (SL)
{p✽r} C {q✽r} {p} C {q}
Frame Rule
{x ↦ -} [x]:= v {x ↦ v}
Local Axioms
{x ↦ v} y:= [x] {x ↦ v ∧ y=v} {emp} x:= alloc() {∃l. l ↦ -∧ x=l} x ↦ v ✽ x ↦ v’ ⇔ false x ↦ v ✽ emp ⇔ x ↦ v
WRITE READ ALLOC
12
The Essence of Separation Logic (SL)
{p✽r} C {q✽r} {p} C {q}
Frame Rule
{x ↦ -} [x]:= v {x ↦ v}
Local Axioms
{x ↦ v} y:= [x] {x ↦ v ∧ y=v} {emp} x:= alloc() {∃l. l ↦ -∧ x=l} {x ↦ -} free(x) { emp } x ↦ v ✽ x ↦ v’ ⇔ false x ↦ v ✽ emp ⇔ x ↦ v
WRITE READ ALLOC FREE
13
Incorrectness Separation Logic (ISL)
[p] C [𝜁: q]
IL
{p✽r} C {q✽r} {p} C {q}
x ↦ - ✽ x ↦ - ⇔ false x ↦ v ✽ emp ⇔ x ↦ v
SL
13
Incorrectness Separation Logic (ISL)
[p] C [𝜁: q]
IL
{p✽r} C {q✽r} {p} C {q}
x ↦ - ✽ x ↦ - ⇔ false x ↦ v ✽ emp ⇔ x ↦ v
SL
[p✽r] C [𝜁: q✽r] [p] C [𝜁: q]
x ↦ v ✽ x ↦ v’ ⇔ false x ↦ v ✽ emp ⇔ x ↦ v ISL
14
ISL: Local Axioms (First Attempt)
[x ↦ v’] [x]:= v [ok: x ↦ v]
WRITE
14
ISL: Local Axioms (First Attempt)
[x ↦ v’] [x]:= v [ok: x ↦ v]
WRITE
[x=null] [x]:= v [er: x=null]
14
ISL: Local Axioms (First Attempt)
[x ↦ v’] [x]:= v [ok: x ↦ v]
WRITE
[x=null] [x]:= v [er: x=null]
null-pointer dereference error
14
ISL: Local Axioms (First Attempt)
[x ↦ v’] [x]:= v [ok: x ↦ v]
WRITE
[x=null] [x]:= v [er: x=null] [x ↦ v] y:= [x] [ok: x ↦ v∧y=v] [x=null] y:= [x] [er: x=null]
READ
null-pointer dereference error
14
ISL: Local Axioms (First Attempt)
[x ↦ v’] [x]:= v [ok: x ↦ v]
WRITE
[x=null] [x]:= v [er: x=null] [x ↦ v] y:= [x] [ok: x ↦ v∧y=v] [x=null] y:= [x] [er: x=null]
READ
[emp] x:= alloc() [ok:∃l. l ↦ v ∧ x=l]
ALLOC
null-pointer dereference error
14
ISL: Local Axioms (First Attempt)
[x ↦ v’] [x]:= v [ok: x ↦ v]
WRITE
[x=null] [x]:= v [er: x=null] [x ↦ v] y:= [x] [ok: x ↦ v∧y=v] [x=null] y:= [x] [er: x=null]
READ
[emp] x:= alloc() [ok:∃l. l ↦ v ∧ x=l]
ALLOC
[x ↦ v] free(x) [ok: emp] [x=null] free(x) [er: x=null]
FREE
null-pointer dereference error
14
ISL: Local Axioms (First Attempt)
[x ↦ v’] [x]:= v [ok: x ↦ v]
WRITE
[x=null] [x]:= v [er: x=null] [x ↦ v] y:= [x] [ok: x ↦ v∧y=v] [x=null] y:= [x] [er: x=null]
READ
[emp] x:= alloc() [ok:∃l. l ↦ v ∧ x=l]
ALLOC
[x ↦ v] free(x) [ok: emp] [x=null] free(x) [er: x=null]
FREE
null-pointer dereference error
15
iff
∀ s ∈ q. ∃ s’ ∈ p. (s’,s) ∈ [C]𝜁
[x ↦ v] free(x) [ok: emp]
[p✽r] C [𝜁: q✽r] [p] C [𝜁: q]
x ↦ v ✽ x ↦ v’ ⇔ false x ↦ v ✽ emp ⇔ x ↦ v ISL
ISL: Local Axioms (First Attempt)
15
iff
∀ s ∈ q. ∃ s’ ∈ p. (s’,s) ∈ [C]𝜁
[x ↦ v] free(x) [ok: emp] [x ↦ v✽x ↦ v] free(x) [ok: emp✽x ↦ v]
[p✽r] C [𝜁: q✽r] [p] C [𝜁: q]
x ↦ v ✽ x ↦ v’ ⇔ false x ↦ v ✽ emp ⇔ x ↦ v ISL
ISL: Local Axioms (First Attempt)
(Frame)
15
iff
∀ s ∈ q. ∃ s’ ∈ p. (s’,s) ∈ [C]𝜁
[x ↦ v] free(x) [ok: emp] [x ↦ v✽x ↦ v] free(x) [ok: emp✽x ↦ v] [false] free(x) [ok: x ↦ v]
[p✽r] C [𝜁: q✽r] [p] C [𝜁: q]
x ↦ v ✽ x ↦ v’ ⇔ false x ↦ v ✽ emp ⇔ x ↦ v ISL
ISL: Local Axioms (First Attempt)
(Frame) (Cons)
15
iff
∀ s ∈ q. ∃ s’ ∈ p. (s’,s) ∈ [C]𝜁
[x ↦ v] free(x) [ok: emp] [x ↦ v✽x ↦ v] free(x) [ok: emp✽x ↦ v] [false] free(x) [ok: x ↦ v]
[p✽r] C [𝜁: q✽r] [p] C [𝜁: q]
x ↦ v ✽ x ↦ v’ ⇔ false x ↦ v ✽ emp ⇔ x ↦ v ISL
(unless q ⇒ false)
ISL: Local Axioms (First Attempt)
(Frame) (Cons)
15
iff
∀ s ∈ q. ∃ s’ ∈ p. (s’,s) ∈ [C]𝜁
[x ↦ v] free(x) [ok: emp] [x ↦ v✽x ↦ v] free(x) [ok: emp✽x ↦ v] [false] free(x) [ok: x ↦ v]
[p✽r] C [𝜁: q✽r] [p] C [𝜁: q]
x ↦ v ✽ x ↦ v’ ⇔ false x ↦ v ✽ emp ⇔ x ↦ v ISL
(unless q ⇒ false)
ISL: Local Axioms (First Attempt)
(Frame) (Cons)
16
Solution: Track Deallocated Locations!
[x ↦ v] free(x) [ok: ] emp
16
Solution: Track Deallocated Locations!
[x ↦ v] free(x) [ok: ] ↦ x
16
Solution: Track Deallocated Locations!
x is deallocated
[x ↦ v] free(x) [ok: ] ↦ x
16
Solution: Track Deallocated Locations!
x ↦ v ✽ x ↦ v’ ⇔ false x ↦ v ✽ emp ⇔ x ↦ v
x is deallocated
[x ↦ v] free(x) [ok: ] ↦ x
16
Solution: Track Deallocated Locations!
x ↦ v ✽ x ↦ v’ ⇔ false x ↦ v ✽ emp ⇔ x ↦ v x ↦ ✽ x ↦ ⇔ false
x is deallocated
x ↦ v ✽ x ↦ ⇔ false [x ↦ v] free(x) [ok: ] ↦ x
17
Solution: Track Deallocated Locations!
[x ↦ v] free(x) [ok: x ] ↦
17
Solution: Track Deallocated Locations!
[x ↦ v] free(x) [ok: x ] ↦ [x ↦ v✽x ↦ v] free(x) [ok: x ✽x ↦ v] ↦
17
Solution: Track Deallocated Locations!
[x ↦ v] free(x) [ok: x ] ↦ [false] free(x) [ok: false] [x ↦ v✽x ↦ v] free(x) [ok: x ✽x ↦ v] ↦
iff
∀ s ∈ q. ∃ s’ ∈ p. (s’,s) ∈ [C]𝜁
18
[x ↦ v] free(x) [ok: x ] [x=null] free(x) [er: x=null]
↦
FREE
18
[x ↦ v] free(x) [ok: x ] [x=null] free(x) [er: x=null]
↦
FREE
[x ] free(x) [er: x ]
↦ ↦
18
[x ↦ v] free(x) [ok: x ] [x=null] free(x) [er: x=null]
↦
FREE
use-after-free error
[x ] free(x) [er: x ]
↦ ↦
18
[x ↦ v] free(x) [ok: x ] [x=null] free(x) [er: x=null]
↦
FREE
use-after-free error
[x ] free(x) [er: x ]
↦ ↦
[x ↦ v’] [x]:= v [ok: x ↦ v] [x=null] [x]:= v [er: x=null] [x ] [x]:= v [er: x ]
↦ ↦
WRITE
18
[x ↦ v] free(x) [ok: x ] [x=null] free(x) [er: x=null]
↦
FREE
use-after-free error
[x ] free(x) [er: x ]
↦ ↦
[x ↦ v’] [x]:= v [ok: x ↦ v] [x=null] [x]:= v [er: x=null] [x ] [x]:= v [er: x ]
↦ ↦
WRITE
[x ↦ v] y:= [x] [ok: x ↦ v∧y=v] [x=null] y:= [x] [er: x=null] [x ] y:= [x] [er: x ]
↦ ↦
READ
18
[x ↦ v] free(x) [ok: x ] [x=null] free(x) [er: x=null]
↦
FREE
use-after-free error
[x ] free(x) [er: x ]
↦ ↦
[x ↦ v’] [x]:= v [ok: x ↦ v] [x=null] [x]:= v [er: x=null] [x ] [x]:= v [er: x ]
↦ ↦
WRITE
[x ↦ v] y:= [x] [ok: x ↦ v∧y=v] [x=null] y:= [x] [er: x=null] [x ] y:= [x] [er: x ]
↦ ↦
READ
[emp] x:= alloc() [ok:∃l. l ↦ v ∧ x=l ]
ALLOC
18
[x ↦ v] free(x) [ok: x ] [x=null] free(x) [er: x=null]
↦
FREE
use-after-free error
[x ] free(x) [er: x ]
↦ ↦
[x ↦ v’] [x]:= v [ok: x ↦ v] [x=null] [x]:= v [er: x=null] [x ] [x]:= v [er: x ]
↦ ↦
WRITE
[x ↦ v] y:= [x] [ok: x ↦ v∧y=v] [x=null] y:= [x] [er: x=null] [x ] y:= [x] [er: x ]
↦ ↦
READ
[emp] x:= alloc() [ok:∃l. l ↦ v ∧ x=l ]
ALLOC
[y ] x:= alloc() [ok: y ↦ v ∧ x=y ]
↦
➡ A rigorous foundation for bug catching ➡ A unifying theory of testing and verification
➡ A rigorous foundation for bug catching ➡ A unifying theory of testing and verification
➡ Combining IL and SL for compositional bug catching ➡ A monotonic model for frame preservation ➡ Recovering the footprint property for completeness
➡ A rigorous foundation for bug catching ➡ A unifying theory of testing and verification
➡ Combining IL and SL for compositional bug catching ➡ A monotonic model for frame preservation ➡ Recovering the footprint property for completeness
➡ Concurrent Incorrectness Separation Logic (CISL) Extending ISL with concurrency Tools for deadlock detection, race detection, …
➡ A rigorous foundation for bug catching ➡ A unifying theory of testing and verification
➡ Combining IL and SL for compositional bug catching ➡ A monotonic model for frame preservation ➡ Recovering the footprint property for completeness
➡ Concurrent Incorrectness Separation Logic (CISL) Extending ISL with concurrency Tools for deadlock detection, race detection, …
azalea@imperial.ac.uk @azalearaad SoundAndComplete.org
Thank You for Listening!
Incorrectness Separation Logic
Correctness
➡ in code (incomplete code) ➡ in resources accessed
Verification
. O’Hearn J. Villard July 23rd @ 9:15
Incorrectness Separation Logic
Correctness
➡ in code (incomplete code) ➡ in resources accessed
Bug Catching (incorrectness)
➡ e.g. symbolic model checking
➡ Based on correctness
Verification
. O’Hearn J. Villard July 23rd @ 9:15
Incorrectness Separation Logic
Correctness
➡ in code (incomplete code) ➡ in resources accessed
Bug Catching (incorrectness)
➡ e.g. symbolic model checking
➡ Based on correctness
Incorrectness Separation Logic (ISL) Incorrectness logic: global reasoning for bug catching
+
Separation logic: correctness-based local reasoning
Verification
. O’Hearn J. Villard July 23rd @ 9:15
Incorrectness Separation Logic
Correctness
➡ in code (incomplete code) ➡ in resources accessed
Bug Catching (incorrectness)
➡ e.g. symbolic model checking
➡ Based on correctness
Incorrectness Separation Logic (ISL) Incorrectness logic: global reasoning for bug catching
+
Separation logic: correctness-based local reasoning Formal foundation for local & compositional bug catching
Verification
. O’Hearn J. Villard July 23rd @ 9:15