The HARPO Verifier, Status 2018 October 15: Verifying the Correctness of HARPO Programs (PowerPoint presentation, transcript)


Slide 1: The HARPO Verifier

Status 2018 October 15

Verifying the Correctness of HARPO Programs

Slide 2: Verifying the Correctness of HARPO Programs

Presented at NECEC 2018, St. John's NL

Inaam Ahmed, Computer Engineering Research Labs, Dept. ECE, MUN

2018 November 13

Slide 3: Review of Harpo

◼ HARdware Parallel Objects
◼ An executing Harpo program is a static network of objects.
◼ Each object contains 0 or more threads.
◼ Each object contains 0 or more locations or arrays and connects to 0 or more other objects.
◼ Objects communicate via client/server rendezvous.
◼ Objects are implemented as software (e.g. concurrent C) or hardware (e.g. FPGA).

Slide 4: Data flow architecture

Harpo source → First Pass → Abstract Syntax Tree → Checker → Attributed AST, which feeds three back ends:
◼ C Back End → C source
◼ VHDL Back End → VHDL source
◼ Boogie Back End → Boogie

Slide 5: HARPO Program

◼ HARPO Programs
    Program → ( ClassDecl | IntfDecl | ObjectDecl | ConstDecl | ; )
◼ Interfaces: contain method declarations with ghost parameters.
◼ Classes: carry the annotations claim and invariant.
◼ Objects: ghost objects are annotated with the ghost keyword.
◼ Constants: have a HARPO primitive type.

Slide 6: Program Translation into Boogie

Harpo source → First Pass → Abstract Syntax Tree → Checker → Attributed AST → Boogie Back End → Boogie → Z3 → Verification Report (the VHDL Back End hangs off the same Attributed AST).

Slide 7: Running example: Input

    (class Math
        obj c: int32 := 0;
        (thread (*t0*)
            claim c
            c := 2+2;
            assert c = 4;
        thread)
    class)

Slide 8: AST (slightly simplified)

    [ClassDeclNd(
        ObjDeclNd[c](
            NamedTypeNd(Int32) : loc{Int32},
            ValueInitExpNd(IntLiteralExpNd(0) : Int32) : Int32),
        ThreadDeclNd[t#0](
            ThrdClaimNd([NameExpNd(c) : Int32]),
            SeqCommandNd(
                AssertCmdNd(
                    ChainExpNd([LessOp],
                        [FetchExpNd(NameExpNd(c) : loc{Int32}) : Int32,
                         IntLiteralExpNd(20) : Int32]) : Bool)))) ,]

Slide 9: AST after first pass

(AST diagram not captured in the transcript.)

Slide 10: Checker Passes

The checker passes modify and add attributes to the AST in place:
◼ Symbol Table Builder (produces the Symbol Table)
◼ Resolver
◼ Type Creator
◼ Type Checker
◼ Class Environment Creator (produces the Class Environment)

Slide 11: Running example after TableCreator

◼ Creates a map
    ◼ from fully qualified names
    ◼ to declaration nodes in the AST
◼ Entries for the running example: Math, Math.c, Math.*t0*, Int32

Slide 12: Resolver pass

◼ Links each Name node to a declaration.
◼ After this, the symbol table is no longer needed!

Slide 13: Type Creator Pass

◼ Creates types as needed.
◼ Associates all Type nodes (except NoType nodes) with a type.
◼ TypeNodes: syntactic representation of types.
◼ Types: semantic representation of types.

Slide 14: Running Example after Type Creation Pass

The obj c gets a LocationType whose base is PrimitiveType(Int32) (written loc{Int32} in the AST dump).
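As an added illustration of the three passes above (Symbol Table Builder, Resolver, Type Creator), here is a miniature checker in Python run over a dict-based stand-in for the slide-8 AST of the running example. It is example code, not the HARPO project's checker: the dict representation, its field names, the LocationType/PrimitiveType classes and the builtin list Int32/Bool are assumptions of the example, and only the node kind names follow slide 8. It also shows the failure mode the resolver exists for: an undeclared name is rejected before any later pass runs.

```python
"""Miniature Symbol Table Builder, Resolver and Type Creator passes.
Example code for illustration, not the HARPO checker: the dict-based AST, its
field names, the builtin type list and the type classes are assumptions; only
the node kind names (ClassDeclNd, ObjDeclNd, ...) follow the slide-8 dump."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PrimitiveType:      # semantic type (slide 13: a "Type", not a "TypeNode")
    name: str


@dataclass(frozen=True)
class LocationType:       # type of an obj declaration: a location holding a value
    base: PrimitiveType


BUILTIN_TYPES = {"Int32": PrimitiveType("Int32"), "Bool": PrimitiveType("Bool")}  # assumed


def node(kind, **attrs):
    return {"kind": kind, **attrs}


def running_example():
    """Constructed AST for the slide-7 input:
    (class Math obj c: int32 := 0; (thread (*t0*) claim c c := 2+2; assert c = 4; thread) class)"""
    return [node("ClassDeclNd", name="Math", members=[
        node("ObjDeclNd", name="c", type_node=node("NamedTypeNd", name="Int32"),
             init=node("IntLiteralExpNd", value=0)),
        node("ThreadDeclNd", name="*t0*", claim=[node("NameExpNd", name="c")], body=[
            node("AssignCmdNd", target=node("NameExpNd", name="c"),
                 value=node("ChainExpNd", op="+", args=[node("IntLiteralExpNd", value=2),
                                                        node("IntLiteralExpNd", value=2)])),
            node("AssertCmdNd", cond=node("ChainExpNd", op="=", args=[
                node("FetchExpNd", exp=node("NameExpNd", name="c")),
                node("IntLiteralExpNd", value=4)]))])])]


def walk(n, fn):
    """Pre-order traversal of dicts and lists; the 'decl' back-links added by
    the resolver are skipped so the traversal stays a tree."""
    if isinstance(n, dict):
        fn(n)
        for key, value in n.items():
            if key != "decl":
                walk(value, fn)
    elif isinstance(n, list):
        for item in n:
            walk(item, fn)


def _declare(table, fqn, decl):
    if fqn in table:
        raise NameError(f"duplicate declaration of {fqn}")
    table[fqn] = decl


def build_symbol_table(program):
    """Pass 1 (slide 11): fully qualified name -> declaration node.  Builtin
    types get a stub declaration so that Int32 appears in the table as on slide 11."""
    table = {name: node("BuiltinTypeDeclNd", name=name) for name in BUILTIN_TYPES}
    for cls in program:
        _declare(table, cls["name"], cls)
        for member in cls["members"]:
            _declare(table, f'{cls["name"]}.{member["name"]}', member)
    return table


def resolve(program, table):
    """Pass 2 (slide 12): link every NameExpNd and NamedTypeNd to its declaration.
    A name used inside class C is looked up as C.name first, then as a global
    name.  After this pass the symbol table is no longer needed."""
    for cls in program:
        def link(n, scope=cls["name"]):
            if n["kind"] in ("NameExpNd", "NamedTypeNd"):
                for fqn in (f"{scope}.{n['name']}", n["name"]):
                    if fqn in table:
                        n["decl"] = table[fqn]
                        return
                raise NameError(f"undeclared name {n['name']} in {scope}")
        walk(cls["members"], link)


def create_types(program):
    """Pass 3 (slides 13-14): attach a semantic type to each resolved Type node
    and give each obj of primitive type T the type LocationType(T), i.e. loc{T}."""
    def assign_type(n):
        if n["kind"] == "NamedTypeNd":
            n["type"] = BUILTIN_TYPES[n["decl"]["name"]]      # KeyError if unresolved
        elif n["kind"] == "ObjDeclNd":
            n["type"] = LocationType(BUILTIN_TYPES[n["type_node"]["name"]])
    walk(program, assign_type)


def check(program):
    """Run the three passes in order on the AST (in place); returns the symbol table."""
    table = build_symbol_table(program)
    resolve(program, table)
    create_types(program)
    return table


if __name__ == "__main__":
    print(sorted(check(running_example())))   # ['Bool', 'Int32', 'Math', 'Math.*t0*', 'Math.c']
```

The order matters in the same way as on slide 10: the resolver needs the table, the type creator needs resolved NamedTypeNd nodes, and once every Name node carries its `decl` link the table can be dropped.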

Slide 15: Boogie Back-end

◼ Goal: translate Harpo into Boogie that can be run on the Boogie verification tool.
◼ A standard approach to program verification is theorem proving:
    ◼ source code together with its program specifications is converted into verification conditions;
    ◼ the theorem prover uses the verification conditions to determine the correctness of the program.
◼ Longer-term goal: turn the Boogie back end into an interactive tool.

Slide 16: Complexity

◼ Generating the verification conditions is a complex task.
◼ Mitigate the complexity by dividing the task into two steps:
    ◼ Convert the source into an intermediate verification language (IVL): Boogie.
    ◼ Let Boogie talk to the theorem prover (Z3).

Slide 17: Memory Model

◼ We use a heap memory model that maps object references and fields to values.
◼ Objects Heap: indexed by reference and field (the figure shows fields x, y, z, bool, m holding Ref, integer, real and boolean values).
◼ Array Heap: the figure shows Boolean, Integer, Real and Ref arrays indexed by position.

(Heap figure not reproduced; only its labels survive the transcript.)

Slide 18: Boogie Prelude

◼ Independent of the source program being translated.
◼ Contains some important definitions, such as:
    ◼ modeling memory
    ◼ reference types
    ◼ type axioms
    ◼ array length and the permission type
◼ Required for the translation of any HARPO program.
◼ The final output consists of the Boogie prelude followed by the translation of the specific HARPO program.

Slide 19: Boogie Back End Pass

Abstract Syntax Tree → Traverse Tree → Translate Decls to Boogie → String Buffer Builder → Boogie Source Code; the String Buffer Builder also prepends the Boogie Prelude string.

Slide 20: A Few Translations

    Program component | HARPO code                                     | Boogie code
    Class             | (class A  class members  class)               | const unique A: ClassName;
    Interface         | (interface B  interface members  interface)   | const unique B: ClassName;
    Field             | obj h: Int8 := Exp                             | const unique A.h: Field int;
    Constant          | const c: real16 := Exp_h                       | const c: real; axiom c == Exp_b
    While statement   | (while G_h invariant I statement(s) while)     | while (G_b) invariant I { Boogie statements }
    Thread            | (thread T claim init_Permission block thread)  | procedure A.T(this: Ref) modifies Heap, ArrayHeap; requires dtype(this) <: A; { ...thread block ...claim translation }

Exp_h and G_h are HARPO expressions; Exp_b and G_b are their Boogie translations.

Slide 21: Listing 0 Translated

◼ Boogie Source

    // prelude
    type Ref;
    type Field a;
    type HeapType = <a>[Ref, Field a]a;
    var Heap: HeapType;
    type Perm = real;
    type PermissionType = <a>[Ref, Field a]Perm;

    // specific translated part of Listing 0
    type className;
    function dtype(Ref) returns (className);
    const unique Math: className;
    const unique Math.c: Field int;
    procedure Math.t0(this: Ref)
      modifies Heap;
    {
      var Permission: PermissionType where
        (forall <a> r: Ref, f: Field a :: Permission[r, f] == 0.0);
      var oldHeap, tmpHeap: HeapType;
      Permission[this, Math.c] := 1.0;
      assert Permission[this, Math.c] == 1.0;
      Heap[this, Math.c] := 2 + 2;
      assert Permission[this, Math.c] > 0.0;
      assert Heap[this, Math.c] == 4;
    }
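The listing above is what the back end produces for the running example. As an added illustration, not the project's own back-end code, the Python below emits Boogie of the same shape (prelude, class and field constants, one procedure per thread) from a small command list, inserting a permission assertion before every field access exactly where the listing has them, and then uses a tiny permission simulator in place of Boogie/Z3 to show why a thread that writes c without claiming it fails to verify. Assumptions of the example: expressions are nested tuples, a claim grants the whole permission 1.0 as in the listing's `Permission[this, Math.c] := 1.0`, a write requires permission == 1.0 and a read requires > 0.0 (the usual fractional-permission reading, consistent with the listing's two asserts), and the ArrayHeap and the splitting of claims between threads are left out.

```python
"""Miniature Boogie back end: HARPO thread -> Boogie procedure with the
permission assertions of slide 21, plus a straight-line permission simulator
standing in for Boogie/Z3.  Example code, not the HARPO back end; the tuple
expression form, the command tuples and the simulator are assumptions."""

PRELUDE = """\
// prelude (slide 21): independent of the source program
type Ref;
type Field a;
type HeapType = <a>[Ref, Field a]a;
var Heap: HeapType;
type Perm = real;
type PermissionType = <a>[Ref, Field a]Perm;
type className;
function dtype(Ref) returns (className);
"""

BOOGIE_OPS = {"+": "+", "-": "-", "*": "*", "=": "==", "<": "<", ">": ">"}


def exp_to_boogie(cls, exp, reads):
    """Expression -> Boogie text.  int = literal, str = fetch of that field
    (recorded in `reads`), tuple = (op, lhs, rhs)."""
    if isinstance(exp, int):
        return str(exp)
    if isinstance(exp, str):
        reads.append(exp)
        return f"Heap[this, {cls}.{exp}]"
    op, lhs, rhs = exp
    return f"({exp_to_boogie(cls, lhs, reads)} {BOOGIE_OPS[op]} {exp_to_boogie(cls, rhs, reads)})"


def translate_thread(cls, fields, thread, claim, body):
    """Emit procedure Cls.thread(this: Ref).  A read of field f is guarded by
    assert Permission[this, Cls.f] > 0.0 and a write by == 1.0 (assumed rule
    matching the slide-21 asserts).  The where-clause makes every unclaimed
    permission 0.0, so an unclaimed access cannot pass its guard."""
    for f in list(claim) + [cmd[1] for cmd in body if cmd[0] == "assign"]:
        if f not in fields:
            raise NameError(f"{cls}.{f} is not a declared field")
    out = [f"procedure {cls}.{thread}(this: Ref)", "  modifies Heap;",
           f"  requires dtype(this) <: {cls};", "{",
           "  var Permission: PermissionType where",
           "    (forall <a> r: Ref, f: Field a :: Permission[r, f] == 0.0);"]
    out += [f"  Permission[this, {cls}.{f}] := 1.0;" for f in claim]   # claim translation
    for cmd in body:                                                   # thread block
        reads = []
        if cmd[0] == "assign":
            _, target, exp = cmd
            rhs = exp_to_boogie(cls, exp, reads)
            out += [f"  assert Permission[this, {cls}.{f}] > 0.0;" for f in reads]
            out.append(f"  assert Permission[this, {cls}.{target}] == 1.0;")
            out.append(f"  Heap[this, {cls}.{target}] := {rhs};")
        elif cmd[0] == "assert":
            cond = exp_to_boogie(cls, cmd[1], reads)
            out += [f"  assert Permission[this, {cls}.{f}] > 0.0;" for f in reads]
            out.append(f"  assert {cond};")
        else:
            raise ValueError(f"unknown command {cmd[0]}")
    out.append("}")
    return "\n".join(out)


def translate_class(cls, fields, threads):
    """Slide-20 declarations for the class and its fields, then one procedure
    per thread.  fields: {name: boogie type}; threads: (name, claim, body)."""
    decls = [f"const unique {cls}: className;"]
    decls += [f"const unique {cls}.{f}: Field {t};" for f, t in fields.items()]
    procs = [translate_thread(cls, fields, *t) for t in threads]
    return PRELUDE + "\n".join(decls) + "\n\n" + "\n\n".join(procs) + "\n"


def first_permission_violation(claim, body):
    """Stand-in for Boogie/Z3 on straight-line code: the first access whose
    inserted permission assert would fail, as ("read"|"write", field), or None."""
    perm = {f: 1.0 for f in claim}                # every other field: 0.0

    def reads_of(exp):
        if isinstance(exp, str):
            return [exp]
        if isinstance(exp, tuple):
            return reads_of(exp[1]) + reads_of(exp[2])
        return []

    for cmd in body:
        for f in reads_of(cmd[2] if cmd[0] == "assign" else cmd[1]):
            if perm.get(f, 0.0) <= 0.0:
                return ("read", f)
        if cmd[0] == "assign" and perm.get(cmd[1], 0.0) != 1.0:
            return ("write", cmd[1])
    return None


# Constructed inputs: the running example (class Math, thread t0) of slide 7,
# and a variant thread that writes c without claiming it.
MATH_FIELDS = {"c": "int"}
T0 = ("t0", ["c"], [("assign", "c", ("+", 2, 2)), ("assert", ("=", "c", 4))])
T_UNCLAIMED = ("t1", [], [("assign", "c", ("+", 2, 2))])

if __name__ == "__main__":
    print(translate_class("Math", MATH_FIELDS, [T0, T_UNCLAIMED]))
    print(first_permission_violation(*T_UNCLAIMED[1:]))   # ('write', 'c')
```

For T0 the emitted procedure has the claim, the `== 1.0` guard, the heap write, the `> 0.0` guard and the value assert in the same order as the listing. For T_UNCLAIMED the same guard is emitted but nothing ever raises the permission above the where-clause's 0.0, which is the check a real Boogie run would report as a failed assertion; the simulator returns that access directly.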

Slide 22: Conclusion and Future Work

◼ Automated the translation process.
◼ The implementation will result in an independent back end of the verifier.
◼ Support verification of concurrent threads.
◼ Some language features, such as functions and predicates, still need to be added.
◼ Develop a verification tool like Dafny.

Slide 23: The End