Towards an Axiomatic Basis for C++ - Gregory Malecha, Abhishek Anand, Gordon Stewart - PowerPoint PPT Presentation



SLIDE 1

Towards an Axiomatic Basis for C++

Gregory Malecha, Abhishek Anand, Gordon Stewart

BedRock Systems

SLIDE 2

The future is built on BedRock.

BedRock Systems

Unbreakable Foundation for the Software Defined World

Enable everyone to write and share verified code! Formally verified, deep specifications.

SLIDES 3-4

Verification target

Components shown on the figure: NOVA (microhypervisor), Zeta, Userspace, vETH Switch, vUART Mux, ..., and VMMs each running a Guest. The components are labelled as C++ code.

Deep correctness properties of highly concurrent, low-level code.

SLIDE 5

Working with C++

SLIDES 6-12

The verification toolchain

From source to proof? The slides build up the pipeline one file at a time (figure recovered as text):

  a.cpp  -> (cpp2v) ->  a_cpp.v
  a_cpp_spec.v
  a_cpp_proof.v

Also shown alongside them: syntax.v, logic.v, auto.v.

SLIDES 13-14

Building on previous work

  C (CompCert, VST)
  Imp
  Iris separation logic library
  C++ (..., 14, 17, ...)

SLIDES 15-16

Features of C++

Semantic Challenges

  • Value categories
  • Side-effects
  • Modularity

Classes + Objects

  • Constructors
  • Destructors
  • Inheritance

Surface Complexities

  • Parsing
  • Type checking
  • Overload resolution
  • Syntactic sugar

  -> Hooking into existing tooling

SLIDES 17-20

cpp2v

a.cpp -> (cpp2v) -> a_cpp.v

Uses clang to build C++ ASTs from source files.
  ► First-order AST
  ► Embedded types

Minimal pre-processing (close to the C++ standard).

Example invocation:

    cpp2v -o a_cpp.v src/a.cpp -- --target=aarch64-none-elf -std=gnu++17 -O2 -fno-exceptions -fno-rtti -fno-threadsafe-statics -fno-builtin -I./include -I./include/aarch64

The options after -- are standard clang compiler options.

Compatible with C.

Also runnable as a clang plugin.

Includes extra information to ease consumption:
  ► value categories
  ► types
  ► implicit initializers
  ► overload resolution
  ► some desugaring
  ► etc.

SLIDE 21

Features of C++

Semantic Challenges

  • Value categories
  • Side-effects
  • Modularity

  -> Weakest precondition semantics in Iris

Classes + Objects

  • Constructors
  • Destructors
  • Inheritance

Surface Complexities

  • Parsing
  • Type checking
  • Overload resolution
  • Syntactic sugar

  -> Hooking into existing tooling

SLIDES 22-23

The program logic for C++

Callouts on the slide's weakest-precondition judgement (the judgement itself did not survive extraction): these are values, e.g. integers; locals; the "thread identifier"; temporaries to destroy; the Iris mask; declarations.

And for other value categories & language constructs: wp_lval, wp_xval.
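As an added example (not code from the slides or from cpp2v), the distinctions that separate judgements per value category (wp for prvalues, wp_lval, wp_xval) and a "temporaries to destroy" component have to track, made observable from inside C++ itself; it assumes a C++17 compiler, and by_value, by_lref, by_rref and Tracker are constructed helpers.

```cpp
// Added example: constructed helpers (by_value, by_lref, by_rref, Tracker); assumes C++17.
#include <type_traits>
#include <utility>

enum class Cat { lvalue, xvalue, prvalue };

// decltype((e)) yields T& for an lvalue, T&& for an xvalue and plain T for a prvalue,
// so it can be used to read off the value category of an expression e.
template <class T>
constexpr Cat classify() {
  if constexpr (std::is_lvalue_reference_v<T>) return Cat::lvalue;
  else if constexpr (std::is_rvalue_reference_v<T>) return Cat::xvalue;
  else return Cat::prvalue;
}
#define CATEGORY_OF(e) classify<decltype((e))>()
int g = 0;
int   by_value() { return g; }              // a call returning by value is a prvalue
int&  by_lref()  { return g; }              // a call returning T& is an lvalue
int&& by_rref()  { return std::move(g); }   // a call returning T&& is an xvalue
Cat cat_named()    { return CATEGORY_OF(g); }              // lvalue
Cat cat_moved()    { return CATEGORY_OF(std::move(g)); }   // xvalue
Cat cat_literal()  { return CATEGORY_OF(42); }             // prvalue
Cat cat_by_value() { return CATEGORY_OF(by_value()); }     // prvalue
Cat cat_by_lref()  { return CATEGORY_OF(by_lref()); }      // lvalue
Cat cat_by_rref()  { return CATEGORY_OF(by_rref()); }      // xvalue

// "Temporaries to destroy": a temporary materialised in a full-expression is
// destroyed at the end of that full-expression, unless it is bound to a reference.
struct Tracker {
  static int live;
  Tracker()  { ++live; }
  ~Tracker() { --live; }
  int live_now() const { return live; }
};
int Tracker::live = 0;

// Returns 10 * (live objects observed inside the full-expression) + (live after it).
int temporary_in_full_expression() {
  Tracker::live = 0;
  int inside = Tracker().live_now();   // the temporary is alive here ...
  return inside * 10 + Tracker::live;  // ... and already destroyed here: 10
}

// Binding a temporary to a const reference extends its lifetime to the reference's.
int temporary_bound_to_reference() {
  Tracker::live = 0;
  const Tracker& r = Tracker();
  return r.live_now();                 // still alive: 1
}
```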

SLIDE 24

Variables & Regions

All program state is represented uniformly as resources.
  ► Simple representation of stack-allocated structs
  ► More uniform representation predicates

Regions: a mapping from names to locations. The location of x is a (persistent) resource, and all locations are accessed uniformly.

SLIDES 25-26

File-modular Verification

  • #include & macros
    ○ Verification after macro expansion
    ○ C++ is moving away from macros towards language-based features, e.g. constexpr
  • Lots of code in header files.

Sketch on the slide (three files; bodies elided as on the original):

  lib.hpp:   int foo(int) { … }   extern int bar();
  lib.cpp:   #include "lib.hpp"   struct F { … };   int main() { … }
  main.cpp:  #include "lib.hpp"   struct B { … };   int main() { … }

Verify once! Preservation under compatible extension.

SLIDE 27

Features of C++

Semantic Challenges

  • Value categories
  • Side-effects
  • Modularity

  -> Weakest precondition semantics in Iris

Classes + Objects

  • Constructors
  • Destructors
  • Inheritance

  -> Describe the object system in separation logic.

Surface Complexities

  • Parsing
  • Type checking
  • Overload resolution
  • Syntactic sugar

  -> Hooking into existing tooling

SLIDES 28-30

Supporting Classes + Objects

Classes are a pervasive addition in C++:
  ► Constructors
  ► Destructors
  ► Member functions
  ► Virtual functions

Fairly easy due to information in the AST, e.g. explicit cast nodes, etc.

Object identity is intricate.
  ► Track it using language-specific ghost state

Still looking for a good abstraction for reasoning. (Do you have ideas?)
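As an added example (not from the slides or from cpp2v), three ways in which a raw address under-determines C++ object identity, which is why a logic has to track identity with language-specific ghost state rather than with pointer values; Base/Derived, Counter and Shape/Circle are constructed types for illustration.

```cpp
// Added example: constructed types Base/Derived, Counter, Shape/Circle; standard C++ only.
#include <new>

// Standard-layout: Derived's Base subobject is pointer-interconvertible with the
// complete Derived object, so two distinct objects share one address.
struct Base { int b; };
struct Derived : Base { };

bool base_subobject_shares_address() {
  Derived obj{};
  Base* sub = &obj;                       // derived-to-base: points to the Base subobject
  return static_cast<void*>(sub) == static_cast<void*>(&obj);   // true
}

// Storage reuse: after explicit destruction and placement-new, the same bytes hold a
// new object with fresh state; pointer equality says nothing about which object.
struct Counter {
  int hits = 0;
  static int constructed;
  Counter() { ++constructed; }
};
int Counter::constructed = 0;

bool storage_reuse_creates_new_object() {
  Counter::constructed = 0;
  alignas(Counter) unsigned char buf[sizeof(Counter)];
  Counter* first = new (buf) Counter;
  first->hits = 5;
  first->~Counter();                      // lifetime of the first object ends
  Counter* second = new (buf) Counter;    // second object, same storage
  bool same_address = static_cast<void*>(first) == static_cast<void*>(second);
  bool fresh_state = second->hits == 0 && Counter::constructed == 2;
  second->~Counter();
  return same_address && fresh_state;     // true
}

// Dynamic type: the object reached through a Shape* is still the Circle object, and
// virtual dispatch resolves on that identity, not on the static pointer type.
struct Shape { virtual ~Shape() = default; virtual int kind() const { return 1; } };
struct Circle : Shape { int kind() const override { return 2; } };
int kind_through_base_pointer() { Circle c; Shape* s = &c; return s->kind(); }   // 2
```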

SLIDE 31

Features of C++

Semantic Challenges

  • Value categories
  • Side-effects
  • Modularity

  -> Weakest precondition semantics in Iris

Classes + Objects

  • Constructors
  • Destructors
  • Inheritance

  -> Describe the object system in separation logic.

Surface Complexities

  • Parsing
  • Type checking
  • Overload resolution
  • Syntactic sugar

  -> Hooking into existing tooling

Unsupported Features

  • Uninstantiated templates
  • Lambda expressions
  • Virtual inheritance
  • Exceptions
  • Weak memory

SLIDE 32

Verification for Everyone

SLIDES 33-34

It helps!

  • Teaching everyone to specify their code
    ○ Very helpful to tie verification to a language they already know.
    ○ Systems engineers are able to write first-order specifications.
    ○ There seems to be some cognitive benefit to classes.

“Every engineer uses some form of ‘verification’ in their head ..., formal verification simply helps putting that on paper precisely.” ~Systems Engineer

Separation logic is central to this.

SLIDE 35

Summary

  ► cpp2v is a tool for importing C++ code into Coq
  ► Built on top of the clang toolchain
  ► Axiomatic semantics of (much of) C++
  ► Some interesting challenges in C++

cpp2v

https://github.com/bedrocksystems/cpp2v

Contributions, collaborations, and users welcome