v erification de programmes avec pointeurs a l aide de r
play

V erification de programmes avec pointeurs ` a laide de r egions - PowerPoint PPT Presentation

Jun 18, 2023 •416 likes •944 views

INRIA Saclay Universit e de Paris-Sud 11 Ile-de-France Centre dOrsay Equipe ProVal V erification de programmes avec pointeurs ` a laide de r egions et de permissions Romain Bardou pr esent ee le 14 octobre 2011

  1. INRIA Saclay – ˆ Universit´ e de Paris-Sud 11 Ile-de-France Centre d’Orsay Equipe ProVal V´ erification de programmes avec pointeurs ` a l’aide de r´ egions et de permissions Romain Bardou pr´ esent´ ee le 14 octobre 2011 devant le jury compos´ e de : MM. Peter M¨ uller Fran¸ cois Pottier Jean Goubault-Larrecq Burkhart Wolff Claude March´ e 1 / 51

  2. There are two ways to write error-free programs; only the third one works. — Alan J. Perlis 2 / 51

  3. Program Verification programming needs thinking verification is tedious human machine thinking good bad repetition bad good parts of verification are repetitive = ⇒ let the human program and the machine verify Introduction Program Verification 3 / 51

  4. Trade-Off: Automation vs. Expressiveness properties: “ x is always an integer” automated (typing) “ x is always an odd integer” requires reasoning (annotations) “for all i , a [ i ] is prime” requires more reasoning (proofs) Introduction Program Verification 4 / 51

  5. Deductive Program Verification program + specification verification conditions automatic theorem provers proof assistants (Alt-Ergo, Simplify, Z3, CVC3, ...) (Coq, Isabelle, ...) Introduction Deductive Program Verification 5 / 51

  6. Deductive Program Verification expressiveness: ◮ mainstream programming languages (C, Java...) ◮ (at least) first-order logic for specifications automation: ◮ specification written by hand ◮ automatic provers for simple verification conditions ◮ proof assistants for difficult verification conditions Introduction Deductive Program Verification 6 / 51

  7. Deductive Verification: Example void max( int i, int j) /*@ ensures \result >= i && \result >= j */ { if (i > j) return i; else return j; } verification conditions: i > j ⇒ i ≥ i ∧ i ≥ j ¬ ( i > j ) ⇒ j ≥ i ∧ j ≥ j Introduction Deductive Program Verification 7 / 51

  8. Pointers pointer = variable containing a location pointed value = value stored at location x loc · · · · · · 42 loc Introduction Pointers 8 / 51

  9. Pointer Aliasing *p = 42; *q = 69; /*@ assert *p = 42; */ what if p = q ? verification conditions? Introduction Pointers 9 / 51

  10. Data Invariants: Examples handy specification tool “this array is always sorted” “this tree is a search tree” “this tree is well-balanced” “rocket speed is always positive” Introduction Data Invariants 10 / 51

  11. Related Work ownership ◮ Data Groups [Leino 1998] ◮ Ownership Types [Clarke, Potter, Noble 1998] ◮ Spec# Methodology [Barnett et al. 2004] ◮ Universe Types [Dietl, Muller 2005] ◮ Considerate Reasoning [Summers, Drossopoulou 2010] alias control ◮ Separation Logic [Reynolds 2002] ◮ Regional Logic [Banerjee, Naumann, Rosenberg 2008] ◮ (implicit) Dynamic Frames [Kassios 2006; Smans et al. 2009] Regions, Permissions / Capabilities, Alias Types... Introduction Contributions 11 / 51

  12. Main Contribution A type system using regions and permissions to structure the heap in a modular fashion, control pointer aliasing and data invariants and produce proof obligations where pointers are separated. implemented as a tool called Capucine Introduction Contributions 12 / 51

  13. Contents Introduction The Capucine Language Classes Regions Permissions Operations Ownership Coherence Preservation Conclusion Computing Verification Conditions Conclusion The Capucine Language 13 / 51

  14. Classes class = record + invariant + owned regions class Pair { fst : int ; snd : int ; invariant fst < snd ; } The Capucine Language Classes 14 / 51

  15. Pointer Types and Regions region = set of locations memory structured using regions the type of a pointer [ ρ ] gives its region ρ fun incrPair [ r : Pair ] ( p : [ r ]): unit { p . fst ← p . fst + 1; p . snd ← p . snd + 1; } The Capucine Language Regions 15 / 51

  16. Life Cycle of Pointers ◮ allocation ◮ initialization of fields ◮ verification of the invariant ◮ insertion into a data structure ◮ update + invariant preservation permissions track the state of objects The Capucine Language Permissions 16 / 51

  17. Permissions permission = type-level information about a region permissions evolve during execution: statements consume and produce permissions permissions cannot be duplicated The Capucine Language Permissions 17 / 51

  18. Allocation and Initialization operation let region r : C ◮ produces r ∅ operation let x = new C [ ρ ] ◮ consumes ρ ∅ ◮ produces ρ ◦ { f 1 , · · · , f k } and owned permissions operation x . f ← e when x : [ ρ ] ◮ consumes ρ ◦ { g } ◮ produces ρ ◦ { g − f } The Capucine Language Operations 18 / 51

  19. Allocation: Example r ∅ let region r : Pair ; r ◦ { fst , snd } let p = new Pair [ r ]; r ◦ { snd } p . fst ← 42; r ◦ p . snd ← 69; The Capucine Language Operations 19 / 51

  20. Permission Diagram (so far) let region r ∅ new r ◦ {· · ·} ← r ◦ The Capucine Language Operations 20 / 51

  21. Packing and Unpacking if y : [ ρ ] operation pack y ◮ consumes ρ ◦ and owned permissions ◮ produces ρ × ◮ requires the invariant of y as a pre-condition operation unpack y ◮ consumes ρ × ◮ produces ρ ◦ and owned permissions note: ρ ◦ required to modify y . f ⇒ if ρ × available, then the invariant of y holds = The Capucine Language Operations 21 / 51

  22. Example: Incrementing a Pair fun incrPair [ r : Pair ] ( p : [ r ]): unit consumes r × produces r × { r ◦ unpack p ; r ◦ p . fst ← p . fst + 1; r ◦ p . snd ← p . snd + 1; r × pack p ; (* invariant must hold *) } The Capucine Language Operations 22 / 51

  23. Permission Diagram (so far) let region r ∅ new r ◦ {· · ·} ← unpack r ◦ r × r × pack The Capucine Language Operations 23 / 51

  24. Adoption: From Singleton to Group if x : [ σ ] operation adopt x : σ as ρ ◮ consumes σ × and ρ G ◮ produces ρ G ◮ type of x becomes [ ρ ] x is then both in σ and ρ region σ is disabled The Capucine Language Operations 24 / 51

  25. Permission Diagram let region r ∅ new r ◦ {· · ·} ρ G ρ G ← adopt unpack r ◦ r × r × pack The Capucine Language Operations 25 / 51

  26. Focus: From Group to Singleton operation focus x : ρ as σ when x : [ ρ ] ◮ consumes ρ G and σ ∅ ◮ produces σ −◦ ρ and σ × ◮ type of x becomes [ σ ] x is then both in σ and ρ region ρ is temporarily disabled operation unfocus x : σ as ρ when x : [ σ ] ◮ consumes σ −◦ ρ and σ × ◮ produces ρ G ◮ type of x becomes [ ρ ] region ρ is re-enabled region σ is disabled The Capucine Language Operations 26 / 51

  27. Aliased or Not Aliased? p and q may be aliased: fun f [ r : Pair ] ( p : [ r ] , q : [ r ]): unit consumes r G produces r G p and q cannot be aliased: fun f [ r p : Pair , r q : Pair ] ( p : [ r p ] , q : [ r q ]): unit consumes r pG r qG produces r pG r qG The Capucine Language Operations 27 / 51

  28. Ownership locations may own regions class LongPairOwn { single r 1 : Long ; single r 2 : Long ; fst : [ r 1 ]; snd : [ r 2 ]; invariant fst . value < snd . value ; } invariant can only mention owned objects (enforced by typing) The Capucine Language Ownership 28 / 51

  29. Allocation With Ownership r ∅ let region r : LongPairOwn ; r ◦ { fst , snd } p . r 1 ∅ p . r 2 ∅ let p = new LongPairOwn [ r ]; r ◦ { fst , snd } p . r 1 ◦ { value } p . r 2 ∅ let fst = new Long [ p . r 1 ]; r ◦ { fst , snd } p . r 1 ◦ p . r 2 ∅ fst . value ← 42; r ◦ { fst , snd } p . r 1 × p . r 2 ∅ pack fst ; r ◦ { fst , snd } p . r 1 × p . r 2 ◦ { value } let snd = new Long [ p . r 2 ]; r ◦ { fst , snd } p . r 1 × p . r 2 ◦ snd . value ← 69; r ◦ { fst , snd } p . r 1 × p . r 2 × pack snd ; r ◦ { snd } p . r 1 × p . r 2 × p . fst ← fst ; r ◦ p . r 1 × p . r 2 × p . snd ← snd ; r × pack p ; The Capucine Language Ownership 29 / 51

  30. Ownership: Summary allows invariants to depend on owned fields ◮ need to unpack p to modify p . fst . value structures the heap using an ownership tree The Capucine Language Ownership 30 / 51

  31. Heap Coherence we define a memory model and semantics for Capucine we define coherence of a heap w.r.t. available permissions ◮ empty regions are empty ◮ singleton regions have exactly one location ◮ locations in closed regions verify their invariant ◮ ... The Capucine Language Coherence Preservation 31 / 51

  32. Coherence Preservation Theorem (Coherence Preservation) Coherence of the heap is preserved through execution of a well-typed program. The Capucine Language Coherence Preservation 32 / 51

  33. Summary and Contributions take the existing notion of regions and permissions ◮ control aliasing my contributions ◮ use permissions to control invariants ◮ add ownership ◮ add region parameters to classes ◮ add region polymorphism ◮ use inference to guess some operations ◮ pack, unpack, adoption, focus, unfocus The Capucine Language Conclusion 33 / 51

  34. Contents Introduction The Capucine Language Computing Verification Conditions Use Regions to Separate Pointers Prefix Trees Experiments Progress Conclusion Conclusion Computing Verification Conditions 34 / 51

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

V erification de syst` emes avec compteurs et pointeurs Arnaud Sangnier LSV, ENS Cachan,

V erification de syst` emes avec compteurs et pointeurs Arnaud Sangnier LSV, ENS Cachan,

V erification de syst` emes avec compteurs et pointeurs Arnaud Sangnier LSV, ENS Cachan, CNRS &amp; EDF R&amp;D 21 Novembre 2008 Th` ese CIFRE r ealis ee dans le cadre du projet RNTL AVERILES 1 Computer systems are everywhere 2

1.18k views • 79 slides
V erification des programmes dordre sup erieur Charles Grellois (travaux r ealis

V erification des programmes dordre sup erieur Charles Grellois (travaux r ealis

V erification des programmes dordre sup erieur Charles Grellois (travaux r ealis es avec Dal Lago et Melli` es) Aix-Marseille Universit e - LSIS Visite des etudiants de lENS Paris-Saclay 23 novembre 2017 Charles

593 views • 57 slides
V erification automatique de multiplicateurs avec les *BMDs Pierre Senellart 10 d ecembre

V erification automatique de multiplicateurs avec les *BMDs Pierre Senellart 10 d ecembre

V erification automatique de multiplicateurs avec les *BMDs Pierre Senellart 10 d ecembre 2002 Introduction BDDs [1] very powerful tools for veifying arithmetic circuits. But exponential on multipliers. *BMDs [2] give a

524 views • 20 slides
Analyse statique de programmes num eriques avec calculs flottants eme Rencontres Arithm 4 `

Analyse statique de programmes num eriques avec calculs flottants eme Rencontres Arithm 4 `

Analyse statique de programmes num eriques avec calculs flottants eme Rencontres Arithm 4 ` etique de lInformatique Math ematique Antoine Min e Ecole normale sup erieure 9 f evrier 2011 Perpignan 9/02/2011 Analyse

896 views • 70 slides
COMPUT COMPUT E E R AIDE R AIDE D DE D DE T T E E CT CT ION OF ION OF PUL PUL

COMPUT COMPUT E E R AIDE R AIDE D DE D DE T T E E CT CT ION OF ION OF PUL PUL

COMPUT COMPUT E E R AIDE R AIDE D DE D DE T T E E CT CT ION OF ION OF PUL PUL MONARY MONARY T UBE RCUL OSIS ON DIGIT AL CHE ST RADIOGRAPHS: A SYST E MAT IC RE VIE W T RI PT I PANDE ADVANCE ADVANCE D T D T B

195 views • 18 slides
The Community Health Aide Program and Dental Health Aide Certification Opportunities for Tribal

The Community Health Aide Program and Dental Health Aide Certification Opportunities for Tribal

Sonosky, Chambers, Sachse, Miller &amp; Munson, LLP The Community Health Aide Program and Dental Health Aide Certification Opportunities for Tribal Health National Indian Health Board Public Health Summit Myra M. Munson, J.D., M.S.W. April 1

475 views • 12 slides
2014 Parade Aide Orientation What does a parade aide do? Parade aides follow a series of

2014 Parade Aide Orientation What does a parade aide do? Parade aides follow a series of

2014 Parade Aide Orientation What does a parade aide do? Parade aides follow a series of Tasks Pre Load/Load Bus Ride At Parade Site During Parade Post Parade Departing for Home Finish/Clean Up Pre Load/Load Where

639 views • 25 slides
FFR et STEMI : quel moment, pour quelles artres avec quelles limites ? GRCI, Paris 7

FFR et STEMI : quel moment, pour quelles artres avec quelles limites ? GRCI, Paris 7

FFR et STEMI : quel moment, pour quelles artres avec quelles limites ? GRCI, Paris 7 Dcembre 2018 Gilles Rioufol MD, PhD Interventional cardiology dpt Cardiovascular Hospital - Lyon - France CFR = Q max avec stnose FFR # Q max avec

163 views • 13 slides
Review of the Last Aide Memoire: Progress Against Agreed Actions - 2013 Dr. PB Chand PPICD

Review of the Last Aide Memoire: Progress Against Agreed Actions - 2013 Dr. PB Chand PPICD

Review of the Last Aide Memoire: Progress Against Agreed Actions - 2013 Dr. PB Chand PPICD Ministry of Health &amp; Population Background - Issued after joint annual review held on 28- 30 January 2013 - 13 agreed actions Aide- Memoire -

212 views • 18 slides
A M A M IXED ED V ER ON ERIFICATION S TRATEG EGY T AILOR ED FOR OR ORED N ET ORKS ON ON C C HIP

A M A M IXED ED V ER ON ERIFICATION S TRATEG EGY T AILOR ED FOR OR ORED N ET ORKS ON ON C C HIP

A M A M IXED ED V ER ON ERIFICATION S TRATEG EGY T AILOR ED FOR OR ORED N ET ORKS ON ON C C HIP ETWOR HIP G.Tsiligiannis, L.Pierre TIMA Laboratory, Grenoble, France I NTRODUCTION Questions: Is it worth defining a specific

556 views • 23 slides
FERM RMER ER V VOS OS MICR CROS S SVP VP La Presse Texte avec photo debats@lapresse.ca

FERM RMER ER V VOS OS MICR CROS S SVP VP La Presse Texte avec photo debats@lapresse.ca

FERM RMER ER V VOS OS MICR CROS S SVP VP La Presse Texte avec photo debats@lapresse.ca Gymnastique Qubec fait une mise jour avec lensemble des membres concernant la situation actuelle. - Les obligations / Les outils - La

667 views • 14 slides
V erification de protocoles cryptographiques en pr esence de th eories equationnelles

V erification de protocoles cryptographiques en pr esence de th eories equationnelles

V erification de protocoles cryptographiques en pr esence de th eories equationnelles V erification de protocoles cryptographiques en pr esence de th eories equationnelles Pascal Lafourcade LSV, UMR 8643, CNRS, ENS de

1.12k views • 74 slides
National Tax Training Committee SUGGESTED AGENDAS TAX-AIDE TAX-AIDE TRS TRAINING - 2013 1

National Tax Training Committee SUGGESTED AGENDAS TAX-AIDE TAX-AIDE TRS TRAINING - 2013 1

National Tax Training Committee SUGGESTED AGENDAS TAX-AIDE TAX-AIDE TRS TRAINING - 2013 1 SUGGESTED AGENDAS Agenda for Instructor Workshop Instructor agenda for new counselors Instructor agenda for returning counselors

358 views • 18 slides
NORTH CAROLINA DMV Identification Requirements and erification of Lawful Status in the U.S.

NORTH CAROLINA DMV Identification Requirements and erification of Lawful Status in the U.S.

NORTH CAROLINA DMV Identification Requirements and erification of Lawful Status in the U.S. Wednesday, January 25, 2012 Step 1 Documents Required as Proof of Identification to receive a DL/ID Driver License or State Issued

743 views • 27 slides
Funds and Programmes Division Roles and Functions Funds and Programmes Division Set Up

Funds and Programmes Division Roles and Functions Funds and Programmes Division Set Up

Funds and Programmes Division Roles and Functions Funds and Programmes Division Set Up Cabinet Memo 314 of 2010 establishes the remit of the Funds and Programmes Division (FPD). Set up on 1 st June 2011 Mission Statement To handle

704 views • 34 slides
l'allocation de l'aide? Facing the crisis, which priorities in aid allocation? Introduction by

l'allocation de l'aide? Facing the crisis, which priorities in aid allocation? Introduction by

FONDATION POUR LES ETUDES ET RECHERCHES SUR LE DEVELOPPEMENT INTERNATIONAL Face la crise, quelles priorits dans l'allocation de l'aide? Facing the crisis, which priorities in aid allocation? Introduction by Patrick Guillaumont Doha,

404 views • 18 slides
Secure Xen on ARM: Status and Driver Domain Separation Sang-bum Suh sbuk.suh@samsung.com SW

Secure Xen on ARM: Status and Driver Domain Separation Sang-bum Suh sbuk.suh@samsung.com SW

Secure Xen on ARM: Status and Driver Domain Separation Sang-bum Suh sbuk.suh@samsung.com SW Laboratories Corporate Technology Operations Samsung Electronics Presented at Xen Summit Autumn 2007, Sun Microsystems Contributors Sang-bum Suh

705 views • 21 slides
Outline Secure use of the OS Bernsteins perspective CSci 5271 Techniques for privilege

Outline Secure use of the OS Bernsteins perspective CSci 5271 Techniques for privilege

Outline Secure use of the OS Bernsteins perspective CSci 5271 Techniques for privilege separation Introduction to Computer Security Announcements intermission Day 9: OS security basics OS security: protection and isolation Stephen

649 views • 13 slides
Outline Introduction Operating System Security Memory protection CS 239

Outline Introduction Operating System Security Memory protection CS 239

Outline Introduction Operating System Security Memory protection CS 239 Interprocess communications protection File protection Computer Security February 16, 2005 Lecture 10 Lecture 10 Page 1 Page 2 CS 239, Winter 2005

406 views • 8 slides
Hoare logic Lecture 5: Introduction to separation logic Jean Pichon-Pharabod University of

Hoare logic Lecture 5: Introduction to separation logic Jean Pichon-Pharabod University of

Hoare logic Lecture 5: Introduction to separation logic Jean Pichon-Pharabod University of Cambridge CST Part II 2017/18 Introduction In the previous lectures, we have considered a language, WHILE , where mutability only concerned program

734 views • 57 slides
CSE543 - Introduction to Computer and Network Security Module: Access Control Professor Patrick

CSE543 - Introduction to Computer and Network Security Module: Access Control Professor Patrick

522 views • 26 slides
Characteristics of volatile return series Quantitative Risk Management in R Log-returns compared

Characteristics of volatile return series Quantitative Risk Management in R Log-returns compared

QUANTITATIVE RISK MANAGEMENT IN R Characteristics of volatile return series Quantitative Risk Management in R Log-returns compared with iid data Can financial returns be modeled as independent and identically distributed (iid)? Random

519 views • 20 slides
Mixed models with correlated measurement errors Rasmus Waagepetersen October 5, 2020 Example

Mixed models with correlated measurement errors Rasmus Waagepetersen October 5, 2020 Example

Mixed models with correlated measurement errors Rasmus Waagepetersen October 5, 2020 Example from Department of Health Technology 25 subjects where exposed to electric pulses of 11 different durations using two different electrodes (3=pin,

478 views • 19 slides
Discrete Panel Data Michel Bierlaire michel.bierlaire@epfl.ch Transport and Mobility Laboratory

Discrete Panel Data Michel Bierlaire michel.bierlaire@epfl.ch Transport and Mobility Laboratory

Discrete Panel Data Michel Bierlaire michel.bierlaire@epfl.ch Transport and Mobility Laboratory Discrete Panel Data p. 1/34 Outline Introduction Static model Static model with panel effect Dynamic model Dynamic model

1.14k views • 34 slides

More recommend