Viper A Verification Infrastructure for Permission based Reasoning Peter Müller, ETH Zurich Joint work with Pietro Ferrara, Uri Juhasz, Ioannis Kassios, Milos Novacek, Malte Schwerhoff, and Alex Summers
2 Automatic Program Verification Most automatic deductive Programming & Programming & Programming & specification specification verifiers use solvers for first specification language language language order logic (Z3, CVC4) Front-end Front-end Front-end Verification conditions are computed via translation to Intermediate verification intermediate verification language language (Boogie, Why) Verification condition Many success stories: Corral, generator Dafny, Frama-C, Spec#, VCC Prover Peter Müller – Dagstuhl, May 04, 2015
3 Verifiers for Permission Logics Separation Logic (and other Programming & permission logics) use custom Programming & Programming & specification specification logics to reason about heap- specification language language language manipulating programs Custom verification engines Symbolic Symbolic Symbolic execution execution (jStar, Smallfoot, VeriFast) execution Custom decision procedures Prover (GRASShopper) or complex encodings (Chalice) Peter Müller – Dagstuhl, May 04, 2015
4 Viper Infrastructure Frontend Frontend Frontend Silver Sample Intermediate Language Specification Inference Carbon Silicon Viper Boogie Encoding Symbolic Execution Boogie VC Generation (Microsoft Research) Z3 SMT solver (Microsoft Research) Peter Müller – Dagstuhl, May 04, 2015
5 Language Overview of Silver Top-level declarations Statements - Fields - Assignments, calls, conditionals, loops - Methods - inhale, exhale - Heap-dependent functions - fold, unfold - Predicates Types - Domains (uninterpreted functions - Int, Bool, Ref, Perm and quantified axioms) - Set[T], Seq[T] - Types declared in domains Peter Müller – Dagstuhl, May 04, 2015
6 Example: Modeling Locks class C { int [ ] data; monitor invariant data _; void Foo( ) { acquire this ; int i = data.length; while ( 0 < i ) invariant data _; invariant holds ( this ); { …; i = i – 1; } release this ; } } Peter Müller – Dagstuhl, May 04, 2015
7 Example: Leak Check class C { int [ ] data; monitor invariant data _; void Foo( ) { acquire this ; int i = data.length; while ( 0 < i ) invariant data _; invariant holds ( this ); { …; i = i – 1; } release this ; } } Peter Müller – Dagstuhl, May 04, 2015
8 Example: Finite Blocking class C { int [ ] data; monitor invariant data _; void Foo( ) { acquire this ; int i = data.length; while ( 0 < i ) invariant data _; invariant holds ( this , i ); { …; i = i – 1; } release this ; } } Peter Müller – Dagstuhl, May 04, 2015
9 Viper – Frontends Java OpenCL Chalice Scala Frontend Frontend Frontend Frontend (University of Twente) (University of Twente) Silver Sample Intermediate Language Specification Inference Carbon Silicon Viper Boogie Encoding Symbolic Execution Boogie VC Generation (Microsoft Research) Z3 SMT solver (Microsoft Research) Peter Müller – Dagstuhl, May 04, 2015
10 Conclusion Viper is useful to - Develop verifiers based on permission-logics - Prototype new verification techniques - Experiment with and integrate different back-ends Next-Generation Concurrency - We have encoded message-passing and verified certain liveness properties (via ranking functions) - We have not yet experimented with racy programs, weak memory models, higher-order idioms Peter Müller – Dagstuhl, May 04, 2015
Recommend
More recommend
