Slide 1
Viper: A Verification Infrastructure for Permission-Based Reasoning
Malte Schwerhoff
3rd November 2016, Bad Herrenalb
Quantified Permissions: Dynamic-Frames-Style Specifications in Permission Logics
Slide 2: Frame Problem

When does a local specification { P } C { Q } extend to a frame R that C does not touch?

    { P } C { Q }
    -----------------------
    { P ∧ R } C { Q ∧ R }
Slides 3 and 4: Framing Methodologies

Dynamic Frames (no permissions): the frame rule carries an explicit side condition, namely that C modifies nothing that R reads.

    { P } C { Q }        modifies(C) ∩ reads(R) = ∅
    ----------------------------------------------
    { P ∧ R } C { Q ∧ R }

Separation Logic (permissions): the side condition is built into the separating conjunction, which requires P and R to describe disjoint parts of the heap.

    { P } C { Q }
    -----------------------
    { P ∗ R } C { Q ∗ R }
Slides 5 to 10: Permissions

    method mutate()
      requires acc(this.val)
      ensures  acc(this.val)

    method client(x, y)
      requires acc(x.val) ∗ acc(y.val)
    {
      var tmp := y.val
      x.mutate()
      assert tmp == y.val
    }

The slides animate the client's heap: two objects X and Y with fields x.val and y.val. The frame rule { P } C { Q } gives { P ∗ R } C { Q ∗ R } with P = Q = acc(x.val) and R = acc(y.val). The permission to x.val is handed to mutate(), so after the call the value of x.val is drawn as "?" (the client knows nothing about it any more), while the permission to y.val never leaves the client, so y.val is framed and the assertion holds.
Slides 11 to 15: Common Tool Infrastructures

No permissions:
    Prog. language, spec. language and methodology
      → Front end
      → Intermediate verification language
      → Verification condition generator
      → SMT solver

Permissions:
    Prog. language, spec. language and methodology
      → Custom verifier
      → SMT solver
    (a separate custom verifier for each tool)

Slide 15 annotates the two pictures: the shared intermediate verification language is marked "reuse", the per-tool custom verifiers are marked "repeat", and the distance a custom verifier has to bridge on its own down to the SMT solver is marked "abstraction gap".
Slide 16: Insufficient Tool Support for Permission Logics

    Prog. language, spec. language and methodology → Custom verifier → SMT solver

Verification efforts do not benefit fully from advances in theory.
Theory does not receive feedback from applications.
Slide 17

Facilitate the
1. development of tools
2. prototyping of encodings
for permission-based verification.
Slide 18: Viper

    Front end  ┐
    Front end  ┼→ Viper intermediate verification language → Back-end tools → SMT solver
    Front end  ┘
Slide 19: Permission Transfer

    { P } C { Q }
    -----------------------
    { P ∗ R } C { Q ∗ R }

At a call, the permissions in P move from the caller to the callee and the permissions in Q move back; R stays with the caller throughout.
Slide 20: Viper Features: Inhale and Exhale

    { P } C { Q }
    -----------------------
    { P ∗ R } C { Q ∗ R }

On the caller's side, a call is encoded as:

exhale P
  - assert value constraints
  - check and remove permissions
  - havoc newly-inaccessible locations
inhale Q
  - obtain permissions
  - assume value constraints
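As an added example, not part of the slides and not Viper's implementation, the following Python model makes the exhale/inhale steps above executable on a symbolic state. The State class, the Unknown marker for havoced values, the location tuples such as ("X", "val") and the initial values 1 and 2 are all constructed for illustration. It replays client(x, y) from slides 5 to 10: exhaling mutate()'s precondition removes the permission to x.val and havocs it, inhaling the postcondition gives the permission back with an unknown value, and the final assertion only goes through for the framed y.val.

```python
from dataclasses import dataclass, field
from fractions import Fraction

FULL = Fraction(1)  # write permission; any smaller positive fraction allows reading only


class VerificationError(Exception):
    """Raised when an access, exhale or assertion cannot be justified."""


@dataclass(frozen=True)
class Unknown:
    """A fresh symbolic value produced by havoc; equal only to itself."""
    tag: str


@dataclass
class State:
    """Symbolic verifier state: a permission mask and a heap of values.
    Locations are (reference, field) pairs, e.g. ("X", "val") for x.val."""
    perms: dict = field(default_factory=dict)
    heap: dict = field(default_factory=dict)
    fresh: int = 0

    def perm(self, loc):
        return self.perms.get(loc, Fraction(0))

    def havoc(self, loc):
        """Forget the value: the verifier no longer knows what is stored there."""
        self.fresh += 1
        self.heap[loc] = Unknown(f"{loc[0]}.{loc[1]}#{self.fresh}")

    def read(self, loc):
        if self.perm(loc) <= 0:
            raise VerificationError(f"read {loc}: no permission")
        return self.heap[loc]

    def exhale(self, loc, amount=FULL):
        """exhale acc(loc, amount): check, remove, havoc if nothing remains."""
        if self.perm(loc) < amount:
            raise VerificationError(f"exhale {loc}: insufficient permission")
        self.perms[loc] = self.perm(loc) - amount
        if self.perms[loc] == 0:
            self.havoc(loc)  # someone else may now write it; all knowledge is lost

    def inhale(self, loc, amount=FULL):
        """inhale acc(loc, amount): obtain permission; a newly accessible
        location has an unknown value until a constraint is assumed."""
        if self.perm(loc) + amount > FULL:
            raise VerificationError(f"inhale {loc}: more than write permission")
        if self.perm(loc) == 0:
            self.havoc(loc)
        self.perms[loc] = self.perm(loc) + amount


def call(state, pre, post):
    """A call as permission transfer: exhale the callee's precondition
    locations, then inhale its postcondition locations (no value
    constraints, matching mutate() on the slides)."""
    for loc in pre:
        state.exhale(loc)
    for loc in post:
        state.inhale(loc)


def prove_eq(a, b):
    """An assertion is accepted only if both sides are known to be the same."""
    if a != b:
        raise VerificationError(f"cannot prove {a} == {b}")
    return True


def verify_client(check):
    """Replay client(x, y) from the slides; the final assertion compares tmp
    with `check`.val. "Y" is the slide's assert tmp == y.val, "X" asks about
    the havoced x.val instead. Returns True if verification succeeds."""
    st = State()
    # requires acc(x.val) * acc(y.val); the concrete values 1 and 2 are
    # constructed so that the effect of havoc is visible
    st.inhale(("X", "val"))
    st.heap[("X", "val")] = 1
    st.inhale(("Y", "val"))
    st.heap[("Y", "val")] = 2
    try:
        tmp = st.read(("Y", "val"))                         # var tmp := y.val
        call(st, pre=[("X", "val")], post=[("X", "val")])   # x.mutate()
        return prove_eq(tmp, st.read((check, "val")))      # assert tmp == ...
    except VerificationError:
        return False


def verify_unpermitted_call():
    """Calling x.mutate() while holding no permission to x.val fails at the
    exhale of its precondition. Returns True if the verifier rejects it."""
    st = State()
    try:
        call(st, pre=[("X", "val")], post=[("X", "val")])
        return False
    except VerificationError:
        return True
```

verify_client("Y") succeeds because the permission to y.val is the frame R of the call and its value is never havoced; verify_client("X") fails because x.val was havoced when its permission was exhaled, so the verifier cannot relate it to tmp. This is the whole mechanism behind framing in a permission logic: no side condition on modifies/reads, only bookkeeping on permissions.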
Slide 21: Demo
Slide 22: Recursive Predicates

    predicate list(this: Ref) {
      this != null ==> acc(this.data) && acc(this.next) && list(this.next)
    }

    unfold list(this)
    // access this.data and this.next
    fold list(this)
Slides 23 to 27: Recursive Predicates: Limitations

Illustrated on linked lists (the figures show list heads v and w):
- Extending
- Sharing
- Traversing
Slides 28 and 29: Unbounded Data Structures

- Unidirectional: recursive predicates are often a suitable specification mechanism.
- Multidirectional, Random Access, Unstructured: need for an alternative specification mechanism.
Slides 30 to 34: Quantified Permissions

Multidirectional:
    forall n in nodes :: acc(n.next) && acc(n.prev)

Random Access:
    forall i in [0..5] :: acc(arr[i])
    forall i in [0..5] :: i % 2 == 1 ==> acc(arr[i])

Unstructured:
    forall n in nodes :: acc(n.succs) && acc(n.marked)
    forall n in nodes :: acc(n.succs) && acc(n.marked) && (n.marked ==> forall m in n.succs :: m.marked)
Slide 35: List Tail Sharing Revisited

    predicate list(nodes: Set[Ref]) {
      forall n in nodes :: acc(n.data) && acc(n.next) && (n.next != null ==> n.next in nodes)
    }

    list(nodes) && v in nodes && w.next in nodes

(The figure shows two lists, starting at v and at w, that share a tail.)
Slides 36 to 41: General Receiver Expressions

    inhale ∀ x ∈ S :: acc(e(x).f)
    exhale ∀ y ∈ R :: acc(y.f)

Challenge (slides 37 and 38): the inhale provides permission to the locations e(x).f for x ∈ S = {x₁, x₂, x₃, x₄, ..., xₙ}; the exhale asks for y.f for every y ∈ R = {y₁, y₂, y₃, ..., yₘ}. Answering acc(y.f)? therefore means answering ∃ x ∈ S :: e(x) = y?

Injectivity (slide 39):
1. Require e(x) to be injective (naturally satisfied by e.g. arrays and graphs).

Inverse functions (slide 40):
2. Axiomatise the inverse function e⁻¹(x) to the SMT solver.

Remaining questions (slide 41): for a given y, is e⁻¹(y) ∈ S? Is y.f ∈ L? Only then acc(y.f)?
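As an added example, not part of the slides and not Viper's implementation, the following Python model shows the three ingredients just described on finite sets: the injectivity check on e over S at inhale time, a concrete inverse map standing in for the axiomatised e⁻¹, and an exhale that decides acc(y.f) by asking whether e⁻¹(y) ∈ S and e(e⁻¹(y)) = y. The QPState and QChunk classes, the receiver encoding arr(i) = "arr[i]", the node names and the succ map are all constructed for illustration; the quantified assertions it replays are the ones from slides 30 to 34.

```python
from dataclasses import dataclass
from fractions import Fraction
from typing import Callable

FULL = Fraction(1)


class VerificationError(Exception):
    """Raised when an inhale is ill-formed or an exhale cannot be justified."""


@dataclass
class QChunk:
    """Permission to e(x).fld for every x in the domain, held per element.
    `inverse` is the concrete stand-in for the axiomatised e^-1."""
    domain: frozenset
    e: Callable
    inverse: dict
    fld: str
    amounts: dict  # x -> Fraction still held for e(x).fld


class QPState:
    def __init__(self):
        self.chunks = []

    def inhale_forall(self, domain, e, fld, amount=FULL):
        """inhale forall x in domain :: acc(e(x).fld, amount)"""
        domain = frozenset(domain)
        images = [e(x) for x in domain]
        # Injectivity: two domain elements hitting one receiver would give that
        # location permission twice, so such a quantifier is rejected up front.
        if len(set(images)) != len(images):
            raise VerificationError(f"{fld}: receiver expression not injective on domain")
        inverse = {e(x): x for x in domain}
        self.chunks.append(QChunk(domain, e, inverse, fld, {x: amount for x in domain}))

    def _holders(self, y, fld):
        """Chunks that cover y.fld: e^-1(y) must lie in S and map back to y."""
        for c in self.chunks:
            if c.fld != fld:
                continue
            x = c.inverse.get(y)
            if x is not None and x in c.domain and c.e(x) == y:
                yield c, x

    def perm(self, y, fld):
        return sum((c.amounts[x] for c, x in self._holders(y, fld)), Fraction(0))

    def exhale_forall(self, rng, fld, amount=FULL):
        """exhale forall y in rng :: acc(y.fld, amount): check every y, then remove."""
        for y in rng:
            if self.perm(y, fld) < amount:
                raise VerificationError(f"exhale: insufficient permission to {y}.{fld}")
        for y in rng:
            need = amount
            for c, x in self._holders(y, fld):
                take = min(c.amounts[x], need)
                c.amounts[x] -= take
                need -= take
                if need == 0:
                    break


def arr(i):
    """Constructed receiver encoding: array slot i as a reference."""
    return f"arr[{i}]"


def array_example():
    """forall i in [0..5] :: acc(arr[i]) inhaled, then the odd slots exhaled
    (i % 2 == 1 ==> acc(arr[i])). Returns the permission left for arr[0], arr[1]."""
    st = QPState()
    st.inhale_forall(range(5), arr, "val")
    st.exhale_forall([arr(i) for i in range(5) if i % 2 == 1], "val")
    return st.perm(arr(0), "val"), st.perm(arr(1), "val")


def missing_preimage_example():
    """Only the odd slots are inhaled; exhaling arr[2] must fail because
    e^-1(arr[2]) is not in the domain. Returns True if the exhale is rejected."""
    st = QPState()
    st.inhale_forall([i for i in range(5) if i % 2 == 1], arr, "val")
    try:
        st.exhale_forall([arr(2)], "val")
        return False
    except VerificationError:
        return True


def non_injective_example():
    """Receiver n.succ with two nodes sharing a successor (constructed graph):
    inhaling forall n in nodes :: acc(n.succ.marked) is rejected. Returns True if so."""
    succ = {"a": "c", "b": "c"}
    st = QPState()
    try:
        st.inhale_forall(succ.keys(), succ.get, "marked")
        return False
    except VerificationError:
        return True


def graph_example():
    """forall n in nodes :: acc(n.next) && acc(n.prev), then exhale n2.next only.
    Returns (permission to n2.next, permission to n2.prev)."""
    st = QPState()
    nodes = {"n1", "n2", "n3"}
    st.inhale_forall(nodes, lambda n: n, "next")
    st.inhale_forall(nodes, lambda n: n, "prev")
    st.exhale_forall(["n2"], "next")
    return st.perm("n2", "next"), st.perm("n2", "prev")
```

The model enumerates S and R, which an SMT-backed verifier cannot do; there, the inverse map is replaced by axioms e⁻¹(e(x)) = x for x ∈ S and e(e⁻¹(y)) = y for y in the image, and the same two questions are posed to the solver per exhaled location.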
Slide 42: Demo
Slides 43 and 44: Dynamic Frames vs. Permissions

Dynamic Frames: sharing per default
- arbitrary data structures
- poorly supported in tools

Permission Logics: disjointness per default
- concurrency
- Viper's quantified permissions: specify and maintain disjointness explicitly, which brings the arbitrary data structures of the dynamic-frames side within reach
Slide 45: Viper: Currently

Front ends: Java, Chalice, OpenCL, Python
    ↓
Viper intermediate verification language
    ↓
Back ends: Abstract interpretation (inference); Verification condition generator (verifier), via Boogie; Symbolic execution (verifier)
    ↓
SMT solver

Slide 46: Viper: Next

The same architecture, extended with support for fine-grained concurrency.

Slide 47

Fine-grained concurrency: C₁ || C₂

http://viper.ethz.ch