A checkable interface language for pointer-based structures

A scalable approach to addressing the verifying compiler grand challenge must handle the following four categories of programs that arise from modern programming language constructs for modern software engineering tasks: (1) code that uses only built-in data types (e.g., integers, records, arrays, some uses of pointers) to provide new functionality; (2) code that represents new user-defined abstract data types (ADTs) by using only built-in data types; (3) code that uses exist-ing user-defined ADTs to provide new functionality, but no new types; and (4) code that represents new user-defined ADTs by layering them on existing user-defined ADTs. Progress has been reported on verifying— sometimes automatically—the first two kinds of programs. In contrast, progress on applying automated reasoning to the latter two kinds of pro-grams has been elusive. Yet this is a critical piece of the verified software puzzle because such layering enables both vertical scaling of software and modular ver...

2005

We present an analysis to verify abstract set specifications for programs that use object field values to determine the membership of objects in abstract sets. In our approach, each module may encapsulate several data structures and use membership in abstract sets to characterize how objects participate in its data structures. Each module's specification uses set algebra formulas to characterize the effects of its operations on the abstract sets.

FM 2011: Formal Methods, 2011

Conventional specifications typically have a flat structure that is based primarily on the underlying logic. Such specifications lack structures that could have provided better guidance to the verification process. In this work, we propose to add three new structures to a specification framework for separation logic to achieve a more precise and better guided verification for pointer-based programs. The newly introduced structures empower users with more control over the verification process in the following ways: (i) case analysis can be invoked to take advantage of disjointness conditions in the logic. (ii) early, as opposed to late, instantiation can minimise on the use of existential quantification. (iii) formulae that are staged provide better reuse of the verification process. Initial experiments have shown that structured specifications can lead to more precise verification without incurring any performance overhead.

IEEE Transactions on Software Engineering, 1997

The typical correspondence between a concrete representation and an abstract conceptual value of an abstract data type (ADT) variable (object) is a many-to-one function. For example, many different pointer aggregates give rise to exactly the same binary tree. The theoretical possibility that this correspondence generally should be relational has long been recognized. By using a nontrivial ADT for handling an optimization problem, we show why the need for generalizing from functions to relations arises naturally in practice. Making this generalization is among the steps essential for enhancing the practical applicability of formal reasoning methods to industrial-strength software systems.

2010

Abstract. We present a new approach for automatic verification of data-dependent programs manipulating dynamic heaps. A heap is encoded by a graph where the nodes represent the cells, and the edges reflect the pointer structure between the cells of the heap. Each cell contains a set of variables which range over the natural numbers. Our method relies on standard backward reachability analysis, where the main idea is to use a simple set of predicates, called signatures, in order to represent bad sets of heaps. Examples of bad heaps are those which contain either garbage, lists which are not well-formed, or lists which are not sorted. We present the results for the case of programs with a single next-selector, and where variables may be compared for equality or inequality. This allows us to verify for instance that a program, like bubble sort or insertion sort, returns a list which is well-formed and sorted, or that the merging of two sorted lists is a new sorted list. We will report ...

Electronic Notes in Theoretical Computer Science, 2007

Recent developments in the area of expressive types have the prospect to supply the ordinary programmer with a programming language rich enough to verify complex program properties. Program verification is made possible via tractable type checking. We explore this possibility by considering two specific examples; verifying sortedness and resource usage verification. We show that advanced type error diagnosis methods become essential to assist the user in case of type checking failure. Our results point out new research directions for the development of programming environments in which users can write and verify their programs.

ACM SIGPLAN Notices, 2008

X10 is a modern object-oriented language designed for productivity and performance in concurrent and distributed systems. In this setting, dependent types offer significant opportunities for detecting design errors statically, documenting design decisions, eliminating costly runtime checks (e.g., for array bounds, null values), and improving the quality of generated code. We present the design and implementation of constrained types, a natural, simple, clean, and expressive extension to object-oriented programming: A type C(:c) names a class or interface C and a constraint c on the immutable state of C and in-scope final variables. Constraints may also be associated with class definitions (representing class invariants) and with method and constructor definitions (representing preconditions). Dynamic casting is permitted. The system is parametric on the underlying constraint system: the compiler supports a simple equalitybased constraint system but, in addition, supports extension with new constraint systems using compiler plugins.

Lecture Notes in Computer Science, 2012

Ultimately, any verifying compiler effort needs to be able to verify code that makes use of pointers, though language mechanisms for data abstraction, alias avoidance and control, or disciplined software development techniques may minimize the need for code that is directly based on pointering. It is also clear that the verification machinery of such as compiler must use specifications of components to reason about component-based software in order to be scalable. So this paper follows a natural question that arises by putting these two ideas together: Can the general machinery in a verifying compiler for component specificationbased verification also be used to verify code that uses typically built-in types, such as arrays and pointers, if those types are defined to have specifications similar to any other component? This paper answers the question in the affirmative by presenting a Location Linking Template, a concept that captures pointer behavior, and using it to verify the code of a simple data abstraction realized using pointers. Additionally, we note that the concept can be extended and realized so that different languages can plug in alternative implementations to give programmers the flexibility to choose manual memory management or automatic garbage collection depending on their performance concerns. 5

Computer Languages, 1977

Recognizing the problems that the use of pointers pose to the construction of reliable software, this two-part paper proposes a scheme by which pointers may be used in a controlled manner to build data abstractions without being used as abstractions in their own right. Part I presents the language constructs facilitating the proposal. Part II (to be published in a forthcoming issue) attempts to show, by use of a fairly complex example, that proving the correctness of an implementation of an abstraction built in this manner from pointers need not be more difficult than other implementation correctness proofs.

Frontiers of Computer Science, 2013

Translation validation was invented in the 90's by Pnueli et al. as a technique to formally verify the correctness of code generators. Rather than certifying the code generator or exhaustively qualifying it, translation validators attempt to verify that program transformations preserve semantics. In this work, we adopt this approach to formally verify that the clock semantics and data dependence are preserved during the compilation of the Signal compiler. Translation validation is implemented for every compilation phase from the initial phase until the latest phase where the executable code is generated, by proving the transformation in each phase of the compiler preserves the semantics. We represent the clock semantics, the data dependence of a program and its transformed counterpart as first-order formulas which are called clock models and synchronous dependence graphs (SDGs), respectively. We then introduce clock refinement and dependence refinement relations which express the preservations of clock semantics and dependence, as a relation on clock models and SDGs, respectively. Our validator does not require any instrumentation or modification of the compiler, nor any rewriting of the source program.