Скачать презентацию Verifying Safety Policies with Size Properties and Alias Скачать презентацию Verifying Safety Policies with Size Properties and Alias

2926bdf66b6b25f88b96ad485351cf0b.ppt

  • Количество слайдов: 37

Verifying Safety Policies with Size Properties and Alias Controls Wei Ngan Chin 1, 2, Verifying Safety Policies with Size Properties and Alias Controls Wei Ngan Chin 1, 2, Siau-Cheng Khoo 1, Shengchao Qin 3, Corneliu Popeea 1, Huu Hai Nguyen 2 1 National University of Singapore 2 Singapore-MIT Alliance 3 University of Durham

Background • Uses of Size Analysis : • array bound check elimin. [Xi-Pfenning'98] • Background • Uses of Size Analysis : • array bound check elimin. [Xi-Pfenning'98] • data structure invariance [Xi-Pfenning'99] • termination analysis [Lee-Jones'01] • space complexity [Hofman-Jost'03] analyse and verify • Current Status : • mostly for declarative languages (functional + logic) • restricted imperative language (e. g. Xanadu) 2

Our Goal • Static Verification for Object-Based Programs • Main Challenges : • objects Our Goal • Static Verification for Object-Based Programs • Main Challenges : • objects may mutate • objects may be aliased • Our Approach Use size analysis and alias controls to specify and verify safety policies 3

Type System for Size Analysis • Uses annotated types : : = c<s 1, Type System for Size Analysis • Uses annotated types : : = c • Types are annotated with size properties that capture: value True --> b=1 n=3 value 3 --> value False --> b=0 Values : bool, int Lengths : Array, List, Tree 4

Methods with Size Annotation mn ( 1 v 1, … , n vn) where Methods with Size Annotation mn ( 1 v 1, … , n vn) where pre ; post { body } • Examples int add (int x, int y) where true ; (r=a+b) { x+y } int sub (Array A, int i) where (0 i s) ; true { A[i] } 5

Object with Size Invariant • AVL Tree: s – number of nodes in tree Object with Size Invariant • AVL Tree: s – number of nodes in tree h – height of tree def - size definition adt AVL where s=1+s 2 Æ h=1+max(h 1, h 2) ; s¸ 0 Æ h¸ 0 Æ -1·h 1 -h 2· 1 { int val ; element sub-tree left value AVL left ; inv - AVL sub-tree right Tree is height-balanced AVL right; … } void insert (AVL t, int n) where true ; s’=s+1 Æ h·h’·h+1 {. . . } AVL’s invariant is preserved after node insertion 6

Mutability & Aliasing adt List<n> where n=m+1 ; n 0 { int<v> val ; Mutability & Aliasing adt List where n=m+1 ; n 0 { int val ; tail of the list List next; void set. Next (List x, List y) where n>0 ; n’=l+1 { x. next = y } …} • Problem with aliasing and mutability : List a = new List(5, new List(6, null)); // x’=2 List b = a; // y’=x Æ x’=x set. Next(b, null); // y’=1 Æ x’=x Unsound conclusion: x’=2 Æ y’=1 7

Alias Controls Goal: precisely and soundly capture size-properties. Adopted annotations : Immutability + Uniqueness Alias Controls Goal: precisely and soundly capture size-properties. Adopted annotations : Immutability + Uniqueness Each reference (field/param/local var) is marked: • • Read-Only (R) : always refers to the same object. Unique (U) : sole reference to an object. Shared (S) : maybe globally aliased. Lent-Once (L) : unique parameter temporarily lent. 8

Size Property for List (1) List with Read-Only (R) tail. adt List<n> where n=m+1 Size Property for List (1) List with Read-Only (R) tail. adt List where n=m+1 ; n¸ 0 { int@S val ; read-only List@R next ; : } List@S x; List@S y; freely shared x=y; and trackable y. val=4; y. next=x; 9

Size Property for List (2) List with Unique (U) tail. adt MList<n> where n=m+1 Size Property for List (2) List with Unique (U) tail. adt MList where n=m+1 ; n¸ 0 { int@S val ; mutable but MList@U next ; unique : } MList@U x; MList@U y; x=y; x. next=. . …y… y loses its uniqueness 10

Lending Annotation Properties of a Lent-once reference : • value does not escape the Lending Annotation Properties of a Lent-once reference : • value does not escape the method • has exclusive/unique access to the object void append (MList@L xs, MList@U ys) where m>0 ; m'=m+n lent & unique { if xs. next==null then xs. next=ys else append(xs. next, ys) } 11

Lending Annotation void append (MList<m>@L xs, MList<n>@U ys) where m>0 ; m'=m+n { … Lending Annotation void append (MList@L xs, MList@U ys) where m>0 ; m'=m+n { … } MList@U x; MList@U y; append(x, y); …x. next… …y. next… uniqueness of x is lent uniqueness of y is consumed 12

Classification of Size-Variables Three possible groups Vobj( hs*i) = (SI, ST, SN) (i) Size-Immutable Classification of Size-Variables Three possible groups Vobj( hs*i) = (SI, ST, SN) (i) Size-Immutable (freely shared) (ii) Trackable (mutable and unique) (iii) Non-Trackable (mutable and globally aliased) 13

Outline • Background on Size Analysis • Size Tracking with Alias Controls • Kernel Outline • Background on Size Analysis • Size Tracking with Alias Controls • Kernel Language and Protocol Specification • Type System for Verification • Implementation and Conclusion. 14

source program Kernel define size pre/post Language states size. Presburger size constraint invariant annotated source program Kernel define size pre/post Language states size. Presburger size constraint invariant annotated types expression oriented language 15

How are Safety Policies Specified? • Popular approach - finite state machine. • Our How are Safety Policies Specified? • Popular approach - finite state machine. • Our approach : ADT with (i) Object’s Size Invariant. (ii) Methods’ Preconditions. • Benefits: Relational Properties Infinite-State Policies 16

File Protocol Safety policy : Read/Write after Successful Open. read new 1 File state File Protocol Safety policy : Read/Write after Successful Open. read new 1 File state 1 - uninitialized 2 - opened 3 - closed open 2 close 3 open write 17

File Protocol • Specified using sized typing. successful file open must be opened closed File Protocol • Specified using sized typing. successful file open must be opened closed state 18

Bounded Buffer Protocol Safety policy : Buffer does not Under/Overflow. s<c ; s’=s+1 Æ Bounded Buffer Protocol Safety policy : Buffer does not Under/Overflow. s0 ; s’=0 Æ c’=n new Buffer state s - no of elements c - capacity n, c s, c get 2, c 1, c 0, c s>0 ; s’=s-1 Æ c’=c 19

Outline • Background on Size Analysis • Size Tracking with Alias Controls • Kernel Outline • Background on Size Analysis • Size Tracking with Alias Controls • Kernel Language and Protocol Specification • Type System for Verification • Implementation and Conclusion. 20

Type System for Verification Type judgement expression to type-check pre/post states type environment 21 Type System for Verification Type judgement expression to type-check pre/post states type environment 21

Rule for IF: path-sensitivity size of b corresponds to what branch is taken type Rule for IF: path-sensitivity size of b corresponds to what branch is taken type of v path-sensitivity for size information using disjunction 22

Rule for Call types declaration method for actual parameters substitution from formal to actual Rule for Call types declaration method for actual parameters substitution from formal to actual parameters precondition checked poststate effect 23

Correctness of Type System • Type Preservation – size type property is correctly preserved Correctness of Type System • Type Preservation – size type property is correctly preserved during reduction. • Progress – a well-typed program never goes wrong. Safety policies are guaranteed for well-typed programs. 24

Implementation • Prototype built using • Haskell language (GHC) • Omega Presburger solver • Implementation • Prototype built using • Haskell language (GHC) • Omega Presburger solver • Accepts a Java-like language (without concurrency and exceptions). • Is this method viable? • Verification is fast because of modular type-checking. • Annotation is less than 5% of source code. 25

Related Work Size analysis for immutable data structures [Hughes et. al'96, Xi-Pfenning'98, '99, Jost-Hofman'03] Related Work Size analysis for immutable data structures [Hughes et. al'96, Xi-Pfenning'98, '99, Jost-Hofman'03] Alias controls for program reasoning [Chan-Boyland'98, Aldrich-Kostadinov-Chambers'02] Other approaches to verification: • Finite type-state: Vault, Fugue [Fahndrich-De. Line'02, '04] • Theorem proving: ESC (may be unsound) [Flanagan-Leino-Lillibridge-Nelson et. al'02] • Model checking: Bogor (requires test harness) [Robby-Dwyer-Hatcliff-Rodriguez'03, '04] 26

Conclusion • Formulate a precise relational size analysis for object-based programs. • Use alias Conclusion • Formulate a precise relational size analysis for object-based programs. • Use alias controls to track mutable size properties. • Automatic verification for: Safety policies - files, bounded-buffers. Data invariants - lists, AVL trees. • Working towards inference of alias and size annotations (for methods). 27

End 28 End 28

Experiments JOlden benchmarks 29 Experiments JOlden benchmarks 29

Object Declaration adt Cell<n> where n=v ; true size definition { int<v> val ; Object Declaration adt Cell where n=v ; true size definition { int val ; void incr(Cell x) where true ; n’=n+1 {x. val =x. val + 1} …} fields can only be accessed via methods Why use ADTs ? Development: a client is based on ADT’s interface (the implementation details are hidden). Modular analysis: correct usage of ADT verified against ADT’s interface. 30

Mutable Size Properties adt Cell<n> where n=v ; true { int<v> val ; void Mutable Size Properties adt Cell where n=v ; true { int val ; void incr(Cell x) where true ; n’=n+1 {x. val =x. val + 1} …} • Example with aliasing and mutability : Cell a = new Cell(5); // x’=5 Cell b = a; // y’=x Æ x’=x incr(b); // y’=y+1 Æ x’=x // x’=5 Æ y’=6 new value old value unsound! 31

Pair Example size definition adt Pair<p 1, p 2> where p 1=s 1Æp 2=s Pair Example size definition adt Pair

where p 1=s 1Æp 2=s 2 ; true { int@S fst; where true ; int@R snd; p 1’=xÆp 2’=p 2 void set. Fst(Pair

@L p, int@S x) { p. fst=x } } r@U Pair@U r = new Pair(…); r. set. Fst(…); ( , {r 1, r 2}, ) Pair fst@S ( , {s 1}, ) ({s 1}, , ) ({p 2}, {p 1}, ) snd@R ({s 2}, , ) int ({s 2}, , ) 32

Pair Example adt Pair<p 1, p 2> where p 1=s 1Æp 2=s 2 ; Pair Example adt Pair

where p 1=s 1Æp 2=s 2 ; true { int@S fst; where true ; p 2’=p 2 int@R snd; void set. Fst(Pair

@S p, int@S x) { p. fst=x } } m@S n@S ( , {n 2}, {n 1}) ( , {m 2}, {m 1}) Pair@S m = new Pair(…); Pair@S n = m; m. set. Fst(…); ( , {s 1}, ) n. set. Fst(…); Pair fst@S ({s 1}, , ) ({p 2}, {p 1}, ) snd@R ({s 2}, , ) int ({s 2}, , ) 33

Array Protocol Safety policy : No Array Bounds Violation. no bounds violation size never Array Protocol Safety policy : No Array Bounds Violation. no bounds violation size never change • Implementation: array primitive operations (that need no runtime tests). sub(A, i) … A[i] update(A, i, v) … A[i] = v 34

Buffer Protocol Safety policy : Buffer does not Under/Overflow. safety preconditions • Implemented using Buffer Protocol Safety policy : Buffer does not Under/Overflow. safety preconditions • Implemented using a cyclic array. • Implementation checked to comply with Array protocol. 35

Lock Protocol Safety policy : No double lock/unlock operations. 36 Lock Protocol Safety policy : No double lock/unlock operations. 36

AVL Tree adt AVL<s, h> where s=1+s 2 Æ h=1+max(h 1, h 2) ; AVL Tree adt AVL where s=1+s 2 Æ h=1+max(h 1, h 2) ; s¸ 0 Æ h¸ 0 Æ -1·h 1 -h 2· 1 { int@S val ; AVL@U left ; AVL@U right; void insert (AVL@L t, int@S n) where true ; ts’=ts+1 Æ th·th’·th+1 {. . . } } 37