Smallfoot: Modular Automatic Assertion Checking with Separation Logic

Berdine, Josh; Calcagno, Cristiano; O’Hearn, Peter W.

doi:10.1007/11804192_6

Cited by 263 publications

(242 citation statements)

References 31 publications

Supporting

Mentioning

240

Contrasting

Unclassified

Order By: Relevance

“…These connectives support modularity, though they complicate proof theory (they cannot be axiomatized [15]). Tools that support separation logic for static verification of programs include: VeriFAST [42], jStar [26], Slayer [11] and Smallfoot [10].…”

Section: Context-free Grammarsmentioning

confidence: 99%

Combining Monitoring with Run-Time Assertion Checking

Boer

Gouw

2014

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. According to a study in 2002 commisioned by a US Department, software bugs annually costs the US economy an estimated $59 billion 1 . A more recent study in 2013 by Cambridge University estimated that the global cost has risen to $312 billion globally 2 .There exists various ways to prevent, isolate and fix software bugs, ranging from lightweight methods that are (semi)-automatic, to heavyweight methods that require significant user interaction. Our own method described in this tutorial is based on automated run-time checking of a combination of protocol-and data-oriented properties of object-oriented programs. Run-Time Checking of Object-Oriented ProgramsGiven a program and a specification, a run-time verifier inserts checks in the code that determine whether the specification is satisfied. The checks are triggered during an actual execution of the program. In contrast to static verification, where properties are checked with respect to all executions (possibly there are infinitely many), run-time checkers only consider a single execution of the program. There is a wide range of specification languages used in run-time verification. They can be partitioned into two categories: languages that focus on the control-flow (these approaches are also called "monitoring"), and those focussing on data-flow.As an example, one can use regular expressions to specify the order in which functions or methods in a program should be called [18]. Such specifications describe the control-flow of the program. Other formalisms for specifying controlflow are temporal logics, various kinds of automata and context-free grammars. For these formalisms, checking whether a given property holds of the current execution involves parsing a word (where the word is some representation of the trace of method calls in the current execution) in an automata. Generally only formalisms are chosen with a decidable parsing problem (in particular, this is the case for regular expressions, context-free grammars and most automata), so Approaches that specify data-flow usually do so by annotating the source code with assertions: logical formulas that must be true whenever control passes them. The formulas constrain the values of the program variables. If assertions are expressed in first-order logic with arithmetic, it is in general undecidable due to unbounded quantification (i.e. ranging over an infinite number of values) whether the assertion is true, thus usually the assertions are restricted in some way. For instance, Java contains an assert-statement which restricts to quantifier-free formulas (i.e. Boolean expressions). Design by Contract [53] provides a systematic way of using assertions to specify classes, interfaces and methods with respectively class invariants and pre-and postconditions. It was first used in the programming language Eiffel, and subsequently has also been applied to many other programming languages. For example, JML [14] is one of the most popular specification languages for Java and supports Design by Contract. JML...

show abstract

Section: Context-free Grammarsmentioning

confidence: 99%

Combining Monitoring with Run-Time Assertion Checking

Boer

Gouw

2014

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…On the verification side, Smallfoot [39] is the first verification system based on separation logic. The Hip/Sleek verification system [1,2] supports user-defined shape predicates over the combined shape and numerical domain.…”

Section: Related Workmentioning

confidence: 99%

Automatically refining partial specifications for heap-manipulating programs

Qin

Luo

et al. 2014

Science of Computer Programming

View full text Add to dashboard Cite

Automatically verifying heap-manipulating programs is a challenging task, especially when dealing with complex data structures with strong invariants, such as sorted lists and AVL/red-black trees. The verification process can greatly benefit from human assistance through specification annotations, but this process requires intellectual effort from users and is error-prone. In this paper, we propose a new approach to program verification that allows users to provide only partial specification to methods. Our approach will then refine the given annotation into a more complete specification by discovering missing constraints. The discovered constraints may involve both numerical and multi-set properties that could be later confirmed or revised by users. We further augment our approach by requiring partial specification to be given only for primary methods. Specifications for loops and auxiliary methods can then be systematically discovered by our augmented mechanism, with the help of information propagated from the primary methods. Our work is aimed at verifying beyond shape properties, with the eventual goal of analysing full functional properties for pointer-based data structures. Initial experiments have confirmed that we can automatically refine partial specifications with non-trivial constraints, thus making it easier for users to handle specifications with richer properties.

show abstract

“…The assumption of ( e , f ) / ∈ M in the case of inhaling field permissions encodes the fact that we cannot hold permission to the same location twice. This assumption is not made for permissions to predicate locations, since it is possible to hold the same predicate more than once 5 Additionally, when inhaling known-folded permission to a predicate e.p, all known-folded permissions from the predicate mask for e.p are added to the mask being used for the inhale. In this way, we maintain the invariant that knownfolded permissions are transitively closed; that is, if…”

Section: Encoding Of Inhalementioning

confidence: 99%

“…Program logics based on access permissions, such as separation logic [24] and implicit dynamic frames [27] are the foundation of many program verifiers for heap-manipulating programs [5,11,15,21,26]. They associate an access permission with each heap location, and enforce that a method accesses a location only if it has the permission to do so.…”

Section: Introductionmentioning

confidence: 99%

Verification Condition Generation for Permission Logics with Abstract Predicates and Abstraction Functions

Heule

Kassios

Müller

et al. 2013

ECOOP 2013 – Object-Oriented Programming

View full text Add to dashboard Cite

Abstract. Abstract predicates are the primary abstraction mechanism for program logics based on access permissions, such as separation logic and implicit dynamic frames. In addition to abstract predicates, it is useful to also support classical abstraction functions, for instance, to encode side-effect-free methods of the program and use them in specifications. However, combining abstract predicates and abstraction functions in a verification condition generator leads to subtle interactions, which complicate reasoning about heap modifications. Such complications may compromise soundness or cause divergence of the prover in the context of automated verification. In this paper, we present an encoding of abstract predicates and abstraction functions in the verification condition generator Boogie. Our encoding is sound and handles recursion in a way that is suitable for automatic verification using SMT solvers. It is implemented in the automatic verifier Chalice.

show abstract

Smallfoot: Modular Automatic Assertion Checking with Separation Logic

Cited by 263 publications

References 31 publications

Combining Monitoring with Run-Time Assertion Checking

Combining Monitoring with Run-Time Assertion Checking

Automatically refining partial specifications for heap-manipulating programs

Verification Condition Generation for Permission Logics with Abstract Predicates and Abstraction Functions

Contact Info

Product

Resources

About