Sound, Modular and Compositional Verification of the Input/Output Behavior of Programs

Penninckx, Willem; Jacobs, Bart; Piessens, Frank

doi:10.1007/978-3-662-46669-8_7

Cited by 21 publications

(26 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Its separation logic comes with a proof automation system, Floyd, that supplies tactics for symbolically executing a program while maintaining its pre-and postcondition [Cao et al 2018]. To support reasoning about external behavior in general-and the swap server's invocations of OS/network primitives in particular-we extend VST's logic with two abstract predicates [Penninckx et al 2015]; these are separation logic predicates that behave like resources but do not have a footprint in concrete memory. Instead they connect to VST's model of external state, which in this case represents the allowed network behavior of the program.…”

Section: Verificationmentioning

confidence: 99%

From C to interaction trees: specifying, verifying, and testing a networked server

Koh

et al. 2019

Proceedings of the 8th ACM SIGPLAN International Conference on Certified Programs and Proofs

View full text Add to dashboard Cite

We present the first formal verification of a networked server implemented in C. Interaction trees, a general structure for representing reactive computations, are used to tie together disparate verification and testing tools (Coq, VST, and Quick-Chick) and to axiomatize the behavior of the operating system on which the server runs (CertiKOS). The main theorem connects a specification of acceptable server behaviors, written in a straightforward "one client at a time" style, with the CompCert semantics of the C program. The variability introduced by low-level buffering of messages and interleaving of multiple TCP connections is captured using network refinement, a variant of observational refinement.

show abstract

Section: Verificationmentioning

confidence: 99%

From C to interaction trees: specifying, verifying, and testing a networked server

Koh

et al. 2019

Proceedings of the 8th ACM SIGPLAN International Conference on Certified Programs and Proofs

View full text Add to dashboard Cite

show abstract

“…Although this is a very simple program, it is not a natural fit for separation-logic-based verification tools, which model the behavior of C programs in terms of computation and memory rather than I/O. Several approaches have been suggested for reasoning about I/O in separation logic, for instance by Penninckx et al [18] and Koh et al [13]. Using the latter approach, we might specify the behavior of getchar with the Hoare triple {ITree(r ← read; ; k r)} x = getchar() {ITree(k x)}, relating the function call to an external read event: the program before the call to getchar must have permission to perform a sequence of operations beginning with a read, and after the call it has permission to perform the remaining operations (with values that may depend upon the received value).…”

Section: Introductionmentioning

confidence: 99%

Connecting Higher-Order Separation Logic to a First-Order Outside World

Mansky

Honoré

Appel

2020

Programming Languages and Systems

View full text Add to dashboard Cite

Separation logic is a useful tool for proving the correctness of programs that manipulate memory, especially when the model of memory includes higher-order state: Step-indexing, predicates in the heap, and higher-order ghost state have been used to reason about function pointers, data structure invariants, and complex concurrency patterns. On the other hand, the behavior of system features (e.g., operating systems) and the external world (e.g., communication between components) is usually specified using first-order formalisms. In principle, the soundness theorem of a separation logic is its interface with first-order theorems, but the soundness theorem may implicitly make assumptions about how other components are specified, limiting its use. In this paper, we show how to extend the higher-order separation logic of the Verified Software Toolchain to interface with a first-order verified operating system, in this case CertiKOS, that mediates its interaction with the outside world. The resulting system allows us to prove the correctness of C programs in separation logic based on the semantics of system calls implemented in CertiKOS. It also demonstrates that the combination of interaction trees + CompCert memories serves well as a lingua franca to interface and compose two quite different styles of program verification.

show abstract

“…Specification and Verification of Atomic Operations in GPGPU Programs. In SEFM 2015, pages [69][70][71][72][73][74][75][76][77][78][79][80][81][82][83]2015..…”

Section: Thesismentioning

confidence: 99%

“…Any synchronisation construct needs to be instantiated with a protocol that specifies the correct behaviour of the algorithm. Current advances in Separation Logic-based specification and verification of protocols [36,73,22,69] shows the potential of an unified method that verifies a custom synchronisation construct w.r.t. its specified protocol.…”

Section: Future Directionsmentioning

confidence: 99%

See 1 more Smart Citation

Specification and verification of synchronisation classes in Java : a practical approach

Amighi¹

View full text Add to dashboard Cite

Sound, Modular and Compositional Verification of the Input/Output Behavior of Programs

Cited by 21 publications

References 12 publications

From C to interaction trees: specifying, verifying, and testing a networked server

From C to interaction trees: specifying, verifying, and testing a networked server

Connecting Higher-Order Separation Logic to a First-Order Outside World

Specification and verification of synchronisation classes in Java : a practical approach

Contact Info

Product

Resources

About