Abstract
Modularity - the partitioning of software into units of functionality that interact with each other via interfaces - has been the mainstay of software development for half a century. In case of the C language, the main mechanism for modularity is the compilation unit / header file abstraction. This paper complements programmatic modularity for C with modularity idioms for specification and verification in the context of Verifiable C, an expressive separation logic for CompCert Clight. Technical innovations include (i) abstract predicate declarations – existential packages that combine Parkinson & Bierman’s abstract predicates with their client-visible reasoning principles; (ii) residual predicates, which help enforcing data abstraction in callback-rich code; and (iii) an application to pure (Smalltalk-style) objects that connects code verification to model-level reasoning about features such as subtyping, self, inheritance, and late binding. We introduce our techniques using concrete example modules that have all been verified using the Coq proof assistant and combine to fully linked verified programs using a novel, abstraction-respecting component composition rule for Verifiable C.
Chapter PDF
Similar content being viewed by others
Keywords
References
Ahmed, A., Appel, A.W., Richards, C.D., Swadi, K.N., Tan, G., Wang, D.C.: Semantic foundations for typed assembly languages. ACM Trans. Program.Lang. Syst. 32(3), 7:1–7:67 (2010), https://doi.org/10.1145/1709093.1709094
Albert, E., Puebla, G., Hermenegildo, M.V.: Abstraction-carrying code. In: Baader and Voronkov [7], pp. 380–397, https://doi.org/10.1007/978-3-540-32275-7_25
Appel, A.W.: Foundational proof-carrying code. In: LICS’01: 16th Annual IEEE Symposium on Logic in Computer Science, Proceedings. pp. 247–256. IEEE Computer Society (2001), https://doi.org/10.1109/LICS.2001.932501
Appel, A.W., Dockins, R., Hobor, A., Beringer, L., Dodds, J., Stewart, G., Blazy, S., Leroy, X.: Program Logics for Certified Compilers. Cambridge (2014)
Appel, A.W., Naumann, D.A.: Verified sequential malloc/free. In: Ding, C., Maas, M. (eds.) ISMM’20: 2020 ACM SIGPLAN International Symposium on Memory Management. pp. 48–59. ACM (2020), https://doi.org/10.1145/3381898.3397211
Aspinall, D., Gilmore, S., Hofmann, M., Sannella, D., Stark, I.: Mobile resource guarantees for smart devices. In: Barthe, G., Burdy, L., Huisman, M., Lanet, J., Muntean, T. (eds.) CASSIS’04: International Workshop on Construction and Analysis of Safe, Secure, and Interoperable Smart Devices, Revised Selected Papers. LNCS, vol. 3362, pp. 1–26. Springer (2004), https://doi.org/10.1007/978-3-540-30569-9_1
Baader, F., Voronkov, A. (eds.): LPAR’04: Logic for Programming, Artificial Intelligence, and Reasoning, 11th International Conference, Proceedings, LNCS, vol. 3452. Springer (2005), https://doi.org/10.1007/b106931
Balzer, R.M.: Dataless programming. In: American Federation of Information Processing Societies: Proceedings of the AFIPS ’67 Fall Joint Computer Conference. AFIPS Conference Proceedings, vol. 31, pp. 535–544. AFIPS / ACM / Thomson Book Company, Washington D.C. (1967), https://doi.org/10.1145/1465611.1465683
Balzer, S.: Rumer: A programming language and modular verification technique based on relationships. Ph.D. thesis, ETH Zürich (2011)
Banerjee, A., Naumann, D.A.: Local reasoning for global invariants, part II: dynamic boundaries. J. ACM 60(3), 19:1–19:73 (2013), http://doi.acm.org/10.1145/2485981
Barnett, M., DeLine, R., Fähndrich, M., Leino, K.R.M., Schulte, W.: Verification of object-oriented programs with invariants. Journal of Object Technology 3(6), 27–56 (2004), https://doi.org/10.5381/jot.2004.3.6.a2
Barnett, M., Naumann, D.A.: Friends need a bit more: Maintaining invariants over shared state. In: Kozen, D., Shankland, C. (eds.) Mathematics of Program Construction, 7th International Conference, MPC 2004, Proceedings. LNCS, vol. 3125, pp. 54–84. Springer (2004), https://doi.org/10.1007/978-3-540-27764-4_5
Barthe, G., Crégut, P., Grégoire, B., Jensen, T.P., Pichardie, D.: The MOBIUS proof carrying code infrastructure. In: de Boer, F.S., Bonsangue, M.M., Graf, S., de Roever, W.P. (eds.) FMCO’07: Formal Methods for Components and Objects, 6th International Symposium, Revised Lectures. LNCS, vol. 5382, pp. 1–24. Springer (2007), https://doi.org/10.1007/978-3-540-92188-2_1
Beringer, L.: Verified Software Units – Coq development (2021), https://www.cs.princeton.edu/~eberinge/VSU_Esop21.tar.gz
Beringer, L., Appel, A.W.: Abstraction and subsumption in modular verification of C programs. In: ter Beek, M.H., McIver, A., Oliveira, J.N. (eds.) Formal Methods - The Next 30 Years - Third World Congress, FM 2019, Proceedings. LNCS, vol. 11800, pp. 573–590. Springer (2019), https://doi.org/10.1007/978-3-030-30942-8_34
Beringer, L., Hofmann, M., Momigliano, A., Shkaravska, O.: Automatic certification of heap consumption. In: Baader and Voronkov [7], pp. 347–362, https://doi.org/10.1007/978-3-540-32275-7_23
Besson, F., Jensen, T.P., Pichardie, D.: Proof-carrying code from certified abstract interpretation and fixpoint compression. Theor. Comput. Sci. 364(3), 273–291 (2006), https://doi.org/10.1016/j.tcs.2006.08.012
Bruce, K.B., Cardelli, L., Pierce, B.C.: Comparing object encodings. Inf. Comput. 155(1-2), 108–133 (1999), https://doi.org/10.1006/inco.1999.2829
Chalin, P., Kiniry, J.R., Leavens, G.T., Poll, E.: Beyond assertions: Advanced specification and verification with JML and ESC/Java2. In: de Boer, F.S., Bonsangue, M.M., Graf, S., de Roever, W.P. (eds.) Formal Methods for Components and Objects, 4th International Symposium, FMCO 2005, Revised Lectures. LNCS, vol. 4111, pp. 342–363. Springer (2005), https://doi.org/10.1007/11804192_16
Clarke, D., Drossopoulou, S., Noble, J., Wrigstad, T.: Aliasing, confinement, and ownership in object-oriented programming. In: Cebulla, M. (ed.) Object-Oriented Technology. ECOOP 2007 Workshop Reader, Final Reports. LNCS, vol. 4906, pp. 40–49. Springer (2007), https://doi.org/10.1007/978-3-540-78195-0_5
Drossopoulou, S., Damiani, F., Dezani-Ciancaglini, M., Giannini, P.: Fickle : Dynamic object re-classification. In: Knudsen, J.L. (ed.) ECOOP 2001 - Object-Oriented Programming, 15th European Conference, Proceedings. LNCS, vol. 2072, pp. 130–149. Springer (2001), https://doi.org/10.1007/3-540-45337-7_8
Drossopoulou, S., Francalanza, A., Müller, P., Summers, A.J.: A unified framework for verification techniques for object invariants. In: Vitek, J. (ed.) ECOOP 2008 - Object-Oriented Programming, 22nd European Conference, Proceedings. LNCS, vol. 5142, pp. 412–437. Springer (2008), https://doi.org/10.1007/978-3-540-70592-5_18
Gamma, E., Helm, R., Johnson, R., Vlissides, J.: Design Patterns: Elements of Reusable Object-Oriented Software. Addison-Wesley Longman Publishing Co., Inc, USA (1995)
Gu, R., Koenig, J., Ramananandro, T., Shao, Z., Wu, X.N., Weng, S., Zhang, H., Guo, Y.: Deep specifications and certified abstraction layers. In: Rajamani, S.K., Walker, D. (eds.) Proceedings of the 42nd Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2015. pp. 595–608. ACM (2015), https://doi.org/10.1145/2676726.2676975
Gu, R., Shao, Z., Chen, H., Kim, J., Koenig, J., Wu, X.N., Sjöberg, V., Costanzo, D.: Building certified concurrent OS kernels. Commun. ACM 62(10), 89–99 (2019), https://doi.org/10.1145/3356903
Gu, R., Shao, Z., Kim, J., Wu, X.N., Koenig, J., Sjöberg, V., Chen, H., Costanzo, D., Ramananandro, T.: Certified concurrent abstraction layers. In: Foster, J.S., Grossman, D. (eds.) Proceedings of the 39th ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI 2018. pp. 646–661. ACM (2018), https://doi.org/10.1145/3192366.3192381
Hamid, N.A., Shao, Z., Trifonov, V., Monnier, S., Ni, Z.: A syntactic approach to foundational proof-carrying code. J. Autom. Reasoning 31(3-4), 191–229 (2003), https://doi.org/10.1023/B:JARS.0000021012.97318.e9
Hawblitzel, C., Howell, J., Kapritsos, M., Lorch, J.R., Parno, B., Roberts, M.L., Setty, S.T.V., Zill, B.: Ironfleet: proving safety and liveness of practical distributed systems. Commun. ACM 60(7), 83–92 (2017), https://doi.org/10.1145/3068608
Hawblitzel, C., Howell, J., Lorch, J.R., Narayan, A., Parno, B., Zhang, D., Zill, B.: Ironclad apps: End-to-end security via automated full-system verification. In: Flinn, J., Levy, H. (eds.) 11th USENIX Symposium on Operating Systems Design and Implementation, OSDI ’14. pp. 165–181. USENIX Association (2014), https://www.usenix.org/conference/osdi14/technical-sessions/presentation/hawblitzel
Hofmann, M., Pierce, B.C.: Positive subtyping. Inf. Comput. 126(1), 11–33 (1996), https://doi.org/10.1006/inco.1996.0031
Honsell, F., Lenisa, M., Redamalla, R.: Coalgebraic semantics and observational equivalences of an imperative class-based OO-language. Electron. Notes Theor. Comput. Sci. 104, 163–180 (2004), https://doi.org/10.1016/j.entcs.2004.08.024
Huisman, M., Jacobs, B.: Inheritance in higher order logic: Modeling and reasoning. In: Theorem Proving in Higher Order Logics. LNCS, vol. 1869, pp. 301–319. Springer (2000)
Jacobs, B.: Objects and classes, co-algebraically. In: Freitag, B., Jones, C.B., Lengauer, C., Schek, H. (eds.) Object Orientation with Parallelism and Persistence. pp. 83–103. Kluwer Academic Publishers (1995)
Jacobs, B., Smans, J., Philippaerts, P., Vogels, F., Penninckx, W., Piessens, F.: Verifast: A powerful, sound, predictable, fast verifier for C and java. In: Bobaru, M.G., Havelund, K., Holzmann, G.J., Joshi, R. (eds.) NASA Formal Methods - Third International Symposium, NFM 2011. Proceedings. LNCS, vol. 6617, pp. 41–55. Springer (2011), https://doi.org/10.1007/978-3-642-20398-5_4
Jacobs, B., Smans, J., Piessens, F.: Verifying the composite pattern using separation logic. In: Specification and verification of component-based systems – Workshop at ACM SIGSOFT/FSE 16 (2008), available at https://people.cs.kuleuven.be/~bart.jacobs/verifast
Jung, R., Krebbers, R., Jourdan, J.H., Bizjak, A., Birkedal, L., Dreyer, D.: Iris from the ground up: A modular foundation for higher-order concurrent separation logic. Journal of Functional Programming 28 (2018)
Kay, A.C.: The early history of Smalltalk. In: Lee, J.A.N., Sammet, J.E. (eds.) History of Programming Languages Conference (HOPL-II), Preprints. pp. 69–95. ACM (1993), https://doi.org/10.1145/154766.155364
Kleymann, T.: Hoare logic and auxiliary variables. Formal Asp. Comput. 11(5), 541–566 (1999), https://doi.org/10.1007/s001650050057
Koh, N., Li, Y., Li, Y., Xia, L., Beringer, L., Honoré, W., Mansky, W., Pierce, B.C., Zdancewic, S.: From C to interaction trees: specifying, verifying, and testing a networked server. In: Mahboubi, A., Myreen, M.O. (eds.) Proceedings of the 8th ACM SIGPLAN International Conference on Certified Programs and Proofs, (CPP’19). pp. 234–248. ACM (2019), https://doi.org/10.1145/3293880.3294106
Kravchuk-Kirilyuk, A.Y.: The B\(^{+}\)-tree Index as a Verified Software Unit. Master’s thesis, Department of Computer Science, Princeton University (2020)
Krishnaswami, N.R., Aldrich, J., Birkedal, L., Svendsen, K., Buisse, A.: Design patterns in separation logic. In: Kennedy, A., Ahmed, A. (eds.) Proceedings of TLDI’09: 2009 ACM SIGPLAN International Workshop on Types in Languages Design and Implementation. pp. 105–116. ACM (2009), https://doi.org/10.1145/1481861.1481874
Leavens, G.T., Naumann, D.A.: Behavioral subtyping, specification inheritance, and modular reasoning. ACM Trans. on Programming Languages and Systems 37(4), 13:1–13:88 (2015), https://doi.org/10.1145/2766446
Liskov, B.: Keynote address - data abstraction and hierarchy. SIGPLAN Not. 23(5), 17–34 (Jan 1987), https://doi.org/10.1145/62139.62141
Liskov, B., Wing, J.M.: A behavioral notion of subtyping. ACM Trans. Program. Lang. Syst. 16(6), 1811–1841 (1994), https://doi.org/10.1145/197320.197383
McKinna, J., Burstall, R.M.: Deliverables: A categorial approach to program development in type theory. In: Borzyszkowski, A.M., Sokolowski, S. (eds.) Mathematical Foundations of Computer Science 1993, 18th International Symposium, MFCS’93. Lecture Notes in Computer Science, vol. 711, pp. 32–67. Springer (1993), https://doi.org/10.1007/3-540-57182-5_3
Mitchell, J.C., Plotkin, G.D.: Abstract types have existential type. ACM Trans. on Programming Languages and Systems 10(3), 470–502 (Jul 1988)
Müller, P., Poetzsch-Heffter, A., Leavens, G.T.: Modular invariants for layered object structures. Sci. Comput. Program. 62(3), 253–286 (2006), https://doi.org/10.1016/j.scico.2006.03.001
Naumann, D.A.: Deriving sharp rules of adaptation for Hoare logics. Tech. Rep. 9906, Department of Computer Science, Stevens Institute of Technology (1999)
Necula, G.C.: Proof-carrying code. In: Lee, P., Henglein, F., Jones, N.D. (eds.) Conference Record of POPL’97: The 24th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages. pp. 106–119. ACM Press (1997), https://doi.org/10.1145/263699.263712
Nipkow, T.: Hoare logics for recursive procedures and unbounded nondeterminism. In: Bradfield, J.C. (ed.) Computer Science Logic, 16th International Workshop, CSL 2002, 11th Annual Conference of the EACSL, Proceedings. Lecture Notes in Computer Science, vol. 2471, pp. 103–119. Springer (2002), https://doi.org/10.1007/3-540-45793-3_8
Nistor, L., Aldrich, J., Balzer, S., Mehnert, H.: Object propositions. In: Jones, C.B., Pihlajasaari, P., Sun, J. (eds.) FM 2014: Formal Methods - 19th International Symposium, Singapore, May 12-16, 2014. Proceedings. LNCS, vol. 8442, pp. 497–513. Springer (2014), https://doi.org/10.1007/978-3-319-06410-9_34
Nistor, L., Kurilova, D., Balzer, S., Chung, B., Potanin, A., Aldrich, J.: Wyvern: A simple, typed, and pure object-oriented language. In: Proceedings of the 5th Workshop on MechAnisms for SPEcialization, Generalization and InHerItance. pp. 9–16. MASPEGHI ’13, Association for Computing Machinery, New York, NY, USA (2013), https://doi.org/10.1145/2489828.2489830
O’Hearn, P.W.: Separation logic. Commun. ACM 62(2), 86–95 (2019), https://doi.org/10.1145/3211968
O’Hearn, P.W., Yang, H., Reynolds, J.C.: Separation and information hiding. ACM Trans. Program. Lang. Syst. 31(3), 11:1–11:50 (2009), https://doi.org/10.1145/1498926.1498929.
Parkinson, M.: Class invariants: the end of the road? (2007), contained in [20]. Also available at https://people.dsv.su.se/~tobias/iwaco/p3-parkinson.pdf
Parkinson, M.J., Bierman, G.M.: Separation logic and abstraction. In: Palsberg, J., Abadi, M. (eds.) Proceedings of the 32nd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2005. pp. 247–258. ACM (2005), https://doi.org/10.1145/1040305.1040326
Parkinson, M.J., Bierman, G.M.: Separation logic, abstraction and inheritance. In: Necula, G.C., Wadler, P. (eds.) Proceedings of the 35th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2008. pp. 75–86. ACM (2008), https://doi.org/10.1145/1328438.1328451
Pierce, B.C.: Types and Programming Languages. MIT Press, Cambridge, Mass. (2002)
Polikarpova, N., Tschannen, J., Furia, C.A., Meyer, B.: Flexible invariants through semantic collaboration. In: Jones, C.B., Pihlajasaari, P., Sun, J. (eds.) FM 2014: Formal Methods - 19th International Symposium. LNCS, vol. 8442, pp. 514–530. Springer (2014), https://doi.org/10.1007/978-3-319-06410-9_35
Reynolds, J.C.: GEDANKEN - a simple typeless language based on the principle of completeness and the reference concept. Commun. ACM 13(5), 308–319 (1970), https://doi.org/10.1145/362349.362364
Reynolds, J.C.: Separation logic: A logic for shared mutable data structures. In: 17th IEEE Symposium on Logic in Computer Science (LICS 2002), Proceedings. pp. 55–74. IEEE Computer Society (2002), https://doi.org/10.1109/LICS.2002.1029817
Saini, D., Sunshine, J., Aldrich, J.: A theory of typestate-oriented programming. In: Proceedings of the 12th Workshop on Formal Techniques for Java-Like Programs, FTFJP 2010, Maribor, Slovenia, June 22, 2010. pp. 9:1–9:7. ACM (2010), https://doi.org/10.1145/1924520.1924529
Schreiner, A.T.: Objektorientierte Programmierung mit ANSI-C. Hanser (1994), https://www.cs.rit.edu/~ats
Sjöberg, V., Sang, Y., Weng, S.c., Shao, Z.: DeepSEA: A language for certified system software. Proc. ACM Program. Lang. 3(OOPSLA), 136:1–136:27 (Oct 2019), https://doi.org/10.1145/3360562
Summers, A.J., Drossopoulou, S.: Considerate reasoning and the composite design pattern. In: Barthe, G., Hermenegildo, M.V. (eds.) Verification, Model Checking, and Abstract Interpretation, 11th International Conference, VMCAI 2010, Proceedings. LNCS, vol. 5944, pp. 328–344. Springer (2010), https://doi.org/10.1007/978-3-642-11319-2_24
Summers, A.J., Drossopoulou, S., Müller, P.: The need for flexible object invariants. In: International Workshop on Aliasing, Confinement and Ownership in Object-Oriented Programming (IWACO’09). ACM (2009), https://doi.org/10.1145/1562154.1562160
Vasudevan, A., Chaki, S., Maniatis, P., Jia, L., Datta, A.: überspark: Enforcing verifiable object abstractions for automated compositional security analysis of a hypervisor. In: Holz, T., Savage, S. (eds.) 25th USENIX Security Symposium, USENIX Security 16. pp. 87–104. USENIX Association (2016), https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/vasudevan
Xia, L., Zakowski, Y., He, P., Hur, C., Malecha, G., Pierce, B.C., Zdancewic, S.: Interaction trees: representing recursive and impure programs in Coq. Proc. ACM Program. Lang. 4(POPL), 51:1–51:32 (2020), https://doi.org/10.1145/3371119
Acknowledgments
This work was funded by the National Science Foundation under the awards 1005849 (Verified High Performance Data Structure Implementations, Beringer) and 1521602 Expedition in Computing: The Science of Deep Specification, Appel). The author is grateful to the members of both projects for their feedback and greatly appreciates the reviewers’ comments and suggestions.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.
The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.
Copyright information
© 2021 The Author(s)
About this paper
Cite this paper
Beringer, L. (2021). Verified Software Units. In: Yoshida, N. (eds) Programming Languages and Systems. ESOP 2021. Lecture Notes in Computer Science(), vol 12648. Springer, Cham. https://doi.org/10.1007/978-3-030-72019-3_5
Download citation
DOI: https://doi.org/10.1007/978-3-030-72019-3_5
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-72018-6
Online ISBN: 978-3-030-72019-3
eBook Packages: Computer ScienceComputer Science (R0)