research-article

Unifying type checking and property checking for low-level code

Authors:
Jeremy Condit

Microsoft Research, Redmond, WA, USA

Microsoft Research, Redmond, WA, USA
View Profile

,
Brian Hackett

Stanford University, Stanford, CA, USA

Stanford University, Stanford, CA, USA
View Profile

,
Shuvendu K. Lahiri

Microsoft Research, Redmond, WA, USA

Microsoft Research, Redmond, WA, USA
View Profile

,
Shaz Qadeer

Microsoft Research, Redmond, WA, USA

Microsoft Research, Redmond, WA, USA
View Profile

POPL '09: Proceedings of the 36th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languagesJanuary 2009Pages 302–314https://doi.org/10.1145/1480881.1480921

Published:21 January 2009Publication History

POPL '09: Proceedings of the 36th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages

Pages 302–314

ABSTRACT

We present a unified approach to type checking and property checking for low-level code. Type checking for low-level code is challenging because type safety often depends on complex, program-specific invariants that are difficult for traditional type checkers to express. Conversely, property checking for low-level code is challenging because it is difficult to write concise specifications that distinguish between locations in an untyped program's heap. We address both problems simultaneously by implementing a type checker for low-level code as part of our property checker.

We present a low-level formalization of a C program's heap and its types that can be checked with an SMT solver, and we provide a decision procedure for checking type safety. Our type system is flexible enough to support a combination of nominal and structural subtyping for C, on a per-structure basis. We discuss several case studies that demonstrate the ability of this tool to express and check complex type invariants in low-level C code, including several small Windows device drivers.

References

The Coq proof assistant. http://coq.inria.fr/.Google Scholar
The HAVOC property checker. http://research.microsoft.com/projects/havoc/.Google Scholar
A. J. Ahmed, A. W. Appel, and R. Virga. A stratified semantics of general references embeddable in higher-order logic. In Logic in Computer Science (LICS), 2002. Google ScholarDigital Library
A. W. Appel. Foundational proof-carrying code. In Logic in Computer Science (LICS), 2001. Google ScholarDigital Library
A. W. Appel and A. P. Felty. A semantic model of types and machine instructions for proof-carrying code. In Principles of Programming Languages (POPL), 2000. Google ScholarDigital Library
A. W. Appel and D. McAllester. An indexed model of recursive types for foundational proof-carrying code. Transactions on Programming Languages and Systems (TOPLAS), 23(5), Sep 2001. Google ScholarDigital Library
T. Ball, B. Hackett, S. K. Lahiri, and S. Qadeer. Annotation-based property checking for systems software. Technical Report MSR-TR-2008-82, Microsoft Research, 2008.Google Scholar
T. Ball, R. Majumdar, T. D. Millstein, and S. K. Rajamani. Automatic predicate abstraction of C programs. In Programming Language Design and Implementation (PLDI), 2001. Google ScholarDigital Library
M. Barnett, B.-Y. E. Chang, R. DeLine, B. Jacobs, and K. R. M. Leino. Boogie: A modular reusable verifier for object-oriented programs. In Formal Methods for Components and Objects (FMCO), 2005. Google ScholarDigital Library
M. Barnett, K. R. M. Leino, and W. Schulte. The Spec# programming system: An overview. In Construction and Analysis of Safe, Secure, and Interoperable Smart Devices (CASSIS), 2004. Google ScholarDigital Library
M. Barnett and R. Leino. Weakest-precondition of unstructured programs. In Program Analysis for Software Tools and Engineering (PASTE), 2005. Google ScholarDigital Library
R. Bornat. Proving pointer programs in Hoare logic. In Mathematics of Program Construction (MPC), 2000. Google ScholarDigital Library
C. Calcagno, D. Distefano, P. W. O'Hearn, and H. Yang. Beyond reachability: Shape abstraction in the presence of pointer arithmetic. In Static Analysis Symposium (SAS), 2006. Google ScholarDigital Library
B.-Y. E. Chang, A. Chlipala, G. C. Necula, and R. R. Schneck. The Open Verifier framework for foundational verifiers. In Types in Language Design and Implementation (TLDI), 2005. Google ScholarDigital Library
S. Chatterjee, S. K. Lahiri, S. Qadeer, and Z. Rakamaric. A reachability predicate for analyzing low-level software. In Tools and Algorithms for the Construction and Analysis of Systems (TACAS), 2007. Google ScholarDigital Library
B. Chin, S. Markstrum, and T. Millstein. Semantic type qualifiers. In Programming Language Design and Implementation (PLDI), 2005. Google ScholarDigital Library
J. Condit, M. Harren, Z. Anderson, D. Gay, and G. Necula. Dependent types for low-level programming. In European Symposium on Programmig (ESOP), 2007. Google ScholarDigital Library
K. Crary and J. C. Vanderwaart. An expressive, scalable type theory for certified code. In International Conference on Functional Programming (ICFP), 2002. Google ScholarDigital Library
L. de Moura and N. Bjorner. Z3: An efficient SMT solver. In Tools and Algorithms for the Construction and Analysis of Systems (TACAS), 2008. Google ScholarDigital Library
E. W. Dijkstra. Guarded commands, nondeterminacy and formal derivation of programs. Communcations of the ACM, 18, 1975. Google ScholarDigital Library
X. Feng, Z. Ni, Z. Shao, and Y. Guo. An open framework for foundational proof-carrying code. In Types in Language Design and Implementation (TLDI), 2007. Google ScholarDigital Library
J.-C. Filliatre and C. Marche. The Why/Krakatoa/Caduceus platform for deductive program verification. In Computer Aided Verification (CAV), 2007. Google ScholarDigital Library
C. Flanagan, K. R. M. Leino, M. Lillibridge, G. Nelson, J. B. Saxe, and R. Stata. Extended static checking for Java. In Programming Language Design and Implementation (PLDI), 2002. Google ScholarDigital Library
T. A. Henzinger, R. Jhala, R. Majumdar, and G. Sutre. Lazy abstraction. In Principles of Programming Languages (POPL), 2002. Google ScholarDigital Library
T. Jim, G. Morrisett, D. Grossman, M. Hicks, J. Cheney, and Y. Wang. Cyclone: A safe dialect of C. In USENIX Annual Technical Conference, 2002. Google ScholarDigital Library
S. K. Lahiri and S. Qadeer. Back to the future: Revisiting precise program verification using SMT solvers. In Principles of Programming Languages (POPL), 2008. Google ScholarDigital Library
X. Leroy. Formal certification of a compiler back-end, or: Programming a compiler with a proof assistant. In Principles of Programming Languages (POPL), 2006. Google ScholarDigital Library
Microsoft. Windows driver kit. http://www.microsoft.com/whdc/devtools/wdk/default.mspx.Google Scholar
G. Morrisett, D. Walker, K. Crary, and N. Glew. From System F to typed assembly language. Transactions on Programming Languages and Systems (TOPLAS), 21:3, 1999. Google ScholarDigital Library
G. C. Necula. Proof-carrying code. In Principles of Programming Languages (POPL), 1997. Google ScholarDigital Library
G. C. Necula, J. Condit, M. Harren, S. McPeak, and W. Weimer. CCured: Type-safe retrofitting of legacy software. Transactions on Programming Languages and Systems (TOPLAS), 27(3), May 2005. Google ScholarDigital Library
G. C. Necula and P. Lee. The design and implementation of a certifying compiler. In Programming Language Design and Implementation (PLDI), 1998. Google ScholarDigital Library
G. Nelson and D. C. Oppen. Simplification by cooperating decision procedures. Transactions on Programming Languages and Systems (TOPLAS), 1(2), 1979. Google ScholarDigital Library
Y. Regis-Gianas and F. Pottier. A Hoare logic for call-by-value functional programs. In Mathematics of Program Construction (MPC), 2008. Google ScholarDigital Library
J. C. Reynolds. Separation logic: A logic for shared mutable data structures. In Logic in Computer Science (LICS), 2002. Google ScholarDigital Library
Satisfiability Modulo Theories Library (SMT-LIB). Available at http://goedel.cs.uiowa.edu/smtlib/.Google Scholar
W. Schulte, S. Xia, J. Smans, and F. Piessens. A glimpse of a verifying C compiler. In C/C++ Verification Workshop, 2007.Google Scholar
H. Xi. Imperative programming with dependent types. In Logic in Computer Science (LICS), 2000. Google ScholarDigital Library
H. Xi and F. Pfenning. Dependent types in practical programming. In Principles of Programming Languages (POPL), 1999. Google ScholarDigital Library
H. Yang, O. Lee, J. Berdine, C. Calcagno, B. Cook, D. Distefano, and P. O'Hearn. Scalable shape analysis for systems code. In Computer Aided Verification (CAV), 2008. Google ScholarDigital Library

Index Terms

Unifying type checking and property checking for low-level code

Recommendations

Unifying type checking and property checking for low-level code
POPL '09

We present a unified approach to type checking and property checking for low-level code. Type checking for low-level code is challenging because type safety often depends on complex, program-specific invariants that are difficult for traditional type ...
Read More
Type inference and strong static type checking for Promela

The Spin model checker and its specification language Promela have been used extensively in industry and academia to check the logical properties of distributed algorithms and protocols. Model checking with Spin involves reasoning about a system via an ...
Read More
Type checking and typability in domain-free lambda calculi

This paper shows (1) the undecidability of the type checking and the typability problems in the domain-free lambda calculus with negation, product, and existential types, (2) the undecidability of the typability problem in the domain-free polymorphic ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
POPL '09: Proceedings of the 36th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages
January 2009
464 pages
ISBN:9781605583792
DOI:10.1145/1480881
General Chair:
Zhong Shao
Yale University, USA
,
Program Chair:
Benjamin C. Pierce
University of Pennsylvania, USA
ACM SIGPLAN Notices Volume 44, Issue 1
POPL '09
January 2009
453 pages
ISSN:0362-1340
EISSN:1558-1160
DOI:10.1145/1594834
Issue’s Table of Contents
Copyright © 2009 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 21 January 2009
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
assertion checking
decision procedure
low-level code
property checking
smt solver
type checking
Qualifiers
- research-article
Conference

Acceptance Rates
Overall Acceptance Rate824of4,130submissions,20%
Upcoming Conference
POPL '25

Sponsor:

sigplan

The 52nd Annual ACM SIGPLAN Symposium on Principles of Programming Languages

January 19 - 25, 2025

Denver , CO , USA
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 54
  Total Citations
  View Citations
- 482
  Total Downloads
- Downloads (Last 12 months)3
- Downloads (Last 6 weeks)0
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Unifying type checking and property checking for low-level code

POPL '09: Proceedings of the 36th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages

ABSTRACT

References

Cited By

Index Terms

Recommendations

Unifying type checking and property checking for low-level code

Type inference and strong static type checking for Promela

Type checking and typability in domain-free lambda calculi