ABSTRACT
We present a unified approach to type checking and property checking for low-level code. Type checking for low-level code is challenging because type safety often depends on complex, program-specific invariants that are difficult for traditional type checkers to express. Conversely, property checking for low-level code is challenging because it is difficult to write concise specifications that distinguish between locations in an untyped program's heap. We address both problems simultaneously by implementing a type checker for low-level code as part of our property checker.
We present a low-level formalization of a C program's heap and its types that can be checked with an SMT solver, and we provide a decision procedure for checking type safety. Our type system is flexible enough to support a combination of nominal and structural subtyping for C, on a per-structure basis. We discuss several case studies that demonstrate the ability of this tool to express and check complex type invariants in low-level C code, including several small Windows device drivers.
POPL '09