
Verified sequential Malloc/Free

Published: 16 June 2020

ABSTRACT

We verify the functional correctness of an array-of-bins (segregated free-lists) single-thread malloc/free system with respect to a correctness specification written in separation logic. The memory allocator is written in standard C code compatible with the standard API; the specification is in the Verifiable C program logic, and the proof is done in the Verified Software Toolchain within the Coq proof assistant. Our "resource-aware" specification can guarantee when malloc will successfully return a block, unlike the standard Posix specification that allows malloc to return NULL whenever it wants to. We also prove subsumption (refinement): the resource-aware specification implies a resource-oblivious spec.
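As an added illustration, not code from the paper or its Coq development: a toy single-threaded array-of-bins allocator in C whose per-bin counters (a small "resource vector") let a caller ask, before calling malloc, whether a request is guaranteed to succeed. That is the executable shape of the abstract's point: a resource-aware precondition predicts success exactly, whereas the POSIX contract lets malloc return NULL at will. Everything here is constructed for the example: the names my_malloc, my_free, malloc_guaranteed, exhaust, release_one and reset_allocator, the four size classes (16 to 128 bytes), the 4 KiB static arena and the one-word header per block. The paper's real allocator, size classes and specification are in the PDF, not reproduced here.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed parameters: four size classes (16, 32, 64, 128 payload bytes)
   served from a 4 KiB static arena. Real allocators have more bins and grow
   the arena from the OS; that is deliberately left out here. */
#define BIN_COUNT   4
#define MIN_CLASS   16
#define ARENA_BYTES 4096
#define HDR         sizeof(size_t)   /* per-block header: the block's bin index */

/* The arena is declared as size_t words so every carved block is aligned. */
static size_t arena_words[ARENA_BYTES / sizeof(size_t)];
#define arena ((unsigned char *)arena_words)
static size_t arena_used;            /* bytes of the arena carved so far */

static void  *bins[BIN_COUNT];       /* head of each bin's singly-linked free list */
static size_t avail[BIN_COUNT];      /* resource vector: free blocks held per bin */

static size_t class_size(int b)  { return (size_t)MIN_CLASS << b; }
static size_t block_bytes(int b) { return HDR + class_size(b); }

/* Smallest bin whose payload holds n bytes, or -1 if n exceeds every class. */
static int bin_of(size_t n) {
    for (int b = 0; b < BIN_COUNT; b++)
        if (n <= class_size(b)) return b;
    return -1;
}

/* Resource-aware precondition: with the invariant maintained by my_malloc and
   my_free, my_malloc(n) returns non-NULL exactly when this returns 1. A POSIX
   caller has no such predicate and must always be ready for NULL. */
int malloc_guaranteed(size_t n) {
    int b = bin_of(n);
    if (b < 0) return 0;                               /* no size class fits */
    if (avail[b] > 0) return 1;                        /* a free block is on hand */
    return ARENA_BYTES - arena_used >= block_bytes(b); /* or one can be carved */
}

void *my_malloc(size_t n) {
    int b = bin_of(n);
    if (b < 0) return NULL;
    if (avail[b] > 0) {                                /* pop from the bin's list */
        void *p = bins[b];
        memcpy(&bins[b], p, sizeof(void *));           /* next link lives in the payload */
        avail[b]--;
        return p;
    }
    if (ARENA_BYTES - arena_used < block_bytes(b)) return NULL;
    unsigned char *hdr = arena + arena_used;           /* carve a fresh block */
    arena_used += block_bytes(b);
    *(size_t *)hdr = (size_t)b;                        /* remember its bin for free */
    return hdr + HDR;
}

void my_free(void *p) {
    if (p == NULL) return;
    size_t b = *(size_t *)((unsigned char *)p - HDR);  /* read the bin index back */
    memcpy(p, &bins[b], sizeof(void *));               /* push onto that bin's list */
    bins[b] = p;
    avail[b]++;
}

/* Scenario helpers (constructed): allocate n-byte requests until the guarantee
   turns false, keeping the pointers so they can be freed later. Returns the
   number of blocks obtained, or (size_t)-1 if my_malloc ever contradicted the
   guarantee by returning NULL. */
static void  *held[ARENA_BYTES / MIN_CLASS];
static size_t held_n;

size_t exhaust(size_t n) {
    size_t count = 0;
    while (malloc_guaranteed(n)) {
        void *p = my_malloc(n);
        if (p == NULL) return (size_t)-1;
        held[held_n++] = p;
        count++;
    }
    return count;
}

void release_one(void) { if (held_n > 0) my_free(held[--held_n]); }

void reset_allocator(void) {
    memset(arena_words, 0, sizeof arena_words);
    memset(bins, 0, sizeof bins);
    memset(avail, 0, sizeof avail);
    arena_used = 0;
    held_n = 0;
}

int main(void) {
    reset_allocator();
    size_t got = exhaust(100);                         /* 100-byte requests use the 128-byte class */
    printf("carved %zu blocks before the guarantee turned false\n", got);
    printf("guaranteed now: %d, my_malloc -> %p\n", malloc_guaranteed(100), my_malloc(100));
    release_one();
    printf("after one free: guaranteed %d, avail[3] = %zu\n", malloc_guaranteed(100), avail[3]);
    return 0;
}
```

The scenario in main carves 128-byte-class blocks until the guarantee turns false, then frees one and watches it turn true again. The property worth checking is that malloc_guaranteed never disagrees with my_malloc; that agreement is what the abstract's resource-aware specification makes provable and the POSIX contract does not. A caller that ignores the predicate and simply tests for NULL still works, which is the informal counterpart of the subsumption the abstract mentions: the resource-aware spec implies the resource-oblivious one.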

ISMM '20, June 16, 2020, London, UK. Andrew W. Appel and David A. Naumann.

Contents: Abstract; 1 Introduction; 2 The Algorithm and Data Structure; 3 Specification in Separation Logic; 4 Resource Tracking; 5 Filling the Resource Vector; 6 Funspec Subsumption; 7 Formal Guarantees w.r.t. C Standard; 8 Bugs; 9 Verification Effort; 10 Future Work; 11 Conclusion; Acknowledgments; References.

Index Terms

  1. Verified sequential Malloc/Free

        • Published in

          ACM Conferences
          ISMM 2020: Proceedings of the 2020 ACM SIGPLAN International Symposium on Memory Management
          June 2020
          114 pages
          ISBN: 9781450375665
          DOI: 10.1145/3381898

          Copyright © 2020 ACM

          Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

          Publisher

          Association for Computing Machinery

          New York, NY, United States


          Qualifiers

          • research-article

          Acceptance Rates

          Overall Acceptance Rate: 72 of 156 submissions, 46%
