research-article

Open access

Linear types for large-scale systems verification

Authors:

Andrea Lattuada,

Jonathan Cameron,

Chris HawblitzelAuthors Info & Claims

Proceedings of the ACM on Programming Languages, Volume 6, Issue OOPSLA1

Article No.: 69, Pages 1 - 28

https://doi.org/10.1145/3527313

Published: 29 April 2022 Publication History

Abstract

Reasoning about memory aliasing and mutation in software verification is a hard problem. This is especially true for systems using SMT-based automated theorem provers. Memory reasoning in SMT verification typically requires a nontrivial amount of manual effort to specify heap invariants, as well as extensive alias reasoning from the SMT solver. In this paper, we present a hybrid approach that combines linear types with SMT-based verification for memory reasoning. We integrate linear types into Dafny, a verification language with an SMT backend, and show that the two approaches complement each other. By separating memory reasoning from verification conditions, linear types reduce the SMT solving time. At the same time, the expressiveness of SMT queries extends the flexibility of the linear type system. In particular, it allows our linear type system to easily and correctly mix linear and nonlinear data in novel ways, encapsulating linear data inside nonlinear data and vice-versa. We formalize the core of our extensions, prove soundness, and provide algorithms for linear type checking. We evaluate our approach by converting the implementation of a verified storage system (about 24K lines of code and proof) written in Dafny, to use our extended Dafny. The resulting system uses linear types for 91% of the code and SMT-based heap reasoning for the remaining 9%. We show that the converted system has 28% fewer lines of proofs and 30% shorter verification time overall. We discuss the development overhead in the original system due to SMT-based heap reasoning and highlight the improved developer experience when using linear types.

References

[1]

Sidney Amani, Alex Hixon, Zilin Chen, Christine Rizkallah, Peter Chubb, Liam O’Connor, Joel Beeren, Yutaka Nagashima, Japheth Lim, Thomas Sewell, Joseph Tuong, Gabriele Keller, Toby Murray, Gerwin Klein, and Gernot Heiser. 2016. Cogent: Verifying High-Assurance File System Implementations. In Proceedings of the ACM Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS).

Digital Library

[2]

Vytautas Astrauskas, Peter Müller, Federico Poli, and Alexander J. Summers. 2019. Leveraging Rust Types for Modular Specification and Verification. Proc. ACM Program. Lang., 3, OOPSLA (2019), Article 147, Oct., 30 pages. https://doi.org/10.1145/3360573

Digital Library

[3]

M. Barnett, B.-Y. E. Chang, R. DeLine, B. Jacobs, and K. R. M. Leino. 2006. Boogie: A modular reusable verifier for object-oriented programs. Proceedings of Formal Methods for Components and Objects (FMCO), https://doi.org/10.1007/11804192_17

Digital Library

[4]

Michael A. Bender, Martin Farach-Colton, William Jannen, Rob Johnson, Bradley C. Kuszmaul, Donald E. Porter, Jun Yuan, and Yang Zhan. 2015. An Introduction to B^∊ -trees and Write-Optimization. ;login: The USENIX Magazine, 40, 5 (2015), Oct., 22–28.

[5]

Josh Berdine, Byron Cook, and Samin Ishtiaq. 2011. SLAyer: Memory Safety for Systems-level Code. In Conference on Computer Aided Verification (CAV).

[6]

Ankit Bhardwaj, Chinmay Kulkarni, Reto Achermann, Irina Calciu, Sanidhya Kashyap, Ryan Stutsman, Amy Tai, and Gerd Zellweger. 2021. NrOS: Effective Replication and Sharing in an Operating System. In 15th USENIX Symposium on Operating Systems Design and Implementation (OSDI 21). USENIX Association, 295–312. isbn:978-1-939133-22-9 https://www.usenix.org/conference/osdi21/presentation/bhardwaj

[7]

Kevin Boos, Namitha Liyanage, Ramla Ijaz, and Lin Zhong. 2020. Theseus: an Experiment in Operating System Structure and State Management. In 14th USENIX Symposium on Operating Systems Design and Implementation (OSDI 20). USENIX Association, 1–19. isbn:978-1-939133-19-9 https://www.usenix.org/conference/osdi20/presentation/boos

[8]

L. M. de Moura and N. Bjørner. 2008. Z3: An efficient SMT solver. In Proceedings of the Conference on Tools and Algorithms for the Construction and Analysis of Systems. https://doi.org/10.1007/978-3-540-78800-3_24

[9]

M. Fluet, G. Morrisett, and A. Ahmed. 2006. Linear Regions Are All You Need. In European Symposium on Programming (ESOP). https://doi.org/10.1007/11693024_2

Digital Library

[10]

Aymeric Fromherz, Aseem Rastogi, Nikhil Swamy, Sydney Gibson, Guido Martínez, Denis Merigoux, and Tahina Ramananandro. 2021. Steel: Proof-oriented Programming in a Dependently Typed Concurrent Separation Logic. https://www.fstar-lang.org/papers/steel/ In submission.

[11]

Jean-Yves Girard. 1987. Linear Logic. In Theoretical Computer Science. https://doi.org/10.1016/0304-3975(87)90045-4

Digital Library

[12]

D. Grossman, G. Morrisett, T. Jim, M. Hicks, Y. Wang, and J. Cheney. 2002. Region-based memory management in Cyclone. In Programming Language Design and Implementation (PLDI). https://doi.org/10.1145/512529.512563

Digital Library

[13]

Travis Hance, Andrea Lattuada, Chris Hawblitzel, Jon Howell, Rob Johnson, and Bryan Parno. 2020. Storage Systems are Distributed Systems (So Verify Them That Way!). In 14th USENIX Symposium on Operating Systems Design and Implementation, OSDI 2020, Virtual Event, November 4-6, 2020. USENIX Association, 99–115. https://www.usenix.org/conference/osdi20/presentation/hance

[14]

Travis Hance, Andrea Lattuada, Chris Hawblitzel, Jon Howell, Rob Johnson, and Bryan Parno. 2020. veribetrkv-osdi2020. https://github.com/secure-foundations/veribetrkv-osdi2020/tree/master/docker-hdd/src/veribetrkv-dynamic-frames

[15]

Chris Hawblitzel, Jon Howell, Manos Kapritsos, Jacob R. Lorch, Bryan Parno, Michael L. Roberts, Srinath Setty, and Brian Zill. 2015. IronFleet: Proving Practical Distributed Systems Correct. In Proceedings of the ACM Symposium on Operating Systems Principles (SOSP). https://doi.org/10.1145/2815400.2815428

Digital Library

[16]

Chris Hawblitzel, Jon Howell, Jacob R. Lorch, Arjun Narayan, Bryan Parno, Danfeng Zhang, and Brian Zill. 2014. Ironclad Apps: End-to-End Security via Automated Full-System Verification. In 11th USENIX Symposium on Operating Systems Design and Implementation (OSDI 14). USENIX Association, Broomfield, CO. 165–181. isbn:978-1-931971-16-4 https://www.usenix.org/conference/osdi14/technical-sessions/presentation/hawblitzel

Digital Library

[17]

Chris Hawblitzel, Erez Petrank, Shaz Qadeer, and Serdar Tasiran. 2015. Automated and Modular Refinement Reasoning for Concurrent Programs. In Proceedings of the Conference on Computer Aided Verification (CAV). https://doi.org/10.1007/978-3-319-21668-3_26

[18]

Ralf Jung, Jacques-Henri Jourdan, Robbert Krebbers, and Derek Dreyer. 2017. RustBelt: Securing the Foundations of the Rust Programming Language. Proc. ACM Program. Lang., 2, POPL (2017), Article 66, Dec., 34 pages. https://doi.org/10.1145/3158154

Digital Library

[19]

Ioannis T. Kassios. 2006. Dynamic Frames: Support for Framing, Dependencies and Sharing Without Restrictions. In FM 2006: Formal Methods.

Digital Library

[20]

Steve Klabnik, Carol Nichols, and Rust Community. 2018. The Rust Programming Language https://doc.rust-lang.org/book/.

[21]

Gerwin Klein, June Andronick, Kevin Elphinstone, Toby Murray, Thomas Sewell, Rafal Kolanski, and Gernot Heiser. 2014. Comprehensive Formal Verification of an OS Microkernel. ACM Trans. Comput. Syst., 32, 1 (2014), Article 2, Feb., 70 pages. issn:0734-2071 https://doi.org/10.1145/2560537

Digital Library

[22]

Leslie Lamport. 2002. Specifying Systems: The TLA+ Languange and Tools for Hardware and Software Engineers. Addison-Wesley.

Digital Library

[23]

K. Rustan M. Leino. 2010. Dafny: An Automatic Program Verifier for Functional Correctness. In Proceedings of the Conference on Logic for Programming, Artificial Intelligence, and Reasoning (LPAR). https://doi.org/10.1007/978-3-642-17511-4_20

[24]

Nicholas D. Matsakis and Felix S. Klock. 2014. The Rust Language. In Proceedings of the 2014 ACM SIGAda Annual Conference on High Integrity Language Technology (HILT ’14). Association for Computing Machinery, New York, NY, USA. 103–104. isbn:9781450332170 https://doi.org/10.1145/2663171.2663188

Digital Library

[25]

Peter Müller, Malte Schwerhoff, and Alexander J. Summers. 2016. Viper: A Verification Infrastructure for Permission-Based Reasoning. In Proceedings of the Conference on Verification, Model Checking, and Abstract Interpretation (VMCAI).

[26]

Vikram Narayanan, Tianjiao Huang, David Detweiler, Dan Appel, Zhaofeng Li, Gerd Zellweger, and Anton Burtsev. 2020. RedLeaf: Isolation and Communication in a Safe Operating System. In 14th USENIX Symposium on Operating Systems Design and Implementation (OSDI 20). USENIX Association, 21–39. isbn:978-1-939133-19-9 https://www.usenix.org/conference/osdi20/presentation/narayanan-vikram

[27]

John C. Reynolds. 2002. Separation Logic: A Logic for Shared Mutable Data Structures. In Proceedings of the 17th Annual IEEE Symposium on Logic in Computer Science. https://doi.org/10.1109/LICS.2002.1029817

[28]

Nikhil Swamy, Aseem Rastogi, Aymeric Fromherz, Denis Merigoux, Danel Ahman, and Guido Martínez. 2020. SteelCore: An Extensible Concurrent Separation Logic for Effectful Dependently Typed Programs. In 25th ACM SIGPLAN International Conference on Functional Programming (ICFP). https://doi.org/10.1145/3409003

Digital Library

[29]

Mads Tofte and Jean-Pierre Talpin. 1994. Implementing the call-by-value lambda-calculus using a stack of regions. In Principles of Programming Languages (POPL). https://doi.org/10.1145/174675.177855

Digital Library

[30]

Philip Wadler. 1990. Linear Types Can Change the World!. In Proceedings of the IFIP TC 2 Working Conference on Programming Concepts and Methods.

[31]

David Walker and Kevin Watkins. 2001. On regions and linear types. In International Converence on Functional Programming (ICFP). https://doi.org/10.1145/507635.507658

Digital Library

[32]

Aaron Weiss, Daniel Patterson, Nicholas D. Matsakis, and Amal Ahmed. 2019. Oxide: The Essence of Rust. CoRR, abs/1903.00982 (2019), https://doi.org/10.48550/ARXIV.1903.00982 arXiv:1903.00982.

[33]

Joshua Yanovski, Hoang-Hai Dang, Ralf Jung, and Derek Dreyer. 2021. GhostCell: Separating Permissions from Data in Rust. Proc. ACM Program. Lang., 5, ICFP (2021), Article 92, aug, 30 pages. https://doi.org/10.1145/3473597

Digital Library

Cited By

Chen XLi ZZhang JBurtsev A(2024)Veld: Verified Linux DriversProceedings of the 2nd Workshop on Kernel Isolation, Safety and Verification10.1145/3698576.3698766(23-30)Online publication date: 4-Nov-2024
https://dl.acm.org/doi/10.1145/3698576.3698766
Lattuada AHance TBosamiya JBrun MCho CLeBlanc HSrinivasan PAchermann RChajed THawblitzel CHowell JLorch JPadon OParno BWitchel EArpaci-Dusseau ARossbach CKeeton K(2024)Verus: A Practical Foundation for Systems VerificationProceedings of the ACM SIGOPS 30th Symposium on Operating Systems Principles10.1145/3694715.3695952(438-454)Online publication date: 4-Nov-2024
https://dl.acm.org/doi/10.1145/3694715.3695952
Andrici CCiobâcă ȘHriţcu CMartínez GRivas ETanter ÉWinterhalter T(2024)Securing Verified IO Programs Against Unverified Code in F*Proceedings of the ACM on Programming Languages10.1145/36329168:POPL(2226-2259)Online publication date: 5-Jan-2024
https://dl.acm.org/doi/10.1145/3632916
Show More Cited By

Index Terms

Linear types for large-scale systems verification
1. Software and its engineering
  1. Software creation and management
    1. Software verification and validation
      1. Formal software verification

Recommendations

Verus: Verifying Rust Programs using Linear Ghost Types

The Rust programming language provides a powerful type system that checks linearity and borrowing, allowing code to safely manipulate memory without garbage collection and making Rust ideal for developing low-level, high-assurance systems. For such ...
Formal Verification of a Reader-Writer Lock Implementation in C

We present the formal verification of a reader-writer lock implementation, which is a widely used synchronization primitive in multithreaded code. Specifications are given at the level of C code in the annotation language of Microsoft's Verifying C ...
Integrating Linear and Dependent Types
POPL '15: Proceedings of the 42nd Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages

In this paper, we show how to integrate linear types with type dependency, by extending the linear/non-linear calculus of Benton to support type dependency. Next, we give an application of this calculus by giving a proof-theoretic account of imperative ...

Comments

Information & Contributors

Information

Published In

cover image Proceedings of the ACM on Programming Languages

Proceedings of the ACM on Programming Languages Volume 6, Issue OOPSLA1

April 2022

687 pages

EISSN:2475-1421

DOI:10.1145/3534679

Issue’s Table of Contents

Copyright © 2022 Owner/Author.

This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 29 April 2022

Published in PACMPL Volume 6, Issue OOPSLA1

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Badges

Author Tags

Qualifiers

Research-article

Funding Sources

NSF (National Science Foundation)

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

7
Total Citations
View Citations
1,358
Total Downloads

Downloads (Last 12 months)332
Downloads (Last 6 weeks)56

Reflects downloads up to 21 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

Chen XLi ZZhang JBurtsev A(2024)Veld: Verified Linux DriversProceedings of the 2nd Workshop on Kernel Isolation, Safety and Verification10.1145/3698576.3698766(23-30)Online publication date: 4-Nov-2024
https://dl.acm.org/doi/10.1145/3698576.3698766
Lattuada AHance TBosamiya JBrun MCho CLeBlanc HSrinivasan PAchermann RChajed THawblitzel CHowell JLorch JPadon OParno BWitchel EArpaci-Dusseau ARossbach CKeeton K(2024)Verus: A Practical Foundation for Systems VerificationProceedings of the ACM SIGOPS 30th Symposium on Operating Systems Principles10.1145/3694715.3695952(438-454)Online publication date: 4-Nov-2024
https://dl.acm.org/doi/10.1145/3694715.3695952
Andrici CCiobâcă ȘHriţcu CMartínez GRivas ETanter ÉWinterhalter T(2024)Securing Verified IO Programs Against Unverified Code in F*Proceedings of the ACM on Programming Languages10.1145/36329168:POPL(2226-2259)Online publication date: 5-Jan-2024
https://dl.acm.org/doi/10.1145/3632916
Piankarnka VLertbumroongchai KPiriyasurawong P(2023)A Digital Painting Learning Model Using Mixed-Reality Technology to Develop Practical Skills in Character Design for AnimationAdvances in Human-Computer Interaction10.1155/2023/52307622023Online publication date: 1-Jan-2023
https://dl.acm.org/doi/10.1155/2023/5230762
Lattuada AHance TCho CBrun MSubasinghe IZhou YHowell JParno BHawblitzel C(2023)Verus: Verifying Rust Programs using Linear Ghost TypesProceedings of the ACM on Programming Languages10.1145/35860377:OOPSLA1(286-315)Online publication date: 6-Apr-2023
https://dl.acm.org/doi/10.1145/3586037
Ho SProtzenko J(2022)Aeneas: Rust verification by functional translationProceedings of the ACM on Programming Languages10.1145/35476476:ICFP(711-741)Online publication date: 31-Aug-2022
https://dl.acm.org/doi/10.1145/3547647
Li TYang RQu GShi GYu CWierman ALow S(2022)Robustness and Consistency in Linear Quadratic Control with Untrusted PredictionsACM SIGMETRICS Performance Evaluation Review10.1145/3547353.352265850:1(107-108)Online publication date: 7-Jul-2022
https://dl.acm.org/doi/10.1145/3547353.3522658

View Options

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Article

Media

Figures

Other

Tables

View Issue’s Table of Contents