Invited talk
DOI: 10.1145/3564719.3570917

Language Design Meets Verifying Compilers (Keynote)

Published: 01 December 2022

Abstract

The dream of developing compilers that automatically verify whether or not programs meet their specifications remains an ongoing challenge. Such "verifying compilers" are (finally) on the verge of entering mainstream software development. This is partly due to advancements made over the last few decades, but also to the increasingly significant and complex role software plays in the modern world. As computer scientists, we should encourage this transition and help relegate many forms of software error to the history books. One way of increasing adoption is to design languages around these tools which look, on the surface, like regular programming languages. That is, to seamlessly integrate specification and verification and offer something that, for the everyday programmer, appears as nothing more than glorified type checking. This requires, amongst other things, careful consideration as to which language features mesh well with verification, and which do not. The design space here is interesting and subtle, but has been largely overlooked. In this talk, I will attempt to shed light on this murky area by contrasting the choices made in two existing languages: Dafny and Whiley.
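As an added illustration of what "glorified type checking" looks like in practice, the following Dafny method is not taken from the keynote or from the Dafny project; the method, its name and its contract are a hypothetical example. The specification (the `requires`/`ensures` clauses and the loop invariants) sits next to the code, and the verifier discharges it before the program is accepted, so an out-of-bounds read in this function is a compile-time rejection rather than a runtime memory-safety bug.

```dafny
// Added example (hypothetical method, not from the keynote).
// Linear search whose safety and functional behaviour are stated
// as a contract the verifier must prove before the code is accepted.
method IndexOf(a: array<int>, key: int) returns (idx: int)
  // Result is either -1 or a valid index into a.
  ensures -1 <= idx < a.Length
  // A non-negative result really points at the key.
  ensures idx >= 0 ==> a[idx] == key
  // A result of -1 means the key is genuinely absent.
  ensures idx == -1 ==> forall i :: 0 <= i < a.Length ==> a[i] != key
{
  var i := 0;
  while i < a.Length
    // Invariants are the "types" of the loop: i stays in range and
    // every element already examined is known not to be the key.
    invariant 0 <= i <= a.Length
    invariant forall j :: 0 <= j < i ==> a[j] != key
  {
    // Every array access must be proven in bounds. Changing the guard
    // above to `i <= a.Length` makes this read unprovable, and Dafny
    // rejects the method instead of emitting code that can read past
    // the end of the array.
    if a[i] == key {
      return i;
    }
    i := i + 1;
  }
  // Loop exit gives i == a.Length, so the second invariant discharges
  // the "absent" postcondition.
  return -1;
}
```

Nothing in the method body is annotated beyond the contract and the two invariants; the rest of the verification is automatic. That is the trade the abstract describes: a language designed so that ordinary code carries its specification, with the prover hidden behind what looks like a stricter type checker.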


Published In

GPCE 2022: Proceedings of the 21st ACM SIGPLAN International Conference on Generative Programming: Concepts and Experiences
November 2022
186 pages
ISBN:9781450399203
DOI:10.1145/3564719
Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Formal Methods
  2. Verifying Compilers

Qualifiers

  • Invited-talk

Conference

GPCE '22
Article Metrics

  • Total citations: 0
  • Total downloads: 67
  • Downloads (last 12 months): 18
  • Downloads (last 6 weeks): 1

Reflects downloads up to 26 Sep 2024
