Abstraction and subsumption in modular verification of C programs

Abstraction and subsumption in modular verification of C programs

The type-theoretic notions of existential abstraction, subtyping, subsumption, and intersection have useful analogues in separation-logic proofs of imperative programs. We have implemented these as an enhancement of the verified software toolchain (VST). VST is an impredicative concurrent separation...

Full description

Saved in:
Bibliographic Details
Published in:Formal methods in system design Vol. 58; no. 1-2; pp. 322 - 345
Main Authors: Beringer, Lennart, Appel, Andrew W.
Format: Journal Article
Language:English
Published: New York Springer US 01-10-2021
Springer Nature B.V
Subjects:
CAE) and Design
Circuits and Systems
Computer-Aided Engineering (CAD
Electrical Engineering
Engineering
Intersections
Logic
Modularity
Program verification (computers)
Separation
Software engineering
Software Engineering/Programming and Operating Systems
Source code
Specifications
Specification subsumption
Foundational program verification
Separation logics
Intersection specifications
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:The type-theoretic notions of existential abstraction, subtyping, subsumption, and intersection have useful analogues in separation-logic proofs of imperative programs. We have implemented these as an enhancement of the verified software toolchain (VST). VST is an impredicative concurrent separation logic for the C language, implemented in the Coq proof assistant, and proved sound in Coq. For machine-checked functional-correctness verification of software at scale, VST embeds its expressive program logic in dependently typed higher-order logic (CiC). Specifications and proofs in the program logic can leverage the expressiveness of CiC—so users can overcome the abstraction gaps that stand in the way of top-to-bottom verification: gaps between source code verification, compilation, and domain-specific reasoning, and between different analysis techniques or formalisms. Until now, VST has supported the specification of a program as a flat collection of function specifications (in higher-order separation logic)—one proves that each function correctly implements its specification, assuming the specifications of the functions it calls. But what if a function has more than one specification? In this work, we exploit type-theoretic concepts to structure specification interfaces for C code. This brings modularity principles of modern software engineering to concrete program verification. Previous work used representation predicates to enable data abstraction in separation logic. We go further, introducing function-specification subsumption and intersection specifications to organize the multiple specifications that a function is typically associated with. As in type theory, if ϕ is a of ψ , that is ϕ < : ψ , then x : ϕ implies x : ψ , meaning that any function satisfying specification ϕ can be used wherever a function satisfying ψ is demanded. Subsumption incorporates separation-logic framing and parameter adaptation, as well as step-indexing and specifications constructed via mixed-variance functors (needed for C’s function pointers).
ISSN:0925-9856
1572-8102
DOI:10.1007/s10703-020-00353-1