Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Jean Yang on An Axiomatic Basis for Computer Programming

Papers_We_Love
November 18, 2014
Programming
4
29k

Jean Yang on An Axiomatic Basis for Computer Programming

Our lives now run on software. Bugs are becoming not just annoyances for software developers, but sources of potentially catastrophic failures. A careless programmer mistake could leak our social security numbers or crash our cars. While testing provides some assurance, it is difficult to test all possibilities in complex systems--and practically impossible in concurrent systems. For the critical systems in our lives, we should demand mathematical guarantees that the software behaves the way the programmer expected.

A single paper influenced much of the work towards providing these mathematical guarantees. C.A.R. Hoare’s seminal 1969 paper “An Axiomatic Basis for Computer Programming” introduces a method of reasoning about program correctness now known as Hoare logic. In this paper, Hoare provides a technique that 1) allows programmers to express program properties and 2) allows these properties to be automatically checked. These ideas have influenced decades of research in automated reasoning about software correctness.

In this talk, I will describe the main ideas in Hoare logic, as well as the impact of these ideas. I will talk about my personal experience using Hoare logic to verify memory guarantees in an operating system. I will also discuss takeaway lessons for working programmers.

Papers_We_Love

November 18, 2014
Tweet

More Decks by Papers_We_Love

See All by Papers_We_Love
What About the Natural Numbers by José Manuel Calderón Trilla
paperswelove
0
81
Is Program Analysis The Silver Bullet Against Software Bugs? by Karim Ali
paperswelove
1
140
On the Expressive Power of Programming Languages by Shriram Krishnamurthi
paperswelove
1
120
Anonymity in the Bitcoin Peer-to-Peer Network by Giulia Fanti
paperswelove
0
110
Building Personable Machines by Star Simpson
paperswelove
0
38
PWL SF 03/18 > Cathie Yun on "Bulletproofs: Short Proofs for Confidential Transactions and More"
paperswelove
1
300
Bonnie Eisenman on Multiphase Numerical Modeling... for Jigsaw Puzzle Generation
paperswelove
0
560
Suz Hinton on Accessible images (AIMS)
paperswelove
0
810
Hannes Frederic Sowa on "BBR: Congestion-Based Congestion Control"
paperswelove
0
1.2k

Other Decks in Programming

See All in Programming
祝 Ver.3リリース Fluent UI Blazorのすすめ
tomokusaba
0
120
Migrating From Spring Boot 2 To Spring Boot 3 - What's Jakarta EE Got To Do with It?
ivargrimstad
0
550
Build Backwards-Compatible REST APIs with Rolling Versions
subomi
0
140
Google Apps Scriptを使いこなさない方法
efbmzwyk999
0
110
第3回 AWSとGitHub勉強会 - GitHub Actionsを使ったCI環境の構築 -
ogiwarat
0
140
Twillio SDKをFlutterアプリに統合した話/twilio-in-flutter
minma_curama
0
120
Compose Multiplatform 101
dalinaum
2
380
第2回 AWSとGitHub勉強会 - CodespacesとHelidonの利用 -
ogiwarat
0
140
Flutterにおけるアプリ内課金実装 -Android/iOS完全なる統一 -
nacatl
1
870
Building Shared UIs across Platforms with Compose
heyitsmohit
1
170
リアーキテクチャによってどうなりたいか/re-architecture
suzukihoge
2
310
Re:Android Studio 설정 살펴보기 및 생산성 올리기
pluu
0
620

Featured

See All Featured
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
0
2.3k
Making Projects Easy
brettharned
104
5.1k
We Have a Design System, Now What?
morganepeng
40
6.3k
Building an army of robots
kneath
300
41k
How To Stay Up To Date on Web Technology
chriscoyier
780
250k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
271
12k
GraphQLの誤解/rethinking-graphql
sonatard
44
8.5k
Testing 201, or: Great Expectations
jmmastey
26
6k
How to name files
jennybc
56
84k
YesSQL, Process and Tooling at Scale
rocio
159
13k
The Cult of Friendly URLs
andyhume
71
5.3k
The Invisible Side of Design
smashingmag
292
49k

Transcript

  1. An Axiomatic
    Basis for
    Computer
    Programming
    Jean Yang
    Papers We Love #10 / 11.18.14

    View Slide

  2. An Axiomatic
    Basis for
    Computer
    Programming
    Jean Yang
    Ph.D. student, MIT CSAIL
    November 18, 2014

    View Slide

  3. View Slide

  4. View Slide

  5. View Slide

  6. View Slide

  7. Good thing
    there is such a
    thing as
    inspection!

    View Slide

  8. But How Do We
    Measure Software?

    View Slide

  9. Testing
    I looked in the mirror
    five times. I
    confirmed that I look
    good.
    I am Ryan Gosling. I
    am wearing a suit.
    Ryan Gosling looks
    good in a suit.
    Q.E.D.
    Logical
    reasoning
    vs.

    View Slide

  10. Axioms.
    The set of facts we
    have to work with.
    Ingredients
    Theorems.
    Built from our axioms
    based on deduction
    rules.

    View Slide

  11. Deductive Logic:
    Detachment



    Am Ryan Gosling → Look good
    Am Ryan Gosling
    Look good

    View Slide





  12. Am Ryan Gosling → Great hair
    Great hair → Look good
    Am Ryan Gosling
    Look good
    Deductive Logic:
    Syllogism

    View Slide

  13. Deductive Logic:
    Contrapositive

    ¬
    ¬
    Am Ryan Gosling → Look good
    Do not look good
    Am not Ryan Gosling

    View Slide

  14. But How to Apply to
    Programs?

    View Slide

  15. Previous Work:
    Characterizing Program
    State
    = 3
    >
    ( ≠ 0) ⇒ ( + = )
    =
    ∈1…
    []
    ∀ ∈ 1 … . > [ − 1]

    Slide borrowed from Jonathan Aldrich, who borrowed slides from Rustan Leino.

    View Slide

  16. Characterizing
    Programs Using the
    Hoare Triple

    Precondition Program Postcondition

    View Slide

  17. Example Hoare Triples
    ∶= 5 = 5
    = { ∶= + 3} = + 3
    > 0 { ∶= ∗ 2} > −2
    = < 0 ℎ ∶= − = ||
    { ∶= 3} = 8
    {ℎ ≔ + 1}

    Looks
    good
    Any
    program
    Looks
    good

    View Slide

  18. Example: Assignment
    ? ≔ + 1 ≤
    Assignment axiom schema
    0

    where is a variable identifier;
    is an expression;

    0
    is obtained from by substituting for all
    occurrences of .

    View Slide

  19. Example: Assignment
    + 1 ≤ ≔ + 1 ≤
    0

    where is a variable identifier;
    is an expression;

    0
    is obtained from by substituting for all
    occurrences of .
    Assignment axiom schema

    View Slide

  20. Bringing This Back to
    Ryan Gosling
    + = ≔ + =
    ?

    View Slide

  21. 1
    1
    1
    2

    1
    ; 2

    Composition
    > 1 ≔ + 1 > 2
    > 2 ≔ + 1 > 3
    > 1 ≔ + 1; ≔ + 1 > 3
    > 1 ≔ + 1 > 2
    > 0 ≔ − < 0
    > 1 ≔ + 1; ≔ − ?

    View Slide







  22. Consequence
    > 1 ≔ + 1 > 2
    > 2 → > 0
    > 0 ≔ − < 0
    > 1 ≔ + 1; ≔ − < 0

    View Slide

  23. Consequence with RG
    + = ≔ + =
    = ≔ + =
    = → + =



    View Slide

  24. Iteration
    ∧ conjunction
    ¬ negation
    ∧ < 10 ≔ + 1
    < 10 ≔ + 1 ≥ 10 ∧
    > 0 ∧ < 10 ≔ + 1 > 0
    > 0 < 10 ≔ + 1 ≥ 10 ∧ > 0

    ¬ ∧

    View Slide

  25. View Slide

  26. Automated Tools Based
    on Hoare Logic

    View Slide

  27. Verified
    Type-checked
    Verve, a Type-Safe OS
    Safe to the Last Instruction / Jean Yang
    • Verify partial
    correctness of low-
    level Nucleus using
    Hoare logic based on a
    hardware spec.
    • Verify an interface to
    typed assembly for
    end-to-end safety.
    Nucleus
    File
    System
    Drivers
    Applications
    Microkernel
    Hardware specification
    Interface specification
    27
    [Yang and Hawblitzel, PLDI 2010]

    View Slide

  28. View Slide

  29. “Load” Specification
    procedure Load(ptr:int)
    returns (val:int);
    requires memAddr(ptr);
    requires Aligned(ptr);
    modifies Eip;
    ensures word(val);
    ensures val == Mem[ptr];
    Safe to the Last Instruction / Jean Yang 29

    View Slide

  30. Boogie to x86
    implementation ReadKeyboard(){
    call KeyboardStatusIn8();
    call eax := And(eax, 1);
    if (eax != 0) { goto proc; }
    call eax := mov(256);
    return;
    proc:
    call KeyboardDataIn8();
    call eax := And(eax, 255);
    return;
    }
    Safe to the Last Instruction / Jean Yang
    ReadKeyboard proc
    in al, 064h
    and eax, 1
    cmp eax, 0
    jne ReadKeyboard$proc
    mov eax, 256
    ret
    ReadKeyboard$skip:
    in al, 060h
    and eax, 255
    ret
    30

    View Slide

  31. The Verve Nucleus
    Safe to the Last Instruction / Jean Yang 31
    Verified
    Type-checked
    Nucleus
    File
    System
    Driver
    s
    Applications
    Microkernel
    Hardware specification
    Interface specification
    Verified
    Interface specification
    x86
    instructions
    Memory bounds Devices
    GC
    Heap
    Allocator and
    GC
    [POPL 2009]
    Stacks
    Interrupt
    table
    Interrupt/error
    handling
    Interface specification

    View Slide

  32. Ideas to Take Home

    View Slide

  33. Always think about
    correctness.

    View Slide

  34. Choose a language that
    helps you reason.

    View Slide

  35. Read Papers You Love!

    View Slide

  36. Play with Research Tools
    Coq

    View Slide

  37. M-MAYBE IT BECAME
    ILL AND COULDN’T
    PRINT AN
    OUTPUT !
    Be Patient with Research

    View Slide

  38. Pop Quiz!
    • What main issues did this paper address?
    • Why do we want to prove programs
    correct?
    • What were Hoare’s contributions to
    software verification?
    • What should we be doing when we leave
    here?

    View Slide

  39. Hoare Logic, Since 1969
    1. Define a way to characterize programs and
    properties.
    2. Build tools to automatically check program
    properties.
    3. Profit.

    View Slide