An Axiomatic Basis for Computer Programming Jean Yang Papers We Love #10 / 11.18.14

An Axiomatic Basis for Computer Programming Jean Yang Ph.D. student, MIT CSAIL November 18, 2014

No content

No content

No content

No content

Good thing there is such a thing as inspection!

But How Do We Measure Software?

Testing I looked in the mirror five times. I confirmed that I look good. I am Ryan Gosling. I am wearing a suit. Ryan Gosling looks good in a suit. Q.E.D. Logical reasoning vs.

Axioms. The set of facts we have to work with. Ingredients Theorems. Built from our axioms based on deduction rules.

Deductive Logic: Detachment → Am Ryan Gosling → Look good Am Ryan Gosling Look good

→ → Am Ryan Gosling → Great hair Great hair → Look good Am Ryan Gosling Look good Deductive Logic: Syllogism

Deductive Logic: Contrapositive → ¬ ¬ Am Ryan Gosling → Look good Do not look good Am not Ryan Gosling

But How to Apply to Programs?

Previous Work: Characterizing Program State = 3 > ( ≠ 0) ⇒ ( + = ) = ∈1… [] ∀ ∈ 1 … . > [ − 1] Slide borrowed from Jonathan Aldrich, who borrowed slides from Rustan Leino.

Characterizing Programs Using the Hoare Triple Precondition Program Postcondition

Example Hoare Triples ∶= 5 = 5 = { ∶= + 3} = + 3 > 0 { ∶= ∗ 2} > −2 = < 0 ℎ ∶= − = || { ∶= 3} = 8 {ℎ ≔ + 1} … Looks good Any program Looks good

Example: Assignment ? ≔ + 1 ≤ Assignment axiom schema 0 ≔ where is a variable identifier; is an expression; 0 is obtained from by substituting for all occurrences of .

Example: Assignment + 1 ≤ ≔ + 1 ≤ 0 ≔ where is a variable identifier; is an expression; 0 is obtained from by substituting for all occurrences of . Assignment axiom schema

Bringing This Back to Ryan Gosling + = ≔ + = ?

1 1 1 2 1 ; 2 Composition > 1 ≔ + 1 > 2 > 2 ≔ + 1 > 3 > 1 ≔ + 1; ≔ + 1 > 3 > 1 ≔ + 1 > 2 > 0 ≔ − < 0 > 1 ≔ + 1; ≔ − ?

→ → Consequence > 1 ≔ + 1 > 2 > 2 → > 0 > 0 ≔ − < 0 > 1 ≔ + 1; ≔ − < 0

Consequence with RG + = ≔ + = = ≔ + = = → + = →

Iteration ∧ conjunction ¬ negation ∧ < 10 ≔ + 1 < 10 ≔ + 1 ≥ 10 ∧ > 0 ∧ < 10 ≔ + 1 > 0 > 0 < 10 ≔ + 1 ≥ 10 ∧ > 0 ∧ ¬ ∧

No content

Automated Tools Based on Hoare Logic

Verified Type-checked Verve, a Type-Safe OS Safe to the Last Instruction / Jean Yang • Verify partial correctness of low- level Nucleus using Hoare logic based on a hardware spec. • Verify an interface to typed assembly for end-to-end safety. Nucleus File System Drivers Applications Microkernel Hardware specification Interface specification 27 [Yang and Hawblitzel, PLDI 2010]

No content

“Load” Specification procedure Load(ptr:int) returns (val:int); requires memAddr(ptr); requires Aligned(ptr); modifies Eip; ensures word(val); ensures val == Mem[ptr]; Safe to the Last Instruction / Jean Yang 29

Boogie to x86 implementation ReadKeyboard(){ call KeyboardStatusIn8(); call eax := And(eax, 1); if (eax != 0) { goto proc; } call eax := mov(256); return; proc: call KeyboardDataIn8(); call eax := And(eax, 255); return; } Safe to the Last Instruction / Jean Yang ReadKeyboard proc in al, 064h and eax, 1 cmp eax, 0 jne ReadKeyboard$proc mov eax, 256 ret ReadKeyboard$skip: in al, 060h and eax, 255 ret 30

The Verve Nucleus Safe to the Last Instruction / Jean Yang 31 Verified Type-checked Nucleus File System Driver s Applications Microkernel Hardware specification Interface specification Verified Interface specification x86 instructions Memory bounds Devices GC Heap Allocator and GC [POPL 2009] Stacks Interrupt table Interrupt/error handling Interface specification

Ideas to Take Home

Always think about correctness.

Choose a language that helps you reason.

Read Papers You Love!

Play with Research Tools Coq

M-MAYBE IT BECAME ILL AND COULDN’T PRINT AN OUTPUT ! Be Patient with Research

Pop Quiz! • What main issues did this paper address? • Why do we want to prove programs correct? • What were Hoare’s contributions to software verification? • What should we be doing when we leave here?

Hoare Logic, Since 1969 1. Define a way to characterize programs and properties. 2. Build tools to automatically check program properties. 3. Profit.