Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Formal verification in Scala with Leon

8b62135e6fe874b24bc01ed7cee448c7?s=47 Romain Ruetschi
August 28, 2015
Research
0
40

Formal verification in Scala with Leon

8b62135e6fe874b24bc01ed7cee448c7?s=128

Romain Ruetschi

August 28, 2015
Tweet

More Decks by Romain Ruetschi

See All by Romain Ruetschi
8b62135e6fe874b24bc01ed7cee448c7?s=48 romac
0
77
8b62135e6fe874b24bc01ed7cee448c7?s=48 romac
0
26
8b62135e6fe874b24bc01ed7cee448c7?s=48 romac
0
18
8b62135e6fe874b24bc01ed7cee448c7?s=48 romac
0
25

Other Decks in Research

See All in Research
Fccb5974b63d64636a7c90faf3bab51f?s=48 kikuzo
0
300
9fdb3aa57e5fb99b3772976b0b903e53?s=48 chikuwait
2
350
842835ac15342badc48543e39ce0431c?s=48 masahiro1
0
120
A2f0b02357897c8fa8e39ea87b33f450?s=48 pirika_info
0
810
Ae87a6075a4bc957a6775c6d70c8be90?s=48 yamathcy
0
350
00cc87fe4bac9d2f3c213ae97fde667a?s=48 ivanovskiy
0
1.3k
91b77d9a98b86e27838b183407270bc0?s=48 supikiti
0
250
40c3343a57cb430f12aed951798fd0fc?s=48 hirotohonda
1
490
77e8bd47ec598a4717eb61b21917f363?s=48 flankerhqd
2
4.1k
0afa0fa8da68232aa74f9566e01a36bf?s=48 sasakits
0
100
A82e268e52c06ad69b83f1a251c682d4?s=48 hiking
0
2.3k
C612ab39597a17ba5948cae54d13f99f?s=48 mkimura
3
1.1k

Featured

See All Featured
E4f5d494ebdc9e7cce1aecf3ce3e8bc1?s=48 shpigford
370
42k
Af6a12710770ad9a7cfd08c97efd40d3?s=48 pedronauck
652
110k
5f83ef806155b403c3393160ce51f955?s=48 jlugia
217
16k
8081b26e05bb4354f7d65ffc34cbbd67?s=48 chriscoyier
779
240k
1b8ad785acdd1ce1c99914b1c2a4e10e?s=48 sugarenia
233
880k
9fa239b3154a0169d99ab7bf1422dd12?s=48 marcelosomers
221
15k
15f2b8221f247985a27a627d2ece72f0?s=48 pauljervisheath
195
15k
4262b9cfacfb6b2c77f23e1d0310cd3e?s=48 myddelton
109
11k
168ccec72eee0530b818d44f3fedaacf?s=48 shlominoach
176
7.6k
A415db3ac9e9668acbc1fb36eead84ac?s=48 mthomps
38
2.4k
D36d2c1821af9249b69ff7f5ed60529b?s=48 tammielis
237
23k
95d9f37115fbb0d13135d0f77132f856?s=48 morganepeng
21
1.3k

Transcript

  1. Formal verification in Scala with Leon Romain Ruetschi, EPFL August

    2015 0

  2. Outline 1. Formal verification 2. A few words about Scala

    3. Leon, a verification system for Scala 4. Verification conditions 5. Demo 6. Under the hood 7. SMT solver 1

  3. Formal verification 2

  4. Formal verification Traditionally, errors in hardware and software have been

    discovered empirically, by testing them in many possible situations. The number of situations to account for is usually so large that it becomes impractical. Formal verification is an alternative that involves trying to prove mathematically that a computer system will function as intended. 3

  5. Formal verification A lot of hardware companies rely extensively on

    formal verification, eg. Intel. But it can also be applied to cryptographic protocols, digital circuits, software, etc. 4

  6. Formal verification of software Formal verification of software Process of

    proving that a program satisfies a formal specification of its behavior, thus making the program safer and more reliable. Catches bugs such as integer overflows, divide-by-zero, out-of-bounds array accesses, buffer overflows, etc. But also helps making sure that an algorithm is properly implemented. 5

  7. Formal verification of software 6

  8. A few words about Scala 7

  9. A few words about Scala ￿ Statically typed programming language.

    ￿ Runs on the Java Virtual Machine. ￿ Invented at EPFL by Prof. Martin Odersky. ￿ Version 1.0 released in 2004. ￿ In use at companies such as: Twitter, UBS, LinkedIn, MUFG, Geisha Tokyo Entertainment, M3, etc. 8

  10. Leon, a verification system for Scala 9

  11. Leon, a verification system for Scala Leon takes as input

    a Scala source file, and generates individual verification conditions corresponding to different properties of the program. It then tries to prove or disprove that the verification conditions hold. 10

  12. Verification conditions 11

  13. Verification conditions Pre- and post-conditions def neg(x: Int): Int =

    { require(x >= 0) -x } ensuring(_ <= 0) Leon will try to prove that the post-condition always holds, assuming that the pre-condition does hold. 12

  14. Verification Array access safety For each array variable, Leon carries

    along a symbolic information on its length. This information is used to prove that each expression used as an index in the array is both positive and strictly smaller than its length. 13

  15. Verification conditions Pattern matching exhaustiveness Leon takes pre-conditions into account

    to verify that pattern matches are exhaustive. def getHead(l: List): Int = { require(l != Nil) l match { case x :: _ => x } } 14

  16. Repair and synthesis 15

  17. Repair and synthesis Leon can automatically repair your program if

    it doesn’t satisify its specification. More importantly, it can also synthesize code from a specification! It does so by attempting to find a counter-example to the claim that no program satisfying the given specification exists. 16

  18. Demo: leon.epfl.ch 17

  19. Under the hood 18

  20. Under the hood Leon is itself written in Scala. It

    delegates parsing and typechecking to the Scala compiler. The AST it gets from scalac is then converted to a PureScala AST. 19

  21. Under the hood This AST then goes through a number

    of transformations, before either of the verification, repair or synthesis phases kick in. 20

  22. Under the hood Most of the hard work required to

    prove or disprove various properties of the program is delegated to an SMT solver. 21

  23. SMT solver SMT stands for Satisfiability Modulo Theories. An SMT

    instance is a first-order logic formulas over various theories such as real numbers, integers, lists, arrays, ADTs, and others. 22

  24. SMT solver Verification conditions are translated to an SMT instance,

    then fed to the SMT solver, which attempts to either prove it, or yield a counter-example. 23

  25. Learn more about Leon 24

  26. Learn more about Leon ￿ http://leon.epfl.ch ￿ http://leon.epfl.ch/doc ￿ http://lara.epfl.ch/w/leon

    ￿ https://github.com/epfl-lara/leon 25

  27. Thank you! 26

  28. Contact If you have any questions or just want to

    get in touch: Twitter: @_romac GitHub: @romac 27

  29. Bachelor semester project 28

  30. Bachelor semester project An encoding of Any for Leon 29

  31. An encoding of Any for Leon Adds support for uni-typed

    programs such as def reverse(lst: Any): Any = { if (lst == Nil()) Nil() else reverse(lst.tail) ++ Cons(lst.head, Nil()) } ensuring (_.contents == lst.contents) def reverseReverseIsIdentity(lst: Any) = { reverse(reverse(lst)) == lst }.holds 30

  32. An encoding of Any for Leon Mostly an experiment, as

    using Any is generally frowned upon in the Scala community. Has nonetheless interesting applications, such as eg. automatically porting theorems from Lisp-based theorem provers like ACL2. 31

  33. An encoding of Any for Leon Nothing too fancy. It’s

    just a pre-processing phase, that encodes Any as a sum type and lifts expressions into it. Allowed us to add support for Any without touching the rest of the system. 32

  34. An encoding of Any for Leon Before case class Box(value:

    Int) def double(x: Any): Any = x match { case n: Int => n * 2 case Box(n) => Box(n * 2) case _ => x } double(42) 33

  35. An encoding of Any for Leon After sealed abstract class

    Any1 case class Any1Int(value: Int) extends Any1 case class Any1Box(value: Box) extends Any1 def double(x: Any1): Any1 = x match { case Any1Int(n) => Any1Int(n * 2) case Any1Box(Box(n)) => Any1Box(Box(n * 2)) case _ => x } double(Any1Int(42)) 34