Results 1-10 of 43
Types and Higher-Order Recursion Schemes for Verification of Higher-Order Programs
, 2009
Cited by 33 (7 self)
We propose a new verification method for temporal properties of higher-order functional programs, which takes advantage of Ong’s recent result on the decidability of the model-checking problem for higher-order recursion schemes (HORS’s). A program is transformed to an HORS that generates a tree representing all the possible event sequences of the program, and then the HORS is model-checked. Unlike most of the previous methods for verification of higher-order programs, our verification method is sound and complete. Moreover, this new verification framework allows a smooth integration of abstract model checking techniques into verification of higher-order programs. We also present a type-based verification algorithm for HORS’s. The algorithm can deal with only a fragment of the properties expressed by modal μ-calculus, but the algorithm and its correctness proof are (arguably) much simpler than those of Ong’s game-semantics-based algorithm. Moreover, while the HORS model checking problem is n-EXPTIME in general, our algorithm is linear in the size of HORS, under the assumption that the sizes of types and specifications are bounded by a constant.
Decision procedures for algebraic data types with abstractions
In 37th ACM SIGACT-SIGPLAN Symposium on Principles of Programming Languages (POPL)
, 2010
Cited by 27 (10 self)
We describe a family of decision procedures that extend the decision procedure for quantifier-free constraints on recursive algebraic data types (term algebras) to support recursive abstraction functions. Our abstraction functions are catamorphisms (term algebra homomorphisms) mapping algebraic data type values into values in other decidable theories (e.g. sets, multisets, lists, integers, booleans). Each instance of our decision procedure family is sound; we identify a widely applicable many-to-one condition on abstraction functions that implies completeness. Complete instances of our decision procedure include the following correctness statements: 1) a functional data structure implementation satisfies a recursively specified invariant, 2) such a data structure conforms to a contract given in terms of sets, multisets, lists, sizes, or heights, 3) a transformation of a formula (or lambda term) abstract syntax tree changes the set of free variables in the specified way.
Hybrid Type Checking
Cited by 20 (0 self)
Traditional static type systems are effective for verifying basic interface specifications. Dynamically-checked contracts support more precise specifications, but these are not checked until run time, resulting in incomplete detection of defects. Hybrid type checking is a synthesis of these two approaches that enforces precise interface specifications, via static analysis where possible, but also via dynamic checks where necessary. This paper explores the key ideas and implications of hybrid type checking, in the context of the λ-calculus extended with contract types, i.e., with dependent function types and with arbitrary refinements of base types.
Semantic subtyping with an SMT solver
, 2010
Cited by 20 (1 self)
We study a first-order functional language with the novel combination of the ideas of refinement type (the subset of a type to satisfy a Boolean expression) and type-test (a Boolean expression testing whether a value belongs to a type). Our core calculus can express a rich variety of typing idioms; for example, intersection, union, negation, singleton, nullable, variant, and algebraic types are all derivable. We formulate a semantics in which expressions denote terms, and types are interpreted as first-order logic formulas. Subtyping is defined as valid implication between the semantics of types. The formulas are interpreted in a specific model that we axiomatize using standard first-order theories. On this basis, we present a novel type-checking algorithm able to eliminate many dynamic tests and to detect many errors statically. The key idea is to rely on an SMT solver to compute subtyping efficiently. Moreover, interpreting types as formulas allows us to call the SMT solver at runtime to compute instances of types.
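The two preceding abstracts, hybrid type checking and semantic subtyping, share one idea: a type denotes a formula, subtyping is a valid implication between formulas, the implication is handed to a solver, and a check the solver cannot discharge statically is either rejected or turned into a runtime test. The following Python sketch is an added illustration written for this page, not code from either paper or from their implementations. It assumes plain Python predicates in place of the refinement logic, an exhaustive check over a small constructed universe of values in place of the SMT solver (so its verdicts are sound only for that universe), and an `opaque` flag standing in for predicates the solver cannot reason about; `check_subtype`, `hybrid_cast`, `coerce` and the example types `Pos`, `Nat`, `Small` and `Prime` are all hypothetical names.

```python
"""Types as formulas, subtyping as valid implication, hybrid checks.

Added illustration, not code from either paper. Python predicates stand
in for the refinement logic; an exhaustive check over a small constructed
universe stands in for the SMT solver (sound only for that universe); an
'opaque' flag marks predicates the static checker cannot reason about.
"""
from dataclasses import dataclass
from typing import Any, Callable, Tuple

# Constructed finite universe standing in for the solver's model.
UNIVERSE = [None, True, False, *range(-8, 9)]

@dataclass(frozen=True)
class Type:
    name: str
    pred: Callable[[Any], bool]  # the formula the type denotes
    opaque: bool = False         # True: not decidable by the static checker

def refine(base: Type, name: str, p: Callable[[Any], bool], opaque: bool = False) -> Type:
    """{v : base | p(v)}: conjunction of the base formula and the refinement."""
    return Type(name, lambda v: base.pred(v) and p(v), base.opaque or opaque)

NULL = Type("Null", lambda v: v is None)
INT = Type("Int", lambda v: isinstance(v, int) and not isinstance(v, bool))

# Derived type formers are logical connectives on the formulas.
def inter(a: Type, b: Type) -> Type:
    return Type(f"({a.name} & {b.name})", lambda v: a.pred(v) and b.pred(v), a.opaque or b.opaque)

def union(a: Type, b: Type) -> Type:
    return Type(f"({a.name} | {b.name})", lambda v: a.pred(v) or b.pred(v), a.opaque or b.opaque)

def neg(a: Type) -> Type:
    return Type(f"~{a.name}", lambda v: not a.pred(v), a.opaque)

def singleton(c: Any) -> Type:
    # type(v) is type(c) avoids Python treating 0 and False as equal
    return Type(repr(c), lambda v: type(v) is type(c) and v == c)

def nullable(a: Type) -> Type:
    return union(a, NULL)

def check_subtype(a: Type, b: Type) -> Tuple[str, Any]:
    """a <: b iff the implication forall v. a(v) -> b(v) is valid.
    Returns ('valid', None), ('invalid', counterexample) or ('unknown', None)."""
    if a.opaque or b.opaque:
        return ("unknown", None)
    for v in UNIVERSE:  # stand-in for the SMT query
        if a.pred(v) and not b.pred(v):
            return ("invalid", v)  # a model of a(v) & not b(v)
    return ("valid", None)

class StaticTypeError(Exception):
    pass

class DynamicTypeError(Exception):
    pass

def hybrid_cast(a: Type, b: Type):
    """Compile a coercion from a to b: 'valid' needs no runtime test,
    'invalid' is rejected statically, 'unknown' gets a runtime test."""
    verdict, witness = check_subtype(a, b)
    if verdict == "valid":
        return (lambda v: v), "static"
    if verdict == "invalid":
        raise StaticTypeError(f"{a.name} is not a subtype of {b.name}: counterexample {witness!r}")

    def checked(v):
        if not b.pred(v):
            raise DynamicTypeError(f"{v!r} is not a {b.name}")
        return v
    return checked, "dynamic"

def coerce(a: Type, b: Type, v: Any) -> str:
    """Outcome of coercing v from a to b, as one of four labels."""
    try:
        f, mode = hybrid_cast(a, b)
    except StaticTypeError:
        return "rejected"
    if mode == "static":
        return "static"
    try:
        f(v)
        return "dynamic-ok"
    except DynamicTypeError:
        return "dynamic-fail"

# Example refinement types (assumed for illustration).
POS = refine(INT, "Pos", lambda v: v > 0)
NAT = refine(INT, "Nat", lambda v: v >= 0)
SMALL = refine(INT, "Small", lambda v: 0 < v < 10)

def is_prime(n: int) -> bool:
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

# Opaque to the static checker, so only a runtime test can enforce it.
PRIME = refine(INT, "Prime", is_prime, opaque=True)

if __name__ == "__main__":
    print(check_subtype(SMALL, NAT), check_subtype(INT, POS))
    print(check_subtype(nullable(POS), POS), check_subtype(inter(NAT, neg(singleton(0))), POS))
    print(coerce(SMALL, NAT, 5), coerce(INT, PRIME, 7), coerce(INT, PRIME, 8), coerce(INT, POS, 3))
```

The intersection, union, negation, singleton and nullable formers are nothing more than connectives on the underlying formulas, which is why `{v : Nat | v != 0}` is accepted as a subtype of `Pos` without any rule specific to those types. The `Prime` refinement shows the hybrid fallback: the checker cannot decide the implication, so the cast compiles to a runtime test that accepts 7 and rejects 8, whereas `Int` to `Pos` is refused outright with a concrete counterexample.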
Satisfiability modulo recursive programs
In Static Analysis Symposium (SAS)
, 2011
Cited by 15 (6 self)
We present a semi-decision procedure for checking satisfiability of expressive correctness properties of recursive first-order functional programs. In our approach, both properties and programs are expressed in the same language, a subset of Scala. We implemented our procedure and integrated it with the Z3 SMT solver and the Scala compiler. Our procedure is sound for counterexamples and for proofs of terminating functions. It is terminating and thus complete for many important classes of specifications, including all satisfiable formulas and all formulas where recursive functions satisfy certain syntactic restrictions. Using our system, Leon, we verified detailed correctness properties for functional data structure implementations, as well as syntax tree manipulations. We have found our system to be fast for both finding counterexamples and finding correctness proofs, and to scale to larger programs than alternative techniques.
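The decision procedures entry above and this Leon abstract describe two pieces of the same workflow: a catamorphism such as a `content` function maps a tree to the set of its keys so that a contract can be stated over sets rather than over the tree itself, and a semi-decision procedure that unrolls the recursive functions is sound for counterexamples but may fail to establish a true property within a given unrolling bound. The following Python sketch is an added illustration written for this page, not code from either paper, from Leon or from its Scala integration. It assumes a binary search tree, a deliberately wrong `insert_buggy`, and exhaustive enumeration of trees up to a depth bound over a small constructed key range in place of Leon's symbolic unrolling and SMT queries; `content`, `is_bst`, `insert`, `insert_buggy`, `prop_contract`, `prop_invariant`, `trees` and `find_counterexample` are all hypothetical names.

```python
"""Checking a tree against a recursive invariant and a set-valued
contract by bounded counterexample search.

Added illustration, not code from either paper or from Leon. The
abstraction function `content` is a catamorphism from trees to sets;
the properties are written as ordinary functions over the program, as in
Leon; and exhaustive enumeration of trees up to a depth bound over a
small constructed key range stands in for symbolic unrolling plus SMT
queries. A returned counterexample is genuine; None is not a proof.
"""
from dataclasses import dataclass
from itertools import product
from typing import Callable, Iterator, Optional, Tuple, Union

@dataclass(frozen=True)
class Leaf:
    pass

@dataclass(frozen=True)
class Node:
    left: "Tree"
    key: int
    right: "Tree"

Tree = Union[Leaf, Node]

def content(t: Tree) -> frozenset:
    """Catamorphism: the set of keys stored in t."""
    if isinstance(t, Leaf):
        return frozenset()
    return content(t.left) | {t.key} | content(t.right)

def is_bst(t: Tree, lo: float = float("-inf"), hi: float = float("inf")) -> bool:
    """Recursively specified invariant: binary-search ordering."""
    if isinstance(t, Leaf):
        return True
    return lo < t.key < hi and is_bst(t.left, lo, t.key) and is_bst(t.right, t.key, hi)

def insert(t: Tree, x: int) -> Tree:
    """Correct insertion into a binary search tree."""
    if isinstance(t, Leaf):
        return Node(Leaf(), x, Leaf())
    if x < t.key:
        return Node(insert(t.left, x), t.key, t.right)
    if x > t.key:
        return Node(t.left, t.key, insert(t.right, x))
    return t

def insert_buggy(t: Tree, x: int) -> Tree:
    """Deliberately wrong: once the left subtree is non-empty, smaller keys
    are sent right. Keeps the set contract but breaks the ordering, and only
    on trees of height at least two."""
    if isinstance(t, Leaf):
        return Node(Leaf(), x, Leaf())
    if x < t.key and isinstance(t.left, Leaf):
        return Node(insert_buggy(t.left, x), t.key, t.right)
    if x != t.key:
        return Node(t.left, t.key, insert_buggy(t.right, x))
    return t

Insert = Callable[[Tree, int], Tree]

def prop_contract(ins: Insert, t: Tree, x: int) -> bool:
    """content(ins(t, x)) == content(t) union {x}"""
    return content(ins(t, x)) == content(t) | {x}

def prop_invariant(ins: Insert, t: Tree, x: int) -> bool:
    """is_bst(t) implies is_bst(ins(t, x))"""
    return not is_bst(t) or is_bst(ins(t, x))

KEYS = range(4)  # constructed small key range

def trees(depth: int) -> Iterator[Tree]:
    """All trees of height at most depth over KEYS (the unrolling bound)."""
    yield Leaf()
    if depth == 0:
        return
    smaller = list(trees(depth - 1))
    for left, key, right in product(smaller, KEYS, smaller):
        yield Node(left, key, right)

def find_counterexample(prop, ins: Insert, max_depth: int) -> Optional[Tuple[int, Tree, int]]:
    """Iterative deepening over the bound. Returns (depth, t, x) or None."""
    for depth in range(max_depth + 1):
        for t in trees(depth):
            for x in KEYS:
                if not prop(ins, t, x):
                    return (depth, t, x)
    return None

if __name__ == "__main__":
    print(find_counterexample(prop_contract, insert, 2), find_counterexample(prop_invariant, insert, 2))
    print(find_counterexample(prop_contract, insert_buggy, 2))   # set contract still holds
    print(find_counterexample(prop_invariant, insert_buggy, 1))  # bound too shallow: nothing found
    print(find_counterexample(prop_invariant, insert_buggy, 2))  # ordering bug exposed
```

The two properties correspond to correctness statements 1) and 2) of the decision procedures abstract: the first is a recursively specified invariant on the structure itself, the second a contract phrased through the `content` abstraction. The last two calls show why a bounded search is only a semi-decision procedure: the ordering bug needs a tree of height two to manifest, so a search bounded at height one reports nothing, while deepening to two returns the offending tree and key, and the set contract holds at every depth tried without that being a proof.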
Type-based data structure verification
In PLDI
, 2009
Cited by 13 (5 self)
We present a refinement type-based approach for the static verification of complex data structure invariants. Our approach is based on the observation that complex data structures are typically fashioned from two elements: recursion (e.g., lists and trees), and maps (e.g., arrays and hash tables). We introduce two novel type-based mechanisms targeted towards these elements: recursive refinements and polymorphic refinements. These mechanisms automate the challenging work of generalizing and instantiating rich universal invariants by piggybacking simple refinement predicates on top of types, and carefully dividing the labor of analysis between the type system and an SMT solver [6]. Further, the mechanisms permit the use of the abstract interpretation framework of liquid type inference [22] to automatically synthesize complex invariants from simple logical qualifiers, thereby almost completely automating the verification. We have implemented our approach in DSOLVE, which uses liquid types to verify OCAML programs. We present experiments that show that our type-based approach reduces the manual annotation required to verify complex properties like sortedness, balancedness, binary-search-ordering, and acyclicity by more than an order of magnitude.
Synthesizing software verifiers from proof rules
In PLDI
, 2012
Cited by 11 (3 self)
Automatically generated tools can significantly improve programmer productivity. For example, parsers and dataflow analyzers can be automatically generated from declarative specifications in the form of grammars, which tremendously simplifies the task of implementing a compiler. In this paper, we present a method for the automatic synthesis of software verification tools. Our synthesis procedure takes as input a description of the employed proof rule, e.g., program safety checking via inductive invariants, and produces a tool that automatically discovers the auxiliary assertions required by the proof rule, e.g., inductive loop invariants and procedure summaries. We rely on a (standard) representation of proof rules using recursive equations over the auxiliary assertions. The discovery of auxiliary assertions, i.e., solving the equations, is based on an iterative process that extrapolates solutions obtained for finitary unrollings of equations. We show how our method synthesizes automatic safety and liveness verifiers for programs with procedures, multithreaded programs, and functional programs. Our experimental comparison of the resulting verifiers with existing state-of-the-art verification tools confirms the practicality of the approach.
Dependent Types from Counterexamples
, 2010
Cited by 10 (0 self)
Motivated by recent research in abstract model checking, we present a new approach to inferring dependent types. Unlike many of the existing approaches, our approach does not rely on programmers to supply the candidate (or the correct) types for the recursive functions and instead does counterexample-guided refinement to automatically generate the set of candidate dependent types. The main idea is to extend the classical fixed-point type inference routine to return a counterexample if the program is found untypable with the current set of candidate types. Then, an interpolating theorem prover is used to validate the counterexample as a real type error or generate additional candidate dependent types to refute the spurious counterexample. The process is repeated until either a real type error is found or sufficient candidates are generated to prove the program typable. Our system makes nontrivial use of “linear” intersection types in the refinement phase. The paper presents the type inference system and reports on the experience with a prototype implementation that infers dependent types for a subset of the OCaml language. The implementation infers dependent types containing predicates from the quantifier-free theory of linear arithmetic and equality with uninterpreted function symbols.
Low-Level Liquid Types
Cited by 9 (4 self)
We present Low-Level Liquid Types, a refinement type system for C based on Liquid Types. Low-Level Liquid Types combine refinement types with three key elements to automate verification of critical safety properties of low-level programs: First, by associating refinement types with individual heap locations and precisely tracking the locations referenced by pointers, our system is able to reason about complex invariants of in-memory data structures and sophisticated uses of pointer arithmetic. Second, by adding constructs which allow strong updates to the types of heap locations, even in the presence of aliasing, our system is able to verify properties of in-memory data structures in spite of temporary invariant violations. By using this strong update mechanism, our system is able to verify the correct initialization of newly-allocated regions of memory. Third, by using the abstract interpretation framework of Liquid Types, we are able to use refinement type inference to automatically verify important safety properties without imposing an onerous annotation burden. We have implemented our approach in CSOLVE, a tool for Low-Level Liquid Type inference for C programs. We demonstrate through several examples that CSOLVE is able to precisely infer complex invariants required to verify important safety properties, like the absence of array bounds violations and null-dereferences, with a minimal annotation overhead.
Nested refinements: A logic for duck typing
Cited by 7 (1 self)
Programs written in dynamic languages make heavy use of features — runtime type tests, value-indexed dictionaries, polymorphism, and higher-order functions — that are beyond the reach of type systems that employ either purely syntactic or purely semantic reasoning. We present a core calculus, System D, that merges these two modes of reasoning into a single powerful mechanism of nested refinement types wherein the typing relation is itself a predicate in the refinement logic. System D coordinates SMT-based logical implication and syntactic subtyping to automatically typecheck sophisticated dynamic language programs. By coupling nested refinements with McCarthy’s theory of finite maps, System D can precisely reason about the interaction of higher-order functions, polymorphism, and dictionaries. The addition of type predicates to the refinement logic creates a circularity that leads to unique technical challenges in the metatheory, which we solve with a novel stratification approach that we use to prove the soundness of System D.