local reasoning about the presence of bugs incorrectness
play

Local Reasoning about the Presence of Bugs: Incorrectness Separation - PowerPoint PPT Presentation

Local Reasoning about the Presence of Bugs: Incorrectness Separation Logic (ISL) Azalea Raad 1,2 Josh Berdine 3 Hoang-Hai Dang 2 Derek Dreyer 2 Peter OHearn 3,4 Jules Villard 3 1 Imperial College London 2 Max Planck Institute for Software


  1. Local Reasoning about the Presence of Bugs: Incorrectness Separation Logic (ISL) Azalea Raad 1,2 Josh Berdine 3 Hoang-Hai Dang 2 Derek Dreyer 2 Peter O’Hearn 3,4 Jules Villard 3 1 Imperial College London 2 Max Planck Institute for Software Systems (MPI-SWS) 3 Facebook London 4 University College London azalea@imperial.ac.uk SoundAndComplete.org @azalearaad

  2. State of the Art: Correctness ❖ Lots of work on local reasoning for proving correctness ➡ Prove the absence of bugs ➡ Over-approximate reasoning � 2

  3. State of the Art: Correctness ❖ Lots of work on local reasoning for proving correctness ➡ Prove the absence of bugs ➡ Over-approximate reasoning ➡ Compositionality in code ⇒ reasoning about incomplete components in resources accessed ⇒ spatial locality � 2

  4. State of the Art: Correctness ❖ Lots of work on local reasoning for proving correctness ➡ Prove the absence of bugs ➡ Over-approximate reasoning ➡ Compositionality in code ⇒ reasoning about incomplete components in resources accessed ⇒ spatial locality ➡ Scalability to large teams and codebases � 2

  5. State of the Art: Bug Catching ❖ Lots of work on bug catching ➡ Prove the presence of bugs ➡ E.g. symbolic model checking, symbolic execution for testing ➡ Under-approximate reasoning � 3

  6. State of the Art: Bug Catching ❖ Lots of work on bug catching ➡ Prove the presence of bugs ➡ E.g. symbolic model checking, symbolic execution for testing ➡ Under-approximate reasoning ❖ Based on global reasoning � 3

  7. State of the Art: Bug Catching ❖ Lots of work on bug catching ➡ Prove the presence of bugs ➡ E.g. symbolic model checking, symbolic execution for testing ➡ Under-approximate reasoning ❖ Based on global reasoning ❖ Exceptions using local reasoning ➡ e.g. Infer � 3

  8. State of the Art: Bug Catching ❖ Lots of work on bug catching ➡ Prove the presence of bugs ➡ E.g. symbolic model checking, symbolic execution for testing ➡ Under-approximate reasoning ❖ Based on global reasoning ❖ Exceptions using local reasoning ➡ e.g. Infer ➡ Using correctness -based compositional analysis � 3

  9. State of the Art: Bug Catching ❖ Lots of work on bug catching ➡ Prove the presence of bugs ➡ E.g. symbolic model checking, symbolic execution for testing ➡ Under-approximate reasoning Incorrectness Logic (O’Hearn) ❖ Based on global reasoning Formal Foundations ❖ Exceptions using local reasoning for ➡ e.g. Infer Bug Catching ➡ Using correctness -based compositional analysis � 3

  10. Incorrectness Logic (IL) {p} C {q} Hoare triples � 4

  11. Incorrectness Logic (IL) {p} C {q} Hoare triples For all states s in p if running C on s terminates in s’ , then s’ is in q � 4

  12. Incorrectness Logic (IL) {p} C {q} post(C)p ⊆ q Hoare triples iff For all states s in p if running C on s terminates in s’ , then s’ is in q � 4

  13. Incorrectness Logic (IL) {p} C {q} post(C)p ⊆ q Hoare triples iff For all states s in p if running C on s terminates in s’ , then s’ is in q post(C)p q ⊆ � 4

  14. Incorrectness Logic (IL) {p} C {q} post(C)p ⊆ q Hoare triples iff For all states s in p if running C on s terminates in s’ , then s’ is in q post(C)p q ⊇ � 4

  15. Incorrectness Logic (IL) {p} C {q} post(C)p ⊆ q Hoare triples iff For all states s in p if running C on s terminates in s’ , then s’ is in q [p] C [q] post(C)p q iff ⊇ � 4

  16. Incorrectness Logic (IL) {p} C {q} post(C)p ⊆ q Hoare triples iff For all states s in p if running C on s terminates in s’ , then s’ is in q [p] C [q] Incorrectness post(C)p q iff ⊇ triples � 4

  17. Incorrectness Logic (IL) {p} C {q} post(C)p ⊆ q Hoare triples iff For all states s in p if running C on s terminates in s’ , then s’ is in q [p] C [q] Incorrectness post(C)p q iff ⊇ triples For all states s in q s can be reached by running C on some s’ in p � 4

  18. Incorrectness Logic (IL) {p} C {q} post(C)p ⊆ q Hoare triples iff � 5

  19. Incorrectness Logic (IL) {p} C {q} post(C)p ⊆ q Hoare triples iff q over-approximates post(C)p � 5

  20. Incorrectness Logic (IL) {p} C {q} post(C)p ⊆ q Hoare triples iff q over-approximates post(C)p post(C)p q � 5

  21. Incorrectness Logic (IL) {p} C {q} post(C)p ⊆ q Hoare triples iff q over-approximates post(C)p post(C)p q true positive � 5

  22. Incorrectness Logic (IL) {p} C {q} post(C)p ⊆ q Hoare triples iff q over-approximates post(C)p post(C)p false positive q true positive � 5

  23. Incorrectness Logic (IL) {p} C {q} post(C)p ⊆ q Hoare triples iff q over-approximates post(C)p post(C)p false positive q true positive [p] C [q] Incorrectness post(C)p q iff ⊇ triples q under-approximates post(C)p � 5

  24. Incorrectness Logic (IL) {p} C {q} post(C)p ⊆ q Hoare triples iff q over-approximates post(C)p post(C)p false positive q true positive [p] C [q] Incorrectness post(C)p q iff ⊇ triples q under-approximates post(C)p q true positive post(C)p � 5

  25. Incorrectness Logic (IL) {p} C {q} post(C)p ⊆ q Hoare triples iff q over-approximates post(C)p post(C)p false positive q true positive [p] C [q] Incorrectness post(C)p q iff ⊇ triples q under-approximates post(C)p q false negative true positive post(C)p � 5

  26. Incorrectness Logic (IL) [p] C [ 𝜁 : q] 𝜁 : exit condition ok: normal execution er : erroneous execution � 6

  27. Incorrectness Logic (IL) [p] C [ 𝜁 : q] 𝜁 : exit condition ok: normal execution er : erroneous execution [y=v] x:=y [ok: x=y=v] � 6

  28. Incorrectness Logic (IL) [p] C [ 𝜁 : q] 𝜁 : exit condition ok: normal execution er : erroneous execution [y=v] x:=y [ok: x=y=v] [p] error( ) [er: p] � 6

  29. Incorrectness Logic (IL) [p] C [ 𝜁 : q] post(C, 𝜁 )p ⊇ q iff Equivalent Definition (reachability) ∀ s ∈ q. ∃ s’ ∈ p. (s’,s) ∈ [C] 𝜁 [p] C [ 𝜁 : q] iff � 7

  30. Incorrectness Logic: Summary + Under-approximate analogue of Hoare Logic + Formal foundation for bug catching � 8

  31. Incorrectness Logic: Summary + Under-approximate analogue of Hoare Logic + Formal foundation for bug catching — Global reasoning: non-compositional (as in original Hoare Logic) — Cannot target memory safety bugs (e.g. use-after-free) � 8

  32. Incorrectness Logic: Summary + Under-approximate analogue of Hoare Logic + Formal foundation for bug catching Our Solution — Global reasoning: non-compositional (as in original Hoare Logic) — Cannot target memory safety bugs (e.g. use-after-free) Incorrectness Separation Logic � 8

  33. Contributions � 9

  34. Contributions ❖ Incorrectness Separation Logic (ISL) ➡ IL + SL for compositional bug catching � 9

  35. Contributions ❖ Incorrectness Separation Logic (ISL) ➡ IL + SL for compositional bug catching ➡ Under-approximate analogue of SL ➡ Targets memory safety bugs (e.g. use-after-free) ➡ Scalable : inspired by Facebook Pulse � 9

  36. Contributions ❖ Incorrectness Separation Logic (ISL) ➡ IL + SL for compositional bug catching ➡ Under-approximate analogue of SL ➡ Targets memory safety bugs (e.g. use-after-free) ➡ Scalable : inspired by Facebook Pulse ❖ Combining IL+SL: not straightforward ➡ invalid frame rule! � 9

  37. Contributions ❖ Incorrectness Separation Logic (ISL) ➡ IL + SL for compositional bug catching ➡ Under-approximate analogue of SL ➡ Targets memory safety bugs (e.g. use-after-free) ➡ Scalable : inspired by Facebook Pulse ❖ Combining IL+SL: not straightforward ➡ invalid frame rule! ❖ Fix: a monotonic model for frame preservation � 9

  38. Contributions ❖ Incorrectness Separation Logic (ISL) ➡ IL + SL for compositional bug catching ➡ Under-approximate analogue of SL ➡ Targets memory safety bugs (e.g. use-after-free) ➡ Scalable : inspired by Facebook Pulse ❖ Combining IL+SL: not straightforward ➡ invalid frame rule! ❖ Fix: a monotonic model for frame preservation ❖ Recovering the footprint property for completeness � 9

  39. Contributions ❖ Incorrectness Separation Logic (ISL) ➡ IL + SL for compositional bug catching ➡ Under-approximate analogue of SL ➡ Targets memory safety bugs (e.g. use-after-free) ➡ Scalable : inspired by Facebook Pulse ❖ Combining IL+SL: not straightforward ➡ invalid frame rule! ❖ Fix: a monotonic model for frame preservation ❖ Recovering the footprint property for completeness ❖ ISL-based analysis ➡ No-false-positives theorem: All bugs found are true bugs � 9

  40. Contributions ❖ Incorrectness Separation Logic (ISL) ➡ IL + SL for compositional bug catching ➡ Under-approximate analogue of SL This talk ➡ Targets memory safety bugs (e.g. use-after-free) ➡ Scalable : inspired by Facebook Pulse ❖ Combining IL+SL: not straightforward ➡ invalid frame rule! ❖ Fix: a monotonic model for frame preservation ❖ Recovering the footprint property for completeness ❖ ISL-based analysis ➡ No-false-positives theorem: All bugs found are true bugs � 9

  41. What Is Separation Logic (SL)? SL : Local & compositional reasoning via ownership & separation ☛ ideal for heap-manipulating programs with aliasing � 10

  42. What Is Separation Logic (SL)? SL : Local & compositional reasoning via ownership & separation ☛ ideal for heap-manipulating programs with aliasing [x]:= 1; [y]:= 2; [z]:= 3; � 10

Recommend


More recommend