verifying concurrent go code in coq with goose
play

Verifying concurrent Go code in Coq with Goose Tej Chajed , Joseph - PowerPoint PPT Presentation

Feb 23, 2024 •376 likes •859 views

Verifying concurrent Go code in Coq with Goose Tej Chajed , Joseph Tassarotti*, Frans Kaashoek, Nickolai Zeldovich MIT and *Boston College Systems verification, broadly impl proof specification 2 Systems verification requires connecting

  1. Verifying concurrent Go code in Coq with Goose Tej Chajed , Joseph Tassarotti*, Frans Kaashoek, Nickolai Zeldovich MIT and *Boston College

  2. Systems verification, broadly impl proof specification 2

  3. Systems verification requires connecting implementation to proof model of impl impl proof specification 3

  4. Systems verification requires connecting implementation to proof this talk model of impl impl previous [SOSP 2019] proof and current work specification 3

  5. We aim to verify realistic systems PDOS (the part that does verification) Systems: running code, interacts with outside world Realistic: reasonably e ffi cient, concurrency Verification: functional correctness, focus on crash safety 4

  6. Goal: implement in a systems language (1) write ordinary imperative code (2) import into Coq model of impl impl (3) prove something about the model 5

  7. Goose: write code in Go and prove with Iris Why Go (vs. C or Rust) ? Simple, good tooling Why Iris (vs. VST) ? Concurrency, extensibility 6

  8. Implementing in Go helps build the software (1a) write ordinary imperative code (2) import into Coq model of impl impl (1b) test (3) prove something (1c) debug about the model (1d) profile (1e) benchmark 7

  9. Goose: import subset of Go into a Coq model Go Goose ✓ locks ✓ fork ✓ structs ✓ pointers ✗ interfaces 8

  10. Goose: import subset of Go into a Coq model Coq Go goose translator Goose ✓ locks ✓ fork ✓ structs ✓ pointers ✗ interfaces 8

  11. Goose: import subset of Go into a Coq model Coq Go GooseLang goose translator λ ref,conc with 
 Goose ✓ locks external ops ✓ fork ✓ structs ✓ pointers ✗ interfaces 8

  12. Goose: import subset of Go into a Coq model Coq Go GooseLang goose translator λ ref,conc with 
 Goose ✓ locks external ops ✓ fork ✓ structs carry out ✓ pointers proofs in Iris ✗ interfaces 8

  13. Our systems verification research using Goose Persistent key-value store using file system (unverified) Mail server using file system (appeared in SOSP ’19) Concurrent file system using disk (in progress) 9

  14. Go is a systems language C-like: functions, structs, pointers Exposes system calls E ffi cient runtime (garbage collection, threads) 10

  15. Goose code Looks like standard Go, but avoids most of the standard library Use narrow interfaces for file system or disk More of Go is supported frequently 11

  16. Challenges in implementing Goose Defining GooseLang, a semantic model of Go Translating Go to GooseLang 12

  17. GooseLang, a semantic model of Go e ::= x | λ x. e | e 1 e 2 // λ -calculus 
 | ref e | !e | e 1 ← e 2 // heap operations 
 | fork e | cmpxchg // concurrency | call op e // external operations 13

  18. GooseLang, a semantic model of Go e ::= x | λ x. e | e 1 e 2 // λ -calculus 
 | ref e | !e | e 1 ← e 2 // heap operations 
 | fork e | cmpxchg // concurrency | call op e // external operations 13

  19. GooseLang, a semantic model of Go e ::= x | λ x. e | e 1 e 2 // λ -calculus 
 | ref e | !e | e 1 ← e 2 // heap operations 
 | fork e | cmpxchg // concurrency | call op e // external operations v ::= U64 x | Loc z | … // literals | Pair | InjL | InjR // sums, products 13

  20. Excerpt from GooseLang: 
 slices x = (ptr, len) Definition sliceAppend := … λ s, x. ptr let s’ := alloc (s.len + #1) () in len … (* fill s’ *) (s’, s.len + #1). Coq 14

  21. Excerpt from GooseLang: 
 slices x = (ptr, len) Definition sliceAppend := … λ s, x. ptr let s’ := alloc (s.len + #1) () in len … (* fill s’ *) (s’, s.len + #1). Coq Go Definition example := func example(x []uint64) { x1 := x[1] λ x. goose append(x, 5) let x1 := !(x.ptr + ₗ #1) in } sliceAppend x #5;; #(). 14

  22. Excerpt from GooseLang: 
 modeling concurrency and locking func coin() bool { m := new(sync.Mutex) x := new(bool) go func() { m.Lock() *x = true m.Unlock() }() m.Lock() v := *x m.Unlock() return v 15

  23. Excerpt from GooseLang: 
 modeling concurrency and locking Definition coin: val := func coin() bool { λ <>. m := new(sync.Mutex) let: “m” := lock.new #() in x := new(bool) let: “x” := ref #(zero_val boolT) in go func() { goose fork (lock.acquire “m”;; m.Lock() “x” ← #true;; *x = true m.Unlock() lock.release “m”);; }() lock.acquire “m”;; m.Lock() let: “v” := !”x” in v := *x lock.release “m”;; m.Unlock() “v”. return v 15

  24. Excerpt from GooseLang: 
 modeling concurrency and locking Definition coin: val := func coin() bool { λ <>. m := new(sync.Mutex) let: “m” := lock.new #() in x := new(bool) let: “x” := ref #(zero_val boolT) in go func() { goose fork (lock.acquire “m”;; m.Lock() “x” ← #true;; *x = true m.Unlock() lock.release “m”);; }() lock.acquire “m”;; m.Lock() let: “v” := !”x” in v := *x lock.release “m”;; m.Unlock() “v”. return v 16

  25. Excerpt from GooseLang: 
 modeling concurrency and locking Definition coin: val := func coin() bool { λ <>. m := new(sync.Mutex) let: “m” := lock.new #() in x := new(bool) let: “x” := ref #(zero_val boolT) in go func() { goose fork (lock.acquire “m”;; m.Lock() “x” ← #true;; *x = true m.Unlock() lock.release “m”);; }() lock.acquire “m”;; m.Lock() let: “v” := !”x” in v := *x lock.release “m”;; m.Unlock() “v”. return v 17

  26. Excerpt from GooseLang: 
 modeling concurrency and locking Definition coin: val := func coin() bool { λ <>. m := new(sync.Mutex) let: “m” := lock.new #() in x := new(bool) let: “x” := ref #(zero_val boolT) in go func() { goose fork (lock.acquire “m”;; m.Lock() “x” ← #true;; *x = true m.Unlock() lock.release “m”);; }() lock.acquire “m”;; m.Lock() let: “v” := !”x” in v := *x lock.release “m”;; m.Unlock() “v”. return v 18

  27. Challenge in modeling Go: weak memory func uhOh(x *uint64) { Definition uhOh: val := go func() { λ x. goose *x = 1 fork (x ← #1 print(“set x”) print “set x” !x);; }() print “x=” !x. print(“x=”, *x) Sequential consistency } x86-TSO If we first see “set x”, then 19

  28. Challenge in modeling Go: weak memory func uhOh(x *uint64) { Definition uhOh: val := go func() { λ x. goose *x = 1 fork (x ← #1 ✓ print(“set x”) print “set x” !x);; }() print “x=” !x. print(“x=”, *x) Sequential consistency } x86-TSO If we first see “set x”, then sequential consistency means x=1 19

  29. Challenge in modeling Go: weak memory func uhOh(x *uint64) { Definition uhOh: val := go func() { λ x. goose *x = 1 ✗ fork (x ← #1 ✓ print(“set x”) print “set x” !x);; }() print “x=” !x. print(“x=”, *x) Sequential consistency } x86-TSO If we first see “set x”, then sequential consistency means x=1 but TSO allows x=0 19

  30. Challenge in modeling Go: weak memory func uhOh(x *uint64) { Definition uhOh: val := go func() { λ x. goose *x = 1 ✗ fork (x ← #1 ✓ print(“set x”) print “set x” !x);; }() print “x=” !x. print(“x=”, *x) Sequential consistency } x86-TSO If we first see “set x”, then sequential consistency means x=1 but TSO allows x=0 19

  31. Disallow racy loads and stores Definition Store: val := λ p, v. BeginStore p;; FinishStore p v. Notation “p ← v” := (Store p v). Track in-progress stores Concurrent store/store and load/store are undefined 20

  32. Compatibility with Iris gives us amazing verification technology Concurrent separation logic with higher-order ghost state Iris Proof Mode (IPM) for interactive proofs 21

  33. Compatibility with Iris gives us amazing verification technology Concurrent separation logic with higher-order ghost state Iris Proof Mode (IPM) for interactive proofs Connect to our unwritten POPL 2021 paper for crash safety 21

  34. Proofs using non-atomic memory Load (non-atomic) Store { p ↦ v } { p ↦ v 0 } ! p p ← v { p ↦ v } { λ v . p ↦ v } These triples are sound because is exclusive access to p ↦ v p 22

  35. Proofs using non-atomic memory Load (non-atomic) Store { p ↦ v } { p ↦ v 0 } ! p p ← v { p ↦ v } { λ v . p ↦ v } These triples are sound because exclude using locks is exclusive access to p ↦ v p exclude by using local variables 22

  36. GooseLang programs can make system calls Import disk. import “github.com/tchajed/goose/ machine/disk" goose Definition Copy: val := func Copy() { b := disk.Read(0) λ _. disk.Write(1, b) let b := call ReadOp #0 in } call WriteOp (#1, b). Language is parameterized by external calls Currently implementing GooseLang + file-system ops in terms of GooseLang + disk ops 23

  37. Semantics of GooseLang Small-step operational semantics, mostly standard and following design of HeapLang For testing, have executable semantics (interpreter + soundness proof) 24

  38. Previous approach: shallow embedding as semantic model GooseLang was a free monad instead of a λ -calculus Go code had to explicitly sequence e ff ectful operations Pure operations were expressed directly in Gallina 25

  39. GooseLang is a mix of shallow and deep embedding Heap operations, concurrency are deeply represented Data structures are shallowly built out of sums 26

Recommend

Specifying and Verifying Concurrent Algorithms with Histories and Subjectivity Ilya

Specifying and Verifying Concurrent Algorithms with Histories and Subjectivity Ilya

Specifying and Verifying Concurrent Algorithms with Histories and Subjectivity Ilya Sergey Aleks Nanevski Anindya Banerjee ESOP 2015 A logic-based approach for Specifying and Verifying Concurrent Algorithms An

2.36k views • 186 slides
Verifying concurrent software using movers in CSPEC Tej Chajed , Frans Kaashoek, Butler Lampson*,

Verifying concurrent software using movers in CSPEC Tej Chajed , Frans Kaashoek, Butler Lampson*,

Verifying concurrent software using movers in CSPEC Tej Chajed , Frans Kaashoek, Butler Lampson*, Nickolai Zeldovich MIT CSAIL and *Microsoft Concurrent software is difficult to get right Programmer cannot reason about code in sequence 2

1.2k views • 72 slides
Parallel Analysis of Parallelism Verifying Concurrent Software System Designs Using GPUs GTC

Parallel Analysis of Parallelism Verifying Concurrent Software System Designs Using GPUs GTC

Parallel Analysis of Parallelism Verifying Concurrent Software System Designs Using GPUs GTC 2015 Anton Wijs Correctness of Concurrent Systems Distributed, concurrent systems common-place, but very

633 views • 52 slides
Verifying Concurrent Programs (Tutorial) Aarti Gupta Systems Analysis &amp; Verification Group

Verifying Concurrent Programs (Tutorial) Aarti Gupta Systems Analysis &amp; Verification Group

Verifying Concurrent Programs (Tutorial) Aarti Gupta Systems Analysis &amp; Verification Group NEC Labs America, Princeton, USA www.nec-labs.com Tutorial: Verifying Concurrent Programs Oct 2011 Acknowledgements Malay Ganai, Vineet

982 views • 72 slides
GOOSE BUSTERS CANADA GOOSE CONTROL GOOSE BUSTERS 1997 Started Business Goose removal only

GOOSE BUSTERS CANADA GOOSE CONTROL GOOSE BUSTERS 1997 Started Business Goose removal only

GOOSE BUSTERS CANADA GOOSE CONTROL GOOSE BUSTERS 1997 Started Business Goose removal only 5 sites, 822 geese removed avg. 164 per site 1998 Became sole proprietor 1999 Added Nest Destruction 2011 Added Dog Hazing

242 views • 21 slides
VCC: A Practical System for Verifying Concurrent C Ernie Cohen 1 , Markus Dahlweid 2 , Mark

VCC: A Practical System for Verifying Concurrent C Ernie Cohen 1 , Markus Dahlweid 2 , Mark

VCC: A Practical System for Verifying Concurrent C Ernie Cohen 1 , Markus Dahlweid 2 , Mark Hillebrand 3 , Dirk Leinenbach 3 , Michal Moskal 2 , Thomas Santen 2 , Wolfram Schulte 4 and Stephan Tobies 2 1 Microsoft Corporation, Redmond, WA, USA 2

553 views • 27 slides
The Benefits of Duality in Verifying Concurrent Programs under TSO Parosh Aziz Abdulla 1 Ahmed

The Benefits of Duality in Verifying Concurrent Programs under TSO Parosh Aziz Abdulla 1 Ahmed

The Benefits of Duality in Verifying Concurrent Programs under TSO Parosh Aziz Abdulla 1 Ahmed Bouajjani 2 Mohamed Faouzi Atig 1 Tuan Phong Ngo 1 1 Uppsala University 2 IRIF, Universit Paris Diderot &amp; IUF CONCUR 2016 1 Motivation

1.66k views • 118 slides
Verifying Authentication Properties of C Protocol Code Using VCC Franois Dupressoir (Open

Verifying Authentication Properties of C Protocol Code Using VCC Franois Dupressoir (Open

Verifying Authentication Properties of C Protocol Code Using VCC Franois Dupressoir (Open University) Andrew D. Gordon (MSR Cambridge) Jan Jrjens (TU Dortmund) Verifying Security Code Assume a security API specification.

397 views • 24 slides
Verifying Concurrent Programs using Contracts Ricardo J. Dias, Carla Ferreira, Jan Fiedor, Jo

Verifying Concurrent Programs using Contracts Ricardo J. Dias, Carla Ferreira, Jan Fiedor, Jo

Verifying Concurrent Programs using Contracts Ricardo J. Dias, Carla Ferreira, Jan Fiedor, Jo ao M. Lourenc o, Ale s Smr cka, Diogo G. Sousa, Tom a s Vojnar Brno University of Technology (BUT) Universidade Nova de Lisboa (UNL)

1.54k views • 125 slides
Concurrent Datatype Verification Verifying lock free data types using CSP and FDR Jonathan

Concurrent Datatype Verification Verifying lock free data types using CSP and FDR Jonathan

Concurrent Datatype Verification 01 Concurrent Datatype Verification Verifying lock free data types using CSP and FDR Jonathan Lawrence jonathan.lawrence@cs.ox.ac.uk Concurrent Datatype Verification 02 Introduction Case study using

618 views • 27 slides
Verifying Concurrent Programs Daniel Kroening 28 May 1 June 2012 Outline Shared-Variable

Verifying Concurrent Programs Daniel Kroening 28 May 1 June 2012 Outline Shared-Variable

Verifying Concurrent Programs Daniel Kroening 28 May 1 June 2012 Outline Shared-Variable Concurrency Predicate Abstraction for Concurrent Programs Boolean Programs with Bounded Replication Boolean Programs with Unbounded Replication D.

774 views • 50 slides
Verifying a Concurrent Garbage Collector Delphine Demange Suresh Jagannathan Gustavo Petri

Verifying a Concurrent Garbage Collector Delphine Demange Suresh Jagannathan Gustavo Petri

Verifying a Concurrent Garbage Collector Delphine Demange Suresh Jagannathan Gustavo Petri David Pichardie Jan Vitek Yannick Zakowski Why are high level languages difficult to compile? Easy to compile in C Obj.f := v What about Java? A

1.17k views • 73 slides
Verifying that a compiler preserves concurrent value-dependent information-flow security Robert

Verifying that a compiler preserves concurrent value-dependent information-flow security Robert

Verifying that a compiler preserves concurrent value-dependent information-flow security Robert Sison (UNSW Sydney, Data61) and Toby Murray (University of Melbourne) September 2019 THE UNIVERSITY OF NEW SOUTH WALES www.data61.csiro.au So

1.94k views • 156 slides
Verifying Concurrent ML programs a research proposal Gergely Buday Eszterhzy Kroly

Verifying Concurrent ML programs a research proposal Gergely Buday Eszterhzy Kroly

Verifying Concurrent ML programs a research proposal Gergely Buday Eszterhzy Kroly University Gyngys, Hungary Synchron 2016 Bamberg December 2016 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

486 views • 25 slides
Verifying concurrent, crash-safe systems with Perennial Tej Chajed , Joseph Tassarotti*, Frans

Verifying concurrent, crash-safe systems with Perennial Tej Chajed , Joseph Tassarotti*, Frans

Verifying concurrent, crash-safe systems with Perennial Tej Chajed , Joseph Tassarotti*, Frans Kaashoek, Nickolai Zeldovich MIT and *Boston College Many systems need concurrency and crash safety Examples: file systems, databases, and key-value

852 views • 46 slides
Testing and Verifying Atomicity of Composed Concurrent Operations Ohad Shacham Tel Aviv

Testing and Verifying Atomicity of Composed Concurrent Operations Ohad Shacham Tel Aviv

Testing and Verifying Atomicity of Composed Concurrent Operations Ohad Shacham Tel Aviv University Nathan Bronson Stanford University Alex Aiken Stanford University Mooly Sagiv Tel Aviv University Martin Vechev ETH Eran Yahav Technion

458 views • 35 slides
Xerox/DOM Presentation Fall 2016 CONTENTS 1. Verifying Eligibility 2. Taxonomy Code Placement

Xerox/DOM Presentation Fall 2016 CONTENTS 1. Verifying Eligibility 2. Taxonomy Code Placement

Xerox/DOM Presentation Fall 2016 CONTENTS 1. Verifying Eligibility 2. Taxonomy Code Placement 3. Prior Authorization 4. Timely Filing Limits 5. Envision Web Portal Verifying Eligibility It is the responsibility of the Medicaid Provider to

602 views • 21 slides
Management Project Bill Dundas (SGRPID) &amp; Rae McKenzie (SNH) Background Historical goose

Management Project Bill Dundas (SGRPID) &amp; Rae McKenzie (SNH) Background Historical goose

Islay Sustainable Goose Management Project Bill Dundas (SGRPID) &amp; Rae McKenzie (SNH) Background Historical goose numbers Barnacle goose numbers Islay - 1952-2013 Background Historical goose numbers Greenland white-fronted goose

257 views • 21 slides
The Flight of the Goose presented by Bruce Boguski As each goose flaps its wings it creates

The Flight of the Goose presented by Bruce Boguski As each goose flaps its wings it creates

The Flight of the Goose presented by Bruce Boguski As each goose flaps its wings it creates uplift for the others behind it. This uplift allows the V-formation to fly 71% further than a goose flying alone . The Lesson: Teams that share a

517 views • 22 slides
SteelCore: An Extensible Concurrent Separation Logic for Effectful Dependent Programs Nikhil

SteelCore: An Extensible Concurrent Separation Logic for Effectful Dependent Programs Nikhil

SteelCore: An Extensible Concurrent Separation Logic for Effectful Dependent Programs Nikhil Swamy, Aseem Rastogi, Aymeric Fromherz , Denis Merigoux, Danel Ahman, Guido Martinez ICFP 2020 1/12 Verifying Concurrent Programs Lots of recent work

556 views • 37 slides
Cosmo: a concurrent separation logic for Multicore OCaml Glen Mvel , Jacques-Henri Jourdan,

Cosmo: a concurrent separation logic for Multicore OCaml Glen Mvel , Jacques-Henri Jourdan,

Cosmo: a concurrent separation logic for Multicore OCaml Glen Mvel , Jacques-Henri Jourdan, Franois Pottier August, 2020 ICFP, New York LRI &amp; Inria, Paris, France This talk Our aim: Verifying fine-grained concurrent

511 views • 38 slides
Extracting and Verifying Cryptographic Models from C Protocol Code by Symbolic Execution Mihhail

Extracting and Verifying Cryptographic Models from C Protocol Code by Symbolic Execution Mihhail

Extracting and Verifying Cryptographic Models from C Protocol Code by Symbolic Execution Mihhail Aizatulin 1 supervised by Andrew Gordon 23 , Jan J urjens 4 , Bashar Nuseibeh 1 1 The Open University 2 Microsoft Research Cambridge 3 University of

543 views • 29 slides
Formally verifying exceptions in low-level code with Separation Logic Marco Paviotti and Jesper

Formally verifying exceptions in low-level code with Separation Logic Marco Paviotti and Jesper

Formally verifying exceptions in low-level code with Separation Logic Marco Paviotti and Jesper Bengtson IT University of Copenhagen 22nd October Nordic Workshop on Programming Theory (NWPT) Reykjavik, Iceland 1 Verification of low-level

416 views • 15 slides
A Model-driven Methodology for Generating and Verifying CSP-based Java Code no 1 ul N.N. Alborodo

A Model-driven Methodology for Generating and Verifying CSP-based Java Code no 1 ul N.N. Alborodo

A Model-driven Methodology for Generating and Verifying CSP-based Java Code no 1 ul N.N. Alborodo 2 Julio Mari Ra 1 Universidad Polit 2 IMDEA Software Institute ecnica de Madrid Babel research group raul.alborodo@imdea.org

758 views • 45 slides

More recommend