Abstract
We present a new approach to deductive program verification based on auxiliary programs called ghost monitors. This technique is useful when the syntactic structure of the target program is not well suited for verification, for example, when an essentially recursive algorithm is implemented in an iterative fashion. Our approach consists in implementing, specifying, and verifying an auxiliary program that monitors the execution of the target program, in such a way that the correctness of the monitor entails the correctness of the target. The ghost monitor maintains the necessary data and invariants to facilitate the proof. It can be implemented and verified in any suitable framework, which does not have to be related to the language of the target programs. This technique is also applicable when we want to establish relational properties between two target programs written in different languages and having different syntactic structure.
We then show how ghost monitors can be used to specify and prove fine-grained properties about the infinite behaviors of target programs. Since this cannot be easily done using existing verification frameworks, we introduce a dedicated language for ghost monitors, with an original construction to catch and handle divergent executions. The soundness of the underlying program logic is established using a particular flavor of transfinite games. This language and its soundness are formalized and mechanically checked.
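As an added illustration of the ghost-monitor idea (not code from the paper or from its formal developments), the following Python program uses runtime assertions where a verifier would discharge proof obligations: the target is the counter-based iterative form of McCarthy's 91 function, whose loop is exposed one iteration at a time, and the monitor is a recursive program that drives the target and checks at every call boundary that the target's state matches the recursive computation. `Target`, `monitor`, `certified_run` and the deliberately faulty `WrongTarget` are names chosen here; the faulty target is constructed to show that a target that diverges from the recursion is rejected.

```python
from dataclasses import dataclass

@dataclass
class Target:
    """Target program: iterative f91 with its `while e > 0` loop exposed one
    iteration at a time; e counts pending recursive calls (loop ends at e == 0)."""
    n: int
    e: int = 1

    def step(self) -> None:
        if self.n > 100:
            self.n, self.e = self.n - 10, self.e - 1
        else:
            self.n, self.e = self.n + 11, self.e + 1

def monitor(t: Target) -> int:
    """Ghost monitor for one recursive call f91(n0), n0 = t.n.
    Entry: target about to evaluate f91(n0) with e0 pending calls.
    Exit:  target holds n == f91(n0) and e == e0 - 1 (one call retired)."""
    n0, e0 = t.n, t.e
    if n0 > 100:
        t.step()                 # target: n -= 10, e -= 1 (base case)
        result = n0 - 10
    else:
        t.step()                 # target: n += 11, e += 1, i.e. enters f91(f91(n0 + 11))
        inner = monitor(t)       # follow the inner call f91(n0 + 11)
        assert (t.n, t.e) == (inner, e0), "target out of sync after inner call"
        result = monitor(t)      # follow the outer call f91(inner)
    # Relational check (target state matches the recursion), then functional check
    # (the monitor's own postcondition: f91(n) = n - 10 if n > 100 else 91).
    assert (t.n, t.e) == (result, e0 - 1), "target out of sync after call"
    assert result == (n0 - 10 if n0 > 100 else 91), "specification violated"
    return result

def certified_run(t: Target):
    """Drive the target to completion under the monitor; None if any check fails."""
    try:
        r = monitor(t)
        return r if t.e == 0 else None   # the target's loop must have terminated
    except AssertionError:
        return None

class WrongTarget(Target):
    """Constructed faulty target for the demo: subtracts 9 instead of 10."""
    def step(self) -> None:
        if self.n > 100:
            self.n, self.e = self.n - 9, self.e - 1
        else:
            self.n, self.e = self.n + 11, self.e + 1
```

Because the monitor is verified against the specification and the target is only checked to stay in step with the monitor, a correct run certifies the target's result without reasoning about the loop's own syntactic structure.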
Index Terms
- Deductive verification with ghost monitors