(Atsushi Igarashi)
-
SW verification as "the holy grail" (Bill Gates, 2002) is within reach today (Gates claims that in 2002 for device drivers)
-
but still we are busy developing verifiers every day
-
will talk about smart contracts, IoT, research directions and current development
-
challenges in smart contract verification: invocation of other, unknown, contracts (-> verification of HOFs), unclear spec.s
-
setting: Tezos BC, Michelson language (functional stack-based with blocks, rich set of primitive types)
- Michelson for smart contracts: stateful, continuation-style (no return as such), no (direct) operation to invoke other contracts
-
own work "Helmholtz" (observing Michelson!)
- verifier of Michelson contracts
- hard-wired variables amount,ops,source in pre/post-conditions
- background: refinement types, adapted to HOF stack-based languages
- implementation: no surprises, using an SMT solver on the computed strongest post-cond.
-
Experience:
- building a verifier from scratch, cumbersome
- single contracts are not interesting, contract interaction is what implements interesting use cases
-
Verifying multiple contracts
- "Dexter" (decentralised exchange) as a case study
- tokens as a derived currency, using a constant Product Market Maker (CPMM) together with the token holding account
- transfer and approval (of an allowance) calls
- CPMM: can sell tokens for XTZ on behalf of account owners
- (several mistakes on the slide!)
- example of CPMM interactoin to exchange tokens for tz
- two flaws:
- allowance setting allows tokens from Alice to be stolen
- when allowance is set, anyone can step in to make CPMM transfer
- anyone can steal from CPMM
- self-transfer must succeed, so X=CPMM allows anyone to steal
- allowance setting allows tokens from Alice to be stolen
- proposed solution: remove XferTokens first parameter (-> screenshot)
- insufficient and going in a wrong direction
- Helmholtz-based invariants proposed to fix the CPMM flaws
-
to summarise:
- verifiers are not easy to build, more support from PL community
-
goal: verify protocols and trust chains (static + dynamic)
-
"DevSecOps" (buzz buzz buzz)
-
Experience:
- IoT system verification is hard, even for experts
- example: a published paper turned out to make impossible assumptions (turning on a device more than once)
- verification tools should be usable by IoT System dev.s (but aren't)
-
Questions
- about the boomerang example, infinte loops: prevented by gas consumption
- analysing instruction output vs. interprocedural semantic analysis
- problem 1: unknown contract may be invoked
- problem 2: instruction list may be long (and execution may fork)
(Roland Meyer)
-
applying separation logic to data structures in concurrent programs
-
two challenges: concurrent unbounded updates, linearisability
-
unbounded updates: example of removal
- recursive SL predicates and induction hard to automate
- "ghost update chunks": composing updates
- can be composed during the program traversal without overhead
- walk through an example.. (screenshots)
-
Linearisability
- example: containment in a list in the presence of concurrent
removal
- possible to linearise concurrent actions to consistent sequence
- proposal: "past reasoning" about interference
- concurrent interfering actions are not able to change the past captured in the traversal
- example: containment in a list in the presence of concurrent
removal
-
both proposed concepts formalised in separation logic, with an implementation of proving several challenging examples
(awarded paper, Thomas Haas)
-
"theory and solver for weak memory"
-
Motivation: ways to find bugs in concurrent programs
- using bounded model checking etc.
- with the help of a SAT solver
- neglecting the fact that threads communicate (over shared memory)
- requires a memory model, and to include it in the model/SAT solving
-
What are memory models?
- examples: Seq. consistency, total store ordering (buffered write-back)
- can be described by CAT (DSL describing consistency models)
- uses a number of base relations and derived relations to
describe consistency-related properties of operations
- po = program order, rf = read-from, co = coherence
- uses a number of base relations and derived relations to
describe consistency-related properties of operations
- example: Peterson's Mutex (screenshots)
-
encoding memory model descriptions (CAT) into logical theories
- a number of basic axioms need to be added to a straightfwd encoding
- problem: recursion in CAT
- solution: encode CAT as instead of in a logical theory
- theory only talks about base relations, but considers derived relations internally
- example (screenshot): happens-before cycle encoded in this theory
- generalisation possible: abstract base relations (e.g., DB transactions)
- decision procedure: checking consistency of a conjunction, (provided by a SAT solver), providing explanations for inconsistencies
- in the example:
- deriving formulas from the execution trace..
- discovery of a happens-before-cycle
- removal of derived relations from explanation
-
classical example: message passing sync using a variable
- under C11 relaxed memory model, the sync. may be broken (2nd thread reading a prior value)
- "release-acquire atomics" annotations to fix this by enforcing a global ordering
- example2: using CAS instead to attempt a fix
- C11 manual provides a range of different CAS operations
-
this work: generalising the release-acquire idea for CAS
-
extensions:
- transactional read-wrote seqiemces
- release-acquire transactions (3 threads performing a transitive release-acquire synchronisation)
-
Formal semantics (overview)
- builds on "TMS2" model (memory snapshots based reasoning)
- extension of the snapshots to indicate release or acquire
- acquiring transactions must read from releasing ones
-
Implementation of release-acquire transactions
- follows as a modification of prior art (TxRead/Write)
-
proposes transfer of incorrectness logic to quantum computing setting
-
early-stage work to be further generalised, considering quantum-specifics (noise) and local reasoning
(Kevin Batz)
-
"enable probabilistic programming for programmers inexperienced in probability theory"
- this work: extends this to the "mathematical theory" as a whole
-
proposes "weighting", here extending a prototypical imp language
- weighting (x) accumulates
- branching (+) considers two branches (and, e.g., minimises)
- theory applicable to different settings: optimisation, reasoning about program traces, combinatorics, resource analysis, etc)
-
variants of semantics
- operational: weighted automata - resulting in infinite state
- denotational: weakest precondition and invariants.
- one-path search for pre/post-condition correspondence
- adding weight to the valid final states (true post-cond.)
- semi-ring sum over all valid final states yields solution
-
weakest pre-weightings are synthesised (syntax-driven)
- (backwards) pushing (n + y) through the example program (screenshot)
- same for invariants (loop body)
-
weakest liberal preconditions
- accounting for non-terminating programs.
- adds greatest-fixpoint to inference in the loop statement
-
case studies: screenshot
(awarded paper, Kevin Bierhoff)
-
addresses a fundamental unsoundness in Java and Scala, reported in Oopsla16
- solution along the Oopsla16 paper, with a new example
- key: typing of
null
-
wildcards: address invariance of java collections (List(Integer) not < List(Num) not < List(Object)
-
wildcards can address this, they instantiate the existential type given in a collection type
- java aims to ensure these exist, but does not allow for specifying them (no introduction form)
- elimination form usually exists, too, but again not in Java
-
=> Java wildcards have lower and upper bound (lower often bottom, upper often Object)
-
walk through the types in the example crash
-
previous proposal to solve this: limit wildcard subtyping
-
here: ensure all wildcards have a witness type
- which makes an instantiation with
null
impossible (no witness) - explicit elimination of wildcards using a special let construct
- limiting the type of
null
to require a witness
- which makes an instantiation with
-
proof of preservation and progress:
- problematic side is progress proof
- requires a "witness lemma" to ensure that a witness is available (see null restrictino before)
-
evaluated as a javac plugin ("Error-prone") on the google codebase
-
enabled by default in Bazel and available as OSS