Developing Verified Software Using Leon

Kunčak, Viktor

doi:10.1007/978-3-319-17524-9_2

Cited by 5 publications

(3 citation statements)

References 26 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Such code does not map to any C code but rather is included in the WhyML code only to enable a proof. Ghost code is available in a number of proof tools in addition to Why3, such as Dafny [31] and Leon [30]. Concretely, the Ipanema compiler instruments the generated WhyML code to maintain boolean maps B and U that record the set of cores on which threads have blocked or unblocked, respectively, since the start of the execution of the CWC operation.…”

Section: Modeling Scheduling Event-handler Behaviormentioning

confidence: 99%

Provable multicore schedulers with Ipanema

Lepers

Gouicem²,

Carver³

et al. 2020

Proceedings of the Fifteenth European Conference on Computer Systems

View full text Add to dashboard Cite

Recent research and bug reports have shown that work conservation, the property that a core is idle only if no other core is overloaded, is not guaranteed by Linux's CFS or FreeBSD's ULE multicore schedulers. Indeed, multicore schedulers are challenging to specify and verify: they must operate under stringent performance requirements, while handling very large numbers of concurrent operations on threads. As a consequence, the verification of correctness properties of schedulers has not yet been considered. In this paper, we propose an approach, based on a domainspecific language and theorem provers, for developing schedulers with provable properties. We introduce the notion of concurrent work conservation (CWC), a relaxed definition of work conservation that can be achieved in a concurrent system where threads can be created, unblocked and blocked concurrently with other scheduling events. We implement several scheduling policies, inspired by CFS and ULE. We show that our schedulers obtain the same level of performance as production schedulers, while concurrent work conservation is satisfied.

show abstract

Section: Modeling Scheduling Event-handler Behaviormentioning

confidence: 99%

Provable multicore schedulers with Ipanema

Lepers

Gouicem²,

Carver³

et al. 2020

Proceedings of the Fifteenth European Conference on Computer Systems

View full text Add to dashboard Cite

show abstract

“…There exists many static verification, analysis, and model-checking tools of various degrees of sophistication for a variety of languages, e.g. VeriFast [39] Frama-C [21], Astré [20], Boogie [5], Spec# [6], Dafny [52], Leon [48], BLAST [36]. Still, building fully verified software remains extremely labor intensive.…”

Section: Related Workmentioning

confidence: 99%

LMS-Verify: abstraction without regret for verified systems programming

Amin

Rompf

2017

SIGPLAN Not.

View full text Add to dashboard Cite

Performance critical software is almost always developed in C, as programmers do not trust high-level languages to deliver the same reliable performance. This is bad because low-level code in unsafe languages attracts security vulnerabilities and because development is far less productive, with PL advances mostly lost on programmers operating under tight performance constraints. Highlevel languages provide memory safety out of the box, but they are deemed too slow and unpredictable for serious system software. Recent years have seen a surge in staging and generative programming: the key idea is to use high-level languages and their abstraction power as glorified macro systems to compose code fragments in first-order, potentially domain-specific, intermediate languages, from which fast C can be emitted. But what about security? Since the end result is still C code, the safety guarantees of the high-level host language are lost. In this paper, we extend this generative approach to emit ACSL specifications along with C code. We demonstrate that staging achieves "abstraction without regret" for verification: we show how high-level programming models, in particular higher-order composable contracts from dynamic languages, can be used at generation time to compose and generate first-order specifications that can be statically checked by existing tools. We also show how type classes can automatically attach invariants to data types, reducing the need for repetitive manual annotations. We evaluate our system on several case studies that varyingly exercise verification of memory safety, overflow safety, and functional correctness. We feature an HTTP parser that is (1) fast (2) high-level: implemented using staged parser combinators (3) secure: with verified memory safety. This result is significant, as input parsing is a key attack vector, and vulnerabilities related to HTTP parsing have been documented in all widely-used web servers.

show abstract

“…We hope to introduce some of the many Scala users to formal methods by providing tools they can use directly on Scala code. Leon system (http://leon.epfl.ch) is a verification and synthesis system for a subset of Scala [2,10]. Leon reuses the Scala compiler's parsing and type-checking frontend and subsequently derives verification conditions to be solved by the automated theorem provers, such as Z3 [13] and CVC4 [1].…”

Section: Introductionmentioning

confidence: 99%

Translating Scala Programs to Isabelle/HOL

Hupel

Kunčak

2016

Automated Reasoning

Self Cite

View full text Add to dashboard Cite

Abstract. We present a trustworthy connection between the Leon verification system and the Isabelle proof assistant. Leon is a system for verifying functional Scala programs. It uses a variety of automated theorem provers (ATPs) to check verification conditions (VCs) stemming from the input program. Isabelle, on the other hand, is an interactive theorem prover used to verify mathematical specifications using its own input language Isabelle/Isar. Users specify (inductive) definitions and write proofs about them manually, albeit with the help of semiautomated tactics. The integration of these two systems allows us to exploit Isabelle's rich standard library and give greater confidence guarantees in the correctness of analysed programs.

show abstract

Developing Verified Software Using Leon

Cited by 5 publications

References 26 publications

Provable multicore schedulers with Ipanema

Provable multicore schedulers with Ipanema

LMS-Verify: abstraction without regret for verified systems programming

Translating Scala Programs to Isabelle/HOL

Contact Info

Product

Resources

About