
Verifying Type Systems with Glass Box Model Checking



Presentation Transcript


  1. Verifying Type Systems with Glass Box Model Checking
     Melanie Agnew, Michael Roberson

  2. Overview
     • Project Goal: Use model checking to verify a type system
     • Project Background / Motivation
       • What does it mean to verify a type system?
       • Why do we care?
     • Project Summary
     • Project Results

  3. Type Checking
     • What is type checking?
       • process of verifying that the statements in the program use types correctly
       • “correct” type usage is defined by the language
       • ex: int a = “abc”;
     • What is a type error?
       • bug in the program that results in undefined behavior

  4. Type Checking
     [Diagram: the set “All Programs” containing the subset “Programs with Type Errors”. Caption on the slide: Is every program that passes type checking inside here?]

  5. Type Soundness
     • What is type soundness?
       • type soundness is a property of the language that guarantees that any program that passes type checking has no type errors
       • we can verify this by checking that from any well-typed state we transition to another well-typed state
     [Diagram: two states labelled “if b then a = 0 else a = 3” joined by an arrow marked State Transition]

  6. Example Language
     literals: 0, true, false
     operators: +1, -1
     if statement: if e1 then e2 else e3
     Types: Boolean, Integer
     Example program: (if true then 0 else 0+1)+1

  7. Example Language
     TypeOf((if true then 0 else 0+1)+1) = ?
     Use the typing rules to find the type of this expression. If it has a valid type then it passes type checking and is called “well-typed”.

  8. Example Language
     TypeOf((if true then 0 else 0+1)+1) = ?
     Literals: TypeOf(true) = Boolean, TypeOf(0) = Integer

  9. Example Language
     TypeOf((if true then 0 else 0+1)+1) = ?
     Rule for +1: TypeOf(e1+1) = Integer if TypeOf(e1) = Integer
     With e1 = 0: TypeOf(0+1) = Integer

  10. Example Language
     TypeOf((if true then 0 else 0+1)+1) = ?
     Rule for if: TypeOf(if e1 then e2 else e3) = TypeOf(e2) if TypeOf(e1) = Boolean and TypeOf(e2) = TypeOf(e3)
     With e1 = true, e2 = 0, e3 = 0+1: TypeOf(if true then 0 else 0+1) = Integer

  11. Example Language
     TypeOf((if true then 0 else 0+1)+1) = ?
     Rule for +1: TypeOf(e1+1) = Integer if TypeOf(e1) = Integer
     With e1 = (if true then 0 else 0+1): TypeOf((if true then 0 else 0+1)+1) = Integer

  12. Example Language
     TypeOf((if true then 0 else 0+1)+1) = Integer
     The expression is well-typed.

  13. Example 2
     What happens if our language uses a different rule for if-then-else?
     Original rule: TypeOf(if e1 then e2 else e3) = TypeOf(e2) if TypeOf(e1) = Boolean and TypeOf(e2) = TypeOf(e3)
     Changed rule: TypeOf(if e1 then e2 else e3) = TypeOf(e2) if TypeOf(e1) = Boolean
     Then this passes the type checker: (if false then 0 else true)+1
     …but it contains a type error! (true+1 is undefined)

  14. In Summary
     • What does it mean to verify a type system?
       • Prove Type Soundness of the type system
     • Why do we care?
       • Detect an entire class of bugs at compile time!

  15. Proving Type Soundness
     • Traditional method is to write out a symbolic proof
       • need to prove soundness for each type of statement
     • We use software model checking
       • Verify that each well-typed program state transitions to another well-typed state

  16. Proving Type Soundness
     • Traditional method is to write out a symbolic proof
       • need to prove soundness for each type of statement
     • We use software model checking
       • Verify that each well-typed program state transitions to another well-typed state
     Example 1 State Transition: (if true then 0 else 0+1)+1 (Type: Integer) → 0+1 (Type: Integer)

  17. Proving Type Soundness
     • Traditional method is to write out a symbolic proof
       • need to prove soundness for each type of statement
     • We use software model checking
       • Verify that each well-typed program state transitions to another well-typed state
     Example 2 State Transition: (if false then 0 else true)+1 (Type: Integer) → true+1 (Type: Invalid)

  18. Glass Box Model Checking
     • Traditional model checking explores state transitions
     [Figure: a state S with bits s1…s5 passes through the State Logic to produce the next state S' with bits s'1…s'5]

  19. Glass Box Model Checking
     • Glass Box checking determines which part of the state is used
     [Figure: the same S → S' state logic, annotated “Which bits are used?”]

  20. Glass Box Model Checking
     • Prune away similar states
     [Figure: the same S → S' state logic, annotated “Which bits are used?”]

  21. Glass Box Model Checking
     • Overall strategy:
       • Keep a set of states that need to be checked
         • Can use a BDD or a SAT formula
       • Iterate until the set is empty
         • Choose a state from the set, check it
         • Remove all similar states from the set
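Added example, not code from the talk: the loop on this slide run over an abstract five-bit state like the S/S' pictures. Each state is wrapped so that every bit a check reads is recorded; after one check, every pending state that agrees with it on exactly those bits is pruned, because the check would follow the same path on it. `example_property` is a constructed stand-in for the real "transitions to a good state" check, and the pending set is an explicit Python set rather than the BDD or SAT formula the talk uses.

```python
from itertools import product


class TrackedState:
    """A bit-vector state that records which bit positions a check reads."""

    def __init__(self, bits):
        self.bits = bits
        self.read = set()

    def __getitem__(self, i):
        self.read.add(i)
        return self.bits[i]


def example_property(s):
    """Constructed stand-in for "this state transitions to a good state".

    Bit 0 selects which sub-check applies; each sub-check then reads at
    most two more bits, so most of the five bits are never touched.
    """
    if s[0]:
        return bool(s[1]) or not s[2]
    return s[3] == s[4]


def glass_box_check(n_bits, prop):
    """Check prop on every n-bit state, pruning states that agree with an
    already-checked state on the bits that check actually read.

    Returns the number of states, the number of checks performed, and the
    representative states on which prop failed.
    """
    pending = set(product((0, 1), repeat=n_bits))   # explicit set, not a BDD/SAT formula
    total = len(pending)
    checks = 0
    violations = []
    while pending:
        state = min(pending)         # any choice works; min keeps runs deterministic
        tracked = TrackedState(state)
        ok = prop(tracked)
        checks += 1
        if not ok:
            violations.append(state)
        # a pending state that matches `state` on every bit the check read
        # would drive the check down the same path, so it is "similar"
        pending = {t for t in pending
                   if any(t[i] != state[i] for i in tracked.read)}
    return {"states": total, "checks": checks, "violations": violations}


if __name__ == "__main__":
    result = glass_box_check(5, example_property)
    print(f"{result['checks']} checks covered {result['states']} states")
    for state in result["violations"]:
        print("violation at representative state", state)
```

With this property only 7 of the 32 states are ever checked: the states with bit 0 set and bit 1 set are all covered by a single check because the check never reads bits 2 to 4 for them. Each reported violation stands for the whole group of similar states that was pruned with it.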

  22. Glass Box Checking + Type Soundness
     • We applied Glass Box checking to Type Soundness
     • Language Implementation
       • Build an interpreter for the language
       • Define the type system, build a type checker
     • Instrumentation
       • Check which parts of the state are accessed
       • Automatically generated from interpreter
     • Initial Search Space
       • BDD/SAT representation of all well-typed states
       • Size-limited
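Added example, not code from the talk: the expression language of slides 6 to 13 in Python, with a type checker that can use either the talk's if-rule or the changed rule from slide 13, a small-step interpreter that produces the state transitions of slides 16 and 17, and the size-limited check from this slide over every well-typed expression up to a given height. The tuple encoding of expressions, the function names and the `height` bound are my own; +1 and -1 are written succ and pred as on the later slides; there is no glass box instrumentation here, so every well-typed state is checked individually.

```python
# Expressions are nested tuples:
#   ("num", 0), ("bool", True), ("succ", e), ("pred", e), ("if", cond, then, else)

def typeof(e, rule="sound"):
    """Return "Integer", "Boolean", or None when e is not well-typed.

    rule="sound": the talk's if-rule (condition Boolean, branches share a type)
    rule="flawed": the slide-13 variant that only checks the condition
    """
    tag = e[0]
    if tag == "num":
        return "Integer"
    if tag == "bool":
        return "Boolean"
    if tag in ("succ", "pred"):
        return "Integer" if typeof(e[1], rule) == "Integer" else None
    _, cond, then, other = e
    if typeof(cond, rule) != "Boolean":
        return None
    t_then, t_else = typeof(then, rule), typeof(other, rule)
    if rule == "flawed":
        return t_then                       # branches are never compared
    return t_then if t_then is not None and t_then == t_else else None


def is_value(e):
    return e[0] in ("num", "bool")


def step(e):
    """One state transition; None when evaluation is stuck (e.g. true+1)."""
    tag = e[0]
    if tag in ("succ", "pred"):
        sub = e[1]
        if not is_value(sub):
            nxt = step(sub)
            return None if nxt is None else (tag, nxt)
        if sub[0] != "num":
            return None                     # true+1 is undefined
        return ("num", sub[1] + 1) if tag == "succ" else ("num", sub[1] - 1)
    if tag == "if":
        _, cond, then, other = e
        if not is_value(cond):
            nxt = step(cond)
            return None if nxt is None else ("if", nxt, then, other)
        if cond[0] != "bool":
            return None
        return then if cond[1] else other
    return None                             # values do not step


def transition(e, rule="sound"):
    """The slide-16/17 view of one step: (type before, successor, type after)."""
    before = typeof(e, rule)
    nxt = step(e)
    after = typeof(nxt, rule) if nxt is not None else None
    return before, nxt, after or "Invalid"


def unsound_step(e, rule="sound"):
    """Why a well-typed, non-value e fails to reach a well-typed state, or None."""
    t = typeof(e, rule)
    if t is None or is_value(e):
        return None
    nxt = step(e)
    if nxt is None:
        return "stuck"
    t_next = typeof(nxt, rule)
    if t_next is None:
        return "successor not well-typed"
    if t_next != t:
        return "type changed"
    return None


def expressions_up_to(height):
    """Every expression of height <= height (height 1 = a literal); this
    explicit enumeration plays the role of the size-limited search space."""
    found = {("num", 0): None, ("bool", True): None, ("bool", False): None}
    for _ in range(2, height + 1):
        smaller = list(found)
        for e in smaller:
            found.setdefault(("succ", e), None)
            found.setdefault(("pred", e), None)
        for cond in smaller:
            for then in smaller:
                for other in smaller:
                    found.setdefault(("if", cond, then, other), None)
    return list(found)


def check_soundness(height, rule="sound"):
    """Bounded check: every well-typed state of height <= height must
    transition to a well-typed state of the same type."""
    failures = []
    for e in expressions_up_to(height):
        reason = unsound_step(e, rule)
        if reason is not None:
            failures.append((e, reason))
    return failures


if __name__ == "__main__":
    for rule in ("sound", "flawed"):
        bad = check_soundness(3, rule)
        print(f"{rule} rules, height <= 3: {len(bad)} counterexamples")
        for e, reason in bad[:3]:
            print("  ", e, "->", reason)
```

With the talk's rules the check finds nothing up to height 3; with the slide-13 rule it reports `(if false then 0 else true)+1` at height 3, whose successor `true+1` has no type, and already at height 2 the bare `if false then 0 else true`, which is typed Integer but steps to the Boolean `true`.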

  23. Languages
     • We verified the type soundness of three languages:
       • Expression Language
       • While Language
       • Featherweight Java

  24. Languages
     • Simple Language of Integer and Boolean Expressions
       • if-then-else
       • booleans and integers
     Example: succ(if true then 0 else succ(0))

  25. Expression Height
     • Expression height measures the number of statements in a specific program body
       • height 1: true
       • height 2: succ(0)
       • height 3: isZero(if true then 0 else 0)
       • height 4: succ(if isZero(0) then succ(0) else 0)

  26. Results Expression Language

  27. Languages
     • While language
       • Imperative language
       • while loops
       • variables
     Example:
     int a
     a := 5;
     while (a < 7) a := a+1

  28. Results While Language (vars = height and nums = height)

  29. Languages
     • Featherweight Java
       • Simplified Java
       • Classes
       • Methods
       • Inheritance

  30. Results Featherweight Java (class height=3, method height = 2)

  31. Conclusions
     • Model checking type systems is feasible
     • SAT seems to outperform BDDs on complex languages
     • Glass box pruning dramatically reduces the type soundness state space

  32. Future Work
     • Investigating methods for type checking-specific pruning
     • Automatic generation of initial state constraints
     • Investigating alternative logics for set representation

  33. Questions
