A Specification Logic for Exceptions and Beyond
![Page 1: A Specification Logic for Exceptions and Beyond](https://reader035.fdocuments.us/reader035/viewer/2022081517/5681627b550346895dd2e9f7/html5/thumbnails/1.jpg)
A Specification Logic for Exceptions and Beyond
Cristina David, Cristian Gherghina
National University of Singapore
![Page 2: A Specification Logic for Exceptions and Beyond](https://reader035.fdocuments.us/reader035/viewer/2022081517/5681627b550346895dd2e9f7/html5/thumbnails/2.jpg)
Context (Roy Maxion et al., “Improving software robustness with dependability cases”)
• Exception failures
  ◦ up to 2/3 of system crashes
  ◦ 50% of system security vulnerabilities
• Need for
  ◦ specifying behavior even in the presence of exceptions
  ◦ precisely defined yet flexible exception safety guarantees
  ◦ tools to enforce such specifications
![Page 3: A Specification Logic for Exceptions and Beyond](https://reader035.fdocuments.us/reader035/viewer/2022081517/5681627b550346895dd2e9f7/html5/thumbnails/3.jpg)
Contributions
• A specification logic for all control flow types
• An improvement of the classical exception safety guarantees
• A verification system for a Java-like language
![Page 4: A Specification Logic for Exceptions and Beyond](https://reader035.fdocuments.us/reader035/viewer/2022081517/5681627b550346895dd2e9f7/html5/thumbnails/4.jpg)
Specification Logic
• Current specification logics fail to track control flow types
• We propose:
  ◦ explicit tracking of control flow information in the specification logic
  ◦ a unified view of all control flow types
![Page 5: A Specification Logic for Exceptions and Beyond](https://reader035.fdocuments.us/reader035/viewer/2022081517/5681627b550346895dd2e9f7/html5/thumbnails/5.jpg)
Specification Logic: a unified view of the control flow
• Unify both normal and abnormal control flows
• Unify both static and dynamic control flows
  ◦ static flow: break, continue, return
  ◦ dynamic flow: try-catch, raise
![Page 6: A Specification Logic for Exceptions and Beyond](https://reader035.fdocuments.us/reader035/viewer/2022081517/5681627b550346895dd2e9f7/html5/thumbnails/6.jpg)
Unified control flow hierarchy
(Diagram; only its labels survived transcription: static, dynamic; static control flows; normal execution; dynamic control flows due to exceptions; can be caught; cannot be caught.)
![Page 7: A Specification Logic for Exceptions and Beyond](https://reader035.fdocuments.us/reader035/viewer/2022081517/5681627b550346895dd2e9f7/html5/thumbnails/7.jpg)
Specification Logic
• The specification formulae are enriched separation logic formulae
• They allow for capturing the states for both normal and exceptional executions
![Page 8: A Specification Logic for Exceptions and Beyond](https://reader035.fdocuments.us/reader035/viewer/2022081517/5681627b550346895dd2e9f7/html5/thumbnails/8.jpg)
Specification Formulae
◦ ¯ captures constraints on flow variables
◦ ¿ captures the current flow
◦ Current flow values can be:
  • exact flow types
  • subtypes and type differences
![Page 9: A Specification Logic for Exceptions and Beyond](https://reader035.fdocuments.us/reader035/viewer/2022081517/5681627b550346895dd2e9f7/html5/thumbnails/9.jpg)
Exception Safety Guarantees (Stroustrup, “Exception Safety: Concepts and Techniques”)
◦ No-leak guarantee
  • exceptions leave the operands in well-defined states
  • every acquired resource is released
◦ Basic guarantee
  • the class invariants are always maintained
  • very forgiving with the programmer
◦ Relaxed strong guarantee
  • precise explicit effect
  • currently, difficult to specify
◦ Strong guarantee
  • the operation either succeeds or has no effect if an exception is raised
  • more difficult to implement
◦ No-throw guarantee
  • never throws an exception
![Page 10: A Specification Logic for Exceptions and Beyond](https://reader035.fdocuments.us/reader035/viewer/2022081517/5681627b550346895dd2e9f7/html5/thumbnails/10.jpg)
No Throw Guarantee
E.g. a swap function: the postcondition specifies that no exceptional flow can escape the swap method.
![Page 11: A Specification Logic for Exceptions and Beyond](https://reader035.fdocuments.us/reader035/viewer/2022081517/5681627b550346895dd2e9f7/html5/thumbnails/11.jpg)
Strong Guarantee
An operation:
• leaves its operands in well-defined states
• ensures that every acquired resource is released
• class invariants are maintained
• succeeds, or has no effects when an exception occurs
![Page 12: A Specification Logic for Exceptions and Beyond](https://reader035.fdocuments.us/reader035/viewer/2022081517/5681627b550346895dd2e9f7/html5/thumbnails/12.jpg)
Relaxed Strong Guarantee
An operation:
• leaves its operands in well-defined states
• ensures that every acquired resource is eventually released
• class invariants are maintained
• succeeds, or has a precisely known effect when an exception occurs
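The difference between the basic and the strong guarantee on slides 9 to 12 is easiest to see on code that raises half-way through an update. The following is an added example written for this transcript, not code from the talk or from the authors' verifier: a constructed `Ledger` object with one class invariant, a transfer that only meets the basic guarantee, a transfer that meets the strong guarantee, and a dynamic check that reports which guarantee an operation actually delivered on a given call. All names (`Ledger`, `transfer_basic`, `transfer_strong`, `classify_guarantee`) are this example's own.

```python
import copy


class Ledger:
    """Constructed sample object: account balances with one class invariant."""

    def __init__(self, balances):
        self.balances = dict(balances)

    def invariant(self):
        # Class invariant (what the basic guarantee promises to keep): no negative balance.
        return all(v >= 0 for v in self.balances.values())


def transfer_basic(ledger, src, dst, amount):
    """Basic guarantee only.

    The invariant holds whatever happens, but if the credit step raises
    (unknown destination account) the debit has already been applied,
    so an exception leaves a partial, unspecified effect behind.
    """
    if ledger.balances[src] < amount:
        raise ValueError("insufficient funds")
    ledger.balances[src] -= amount
    ledger.balances[dst] += amount  # KeyError for an unknown account


def transfer_strong(ledger, src, dst, amount):
    """Strong guarantee: either the transfer succeeds or the ledger is unchanged.

    Every check that can fail happens before any state is touched, and the
    state is then replaced by a single assignment that cannot raise.
    """
    if src not in ledger.balances or dst not in ledger.balances:
        raise KeyError("unknown account")
    if ledger.balances[src] < amount:
        raise ValueError("insufficient funds")
    new_balances = dict(ledger.balances)
    new_balances[src] -= amount
    new_balances[dst] += amount
    ledger.balances = new_balances  # commit point: a no-throw assignment


def classify_guarantee(op, ledger, *args):
    """Run op on ledger and report the guarantee actually observed on this call.

    'ok'     : op returned normally
    'strong' : op raised and the ledger is exactly as before
    'basic'  : op raised, the ledger changed, but the invariant still holds
    'none'   : op raised and the invariant is broken
    """
    before = copy.deepcopy(ledger.balances)
    try:
        op(ledger, *args)
        return "ok"
    except Exception:
        if ledger.balances == before:
            return "strong"
        if ledger.invariant():
            return "basic"
        return "none"


if __name__ == "__main__":
    for op in (transfer_basic, transfer_strong):
        ledger = Ledger({"a": 10, "b": 0})
        print(op.__name__, classify_guarantee(op, ledger, "a", "missing", 5),
              ledger.balances)
```

`transfer_basic` happens to behave strongly when the failing check is the first one (insufficient funds), which is exactly why the slides call the basic guarantee "very forgiving": a dynamic check cannot tell the two apart on every input, whereas a specification that states the effect under each flow can.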
![Page 13: A Specification Logic for Exceptions and Beyond](https://reader035.fdocuments.us/reader035/viewer/2022081517/5681627b550346895dd2e9f7/html5/thumbnails/13.jpg)
Verification System
• Translates Source Language programs into Core Language programs (C. David et al., “Translation and optimization for a core calculus with exceptions”, PEPM09)
• Performs forward verification by computing the strongest postcondition
• Proven to be sound
![Page 14: A Specification Logic for Exceptions and Beyond](https://reader035.fdocuments.us/reader035/viewer/2022081517/5681627b550346895dd2e9f7/html5/thumbnails/14.jpg)
Source Language SrcLang
• Supports constructs that are challenging from the point of view of how control flow is transferred:
  ◦ finally construct
  ◦ multi-return function call
  ◦ try-catch with multiple handlers
  ◦ break and continue statements
![Page 15: A Specification Logic for Exceptions and Beyond](https://reader035.fdocuments.us/reader035/viewer/2022081517/5681627b550346895dd2e9f7/html5/thumbnails/15.jpg)
Core Language
• As small as a corresponding one without exceptions
• Supports the translation of challenging constructs from the source language
• Easier to analyze than the source language
![Page 16: A Specification Logic for Exceptions and Beyond](https://reader035.fdocuments.us/reader035/viewer/2022081517/5681627b550346895dd2e9f7/html5/thumbnails/16.jpg)
Source Lang → Core Lang (translation table; only the column headings survived transcription)
…
![Page 17: A Specification Logic for Exceptions and Beyond](https://reader035.fdocuments.us/reader035/viewer/2022081517/5681627b550346895dd2e9f7/html5/thumbnails/17.jpg)
Important constructs of the Core Lang
• Flow and value: ft#v
  ◦ normal flow: norm#v
  ◦ exceptional flow: ty(v)#v
• Try-catch construct: try e1 catch((c@fv)#v) e2
  ◦ captures both exceptional and normal control flow
  ◦ c: the control flow (type) handled by the catch
  ◦ fv: variable capturing the control flow type (fv<:c)
  ◦ v: the thrown value
![Page 18: A Specification Logic for Exceptions and Beyond](https://reader035.fdocuments.us/reader035/viewer/2022081517/5681627b550346895dd2e9f7/html5/thumbnails/18.jpg)
Verification Example
```
try {
  if (x>0)
    compute(x,p)
  else
    ret#p
} catch(over_exc@fv#v)
  brk_l#()
```
![Page 19: A Specification Logic for Exceptions and Beyond](https://reader035.fdocuments.us/reader035/viewer/2022081517/5681627b550346895dd2e9f7/html5/thumbnails/19.jpg)
Verification Example (the if-else in the try body; the states in braces are the computed strongest postconditions)
```
{true & flow=norm}
if (x>0)
  {x>0 & flow=norm}
  compute(x,p);
  {(x>0 & x'=x-1 & p'=p*x & flow=norm) ∨ (res::num_exc() & x>0 & p=0 & flow=num_exc)}
else
  {x≤0 & flow=norm}
  ret#p
  {x≤0 & res=p & flow=ret}
{(x≤0 & res=p & flow=ret) ∨ (x>0 & x'=x-1 & p'=p*x & flow=norm) ∨ (res::num_exc() & x>0 & p=0 & flow=num_exc)}
```
![Page 20: A Specification Logic for Exceptions and Beyond](https://reader035.fdocuments.us/reader035/viewer/2022081517/5681627b550346895dd2e9f7/html5/thumbnails/20.jpg)
Verification Example (the try-catch; over_exc <: num_exc)
```
{true & flow=norm}
try {
  {true & flow=norm}
  …
  {(x≤0 & res=p & flow=ret) ∨ (x>0 & x'=x-1 & p'=p*x & flow=norm) ∨ (res::num_exc() & x>0 & p=0 & flow=num_exc)}
} catch(over_exc@fv#v)
  {v::over_exc() & x>0 & p=0 & flow=norm & fv=over_exc}
  brk_l#()
  {v::over_exc() & x>0 & p=0 & flow=brk_l & fv=over_exc}
{(x≤0 & res=p & flow=ret) ∨ (x>0 & x'=x-1 & p'=p*x & flow=norm) ∨ ∃ v,fv · (x>0 & res=3 & v=x & flow=exception & fv=exception)}
```
![Page 21: A Specification Logic for Exceptions and Beyond](https://reader035.fdocuments.us/reader035/viewer/2022081517/5681627b550346895dd2e9f7/html5/thumbnails/21.jpg)
Verification Example (postcondition of the whole try-catch; over_exc <: num_exc)
```
try { … } catch(over_exc@fv#v) …
```
Postcondition of the handler:
```
{v::over_exc() & x>0 & p=0 & flow=brk_l & fv=over_exc}
```
Postcondition of the try body:
```
{(x≤0 & res=p & flow=ret) ∨ (x>0 & x'=x-1 & p'=p*x & flow=norm) ∨ (res::num_exc() & x>0 & p=0 & flow=num_exc)}
```
Postcondition of the try-catch (the caught over_exc states go through the handler; the uncaught num_exc states keep the type difference num_exc – over_exc):
```
{(x≤0 & res=p & flow=ret) ∨ (x>0 & x'=x-1 & p'=p*x & flow=norm) ∨ ∃ v,fv · (v::over_exc() & x>0 & p=0 & flow=brk_l & fv=over_exc) ∨ (res::num_exc() & x>0 & p=0 & flow=num_exc – over_exc)}
```
![Page 22: A Specification Logic for Exceptions and Beyond](https://reader035.fdocuments.us/reader035/viewer/2022081517/5681627b550346895dd2e9f7/html5/thumbnails/22.jpg)
Try-catch and “#” Verification Rules
(The rules on this slide did not survive transcription; only the two labels remain: the “caught” states, the “uncaught” states.)
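Slides 17 to 22 describe the try-catch rule in terms of a flow-type hierarchy, flow subtyping (fv<:c) and type differences (num_exc – over_exc), and slides 19 to 21 carry one worked instance of it. The following is an added example written for this transcript, not the authors' verifier or any code from the talk: a small Python model of the flow component of that rule. Postconditions are lists of disjuncts, each a pure constraint (kept as plain text) paired with a flow-type value; `split_caught` partitions the disjuncts of the try body into the "caught" and the "uncaught" states for a handler type `c`, and `verify_try_catch` assembles the postcondition of the whole construct. The type names come from the slides; the parent-child layout in `PARENT`, and all function and class names, are this example's own assumptions.

```python
from dataclasses import dataclass

# Control-flow type hierarchy assumed by this example.  The type names are the
# ones used on the slides (norm, ret, brk_l, exception, num_exc, over_exc and
# the static/dynamic split); which node is the parent of which is this
# example's own choice, not a statement about the authors' hierarchy.
PARENT = {
    "flow": None,
    "static": "flow",
    "norm": "static", "ret": "static", "brk_l": "static",
    "dynamic": "flow",
    "exception": "dynamic",
    "num_exc": "exception",
    "over_exc": "num_exc",
}


def is_subtype(t, c):
    """fv <: c on the slides: c is t itself or one of its ancestors."""
    while t is not None:
        if t == c:
            return True
        t = PARENT[t]
    return False


@dataclass(frozen=True)
class Flow:
    """A flow-type value: an exact type, or the type difference base - minus."""
    base: str
    minus: frozenset = frozenset()

    def __str__(self):
        if not self.minus:
            return self.base
        return self.base + " - " + " - ".join(sorted(self.minus))


@dataclass(frozen=True)
class State:
    """One disjunct of a postcondition: a pure constraint (text only in this
    model) together with the flow under which it is reached."""
    cond: str
    flow: Flow

    def __str__(self):
        return "(" + self.cond + " & flow=" + str(self.flow) + ")"


def split_caught(states, c):
    """Flow part of the try-catch rule: partition the body's disjuncts for handler type c.

    Returns (caught, uncaught).  A disjunct whose flow is a subtype of c is
    caught entirely; if c is a proper subtype of the disjunct's flow, the
    c-part is caught and the rest survives as the type difference flow - c.
    """
    caught, uncaught = [], []
    for s in states:
        f = s.flow
        if any(is_subtype(c, m) for m in f.minus):
            uncaught.append(s)                      # c was already subtracted
        elif is_subtype(f.base, c):
            caught.append(s)                        # whole disjunct is caught
        elif is_subtype(c, f.base):
            kept = frozenset(m for m in f.minus if is_subtype(m, c))
            caught.append(State(s.cond, Flow(c, kept)))
            uncaught.append(State(s.cond, Flow(f.base, f.minus | {c})))
        else:
            uncaught.append(s)                      # unrelated flow passes through
    return caught, uncaught


def verify_try_catch(body_post, c, handler_post):
    """Postcondition of try e1 catch((c@fv)#v) e2, given the postcondition of e1
    and a function mapping each caught state to the postcondition of e2."""
    caught, uncaught = split_caught(body_post, c)
    return uncaught + [s2 for s in caught for s2 in handler_post(s)]


# The slides' example, constructed from the states shown on slides 19 to 21.
BODY_POST = [
    State("x<=0 & res=p", Flow("ret")),
    State("x>0 & x'=x-1 & p'=p*x", Flow("norm")),
    State("res::num_exc() & x>0 & p=0", Flow("num_exc")),
]


def handler_brk_l(caught):
    """Handler body brk_l#(): the thrown value is renamed to v, fv is bound to
    the caught flow type, and the flow becomes brk_l.  (Refining the heap
    predicate of v to the caught subtype is outside this text-only model.)"""
    cond = caught.cond.replace("res", "v") + " & fv=" + caught.flow.base
    return [State(cond, Flow("brk_l"))]


def slide_example():
    """Strongest postcondition of the slides' try-catch, one string per disjunct."""
    return [str(s) for s in verify_try_catch(BODY_POST, "over_exc", handler_brk_l)]


if __name__ == "__main__":
    print(" ∨ ".join(slide_example()))
```

Running it yields four disjuncts with flows ret, norm, num_exc - over_exc and brk_l, the same shape as the final postcondition on slide 21. Because the model treats norm as just another flow type, `split_caught(BODY_POST, "norm")` catches the normal-flow disjunct, which is the "captures both exceptional and normal control flow" property of the core-language try-catch on slide 17, and a second catch of over_exc on the result catches nothing, since the type difference records that it was already handled.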
![Page 23: A Specification Logic for Exceptions and Beyond](https://reader035.fdocuments.us/reader035/viewer/2022081517/5681627b550346895dd2e9f7/html5/thumbnails/23.jpg)
Experimental Results
Successfully verified test examples from:
◦ KeY project, exercising specific features
◦ SPEC benchmarks, broad range of exception handling
![Page 24: A Specification Logic for Exceptions and Beyond](https://reader035.fdocuments.us/reader035/viewer/2022081517/5681627b550346895dd2e9f7/html5/thumbnails/24.jpg)
Related Work
• SPEC#
  ◦ K. Rustan et al., “Exception safety for C#”
• KeY project
  ◦ B. Beckert et al., “Verification of Object-Oriented Software: The KeY Approach”
• Type systems
  ◦ M. Blume et al., “Exception handlers as extensible cases”
• CSP
![Page 25: A Specification Logic for Exceptions and Beyond](https://reader035.fdocuments.us/reader035/viewer/2022081517/5681627b550346895dd2e9f7/html5/thumbnails/25.jpg)
Thank you!
![Page 26: A Specification Logic for Exceptions and Beyond](https://reader035.fdocuments.us/reader035/viewer/2022081517/5681627b550346895dd2e9f7/html5/thumbnails/26.jpg)
Multi-return function call
• Explicitly captures the choice of the return point, based on the control flow caught after the evaluation