| 09:00 - 10:00 | Arrival and welcome |
| 10:00 - 11:00 |
Bug Detection for the Masses: A (True) Positive Experience
Azalea Raad (Imperial College London)
Abstract
Incorrectness Logic (IL), introduced in 2020, provides a logical foundation for under-approximate program analysis aimed at true bug detection. A defining feature of IL-based analyses is their no-false-positives guarantee: every reported bug corresponds to a real defect. In this talk, I will present an overview of our work on IL over the past five years, spanning both theoretical advances and industrial deployments. I will discuss extensions of IL that enable:
- compositional reasoning via separation logic, leading to the Pulse-X analyser deployed at Meta;
- reasoning about program divergence (non-termination), culminating in the Pulse∞ analyser deployed at Meta and Bloomberg; and
- bug detection for unsafe Rust code, resulting in the Soteria static analysis engine and the formation of Soteria Tools Ltd.
|
| 11:00 - 11:30 | Tea, coffee, and pastries |
| 11:30 - 12:45 |
Gradually Retrofitting Assurance into Systems Code: A Separation-Logic Approach
Rini Banerjee (University of Cambridge)
Abstract
Systems software (e.g. operating systems, hypervisors) forms the foundation of all modern computing infrastructure, and so ensuring its reliability is critical, and various approaches have been explored over the past few decades in pursuit of this goal. Full functional correctness verification, although historically a slow process requiring specialist knowledge of proof tools, provides strong correctness guarantees by proving the absence of bugs for all possible executions. In the context of systems software, where a single bug that propagates up the stack can have far-reaching consequences, such guarantees are often not just desirable, but essential.
The majority of the overhead of such verification efforts lies in the process of writing explicit specifications that capture the full behaviour of the software to be verified. This includes function-level specifications like pre- and post-conditions, but also intermediate specifications like loop invariants. This process of writing specifications can be tedious at best, and inhibiting at worst: the feedback loop of writing a full specification, running a proof tool to check if it makes sense, and in the failure case, using the error message generated by the proof tool to debug the incorrect specification, is extremely slow and often unintuitive. Testing specifications concretely at runtime — as they are being written — is one way to alleviate these problems and provide more gradual assurance; testing makes discovering specification bugs easier and the specification-writing process more lightweight, making the checking and debugging of in-progress, partial specifications possible. In the context of testing and verifying systems code, we consider separation logic a crucial tool for capturing the complex ownership patterns that are prevalent in real-world systems programs. Separation-logic specification-testing has not been extensively explored until recently, for both technical and social reasons.
In this talk, we discuss our ongoing work in using separation-logic tools to retroactively gain assurance of real-world systems software written in C. For this purpose, we have used CN, a state-of-the-art separation-logic verification tool for C; Fulminate, a tool that translates CN separation-logic specifications into runtime-checkable C assertions and performs dynamic ownership checking; and Darcy, a new property-based testing tool that generates sophisticated random inputs from the provided CN specifications to exercise Fulminate-instrumented C files. We discuss our experience in writing CN specifications for a fragment of Google’s pKVM hypervisor, the hyp allocator, and testing them as they were being written; our efforts in getting a Fulminate-instrumented version of the hyp allocator to run within pKVM at the privileged Arm Exception Level 2 (EL2); and the various improvements we have made to each of these tools to facilitate this work.
|
Specialisation: Context-Dependent Reasoning in Incorrectness Separation Logic
Raquel Fernandes da Silva (Imperial College London)
Abstract
Compositional static analysis has enabled the application of
bug-finding techniques at scale, as demonstrated by tools
such as Infer’s Pulse engine. However, restricting the analysis
to the level of procedures results in losing awareness of the
program state when a function is called. In particular for pro-
cedures involving dynamic dispatching or argument pointer
aliasing, context is essential for effective specification infer-
ence. This work presents specialisation, a mechanism that
enables the generation of summaries tailored to individual
call site contexts when necessary. We discuss the intuition
behind our formalisation of this technique and present our
preliminary results on the impact of specialisation when
analysing open-source projects with the Pulse engine.
|
NilGuard: Minimising Patches for Null Pointer Errors with Incorrectness Separation Logic
Raghav Roy (University College London)
Abstract
Automated repair tools for null pointer exceptions often produce bloated or false-positive patches due to their over-approximate foundations. NilGuard takes a different approach: it builds on Pulse-X and Incorrectness Separation Logic to precisely locate faults and generate minimal program transformations. We formalise NPE repair as an alias-aware transformation problem, introduce two canonical repair schemas (Skip and Replace), and present a three-stage compaction algorithm that finds Pareto-optimal patches under a novel cost model. Our evaluation on over 1.5M lines of C shows that NilGuard produces 28.7% more safe patches than the state of the art, with significantly less patch bloat.
|
|
| 12:45 - 14:00 | Lunch |
| 14:00 - 15:00 |
A Programming Language for Lightweight Diagramming
Shriram Krishnamurthi (Brown University)
Abstract
Formal modeling tools such as Alloy enable users to incrementally define, explore, verify, and diagnose specifications for complex systems. A critical component of these tools is a visualizer that lets users graphically explore generated models. However, a default visualizer that knows nothing about the domain can be unhelpful and can even actively violate presentational and cognitive principles. At the other extreme, full-blown custom visualization requires significant effort as well as knowledge that a tool user might not possess. Custom visualizations can also exhibit bad (even silent) failures. The same needs and demands apply to programming languages, which are virtually never accompanied by data structure visualizers.
We chart a middle ground between the extremes of default and fully-customizable visualization. We capture essential domain information for lightweight diagramming. To identify key elements of these diagrams, we ground the design in both cognitive science and in a corpus of custom visualizations. We distill from these sources a small set of orthogonal primitives, and use the primitives to guide a diagramming language.
We show how to endow the diagramming language with a spatial semantics and prove that it enjoys key properties. We also show how it can be embedded into three very different languages: Python, Rust, and Pyret. We present a novel counterfactual debugging aid for diagramming errors, combining textual and visual output. We evaluate the language and system for expressiveness, performance, and diagnostic quality. We thus define a new point in the design space of diagramming: through a language that is lightweight, effective, and driven by cognitively sound principles.
|
| 15:00 - 15:20 | Tea, coffee, and biscuits |
| 15:20 - 16:10 |
I Put a SAT Solver in Your SAT Solver So You Can Find Backdoors Slowly
Martin Mariusz Lester (University of Reading)
Abstract
The classic algorithm for SAT solving, DPLL, runs in exponential time. The algorithm is entirely
deterministic, except for choices about which variable to branch on and whether to try true or
false first. This choice can be made deterministically using heuristics, but often randomness is
employed. For the algorithm to find a solution in reasonable time, it must make only a small number
of choices, although (thanks to backtracking) some of these may be wrong. By modelling the choices
as nondeterminism, we obtain a declarative C SAT solver, executable using a SAT solver.
The declarative C SAT solver works using a bounded model checker to encode the problem
of solving a SAT instance as a larger SAT instance, then using an existing SAT solver to resolve
the nondeterminism. This is much less efficient than applying the existing SAT solver directly to
the SAT instance of interest. However, by reframing SAT solving as an optimisation problem of
minimising the amount of nondeterminism required, we can get an empirical measure of the hardness
of an easy SAT instance, called a backdoor, which is more informative than syntactic measures such
as number of variables or clauses.
|
Type-Level Arithmetic in an Ordered Context
Stephen Dolan (Jane Street)
Abstract
Refinement types allow convenient automatic propagation of facts about
values. However, refinement type systems are tricky: substituting a
definition can break typeability, and soundness is highly sensitive to
evaluation order. Dependent types are more robust, being insensitive to
substitutions or evaluation order, but are less convenient.
I'll show how, at least for linear rational arithmetic, the advantages
of both can be combined. The key is to separate the predicate of a
variable’s type (what it says about the value) from its projection
(what it says about other variables), and to track all constraints in
a single ordered context.
|
|
| 16:10 - 16:30 | Tea and coffee |
| 16:30 - 17:20 |
It's Good to Be Unbound!
Hossein Haeri (PLWorkz R&D)
Abstract
Unowned sharing, which is the use of an entity by more than one other
entity without owning the shared entity, is ubiquitous in programming.
We identify three sets of linguistic requirements for the practice of
unowned sharing. The "stakeholder requirements" are those that enforce
unownedness of the sharing and prevent duplication. The "coalition
requirements" are those that pertain to the identification of an
unowned sharing and programming in terms of it. Finally, there are
also "practicality requirements."
We propose `unbound`s as a new programming construct that fulfills all
those requirements. We demonstrate the suitability of `unbound`s for
systems programming and their elegance by tackling three recurrent
programming challenges: dependency injection, prevention of
association bugs (i.e., those bugs caused due to the usage by what an
entity is not conceptually associated with), and zero-boilerplate
(de)serialization. Unsurprisingly, those three are all instances of
unowned sharing. We discuss how `unbound`s support both family
polymorphism and lightweight family polymorphism. An implementation of
`unbound`s is available in Xlang, our new systems programming
language.
|
Quis custodiet ipsos custodes: Solidifying the Foundations for Software Verification
Chengyu Zhang (Loughborough University)
Abstract
Although software verification is key to reliability, the tools themselves are rarely validated due to the complexity of constructing effective test cases and oracles. Dr. Zhang will present systematic approaches to detect bugs in SMT solvers and verifiers, revealing thousands of critical bugs in the tools we trust. This talk will discuss the theoretical and practical implications of these findings and the latest advances.
|
|
| 17:20 - 17:30 | Farewell |
Note: the venue is different from that of SREPLS 13. Watershed is approximately 20 minutes walk from Bristol Temple Meads railway station. If you plan to travel by car, there are many Park and Ride locations that offer easy access to the city centre.
