Automated deductive program synthesis promises to generate executable programs from concise specifications, along with proofs of correctness that can be independently verified using thirdparty tools. However, an attempt to exercise this promise using existing proofcertification frameworks reveals significant discrepancies in how proof derivations are structured for two different purposes: program synthesis and program verification. These discrepancies make it difficult to use certified verifiers to validate synthesis results, forcing one to write an adhoc translation procedure from synthesis proofs to correctness proofs for each verification backend. In this work, we address this challenge in the context of the synthesis and verification of heapmanipulating programs. We present a technique for principled translation of deductive synthesis derivations (a.k.a. source proofs) into deductive target proofs about the synthesised programs in the logics of interactive program verifiers. We showcase our technique by implementing three different certifiers for programs generated via SuSLik, a Separation Logicbased tool for automated synthesis of programs with pointers, in foundational verification frameworks embedded in Coq: Hoare Type Theory (HTT), Iris, and Verified Software Toolchain (VST), producing concise and efficient machinecheckable proofs for characteristic synthesis benchmarks.
more »
« less
This content will become publicly available on January 9, 2024
Unrealizability Logic
We consider the problem of establishing that a programsynthesis problem is unrealizable (i.e., has no solution in a given search space of programs). Prior work on unrealizability has developed some automatic techniques to establish that a problem is unrealizable; however, these techniques are all blackbox , meaning that they conceal the reasoning behind why a synthesis problem is unrealizable. In this paper, we present a Hoarestyle reasoning system, called unrealizability logic for establishing that a programsynthesis problem is unrealizable. To the best of our knowledge, unrealizability logic is the first proof system for overapproximating the execution of an infinite set of imperative programs. The logic provides a general, logical system for building checkable proofs about unrealizability. Similar to how Hoare logic distills the fundamental concepts behind algorithms and tools to prove the correctness of programs, unrealizability logic distills into a single logical system the fundamental concepts that were hidden within prior tools capable of establishing that a programsynthesis problem is unrealizable.
more »
« less
 Award ID(s):
 1750965
 NSFPAR ID:
 10432711
 Date Published:
 Journal Name:
 Proceedings of the ACM on Programming Languages
 Volume:
 7
 Issue:
 POPL
 ISSN:
 24751421
 Page Range / eLocation ID:
 659 to 688
 Format(s):
 Medium: X
 Sponsoring Org:
 National Science Foundation
More Like this


Dedicated to Tony Hoare. In a paper published in 1972, Hoare articulated the fundamental notions of hiding invariants and simulations. Hiding: invariants on encapsulated data representations need not be mentioned in specifications that comprise the API of a module. Simulation: correctness of a new data representation and implementation can be established by proving simulation between the old and new implementations using a coupling relation defined on the encapsulated state. These results were formalized semantically and for a simple model of state, though the paper claimed this could be extended to encompass dynamically allocated objects. In recent years, progress has been made toward formalizing the claim, for simulation, though mainly in semantic developments. In this article, hiding and simulation are combined with the idea in Hoareโs 1969 paper: a logic of programs. For an objectbased language with dynamic allocation, we introduce a relational Hoare logic with stateful frame conditions that formalizes encapsulation, hiding of invariants, and couplings that relate two implementations. Relations and other assertions are expressed in firstorder logic. Specifications can express a wide range of relational properties such as conditional equivalence and noninterference with declassification. The proof rules facilitate relational reasoning by means of convenient alignments and are shown sound with respect to a conventional operational semantics. A derived proof rule for equivalence of linked programs directly embodies representation independence. Applicability to representative examples is demonstrated using an SMTbased implementation.more » « less

Kleene algebra with tests (KAT) is a foundational equational framework for reasoning about programs, which has found applications in program transformations, networking and compiler optimizations, among many other areas. In his seminal work, Kozen proved that KAT subsumes propositional Hoare logic, showing that one can reason about the (partial) correctness of while programs by means of the equational theory of KAT. In this work, we investigate the support that KAT provides for reasoning about incorrectness, instead, as embodied by O'Hearn's recently proposed incorrectness logic. We show that KAT cannot directly express incorrectness logic. The main reason for this limitation can be traced to the fact that KAT cannot express explicitly the notion of codomain, which is essential to express incorrectness triples. To address this issue, we study Kleene Algebra with Top and Tests (TopKAT), an extension of KAT with a top element. We show that TopKAT is powerful enough to express a codomain operation, to express incorrectness triples, and to prove all the rules of incorrectness logic sound. This shows that one can reason about the incorrectness of whilelike programs by means of the equational theory of TopKAT.more » « less

Relational verification encompasses information flow security, regression verification, translation validation for compilers, and more. Effective alignment of the programs and computations to be related facilitates use of simpler relational invariants and relational procedure specs, which in turn enables automation and modular reasoning. Alignment has been explored in terms of trace pairs, deductive rules of relational Hoare logics (RHL), and several forms of product automata. This article shows how a simple extension of Kleene Algebra with Tests (KAT), called BiKAT, subsumes prior formulations, including alignment witnesses for forallexists properties, which brings to light new RHLstyle rules for such properties. Alignments can be discovered algorithmically or devised manually but, in either case, their adequacy with respect to the original programs must be proved; an explicit algebra enables constructive proof by equational reasoning. Furthermore our approach inherits algorithmic benefits from existing KATbased techniques and tools, which are applicable to a range of semantic models.more » « less

null (Ed.)The typetheoretic notions of existential abstraction, subtyping, subsumption, and intersection have useful analogues in separationlogic proofs of imperative programs. We have implemented these as an enhancement of the verified software toolchain (VST). VST is an impredicative concurrent separation logic for the C language, implemented in the Coq proof assistant, and proved sound in Coq. For machinechecked functionalcorrectness verification of software at scale, VST embeds its expressive program logic in dependently typed higherorder logic (CiC). Specifications and proofs in the program logic can leverage the expressiveness of CiCโso users can overcome the abstraction gaps that stand in the way of toptobottom verification: gaps between source code verification, compilation, and domainspecific reasoning, and between different analysis techniques or formalisms. Until now, VST has supported the specification of a program as a flat collection of function specifications (in higherorder separation logic)โone proves that each function correctly implements its specification, assuming the specifications of the functions it calls. But what if a function has more than one specification? In this work, we exploit typetheoretic concepts to structure specification interfaces for C code. This brings modularity principles of modern software engineering to concrete program verification. Previous work used representation predicates to enable data abstraction in separation logic. We go further, introducing functionspecification subsumption and intersection specifications to organize the multiple specifications that a function is typically associated with. As in type theory, if ๐ is a of ๐, that is ๐<:๐, then ๐ฅ:๐ implies ๐ฅ:๐, meaning that any function satisfying specification ๐ can be used wherever a function satisfying ๐ is demanded. Subsumption incorporates separationlogic framing and parameter adaptation, as well as stepindexing and specifications constructed via mixedvariance functors (needed for Cโs function pointers).more » « less