►
Description
Yulu Pan and Yuichi Nishiwaki
A
A
B
B
So
here
is
a
summary
of
work,
so
our
ultimate
goal
is
a
formal
reaction
method
applicable
to
production
code.
Yes,
it
is
sounds
very
ambitious,
so
we
developed
a
deductive
verification
framework
for
unsafe
last
using
isabelle
and
simple.
This
is
a
serum
improver
and
simply
the
framework
formalized
in
isabel.
B
So
this
project
is
pretty
much
working
progress
mode,
but
we
prove
and
disproves
the
safety
and
correctness
property
for
some
very
small
and
serious
programs
using
our
frameworks.
So
here
is
a
label
of
the
the
europe
of
the
ripple.
So
you
can
see
the
formalization
artifact
here.
So
this
is
our
trend
of
the
talk.
First,
we
overview
the
background
and
approach
we
took
next.
We
see
some
technical
details
that
explains
how
we
model
us
in
isabel.
B
Then
we
introduce
an
example
where
we
verify
the
safety
condition
for
beta
soft
function
is
correct,
so
in
using
our
special
using
our
framework.
Next,
we
briefly
talk
about
the
verification
effort
for
some
other
small
answer
functions.
We
have
verified
a
mobile.
We
show
some
an
interesting
example
where
we
found
that
formalizing
the
safety
condition
can
be
tricky
due
to
stuff
procedures.
B
Finally,
we
talk
about
some
observations
and
feature
work,
so,
let's
see
the
overview
so
currently,
when
we
listen
about
the
safety
of
unsafe
last
programs,
so
we
have
a
very
nice
culture
where
we
usually
write
these
safety
sections
when
defined
as
functions
and
safety
comments
when
calling
assay
functions
so
that
we
can
be
sure
that
the
safety
are
actually
made.
However,
the
listening
is
down
in
our
head,
so
we
make
many
mistakes,
and
here
we
have
this
list
of
several
vulnerabilities.
B
So
therefore
we
like
to
have
a
formal
rescue
missile
for
safety
and
functional
quickness
for
unsafe
last
programs
to
gain
more
reliability.
Moreover,
the
muscles
should
be
able
to
listen
about
low-level
memory
model
of
unsafe
loss
and
we
want
the
verification
effort
to
be
a
minimal.
So
this
course
looks
very
quite
changing,
but
we
can
look
back
on
history
of
research
like
last
designer
already
did
and
we
can
stand
on
the
shoulder
of
giants.
So
in
this
project
the
name
of
the
change
is
called
the
cell
4.
B
To
help
this
work,
they
have
developed
several
powerful
automation
tools.
So
here
is
the
artific
architecture
of
sorry.
Here
is
architecture
of
the
city
for
verification
they
use
the
ceremony
approval
called
isabel
hall
for
the
verification.
So
first
they
write
down
the
formal
spec
of
their
carne
in
izabel
hall.
B
B
So
finally
they
proved
that
this
representation
implements
a
spec
concluding
that
this
c
called
satisfy
the
spec.
So
the
sample
project
successfully,
this
verification
works.
So
we
saw
that
this
approach
can
be
adapted
to
last.
So
in
this
approach
we
translate
the
last
program
to
israel
instead
of
c.
So
currently
we
are
missing
this
high-level
representation
on
automated
translator,
so
in
current
setting
we
need
to
manually
translate
last
program,
so
sim
is
avail
and
we
are
writing
direct
proof
against
the
formal
specification
of
the
function
and
not
a
representation
of
the
last
implementation.
B
B
What
is
interesting
is
that
this
simple
frame,
work
on
its
whole
logic,
are
parameterized
by
this
set
space.
So
once
we
can
encode
last
memory
model
into
this,
like
simple
state
space,
we
can
leverage
simple
infrastructure
such
as
holologic
for
verification
of
unsafe
flash
programs.
So
we
briefly
show
how
we
encode
last
memory
model
into
simple.
B
First,
we
represented
the
global
heap
memory
as
a
pair
of
bias
and
exo
stacks
following
the
last
stacked
force
areas
in
model.
So
in
this
definition,
this
memory
path
corresponds
to
the
content
of
the
memory
at
each
location
and
this
tags
part
tracks
byte
references
using
different
styles.
So
this
left
kind
means
that
permission
given
to
this
set
of
tags
and
they
form
a
stack
to
deal
with
reporting.
B
Then
for
each
function
to
be
verified,
we
define
a
set
space
for
that
function
and
we
and
this
this
state
space
is
used
for
verifying
last
programs
using
simple.
So,
for
example,
I
mean
the
function.
Csps
is
defined.
A
pair
of
global
heap
and
variables,
for
example,
swap
function
in
the
standard.
Library
takes
two
arguments
x
and
y,
and
it
has
local
variable
name
temps.
B
So
let's
see
an
example
of
verification,
so
here
we
want
to
verify
that
the
safety
conditions
on
the
pointer
swap
function
in
the.
So
I
mean
I'm
sorry,
so
we
would
like
to
verify
that
safety
condition
of
point
as
well
function
written
in
the
standard
library,
dogs
are
actually
sufficient
to
be
safe.
To
call
the
point
of
swap
so
so
to
verify
this,
we
first
translate
the
implementation
point
of
function
into
simple.
B
B
B
B
B
So
the
area
case
I
explained
later
so-
the
verification
of
the
safety
is
mostly
automatic.
We
learn
the
verification,
condition
generator
of
simple
and
simplifier
of
isabelle,
so
they
give
up
remaining
beneficial
conditions,
but
we
can
invoke
sledgehammer
2,
which
is
a
very
powerful
proof,
search
to
provided
by
isabel-
and
this
is
summer
to
conclude
the
proof
with
this
lemma
in
this
case,
so
we
can
prove
the
safety
of
a
function
like
this.
B
These
functions
are
very
minimal,
but
we
observe
that
proof
checking
time
can
easily
blow
up.
So,
actually,
our
framework
is
not
very
scalable
in
its
current
state,
so
over
the
areas
in
case
so
where
two,
the
arguments
of
the
pointers
up
are
area,
same
requests,
a
bit
more
verification
work,
and
during
this
verification
we
found
an
interesting
example
where
formalizing
safety
condition
can
be
tricky,
so
consider
these
two
programs.
B
B
Indeed,
under
the
stack
both
rules,
the
left
one
lands
safely,
while
the
right
one
exhibits
an
undefined
behavior
when
calling
point
as
well,
so
to
explain
why
there
is
this
difference,
we
assume
the
understanding
of
suck
o.
So
please
feel
free
to
ignore
this
slide.
If
you
don't
know
much
about
success,
so,
basically,
on
the
left
hand,
side
since
p2
are
directly
revolved
from
p1,
p1
and
p2
share
the
same
partition
to
access
x,
so
in
other
words,
p1
and
p2
are
simultaneously
byte
differences.
B
While,
on
the
right
hand,
side
there
is
a
there,
is
a
mutable
differences
spreading
p1
and
p2,
so
under
the
stack
both
used
when
we
use
p1
in
the
implementation
of
pointer
swap,
it
invalidates
p2,
so
in
other
words,
p1
and
p2
are
not
similar
dc
varied.
And,
finally,
this
pointer
sub
code
leads
to
an
undefined
behavior.
B
So
the
point
of
this
example
is
that
this
distinction
is
not
clear
from
the
safety
section
of
point
of
documentation.
It
just
say
the
both
x
and
y
must
be
valid,
but
it
doesn't
say
it's
the
point,
that's
up
by
inverse
sense
so
and
actually,
when
we
try
to
improve
safety
of
the
left
hand,
side
and
the
unsafety
of
the
right-hand
side.
The
reasoning
is
much
more
complex
due
to
aliasing.
B
However,
our
formerization
suffers
from
longest
proof
checking
time,
and
actually
we
observed
some
exponential
block
up
of
verification
conditions,
so
it's
not
scalable.
Now,
moreover,
we
found
that
formalizing
safety
conditions
can
be
tricky,
as
shown
in
the
previous
slides,
especially
under
stockpiles
loose.
So
I
opened
the
issue
at
last
long
last
repository
about
how
to
document
pointers
of
safety
conditions.
So
if
you
have
any
idea,
please
go
ahead
so
also
future
work.