Formal Foundations for Translational Separation Logic Verifiers (extended version) (2407.20002v2)

Abstract: Program verification tools are often implemented as front-end translations of an input program into an intermediate verification language (IVL) such as Boogie, GIL, Viper, or Why3. The resulting IVL program is then verified using an existing back-end verifier. A soundness proof for such a translational verifier needs to relate the input program and verification logic to the semantics of the IVL, which in turn needs to be connected with the verification logic implemented in the back-end verifiers. Performing such proofs is challenging due to the large semantic gap between the input and output programs and logics, especially for complex verification logics such as separation logic. This paper presents a formal framework for reasoning about translational separation logic verifiers. At its center is a generic core IVL that captures the essence of different separation logics. We define its operational semantics and formally connect it to two different back-end verifiers, which use symbolic execution and verification condition generation, resp. Crucially, this semantics uses angelic non-determinism to enable the application of different proof search algorithms and heuristics in the back-end verifiers. An axiomatic semantics for the core IVL simplifies reasoning about the front-end translation by performing essential proof steps once and for all in the equivalence proof with the operational semantics rather than for each concrete front-end translation. We illustrate the usefulness of our formal framework by instantiating our core IVL with elements of Viper and connecting it to two Viper back-ends as well as a front-end for concurrent separation logic. All our technical results have been formalized in Isabelle/HOL, including the core IVL and its semantics, the semantics of two back-ends for a subset of Viper, and all proofs.

• The paper establishes a formal framework that uses CoreIVL to unify separation logic and implicit dynamic frames with sound operational semantics.
• The methodology employs dual non-determinism—demonic for uncertainty and angelic for proof strategies—to model both symbolic execution and verification condition generation.
• The work streamlines verification pipelines by enabling a unified approach to prove soundness from high-level translations to low-level operational semantics.

Formal Foundations for Translational Separation Logic Verifiers

This paper addresses the foundational underpinnings of translational separation logic (SL) verifiers by introducing a formal framework designed to establish soundness proofs for such verifiers. The central objective is to bridge the substantial semantic gap between high-level program logics used at the front-end and operational semantics used in back-end verifiers. The framework is centered on a core intermediate verification language (IVL), termed CoreIVL, which abstracts over various back-end verification strategies, including both symbolic execution and verification condition generation. A significant aspect of the paper is to show that CoreIVL can model both separation logic (SL) and implicit dynamic frames (IDF).

CoreIVL and its Semantics

CoreIVL is defined as a parametric language, capturing the essence of translation-based approaches in SL-based verifiers. Assertions and expressions are semantically defined to accommodate the diversity present in existing verifiers. The essence of CoreIVL is embodied in core statements such as \vinhale{} and \vexhale{}, which are utilized to manipulate program state in terms of resource allocation, reflecting SL's capabilities.

The paper introduces an operational semantics for CoreIVL designed to incorporate dual non-determinism (demonic and angelic). This dual non-determinism is a novel approach for representing verification strategies among back-end verifiers. Demonic non-determinism represents uncertainties (e.g., inputs, concurrency), while angelic non-determinism abstracts over back-end proof search strategies, allowing succinct soundness proofs for different algorithms.

Proof of Soundness

To illustrate the applicability of CoreIVL, the authors instantiate it into a version called ViperCore, which mirrors key elements of the Viper language. This instantiation enables the authors to demonstrate soundness with respect to the symbolic execution and verification condition generation back-ends in Viper. A key contribution is showing that CoreIVL captures the different strategies used by these disparate back-ends, further proving that operational semantics can effectively model both symbolic execution and VCG techniques.

Axiomatic Semantics and Front-End Soundness

Additionally, an axiomatic semantics for CoreIVL is defined and proven equivalent to the operational semantics. This axiomatic semantics simplifies the task of establishing soundness proofs for front-end verifiers that translate high-level programs into CoreIVL. The authors provide a detailed example of a front-end translation from a parallel programming language (ParImp) into ViperCore. The translation leverages common patterns in front-end encoding, allowing efficient proof of soundness by using the defined axiomatic semantics.

Implications and Future Developments

This framework provides substantial theoretical backing for verifying tools that target separation logic-based IVLs. One of the primary benefits is its ability to streamline the verification pipeline by reducing redundancies in soundness proofs across different layers of verification. The paper facilitates a unified approach to understanding and proving the correctness of verification processes from high-level language specifications down to low-level operational semantics.

Looking forward, potential developments include extending CoreIVL to accommodate other intermediate representations and further enhancing the expressiveness of the framework to incorporate more complex features of real-world programming languages. Moreover, investigating optimizations within the framework itself could provide performance improvements for SL-based verifiers. This work lays a solid foundation, not only unifying current methodologies but also offering a path for future advances in formal program verification.