Ownership Types for Verification of Programs with Pointer Arithmetic

Izumi Tanaka, Ken Sakayori, Naoki Kobayashi
DOI: https://doi.org/10.48550/arXiv.2312.06455
2023-12-11
Abstract: Toman et al. have proposed a type system for automatic verification of low-level programs, which combines ownership types and refinement types to enable strong updates of refinement types in the presence of pointer aliases. We extend their type system to support pointer arithmetic, and prove its soundness. Based on the proposed type system, we have implemented a prototype tool for automated verification of the lack of assertion errors of low-level programs with pointer arithmetic, and confirmed its effectiveness through experiments.
Programming Languages
What problem does this paper attempt to address?
### What problem does this paper attempt to solve?

This paper addresses the automatic verification of low-level programs, i.e. programs involving pointer arithmetic. Specifically, the authors extend an existing type system to support pointer arithmetic and prove its soundness. Based on the proposed type system, they also implement a prototype tool that automatically verifies that no assertion errors can occur in low-level programs, and evaluate the tool's effectiveness through experiments.

#### Background and Challenges

1. **Difficulties in low-level program verification**:
   - Low-level programs usually contain mutable references, which makes it complicated to track the value stored in each reference cell.
   - Because of possible aliasing, it is challenging to keep the tracked information sound, precise, and cheap to maintain at the same time.
2. **Limitations of existing methods**:
   - Toman et al. proposed a type system that combines ownership types and refinement types to support strong updates of refinement types, but it does not support pointer arithmetic.
   - In the presence of pointer arithmetic, naive type updates may lead to unsound reasoning, because aliasing affects which cells a pointer operation touches.

#### Main contributions of the paper

1. **Extension of the type system**:
   - Extend the type system of Toman et al. so that it supports pointer arithmetic (pointer addition and subtraction).
   - Introduce ownership functions that map relative addresses to rational numbers in the range [0, 1], representing the ownership of memory cells.
2. **Formalization of the new type system**:
   - Propose a new type system whose function types describe not only the return type but also the types of the parameters after a function call.
   - Prove the soundness of this type system formally.
3. **Implementation of the prototype tool**:
   - Based on the proposed type system, implement a prototype tool for automatically verifying low-level programs.
   - This tool infers ownership functions and refinement predicates to ensure that no assertion errors occur in the program.
4. **Experimental evaluation**:
   - Confirm the effectiveness of the prototype tool through experiments, demonstrating its potential for practical use.

### Formula Summary

- **Ownership function**: The ownership function \(\Gamma\) maps relative addresses to rational numbers in the range [0, 1], representing the ownership of memory cells. For example, \(\Gamma(i)=1\) represents full ownership of the cell at relative address \(i\).
  \[ \Gamma: \mathbb{Z}\to[0, 1] \]
- **Pointer type**: The pointer type \((\lambda i.\tau)\,\text{ref}\,\Gamma\) describes a pointer, where \(\lambda i.\tau\) is a type that depends on the relative address \(i\), and \(\Gamma\) is an ownership function.
  \[ (\lambda i.\tau)\,\text{ref}\,\Gamma \]
- **Type judgment**: A type judgment has the form \(\Theta|\Gamma\vdash e:\tau\Rightarrow\Gamma'\), meaning that under the function type environment \(\Theta\) and type environment \(\Gamma\), the expression \(e\) has type \(\tau\), and the type environment becomes \(\Gamma'\) after evaluation.
  \[ \Theta|\Gamma\vdash e:\tau\Rightarrow\Gamma' \]

Through these extensions, the paper addresses the automatic verification of low-level programs with pointer arithmetic and provides an effective solution.
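The following Python model is an added illustration of the ownership-function idea summarised above; it is not the paper's or the prototype tool's code. An ownership function is modelled as a finite map from relative address to a rational in [0, 1]. The rules it encodes are assumptions stated in the comments: reading a cell needs positive ownership, a strong update needs ownership exactly 1 (so no alias can hold a stale refinement), aliasing splits ownership between the aliases, and the ownership function of `p + k` is the function of `p` shifted by `k`. The names `shift`, `split`, `merge`, `can_read`, `can_write` and `alias_scenario` are hypothetical and the 4-cell buffer is constructed sample input.

```python
from fractions import Fraction
from typing import Dict, Tuple

# An ownership function is modelled as a finite map from relative address
# (offset from the pointer) to a rational in [0, 1]; offsets absent from
# the map have ownership 0.  This is a hypothetical model of the paper's
# Gamma : Z -> [0, 1], not the paper's own implementation.
Ownership = Dict[int, Fraction]

ONE = Fraction(1)
ZERO = Fraction(0)


def well_formed(own: Ownership) -> bool:
    """Every ownership value must lie in [0, 1]."""
    return all(ZERO <= o <= ONE for o in own.values())


def shift(own: Ownership, k: int) -> Ownership:
    """Ownership function of the pointer p + k, given that of p.

    The cell at offset i from p + k is the cell at offset i + k from p,
    so the new function is i -> own(i + k).  (Assumed reading of the
    pointer-arithmetic rule.)
    """
    return {i - k: o for i, o in own.items() if o != ZERO}


def split(own: Ownership, ratio: Fraction) -> Tuple[Ownership, Ownership]:
    """Divide ownership between two aliases of the same pointer.

    The two parts sum to the original, so the total ownership of each
    cell across all aliases never exceeds 1.
    """
    assert ZERO <= ratio <= ONE
    part = {i: o * ratio for i, o in own.items()}
    rest = {i: o - part[i] for i, o in own.items()}
    return part, rest


def merge(a: Ownership, b: Ownership) -> Ownership:
    """Give ownership back: pointwise sum, which must stay within [0, 1]."""
    out = dict(a)
    for i, o in b.items():
        out[i] = out.get(i, ZERO) + o
    assert well_formed(out), "aliases would jointly own more than 1"
    return out


def can_read(own: Ownership, i: int) -> bool:
    """Reading a cell needs some (possibly fractional) ownership (assumed rule)."""
    return own.get(i, ZERO) > ZERO


def can_write(own: Ownership, i: int) -> bool:
    """A strong update (one that changes the cell's refinement) needs full
    ownership, so no alias can observe a stale refinement (assumed rule)."""
    return own.get(i, ZERO) == ONE


def alias_scenario() -> dict:
    """Worked scenario on a constructed 4-cell buffer.

    p owns cells 0..3 fully; q = p + 2 is created by handing half of p's
    ownership to the alias.  Neither pointer may then strongly update the
    shared cells until the halves are merged back.
    """
    p = {i: ONE for i in range(4)}
    p_keep, q_part = split(p, Fraction(1, 2))
    q = shift(q_part, 2)                       # q's offset 0 is p's offset 2
    results = {
        "q_reads_0": can_read(q, 0),            # half ownership suffices
        "q_writes_0": can_write(q, 0),          # rejected: only 1/2
        "p_writes_2": can_write(p_keep, 2),     # rejected: only 1/2
        "q_sees_-2": can_read(q, -2),           # p's cell 0 reached via q
    }
    # Returning q's share to p (q's function shifted back by -2) restores
    # full ownership, so strong updates through p are allowed again.
    p_back = merge(p_keep, shift(q, -2))
    results["p_writes_2_after_merge"] = can_write(p_back, 2)
    results["p_back_well_formed"] = well_formed(p_back)
    return results


if __name__ == "__main__":
    for name, ok in alias_scenario().items():
        print(f"{name}: {ok}")
```

Run the file directly to print the scenario's verdicts. The point the model makes is the one the paper's extension relies on: once a pointer offset is involved, the ownership a pointer holds over a cell must be looked up at the right relative address, and a strong update at `q[0]` is only sound if every alias's ownership of `p[2]` has been collected back into one pointer.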