Program Verification with Monadic Second-Order Logic & Languages
Total Page:16
File Type:pdf, Size:1020Kb
Program Verification with Monadic Second-Order Logic & Languages for Web Service Development Anders Møller Ph.D. Dissertation Department of Computer Science University of Aarhus Denmark Program Verification with Monadic Second-Order Logic & Languages for Web Service Development A Dissertation Presented to the Faculty of Science of the University of Aarhus in Partial Fulfillment of the Requirements for the Ph.D. Degree by Anders Møller June 12, 2002 Abstract Domain-specific formal languages are an essential part of computer science, combin- ing theory and practice. Such languages are characterized by being tailor-made for specific application domains and thereby providing expressiveness on high abstraction levels and allowing specialized analysis and verification techniques. This disserta- tion describes two projects, each exploring one particular instance of such languages: monadic second-order logic and its application to program verification, and program- ming languages for construction of interactive Web services. Both program verifica- tion and Web service development are areas of programming language research that have received increased attention during the last years. We first show how the logic Weak monadic Second-order Logic on Strings and Trees can be implemented efficiently despite an intractable theoretical worst-case com- plexity. Among several other applications, this implementation forms the basis of a verification technique for imperative programs that perform data-type operations using pointers. To achieve this, the basic logic is extended with layers of language abstractions. Also, a language for expressing data structures and operations along with correctness specifications is designed. Using Hoare logic, programs are split into loop-free fragments which can be encoded in the logic. The technique is described for recursive data types and later extended to the whole class of graph types. As an ex- ample application, we verify correctness properties of an implementation of the insert procedure for red-black search trees. We then show how Web service development can benefit from high-level language support. Existing programming languages for Web services are typically general- purpose languages that provide only low-level primitives for common problems, such as maintaining session state and dynamically producing HTML or XML documents. By introducing explicit language-based mechanisms for those issues, we liberate the Web service programmer from the tedious and error-prone alternatives. Specialized program analyses aid the programmer by verifying at compile time that only valid HTML documents are ever shown to the clients at runtime and that the documents are constructed consistently. In addition, the language design provides support for declar- ative form-field validation, caching of dynamic documents, concurrency control based on temporal-logic specifications, and syntax-level macros for making additional lan- guage extensions. In its newest version, the programming language is designed as an extension of Java. To describe classes of XML documents, we introduce a novel XML schema language aiming to both simplify and generalize existing proposals. All parts are implemented and tested in practice. Both projects involve design of high-level languages and specialized analysis and verification techniques, supporting the thesis that the domain-specific paradigm can provide a versatile and productive approach to development of formal languages. v Acknowledgments I sincerely thank Claus Brabrand, Rasmus Pagh, Anna Ostlin,¨ Jacob and Louise El- gaard, Anders Sandholm, and Aske Simon Christensen for good friendship and for making DAIMI a great place to be. I am grateful to Michael Schwartzbach for being a wise and witty mentor. He has been the ideal supervisor during my studies. I have learned much from Nils Klarlund. I thank him for valuable cooperation and guidance, and for his hospitality the times I visited New Jersey. I am also indebted to Alex Aiken for allowing me to have an inspiring and exciting stay at UC Berkeley. Also thanks to Jeff Foster, Zhendong Su, and David Gay for their friendliness and insightful discussions. Special thanks go to my wife Hanne and to my parents for encouragement and giving me the possibility to pursue my goals. My daughter Sara Louise arrived just in time for this section to be written. I appreciate her effort in reminding me that there are much more important things in life than programming languages. Anders Møller, Aarhus, June 12, 2002. vii Contents Abstract v Acknowledgments vii I Overview 1 1 Introduction 3 1.1 Structure of the Dissertation . 3 1.2 About Domain-Specific Formal Languages . 5 2 Program Verification with Monadic Second-Order Logic 7 2.1 The MONA Tool . 7 2.1.1 The Automaton–Logic Connection . 8 2.1.2 Core WS1S . 9 2.1.3 Complexity . 10 2.1.4 BDD Representation of Automata . 11 2.1.5 Tree Logics and Tree Automata . 12 2.1.6 Finite vs. Infinite Structures . 12 2.1.7 Restrictions and Three-Valued Logic . 13 2.1.8 Other Implementation Tricks . 13 2.1.9 Applications . 17 2.2 Program Verification . 19 2.2.1 Overview . 19 2.2.2 Related Work . 20 2.2.3 Pointer Assertion Logic and Graph Types . 21 2.2.4 Encoding Programs and Properties in MONA Logic . 23 3 Languages for Web Service Development 27 3.1 Interactive Web Services . 28 3.2 The Session-Centered Approach . 31 3.2.1 Script-Centered Languages . 31 3.2.2 Page-Centered Languages . 32 3.2.3 Session-Centered Languages . 33 3.2.4 A Runtime Model with Support for Sessions . 35 3.3 Dynamic Construction of Web Pages . 36 3.4 Program Analyses . 39 ix 3.4.1 Flow Graphs for JWIG Programs . 40 3.4.2 Summary Graphs for XML Expressions . 40 3.4.3 Analyzing Plug Operations . 42 3.4.4 Analyzing Receive Operations . 42 3.4.5 Analyzing Show Operations . 43 3.5 Declarative Form Field Validation . 43 3.5.1 The PowerForms Language . 44 3.5.2 PowerForms in JWIG . 46 3.6 Other Aspects of Web Service Languages . 46 3.6.1 Concurrency Control . 46 3.6.2 Security Issues . 48 3.6.3 Language Abstractions with Syntax Macros . 49 3.7 Schema Languages for XML . 49 3.7.1 The Document Structure Description Language . 51 3.7.2 Validating Summary Graphs with DSD2 . 54 4 Conclusion 57 II Publications 59 5 MONA 1.x: New Techniques for WS1S and WS2S 61 5.1 Introduction . 61 5.2 M2L(Str) and WS1S . 62 5.3 DAGs for Compilation . 64 5.4 Experimental Results . 64 5.5 Related and Future Work . 65 6 MONA Implementation Secrets 67 6.1 Introduction . 67 6.2 The Automaton–Logic Connection . 68 6.3 Benchmark Formulas . 70 6.4 Implementation Secrets . 72 6.4.1 BDD-based Automata Representation . 72 6.4.2 Cache-Conscious Data Structures . 73 6.4.3 Eager Minimization . 74 6.4.4 Guided Tree Automata . 75 6.4.5 DAGification . 75 6.4.6 Three-Valued Logic and Automata . 76 6.4.7 Formula Reductions . 77 6.5 Future Developments . 79 6.6 Conclusion . 80 7 Compile-Time Debugging of C Programs Working on Trees 81 7.1 Introduction . 81 7.2 The Language . 85 7.2.1 The C Subset . 85 x 7.2.2 Modeling the Store . 86 7.2.3 Store Logic . 87 7.2.4 Program Annotations and Hoare Triples . 88 7.3 Deciding Hoare Triples . 90 7.3.1 Weak Monadic Second-Order Logic with Recursive Types . 90 7.3.2 Encoding Stores and Formulas in WSRT . 91 7.3.3 Predicate Transformation . 92 7.4 Deciding WSRT . 93 7.4.1 The Naive Decision Procedure . 93 7.4.2 A Decision Procedure using Guided Tree Automata . 94 7.5 Conclusion . 95 8 The Pointer Assertion Logic Engine 97 8.1 Introduction . 97 8.1.1 A Tiny Example . 99 8.1.2 Related Work . 100 8.2 Pointer Assertion Logic . 101 8.2.1 Store Model . 101 8.2.2 Graph Types . 101 8.2.3 The Programming Language . 103 8.2.4 Program Annotations . 104 8.2.5 Semantics of Annotations . 106 8.3 Example: Threaded Trees . 106 8.4 Hoare Logic Revisited . 108 8.5 Deciding Hoare Triples in MONA . 109 8.6 Data Abstractions . 112 8.7 Implementation and Evaluation . 113 8.8 Conclusion . 116 9 The <bigwig> Project 117 9.1 Introduction . 117 9.1.1 Motivation . 118 9.1.2 The <bigwig> Language . 120 9.1.3 Overview . 122 9.2 Session-Centered Web Services . 122 9.2.1 The Script-Centered Approach . 122 9.2.2 The Page-Centered Approach . 124 9.2.3 The Session-Centered Approach . 125 9.2.4 Structure of <bigwig> Services . 126 9.2.5 A Session-Based Runtime Model . 127 9.3 Dynamic Construction of HTML Pages . 129 9.3.1 Analysis of Template Construction and Form Input . 131 9.3.2 HTML Validity Analysis . 132 9.3.3 Caching of Dynamically Generated HTML . 134 9.3.4 Code Gaps and Document Clusters . 134 9.4 Form Field Validation . 135 9.5 Concurrency Control . 138 xi 9.6 Syntax Macros . 140 9.7 Other Web Service Aspects . 143 9.7.1 HTML Deconstruction . 143 9.7.2 Seslets . 144 9.7.3 Databases . 144 9.7.4 Security . ..