Lightweight Verification via Specialized Typecheckers
Authors
Kellogg, Martin
Abstract
Software defects can cause severe damage, because software is ubiquitous in the modern world. Software testing cannot find all defects. Full formal verification, though powerful, remains too difficult and expensive for most software engineering projects. Lightweight verification is a promising middle ground between testing and full formal verification that permits developers to prove the absence of particular kinds of defects with low overhead. Proving the absence of such defects improves the reliability, correctness, and security of software. Lightweight verification enables working software engineers to begin to use verification tools, paving the way toward a future in which verification is a standard part of every developer's toolkit.
In this dissertation, we describe novel contributions to lightweight verification via the use of specialized pluggable typecheckers. Our contributions are in two categories: (1) new techniques that increase the expressiveness of lightweight verification by making verification simpler or cheaper for particular classes of problems—thus making verification of the absence of those problems more lightweight—and (2) impact on real developers by applying specialized typecheckers to new domains.
Our first contribution is the theory of accumulation analysis, which demonstrates that alias analysis—the key bottleneck in a traditional typestate analysis—is not necessary for 41% of typestate specifications in a literature survey, meaning that those 41% of specifications can be checked using a lightweight accumulation analysis instead of an expensive traditional typestate analysis. We have implemented several accumulation analyses, including for two specific classes of problems traditionally addressed with typestate—initialization and resource leaks. We have shown that these specialized typecheckers implementing accumulation analyses are effective tools for lightweight verification: they are sound (that is, doing verification rather than bug-finding), fast (running in minutes on commodity hardware), and as precise as the unsound, heuristic-based static analyses commonly employed by developers.
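A toy illustration of the accumulation idea, added here as example code and not taken from the dissertation or its checkers: the analysis tracks, per variable, the set of methods already called on its object, a set that only ever grows, so calls made through one alias never need to be propagated to another for the check to remain sound (they can only be under-approximated). The builder specification, the statement format and the sample programs are constructed for this example.

```python
# Toy accumulation analysis: a typestate-style check that needs no alias analysis.
# Spec (constructed): build() may be called only after setHost() and setPort()
# have both been called on the same receiver.
REQUIRED_BEFORE = {"build": {"setHost", "setPort"}}

# Program statements: ("new", x) | ("assign", x, y) | ("call", x, m) | ("if", then, else)
def analyze(stmts, state=None, errors=None):
    """state maps variable -> set of methods already called on its object."""
    state = {} if state is None else state
    errors = [] if errors is None else errors
    for stmt in stmts:
        kind = stmt[0]
        if kind == "new":
            state[stmt[1]] = set()              # fresh object: nothing accumulated yet
        elif kind == "assign":
            # x = y: x refers to the same object, so calls already seen on y apply to x.
            # Later calls through x are not propagated back to y (no alias analysis);
            # that can only under-approximate y's set, so the check stays sound.
            state[stmt[1]] = set(state.get(stmt[2], set()))
        elif kind == "call":
            x, m = stmt[1], stmt[2]
            acc = state.setdefault(x, set())
            missing = REQUIRED_BEFORE.get(m, set()) - acc
            if missing:
                errors.append(f"{x}.{m}() called before {sorted(missing)}")
            acc.add(m)                          # accumulation: the set only ever grows
        elif kind == "if":
            # Analyze each branch on a copy; at the join keep only what BOTH paths called.
            s1, _ = analyze(stmt[1], {v: set(s) for v, s in state.items()}, errors)
            s2, _ = analyze(stmt[2], {v: set(s) for v, s in state.items()}, errors)
            state = {v: s1[v] & s2[v] for v in s1 if v in s2}
    return state, errors

def check(stmts):
    """Return the list of specification violations (empty means verified)."""
    return analyze(stmts)[1]

# Constructed sample programs.
OK = [("new", "b"), ("call", "b", "setHost"), ("call", "b", "setPort"), ("call", "b", "build")]
MISSING_ON_ONE_PATH = [("new", "b"), ("if", [("call", "b", "setHost")], [("call", "b", "setPort")]),
                       ("call", "b", "build")]
# Calls before "b = a" flow forward to b, so this aliased program is verified precisely ...
ALIAS_FORWARD = [("new", "a"), ("call", "a", "setHost"), ("assign", "b", "a"),
                 ("call", "b", "setPort"), ("call", "b", "build")]
# ... but calls through b are not reflected on a: this correct program is rejected (sound, imprecise).
ALIAS_BACKWARD = [("new", "a"), ("assign", "b", "a"), ("call", "b", "setHost"),
                  ("call", "b", "setPort"), ("call", "a", "build")]
```

The last program shows the trade-off the abstract describes: without alias analysis the checker may report a false positive, but it never misses a real violation.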
Our second contribution is a collection of specialized typecheckers for proving the absence of out-of-bounds array accesses. Our typecheckers achieve similar results as an expensive SMT-backed analysis in an order of magnitude less time, increasing the practicality of array-bounds verification.
Our third contribution is a collection of specialized typecheckers for proving the absence of certain violations of compliance rules. Lightweight verification is a novel technique in the domain of compliance certification which achieves significant impact: developers prefer lightweight verification to state-of-the-practice manual audits.
Description
Thesis (Ph.D.)--University of Washington, 2022
