Abstract
In the context of deductive program verification, ghost code is a part of the program that is added for the purpose of specification. Ghost code must not interfere with regular code, in the sense that it can be erased without observable difference in the program outcome. In particular, ghost data cannot participate in regular computations and ghost code cannot mutate regular data or diverge. The idea exists in the folklore since the early notion of auxiliary variables and is implemented in many state-of-the-art program verification tools. However, ghost code deserves rigorous definition and treatment, and few formalizations exist. In this article, we describe a simple ML-style programming language with mutable state and ghost code. Non-interference is ensured by a type system with effects, which allows, notably, the same data types and functions to be used in both regular and ghost code. We define the procedure of ghost code erasure and we prove its safety using bisimulation. A similar type system, with numerous extensions which we briefly discuss, is implemented in the program verification environment Why3.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
Notes
For the sake of readability, we slightly relax the constraints of the A-normal form and accept arbitrary terms in the reference assignment.
Why3 is freely available from http://why3.lri.fr/.
References
Leino KRM (2010) Dafny: an automatic program verifier for functional correctness. In: LPAR-16. Lecture Notes in Computer Science, vol 6355. Springer, pp 348–370
Cohen E, Dahlweid M, Hillebrand M, Leinenbach D, Moskal M, Santen T, Schulte W, Tobies S (2009) VCC: a practical system for verifying concurrent C. In: Theorem proving in higher order logics (TPHOLs). Lecture Notes in Computer Science, vol 5674. Springer
Jacobs B, Piessens F (2008) The VeriFast program verifier. CW Reports CW520. Department of Computer Science, K.U.Leuven
Filliâtre JC, Paskevich A (2013) Why3: where programs meet provers. In: Felleisen M, Gardner P (eds) Proceedings of the 22nd European symposium on programming. Lecture Notes in Computer Science, vol 7792. Springer, pp 125–128
Hatcliff J, Leavens GT, Leino KRM, Müller P, Parkinson M (2009) Behavioral interface specification languages. Technical report CS-TR-09-01, University of Central Florida, School of EECS A survey paper, Draft
Flanagan C, Sabry A, Duba BF, Felleisen M (1993) The essence of compiling with continuations. SIGPLAN Not 28(6):237–247
Wright AK, Felleisen M (1992) A syntactic approach to type soundness. Inf Comput 115:38–94
Pierce BC (2002) Types and programming languages. MIT Press, Cambridge
Plotkin GD (1975) Call-by-name, call-by-value and the lambda-calculus. Theory Comput Sci 1(2):125–159
Jones CB, Roscoe A, Wood KR (2010) Reflections on the Work of C.A.R. Hoare. 1st edn. Springer Publishing Company, Incorporated
Reynolds JC (1981) The craft of programming. Prentice Hall International Series in Computer SciencePrentice Hall, London
Lucas P (1968) Two constructive realizations of the block concept and their equivalence. Technical Report 25.085. IBM Laboratory, Vienna
Kleymann T (1999) Hoare logic and auxiliary variables. Form Asp Comput 11(5):541–566
Zhang Z, Feng X, Fu M, Shao Z, Li Y (2012) A structural approach to prophecy variables. In: Agrawal M, Cooper S, Li A (eds) 9th annual conference on theory and applications of models of computation (TAMC). Lecture Notes in Computer Science, Vol 7287. Springer, Berlin, pp 61–71
Schmaltz S (2013) Towards the pervasive formal verification of multi-core operating systems and hypervisors implemented in C. PhD thesis, Saarland University, Saarbrücken
Leino KRM, Moskal M (2014) Co-induction simply: automatic co-inductive proofs in a program verifier. In: Jones C, Pihlajasaari P, Sun J (eds) FM 2014: formal methods. Lecture Notes in Computer Science, vol 8442, Springer, pp 382–398
Denning DE, Denning PJ (1977) Certification of programs for secure information flow. Commun ACM 20(2):504–513
Pottier F, Conchon S (2000) Information flow inference for free. In: Proceedings of the fifth ACM SIGPLAN international conference on functional programming (ICFP’00). Montréal, pp 46–57
Pottier F, Simonet V (2003) Information flow inference for ML. In: ACM Transactions on programming languages and systems. ACM, vol 25(1), pp 117–158
Paulin-Mohring C (1989) Extracting \({F}_{\omega }\)’s programs from proofs in the Calculus of Constructions. In: Sixteenth annual ACM symposium on principles of programming languages. ACM Press, Austin
Paulin-Mohring C (1989) Extraction de programmes dans le Calcul des Constructions. Thèse d’université, Paris 7
Filliâtre JC, Gondelman L, Paskevich A (2014) The spirit of ghost code. In: Biere A, Bloem R (eds) 26th international conference on computer aided verification. Lecture Notes in Computer Science, vol 8859. Springer, Vienna, pp 1–16
Acknowledgments
We are grateful to Sylvain Conchon, Rustan Leino, and François Pottier for comments and discussions regarding earlier versions of this paper. This work is partly supported by the Bware (ANR-12-INSE-0010, http://bware.lri.fr/) project of the French national research agency (ANR). This is an extended version of a conference paper [22].
Author information
Authors and Affiliations
Corresponding author
Rights and permissions
About this article
Cite this article
Filliâtre, JC., Gondelman, L. & Paskevich, A. The spirit of ghost code. Form Methods Syst Des 48, 152–174 (2016). https://doi.org/10.1007/s10703-016-0243-x
Published:
Issue Date:
DOI: https://doi.org/10.1007/s10703-016-0243-x