Gradual C0: Symbolic Execution for Efficient Gradual Verification

Current static verification techniques have allowed users to specify and verify more code than ever before. However, such techniques only support complete and detailed specifications, which places an undue burden on users. To solve this problem, prior work proposed gradual verification, which handles complete, partial, or missing specifications by soundly combining static and dynamic checking. Gradual verification has also been extended to programs that manipulate recursive, mutable data structures on the heap. Unfortunately, this extension does not exhibit a pay-as-you-go cost model, which rewards users with increased static correctness guarantees and decreased dynamic checking as specifications are refined. In fact, all properties are checked dynamically regardless of any static guarantees, resulting in significant run-time overhead. In this paper, we present the first gradual verifier for recursive heap data structures that can be used on real programs, called Gradual C0. Additionally, Gradual C0 reasons with symbolic execution and supports a pay-as-you-go cost model. Our approach addresses technical challenges related to symbolic execution with imprecise specifications, heap ownership, and that branches across program statements and specifications. Finally, we empirically evaluated the pay-as-you-go cost model of Gradual C0 and found that, on average, Gradual C0 decreases run-time overhead between 50-75% compared to the fully-dynamic approach used in prior work. Further, the worst-case scenarios for performance are predictable and avoidable.