How to get an efficient yet verified arbitrary-precision integer library
|
|
- Scott York
- 5 years ago
- Views:
Transcription
1 How to get an efficient yet verified arbitrary-precision integer library Raphaël Rieu-Helft (joint work with Guillaume Melquiond and Claude Marché) TrustInSoft Inria May 28, /31
2 Context, motivation, goals goal: efficient and formally verified large-integer library GMP: widely-used, high-performance library tested, but hard to ensure good coverage (unlikely branches) correctness bugs have been found in the past idea: 1 formally verify GMP algorithms with Why3 2 extract efficient C code 2/31
3 Outline 1 Deductive verification with Why3 2 Reimplementing GMP using Why3 3 Extracting to idiomatic C code 4 An example: schoolbook multiplication 5 Benchmarks, conclusions 3/31
4 Deductive verification with Why3 4/31
5 Deductive verification program + specification verification conditions proof 5/31
6 Kadane s algorithm (* *) (*... ######## max ########... *) (*... ### cur #### *) let maximum_subarray (a: array int): int ensures { forall l h: int. 0 l h length a sum a l h result } ensures { exists l h: int. 0 l h length a sum a l h = result } = let max = ref 0 in let cur = ref 0 in for i = 0 to length a - 1 do cur += a[i]; if!cur < 0 then cur := 0; if!cur >!max then max :=!cur done;!max 6/31
7 Kadane s algorithm (* *) (*... ######## max ########... *) (*... ### cur #### *) let maximum_subarray (a: array int): int ensures { forall l h: int. 0 l h length a sum a l h result } ensures { exists l h: int. 0 l h length a sum a l h = result } = let max = ref 0 in let cur = ref 0 in let ghost cl = ref 0 in for i = 0 to length a - 1 do invariant { forall l: int. 0 l i sum a l i!cur } invariant { 0!cl i sum a!cl i =!cur } cur += a[i]; if!cur < 0 then begin cur := 0; cl := i+1 end; if!cur >!max then max :=!cur done;!max 7/31
8 Kadane s algorithm (* *) (*... ######## max ########... *) (*... ### cur #### *) let maximum_subarray (a: array int): int ensures { forall l h: int. 0 l h length a sum a l h result } ensures { exists l h: int. 0 l h length a sum a l h = result } = let max = ref 0 in let cur = ref 0 in let ghost cl = ref 0 in let ghost lo = ref 0 in let ghost hi = ref 0 in for i = 0 to length a - 1 do invariant { forall l: int. 0 l i sum a l i!cur } invariant { 0!cl i sum a!cl i =!cur } invariant { forall l h: int. 0 l h i sum a l h!max } invariant { 0!lo!hi i sum a!lo!hi =!max } cur += a[i]; if!cur < 0 then begin cur := 0; cl := i+1 end; if!cur >!max then begin max :=!cur; lo :=!cl; hi := i+1 end done;!max 8/31
9 Computing verification conditions A Hoare triplet: {P } e {Q } P e Q precondition property expression postcondition property {P } e {Q } if we execute e in a state that satisfies P, then the computation terminates in a state that satisfies Q Predicate transformer WP(e, Q) (Dijkstra) e expression Q postcondition computes the weakest precondition P such that {P } e {Q } 9/31
10 Definition of WP WP(skip, Q) = Q WP(t,Q) = Q[result t ] WP(x := t,q) = Q[x t ] WP(e 1 ; e 2,Q) = WP(e 1,WP(e 2,Q)) WP(let v = e 1 in e 2,Q) = WP(e 1,WP(e 2,Q)[v result]) WP(let x = ref e 1 in e 2,Q) = WP(e 1,WP(e 2,Q)[x result]) WP(if t then e 1 else e 2,Q) = (t WP(e 1,Q)) ( t WP(e 2,Q)) WP(assert R,Q) = R (R Q) 10/31
11 Soundness of WP Theorem For any e and Q, the triple {WP(e,Q)} e {Q } is valid. Can be proved by induction on the structure of the program e w.r.t. some reasonable semantics (axiomatic, operational, etc.) Corollary To show that {P } e {Q } is valid, it suffices to prove P WP(e,Q). This is what Why3 does. 11/31
12 Why3 proof session 12/31
13 Reimplementing GMP using Why3 13/31
14 General approach file.mlw Why3 file.ml file.c Alt-Ergo CVC4 Z3 etc. game plan: implement the GMP algorithms in WhyML verify them with Why3 extract to C difficulties: preserve all GMP implementation tricks prove them correct extract to efficient C code 14/31
15 An example: comparison large integer pointer to array of unsigned integers a 0...a n 1 called limbs value(a,n) = n 1 a i β i usually β = 2 64 i=0 type ptr 'a =... exception Return32 int32 let wmpn_cmp (x y: ptr uint64) (sz: int32): int32 = let i = ref sz in try while!i 1 do i :=!i - 1; let lx = x[!i] in let ly = y[!i] in if lx ly then if lx > ly then raise (Return32 1) else raise (Return32 (-1)) done; 0 with Return32 r r end 15/31
16 Memory model simple memory model, more restrictive than C type ptr 'a = abstract { mutable data: array 'a ; offset: int } predicate valid (p:ptr 'a) (sz:int) = 0 sz 0 p.offset p.offset + sz plength p p.data p.offset }{{} valid(p,5) val malloc (sz:uint32) : ptr 'a (* malloc(sz * sizeof('a)) *)... val free (p:ptr 'a) : unit (* free(p) *)... no explicit address for pointers 16/31
17 Alias control aliased C pointers point to the same memory object aliased Why3 pointers same data field only way to get aliased pointers: incr type ptr 'a = abstract { mutable data: array 'a ; offset: int } val incr (p:ptr 'a) (ofs:int32): ptr 'a (* p+ofs *) alias { result.data with p.data } ensures { result.offset = p.offset + ofs }... val free (p:ptr 'a) : unit requires { p.offset = 0 } writes { p.data } ensures { p.data.length = 0 } Why3 type system: all aliases are known statically no need to prove non-aliasing hypotheses 17/31
18 Example specification: long multiplication specifications are defined in terms of value (** [wmpn_mul r x y sx sy] multiplies [(x, sx)] and [(y,sy)] and writes the result in [(r, sx+sy)]. [sx] must be greater than or equal to [sy]. Corresponds to [mpn_mul]. *) let wmpn_mul (r x y: ptr uint64) (sx sy: int32) : unit requires { 0 < sy sx } requires { valid x sx } requires { valid y sy } requires { valid r (sy + sx) } writes { r.data.elts } ensures { value r (sy + sx) = value x sx * value y sy } Why3 typing constraint: r cannot be aliased to x or y simplifies proofs : aliases are known statically we need separate functions for in-place operations 18/31
19 Extracting to idiomatic C code 19/31
20 Extraction mechanism goals: simple, straightforward extraction (trusted) performance: no added complexity, no closures or indirections inefficiencies caused by extraction must be optimizable by the compiler tradeoff: handle only a small, C-like fragment of WhyML loops references machine integers manual memory management polymorphism, abstract types higher order mathematical integers garbage collection 20/31
21 Exceptions and return/break statements return and break are emulated by exceptions in WhyML recognize the patterns, extract as native return/break reject all other exceptions let f (args) =... ; try (* tail position *)... raise (R e)... with R v v end f ( args ) {...;...; return e;... } try while... do... raise B... done with B () end while... {... break ;... } 21/31
22 Comparison: extracted C code let wmpn_cmp (x y: ptr uint64) (sz: int32): int32 = let i = ref sz in try while!i 1 do i :=!i - 1; let lx = x[!i] in let ly = y[!i] in if lx ly then if lx > ly then raise (Return32 1) else raise (Return32 (-1)) done; 0 with Return32 r r end int32_t wmpn_cmp ( uint64_t * x, uint64_t * y, int32_t sz) { int32_t i, o; uint64_t lx, ly; i = (sz ); while (i >= 1) { o = (i - 1); i = o; lx = (*( x+(i ))); ly = (*( y+(i ))); if (lx!= ly) { if ( lx > ly) return (1); else return ( -(1)); } } return (0); } 22/31
23 An example: schoolbook multiplication 23/31
24 Schoolbook multiplication simple algorithm, optimal for smaller sizes GMP switches to divide-and-conquer algorithms at 20 words mp_limb_t mpn_mul ( mp_ptr rp, mp_srcptr up, mp_size_t un, mp_srcptr vp, mp_size_t vn) { /* We first multiply by the low order limb. This result can be stored, not added, to rp. We also avoid a loop for zeroing this way. */ rp[ un] = mpn_mul_1 ( rp, up, un, vp [0]); /* Now accumulate the product of up [] and the next higher limb from vp []. */ } while (--vn >= 1) { rp += 1, vp += 1; rp[ un] = mpn_addmul_1 ( rp, up, un, vp [0]); } return rp[ un ]; 24/31
25 Why3 implementation while!i < sy do invariant { value r (!i + sx) = value x sx * value y!i } ly := get_ofs y!i; let c = addmul_limb!rp x!ly sx in set_ofs!rp sx c; i :=!i + 1;!rp := C.incr!rp 1; done;... 25/31
26 Why3 implementation while!i < sy do invariant { 0!i sy } invariant { value r (!i + sx) = value x sx * value y!i } invariant { (!rp).offset = r.offset +!i } invariant { plength!rp = plength r } invariant { pelts!rp = pelts r } variant { sy -!i } ly := get_ofs y!i; let c = addmul_limb!rp x!ly sx in value_sub_update_no_change (pelts r) ((!rp).offset + sx) r.offset (r.offset +!i) c; set_ofs!rp sx c; i :=!i + 1; value_sub_tail (pelts r) r.offset (r.offset + sx + k); value_sub_tail (pelts y) y.offset (y.offset + k); value_sub_concat (pelts r) r.offset (r.offset + k) (r.offset + k + sx); assert { value r (!i + sx) = value x sx * value y!i by... so... so... (* 20+ subgoals *) };!rp := C.incr!rp 1; done;... 25/31
27 Building block: addmul_limb (** [addmul_limb r x y sz] multiplies [(x, sz)] by [y], adds the [sz] least significant limbs to [(r, sz)] and writes the result in [(r,sz)]. Returns the most significant limb of the product plus the carry of the addition. Corresponds to [mpn_addmul_1].*) let addmul_limb (r x: ptr uint64) (y: uint64) (sz: int32): uint64 requires { valid x sz } requires { valid r sz } ensures { value r sz + (power radix sz) * result = value (old r) sz + value x sz * y } writes { r.data.elts } ensures { forall j. j < r.offset r.offset + sz j r[j] = (old r)[j] } adds y x to r does not change the contents of r outside the first sz cells called on r + i, x and y i for 0 i sy 26/31
28 Extracted code void mul ( uint64_t * r12, uint64_t * x15, uint64_t * y13, int32_t sx4, int32_t sy4 ) { uint64_t ly9, c8, res16 ; uint64_t * rp3 ; int32_t i16, o28 ; uint64_t * o29 ; ly9 = (*( y13 )); c8 = ( mul_limb (r12, x15, ly9, sx4 )); *( r12 +( sx4 )) = c8; rp3 = ( r12 +(1)); i16 = (1); while ( i16 < sy4 ) { ly9 = *( y13 +( i16 )); res16 = ( addmul_limb ( rp3, x15, ly9, sx4 )); *( rp3 +( sx4 )) = res16 ; o28 = ( i16 + 1); i16 = o28 ; o29 = ( rp3 +(1)); ( rp3 ) = o29 ; } return (*( rp3 +( sx4-1))); } not as concise as GMP, but close enough to be optimized by the compiler 27/31
29 Benchmarks, conclusions 28/31
30 Comparison with GMP we compare with GMP without assembly (option --disable-assembly) we only consider inputs of 20 words or less ( 1300 bits) above that, GMP uses different algorithms multiplication: less than 5% slower than GMP division: 10% slower than GMP except for very small inputs except for sx very close to sy GMP uses a different algorithm for sy > sx/2, to do performances are very dependent on the compiled code of the primitives ongoing: link to GMP to use the exact same primitives 29/31
31 Proof effort 6000 lines of Why3 code 1350 of programs 4650 of specifications and (mostly) assertions 4200 subgoals, around two thirds are for division large proof contexts, nonlinear arithmetic many long assertions are needed even for some easy goals Ongoing: use computational reflection to automate some proofs and delete the assertions 700 lines of assertions deleted, work in progress removes the need for some tedious proofs, but still finicky 30/31
32 Conclusions verified C library, bit-compatible with GMP GMP mpn functions implemented: schoolbook add, sub, mul, div, shifts, divide-and-conquer multiplication (wip) GMP implementation tricks preserved satisfactory performances in the handled cases new Why3 features: extraction and memory model for C alias of return value and parameter Why3 framework for proofs by reflection coming soon: divide-and-conquer algorithms for multiplication and division GMP mpz functions extract specifications as well? 31/31
33 Arithmetic primitives: the uint64 type type uint64 val function to_int (n:uint64): int meta coercion function to_int let constant max = 0xffff_ffff_ffff_ffff predicate in_bounds (n:int) = 0 n max axiom to_int_in_bounds: forall n:uint64. in_bounds n val mul (x y:uint64): uint64 (* defensive, no overflow *) requires { in_bounds (x * y) } ensures { result = x * y } val mul_mod (x y:uint64): uint64 (* with overflow *) ensures { result = mod (x * y) (max+1) } val mul_double (x y:uint64): (uint64,uint64) returns { (l,h) l + (max+1) * h = x * y } (* returns two words*) 1/1
How to get an efficient yet verified arbitrary-precision integer library
How to get an efficient yet verified arbitrary-precision integer library Raphaël Rieu-Helft TrustInSoft Inria March 13, 2018 March 13, 2018 1 / 36 Context, motivation, goals goal: efficient and formally
More informationHow to Get an Efficient yet Verified Arbitrary-Precision Integer Library
How to Get an Efficient yet Verified Arbitrary-Precision Integer Library Raphaël Rieu-Helft, Claude Marché, Guillaume Melquiond To cite this version: Raphaël Rieu-Helft, Claude Marché, Guillaume Melquiond.
More informationDeductive Program Verification with WHY3
Deductive Program Verification with WHY3 Andrei Paskevich LRI, Université Paris-Sud Toccata, Inria Saclay http://why3.lri.fr/ejcp-2017 ÉJCP 2017 1. A quick look back 2 / 121 Introduction Software is hard.
More informationWhy3 where programs meet provers
Why3 where programs meet provers Jean-Christophe Filliâtre CNRS KeY Symposium 2017 Rastatt, Germany October 5, 2017 history started in 2001, as an intermediate language in the process of verifying C and
More informationHoare Logic: Proving Programs Correct
Hoare Logic: Proving Programs Correct 17-654/17-765 Analysis of Software Artifacts Jonathan Aldrich Reading: C.A.R. Hoare, An Axiomatic Basis for Computer Programming Some presentation ideas from a lecture
More informationDeductive Program Verification with Why3
Deductive Program Verification with Why3 Jean-Christophe Filliâtre CNRS Mathematical Structures of Computation Formal Proof, Symbolic Computation and Computer Arithmetic Lyon, February 2014 definition
More informationWhy. an intermediate language for deductive program verification
Why an intermediate language for deductive program verification Jean-Christophe Filliâtre CNRS Orsay, France AFM workshop Grenoble, June 27, 2009 Jean-Christophe Filliâtre Why tutorial AFM 09 1 / 56 Motivations
More informationWhy3 A Multi-Prover Platform for Program Verification
Why3 A Multi-Prover Platform for Program Verification Jean-Christophe Filliâtre CNRS joint work with Andrei Paskevich, Claude Marché, and François Bobot ProVal team, Orsay, France IFIP WG 1.9/2.14 Verified
More informationAn Introduction to Deductive Program Verification
An Introduction to Deductive Program Verification Jean-Christophe Filliâtre CNRS Sixth Summer School on Formal Techniques May 2016 http://why3.lri.fr/ssft-16/ 1 / 145 Software is hard. Don Knuth why? wrong
More informationLecture Notes: Hoare Logic
Lecture Notes: Hoare Logic 17-654/17-754: Analysis of Software Artifacts Jonathan Aldrich (jonathan.aldrich@cs.cmu.edu) Lecture 3 1 Hoare Logic The goal of Hoare logic is to provide a formal system for
More informationReminder of the last lecture. Aliasing Issues: Call by reference, Pointer programs. Introducing Aliasing Issues. Home Work from previous lecture
Reminder of the last lecture Aliasing Issues: Call by reference, Pointer programs Claude Marché Cours MPRI 2-36-1 Preuve de Programme 18 janvier 2017 Additional features of the specification language Abstract
More informationProving Programs Correct
Floyd-Hoare Logic: A formal system for proving correctness A program operates on state - moving through code changes state Hoare logic follows state changes through triples: {P } C {Q} where P is an assertion
More informationLectures 20, 21: Axiomatic Semantics
Lectures 20, 21: Axiomatic Semantics Polyvios Pratikakis Computer Science Department, University of Crete Type Systems and Static Analysis Based on slides by George Necula Pratikakis (CSD) Axiomatic Semantics
More informationExercise 3. Syntax Extensions. Reminder of the last lecture. This Lecture s Goals
Exercise 3 Syntax Extensions (ghost variables, labels, local mutable variables) Functions and Function calls Termination Specification languages, application to arrays Claude Marché Cours MPRI 2-36-1 Preuve
More informationMain Goal. Language-independent program verification framework. Derive program properties from operational semantics
Main Goal Language-independent program verification framework Derive program properties from operational semantics Questions: Is it possible? Is it practical? Answers: Sound and complete proof system,
More informationAbstract Interpretation
Abstract Interpretation Ranjit Jhala, UC San Diego April 22, 2013 Fundamental Challenge of Program Analysis How to infer (loop) invariants? Fundamental Challenge of Program Analysis Key issue for any analysis
More informationIntroduction to Axiomatic Semantics
Introduction to Axiomatic Semantics Meeting 10, CSCI 5535, Spring 2009 Announcements Homework 3 due tonight Homework 2 is graded 13 (mean), 14 (median), out of 21 total, but Graduate class: final project
More informationGNATprove a Spark2014 verifying compiler Florian Schanda, Altran UK
1 GNATprove a Spark2014 verifying compiler Florian Schanda, Altran UK Tool architecture User view Source gnatprove Verdict 2 Tool architecture More detailed view... Source Encoding CVC4 gnat2why gnatwhy3
More informationReview: Hoare Logic Rules
Review: Hoare Logic Rules wp(x := E, P) = [E/x] P wp(s;t, Q) = wp(s, wp(t, Q)) wp(if B then S else T, Q) = B wp(s,q) && B wp(t,q) Proving loops correct First consider partial correctness The loop may not
More informationDeductive Verification in Frama-C and SPARK2014: Past, Present and Future
Deductive Verification in Frama-C and SPARK2014: Past, Present and Future Claude Marché (Inria & Université Paris-Saclay) OSIS, Frama-C & SPARK day, May 30th, 2017 1 / 31 Outline Why this joint Frama-C
More informationAn Annotated Language
Hoare Logic An Annotated Language State and Semantics Expressions are interpreted as functions from states to the corresponding domain of interpretation Operators have the obvious interpretation Free of
More informationHoare Logic. COMP2600 Formal Methods for Software Engineering. Rajeev Goré
Hoare Logic COMP2600 Formal Methods for Software Engineering Rajeev Goré Australian National University Semester 2, 2016 (Slides courtesy of Ranald Clouston) COMP 2600 Hoare Logic 1 Australian Capital
More informationFormal Methods. CITS5501 Software Testing and Quality Assurance
Formal Methods CITS5501 Software Testing and Quality Assurance Pressman, R. Software Engineering: A Practitioner s Approach. Chapter 28. McGraw-Hill, 2005 The Science of Programming, David Gries, 1981
More informationCOMP 507: Computer-Aided Program Design
Fall 2014 April 7, 2015 Goal: Correctness proofs Prove that an algorithm written in an imperative language is correct Induction for algorithmic correctness Induction for functional programs: The program
More informationFrom Hoare Logic to Matching Logic Reachability. Grigore Rosu and Andrei Stefanescu University of Illinois, USA
From Hoare Logic to Matching Logic Reachability Grigore Rosu and Andrei Stefanescu University of Illinois, USA Matching Logic Reachability - Goal - Language independent program verification framework Derives
More informationPointers. Chapter 8. Decision Procedures. An Algorithmic Point of View. Revision 1.0
Pointers Chapter 8 Decision Procedures An Algorithmic Point of View D.Kroening O.Strichman Revision 1.0 Outline 1 Introduction Pointers and Their Applications Dynamic Memory Allocation Analysis of Programs
More informationSoftwaretechnik. Program verification. Albert-Ludwigs-Universität Freiburg. June 28, Softwaretechnik June 28, / 24
Softwaretechnik Program verification Albert-Ludwigs-Universität Freiburg June 28, 2012 Softwaretechnik June 28, 2012 1 / 24 Road Map Program verification Automatic program verification Programs with loops
More informationProgram Static Analysis. Overview
Program Static Analysis Overview Program static analysis Abstract interpretation Data flow analysis Intra-procedural Inter-procedural 2 1 What is static analysis? The analysis to understand computer software
More informationG Programming Languages - Fall 2012
G22.2110-003 Programming Languages - Fall 2012 Lecture 4 Thomas Wies New York University Review Last week Control Structures Selection Loops Adding Invariants Outline Subprograms Calling Sequences Parameter
More informationChapter 1. Introduction
1 Chapter 1 Introduction An exciting development of the 21st century is that the 20th-century vision of mechanized program verification is finally becoming practical, thanks to 30 years of advances in
More informationFormal Verification of MIX Programs
Formal Verification of MIX Programs Jean-Christophe Filliâtre CNRS LRI, Univ Paris-Sud, Orsay F-91405 INRIA Futurs, ProVal, Orsay F-91893 Abstract We introduce a methodology to formally verify MIX programs.
More informationFormal Verification of Floating-Point programs
Formal Verification of Floating-Point programs Sylvie Boldo and Jean-Christophe Filliâtre Montpellier June, 26th 2007 INRIA Futurs CNRS, LRI Motivations Goal: reliability in numerical software Motivations
More informationDeductive Program Verification with Why3, Past and Future
Deductive Program Verification with Why3, Past and Future Claude Marché ProofInUse Kick-Off Day February 2nd, 2015 A bit of history 1999: Jean-Christophe Filliâtre s PhD Thesis Proof of imperative programs,
More informationCombining Coq and Gappa for Certifying FP Programs
Introduction Example Gappa Tactic Conclusion Combining Coq and Gappa for Certifying Floating-Point Programs Sylvie Boldo Jean-Christophe Filliâtre Guillaume Melquiond Proval, Laboratoire de Recherche en
More informationWhy3 Where Programs Meet Provers
Why3 Where Programs Meet Provers Jean-Christophe Filliâtre, Andrei Paskevich To cite this version: Jean-Christophe Filliâtre, Andrei Paskevich. Why3 Where Programs Meet Provers. ESOP 13 22nd European Symposium
More informationSoftwaretechnik. Program verification. Software Engineering Albert-Ludwigs-University Freiburg. June 30, 2011
Softwaretechnik Program verification Software Engineering Albert-Ludwigs-University Freiburg June 30, 2011 (Software Engineering) Softwaretechnik June 30, 2011 1 / 28 Road Map Program verification Automatic
More informationOverview. Verification with Functions and Pointers. IMP with assertions and assumptions. Proof rules for Assert and Assume. IMP+: IMP with functions
Overview Verification with Functions and Pointers Işıl Dillig The IMP language considered so far does not have many features of realistics PLs Our goal today: Enrich IMP with two features, namely functions
More informationNumerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures Proval, Laboratoire de Recherche en Informatique INRIA Saclay IdF, Université Paris Sud, CNRS October 28, 2009 Program verification Formal arithmetic
More informationFormal Systems II: Applications
Formal Systems II: Applications Functional Verification of Java Programs: Java Dynamic Logic Bernhard Beckert Mattias Ulbrich SS 2017 KIT INSTITUT FÜR THEORETISCHE INFORMATIK KIT University of the State
More informationIntroduction to Axiomatic Semantics (1/2)
#1 Introduction to Axiomatic Semantics (1/2) How s The Homework Going? Remember: just do the counterexample guided abstraction refinement part of DPLL(T). If you notice any other errors, those are good
More informationMulti-Precision Arithmetic for Cryptography in C++
Multi-Precision Arithmetic for Cryptography in C++ at Run-Time and at Compile-Time Niek J. Bouman, PhD niekbouman@gmail.com 1 Secure Multiparty Computation (MPC) in Gartner s Hype Cycle (2017) 2 Secure
More informationRepresentation Independence, Confinement and Access Control
Representation Independence, Confinement and Access Control Anindya Banerjee and David Naumann ab@cis.ksu.edu and naumann@cs.stevens-tech.edu Kansas State University and Stevens Institute of Technology
More informationProgram Verification. Aarti Gupta
Program Verification Aarti Gupta 1 Agenda Famous bugs Common bugs Testing (from lecture 6) Reasoning about programs Techniques for program verification 2 Famous Bugs The first bug: A moth in a relay (1945)
More informationWP Plug-in (Draft) Manual
WP (Draft Manual) WP Plug-in (Draft) Manual Frama-C Carbon 20101202 beta-2 Loïc Correnson, Zaynah Dargaye, Anne Pacalet CEA LIST, Software Reliability Laboratory c 2010 CEA LIST This work has been supported
More informationIntroduction to Axiomatic Semantics (1/2)
#1 Introduction to Axiomatic Semantics (1/2) How s The Homework Going? Remember that you can t just define a meaning function in terms of itself you must use some fixed point machinery. #2 #3 Observations
More informationLecture 5 - Axiomatic semantics
Program Verification March 2014 Lecture 5 - Axiomatic semantics Lecturer: Noam Rinetzky Scribes by: Nir Hemed 1.1 Axiomatic semantics The development of the theory is contributed to Robert Floyd, C.A.R
More informationChapter 13: Reference. Why reference Typing Evaluation Store Typings Safety Notes
Chapter 13: Reference Why reference Typing Evaluation Store Typings Safety Notes References Computational Effects Also known as side effects. A function or expression is said to have a side effect if,
More informationRepresentation Independence, Confinement and Access Control
Representation Independence, Confinement and Access Control Anindya Banerjee and David Naumann ab@cis.ksu.edu and naumann@cs.stevens-tech.edu Kansas State University and Stevens Institute of Technology,
More informationAn Operational and Axiomatic Semantics for Non-determinism and Sequence Points in C
An Operational and Axiomatic Semantics for Non-determinism and Sequence Points in C Robbert Krebbers Radboud University Nijmegen January 22, 2014 @ POPL, San Diego, USA 1 / 16 What is this program supposed
More informationProgramming Languages Third Edition
Programming Languages Third Edition Chapter 12 Formal Semantics Objectives Become familiar with a sample small language for the purpose of semantic specification Understand operational semantics Understand
More informationFormal Verification of a Floating-Point Elementary Function
Introduction Coq & Flocq Coq.Interval Gappa Conclusion Formal Verification of a Floating-Point Elementary Function Inria Saclay Île-de-France & LRI, Université Paris Sud, CNRS 2015-06-25 Introduction Coq
More informationSimple proofs of simple programs in Why3
Simple proofs of simple programs in Why3 Jean-Jacques Lévy State Key Laboratory for Computer Science, Institute of Software, Chinese Academy of Sciences & Inria Abstract We want simple proofs for proving
More informationFrama-C WP Tutorial. Virgile Prevosto, Nikolay Kosmatov and Julien Signoles. June 11 th, 2013
Frama-C WP Tutorial Virgile Prevosto, Nikolay Kosmatov and Julien Signoles June 11 th, 2013 Motivation Main objective: Rigorous, mathematical proof of semantic properties of a program functional properties
More informationAliasing restrictions of C11 formalized in Coq
Aliasing restrictions of C11 formalized in Coq Robbert Krebbers Radboud University Nijmegen December 11, 2013 @ CPP, Melbourne, Australia Aliasing Aliasing: multiple pointers referring to the same object
More informationHoare logic. A proof system for separation logic. Introduction. Separation logic
Introduction Hoare logic Lecture 6: Examples in separation logic In the previous lecture, we saw how reasoning about pointers in Hoare logic was problematic, which motivated introducing separation logic.
More informationSpecifying and Verifying Programs (Part 2)
Specifying and Verifying Programs (Part 2) Wolfgang Schreiner Wolfgang.Schreiner@risc.jku.at Research Institute for Symbolic Computation (RISC) Johannes Kepler University, Linz, Austria http://www.risc.jku.at
More informationHardware versus software
Logic 1 Hardware versus software 2 In hardware such as chip design or architecture, designs are usually proven to be correct using proof tools In software, a program is very rarely proved correct Why?
More informationVerified Characteristic Formulae for CakeML. Armaël Guéneau, Magnus O. Myreen, Ramana Kumar, Michael Norrish April 27, 2017
Verified Characteristic Formulae for CakeML Armaël Guéneau, Magnus O. Myreen, Ramana Kumar, Michael Norrish April 27, 2017 Goal: write programs in a high-level (ML-style) language, prove them correct interactively,
More informationThe Rule of Constancy(Derived Frame Rule)
The Rule of Constancy(Derived Frame Rule) The following derived rule is used on the next slide The rule of constancy {P } C {Q} {P R} C {Q R} where no variable assigned to in C occurs in R Outline of derivation
More informationVerification Condition Generation
Verification Condition Generation Jorge Sousa Pinto Departamento de Informática / Universidade do Minho jsp@di.uminho.pt www.di.uminho.pt/~jsp Outline (1) - From Hoare Logic to VCGen algorithms: an architecture
More informationHoare logic. WHILE p, a language with pointers. Introduction. Syntax of WHILE p. Lecture 5: Introduction to separation logic
Introduction Hoare logic Lecture 5: Introduction to separation logic In the previous lectures, we have considered a language, WHILE, where mutability only concerned program variables. Jean Pichon-Pharabod
More informationChecking Program Properties with ESC/Java
Checking Program Properties with ESC/Java 17-654/17-765 Analysis of Software Artifacts Jonathan Aldrich 1 ESC/Java A checker for Java programs Finds null pointers, array dereferences Checks Hoare logic
More informationA CRASH COURSE IN SEMANTICS
LAST TIME Recdef More induction NICTA Advanced Course Well founded orders Slide 1 Theorem Proving Principles, Techniques, Applications Slide 3 Well founded recursion Calculations: also/finally {P}... {Q}
More informationThe Why/Krakatoa/Caduceus Platform for Deductive Program Verication
The Why/Krakatoa/Caduceus Platform for Deductive Program Verication Jean-Christophe Filliâtre 1,3 and Claude Marché 2,3 1 CNRS, Lab. de Recherche en Informatique, UMR 8623, Orsay, F-91405 2 INRIA Futurs,
More informationHoare logic. Lecture 5: Introduction to separation logic. Jean Pichon-Pharabod University of Cambridge. CST Part II 2017/18
Hoare logic Lecture 5: Introduction to separation logic Jean Pichon-Pharabod University of Cambridge CST Part II 2017/18 Introduction In the previous lectures, we have considered a language, WHILE, where
More information4/24/18. Overview. Program Static Analysis. Has anyone done static analysis? What is static analysis? Why static analysis?
Overview Program Static Analysis Program static analysis Abstract interpretation Static analysis techniques 2 What is static analysis? The analysis to understand computer software without executing programs
More informationSemantic Analysis. CSE 307 Principles of Programming Languages Stony Brook University
Semantic Analysis CSE 307 Principles of Programming Languages Stony Brook University http://www.cs.stonybrook.edu/~cse307 1 Role of Semantic Analysis Syntax vs. Semantics: syntax concerns the form of a
More informationThe Formal Semantics of Programming Languages An Introduction. Glynn Winskel. The MIT Press Cambridge, Massachusetts London, England
The Formal Semantics of Programming Languages An Introduction Glynn Winskel The MIT Press Cambridge, Massachusetts London, England Series foreword Preface xiii xv 1 Basic set theory 1 1.1 Logical notation
More informationExample: Adding 1000 integers on Cortex-M4F. Lower bound: 2n + 1 cycles for n LDR + n ADD. Imagine not knowing this : : :
Cryptographic software engineering, part 2 1 Daniel J. Bernstein Last time: General software engineering. Using const-time instructions. Comparing time to lower bound. Example: Adding 1000 integers on
More informationSemantics. There is no single widely acceptable notation or formalism for describing semantics Operational Semantics
There is no single widely acceptable notation or formalism for describing semantics Operational Describe the meaning of a program by executing its statements on a machine, either simulated or actual. The
More informationA Case Study on Model Checking and Deductive Verification Techniques of Safety-Critical Software
A Case Study on Model Checking and Deductive Verification Techniques of Safety-Critical Software Rovedy A. B. e Silva 1,2, Jose M. Parente de Oliveira 2, and Jorge Sousa Pinto 3 1 Aeronautics and Space
More informationCMSC 330: Organization of Programming Languages
CMSC 330: Organization of Programming Languages Operational Semantics CMSC 330 Summer 2018 1 Formal Semantics of a Prog. Lang. Mathematical description of the meaning of programs written in that language
More informationFrom proposition to program
From proposition to program Embedding the refinement calculus in Coq Wouter Swierstra 1 and Joao Alpuim 2 1 Universiteit Utrecht w.s.swierstra@uu.nl 2 RiskCo joao.alpuim@riskco.nl Abstract. The refinement
More informationRecap. Juan Pablo Galeotti,Alessandra Gorla, Software Engineering Chair Computer Science Saarland University, Germany
Recap Juan Pablo Galeotti,Alessandra Gorla, Software Engineering Chair Computer Science Saarland University, Germany 30% projects (10% each) At least 50% threshold for exam admittance Groups of 2 70% final
More informationType checking. Jianguo Lu. November 27, slides adapted from Sean Treichler and Alex Aiken s. Jianguo Lu November 27, / 39
Type checking Jianguo Lu November 27, 2014 slides adapted from Sean Treichler and Alex Aiken s Jianguo Lu November 27, 2014 1 / 39 Outline 1 Language translation 2 Type checking 3 optimization Jianguo
More informationCreating Formally Verified Components for Layered Assurance with an LLVM-to-ACL2 Translator
Creating Formally Verified Components for Layered Assurance with an LLVM-to-ACL2 Translator Jennifer Davis, David Hardin, Jedidiah McClurg December 2013 Introduction Research objectives: Reduce need to
More informationBasic Verification Strategy
ormal Verification Basic Verification Strategy compare behavior to intent System Model of system behavior intent Verifier results Intent Usually, originates with requirements, refined through design and
More informationVerifying Java Programs Verifying Java Programs with KeY
Verifying Java Programs Verifying Java Programs with KeY Wolfgang Schreiner Wolfgang.Schreiner@risc.jku.at Research Institute for Symbolic Computation (RISC) Johannes Kepler University, Linz, Austria http://www.risc.jku.at
More informationTechnical presentation
TOWARDS A COGNITIVE COMPUTING PLATFORM SUPPORTING A UNIFIED APPROACH TOWARDS PRIVACY, SECURITY AND SAFETY (PSS) OF IOT SYSTEMS The VESSEDIA Project Technical presentation Armand PUCCETTI, CEA Rome, 11th
More informationHybrid Verification in SPARK 2014: Combining Formal Methods with Testing
IEEE Software Technology Conference 2015 Hybrid Verification in SPARK 2014: Combining Formal Methods with Testing Steve Baird Senior Software Engineer Copyright 2014 AdaCore Slide: 1 procedure Array_Indexing_Bug
More informationCMSC 330: Organization of Programming Languages. Formal Semantics of a Prog. Lang. Specifying Syntax, Semantics
Recall Architecture of Compilers, Interpreters CMSC 330: Organization of Programming Languages Source Scanner Parser Static Analyzer Operational Semantics Intermediate Representation Front End Back End
More information6. Hoare Logic and Weakest Preconditions
6. Hoare Logic and Weakest Preconditions Program Verification ETH Zurich, Spring Semester 07 Alexander J. Summers 30 Program Correctness There are many notions of correctness properties for a given program
More informationFormal Semantics of Programming Languages
Formal Semantics of Programming Languages Mooly Sagiv Reference: Semantics with Applications Chapter 2 H. Nielson and F. Nielson http://www.daimi.au.dk/~bra8130/wiley_book/wiley.html Benefits of formal
More informationPractical introduction to Frama-C (without Mathematical notations ;-) )
Practical introduction to Frama-C (without Mathematical notations ;-) ) David MENTRÉ Using content of Jochen Burghardt (Fraunhofer First), Virgile Prevosto (CEA), Julien Signoles
More informationG Programming Languages Spring 2010 Lecture 4. Robert Grimm, New York University
G22.2110-001 Programming Languages Spring 2010 Lecture 4 Robert Grimm, New York University 1 Review Last week Control Structures Selection Loops 2 Outline Subprograms Calling Sequences Parameter Passing
More informationMotivation was to facilitate development of systems software, especially OS development.
A History Lesson C Basics 1 Development of language by Dennis Ritchie at Bell Labs culminated in the C language in 1972. Motivation was to facilitate development of systems software, especially OS development.
More informationTranslation Validation for a Verified OS Kernel
To appear in PLDI 13 Translation Validation for a Verified OS Kernel Thomas Sewell 1, Magnus Myreen 2, Gerwin Klein 1 1 NICTA, Australia 2 University of Cambridge, UK L4.verified sel4 = a formally verified
More informationVerification Conditions. Juan Pablo Galeotti, Alessandra Gorla, Andreas Rau Saarland University, Germany
Verification Conditions Juan Pablo Galeotti, Alessandra Gorla, Andreas Rau Saarland University, Germany 30% projects (10% each) At least 50% threshold for exam admittance Groups of 2 70% final exam (see
More informationA Context-Sensitive Memory Model for Verification of C/C++ Programs
A Context-Sensitive Memory Model for Verification of C/C++ Programs Arie Gurfinkel and Jorge A. Navas University of Waterloo and SRI International SAS 17, August 30th, 2017 Gurfinkel and Navas (UWaterloo/SRI)
More informationCSE 307: Principles of Programming Languages
CSE 307: Principles of Programming Languages Advanced Topics R. Sekar Topics 1 / 14 1. 2 / 14 Section 1 3 / 14 Semantics of Programs Syntax defines what programs are valid. Semantics defines what the valid
More informationChapter 3. Describing Syntax and Semantics ISBN
Chapter 3 Describing Syntax and Semantics ISBN 0-321-49362-1 Chapter 3 Topics Describing the Meanings of Programs: Dynamic Semantics Copyright 2015 Pearson. All rights reserved. 2 Semantics There is no
More informationSimulink 모델과 C/C++ 코드에대한매스웍스의정형검증툴소개 The MathWorks, Inc. 1
Simulink 모델과 C/C++ 코드에대한매스웍스의정형검증툴소개 2012 The MathWorks, Inc. 1 Agenda Formal Verification Key concept Applications Verification of designs against (functional) requirements Design error detection Test
More informationModules and Representation Invariants
Modules and Representation Invariants COS 326 Andrew W. Appel Princeton University slides copyright 2013-2015 David Walker and Andrew W. Appel In previous classes: Reasoning about individual OCaml expressions.
More informationA Modular Way to Reason About Iteration
A Modular Way to Reason About Iteration Jean-Christophe Filliâtre Mário Pereira LRI, Univ. Paris-Sud, CNRS, Inria Saclay INRIA Paris - Séminaire Gallium Mars 7, 2016 iteration iteration: hello old friend!
More informationHoare Logic and Model Checking
Hoare Logic and Model Checking Kasper Svendsen University of Cambridge CST Part II 2016/17 Acknowledgement: slides heavily based on previous versions by Mike Gordon and Alan Mycroft Introduction In the
More informationProgram Verification. Program Verification 307/434
Program Verification Program Verification 307/434 Outline Introduction: What and Why? Pre- and Postconditions Conditionals while-loops and Total Correctness Arrays Program Verification Introduction 308/434
More informationProof Carrying Code(PCC)
Discussion p./6 Proof Carrying Code(PCC Languaged based security policy instead of OS-based A mechanism to determine with certainity that it is safe execute a program or not Generic architecture for providing
More informationStatic Program Analysis Part 1 the TIP language
Static Program Analysis Part 1 the TIP language http://cs.au.dk/~amoeller/spa/ Anders Møller & Michael I. Schwartzbach Computer Science, Aarhus University Questions about programs Does the program terminate
More informationLecture 10 Design by Contract
CS 5959 Writing Solid Code Fall 2015 Nov-23 Lecture 10 Design by Contract Zvonimir Rakamarić University of Utah Design by Contract Also called assume-guarantee reasoning Developers annotate software components
More informationA Partial Correctness Proof for Programs with Decided Specifications
Applied Mathematics & Information Sciences 1(2)(2007), 195-202 An International Journal c 2007 Dixie W Publishing Corporation, U. S. A. A Partial Correctness Proof for Programs with Decided Specifications
More information