Formal semantics and other research around Spark2014

Size: px

Start display at page:

Download "Formal semantics and other research around Spark2014"

Quentin Walton
6 years ago
Views:

1 Formal semantics and other research around Spark2014 Virginia Aponte, Pierre Courtieu, Tristan Crolard (CPR Team - Cnam) Zhi Zhang (SAnToS, KSU) November 2014 Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

2 In this talk 1 Ada and SPARK 2 Motivations & Current State 3 Run-Time Checks 4 Nested and recursive procedures 5 A prototype SPARK frontend for CompCert Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

3 Ada is not Pascal type MY_INT is new INTEGER range 0..9; procedure F(U: in out MY_INT) is TMP : MY_INT := 0; RES : MY_INT := U; while RES > TMP loop RES := RES - 1; TMP := TMP; end loop; U := RES; G(U,U); - warning: overlap end F; Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

4 Ada is not Pascal type MY_INT is new INTEGER range 0..9; procedure F(U: in out MY_INT) is TMP : MY_INT := 0; RES : MY_INT := U; while RES > TMP loop RES := RES - 1; TMP := TMP; end loop; U := RES; G(U,U); - warning: overlap end F; strong typing Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

5 Ada is not Pascal type MY_INT is new INTEGER range 0..9; procedure F(U: in out MY_INT) is TMP : MY_INT := 0; RES : MY_INT := U; while RES > TMP loop RES := RES - 1; TMP := TMP; end loop; U := RES; G(U,U); - warning: overlap end F; strong typing precise typing Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

6 Ada is not Pascal type MY_INT is new INTEGER range 0..9; procedure F(U: in out MY_INT) is TMP : MY_INT := 0; RES : MY_INT := U; while RES > TMP loop RES := RES - 1; TMP := TMP; end loop; U := RES; G(U,U); - warning: overlap end F; strong typing precise typing controlled effects Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

7 Ada is not Pascal type MY_INT is new INTEGER range 0..9; procedure F(U: in out MY_INT) is TMP : MY_INT := 0; RES : MY_INT := U; while RES > TMP loop RES := RES - 1; TMP := TMP; end loop; U := RES; G(U,U); - warning: overlap end F; OK statically Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

8 Ada is not Pascal type MY_INT is new INTEGER range 0..9; procedure F(U: in out MY_INT) is TMP : MY_INT := 0; RES : MY_INT := U; while RES > TMP loop RES := RES - 1; TMP := TMP; end loop; U := RES; G(U,U); - warning: overlap end F; OK statically OK statically Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

9 Ada is not Pascal type MY_INT is new INTEGER range 0..9; procedure F(U: in out MY_INT) is TMP : MY_INT := 0; RES : MY_INT := U; while RES > TMP loop RES := RES - 1; TMP := TMP; end loop; U := RES; G(U,U); - warning: overlap end F; OK statically OK statically dynamic! Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

10 Ada is not Pascal type MY_INT is new INTEGER range 0..9; procedure F(U: in out MY_INT) is TMP : MY_INT := 0; RES : MY_INT := U; while RES > TMP loop RES := RES - 1; TMP := TMP; end loop; U := RES; G(U,U); - warning: overlap end F; OK statically OK statically dynamic! runtime checks (RC) Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

11 Runtime checks Tests at runtime, exception raised when failing implicit tests: range, overflows, division by zero, array bounds,... explicit annotations always executable (gnat -gnata) used for testing mostly procedure F(U: in out MY_INT) with Pre => U >=0, Post => U<= U Old ; Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

12 Annotations In the specification (à la Hoare) In the code (à la Hoare) On types For flow analysis (SPARK only) etc procedure F(U: in out MY_INT) with Pre => U >=0, Post => U<= U Old ; Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

13 Annotations In the specification (à la Hoare) In the code (à la Hoare) On types For flow analysis (SPARK only) etc while RES > TMP loop Pragma Loop_Invariant ((RES <= U Loop_Entry) and (for all I in 0..t range => t[i]>0)) ;... end loop; Pragma Assert (RES <= TMP); Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

14 Annotations In the specification (à la Hoare) In the code (à la Hoare) On types For flow analysis (SPARK only) etc type Stack is private with Type_Invariant => Is_Unduplicated(Stack); Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

15 Annotations In the specification (à la Hoare) In the code (à la Hoare) On types For flow analysis (SPARK only) etc procedure F(U: out MY_INT2) with Global => (Input => (X,Y)), Depends => (U => (X,Y)); Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

16 SPARK is not Ada Developed by ALTRAN and now AdaCore too Dedicated to static analysis No dedicated compiler, strict subset of Ada Access types Effects in expressions Aliasing: warning not allowed (since no pointer) Exception handler... runtime checks static analysis Verification conditions à la Hoare (VCs) Ensures: No check would fail at runtime neither implicit (type/array bounds, initialization, div by zero, etc) nor explicit (assertion, loop invariant etc) Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

17 Plan 1 Ada and SPARK 2 Motivations & Current State 3 Run-Time Checks 4 Nested and recursive procedures 5 A prototype SPARK frontend for CompCert Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

18 Motivations Qualification of SPARK (DO-178C) AST validator w.r.t. run-time checks (RC) Link with other formalized tools (KSU) CompCert, certified compilation (Lockheed Martin) Semantics for Ada? ((very) long term) Proving invariant patterns Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

19 Previous works Ian O Neil. The formal semantics of SPARK83. Technical report. (format: Z) Eduardo Brito. PhD. A Formal Approach for a Subset of the SPARK Programming Language (format: Natural Semantics style) Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

20 Work in progress Team work, 2 internships of Zhi Zhang Big step semantics on untyped terms (ASTs) Typing = Property on (untyped-)terms Judgments: e, σ v or e, σ p, σ σ or p, σ = runtime error Abnormal (1+TRUE, uninitialized variable, etc) = execution blocked Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

21 Return states and error propagation Inductive Return (A : Type) : Type := Normal : A Return A (* σ, v *) Run_Time_Error : error_type Return A (* (+ msg) *) Seq 1 c 1, σ c 1 ; c 2, σ c 1, σ σ c 2, σ Seq 2 c 1 ; c 2, σ c 1, σ σ c 2, σ σ Seq 3 c 1 ; c 2, σ σ Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

22 Return states and error propagation Inductive eval_stmt: symboltable stack statement Return stack Prop :=... Eval_S_Sequence_RTE: st s c1 msg c2, eval_stmt st s c1 (Run_Time_Error msg) eval_stmt st s (S_Sequence c1 c2) (Run_Time_Error msg) Eval_S_Sequence: st s c1 s1 c2 s2, eval_stmt st s c1 (Normal s1) eval_stmt st s1 c2 s2 eval_stmt st s (S_Sequence c1 c2) s2 Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

23 Error Propagation Eval_S_If_RTE: st s b msg c1 c2, eval_expr st s b (Run_Time_Error msg) eval_stmt st s (S_If b c1 c2) (Run_Time_Error msg) Eval_S_If_True: st s b c1 s1 c2, eval_expr st s b (Normal (BasicV (Bool true))) eval_stmt st s c1 s1 eval_stmt st s (S_If b c1 c2) s1... Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

24 Work in progress Subset of SPARK covered: Integers + subtypes + derived types Arrays and records (nested: current work by Z. Zhang) Procedures (recursive & nested), in, out, in out, No function Run-Time checks: a few, no annotation yet Prototype of a compiler to Cminor of CompCert (demo!) ia32, ppc, Arm No procedure contract yet Proved parts: Type checking/initialization (on a smaller subset) Run-Time checks (Z. Zhang) No compilation proof (starting now) Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

25 Plan 1 Ada and SPARK 2 Motivations & Current State 3 Run-Time Checks 4 Nested and recursive procedures 5 A prototype SPARK frontend for CompCert Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

26 GNAT/SPARK 2014 program + Pre Post Assert Loop_Invariant... Ada GNAT front-end AST (RC) GNAT back-end (gcc) gnatprove Why exec x86, ARM,... VCs alt-ergo, Z3,... Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

27 Correctness GNAT-gnatprove prog GNAT front-end AST + RC GNAT back-end exec Usual commutation diagram? gnatprove VCs p :AST+RC, gnatprove(p) s, GNAT(p), s Not sufficient Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

28 Correctness GNAT-gnatprove prog GNAT front-end AST + RC If RC incomplete? GNAT back-end exec? gnatprove VCs Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

29 Correctness GNAT-gnatprove prog GNAT front-end AST + RC GNAT back-end exec? gnatprove VCs If RC incomplete? Neither detected at runtime nor during anlysis erroneous program ou bounded errors Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

30 Correctness GNAT-gnatprove prog GNAT front-end AST + RC GNAT back-end exec? gnatprove VCs If RC incomplete? Neither detected at runtime nor during anlysis erroneous program ou bounded errors Correctness of the (result of the) front-end Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

31 Validating Run-time Checks (Z. Zhang) Two semantics: Semantics S 1 with on the fly checks Checks everything (no RCin AST) Reference, validated by experts Semantics S 2 with on demand checks Checks only RC Real + check_rc: AST+RC -> boolean + proof: t s.t. check_rc t = true, S 1 and S 2 coincide on t. S 2 may be optimized Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

32 With implicit on the fly run-time checks binop RTE1 e 1, σ e 1 e 2, σ e 1, σ v 1 e 2, σ binop RTE2 e 1 e 2, σ binop 2 e 1, σ v 1 e 2, σ v 2 RC(v 1, v 2, ) e 1 e 2, σ binop 1 e 1, σ v 1 e 2, σ v 2 RC(v 1, v 2, ) e 1 e 2, σ v 1 v 2 RC: predicate validated by ADA experts (division by zero, etc) Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

33 With explicit checks binop RTE1 e 1, σ e 1 C e 2, σ e 1, σ v 1 e 2, σ binop RTE2 e 1 C e 2, σ binop 1 e 1, σ v 1 e 2, σ v 2 C(v 1, v 2 ) e 1 C e 2, σ v 1 v 2 binop 2 e 1, σ v 1 e 2, σ v 2 C(v 1, v 2 ) e 1 C e 2, σ C: tags in the AST, generated by GNAT (front-end) C RC \ {optimization} Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

34 On the fly vs On demand Inductive eval_stmt: symboltable stack statement Return stack Prop :=... Inductive eval_stmt_x: symboltable stack statement_x Return stack Prop :=... Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

35 On the fly vs On demand: binary operations Eval_E_Binary_Operation_RTE_Bin: st s e1 v1 e2 v2 msg op, eval_expr st s e1 (Normal v1) eval_expr st s e2 (Normal v2) do_run_time_check_on_binop op v1 v2 (Exception msg) eval_expr st s (E_Binary_Operation op e1 e2) (Run_Time_Error msg) Eval_E_Binary_Operation_RTE_Bin_X: st s e1 v1 e2 v2 checkflags op msg, eval_expr_x st s e1 (Normal v1) eval_expr_x st s e2 (Normal v2) do_flagged_checks_on_binop checkflags op v1 v2 (Exception msg) eval_expr_x st s (E_Binary_Operation_X op e1 e2 checkflags) (Run_Time_Error msg) Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

36 On the fly vs On demand: binary operations Eval_E_Binary_Operation: st s e1 v1 e2 v2 op v, eval_expr st s e1 (Normal v1) eval_expr st s e2 (Normal v2) do_run_time_check_on_binop op v1 v2 Success Val.binary_operation op v1 v2 = Some v eval_expr st s (E_Binary_Operation op e1 e2) (Normal v) Eval_E_Binary_Operation_X: st s e1 v1 e2 v2 checkflags op v, eval_expr_x st s e1 (Normal v1) eval_expr_x st s e2 (Normal v2) do_flagged_checks_on_binop checkflags op v1 v2 Success Val.binary_operation op v1 v2 = Some v eval_expr_x st s (E_Binary_Operation_X op e1 e2 checkfla (Normal v) Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

37 On the fly vs On demand: Range check for assignment Eval_S_Assignment_Range_RTE: st s e v x t l u, eval_expr st s e (Normal (BasicV (Int v))) extract_subtype_range st x (Range l u) do_range_check v l u (Exception RTE_Range) eval_stmt st s (S_Assignment x e) (Run_Time_Error RTE_Range) Eval_S_Assignment_RTE_X: e st s msg x, (List.In Do_Range_Check (exp_check_flags e)) eval_expr_x st s e... Eval_S_Assignment_Range_RTE_X: e flgs st s v x t l u, exp_check_flags e = Do_Range_Check flgs eval_expr_x st s (update_exp_check_flags e flgs) (Normal (BasicV (Int v))) extract_subtype_range_x st x (Range_X l u)... Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

38 On the fly vs On demand: Range check for assignment Eval_S_Assignment_Range: st s e v x t l u s1, eval_expr st s e (Normal (BasicV (Int v))) fetch_exp_type x st = Some t extract_subtype_range st t (Range l u) do_range_check v l u Success storeupdate st s x (BasicV (Int v)) s1 eval_stmt st s (S_Assignment x e) s1 Eval_S_Assignment_Range_X: e cks1 cks2 st s v x t l u s1, exp_check_flags e = Do_Range_Check flgs eval_expr_x st s (update_exp_check_flags e flgs) (Normal (BasicV (Int v))) extract_subtype_range_x st x (Range_X l u) do_range_check v l u Success storeupdate_x st s x (BasicV (Int v)) s1 eval_stmt_x st s (S_Assignment_X x e) s1 Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

39 Properties of the ast validator Definition check_generator: statement statement_x. Lemma statement_checks_soundness: st s stmt s st, eval_stmt st s stmt s check_generator stmt = stmt eval_stmt_x st s stmt s. Definition check_rc stmt_x = check_generator(noflags stmt_x) = stmt_x. Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

40 Run-Time Checks covered Very few, proof of concept Division by zero (integers) Overflows (integers,arrays) Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

41 Table des matieres 1 Ada and SPARK 2 Motivations & Current State 3 Run-Time Checks 4 Nested and recursive procedures 5 A prototype SPARK frontend for CompCert Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

42 Nested recursive procedures: P-machine procedure G (X: in Integer) is X2: Integer := 1; procedure L (Y: in Integer) is X2 := X2 * Y; if Y < X then L(Y+1); end if; Dynamic context L(X2); Put(X2); G(3); Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

43 Nested recursive procedures: P-machine procedure G (X: in Integer) is X2: Integer := 1; procedure L (Y: in Integer) is X2 := X2 * Y; if Y < X then L(Y+1); end if; Dynamic context L(X2); Put(X2); G(3); X2 X 1 3 Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

44 Nested recursive procedures: P-machine procedure G (X: in Integer) is X2: Integer := 1; procedure L (Y: in Integer) is X2 := X2 * Y; if Y < X then L(Y+1); end if; Dynamic context L(X2); Put(X2); G(3); Y X2 X Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

45 Nested recursive procedures: P-machine procedure G (X: in Integer) is X2: Integer := 1; procedure L (Y: in Integer) is X2 := X2 * Y; if Y < X then L(Y+1); end if; Dynamic context L(X2); Put(X2); G(3); Y X2 X Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

46 Nested recursive procedures: P-machine procedure G (X: in Integer) is X2: Integer := 1; procedure L (Y: in Integer) is X2 := X2 * Y; if Y < X then L(Y+1); end if; Dynamic context L(X2); Put(X2); G(3); Y X2 X Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

47 Nested recursive procedures: P-machine procedure G (X: in Integer) is X2: Integer := 1; procedure L (Y: in Integer) is X2 := X2 * Y; if Y < X then L(Y+1); end if; Dynamic context L(X2); Put(X2); G(3); Y Y X2 X Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

48 Nested recursive procedures: P-machine procedure G (X: in Integer) is X2: Integer := 1; procedure L (Y: in Integer) is X2 := X2 * Y; if Y < X then L(Y+1); end if; Dynamic context L(X2); Put(X2); G(3); Y Y X2 X Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

49 Nested recursive procedures: P-machine procedure G (X: in Integer) is X2: Integer := 1; procedure L (Y: in Integer) is X2 := X2 * Y; if Y < X then L(Y+1); end if; Dynamic context L(X2); Put(X2); G(3); Y Y X2 X Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

50 Nested recursive procedures: P-machine procedure G (X: in Integer) is X2: Integer := 1; procedure L (Y: in Integer) is X2 := X2 * Y; if Y < X then L(Y+1); end if; L(X2); Put(X2); G(3); Dynamic context Y 3 Y 2 Y 1 X2 2 X 3 Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

51 Nested recursive procedures: P-machine procedure G (X: in Integer) is X2: Integer := 1; procedure L (Y: in Integer) is X2 := X2 * Y; if Y < X then L(Y+1); end if; L(X2); Put(X2); G(3); Dynamic context Y 3 Y 2 Y 1 X2 6 X 3 Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

52 Nested recursive procedures: P-machine procedure G (X: in Integer) is X2: Integer := 1; procedure L (Y: in Integer) is X2 := X2 * Y; if Y < X then L(Y+1); end if; Dynamic context L(X2); Put(X2); G(3); X2 X 6 3 Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

53 Nested recursive procedures procedure G(X:INTEGER) is VG: INTEGER; procedure L(Y:INTEGER) is VL: INTEGER..L(e).. end L;... end G; Static context VL Y VG X Dynamic context VL Y VG X Dynamic environment static one But Dynamic environment static visible one How to present a reference semantics? Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

54 Nested recursive procedures: Reference procedure G (X: in Integer) is X2: Integer := 1; procedure L (Y: in Integer) is X2 := X2 * Y; if Y < X then L(Y+1); end if; Dynamic context L(X2); Put(X2); G(3); Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

55 Nested recursive procedures: Reference procedure G (X: in Integer) is X2: Integer := 1; procedure L (Y: in Integer) is X2 := X2 * Y; if Y < X then L(Y+1); end if; Dynamic context L(X2); Put(X2); G(3); X2 X 1 3 Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

56 Nested recursive procedures: Reference procedure G (X: in Integer) is X2: Integer := 1; procedure L (Y: in Integer) is X2 := X2 * Y; if Y < X then L(Y+1); end if; Dynamic context L(X2); Put(X2); G(3); Y X2 X Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

57 Nested recursive procedures: Reference procedure G (X: in Integer) is X2: Integer := 1; procedure L (Y: in Integer) is X2 := X2 * Y; if Y < X then L(Y+1); end if; Dynamic context L(X2); Put(X2); G(3); Y X2 X Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

58 Nested recursive procedures: Reference procedure G (X: in Integer) is X2: Integer := 1; procedure L (Y: in Integer) is X2 := X2 * Y; if Y < X then L(Y+1); end if; Dynamic context L(X2); Put(X2); G(3); Y X2 X Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

59 Nested recursive procedures: Reference procedure G (X: in Integer) is X2: Integer := 1; procedure L (Y: in Integer) is X2 := X2 * Y; if Y < X then L(Y+1); end if; Dynamic context L(X2); Put(X2); G(3); Y X2 X Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

60 Nested recursive procedures: Reference procedure G (X: in Integer) is X2: Integer := 1; procedure L (Y: in Integer) is X2 := X2 * Y; if Y < X then L(Y+1); end if; Dynamic context L(X2); Put(X2); G(3); Y X2 X Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

61 Nested recursive procedures: Reference procedure G (X: in Integer) is X2: Integer := 1; procedure L (Y: in Integer) is X2 := X2 * Y; if Y < X then L(Y+1); end if; Dynamic context L(X2); Put(X2); G(3); Y X2 X Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

62 Nested recursive procedures: Reference procedure G (X: in Integer) is X2: Integer := 1; procedure L (Y: in Integer) is X2 := X2 * Y; if Y < X then L(Y+1); end if; Dynamic context L(X2); Put(X2); G(3); Y X2 X Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

63 Nested recursive procedures: Reference procedure G (X: in Integer) is X2: Integer := 1; procedure L (Y: in Integer) is X2 := X2 * Y; if Y < X then L(Y+1); end if; Dynamic context L(X2); Put(X2); G(3); Y X2 X Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

64 Nested recursive procedures: Reference procedure G (X: in Integer) is X2: Integer := 1; procedure L (Y: in Integer) is X2 := X2 * Y; if Y < X then L(Y+1); end if; Dynamic context L(X2); Put(X2); G(3); X2 X 6 3 Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

65 Nested recursive procedure fetch_proc p st = (proc_lvl,pb) eval_stmt st s (S_Procedure_Call p args) s4 procedure G (X: in Integer) is X2: Integer := 1; procedure L (Y: in Integer) is X2 := X2 * Y; if Y < X then L(Y+1); end if; s Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

66 Nested recursive procedure fetch_proc p st = (proc_lvl,pb) copy_in st s (parameters pb) args (Normal f) eval_stmt st s (S_Procedure_Call p args) s4 procedure G (X: in Integer) is X2: Integer := 1; procedure L (Y: in Integer) is X2 := X2 * Y; if Y < X then L(Y+1); end if; s f Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

67 Nested recursive procedure fetch_proc p st = (proc_lvl,pb) copy_in st s (parameters pb) args (Normal f) cut_until s proc_lvl pfx s1 eval_stmt st s (S_Procedure_Call p args) s4 procedure G (X: in Integer) is X2: Integer := 1; procedure L (Y: in Integer) is X2 := X2 * Y; if Y < X then L(Y+1); end if; pfx s1 f Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

68 Nested recursive procedure fetch_proc p st = (proc_lvl,pb) copy_in st s (parameters pb) args (Normal f) cut_until s proc_lvl pfx s1 eval_decl st s1 f (declarative_part pb) (Normal f1) eval_stmt st s (S_Procedure_Call p args) s4 procedure G (X: in Integer) is X2: Integer := 1; procedure L (Y: in Integer) is X2 := X2 * Y; if Y < X then L(Y+1); end if; pfx s1 f1 Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

69 Nested recursive procedure fetch_proc p st = (proc_lvl,pb) copy_in st s (parameters pb) args (Normal f) cut_until s proc_lvl pfx s1 eval_decl st s1 f (declarative_part pb) (Normal f1) eval_stmt st (f1 ++ s1) (statements pb) (Normal s2) eval_stmt st s (S_Procedure_Call p args) s4 procedure G (X: in Integer) is X2: Integer := 1; procedure L (Y: in Integer) is X2 := X2 * Y; if Y < X then L(Y+1); end if;... 2 pfx f1++s1 Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

70 Nested recursive procedure fetch_proc p st = (proc_lvl,pb) copy_in st s (parameters pb) args (Normal f) cut_until s proc_lvl pfx s1 eval_decl st s1 f (declarative_part pb) (Normal f1) eval_stmt st (f1 ++ s1) (statements pb) (Normal s2) eval_stmt st s (S_Procedure_Call p args) s4 procedure G (X: in Integer) is X2: Integer := 1; procedure L (Y: in Integer) is X2 := X2 * Y; if Y < X then L(Y+1); end if;... 2 pfx s2 Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

71 Nested recursive procedure fetch_proc p st = (proc_lvl,pb) copy_in st s (parameters pb) args (Normal f) cut_until s proc_lvl pfx s1 eval_decl st s1 f (declarative_part pb) (Normal f1) eval_stmt st (f1 ++ s1) (statements pb) (Normal s2) s2 = locls ++ parms ++ s3 eval_stmt st s (S_Procedure_Call p args) s4 procedure G (X: in Integer) is X2: Integer := 1; procedure L (Y: in Integer) is X2 := X2 * Y; if Y < X then L(Y+1); end if; pfx s3 parms Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

72 Nested recursive procedure fetch_proc p st = (proc_lvl,pb) copy_in st s (parameters pb) args (Normal f) cut_until s proc_lvl pfx s1 eval_decl st s1 f (declarative_part pb) (Normal f1) eval_stmt st (f1 ++ s1) (statements pb) (Normal s2) s2 = locls ++ parms ++ s3 copy_out st (pfx ++ s3) parms (parameters pb) args s4 eval_stmt st s (S_Procedure_Call p args) s4 procedure G (X: in Integer) is X2: Integer := 1; procedure L (Y: in Integer) is X2 := X2 * Y; if Y < X then L(Y+1); end if; copy_out 3 pfx++s3 3 parms Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

73 Nested recursive procedure fetch_proc p st = (proc_lvl,pb) copy_in st s (parameters pb) args (Normal f) cut_until s proc_lvl pfx s1 eval_decl st s1 f (declarative_part pb) (Normal f1) eval_stmt st (f1 ++ s1) (statements pb) (Normal s2) s2 = locls ++ parms ++ s3 copy_out st (pfx ++ s3) parms (parameters pb) args s4 eval_stmt st s (S_Procedure_Call p args) s4 procedure G (X: in Integer) is X2: Integer := 1; procedure L (Y: in Integer) is X2 := X2 * Y; if Y < X then L(Y+1); end if; s4 Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

74 Equivalence with P-machine (T. Crolard) P-M. p, σ 1 σ 2 p, σ 1 Ref. σ 2 Coq development Small toy language Correctness P-Machine vs Ref. Semantics Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

75 Equivalence with P-machine (T. Crolard) P-M. p, σ 1 σ 2 Ref. w. names p, σ 1 σ 2 compil+ p, σ 1 Ref. σ 2 Ref. ˆp, ˆσ 1 ˆσ 2 Coq development Small toy language Correctness P-Machine vs Ref. Semantics + compilation P-machine with var. names P-machine (offsets) Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

76 Equivalence with P-machine (T. Crolard) P-M. p, σ 1 σ 2 Ref. w. names p, σ 1 σ 2 compil+ p, σ 1 Ref. σ 2 Ref. ˆp, ˆσ 1 ˆσ 2 One functorized semantics, three stack modules 1376 LOC statements, 1777 LOC proofs Completeness under way (T.Crolard, M.V. Aponte, J.Lawall) Extend it to the whole SPARK semantics? Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

77 CompCert frontend program + Pre Post Assert Loop_Invariant... Ada GNAT front-end to be proved correct AST (RC) CompCert back-end correct GNAT back-end (gcc) gnatprove Why exec VCs x86, ARM,... alt-ergo, Z3,... Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

78 Why CompCert? Having a (partially) proved compilation chain Testing semantics for pure SPARK? How flexible is CompCert? Nested (recursive) procedures are fun ( see later), despite easier than in Ada Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

79 Target language: Cminor C#minor too loose memory model RTL to low level Cminor all what we need Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

80 Cminor Function frame Each function leaves in a separate frame Local temporary variables (parameters + some local variables) Local stack (other variables) Initially: empty stack, all arguments in temporary variables C frontend: prelude to copy some variables in the stack... Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

81 Nested procedures in Cminor L procedure G (X: in out Integer) is X2: Integer := 1; procedure L (Y: in Integer) is Y2: Integer := 1; X2 := X2 * Y; if Y < X then L(Y+1); end if; L(X2); X := X2; Y Y2 Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

82 Nested procedures in Cminor procedure G (X: in out Integer) is X2: Integer := 1; procedure L (Y: in Integer) is Y2: Integer := 1; X2 := X2 * Y; if Y < X then L(Y+1); end if; L(X2); X := X2; & Y Y2 L G & = ptr to G s stack X X2 Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

83 Nested procedures in Cminor procedure G (X: in out Integer) is X2: Integer := 1; procedure L (Y: in Integer) is Y2: Integer := 1; X2 := X2 * Y; if Y < X then L(Y+1); end if; L(X2); X := X2; & Y Y2 L G & = ptr to G s stack Needed copies on stack: prelude X X2 X2 X Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

84 Nested procedures in Cminor procedure G (X: in out Integer) is X2: Integer := 1; procedure L (Y: in Integer) is Y2: Integer := 1; X2 := X2 * Y; if Y < X then L(Y+1); end if; L(X2); X := X2; & Y Y2 L G & = ptr to G s stack Needed copies on stack: prelude out parameters: postlude &X X2 X2 X Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

85 Example "G"( X ) : int -> void { stack 8; var X2 ; int32[&0 + 0] = int32[ X ]; int32[&0 + 4] = 1; "L"(&0, int32[&0 + 4]) : int -> int -> void; int32[&0 + 0] = int32[&0 + 4]; int32[ X ] = int32[&0 + 0]; } "L"( CHAIN, Y ) : int -> int -> void { stack 12; var Y2 ; int32[&0] = CHAIN ; int32[&0 + 4] = Y ; int32[&0 + 8] = 1; int32[int32[&0] + 4] = int32[int32[&0] + 4] * int32[&0 + 4]; if (int32[&0 + 4] < int32[int32[&0] + 0]!= 0) { "L"(int32[&0], int32[&0 + 4] + 1) : int -> int -> void; } } Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

86 Demo CompCert Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

87 Future Works Annotations, contracts Prove CompCert compilation Prove loop invariants patterns [FM2012] (M-V. Aponte) Test and proof, a.k.a. mixing memory models of SPARK and Ada etc Thanks! Aponte, Courtieu, Crolard, Zhang Formal semantics for SPARK & more November / 41

Spark verification features

Spark verification features Paul Jackson School of Informatics University of Edinburgh Formal Verification Spring 2018 Adding specification information to programs Verification concerns checking whether