Verification of an ML compiler. Lecture 1: An introduction to compiler verification
|
|
- Doris Wilson
- 5 years ago
- Views:
Transcription
1 Verification of an ML compiler Lecture 1: An introduction to compiler verification Marktoberdorf Summer School MOD 2017 Magnus O. Myreen, Chalmers University of Technology
2 Introduction
3 Your program crashes. Where do you look for the fault? Do you look at your source code? Do look at the code for the compiler you used? users want to rely on compilers
4 Verified compilers What? A verified compiler is a compiler that comes with a machine-checker proof. The proof states that the compiler preserves the behaviour of source programs. Traditional compiler development relies on testing. Compiler verification is considered too costly. cost reduction?
5 All (unverified) compilers have bugs Every compiler we tested was found to crash and also to silently generate wrong code when presented with valid input. PLDI 11 Abstract Finding and Understanding Bugs in C Compilers Xuejun Yang Yang Chen Eric Eide John Regehr Compilers should be correct. To improve the quality of C compilers, we created Csmith, a randomized test-case generation tool, and spent three years using it to find compiler bugs. During this period University of Utah, School of Computing { jxyang, chenyang, eeide, regehr }@cs.utah.edu [The verified part of] CompCert is the only compiler we have tested for which Csmith cannot find wrong-code we reported more than 325 previously unknown bugs to compiler developers. Every compiler we tested was found to crash and also to silently generate wrong code when presented with valid input. In this paper we present our compiler-testing tool and the results of our bug-hunting study. Our first contribution is to advance the state of the art in compiler testing. Unlike previous tools, Csmith generates programs that cover a large subset of C while avoiding the s that would destroy its ability 1 int foo (void) { 2 signed char x = 1; 3 unsigned char y = 255; 4 return x > y; 5 } errors. This is not for lack of trying: we have devoted about six CPU-years to the task. Figure 1. We found a bug in the version of GCC that shipped with Ubuntu Linux for x86. At all optimization levels it compiles this function to return 1; the correct result is 0. The Ubuntu compiler was heavily patched; the base version of GCC did not have this bug. d Csmith, a randomized test-case generator that sup- -
6 Motivations Bugs in compilers are not tolerated by users Bugs can be hard to find by testing Verified compilers must be used for verification of source-level programs to imply guarantees at the level of verified machine code Research question: how easy (cheap) can we make compiler verification?
7 State of the art
8 CompCert CompCert C compiler Leroy et al. Source: Compiles C source code to assembly. Has good performance numbers Proved correct in Coq.
9 Values Languages Compiler transformations CakeML compiler Compiles CakeML concrete syntax to machine code. Proved correct in HOL4. Has mostly good performance numbers (later lecture) abstract values incl. closures and ref pointers abstract values incl. ref and code pointers source syntax source AST no modules no cons names no declarations exhaustive pat. matches no pat. match ClosLang: last language with closures (has multi-arg closures) BVL: functional language without closures only 1 global, handle in call DataLang: imperative language Parse concrete syntax Infer types, exit if fail Eliminate modules Replace constructor names with numbers Reduce declarations to exps; introduce global vars Make patterns exhaustive Move nullary constructor patterns upwards Compile pattern matches to nested Ifs and Lets Rephrase language Fuse function calls/apps into multi-arg calls/apps Track where closure values flow; annotate program Introduce C-style fast calls wherever possible Remove deadcode Prepare for closure conv. Perform closure conv. Inline small functions Fold constants and shrink Lets Split over-sized functions into many small functions Compile global vars into a dynamically resized array Optimise Let-expressions Switch to imperative style Reduce caller-saved vars Combine adjacent memory allocations Remove data abstraction Simplify program Known as the first verified compiler to be bootstrapped. I m one of the six developers behind version 2 (diagram to the right). machine words and code labels 32-bit words WordLang: imperative language with machine words, memory and a GC primitive StackLang: imperative language with array-like stack and optional GC LabLang: assembly lang. ARMv6 Select target instructions Perform SSA-like renaming Force two-reg code (if req.) Remove deadcode Allocate register names Concretise stack Implement GC primitive Turn stack access into memory acceses Rename registers to match arch registers/conventions Flatten code Delete no-ops (Tick, Skip) Encode program as concrete machine code later lecture zooms in 64-bit words ARMv8 x86-64 MIPS-64 RISC-V All languages communicate with the external world via a byte-array-based foreign-function interface.
10 A spectrum robust, inflexible more flexible, but can be fragile proved to always work correctly produces a proof for each run Verified compilers Proof-producing compilers Pilsner Fiat CompCert C compiler CakeML compiler Cogent Translation validation for a verified OS kernel CompCertTSO
11 These 4 lectures on Verification of an ML compiler will focus on key concepts rather than implementation details The lectures: Lecture 1: introduction to compiler verification Lecture 2: data representation and garbage collection Lecture 3: closures and call optimisations Lecture 4: compiler bootstrapping
12 but feel free to ask The lectures will not cover: Verification of parsing and ML-style type inference Optimisations (except call optimisations in lecture 3) Modelling and verification of I/O How to manage a large code base of proofs The lectures: Lecture 1: introduction to compiler verification Lecture 2: data representation and garbage collection Lecture 3: closures and call optimisations Lecture 4: compiler bootstrapping
13 Let s get started! Lecture 1: introduction to compiler verification
14 Questions Should we write a new compiler for the verification? yes, because then it has nice invariants What should we prove about it? that the generated programs behave the same as the source programs Do we need to use mechanised proof? yes
15 Proving a compiler correct Ingredients: a formal logic for the proofs accurate models of the source language the target language the compiler algorithm Tools: a proof assistant (software) does this correspond with reality? requires testing Method: prove simulation theorem using induction
16 Ingredient 1: Formal logic
17 Formal logic These lectures will use classical higher-order logic (HOL) HOL = lambda calculus with simple ML-like types Allows for quantification over functions and relations. ` () 8 Example 1: Skolem ` (8 x. 9 y. P x y) () 9 f. 8 x. P x (f x) ` 8 9 () 9 8 Example 2: complete induction over nat: ` (8 n. (8 m. m < n ) P m) ) P n) ) 8 n. P n Example 3: definition of list permutation: ` PERM L 1 L 2 () 8 x. FILTER ((=) x) L 1 = FILTER ((=) x) L 2
18 User-definitions in HOL Datatypes: datatype e = Var string Num int Add e e Assign string e datatype r = Rval int Rbreak Rfail Recursive ` 9 functions ^ (that terminate or are tail-recursive): FILTER P [] = [] FILTER P (h::t) = if P h then h::filter P t else FILTER P t Inductive relations (also co-inductive relations): (S1) (t 1,s) + t (Rval n 1,s 1 ) (t 2,s 1 ) + t r (Seq t 1 t 2,s) + t r (S2) (t 1,s) + t (r,s 1 ) is_rval r (Seq t 1 t 2,s) + t (r,s 1 )
19 Ingredient 2: Language models
20 Syntax The abstract syntax is defined as a datatype. A toy source language: t = Dec string t Exp e Break Seq t t If e t t For e e t e = Var string Num int Add e e Assign string e evaluates an expression Break aborts a loop For-loop expressions can have side-effects (c.f. ML)
21 Syntax The abstract syntax is defined as a datatype. A toy source language: t = Dec string t Exp e Break Seq t t If e t t For e e t e = Var string Num int Add e e Assign string e A toy target language: inst = Add reg reg reg Int reg int Jmp offset JmpIf reg offset an assembly program is a list of instructions
22 Operational Semantics the options There are 4 main variants one can choose from. used for concurrency relational functional common in ACL2 small-step big-step CakeML uses this style avoids treating diverging behaviours separately most common for compiler proofs requires defining: inductive rel. for terminating behaviours; co-inductive rel. for diverging behaviours.
23 Towards a functional big-step semantics (1) We define an interpreter for the source in Standard ML: fun lookup y [] = NONE lookup y ((x,v)::xs) = if y = x then SOME v else lookup y xs fun run_e s (Var x) = (case lookup x s of NONE => (Rfail,s) SOME v => (Rval v,s)) run_e s (Num i) = (Rval i,s) run_e s (Assign (x, e)) = (case run_e s e of (Rval n1, s1) => (Rval n1, (x,n1)::s1) r => r) run_e s (Add (e1, e2)) =... state state is a simple is an a-list assoc-list assignments update the state expression evaluation returns Rval or Rfail and new state
24 Towards a functional big-step semantics (2) and the evaluation of statements (type t): fun run_t s (Exp e) = run_e s e run_t s (Dec (x, t)) = run_t ((x,0)::s) t run_t s Break = (Rbreak, s) run_t s (Seq (t1, t2)) = Break causes an Rbreak (case run_t s t1 of (Rval _, s1) => run_t s1 t2 r => r) Rbreak skips Seq-code run_t s (If (e, t1, t2)) = (case run_e s e of (Rval n1, s1) => run_t s1 (if n1 = 0 then t2 else t1) r => r)
25 Towards a functional big-step semantics (3) so far everything we wrote in ML could be defined in HOL. r => r) run_t s (For (e1, e2, t)) = (case run_e s e1 of (Rval n1, s1) => if n1 = 0 then (Rval 0, s1) else (case run_t s1 t of (Rval _, s2) => (case run_e s2 e2 of but now this recursive call introduces potential non-termination (Rval _, s3) => run_t s3 (For (e1, e2, t)) r => r) (Rbreak, s2) => (Rval 0, s2) r => r) r => r)
26 Why is non-terimination an issue? Suppose HOL allowed definitions of non-terminating functions, e.g. f n = f n + 1 then f n - f n = f n f n and 0 = 1
27 Towards a functional big-step semantics (4) We can force our functions to terminate by inserting a clock. ML: run_t s (For (e1, e2, t)) =... (Rval _, s3) => run_t s3 (For (e1, e2, t)) HOL: eval_t s (For e 1 e 2 t) = in HOL, the state is a record... containing a clock (Rval _,s 3 ) ) if s 3.clock 6= 0 then which gets decremented eval_t (dec_clock s 3 ) (For e 1 e 2 t) else (Rtimeout,s 3 ) if it hits zero, then we abort with an uncatchable exception
28 Functional big-step semantics Other parts do not require clock clutter: HOL: eval_t s (Exp e) = eval_e s e eval_t s (Dec x t) = eval_t (store_var x 0 s) t eval_t s Break = (Rbreak,s) since the size of eval_t s (Seq t 1 t 2 ) = the input shrinks case eval_t s t 1 of (Rval _,s 1 ) ) eval_t s 1 t 2 r ) r eval_t s (If e t 1 t 2 ) = case eval_e s e of (Rval n 1,s 1 ) ) eval_t s 1 (if n 1 = 0 then t 2 else t 1 ) r ) r
29 Observational semantics Compiler proof is to relate different observational semantics. Without I/O, programs can only Terminate, Diverge or Crash. terminates if there is a clock that is sufficient semantics t = if 9 c v s. sem_t (s_with_clock c) t = (Rval v,s) then Terminate else if 8 c. 9 s. sem_t (s_with_clock c) t = (Rtimeout,s) then Diverge else Crash diverges if all clocks cause timeouts crashes otherwise, e.g. when Rbreak propagates to the top
30 Exercise Define a functional big-step semantics in your favourite prover (e.g. HOL4, Isabelle/HOL, Coq, ACL2) There is a trick to the termination proof. Ask me!
31 Ingredient 3: Compiler function
32 Ingredient 3: Compiler function Three phases: phase 1: rewrite For to something simpler phase 2: split expressions into instructions phase 3: flatten to list of assembly instructions
33 Ingredient 3: Compiler function Three phases: ) phase 1: rewrite For to something simpler phase1 (Exp e) = Exp e phase1 (Dec x t) = Seq (Exp (Assign x (Num 0))) (phase1 t) phase1 Break = Break phase1 (Seq t 1 t 2 ) = Seq (phase1 t 1 ) (phase1 t 2 ) phase1 (If e t 1 t 2 ) = If e (phase1 t 1 ) (phase1 t 2 ) phase1 (For e 1 e 2 t) = Loop (If e 1 (Seq (phase1 t) (Exp e 2 )) Break) where Loop t = For (Num 1) (Num 1) t. Makes all loops simple while-true loops.
34 Proving a compiler correct Ingredients: a formal logic for the proofs accurate models of the source language the target language the compiler algorithm Tools: a proof assistant (software) Method: prove simulation theorem using induction
35 Induction theorem ` 8P. (8 s e. P s (Exp e)) ^ (8 s x t. P (store_var x 0 s) t ) P s (Dec x t)) ^ (8 s. P s Break) ^ (8 s t 1 t 2. (8 v 2 s 1 v 5. (eval_t s t 1 = (v 2,s 1 )) ^ (v 2 = Rval v 5 ) ) P s 1 t 2 ) ^ P s t 1 ) P s (Seq t 1 t 2 )) ^ (8 s e t 1 t 2. (8 v 2 s 1 n 1. (eval_e s e = (v 2,s 1 )) ^ (v 2 = Rval n 1 ) ) P s 1 (if n 1 = 0 then t 2 else t 1 )) ) construct. P s (If e t 1 t 2 )) ^ (8 s e 1 e 2 t. (8 v 4 s 1 n 1 v 3 s 2 v 7 v 2 s 3 v 5. (eval_e s e 1 = (v 4,s 1 )) ^ (v 4 = Rval n 1 ) ^ n 1 6= 0 ^ (eval_t s 1 t = (v 3,s 2 )) ^ (v 3 = Rval v 7 ) ^ (eval_e s 2 e 2 = (v 2,s 3 )) ^ (v 2 = Rval v 5 ) ^ s 3.clock 6= 0 ) P (dec_clock s 3 ) (For e 1 e 2 t)) ^ (8 v 4 s 1 n 1. (eval_e s e 1 = (v 4,s 1 )) ^ (v 4 = Rval n 1 ) ^ n 1 6= 0 ) P s 1 t) ) P s (For e 1 e 2 t)) ) 8 v v 1. P v v 1 Has structure of functional big-step interpreter. One case for each program
36 Simulation proof Particularly simple for phase 1: ` 8s t. eval_t s (phase1 t) = eval_t s t Requires only 8 lines of HOL4 proof script (mostly rewriting). We can lift this to the observational semantics with a one-line proof by rewriting: ` 8t. semantics (phase1 t) = semantics t
37 Simulation theorems in general Usually, each compile phase requires a theorem of the form: non-failing evaluation of source intermediate language (IL) evaluate code s1 = (res,s2) res Rfail state_rel s1 t1 implies t2. evaluate (compile code) t1 = (res,t2) state_rel s2 t2 similar evaluation in target IL w.r.t. some relation between states (state_rel)
38 Simulation theorems in general Usually, each compile phase requires a theorem of the form: evaluate code s1 = (res,s2) res Rfail state_rel s1 t1 t2. evaluate (compile code) t1 = (res,t2) state_rel s2 t2 usually: state_rel keeps clocks in sync variant: target can consume more clock ticks
39 Simulation theorems in general Usually, each compile phase requires a theorem of the form: evaluate code s1 = (res,s2) res Rfail state_rel s1 t1 t2. evaluate (compile code) t1 = (res,t2) state_rel s2 t2 Sufficient to prove observational equivalence for both terminating and diverging runs.
40 Phase 2 simulation theorem 9 ^ ^ source IL ` 8s e t n res s 1. (eval_t s e = (res,s 1 )) ^ res 6= Rfail ^ phase2_subset e ^ possible_var_name n s.store ^ s.store v t.store ^ target IL not failing compiler (t.clock = s.clock) ^ t_max e < strlen n ) 9 t 1. (eval_t t (flatten_t e n) = (res,t 1 )) ^ s 1.store v t 1.store ^ (t 1.clock = s 1.clock) ^ possible_var_name n s 1.store ^ 8 k v. restrict language syntax following phase 1 state_rel relation possible_var_name k s.store ^ t_max e < strlen k ^ strlen k < strlen n ^ (lookup t.store k = SOME v) ) (lookup t 1.store k = SOME v) extra property
41 Composing top-level theorems Each phase maintains observational equivalence: semantics (phase1 t) = semantics t semantics t 6= Crash ^ phase2_subset t ) (semantics (phase2 t) = semantics t) semantics t 6= Crash ^ phase3_subset t ) (asm_semantics (phase3 0 0 t) = semantics t) observational semantics of target assembly Here: compile t = phase3 0 0 (phase2 (phase1 t))
42 Composing top-level theorems lemma: correct syntax implies no Crashes Result: for ML: type-correct program implies no Crash ` 8t. syntax_ok t ) (asm_semantics (compile t) = semantics t) where compile t = phase3 0 0 (phase2 (phase1 t))
43 What we learnt Ingredients: formal logic, compiler, language semantics Tools: proof assistant Method: using functional big-step semantics it suffices to prove theorems of the form: evaluate code s1 = (res,s2) res Rfail state_rel s1 t1 t2. evaluate (compile code) t1 = (res,t2) state_rel s2 t2 in order to prove observational equivalence, i.e. ` 8t. syntax_ok t ) (asm_semantics (compile t) = semantics t)
44 Extra slides
45 Comparing functional with relation big-step In the functional version, Seq was specified by: eval_t s Break = (Rbreak,s) eval_t s (Seq t 1 t 2 ) = case eval_t s t 1 of (Rval _,s 1 ) ) eval_t s 1 t 2 r ) r In the relational version, Seq is specified using four rules: (S1) (t 1,s) + t (Rval n 1,s 1 ) (t 2,s 1 ) + t r (Seq t 1 t 2,s) + t r (S2) (t 1,s) + t (r,s 1 ) is_rval r (Seq t 1 t 2,s) + t (r,s 1 ) + (S1 0 ) (t 1,s) * t (Seq t 1 t 2,s) * t (S2 0 ) (t 1,s) + t (Rval n 1,s 1 ) (t 2,s 1 ) * t (Seq t 1 t 2,s) * t
46 Induction from relational big-step `... ^... ^... ^... ^... ^... ^... ^... ^ (8 s s 1 e 1 e 2 t. (e 1,s) + e (Rval 0,s 1 ) ) P (For e 1 e 2 t,s) (Rval 0,s 1 )) ^ (8 s s 1 e 1 e 2 t r. (e 1,s) + e (r,s 1 ) ^ is_rval r ) P (For e 1 e 2 t,s) (r,s 1 )) ^ (8 s s 1 s 2 s 3 e 1 e 2 t n 1 n 2 n 3 r. (e 1,s) + e (Rval n 1,s 1 ) ^ n 1 6= 0 ^ P (t,s 1 ) (Rval n 2,s 2 ) ^ (e 2,s 2 ) + e (Rval n 3,s 3 ) ^ P (For e 1 e 2 t,s 3 ) r ) P (For e 1 e 2 t,s) r) ^ (8 s s 1 s 2 e 1 e 2 t n 1. (e 1,s) + e (Rval n 1,s 1 ) ^ n 1 6= 0 ^ P (t,s 1 ) (Rbreak,s 2 ) ) P (For e 1 e 2 t,s) (Rval 0,s 2 )) ^ (8 s s 1 s 2 s 3 e 1 e 2 t n 1 n 2 r. (e 1,s) + e (Rval n 1,s 1 ) ^ n 1 6= 0 ^ P (t,s 1 ) (Rval n 2,s 2 ) ^ (e 2,s 2 ) + e (r,s 3 ) ^ is_rval r ) P (For e 1 e 2 t,s) (r,s 3 )) ^ (8 s s 1 s 2 e 1 e 2 t n 1 r. (e 1,s) + e (Rval n 1,s 1 ) ^ n 1 6= 0 ^ P (t,s 1 ) (r,s 2 ) ^ is_rval r ^ r 6= Rbreak ) P (For e 1 e 2 t,s) (r,s 2 )) ) 8 ts rs. ts + t rs ) P ts rs It has one rule for each case in the relation Six cases for For!
47 Observational semantics with I/O Defining the observational semantics when there is I/O. semantics t input (Terminate io_trace) () 9 c nd i s. (sem_t (init_st c nd input) t = (Rval i,s)) ^ (FILTER ISL s.io_trace = io_trace) semantics t input Crash () 9 c nd r s. (sem_t (init_st c nd input) t = (r,s)) ^ ((r = Rbreak) _ (r = Rfail)) semantics t input (Diverge io_trace) () 9 nd. (8 c. 9 s. sem_t (init_st c nd input) t = (Rtimeout,s)) ^ (io_trace W = c. fromlist (FILTER ISL (SND (sem_t (init_st c nd input) t)).io_trace))
Verified compilers. Guest lecture for Compiler Construction, Spring Magnus Myréen. Chalmers University of Technology
Guest lecture for Compiler Construction, Spring 2015 Verified compilers Magnus Myréen Chalmers University of Technology Mentions joint work with Ramana Kumar, Michael Norrish, Scott Owens and many more
More informationVerification of an ML compiler. Lecture 3: Closures, closure conversion and call optimisations
Verification of an ML compiler Lecture 3: Closures, closure conversion and call optimisations Marktoberdorf Summer School MOD 2017 Magnus O. Myreen, Chalmers University of Technology Implementing the ML
More informationA New Verified Compiler Backend for CakeML. Yong Kiam Tan* Magnus O. Myreen Ramana Kumar Anthony Fox Scott Owens Michael Norrish
A New Verified Compiler Backend for CakeML Yong Kiam Tan* Magnus O. Myreen Ramana Kumar Anthony Fox Scott Owens Michael Norrish 1 CakeML Has: references, modules, signatures, datatypes, exceptions,...
More informationTurning proof assistants into programming assistants
Turning proof assistants into programming assistants ST Winter Meeting, 3 Feb 2015 Magnus Myréen Why? Why combine proof- and programming assistants? Why proofs? Testing cannot show absence of bugs. Some
More informationCAKEML. A Verified Implementation of ML. S-REPLS 6 UCL 25 May, Ramana Kumar. Magnus Myreen. Yong Kiam Tan
CAKEML A Verified Implementation of ML Anthony Fox Hugo Férée Armaël Guéneau Ramana Kumar Magnus Myreen Michael Norrish Scott Owens Yong Kiam Tan S-REPLS 6 UCL 25 May, 2017 The CakeML Project A functional
More informationKent Academic Repository
Kent Academic Repository Full text document (pdf) Citation for published version Owens, Scott and Myreen, Magnus O. and Kumar, Ramana and Tan, Yong Kiam (2016) Functional Big-step Semantics. In: European
More informationThe Verified CakeML Compiler Backend
Under consideration for publication in J. Functional Programming 1 The Verified CakeML Compiler Backend Yong Kiam Tan 1, Magnus O. Myreen 2, Ramana Kumar 3 Anthony Fox 4, Scott Owens 5, Michael Norrish
More informationBackground. From my PhD (2009): Verified Lisp interpreter in ARM, x86 and PowerPC machine code
Certification of high-level and low-level programs, IHP, Paris, 2014 CakeML A verified implementation of ML Ramana Kumar Magnus Myreen Michael Norrish Scott Owens Background From my PhD (2009): Verified
More informationVerified Characteristic Formulae for CakeML. Armaël Guéneau, Magnus O. Myreen, Ramana Kumar, Michael Norrish April 27, 2017
Verified Characteristic Formulae for CakeML Armaël Guéneau, Magnus O. Myreen, Ramana Kumar, Michael Norrish April 27, 2017 Goal: write programs in a high-level (ML-style) language, prove them correct interactively,
More informationCSE413: Programming Languages and Implementation Racket structs Implementing languages with interpreters Implementing closures
CSE413: Programming Languages and Implementation Racket structs Implementing languages with interpreters Implementing closures Dan Grossman Fall 2014 Hi! I m not Hal J I love this stuff and have taught
More informationCertified compilers. Do you trust your compiler? Testing is immune to this problem, since it is applied to target code
Certified compilers Do you trust your compiler? Most software errors arise from source code But what if the compiler itself is flawed? Testing is immune to this problem, since it is applied to target code
More informationCSE341: Programming Languages Lecture 17 Implementing Languages Including Closures. Dan Grossman Autumn 2018
CSE341: Programming Languages Lecture 17 Implementing Languages Including Closures Dan Grossman Autumn 2018 Typical workflow concrete syntax (string) "(fn x => x + x) 4" Parsing Possible errors / warnings
More informationA CRASH COURSE IN SEMANTICS
LAST TIME Recdef More induction NICTA Advanced Course Well founded orders Slide 1 Theorem Proving Principles, Techniques, Applications Slide 3 Well founded recursion Calculations: also/finally {P}... {Q}
More informationCakeML. A verified implementation of ML. LFCS seminar, Edinburgh, May Magnus Myreen Chalmers University of Technology & University of Cambridge
LFCS seminar, Edinburgh, May 2015 CakeML A verified implementation of ML Magnus Myreen Chalmers University of Technology & University of Cambridge Joint work with Ramana Kumar, Michael Norrish, Scott Owens
More informationAutomatically Introducing Tail Recursion in CakeML. Master s thesis in Computer Science Algorithms, Languages, and Logic OSKAR ABRAHAMSSON
Automatically Introducing Tail Recursion in CakeML Master s thesis in Computer Science Algorithms, Languages, and Logic OSKAR ABRAHAMSSON Department of Computer Science and Engineering CHALMERS UNIVERSITY
More informationTranslation Validation for a Verified OS Kernel
To appear in PLDI 13 Translation Validation for a Verified OS Kernel Thomas Sewell 1, Magnus Myreen 2, Gerwin Klein 1 1 NICTA, Australia 2 University of Cambridge, UK L4.verified sel4 = a formally verified
More informationTheorem proving. PVS theorem prover. Hoare style verification PVS. More on embeddings. What if. Abhik Roychoudhury CS 6214
Theorem proving PVS theorem prover Abhik Roychoudhury National University of Singapore Both specification and implementation can be formalized in a suitable logic. Proof rules for proving statements in
More informationSoftware Testing CS 408. Lecture 10: Compiler Testing 2/15/18
Software Testing CS 408 Lecture 10: Compiler Testing 2/15/18 Compilers Clearly, a very critical part of any software system. It is itself a complex piece of software - How should they be tested? - Random
More informationVerified compilation of a first-order Lisp language
Verified compilation of a first-order Lisp language Lecture 7 MPhil ACS & Part III course, Functional Programming: Implementation, Specification and Verification Magnus Myreen Michaelmas term, 2013 Interpreter
More informationA Simple Supercompiler Formally Verified in Coq
A Simple Supercompiler Formally Verified in Coq IGE+XAO Balkan 4 July 2010 / META 2010 Outline 1 Introduction 2 3 Test Generation, Extensional Equivalence More Realistic Language Use Information Propagation
More informationOptimising Functional Programming Languages. Max Bolingbroke, Cambridge University CPRG Lectures 2010
Optimising Functional Programming Languages Max Bolingbroke, Cambridge University CPRG Lectures 2010 Objectives Explore optimisation of functional programming languages using the framework of equational
More informationProgramming Languages Lecture 15: Recursive Types & Subtyping
CSE 230: Winter 2008 Principles of Programming Languages Lecture 15: Recursive Types & Subtyping Ranjit Jhala UC San Diego News? Formalize first-order type systems Simple types (integers and booleans)
More informationHardening LLVM with Random Testing
Hardening LLVM with Random Testing Xuejun Yang, Yang Chen Eric Eide, John Regehr {jxyang, chenyang, eeide, regehr}@cs.utah.edu University of Utah 11/3/2010 1 A LLVM Crash Bug int * p[2]; int i; for (...)
More informationApplied Theorem Proving: Modelling Instruction Sets and Decompiling Machine Code. Anthony Fox University of Cambridge, Computer Laboratory
Applied Theorem Proving: Modelling Instruction Sets and Decompiling Machine Code Anthony Fox University of Cambridge, Computer Laboratory Overview This talk will mainly focus on 1. Specifying instruction
More informationHow much is a mechanized proof worth, certification-wise?
How much is a mechanized proof worth, certification-wise? Xavier Leroy Inria Paris-Rocquencourt PiP 2014: Principles in Practice In this talk... Some feedback from the aircraft industry concerning the
More informationCS153: Compilers Lecture 15: Local Optimization
CS153: Compilers Lecture 15: Local Optimization Stephen Chong https://www.seas.harvard.edu/courses/cs153 Announcements Project 4 out Due Thursday Oct 25 (2 days) Project 5 out Due Tuesday Nov 13 (21 days)
More informationCOS 320. Compiling Techniques
Topic 5: Types COS 320 Compiling Techniques Princeton University Spring 2016 Lennart Beringer 1 Types: potential benefits (I) 2 For programmers: help to eliminate common programming mistakes, particularly
More informationAdvanced C Programming
Advanced C Programming Compilers Sebastian Hack hack@cs.uni-sb.de Christoph Weidenbach weidenbach@mpi-inf.mpg.de 20.01.2009 saarland university computer science 1 Contents Overview Optimizations Program
More informationTypical workflow. CSE341: Programming Languages. Lecture 17 Implementing Languages Including Closures. Reality more complicated
Typical workflow concrete synta (string) "(fn => + ) 4" Parsing CSE341: Programming Languages abstract synta (tree) Lecture 17 Implementing Languages Including Closures Function Constant + 4 Var Var Type
More informationG Programming Languages - Fall 2012
G22.2110-003 Programming Languages - Fall 2012 Lecture 4 Thomas Wies New York University Review Last week Control Structures Selection Loops Adding Invariants Outline Subprograms Calling Sequences Parameter
More informationA Trustworthy Monadic Formalization of the ARMv7 Instruction Set Architecture. Anthony Fox and Magnus O. Myreen University of Cambridge
A Trustworthy Monadic Formalization of the ARMv7 Instruction Set Architecture Anthony Fox and Magnus O. Myreen University of Cambridge Background Instruction set architectures play an important role in
More informationAdam Chlipala University of California, Berkeley ICFP 2006
Modular Development of Certified Program Verifiers with a Proof Assistant Adam Chlipala University of California, Berkeley ICFP 2006 1 Who Watches the Watcher? Program Verifier Might want to ensure: Memory
More informationProving Properties on Programs From the Coq Tutorial at ITP 2015
Proving Properties on Programs From the Coq Tutorial at ITP 2015 Reynald Affeldt August 29, 2015 Hoare logic is a proof system to verify imperative programs. It consists of a language of Hoare triples
More informationA verified runtime for a verified theorem prover
A verified runtime for a verified theorem prover Magnus Myreen 1 and Jared Davis 2 1 University of Cambridge, UK 2 Centaur Technology, USA Two projects meet My theorem prover is written in Lisp. Can I
More informationFormal verification of program obfuscations
Formal verification of program obfuscations Sandrine Blazy joint work with Roberto Giacobazzi and Alix Trieu IFIP WG 2.11, 2015-11-10 1 Background: verifying a compiler Compiler + proof that the compiler
More informationA Small Interpreted Language
A Small Interpreted Language What would you need to build a small computing language based on mathematical principles? The language should be simple, Turing equivalent (i.e.: it can compute anything that
More informationControl in Sequential Languages
CS 242 2012 Control in Sequential Languages Reading: Chapter 8, Sections 8.1 8.3 (only) Section 7.3 of The Haskell 98 Report, Exception Handling in the I/O Monad, http://www.haskell.org/onlinelibrary/io-13.html
More informationCompilers: The goal. Safe. e : ASM
Compilers: The goal What s our goal with compilers? Take a high level language, turn it into a low level language In a semantics preserving way. e : ML Safe e : ASM 1 Compilers: The goal What s our goal
More informationG Programming Languages Spring 2010 Lecture 4. Robert Grimm, New York University
G22.2110-001 Programming Languages Spring 2010 Lecture 4 Robert Grimm, New York University 1 Review Last week Control Structures Selection Loops 2 Outline Subprograms Calling Sequences Parameter Passing
More information6.184 Lecture 4. Interpretation. Tweaked by Ben Vandiver Compiled by Mike Phillips Original material by Eric Grimson
6.184 Lecture 4 Interpretation Tweaked by Ben Vandiver Compiled by Mike Phillips Original material by Eric Grimson 1 Interpretation Parts of an interpreter Arithmetic calculator
More informationCSCI-GA Scripting Languages
CSCI-GA.3033.003 Scripting Languages 12/02/2013 OCaml 1 Acknowledgement The material on these slides is based on notes provided by Dexter Kozen. 2 About OCaml A functional programming language All computation
More informationDirections in ISA Specification. Anthony Fox. Computer Laboratory, University of Cambridge, UK
Directions in ISA Specification Anthony Fox Computer Laboratory, University of Cambridge, UK Abstract. This rough diamond presents a new domain-specific language (DSL) for producing detailed models of
More informationVerification Condition Generation
Verification Condition Generation Jorge Sousa Pinto Departamento de Informática / Universidade do Minho jsp@di.uminho.pt www.di.uminho.pt/~jsp Outline (1) - From Hoare Logic to VCGen algorithms: an architecture
More information# true;; - : bool = true. # false;; - : bool = false 9/10/ // = {s (5, "hi", 3.2), c 4, a 1, b 5} 9/10/2017 4
Booleans (aka Truth Values) Programming Languages and Compilers (CS 421) Sasa Misailovic 4110 SC, UIUC https://courses.engr.illinois.edu/cs421/fa2017/cs421a # true;; - : bool = true # false;; - : bool
More informationPrinciples of Programming Languages
Principles of Programming Languages Lesson 14 Type Checking Collaboration and Management Dana Fisman www.cs.bgu.ac.il/~ppl172 1 Type Checking We return to the issue of type safety we discussed informally,
More informationTheorem Proving Principles, Techniques, Applications Recursion
NICTA Advanced Course Theorem Proving Principles, Techniques, Applications Recursion 1 CONTENT Intro & motivation, getting started with Isabelle Foundations & Principles Lambda Calculus Higher Order Logic,
More informationCompilers. Type checking. Yannis Smaragdakis, U. Athens (original slides by Sam
Compilers Type checking Yannis Smaragdakis, U. Athens (original slides by Sam Guyer@Tufts) Summary of parsing Parsing A solid foundation: context-free grammars A simple parser: LL(1) A more powerful parser:
More informationCS152: Programming Languages. Lecture 5 Pseudo-Denotational Semantics. Dan Grossman Spring 2011
CS152: Programming Languages Lecture 5 Pseudo-Denotational Semantics Dan Grossman Spring 2011 A different approach Operational semantics defines an interpreter, from abstract syntax to abstract syntax.
More informationThe design of a programming language for provably correct programs: success and failure
The design of a programming language for provably correct programs: success and failure Don Sannella Laboratory for Foundations of Computer Science School of Informatics, University of Edinburgh http://homepages.inf.ed.ac.uk/dts
More informationCertified Merger for C Programs Using a Theorem Prover: A First Step
Certified Merger for C Programs Using a Theorem Prover: A First Step Yuki Goto Kazuko Takahashi School of Science & Technology School of Science & Technology Kwansei Gakuin University Kwansei Gakuin University
More informationThe Substitution Model
The Substitution Model Prof. Clarkson Fall 2017 Today s music: Substitute by The Who Review Previously in 3110: simple interpreter for expression language abstract syntax tree (AST) evaluation based on
More informationLecture08: Scope and Lexical Address
Lecture08: Scope and Lexical Address Free and Bound Variables (EOPL 1.3.1) Given an expression E, does a particular variable reference x appear free or bound in that expression? Definition: A variable
More informationCS 11 Haskell track: lecture 1
CS 11 Haskell track: lecture 1 This week: Introduction/motivation/pep talk Basics of Haskell Prerequisite Knowledge of basic functional programming e.g. Scheme, Ocaml, Erlang CS 1, CS 4 "permission of
More informationWork-in-progress: Verifying the Glasgow Haskell Compiler Core language
Work-in-progress: Verifying the Glasgow Haskell Compiler Core language Stephanie Weirich Joachim Breitner, Antal Spector-Zabusky, Yao Li, Christine Rizkallah, John Wiegley May 2018 Verified compilers and
More informationAdvanced Systems Programming
Advanced Systems Programming Introduction to C++ Martin Küttler September 19, 2017 1 / 18 About this presentation This presentation is not about learning programming or every C++ feature. It is a short
More informationCompilers and computer architecture: A realistic compiler to MIPS
1 / 1 Compilers and computer architecture: A realistic compiler to MIPS Martin Berger November 2017 Recall the function of compilers 2 / 1 3 / 1 Recall the structure of compilers Source program Lexical
More informationMachine-checked proofs of program correctness
Machine-checked proofs of program correctness COS 326 Andrew W. Appel Princeton University slides copyright 2013-2015 David Walker and Andrew W. Appel In this course, you saw how to prove that functional
More informationDefining the Ethereum Virtual Machine for Interactive Theorem Provers
Defining the Ethereum Virtual Machine for Interactive Theorem Provers Ethereum Foundation Workshop on Trusted Smart Contracts Malta, Apr. 7, 2017 1/32 Outline 1 2 3 Remaining Problems 4 2/32 Outline 1
More informationCS 242. Fundamentals. Reading: See last slide
CS 242 Fundamentals Reading: See last slide Syntax and Semantics of Programs Syntax The symbols used to write a program Semantics The actions that occur when a program is executed Programming language
More informationCOMP 4161 Data61 Advanced Course. Advanced Topics in Software Verification. Gerwin Klein, June Andronick, Christine Rizkallah, Miki Tanaka
COMP 4161 Data61 Advanced Course Advanced Topics in Software Verification Gerwin Klein, June Andronick, Christine Rizkallah, Miki Tanaka 1 COMP4161 c Data61, CSIRO: provided under Creative Commons Attribution
More informationCSE 341 Section 7. Eric Mullen Spring Adapted from slides by Nicholas Shahan, Dan Grossman, and Tam Dang
CSE 341 Section 7 Eric Mullen Spring 2017 Adapted from slides by Nicholas Shahan, Dan Grossman, and Tam Dang Outline Interpreting LBI (Language Being Implemented) Assume Correct Syntax Check for Correct
More informationCompiler Theory. (Semantic Analysis and Run-Time Environments)
Compiler Theory (Semantic Analysis and Run-Time Environments) 005 Semantic Actions A compiler must do more than recognise whether a sentence belongs to the language of a grammar it must do something useful
More informationCS61C : Machine Structures
inst.eecs.berkeley.edu/~cs61c/su06 CS61C : Machine Structures Lecture #6: Memory Management CS 61C L06 Memory Management (1) 2006-07-05 Andy Carle Memory Management (1/2) Variable declaration allocates
More informationMatching Logic. Grigore Rosu University of Illinois at Urbana-Champaign
Matching Logic Grigore Rosu University of Illinois at Urbana-Champaign Joint work with Andrei Stefanescu and Chucky Ellison. Started with Wolfram Schulte at Microsoft Research in 2009 Question could it
More informationCS558 Programming Languages
CS558 Programming Languages Fall 2016 Lecture 3a Andrew Tolmach Portland State University 1994-2016 Formal Semantics Goal: rigorous and unambiguous definition in terms of a wellunderstood formalism (e.g.
More informationCSE341, Spring 2013, Final Examination June 13, 2013
CSE341, Spring 2013, Final Examination June 13, 2013 Please do not turn the page until 8:30. Rules: The exam is closed-book, closed-note, except for both sides of one 8.5x11in piece of paper. Please stop
More informationCSE505, Fall 2012, Midterm Examination October 30, 2012
CSE505, Fall 2012, Midterm Examination October 30, 2012 Rules: The exam is closed-book, closed-notes, except for one side of one 8.5x11in piece of paper. Please stop promptly at Noon. You can rip apart
More informationtype classes & locales
Content Rough timeline Intro & motivation, getting started [1] COMP 4161 NICTA Advanced Course Advanced Topics in Software Verification Gerwin Klein, June Andronick, Toby Murray type classes & locales
More informationAn Extensible Programming Language for Verified Systems Software. Adam Chlipala MIT CSAIL WG 2.16 meeting, 2012
An Extensible Programming Language for Verified Systems Software Adam Chlipala MIT CSAIL WG 2.16 meeting, 2012 The status quo in computer system design DOM JS API Web page Network JS API CPU Timer interrupts
More informationHow Efficient Can Fully Verified Functional Programs Be - A Case Study of Graph Traversal Algorithms
How Efficient Can Fully Verified Functional Programs Be - A Case Study of Graph Traversal Algorithms Mirko Stojadinović Faculty of Mathematics, University of Belgrade Abstract. One approach in achieving
More informationŒuf: Minimizing the Coq Extraction TCB
Œuf: Minimizing the Coq Extraction TCB Eric Mullen University of Washington, USA USA Abstract Zachary Tatlock University of Washington, USA USA Verifying systems by implementing them in the programming
More informationCS558 Programming Languages
CS558 Programming Languages Winter 2017 Lecture 7b Andrew Tolmach Portland State University 1994-2017 Values and Types We divide the universe of values according to types A type is a set of values and
More informationFunctional Programming. Pure Functional Programming
Functional Programming Pure Functional Programming Computation is largely performed by applying functions to values. The value of an expression depends only on the values of its sub-expressions (if any).
More informationCS 360 Programming Languages Interpreters
CS 360 Programming Languages Interpreters Implementing PLs Most of the course is learning fundamental concepts for using and understanding PLs. Syntax vs. semantics vs. idioms. Powerful constructs like
More informationCSE 505: Concepts of Programming Languages
CSE 505: Concepts of Programming Languages Dan Grossman Fall 2009 Lecture 4 Proofs about Operational Semantics; Pseudo-Denotational Semantics Dan Grossman CSE505 Fall 2009, Lecture 4 1 This lecture Continue
More informationDesign Issues. Subroutines and Control Abstraction. Subroutines and Control Abstraction. CSC 4101: Programming Languages 1. Textbook, Chapter 8
Subroutines and Control Abstraction Textbook, Chapter 8 1 Subroutines and Control Abstraction Mechanisms for process abstraction Single entry (except FORTRAN, PL/I) Caller is suspended Control returns
More informationIntrinsically Typed Reflection of a Gallina Subset Supporting Dependent Types for Non-structural Recursion of Coq
Intrinsically Typed Reflection of a Gallina Subset Supporting Dependent Types for Non-structural Recursion of Coq Akira Tanaka National Institute of Advanced Industrial Science and Technology (AIST) 2018-11-21
More informationCS558 Programming Languages
CS558 Programming Languages Winter 2017 Lecture 4a Andrew Tolmach Portland State University 1994-2017 Semantics and Erroneous Programs Important part of language specification is distinguishing valid from
More informationCSE 341 Section 7. Ethan Shea Autumn Adapted from slides by Nicholas Shahan, Dan Grossman, Tam Dang, and Eric Mullen
CSE 341 Section 7 Ethan Shea Autumn 2018 Adapted from slides by Nicholas Shahan, Dan Grossman, Tam Dang, and Eric Mullen Outline Interpreting MUPL Assume Correct Syntax Check for Correct Semantics Evaluating
More informationProgram analysis parameterized by the semantics in Maude
Program analysis parameterized by the semantics in Maude A. Riesco (joint work with I. M. Asăvoae and M. Asăvoae) Universidad Complutense de Madrid, Madrid, Spain Workshop on Logic, Algebra and Category
More informationFunctional Languages. Hwansoo Han
Functional Languages Hwansoo Han Historical Origins Imperative and functional models Alan Turing, Alonzo Church, Stephen Kleene, Emil Post, etc. ~1930s Different formalizations of the notion of an algorithm
More informationTypical Runtime Layout. Tiger Runtime Environments. Example: Nested Functions. Activation Trees. code. Memory Layout
Tiger Runtime Environments Compile-time environments are just symbol tables; they are used to assist static semantic analysis, code generation and code optimization. Run-time environments are about how
More informationChapter 1. Introduction
1 Chapter 1 Introduction An exciting development of the 21st century is that the 20th-century vision of mechanized program verification is finally becoming practical, thanks to 30 years of advances in
More informationCombining Programming with Theorem Proving
Combining Programming with Theorem Proving Chiyan Chen and Hongwei Xi Boston University Programming with Theorem Proving p.1/27 Motivation for the Research To support advanced type systems for practical
More informationOrnaments in ML. Thomas Williams, Didier Rémy. April 18, Inria - Gallium
Ornaments in ML Thomas Williams, Didier Rémy Inria - Gallium April 18, 2017 1 Motivation Two very similar functions let rec add m n = match m with Z n S m S (add m n) let rec append ml nl = match ml with
More informationDirections in ISA Specification
Directions in ISA Specification Anthony Fox Computer Laboratory, University of Cambridge, UK Abstract. This rough diamond presents a new domain-specific language (DSL) for producing detailed models of
More informationCSE 413 Languages & Implementation. Hal Perkins Winter 2019 Structs, Implementing Languages (credits: Dan Grossman, CSE 341)
CSE 413 Languages & Implementation Hal Perkins Winter 2019 Structs, Implementing Languages (credits: Dan Grossman, CSE 341) 1 Goals Representing programs as data Racket structs as a better way to represent
More informationThe Environment Model. Nate Foster Spring 2018
The Environment Model Nate Foster Spring 2018 Review Previously in 3110: Interpreters: ASTs, evaluation, parsing Formal syntax: BNF Formal semantics: dynamic: small-step substitution model static semantics
More informationProvably Correct Software
Provably Correct Software Max Schäfer Institute of Information Science/Academia Sinica September 17, 2007 1 / 48 The Need for Provably Correct Software BUT bugs are annoying, embarrassing, and cost gazillions
More informationMoreIntro_annotated.v. MoreIntro_annotated.v. Printed by Zach Tatlock. Oct 04, 16 21:55 Page 1/10
Oct 04, 16 21:55 Page 1/10 * Lecture 02 Infer some type arguments automatically. Set Implicit Arguments. Note that the type constructor for functions (arrow " >") associates to the right: A > B > C = A
More informationA Lazy to Strict Language Compiler Master s thesis in Computer Science and Engineering PHILIP THAM
A Lazy to Strict Language Compiler Master s thesis in Computer Science and Engineering PHILIP THAM Department of Computer Science and Engineering CHALMERS UNIVERSITY OF TECHNOLOGY UNIVERSITY OF GOTHENBURG
More informationCA Compiler Construction
CA4003 - Compiler Construction David Sinclair When procedure A calls procedure B, we name procedure A the caller and procedure B the callee. A Runtime Environment, also called an Activation Record, is
More information6.037 Lecture 4. Interpretation. What is an interpreter? Why do we need an interpreter? Stages of an interpreter. Role of each part of the interpreter
6.037 Lecture 4 Interpretation Interpretation Parts of an interpreter Meta-circular Evaluator (Scheme-in-scheme!) A slight variation: dynamic scoping Original material by Eric Grimson Tweaked by Zev Benjamin,
More informationCMSC 330: Organization of Programming Languages
CMSC 330: Organization of Programming Languages Operational Semantics CMSC 330 Summer 2018 1 Formal Semantics of a Prog. Lang. Mathematical description of the meaning of programs written in that language
More informationPierce Ch. 3, 8, 11, 15. Type Systems
Pierce Ch. 3, 8, 11, 15 Type Systems Goals Define the simple language of expressions A small subset of Lisp, with minor modifications Define the type system of this language Mathematical definition using
More informationFunctional programming languages
Functional programming languages Part V: functional intermediate representations Xavier Leroy INRIA Paris-Rocquencourt MPRI 2-4, 2015 2017 X. Leroy (INRIA) Functional programming languages MPRI 2-4, 2015
More informationCompiler Construction D7011E
Compiler Construction D7011E Lecture 8: Introduction to code generation Viktor Leijon Slides largely by Johan Nordlander with material generously provided by Mark P. Jones. 1 What is a Compiler? Compilers
More informationMoreIntro.v. MoreIntro.v. Printed by Zach Tatlock. Oct 07, 16 18:11 Page 1/10. Oct 07, 16 18:11 Page 2/10. Monday October 10, 2016 lec02/moreintro.
Oct 07, 16 18:11 Page 1/10 * Lecture 02 Set Implicit Arguments. Inductive list (A: Type) : Type := nil : list A cons : A > list A > list A. Fixpoint length (A: Type) (l: list A) : nat := nil _ => O cons
More informationVerification Condition Generation via Theorem Proving
Verification Condition Generation via Theorem Proving John Matthews Galois Connections Inc. J Strother Moore University of Texas at Austin Sandip Ray University of Texas at Austin Daron Vroon Georgia Institute
More informationBooleans (aka Truth Values) Programming Languages and Compilers (CS 421) Booleans and Short-Circuit Evaluation. Tuples as Values.
Booleans (aka Truth Values) Programming Languages and Compilers (CS 421) Elsa L Gunter 2112 SC, UIUC https://courses.engr.illinois.edu/cs421/fa2017/cs421d # true;; - : bool = true # false;; - : bool =
More information