Certified Memory Usage Analysis
|
|
- Bonnie Adams
- 5 years ago
- Views:
Transcription
1 Certified Memory Usage Analysis David Cachera, Thomas Jensen, David Pichardie, Gerardo Schneider IRISA, ENS Cachan Bretagne, France
2 Context Embedded devices (smart cards, mobile phones) memory is limited garbage collectors are time and memory consuming Industrial answer : smart cards programmers are not allowed to make dynamical allocation inside loops!
3 Goal of this work Propose a static analysis aimed at verifying that the number of dynamical allocations is bounded loop detection algorithm This analysis targets programs written using the previous restrictive programming discipline dynamical loops are over-approximated by static loops a program is predicted memory bounded if no dynamical allocation occurs inside static loops
4 Why you should not read this paper... you are looking for a sophisticated memory usage analysis you are only interested in implementing verification tools you don t care about proofs
5 Why you should not read this paper... you are looking for a sophisticated memory usage analysis you are only interested in implementing verification tools you don t care about proofs A simple algorithm, but an in-extenso correctness proof of the algorithm based on the abstract interpretation theory machine-checked in the Coq proof assistant efficient implementation extracted from the proof
6 Outline Introduction The analysed language The algorithm Certification Experimental results Conclusion
7 Outline Introduction The analysed language The algorithm Certification Experimental results Conclusion
8 The analysed language : Carmel Instructions an intermediate representation of the Java Card bytecode bytecode for stack machine nop push c pop swap numop op load x store x if pc goto pc new cl putfield f getfield f newarray t arraylength arrayload arraystore invokevirtual m id return stack } local variables } jump heap } method call and return
9 The analysed language : Carmel Instructions an intermediate representation of the Java Card bytecode bytecode for stack machine nop push c pop swap numop op load x store x if pc goto pc new cl putfield f getfield f newarray t arraylength arrayload arraystore invokevirtual m id return stack } local variables } jump heap } method call and return
10 The analysed language : Carmel Instructions an intermediate representation of the Java Card bytecode bytecode for stack machine nop push c pop swap numop op load x store x if pc goto pc new cl putfield f getfield f newarray t arraylength arrayload arraystore invokevirtual m id return stack } local variables } jump heap } method call and return
11 The analysed language : Carmel Instructions an intermediate representation of the Java Card bytecode bytecode for stack machine nop push c pop swap numop op load x store x if pc goto pc new cl putfield f getfield f newarray t arraylength arrayload arraystore invokevirtual m id return stack } local variables } jump heap } method call and return
12 The analysed language : Carmel Instructions an intermediate representation of the Java Card bytecode bytecode for stack machine nop push c pop swap numop op load x store x if pc goto pc new cl putfield f getfield f newarray t arraylength arrayload arraystore invokevirtual m id return stack } local variables } jump heap } method call and return
13 The analysed language : Carmel Instructions an intermediate representation of the Java Card bytecode bytecode for stack machine nop push c pop swap numop op load x store x if pc goto pc new cl putfield f getfield f newarray t arraylength arrayload arraystore invokevirtual m id return stack } local variables } jump heap } method call and return
14 The analysed language : Carmel Instructions an intermediate representation of the Java Card bytecode bytecode for stack machine 4 kinds of instructions intra-method jumps inter-method jumps dynamical allocation the others... nop push c pop swap numop op load x store x if pc goto pc new cl putfield f getfield f newarray t arraylength arrayload arraystore invokevirtual m id return stack } local variables } jump heap } method call and return
15 The analysed language : Carmel Instructions an intermediate representation of the Java Card bytecode bytecode for stack machine 4 kinds of instructions intra-method jumps inter-method jumps dynamical allocation the others... nop push c pop swap numop op load x store x if pc goto pc new cl putfield f getfield f newarray t arraylength arrayload arraystore invokevirtual m id return stack } local variables } jump heap } method call and return
16 The analysed language : Carmel Instructions an intermediate representation of the Java Card bytecode bytecode for stack machine 4 kinds of instructions intra-method jumps inter-method jumps dynamical allocation the others... nop push c pop swap numop op load x store x if pc goto pc new cl putfield f getfield f newarray t arraylength arrayload arraystore invokevirtual m id return stack } local variables } jump heap } method call and return
17 The analysed language : Carmel Instructions an intermediate representation of the Java Card bytecode bytecode for stack machine 4 kinds of instructions intra-method jumps inter-method jumps dynamical allocation the others... nop push c pop swap numop op load x store x if pc goto pc new cl putfield f getfield f newarray t arraylength arrayload arraystore invokevirtual m id return stack } local variables } jump heap } method call and return
18 The analysed language : Carmel Instructions an intermediate representation of the Java Card bytecode bytecode for stack machine 4 kinds of instructions intra-method jumps inter-method jumps dynamical allocation the others... nop push c pop swap numop op load x store x if pc goto pc new cl putfield f getfield f newarray t arraylength arrayload arraystore invokevirtual m id return stack } local variables } jump heap } method call and return
19 The analysed language : Carmel Instructions an intermediate representation of the Java Card bytecode bytecode for stack machine 4 kinds of instructions intra-method jumps inter-method jumps dynamical allocation the others... instr in the rest of the talk instr instr instr instr instr instr instr if pc goto pc new cl instr instr newarray t instr instr instr invokevirtual m id return stack } local variables } jump heap } method call and return
20 Carmel : semantic domains Val ::= num n n N ref r r Reference null Stack = Val LocalVar = Var Val Frame = NameMethod PointProg LocalVar Stack CallStack = Frame Object = FieldName Val Heap = Reference Object State = Heap Frame CallStack State example : h, m, pc, l, v :: s, sf
21 Carmel : operational semantics instructionat P (m, pc) = instr h, m, pc, l, s, sf h, m, pc + 1, l, s, sf instructionat P (m, pc) = invokevirtual m id m = methodlookup(m id, h(loc)) V = v 1 :: :: v nbarguments(mid ) h, m, pc, l, loc :: V :: s, sf h, m, 1, V, ε, m, pc, l, s :: sf
22 Carmel : reachable partial traces Sequence of consecutive states P = { s 0 :: s 1 :: :: s n State + s 0 S init k < n, s k s k+1 } (State + ) with S init : set of initial states
23 Carmel : reachable partial traces Sequence of consecutive states P = { s 0 :: s 1 :: :: s n State + s 0 S init k < n, s k s k+1 } (State + ) with S init : set of initial states Our static analysis aims at computing an over-approximation of P
24 Outline Introduction The analysed language The algorithm Certification Experimental results Conclusion
25 Algorithm : outline
26 Algorithm : outline Two graphs
27 Algorithm : outline Two graphs method call graph
28 Algorithm : outline Two graphs method call graph internal flow graph
29 Algorithm : outline Two graphs method call graph internal flow graph 4 steps
30 Algorithm : outline Two graphs method call graph internal flow graph 4 steps 1. loop detection in method call graph
31 Algorithm : outline Two graphs method call graph internal flow graph 4 steps 1. loop detection in method call graph 2. loop detection in internal flow graph
32 Algorithm : outline Two graphs method call graph internal flow graph 4 steps 1. loop detection in method call graph 2. loop detection in internal flow graph 3. detection of dangerous zones
33 Algorithm : outline Two graphs method call graph internal flow graph 4 steps 1. loop detection in method call graph 2. loop detection in internal flow graph 3. detection of dangerous zones loop zone in both graphs
34 Algorithm : outline Two graphs method call graph internal flow graph 4 steps 1. loop detection in method call graph 2. loop detection in internal flow graph 3. detection of dangerous zones loop zone in both graphs successors of loop zone
35 Algorithm : outline Two graphs method call graph internal flow graph 4 steps 1. loop detection in method call graph 2. loop detection in internal flow graph 3. detection of dangerous zones loop zone in both graphs successors of loop zone 4. last check : no allocation inside dangerous zones
36 Algorithm : outline Two graphs method call graph internal flow graph 4 steps 1. loop detection in method call graph 2. loop detection in internal flow graph 3. detection of dangerous zones loop zone in both graphs successors of loop zone 4. last check : no allocation inside dangerous zones new new Memory bounded
37 Algorithm : outline Two graphs method call graph internal flow graph 4 steps 1. loop detection in method call graph 2. loop detection in internal flow graph new 3. detection of dangerous zones loop zone in both graphs successors of loop zone 4. last check : no allocation Memory maybe unbounded inside dangerous zones new
38 Algorithm : the steps Formalised as a sequence of constraint on 5 variables (living in lattice structures) 1. Potential ancestors of each methods in the call graph Anc : NameMethod (NameMethod) (m, pc) : invokevirtual m ID m implements(p, m ID ) Anc(m) {m} Anc(m ) 2. Determining which methods are reachable from a mutually recursive method MutRecR : (NameMethod) m Anc(m) {m} MutRecR Anc(m) MutRecR {m} MutRecR
39 Algorithm : the steps 3. For each program point (m, pc), computing the potential predecessors in the internal flow graph Pred : NameMethod PointProg (PointProg) 4. Determining methods reachable from internal loops LoopCall : (NameMethod) 5. Check that no new instruction occurs in any dangerous zone Unbounded(P) : Bool (m, pc) : new o cl m MutRecR m LoopCall pc Pred(m, pc) true Bool Unbounded(P)
40 Outline Introduction The analysed language The algorithm Certification Experimental results Conclusion
41 Certification Approach based on the abstract interpretation formalism : we show that the informations computed with the constraints system are correct with respect to the program semantics. Concrete semantics Abstract semantics t : s 0 :: s 1 :: :: s n Anc : m 1 {} m 2 {m 1 } m 3 {m 2, m 3 } m 4 {m 3 }.
42 Certification Approach based on the abstract interpretation formalism : we show that the informations computed with the constraints system are correct with respect to the program semantics. Concrete semantics Abstract semantics t : s 0 :: s 1 :: :: s n γ Anc : m 1 {} m 2 {m 1 } m 3 {m 2, m 3 } m 4 {m 3 }.
43 Certification : concretisation examples γ Anc : (NameMethod (NameMethod)) (State + ) γ Anc (Anc) = { st 1 :: :: st n h i, m i, pc i, l i, s i, sf i {st 1,..., st n } m sf i, m Anc(m i ) } γ MutRecR : (NameMethod) (State + ) γ MutRecR (MutRecR) = h i, m i, pc i, l i, s i, sf i {st 1,..., st n } st 1 :: :: st n m i MutRecR m i sf i and methods in sf i are distinct
44 Certification : soundness lemmas For all variable X {Anc, MutRecR, LoopCall, Pred}, the corresponding system is proved correct Lemma Proof: P γ(x) prove the lattice structure of the underlying domain prove the monotony of γ X a classic subject reduction lemma: for any trace t 1 P, if t 1 γ X (X) and t 1 t 2, then t 2 γ X (X)
45 Certification : memory bounded theorem If the result of the analysis is false then there exists a bound on the number of memory allocations Theorem : memory bounded analysis soundness Unbounded(P) = false Max new, t P, t new < Max new Difficult proof with counting arguments, permutation of summation operators
46 Computing the analysis result The result of the analysis is computed by constraint iteration m 1 {} m 2 {} m 1 m 3 {} m 4 {} m2 m3 m4
47 Computing the analysis result The result of the analysis is computed by constraint iteration m 1 {} m 2 {m 1, m 3 } m 1 m 3 {m 2 } m 4 {m 3 } m2 m3 m4
48 Computing the analysis result The result of the analysis is computed by constraint iteration m 1 {} m 2 {m 1, m 2, m 3 } m 1 m 3 {m 1, m 2, m 3 } m 4 {m 1, m 2, m 3 } m2 m3 m4
49 Computing the analysis result The result of the analysis is computed by constraint iteration m 1 {} m 2 {m 1, m 2, m 3 } m 1 m 3 {m 1, m 2, m 3 } m 4 {m 1, m 2, m 3 } Termination : ascending chain condition on lattices m2 m3 m4
50 Computing the analysis result The result of the analysis is computed by constraint iteration m 1 {} m 2 {m 1, m 2, m 3 } m 1 m 3 {m 1, m 2, m 3 } m 4 {m 1, m 2, m 3 } Termination : ascending chain condition on lattices m2 m3 m4 these lattices are constructed by composition of lattice functors defined in a previous work [Esop 04]
51 Computing the analysis result The result of the analysis is computed by constraint iteration m 1 {} m 2 {m 1, m 2, m 3 } m 1 m 3 {m 1, m 2, m 3 } m 4 {m 1, m 2, m 3 } Termination : ascending chain condition on lattices m2 m3 m4 these lattices are constructed by composition of lattice functors defined in a previous work [Esop 04] An analyser written in Caml is automatically extracted from the whole Coq correctness proof
52 Outline Introduction The analysed language The algorithm Certification Experimental results Conclusion
53 Experimental results Observation : let F : program program the function which replaces in a program all instructions instr by nop for all standard bytecode program p, the analysis computation time on p and F(p) are the same We use this observation to test the efficiency of our analyser with a random generator of bytecode programs. Two parameters method number number of line per method
54 Computation time (seconds) Fixed number of line per method Memory usage (megabytes) Fixed number of line per method 0 50 k Program size (LOCs) 100 k 0 50 k Program size (LOCs) 100 k Fixed number method Fixed number method Computation time (seconds) Memory usage (megabytes) Program size (LOCs) 50 k 0 Program size (LOCs) 50 k
55 Outline Introduction The analysed language The algorithm Certification Experimental results Conclusion
56 Conclusion Efficient algorithm : between 40 and 80 s to analyse lines of code memory optimisation of the analyser : some lattices could be implemented with more efficient data-structures Completely certified algorithm proved correct with respect to the program semantics extracted implementation Proof based on a generic framework easier to combine the analysis proof with other analyses we could improve this analysis with a previous control flow analysis [Esop 03] we plan to refine this analysis with a relational numeric abstraction A good test for the abstract interpretation framework proposed in [Esop 03] a completely different analyse with a good re-use of some of the previous proofs
Modular proof principles for parameterised concretizations
Modular proof principles for parameterised concretizations David Pichardie IRISA / ENS Cachan Bretagne IRISA, Campus de Beaulieu F-35042 Rennes, France david.pichardie@irisa.fr Abstract. Abstract interpretation
More informationOutline. Information flow analyis Data Race analyis. 1 Introduction. 2 A Certified Lightweight Array Bound Checker
A Certified Lightweight Array Bound Checker Outline 1 Introduction Information flow analyis Data Race analyis 2 A Certified Lightweight Array Bound Checker 3 Building a Certified Static Analyser (tutorial)
More informationStatic Program Analysis
Static Program Analysis Thomas Noll Software Modeling and Verification Group RWTH Aachen University https://moves.rwth-aachen.de/teaching/ws-1617/spa/ Recap: Taking Conditional Branches into Account Extending
More informationA Certified Non-Interference Java Bytecode Verifier
1 A Certified Non-Interference Java Bytecode Verifier G. Barthe, D. Pichardie and T. Rezk, A Certified ightweight Non-Interference Java Bytecode Verifier, ESOP'07 2 Motivations 1: bytecode verification
More informationAlgebraic Program Analysis
Introduction to Algebraic Program Analysis Zachary Kincaid 1 Thomas Reps 2,3 1 Princeton University 2 University of Wisconsin-Madison 3 GrammaTech, Inc. January 8, 2018 1 Program analysis Design algorithms
More informationTowards Verification of Well-Formed Transactions in Java Card Bytecode
Bytecode 2005 Preliminary Version Towards Verification of Well-Formed Transactions in Java Card Bytecode René Rydhof Hansen 1 Informatics and Mathematical Modelling Technical University Denmark Kgs. Lyngby,
More informationCertified Static Analysis by Abstract Interpretation
Certified Static Analysis by Abstract Interpretation Frédéric Besson, David Cachera, Thomas Jensen, David Pichardie To cite this version: Frédéric Besson, David Cachera, Thomas Jensen, David Pichardie.
More informationKonzepte von Programmiersprachen
Konzepte von Programmiersprachen Chapter 5: Continuation-Passing Interpreters Stefan Wehr Universität Freiburg 8. Juni 2009 Konzepte von Programmiersprachen 1 / 43 Motivation Continuations: abstraction
More informationINF 212 ANALYSIS OF PROG. LANGS FUNCTION COMPOSITION. Instructors: Crista Lopes Copyright Instructors.
INF 212 ANALYSIS OF PROG. LANGS FUNCTION COMPOSITION Instructors: Crista Lopes Copyright Instructors. Topics Recursion Higher-order functions Continuation-Passing Style Monads (take 1) Identity Monad Maybe
More informationA Provably Correct Stackless Intermediate Representation for Java Bytecode
A Provably Correct Stackless Intermediate Representation for Java Bytecode Delphine Demange 1, Thomas Jensen 2, and David Pichardie 2 1 ENS Cachan Antenne de Bretagne / IRISA, France 2 INRIA, Centre Rennes
More informationA Gentle Introduction to Program Analysis
A Gentle Introduction to Program Analysis Işıl Dillig University of Texas, Austin January 21, 2014 Programming Languages Mentoring Workshop 1 / 24 What is Program Analysis? Very broad topic, but generally
More informationJava byte code verification
Java byte code verification SOS Master Science Informatique U. Rennes 1 Thomas Jensen SOS Java byte code verification 1 / 26 Java security architecture Java: programming applications with code from different
More informationSendmail crackaddr - Static Analysis strikes back
Sendmail crackaddr - Static Analysis strikes back Bogdan Mihaila Technical University of Munich, Germany December 6, 2014 Name Lastname < name@mail.org > ()()()()()()()()()... ()()() 1 / 25 Abstract Interpretation
More informationCOS 320. Compiling Techniques
Topic 5: Types COS 320 Compiling Techniques Princeton University Spring 2016 Lennart Beringer 1 Types: potential benefits (I) 2 For programmers: help to eliminate common programming mistakes, particularly
More informationAn Introduction to Multicodes. Ben Stephenson Department of Computer Science University of Western Ontario
An Introduction to Multicodes Ben Stephenson Department of Computer Science University of Western Ontario ben@csd csd.uwo.ca Outline Java Virtual Machine Background The Current State of the Multicode Art
More informationCS 6110 S14 Lecture 38 Abstract Interpretation 30 April 2014
CS 6110 S14 Lecture 38 Abstract Interpretation 30 April 2014 1 Introduction to Abstract Interpretation At this point in the course, we have looked at several aspects of programming languages: operational
More informationAgenda. CSE P 501 Compilers. Java Implementation Overview. JVM Architecture. JVM Runtime Data Areas (1) JVM Data Types. CSE P 501 Su04 T-1
Agenda CSE P 501 Compilers Java Implementation JVMs, JITs &c Hal Perkins Summer 2004 Java virtual machine architecture.class files Class loading Execution engines Interpreters & JITs various strategies
More informationResource Usage Analysis and its Application to Resource Certification
Resource Usage Analysis and its Application to Resource Certification Elvira Albert 1, Puri Arenas 1, Samir Genaim 2, Germán Puebla 2, and Damiano Zanardini 2 1 DSIC, Complutense University of Madrid,
More informationC2TLA+: A translator from C to TLA+
C2TLA+: A translator from C to TLA+ Amira METHNI (CEA/CNAM) Matthieu LEMERRE (CEA) Belgacem BEN HEDIA (CEA) Serge HADDAD (ENS Cachan) Kamel BARKAOUI (CNAM) www.cea.fr June 3, 2014 Outline Cliquez pour
More informationScience of Computer Programming. Formalisation and implementation of an algorithm for bytecode verification types
Science of Computer Programming 76 (2011) 587 608 Contents lists available at ScienceDirect Science of Computer Programming journal homepage: www.elsevier.com/locate/scico Formalisation and implementation
More informationHoare logic. A proof system for separation logic. Introduction. Separation logic
Introduction Hoare logic Lecture 6: Examples in separation logic In the previous lecture, we saw how reasoning about pointers in Hoare logic was problematic, which motivated introducing separation logic.
More informationA concrete memory model for CompCert
A concrete memory model for CompCert Frédéric Besson Sandrine Blazy Pierre Wilke Rennes, France P. Wilke A concrete memory model for CompCert 1 / 28 CompCert real-world C to ASM compiler used in industry
More informationRun-time Program Management. Hwansoo Han
Run-time Program Management Hwansoo Han Run-time System Run-time system refers to Set of libraries needed for correct operation of language implementation Some parts obtain all the information from subroutine
More informationINF 102 CONCEPTS OF PROG. LANGS FUNCTIONAL COMPOSITION. Instructors: James Jones Copyright Instructors.
INF 102 CONCEPTS OF PROG. LANGS FUNCTIONAL COMPOSITION Instructors: James Jones Copyright Instructors. Topics Recursion Higher-order functions Continuation-Passing Style Monads (take 1) Identity Monad
More informationCertified Result Checking for Polyhedral Analysis of Bytecode Programs
Certified Result Checking for Polyhedral Analysis of Bytecode Programs Frédéric Besson, Thomas Jensen, David Pichardie, and Tiphaine Turpin INRIA Rennes - Bretagne Atlantique Campus de Beaulieu, F-35042
More informationStatic Analysis by A. I. of Embedded Critical Software
Static Analysis by Abstract Interpretation of Embedded Critical Software Julien Bertrane ENS, Julien.bertrane@ens.fr Patrick Cousot ENS & CIMS, Patrick.Cousot@ens.fr Radhia Cousot CNRS & ENS, Radhia.Cousot@ens.fr
More informationChecking Secure Interactions of Smart Card Applets
Checking Secure Interactions of Smart Card Applets extended version P. Bieber, J. Cazin, P. Girard, J.-L. Lanet, V. Wiels, G. Zanon CS 711 5 November 2003 René Rydhof Hansen CS 711 5 November 2003 p.1/24
More informationAdministration CS 412/413. Why build a compiler? Compilers. Architectural independence. Source-to-source translator
CS 412/413 Introduction to Compilers and Translators Andrew Myers Cornell University Administration Design reports due Friday Current demo schedule on web page send mail with preferred times if you haven
More informationPrinciples of Program Analysis: A Sampler of Approaches
Principles of Program Analysis: A Sampler of Approaches Transparencies based on Chapter 1 of the book: Flemming Nielson, Hanne Riis Nielson and Chris Hankin: Principles of Program Analysis Springer Verlag
More informationRepresentation Independence, Confinement and Access Control
Representation Independence, Confinement and Access Control Anindya Banerjee and David Naumann ab@cis.ksu.edu and naumann@cs.stevens-tech.edu Kansas State University and Stevens Institute of Technology,
More informationAn Operational and Axiomatic Semantics for Non-determinism and Sequence Points in C
An Operational and Axiomatic Semantics for Non-determinism and Sequence Points in C Robbert Krebbers Radboud University Nijmegen January 22, 2014 @ POPL, San Diego, USA 1 / 16 What is this program supposed
More informationCompiler Optimisation
Compiler Optimisation 3 Dataflow Analysis Hugh Leather IF 1.18a hleather@inf.ed.ac.uk Institute for Computing Systems Architecture School of Informatics University of Edinburgh 2018 Introduction Optimisations
More informationNegations in Refinement Type Systems
Negations in Refinement Type Systems T. Tsukada (U. Tokyo) 14th March 2016 Shonan, JAPAN This Talk About refinement intersection type systems that refute judgements of other type systems. Background Refinement
More informationCS558 Programming Languages
CS558 Programming Languages Fall 2016 Lecture 3a Andrew Tolmach Portland State University 1994-2016 Formal Semantics Goal: rigorous and unambiguous definition in terms of a wellunderstood formalism (e.g.
More informationResource Usage Analysis and its Application to Resource Certification (Part I)
Resource Usage Analysis and its Application to Resource Certification (Part I) Germán Puebla 1 joint work with Elvira Albert 2, Puri Arenas 2, Samir Genaim 2, and Damiano Zanardini 1 1 Technical University
More informationTranslating Java bytecode to BoogiePL
Recap Changes Coq Boogie Conclusion Master project - Final presentation September 29, 2006 Recap Changes Coq Boogie Conclusion Outline Recap What has changed? Formalization of the translation Boogie modifications
More informationPrecise Analysis of Memory Consumption using Program Logics
Precise Analysis of Memory Consumption using Program Logics Gilles Barthe INRIA Sophia Antipolis, France Gilles.Barthe@sophia.inria.fr Mariela Pavlova INRIA Sophia Antipolis, France Mariela.Pavlova@sophia.inria.fr
More informationCombining Static and Dynamic Contract Checking for Curry
Michael Hanus (CAU Kiel) Combining Static and Dynamic Contract Checking for Curry LOPSTR 2017 1 Combining Static and Dynamic Contract Checking for Curry Michael Hanus University of Kiel Programming Languages
More informationFunctional Programming. Pure Functional Programming
Functional Programming Pure Functional Programming Computation is largely performed by applying functions to values. The value of an expression depends only on the values of its sub-expressions (if any).
More informationAdam Chlipala University of California, Berkeley ICFP 2006
Modular Development of Certified Program Verifiers with a Proof Assistant Adam Chlipala University of California, Berkeley ICFP 2006 1 Who Watches the Watcher? Program Verifier Might want to ensure: Memory
More informationVerasco: a Formally Verified C Static Analyzer
Verasco: a Formally Verified C Static Analyzer Jacques-Henri Jourdan Joint work with: Vincent Laporte, Sandrine Blazy, Xavier Leroy, David Pichardie,... June 13, 2017, Montpellier GdR GPL thesis prize
More informationFunctions: flow of control (foc)
Functions: flow of control (foc) Essentially the handling of functions is a flow of control (foc) problem (use goto) The two additional points are 1. Parameter passing 2. Return value passing function
More informationBackground. From my PhD (2009): Verified Lisp interpreter in ARM, x86 and PowerPC machine code
Certification of high-level and low-level programs, IHP, Paris, 2014 CakeML A verified implementation of ML Ramana Kumar Magnus Myreen Michael Norrish Scott Owens Background From my PhD (2009): Verified
More informationVerifying a Concurrent Garbage Collector using a Rely-Guarantee Methodology
Verifying a Concurrent Garbage Collector using a Rely-Guarantee Methodology Yannick Zakowski David Cachera Delphine Demange Gustavo Petri David Pichardie Suresh Jagannathan Jan Vitek Automatic memory management
More informationType checking. Jianguo Lu. November 27, slides adapted from Sean Treichler and Alex Aiken s. Jianguo Lu November 27, / 39
Type checking Jianguo Lu November 27, 2014 slides adapted from Sean Treichler and Alex Aiken s Jianguo Lu November 27, 2014 1 / 39 Outline 1 Language translation 2 Type checking 3 optimization Jianguo
More informationThe Apron Library. Bertrand Jeannet and Antoine Miné. CAV 09 conference 02/07/2009 INRIA, CNRS/ENS
The Apron Library Bertrand Jeannet and Antoine Miné INRIA, CNRS/ENS CAV 09 conference 02/07/2009 Context : Static Analysis What is it about? Discover properties of a program statically and automatically.
More informationProgramming Languages Fall 2014
Programming Languages Fall 2014 Lecture 7: Simple Types and Simply-Typed Lambda Calculus Prof. Liang Huang huang@qc.cs.cuny.edu 1 Types stuck terms? how to fix it? 2 Plan First I For today, we ll go back
More informationTowards an industrial use of FLUCTUAT on safety-critical avionics software
Towards an industrial use of FLUCTUAT on safety-critical avionics software David Delmas 1, Eric Goubault 2, Sylvie Putot 2, Jean Souyris 1, Karim Tekkal 3 and Franck Védrine 2 1. Airbus Operations S.A.S.,
More informationParsing Scheme (+ (* 2 3) 1) * 1
Parsing Scheme + (+ (* 2 3) 1) * 1 2 3 Compiling Scheme frame + frame halt * 1 3 2 3 2 refer 1 apply * refer apply + Compiling Scheme make-return START make-test make-close make-assign make- pair? yes
More informationReasoning about modules: data refinement and simulation
Reasoning about modules: data refinement and simulation David Naumann naumann@cs.stevens-tech.edu Stevens Institute of Technology Naumann - POPL 02 Java Verification Workshop p.1/17 Objectives of talk
More informationStatic Program Analysis CS701
Static Program Analysis CS701 Thomas Reps [Based on notes taken by Aditya Venkataraman on Oct 6th, 2015] Abstract This lecture introduces the area of static program analysis. We introduce the topics to
More informationProgramming Languages
CSE 230: Winter 2008 Principles of Programming Languages Ocaml/HW #3 Q-A Session Push deadline = Mar 10 Session Mon 3pm? Lecture 15: Type Systems Ranjit Jhala UC San Diego Why Typed Languages? Development
More informationRepresentation Independence, Confinement and Access Control
Representation Independence, Confinement and Access Control Anindya Banerjee and David Naumann ab@cis.ksu.edu and naumann@cs.stevens-tech.edu Kansas State University and Stevens Institute of Technology
More informationSimply-Typed Lambda Calculus
#1 Simply-Typed Lambda Calculus #2 Back to School What is operational semantics? When would you use contextual (small-step) semantics? What is denotational semantics? What is axiomatic semantics? What
More informationHigh-Level Language VMs
High-Level Language VMs Outline Motivation What is the need for HLL VMs? How are these different from System or Process VMs? Approach to HLL VMs Evolutionary history Pascal P-code Object oriented HLL VMs
More informationApplications of Program analysis in Model-Based Design
Applications of Program analysis in Model-Based Design Prahlad Sampath (Prahlad.Sampath@mathworks.com) 2018 by The MathWorks, Inc., MATLAB, Simulink, Stateflow, are registered trademarks of The MathWorks,
More informationVerified compilation of a first-order Lisp language
Verified compilation of a first-order Lisp language Lecture 7 MPhil ACS & Part III course, Functional Programming: Implementation, Specification and Verification Magnus Myreen Michaelmas term, 2013 Interpreter
More informationCalculating Correct Compilers
university of copenhagen department of computer science Faculty of Science Calculating Correct Compilers Patrick Bahr1 Graham Hutton2 1 University of Copenhagen, Department of Computer Science paba@diku.dk
More informationCSE 5317 Midterm Examination 4 March Solutions
CSE 5317 Midterm Examination 4 March 2010 1. / [20 pts] Solutions (parts a j; -1 point for each wrong answer, 0 points for each blank answer, 2 point for each correct answer. Therefore, the score for this
More informationAbout the Authors... iii Introduction... xvii. Chapter 1: System Software... 1
Table of Contents About the Authors... iii Introduction... xvii Chapter 1: System Software... 1 1.1 Concept of System Software... 2 Types of Software Programs... 2 Software Programs and the Computing Machine...
More informationAdvanced Programming Methods. Introduction in program analysis
Advanced Programming Methods Introduction in program analysis What is Program Analysis? Very broad topic, but generally speaking, automated analysis of program behavior Program analysis is about developing
More informationA verified runtime for a verified theorem prover
A verified runtime for a verified theorem prover Magnus Myreen 1 and Jared Davis 2 1 University of Cambridge, UK 2 Centaur Technology, USA Two projects meet My theorem prover is written in Lisp. Can I
More informationLecture 6. Abstract Interpretation
Lecture 6. Abstract Interpretation Wei Le 2014.10 Outline Motivation History What it is: an intuitive understanding An example Steps of abstract interpretation Galois connection Narrowing and Widening
More informationA Type System for Object Initialization In the Java TM Bytecode Language
Electronic Notes in Theoretical Computer Science 10 (1998) URL: http://www.elsevier.nl/locate/entcs/volume10.html 7 pages A Type System for Object Initialization In the Java TM Bytecode Language Stephen
More informationEXAMINATIONS 2014 TRIMESTER 1 SWEN 430. Compiler Engineering. This examination will be marked out of 180 marks.
T E W H A R E W Ā N A N G A O T E Ū P O K O O T E I K A A M Ā U I VUW V I C T O R I A UNIVERSITY OF WELLINGTON EXAMINATIONS 2014 TRIMESTER 1 SWEN 430 Compiler Engineering Time Allowed: THREE HOURS Instructions:
More informationCompilers. 8. Run-time Support. Laszlo Böszörmenyi Compilers Run-time - 1
Compilers 8. Run-time Support Laszlo Böszörmenyi Compilers Run-time - 1 Run-Time Environment A compiler needs an abstract model of the runtime environment of the compiled code It must generate code for
More informationAbstracting Definitional Interpreters
Abstracting Definitional Interpreters David Darais University of Maryland Nicholas Labich University of Maryland Phúc C. Nguyễn University of Maryland David Van Horn University of Maryland Does my program
More informationCS143 Final Fall 2009
CS143 Final Fall 2009 Please read all instructions (including these) carefully. There are 4 questions on the exam, all with multiple parts. You have 2 hours to work on the exam. The exam is closed book,
More informationG Programming Languages - Fall 2012
G22.2110-003 Programming Languages - Fall 2012 Lecture 2 Thomas Wies New York University Review Last week Programming Languages Overview Syntax and Semantics Grammars and Regular Expressions High-level
More informationBinsec: a platform for binary code analysis
Binsec: a platform for binary code analysis 08/06/2016 Adel Djoudi Robin David Josselin Feist Thanh Dinh Ta Introduction Outline Introduction The BINSEC Platform DBA simplification Static analysis Symbolic
More informationAn experiment with variable binding, denotational semantics, and logical relations in Coq. Adam Chlipala University of California, Berkeley
A Certified TypePreserving Compiler from Lambda Calculus to Assembly Language An experiment with variable binding, denotational semantics, and logical relations in Coq Adam Chlipala University of California,
More informationA Structural Operational Semantics for JavaScript
Dept. of Computer Science, Stanford University Joint work with Sergio Maffeis and John C. Mitchell Outline 1 Motivation Web Security problem Informal and Formal Semantics Related work 2 Formal Semantics
More informationProof Carrying Code(PCC)
Discussion p./6 Proof Carrying Code(PCC Languaged based security policy instead of OS-based A mechanism to determine with certainity that it is safe execute a program or not Generic architecture for providing
More informationCode Generation. Frédéric Haziza Spring Department of Computer Systems Uppsala University
Code Generation Frédéric Haziza Department of Computer Systems Uppsala University Spring 2008 Operating Systems Process Management Memory Management Storage Management Compilers Compiling
More informationStatic Program Analysis
Static Program Analysis Thomas Noll Software Modeling and Verification Group RWTH Aachen University https://moves.rwth-aachen.de/teaching/ss-18/spa/ Preliminaries Outline of Lecture 1 Preliminaries Introduction
More informationHierarchical Shape Abstraction of Dynamic Structures in Static Blocks
Hierarchical Shape Abstraction of Dynamic Structures in Static Blocks Pascal Sotin and Xavier Rival INRIA 4 novembre 2013 P. Sotin, X. Rival (INRIA) Hierarchical Shape Abstraction 4 novembre 2013 1 / 29
More informationHeap, Variables, References, and Garbage. CS152. Chris Pollett. Oct. 13, 2008.
Heap, Variables, References, and Garbage. CS152. Chris Pollett. Oct. 13, 2008. Outline. Dynamic Allocation. Variables and Constants. Aliases and Problems. Garbage. Introduction. On Wednesday, we were talking
More informationBasic Data Structures (Version 7) Name:
Prerequisite Concepts for Analysis of Algorithms Basic Data Structures (Version 7) Name: Email: Concept: mathematics notation 1. log 2 n is: Code: 21481 (A) o(log 10 n) (B) ω(log 10 n) (C) Θ(log 10 n)
More informationCS558 Programming Languages
CS558 Programming Languages Winter 2017 Lecture 4a Andrew Tolmach Portland State University 1994-2017 Semantics and Erroneous Programs Important part of language specification is distinguishing valid from
More informationThe role of semantic analysis in a compiler
Semantic Analysis Outline The role of semantic analysis in a compiler A laundry list of tasks Scope Static vs. Dynamic scoping Implementation: symbol tables Types Static analyses that detect type errors
More informationTyping in-place update
Typing in-place update David Aspinall Martin Hofmann LFCS Edinburgh Institut für Informatik Munich Motivation and background Goal: use in-place update rather than fresh creation of memory cells and GC
More informationType Checking. Outline. General properties of type systems. Types in programming languages. Notation for type rules.
Outline Type Checking General properties of type systems Types in programming languages Notation for type rules Logical rules of inference Common type rules 2 Static Checking Refers to the compile-time
More informationFormal methods for software security
Formal methods for software security Thomas Jensen, INRIA Forum "Méthodes formelles" Toulouse, 31 January 2017 Formal methods for software security Formal methods for software security Confidentiality
More informationComputing Fundamentals 2 Introduction to CafeOBJ
Computing Fundamentals 2 Introduction to CafeOBJ Lecturer: Patrick Browne Lecture Room: K408 Lab Room: A308 Based on work by: Nakamura Masaki, João Pascoal Faria, Prof. Heinrich Hußmann. See notes on slides
More informationOutline. General properties of type systems. Types in programming languages. Notation for type rules. Common type rules. Logical rules of inference
Type Checking Outline General properties of type systems Types in programming languages Notation for type rules Logical rules of inference Common type rules 2 Static Checking Refers to the compile-time
More informationNotes on the Exam. Question 1. Today. Comp 104:Operating Systems Concepts 11/05/2015. Revision Lectures (separate questions and answers)
Comp 104:Operating Systems Concepts Revision Lectures (separate questions and answers) Today Here are a sample of questions that could appear in the exam Please LET ME KNOW if there are particular subjects
More informationG Programming Languages - Fall 2012
G22.2110-003 Programming Languages - Fall 2012 Lecture 4 Thomas Wies New York University Review Last week Control Structures Selection Loops Adding Invariants Outline Subprograms Calling Sequences Parameter
More informationHoare Logic and Model Checking
Hoare Logic and Model Checking Kasper Svendsen University of Cambridge CST Part II 2016/17 Acknowledgement: slides heavily based on previous versions by Mike Gordon and Alan Mycroft Introduction In the
More informationUNIT 3
UNIT 3 Presentation Outline Sequence control with expressions Conditional Statements, Loops Exception Handling Subprogram definition and activation Simple and Recursive Subprogram Subprogram Environment
More informationCSE P 501 Compilers. Java Implementation JVMs, JITs &c Hal Perkins Winter /11/ Hal Perkins & UW CSE V-1
CSE P 501 Compilers Java Implementation JVMs, JITs &c Hal Perkins Winter 2008 3/11/2008 2002-08 Hal Perkins & UW CSE V-1 Agenda Java virtual machine architecture.class files Class loading Execution engines
More informationEventrons: A Safe Programming Construct for High-Frequency Hard Real-Time Applications
Eventrons: A Safe Programming Construct for High-Frequency Hard Real-Time Applications Daniel Spoonhower Carnegie Mellon University Joint work with Joshua Auerbach, David F. Bacon, Perry Cheng, David Grove
More informationParsing III. CS434 Lecture 8 Spring 2005 Department of Computer Science University of Alabama Joel Jones
Parsing III (Top-down parsing: recursive descent & LL(1) ) (Bottom-up parsing) CS434 Lecture 8 Spring 2005 Department of Computer Science University of Alabama Joel Jones Copyright 2003, Keith D. Cooper,
More informationA Formally-Verified C static analyzer
A Formally-Verified C static analyzer David Pichardie joint work with J.-H. Jourdan, V. Laporte, S.Blazy, X. Leroy, presented at POPL 15!! How do you trust your software? bug finders sound verifiers verified
More informationThe University of Nottingham SCHOOL OF COMPUTER SCIENCE A LEVEL 4 MODULE, SPRING SEMESTER MATHEMATICAL FOUNDATIONS OF PROGRAMMING ANSWERS
The University of Nottingham SCHOOL OF COMPUTER SCIENCE A LEVEL 4 MODULE, SPRING SEMESTER 2012 2013 MATHEMATICAL FOUNDATIONS OF PROGRAMMING ANSWERS Time allowed TWO hours Candidates may complete the front
More informationComp 204: Computer Systems and Their Implementation. Lecture 25a: Revision Lectures (separate questions and answers)
Comp 204: Computer Systems and Their Implementation Lecture 25a: Revision Lectures (separate questions and answers) 1 Today Here are a sample of questions that could appear in the exam Please LET ME KNOW
More informationStructuring an Abstract Interpreter through Value and State Abstractions: EVA, an Evolved Value Analysis for Frama C
Structuring an Abstract Interpreter through Value and State Abstractions: EVA, an Evolved Value Analysis for Frama C David Bühler CEA LIST, Software Safety Lab Frama-C & SPARK Day 2017 May 30th, 2017 David
More informationFormal verification of a static analyzer based on abstract interpretation
Formal verification of a static analyzer based on abstract interpretation Sandrine Blazy joint work with J.-H. Jourdan, V. Laporte, A. Maroneze, X. Leroy, D. Pichardie IFIP WG 1.9/2.15, 2014-07-14 1 Background:
More informationDeductive Program Verification with Why3, Past and Future
Deductive Program Verification with Why3, Past and Future Claude Marché ProofInUse Kick-Off Day February 2nd, 2015 A bit of history 1999: Jean-Christophe Filliâtre s PhD Thesis Proof of imperative programs,
More informationHoare Logic and Model Checking. A proof system for Separation logic. Introduction. Separation Logic
Introduction Hoare Logic and Model Checking In the previous lecture we saw the informal concepts that Separation Logic is based on. Kasper Svendsen University of Cambridge CST Part II 2016/17 This lecture
More informationCS558 Programming Languages
CS558 Programming Languages Fall 2017 Lecture 3a Andrew Tolmach Portland State University 1994-2017 Binding, Scope, Storage Part of being a high-level language is letting the programmer name things: variables
More information