formal verification of a realistic compiler
play

Formal verification of a realistic compiler Xavier Leroy CACM 2009 - PowerPoint PPT Presentation

Dec 09, 2023 •309 likes •1.01k views

Formal verification of a realistic compiler Xavier Leroy CACM 2009 CS 7194: Great Works in Programming Languages Presenter : Irene Yoon | Mentor : Ryan Doenges 1 Building robust compilers is Hard. 2 Bugs bugs 3 Bugs [Yang

  1. Formal verification of a realistic compiler Xavier Leroy CACM 2009 CS 7194: Great Works in Programming Languages Presenter : Irene Yoon | Mentor : Ryan Doenges � 1

  2. Building robust compilers is Hard. � 2

  3. Bugs bugs � 3

  4. Bugs [Yang et al 2011] • Random testing finds bugs in 11 C compilers • Hundreds of previously unknown bugs • LLVM has a large test suite, real compilers have bugs � 4

  5. Bugs [Yang et al 2011] • Random testing finds bugs in 11 C compilers • Hundreds of previously unknown bugs • LLVM has a large test suite � 5

  6. Bugs [Yang et al 2011] • Random testing finds bugs in 11 C compilers • Hundreds of previously unknown bugs • LLVM has a large test suite, real compilers have bugs � 6

  7. Bugs [Yang et al 2011] • Random testing finds bugs in 11 C compilers • Hundreds of previously unknown bugs • LLVM has a large test suite � 7

  8. ✅ Building compilers is hard Testing sucks Formalisms are good � 8

  9. ✅ Building compilers is hard ✅ Testing sucks Formalisms are good � 9

  10. ✅ Building compilers is hard ✅ Testing sucks ✅ Formalisms are good � 10

  11. ✅ Building compilers is hard ✅ Testing sucks ✅ Formalisms are good Formal verification of a compiler � 11

  12. First Published Proof of Compiler Correctness [1967] • arithmetic expressions → stack machine code • prototype for proving usable compilers � 12

  13. First Mechanized Proof of Compiler Correctness [1972] • ALGOL-like language → elementary assembly language • Stanford LCF � 13

  14. Compiler Verification • 100+ papers on compiler verification since 1967 � 14

  15. Compiler Verification • 100+ papers on compiler verification since 1967 � 15

  16. Compiler Verification • 100+ papers on compiler verification since 1967 � 16

  17. Compiler Verification • 100+ papers on Compiler Verification since 1967 [2003] � 17

  18. CompCert � 18

  19. CompCert [2009] “Develop and prove correct a realistic compiler, usable for critical embedded software.” • 42k Coq, 3 person years target source PowerPC Clight ARM x86 CompCert

  20. CompCert [2009] “Develop and prove correct a realistic compiler, usable for critical embedded software.” • 42k Coq, 3 person years target source PowerPC Clight ARM x86 CompCert

  21. CompCert [2009] “Develop and prove correct a realistic compiler, usable for critical embedded software.” • 42k Coq, 3 person years target source PowerPC Clight ARM x86 CompCert

  22. Verified, Validated, Certifying � 22

  23. Verified, Validated, Certifying 1. Verified transformation [ Compiler Correctness ] source target COMPILER � 23

  24. Verified, Validated, Certifying 2 . Translation validation [ Translation Verification ] target source COMPILER VALIDATOR � 24

  25. Verified, Validated, Certifying 3. Certifying compiler [ Proof-carrying Code ] source CERTIFYING PROOF COMPILER CHECKER target code + certificate � 25

  26. � 26

  27. [Leroy `06] � 27

  28. => External solver with verified validation � 28

  29. => External solver with verified validation [Tristan and Leroy `10] � 29

  30. CompCert � 30

  31. CompCert formal specification � 31

  32. CompCert formal specification → semantic analysis tools [Appel ’11] � 32

  33. CompCert semantic preservation* � 33

  34. CompCert � 34

  35. Semantic Preservation • Spec(B) : functional specification of observable behavior • B: observable behavior (trace properties of I/O) • “going wrong” (run-time error), termination, divergence • C ㅑ Spec if A. C cannot go wrong B. All behaviors B satisfy Spec � 35

  36. Semantic Preservation • Spec(B) : functional specification of observable behavior • B: observable behavior (trace properties of I/O) • “going wrong” (run-time error), termination, divergence • C ㅑ Spec if A. C cannot go wrong B. All behaviors B satisfy Spec � 36

  37. Semantic Preservation • Spec(B) : functional specification of observable behavior • B: observable behavior (trace properties of I/O) • “going wrong” (run-time error), termination, divergence • C ㅑ Spec if A. C cannot go wrong B. All behaviors B satisfy Spec � 37

  38. Correctness Property Compiled code C preserves the fact that the source code S satisfies the specification. � 38

  39. Proving Semantic Preservation � 39

  40. Proving Semantic Preservation * � 40

  41. Safety Precondition • Compilation result will match the semantics of the input if if program is “safe” (no runtime errors) • Need to prove that input program is safe � 41

  42. Safety Precondition • Compilation result will match the semantics of the input if if program is “safe” (no runtime errors) • Need to prove that input program is safe � 42

  43. Correctness Weakness � 43

  44. Correctness Weakness � 44

  45. CompCert � 45

  46. CompCert � 46

  47. Correctness Weakness • Only runs after the preprocessing step • Astrèe [Cousot et al ’05] , Verasco [Jourdan et al ’15] ) • Reliant on less verifiable assumptions • Coq’s correctness [Anand et al ’17] • Formal specification of C & PowerPC assembly � 47

  48. Correctness Weakness • Only runs after the preprocessing step • Astrèe [Cousot et al ’05] , Verasco [Jourdan et al ’15] • Reliant on less verifiable assumptions • Coq’s correctness [Anand et al ’17] • Formal specification of C & PowerPC assembly � 48

  49. Correctness Weakness • Only runs after the preprocessing step • Astrèe [Cousot et al ’05] , Verasco [Jourdan et al ’15] ) • Reliant on less verifiable assumptions • Coq’s correctness [Anand et al ’17] • Formal specification of C & PowerPC assembly � 49

  50. Correctness Weakness • Only runs after the preprocessing step • Astrèe [Cousot et al ’05] , Verasco [Jourdan et al ’15] ) • Reliant on less verifiable assumptions • Coq’s correctness ( CertiCoq [Anand et al ’17]) • Formal specification of C & PowerPC assembly � 50

  51. Correctness Weakness • Only runs after the preprocessing step • Astrèe [Cousot et al ’05] , Verasco [Jourdan et al ’15] ) • Reliant on less verifiable assumptions • Coq’s correctness ( CertiCoq [Anand et al ’17]) • Formal specification of C & PowerPC assembly � 51

  52. Performance � 52

  53. Performance competitive with gcc -01 � 53

  54. Bugs, revisited. [Yang et al 2011] • CompCert: errors only found in unverified parts (parser and model of machine) • Other compilers: errors everywhere “The striking thing about our CompCert results is that the middle-end bugs we found in all other compilers are absent” � 54

  55. Bugs, revisited. [Yang et al 2011] • CompCert: errors only found in unverified parts (parser and model of machine) • Other compilers: errors everywhere “The striking thing about our CompCert results is that the middle-end bugs we found in all other compilers are absent” � 55

  56. Bugs, revisited. [Yang et al 2011] • CompCert: errors only found in unverified parts (parser and model of machine) • Other compilers: errors everywhere “The striking thing about our CompCert results is that the middle-end bugs we found in all other compilers are absent” � 56

  57. Bugs, revisited. [Yang et al 2011] • CompCert: errors only found in unverified parts (parser and model of machine) • Other compilers: errors everywhere “The striking thing about our CompCert results is that the middle-end bugs we found in all other compilers are absent” � 57

  58. Critical Use Cases • AirBus • MTU Friedrichshafen (nuclear energy) • High-Assurance Cyber Military Systems (HACMS) [Fisher et al, ’17] • PhD Theses � 58

  59. Critical Use Cases • AirBus • MTU Friedrichshafen (nuclear energy) • High-Assurance Cyber Military Systems (HACMS) [Fisher et al, ’17] • PhD Theses � 59

  60. Critical Use Cases • AirBus • MTU Friedrichshafen (nuclear energy) • High-Assurance Cyber Military Systems (HACMS) [Fisher et al, ’17] • PhD Theses � 60

  61. Critical Use Cases • AirBus • MTU Friedrichshafen (nuclear energy) • High-Assurance Cyber Military Systems (HACMS) [Fisher et al, ’17] • PhD Theses � 61

  62. Critical Use Cases “a realistic compiler” • AirBus • MTU Friedrichshafen (nuclear energy) • High-Assurance Cyber Military Systems (HACMS) [Fisher et al, ’17] • PhD Theses � 62

  63. Concluding Remarks • Still some correctness and safety weaknesses • Useful for safety critical code (that doesn’t have to run fast) • Future work - . . . � 63

  64. Concluding Remarks • Still some correctness and safety weaknesses • Useful for safety critical code (that doesn’t have to run fast) • Future work - . . . . . . � 64

  65. Concluding Remarks • Still some correctness and safety weaknesses • Useful for safety critical code (that doesn’t have to run fast) • Future work - . . . � 65

  66. Concluding Remarks • Still some correctness and safety weaknesses • Useful for safety critical code (that doesn’t have to run fast) Type Preserving Compilation • Future work - . . . . . . � 66

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Formal verification of an optimizing compiler or: a software-proof codesign approach to the

Formal verification of an optimizing compiler or: a software-proof codesign approach to the

Formal verification of an optimizing compiler or: a software-proof codesign approach to the development of trusted compilers Xavier Leroy INRIA Rocquencourt MEMOCODE 2007 X. Leroy (INRIA) Formal compiler verification MEMOCODE 2007 1 / 61

969 views • 62 slides
A GENERAL-PURPOSE CRN-TO-DSD COMPILER WITH FORMAL VERIFICATION, OPTIMIZATION, AND SIMULATION

A GENERAL-PURPOSE CRN-TO-DSD COMPILER WITH FORMAL VERIFICATION, OPTIMIZATION, AND SIMULATION

A GENERAL-PURPOSE CRN-TO-DSD COMPILER WITH FORMAL VERIFICATION, OPTIMIZATION, AND SIMULATION CAPABILITIES Stefan Badelt , Seung Woo Shin, Robert F. Johnson, Qing Dong, Chris Thachuk, and Erik Winfree DNA and Natural Algorithms (DNA) Group,

320 views • 28 slides
Formal verification of program obfuscations Sandrine Blazy joint work with Roberto Giacobazzi and

Formal verification of program obfuscations Sandrine Blazy joint work with Roberto Giacobazzi and

Formal verification of program obfuscations Sandrine Blazy joint work with Roberto Giacobazzi and Alix Trieu IFIP WG 2.11, 2015-11-10 1 Background: verifying a compiler Compiler + proof that the compiler does not introduce bugs CompCert, a

597 views • 21 slides
Formal verification of a compiler front-end for mini-ML Zaynah Dargaye, Xavier Leroy, Andrew

Formal verification of a compiler front-end for mini-ML Zaynah Dargaye, Xavier Leroy, Andrew

Formal verification of a compiler front-end for mini-ML Zaynah Dargaye, Xavier Leroy, Andrew Tolmach INRIA Paris-Rocquencourt WG 2.8, july 2007 Dargaye, Leroy, Tolmach (INRIA) Verification of a mini-ML compiler WG 2.8, july 2007 1 / 34

704 views • 33 slides
Verasco: Formal verification of a C static analyzer based on abstract interpretation

Verasco: Formal verification of a C static analyzer based on abstract interpretation

Verasco: Formal verification of a C static analyzer based on abstract interpretation Jacques-Henri Jourdan, Vincent Laporte Sandrine Blazy, Xavier Leroy , David Pichardie Inria / U. Rennes 1 / ENS Rennes Workshop on Realistic Program

885 views • 63 slides
Model-Checking Acknowledgment Formal Verification Formal verification means to apply

Model-Checking Acknowledgment Formal Verification Formal verification means to apply

Model-Checking Acknowledgment Formal Verification Formal verification means to apply mathematical arguments to prove the correctness of systems Systems have bugs Formal verification aims to find and correct such bugs Why? Computer systems

1.42k views • 122 slides
Formal Verification and Computer Architecture A Validated Formal Model of the x86 ISA for

Formal Verification and Computer Architecture A Validated Formal Model of the x86 ISA for

Formal Verification and Computer Architecture A Validated Formal Model of the x86 ISA for Analyzing Computing Systems Shilpi Goel shilpi@centtech.com Formal Verification Engineer Centaur Technology, Inc. Software and Reliability Can we rely

1.14k views • 78 slides
A GENERAL-PURPOSE A GENERAL-PURPOSE CRN-TO-DSD COMPILER FRAMEWORK CRN-TO-DSD COMPILER FRAMEWORK

A GENERAL-PURPOSE A GENERAL-PURPOSE CRN-TO-DSD COMPILER FRAMEWORK CRN-TO-DSD COMPILER FRAMEWORK

A GENERAL-PURPOSE A GENERAL-PURPOSE CRN-TO-DSD COMPILER FRAMEWORK CRN-TO-DSD COMPILER FRAMEWORK WITH FORMAL VERIFICATION, OPTIMIZATION, WITH FORMAL VERIFICATION, OPTIMIZATION, AND SIMULATION CAPABILITIES AND SIMULATION CAPABILITIES Stefan

575 views • 38 slides
Formal Hardware Verification: getting started Mary Sheeran Making Formal Verification work Aim

Formal Hardware Verification: getting started Mary Sheeran Making Formal Verification work Aim

Formal Hardware Verification: getting started Mary Sheeran Making Formal Verification work Aim for automation (bit level) Find niches where formal methods work well Use assertions/ properties first in sim. and then in FV (the acronym is ABV,

1.14k views • 65 slides
Formal Verification in Industry John Harrison Intel Corporation The cost of bugs Formal

Formal Verification in Industry John Harrison Intel Corporation The cost of bugs Formal

Formal Verification in Industry 1 Formal Verification in Industry John Harrison Intel Corporation The cost of bugs Formal verification Machine-checked proof Automatic and interactive approaches HOL Light Floating point

366 views • 25 slides
Compiler verification for fun and profit Xavier Leroy Inria Paris-Rocquencourt FMCAD,

Compiler verification for fun and profit Xavier Leroy Inria Paris-Rocquencourt FMCAD,

Compiler verification for fun and profit Xavier Leroy Inria Paris-Rocquencourt FMCAD, 2014-10-22 X. Leroy (Inria) Compiler verification FMCAD14 1 / 52 Prologue: Can you trust your compiler? X. Leroy (Inria) Compiler verification

856 views • 70 slides
Formal Verification of Floating-Point Arithmetic John Harrison Intel Corporation Formal

Formal Verification of Floating-Point Arithmetic John Harrison Intel Corporation Formal

Formal Verification of Floating-Point Arithmetic 1 Formal Verification of Floating-Point Arithmetic John Harrison Intel Corporation Formal verification Machine-checked proof Automatic and interactive approaches HOL Light

539 views • 19 slides
Formal Verification of Mathematical Algorithms John Harrison Intel Corporation The cost of

Formal Verification of Mathematical Algorithms John Harrison Intel Corporation The cost of

Formal Verification of Mathematical Algorithms 1 Formal Verification of Mathematical Algorithms John Harrison Intel Corporation The cost of bugs Formal verification Levels of verification HOL Light Formalizing mathematics

353 views • 19 slides
Formal Verification of RISC-V cores with riscv-formal Clifford Wolf CTO, Symbiotic EDA

Formal Verification of RISC-V cores with riscv-formal Clifford Wolf CTO, Symbiotic EDA

Formal Verification of RISC-V cores with riscv-formal Clifford Wolf CTO, Symbiotic EDA http://www.clifford.at/papers/2018/riscv-formal/ About assertion based formal verification (formal ABV) Assertion based verification (ABV) Uses

781 views • 39 slides
Formal Verification with Yosys-SMTBMC Clifford Wolf Yosys Flows Synthesis Formal

Formal Verification with Yosys-SMTBMC Clifford Wolf Yosys Flows Synthesis Formal

Formal Verification with Yosys-SMTBMC Clifford Wolf Yosys Flows Synthesis Formal Verification Yosys-STMBMC iCE40 FPGAs Bounded Model Checking (Project IceStorm) Using any SMT-LIB2 solver (using QF_AUFBV logic) Xilinx

706 views • 56 slides
Towards Formal Verification in Cryptographic Web Applications A Three Year Evolution Nadim

Towards Formal Verification in Cryptographic Web Applications A Three Year Evolution Nadim

Towards Formal Verification in Cryptographic Web Applications A Three Year Evolution Nadim Kobeissi PROSECCO: Pro gramming Sec urely with C rypt o graphy. Team at INRIA Paris specializing in applied cryptography and formal verification.

357 views • 14 slides
Managing risks in the preservation of research data with preservation networks Esther Conway,

Managing risks in the preservation of research data with preservation networks Esther Conway,

Managing risks in the preservation of research data with preservation networks Esther Conway, Brian Matthews, David Giaretta, Simon Lambert, Nick Draper Michael Wilson: Science and Technology Facilities Council Nick Draper: Tessella RAL

696 views • 34 slides
ECE 6900 Special Problems in Electrical Engineering: Security and privacy preservation for

ECE 6900 Special Problems in Electrical Engineering: Security and privacy preservation for

ECE 6900 Special Problems in Electrical Engineering: Security and privacy preservation for wireless networks Chapter 0: Important information Dr. Mohamed Mahmoud http://iweb.tntech.edu/mmahmoud/ mmahmoud@tntech.edu Instructor: Dr.

642 views • 9 slides
Privacy-Preserving Distributed Information Sharing Lea Kissner leak@cs.cmu.edu Advisor: Dawn

Privacy-Preserving Distributed Information Sharing Lea Kissner leak@cs.cmu.edu Advisor: Dawn

Privacy-Preserving Distributed Information Sharing Lea Kissner leak@cs.cmu.edu Advisor: Dawn Song dawnsong@cmu.edu Why Share? Many applications require mutually distrustful parties to share information Many examples in two major

783 views • 39 slides
So Many Standards, So Little Time: An Analysis of the Development and Adoption of Video

So Many Standards, So Little Time: An Analysis of the Development and Adoption of Video

So Many Standards, So Little Time: An Analysis of the Development and Adoption of Video Digitization Standards Jimi Jones 25 October, 2018 No Time To Wait 3 2018 London, England Introduction Analog video recordings are deteriorating

361 views • 19 slides
Designing Information-Preserving Mapping Schemes for XML Denilson Barbosa Juliana Freire

Designing Information-Preserving Mapping Schemes for XML Denilson Barbosa Juliana Freire

Designing Information-Preserving Mapping Schemes for XML Denilson Barbosa Juliana Freire Alberto O. Mendelzon VLDB 2005 Motivation An XML-to-relational mapping scheme consists of a procedure for shredding XML documents into relational

351 views • 19 slides
Preservation of strong mixing and weak dependence under renewal sampling Imma Valentina Curato

Preservation of strong mixing and weak dependence under renewal sampling Imma Valentina Curato

Introduction -Weak Dependence Preservation Preservation of strong mixing and weak dependence under renewal sampling Imma Valentina Curato based on a joint work with D. Brandes and R. Stelzer Institute of Mathematical Finance, University of

430 views • 20 slides
Infeasible Paths Elimination by Symb. Execution Techniques: Proof of Correctness and Preservation

Infeasible Paths Elimination by Symb. Execution Techniques: Proof of Correctness and Preservation

Infeasible Paths Elimination by Symb. Execution Techniques: Proof of Correctness and Preservation of Paths Romain Aissat, Frederic Voisin and Burkhart Wolff Univ - Paris-Sud / LRI 1 Abstract TRACER [8] is a tool for verifying safety

361 views • 21 slides
Bitly Link & DAT Page Link to Digital Preservation Peer Assessment: http://bit.ly/BPE-DAT

Bitly Link & DAT Page Link to Digital Preservation Peer Assessment: http://bit.ly/BPE-DAT

Bitly Link & DAT Page Link to Digital Preservation Peer Assessment: http://bit.ly/BPE-DAT Link to DAT Page https://www.nedcc.org/preservation- training/digital-preservation-assessment-training Progress Report from the Digital Preservation

506 views • 24 slides

More recommend