trust in programming tools the formal verification of
play

Trust in programming tools: the formal verification of compilers and - PowerPoint PPT Presentation

Jun 18, 2023 •199 likes •731 views

Trust in programming tools: the formal verification of compilers and static analysers Xavier Leroy Inria Paris Verified trustworthy software systems, April 2016 X. Leroy (Inria) Trust in tools 2016-04-05 1 / 35 Tool-assisted formal

  1. Trust in programming tools: the formal verification of compilers and static analysers Xavier Leroy Inria Paris Verified trustworthy software systems, April 2016 X. Leroy (Inria) Trust in tools 2016-04-05 1 / 35

  2. Tool-assisted formal verification Old, fundamental ideas. . . (Hoare logic, 1960’s; model checking, abstract interpretation, 1970’s) that remained theoretical for a long time. . . are now implemented and automated in verification tools. . . usable and sometimes used in the critical software industry. X. Leroy (Inria) Trust in tools 2016-04-05 2 / 35

  3. Examples of uses for avionics software Simulink, Scade C code AiT WCET Executable (precise time bounds)

  4. Examples of uses for avionics software Simulink, Scade C code Astr´ ee (absence of run-time errors, incl. floating-point) AiT WCET Executable (precise time bounds)

  5. Examples of uses for avionics software Simulink, Scade Caveat (program proof) (*) C code Astr´ ee (absence of run-time errors, incl. floating-point) AiT WCET Executable (precise time bounds) (*) Motto: “unit proofs as a replacement for unit tests”

  6. Examples of uses for avionics software Rockwell-Collins toolchain Simulink, Scade (model-checking + proof) Caveat (program proof) (*) C code Astr´ ee (absence of run-time errors, incl. floating-point) AiT WCET Executable (precise time bounds) (*) Motto: “unit proofs as a replacement for unit tests” X. Leroy (Inria) Trust in tools 2016-04-05 3 / 35

  7. Trust in tools that participate in the production and verification of critical software X. Leroy (Inria) Trust in tools 2016-04-05 4 / 35

  8. Trust in formal verification Simulink, Scade Simulation Model-checking Code generator ? Program proof C code ? Static analysis Compiler Testing Executable The unsoundness risk: Are verification tools semantically sound? The miscompilation risk: Are compilers semantics-preserving? X. Leroy (Inria) Trust in tools 2016-04-05 5 / 35

  9. Miscompilation happens We tested thirteen production-quality C compilers and, for each, found situations in which the compiler generated incorrect code for accessing volatile variables. E. Eide & J. Regehr, EMSOFT 2008 To improve the quality of C compilers, we created Csmith, a randomized test-case generation tool, and spent three years using it to find compiler bugs. During this period we reported more than 325 previously unknown bugs to compiler developers. Every compiler we tested was found to crash and also to silently generate wrong code when presented with valid input. X. Yang, Y. Chen, E. Eide & J. Regehr, PLDI 2011 X. Leroy (Inria) Trust in tools 2016-04-05 6 / 35

  10. An example of optimizing compilation double dotproduct(int n, double * a, double * b) { double dp = 0.0; int i; for (i = 0; i < n; i++) dp += a[i] * b[i]; return dp; } Compiled with a good compiler, then manually decompiled back to C. . . X. Leroy (Inria) Trust in tools 2016-04-05 7 / 35

  11. double dotproduct(int n, double a[], double b[]) { dp = 0.0; if (n <= 0) goto L5; r2 = n - 3; f1 = 0.0; r1 = 0; f10 = 0.0; f11 = 0.0; if (r2 > n || r2 <= 0) goto L19; prefetch(a[16]); prefetch(b[16]); if (4 >= r2) goto L14; prefetch(a[20]); prefetch(b[20]); f12 = a[0]; f13 = b[0]; f14 = a[1]; f15 = b[1]; r1 = 8; if (8 >= r2) goto L16; L17: f16 = b[2]; f18 = a[2]; f17 = f12 * f13; f19 = b[3]; f20 = a[3]; f15 = f14 * f15; f12 = a[4]; f16 = f18 * f16; f19 = f29 * f19; f13 = b[4]; a += 4; f14 = a[1]; f11 += f17; r1 += 4; f10 += f15; f15 = b[5]; prefetch(a[20]); prefetch(b[24]); f1 += f16; dp += f19; b += 4; if (r1 < r2) goto L17; L16: f15 = f14 * f15; f21 = b[2]; f23 = a[2]; f22 = f12 * f13; f24 = b[3]; f25 = a[3]; f21 = f23 * f21; f12 = a[4]; f13 = b[4]; f24 = f25 * f24; f10 = f10 + f15; a += 4; b += 4; f14 = a[8]; f15 = b[8]; f11 += f22; f1 += f21; dp += f24; L18: f26 = b[2]; f27 = a[2]; f14 = f14 * f15; f28 = b[3]; f29 = a[3]; f12 = f12 * f13; f26 = f27 * f26; a += 4; f28 = f29 * f28; b += 4; f10 += f14; f11 += f12; f1 += f26; dp += f28; dp += f1; dp += f10; dp += f11; if (r1 >= n) goto L5; L19: f30 = a[0]; f18 = b[0]; r1 += 1; a += 8; f18 = f30 * f18; b += 8; dp += f18; if (r1 < n) goto L19; L5: return dp; L14: f12 = a[0]; f13 = b[0]; f14 = a[1]; f15 = b[1]; goto L18; } X. Leroy (Inria) Trust in tools 2016-04-05 8 / 35

  12. L17: f16 = b[2]; f18 = a[2]; f17 = f12 * f13; f19 = b[3]; f20 = a[3]; f15 = f14 * f15; f12 = a[4]; f16 = f18 * f16; f19 = f29 * f19; f13 = b[4]; a += 4; f14 = a[1]; f11 += f17; r1 += 4; f10 += f15; f15 = b[5]; prefetch(a[20]); prefetch(b[24]); f1 += f16; dp += f19; b += 4; if (r1 < r2) goto L17; X. Leroy (Inria) Trust in tools 2016-04-05 8 / 35

  13. double dotproduct(int n, double a[], double b[]) { dp = 0.0; if (n <= 0) goto L5; r2 = n - 3; f1 = 0.0; r1 = 0; f10 = 0.0; f11 = 0.0; if (r2 > n || r2 <= 0) goto L19; prefetch(a[16]); prefetch(b[16]); if (4 >= r2) goto L14; prefetch(a[20]); prefetch(b[20]); f12 = a[0]; f13 = b[0]; f14 = a[1]; f15 = b[1]; r1 = 8; if (8 >= r2) goto L16; L16: f15 = f14 * f15; f21 = b[2]; f23 = a[2]; f22 = f12 * f13; f24 = b[3]; f25 = a[3]; f21 = f23 * f21; f12 = a[4]; f13 = b[4]; f24 = f25 * f24; f10 = f10 + f15; a += 4; b += 4; f14 = a[8]; f15 = b[8]; f11 += f22; f1 += f21; dp += f24; L18: f26 = b[2]; f27 = a[2]; f14 = f14 * f15; f28 = b[3]; f29 = a[3]; f12 = f12 * f13; f26 = f27 * f26; a += 4; f28 = f29 * f28; b += 4; f10 += f14; f11 += f12; f1 += f26; dp += f28; dp += f1; dp += f10; dp += f11; if (r1 >= n) goto L5; L19: f30 = a[0]; f18 = b[0]; r1 += 1; a += 8; f18 = f30 * f18; b += 8; dp += f18; if (r1 < n) goto L19; L5: return dp; L14: f12 = a[0]; f13 = b[0]; f14 = a[1]; f15 = b[1]; goto L18; } X. Leroy (Inria) Trust in tools 2016-04-05 8 / 35

  14. Formal verification of tools Why not formally verify the compiler and the verification tools themselves? (using program proof) After all, these tools have simple specifications: Correct compiler: if compilation succeeds, the generated code behaves as prescribed by the semantics of the source program. Sound verification tool: if the tool reports no alarms, all executions of the source program satisfy a given safety property. As a corollary, we obtain: The generated code satisfies the given safety property. X. Leroy (Inria) Trust in tools 2016-04-05 9 / 35

  15. An old idea. . . Mathematical Aspects of Computer Science , 1967 X. Leroy (Inria) Trust in tools 2016-04-05 10 / 35

  16. An old idea. . . Machine Intelligence (7), 1972. X. Leroy (Inria) Trust in tools 2016-04-05 11 / 35

  17. CompCert: a formally-verified C compiler X. Leroy (Inria) Trust in tools 2016-04-05 12 / 35

  18. The CompCert project (X.Leroy, S.Blazy, et al) Develop and prove correct a realistic compiler, usable for critical embedded software. Source language: a very large subset of C99. Target language: PowerPC/ARM/x86 assembly. Generates reasonably compact and fast code ⇒ careful code generation; some optimizations. Note: compiler written from scratch, along with its proof; not trying to prove an existing compiler. X. Leroy (Inria) Trust in tools 2016-04-05 13 / 35

  19. The formally verified part of the compiler type elimination side-effects out CompCert C Clight C # minor of expressions loop simplifications stack allocation Optimizations: constant prop., CSE, of “&” variables inlining, tail calls CFG construction instruction RTL CminorSel Cminor expr. decomp. selection register allocation (IRC) calling conventions linearization layout of LTL Linear Mach of the CFG stack frames asm code generation Asm x86 Asm ARM Asm PPC X. Leroy (Inria) Trust in tools 2016-04-05 14 / 35

  20. Formally verified using Coq The correctness proof (semantic preservation) for the compiler is entirely machine-checked, using the Coq proof assistant. Proof pattern: simulation/refinement diagrams such as: Original program Transformed program State 1 invariant Execution steps State 1 ′ (not stuck) t State 2 ′

  21. Formally verified using Coq The correctness proof (semantic preservation) for the compiler is entirely machine-checked, using the Coq proof assistant. Proof pattern: simulation/refinement diagrams such as: Original program Transformed program State 1 invariant Execution steps State 1 ′ (not stuck) ∗ t t State 2 State 2 ′ invariant X. Leroy (Inria) Trust in tools 2016-04-05 15 / 35

  22. Formally verified using Coq As a consequence, the observable behavior of the compiled code (trace of I/O operations) is identical to one of the possible behaviors of the source code, or improves over one: Source code: i 1 . o 1 . o 2 . i 2 . o 3 i 1 . o 1 . † undefined behavior Compiled code: i 1 . o 1 . o 2 . i 2 . o 3 i 1 . o 1 . o 2 . . . (same behavior) (“improved” undefined behavior) Theorem transf_c_program_preservation: forall p tp beh, transf_c_program p = OK tp -> program_behaves (Asm.semantics tp) beh -> exists beh’, program_behaves (Csem.semantics p) beh’ /\ behavior_improves beh’ beh. X. Leroy (Inria) Trust in tools 2016-04-05 16 / 35

  23. Compiler verification patterns (for each pass) Verified transformation Verified translation validation transformation transformation × validator External solver with verified validation transformation × = formally verified checker = not verified untrusted solver X. Leroy (Inria) Trust in tools 2016-04-05 17 / 35

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

WP verification methodology and tools Paul Jackson School of Informatics University of Edinburgh

WP verification methodology and tools Paul Jackson School of Informatics University of Edinburgh

WP verification methodology and tools Paul Jackson School of Informatics University of Edinburgh Formal Verification Spring 2017 Levels of formal verification Checking freedom from run-time exceptions Dominant level for Spark tools

263 views • 8 slides
Formal Verification of Masked Implementations Sonia Bela d Benjamin Gr egoire CHES 2018

Formal Verification of Masked Implementations Sonia Bela d Benjamin Gr egoire CHES 2018

Formal Verification of Masked Implementations Sonia Bela d Benjamin Gr egoire CHES 2018 - Tutorial September 9th 2018 1 / 47 1 Side-Channel Attacks and Masking 2 Formal Tools for Verification at Fixed Order 3 Formal Tools

1.24k views • 97 slides
Machine Learning in Formal Verification Manish Pandey, PhD Chief Architect, New Technologies

Machine Learning in Formal Verification Manish Pandey, PhD Chief Architect, New Technologies

Machine Learning in Formal Verification Manish Pandey, PhD Chief Architect, New Technologies Synopsys, Inc. June 18, 2017 1 Build Better Formal Verification Tools? CAR BICYCLE DOG S oftware that learns from experience and enables

767 views • 40 slides
Formal Verification with SymbiYosys and Yosys-SMTBMC Clifford Wolf Availability of various EDA

Formal Verification with SymbiYosys and Yosys-SMTBMC Clifford Wolf Availability of various EDA

Formal Verification with SymbiYosys and Yosys-SMTBMC Clifford Wolf Availability of various EDA tools for students, hobbyists, enthusiasts FPGA Synthesis Formal Verification Free to use: Free to use: Xilinx Vivado WebPack,

818 views • 49 slides
SymbiYosys Formal Hardware Verification with OpenSource Tools Clifford Wolf Symbiotic EDA

SymbiYosys Formal Hardware Verification with OpenSource Tools Clifford Wolf Symbiotic EDA

SymbiYosys Formal Hardware Verification with OpenSource Tools Clifford Wolf Symbiotic EDA Yosys, Yosys-SMTBMC, SymbiYosys Yosys FOSS Verilog Synthesis tool and more highly flexible, customizable using scripts Formal

600 views • 35 slides
Model-Checking Acknowledgment Formal Verification Formal verification means to apply

Model-Checking Acknowledgment Formal Verification Formal verification means to apply

Model-Checking Acknowledgment Formal Verification Formal verification means to apply mathematical arguments to prove the correctness of systems Systems have bugs Formal verification aims to find and correct such bugs Why? Computer systems

1.42k views • 122 slides
Software Verification/Validation Methods and Tools . . . or Practical Formal Methods John Rushby

Software Verification/Validation Methods and Tools . . . or Practical Formal Methods John Rushby

Software Verification/Validation Methods and Tools . . . or Practical Formal Methods John Rushby Computer Science Laboratory SRI International Menlo Park, CA John Rushby, SR I Practical Formal Methods: 1 Need: Growing Importance and Cost of

278 views • 12 slides
Formal Verification and Computer Architecture A Validated Formal Model of the x86 ISA for

Formal Verification and Computer Architecture A Validated Formal Model of the x86 ISA for

Formal Verification and Computer Architecture A Validated Formal Model of the x86 ISA for Analyzing Computing Systems Shilpi Goel shilpi@centtech.com Formal Verification Engineer Centaur Technology, Inc. Software and Reliability Can we rely

1.14k views • 78 slides
Formal Hardware Verification: getting started Mary Sheeran Making Formal Verification work Aim

Formal Hardware Verification: getting started Mary Sheeran Making Formal Verification work Aim

Formal Hardware Verification: getting started Mary Sheeran Making Formal Verification work Aim for automation (bit level) Find niches where formal methods work well Use assertions/ properties first in sim. and then in FV (the acronym is ABV,

1.14k views • 65 slides
On Formal Verification in Imperative Multivalued Programming over Continuous Data Types Gyesik

On Formal Verification in Imperative Multivalued Programming over Continuous Data Types Gyesik

On Formal Verification in Imperative Multivalued Programming over Continuous Data Types Gyesik Lee, Norbert M uller, Eike Neumann, Sewon Park, Norbert Preining, Martin Ziegler November 29, 2017 1 1. Motivation Recursive Analysis

693 views • 34 slides
Formal Verification in Industry John Harrison Intel Corporation The cost of bugs Formal

Formal Verification in Industry John Harrison Intel Corporation The cost of bugs Formal

Formal Verification in Industry 1 Formal Verification in Industry John Harrison Intel Corporation The cost of bugs Formal verification Machine-checked proof Automatic and interactive approaches HOL Light Floating point

366 views • 25 slides
CS 4160 Formal Verification Prof. Clarkson Spring 2019 Approaches to validation Social

CS 4160 Formal Verification Prof. Clarkson Spring 2019 Approaches to validation Social

CS 4160 Formal Verification Prof. Clarkson Spring 2019 Approaches to validation Social Less formal: Techniques may Code reviews miss problems in programs Extreme/Pair programming Methodological Design patterns

330 views • 18 slides
Formal Verification of Stack Manipulation in the SCIP Processor J. Aaron Pendergrass High Level

Formal Verification of Stack Manipulation in the SCIP Processor J. Aaron Pendergrass High Level

Formal Verification of Stack Manipulation in the SCIP Processor J. Aaron Pendergrass High Level Challenges to developing capability in formal methods: Perceived high barrier to entry, Specialized tools and jargon, Need for a

424 views • 23 slides
Formal Verification of Floating-Point Arithmetic John Harrison Intel Corporation Formal

Formal Verification of Floating-Point Arithmetic John Harrison Intel Corporation Formal

Formal Verification of Floating-Point Arithmetic 1 Formal Verification of Floating-Point Arithmetic John Harrison Intel Corporation Formal verification Machine-checked proof Automatic and interactive approaches HOL Light

539 views • 19 slides
Program Verification via Machine Learning Aditya V. Nori Programming Languages and Tools group

Program Verification via Machine Learning Aditya V. Nori Programming Languages and Tools group

Program Verification via Machine Learning Aditya V. Nori Programming Languages and Tools group Microsoft Research India Joint work with Alex Aiken, Rahul Sharma (Stanford University) Software validation problem I hope some hacker cannot

1.15k views • 46 slides
Formal Verification of Mathematical Algorithms John Harrison Intel Corporation The cost of

Formal Verification of Mathematical Algorithms John Harrison Intel Corporation The cost of

Formal Verification of Mathematical Algorithms 1 Formal Verification of Mathematical Algorithms John Harrison Intel Corporation The cost of bugs Formal verification Levels of verification HOL Light Formalizing mathematics

353 views • 19 slides
Monads in Scala 1 / 13 Functors A functor is a container type that supports map ping over its

Monads in Scala 1 / 13 Functors A functor is a container type that supports map ping over its

Monads in Scala 1 / 13 Functors A functor is a container type that supports map ping over its contents. 1 List is functor: 1 List(1, 2, 3).map((x: Int) =&gt; x.toString) == List(&quot;1&quot;, &quot;2&quot;, &quot;3&quot;) As a conceptual

243 views • 13 slides
Validating LR (1) parsers Jacques-Henri Jourdan Fran cois Pottier Xavier Leroy INRIA

Validating LR (1) parsers Jacques-Henri Jourdan Fran cois Pottier Xavier Leroy INRIA

Validating LR (1) parsers Jacques-Henri Jourdan Fran cois Pottier Xavier Leroy INRIA Paris-Rocquencourt, projet Gallium IFIP WG 2.8, Nov 2012 Parsing: recap text abstract or syntax tree token stream 1 + 2 3 + 1 2 3

658 views • 34 slides
Restoring Natural Language as a Computerised Mathematics Input Method Robert Lamar joint work

Restoring Natural Language as a Computerised Mathematics Input Method Robert Lamar joint work

Restoring Natural Language as a Computerised Mathematics Input Method Robert Lamar joint work with Fairouz Kamareddine Manuel Maarek J. B. Wells ULTRA group, Heriot-Watt University http://www.macs.hw.ac.uk/ultra/ 30 June 2007 Mathematical

752 views • 43 slides
How much is a mechanized proof worth, certification-wise? Xavier Leroy Inria Paris-Rocquencourt

How much is a mechanized proof worth, certification-wise? Xavier Leroy Inria Paris-Rocquencourt

How much is a mechanized proof worth, certification-wise? Xavier Leroy Inria Paris-Rocquencourt PiP 2014: Principles in Practice In this talk. . . Some feedback from the aircraft industry concerning the potential usefulness of the CompCert

890 views • 36 slides
Andrew.Butterfield@cs.tcd.ie Room F.13, OReilly Institute 3BA31 Formal Methods 2 Remember

Andrew.Butterfield@cs.tcd.ie Room F.13, OReilly Institute 3BA31 Formal Methods 2 Remember

3BA31 Formal Methods 1 3BA31: Formal Methods Andrew Butterfield Foundations &amp; Methods Group, Software Systems Laboratory Andrew.Butterfield@cs.tcd.ie Room F.13, OReilly Institute 3BA31 Formal Methods 2 Remember This? A Stock

631 views • 33 slides
CPL 2016, week 8 Erlang functional core and agents Oleg Batrashev Institute of Computer Science,

CPL 2016, week 8 Erlang functional core and agents Oleg Batrashev Institute of Computer Science,

CPL 2016, week 8 Erlang functional core and agents Oleg Batrashev Institute of Computer Science, Tartu, Estonia March 28, 2016 Overview Today Erlang: functional core and agents Next week Erlang fault tolerance and distributed

548 views • 26 slides
Formale Entwicklung objektorientierter Software Prof. P.H. Schmitt, C. Engel, F. Werner Fakult

Formale Entwicklung objektorientierter Software Prof. P.H. Schmitt, C. Engel, F. Werner Fakult

JML Formale Entwicklung objektorientierter Software Prof. P.H. Schmitt, C. Engel, F. Werner Fakult at f ur Informatik Universit at Karlsruhe (TH) Winter 2006/2007 Prof. P.H. Schmitt, C. Engel, F. Werner Formale Entwicklung

1.38k views • 105 slides
Developing language educators understanding of assessment reform discourse and practices:

Developing language educators understanding of assessment reform discourse and practices:

Developing language educators understanding of assessment reform discourse and practices: school- university collaborative action research as praxis Speaker: Cheri Chan (based on a paper-in-progress by Chan, C. &amp; Davison, C., presented

448 views • 27 slides

More recommend