104,332 research outputs found
Ahead-of-Time Algebraic Compilation for Safety-Critical Java
In recent years Java has been increasingly considered as a language for safety-critical embedded systems. However, some features of Java are unsuitable for such systems. This has resulted in the creation of Safety-Critical Java (SCJ), which facilitates the development of certifiable real-time and embedded Java programs. SCJ uses different scheduling and memory management models to standard Java, so it requires a specialised virtual machine (SCJVM). A common
approach is to compile Java bytecode program to a native language, usually C, ahead-of-time for greater performance on low-resource embedded systems.
Given the safety-critical nature of the applications, it must be ensured that the virtual machine is correct. However, so far, formal verification has not been applied to any SCJVM. This thesis contributes to the formal verification of SCJVMs that utilise ahead-of-time compilation by presenting a verification of compilation from Java bytecode to C.
The approach we adopt is an adaptation of the algebraic approach developed by Sampaio and Hoare. We start with a formal specification of an SCJVM executing the bytecodes of a program, and transform it, through the application of proven compilation rules, to a representation of the target C code. Thus, our contributions are a formal specification of an SCJVM, a set of compilation rules with proofs, and a strategy for applying those compilation rules.
Our compilation strategy can be used as the basis for an implementation of an ahead-of-time compiling SCJVM, or verification of an existing implementation. Additionally, our formal model of an SCJVM may be used as a specification for creating an interpreting SCJVM. To ensure the
applicability of our results, we base our work on icecap, the only currently available SCJVM that is open source and up-to-date with the SCJ standard
Remote-scope Promotion: Clarified, Rectified, and Verified
Modern accelerator programming frameworks, such as OpenCL, organise threads into work-groups. Remote-scope promotion (RSP) is a language extension recently proposed by AMD researchers that is designed to enable applications, for the first time, both to optimise for the common case of intra-work-group communication (using memory scopes to provide consistency only within a work-group) and to allow occasional inter-work-group communication (as required, for instance, to support the popular load-balancing idiom of work stealing). We present the first formal, axiomatic memory model of OpenCL extended with RSP. We have extended the Herd memory model simulator with support for OpenCL kernels that exploit RSP, and used it to discover bugs in several litmus tests and a work-stealing queue, that have been used previously in the study of RSP. We have also formalised the proposed GPU implementation of RSP. The formalisation process allowed us to identify bugs in the description of RSP that could result in well-synchronised programs experiencing memory inconsistencies. We present and prove sound a new implementation of RSP that incorporates bug fixes and requires less non-standard hardware than the original implementation. This work, a collaboration between academia and industry, clearly demonstrates how, when designing hardware support for a new concurrent language feature, the early application of formal tools and techniques can help to prevent errors, such as those we have found, from making it into silicon
Putting Instruction Sequences into Effect
An attempt is made to define the concept of execution of an instruction
sequence. It is found to be a special case of directly putting into effect of
an instruction sequence. Directly putting into effect of an instruction
sequences comprises interpretation as well as execution. Directly putting into
effect is a special case of putting into effect with other special cases
classified as indirectly putting into effect
Enabling Cross-Event Optimization in Discrete-Event Simulation Through Compile-Time Event Batching
A discrete-event simulation (DES) involves the execution of a sequence of
event handlers dynamically scheduled at runtime. As a consequence, a priori
knowledge of the control flow of the overall simulation program is limited. In
particular, powerful optimizations supported by modern compilers can only be
applied on the scope of individual event handlers, which frequently involve
only a few lines of code. We propose a method that extends the scope for
compiler optimizations in discrete-event simulations by generating batches of
multiple events that are subjected to compiler optimizations as contiguous
procedures. A runtime mechanism executes suitable batches at negligible
overhead. Our method does not require any compiler extensions and introduces
only minor additional effort during model development. The feasibility and
potential performance gains of the approach are illustrated on the example of
an idealized proof-ofconcept model. We believe that the applicability of the
approach extends to general event-driven programs
LF-PPL: A Low-Level First Order Probabilistic Programming Language for Non-Differentiable Models
We develop a new Low-level, First-order Probabilistic Programming Language
(LF-PPL) suited for models containing a mix of continuous, discrete, and/or
piecewise-continuous variables. The key success of this language and its
compilation scheme is in its ability to automatically distinguish parameters
the density function is discontinuous with respect to, while further providing
runtime checks for boundary crossings. This enables the introduction of new
inference engines that are able to exploit gradient information, while
remaining efficient for models which are not everywhere differentiable. We
demonstrate this ability by incorporating a discontinuous Hamiltonian Monte
Carlo (DHMC) inference engine that is able to deliver automated and efficient
inference for non-differentiable models. Our system is backed up by a
mathematical formalism that ensures that any model expressed in this language
has a density with measure zero discontinuities to maintain the validity of the
inference engine.Comment: Published in the proceedings of the 22nd International Conference on
Artificial Intelligence and Statistics (AISTATS
Formal change impact analyses for emulated control software
Processor emulators are a software tool for allowing legacy computer programs to be executed on a modern processor. In the past emulators have been used in trivial applications such as maintenance of video games. Now, however, processor emulation is being applied to safety-critical control systems, including military avionics. These applications demand utmost guarantees of correctness, but no verification techniques exist for proving that an emulated system preserves the original system’s functional and timing properties. Here we show how this can be done by combining concepts previously used for reasoning about real-time program compilation, coupled with an understanding of the new and old software architectures. In particular, we show how both the old and new systems can be given a common semantics, thus allowing their behaviours to be compared directly
Indexed Labels for Loop Iteration Dependent Costs
We present an extension to the labelling approach, a technique for lifting
resource consumption information from compiled to source code. This approach,
which is at the core of the annotating compiler from a large fragment of C to
8051 assembly of the CerCo project, looses preciseness when differences arise
as to the cost of the same portion of code, whether due to code transformation
such as loop optimisations or advanced architecture features (e.g. cache). We
propose to address this weakness by formally indexing cost labels with the
iterations of the containing loops they occur in. These indexes can be
transformed during the compilation, and when lifted back to source code they
produce dependent costs.
The proposed changes have been implemented in CerCo's untrusted prototype
compiler from a large fragment of C to 8051 assembly.Comment: In Proceedings QAPL 2013, arXiv:1306.241
CapablePtrs: Securely Compiling Partial Programs using the Pointers-as-Capabilities Principle
Capability machines such as CHERI provide memory capabilities that can be
used by compilers to provide security benefits for compiled code (e.g., memory
safety). The C to CHERI compiler, for example, achieves memory safety by
following a principle called "pointers as capabilities" (PAC). Informally, PAC
says that a compiler should represent a source language pointer as a machine
code capability. But the security properties of PAC compilers are not yet well
understood. We show that memory safety is only one aspect, and that PAC
compilers can provide significant additional security guarantees for partial
programs: the compiler can provide guarantees for a compilation unit, even if
that compilation unit is later linked to attacker-controlled machine code. This
paper is the first to study the security of PAC compilers for partial programs
formally. We prove for a model of such a compiler that it is fully abstract.
The proof uses a novel proof technique (dubbed TrICL, read trickle), which is
of broad interest because it reuses and extends the compiler correctness
relation in a natural way, as we demonstrate. We implement our compiler on top
of the CHERI platform and show that it can compile legacy C code with minimal
code changes. We provide performance benchmarks that show how performance
overhead is proportional to the number of cross-compilation-unit function
calls
Implementing Multi-Periodic Critical Systems: from Design to Code Generation
This article presents a complete scheme for the development of Critical
Embedded Systems with Multiple Real-Time Constraints. The system is programmed
with a language that extends the synchronous approach with high-level real-time
primitives. It enables to assemble in a modular and hierarchical manner several
locally mono-periodic synchronous systems into a globally multi-periodic
synchronous system. It also allows to specify flow latency constraints. A
program is translated into a set of real-time tasks. The generated code (\C\
code) can be executed on a simple real-time platform with a dynamic-priority
scheduler (EDF). The compilation process (each algorithm of the process, not
the compiler itself) is formally proved correct, meaning that the generated
code respects the real-time semantics of the original program (respect of
periods, deadlines, release dates and precedences) as well as its functional
semantics (respect of variable consumption).Comment: 15 pages, published in Workshop on Formal Methods for Aerospace
(FMA'09), part of Formal Methods Week 2009
- …