Certifying cost annotations in compilers

We discuss the problem of building a compiler which can lift in a provably correct way pieces of information on the execution cost of the object code to cost annotations on the source code. To this end, we need a clear and flexible picture of: (i) the meaning of cost annotations, (ii) the method to prove them sound and precise, and (iii) the way such proofs can be composed. We propose a so-called labelling approach to these three questions. As a first step, we examine its application to a toy compiler. This formal study suggests that the labelling approach has good compositionality and scalability properties. In order to provide further evidence for this claim, we report our successful experience in implementing and testing the labelling approach on top of a prototype compiler written in OCAML for (a large fragment of) the C language

Secure mobile code and control flow analysis

The interaction between software systems by means of mobile code is a powerful and truly effective method, particularly useful for installing and executing code dynamically. However, for this mechanism to be applicable safely, especially in industrial or critical applications, techniques that guarantee foreign code execution safety for the consumer or host will be necessary. Of course, tool support for automating, at least partially, the application of these techniques is essential. The importance of guarantee code execution safety originates numerous active research lines, among which Proof-Carrying Code (PCC) is one of the most successful. One of the problems to overcome for the PCC industrial use is to obtain lineal methods of safeness certification and verification. A framework for the generation and execution of safe mobile code based on PCC together with techniques for static analysis of control and data-flow, called PCC-SA, was developed later by the authors. The results of the group that allowed proving the hypothesis that the PCC-SA complexity in practice is lineal respect to the input programs length, as for certification as for verification processes are also presented. To achieve this, a C-program family, whose elements are referred to as lineally annotative, is defined. Parameters statically measured over their source code determine whether a program belongs to this family or not. Different properties of this family are demonstrated in this work, which allows formally showing that for all the programs of this family, the PCC-SA presents a lineal behavior. The parameters required for a large sample of programs keeping of standard packages, are calculated. This calculation finally determines that all the programs of the sample are lineally annotative, which validates the hypothesis previously stated.Red de Universidades con Carreras en Informática (RedUNCI

TWAM: A Certifying Abstract Machine for Logic Programs

Type-preserving (or typed) compilation uses typing derivations to certify correctness properties of compilation. We have designed and implemented a type-preserving compiler for a simply-typed dialect of Prolog we call T-Prolog. The crux of our approach is a new certifying abstract machine which we call the Typed Warren Abstract Machine (TWAM). The TWAM has a dependent type system strong enough to specify the semantics of a logic program in the logical framework LF. We present a soundness metatheorem which constitutes a partial correctness guarantee: well-typed programs implement the logic program specified by their type. This metatheorem justifies our design and implementation of a certifying compiler from T-Prolog to TWAM.Comment: 41 pages, under submission to ACM Transactions on Computational Logi

Synthesizing Certified Code

Code certification is a lightweight approach for formally demonstrating software quality. Its basic idea is to require code producers to provide formal proofs that their code satisfies certain quality properties. These proofs serve as certificates that can be checked independently. Since code certification uses the same underlying technology as program verification, it requires detailed annotations (e.g., loop invariants) to make the proofs possible. However, manually adding annotations to the code is time-consuming and error-prone. We address this problem by combining code certification with automatic program synthesis. Given a high-level specification, our approach simultaneously generates code and all annotations required to certify the generated code. We describe a certification extension of AutoBayes, a synthesis tool for automatically generating data analysis programs. Based on built-in domain knowledge, proof annotations are added and used to generate proof obligations that are discharged by the automated theorem prover E-SETHEO. We demonstrate our approach by certifying operator- and memory-safety on a data-classification program. For this program, our approach was faster and more precise than PolySpace, a commercial static analysis tool

Indexed Labels for Loop Iteration Dependent Costs

We present an extension to the labelling approach, a technique for lifting resource consumption information from compiled to source code. This approach, which is at the core of the annotating compiler from a large fragment of C to 8051 assembly of the CerCo project, looses preciseness when differences arise as to the cost of the same portion of code, whether due to code transformation such as loop optimisations or advanced architecture features (e.g. cache). We propose to address this weakness by formally indexing cost labels with the iterations of the containing loops they occur in. These indexes can be transformed during the compilation, and when lifted back to source code they produce dependent costs. The proposed changes have been implemented in CerCo's untrusted prototype compiler from a large fragment of C to 8051 assembly.Comment: In Proceedings QAPL 2013, arXiv:1306.241

Symbolic and analytic techniques for resource analysis of Java bytecode

Recent work in resource analysis has translated the idea of amortised resource analysis to imperative languages using a program logic that allows mixing of assertions about heap shapes, in the tradition of separation logic, and assertions about consumable resources. Separately, polyhedral methods have been used to calculate bounds on numbers of iterations in loop-based programs. We are attempting to combine these ideas to deal with Java programs involving both data structures and loops, focusing on the bytecode level rather than on source code

Secure mobile code and control flow analysis

The interaction between software systems by means of mobile code is a powerful and truly effective method, particularly useful for installing and executing code dynamically. However, for this mechanism to be applicable safely, especially in industrial or critical applications, techniques that guarantee foreign code execution safety for the consumer or host will be necessary. Of course, tool support for automating, at least partially, the application of these techniques is essential. The importance of guarantee code execution safety originates numerous active research lines, among which Proof-Carrying Code (PCC) is one of the most successful. One of the problems to overcome for the PCC industrial use is to obtain lineal methods of safeness certification and verification. A framework for the generation and execution of safe mobile code based on PCC together with techniques for static analysis of control and data-flow, called PCC-SA, was developed later by the authors. The results of the group that allowed proving the hypothesis that the PCC-SA complexity in practice is lineal respect to the input programs length, as for certification as for verification processes are also presented. To achieve this, a C-program family, whose elements are referred to as lineally annotative, is defined. Parameters statically measured over their source code determine whether a program belongs to this family or not. Different properties of this family are demonstrated in this work, which allows formally showing that for all the programs of this family, the PCC-SA presents a lineal behavior. The parameters required for a large sample of programs keeping of standard packages, are calculated. This calculation finally determines that all the programs of the sample are lineally annotative, which validates the hypothesis previously stated.Red de Universidades con Carreras en Informática (RedUNCI

A formally verified compiler back-end

This article describes the development and formal verification (proof of semantic preservation) of a compiler back-end from Cminor (a simple imperative intermediate language) to PowerPC assembly code, using the Coq proof assistant both for programming the compiler and for proving its correctness. Such a verified compiler is useful in the context of formal methods applied to the certification of critical software: the verification of the compiler guarantees that the safety properties proved on the source code hold for the executable compiled code as well