35 research outputs found
Verifying Parallel Loops with Separation Logic
This paper proposes a technique to specify and verify whether a loop can be
parallelised. Our approach can be used as an additional step in a parallelising
compiler to verify user annotations about loop dependences. Essentially, our
technique requires each loop iteration to be specified with the locations it
will read and write. From the loop iteration specifications, the loop
(in)dependences can be derived. Moreover, the loop iteration specifications
also reveal where synchronisation is needed in the parallelised program. The
loop iteration specifications can be verified using permission-based separation
logic.Comment: In Proceedings PLACES 2014, arXiv:1406.331
Separation Logic for Small-step Cminor
Cminor is a mid-level imperative programming language; there are
proved-correct optimizing compilers from C to Cminor and from Cminor to machine
language. We have redesigned Cminor so that it is suitable for Hoare Logic
reasoning and we have designed a Separation Logic for Cminor. In this paper, we
give a small-step semantics (instead of the big-step of the proved-correct
compiler) that is motivated by the need to support future concurrent
extensions. We detail a machine-checked proof of soundness of our Separation
Logic. This is the first large-scale machine-checked proof of a Separation
Logic w.r.t. a small-step semantics. The work presented in this paper has been
carried out in the Coq proof assistant. It is a first step towards an
environment in which concurrent Cminor programs can be verified using
Separation Logic and also compiled by a proved-correct compiler with formal
end-to-end correctness guarantees.Comment: Version courte du rapport de recherche RR-613
On the Use of Underspecified Data-Type Semantics for Type Safety in Low-Level Code
In recent projects on operating-system verification, C and C++ data types are
often formalized using a semantics that does not fully specify the precise byte
encoding of objects. It is well-known that such an underspecified data-type
semantics can be used to detect certain kinds of type errors. In general,
however, underspecified data-type semantics are unsound: they assign
well-defined meaning to programs that have undefined behavior according to the
C and C++ language standards.
A precise characterization of the type-correctness properties that can be
enforced with underspecified data-type semantics is still missing. In this
paper, we identify strengths and weaknesses of underspecified data-type
semantics for ensuring type safety of low-level systems code. We prove
sufficient conditions to detect certain classes of type errors and, finally,
identify a trade-off between the complexity of underspecified data-type
semantics and their type-checking capabilities.Comment: In Proceedings SSV 2012, arXiv:1211.587
Mechanized semantics
The goal of this lecture is to show how modern theorem provers---in this
case, the Coq proof assistant---can be used to mechanize the specification of
programming languages and their semantics, and to reason over individual
programs and over generic program transformations, as typically found in
compilers. The topics covered include: operational semantics (small-step,
big-step, definitional interpreters); a simple form of denotational semantics;
axiomatic semantics and Hoare logic; generation of verification conditions,
with application to program proof; compilation to virtual machine code and its
proof of correctness; an example of an optimizing program transformation (dead
code elimination) and its proof of correctness
Verification of loop parallelisations
Writing correct parallel programs becomes more and more difficult as the complexity and heterogeneity of processors increase. This issue is addressed by parallelising compilers. Various compiler directives can be used to tell these compilers where to parallelise. This paper addresses the correctness of such compiler directives for loop parallelisation. Specifically, we propose a technique based on separation logic to verify whether a loop can be parallelised. Our approach requires each loop iteration to be specified with the locations that are read and written in this iteration. If the specifications are correct, they can be used to draw conclusions about loop (in)dependences. Moreover, they also reveal where synchronisation is needed in the parallelised program. The loop iteration specifications can be verified using permission-based separation logic and seamlessly integrate with functional behaviour specifications. We formally prove the correctness of our approach and we discuss automated tool support for our technique. Additionally, we also discuss how the loop iteration contracts can be compiled into specifications for the code coming out of the parallelising compiler
High-level Proofs about Low-level Programs
Functional verification of low-level code requires
abstractions over the memory model to be effective, since
the number of side-conditions induced by byte-addressed
memory is prohibitive even with modern automated reasoners.
We propose a flexible solution to this challenge: assertions
contain explicit memory layouts which carry the necessary
side-conditions as invariants. The memory-related proof
obligations arising during verification can then be solved
using specialized automatic proof procedures. The remaining
verification conditions about the content of data structures
directly reflect a developer's understanding.
The development is formalized in Isabelle/HOL