
End-to-end verification of stack-space bounds for C programs

Published: 09 June 2014

Abstract

Verified compilers guarantee the preservation of semantic properties and thus enable formal verification of programs at the source level. However, important quantitative properties such as memory and time usage still have to be verified at the machine level, where interactive proofs tend to be more tedious and automation is more challenging.

This article describes a framework that enables the formal verification of stack-space bounds of compiled machine code at the C level. It consists of a verified CompCert-based compiler that preserves quantitative properties, a verified quantitative program logic for interactive stack-bound development, and a verified stack analyzer that automatically derives stack bounds during compilation.

The framework is based on event traces that record function calls and returns. The source language is CompCert Clight and the target language is x86 assembly. The compiler is implemented in the Coq proof assistant, and it is proved that the crucial properties of event traces are preserved by compilation. A novel quantitative Hoare logic is developed to verify stack-space bounds at the CompCert Clight level. The quantitative logic is implemented in Coq and proved sound with respect to the event traces generated by the small-step semantics of CompCert Clight. Stack-space bounds can therefore be proved at the source level without taking into account low-level details that depend on the implementation of the compiler, such as the size of each function's stack frame. The compiler fills in these low-level details during compilation and generates a concrete stack-space bound that applies to the produced machine code. The verified stack analyzer is guaranteed to derive bounds automatically for code whose functions are non-recursive. It generates a derivation in the quantitative logic, which ensures soundness as well as interoperability with interactively developed stack bounds.

In an experimental evaluation, the developed framework is used to obtain verified stack-space bounds for micro benchmarks as well as real system code. The examples include the verified operating-system kernel CertiKOS, parts of the MiBench embedded benchmark suite, and programs from the CompCert benchmarks. The derived bounds are close to the measured stack-space usage of executions of the compiled programs on a Linux x86 system.
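To make concrete what the analyzer derives and what the event traces check, here is an added worked example that is not part of the article or of its Coq development. It derives a worst-case stack bound over a call graph from compiler-supplied frame sizes, refusing recursive code in the way the article's automatic analyzer only handles non-recursive functions, and then replays a call/return event trace to check the measured peak against the derived bound. The function names, frame sizes and the trace are constructed for illustration; the real frame sizes would come from the compiler back end after register allocation.

```python
"""Stack-bound derivation over a call graph, checked against call/return traces.

Illustrative code only (not the article's Coq artifacts). All names, frame
sizes and traces below are constructed.
"""
from typing import Dict, List, Tuple

CallGraph = Dict[str, List[str]]      # caller -> list of direct callees
FrameSizes = Dict[str, int]           # function -> stack frame size in bytes
Event = Tuple[str, str]               # ("call", f) or ("ret", f)


class UnboundedStack(Exception):
    """Raised when the call graph is recursive and no static bound exists."""


def derive_bounds(graph: CallGraph, frames: FrameSizes) -> Dict[str, int]:
    """Return f -> worst-case bytes consumed by a call to f: f's own frame plus
    the deepest chain of callees. Mirrors the rule of a quantitative logic for
    non-recursive code: bound(f) = frame(f) + max over callees g of bound(g).
    A cycle in the call graph (recursion) makes the bound undefined, so the
    analyzer refuses rather than guessing."""
    bounds: Dict[str, int] = {}
    on_path: set = set()

    def visit(f: str) -> int:
        if f in bounds:
            return bounds[f]
        if f in on_path:
            raise UnboundedStack(f"recursive call chain through {f!r}")
        if f not in frames:
            # External or indirect callee with no known frame: cannot bound it.
            raise KeyError(f"no frame size for {f!r}")
        on_path.add(f)
        deepest = max((visit(g) for g in graph.get(f, [])), default=0)
        on_path.discard(f)
        bounds[f] = frames[f] + deepest
        return bounds[f]

    for f in frames:
        visit(f)
    return bounds


def trace_stack_usage(trace: List[Event], graph: CallGraph,
                      frames: FrameSizes, entry: str) -> int:
    """Replay an event trace and return its peak stack usage in bytes.
    Checks that the trace is well nested (each return matches the innermost
    open call) and that every call is one the call graph allows, so the trace
    is a genuine execution of the program the bound was derived for."""
    stack: List[str] = []
    depth = peak = 0
    for kind, f in trace:
        if kind == "call":
            caller_ok = (not stack and f == entry) or (stack and f in graph.get(stack[-1], []))
            if not caller_ok:
                raise ValueError(f"call to {f!r} not permitted by call graph")
            stack.append(f)
            depth += frames[f]
            peak = max(peak, depth)
        elif kind == "ret":
            if not stack or stack[-1] != f:
                raise ValueError(f"unmatched return from {f!r}")
            stack.pop()
            depth -= frames[f]
        else:
            raise ValueError(f"unknown event {kind!r}")
    return peak


# Constructed call graph of a small kernel-like program.
GRAPH: CallGraph = {
    "main": ["init", "handle_irq"],
    "init": ["memset"],
    "handle_irq": ["save_ctx", "dispatch"],
    "dispatch": ["memset"],
    "save_ctx": [],
    "memset": [],
}
# Constructed frame sizes standing in for what the compiler fixes per function.
FRAMES: FrameSizes = {"main": 32, "init": 16, "handle_irq": 48,
                      "dispatch": 24, "save_ctx": 64, "memset": 16}
# Constructed trace of one execution: main runs init, then services an IRQ.
TRACE: List[Event] = [
    ("call", "main"), ("call", "init"), ("call", "memset"), ("ret", "memset"),
    ("ret", "init"), ("call", "handle_irq"), ("call", "save_ctx"),
    ("ret", "save_ctx"), ("call", "dispatch"), ("call", "memset"),
    ("ret", "memset"), ("ret", "dispatch"), ("ret", "handle_irq"), ("ret", "main"),
]
# Constructed recursive program the automatic analyzer must reject.
RECURSIVE: CallGraph = {"main": ["fact"], "fact": ["fact"]}

if __name__ == "__main__":
    bounds = derive_bounds(GRAPH, FRAMES)
    peak = trace_stack_usage(TRACE, GRAPH, FRAMES, "main")
    print(f"derived bound for main: {bounds['main']} bytes, trace peak: {peak} bytes")
    assert peak <= bounds["main"]
    try:
        derive_bounds(RECURSIVE, {"main": 8, "fact": 8})
    except UnboundedStack as e:
        print("rejected:", e)
```

The bound for `main` here is 144 bytes, reached exactly by the trace along `main -> handle_irq -> save_ctx`; the replay would flag a trace that calls a function the graph does not permit, which is the kind of discrepancy (indirect calls, inline assembly, compiler-inserted helpers) that makes a source-level bound unsound for the machine code unless the compiler accounts for it.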
