Abstract
Verified compilers guarantee the preservation of semantic properties and thus enable formal verification of programs at the source level. However, important quantitative properties such as memory and time usage still have to be verified at the machine level where interactive proofs tend to be more tedious and automation is more challenging.
This article describes a framework that enables the formal verification of stack-space bounds of compiled machine code at the C level. It consists of a verified CompCert-based compiler that preserves quantitative properties, a verified quantitative program logic for interactive stack-bound development, and a verified stack analyzer that automatically derives stack bounds during compilation.
The framework is based on event traces that record function calls and returns. The source language is CompCert Clight and the target language is x86 assembly. The compiler is implemented in the Coq Proof Assistant and it is proved that crucial properties of event traces are preserved during compilation. A novel quantitative Hoare logic is developed to verify stack-space bounds at the CompCert Clight level. The quantitative logic is implemented in Coq and proved sound with respect to event traces generated by the small-step semantics of CompCert Clight. Stack-space bounds can be proved at the source level without taking into account low-level details that depend on the implementation of the compiler. The compiler fills in these low-level details during compilation and generates a concrete stack-space bound that applies to the produced machine code. The verified stack analyzer is guaranteed to automatically derive bounds for code with non-recursive functions. It generates a derivation in the quantitative logic to ensure soundness as well as interoperability with interactively developed stack bounds.
In an experimental evaluation, the developed framework is used to obtain verified stack-space bounds for micro benchmarks as well as real system code. The examples include the verified operating-system kernel CertiKOS, parts of the MiBench embedded benchmark suite, and programs from the CompCert benchmarks. The derived bounds are close to the measured stack-space usage of executions of the compiled programs on a Linux x86 system.
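As an added illustration (not code from the paper, from CompCert or from the verified stack analyzer it describes), the following Python models the two ideas in the abstract in a deliberately simplified way: measuring stack usage on an event trace of function calls and returns, and deriving a static stack bound for code whose call graph contains no recursion. It assumes that each function has a fixed frame size, that an event trace is a list of `("call", f)` and `("ret", f)` events, and that the bound for non-recursive code is the heaviest path through the call graph from the entry function. The frame sizes, call graph and trace are constructed sample values, not data from the paper.

```python
# Added illustration of stack-bound reasoning on event traces (not the paper's code).

# Constructed sample: per-function frame sizes in bytes (hypothetical values).
FRAME_SIZES = {"main": 32, "parse": 64, "lookup": 16, "emit": 48}

# Constructed call graph: the list of callees of each function.
CALL_GRAPH = {
    "main": ["parse", "emit"],
    "parse": ["lookup"],
    "lookup": [],
    "emit": ["lookup"],
}

# Constructed event trace: ("call", f) pushes f's frame, ("ret", f) pops it.
TRACE = [
    ("call", "main"),
    ("call", "parse"),
    ("call", "lookup"),
    ("ret", "lookup"),
    ("ret", "parse"),
    ("call", "emit"),
    ("call", "lookup"),
    ("ret", "lookup"),
    ("ret", "emit"),
    ("ret", "main"),
]


def trace_high_water_mark(trace, frame_sizes):
    """Replay call/return events and return the peak stack usage observed.

    A malformed trace (a return that does not match the function on top of
    the call stack, or unbalanced events) raises ValueError, since a usage
    figure measured from such a trace would be meaningless.
    """
    stack = []
    used = 0
    peak = 0
    for kind, fn in trace:
        if kind == "call":
            stack.append(fn)
            used += frame_sizes[fn]
            peak = max(peak, used)
        elif kind == "ret":
            if not stack or stack[-1] != fn:
                raise ValueError(f"return from {fn} does not match call stack {stack}")
            stack.pop()
            used -= frame_sizes[fn]
        else:
            raise ValueError(f"unknown event kind {kind!r}")
    if stack:
        raise ValueError(f"trace ended with open frames: {stack}")
    return peak


def static_stack_bound(call_graph, frame_sizes, entry):
    """Return the worst-case stack usage reachable from `entry`, computed as
    the heaviest path in the call graph, or None if a cycle (recursion) is
    reachable from `entry`, where this simple longest-path bound does not apply.
    """
    memo = {}
    on_path = set()

    def bound(fn):
        if fn in memo:
            return memo[fn]
        if fn in on_path:
            return None  # back edge: a recursive call chain
        on_path.add(fn)
        deepest = 0
        for callee in call_graph.get(fn, []):
            sub = bound(callee)
            if sub is None:
                return None
            deepest = max(deepest, sub)
        on_path.discard(fn)
        memo[fn] = frame_sizes[fn] + deepest
        return memo[fn]

    return bound(entry)


def trace_within_bound(trace, call_graph, frame_sizes, entry):
    """Check that the usage measured on a trace never exceeds the static bound.

    Returns False if no bound could be derived (recursive call graph).
    """
    limit = static_stack_bound(call_graph, frame_sizes, entry)
    if limit is None:
        return False
    return trace_high_water_mark(trace, frame_sizes) <= limit


if __name__ == "__main__":
    print("measured peak:", trace_high_water_mark(TRACE, FRAME_SIZES))
    print("static bound:", static_stack_bound(CALL_GRAPH, FRAME_SIZES, "main"))
    print("within bound:", trace_within_bound(TRACE, CALL_GRAPH, FRAME_SIZES, "main"))
```

On the constructed sample the measured peak and the static bound coincide (112 bytes, reached on the path main, parse, lookup), which is the situation the abstract reports as bounds being close to measured usage; a call graph with a cycle makes `static_stack_bound` return None, mirroring the abstract's restriction of the automatic analyzer's guarantee to non-recursive functions.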
End-to-end verification of stack-space bounds for C programs. PLDI '14: Proceedings of the 35th ACM SIGPLAN Conference on Programming Language Design and Implementation.