Presentation is loading. Please wait.

Presentation is loading. Please wait.

Proof Carrying Code and Proof Preserving Program Transformations

Published byMaryann McCarthy Modified over 6 years ago

Similar presentations

Presentation on theme: "Proof Carrying Code and Proof Preserving Program Transformations"— Presentation transcript:

1 Proof Carrying Code and Proof Preserving Program Transformations
Ando Saabas, Institute of Cybernetics CDC Seminar,

2 Proof Carrying Code Proof-Carrying Code is based on the idea that the code producer should provide some evidence that the program she distributes is safe and/or functionally correct. The program is thus shipped with a certificate that attests that it has the desired properties. Before running a program, the code user could then check this certificate

3 PCC vs Digital Signatures
A digital signature identifies the origin of the program It has no direct connection with program semantics A digital signature is a syntactic checksum A proof is a semantic checksum

4 Where would proofs come from?
For basic safety properties, they can be inferred automatically For more complex safety and/or functional correctness properties, the code producer would use some verification environment to prove the source program correct But programs are distributed in compiled form

5 PCC framework ? Code producer Code user Yes No Specification Source
program Runtime environent Yes Compiled program Program verification environment ? Compiler + Proof compiler Proof checker Proof of the compiled program No Program proof

6 Proof compilation For non-optimizing compilers it is easy: proof compilation is (almost) identity Not so if optimizations take place

7 Dead code elimination f 9 p : s = c ¤ n ^ g f s = c ¤ n ^ p g f 9 p :
Precondition f 9 p : s = ^ 1 i g f s = ^ p 1 i g while i < n s = s + c; skip; i++; while i < n s = s + c; p = p * c; i++; Invariant f 9 p : s = c i ^ n g f s = c i ^ p n g Postcondition f 9 p : s = c n ^ g f s = c n ^ p g

8 Constant propagation f s = c ¤ n ^ p g f s = ^ p 1 i g f s = 5 ¤ i ^ p
Precondition f s = ^ p 1 i g c = 5; while i < n s = s + c; p = p * c; i++; c = 5; while i < n s = s + 5; p = p * 5; i++; Invariant f s = 5 i ^ p n g f s = c i ^ p n 5 g f s = c i ^ p < n g Postcondition f s = c n ^ p g

9 Proof compilation For non-optimizing compilers it is easy: proof compilation is (almost) identity Not so if optimizations take place Many different optimizations, each have their own particular effect on the proof Need a systematic approach for dealing with this

10 Enter type systems Optimizations are mostly based on dataflow analyses
Dataflow analyses can be described as type systems Type systems can have an optimization component Idea: types can guide the transformation of the proofs

11 Proof transformation ? ? Source Specification program Runtime Compiled
Verification Environment Proof checker Runtime Source program Analyzer Type derivation Program optimizer Proof optimzer Compiled program Proof of the compiled ? Compiler + ? Program proof

12 Liveness and dead code elimination
A variable is said to be live at the exit from a program point, if there exists a path from that program point to a use of the variable, that does not redefine the variable. Live variable analysis determines, for each program point which variables may be live at that point Used in dead code elimination

13 Live variable analysis
The types and subtyping relation of the type system correspond to the poset of the analysis: The intuitive meaning of a program typing is that, given a set of variables d which are live at the end of the program s, the variables in the pretype d’ may be live at the beginning of the program. ( D ; ) = P V a r s : d !

14 Type system for liveness analysis

15 Optimizations via type systems
Program optimizations can be explained via an extended version of the type system. Apart from assigning types to statements, it also defines the corresponding optimized forms. A typing judgement has the form where is the s’ optimized form of s. s : d ! ,

16 Type system for dead code elimination

17 Soundness of dead code elimination
The typesystematic formulation of dead code elimination leads to a simple correctness proof At corresponding program points, the states of the original and optimized program agree on all variables which are live This can be shown by induction on the typing derivation

18 Proof optimization Optimization preserves Hoare triple derivability
(P|d is obtained from P by quantifying out all program variables not in d). The constructive proof gives us “proof optimization”: transformation of Hoare triples alongside with programs.

19 Scalability Applied for partial redundancy elimination
performs common subexpression elimination and code motion at the same time changes the structure of the code requires 4 dataflow analyses Can applied for resource usage proofs

20 Scalability Can be used for optimization which require bidirectional analyses. Can be applied to CFG based program and analysis descriptions Java bytecode analyses: dead store elimination load pop pair elimination store load pair elimination etc

21 Conclusions We have shown the benefits of the typesystematic approach to dataflow analyses leads to simple soundness proofs is a viable option for proof transformation and can be applied to a very wide array of optimizations

Download ppt "Proof Carrying Code and Proof Preserving Program Transformations"

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
CSC 4181 Compiler Construction Code Generation & Optimization.

CSC 4181 Compiler Construction Code Generation & Optimization.
De necessariis pre condiciones consequentia sine machina P. Consobrinus, R. Consobrinus M. Aquilifer, F. Oratio.

De necessariis pre condiciones consequentia sine machina P. Consobrinus, R. Consobrinus M. Aquilifer, F. Oratio.
An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.

An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.
8. Static Single Assignment Form Marcus Denker. © Marcus Denker SSA Roadmap  Static Single Assignment Form (SSA)  Converting to SSA Form  Examples.

8. Static Single Assignment Form Marcus Denker. © Marcus Denker SSA Roadmap  Static Single Assignment Form (SSA)  Converting to SSA Form  Examples.
Comparing Semantic and Syntactic Methods in Mechanized Proof Frameworks C.J. Bell, Robert Dockins, Aquinas Hobor, Andrew W. Appel, David Walker 1.

Comparing Semantic and Syntactic Methods in Mechanized Proof Frameworks C.J. Bell, Robert Dockins, Aquinas Hobor, Andrew W. Appel, David Walker 1.
Course Outline Traditional Static Program Analysis Software Testing

Course Outline Traditional Static Program Analysis Software Testing
Lecture 11: Code Optimization CS 540 George Mason University.

Lecture 11: Code Optimization CS 540 George Mason University.
Course Outline Traditional Static Program Analysis –Theory Compiler Optimizations; Control Flow Graphs Data-flow Analysis – today’s class –Classic analyses.

Course Outline Traditional Static Program Analysis –Theory Compiler Optimizations; Control Flow Graphs Data-flow Analysis – today’s class –Classic analyses.
1 CS 201 Compiler Construction Lecture 7 Code Optimizations: Partial Redundancy Elimination.

1 CS 201 Compiler Construction Lecture 7 Code Optimizations: Partial Redundancy Elimination.
1 Data flow analysis Goal : collect information about how a procedure manipulates its data This information is used in various optimizations For example,

1 Data flow analysis Goal : collect information about how a procedure manipulates its data This information is used in various optimizations For example,
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.

1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.
CS 355 – Programming Languages

CS 355 – Programming Languages
Introduction to Code Optimization Comp 412 Copyright 2010, Keith D. Cooper & Linda Torczon, all rights reserved. Students enrolled in Comp 412 at Rice.

Introduction to Code Optimization Comp 412 Copyright 2010, Keith D. Cooper & Linda Torczon, all rights reserved. Students enrolled in Comp 412 at Rice.
1 CS 201 Compiler Construction Lecture 5 Code Optimizations: Copy Propagation & Elimination.

1 CS 201 Compiler Construction Lecture 5 Code Optimizations: Copy Propagation & Elimination.
Data Flow Analysis 1 15-411 Compiler Design October 5, 2004 These slides live on the Web. I obtained them from Jeff Foster and he said that he obtained.

Data Flow Analysis Compiler Design October 5, 2004 These slides live on the Web. I obtained them from Jeff Foster and he said that he obtained.
Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.

Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
1 Program Analysis Mooly Sagiv Tel Aviv University 640-6706 Textbook: Principles of Program Analysis.

1 Program Analysis Mooly Sagiv Tel Aviv University Textbook: Principles of Program Analysis.
Overview of program analysis Mooly Sagiv html://www.cs.tau.ac.il/~msagiv/courses/wcc05.html.

Overview of program analysis Mooly Sagiv html://

Similar presentations

Ads by Google