extracting a data flow analyser in constructive logic
play

Extracting a Data Flow Analyser in Constructive Logic David - PowerPoint PPT Presentation

Feb 01, 2024 •436 likes •966 views

Extracting a Data Flow Analyser in Constructive Logic David Cachera, Thomas Jensen, David Pichardie and Vlad Rusu APPSEM04, Tallinn Static program analysis The goals of static program analysis To prove properties about the run-time

  1. Extracting a Data Flow Analyser in Constructive Logic David Cachera, Thomas Jensen, David Pichardie and Vlad Rusu APPSEM’04, Tallinn

  2. Static program analysis The goals of static program analysis ◮ To prove properties about the run-time behaviour of a program ◮ In a fully automatic way ◮ Without actually executing this program

  3. Static program analysis The goals of static program analysis ◮ To prove properties about the run-time behaviour of a program ◮ In a fully automatic way ◮ Without actually executing this program Solid foundations for designing an analyser ◮ Formalization and correctness proof by abstract interpretation ◮ Resolution of constraints on lattices by iteration and symbolic computation

  4. Formalization approximation domain programming language (lattice) + semantics correctness analysis specification proof

  5. Resolution program to analyze (in)equation generation abstract domains (in)equation system computable resolution informations about the run-time behaviour of the program

  6. So what’s the problem ?

  7. Formalization part � P c . Cousot

  8. Implementation part Formalization part int main(int argc, char **argv) { int i, j, t, parent_a, parent_b; int **swap, **newpop, **oldpop; double *fit, *normfit; get_options(argc, argv, options, help_string); srandom(seed); read_specs(specs); size += (size / 2 * 2 != size); newpop = xmalloc(sizeof(int *) * size); oldpop = xmalloc(sizeof(int *) * size); fit = xmalloc(sizeof(double) * size); normfit = xmalloc(sizeof(double) * size); for(i = 0; i < size; i++) { newpop[i] = xmalloc(sizeof(int) * len); oldpop[i] = xmalloc(sizeof(int) * len); for(j = 0; j < len * 2; j++) random_solution(oldpop[i]); } for(t = 0; t < gens; t++) { compute_fitness(oldpop, fit, normfit); dump_stats(t, oldpop, fit); for(i = 0; i < size; i += 2) { parent_a = select_one(normfit); parent_b = select_one(normfit); reproduce(oldpop, newpop, parent_a, parent_b, i); } swap = newpop; newpop = oldpop; oldpop = swap; } exit(0); } � P c . Cousot

  9. Implementation part Formalization part int main(int argc, char **argv) { int i, j, t, parent_a, parent_b; int **swap, **newpop, **oldpop; double *fit, *normfit; get_options(argc, argv, options, help_string); srandom(seed); read_specs(specs); size += (size / 2 * 2 != size); newpop = xmalloc(sizeof(int *) * size); oldpop = xmalloc(sizeof(int *) * size); Do both parts talk about the same ? fit = xmalloc(sizeof(double) * size); normfit = xmalloc(sizeof(double) * size); for(i = 0; i < size; i++) { newpop[i] = xmalloc(sizeof(int) * len); oldpop[i] = xmalloc(sizeof(int) * len); for(j = 0; j < len * 2; j++) random_solution(oldpop[i]); } for(t = 0; t < gens; t++) { compute_fitness(oldpop, fit, normfit); dump_stats(t, oldpop, fit); for(i = 0; i < size; i += 2) { parent_a = select_one(normfit); parent_b = select_one(normfit); reproduce(oldpop, newpop, parent_a, parent_b, i); } swap = newpop; newpop = oldpop; oldpop = swap; } exit(0); } � P c . Cousot

  10. Static Analysis for real-life languages Example of real-life language : bytecode JavaCard ◮ 180 instructions ◮ Real need of static analysis to verify properties about security, memory management, ... For this kind of languages, ◮ Abstract domains can be complex ◮ Correctness proofs become long and tiresome ◮ Implementation and maintenance of the analyser become a software engineering task

  11. In this work We propose a technique based on the Coq proof assistant ◮ To specify a static analysis, ◮ To prove its correctness wrt. the semantics of the language, ◮ To extract a static analyser from the proof of existence of a correct program analysis result Program-as-proofs paradigm: Write a function f which ⇒ Make a constructive proof verifies a specification P ⇐ of ∀ x , ∃ y , P ( x , y ) ∀ x , P ( x , f ( x ))

  12. Outline ◮ Motivation ◮ A Static Analysis for Carmel ◮ Building a certified static analyser ◮ Conclusion

  13. Outline ◮ Motivation ◮ A Static Analysis for Carmel ◮ Building a certified static analyser ◮ Conclusion

  14. Case study : a static analysis for Carmel e Rydhof Hansen 1 We follow the analysis proposed by Ren´ ◮ Carmel : an intermediate representation of Java Card byte code ◮ Construction of a certified data flow analyser for Carmel 1 Ren´ e Rydhof Hansen. Flow Logic for Carmel. SECSAFE-IMM-001, 2002

  15. Syntax of Carmel Instruction ::= nop  push c   stack manipulation pop numop op � load x local variables manipulation store x � if pc jump goto pc  new cl  putfield f  heap manipulation getfield f � invokevirtual m id method call and return return

  16. Semantic domains Val ::= num n n ∈ N ref r r ∈ Reference null Val ∗ Stack = LocalVar = Var → Val Frame = PointProg × NameMethod × LocalVar × Stack Frame ∗ CallStack = Object = FieldName → Val Heap = Reference → Object ⊥ State = Heap × CallStack Example : ( H , � m , pc , L , v :: S � :: SF )

  17. Dynamic semantics Operational semantics with rules like instructionAt P ( m , pc ) = push c ( H , � m , pc , L , S � :: SF ) ⇒ ( H , � m , pc + 1 , L , c :: S � :: SF ) instructionAt P ( m , pc ) = invokevirtual m id m ′ = methodLookup ( m id , h ( loc )) f ′ � m ′ , 1 , V , ε � = f ′′ = � m , pc , l , s � ( h , � m , pc , l , loc :: V :: s � :: sf ) ⇒ ( h , f ′ :: f ′′ :: sf )

  18. A Static Analysis for Carmel � � H , ˆ ˆ L , ˆ We want to calculate an approximation S on the domain � � � State = � � × NameMethod × PointProg → Heap LocalVar � � NameMethod × PointProg → � × Stack ◮ An approximation for all reachable heaps ◮ For each program points, an approximation of the operand stack and the local variables ◮ An object is abstracted to its class ◮ Numeric values are abstracted using Killdall’s Constant Propagation domain

  19. Analysis specification � � H , ˆ ˆ L , ˆ Each instruction impose constraints on S . Example 0 : push 1 1 : push 2 2 : store 0 3 : load 0 4 : numop mult 5 : goto 1

  20. Analysis specification � � H , ˆ ˆ L , ˆ Each instruction impose constraints on S . Example nil ⊑ ˆ b ⊤ ⊑ ˆ S ( m , 0 ) L ( m , 0 ) 0 : push 1 1 : push 2 2 : store 0 3 : load 0 4 : numop mult 5 : goto 1

  21. Analysis specification � � H , ˆ ˆ L , ˆ Each instruction impose constraints on S . Example nil ⊑ ˆ b ⊤ ⊑ ˆ S ( m , 0 ) L ( m , 0 ) 0 : push 1 � push (ˆ 1 , ˆ S ( m , 0 )) ⊑ ˆ ˆ L ( m , 0 ) ⊑ ˆ S ( m , 1 ) L ( m , 1 ) 1 : push 2 2 : store 0 3 : load 0 4 : numop mult 5 : goto 1

  22. Analysis specification � � H , ˆ ˆ L , ˆ Each instruction impose constraints on S . Example nil ⊑ ˆ b ⊤ ⊑ ˆ S ( m , 0 ) L ( m , 0 ) 0 : push 1 � push (ˆ 1 , ˆ S ( m , 0 )) ⊑ ˆ ˆ L ( m , 0 ) ⊑ ˆ S ( m , 1 ) L ( m , 1 ) 1 : push 2 � push (ˆ 2 , ˆ S ( m , 1 )) ⊑ ˆ ˆ L ( m , 1 ) ⊑ ˆ S ( m , 2 ) L ( m , 2 ) 2 : store 0 pop (ˆ S ( m , 2 )) ⊑ ˆ L ( m , 2 )[ 0 �→ c ˆ top (ˆ S ( m , 2 ))] ⊑ ˆ d S ( m , 3 ) L ( m , 3 ) 3 : load 0 � push (ˆ L ( m , 3 )[ 0 ] , ˆ S ( m , 3 )) ⊑ ˆ L ( m , 3 ) ⊑ ˆ ˆ S ( m , 4 ) L ( m , 4 ) 4 : numop mult ˆ L ( m , 4 ) ⊑ ˆ L ( m , 5 ) . . . 5 : goto 1 S ( m , 5 ) ⊑ ˆ ˆ ˆ L ( m , 5 ) ⊑ ˆ S ( m , 1 ) L ( m , 1 )

  23. Analysis solution The smallest value which verifies all constraints. Example b nil [ 0 �→ ⊤ ; 1 �→ ⊤ ] 0 : push 1 < ˆ [ 0 �→ ˆ 2 > 1 ; 1 �→ ⊤ ] 1 : push 2 < ˆ 1 :: ˆ [ 0 �→ ˆ 1 ; 1 �→ ⊤ ] 2 > 2 : store 0 < ˆ [ 0 �→ ˆ 2 > 1 ; 1 �→ ⊤ ] 3 : load 0 < ˆ 1 :: ˆ [ 0 �→ ˆ 2 > 1 ; 1 �→ ⊤ ] 4 : numop mult < ˆ [ 0 �→ ˆ 2 > 1 ; 1 �→ ⊤ ] 5 : goto 1 ⊥ ⊥

  24. Outline ◮ Motivation ◮ A Static Analysis for Carmel ◮ Building a certified static analyser ◮ Conclusion

  25. Building a certified static analyser ◮ A puzzle with 8 pieces, ◮ Each piece interacts with its neighbors

  26. Building a certified static analyser semantic domains ◮ Each semantic domain is modeled with a type ◮ Following exactly the definitions already seen in a previous slide

  27. Building a certified static analyser semantic abstract domains domains ◮ Each semantic domain is in relation with an abstract domain ◮ an abstract domain is a lattice (formalization of lattices in Coq to follow...)

  28. Building a certified static analyser semantic correctness abstract domains relations domains ◮ A relation ∼ between State and � State ◮ s ∼ � Σ interprets as “ � Σ is a correct approximation of s ” ◮ ∼ must be monotone : Σ 2 ∈ � ∀ s ∈ State , ∀ � Σ 1 , � State , if s ∼ � Σ 1 and � Σ 1 ⊑ � Σ 2 then s ∼ � Σ 2

  29. Building a certified static analyser semantic correctness abstract domains relations domains semantic rules ◮ The transition relation · ⇒ · is defined using Coq inductive types ◮ Collecting semantics : ] = { s | ∃ s 0 an initial state , with s 0 ⇒ ∗ s } [ [ P ] We want to compute a correct approximation of [ [ P ] ]

  30. Building a certified static analyser semantic correctness abstract domains relations domains analysis semantic specification rules ◮ we define a predicate P ⊢ � Σ which imposes a set of constraints on an abstract state � Σ

Recommend

Extracting Gait Parameters Extracting Gait Parameters from Raw Data from Raw Data

Extracting Gait Parameters Extracting Gait Parameters from Raw Data from Raw Data

Extracting Gait Parameters Extracting Gait Parameters from Raw Data from Raw Data Accelerometers Accelerometers Andr DIAS a,b,c , Lukas GORZELNIAK b , Angela DRING c , Gunnar HARTVIGSEN a,d , Alexander HORSCH b,d a Norwegian Centre for

582 views • 15 slides
Justification logic for constructive modal logic Sonia Marin With Roman Kuznets and Lutz

Justification logic for constructive modal logic Sonia Marin With Roman Kuznets and Lutz

Justification logic for constructive modal logic Sonia Marin With Roman Kuznets and Lutz Straburger Inria, LIX, Ecole Polytechnique IMLA17 July 17, 2017 The big picture The big picture Justification logic: G odel: What is the

928 views • 49 slides
The I nCell Analyser 1 0 0 0 High throughput, high content screening The InCell Analyser 1000

The I nCell Analyser 1 0 0 0 High throughput, high content screening The InCell Analyser 1000

The I nCell Analyser 1 0 0 0 High throughput, high content screening The InCell Analyser 1000 Automated cellular and subcellular imaging system. Built around epifluorescent based microscope and image acquisition software. Fixed and live

639 views • 20 slides
Lusteral Uniform and Modular Composition of Data-flow &amp; Control-flow in the Lazy

Lusteral Uniform and Modular Composition of Data-flow &amp; Control-flow in the Lazy

Lusteral Uniform and Modular Composition of Data-flow &amp; Control-flow in the Lazy -Calculus joint work with Marc Pouzet M. Mendler, University of Bamberg Synchron 2008 CPL Aussois Synchron 2008 CPL Aussois 1 Constructive Data

491 views • 48 slides
Extracting a cellular hierarchy from high- dimensional single-cell data Peng Qiu Department of

Extracting a cellular hierarchy from high- dimensional single-cell data Peng Qiu Department of

Extracting a cellular hierarchy from high- dimensional single-cell data Peng Qiu Department of Bioinformatics and Computational Biology University of Texas MD Anderson Cancer Center Flow / mass cytometry data Biology questions How many

516 views • 23 slides
The Edge Handheld Lactate Analyser Rachel Hilton DipAVN(Medical) RVN The Edge Lactate

The Edge Handheld Lactate Analyser Rachel Hilton DipAVN(Medical) RVN The Edge Lactate

The Edge Handheld Lactate Analyser Rachel Hilton DipAVN(Medical) RVN The Edge Lactate Analyser Portable Minimal sample volume Rapid results Large data storage Easy result recall Lactate By product of anaerobic glycolysis

506 views • 13 slides
Logic Synthesis Overview Design flow Principles of logic synthesis Logic

Logic Synthesis Overview Design flow Principles of logic synthesis Logic

Logic Synthesis Overview Design flow Principles of logic synthesis Logic Synthesis with the common tools Conclusions 2 System Design Flow Electronic System Level (ESL) flow System C TLM, Verification, Profiling

1.12k views • 28 slides
A Compositional Logic A Compositional Logic for Control Flow for Control Flow Gang Tan, Boston

A Compositional Logic A Compositional Logic for Control Flow for Control Flow Gang Tan, Boston

A Compositional Logic A Compositional Logic for Control Flow for Control Flow Gang Tan, Boston College g , g Andrew W. Appel, Princeton University Jan 8 2006 Jan 8, 2006 1 Mobile Code Security Protect trusted system against

561 views • 26 slides
The rules of constructive reasoning Rosalie Iemhoff Utrecht University 1 / 31 Intuitionistic

The rules of constructive reasoning Rosalie Iemhoff Utrecht University 1 / 31 Intuitionistic

The rules of constructive reasoning Rosalie Iemhoff Utrecht University 1 / 31 Intuitionistic logic 2 / 31 Constructive theories Intermediate logics Intuitionistic logic Modal logics Substructural logics 3 / 31 Theorems versus proofs A is

584 views • 30 slides
Formalizing Classical Modal Logic in Constructive Logic Christian Doczkal Gert Smolka

Formalizing Classical Modal Logic in Constructive Logic Christian Doczkal Gert Smolka

Formalizing Classical Modal Logic in Constructive Logic Christian Doczkal Gert Smolka Programming Systems Lab, Saarland University Coq-3 Workshop, Nijmegen, August 26, 2011 Christian Doczkal (Saarland University) Classical Modal Logic in

464 views • 32 slides
Equideductive Logic and CCCs with Subspaces Paul Taylor Advances in Constructive Topology and

Equideductive Logic and CCCs with Subspaces Paul Taylor Advances in Constructive Topology and

Equideductive Logic and CCCs with Subspaces Paul Taylor Advances in Constructive Topology and Logical Foundations Universit` a di Padova gioved` , il 9 ottobre 2008 www.PaulTaylor.EU / ASD Abstract Stone Duality ASDs axiomatisation of

811 views • 59 slides
1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

Control-Flow Analysis and Loop Detection Context Last time Data-flow Speeding up data-flow analysis Flow of data values from defs to uses Could alternatively be represented as a data dependence Today Control-flow analysis

516 views • 5 slides
Continuity in constructive analysis Helmut Schwichtenberg Mathematisches Institut, LMU, M

Continuity in constructive analysis Helmut Schwichtenberg Mathematisches Institut, LMU, M

Continuity in constructive analysis Helmut Schwichtenberg Mathematisches Institut, LMU, M unchen Workshop on Mathematical Logic and its Applications, Kyoto, 16. &amp; 17. September 2016 1 / 12 Aim: Constructive analysis, with constructions

263 views • 12 slides
Information Flow in Logic Programming Antoun Yaacoub Introduction Syntax and semantics Antoun

Information Flow in Logic Programming Antoun Yaacoub Introduction Syntax and semantics Antoun

Inf. flow in Logic Prog. Information Flow in Logic Programming Antoun Yaacoub Introduction Syntax and semantics Antoun Yaacoub Information flow in logic Pg. Deciding Institut de Recherche en Informatique de Toulouse (IRIT) bisimulation

683 views • 66 slides
Provable insecurity Where artifacts come from, and how constructive math may help Claus Diem and

Provable insecurity Where artifacts come from, and how constructive math may help Claus Diem and

Provable insecurity Where artifacts come from, and how constructive math may help Claus Diem and dreiwert University of Leipzig December 29, 2019 Hash functions in theory and practice Constructive logic Part I Problem Claus Diem and

1.99k views • 168 slides
On the constructive content of proofs in abstract analysis Ulrich Berger Swansea University

On the constructive content of proofs in abstract analysis Ulrich Berger Swansea University

On the constructive content of proofs in abstract analysis Ulrich Berger Swansea University Helsinki Logic Seminar December 19, 2018 Supported by a Royal Society grant on Team Semantics, and the EU project Computation with Infinite Data

1.65k views • 136 slides
THE VECTOR NETWORK ANALYSER A SERIOUS TOOL FOR THE TECHNICAL RADIO AMATEUR WHAT IS A VECTOR

THE VECTOR NETWORK ANALYSER A SERIOUS TOOL FOR THE TECHNICAL RADIO AMATEUR WHAT IS A VECTOR

THE VECTOR NETWORK ANALYSER A SERIOUS TOOL FOR THE TECHNICAL RADIO AMATEUR WHAT IS A VECTOR NETWORK ANALYSER (VNA) A piece of test equipment which measures complex multi-port S parameters Input Output Unknown Circuit 2 Port analysis

326 views • 17 slides
1 Ways to improve data-flow analysis efficiency Example (liveness) 1st 2nd 3rd

1 Ways to improve data-flow analysis efficiency Example (liveness) 1st 2nd 3rd

Speeding Up Data-Flow Analysis Solving the Data-flow Equations Last time Algorithm Various optimizations that use data-flow analysis for each node n in CFG initialize solutions in[n] = ; out[n] = Today repeat Speeding up

418 views • 4 slides
Human-Readable Machine-Verifiable Proofs for Teaching Constructive Logic Andreas Abel, Bor-Yuh

Human-Readable Machine-Verifiable Proofs for Teaching Constructive Logic Andreas Abel, Bor-Yuh

Human-Readable Machine-Verifiable Proofs for Teaching Constructive Logic Andreas Abel, Bor-Yuh Evan Chang, and Frank Pfenning Workshop on Proof Transformations, Proof Presentations and Complexity of Proofs International Joint Conference on

578 views • 23 slides
Flow Analysis Data-flow analysis, Control-flow analysis, Abstract interpretation, AAM Helpful

Flow Analysis Data-flow analysis, Control-flow analysis, Abstract interpretation, AAM Helpful

Flow Analysis Data-flow analysis, Control-flow analysis, Abstract interpretation, AAM Helpful Reading: Sections 1.1-1.5, 2.1 Data-flow analysis (DFA) A framework for statically proving facts about program data. Focuses on simple, finite

1.04k views • 54 slides
1 Liveness by Example (cont) Control Flow Graphs (CFGs) Live range of a Definition a is live

1 Liveness by Example (cont) Control Flow Graphs (CFGs) Live range of a Definition a is live

Introduction to Data-flow analysis Data-flow Analysis Last Time Idea Undergraduate compilers review Data-flow analysis derives information about the dynamic behavior of a program by only examining the static code Assem.Instr data

903 views • 4 slides
Ontology-based Data Access for Extracting Event Logs from Legacy Data The onprom Tool and

Ontology-based Data Access for Extracting Event Logs from Legacy Data The onprom Tool and

Ontology-based Data Access for Extracting Event Logs from Legacy Data The onprom Tool and Methodology D. Calvanese 1 , T. E. Kalayci 1 , M. Montali 1 , S. Tinella 2 1 KRDB Research Centre for Knowledge and Data, Free University of Bozen-Bolzano

888 views • 53 slides
Flow Visualization Overview: Flow Visualization (1) Introduction, overview Fl Flow data d t

Flow Visualization Overview: Flow Visualization (1) Introduction, overview Fl Flow data d t

Flow Visualization Overview: Flow Visualization (1) Introduction, overview Fl Flow data d t Simulation vs. measurement vs. modelling 2D vs. surfaces vs. 3D Steady vs time-dependent flow St d ti d d t fl Direct vs. indirect flow

957 views • 92 slides
Flow Visualization Overview: Flow Visualization (1) Introduction, overview Flow data Simulation

Flow Visualization Overview: Flow Visualization (1) Introduction, overview Flow data Simulation

Flow Visualization Overview: Flow Visualization (1) Introduction, overview Flow data Simulation vs. measurement vs. modelling 2D vs. surfaces vs. 3D Steady vs time-dependent flow Direct vs. indirect flow visualization Experimental flow

1.18k views • 92 slides

More recommend