1 / 15

Report on Project CComp

Report on Project CComp. Zhaopeng Li Joint work with Prof. Yiyun Chen, Zhong Zhuang, Simin Yang, Dawei Fan, Zhenting Zhang Software Security Lab., USTC, Suzhou, China August 1, 2009. Motivation. “Friendly” Program verification A prototype for research on: Certifying Compiler

walter
Download Presentation

Report on Project CComp

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Report on Project CComp Zhaopeng Li Joint work with Prof. Yiyun Chen, Zhong Zhuang, Simin Yang, Dawei Fan, Zhenting Zhang Software Security Lab., USTC, Suzhou, China August 1, 2009

  2. Motivation • “Friendly” Program verification • A prototype for research on: • Certifying Compiler • Automated Theorem Prover • Proof Building /Generation

  3. Research Objects (1) Certifying Compiler /*n>0 | emp*/ struct list* list_create(int n) { … while(n>0) /*n>=0 | list(p)*/ {… } return p; } /* true | list(res)*/ List_create: push ebp mov esp, ebp sub esp, 8 jmp L0 L0 : … L1 : Lemma wf_L0: … Lemma wf_L1: … Lemma … CComp Compiler C-like language SCAP Framework

  4. Research Objects (2) Automated Theorem Prover Prover for fragment of Separation Logic Linear Arithmetic Prover Formulas Proof (Proof Term Checkable by Coq) Other Domain-Specific Provers (list, and etc.) Proof Tree Proof Output Automated Theorem Prover Fragment of Separation Logic : separation star / emp / p|->_ Build-in Predicates : list/lseg/dlist/dlseg/tree…

  5. Research Objects (3) Proof-Building/Generation /*n>0 | emp*/ struct list* list_create(int n) { … while(n>0) /*n>=0 | list(p)*/ {… } return p; } /* true | list(res)*/ List_create: push ebp mov esp, ebp sub esp, 8 jmp L0 L0 : … L1 : Lemma wf_L0: … Lemma wf_L1: … Lemma … CComp Compiler Proof-Building/ Generation High Level: VCGen-based Verification VC + Proof C-like language SCAP Framework

  6. Clike Front-end SCAP (modified for CComp) IRGen SpecGen Algorithm (partial) VCGen (still some bugs) ProofGen Design Theorem Prover: linear arithmetic (with coq-checkable proof) Theorem Prover: fragment of separation logic (list, lseg) Current Status IRCode x86Code IRGen SCAP package x86Gen Clike Front-end VC Prf. VC Prf. Spec. SpecGen VCGen ProofGen Theorem Prover

  7. SCAP (modified for CComp) • Abstract Machine • Explicit Stack • Inexplicit Stack Register • Stack K ::= (webp, wesp, w::w:: … ::nil) • Reg&Instruction • No ebp, esp as register • enter/leave in prolog/epilog • Special move instruction for load/store on stack

  8. Specification Generation for SCAP • Specification (p,g) • Every label • Each program point • Pre-/Post-condition • Generate p • Generate g • By • Operation semantics • Source-level specifications • pre-/post-conditions • loop invariants p S enter x jmp L1 L1 : {(p1, g1)} Basic block2 g S S’ leave ret

  9. Figure Out G G: State -> State -> Prop R f : {R’(ebp)=R(ebp)/\R’(esp)=R(esp)+4} push ebp mov esp, ebp sub $12, esp R0(ebp) = R(ebp) /\ R0(esp) = R(esp) -4 R’(ebp) = R0(ebp) /\ R’(esp)=R0(esp)+8 R0 R’(ebp) = R(ebp) /\ R0(ebp) = R(ebp) /\ R’(esp)=R(esp)+4 /\ R0(esp) = R(esp) -4 g0 L1 : {g1} Basic block2 • The method: • Get state relation by rule of operational semantics; • Use the g of previous program point; • Do substitution and arithmetic. Leave ret R’

  10. Figure Out G (cont.) R f : {R’(ebp)=R(ebp)/\R’(esp)=R(esp)+4} push ebp mov esp, ebp sub $12, esp R’(ebp) = R0(ebp) /\ R’(esp)=R0(esp)+8 R0 g0 R1 R1(ebp) = R0(esp) /\ R1(esp) = R0(esp) R’(ebp) = M1(R1(ebp)) /\ R’(esp)=R1(esp)+8 R’(ebp) = R0(ebp) /\ R1(ebp) = R0(esp) /\ R’(esp)=R0(esp)+8 /\ R1(esp) = R0(esp) g1 L1 : {g1} Basic block2 • The method: • Get state relation by rule of operational semantics; • Use the g of previous program point; • Do substitution and arithmetic. Leave ret R’

  11. Figure Out G (cont.) R f : {R’(ebp)=R(ebp)/\R’(esp)=R(esp)+4} push ebp mov esp, ebp sub $12, esp R’(ebp) = R0(ebp) /\ R’(esp)=R0(esp)+8 R0 g0 R1 R’(ebp) = M1(R1(ebp)) /\ R’(esp)=R1(esp)+8 g1 R2 R2(ebp) = R1(ebp) /\ R2(esp) = R1(esp)-12 R’(ebp) = M2(R2(ebp)) /\ R’(esp)=R1(esp)+20 L1 : {g1} R’(ebp) = M1(R1(ebp)) /\ R2(ebp) = R1(ebp) /\ R’(esp)=R1(esp)+8 /\ R2(esp) = R1(esp)-12 Basic block2 g2 • The method: • Get state relation by rule of operational semantics; • Use the g of previous program point; • Do substitution and arithmetic. Leave ret R’

  12. On-Going Work • Automated Theorem Prover on • Fragment of separation logic • Build-in predicates: tree, dlist, dlseg,… • Proof term output • Back-end • Specification Gen for SCAP • Generation SCAP package

  13. Work to Do • Improve the Theorem Prover • Add more theory needed • Run some Benchmark • Complete and improve the Compiler • Engineering on back-end • More test cases, more testing • Papers on: • CComp • Automated Theorem Prover • SCAP(modified) and SpecGen

  14. Demonstration • Simin Yang • Linear Arithmetic Prover • Test cases on arithmetic examples • Zhong Zhuang • Prover for fragment of separation logic • Test cases on list and cyclic list • Zhenting Zhang • Building Proof of VC in IR using Clike VC • Test cases on linear arithmetic

  15. Thanks!

More Related