Report on Project CComp
Zhaopeng Li, joint work with Prof. Yiyun Chen, Zhong Zhuang, Simin Yang, Dawei Fan, Zhenting Zhang
Software Security Lab., USTC, Suzhou, China
August 1, 2009
Motivation
“Friendly” program verification. A prototype for research on:
Certifying Compiler
Automated Theorem Prover
Proof Building /Generation
Research Objects (1): Certifying Compiler
Input: a C-like language, with the source-level specification written as comments (precondition | heap assertion):
/* n>0 | emp */
struct list* list_create(int n) {
  …
  while (n>0) /* n>=0 | list(p) */ {
    …
  }
  return p;
}
/* true | list(res) */
Output of the CComp compiler: x86 code plus one lemma per label, checked in the SCAP framework:
Lemma wf_L0: …
Lemma wf_L1: …
Lemma …
List_create:
  push ebp
  mov esp, ebp
  sub esp, 8
  jmp L0
L0: …
L1: …
Research Objects (2): Automated Theorem Prover
Input: formulas. Output: a proof tree, turned into a proof term checkable by Coq.
Components of the automated theorem prover:
Linear arithmetic prover
Prover for a fragment of separation logic
Other domain-specific provers (list, etc.)
Fragment of separation logic: separating conjunction (*), emp, p |-> _
Built-in predicates: list / lseg / dlist / dlseg / tree …
Research Objects (3): Proof-Building/Generation
Same pipeline as in Research Objects (1): annotated C-like source -> CComp compiler -> x86 code with its lemmas (wf_L0, wf_L1, …), checked in the SCAP framework.
High level: VCGen-based verification, producing VC + Proof.
Proof-Building/Generation connects the high-level VC + Proof to the SCAP-level lemmas.
Current Status
Pipeline: Clike front-end -> IRGen (IR code) -> VCGen (VC) -> ProofGen / theorem prover (VC proof); from the IR code, SpecGen (Spec.) and x86Gen (x86 code); x86 code, Spec. and VC proofs are assembled into the SCAP package.
Status of each part:
Clike front-end
IRGen
VCGen (still some bugs)
Theorem prover: linear arithmetic (with Coq-checkable proof)
Theorem prover: fragment of separation logic (list, lseg)
SCAP (modified for CComp)
SpecGen algorithm (partial)
ProofGen design
SCAP (modified for CComp)
Abstract machine: an explicit stack, rather than an implicit stack held in a register
Stack K ::= (w_ebp, w_esp, w::w:: … ::nil)
Registers & instructions: no ebp, esp as registers; enter/leave in prologue/epilogue; a special move instruction for load/store on the stack
Specification Generation for SCAP
A SCAP specification is a pair (p, g), given at every label / each program point:
p: the precondition, a predicate on the state S at that point (p S)
g: the guarantee, a relation between the state S at that point and the state S' at return (g S S')
Generate p from the source-level specifications: pre-/post-conditions, loop invariants
Generate g by the operational semantics
Layout of a compiled function:
  enter x
  jmp L1
  Basic block 2
L1 : {(p1, g1)}
  leave
  ret
Figure Out G
G : State -> State -> Prop. The guarantee of f relates the entry state R to the return state R'; the states after each prologue instruction are R0, R1, R2:
f : {R'(ebp) = R(ebp) /\ R'(esp) = R(esp) + 4}
  push ebp        (R  -> R0)
  mov esp, ebp    (R0 -> R1)
  sub $12, esp    (R1 -> R2)
  Basic block 2
L1 : {g1}
  leave
  ret             (-> R')
Step 1, push ebp. State relation from the rule of the operational semantics: R0(ebp) = R(ebp) /\ R0(esp) = R(esp) - 4
Conjoined with the g of the previous program point (the g of f): R'(ebp) = R(ebp) /\ R0(ebp) = R(ebp) /\ R'(esp) = R(esp) + 4 /\ R0(esp) = R(esp) - 4
After substitution and arithmetic, g0: R'(ebp) = R0(ebp) /\ R'(esp) = R0(esp) + 8
The method:
1. Get the state relation by the rule of the operational semantics;
2. Use the g of the previous program point;
3. Do substitution and arithmetic.
Figure Out G (cont.)
Step 2, mov esp, ebp (R0 -> R1). State relation: R1(ebp) = R0(esp) /\ R1(esp) = R0(esp)
Conjoined with g0: R'(ebp) = R0(ebp) /\ R1(ebp) = R0(esp) /\ R'(esp) = R0(esp) + 8 /\ R1(esp) = R0(esp)
After substitution and arithmetic, g1: R'(ebp) = M1(R1(ebp)) /\ R'(esp) = R1(esp) + 8
(R0(ebp) is the word that push stored at R0(esp); mov does not change memory and R1(ebp) = R0(esp), so R0(ebp) = M1(R1(ebp)).)
Figure Out G (cont.)
Step 3, sub $12, esp (R1 -> R2). State relation: R2(ebp) = R1(ebp) /\ R2(esp) = R1(esp) - 12
Conjoined with g1: R'(ebp) = M1(R1(ebp)) /\ R2(ebp) = R1(ebp) /\ R'(esp) = R1(esp) + 8 /\ R2(esp) = R1(esp) - 12
After substitution and arithmetic (sub does not touch memory, so M2 = M1; R1(esp) = R2(esp) + 12), g2: R'(ebp) = M2(R2(ebp)) /\ R'(esp) = R2(esp) + 20
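The three-step method of the "Figure Out G" slides, and the g-generation half of "Specification Generation for SCAP", carried out mechanically. This is an added example, not code from the CComp project: a small symbolic executor that keeps every register and stack slot as a term over the entry state R, applies the state relation of each instruction, and then rewrites the function-level guarantee over the current state R_i. The term language, the AT&T operand order ("src, dst", as in the slides' `mov esp, ebp` and `sub $12, esp`), 4-byte words, and the restriction to the instructions a prologue/epilogue needs are this example's assumptions. It goes beyond the slides by continuing through `leave` and `ret`, where the guarantee must collapse to the identity at the return point.

```python
"""Guarantee generation along a function prologue/epilogue, following the
three-step method: (1) state relation from the operational semantics,
(2) the g of the previous program point, (3) substitution and arithmetic.

Added example, not CComp code. Assumptions: this term language, AT&T operand
order ("src, dst"), 4-byte words, prologue/epilogue instructions only."""
from dataclasses import dataclass
from typing import Dict, List, Union


@dataclass(frozen=True)
class Reg:          # R_s(r): register r in state s ("R" = entry, "R0", "R1", ...)
    state: str
    reg: str


@dataclass(frozen=True)
class Mem:          # M_s(a): the word at address a in the memory of state s
    state: str
    addr: "Term"


@dataclass(frozen=True)
class Add:          # t + k for a constant k (never nested, see add())
    term: "Term"
    k: int


Term = Union[Reg, Mem, Add]


def add(t: Term, k: int) -> Term:
    """t + k with the constant folded, so equal addresses compare equal."""
    if isinstance(t, Add):
        t, k = t.term, t.k + k
    return t if k == 0 else Add(t, k)


def show(t: Term) -> str:
    """Render in the slides' notation: R1(esp)+8, M1(R1(ebp))."""
    if isinstance(t, Reg):
        return f"{t.state}({t.reg})"
    if isinstance(t, Mem):
        return f"M{t.state[1:]}({show(t.addr)})"
    return f"{show(t.term)}{t.k:+d}"


class AbstractState:
    """One program point, everything expressed over the entry state R:
    esp = R(esp) + d, ebp = some term, stack[o] = term stored at R(esp) + o."""

    def __init__(self, name: str, d: int = 0, ebp: Term = Reg("R", "ebp"), stack=None):
        self.name, self.d, self.ebp = name, d, ebp
        self.stack: Dict[int, Term] = dict(stack or {})

    def step(self, name: str, instr: str) -> "AbstractState":
        """Step 1: the state relation of one instruction (operational semantics)."""
        s = AbstractState(name, self.d, self.ebp, self.stack)
        op, *args = instr.replace(",", " ").split()
        if op == "push" and args == ["ebp"]:
            s.d -= 4
            s.stack[s.d] = self.ebp                     # saved copy of ebp
        elif op == "mov" and args == ["esp", "ebp"]:    # ebp := esp
            s.ebp = add(Reg("R", "esp"), self.d)
        elif op in ("sub", "add") and len(args) == 2 and args[1] == "esp":
            k = int(args[0].lstrip("$"))
            s.d += -k if op == "sub" else k
        elif op == "leave":                             # esp := ebp; pop ebp
            base, off = (self.ebp.term, self.ebp.k) if isinstance(self.ebp, Add) else (self.ebp, 0)
            if base != Reg("R", "esp"):
                raise ValueError("leave: ebp is not known to point into this frame")
            s.d = off
            s.ebp = s.stack.get(s.d, Mem("R", add(Reg("R", "esp"), s.d)))
            s.d += 4
        elif op == "ret":                               # pops the return address
            s.d += 4
        else:
            raise NotImplementedError(instr)
        return s

    def over(self, t: Term) -> Term:
        """Steps 2+3: rewrite a term over the entry state R as a term over this
        state (substitute the state relation into the previous g, simplify)."""
        if t == self.ebp:                               # that value sits in ebp now
            return Reg(self.name, "ebp")
        if isinstance(t, Add):
            return add(self.over(t.term), t.k)
        if t == Reg("R", "esp"):                        # R(esp) = R_i(esp) - d
            return add(Reg(self.name, "esp"), -self.d)
        if t == Reg("R", "ebp"):                        # ebp overwritten: use the saved copy
            for o, v in self.stack.items():
                if v == t:
                    return Mem(self.name, self.over(add(Reg("R", "esp"), o)))
        raise ValueError(f"{show(t)} cannot be expressed over {self.name}")


# f : {R'(ebp) = R(ebp) /\ R'(esp) = R(esp) + 4}, the guarantee at function entry
FUNCTION_G: Dict[str, Term] = {"ebp": Reg("R", "ebp"), "esp": add(Reg("R", "esp"), 4)}


def figure_out_g(code: List[str], g: Dict[str, Term] = FUNCTION_G):
    """(instruction, state name, g_i) for the program point after each instruction."""
    st, out = AbstractState("R"), []
    for i, instr in enumerate(code):
        st = st.step(f"R{i}", instr)
        out.append((instr, st.name, {r: st.over(t) for r, t in g.items()}))
    return out


def g_strings(code: List[str]) -> List[str]:
    """The same, rendered as on the slides: "R1: R'(ebp)=M1(R1(ebp)) /\\ R'(esp)=R1(esp)+8"."""
    return [f"{name}: " + " /\\ ".join(f"R'({r})={show(t)}" for r, t in gi.items())
            for _, name, gi in figure_out_g(code)]


PROLOGUE = ["push ebp", "mov esp, ebp", "sub $12, esp", "leave", "ret"]

if __name__ == "__main__":
    for line in g_strings(PROLOGUE):
        print(line)
```

Running it reproduces g0, g1 and g2 from the slides and then gives `R3: R'(ebp)=R3(ebp) /\ R'(esp)=R3(esp)+4` after `leave` and `R4: R'(ebp)=R4(ebp) /\ R'(esp)=R4(esp)` after `ret`, i.e. the identity relation at the return point, which is the sanity check one would want on a generated specification. The rewriting raises instead of guessing when a value is neither in a register nor in a tracked stack slot, which is exactly the case in which no guarantee of this shape is provable.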
On-Going Work
Automated theorem prover on the fragment of separation logic: built-in predicates tree, dlist, dlseg, …; proof term output
Back-end: specification generation for SCAP; generation of the SCAP package
Work to Do
Improve the theorem prover: add more of the theories needed; run some benchmarks
Complete and improve the compiler: engineering on the back-end; more test cases, more testing
Papers on: CComp; the automated theorem prover; SCAP (modified) and SpecGen
Demonstration
Simin Yang: linear arithmetic prover; test cases on arithmetic examples
Zhong Zhuang: prover for the fragment of separation logic; test cases on list and cyclic list
Zhenting Zhang: building the proof of the VC in IR using the Clike VC; test cases on linear arithmetic
Thanks!