## Certified Result Checking for Polyhedral Analysis of Bytecode Programs

Citations: 3 (3 self)

### BibTeX

```bibtex
@MISC{Besson_certifiedresult,
  author = {Frédéric Besson and Thomas Jensen and David Pichardie and Tiphaine Turpin},
  title = {Certified Result Checking for Polyhedral Analysis of Bytecode Programs},
  year = {}
}
```

### Abstract

Static analysers are becoming so complex that it is crucial to ascertain the soundness of their results in a provable way. In this paper we develop a certified checker in Coq that is able to certify the results of a polyhedral array-bound analysis for an imperative, stack-oriented bytecode language with procedures, arrays and global variables. The checker uses, in addition to the analysis result, certificates which at the same time improve efficiency and make correctness proofs much easier. In particular, our result certifier avoids complex polyhedral computations such as convex hulls and instead uses easily checkable inclusion certificates based on Farkas' lemma. Benchmarks demonstrate that our approach is effective and produces certificates that can be efficiently checked not only by an extracted Caml checker but also directly in Coq.
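The abstract's key design point is that the checker never recomputes the analysis: it only verifies certificates, which keeps the trusted code small. The following added example (my own illustration, not code from the paper or its Coq development) shows what an "inclusion certificate based on Farkas' lemma" looks like when polyhedra are kept purely in constraint form. It relies on the affine form of Farkas' lemma over the rationals: a non-negative combination of the constraints of a polyhedron is always implied by that polyhedron, so a list of non-negative multipliers is a proof that the combined inequality holds (and, if the combination reads 0 ≤ negative, that the polyhedron is empty). The checker only needs exact linear arithmetic, no convex hull and no projection. The constraint encoding, the sample invariant over the index variables (i, j, n) and the multipliers are constructed for this example; the snippet is not the paper's checker and says nothing about its Coq interface.

```python
from fractions import Fraction
from typing import List, Optional, Sequence, Tuple

# A constraint (a, b) stands for the linear inequality  a[0]*x0 + ... + a[n-1]*x(n-1) <= b.
# A polyhedron is just a list of such constraints (no generator representation needed).
Constraint = Tuple[List[Fraction], Fraction]


def ineq(coeffs: Sequence, bound) -> Constraint:
    """Build a constraint with exact rational arithmetic (no floating-point rounding)."""
    return ([Fraction(c) for c in coeffs], Fraction(bound))


def combine(poly: Sequence[Constraint], lam: Sequence) -> Optional[Constraint]:
    """Non-negative linear combination  sum_j lam[j] * (a_j . x <= b_j).

    Any such combination is implied by `poly`; that is the only fact the checker
    relies on. Returns None when the certificate is malformed (wrong length,
    negative multiplier, inconsistent dimensions)."""
    if len(lam) != len(poly) or not poly:
        return None
    mult = [Fraction(l) for l in lam]
    if any(m < 0 for m in mult):
        return None
    dim = len(poly[0][0])
    coeffs = [Fraction(0)] * dim
    bound = Fraction(0)
    for (a, b), m in zip(poly, mult):
        if len(a) != dim:
            return None
        for i in range(dim):
            coeffs[i] += m * a[i]
        bound += m * b
    return (coeffs, bound)


def check_implication(poly, target: Constraint, lam) -> bool:
    """Farkas certificate that every point of `poly` satisfies `target`: the
    combination must reproduce the target's coefficients exactly and reach a
    bound no larger than the target's bound."""
    comb = combine(poly, lam)
    if comb is None:
        return False
    coeffs, bound = comb
    return coeffs == list(target[0]) and bound <= target[1]


def check_emptiness(poly, lam) -> bool:
    """Farkas certificate that `poly` has no solution: derive 0 <= (negative number)."""
    comb = combine(poly, lam)
    if comb is None:
        return False
    coeffs, bound = comb
    return all(c == 0 for c in coeffs) and bound < 0


def check_inclusion(p, q, certs) -> bool:
    """p is included in q, with one certificate per constraint of q."""
    return len(certs) == len(q) and all(
        check_implication(p, t, lam) for t, lam in zip(q, certs)
    )


# Constructed sample, variables ordered (i, j, n): an invariant an analyser might
# report at an array access a[i], where n is the array length.
INV = [
    ineq([-1, 0, 0], 0),    # 0 <= i
    ineq([1, -1, 0], 0),    # i <= j
    ineq([0, 1, -1], -1),   # j + 1 <= n
]
# The two facts needed for a safe access: 0 <= i and i <= n - 1.
SAFE = [ineq([-1, 0, 0], 0), ineq([1, 0, -1], -1)]
# Constructed certificates: multipliers over INV's three constraints.
SAFE_CERTS = [[1, 0, 0], [0, 1, 1]]

# A forged claim of the stronger, false bound i <= n - 2 (same multipliers).
FORGED_TARGET = ineq([1, 0, -1], -2)

# An infeasible path: the invariant plus n <= 0 (an access on an empty array).
DEAD = INV + [ineq([0, 0, 1], 0)]
DEAD_CERT = [1, 1, 1, 1]


def demo() -> dict:
    return {
        "safe": check_inclusion(INV, SAFE, SAFE_CERTS),
        "forged_rejected": not check_implication(INV, FORGED_TARGET, [0, 1, 1]),
        "dead_path_empty": check_emptiness(DEAD, DEAD_CERT),
        "live_not_empty": not check_emptiness(INV, [1, 1, 1]),
    }


if __name__ == "__main__":
    print(demo())
```

Two properties matter for a result checker of this kind. Soundness needs only the "if" direction of Farkas' lemma, which is why the correctness proof of the checker stays short: a rejected certificate is simply discarded, and a forged one (as with `FORGED_TARGET`) can never make a false inclusion pass. Completeness (every true inclusion of a non-empty rational polyhedron has such a certificate) is what lets the untrusted analyser always produce one, but the checker does not depend on it. Note that this reasoning is over rational polyhedra; integer-only facts need additional cutting arguments that this example does not cover.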

### Citations

1958 | Abstract interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints
- Cousot, Cousot
- 1977
Citation Context: ...-fixpoints {x | F♯(x) ⊑ x} of a suitable monotone function F♯ operating on the global abstract domain State♯ of the analysis. Computing such a post-fixpoint is then the role of chaotic iterations [8]. Iteration is sped up by using widening on well-chosen control points. Neither the iteration strategy nor the widening operators belong to the Trusted Computing Base (TCB) since the validity of the r...

1508 | Theory of linear and integer programming
- Schrijver
- 1986
Citation Context: ...sists in applying the renaming to the expressions within the polyhedron. Because the existential variables belong to a disjoint set, no capture can occur. Using Fourier-Motzkin elimination (see e.g., [19]), projections can be computed directly over the constraint representation of polyhedra. However, in the worst case, the number of constraints grows exponentially in the number of variables to project...

589 | Automatic discovery of linear restraints among variables of a program
- Cousot, Halbwachs
- 1978
Citation Context: ...ms for which it is generally easier to prove the correctness of a result verifier than the algorithm itself. In this paper we apply this result certification methodology [20] to a polyhedral analysis [10] for an imperative, stack-oriented bytecode language with procedures, arrays and global variables. We design in parallel a polyhedral analyser and a certified result checker using the abstract interpr...

245 | The octagon abstract domain
- Miné
Citation Context: ...nal domain specification The bytecode analysis is specified with respect to an abstract numeric relational interface (defined below) that can be instantiated with standard relational abstract domains [10, 16, 17]. The numeric abstract domain D is a family of sets D_V indexed with a finite set V of variables. The abstract operators and associated properties lis...

232 | Formal certification of a compiler back-end or: programming a compiler with a proof assistant
- Leroy
- 2006
Citation Context: ...ic manipulations of a polyhedral library [12] and the problem becomes even more perceptible in a pure lambda-calculus language such as Coq. As noticed by Leroy in the context of certified compilation [15], static analyses and optimisation heuristics are algorithms for which it is generally easier to prove the correctness of a result verifier than the algorithm itself. In this paper we apply this resul...

108 | Software Reliability via Run-Time Result-Checking
- Blum, Wasserman
- 1997
Citation Context: ...sation heuristics are algorithms for which it is generally easier to prove the correctness of a result verifier than the algorithm itself. In this paper we apply this result certification methodology [20] to a polyhedral analysis [10] for an imperative, stack-oriented bytecode language with procedures, arrays and global variables. We design in parallel a polyhedral analyser and a certified result chec...

90 | The Semantics of Reflected Proof
- Allen, Constable, et al.
- 1990
Citation Context: ...ism. In the second approach, the result checker is directly run inside the reduction engine of Coq to compute a foundational proof of safety of the program (using the technique of proof by reflection [1]). Fig. 3 presents our experimental results. The benchmarks are relatively modest in size and it is well known that full-blown polyhedral analyses have scalability problems. Our analyser will not avoi...

75 | Towards a mechanized metatheory of Standard ML
- Lee, Crary, et al.
- 2007
Citation Context: ...p a fully certified VCGen within Isabelle/HOL for verifying arithmetic overflow in Java bytecode. The certification of abstract interpreters has been developed by Pichardie et al. [18, 6]. Lee et al. [14] have certified the type analysis of a language close to Standard ML in LF and Leroy [15] has certified some of the data f...

68 | A compiled implementation of strong reduction
- Grégoire, Leroy
Citation Context: ... small (less than one second), which is especially noteworthy given that the checker is run in Coq. We clearly benefit here from our efficient implementation and the optimised reduction engine of Coq [11]. Compared to the extracted version, the Coq verifier has at most a factor 10 of efficiency penalty. Second, pruning can halve the number of constraints to verify. This reduction can sometimes but not...

62 | Verified bytecode verifiers
- Klein, Nipkow
- 2003
Citation Context: ... Java a trustworthy platform for mobile computing. Several researchers have investigated how to develop machine-checked bytecode verifiers in order to increase the confidence in this component itself [13, 2]. The standard bytecode verifier ensures one kind of security policy that is proved by a simple data flow analysis. The static verification of other security and safety policies (e.g., to check that a...

61 | Precise interprocedural analysis through linear algebra
- Müller-Olm, Seidl
- 2004
Citation Context: ...nal domain specification The bytecode analysis is specified with respect to an abstract numeric relational interface (defined below) that can be instantiated with standard relational abstract domains [10, 16, 17]. The numeric abstract domain D is a family of sets D_V indexed with a finite set V of variables. The abstract operators and associated properties lis...

48 | Imperative programming with dependent types
- Xi
- 2000
Citation Context: ...be represented symbolically and only the comparisons and assignment to variables require updating the relation l♯ between variables. In a polyhedron-based analysis this kind of symbolic manipulation [24, 21] is a substantial saving. Definition 1 (Abstract domain). The abstract value for a program P is described by an element (Pre, Post, Loc) of the lattice State♯ = (Meth → D_{R0+S0}) × (Meth → D_{R0+S0+S+...

37 | The ASTRÉE Analyser
- Cousot, Cousot, et al.
- 2005
Citation Context: ...bounds) requires more sophisticated static program analysers, which themselves are sophisticated pieces of software. A significant example of this is the state-of-the-art Astrée static analyser for C [9] which proves the absence of run-time errors for the primary flight control software of the Airbus A340 fly-by-wire system. In this paper we show that it is possible to use advanced analysers to enhan...

35 | Algorithm for Finding a General Formula for the Non-negative Solutions of a
- Chernikova
- 1965
Citation Context: ...he polyhedron. At the origin of the efficiency (and complexity) of convex polyhedra algorithms is Chernikova's algorithm which is used to maintain the coherence of the double description of polyhedra [7]. The main insight of our approach is that we develop a checker which only uses the constraint description of polyhedra and which never needs to detect redundant constraints. Moreover, projections are...

18 | Towards array bound check elimination in Java™ Virtual Machine Language
- Xi, Xia
Citation Context: ...esent work is the first extension of this to an inter-procedural analysis for bytecode. Dependent type systems for Java-style bytecode for removing array bounds checks have been proposed by Xi and Xia [25]. The analysis of the stack uses singleton types to track the values of stack elements, in the same spirit as our symbolic stack expressions. The analysis is intra-procedural and does not consider met...

16 | Extracting a Data Flow Analyser
- Cachera, Jensen, et al.
Citation Context: ...such analysers. One approach would be to certify the analyser entirely within a proof checker, as done for the key components of the Java bytecode verifier [13, 2]. In previous work, Pichardie et al. [18, 6] formalised the theory of abstract interpretation inside the Coq proof assistant and proved the correctness of a variety of program analysers. ⋆ This work was partially funded by the FET Global Comput...

16 | Interprétation abstraite en logique intuitionniste: extraction d'analyseurs Java certifiés
- Pichardie
- 2005
Citation Context: ...such analysers. One approach would be to certify the analyser entirely within a proof checker, as done for the key components of the Java bytecode verifier [13, 2]. In previous work, Pichardie et al. [18, 6] formalised the theory of abstract interpretation inside the Coq proof assistant and proved the correctness of a variety of program analysers. ⋆ This work was partially funded by the FET Global Comput...

15 | Fast reflexive arithmetic tactics: the linear case and beyond
- Besson
- 2007
Citation Context: ...riants can be reduced to emptiness tests. As a result, parts of the polyhedral checker could be reused. Emptiness certificates from Section 3.2 can be generalised to deal with non-linear inequalities [3]. However, the analyses for inferring such properties are in their infancy. On a language level, the challenge is to extend the analysis to cover the object oriented aspects of Java bytecode. The incl...

14 | Bytecode Analysis for Proof Carrying Code
- Wildmoser, Chaieb, et al.
Citation Context: ...be represented symbolically and only the comparisons and assignment to variables require updating the relation l♯ between variables. In a polyhedron-based analysis this kind of symbolic manipulation [24, 21] is a substantial saving. Definition 1 (Abstract domain). The abstract value for a program P is described by an element (Pre, Post, Loc) of the lattice State♯ = (Meth → D_{R0+S0}) × (Meth → D_{R0+S0+S+...

13 | A tool-assisted framework for certified bytecode verification
- Barthe, Dufay
- 2004
Citation Context: ... Java a trustworthy platform for mobile computing. Several researchers have investigated how to develop machine-checked bytecode verifiers in order to increase the confidence in this component itself [13, 2]. The standard bytecode verifier ensures one kind of security policy that is proved by a simple data flow analysis. The static verification of other security and safety policies (e.g., to check that a...

10 | Asserting bytecode safety
- Wildmoser, Nipkow
- 2005
Citation Context: ...ms given by Xi and have been able to infer the invariants necessary for verifying safe array access automatically. The area of certified program verifiers is an active field. Wildmoser, Nipkow et al. [22] were the first to develop a fully certified VCGen within Isabelle/HOL for verifying arithmetic overflow in Java bytecode. The certification of abstract interpreters has been developed by Pichardie et...

8 | Result certification for relational program analysis. Research Report 6333
- Besson, Jensen, et al.
- 2007
Citation Context: ... integers, static methods (procedures) and static fields (global variables). The formal syntax and small-step operational semantics are rather straightforward and can be found in the companion report [4]. The analysis is inter-procedural, relational and parametrised with respect to a numeric abstract domain used to abstract the values of the local and global variables of the program. The analyser aut...

4 | Small witnesses for abstract interpretation based proofs
- Besson, Jensen, et al.
Citation Context: ...invariants that are useless for proving a given safety property. The advantages are twofold: invariants to check are smaller and their verification cheaper. We have applied the technique described in [5] for pruning constraint-based invariants, with some adaptations to deal with the interprocedural aspects of our polyhedral analysis. The algorithm is not described here for space reasons but can be fo...

3 | The Apron library
- Jeannet and the Apron team
- 2007
Citation Context: ...ral analyser with this technique would require a tremendous certification effort. Moreover, efficiency is a major concern when considering the expensive symbolic manipulations of a polyhedral library [12] and the problem becomes even more perceptible in a pure lambda-calculus language such as Coq. As noticed by Leroy in the context of certified compilation [15], static analyses and optimisation heuris...