1 / 57

117 views
Category: Funny / Jokes
Description
Notes on Violent wind Augmented Static Checking. Greg Morrisett Harvard College. Static Amplified Checking: SEX-C. Comparable way to deal with ESC-M3/Java: Ascertain a first request predicate portraying the machine state at every system point.
Transcripts
Slide 1

Notes on Cyclone Extended Static Checking Greg Morrisett Harvard University

Slide 2

Static Extended Checking: SEX-C Similar way to deal with ESC-M3/Java: Calculate a first request predicate depicting the machine state at every project point. Create confirmation conditions (VCs) comparing to run-time checks. Sustain VCs to a hypothesis prover. Just embed check (and issue cautioning) if prover can\'t indicate VC is valid. Key objective: needs proportional well (like sort checking) so it can be utilized on each alter incorporate investigate cycle.

Slide 3

Example: strcpy strcpy(char ?d, singe ?s) { while (*s != 0) { *d = *s; s++; d++; } *d = 0; } Run-time checks are embedded to guarantee that s and d are not NULL and in limits. 6 words went in rather than 2.

Slide 4

Better strcpy(char ?d, burn ?s) { unsigned i, n = numelts(s); assert(n < numelts(d)); for (i=0; i < n && s[i] != 0; i++) d[i] = s[i]; d[i] = 0; } This should have no run-time checks past the declare.

Slide 5

Even Better: strncpy(char *d, scorch *s, uint n) @assert(n < numelts(d) && n <= numelts(s)) { unsigned i; for (i=0; i < n && s[i] != 0; i++) d[i] = s[i]; d[i] = 0; } No fat pointers or element checks. Be that as it may, guest must statically fulfill the pre-condition.

Slide 6

In Practice: strncpy(char *d, scorch *s, uint n) @checks(n < numelts(d) && n <= numelts(s)) { unsigned i; for (i=0; i < n && s[i] != 0; i++) d[i] = s[i]; d[i] = 0; } If guest can build up pre-condition, no check. Something else, an understood check is embedded. Obviously, checks are a constrained class of affirmations.

Slide 7

Results so farâ¦ For the 165 records (~78 Kloc) that make up the standard libraries and compiler: CLibs: stdio, string, â¦ CycLib: rundown, cluster, spread, dict, set, bignum, â¦ Compiler: lex, parse, writing, break down, xlate to C,â¦ Eliminated 96% of the (static) looks at invalid : 33,121 of 34,437 (96%) limits: 13,402 out of 14,022 (95%) 225s for bootstrap contrasted with 221s with all verifies turned (2% slower) on this portable PC. Enhancement point of view: appears to be really great.

Slide 8

Scaling

Slide 9

Not all Rosy: Don\'t work out quite as well at exhibit escalated code. Case in point, on the AES reference: 75% of the checks (377 out of 504) 2% slower than all verifies turned. 24% slower than unique C code. (the vast majority of the overhead is fat pointers) The essential guilty party: we are extremely preservationist about number juggling. i.e., x[2*i+1] will divert us from unfailingly.

Slide 10

Challenges Assumed I could use off-the-rack innovation. In any case, kept running into a couple of issues: versatile VC era beforehand tackled issue (see ESC gentlemen.) however diverting to rediscover the arrangements. usable hypothesis provers until further notice, moved our own (not the genuine center.)

Slide 11

Verification-Condition Generation We began with course book most grounded post-conditions: SP[ x := e ] A = A [ a/x ] ï x =e [ a/x ] ( a new) SP[ S 1 ; S 2 ] A = SP[ S 2 ] (SP[ S 1 ] A ) SP[ if (e) S 1 else S 2 ] A = SP[ S 1 ]( A ï e ï¹ 0 ) ï SP[ S 2 ]( A ï e=0 )

Slide 12

Why SP rather than WP? SP[ if (c) skip else come up short ] A = A ï c When A ï c then we can dispense with the check. In any case, the post-condition is still A ï c . WP[ if (c) skip else come up short ] A = ( c ï A) ï ïc For WP, this will be proliferated in reverse making it hard to figure out which some piece of the pre-condition relates to a specific check.

Slide 13

first Problem with Textbook SP SP[ x := e ] A = A [ a/x ] ï x =e [ a/x ] What if e has impacts? Specifically, suppose it is possible that e is itself a task. Arrangement: utilize a monadic translation: SP : Exp ï® Assn ï® Term ï\' Assn

Slide 14

For Example: SP[ x ] A = ( x , A ) SP[ e 1 + e 2 ] A = let ( t 1 , A 1 ) = SP[ e 1 ] A ( t 2 , A 2 ) = SP[ e 2 ] A 1 in ( t 1 + t 2 , A 2 ) SP[ x := e ] A = let ( t , A 1 ) = SP[ e ] An in ( t [ a/x ], A 1 [ a/x ] ï x == t [ a/x ])

Slide 15

Or as in Haskell SP[ x ] = return x SP[ e 1 + e 2 ] = do { t 1 ï¬ SP[ e 1 ] ; t 2 ï¬ SP[ e 2 ] ; return t 1 + t 2 } SP[ x := e ] = do { t ï¬ SP[ e ] ; supplant [ a/x ] ; and x == t [ a/x ] ; return t [ a/x ] }

Slide 16

One Issue obviously, this over sequentializes the code. C has exceptionally liberal request of assessment standards which are pitifully unusable for any stable investigation. So we compel the assessment to be left-to-right and match our sequentialization.

Slide 17

Next Problem: Diamonds SP[ if (e 1 ) S 11 else S 12 ; if (e 2 ) S 21 else S 22 ; ... in the event that (e n ) S n1 else S n2 ] A Textbook methodology blasts ways into a tree. SP[ if (e) S 1 else S 2 ] A = SP[ S 1 ]( A ï e ï¹ 0 ) ï SP[ S 2 ]( A ï e=0 ) This essentially doesn\'t scale. e.g., one system had assn with ~1.5B hubs. WP has same issue. (see Flanagan & Leino)

Slide 18

Hmmmâ¦a part like naã¯ve CPS Duplicate consequence of first restrictive which copies the first statement. SP[ if (e 1 ) S 11 else S 12 ; if (e 2 ) S 21 else S 22 ] A = SP[ S 21 ] (( SP[ S 11 ]( A ï e 1 ï¹ 0 ) ï SP[ S 12 ]( A ï e 1 =0 ) ï e 2 ï¹ 0) ï SP[ S 22 ] (( SP[ S 11 ]( A ï e 1 ï¹ 0 ) ï SP[ S 12 ]( A ï e 1 =0 ) ï e 2 =0)

Slide 19

Aha! We require a "let": SP[ if (e) S 1 else S 2 ] A = let X= An in (e ï¹ 0 ï SP[S 1 ] X ) ï (e=0 ï SP[S 2 ] X ) Alternatively, verify we physically share A. Oh no: SP[ x := e ] X = X [ a/x ] ï x =e [ a/x ] This would oblige adding express substitutions to the statement dialect to abstain from breaking the sharing.

Slide 20

Handling Updates (Necula) Factor out a nearby domain : A = { x =e 1 ï y =e 2 ï â¦ } ï B where neither B nor e i contains program variables (i.e., x, y,â¦ ) Only the earth needs to change on redesign: SP[ x := 3 ] { x =e 1 ï y =e 2 ï â¦ } ï B = { x = 3 ï y =e 2 ï â¦ } ï B So the vast majority of the statement (B) stays unaltered and can be shared.

Slide 21

So Now: SP : Exp ï® (Env ï\' Assn) ï® ( Term ï\' Env ï\' Assn) SP[ x ] (E, A ) = (E( x ), (E, A )) SP[ e 1 + e 2 ] (E, A ) = let ( t 1 ,E 1 , A 1 ) = SP[ e 1 ] (E, A ) ( t 2 ,E 2 , A 2 ) = SP[ e 2 ] (E, A 1 ) in ( t 1 + t 2 , E 2 , A 2 ) SP[ x := e ] (E, A ) = let ( t ,E 1 , A 1 ) = SP[ e ] (E, A ) in ( t , E 1 [ x := t ], A 1 )

Slide 22

Or as in Haskell: SP[ x ] = lookup x SP[ e 1 + e 2 ] = do { t 1 ï¬ SP[ e 1 ] ; t 2 ï¬ SP[ e 2 ] ; return t 1 + t 2 } SP[ x := e ] = do { t ï¬ SP[ e ] ; set x t ; return t }

Slide 23

Note: Monadic embodiment pivotal from a product building perspective: really have numerous out-set stream edges because of special cases, return, and so forth (see Tan & Appel, VMCAI\'06) so the monad really amasses ( Term ï\' Env ï\' Assn) values for every edge. in any case, regardless it looks as lovely as the past slide. (modulo the way that it\'s composed in Cyclone.)

Slide 24

Diamond Problem Revisited: SP[ if (e) S 1 else S 2 ] { x =e 1 ï y =e 2 ï â¦ } ï B = ( SP[ S 1 ] { x =e 1 ï y =e 2 ï â¦ } ï B ï e ï¹ 0) ï ( SP[ S 2 ] { x =e 1 ï y =e 2 ï â¦ } ï B ï e = 0) = ( { x =t 1 ï y =t 2 ï â¦ } ï B 1 ) ï ( { x =u 1 ï y =u 2 ï â¦ } ï B 2 ) = { x = a x ï y = a y ï â¦ } ï (( a x = t 1 ï a y = t 2 ï â¦ ï B 1 ) ï ( a x = u 1 ï a y = u 2 ï â¦ ï B 2 ))

Slide 25

How does the earth help? SP[ if ( a ) x :=3 else x := y ; if ( b ) x :=5 else skip; ] { x =e 1 ï y =e 2 } ï B ï { x =v ï y =e 2 } ï ï b = 0 ï v =t b ï¹ 0 ï v =5 ï ï a ï¹ 0 ï t =3 B a = 0 ï t = e 2

Slide 26

Tah-Dah! I\'ve rediscovered SSA. monadic interpretation sequentializes and names middle of the road results. just need to include new variables when two ways register diverse qualities for a variable. so the added comparisons for conditionals relate to ïª - hubs. Like SSA, most pessimistic scenario O(n 2 ) yet by and by O(n). Best part: the greater part of the VCs for a given methodology have the same statement DAG.

Slide 27

Space Scaling

Slide 28

So far so great: obviously, I\'ve sparkled over the hard bits: circles memory strategies Let\'s discussion about circles firstâ¦

Slide 29

Widening: Given A ï B, figure some C such that A ï C and B ï C and |C| < |A|, |B|. At that point we can figure an altered point for circle invariants iteratively: begin with pre-condition P procedure circle test & body to get P\' check whether P\' ï P. Assuming this is the case, we\'re finished. if not, extend P ï P\' and emphasize. (gleaming over variable degree issues.)

Slide 30

Our Widening: Conceptually, to extend A ï B Calculate the DNF Factor out grammatically regular primitive relations: by and by, we d

Recommended
View more...