David Pichardie

Extracting a data flow analyser in constructive logic

A constraint-based data flow analysis is formalised in the specification language of the Coq proof assistant. This involves defining a dependent type of lattices together with a library of lattice functors for modular construction of complex abstract domains. Constraints are represented in a way that allows for both efficient constraint resolution and correctness proof of the analysis with respect to an operational semantics. The proof of existence of a solution to the constraints is constructive which means that the extraction mechanism of Coq provides a provably correct data flow analyser in Ocaml from the proof. The library of lattices and the representation of constraints are defined in an analysis-independent fashion that provides a basis for a generic framework for proving and extracting static analysers in Coq.

Proof-carrying code from certified abstract interpretation and fixpoint compression

Proof-carrying code (PCC) is a technique for downloading mobile code on a host machine while ensuring that the code adheres to the hosts safety policy. We show how certified abstract interpretation can be used to build a PCC architecture where the code producer can produce program certificates automatically. Code consumers use proof checkers derived from certified analysers to check certificates. Proof checkers carry their own correctness proofs and accepting a new proof checker amounts to type checking the checker in Coq. Certificates take the form of strategies for reconstructing a fixpoint and are kept small due to a technique for fixpoint compression. The PCC architecture has been implemented and evaluated experimentally on a byte code language for which we have designed an interval analysis that allows to generate certificates ascertaining that no array-out-of-bounds accesses will occur.

Formalizing Convex Hull Algorithms

We study the development of formally proved algorithms for computational geometry. The result of this work is a formal description of the basic principles that make convex hull algorithms work and two programs that implement convex hull computation and have been automatically obtained from formally verified mathematical proofs. A special attention has been given to handling degenerate cases that are often overlooked by conventional algorithm presentations.

Extracting a Data Flow Analyser in Constructive Logic

We show how to formalise a constraint-based data flow analysis in the specification language of the Coq proof assistant. This involves defining a dependent type of lattices together with a library of lattice functors for modular construction of complex abstract domains. Constraints are expressed in an intermediate representation that allows for both efficient constraint resolution and correctness proof of the analysis with respect to an operational semantics. The proof of existence of a correct, minimal solution to the constraints is constructive which means that the extraction mechanism of Coq provides a provably correct data flow analyser in ocaml. The library of lattices together with the intermediate representation of constraints are defined in an analysis-independent fashion that provides a basis for a generic framework for proving and extracting static analysers in Coq.

Embedding of Systems of Affine Recurrence Equations in Coq

Systems of affine recurrence equations (SAREs) over polyhedral domains are widely used to model computation-intensive algorithms and to derive parallel code or hardware implementations. The development of complex SAREs for real-sized applications calls for the elaboration of formal verification techniques. As the systems we consider are generic, i.e., depend on parameters whose value are not statically known, we considered using theorem provers, and have implemented a translation from SAREs into the Coq system. We take advantage of the regularity of our model to automatically generate an inductive type adapted to each particular system. This allows us to automatically prove that the functional translation of equations respects the wanted fixpoint properties, and to systematically derive mutual induction schemes.

Programmation d'un interpréteur abstrait certifié en logique constructive

A static analyzer aims at automatically deducing program pr operties by examining its source code. Proving the correctness of an analyzer is ba sed on semantic properties, and becomes difficult to ensure when complex analysis technique s are involved. We propose to adapt the general theory of static analysis by abstract interpret ation to the framework of constructive logic. Implementing this formalism into the Coq proof assis tant then allows for automatic extraction of certified analyzers. We focus here on a simple i mperative language and present the computation of fixpoints by widening/narrowing and synt ax-directed iteration techniques. MOTS-CLES :Analyse statique, interpretation abstraite, calcul de poi nt fixe, logique constructive, assistant de preuve

Modular proof principles for parameterised concretizations

Abstract interpretation is a particularly well-suited methodology to build modular correctness proof of static analysers. Proof modularity becomes essential when correctness proof is machine checked for realistic languages To deal with complex concrete and abstract domains, the notion of parameterised concretization has been proposed to allow a structural decomposition of the abstract domain and its concretization. In this paper we develop proof principles for such concretizations, based on the theoretical notion of concretization functor, with the aim of obtaining modular correctness proofs. Our technique has been tested on a machine-checked correctness proof of a static analysis for a Java-like bytecode language.

Verified compilation of linearizable data structures: mechanizing rely guarantee for semantic refinement

Compiling concurrent and managed languages involves implementing sophisticated interactions between client code and the runtime system. An emblematic runtime service, whose implementation is particularly error-prone, is concurrent garbage collection. In a recent work [31], we implement an on-the-fly concurrent garbage collector, and formally prove its functional correctness in the Coq proof assistant. The garbage collector is implemented in a compiler intermediate representation featuring abstract concurrent data structures. The present paper extends this work by considering the concrete implementation of some of these abstract concurrent data structures. We formalize, in the Coq proof assistant, a theorem establishing the semantic correctness of a compiling pass which translates abstract, atomic data structures into their concrete, fine-grained concurrent implementations. At the crux of the proof lies a generic result establishing once and for all a simulation relation, starting from a carefully crafted rely-guarantee specification. Inspired by the work of Vafeiadis [28], implementations are annotated with linearization points. Semantically, this instrumentation reflects the behavior of abstract data structures.