skip to main content
10.1145/2594291.2594301acmconferencesArticle/Chapter ViewAbstractPublication PagespldiConference Proceedingsconference-collections
research-article

End-to-end verification of stack-space bounds for C programs

Published: 09 June 2014 Publication History

Abstract

Verified compilers guarantee the preservation of semantic properties and thus enable formal verification of programs at the source level. However, important quantitative properties such as memory and time usage still have to be verified at the machine level where interactive proofs tend to be more tedious and automation is more challenging.
This article describes a framework that enables the formal verification of stack-space bounds of compiled machine code at the C level. It consists of a verified CompCert-based compiler that preserves quantitative properties, a verified quantitative program logic for interactive stack-bound development, and a verified stack analyzer that automatically derives stack bounds during compilation.
The framework is based on event traces that record function calls and returns. The source language is CompCert Clight and the target language is x86 assembly. The compiler is implemented in the Coq Proof Assistant and it is proved that crucial properties of event traces are preserved during compilation. A novel quantitative Hoare logic is developed to verify stack-space bounds at the CompCert Clight level. The quantitative logic is implemented in Coq and proved sound with respect to event traces generated by the small-step semantics of CompCert Clight. Stack-space bounds can be proved at the source level without taking into account low-level details that depend on the implementation of the compiler. The compiler fills in these low-level details during compilation and generates a concrete stack-space bound that applies to the produced machine code. The verified stack analyzer is guaranteed to automatically derive bounds for code with non-recursive functions. It generates a derivation in the quantitative logic to ensure soundness as well as interoperability with interactively developed stack bounds.
In an experimental evaluation, the developed framework is used to obtain verified stack-space bounds for micro benchmarks as well as real system code. The examples include the verified operating-system kernel CertiKOS, parts of the MiBench embedded benchmark suite, and programs from the CompCert benchmarks. The derived bounds are close to the measured stack-space usage of executions of the compiled programs on a Linux x86 system.

References

[1]
E. Albert, P. Arenas, S. Genaim, M. Gómez-Zamalloa, and G. Puebla. Cost Analysis of Concurrent OO Programs. In Prog. Langs. and Systems - 9th Asian Symposium (APLAS'11), pages 238--254, 2011.
[2]
E. Albert, R. Bubel, S. Genaim, R. Hähnle, and G. Román-Díez. Verified Resource Guarantees for Heap Manipulating Programs. In Fundamental Approaches to Soft. Eng. - 15th Int. Conf. (FASE'12), pages 130--145, 2012.
[3]
A. W. Appel et al. Program Logics for Certified Compilers. Cambridge University Press, 2013.
[4]
D. Aspinall, L. Beringer, M. Hofmann, H.-W. Loidl, and A. Momigliano. A Program Logic for Resources. Theor. Comput. Sci., 389(3):411--445, 2007.
[5]
R. Atkey. Amortised Resource Analysis with Separation Logic. In 19th Euro. Symp. on Prog. (ESOP'10), pages 85--103, 2010.
[6]
R. Bedin França, S. Blazy, D. Favre-Felix, X. Leroy, M. Pantel, and J. Souyris. Formally Verified Optimizing Compilation in ACG-based Flight Control Software. In Embedded Real Time Software and Systems (ERTS 2012), 2012.
[7]
S. Blazy, A. Maroneze, and D. Pichardie. Formal Verification of Loop Bound Estimation for WCET Analysis. In Verified Software: Theories, Tools, Experiments - 5th Int. Conf. (VSTTE'13), 2013. To appear.
[8]
D. Brylow, N. Damgaard, and J. Palsberg. Static Checking of Interrupt-Driven Software. In 23rd Int. Conf. on Soft. Engineering (ICSE'01), pages 47--56, 2001.
[9]
Q. Carbonneaux, J. Hoffmann, T. Ramananandro, and Z. Shao. End-to-End Verification of Stack-Space Bounds for C Programs. Technical Report YALEU/DCS/TR-1487, Yale University, March 2014.
[10]
W.-N. Chin, H. H. Nguyen, C. Popeea, and S. Qin. Analysing Memory Resource Bounds for Low-Level Programs. In 7th Int Symp. on Memory Management (ISMM'08), pages 151--160, 2008.
[11]
A. Chlipala. A Certified Type-Preserving Compiler from Lambda Calculus to Assembly Language. In 28th Conf. on Prog. Lang. Design and Impl. (PLDI'07), pages 54--65, 2007.
[12]
K. Crary and S. Weirich. Resource Bound Certification. In 27th ACM Symp. on Principles of Prog. Langs. (POPL'00), pages 184--198, 2000.
[13]
Express Logic, Inc. Helping you avoid stack overflow crashes! White Paper, 2014. URL http://rtos.com/images/uploads/Stack_Analysis_White_paper.1_.pdf.
[14]
C. Ferdinand, R. Heckmann, and B. Franzen. Static Memory and Timing Analysis of Embedded Systems Code. In 3rd Europ. Symp. on Verification and Validation of Software Systems (VVSS'07), 2007.
[15]
L. Gu, A. Vaynberg, B. Ford, Z. Shao, and D. Costanzo. CertiKOS: A Certified Kernel for Secure Cloud Computing. In Asia Pacific Workshop on Systems (APSys'11), 2011.
[16]
S. Gulwani, K. K. Mehra, and T. M. Chilimbi. SPEED: Precise and Efficient Static Estimation of Program Computational Complexity. In 36th ACM Symp. on Principles of Prog. Langs. (POPL'09), pages 127--139, 2009.
[17]
M. R. Guthaus, J. S. Ringenberg, D. Ernst, T. M. Austin, T. Mudge, and R. B. Brown. MiBench: A Free, Commercially Representative Embedded Benchmark Suite. In IEEE International Workshop on Workload Characterization (WWC'01), pages 3--14, 2001.
[18]
K. Hammond and G. Michaelson. Hume: A Domain-Specific Language for Real-Time Embedded Systems. In Generative Progr. and Component Eng., 2nd Int. Conf. (GPCE'03), pages 37--56, 2003.
[19]
J. Hoffmann, K. Aehlig, and M. Hofmann. Multivariate Amortized Resource Analysis. ACM Trans. Program. Lang. Syst., 2012.
[20]
J. Hoffmann, M. Marmar, and Z. Shao. Quantitative Reasoning for Proving Lock-Freedom. In 28th ACM/IEEE Symposium on Logic in Computer Science (LICS'13), 2013.
[21]
M. Hofmann and S. Jost. Static Prediction of Heap Space Usage for First-Order Functional Programs. In 30th ACM Symp. on Principles of Prog. Langs. (POPL'03), pages 185--197, 2003.
[22]
J. B. Jensen, N. Benton, and A. Kennedy. High-Level Separation Logic for Low-Level Code. In 40th ACM Symp. on Principles of Prog. Langs. (POPL'13), pages 301--314, 2013.
[23]
S. Jost, H.-W. Loidl, K. Hammond, N. Scaife, and M. Hofmann. Carbon Credits for Resource-Bounded Computations using Amortised Analysis. In 16th Symp. on Form. Meth. (FM'09), pages 354--369, 2009.
[24]
G. Klein and T. Nipkow. A Machine-Checked Model for a Java-Like Language, Virtual Machine, and Compiler. ACM Trans. Program. Lang. Syst., 28(4):619--695, 2006.
[25]
G. Klein, J. Andronick, K. Elphinstone, G. Heiser, D. Cock, P. Derrin, D. Elkaduwe, K. Engelhardt, R. Kolanski, M. Norrish, T. Sewell, H. Tuch, and S. Winwood. seL4: Formal Verification of an Operating-System Kernel. Commun. ACM, 53(6):107--115, 2010.
[26]
X. Leroy. Formal Certification of a Compiler Back-End, or: Programming a Compiler with a Proof Assistant. In 33rd Symposium on Principles of Prog. Langs. (POPL'06), pages 42--54, 2006.
[27]
X. Leroy. Formal Verification of a Realistic Compiler. Communications of the ACM, 52(7):107--115, 2009.
[28]
Y. Moy, E. Ledinot, H. Delseny, V. Wiels, and B. Monate. Testing or Formal Verification: DO-178C Alternatives and Industrial Experience. IEEE Software, 30(3):50--57, 2013. ISSN 0740--7459.
[29]
Z. Ni and Z. Shao. Certified Assembly Programming with Embedded Code Pointers. In 33th ACM Symp. on Principles of Prog. Langs. (POPL'06), pages 320--333, 2006.
[30]
T. Nipkow. Hoare Logics in Isabelle/HOL. In Proof and System-Reliability, volume 62 of NATO Science Series, pages 341--367. Springer, 2002.
[31]
J. Regehr, A. Reid, and K. Webb. Eliminating Stack Overflow by Abstract Interpretation. ACM Trans. Embed. Comput. Syst., 4(4):751--778, 2005.
[32]
J. Sevcík, V. Vafeiadis, F. Z. Nardelli, S. Jagannathan, and P. Sewell. CompCertTSO: A Verified Compiler for Relaxed-Memory Concurrency. J. ACM, 60(3), 2013.
[33]
Z. Shao. Certified software. Commun. ACM, 53(12):56--66, 2010.
[34]
R. Wilhelm et al. The Worst-Case Execution-Time Problem --- Overview of Methods and Survey of Tools. ACM Trans. Embedded Comput. Syst., 7(3), 2008.
[35]
X. Yang, Y. Chen, E. Eide, and J. Regehr. Finding and Understanding Bugs in C Compilers. In 32nd Conf. on Prog. Lang. Design and Impl. (PLDI'11), pages 283--294, 2011.
[36]
F. Zuleger, M. Sinn, S. Gulwani, and H. Veith. Bound Analysis of Imperative Programs with the Size-change Abstraction. In 18th Int. Static Analysis Symposium (SAS'11), 2011.

Cited By

View all
  • (2025)Preservation of Speculative Constant-Time by CompilationProceedings of the ACM on Programming Languages10.1145/37048809:POPL(1293-1325)Online publication date: 9-Jan-2025
  • (2024)Evaluation of Programming in C using WSM MethodREST Journal on Emerging trends in Modelling and Manufacturing10.46632/jemm/9/4/29:4(10-17)Online publication date: 25-Jun-2024
  • (2024)Modeling and Analyzing Evaluation Cost of CUDA KernelsACM Transactions on Parallel Computing10.1145/363940311:1(1-53)Online publication date: 12-Jan-2024
  • Show More Cited By

Recommendations

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences
PLDI '14: Proceedings of the 35th ACM SIGPLAN Conference on Programming Language Design and Implementation
June 2014
619 pages
ISBN:9781450327848
DOI:10.1145/2594291
  • cover image ACM SIGPLAN Notices
    ACM SIGPLAN Notices  Volume 49, Issue 6
    PLDI '14
    June 2014
    598 pages
    ISSN:0362-1340
    EISSN:1558-1160
    DOI:10.1145/2666356
    • Editor:
    • Andy Gill
    Issue’s Table of Contents
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 09 June 2014

Permissions

Request permissions for this article.

Check for updates

Author Tags

  1. compiler construction
  2. formal verification
  3. program logics
  4. quantitative verification
  5. stack-space bounds

Qualifiers

  • Research-article

Funding Sources

Conference

PLDI '14
Sponsor:

Acceptance Rates

PLDI '14 Paper Acceptance Rate 52 of 287 submissions, 18%;
Overall Acceptance Rate 406 of 2,067 submissions, 20%

Contributors

Other Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

  • Downloads (Last 12 months)16
  • Downloads (Last 6 weeks)0
Reflects downloads up to 18 Feb 2025

Other Metrics

Citations

Cited By

View all
  • (2025)Preservation of Speculative Constant-Time by CompilationProceedings of the ACM on Programming Languages10.1145/37048809:POPL(1293-1325)Online publication date: 9-Jan-2025
  • (2024)Evaluation of Programming in C using WSM MethodREST Journal on Emerging trends in Modelling and Manufacturing10.46632/jemm/9/4/29:4(10-17)Online publication date: 25-Jun-2024
  • (2024)Modeling and Analyzing Evaluation Cost of CUDA KernelsACM Transactions on Parallel Computing10.1145/363940311:1(1-53)Online publication date: 12-Jan-2024
  • (2023)Equation-Directed Axiomatization of Lustre Semantics to Enable Optimized Code ValidationACM Transactions on Embedded Computing Systems10.1145/360939322:5s(1-24)Online publication date: 31-Oct-2023
  • (2023)Sound Predictive Fuzzing for Multi-threaded Programs2023 IEEE 47th Annual Computers, Software, and Applications Conference (COMPSAC)10.1109/COMPSAC57700.2023.00110(810-819)Online publication date: Jun-2023
  • (2023)Suspending OpenMP Tasks on Asynchronous Events: Extending the Taskwait ConstructOpenMP: Advanced Task-Based, Device and Compiler Programming10.1007/978-3-031-40744-4_5(66-80)Online publication date: 1-Sep-2023
  • (2023)Execution Time Program Verification with Tight BoundsPractical Aspects of Declarative Languages10.1007/978-3-031-24841-2_4(56-72)Online publication date: 8-Jan-2023
  • (2022)Verified compilation of C programs with a nominal memory modelProceedings of the ACM on Programming Languages10.1145/34986866:POPL(1-31)Online publication date: 12-Jan-2022
  • (2022)For a Few Dollars More: Verified Fine-Grained Algorithm Analysis Down to LLVMACM Transactions on Programming Languages and Systems10.1145/348616944:3(1-36)Online publication date: 15-Jul-2022
  • (2022)Two decades of automatic amortized resource analysisMathematical Structures in Computer Science10.1017/S096012952100048732:6(729-759)Online publication date: 16-Mar-2022
  • Show More Cited By

View Options

Login options

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Figures

Tables

Media

Share

Share

Share this Publication link

Share on social media