Modular and lightweight certification of polyhedral abstract domains ∗


interpretation [5] provides a theory for static analysis of programs, where sets of reachable states are over-approximated by elements of an abstract domain. In particular, the domain of convex polyhedra [6] expresses postconditions as conjunctions of affine inequalities: a polyhedron p encodes a formula “ ∧ i ∑ j aij .xj≤bi”, where aij and bi are rational constants, and xj are numerical variables of the program. Its semantics (or concretization) is the predicate JpK defined as “λm. ∧ i ∑ j aij .m(xj)≤ bi”, where m is a total map from variables to rationals representing a memory state. The analyzer computes postconditions in a given abstract domain by performing a symbolic evaluation of programs that combines operators of this domain. Its correctness relies on each domain operator over-approximating a given predicate transformer. An abstract interpreter such as Astrée [3] is able to ensure the absence of undefined behaviours in large critical programs from avionics. But Astrée is itself very complex and, despite the care put in its development, it may contain bugs. This is probably also the case for well-known abstract domain implementations, such as the PPL [1] and Apron [8]. Inspired by the development in Coq of the CompCert certified compiler [10], the Verasco project aims to build a certified abstract interpreter [4]. Our work in this project focuses on obtaining a provably correct library for convex polyhedra, similar in features and performance to the core of the PPL and Apron polyhedra libraries. Proving correct the result of domain operators on polyhedra reduces to proving inclusions of polyhedra: a polyhedron p is included in a polyhedron p′ iff ∀m, JpK(m) ⇒ Jp′K(m). If each inequality of p′ is entailed by a positive linear combination of the inequalities of p, then inclusion holds. Farkas’s lemma states that when inclusion holds, such a vector Λ of linear combinations always exists. Moreover, such a Λ can be considered as a certificate containing the necessary information to build the result p′ of a given domain operator from its operands which are here expressed as p. The result p′ = Λ.p satisfies the inclusion properties which guarantee its correctness, by construction. Our certified abstract domain of polyhedra is built out of two components: • An untrusted Ocaml backend which, for each operator, produces certificates. • A frontend, developed in Coq, which builds proved-correct results using certificates provided by the backend. This idea has previously been experimented by Frédéric Besson et al. [2]. Our work makes the frontend more modular and more generic with respect to the backend. All that is required from the backend is to be able to generate certificates in our format. The backend could use its own data structures (e.g. double representation), or trade some precision for computationally cheaper operators [11, 9]. Such flexibility is achieved reducing the coupling between the frontend and the backend: • Communication between the frontend and the backend is reduced to certificates, i.e. descriptions of linear combinations of inequalities identified by integers. ∗This work was partially supported by ANR project “Verasco” (INS 2011). • The frontend ensures soundness but does not give formal precision guarantees. The precision versus efficiency trade-off is delegated to the backend. The frontend requires the backend to implement only a basic Ocaml interface. It is extended in the frontend using functors: extra features are added in a modular way to any numerical domain without relying on its specifics. For example, the predicate transformer for assignment can be phrased in terms of more basic operators: intersection, projection and renaming. A functor adds the operator to a basic domain and builds the required correctness proofs. To complete our abstract domain, we built a backend using a constraints-only representation of polyhedra [7]. Its operators use tweaked versions of standard algorithms so as to produce certificates as a cheap by-product of computations. Experiments show that the overhead of result verification is sufficiently low for our abstract domain to remain competitive with wellestablished, but non-verifying, implementations. In conclusion, result verification is particularly well suited for certifying polyhedral abstract domains. Our work demonstrates an efficient, evolutive and reusable design, which could serve as a guiding example for lightweight certification. We hope to extend this work to a whole static analyzer.

Cite this paper

@inproceedings{Fouilh2014ModularAL, title={Modular and lightweight certification of polyhedral abstract domains ∗}, author={Alexis Fouilh{\'e} and Sylvain Boulm{\'e} and Micha{\"{e}l P{\'e}rin}, year={2014} }