The Bluespec hardware-description language presents a significantly higher-level view than hardware engineers are used to, exposing a simpler concurrency model that promotes formal proof, without compromising on performance of compiled circuits. Unfortunately, the cost model of Bluespec has been unclear, with performance details depending on a mix of user hints and opaque static analysis of potential concurrency conflicts within a design. In this paper we present Kôika, a derivative of Bluespec that preserves its desirable properties and yet gives direct control over the scheduling decisions that determine performance. Kôika has a novel and deterministic operational semantics that uses dynamic analysis to avoid concurrency anomalies. Our implementation includes Coq definitions of syntax, semantics, key metatheorems, and a verified compiler to circuits. We argue that most of the extra circuitry required for dynamic analysis can be eliminated by compile-time BSV-style static analysis.

CCS Concepts: • Software and its engineering → Semantics; Compilers; • Hardware → Theorem proving and SAT solving.
It is a neat result from functional programming that libraries of parser combinators can support rapid construction of decoders for quite a range of formats. With a little more work, the same combinator program can denote both a decoder and an encoder. Unfortunately, the real world is full of gnarly formats, as with the packet formats that make up the standard Internet protocol stack. Most past parser-combinator approaches cannot handle these formats, and the few exceptions require redundancy: one part of the natural grammar needs to be hand-translated into hints in multiple parts of a parser program. We show how to recover very natural and nonredundant format specifications, covering all popular network packet formats and generating both decoders and encoders automatically. The catch is that we use the Coq proof assistant to derive both kinds of artifacts using tactics, automatically, in a way that guarantees that they form inverses of each other. We used our approach to reimplement packet processing for a full Internet protocol stack, inserting our replacement into the OCaml-based MirageOS unikernel, resulting in minimal performance degradation.

] that aim to reduce opportunities for user error in writing encoders and decoders, but these systems are quite tricky to get right and have themselves been sources of serious security bugs [CVE 2016]. Combinator libraries are an alternative approach to the rapid development of parsers that has proven particularly popular in the functional-programming community [Leijen and Meijer 2001]. This approach has been adapted to generate both parsers and pretty printers from single programs [Kennedy 2004; Rendel and Ostermann 2010]. Unfortunately, unverified combinator libraries suffer from the same potential for bugs as code-generation frameworks, with the additional possibility for users to introduce errors when extending the library with new combinators.
This paper presents Narcissus, a combinator-style framework for the Coq proof assistant that eliminates the possibility of such bugs, enabling the derivation of encoders and decoders that are correct by construction. Each derived encoder and decoder is backed by a machine-checked functional-correctness proof, and Narcissus leverages Coq's proof automation to help automate both the construction of encoders and decoders and their correctness proofs. Key to our approach is how it propagates information through a derivation, in order to generate decoders and encoders for the sorts of non-context-free languages that often appear in standard networking protocols.

We begin by introducing the key features of Narcissus with a series of increasingly complex examples, leading to a hypothetical format of packets sent by a temperature sensor to a smart home controller. In order to build up the reader's intuition, we deliberately delay a discussion of the full details of our approach until Section 2. The code accompanying our tour is included in the Narcissus repository¹ in the src/Narcissus/Examples/README.v file, and can be run in Coq ver...
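The following is an added example and not Narcissus code (Narcissus is a Coq framework; this is a plain Python sketch of the same idea). It shows how a single combinator specification can yield both an encoder and a decoder, including a length-prefixed field of the non-context-free kind the abstract mentions, where the length is derived from the payload on the encode side and consumed on the decode side. The combinators `uint`, `raw`, `record`, `Dep` and `Derived`, and the sensor packet layout, are assumptions made for illustration, not the paper's definitions; unlike Narcissus, the inverse property here is checked by a round-trip test rather than proved.

```python
"""Added example (not Narcissus code): a tiny bidirectional format-combinator
library.  One specification yields both an encoder and a decoder; the
"length field, then that many bytes" shape is written once.  Names are hypothetical."""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple, Union

Env = Dict[str, Any]


class DecodeError(ValueError):
    """Input is truncated or inconsistent with the format."""


@dataclass(frozen=True)
class Format:
    """Encoder/decoder pair; decode returns (value, next offset) for sequencing."""
    encode: Callable[[Any], bytes]
    decode: Callable[[bytes, int], Tuple[Any, int]]


def uint(nbytes: int) -> Format:  # fixed-width big-endian unsigned integer
    def enc(v: int) -> bytes:
        if not 0 <= v < 256 ** nbytes:
            raise ValueError(f"{v} does not fit in {nbytes} byte(s)")
        return v.to_bytes(nbytes, "big")

    def dec(buf: bytes, off: int) -> Tuple[int, int]:
        if off + nbytes > len(buf):
            raise DecodeError("truncated integer field")
        return int.from_bytes(buf[off:off + nbytes], "big"), off + nbytes
    return Format(enc, dec)


def raw(nbytes: int) -> Format:  # byte string whose length the caller already knows
    def enc(v: bytes) -> bytes:
        if len(v) != nbytes:
            raise ValueError(f"expected {nbytes} bytes, got {len(v)}")
        return bytes(v)

    def dec(buf: bytes, off: int) -> Tuple[bytes, int]:
        if off + nbytes > len(buf):
            raise DecodeError("truncated byte field")
        return bytes(buf[off:off + nbytes]), off + nbytes
    return Format(enc, dec)


@dataclass(frozen=True)
class Dep:
    """Field whose format is chosen from fields already seen, e.g. raw(env['len'])."""
    fn: Callable[[Env], Format]


@dataclass(frozen=True)
class Derived:
    """Field the user never supplies: computed from the record on encode,
    decoded and checked against the same computation on decode."""
    fmt: Format
    compute: Callable[[Env], Any]


def record(fields: List[Tuple[str, Union[Format, Dep, Derived]]]) -> Format:
    """Sequence named fields; information flows left to right on both sides."""
    def enc(rec: Env) -> bytes:
        env, out = dict(rec), bytearray()
        for name, spec in fields:
            if isinstance(spec, Derived):
                env[name] = spec.compute(rec)        # e.g. len(rec['payload'])
                out += spec.fmt.encode(env[name])
            elif isinstance(spec, Dep):
                out += spec.fn(env).encode(rec[name])
            else:
                out += spec.encode(rec[name])
        return bytes(out)

    def dec(buf: bytes, off: int) -> Tuple[Env, int]:
        env: Env = {}
        for name, spec in fields:
            fmt = (spec.fmt if isinstance(spec, Derived)
                   else spec.fn(env) if isinstance(spec, Dep) else spec)
            env[name], off = fmt.decode(buf, off)
        result = {n: env[n] for n, s in fields if not isinstance(s, Derived)}
        for name, spec in fields:  # the check makes decode a left inverse of encode
            if isinstance(spec, Derived) and spec.compute(result) != env[name]:
                raise DecodeError(f"field {name!r} inconsistent with the data")
        return result, off
    return Format(enc, dec)


# Constructed sample format, loosely modelled on the abstract's sensor packet.
SENSOR = record([
    ("sensor_id", uint(2)),
    ("temp_c10", uint(2)),                                   # tenths of a degree
    ("len", Derived(uint(1), lambda r: len(r["payload"]))),  # derived on encode
    ("payload", Dep(lambda env: raw(env["len"]))),           # depends on 'len'
])


def roundtrip(rec: Env) -> bool:
    """decode(encode(rec)) == rec, with the whole buffer consumed."""
    data = SENSOR.encode(rec)
    decoded, end = SENSOR.decode(data, 0)
    return decoded == rec and end == len(data)


if __name__ == "__main__":
    pkt = {"sensor_id": 0x1234, "temp_c10": 215, "payload": b"hall"}
    print(SENSOR.encode(pkt).hex(), roundtrip(pkt))
```

The point of the `Derived`/`Dep` pair is that the dependency between the length field and the payload is stated exactly once in the format and the two sides of it fall out mechanically: the encoder fills the length in, the decoder reads it, and a decoder that reads a length the data cannot back up fails instead of silently accepting a malformed packet.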
SMT-based program verifiers often suffer from the so-called butterfly effect, in which minor modifications to the program source cause significant instabilities in verification times, which in turn may lead to spurious verification failures and a degraded user experience. This paper identifies matching loops (ill-behaved quantifiers causing an SMT solver to repeatedly instantiate a small set of quantified formulas) as a significant contributor to these instabilities, and describes some techniques to detect and prevent them. At their core, the contributed techniques move the trigger selection logic away from the SMT solver and into the high-level verifier: this move allows authors of verifiers to annotate, rewrite, and analyze user-written quantifiers to improve the solver's performance, using information that is easily available at the source level but would be hard to extract from the heavily encoded terms that the solver works with. The paper demonstrates three core techniques (quantifier splitting, trigger sharing, and matching loop detection) by extending the Dafny verifier with its own trigger selection routine, and demonstrates significant predictability and performance gains on both Dafny's test suite and large verification efforts using Dafny.
We introduce Meta-F*, a tactics and metaprogramming framework for the F* program verifier. The main novelty of Meta-F* is allowing the use of tactics and metaprogramming to discharge assertions not solvable by SMT, or to just simplify them into well-behaved SMT fragments. Plus, Meta-F* can be used to generate verified code automatically. Meta-F* is implemented as an F* effect, which, given the powerful effect system of F*, heavily increases code reuse and even enables the lightweight verification of metaprograms. Metaprograms can be either interpreted, or compiled to efficient native code that can be dynamically loaded into the F* type-checker and can interoperate with interpreted code. Evaluation on realistic case studies shows that Meta-F* provides substantial gains in proof development, efficiency, and robustness.