Home

Awesome

Cosa

A thing about Coq-verified Shape Analysis

Licence

Cosa and all of its files are distributed under the CeCILL v2.1 licence. It is a licence in the spirit of Gnu's GPL maintained by three French academic institutes. See the LICENCE file for details.

Xisa

Cosa is a Coq-verified implementation of (part of) the Xisa abstract interpretation based shape analysis by Bor-Yuh Evan Chang and Xavier Rival.

Principles

Xisa (and Cosa) is an abstract domain construction which transforms a value analysis into a shape analysis. The unbounded regions of memory are represented as inductive shapes. Xisa is parametrised by the set of inductive shapes it can use to represent regions.

Xisa also has a built-in notion of inductive segments. Basically they are inductive shapes with one hole. Segments are inductive shapes which can be derived from the version without hole. However, Cosa has no notion of syntax of inductive shapes at this point, so segments are hand-coded.

Papers

References to the relevant Xisa papers:

Design

On the concrete side, Cosa uses Compcert. The code is meant to interface with the value analysis described here. As such it will analyse the control-flow graph language which was designed as part of this analysis, and closely corresponds to Compcert's Cminor intermediate language. Currently Cosa doesn't use code from the value analysis (whose up to date version, developed for the Verasco project, hasn't been released yet).

Interaction structures

Xisa is design as rule-sets which can be applied with any strategy. The correctness of the analysis does not depend on the chosen strategy. To represent rule-sets, Cosa uses Interaction Structures introduced by Peter Hancock (see Programming interfaces and basic topology by Peter Hancock and Pierre Hyvernat for an overview).

Interaction structures represent processes which involve the interaction of two agents. In the case of Cosa, we can see the agent as the strategy (or oracle) and a provider of rules concerned by correctness. Interaction structures support forward refinement — as in refinement calculus — which Arnaud Spiwack noticed is sufficient to encode the abstract interpretation framework in which Xisa is expressed (set Abstract interpretation as anti-refinement).

Cosa, being based on a pre-existing design on the concrete side, does not fully leverage the correspondance between abstract interpretation and forward refinement. However, thanks to the correspondence, it is possible to refine interaction structures leading, step-wise, to a realistic analysis. As refinement is going towards the abstract, we must strengthen the pre-conditions and weaken the post-conditions.

Refinement is leveraged, in particular, in the design of inductive types where new names are being generated. In the first step, we just assume that the oracle can provide us with new names. Later we change the type of graphs to include a name of a new node, which we can increase as we go, removing the need for the oracle to traverse the graph to figure a new name ( work in progress ).

Interaction structures can also be used to represent proof systems. We use that property to define a generic notion of certificate that the oracle can provide to help the analysis check the correctness of its choice. Inclusion checking is designed to check a certificate ( work in progress ).

Working with interaction structure is the main structuring choice of Cosa. It allows to describe the interaction with an external oracle in a systematic way, and allows to delay the calls to an actual oracle to a superficial layer completely separated from the correctness proof. The data structures manipulated by the algorithm do not need to be used in the correctness proofs either.

Nominal sets

Summarised edges in a Xisa graph represent inductive shapes. Throughout an analysis they are unfolded (for instance a list at address α will be unfolded as the disjunction of α=0 and α.0=βm α.1=γ for some value β and a list at address γ). This procedure of unfolding creates new names.

The correctness property of the concretisation asserts that we can always fold back an edge, thus removing names. Creating new names is not justified directly by the usual properties of abstract interpretation.

To address this issue, Cosa uses a technology based on Andrew Pitts's nominal sets (see Nominal Sets (course notes). One way to see Xisa graph, from the point of view of unfolding, is a structure with an infinite amount of implicit binders. Nominal set handle infinite amounts of binders gracefully, which is not the case of other representations of binders.

The basic idea of nominal set is to consider a set of names (a.k.a. atoms), and the finite permutations of atoms. Permutations of atoms act on sets as a group. With such an action it is possible to define usual notions like α-equivalence and freshness. But more importantly for Cosa, it comes with a composable notion of functions which do not create names (namely the equivariant functions, i.e. those functions which preserve the action of the finite permutations of atoms).

Overview

Cosa is currently being developed, it does not provide a full-fledged analysis yet. However, it proves correct a significant proportion of the Xisa domain. Some parts of the development are being rewritten so some of the files will not compile at the moment. Here is a description of the directories and Coq files involved in the proofs:

Lib

In the Lib directory, one can find generic types and proofs.

Interaction

In the Interaction directory, one can find everything pertaining specifically to interaction structures.

Nominal

The Nominal directory defines the primitives for the nominal set technology which is used to ensure the correctness of unfolding. Most everything in the Nominal directory is defined as type classes.

Concrete

The Concrete directory contains objects involved in the description of the concrete domain. The concrete domain being essentially described in Compcert, this directory is pretty small.

Abstract

The Abstract directory contains objects involved in the description of the abstract domain but which are not part of the Xisa domain per se.

Shape

The Shape directory contains the heart of Cosa's domain, where most correction proofs are done, but where types are sometimes still idealised.

Analysis

The Analysis directory is dedicated to turning the abstract domain from the Shape directory into an effective analysis.

Installing Compcert

To browse Cosa with Coq, Compcert's Coq development must be installed. Then you a recent Proof general (from the cvs), which uses the _CoqProject file to pass the appropriate arguments to Coq.

Cosa runs atop Compcert 2.0. As far as we know, there is no installing rules for Coq files in Compcert's Makefile, so here is a procedure to get the file at the right place: