Context Navigation

← Previous Change
Next Change →

Changeset 3328 for Papers/fopara2013

Timestamp:

Jun 6, 2013, 5:05:50 PM (7 years ago)

Author:

tranquil

Message:

cut some text, reordered bibliography

File:

: 1 edited

Papers/fopara2013/fopara13.tex (modified) (12 diffs)

Legend:

: Unmodified
: Added
: Removed

Papers/fopara2013/fopara13.tex

-                      r3327
+                      r3328
 \usepackage{fancyvrb}
 \usepackage{graphicx}
+\usepackage[colorlinks]{hyperref}
+\usepackage[colorlinks,
+            bookmarks,bookmarksopen,bookmarksdepth=2]{hyperref}
 \usepackage{hyphenat}
 \usepackage[utf8x]{inputenc}
 …
 components.
 \paragraph{Contributions.} We have developed the labelling approach \cite{?}, a
+\paragraph{Contributions.} We have developed the labeling approach \cite{labeling}, a
 technique to implement compilers that induce cost models on source programs by
 very lightweight tracking of code changes through compilation. We have studied
 …
 implemented a Frama-C plugin \cite{framac} that invokes the compiler on a source
 program and uses this to generate invariants on the high-level source that
 correctly model low-level costs. Finally, the plug-in certifies that the program
+correctly model low-level costs. Finally, the plugin certifies that the program
 respects these costs by calling automated theorem provers, a new and innovative
 technique in the field of cost analysis. As a case study, we show how the
 plug-in can automatically compute and certify the exact reaction time of Lustre
+plugin can automatically compute and certify the exact reaction time of Lustre
 \cite{lustre} dataflow programs compiled into C.
 …
 compiler. The annotated program can then be enriched with complexity assertions
 in the style of Hoare logic, that are passed to a deductive platform (in our
 case Frama-C). We provide as a Frama-c cost plug-in a simple automatic
+case Frama-C). We provide as a Frama-c cost plugin a simple automatic
 synthesiser for complexity assertions (the blue lines in \autoref{itest1}),
 which can be overridden by the user to increase or decrease accuracy. From the
 …
 \end{figure}
 \section{Main S\&T results of the CerCo project}
+% We will now review the main S\&T results achieved in the CerCo project.
+\emph{The (basic) labelling approach~\cite{?}.} It is the main technique that
+We will now review the main S\&T results achieved in the CerCo project.
+% \emph{Dependent labeling~\cite{?}.} The basic labeling approach assumes a
+% bijective mapping between object code and source code O(1) blocks (called basic
+% blocks). This assumption is violated by many program optimizations (e.g. loop
+% peeling and loop unrolling). It also assumes the cost model computed on the
+% object code to be non parametric: every block must be assigned a cost that does
+% not depend on the state. This assumption is violated by stateful hardware like
+% pipelines, caches, branch prediction units. The dependent labeling approach is
+% an extension of the basic labeling approach that allows to handle parametric
+% cost models. We showed how the method allows to deal with loop optimizations and
+% pipelines, and we speculated about its applications to caches.
+%
+% \emph{Techniques to exploit the induced cost model.} Every technique used for
+% the analysis of functional properties of programs can be adapted to analyse the
+% non-functional properties of the source code instrumented by compilers that
+% implement the labeling approach. In order to gain confidence in this claim, we
+% showed how to implement a cost invariant generator combining abstract
+% interpretation with separation logic ideas \cite{separation}. We integrated
+% everything in the Frama-C modular architecture, in order to compute proof
+% obligations from functional and cost invariants and to use automatic theorem
+% provers on them. This is an example of a new technique that is not currently
+% exploited in WCET analysis. It also shows how precise functional invariants
+% benefits the non-functional analysis too. Finally, we show how to fully
+% automatically analyse the reaction time of Lustre nodes that are first compiled
+% to C using a standard Lustre compiler and then processed by a C compiler that
+% implements the labeling approach.
+% \emph{The CerCo compiler.} This is a compiler from a large subset of the C
+% program to 8051/8052 object code,
+% integrating the labeling approach and a static analyser for 8051 executables.
+% The latter can be implemented easily and does not require dependent costs
+% because the 8051 microprocessor is a very simple one, with constant-cost
+% instruction. It was chosen to separate the issue of exact propagation of the
+% cost model from the orthogonal problem of the static analysis of object code
+% that may require approximations or dependent costs. The compiler comes in
+% several versions: some are prototypes implemented directly in OCaml, and they
+% implement both the basic and dependent labeling approaches; the final version
+% is extracted from a Matita certification and at the moment implements only the
+% basic approach.
+\subsection{The (basic) labeling approach}
+The labeling approach is the main technique that
 underlies all the developments in CerCo. It allows to track the evolution of
 basic blocks during compilation in order to propagate the cost model from the
 object code to the source code without loosing precision in the process.
+\emph{Dependent labelling~\cite{?}.} The basic labelling approach assumes a
+bijective mapping between object code and source code O(1) blocks (called basic
+blocks). This assumption is violated by many program optimizations (e.g. loop
+peeling and loop unrolling). It also assumes the cost model computed on the
+object code to be non parametric: every block must be assigned a cost that does
+not depend on the state. This assumption is violated by stateful hardware like
+pipelines, caches, branch prediction units. The dependent labelling approach is
+an extension of the basic labelling approach that allows to handle parametric
+cost models. We showed how the method allows to deal with loop optimizations and
+pipelines, and we speculated about its applications to caches.
+\emph{Techniques to exploit the induced cost model.} Every technique used for
+the analysis of functional properties of programs can be adapted to analyse the
+non-functional properties of the source code instrumented by compilers that
+implement the labelling approach. In order to gain confidence in this claim, we
+showed how to implement a cost invariant generator combining abstract
+interpretation with separation logic ideas \cite{separation}. We integrated
+everything in the Frama-C modular architecture, in order to compute proof
+obligations from functional and cost invariants and to use automatic theorem
+provers on them. This is an example of a new technique that is not currently
+exploited in WCET analysis. It also shows how precise functional invariants
+benefits the non-functional analysis too. Finally, we show how to fully
+automatically analyse the reaction time of Lustre nodes that are first compiled
+to C using a standard Lustre compiler and then processed by a C compiler that
+implements the labelling approach.
+\emph{The CerCo compiler.} This is a compiler from a large subset of the C
+program to 8051/8052 object code,
+integrating the labelling approach and a static analyser for 8051 executables.
+The latter can be implemented easily and does not require dependent costs
+because the 8051 microprocessor is a very simple one, with constant-cost
+\paragraph{Problem statement.} Given a source program $P$, we want to obtain an
+instrumented source program $P'$,  written in the same programming language, and
+the object code $O$ such that: 1) $P'$ is obtained by inserting into $P$ some
+additional instructions to update global cost information like the amount of
+time spent during execution or the maximal stack space required; 2) $P$ and $P'$
+must have the same functional behavior, i.e.\ they must produce that same output
+and intermediate observables; 3) $P$ and $O$ must have the same functional
+behavior; 4) after execution and in interesting points during execution, the
+cost information computed by $P'$ must be an upper bound of the one spent by $O$
+to perform the corresponding operations (soundness property); 5) the difference
+between the costs computed by $P'$ and the execution costs of $O$ must be
+bounded by a program dependent constant (precision property).
+\paragraph{The labeling software components.} We solve the problem in four
+stages \cite{labeling}, implemented by four software components that are used
+in sequence.
+The first component labels the source program $P$ by injecting label emission
+statements in appropriate positions to mark the beginning of basic blocks.
+% The
+% set of labels with their positions is called labeling.
+The syntax and semantics
+of the source programming language is augmented with label emission statements.
+The statement ``EMIT $\ell$'' behaves like a NOP instruction that does not affect the
+program state or control flow, but its execution is observable.
+% Therefore the observables of a run of a program becomes a stream
+% of label emissions: $\ell_1,\ldots,\ell_n$, called the program trace. We clarify the conditions
+% that the labeling must respect later.
+The second component is a labeling preserving compiler. It can be obtained from
+an existing compiler by adding label emission statements to every intermediate
+language and by propagating label emission statements during compilation. The
+compiler is correct if it preserves both the functional behavior of the program
+and the traces of observables.
+% We may also ask that the function that erases the cost
+% emission statements commute with compilation. This optional property grants that
+% the labeling does not interfere with the original compiler behavior. A further
+% set of requirements will be added later.
+The third component is a static object code analyser. It takes in input a labeled
+object code and it computes the scope of each of its label emission statements,
+i.e.\ the tree of instructions that may be executed after the statement and before
+a new label emission is encountered.
+It is a tree and not a sequence because the scope
+may contain a branching statement. In order to grant that such a finite tree
+exists, the object code must not contain any loop that is not broken by a label
+emission statement. This is the first requirement of a sound labeling. The
+analyser fails if the labeling is unsound. For each scope, the analyser
+computes an upper bound of the execution time required by the scope, using the
+maximum of the costs of the two branches in case of a conditional statement.
+Finally, the analyser computes the cost of a label by taking the maximum of the
+costs of the scopes of every statement that emits that label.
+The fourth and last component takes in input the cost model computed at step 3
+and the labelled code computed at step 1. It outputs a source program obtained
+by replacing each label emission statement with a statement that increments the
+global cost variable with the cost associated to the label by the cost model.
+The obtained source code is the instrumented source code.
+\paragraph{Correctness.} Requirements 1, 2 and 3 of the problem statement
+obviously hold, with 2 and 3 being a consequence of the definition of a correct
+labeling preserving compiler. It is also obvious that the value of the global
+cost variable of an instrumented source code is at any time equal to the sum of
+the costs of the labels emitted by the corresponding labelled code. Moreover,
+because the compiler preserves all traces, the sum of the costs of the labels
+emitted in the source and target labelled code are the same. Therefore, to
+satisfy the fourth requirement, we need to grant that the time taken to execute
+the object code is equal to the sum of the costs of the labels emitted by the
+object code. We collect all the necessary conditions for this to happen in the
+definition of a sound labeling: a) all loops must be broken by a cost emission
+statement;  b) all program instructions must be in the scope of some cost
+emission statement. To satisfy also the fifth requirement, additional
+requirements must be imposed on the object code labeling to avoid all uses of
+the maximum in the cost computation: the labeling is precise if every label is
+emitted at most once and both branches of a conditional jump start with a label
+emission statement.
+The correctness and precision of the labeling approach only rely on the
+correctness and precision of the object code labeling. The simplest
+way to achieve them is to impose correctness and precision
+requirements also on the initial labeling produced by the first software
+component, and to ask the compiler to preserve these
+properties too. The latter requirement imposes serious limitations on the
+compilation strategy and optimizations: the compiler may not duplicate any code
+that contains label emission statements, like loop bodies. Therefore several
+loop optimizations like peeling or unrolling are prevented. Moreover, precision
+of the object code labeling is not sufficient per se to obtain global
+precision: we also implicitly assumed the static analysis to be able to
+associate a precise constant cost to every instruction. This is not possible in
+presence of stateful hardware whose state influences the cost of operations,
+like pipelines and caches. In the next subsection we will see an extension of the
+basic labeling approach to cover this situation.
+The labeling approach described in this section can be applied equally well and
+with minor modifications to imperative and functional languages
+\cite{labeling2}. We have tested it on a simple imperative language without
+functions (a While language), on a subset of C and on two compilation chains for
+a purely functional higher order language. The two main changes required to deal
+with functional languages are: 1) because global variables and updates are not
+available, the instrumentation phase produces monadic code to “update” the
+global costs; 2) the requirements for a sound and precise labeling of the
+source code must be changed when the compilation is based on CPS translations.
+In particular, we need to introduce both labels emitted before a statement is
+executed and labels emitted after a statement is executed. The latter capture
+code that is inserted by the CPS translation and that would escape all label
+scopes.
+Phases 1, 2 and 3 can be applied as well to logic languages (e.g. Prolog).
+However, the instrumentation phase cannot: in standard Prolog there is no notion
+of (global) variable whose state is not retracted during backtracking.
+Therefore, the cost of executing computations that are later backtracked would
+not be correctly counted in. Any extension of logic languages with
+non-backtrackable state should support the labeling approach.
+\subsection{Dependent labeling}
+The core idea of the basic labeling approach is to establish a tight connection
+between basic blocks executed in the source and target languages. Once the
+connection is established, any cost model computed on the object code can be
+transferred to the source code, without affecting the code of the compiler or
+its proof. In particular, it is immediate that we can also transport cost models
+that associate to each label functions from hardware state to natural numbers.
+However, a problem arises during the instrumentation phase that replaces cost
+emission statements with increments of global cost variables. The global cost
+variable must be incremented with the result of applying the function associated
+to the label to the hardware state at the time of execution of the block.
+The hardware state comprises both the functional state that affects the
+computation (the value of the registers and memory) and the non-functional
+state that does not (the pipeline and cache contents for example). The former is
+in correspondence with the source code state, but reconstructing the
+correspondence may be hard and lifting the cost model to work on the source code
+state is likely to produce cost expressions that are too hard to reason on.
+Luckily enough, in all modern architectures the cost of executing single
+instructions is either independent of the functional state or the jitter---the
+difference between the worst and best case execution times---is small enough
+to be bounded without loosing too much precision. Therefore we can concentrate
+on dependencies over the “non-functional” parts of the state only.
+The non-functional state has no correspondence in the high level state and does
+not influence the functional properties. What can be done is to expose the
+non-functional state in the source code. We just present here the basic
+intuition in a simplified form: the technical details that allow to handle the
+general case are more complex and can be found in the CerCo deliverables. We add
+to the source code an additional global variable that represents the
+non-functional state and another one that remembers the last labels emitted. The
+state variable must be updated at every label emission statement, using an
+update function which is computed during static analysis too. The update
+function associates to each label a function from the recently emitted labels
+and old state to the new state. It is computed composing the semantics of every
+instruction in a basic block and restricting it to the non-functional part of
+the state.
+Not all the details of the non-functional state needs to be exposed, and the
+technique works better when the part of state that is required can be summarized
+in a simple data structure. For example, to handle simple but realistic
+pipelines it is sufficient to remember a short integer that encodes the position
+of bubbles (stuck instructions) in the pipeline. In any case, the user does not
+need to understand the meaning of the state to reason over the properties of the
+program. Moreover, at any moment the user or the invariant generator tools that
+analyse the instrumented source code produced by the compiler can decide to
+trade precision of the analysis with simplicity by approximating the parametric
+cost with safe non parametric bounds. Interestingly, the functional analysis of
+the code can determine which blocks are executed more frequently in order to
+approximate more aggressively the ones that are executed less.
+Dependent labeling can also be applied to allow the compiler to duplicate
+blocks that contain labels (e.g. in loop optimizations) \cite{paolo}. The effect is to assign
+a different cost to the different occurrences of a duplicated label. For
+example, loop peeling turns a loop into the concatenation of a copy of the loop
+body (that executes the first iteration) with the conditional execution of the
+loop (for the successive iterations). Because of further optimizations, the two
+copies of the loop will be compiled differently, with the first body usually
+taking more time.
+By introducing a variable that keep tracks of the iteration number, we can
+associate to the label a cost that is a function of the iteration number. The
+same technique works for loop unrolling without modifications: the function will
+assign a cost to the even iterations and another cost to the odd ones. The
+actual work to be done consists in introducing in the source code and for each
+loop a variable that counts the number of iterations. The loop optimization code
+that duplicate the loop bodies must also modify the code to propagate correctly
+the update of the iteration numbers. The technical details are more complex and
+can be found in the CerCo reports and publications. The implementation, however,
+is quite simple and the changes to a loop optimizing compiler are minimal.
+\subsection{Techniques to exploit the induced cost model}
+We review the cost synthesis techniques developed in the project.
+The starting hypothesis is that we have a certified methodology to annotate
+blocks in the source code with constants which provide a sound and possibly
+precise upper bound on the cost of executing the blocks after compilation to
+object code.
+The principle that we have followed in designing the cost synthesis tools is
+that the synthetic bounds should be expressed and proved within a general
+purpose tool built to reason on the source code. In particular, we rely on the
+Frama-C tool to reason on C code and on the Coq proof-assistant to reason on
+higher-order functional programs.
+This principle entails that: 1)
+The inferred synthetic bounds are indeed correct as long as the general purpose
+tool is. 2) There is no limitation on the class of programs that can be handled
+as long as the user is willing to carry on an interactive proof.
+Of course, automation is desirable whenever possible. Within this framework,
+automation means writing programs that give hints to the general purpose tool.
+These hints may take the form, say, of loop invariants/variants, of predicates
+describing the structure of the heap, or of types in a light logic. If these
+hints are correct and sufficiently precise the general purpose tool will produce
+a proof automatically, otherwise, user interaction is required.
+\paragraph{The Cost plugin and its application to the Lustre compiler.}
+Frama-C \cite{framac} is a set of analysers for C programs with a
+specification language called ACSL. New analyses can be dynamically added
+through a plugin system. For instance, the Jessie plugin allows deductive
+verification of C programs with respect to their specification in ACSL, with
+various provers as back-end tools.
+We developed the CerCo Cost plugin for the Frama-C platform as a proof of
+concept of an automatic environment exploiting the cost annotations produced by
+the CerCo compiler. It consists of an OCaml program which in first approximation
+takes the following actions: 1) it receives as input a C program, 2) it
+applies the CerCo compiler to produce a related C program with cost annotations,
+) it applies some heuristics to produce a tentative bound on the cost of
+executing the C functions of the program as a function of the value of their
+parameters, 4) the user can then call the Jessie plugin to discharge the
+related proof obligations.
+In the following we elaborate on the soundness of the framework and the
+experiments we performed with the Cost tool on the C programs produced by a
+Lustre compiler.
+\paragraph{Soundness.} The soundness of the whole framework depends on the cost
+annotations added by the CerCo compiler, the synthetic costs produced by the
+Cost plugin, the verification conditions (VCs) generated by Jessie, and the
+external provers discharging the VCs. The synthetic costs being in ACSL format,
+Jessie can be used to verify them. Thus, even if the added synthetic costs are
+incorrect (relatively to the cost annotations), the process as a whole is still
+correct: indeed, Jessie will not validate incorrect costs and no conclusion can
+be made about the WCET of the program in this case. In other terms, the
+soundness does not really depend on the action of the Cost plugin, which can in
+principle produce any synthetic cost. However, in order to be able to actually
+prove a WCET of a C function, we need to add correct annotations in a way that
+Jessie and subsequent automatic provers have enough information to deduce their
+validity. In practice this is not straightforward even for very simple programs
+composed of branching and assignments (no loops and no recursion) because a fine
+analysis of the VCs associated with branching may lead to a complexity blow up.
+\paragraph{Experience with Lustre.} Lustre is a data-flow language to program
+synchronous systems and the language comes with a compiler to C. We designed a
+wrapper for supporting Lustre files.
+The C function produced by the compiler implements the step function of the
+synchronous system and computing the WCET of the function amounts to obtain a
+bound on the reaction time of the system. We tested the Cost plugin and the
+Lustre wrapper on the C programs generated by the Lustre compiler. For programs
+consisting of a few hundreds loc, the Cost plugin computes a WCET and Alt −
+Ergo is able to discharge all VCs automatically.
+\paragraph{Handling C programs with simple loops.}
+The cost annotations added by the CerCo compiler take the form of C instructions
+that update by a constant a fresh global variable called the cost variable.
+Synthesizing a WCET of a C function thus consists in statically resolving an
+upper bound of the difference between the value of the cost variable before and
+after the execution of the function, i.e. find in the function the instructions
+that update the cost variable and establish the number of times they are passed
+through during the flow of execution. In order to do the analysis the plugin
+makes the following assumptions on the programs:
+. No recursive functions.
+. Every loop must be annotated with a variant. The variants of ‘for’ loops are
+automatically inferred.
+The plugin proceeds as follows.
+First the call graph of the program is computed.
+Then the computation of the cost of the function is performed by traversing its
+control flow graph. If the function f calls the function g then the function g
+is processed before the function f. The cost at a node is the maximum of the
+costs of the successors.
+In the case of a loop with a body that has a constant cost for every step of the
+loop, the cost is the product of the cost of the body and of the variant taken
+at the start of the loop.
+In the case of a loop with a body whose cost depends on the values of some free
+variables, a fresh logic function f is introduced to represent the cost of the
+loop in the logic assertions. This logic function takes the variant as a first
+parameter. The other parameters of f are the free variables of the body of the
+loop. An axiom is added to account the fact that the cost is accumulated at each
+step of the loop.
+The cost of the function is directly added as post-condition of the function
+The user can influence the annotation by different means:
+by using more precise variants or
+by annotating function with cost specification. The plugin will use this cost
+for the function instead of computing it.
+\paragraph{C programs with pointers.}
+When it comes to verifying programs involving pointer-based data structures,
+such as linked lists, trees, or graphs, the use of traditional first-order logic
+to specify, and of SMT solvers to verify, shows some limitations. Separation
+logic \cite{separation} is then an elegant alternative. It is a program logic
+with a new notion of conjunction to express spatial heap separation. Bobot has
+recently introduced in the Jessie plugin automatically generated separation
+predicates to simulate separation logic reasoning in a traditional verification
+framework where the specification language, the verification condition
+generator, and the theorem provers were not designed with separation logic in
+mind. CerCo's plugin can exploit the separation predicates to automatically
+reason on the cost of execution of simple heap manipulation programs such as an
+in-place list reversal.
+\subsection{The CerCo Compiler}
+In CerCo we have developed a certain number of cost preserving compilers based
+on the labeling approach. Excluding an initial certified compiler for a While
+language, all remaining compilers target realistic source languages---a pure
+higher order functional language and a large subset of C with pointers, gotos
+and all data structures---and real world target processors---MIPS and the
+Intel 8051/8052 processor family. Moreover, they achieve a level of optimization
+that ranges from moderate (comparable to gcc level 1) to intermediate (including
+loop peeling and unrolling, hoisting and late constant propagation). The so
+called Trusted CerCo Compiler is the only one that was implemented in the
+interactive theorem prover Matita~\cite{matita} and its costs certified. The code distributed
+is obtained extracting OCaml code from the Matita implementation. In the rest of
+this section we will only focus on the Trusted CerCo Compiler, that only targets
+the C language and the 8051/8052 family, and that does not implement the
+advanced optimizations yet. Its user interface, however, is the same as the one
+of the other versions, in order to trade safety with additional performances. In
+particular, the Frama-C CerCo plugin can work without recompilation with all
+compilers.
+The 8051/8052 microprocessor is a very simple one, with constant-cost
 instruction. It was chosen to separate the issue of exact propagation of the
 cost model from the orthogonal problem of the static analysis of object code
+that may require approximations or dependent costs. The compiler comes in
+several versions: some are prototypes implemented directly in OCaml, and they
+implement both the basic and dependent labelling approaches; the final version
+is extracted from a Matita certification and at the moment implements only the
+basic approach.
+\emph{A formal cost certification of the CerCo compiler.} We implemented the
+that may require approximations or dependent costs.
+The (trusted) CerCo compiler implements the following optimizations: cast
+simplification, constant propagation in expressions, liveness analysis driven
+spilling of registers, dead code elimination, branch displacement, tunneling.
+The two latter optimizations are performed by our optimizing assembler
+\cite{correctness}. The back-end of the compiler works on three addresses
+instructions, preferred to static single assignment code for the simplicity of
+the formal certification.
+The CerCo compiler is loosely based on the CompCert compiler \cite{compcert}, a
+recently developed certified compiler from C to the PowerPC, ARM and x86
+microprocessors. Contrarily to CompCert, both the CerCo code and its
+certification are open source. Some data structures and language definitions for
+the front-end are directly taken from CompCert, while the back-end is a redesign
+of a compiler from Pascal to MIPS used by Francois Pottier for a course at the
+Ecole Polytechnique.
+The main peculiarities of the CerCo compiler are:
+\begin{enumerate}
+\item all of our intermediate languages include label emitting instructions to
+implement the labeling approach, and the compiler preserves execution traces.
+\item traditionally compilers target an assembly language with additional
+macro-instructions to be expanded before assembly; for CerCo we need to go all
+the way down to object code in order to perform the static analysis. Therefore
+we integrated also an optimizing assembler and a static analyser.
+\item to avoid implementing a linker and a loader, we do not support separate
+compilation and external calls. Adding a linker and a loader is a transparent
+process to the labeling approach and should create no unknown problem.
+\item we target an 8-bit processor. Targeting an 8 bit processor requires
+several changes and increased code size, but it is not fundamentally more
+complex. The proof of correctness, however, becomes much harder.
+\item we target a microprocessor that has a non uniform memory model, which is
+still often the case for microprocessors used in embedded systems and that is
+becoming common again in multi-core processors. Therefore the compiler has to
+keep track of data and it must move data between memory regions in the proper
+way. Also the size of pointers to different regions is not uniform. An
+additional difficulty was that the space available for the stack in internal
+memory in the 8051 is tiny, allowing only a minor number of nested calls. To
+support full recursion in order to test the CerCo tools also on recursive
+programs, the compiler manually manages a stack in external memory.
+\end{enumerate}
+\subsection{A formal certification of the CerCo compiler}
+We implemented the
 CerCo compiler in the interactive theorem prover Matita and have formally
 certified that the cost model induced on the source code correctly and precisely
 …
 a uniform proof of forward similarity.
+\subsection{The (basic) labelling approach.}
+\paragraph{Problem statement.} given a source program $P$, we want to obtain an
+instrumented source program $P'$,  written in the same programming language, and
+the object code $O$ such that: 1) $P'$ is obtained by inserting into $P$ some
+additional instructions to update global cost information like the amount of
+time spent during execution or the maximal stack space required; 2) $P$ and $P'$
+must have the same functional behavior, i.e., they must produce that same output
+and intermediate observables; 3) $P$ and $O$ must have the same functional
+behavior; 4) after execution and in interesting points during execution, the
+cost information computed by $P'$ must be an upper bound of the one spent by $O$
+ to perform the corresponding operations (soundness property); 5) the difference
+between the costs computed by $P'$ and the execution costs of $O$ must be
+bounded by a program dependent constant (precision property).
+\paragraph{The labeling software components.} we solve the problem in four
+stages \cite{labelling}, implemented by four software components that are used
+in sequence.
+The first component labels the source program $P$ by injecting label emission
+statements in appropriate positions to mark the beginning of basic blocks. The
+set of labels with their positions is called labelling. The syntax and semantics
+of the source programming language is augmented with label emission statements.
+The statement “EMIT l” behaves like a NOP instruction that does not affect the
+program state or control flow, but it changes the semantics by making the label
+l observable. Therefore the observables of a run of a program becomes a stream
+of label emissions: l1 … ln, called the program trace. We clarify the conditions
+that the labelling must respect later.
+The second component is a labelling preserving compiler. It can be obtained from
+an existing compiler by adding label emission statements to every intermediate
+language and by propagating label emission statements during compilation. The
+compiler is correct if it preserves both the functional behavior of the program
+and the generated traces. We may also ask that the function that erases the cost
+emission statements commute with compilation. This optional property grants that
+the labelling does not interfere with the original compiler behavior. A further
+set of requirements will be added later.
+The third component is a static object code analyser. It takes in input the
+object code augmented with label emission statements and it computes, for every
+such statement, its scope. The scope of a label emission statement is the tree
+of instructions that may be executed after the statement and before a new label
+emission statement is found. It is a tree and not a sequence because the scope
+may contain a branching statement. In order to grant that such a finite tree
+exists, the object code must not contain any loop that is not broken by a label
+emission statement. This is the first requirement of a sound labelling. The
+analyser fails if the labelling is unsound. For each scope, the analyser
+computes an upper bound of the execution time required by the scope, using the
+maximum of the costs of the two branches in case of a conditional statement.
+Finally, the analyser computes the cost of a label by taking the maximum of the
+costs of the scopes of every statement that emits that label.
+The fourth and last component takes in input the cost model computed at step 3
+and the labelled code computed at step 1. It outputs a source program obtained
+by replacing each label emission statement with a statement that increments the
+global cost variable with the cost associated to the label by the cost model.
+The obtained source code is the instrumented source code.
+\paragraph{Correctness.} Requirements 1, 2 and 3 of the program statement
+obviously hold, with 2 and 3 being a consequence of the definition of a correct
+labelling preserving compiler. It is also obvious that the value of the global
+cost variable of an instrumented source code is at any time equal to the sum of
+the costs of the labels emitted by the corresponding labelled code. Moreover,
+because the compiler preserves all traces, the sum of the costs of the labels
+emitted in the source and target labelled code are the same. Therefore, to
+satisfy the fourth requirement, we need to grant that the time taken to execute
+the object code is equal to the sum of the costs of the labels emitted by the
+object code. We collect all the necessary conditions for this to happen in the
+definition of a sound labelling: a) all loops must be broken by a cost emission
+statement;  b) all program instructions must be in the scope of some cost
+emission statement. To satisfy also the fifth requirement, additional
+requirements must be imposed on the object code labelling to avoid all uses of
+the maximum in the cost computation: the labelling is precise if every label is
+emitted at most once and both branches of a conditional jump start with a label
+emission statement.
+The correctness and precision of the labelling approach only rely on the
+correctness and precision of the object code labelling. The simplest, but not
+necessary, way to achieve them is to impose correctness and precision
+requirements also on the initial labelling produced by the first software
+component, and to ask the labelling preserving compiler to preserve these
+properties too. The latter requirement imposes serious limitations on the
+compilation strategy and optimizations: the compiler may not duplicate any code
+that contains label emission statements, like loop bodies. Therefore several
+loop optimizations like peeling or unrolling are prevented. Moreover, precision
+of the object code labelling is not sufficient per se to obtain global
+precision: we also implicitly assumed the static analysis to be able to
+associate a precise constant cost to every instruction. This is not possible in
+presence of stateful hardware whose state influences the cost of operations,
+like pipelines and caches. In the next section we will see an extension of the
+basic labelling approach to cover this situation.
+The labelling approach described in this section can be applied equally well and
+with minor modifications to imperative and functional languages
+\cite{labelling2}. We have tested it on a simple imperative language without
+functions (a While language), to a subset of C and to two compilation chains for
+a purely functional higher order language. The two main changes required to deal
+with functional languages are: 1) because global variables and updates are not
+available, the instrumentation phase produces monadic code to “update” the
+global costs; 2) the requirements for a sound and precise labelling of the
+source code must be changed when the compilation is based on CPS translations.
+In particular, we need to introduce both labels emitted before a statement is
+executed and labels emitted after a statement is executed. The latter capture
+code that is inserted by the CPS translation and that would escape all label
+scopes.
+Phases 1, 2 and 3 can be applied as well to logic languages (e.g. Prolog).
+However, the instrumentation phase cannot: in standard Prolog there is no notion
+of (global) variable whose state is not retracted during backtracking.
+Therefore, the cost of executing computations that are later backtracked would
+not be correctly counted in. Any extension of logic languages with
+non-backtrackable state should support the labelling approach.
+\subsection{Dependent labelling.}
+The core idea of the basic labelling approach is to establish a tight connection
+between basic blocks executed in the source and target languages. Once the
+connection is established, any cost model computed on the object code can be
+transferred to the source code, without affecting the code of the compiler or
+its proof. In particular, it is immediate that we can also transport cost models
+that associate to each label functions from hardware state to natural numbers.
+However, a problem arises during the instrumentation phase that replaces cost
+emission statements with increments of global cost variables. The global cost
+variable must be incremented with the result of applying the function associated
+to the label to the hardware state at the time of execution of the block.
+The hardware state comprises both the “functional” state that affects the
+computation (the value of the registers and memory) and the “non-functional”
+state that does not (the pipeline and caches content for example). The former is
+in correspondence with the source code state, but reconstructing the
+correspondence may be hard and lifting the cost model to work on the source code
+state is likely to produce cost expressions that are too hard to reason on.
+Luckily enough, in all modern architectures the cost of executing single
+instructions is either independent of the functional state or the jitter --- the
+difference between the worst and best case execution times --- is small enough
+to be bounded without loosing too much precision. Therefore we can concentrate
+on dependencies over the “non-functional” parts of the state only.
+The non-functional state has no correspondence in the high level state and does
+not influence the functional properties. What can be done is to expose the
+non-functional state in the source code. We just present here the basic
+intuition in a simplified form: the technical details that allow to handle the
+general case are more complex and can be found in the CerCo deliverables. We add
+to the source code an additional global variable that represents the
+non-functional state and another one that remembers the last labels emitted. The
+state variable must be updated at every label emission statement, using an
+update function which is computed during static analysis too. The update
+function associates to each label a function from the recently emitted labels
+and old state to the new state. It is computed composing the semantics of every
+instruction in a basic block and restricting it to the non-functional part of
+the state.
+Not all the details of the non-functional state needs to be exposed, and the
+technique works better when the part of state that is required can be summarized
+in a simple data structure. For example, to handle simple but realistic
+pipelines it is sufficient to remember a short integer that encodes the position
+of bubbles (stuck instructions) in the pipeline. In any case, the user does not
+need to understand the meaning of the state to reason over the properties of the
+program. Moreover, at any moment the user or the invariant generator tools that
+analyse the instrumented source code produced by the compiler can decide to
+trade precision of the analysis with simplicity by approximating the parametric
+cost with safe non parametric bounds. Interestingly, the functional analysis of
+the code can determine which blocks are executed more frequently in order to
+approximate more aggressively the ones that are executed less.
+Dependent labelling can also be applied to allow the compiler to duplicate
+blocks that contain labels (e.g. in loop optimizations). The effect is to assign
+a different cost to the different occurrences of a duplicated label. For
+example, loop peeling turns a loop into the concatenation of a copy of the loop
+body (that executes the first iteration) with the conditional execution of the
+loop (for the successive iterations). Because of further optimizations, the two
+copies of the loop will be compiled differently, with the first body usually
+taking more time.
+By introducing a variable that keep tracks of the iteration number, we can
+associate to the label a cost that is a function of the iteration number. The
+same technique works for loop unrolling without modifications: the function will
+assign a cost to the even iterations and another cost to the odd ones. The
+actual work to be done consists in introducing in the source code and for each
+loop a variable that counts the number of iterations. The loop optimization code
+that duplicate the loop bodies must also modify the code to propagate correctly
+the update of the iteration numbers. The technical details are more complex and
+can be found in the CerCo reports and publications. The implementation, however,
+is quite simple and the changes to a loop optimizing compiler are minimal
+\cite{paolo}.
+\subsection{Techniques to exploit the induced cost model.}
+We review the cost synthesis techniques developed in the project.
+The starting hypothesis is that we have a certified methodology to annotate
+blocks in the source code with constants which provide a sound and possibly
+precise upper bound on the cost of executing the blocks after compilation to
+object code.
+The principle that we have followed in designing the cost synthesis tools is
+that the synthetic bounds should be expressed and proved within a general
+purpose tool built to reason on the source code. In particular, we rely on the
+Frama − C tool to reason on C code and on the Coq proof-assistant to reason on
+higher-order functional programs.
+This principle entails that: 1)
+The inferred synthetic bounds are indeed correct as long as the general purpose
+tool is. 2) There is no limitation on the class of programs that can be handled
+as long as the user is willing to carry on an interactive proof.
+Of course, automation is desirable whenever possible. Within this framework,
+automation means writing programs that give hints to the general purpose tool.
+These hints may take the form, say, of loop invariants/variants, of predicates
+describing the structure of the heap, or of types in a light logic. If these
+hints are correct and sufficiently precise the general purpose tool will produce
+a proof automatically, otherwise, user interaction is required.
+\paragraph{The Cost plug-in and its application to the Lustre compiler}
+Frama − C \cite{framac} is a set of analysers for C programs with a
+specification language called ACSL. New analyses can be dynamically added
+through a plug-in system. For instance, the Jessie plug-in allows deductive
+verification of C programs with respect to their specification in ACSL, with
+various provers as back-end tools.
+We developed the CerCo Cost plug-in for the Frama − C platform as a proof of
+concept of an automatic environment exploiting the cost annotations produced by
+the CerCo compiler. It consists of an OCaml program which in first approximation
+takes the following actions: (1) it receives as input a C program, (2) it
+applies the CerCo compiler to produce a related C program with cost annotations,
+(3) it applies some heuristics to produce a tentative bound on the cost of
+executing the C functions of the program as a function of the value of their
+parameters, (4) the user can then call the Jessie plug-in to discharge the
+related proof obligations.
+In the following we elaborate on the soundness of the framework and the
+experiments we performed with the Cost tool on the C programs produced by a
+Lustre compiler.
+\paragraph{Soundness} The soundness of the whole framework depends on the cost
+annotations added by the CerCo compiler, the synthetic costs produced by the
+Cost plug-in, the verification conditions (VCs) generated by Jessie, and the
+external provers discharging the VCs. The synthetic costs being in ACSL format,
+Jessie can be used to verify them. Thus, even if the added synthetic costs are
+incorrect (relatively to the cost annotations), the process as a whole is still
+correct: indeed, Jessie will not validate incorrect costs and no conclusion can
+be made about the WCET of the program in this case. In other terms, the
+soundness does not really depend on the action of the Cost plug-in, which can in
+principle produce any synthetic cost. However, in order to be able to actually
+prove a WCET of a C function, we need to add correct annotations in a way that
+Jessie and subsequent automatic provers have enough information to deduce their
+validity. In practice this is not straightforward even for very simple programs
+composed of branching and assignments (no loops and no recursion) because a fine
+analysis of the VCs associated with branching may lead to a complexity blow up.
+\paragraph{Experience with Lustre} Lustre is a data-flow language to program
+synchronous systems and the language comes with a compiler to C. We designed a
+wrapper for supporting Lustre files.
+The C function produced by the compiler implements the step function of the
+synchronous system and computing the WCET of the function amounts to obtain a
+bound on the reaction time of the system. We tested the Cost plug-in and the
+Lustre wrapper on the C programs generated by the Lustre compiler. For programs
+consisting of a few hundreds loc, the Cost plug-in computes a WCET and Alt −
+Ergo is able to discharge all VCs automatically.
+\paragraph{Handling C programs with simple loops}
+The cost annotations added by the CerCo compiler take the form of C instructions
+that update by a constant a fresh global variable called the cost variable.
+Synthesizing a WCET of a C function thus consists in statically resolving an
+upper bound of the difference between the value of the cost variable before and
+after the execution of the function, i.e. find in the function the instructions
+that update the cost variable and establish the number of times they are passed
+through during the flow of execution. In order to do the analysis the plugin
+makes the following assumptions on the programs:
+. No recursive functions.
+. Every loop must be annotated with a variant. The variants of ‘for’ loops are
+automatically inferred.
+The plugin proceeds as follows.
+First the call graph of the program is computed.
+Then the computation of the cost of the function is performed by traversing its
+control flow graph. If the function f calls the function g then the function g
+is processed before the function f. The cost at a node is the maximum of the
+costs of the successors.
+In the case of a loop with a body that has a constant cost for every step of the
+loop, the cost is the product of the cost of the body and of the variant taken
+at the start of the loop.
+In the case of a loop with a body whose cost depends on the values of some free
+variables, a fresh logic function f is introduced to represent the cost of the
+loop in the logic assertions. This logic function takes the variant as a first
+parameter. The other parameters of f are the free variables of the body of the
+loop. An axiom is added to account the fact that the cost is accumulated at each
+step of the loop.
+The cost of the function is directly added as post-condition of the function
+The user can influence the annotation by different means:
+by using more precise variants or
+by annotating function with cost specification. The plugin will use this cost
+for the function instead of computing it.
+\paragraph{C programs with pointers}
+When it comes to verifying programs involving pointer-based data structures,
+such as linked lists, trees, or graphs, the use of traditional first-order logic
+to specify, and of SMT solvers to verify, shows some limitations. Separation
+logic \cite{separation} is then an elegant alternative. It is a program logic
+with a new notion of conjunction to express spatial heap separation. Bobot has
+recently introduced in the Jessie plug-in automatically generated separation
+predicates to simulate separation logic reasoning in a traditional verification
+framework where the specification language, the verification condition
+generator, and the theorem provers were not designed with separation logic in
+mind. CerCo's plug-in can exploit the separation predicates to automatically
+reason on the cost of execution of simple heap manipulation programs such as an
+in-place list reversal.
+\subsection{The CerCo Compiler}
+In CerCo we have developed a certain number of cost preserving compilers based
+on the labelling approach. Excluding an initial certified compiler for a While
+language, all remaining compilers target realistic source languages --- a pure
+higher order functional language and a large subset of C with pointers, gotos
+and all data structures --- and real world target processors --- MIPS and the
+Intel 8051/8052 processor family. Moreover, they achieve a level of optimization
+that ranges from moderate (comparable to gcc level 1) to intermediate (including
+loop peeling and unrolling, hoisting and late constant propagation). The so
+called Trusted CerCo Compiler is the only one that was implemented in the
+interactive theorem prover Matita and its costs certified. The code distributed
+is obtained extracting OCaml code from the Matita implementation. In the rest of
+this section we will only focus on the Trusted CerCo Compiler, that only targets
+the C language and the 8051/8052 family, and that does not implement the
+advanced optimizations yet. Its user interface, however, is the same as the one
+of the other versions, in order to trade safety with additional performances. In
+particular, the Frama-C CerCo plug-in can work without recompilation with all
+compilers.
+The (trusted) CerCo compiler implements the following optimizations: cast
+simplification, constant propagation in expressions, liveness analysis driven
+spilling of registers, dead code elimination, branch displacement, tunneling.
+The two latter optimizations are performed by our optimizing assembler
+\cite{correctness}. The back-end of the compiler works on three addresses
+instructions, preferred to static single assignment code for the simplicity of
+the formal certification.
+The CerCo compiler is loosely based on the CompCert compiler \cite{compcert}, a
+recently developed certified compiler from C to the PowerPC, ARM and x86
+microprocessors. Contrarily to CompCert, both the CerCo code and its
+certification are open source. Some data structures and language definitions for
+the front-end are directly taken from CompCert, while the back-end is a redesign
+of a compiler from Pascal to MIPS used by Francois Pottier for a course at the
+Ecole Polytechnique.
+The main peculiarities of the CerCo compiler are:
+\begin{enumerate}
+\item all of our intermediate languages include label emitting instructions to
+implement the labelling approach, and the compiler preserves execution traces.
+\item traditionally compilers target an assembly language with additional
+macro-instructions to be expanded before assembly; for CerCo we need to go all
+the way down to object code in order to perform the static analysis. Therefore
+we integrated also an optimizing assembler and a static analyser.
+\item to avoid implementing a linker and a loader, we do not support separate
+compilation and external calls. Adding a linker and a loader is a transparent
+process to the labelling approach and should create no unknown problem.
+\item we target an 8-bit processor. Targeting an 8 bit processor requires
+several changes and increased code size, but it is not fundamentally more
+complex. The proof of correctness, however, becomes much harder.
+\item we target a microprocessor that has a non uniform memory model, which is
+still often the case for microprocessors used in embedded systems and that is
+becoming common again in multi-core processors. Therefore the compiler has to
+keep track of data and it must move data between memory regions in the proper
+way. Also the size of pointers to different regions is not uniform. An
+additional difficulty was that the space available for the stack in internal
+memory in the 8051 is tiny, allowing only a minor number of nested calls. To
+support full recursion in order to test the CerCo tools also on recursive
+programs, the compiler manually manages a stack in external memory.
+\end{enumerate}
+\section{A formal certification of the CerCo compiler}
+The Trusted CerCo Compiler has been implemented and certified using the
+interactive theorem prover Matita. The details on the proof techniques employed
+The details on the proof techniques employed
 and
 the proof sketch can be collected from the CerCo deliverables and papers.
 …
 out to be more complex than what we expected at the beginning.
 \paragraph{The statement}
+\paragraph{The statement.}
 Real time programs are often reactive programs that loop forever responding to
 events (inputs) by performing some computation followed by some action (output)
 …
 space is a clear requirement of meaningfulness of a run, because source programs
 do not crash for lack of space while object code ones do. The balancing of
 function calls/returns is a requirement for precision: the labelling approach
+function calls/returns is a requirement for precision: the labeling approach
 allows the scope of label emission statements to extend after function calls to
 minimize the number of labels. Therefore a label pays for all the instructions
 …
 characterized by history dependent stateful components, like caches and
 pipelines. The main issue consists in assigning a parametric, dependent cost
 to basic blocks that can be later transferred by the labelling approach to
+to basic blocks that can be later transferred by the labeling approach to
 the source code and represented in a meaningful way to the user. The dependent
 labelling approach that we have studied seems a promising tools to achieve
+labeling approach that we have studied seems a promising tools to achieve
 this goal, but the cost model generated for a realistic processor could be too
 large and complex to be exposed in the source code. Further study is required
 …
 Examples of further future work consist in improving the cost invariant
 generator algorithms and the coverage of compiler optimizations, in combining
 the labelling approach with type \& effect discipline \cite{typeffects}
+the labeling approach with type \& effect discipline \cite{typeffects}
 to handle languages with implicit memory management, and in experimenting with
 our tools in early development phases. Some larger use case is also necessary
 to evaluate the CerCo's prototype on industrial size programs.
+\begin{thebibliography}{}
+\bibitem{cerco} \textbf{Certified Complexity}, R. Amadio, A. Asperti, N. Ayache,
+\bibliographystyle{llncs}
+\begin{thebibliography}{19}
+\bibitem{survey} \textbf{A Survey of Static Program Analysis Techniques}
+Wolfgang W\"ogerer. Technical report. Technische Universit\"at Wien 2005
+\bibitem{cerco} \textbf{Certified Complexity}. R. Amadio, A. Asperti, N. Ayache,
 B. Campbell, D. Mulligan, R. Pollack, Y. Regis-Gianas, C. Sacerdoti Coen, I.
 Stark, in Procedia Computer Science, Volume 7, 2011, Proceedings of the 2 nd
 European Future Technologies Conference and Exhibition 2011 (FET 11), 175-177.
 \bibitem{labelling} \textbf{Certifying and Reasoning on Cost Annotations in C
+\bibitem{labeling} \textbf{Certifying and Reasoning on Cost Annotations in C
 Programs}, N.  Ayache, R.M. Amadio, Y.Régis-Gianas, in Proc. FMICS, Springer
 LNCS
 : 32-46, 2012, DOI:10.1007/978-3-642-32469-7\_3.
+\bibitem{paolo} \textbf{Indexed Labels for Loop Iteration Dependent Costs}, P.
+\bibitem{labeling2} \textbf{Certifying and reasoning on cost annotations of
+functional programs}.
+R.M. Amadio, Y. Régis-Gianas. Proceedings of the Second international conference
+on Foundational and Practical Aspects of Resource Analysis FOPARA 2011 Springer
+LNCS 2011
+\bibitem{compcert} \textbf{Formal verification of a realistic compiler}. Leroy,
+X. In Commun. ACM 52(7), 107–115 (2009)
+\bibitem{framac} \textbf{Frama-C user manual}. Correnson, L., Cuoq, P., Kirchner,
+F., Prevosto, V., Puccetti, A., Signoles, J.,
+Yakobowski, B. in CEA-LIST, Software Safety Laboratory, Saclay, F-91191,
+\url{http://frama-c.com/}.
+\bibitem{paolo} \textbf{Indexed Labels for Loop Iteration Dependent Costs}. P.
 Tranquilli, in Proceedings of the 11th International Workshop on Quantitative
 Aspects of Programming Languages and Systems (QAPL 2013), Rome, 23rd-24th March
 , Electronic Proceedings in Theoretical Computer Science, to appear in 2013.
+\bibitem{embounded} \textbf{The EmBounded project (project paper)}, K. Hammond,
+R. Dyckhoff, C. Ferdinand, R. Heckmann, M. Hofmann, H. Loidl, G. Michaelson, J.
+Serot, A. Wallace, in Trends in Functional Programming, Volume 6, Intellect
+Press, 2006.
+\bibitem{proartis} \textbf{PROARTIS: Probabilistically Analysable Real-Time
+Systems}, F.J. Cazorla, E. Qui˜nones, T. Vardanega, L. Cucu, B. Triquet, G.
+Bernat, E. Berger, J. Abella, F. Wartel, M. Houston, et al., in ACM Transactions
+on Embedded Computing Systems, 2012.
+\bibitem{stateart} \textbf{The worst-case execution-time problem overview of
+methods
+and survey of tools.} Wilhelm R. et al., in  ACM Transactions on Embedded
+Computing Systems, 7:1–53, May 2008.
+%\bibitem{proartis2} \textbf{A Cache Design for Probabilistic Real-Time
+% Systems}, L. Kosmidis, J. Abella, E. Quinones, and F. Cazorla, in Design,
+% Automation, and Test in Europe (DATE), Grenoble, France, 03/2013.
+\bibitem{framac} \textbf{Frama-C user manual} Correnson, L., Cuoq, P., Kirchner,
+F., Prevosto, V., Puccetti, A., Signoles, J.,
+Yakobowski, B. in CEA-LIST, Software Safety Laboratory, Saclay, F-91191,
+\url{http://frama-c.com/}.
+\bibitem{compcert} \textbf{Formal verification of a realistic compiler} Leroy,
+X. In Commun. ACM 52(7), 107–115 (2009)
+\bibitem{separation} \textbf{Intuitionistic reasoning about shared mutable data
+structure} John C. Reynolds. In Millennial Perspectives in Computer Science,
+pages 303–321, Houndsmill,
+Hampshire, 2000. Palgrave.
 \bibitem{lustre} \textbf{LUSTRE: a declarative language for real-time
 …
 .
+\bibitem{separation} \textbf{Intuitionistic reasoning about shared mutable data
+structure} John C. Reynolds. In Millennial Perspectives in Computer Science,
+pages 303–321, Houndsmill,
+Hampshire, 2000. Palgrave.
+\bibitem{typeffects} \textbf{The Type and Effect Discipline} Jean-Pierre Talpin
+\bibitem{correctness} \textbf{On the correctness of an optimising assembler for
+the intel MCS-51 microprocessor}.
+  Dominic P. Mulligan  and Claudio Sacerdoti Coen. In Proceedings of the Second
+international conference on Certified Programs and Proofs, Springer-Verlag 2012.
+\bibitem{proartis} \textbf{PROARTIS: Probabilistically Analysable Real-Time
+Systems}, F.J. Cazorla, E. Qui˜nones, T. Vardanega, L. Cucu, B. Triquet, G.
+Bernat, E. Berger, J. Abella, F. Wartel, M. Houston, et al., in ACM Transactions
+on Embedded Computing Systems, 2012.
+\bibitem{embounded} \textbf{The EmBounded project (project paper)}. K. Hammond,
+R. Dyckhoff, C. Ferdinand, R. Heckmann, M. Hofmann, H. Loidl, G. Michaelson, J.
+Serot, A. Wallace, in Trends in Functional Programming, Volume 6, Intellect
+Press, 2006.
+\bibitem{matita}
+\textbf{The Matita Interactive Theorem Prover}.
+Andrea Asperti, Claudio Sacerdoti Coen, Wilmer Ricciotti and Enrico Tassi.
+rd International Conference on Automated Deduction, CADE 2011.
+\bibitem{typeffects} \textbf{The Type and Effect Discipline}. Jean-Pierre Talpin
 and Pierre Jouvelot.
   In Proceedings of the Seventh Annual Symposium on Logic in Computer Science
 …
 IEEE Computer Society 1992.
+\bibitem{labelling2} \textbf{Certifying and reasoning on cost annotations of
+functional programs}.
+R.M. Amadio, Y. Régis-Gianas. Proceedings of the Second international conference
+on Foundational and Practical Aspects of Resource Analysis FOPARA 2011 Springer
+LNCS 2011
+\bibitem{correctness} \textbf{On the correctness of an optimising assembler for
+the intel MCS-51 microprocessor}
+  Dominic P. Mulligan  and Claudio Sacerdoti Coen. In Proceedings of the Second
+international conference on Certified Programs and Proofs, Springer-Verlag 2012.
+\bibitem{survey} \textbf{A Survey of Static Program Analysis Techniques}
+Wolfgang W\"ogerer. Technical report. Technische Universit\"at Wien 2005
+\bibitem{stateart} \textbf{The worst-case execution-time problem overview of
+methods
+and survey of tools.} Wilhelm R. et al., in  ACM Transactions on Embedded
+Computing Systems, 7:1–53, May 2008.
+%\bibitem{proartis2} \textbf{A Cache Design for Probabilistic Real-Time
+% Systems}, L. Kosmidis, J. Abella, E. Quinones, and F. Cazorla, in Design,
+% Automation, and Test in Europe (DATE), Grenoble, France, 03/2013.
 \end{thebibliography}

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 3328 for Papers/fopara2013

Legend:

Papers/fopara2013/fopara13.tex

Download in other formats: