compiler verification for fun and profit
play

Compiler verification for fun and profit Xavier Leroy Inria - PowerPoint PPT Presentation

Nov 03, 2022 •137 likes •856 views

Compiler verification for fun and profit Xavier Leroy Inria Paris-Rocquencourt FMCAD, 2014-10-22 X. Leroy (Inria) Compiler verification FMCAD14 1 / 52 Prologue: Can you trust your compiler? X. Leroy (Inria) Compiler verification

  1. Compiler verification for fun and profit Xavier Leroy Inria Paris-Rocquencourt FMCAD, 2014-10-22 X. Leroy (Inria) Compiler verification FMCAD’14 1 / 52

  2. Prologue: Can you trust your compiler? X. Leroy (Inria) Compiler verification FMCAD’14 2 / 52

  3. The compilation process General definition: any automatic translation from a computer language to another. Restricted definition: efficient (“optimizing”) translation from a source language (understandable by programmers) to a machine language (executable in hardware). A mature area of computer science: Nearly 60 years old! (Fortran I: 1957) Huge corpus of code generation and optimization algorithms. Many industrial-strength compilers that perform subtle transformations. X. Leroy (Inria) Compiler verification FMCAD’14 3 / 52

  4. An example of compiler optimization Consider: double dotproduct(int n, double * a, double * b) { double dp = 0.0; int i; for (i = 0; i < n; i++) dp += a[i] * b[i]; return dp; } Compiled with the Tru64/Alpha compiler and manually decompiled back to C. . . X. Leroy (Inria) Compiler verification FMCAD’14 4 / 52

  5. double dotproduct(int n, double a[], double b[]) { dp = 0.0; if (n <= 0) goto L5; r2 = n - 3; f1 = 0.0; r1 = 0; f10 = 0.0; f11 = 0.0; if (r2 > n || r2 <= 0) goto L19; prefetch(a[16]); prefetch(b[16]); if (4 >= r2) goto L14; prefetch(a[20]); prefetch(b[20]); f12 = a[0]; f13 = b[0]; f14 = a[1]; f15 = b[1]; r1 = 8; if (8 >= r2) goto L16; L17: f16 = b[2]; f18 = a[2]; f17 = f12 * f13; f19 = b[3]; f20 = a[3]; f15 = f14 * f15; f12 = a[4]; f16 = f18 * f16; f19 = f29 * f19; f13 = b[4]; a += 4; f14 = a[1]; f11 += f17; r1 += 4; f10 += f15; f15 = b[5]; prefetch(a[20]); prefetch(b[24]); f1 += f16; dp += f19; b += 4; if (r1 < r2) goto L17; L16: f15 = f14 * f15; f21 = b[2]; f23 = a[2]; f22 = f12 * f13; f24 = b[3]; f25 = a[3]; f21 = f23 * f21; f12 = a[4]; f13 = b[4]; f24 = f25 * f24; f10 = f10 + f15; a += 4; b += 4; f14 = a[8]; f15 = b[8]; f11 += f22; f1 += f21; dp += f24; L18: f26 = b[2]; f27 = a[2]; f14 = f14 * f15; f28 = b[3]; f29 = a[3]; f12 = f12 * f13; f26 = f27 * f26; a += 4; f28 = f29 * f28; b += 4; f10 += f14; f11 += f12; f1 += f26; dp += f28; dp += f1; dp += f10; dp += f11; if (r1 >= n) goto L5; L19: f30 = a[0]; f18 = b[0]; r1 += 1; a += 8; f18 = f30 * f18; b += 8; dp += f18; if (r1 < n) goto L19; L5: return dp; L14: f12 = a[0]; f13 = b[0]; f14 = a[1]; f15 = b[1]; goto L18; } X. Leroy (Inria) Compiler verification FMCAD’14 5 / 52

  6. L17: f16 = b[2]; f18 = a[2]; f17 = f12 * f13; f19 = b[3]; f20 = a[3]; f15 = f14 * f15; f12 = a[4]; f16 = f18 * f16; f19 = f29 * f19; f13 = b[4]; a += 4; f14 = a[1]; f11 += f17; r1 += 4; f10 += f15; f15 = b[5]; prefetch(a[20]); prefetch(b[24]); f1 += f16; dp += f19; b += 4; if (r1 < r2) goto L17; X. Leroy (Inria) Compiler verification FMCAD’14 5 / 52

  7. double dotproduct(int n, double a[], double b[]) { dp = 0.0; if (n <= 0) goto L5; r2 = n - 3; f1 = 0.0; r1 = 0; f10 = 0.0; f11 = 0.0; if (r2 > n || r2 <= 0) goto L19; prefetch(a[16]); prefetch(b[16]); if (4 >= r2) goto L14; prefetch(a[20]); prefetch(b[20]); f12 = a[0]; f13 = b[0]; f14 = a[1]; f15 = b[1]; r1 = 8; if (8 >= r2) goto L16; L16: f15 = f14 * f15; f21 = b[2]; f23 = a[2]; f22 = f12 * f13; f24 = b[3]; f25 = a[3]; f21 = f23 * f21; f12 = a[4]; f13 = b[4]; f24 = f25 * f24; f10 = f10 + f15; a += 4; b += 4; f14 = a[8]; f15 = b[8]; f11 += f22; f1 += f21; dp += f24; L18: f26 = b[2]; f27 = a[2]; f14 = f14 * f15; f28 = b[3]; f29 = a[3]; f12 = f12 * f13; f26 = f27 * f26; a += 4; f28 = f29 * f28; b += 4; f10 += f14; f11 += f12; f1 += f26; dp += f28; dp += f1; dp += f10; dp += f11; if (r1 >= n) goto L5; L19: f30 = a[0]; f18 = b[0]; r1 += 1; a += 8; f18 = f30 * f18; b += 8; dp += f18; if (r1 < n) goto L19; L5: return dp; L14: f12 = a[0]; f13 = b[0]; f14 = a[1]; f15 = b[1]; goto L18; } X. Leroy (Inria) Compiler verification FMCAD’14 5 / 52

  8. Even unoptimized code generation is delicate double floatofint(unsigned int i) { return (double) i; } The PowerPC 32-bit architecture provides no instruction to convert from int to float. The compiler must therefore emulate it, as follows: double floatofint(unsigned int i) { union { double d; unsigned int x[2]; } u, v; u.x[0] = 0x43300000; u.x[1] = i; v.x[0] = 0x43300000; v.x[1] = 0; return u.d - v.d; } (Hint: the 64-bit integer 0x43300000 × 2 32 + x is the IEEE754 encoding of the double float 2 52 + ( double ) x .) X. Leroy (Inria) Compiler verification FMCAD’14 6 / 52

  9. Miscompilation happens NULLSTONE isolated defects [in integer division] in twelve of twenty commercially available compilers that were evaluated. http://www.nullstone.com/htmls/category/divide.htm We tested thirteen production-quality C compilers and, for each, found situations in which the compiler generated incorrect code for accessing volatile variables. This result is disturbing because it implies that embedded software and operating systems — both typically coded in C, both being bases for many mission-critical and safety-critical applications, and both relying on the correct translation of volatiles — may be being miscompiled. E. Eide & J. Regehr, EMSOFT 2008 X. Leroy (Inria) Compiler verification FMCAD’14 7 / 52

  10. Miscompilation happens We created a tool that generates random C programs, and then spent two and a half years using it to find compiler bugs. So far, we have reported more than 325 previously unknown bugs to compiler developers. Moreover, every compiler that we tested has been found to crash and also to silently generate wrong code when presented with valid inputs. X. Yang, Y. Chen, E. Eide, J. Regehr, PLDI 2011 X. Leroy (Inria) Compiler verification FMCAD’14 8 / 52

  11. Latest sighting [Our] new method succeeded in finding bugs in the latter five (newer) versions of GCCs, in which the previous method detected no errors. int main (void) { unsigned x = 2U; unsigned t = ((unsigned) -(x/2)) / 2; assert ( t != 2147483647 ); } It turned out that [the program above] caused the same error on the GCCs of versions from at least 3.1.0 through 4.7.2, regardless of targets and optimization options. E. Nagai, A. Hashimoto, N. Ishiura, SASIMI 2013 X. Leroy (Inria) Compiler verification FMCAD’14 9 / 52

  12. Are miscompilation bugs a problem? For non-critical software: Programmers rarely run into them. When they do, it’s very hard to debug. Globally negligible compared with bugs in the program itself. For critical software: A source of concern. Require additional verification activities. (E.g. manual reviews of generated assembly code; more tests.) Complicate the qualification process. Reduce the usefulness of formal verification. X. Leroy (Inria) Compiler verification FMCAD’14 10 / 52

  13. Miscompilation and formal verification Simulink, Scade Simulation ? Model-checking Code generator Program proof C code Static analysis Compiler ? Testing Executable The guarantees obtained (so painfully!) by source-level formal verification may not carry over to the executable code . . . X. Leroy (Inria) Compiler verification FMCAD’14 11 / 52

  14. A solution? Verified compilers Why not formally verify the compiler itself? After all, compilers have simple specifications: If compilation succeeds, the generated code should behave as prescribed by the semantics of the source program. As a corollary, we obtain: Any safety property of the observable behavior of the source program carries over to the generated executable code. X. Leroy (Inria) Compiler verification FMCAD’14 12 / 52

  15. Compiler verification for profit In the context of high-assurance software that undergoes strict certification (DO-178 in avionics, Common Criteria in security): Provides strong guarantees on compilers and code generators, guarantees that are very hard to obtain by more conventional methods (tests and reviews). Enable the use of aggressive optimizations (which would otherwise be problematic for certification). Generate confidence in the results of source-level formal verifications (making it easier to derive certification credit from these verifications). X. Leroy (Inria) Compiler verification FMCAD’14 13 / 52

  16. Compiler verification for fun Compilers are challenging pieces of software from a formal verification standpoint: Complex data structures: abstract syntax trees, control-flow graphs. Complex algorithms, often recursive. Specifications involve formal, operational semantics for “big” languages. Beyond the reach of automated verification techniques? (model checking, static analysis, automated deductive program provers). A very good match for interactive theorem proving! X. Leroy (Inria) Compiler verification FMCAD’14 14 / 52

  17. An old idea. . . Mathematical Aspects of Computer Science , 1967 X. Leroy (Inria) Compiler verification FMCAD’14 15 / 52

  18. An old idea. . . Machine Intelligence (7), 1972. X. Leroy (Inria) Compiler verification FMCAD’14 16 / 52

  19. CompCert: a compiler you can formally trust X. Leroy (Inria) Compiler verification FMCAD’14 17 / 52

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Verification of a Java Compiler in Isabelle Martin Strecker 7.1.2002 Java: Types, values,

Verification of a Java Compiler in Isabelle Martin Strecker 7.1.2002 Java: Types, values,

Verification of a Java Compiler in Isabelle Martin Strecker 7.1.2002 Java: Types, values, terms, ... Typing and operational semantics JVM Compiler Definition Proof Techniques Compilation and Bytecode Verification

643 views • 18 slides
Compiler Verification meets Cross-Language Linking via Data Abstraction Peng Wang,

Compiler Verification meets Cross-Language Linking via Data Abstraction Peng Wang,

Compiler Verification meets Cross-Language Linking via Data Abstraction Peng Wang, MIT CSAIL Santiago Cuellar, Princeton University Adam Chlipala, MIT CSAIL Verified Compiler Program Verification Techniques

706 views • 35 slides
Formal verification of an optimizing compiler or: a software-proof codesign approach to the

Formal verification of an optimizing compiler or: a software-proof codesign approach to the

Formal verification of an optimizing compiler or: a software-proof codesign approach to the development of trusted compilers Xavier Leroy INRIA Rocquencourt MEMOCODE 2007 X. Leroy (INRIA) Formal compiler verification MEMOCODE 2007 1 / 61

969 views • 62 slides
Formal verification of program obfuscations Sandrine Blazy joint work with Roberto Giacobazzi and

Formal verification of program obfuscations Sandrine Blazy joint work with Roberto Giacobazzi and

Formal verification of program obfuscations Sandrine Blazy joint work with Roberto Giacobazzi and Alix Trieu IFIP WG 2.11, 2015-11-10 1 Background: verifying a compiler Compiler + proof that the compiler does not introduce bugs CompCert, a

597 views • 21 slides
A GENERAL-PURPOSE CRN-TO-DSD COMPILER WITH FORMAL VERIFICATION, OPTIMIZATION, AND SIMULATION

A GENERAL-PURPOSE CRN-TO-DSD COMPILER WITH FORMAL VERIFICATION, OPTIMIZATION, AND SIMULATION

A GENERAL-PURPOSE CRN-TO-DSD COMPILER WITH FORMAL VERIFICATION, OPTIMIZATION, AND SIMULATION CAPABILITIES Stefan Badelt , Seung Woo Shin, Robert F. Johnson, Qing Dong, Chris Thachuk, and Erik Winfree DNA and Natural Algorithms (DNA) Group,

320 views • 28 slides
Viktor Vafeiadis Software Analysis &amp; Verification Full functional verification

Viktor Vafeiadis Software Analysis &amp; Verification Full functional verification

Viktor Vafeiadis Software Analysis &amp; Verification Full functional verification Compilers , concurrent programs , theorem provers Program equivalence / Compositional reasoning Compositional compiler verification

266 views • 3 slides
Compiler Construction Lecture 19: Code Generation V (Compiler Backend) Winter Semester 2018/19

Compiler Construction Lecture 19: Code Generation V (Compiler Backend) Winter Semester 2018/19

Compiler Construction Lecture 19: Code Generation V (Compiler Backend) Winter Semester 2018/19 Thomas Noll Software Modeling and Verification Group RWTH Aachen University https://moves.rwth-aachen.de/teaching/ws-1819/cc/ The Compiler Backend

1.27k views • 59 slides
Formal verification of a compiler front-end for mini-ML Zaynah Dargaye, Xavier Leroy, Andrew

Formal verification of a compiler front-end for mini-ML Zaynah Dargaye, Xavier Leroy, Andrew

Formal verification of a compiler front-end for mini-ML Zaynah Dargaye, Xavier Leroy, Andrew Tolmach INRIA Paris-Rocquencourt WG 2.8, july 2007 Dargaye, Leroy, Tolmach (INRIA) Verification of a mini-ML compiler WG 2.8, july 2007 1 / 34

704 views • 33 slides
a Scala Compiler Plugin for Verification Nada Amin Features transform Scala def AST into a

a Scala Compiler Plugin for Verification Nada Amin Features transform Scala def AST into a

a Scala Compiler Plugin for Verification Nada Amin Features transform Scala def AST into a CFG front-end to lab verifier front-end to Eldarica support for design by contract partial understanding verified classes

298 views • 17 slides
11/8/2012 The Structure of a Compiler (2) The Structure of a Compiler (1) Any compiler must

11/8/2012 The Structure of a Compiler (2) The Structure of a Compiler (1) Any compiler must

11/8/2012 The Structure of a Compiler (2) The Structure of a Compiler (1) Any compiler must perform two major tasks Sourc rce Progra ram Tokens Syntactic Semantic Scanner Parser Structure re Routines (Chara racter r St Stre

690 views • 22 slides
Formal verification of a realistic compiler Xavier Leroy CACM 2009 CS 7194: Great Works in

Formal verification of a realistic compiler Xavier Leroy CACM 2009 CS 7194: Great Works in

Formal verification of a realistic compiler Xavier Leroy CACM 2009 CS 7194: Great Works in Programming Languages Presenter : Irene Yoon | Mentor : Ryan Doenges 1 Building robust compilers is Hard. 2 Bugs bugs 3 Bugs [Yang

1.01k views • 68 slides
A GENERAL-PURPOSE A GENERAL-PURPOSE CRN-TO-DSD COMPILER FRAMEWORK CRN-TO-DSD COMPILER FRAMEWORK

A GENERAL-PURPOSE A GENERAL-PURPOSE CRN-TO-DSD COMPILER FRAMEWORK CRN-TO-DSD COMPILER FRAMEWORK

A GENERAL-PURPOSE A GENERAL-PURPOSE CRN-TO-DSD COMPILER FRAMEWORK CRN-TO-DSD COMPILER FRAMEWORK WITH FORMAL VERIFICATION, OPTIMIZATION, WITH FORMAL VERIFICATION, OPTIMIZATION, AND SIMULATION CAPABILITIES AND SIMULATION CAPABILITIES Stefan

575 views • 38 slides
Compiler Construction Chapter 11 1 Compiler Construction Compiler Construction A New Compiler

Compiler Construction Chapter 11 1 Compiler Construction Compiler Construction A New Compiler

Compiler Construction Chapter 11 1 Compiler Construction Compiler Construction A New Compiler Perhaps a new source language Perhaps a new target for an existing compiler Perhaps both 2 Compiler Construction Compiler Construction

661 views • 18 slides
Verification Challenges Jim Woodcock University of York Newton Institute | Cambridge 24

Verification Challenges Jim Woodcock University of York Newton Institute | Cambridge 24

Verification Challenges Jim Woodcock University of York Newton Institute | Cambridge 24 September 2019 1/22 Overview I Tony Hoares verification challenges I Construct a verifying compiler I Unify theories in computer science I This talk:

469 views • 22 slides
252-210: Compiler Design 1.1 Simple compiler model 1.2

252-210: Compiler Design 1.1 Simple compiler model 1.2

252-210: Compiler Design 1.1 Simple compiler model 1.2 Admin issues Thomas R. Gross Computer Science Department ETH Zurich, Switzerland 1.1

1.27k views • 46 slides
NON NON- -PROFIT SUPPORT PROFIT SUPPORT NON NON - - PROFIT SUPPORT PROFIT SUPPORT FOR

NON NON- -PROFIT SUPPORT PROFIT SUPPORT NON NON - - PROFIT SUPPORT PROFIT SUPPORT FOR

NON NON- -PROFIT SUPPORT PROFIT SUPPORT NON NON - - PROFIT SUPPORT PROFIT SUPPORT FOR RESEARCH FOR RESEARCH FOR RESEARCH FOR RESEARCH Daniel L. Goroff Alfred P. Sloan Foundation Vice President &amp; Program Director Views expressed

627 views • 52 slides
Ltac Internals Pierre-Marie Pdrot INRIA Coq Implementor Workshop . . . . . . . . . .

Ltac Internals Pierre-Marie Pdrot INRIA Coq Implementor Workshop . . . . . . . . . .

Ltac Internals Pierre-Marie Pdrot INRIA Coq Implementor Workshop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Pierre-Marie Pdrot (INRIA) Ltac Internals 30/05/2016

437 views • 31 slides
Probability/Statistics Review &amp; Linear Regression Lecturer: Roni Rosenfeld Scribe: Udbhav

Probability/Statistics Review &amp; Linear Regression Lecturer: Roni Rosenfeld Scribe: Udbhav

10-601A: Machine Learning, Spring 2015 Probability/Statistics Review &amp; Linear Regression Lecturer: Roni Rosenfeld Scribe: Udbhav Prasad 1 Probability and Statistics A regular variable holds, at any one time, a single value, be it numeric or

194 views • 7 slides
CMPS 112: Spring 2019 Comparative Programming Languages Polymorphism and Type

CMPS 112: Spring 2019 Comparative Programming Languages Polymorphism and Type

CMPS 112: Spring 2019 Comparative Programming Languages Polymorphism and Type Inference Owen Arden UC Santa Cruz Based on course materials developed by Nadia Polikarpova Roadmap Past two weeks: How do we implement a tiny

393 views • 20 slides
Haskell at Barclays: Exotic tools for exotic trades Tim Williams | 5 December 2013

Haskell at Barclays: Exotic tools for exotic trades Tim Williams | 5 December 2013

Haskell at Barclays: Exotic tools for exotic trades Tim Williams | 5 December 2013 Introduction Exotic equity derivative contracts come in a variety of structures and clients are continually requesting new ones. In order to remain competitive

484 views • 47 slides
An overview of alphaCaml Franc ois Pottier September 2005 Franc ois Pottier An overview

An overview of alphaCaml Franc ois Pottier September 2005 Franc ois Pottier An overview

Introduction A specification language Implementation techniques Translating specifications Conclusion 1 An overview of alphaCaml Franc ois Pottier September 2005 Franc ois Pottier An overview of alphaCaml Introduction A

840 views • 24 slides
Automatic Library Compilation and Proof Tree Visualisation for Coq Proof General Hendrik Tews

Automatic Library Compilation and Proof Tree Visualisation for Coq Proof General Hendrik Tews

Automatic Library Compilation Proof Tree Visualisation Conclusion Automatic Library Compilation and Proof Tree Visualisation for Coq Proof General Hendrik Tews Technische Universit at Dresden Third Coq Workshop, August 26, 2011 Hendrik

385 views • 16 slides
Slides from FYS4410 Lectures Morten Hjorth-Jensen 1 Department of Physics and Center of

Slides from FYS4410 Lectures Morten Hjorth-Jensen 1 Department of Physics and Center of

Slides from FYS4410 Lectures Morten Hjorth-Jensen 1 Department of Physics and Center of Mathematics for Applications University of Oslo, N-0316 Oslo, Norway 2 Department of Physics and Astronomy, Michigan State University East Lansing, Michigan,

1.87k views • 165 slides
The The world d is skewed Ignorance, use, misuse,

The The world d is skewed Ignorance, use, misuse,

11/28/15 The The world d is skewed Ignorance, use, misuse, misunderstandings, and how to improve uncertainty analyses in software development projects Magne

114 views • 9 slides

More recommend