Crellvm: Verified Credible Compilation for LLVM Seoul National - - PowerPoint PPT Presentation

SLIDE 1

Crellvm: Verified Credible Compilation for LLVM

Seoul National University (Korea) Jeehoon Kang* Yoonseung Kim* Youngju Song* Juneyoung Lee Sanghoon Park Mark Dongyeon Shin Yonghyun Kim Sungkeun Cho Joonwon Choi (MIT) Chung-Kil Hur Kwangkeun Yi * The first three authors are listed alphabetically.

SLIDES 2-3

Reliability of Production Compilers

  • Stable in most common cases
  • Unstable in corner cases
    • Csmith: 79 bugs from GCC / 202 from LLVM
    • EMI: 79 bugs from GCC / 68 from LLVM
  • Problematic in practice
    • Low-level systems code

Goal: Improving reliability in corner cases

SLIDES 4-10

Approaches to Improving Reliability

Diagram: a Compiler translates src to tgt. In the testing approach a Test checks the output. In the credible compilation approach a ProofGen component in the compiler emits a Proof, and a Checker takes src, tgt and the Proof and answers Yes / No; when it answers No, it fails with a logical reason. In verified credible compilation the Checker itself is Verified.

  • (Random) Testing
    • Cannot guarantee high reliability
  • Compiler Verification
    • Too expensive to apply to major optimizations of LLVM
  • Translation Validation
    • High reliability but not too expensive
  • Credible Compilation [Rinard & Marinov 1999]
    • The compiler itself generates the proof (ProofGen) that the Checker verifies
  • Verified Credible Compilation
    • The Checker is verified as well

SLIDE 11

Our Work: Crellvm

  • Crellvm
    • Developed a verified credible compilation framework for LLVM
    • Designed a logic specialized for translation validation
    • Verified its proof checker in Coq
  • Case studies
    • 3 major optimizations: mem2reg, gvn, licm
    • >100 peephole optimizations: instcombine
  • Result
    • Found 4 long-standing miscompilation bugs (all confirmed, 3 fixed)

SLIDES 12-21

Example: A Bug We Found in mem2reg

  • Credible compilation may detect bugs that testing misses.
  • Simplified code from a SPEC benchmark (SRC, and TGT as produced by mem2reg):

  SRC:
    p := alloca()
    loop { r := *p; foo(r); *p := 42 }

  TGT:
    loop { foo(undef) }

Trace (built up over the animation): in the first iteration SRC loads r = undef from the fresh alloca and TGT passes undef, so the two calls agree; in the second iteration SRC loads r = 42 (stored by *p := 42) while TGT still passes undef. That is the miscompilation.

Why did testing miss this bug? Because foo ignores r:

    foo(r): ... s = r & 0x0 ...

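To make the trace concrete, here is an added Python replay of the two loops (a constructed example, not code from the slides or from Crellvm). UNDEF is a constructed marker for LLVM's undef; refines() encodes the refinement check a validator performs, under the assumption that an undef argument may be refined to any value but a concrete one must be reproduced exactly.

```python
UNDEF = "undef"   # constructed stand-in for LLVM's undef value


def run_src(n_iter):
    """SRC: p := alloca(); loop { r := *p; foo(r); *p := 42 }.
    Returns the value passed to foo in each iteration."""
    mem = {"p": UNDEF}            # a fresh alloca holds an undefined value
    args = []
    for _ in range(n_iter):
        r = mem["p"]              # r := *p
        args.append(r)            # foo(r)
        mem["p"] = 42             # *p := 42, so the next load yields 42
    return args


def run_tgt(n_iter):
    """TGT produced by the buggy mem2reg: loop { foo(undef) }."""
    return [UNDEF] * n_iter


def refines(src_args, tgt_args):
    """TGT refines SRC only if every TGT argument is at least as defined as SRC's:
    a concrete SRC value must be reproduced exactly, and TGT may pass undef only
    where SRC passes undef (undef refines to anything, not the other way round)."""
    return all(s == UNDEF or t == s for s, t in zip(src_args, tgt_args))


def first_divergence(n_iter=3):
    """Index of the first call whose TGT argument does not refine SRC's, or None if TGT is valid."""
    for i, (s, t) in enumerate(zip(run_src(n_iter), run_tgt(n_iter))):
        if not refines([s], [t]):
            return i
    return None


def foo_in_benchmark(r):
    """The benchmark's foo ignores r: s = r & 0x0, which is 0 even for undef."""
    return 0


def foo_identity(r):
    """A foo that exposes its argument to the test."""
    return r


def distinguishable_by(foo, n_iter=3):
    """Can a test that observes foo's results tell SRC from TGT?"""
    return [foo(a) for a in run_src(n_iter)] != [foo(a) for a in run_tgt(n_iter)]
```

With the benchmark's foo the two programs produce identical observations, which is why the test suite passed; the refinement check still fails at the second call.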
SLIDE 22

Crellvm framework

SLIDES 23-28

Crellvm Framework

Compilation phase: the Optimizer takes src.ll to tgt.ll.

Validation phase: the Optimizer, instrumented with ProofGen, takes src.ll to tgt'.ll and emits a Proof. The Proof Checker takes src.ll, tgt'.ll and the Proof and answers Yes / No. llvm-diff compares tgt'.ll with tgt.ll by α-equivalence checking and answers Yes (same) / No (not same).

Validation succeeds if both are “Yes”.

The Proof Checker is Verified. The Proof, ProofGen and the Proof Checker are all based on a logic for optimization validation.

SLIDES 29-43

ERHL: A Logic for Optimization Validation

ERHL stands for Extensible Relational Hoare Logic.

  • Assoc-add optimization in instcombine (SRC on the left, optimized TGT on the right)

      SRC                  TGT
  10: x := add a 1         x := add a 1
      ⁞                    ⁞
  20: y := add x 2         y := add a 3
  21: foo(y)               foo(y)

The same pair annotated with relational assertions. Each instruction pair has a pre-assertion before it and a post-assertion after it. An assertion consists of unary equations, each tagged with the side (SRC or TGT) in which it holds, plus the maydiff set MD of registers that may differ between SRC and TGT:

      { } MD = ∅
  10: x := add a 1         x := add a 1
      { x_src = add a_src 1 } MD = ∅
      ⁞                    ⁞
      { x_src = add a_src 1 } MD = ∅
  20: y := add x 2         y := add a 3
      { } MD = ∅
  21: foo(y)               foo(y)
      { } MD = ∅

  • (Relational property) MD = ∅: all registers contain the same value in SRC & TGT
  • (Unary property) x_src = add a_src 1: this equation holds in SRC
  • To show: y ∉ MD at foo(y), though y is computed by different instructions in SRC and TGT
  • Validation succeeds since y ∉ MD
  • (Design choice) MD is the only relational property
    • Proof checking is simple
    • Still expressive enough

SLIDE 44 / 22

{ x𝒕𝒔𝒅 = add a𝒕𝒔𝒅 𝟐 } MD = ∅ y := add x 2 y := add a 3 20 : { } MD = ∅

ERHL: A Logic for Optimization Validation

9
slide-45
SLIDE 45 / 22

{ x𝒕𝒔𝒅 = add a𝒕𝒔𝒅 𝟐 } MD = ∅ y := add x 2 y := add a 3 20 : { } MD = ∅

ERHL: A Logic for Optimization Validation

Pre- assertion Post- assertion

9
slide-46
SLIDE 46 / 22

{ x𝒕𝒔𝒅 = add a𝒕𝒔𝒅 𝟐 } MD = ∅ y := add x 2 y := add a 3 20 : { } MD = ∅

{ }

x𝑡𝑠𝑑 = add a𝑡𝑠𝑑 1 y𝑡𝑠𝑑 = add x𝑡𝑠𝑑 2 y𝑢𝑕𝑢 = add a𝑢𝑕𝑢 3 MD = {𝑧}

ERHL: A Logic for Optimization Validation

Strong post- condition

9
slide-47
SLIDE 47 / 22

{ x𝒕𝒔𝒅 = add a𝒕𝒔𝒅 𝟐 } MD = ∅ y := add x 2 y := add a 3 20 : { } MD = ∅

{ }

x𝑡𝑠𝑑 = add a𝑡𝑠𝑑 1 y𝑡𝑠𝑑 = add x𝑡𝑠𝑑 2 y𝑢𝑕𝑢 = add a𝑢𝑕𝑢 3 MD = {𝑧}

ERHL: A Logic for Optimization Validation

Preserved since x,a not updated

9
slide-48
SLIDE 48 / 22

{ x𝒕𝒔𝒅 = add a𝒕𝒔𝒅 𝟐 } MD = ∅ y := add x 2 y := add a 3 20 : { } MD = ∅

{ }

x𝑡𝑠𝑑 = add a𝑡𝑠𝑑 1 y𝑡𝑠𝑑 = add x𝑡𝑠𝑑 2 y𝑢𝑕𝑢 = add a𝑢𝑕𝑢 3 MD = {𝑧}

ERHL: A Logic for Optimization Validation

Added by execution Added by execution

9
slide-49
SLIDE 49 / 22

{ x𝒕𝒔𝒅 = add a𝒕𝒔𝒅 𝟐 } MD = ∅ y := add x 2 y := add a 3 20 : { } MD = ∅

{ }

x𝑡𝑠𝑑 = add a𝑡𝑠𝑑 1 y𝑡𝑠𝑑 = add x𝑡𝑠𝑑 2 y𝑢𝑕𝑢 = add a𝑢𝑕𝑢 3 MD = {𝑧}

ERHL: A Logic for Optimization Validation

y added to MD since y updated differently

9
slide-50
SLIDE 50 / 22

{ x𝒕𝒔𝒅 = add a𝒕𝒔𝒅 𝟐 } MD = ∅ y := add x 2 y := add a 3 20 : { } MD = ∅

{ }

x𝑡𝑠𝑑 = add a𝑡𝑠𝑑 1 y𝑡𝑠𝑑 = add x𝑡𝑠𝑑 2 y𝑢𝑕𝑢 = add a𝑢𝑕𝑢 3 MD = {𝑧}

ERHL: A Logic for Optimization Validation

Need a proof

9
slide-51
SLIDE 51 / 22

y𝑡𝑠𝑑 = add x𝑡𝑠𝑑 2 y𝑢𝑕𝑢 = add a𝑢𝑕𝑢 3 MD = {𝑧}

{ }

x𝑡𝑠𝑑 = add a𝑡𝑠𝑑 1 { x𝒕𝒔𝒅 = add a𝒕𝒔𝒅 𝟐 } MD = ∅ y := add x 2 y := add a 3 20 : { } MD = ∅

{ }

x𝑡𝑠𝑑 = add a𝑡𝑠𝑑 1 y𝑡𝑠𝑑 = add x𝑡𝑠𝑑 2 y𝑢𝑕𝑢 = add a𝑢𝑕𝑢 3 MD = {𝑧}

ERHL: A Logic for Optimization Validation

assoc_add(x𝒕𝒔𝒅, y𝒕𝒔𝒅, a𝒕𝒔𝒅, 1, 2)

y𝑡𝑠𝑑 = add a𝑡𝑠𝑑 3

9
slide-52
SLIDE 52 / 22

y𝑡𝑠𝑑 = add x𝑡𝑠𝑑 2 y𝑢𝑕𝑢 = add a𝑢𝑕𝑢 3 MD = {𝑧}

{ }

x𝑡𝑠𝑑 = add a𝑡𝑠𝑑 1 { x𝒕𝒔𝒅 = add a𝒕𝒔𝒅 𝟐 } MD = ∅ y := add x 2 y := add a 3 20 : { } MD = ∅

{ }

x𝑡𝑠𝑑 = add a𝑡𝑠𝑑 1 y𝑡𝑠𝑑 = add x𝑡𝑠𝑑 2 y𝑢𝑕𝑢 = add a𝑢𝑕𝑢 3 MD = {𝑧}

ERHL: A Logic for Optimization Validation

assoc_add(x𝒕𝒔𝒅, y𝒕𝒔𝒅, a𝒕𝒔𝒅, 1, 2)

y𝑡𝑠𝑑 = add a𝑡𝑠𝑑 3 Apply associativity

  • f add
9
slide-53
SLIDE 53 / 22

y𝑡𝑠𝑑 = add x𝑡𝑠𝑑 2 y𝑢𝑕𝑢 = add a𝑢𝑕𝑢 3 MD = {𝑧}

{ }

x𝑡𝑠𝑑 = add a𝑡𝑠𝑑 1 { x𝒕𝒔𝒅 = add a𝒕𝒔𝒅 𝟐 } MD = ∅ y := add x 2 y := add a 3 20 : { } MD = ∅

{ }

x𝑡𝑠𝑑 = add a𝑡𝑠𝑑 1 y𝑡𝑠𝑑 = add x𝑡𝑠𝑑 2 y𝑢𝑕𝑢 = add a𝑢𝑕𝑢 3 MD = {𝑧}

ERHL: A Logic for Optimization Validation

assoc_add(x𝒕𝒔𝒅, y𝒕𝒔𝒅, a𝒕𝒔𝒅, 1, 2)

y𝑡𝑠𝑑 = add a𝑡𝑠𝑑 3 Propagated

9
slide-54
SLIDE 54 / 22

y𝑡𝑠𝑑 = add x𝑡𝑠𝑑 2 y𝑢𝑕𝑢 = add a𝑢𝑕𝑢 3 MD = {𝑧}

{ }

x𝑡𝑠𝑑 = add a𝑡𝑠𝑑 1 { x𝒕𝒔𝒅 = add a𝒕𝒔𝒅 𝟐 } MD = ∅ y := add x 2 y := add a 3 20 : { } MD = ∅

{ }

x𝑡𝑠𝑑 = add a𝑡𝑠𝑑 1 y𝑡𝑠𝑑 = add x𝑡𝑠𝑑 2 y𝑢𝑕𝑢 = add a𝑢𝑕𝑢 3 MD = {𝑧}

ERHL: A Logic for Optimization Validation

assoc_add(x𝒕𝒔𝒅, y𝒕𝒔𝒅, a𝒕𝒔𝒅, 1, 2)

MD = ∅

{ }

x𝑡𝑠𝑑 = add a𝑡𝑠𝑑 1 y𝑡𝑠𝑑 = add x𝑡𝑠𝑑 2 y𝑢𝑕𝑢 = add a𝑢𝑕𝑢 3 y𝑡𝑠𝑑 = add a𝑡𝑠𝑑 3 y𝑡𝑠𝑑 = add a𝑡𝑠𝑑 3 reduce_maydiff(y)

9
slide-55
SLIDE 55 / 22

y𝑡𝑠𝑑 = add x𝑡𝑠𝑑 2 y𝑢𝑕𝑢 = add a𝑢𝑕𝑢 3 MD = {𝑧}

{ }

x𝑡𝑠𝑑 = add a𝑡𝑠𝑑 1 { x𝒕𝒔𝒅 = add a𝒕𝒔𝒅 𝟐 } MD = ∅ y := add x 2 y := add a 3 20 : { } MD = ∅

{ }

x𝑡𝑠𝑑 = add a𝑡𝑠𝑑 1 y𝑡𝑠𝑑 = add x𝑡𝑠𝑑 2 y𝑢𝑕𝑢 = add a𝑢𝑕𝑢 3 MD = {𝑧}

ERHL: A Logic for Optimization Validation

assoc_add(x𝒕𝒔𝒅, y𝒕𝒔𝒅, a𝒕𝒔𝒅, 1, 2)

MD = ∅

{ }

x𝑡𝑠𝑑 = add a𝑡𝑠𝑑 1 y𝑡𝑠𝑑 = add x𝑡𝑠𝑑 2 y𝑢𝑕𝑢 = add a𝑢𝑕𝑢 3 y𝑡𝑠𝑑 = add a𝑡𝑠𝑑 3 y𝑡𝑠𝑑 = add a𝑡𝑠𝑑 3 reduce_maydiff(y)

Remove y from MD

9
slide-56
SLIDE 56 / 22

y𝑡𝑠𝑑 = add x𝑡𝑠𝑑 2 y𝑢𝑕𝑢 = add a𝑢𝑕𝑢 3 MD = {𝑧}

{ }

x𝑡𝑠𝑑 = add a𝑡𝑠𝑑 1 { x𝒕𝒔𝒅 = add a𝒕𝒔𝒅 𝟐 } MD = ∅ y := add x 2 y := add a 3 20 : { } MD = ∅

{ }

x𝑡𝑠𝑑 = add a𝑡𝑠𝑑 1 y𝑡𝑠𝑑 = add x𝑡𝑠𝑑 2 y𝑢𝑕𝑢 = add a𝑢𝑕𝑢 3 MD = {𝑧}

ERHL: A Logic for Optimization Validation

assoc_add(x𝒕𝒔𝒅, y𝒕𝒔𝒅, a𝒕𝒔𝒅, 1, 2)

MD = ∅

{ }

x𝑡𝑠𝑑 = add a𝑡𝑠𝑑 1 y𝑡𝑠𝑑 = add x𝑡𝑠𝑑 2 y𝑢𝑕𝑢 = add a𝑢𝑕𝑢 3 y𝑡𝑠𝑑 = add a𝑡𝑠𝑑 3 y𝑡𝑠𝑑 = add a𝑡𝑠𝑑 3 reduce_maydiff(y)

Remove y from MD y has same equations with a y equals to the same expression in SRC & TGT

9
slide-57
SLIDE 57 / 22

y𝑡𝑠𝑑 = add x𝑡𝑠𝑑 2 y𝑢𝑕𝑢 = add a𝑢𝑕𝑢 3 MD = {𝑧}

{ }

x𝑡𝑠𝑑 = add a𝑡𝑠𝑑 1 { x𝒕𝒔𝒅 = add a𝒕𝒔𝒅 𝟐 } MD = ∅ y := add x 2 y := add a 3 20 : { } MD = ∅

{ }

x𝑡𝑠𝑑 = add a𝑡𝑠𝑑 1 y𝑡𝑠𝑑 = add x𝑡𝑠𝑑 2 y𝑢𝑕𝑢 = add a𝑢𝑕𝑢 3 MD = {𝑧}

ERHL: A Logic for Optimization Validation

assoc_add(x𝒕𝒔𝒅, y𝒕𝒔𝒅, a𝒕𝒔𝒅, 1, 2)

MD = ∅

{ }

x𝑡𝑠𝑑 = add a𝑡𝑠𝑑 1 y𝑡𝑠𝑑 = add x𝑡𝑠𝑑 2 y𝑢𝑕𝑢 = add a𝑢𝑕𝑢 3 y𝑡𝑠𝑑 = add a𝑡𝑠𝑑 3 y𝑡𝑠𝑑 = add a𝑡𝑠𝑑 3 reduce_maydiff(y)

a ∉ MD Remove y from MD y has same equations with a y equals to the same expression in SRC & TGT

9
slide-58
SLIDE 58 / 22

y𝑡𝑠𝑑 = add x𝑡𝑠𝑑 2 y𝑢𝑕𝑢 = add a𝑢𝑕𝑢 3 MD = {𝑧}

{ }

x𝑡𝑠𝑑 = add a𝑡𝑠𝑑 1 { x𝒕𝒔𝒅 = add a𝒕𝒔𝒅 𝟐 } MD = ∅ y := add x 2 y := add a 3 20 : { } MD = ∅

{ }

x𝑡𝑠𝑑 = add a𝑡𝑠𝑑 1 y𝑡𝑠𝑑 = add x𝑡𝑠𝑑 2 y𝑢𝑕𝑢 = add a𝑢𝑕𝑢 3 MD = {𝑧}

ERHL: A Logic for Optimization Validation

assoc_add(x𝒕𝒔𝒅, y𝒕𝒔𝒅, a𝒕𝒔𝒅, 1, 2)

MD = ∅

{ }

x𝑡𝑠𝑑 = add a𝑡𝑠𝑑 1 y𝑡𝑠𝑑 = add x𝑡𝑠𝑑 2 y𝑢𝑕𝑢 = add a𝑢𝑕𝑢 3 y𝑡𝑠𝑑 = add a𝑡𝑠𝑑 3 y𝑡𝑠𝑑 = add a𝑡𝑠𝑑 3 reduce_maydiff(y)

9

Propagated

slide-59
SLIDE 59 / 22

y𝑡𝑠𝑑 = add x𝑡𝑠𝑑 2 y𝑢𝑕𝑢 = add a𝑢𝑕𝑢 3 MD = {𝑧}

{ }

x𝑡𝑠𝑑 = add a𝑡𝑠𝑑 1 { x𝒕𝒔𝒅 = add a𝒕𝒔𝒅 𝟐 } MD = ∅ y := add x 2 y := add a 3 20 : { } MD = ∅

{ }

x𝑡𝑠𝑑 = add a𝑡𝑠𝑑 1 y𝑡𝑠𝑑 = add x𝑡𝑠𝑑 2 y𝑢𝑕𝑢 = add a𝑢𝑕𝑢 3 MD = {𝑧}

ERHL: A Logic for Optimization Validation

assoc_add(x𝒕𝒔𝒅, y𝒕𝒔𝒅, a𝒕𝒔𝒅, 1, 2)

MD = ∅

{ }

x𝑡𝑠𝑑 = add a𝑡𝑠𝑑 1 y𝑡𝑠𝑑 = add x𝑡𝑠𝑑 2 y𝑢𝑕𝑢 = add a𝑢𝑕𝑢 3 y𝑡𝑠𝑑 = add a𝑡𝑠𝑑 3 y𝑡𝑠𝑑 = add a𝑡𝑠𝑑 3 reduce_maydiff(y)

⇓ ⇓

Trivial

9
slide-60
SLIDE 60 / 22

y𝑡𝑠𝑑 = add x𝑡𝑠𝑑 2 y𝑢𝑕𝑢 = add a𝑢𝑕𝑢 3 MD = {𝑧}

{ }

x𝑡𝑠𝑑 = add a𝑡𝑠𝑑 1 { x𝒕𝒔𝒅 = add a𝒕𝒔𝒅 𝟐 } MD = ∅ y := add x 2 y := add a 3 20 : { } MD = ∅

{ }

x𝑡𝑠𝑑 = add a𝑡𝑠𝑑 1 y𝑡𝑠𝑑 = add x𝑡𝑠𝑑 2 y𝑢𝑕𝑢 = add a𝑢𝑕𝑢 3 MD = {𝑧}

ERHL: A Logic for Optimization Validation

assoc_add(x𝒕𝒔𝒅, y𝒕𝒔𝒅, a𝒕𝒔𝒅, 1, 2)

MD = ∅

{ }

x𝑡𝑠𝑑 = add a𝑡𝑠𝑑 1 y𝑡𝑠𝑑 = add x𝑡𝑠𝑑 2 y𝑢𝑕𝑢 = add a𝑢𝑕𝑢 3 y𝑡𝑠𝑑 = add a𝑡𝑠𝑑 3 y𝑡𝑠𝑑 = add a𝑡𝑠𝑑 3 reduce_maydiff(y)

By proof generation code

9
slide-61
SLIDE 61 / 22

y𝑡𝑠𝑑 = add x𝑡𝑠𝑑 2 y𝑢𝑕𝑢 = add a𝑢𝑕𝑢 3 MD = {𝑧}

{ }

x𝑡𝑠𝑑 = add a𝑡𝑠𝑑 1 { x𝒕𝒔𝒅 = add a𝒕𝒔𝒅 𝟐 } MD = ∅ y := add x 2 y := add a 3 20 : { } MD = ∅

{ }

x𝑡𝑠𝑑 = add a𝑡𝑠𝑑 1 y𝑡𝑠𝑑 = add x𝑡𝑠𝑑 2 y𝑢𝑕𝑢 = add a𝑢𝑕𝑢 3 MD = {𝑧}

ERHL: A Logic for Optimization Validation

assoc_add(x𝒕𝒔𝒅, y𝒕𝒔𝒅, a𝒕𝒔𝒅, 1, 2)

MD = ∅

{ }

x𝑡𝑠𝑑 = add a𝑡𝑠𝑑 1 y𝑡𝑠𝑑 = add x𝑡𝑠𝑑 2 y𝑢𝑕𝑢 = add a𝑢𝑕𝑢 3 y𝑡𝑠𝑑 = add a𝑡𝑠𝑑 3 y𝑡𝑠𝑑 = add a𝑡𝑠𝑑 3 reduce_maydiff(y)

By custom automation By proof generation code

9
slide-62
SLIDE 62 / 22

y𝑡𝑠𝑑 = add x𝑡𝑠𝑑 2 y𝑢𝑕𝑢 = add a𝑢𝑕𝑢 3 MD = {𝑧}

{ }

x𝑡𝑠𝑑 = add a𝑡𝑠𝑑 1 { x𝒕𝒔𝒅 = add a𝒕𝒔𝒅 𝟐 } MD = ∅ y := add x 2 y := add a 3 20 : { } MD = ∅

{ }

x𝑡𝑠𝑑 = add a𝑡𝑠𝑑 1 y𝑡𝑠𝑑 = add x𝑡𝑠𝑑 2 y𝑢𝑕𝑢 = add a𝑢𝑕𝑢 3 MD = {𝑧}

ERHL: A Logic for Optimization Validation

assoc_add(x𝒕𝒔𝒅, y𝒕𝒔𝒅, a𝒕𝒔𝒅, 1, 2)

MD = ∅

{ }

x𝑡𝑠𝑑 = add a𝑡𝑠𝑑 1 y𝑡𝑠𝑑 = add x𝑡𝑠𝑑 2 y𝑢𝑕𝑢 = add a𝑢𝑕𝑢 3 y𝑡𝑠𝑑 = add a𝑡𝑠𝑑 3 y𝑡𝑠𝑑 = add a𝑡𝑠𝑑 3 reduce_maydiff(y)

By custom automation By proof generation code

9

(Extensibility) Can add inference rules & custom automations

slide-63
SLIDE 63 / 22

y𝑡𝑠𝑑 = add x𝑡𝑠𝑑 2 y𝑢𝑕𝑢 = add a𝑢𝑕𝑢 3 MD = {𝑧}

{ }

x𝑡𝑠𝑑 = add a𝑡𝑠𝑑 1 { x𝒕𝒔𝒅 = add a𝒕𝒔𝒅 𝟐 } MD = ∅ y := add x 2 y := add a 3 20 : { } MD = ∅

{ }

x𝑡𝑠𝑑 = add a𝑡𝑠𝑑 1 y𝑡𝑠𝑑 = add x𝑡𝑠𝑑 2 y𝑢𝑕𝑢 = add a𝑢𝑕𝑢 3 MD = {𝑧}

ERHL: A Logic for Optimization Validation

assoc_add(x𝒕𝒔𝒅, y𝒕𝒔𝒅, a𝒕𝒔𝒅, 1, 2)

MD = ∅

{ }

x𝑡𝑠𝑑 = add a𝑡𝑠𝑑 1 y𝑡𝑠𝑑 = add x𝑡𝑠𝑑 2 y𝑢𝑕𝑢 = add a𝑢𝑕𝑢 3 y𝑡𝑠𝑑 = add a𝑡𝑠𝑑 3 y𝑡𝑠𝑑 = add a𝑡𝑠𝑑 3 reduce_maydiff(y)

By custom automation By proof generation code N.B. Not in Trusted Computing Base Not in Trusted Computing Base (i.e., verification unnecessary)

9

(Extensibility) Can add inference rules & custom automations

SLIDES 64-75

Proof Generation

The assoc-add example again (SRC on the left, TGT on the right), with the assertions ProofGen has to justify:

      { } MD = ∅
  10: x := add a 1         x := add a 1
      { x_src = add a_src 1 } MD = ∅
      ⁞                    ⁞
      { x_src = add a_src 1 } MD = ∅
  20: y := add x 2         y := add a 3
  21: foo(y)               foo(y)

Algorithm 1 AssocAdd(F: Function)
  A1:  for l2: y := add (reg x) (const C2) in F do
  A2:    if FindDef(F, x) is l1: x := add (reg a) (const C1) then
  A3:      C := Simplify(add C1 C2)
  A4:      ReplaceAt(F, l2, y := add (reg a) (const C))
  A5:      Assn(x_src = add a_src C1, l1, l2)                  (extra code for Crellvm)
  A6:      Inf(assoc_add(x_src, y_src, a_src, C1, C2), l2)     (extra code for Crellvm)
  A7:      EnableAuto(reduce_maydiff)                          (extra code for Crellvm)
  A8:    end if
  A9:  end for

For the example, C1 = 1 and C2 = 2, so C = 3. The three extra lines emit exactly the hints used in the proof on the previous slides: A5 propagates x_src = add a_src 1 from line 10 to line 20, A6 applies assoc_add(x_src, y_src, a_src, 1, 2) at line 20, and A7 enables the reduce_maydiff automation that removes y from MD.

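Added example, not code from the slides or from the Crellvm project: a toy Python version of the lock-step ERHL checker (strong post-condition, the assoc_add inference rule, the reduce_maydiff automation) together with Algorithm 1 extended with the Inf and EnableAuto hints, run on the program pair above. Side subscripts become per-side equation sets, hint positions are instruction indices instead of line labels, and the Assn propagation hint is left implicit; all of these are this example's simplifications.

```python
from copy import deepcopy

# Program = list of instructions ("add", dst, op1, op2) or ("call", fn, arg); operands are
# register names (str) or int constants.  Registers are SSA (defined once), as in LLVM IR.

class Assertion:
    """ERHL assertion: unary equations per side (SRC / TGT) plus the maydiff set MD."""
    def __init__(self):
        self.eqs = {"src": set(), "tgt": set()}   # {(reg, expr)}, expr = ("add", op1, op2)
        self.md = set()                           # registers that may differ between SRC and TGT

def regs_of(expr):
    """Registers mentioned by an expression."""
    return {o for o in expr[1:] if isinstance(o, str)}

def step(assn, s_ins, t_ins):
    """Strong post-condition of executing s_ins in SRC and t_ins in TGT in lock-step."""
    dst = s_ins[1]
    assert t_ins[1] == dst, "lock-step checker: both sides must define the same register"
    s_expr, t_expr = (s_ins[0],) + s_ins[2:], (t_ins[0],) + t_ins[2:]
    for side, expr in (("src", s_expr), ("tgt", t_expr)):
        # equations about dst are invalidated; all others are preserved (x, a not updated)
        assn.eqs[side] = {(r, e) for r, e in assn.eqs[side] if r != dst and dst not in regs_of(e)}
        assn.eqs[side].add((dst, expr))           # added by execution
    if s_expr == t_expr and not (regs_of(s_expr) & assn.md):
        assn.md.discard(dst)                      # same instruction over provably equal inputs
    else:
        assn.md.add(dst)                          # dst updated differently: it may differ

def assoc_add(assn, x, y, a, c1, c2):
    """Inference rule: from x = add a c1 and y = add x c2 (both in SRC) derive y = add a (c1+c2).
    Constants are folded over unbounded ints here; real LLVM adds wrap at the bit width."""
    eqs = assn.eqs["src"]
    if (x, ("add", a, c1)) in eqs and (y, ("add", x, c2)) in eqs:
        eqs.add((y, ("add", a, c1 + c2)))
        return True
    return False                                  # premises missing: application rejected

def reduce_maydiff(assn):
    """Automation: drop y from MD when SRC and TGT share an equation y = e and regs(e) ∩ MD = ∅."""
    for y in sorted(assn.md):
        shared = ({e for r, e in assn.eqs["src"] if r == y}
                  & {e for r, e in assn.eqs["tgt"] if r == y})
        if any(not (regs_of(e) & assn.md) for e in shared):
            assn.md.discard(y)

RULES, AUTOS = {"assoc_add": assoc_add}, {"reduce_maydiff": reduce_maydiff}

def validate(src, tgt, hints):
    """Check SRC against TGT.  hints[i] lists ("Inf", rule, args) / ("EnableAuto", name) hints
    attached to instruction i.  Succeeds when every call's argument is provably equal (∉ MD)."""
    if len(src) != len(tgt):
        return False
    assn, autos = Assertion(), set()
    for i, (s, t) in enumerate(zip(src, tgt)):
        if s[0] == "call":                        # foo(y): to show y ∉ MD
            if t != s or s[2] in assn.md:
                return False
            continue
        step(assn, s, t)
        for h in hints.get(i, []):
            if h[0] == "Inf" and not RULES[h[1]](assn, *h[2]):
                return False
            if h[0] == "EnableAuto":
                autos.add(h[1])
        for name in autos:
            AUTOS[name](assn)
    return True

def assoc_add_pass(fn):
    """Algorithm 1 (AssocAdd) plus Crellvm's extra lines: returns (optimized fn, hints).
    The Assn hint (A5) is implicit here because step() already carries x = add a C1 forward."""
    tgt, hints = deepcopy(fn), {}
    defs = {ins[1]: ins for ins in fn if ins[0] == "add"}
    for l2, ins in enumerate(fn):                 # A1: l2: y := add (reg x) (const C2)
        if ins[0] != "add" or not isinstance(ins[2], str) or not isinstance(ins[3], int):
            continue
        y, x, c2 = ins[1:]
        if x in defs and isinstance(defs[x][2], str) and isinstance(defs[x][3], int):
            _, _, a, c1 = defs[x]                 # A2: l1: x := add (reg a) (const C1)
            tgt[l2] = ("add", y, a, c1 + c2)      # A3, A4: Simplify and ReplaceAt
            hints[l2] = [("Inf", "assoc_add", (x, y, a, c1, c2)),   # A6
                         ("EnableAuto", "reduce_maydiff")]           # A7
    return tgt, hints

SRC = [("add", "x", "a", 1), ("add", "y", "x", 2), ("call", "foo", "y")]  # constructed from the slide

def demo():
    """Optimize SRC with proof hints, then validate with and without them."""
    tgt, hints = assoc_add_pass(SRC)
    return tgt, validate(SRC, tgt, hints), validate(SRC, tgt, {})
```

Without the hints y stays in MD at the call and validation fails; a target that computes y = add a 4 is rejected even with the hints, because reduce_maydiff finds no shared equation.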
SLIDES 76-82

General Relational Properties in ERHL

  • From the register promotion optimization, a relational equation between SRC and TGT is needed:

      { *p_src = r_tgt } MD = {p, r}

    Not allowed in ERHL, since MD is the only relational property.

  • Encoded with a ghost register p̂:

      { *p_src = p̂_src, p̂_tgt = r_tgt } MD = {p, r}

    Since p̂ ∉ MD, this chains into *p_src = p̂_src = p̂_tgt = r_tgt.

  • Ghost registers
    • existentially quantified
    • introduced by an inference rule

SLIDE 83

Implementation & Results

SLIDES 84-85

Implementation: Proof Checker

  • Implemented & verified soundness in Coq
    • Used formal LLVM semantics from Vellvm
    • Proved semantics preservation using CompCert’s memory injection
  • Installed 221 inference rules
    • 9 main rules (verified), e.g. transitivity, reduce_maydiff, intro_ghost
    • 212 arithmetic & special rules for instcombine (unverified)

                          Implementation   Verification   Total
  Proof Checker (SLOC)    2,987            18,934         21,921

SLIDE 86

Implementation: Proof Generation

  • Covered 4 passes in LLVM 3.7.1
    • mem2reg: register promotion algorithm
    • gvn: GVN-PRE algorithm
    • licm: loop-invariant code motion algorithm (partially covered)
    • instcombine: 158 peephole optimizations among >1000 ones

                            mem2reg   gvn     licm   instcombine
  Compiler (Covered SLOC)   568       1,092   706    702
  Proof Generation (SLOC)   213       440     286    1,357

SLIDES 87-89

Experiment Results

                     LOC    Validations   Fail   Not Supported   Success
  SPEC CINT 2006     1.0M   390K          69     31K (8%)        359K (92%)
  LLVM Nightly       1.4M   907K          69     361K (40%)      546K (60%)
  Open-Source*       2.9M   908K          325    180K (20%)      728K (80%)
  Random (Csmith)    1.6M   98K           1      12K (12%)       86K (88%)
  Total              6.9M   2303K         464    584K (25%)      1719K (75%)

  * Open-Source: Sendmail, Emacs, Python, Gimp, Ghostscript

  • Fail: all due to 4 compiler bugs
  • Not Supported: lack of language formalization (e.g., vector operations)

SLIDES 90-92

Execution Times

                   Compilation Phase   Validation Phase
  SPEC CINT2006    51                  141K
  LLVM Nightly     82                  126K
  Open-Source      125                 175K
  Total (sec.)     258                 442K

Compilation : validation = 4 min : 123 hours = 1 : 1700. But validation is embarrassingly parallel (~3 hours in wall clock, in 96 threads).

SLIDE 93

Summary

  • Developed a verified credible compilation framework for LLVM
  • Covered 3 major and >100 peephole optimizations of LLVM
  • Discovered 4 long-standing bugs in LLVM
    • 2 in mem2reg
    • 2 in gvn

SLIDE 94

What else is in the paper?

  • Reasoning about cyclic control flows
  • Reasoning about memory properties
  • Details of mem2reg and gvn validation
  • Porting to LLVM 5.0.1

SLIDE 95

Future Work

  • Formalizing LLVM IR features in Vellvm
    • Vectors, readonly, etc.
    • Integer-pointer casts
    • Undef & poison values
  • Supporting complex analyses
    • General alias analysis, division-by-zero, etc.
  • Supporting CFG-changing optimizations
    • Loop unrolling, etc.