extensible proof producing compilation
play

Extensible proof-producing compilation Magnus O . Myreen, Konrad - PowerPoint PPT Presentation

Aug 02, 2023 •5 likes •355 views

Extensible proof-producing compilation Magnus O . Myreen, Konrad Slind, Michael J . C . Gordon CC 2009 Motivation This talk is about compiling functions from the HOL4 theorem prover to machine code. Motivation This talk is about compiling

  1. Extensible proof-producing compilation Magnus O . Myreen, Konrad Slind, Michael J . C . Gordon CC 2009

  2. Motivation This talk is about compiling functions from the HOL4 theorem prover to machine code.

  3. Motivation This talk is about compiling functions from the HOL4 theorem prover to machine code. What is HOL4? ◮ an interactive and programmable proof assistant ◮ implements higher-order logic ◮ used for formalising maths, verification of hardware and software ... (e.g. Anthony Fox has used it for verifying the hardware of an ARM processor)

  4. Motivation This talk is about compiling functions from the HOL4 theorem prover to machine code. What is HOL4? ◮ an interactive and programmable proof assistant ◮ implements higher-order logic ◮ used for formalising maths, verification of hardware and software ... (e.g. Anthony Fox has used it for verifying the hardware of an ARM processor) Aim: user verifies an algorithm, clicks a button and then receives machine code, which is guaranteed (via proof in HOL4) to correctly implement the algorithm.

  5. Example Given function f as input f ( r 1 ) = if r 1 < 10 then r 1 else let r 1 = r 1 − 10 in f ( r 1 ) the compiler generates ARM machine code: E351000A L: cmp r1,#10 2241100A subcs r1,r1,#10 2AFFFFFC bcs L

  6. Example Given function f as input f ( r 1 ) = if r 1 < 10 then r 1 else let r 1 = r 1 − 10 in f ( r 1 ) the compiler generates ARM machine code: E351000A L: cmp r1,#10 2241100A subcs r1,r1,#10 2AFFFFFC bcs L and automatically proves a certificate HOL4 theorem, which states that f is executed by machine code: ⊢ { r1 r 1 ∗ pc p ∗ s } p : E351000A 2241100A 2AFFFFFC { r1 f ( r 1 ) ∗ pc ( p +12) ∗ s }

  7. Example, cont. One can prove properties of f since it lives in HOL4: ⊢ ∀ x . f ( x ) = x mod 10 Here mod is modulus over unsigned machine words.

  8. Example, cont. One can prove properties of f since it lives in HOL4: ⊢ ∀ x . f ( x ) = x mod 10 Here mod is modulus over unsigned machine words. Properties proved of f translate to properties of the machine code: ⊢ { r1 r 1 ∗ pc p ∗ s } p : E351000A 2241100A 2AFFFFFC { r1 ( r 1 mod 10) ∗ pc ( p +12) ∗ s }

  9. Example, cont. One can prove properties of f since it lives in HOL4: ⊢ ∀ x . f ( x ) = x mod 10 Here mod is modulus over unsigned machine words. Properties proved of f translate to properties of the machine code: ⊢ { r1 r 1 ∗ pc p ∗ s } p : E351000A 2241100A 2AFFFFFC { r1 ( r 1 mod 10) ∗ pc ( p +12) ∗ s } Additional feature: the compiler can use the above theorem to extend its input language with: let r 1 = r 1 mod 10 in

  10. Talk outline 1. how is the proof-producing compiler implemented? 2. how do extensions work? example: LISP interpreter 3. design decisions and related work

  11. Methodology To compile function f : 1. code generation: generate, without proof, machine code from input f ; 2. decompilation: derive, via proof, a function f ′ describing the machine code; 3. certification: prove f = f ′ . In TACAS’98, Pnueli et al . call this method translation validation.

  12. Example, code generation When compiling function f : f ( r 0 , r 1 , m ) = if r 0 = 0 then ( r 0 , r 1 , m ) else let r 1 = m ( r 1 ) in let r 0 = r 0 − 1 in f ( r 0 , r 1 , m ) Code generation produces x86 assembly:

  13. Example, code generation When compiling function f : f ( r 0 , r 1 , m ) = if r 0 = 0 then ( r 0 , r 1 , m ) else let r 1 = m ( r 1 ) in let r 0 = r 0 − 1 in f ( r 0 , r 1 , m ) Code generation produces x86 assembly: L1: test eax, eax jz L2 mov ecx,[ecx] dec eax jmp L1 L2:

  14. Example, code generation When compiling function f : f ( r 0 , r 1 , m ) = if r 0 = 0 then ( r 0 , r 1 , m ) else let r 1 = m ( r 1 ) in let r 0 = r 0 − 1 in f ( r 0 , r 1 , m ) Code generation produces x86 assembly, which NASM translates: 0: 85C0 L1: test eax, eax 2: 7405 jz L2 4: 8B09 mov ecx,[ecx] 6: 48 dec eax 7: EBF7 jmp L1 L2:

  15. Initial input language The initial input language is designed for ease of code generation: ◮ all variables must have names of registers r 0 , r 1 , r 2 , stack locations s 1 , s 2 , or memory functions m , m 1 , m 2 etc. ◮ basic operations over registers are permitted, e.g. let r 1 = r 2 + r 4 in ... let r 3 = 50 in ... ◮ simple comparisons are supported, e.g. if ( r 2 = 5) ∧ ( r 3 & 3 = 0) then ... else ... ◮ tail-recursive function calls allowed. This language is very restrictive, but can be used as compiler back-end, or extended directly (see later slides).

  16. Example, decompilation Returning to our example... the second stage of compilation is decompilation of the generated code (FMCAD 2008). Decompilation: derive a function f ′ describing the code.

  17. Example, decompilation Returning to our example... the second stage of compilation is decompilation of the generated code (FMCAD 2008). Decompilation: derive a function f ′ describing the code. First, theorems describing one pass through the code are derived: eax & eax = 0 ⇒ { ( eax , ecx , m ) is ( eax , ecx , m ) ∗ eip p ∗ s } p : 85C074058B0948EBF7 { ( eax , ecx , m ) is ( eax , ecx , m ) ∗ eip ( p +9) ∗ s } eax & eax � = 0 ∧ ecx ∈ domain m ∧ ( ecx & 3 = 0) ⇒ { ( eax , ecx , m ) is ( eax , ecx , m ) ∗ eip p ∗ s } p : 85C074058B0948EBF7 { ( eax , ecx , m ) is ( eax − 1 , m ( ecx ) , m ) ∗ eip p ∗ s }

  18. Example, decompilation, cont. A special loop rule is used to introduce a tail recursion. ∀ res res’ c . ( ∀ x . P x ∧ G x ⇒ { res x } c { res ( F x ) } ) ∧ ( ∀ x . P x ∧ ¬ ( G x ) ⇒ { res x } c { res ′ ( D x ) } ) ⇒ ( ∀ x . pre x ⇒ { res x } c { res ′ (tailrec x ) } ) where tailrec and pre are: tailrec x = if ( G x ) then tailrec ( F x ) else ( D x ) pre x = P x ∧ ( G x ⇒ pre ( F x ))

  19. Example, decompilation, cont. With appropriate instantiations of variables, tailrec satisfies: tailrec( eax , ecx , m ) = if eax & eax = 0 then ( eax , ecx , m ) else let ecx = m ( ecx ) in let eax = eax − 1 in tailrec( eax , ecx , m ) and we have a certificate theorem: pre( eax , ecx , m ) ⇒ { ( eax , ecx , m ) is ( eax , ecx , m ) ∗ eip p ∗ s } p : 85C074058B0948EBF7 { ( eax , ecx , m ) is tailrec( eax , ecx , m ) ∗ eip ( p +9) ∗ s } We define decompilation f ′ = tailrec.

  20. Certification To compile function f : 1. code generation: generate, without proof, machine code from input f ; 2. decompilation: derive, via proof, a function f ′ describing the machine code; 3. certification: prove f = f ′ .

  21. Example, certification Since f and f ′ are instances of tailrec, tailrec x = if ( G x ) then tailrec ( F x ) else ( D x ) it is sufficient to prove their components equivalent, in this case: ( λ ( r 0 , r 1 , m ) . r 0 � = 0) = ( λ ( eax , ecx , m ) . eax & eax � = 0) ( λ ( r 0 , r 1 , m ) . ( r 0 − 1 , m ( r 1 ) , m )) = ( λ ( eax , ecx , m ) . ( eax − 1 , m ( ecx ) , m )) ( λ ( r 0 , r 1 , m ) . ( r 0 , r 1 , m )) = ( λ ( eax , ecx , m ) . ( eax , ecx , m ))

  22. Example, certification Since f and f ′ are instances of tailrec, tailrec x = if ( G x ) then tailrec ( F x ) else ( D x ) it is sufficient to prove their components equivalent, in this case: ( λ ( r 0 , r 1 , m ) . r 0 � = 0) = ( λ ( eax , ecx , m ) . eax & eax � = 0) ( λ ( r 0 , r 1 , m ) . ( r 0 − 1 , m ( r 1 ) , m )) = ( λ ( eax , ecx , m ) . ( eax − 1 , m ( ecx ) , m )) ( λ ( r 0 , r 1 , m ) . ( r 0 , r 1 , m )) = ( λ ( eax , ecx , m ) . ( eax , ecx , m )) Lightweight optimisations are undone: ◮ small tweaks, like eax & eax = eax ; ◮ some instruction reordering; ◮ conditional execution (for ARM and x86); ◮ dead-code removal; ◮ shared-tail elimination (next slides)

  23. Shared-tail elimination The assignment to r 1 is shared: f ( r 1 , r 2 ) = if r 1 = 0 then let r 2 = 23 in let r 1 = 4 in ( r 1 , r 2 ) else let r 2 = 56 in let r 1 = 4 in ( r 1 , r 2 ) Another formulation: g ( r 1 , r 2 ) = let ( r 1 , r 2 ) = g 2 ( r 1 , r 2 ) in let r 1 = 4 in ( r 1 , r 2 ) g 2 ( r 1 , r 2 ) = if r 1 = 0 then let r 2 = 23 in ( r 1 , r 2 ) else let r 2 = 56 in ( r 1 , r 2 ) Both produce ARM code: 0: E3510000 cmp r1,#0 4: 03A02017 moveq r2,#23 8: 13A02038 movne r2,#56 12: E3A01004 mov r1,#4

  24. Talk outline 1. how to implement basic proof-producing compiler? 2. how do extensions work? LISP interpreter. 3. design decisions and related work

  25. Extensions The introduction showed how to prove: { r1 r 1 ∗ pc p ∗ s } p : E351000A 2241100A 2AFFFFFC { r1 ( r 1 mod 10) ∗ pc ( p +12) ∗ s } Such theorems can be used to extend the compiler’s input language, in this case with: let r 1 = r 1 mod 10 in

  26. Extensions, cont. Example. The extension allows us to compile: f ( r 1 , r 2 , r 3 ) = let r 1 = r 1 + r 2 in let r 1 = r 1 + r 3 in let r 1 = r 1 mod 10 in r 1 Code generation produces “tagged-code”: E0811002 E0811003 E351000A 2241100A 2AFFFFFC The decompiler will know to use the supplied theorem for tagged code blocks. The certification stage is unchanged.

  27. Extensions, cont. The one-pass theorem is derived using the supplied theorem: { r1 r 1 ∗ pc p ∗ s } p : E0811002 E0811003 E351000A 2241100A 2AFFFFFC { r1 (( r 1 + r 2 + r 3 ) mod 10) ∗ pc ( p +20) ∗ s } Previously proved theorems are used a building blocks.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Automatic Library Compilation and Proof Tree Visualisation for Coq Proof General Hendrik Tews

Automatic Library Compilation and Proof Tree Visualisation for Coq Proof General Hendrik Tews

Automatic Library Compilation Proof Tree Visualisation Conclusion Automatic Library Compilation and Proof Tree Visualisation for Coq Proof General Hendrik Tews Technische Universit at Dresden Third Coq Workshop, August 26, 2011 Hendrik

385 views • 16 slides
Last week, David Terei lectured about the compilation pipeline which is responsible for producing

Last week, David Terei lectured about the compilation pipeline which is responsible for producing

Last week, David Terei lectured about the compilation pipeline which is responsible for producing the executable binaries of the Haskell code you actually want to run. Today, we are going to look at an important piece of C code (blasphemy!)

963 views • 74 slides
JIT Compilation Module Overview JIT Compilation Native vs. Managed Compilation Managed

JIT Compilation Module Overview JIT Compilation Native vs. Managed Compilation Managed

JIT Compilation Module Overview JIT Compilation Native vs. Managed Compilation Managed Execution Phases Assembly Loading &amp; Initialization JIT Compilation JIT Optimizations Whats new in NGEN 4.0? When to use NGEN? 2 Running Code

484 views • 46 slides
1 Language processing Query Graph Model Two stages: compilation and Vertices execution

1 Language processing Query Graph Model Two stages: compilation and Vertices execution

Outline Extensible Query Processing in Motivation Starburst Solution: Extensible DBMS Language Processing Query Graph Model Presentation: Kati Query rewrite Discussion: Andrew Summary Motivation Starburst Project

281 views • 3 slides
Tracing Compilation by Abstract Interpretation S. Dissegna, F. Logozzo, F. Ranzato Thophile

Tracing Compilation by Abstract Interpretation S. Dissegna, F. Logozzo, F. Ranzato Thophile

Just-In-Time compilation Study setup Abstract interpretation Correctness proof Tracing Compilation by Abstract Interpretation S. Dissegna, F. Logozzo, F. Ranzato Thophile Bastian March 7, 2018 Slides: https://tiny.tobast.fr/m2-absint-slides

445 views • 16 slides
The Compilation Process Preprocessing: o processes include-files, conditional compilation and

The Compilation Process Preprocessing: o processes include-files, conditional compilation and

4/1/14 The Compilation Process Preprocessing: o processes include-files, conditional compilation and macros. Compilation: Writing Large Programs o takes the output of the preprocessor and the source code, and generates assembler

271 views • 6 slides
To look but not to see In this talk I will relate recent successes in compilation for

To look but not to see In this talk I will relate recent successes in compilation for

To look but not to see In this talk I will relate recent successes in compilation for Encrypted Computing to code obfuscation Of importance in Encrypted Computing is a proof ... Adversary has no method to decipher run-time data code

319 views • 21 slides
3515ICT Theory of Computation Some sample proofs 4-0 Proof types 1. Proof

3515ICT Theory of Computation Some sample proofs 4-0 Proof types 1. Proof

Griffith University 3515ICT Theory of Computation Some sample proofs 4-0 Proof types 1. Proof by construction 2. Proof by equivalence 3. Proof by contradiction 4. Proof by case analysis 5. Proof by induction

549 views • 11 slides
Extensible Dependency Grammar: A Modular Grammar Formalism Based On Multigraph Description Ralph

Extensible Dependency Grammar: A Modular Grammar Formalism Based On Multigraph Description Ralph

Extensible Dependency Grammar Extensible Dependency Grammar: A Modular Grammar Formalism Based On Multigraph Description Ralph Debusmann Programming Systems Lab, Saarbrcken, Germany Promotionskolloquium, November 3, 2006 Extensible

988 views • 85 slides
Building Ext Building Extensible Ne Building Ext Building Extensible Ne nsible Netw nsible

Building Ext Building Extensible Ne Building Ext Building Extensible Ne nsible Netw nsible

Building Ext Building Extensible Ne Building Ext Building Extensible Ne nsible Netw nsible Netw twor twor orks with orks with ks with ks with Rule-Based F le-Based Forwar arding ding Lucian Popa Norbert Egi Sylvia Ratnasamy Ion

1.28k views • 104 slides
CHARIOT: A DOMAIN SPECIFIC LANGUAGE FOR EXTENSIBLE

CHARIOT: A DOMAIN SPECIFIC LANGUAGE FOR EXTENSIBLE

Extensible CPS Subhav Pradhan CHARIOT: A DOMAIN SPECIFIC LANGUAGE FOR EXTENSIBLE CYBER-PHYSICAL SYSTEMS Presented at DSM 2015, Pittsburgh, PA Subhav Pradhan , Abhishek Dubey, Aniruddha Gokhale, and

245 views • 11 slides
Creating wellness, producing value Creating wellness, producing value Disclaimer

Creating wellness, producing value Creating wellness, producing value Disclaimer

, HELEX 16 OCTOBER 2018 Creating wellness, producing value Creating wellness, producing value Disclaimer This presentation has been prepared by PAPOUTSANIS S.A. based on publicly available information solely for the

712 views • 28 slides
Extensible Indexed Types Daniel R. Licata and Robert Harper Carnegie Mellon University Indexed

Extensible Indexed Types Daniel R. Licata and Robert Harper Carnegie Mellon University Indexed

Extensible Indexed Types Daniel R. Licata and Robert Harper Carnegie Mellon University Indexed Types Indexed families of types are useful! list(t) where t type array(n) where n nat proof(p) where p prop Uniform and non-uniform

374 views • 35 slides
RDF pro an Extensible Tool for Building Stream- an Extensible Tool for Building Stream-

RDF pro an Extensible Tool for Building Stream- an Extensible Tool for Building Stream-

RDF pro RDF pro an Extensible Tool for Building Stream- an Extensible Tool for Building Stream- Oriented RDF Processing Pipelines Oriented RDF Processing Pipelines Riva del Garda, 19 October 2014 Marco Rospocher 1 , Marco Amadori 2 , Michele

394 views • 15 slides
JVM Optimization 101 Sebastian Zarnekow itemis Static vs Dynamic Compilation AOT vs JIT JIT

JVM Optimization 101 Sebastian Zarnekow itemis Static vs Dynamic Compilation AOT vs JIT JIT

JVM Optimization 101 Sebastian Zarnekow itemis Static vs Dynamic Compilation AOT vs JIT JIT Compilation Compiled when needed Maybe immediately before execution ...or when the VM decides its important ...or never? JIT Compilation

757 views • 28 slides
MID-YEAR MOBILITY DATA 1 PURPOSE The following slides are a compilation of the mid-year

MID-YEAR MOBILITY DATA 1 PURPOSE The following slides are a compilation of the mid-year

COMPILATION OF MID-YEAR MOBILITY DATA 1 PURPOSE The following slides are a compilation of the mid-year mobility data analysis presented at the Cross Sector Collaboration Task Force during the May 24 and June 28 meetings. This compilation has

485 views • 37 slides
Independently Extensible Solutions to the Expression Problem Martin Odersky, EPFL Matthias

Independently Extensible Solutions to the Expression Problem Martin Odersky, EPFL Matthias

Independently Extensible Solutions to the Expression Problem Martin Odersky, EPFL Matthias Zenger, Google History The expression problem is fundamental for software extensibility. It arises when recursively defined datatypes and

609 views • 30 slides
Nego%a%on and Extensibility Cullen Jennings fluffy@cisco.com IETF 80

Nego%a%on and Extensibility Cullen Jennings fluffy@cisco.com IETF 80

Nego%a%on and Extensibility Cullen Jennings fluffy@cisco.com IETF 80 Why Nego%a%on of Algorithms and Extensions Addi%on of features, innova%on, and fixes

235 views • 6 slides
Extensibility, Safety, and Performance in the Spin Operating System Brian Bershad, Steven

Extensibility, Safety, and Performance in the Spin Operating System Brian Bershad, Steven

Extensibility, Safety, and Performance in the Spin Operating System Brian Bershad, Steven Savage, Przemyslaw Pardyak, Emin Gun Sirer, Marc Fiuczynski, David Becker, Craig Chambers, and Susan Eggers Department of Computer Science and

305 views • 28 slides
Reelle tal, f.eks. 1/7 eller double float 32 bit 64 bit

Reelle tal, f.eks. 1/7 eller double float 32 bit 64 bit

Reelle tal, f.eks. 1/7 eller double float 32 bit 64 bit By default, the x87 processors all use 80-bit double-extended precision internally wikipedia.org/wiki/X87 Algorithms using real numbers

666 views • 54 slides
Extensibility for DSL design and Example implementation Step 1 Step 2 A case study in Common

Extensibility for DSL design and Example implementation Step 1 Step 2 A case study in Common

Extensibility Didier Verna Introduction Extensibility for DSL design and Example implementation Step 1 Step 2 A case study in Common Lisp Step 3 Step 4 Wrap Up Didier Verna Conclusion Discussion didier@lrde.epita.fr

469 views • 28 slides
Performance vs. Extensibility and Ease of Use: Next Steps in the NMWG Schemata Martin Swany

Performance vs. Extensibility and Ease of Use: Next Steps in the NMWG Schemata Martin Swany

Performance vs. Extensibility and Ease of Use: Next Steps in the NMWG Schemata Martin Swany University of Delaware Requirements and Goals Current schema continues to evolve to address community needs Application/middleware

189 views • 5 slides
Future Work Finish building VINO. Networking. Naming. Build applications that

Future Work Finish building VINO. Networking. Naming. Build applications that

Future Work Finish building VINO. Networking. Naming. Build applications that use extensions to optimize performance. Interface design. What types of extensions actually get used? Revisit flexibility vs.

297 views • 18 slides
A Practical, Typed Variant Object Model Or, How to Stand On Your Head and Enjoy the View

A Practical, Typed Variant Object Model Or, How to Stand On Your Head and Enjoy the View

A Practical, Typed Variant Object Model Or, How to Stand On Your Head and Enjoy the View Pottayil Harisanker Menon, Zachary Palmer, Scott F. Smith, Alexander Rozenshteyn The Johns Hopkins University October 22, 2012 Object Encodings

1.86k views • 160 slides

More recommend