formal verification of a compiler front end for mini ml
play

Formal verification of a compiler front-end for mini-ML Zaynah - PowerPoint PPT Presentation

May 02, 2023 •371 likes •704 views

Formal verification of a compiler front-end for mini-ML Zaynah Dargaye, Xavier Leroy, Andrew Tolmach INRIA Paris-Rocquencourt WG 2.8, july 2007 Dargaye, Leroy, Tolmach (INRIA) Verification of a mini-ML compiler WG 2.8, july 2007 1 / 34

  1. Formal verification of a compiler front-end for mini-ML Zaynah Dargaye, Xavier Leroy, Andrew Tolmach INRIA Paris-Rocquencourt WG 2.8, july 2007 Dargaye, Leroy, Tolmach (INRIA) Verification of a mini-ML compiler WG 2.8, july 2007 1 / 34

  2. Formal verification of compilers Apply formal methods to a compiler. Prove a semantic preservation property: Theorem For all source codes S, if the compiler generates machine code C from source S, without reporting a compilation error, and if S has well-defined semantics, then C has well-defined semantics and S and C have the same observable behaviour. Dargaye, Leroy, Tolmach (INRIA) Verification of a mini-ML compiler WG 2.8, july 2007 2 / 34

  3. Formal verification of compilers Motivations: Useful for high-assurance software, verified (at the source level) using formal methods. A challenge for mechanized program proof. For fun! (compilers + pure F.P. + mechanized proof, all in one easy-to-explain project). Dargaye, Leroy, Tolmach (INRIA) Verification of a mini-ML compiler WG 2.8, july 2007 3 / 34

  4. The Compcert effort INRIA/CNAM/Paris 7, since 2003 Develop and prove correct a realistic compiler, usable for critical embedded software. Source language: a subset of C. Target language: PowerPC assembly. Generates reasonably compact and fast code ⇒ some optimizations. This is “software-proof codesign” (as opposed to proving an existing compiler). We use the Coq proof assistant to conduct the proof of semantic preservation and to write most of the compiler. Dargaye, Leroy, Tolmach (INRIA) Verification of a mini-ML compiler WG 2.8, july 2007 4 / 34

  5. The Compcert effort – status A prototype compiler that executes (under MacOS X). From Clight AST to PowerPC assembly AST: entirely verified in Coq (40000 lines); entirely programmed in Coq, then automatically extracted to executable Caml code. Uses monads, persistent data structures, etc. Performances of generated code: better than gcc -O0 , close to gcc -O1 . Compilation times: comparable to those of gcc -O1 . References: X. Leroy, POPL 2006 (back-end); S. Blazy, Z. Dargaye, X. Leroy, Formal Methods 2006 (C front-end). Dargaye, Leroy, Tolmach (INRIA) Verification of a mini-ML compiler WG 2.8, july 2007 5 / 34

  6. Front-ends for other source languages Clight Cminor PPC Cminor could be a reasonable I.L. for other source languages. Dargaye, Leroy, Tolmach (INRIA) Verification of a mini-ML compiler WG 2.8, july 2007 7 / 34

  7. A flavor of Cminor "quicksort"(lo, hi, a): int -> int -> int -> void { var i, j, pivot, temp; if (! (lo < hi)) return; i = lo; j = hi; pivot = int32[a + hi * 4]; block { loop { if (! (i < j)) exit; block { loop { if (i >= hi || int32[a + i * 4] > pivot) exit; i = i + 1; } } /* ... */ } } temp = int32[a + i * 4]; int32[a + i * 4] = int32[a + hi * 4]; int32[a + hi * 4] = temp; "quicksort"(lo, i - 1, a) : int -> int -> int -> void; tailcall "quicksort"(i + 1, hi, a) : int -> int -> int -> void; } Dargaye, Leroy, Tolmach (INRIA) Verification of a mini-ML compiler WG 2.8, july 2007 9 / 34

  8. Front-ends for other source languages Clight Cminor PPC Dargaye, Leroy, Tolmach (INRIA) Verification of a mini-ML compiler WG 2.8, july 2007 11 / 34

  9. Front-ends for other source languages Clight Cminor PPC Reactive language? Dargaye, Leroy, Tolmach (INRIA) Verification of a mini-ML compiler WG 2.8, july 2007 11 / 34

  10. Front-ends for other source languages Mini-ML Clight Cminor PPC Reactive language? Dargaye, Leroy, Tolmach (INRIA) Verification of a mini-ML compiler WG 2.8, july 2007 11 / 34

  11. Front-ends for other source languages Coq specs Mini-ML Clight Cminor PPC Reactive language? Towards a trusted execution path for programs written and proved in Coq. This includes the Compcert compiler itself . . . (bootstrap!) Dargaye, Leroy, Tolmach (INRIA) Verification of a mini-ML compiler WG 2.8, july 2007 11 / 34

  12. mini-ML: syntax Pure, call-by-value, datatypes + shallow pattern matching. Terms: a ::= n variable (de Bruijn) | λ. a | a 1 a 2 | µ.λ. a recursive function | let a 1 in a 2 | C ( a 1 , . . . , a n ) data constructor | match a with p 1 → a 1 . . . p n → a n p ::= C n Patterns: i.e. C ( n , . . . , 1) Also: constants and arithmetic operators. More or less the output language for Coq’s extraction, minus mutually-recursive functions. Dargaye, Leroy, Tolmach (INRIA) Verification of a mini-ML compiler WG 2.8, july 2007 12 / 34

  13. mini-ML: dynamic semantics Big-step operational semantics with environments e ⊢ a ⇒ v with v ::= C ( v 1 , . . . , v n ) | ( λ. a )[ e ] | ( µ.λ. a )[ e ] and e = v 1 . . . v n . Entirely standard. Big-step semantics with substitutions also used in some of the proofs. Dargaye, Leroy, Tolmach (INRIA) Verification of a mini-ML compiler WG 2.8, july 2007 14 / 34

  14. mini-ML: (no) type system Our Mini-ML is untyped: Makes it easier to translate various typed F.P.L. to mini-ML, e.g. Coq with its extremely powerful type system. We are doing semantic-preserving compilation, which subsumes all the guarantees that type-preserving compilation provides. Exception: we demand that constructors are grouped into “datatype declarations” to facilitate pattern-matching compilation (see example). Dargaye, Leroy, Tolmach (INRIA) Verification of a mini-ML compiler WG 2.8, july 2007 15 / 34

  15. Example of mini-ML type list = Nil | Cons program let map = µ map. λ x. match x with | Nil -> Nil | Cons(hd, tl) -> Cons(f hd, map f tl) in map ( λ x. Cons(x, Nil)) Nil Dargaye, Leroy, Tolmach (INRIA) Verification of a mini-ML compiler WG 2.8, july 2007 17 / 34

  16. Overview of the compiler w/ numbered uncurrying w/ n -ary pat-match mini-ML “compilation” constructors functions closure CPS conversion conversion w/ closed, Cminor g n i m a n toplevel fns s o t NQANF o r f o Dargaye, Leroy, Tolmach (INRIA) Verification of a mini-ML compiler WG 2.8, july 2007 18 / 34

  17. Uncurrying let -bound curried functions are turned into n -ary functions. let f = λ x. λ y. ... in Pair(f 1 2, f 1) ⇓ let f = λ (x, y). ... in Pair(f(1, 2), (( λ x. λ y.f(x,y))(1))) Dargaye, Leroy, Tolmach (INRIA) Verification of a mini-ML compiler WG 2.8, july 2007 20 / 34

  18. Generation of Cminor code Quite straightforward if Cminor had dynamic memory allocation with garbage collection. (Mostly, represent constructor applications and closures as pointers to appropriately-filled memory blocks.) But Cminor has no memory allocator, no GC, and no run-time system of any kind. . . Dargaye, Leroy, Tolmach (INRIA) Verification of a mini-ML compiler WG 2.8, july 2007 21 / 34

  19. Run-time systems: the bane of high-level languages Run-time systems are big (e.g. 50000 lines), messy, written in C, system-dependent, often buggy, . . . Yet, the run-time system must be proved correct in the context of a verified compiler for a high-level language. Dargaye, Leroy, Tolmach (INRIA) Verification of a mini-ML compiler WG 2.8, july 2007 22 / 34

  20. What needs to be done For the memory allocator and (tracing) garbage collector: The algorithms must be proved correct. (Mostly routine.) The actual implementation (typically in Cminor) must be proved correct. (Painful, like all proofs of imperative programs.) This proof must be connected to that of the compiler: Compiler-generated code must respect GC contract (Data representation conventions, don’t touch block headers, etc) GC must be able to find the memory roots (among the compiler-managed registers, call stack, etc) Dargaye, Leroy, Tolmach (INRIA) Verification of a mini-ML compiler WG 2.8, july 2007 23 / 34

  21. What needs to be done For the memory allocator and (tracing) garbage collector: The algorithms must be proved correct. (Mostly routine.) The actual implementation (typically in Cminor) must be proved correct. (Painful, like all proofs of imperative programs.) This proof must be connected to that of the compiler: Compiler-generated code must respect GC contract (Data representation conventions, don’t touch block headers, etc) GC must be able to find the memory roots (among the compiler-managed registers, call stack, etc) Dargaye, Leroy, Tolmach (INRIA) Verification of a mini-ML compiler WG 2.8, july 2007 23 / 34

  22. What needs to be done For the memory allocator and (tracing) garbage collector: The algorithms must be proved correct. (Mostly routine.) The actual implementation (typically in Cminor) must be proved correct. (Painful, like all proofs of imperative programs.) This proof must be connected to that of the compiler: Compiler-generated code must respect GC contract (Data representation conventions, don’t touch block headers, etc) GC must be able to find the memory roots (among the compiler-managed registers, call stack, etc) Dargaye, Leroy, Tolmach (INRIA) Verification of a mini-ML compiler WG 2.8, july 2007 23 / 34

  23. Example: finding roots using frame descriptors Registers size=8 root #roots=1 r0=stk4 hash size=20 root Heap #roots=3 code addr r0=reg4 r1=stk8 hash root r2=stk12 root Frame code addr descriptors Stack Dargaye, Leroy, Tolmach (INRIA) Verification of a mini-ML compiler WG 2.8, july 2007 24 / 34

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Formal verification of an optimizing compiler or: a software-proof codesign approach to the

Formal verification of an optimizing compiler or: a software-proof codesign approach to the

Formal verification of an optimizing compiler or: a software-proof codesign approach to the development of trusted compilers Xavier Leroy INRIA Rocquencourt MEMOCODE 2007 X. Leroy (INRIA) Formal compiler verification MEMOCODE 2007 1 / 61

969 views • 62 slides
A GENERAL-PURPOSE CRN-TO-DSD COMPILER WITH FORMAL VERIFICATION, OPTIMIZATION, AND SIMULATION

A GENERAL-PURPOSE CRN-TO-DSD COMPILER WITH FORMAL VERIFICATION, OPTIMIZATION, AND SIMULATION

A GENERAL-PURPOSE CRN-TO-DSD COMPILER WITH FORMAL VERIFICATION, OPTIMIZATION, AND SIMULATION CAPABILITIES Stefan Badelt , Seung Woo Shin, Robert F. Johnson, Qing Dong, Chris Thachuk, and Erik Winfree DNA and Natural Algorithms (DNA) Group,

320 views • 28 slides
Formal verification of program obfuscations Sandrine Blazy joint work with Roberto Giacobazzi and

Formal verification of program obfuscations Sandrine Blazy joint work with Roberto Giacobazzi and

Formal verification of program obfuscations Sandrine Blazy joint work with Roberto Giacobazzi and Alix Trieu IFIP WG 2.11, 2015-11-10 1 Background: verifying a compiler Compiler + proof that the compiler does not introduce bugs CompCert, a

597 views • 21 slides
a Scala Compiler Plugin for Verification Nada Amin Features transform Scala def AST into a

a Scala Compiler Plugin for Verification Nada Amin Features transform Scala def AST into a

a Scala Compiler Plugin for Verification Nada Amin Features transform Scala def AST into a CFG front-end to lab verifier front-end to Eldarica support for design by contract partial understanding verified classes

298 views • 17 slides
Formal verification of a realistic compiler Xavier Leroy CACM 2009 CS 7194: Great Works in

Formal verification of a realistic compiler Xavier Leroy CACM 2009 CS 7194: Great Works in

Formal verification of a realistic compiler Xavier Leroy CACM 2009 CS 7194: Great Works in Programming Languages Presenter : Irene Yoon | Mentor : Ryan Doenges 1 Building robust compilers is Hard. 2 Bugs bugs 3 Bugs [Yang

1.01k views • 68 slides
Model-Checking Acknowledgment Formal Verification Formal verification means to apply

Model-Checking Acknowledgment Formal Verification Formal verification means to apply

Model-Checking Acknowledgment Formal Verification Formal verification means to apply mathematical arguments to prove the correctness of systems Systems have bugs Formal verification aims to find and correct such bugs Why? Computer systems

1.42k views • 122 slides
Formal Verification and Computer Architecture A Validated Formal Model of the x86 ISA for

Formal Verification and Computer Architecture A Validated Formal Model of the x86 ISA for

Formal Verification and Computer Architecture A Validated Formal Model of the x86 ISA for Analyzing Computing Systems Shilpi Goel shilpi@centtech.com Formal Verification Engineer Centaur Technology, Inc. Software and Reliability Can we rely

1.14k views • 78 slides
A GENERAL-PURPOSE A GENERAL-PURPOSE CRN-TO-DSD COMPILER FRAMEWORK CRN-TO-DSD COMPILER FRAMEWORK

A GENERAL-PURPOSE A GENERAL-PURPOSE CRN-TO-DSD COMPILER FRAMEWORK CRN-TO-DSD COMPILER FRAMEWORK

A GENERAL-PURPOSE A GENERAL-PURPOSE CRN-TO-DSD COMPILER FRAMEWORK CRN-TO-DSD COMPILER FRAMEWORK WITH FORMAL VERIFICATION, OPTIMIZATION, WITH FORMAL VERIFICATION, OPTIMIZATION, AND SIMULATION CAPABILITIES AND SIMULATION CAPABILITIES Stefan

575 views • 38 slides
Formal Hardware Verification: getting started Mary Sheeran Making Formal Verification work Aim

Formal Hardware Verification: getting started Mary Sheeran Making Formal Verification work Aim

Formal Hardware Verification: getting started Mary Sheeran Making Formal Verification work Aim for automation (bit level) Find niches where formal methods work well Use assertions/ properties first in sim. and then in FV (the acronym is ABV,

1.14k views • 65 slides
CSE 401: Introduction to Compiler Construction Course Outline Goals: Compiler front-ends:

CSE 401: Introduction to Compiler Construction Course Outline Goals: Compiler front-ends:

CSE 401: Introduction to Compiler Construction Course Outline Goals: Compiler front-ends: lexical analysis (scanning): characters tokens learn principles &amp; practice of language implementation syntactic analysis (parsing):

660 views • 11 slides
Formal Verification in Industry John Harrison Intel Corporation The cost of bugs Formal

Formal Verification in Industry John Harrison Intel Corporation The cost of bugs Formal

Formal Verification in Industry 1 Formal Verification in Industry John Harrison Intel Corporation The cost of bugs Formal verification Machine-checked proof Automatic and interactive approaches HOL Light Floating point

366 views • 25 slides
Compiler verification for fun and profit Xavier Leroy Inria Paris-Rocquencourt FMCAD,

Compiler verification for fun and profit Xavier Leroy Inria Paris-Rocquencourt FMCAD,

Compiler verification for fun and profit Xavier Leroy Inria Paris-Rocquencourt FMCAD, 2014-10-22 X. Leroy (Inria) Compiler verification FMCAD14 1 / 52 Prologue: Can you trust your compiler? X. Leroy (Inria) Compiler verification

856 views • 70 slides
SAE MINI BAJA Front &amp; Rear End Rear End: Jacob Ruiz Front End: Will Preston Lucas Cramer

SAE MINI BAJA Front &amp; Rear End Rear End: Jacob Ruiz Front End: Will Preston Lucas Cramer

SAE MINI BAJA Front &amp; Rear End Rear End: Jacob Ruiz Front End: Will Preston Lucas Cramer Jacob Grudynski Aaron King Jesse Summers Michael Edirmannasinghe Proudly Sponsored By: Project Description SAE Baja is a collegiate

599 views • 40 slides
Formal Verification of Floating-Point Arithmetic John Harrison Intel Corporation Formal

Formal Verification of Floating-Point Arithmetic John Harrison Intel Corporation Formal

Formal Verification of Floating-Point Arithmetic 1 Formal Verification of Floating-Point Arithmetic John Harrison Intel Corporation Formal verification Machine-checked proof Automatic and interactive approaches HOL Light

539 views • 19 slides
Formal Verification of Mathematical Algorithms John Harrison Intel Corporation The cost of

Formal Verification of Mathematical Algorithms John Harrison Intel Corporation The cost of

Formal Verification of Mathematical Algorithms 1 Formal Verification of Mathematical Algorithms John Harrison Intel Corporation The cost of bugs Formal verification Levels of verification HOL Light Formalizing mathematics

353 views • 19 slides
Formal Verification of RISC-V cores with riscv-formal Clifford Wolf CTO, Symbiotic EDA

Formal Verification of RISC-V cores with riscv-formal Clifford Wolf CTO, Symbiotic EDA

Formal Verification of RISC-V cores with riscv-formal Clifford Wolf CTO, Symbiotic EDA http://www.clifford.at/papers/2018/riscv-formal/ About assertion based formal verification (formal ABV) Assertion based verification (ABV) Uses

781 views • 39 slides
Data Centers &amp; Co-designed Distributed Systems A Data Center Inside a Data Center Data

Data Centers &amp; Co-designed Distributed Systems A Data Center Inside a Data Center Data

Data Centers &amp; Co-designed Distributed Systems A Data Center Inside a Data Center Data center 10k - 100k servers: 250k 10M cores 1-100PB of DRAM 100PB - 10EB storage 1- 10 Pbps bandwidth (&gt;&gt; Internet) 10-100MW power - 1-2% of

911 views • 54 slides
CEKgo extensions M ::= . . . | go M | here M F ::= ( W ) | ( M E ) |

CEKgo extensions M ::= . . . | go M | here M F ::= ( W ) | ( M E ) |

CEKgo extensions M ::= . . . | go M | here M F ::= ( W ) | ( M E ) | ::= F K 1 / 23 CEKgo machine transition steps x | E | K lookup x in E ) | E | K 2 / 23 CEKgo machine transition steps

488 views • 23 slides
A model for the extended predicative Mahlo Universe Anton Setzer (joint work with Reinhard Kahle,

A model for the extended predicative Mahlo Universe Anton Setzer (joint work with Reinhard Kahle,

A model for the extended predicative Mahlo Universe Anton Setzer (joint work with Reinhard Kahle, Lisbon) Proof Society Workshop Ghent 6 September 2018 Anton Setzer The extended predicative Mahlo Universe 1/ 31 Explicit Mathematics Extended

510 views • 34 slides
New Impossibility Results for Concurrent Composition and a Non-Interactive Completeness Theorem

New Impossibility Results for Concurrent Composition and a Non-Interactive Completeness Theorem

New Impossibility Results for Concurrent Composition and a Non-Interactive Completeness Theorem for Secure Computation Abishek Kumarasubramanian Secure Computation [Yao,GMW] Security guarantee only Corrupted party learns no when protocol runs

369 views • 16 slides
Modeling Resource-Coupled Computations MarkHereld Computa0onIns0tute

Modeling Resource-Coupled Computations MarkHereld Computa0onIns0tute

Modeling Resource-Coupled Computations MarkHereld Computa0onIns0tute Mathema0csandComputerScience ArgonneLeadershipCompu0ngFacility ArgonneNa0onalLaboratory UniversityofChicago Roadmap

402 views • 25 slides
MATH 12002 - CALCULUS I 1.4: Limit Laws Professor Donald L. White Department of Mathematical

MATH 12002 - CALCULUS I 1.4: Limit Laws Professor Donald L. White Department of Mathematical

MATH 12002 - CALCULUS I 1.4: Limit Laws Professor Donald L. White Department of Mathematical Sciences Kent State University D.L. White (Kent State University) 1 / 7 Laws There are a number of basic properties, or laws, satisfied by limits.

308 views • 7 slides
Average - case Lower Bounds for Approximate Near - Neighbor fs om Isoperimetric Inequalities

Average - case Lower Bounds for Approximate Near - Neighbor fs om Isoperimetric Inequalities

Simple Average - case Lower Bounds for Approximate Near - Neighbor fs om Isoperimetric Inequalities Yitong Yin Nanjing University Nearest Neighbor Search ( NNS ) metric space ( X, dist) query x X database access y = ( y 1 , y 2 , . . . , y

384 views • 26 slides
Today Closed World Assumption &amp; Negation as Failure. Clark completion Lloyd-Topor

Today Closed World Assumption &amp; Negation as Failure. Clark completion Lloyd-Topor

1 Today Closed World Assumption &amp; Negation as Failure. Clark completion Lloyd-Topor transformation Alan Smaill Logic Programming Nov 16 2009 2 Dealing with negation in clause body Prolog deals with negation by failure as

268 views • 24 slides

More recommend