formal verification of a realistic compiler
play

Formal verification of a realistic compiler Xavier Leroy CACM 2009 - PowerPoint PPT Presentation

Formal verification of a realistic compiler Xavier Leroy CACM 2009 CS 7194: Great Works in Programming Languages Presenter : Irene Yoon | Mentor : Ryan Doenges 1 Building robust compilers is Hard. 2 Bugs bugs 3 Bugs [Yang


  1. Formal verification of a realistic compiler Xavier Leroy CACM 2009 CS 7194: Great Works in Programming Languages Presenter : Irene Yoon | Mentor : Ryan Doenges � 1

  2. Building robust compilers is Hard. � 2

  3. Bugs bugs � 3

  4. Bugs [Yang et al 2011] • Random testing finds bugs in 11 C compilers • Hundreds of previously unknown bugs • LLVM has a large test suite, real compilers have bugs � 4

  5. Bugs [Yang et al 2011] • Random testing finds bugs in 11 C compilers • Hundreds of previously unknown bugs • LLVM has a large test suite � 5

  6. Bugs [Yang et al 2011] • Random testing finds bugs in 11 C compilers • Hundreds of previously unknown bugs • LLVM has a large test suite, real compilers have bugs � 6

  7. Bugs [Yang et al 2011] • Random testing finds bugs in 11 C compilers • Hundreds of previously unknown bugs • LLVM has a large test suite � 7

  8. ✅ Building compilers is hard Testing sucks Formalisms are good � 8

  9. ✅ Building compilers is hard ✅ Testing sucks Formalisms are good � 9

  10. ✅ Building compilers is hard ✅ Testing sucks ✅ Formalisms are good � 10

  11. ✅ Building compilers is hard ✅ Testing sucks ✅ Formalisms are good Formal verification of a compiler � 11

  12. First Published Proof of Compiler Correctness [1967] • arithmetic expressions → stack machine code • prototype for proving usable compilers � 12

  13. First Mechanized Proof of Compiler Correctness [1972] • ALGOL-like language → elementary assembly language • Stanford LCF � 13

  14. Compiler Verification • 100+ papers on compiler verification since 1967 � 14

  15. Compiler Verification • 100+ papers on compiler verification since 1967 � 15

  16. Compiler Verification • 100+ papers on compiler verification since 1967 � 16

  17. Compiler Verification • 100+ papers on Compiler Verification since 1967 [2003] � 17

  18. CompCert � 18

  19. CompCert [2009] “Develop and prove correct a realistic compiler, usable for critical embedded software.” • 42k Coq, 3 person years target source PowerPC Clight ARM x86 CompCert

  20. CompCert [2009] “Develop and prove correct a realistic compiler, usable for critical embedded software.” • 42k Coq, 3 person years target source PowerPC Clight ARM x86 CompCert

  21. CompCert [2009] “Develop and prove correct a realistic compiler, usable for critical embedded software.” • 42k Coq, 3 person years target source PowerPC Clight ARM x86 CompCert

  22. Verified, Validated, Certifying � 22

  23. Verified, Validated, Certifying 1. Verified transformation [ Compiler Correctness ] source target COMPILER � 23

  24. Verified, Validated, Certifying 2 . Translation validation [ Translation Verification ] target source COMPILER VALIDATOR � 24

  25. Verified, Validated, Certifying 3. Certifying compiler [ Proof-carrying Code ] source CERTIFYING PROOF COMPILER CHECKER target code + certificate � 25

  26. � 26

  27. [Leroy `06] � 27

  28. => External solver with verified validation � 28

  29. => External solver with verified validation [Tristan and Leroy `10] � 29

  30. CompCert � 30

  31. CompCert formal specification � 31

  32. CompCert formal specification → semantic analysis tools [Appel ’11] � 32

  33. CompCert semantic preservation* � 33

  34. CompCert � 34

  35. Semantic Preservation • Spec(B) : functional specification of observable behavior • B: observable behavior (trace properties of I/O) • “going wrong” (run-time error), termination, divergence • C ㅑ Spec if A. C cannot go wrong B. All behaviors B satisfy Spec � 35

  36. Semantic Preservation • Spec(B) : functional specification of observable behavior • B: observable behavior (trace properties of I/O) • “going wrong” (run-time error), termination, divergence • C ㅑ Spec if A. C cannot go wrong B. All behaviors B satisfy Spec � 36

  37. Semantic Preservation • Spec(B) : functional specification of observable behavior • B: observable behavior (trace properties of I/O) • “going wrong” (run-time error), termination, divergence • C ㅑ Spec if A. C cannot go wrong B. All behaviors B satisfy Spec � 37

  38. Correctness Property Compiled code C preserves the fact that the source code S satisfies the specification. � 38

  39. Proving Semantic Preservation � 39

  40. Proving Semantic Preservation * � 40

  41. Safety Precondition • Compilation result will match the semantics of the input if if program is “safe” (no runtime errors) • Need to prove that input program is safe � 41

  42. Safety Precondition • Compilation result will match the semantics of the input if if program is “safe” (no runtime errors) • Need to prove that input program is safe � 42

  43. Correctness Weakness � 43

  44. Correctness Weakness � 44

  45. CompCert � 45

  46. CompCert � 46

  47. Correctness Weakness • Only runs after the preprocessing step • Astrèe [Cousot et al ’05] , Verasco [Jourdan et al ’15] ) • Reliant on less verifiable assumptions • Coq’s correctness [Anand et al ’17] • Formal specification of C & PowerPC assembly � 47

  48. Correctness Weakness • Only runs after the preprocessing step • Astrèe [Cousot et al ’05] , Verasco [Jourdan et al ’15] • Reliant on less verifiable assumptions • Coq’s correctness [Anand et al ’17] • Formal specification of C & PowerPC assembly � 48

  49. Correctness Weakness • Only runs after the preprocessing step • Astrèe [Cousot et al ’05] , Verasco [Jourdan et al ’15] ) • Reliant on less verifiable assumptions • Coq’s correctness [Anand et al ’17] • Formal specification of C & PowerPC assembly � 49

  50. Correctness Weakness • Only runs after the preprocessing step • Astrèe [Cousot et al ’05] , Verasco [Jourdan et al ’15] ) • Reliant on less verifiable assumptions • Coq’s correctness ( CertiCoq [Anand et al ’17]) • Formal specification of C & PowerPC assembly � 50

  51. Correctness Weakness • Only runs after the preprocessing step • Astrèe [Cousot et al ’05] , Verasco [Jourdan et al ’15] ) • Reliant on less verifiable assumptions • Coq’s correctness ( CertiCoq [Anand et al ’17]) • Formal specification of C & PowerPC assembly � 51

  52. Performance � 52

  53. Performance competitive with gcc -01 � 53

  54. Bugs, revisited. [Yang et al 2011] • CompCert: errors only found in unverified parts (parser and model of machine) • Other compilers: errors everywhere “The striking thing about our CompCert results is that the middle-end bugs we found in all other compilers are absent” � 54

  55. Bugs, revisited. [Yang et al 2011] • CompCert: errors only found in unverified parts (parser and model of machine) • Other compilers: errors everywhere “The striking thing about our CompCert results is that the middle-end bugs we found in all other compilers are absent” � 55

  56. Bugs, revisited. [Yang et al 2011] • CompCert: errors only found in unverified parts (parser and model of machine) • Other compilers: errors everywhere “The striking thing about our CompCert results is that the middle-end bugs we found in all other compilers are absent” � 56

  57. Bugs, revisited. [Yang et al 2011] • CompCert: errors only found in unverified parts (parser and model of machine) • Other compilers: errors everywhere “The striking thing about our CompCert results is that the middle-end bugs we found in all other compilers are absent” � 57

  58. Critical Use Cases • AirBus • MTU Friedrichshafen (nuclear energy) • High-Assurance Cyber Military Systems (HACMS) [Fisher et al, ’17] • PhD Theses � 58

  59. Critical Use Cases • AirBus • MTU Friedrichshafen (nuclear energy) • High-Assurance Cyber Military Systems (HACMS) [Fisher et al, ’17] • PhD Theses � 59

  60. Critical Use Cases • AirBus • MTU Friedrichshafen (nuclear energy) • High-Assurance Cyber Military Systems (HACMS) [Fisher et al, ’17] • PhD Theses � 60

  61. Critical Use Cases • AirBus • MTU Friedrichshafen (nuclear energy) • High-Assurance Cyber Military Systems (HACMS) [Fisher et al, ’17] • PhD Theses � 61

  62. Critical Use Cases “a realistic compiler” • AirBus • MTU Friedrichshafen (nuclear energy) • High-Assurance Cyber Military Systems (HACMS) [Fisher et al, ’17] • PhD Theses � 62

  63. Concluding Remarks • Still some correctness and safety weaknesses • Useful for safety critical code (that doesn’t have to run fast) • Future work - . . . � 63

  64. Concluding Remarks • Still some correctness and safety weaknesses • Useful for safety critical code (that doesn’t have to run fast) • Future work - . . . . . . � 64

  65. Concluding Remarks • Still some correctness and safety weaknesses • Useful for safety critical code (that doesn’t have to run fast) • Future work - . . . � 65

  66. Concluding Remarks • Still some correctness and safety weaknesses • Useful for safety critical code (that doesn’t have to run fast) Type Preserving Compilation • Future work - . . . . . . � 66

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend


More recommend