automatically proving the correctness of compiler optimizations

Automatically Proving the Correctness of Compiler

OptimizationsSorin Lerner Todd Millstein Craig

ChambersUniversity of Washington

Goal: correct compilers

• The compiler is usually part of the trusted computing base.

• “But I use gcc, and it works great!”

gcc-bugs mailing list

• c/9525: incorrect code generation on SSE2 intrinsics• target/7336: [ARM] With -Os option, gcc incorrectly computes the

elimination offset• optimization/9325: wrong conversion of constants: (int)(float)(int)

(INT_MAX)• optimization/6537: For -O (but not -O2 or -O0) incorrect assembly is

generated• optimization/6891: G++ generates incorrect code when -Os is used• optimization/8613: [3.2/3.3/3.4 regression] -O2 optimization generates

wrong code • target/9732: PPC32: Wrong code with -O2 –fPIC• c/8224: Incorrect joining of signed and unsigned division • …

Searched for “incorrect” and “wrong” in the gcc-bugs mailing list.Some of the results:

And this is only for February 2003!On a mature compiler!

compilerSource CompiledProg

run!

inputexp-ectedoutput

Testing

• No correctness guarantees:• neither for the compiled

prog• nor for the compiler

DIFF

• To get benefits, must:• run over many inputs• compile many test cases

output

Verify each compilation


SemanticDIFF

• Translation validation [Pnueli et al 98, Necula 00]

• Credible compilation[Rinard 99]

• Compiler can still have bugs.

• Compile time increases.• “Semantic Diff” is hard.

Proving the whole compiler correct


Correctnesschecker

Proving the whole compiler correct

compiler

Correctnesschecker

Correctness checker

• Option 1: Prove compiler correct by hand.

• Proofs are long…

• And hard.• Compilers are

proven correct as written on paper. What about the implementation?

ProofProofProof«¬

$ \ rt l / .

Link?

Correctness checker

Our Approach

• Our approach: prove compiler correct automatically.

AutomaticTheoremProver

compiler

This seems really hard!


Task of provingcompiler correct

Complexity that an automatic theorem prover can handle.

Complexity of proving a compiler correct.

Making the problem easier


Task of provingcompiler correct



Task of provingoptimizer correct • Only prove optimizer correct.

• Trust front-end and code-generator.



Write optimizations in Cobalt, a domain-specific language.

Task of provingoptimizer correct



Separate correctness from profitability.





Separate correctness from profitability.

Factor out the hard and common parts of the proof, and prove them once by hand.



Results• Cobalt language

– realistic C-like IL– implemented const prop and folding, branch

folding, CSE, PRE, DAE, partial DAE, and simple forms of points-to analyses

• Correctness checker for Cobalt opts– using the Simplify theorem prover

• Execution engine for Cobalt opts– in the Whirlwind compiler

Caveats• May not be able to express your opt Cobalt:

– no interprocedural optimizations for now.– optimizations that build complicated data

structures may be difficult to express.

• A sound Cobalt optimization may be rejected by the correctness checker.

• Trusted computing base (TCB) includes:– front-end and code-generator, execution engine,

correctness checker, proofs done by hand once

Outline• Overview

• Forward optimizations (see paper for backwards)– Example: constant propagation– Strategy for proving forward optimizations sound

• Profitability heuristics

• Pure analyses

y := 5

x := yREPLACE

x := 5

statement y := 5

statements thatdon’t define y

statement x := y

Constant Prop (straight-line code)

Adding arbitrary control flow

y := 5

x := y REPLACE x := 5

statement y := 5


statement x := y

y := 5y := 5

is followed by

until

transform statement to x := 5

if

then

Constant prop in

statement y := 5


is followed by

until

if

thentransform statement to x := 5

statement x := y

English

boolean expressions evaluated at nodes in the CFG

stmt(Y := C)

X := Y

followed by

until

Cobalt versionEnglish version

: mayDef(Y)

statement y := 5


is followed by

until

if

thentransform statement to x := 5

statement x := y

Constant prop inCobalt

X := C

Outline• Overview

• Forward optimizations (see paper for backwards)– Example: constant propagation– Strategy for proving forward optimizations sound


• Pure analyses

Proving correctness automatically

y := 5

x := y x := 5

y := 5y := 5

• Witnessing region• Invariant: y == 5

Constant prop revisited

stmt(Y := C)

: mayDef(Y)

X := Y

followed by

until

with witnessY == C

Ask a theorem prover to show:1. A statement satisfying stmt(Y :=

C) establishes Y == C2. A statement satisfying :mayDef(Y)

maintains Y == C3. The statements X := Y and X := C

have the same semantics in a program state satisfying Y == C

X := C

Generalize to any forward optimization

Ask a theorem prover to show:1. A statement satisfying 1

establishes P2. A statement satisfying 2

maintains P3. The statements s and s’

have the same semantics in a program state satisfying P

We showed by hand once that these conditions imply correctness.

1

2

s

followed by

until

with witnessP

s’

Outline• Overview

• Forward optimizations (see paper for backwards)


• Pure analyses

Profitability heuristics

• Optimization correct ) safe to perform any subset of the matching transformations.

• So far, all transformations were also profitable.

• In some cases, many transformations are legal, but only a few are profitable.

The two pieces of an optimization

1

followed by 2

until s

s’with witness Pfiltered through choose

• Transformation pattern:– defines which

transformations are legal.

• Profitability heuristic:– describes which of the legal

transformations to actually perform.

– does not affect soundness.– can be written in a language

of the user’s choice.

• This way of factoring an optimization is crucial to our ability to prove optimizations sound automatically.

Profitability heuristic example: PRE

• PRE as code duplication followed by CSE


a := ...;

b := ...;

if (...) {

a := ...;

x := a + b;

} else {

...

}

x := a + b;x := a + b;

• Code duplication




a := ...;

b := ...;

if (...) {

a := ...;

x := a + b;

} else {

}

x :=

x := a + b;

• Code duplication

• CSE• self-assignment

removal

a + b; x;


a := ...;

b := ...;

if (...) {

a := ...;

x := a + b;

} else {

...

}

x := a + b;

Legal placements of x := a + bProfitable placement

Outline• Overview

• Forward optimizations (see paper for backwards)


• Pure analyses

Constant prop revisited (again)

stmt(Y := C)

: mayDef(Y)

X := Y

followed by

until

with witnessY == C

X := C

mayDef in Cobalt

stmt(Y := C)

: mayDef(Y)

X := Y

followed by

until

with witnessY == C

X := C

mayDef in Cobalt

• Very conservative!• Can we do better?

stmt(Y := C)

: mayDef(Y)

X := Y

followed by

until

with witnessY == C

X := C

mayDef in Cobalt

stmt(Y := C)

: mayDef(Y)

X := Y

followed by

until

with witnessY == C

X := C

mayDef in Cobalt

• mayPntTo is a pure analysis.• It computes dataflow info,

but performs no transformations.

stmt(Y := C)

: mayDef(Y)

X := Y

followed by

until

with witnessY == C

X := C

mayPntTo in Cobalt

addrNotTaken(X)

“no location in the store points to X”

decl X

s

mayPntTo(X,Y) , : addrNotTaken(Y)

stmt(decl X)

followed by: stmt(... := &X)

defines

with witness

Future work

• Improving expressiveness– interprocedural optimizations– one-to-many and many-to-many

transformations

• Inferring the witness

• Generate specialized compiler binary from the Cobalt sources.

Summary and Conclusion

• Optimizations written in a domain-specific language can be proven correct automatically.

• Our correctness checker found several subtle bugs in Cobalt optimizations.

• A good step towards proving compilers correct automatically.

automatically proving the correctness of compiler optimizations

Documents

correct compilersthe

mature compiler

incorrect code generation

cobalt optsin

cobalt optsusing

wrong code target9732

sound cobalt optimization

domainspecific language