Vellvm: Verifying Transformations of the LLVM IR (slide transcript)
TRANSCRIPT
![Page 1: Vellvm :Verifying Transformaons’of’the’LLVMIR · Vellvm :Verifying Transformaons’of’the’LLVMIR Steve’Zdancewic’ Jianzhou’Zhao’ Milo’M.K.’Mar2n’ University’of’Pennsylvania](https://reader035.vdocuments.site/reader035/viewer/2022062912/5e02f1edd9e2ea2f2041066f/html5/thumbnails/1.jpg)
Vellvm: Verifying Transformations of the LLVM IR
Steve Zdancewic, Jianzhou Zhao, Milo M.K. Martin (University of Pennsylvania)
Santosh Nagarakatte (Rutgers University)
Page 2
Motivation: SoftBound/CETS
• Buffer overflow vulnerabilities.
• Detect spatial/temporal memory safety violations in legacy C code.
• Implemented as an LLVM pass.
• What about correctness?
[Nagarakatte, et al. PLDI '09, ISMM '10]
http://www.cis.upenn.edu/acg/softbound/
Page 3
Motivation: Compiler Bugs
Random test-case generation from source programs [Yang et al. PLDI 2011], applied to LLVM and 8 other C compilers:
• 79 bugs: 25 critical
• 202 bugs
• 325 bugs in total
Verified compilation: CompCert [Leroy et al.] (not directly applicable to LLVM)
Page 4-5
LLVM Compiler Infrastructure
Front Ends → LLVM (Typed SSA IR, with Analysis and Optimizations/Transformations over it) → Code Gen/JIT
[Lattner et al.]
Page 6
The Vellvm Project
Targets the LLVM layer: Typed SSA IR, Analysis, Optimizations/Transformations.
• Formal semantics
• Facilities for creating simulation proofs
• Implemented in Coq
• Extract passes for use with the LLVM compiler
• Example: verified memory safety instrumentation
[Zhao et al. POPL 2012, CPP 2012, PLDI 2013]
Page 7-8
Vellvm Framework
Pipeline: C Source Code → LLVM IR → (Verified) Transform → LLVM IR → Other Optimizations → Target
The transform is connected to the LLVM pipeline through the LLVM OCaml Bindings (Parser and Printer).
Coq side: Syntax; Operational Semantics; Memory Model; Type System and SSA; Proof Techniques & Metatheory. The verified transform is extracted from Coq and runs as an ordinary pass.
Page 9
Plan
• Tour of the LLVM IR
• Vellvm infrastructure
  – Operational Semantics
  – SSA Metatheory + Proof Techniques
• Case studies:
  – SoftBound memory safety
  – mem2reg
• Conclusion
Page 10-15
LLVM IR by Example
Control-flow graphs built from: labeled blocks, binary operations, branches/return, static single assignment (each variable assigned only once, statically), and φ nodes (choose values based on predecessor blocks).

entry: r0 = ...
       r1 = ...
       r2 = ...
       br r0 loop exit

loop:  r3 = φ[0;entry][r5;loop]
       r4 = r1 x r2
       r5 = r3 + r4
       r6 = r5 ≥ 100
       br r6 loop exit

exit:  r7 = φ[0;entry][r5;loop]
       r8 = r1 x r2
       r9 = r7 + r8
       ret r9
Page 17
Structured Data in LLVM
• LLVM's IR uses types to describe the structure of data.
• <#elts> is an integer constant >= 0
• (Recursive) structure types can be named at the top level:

ty ::= i1 | i8 | i32 | …          N-bit integers
     | [<#elts> x ty]             arrays
     | r (ty1, ty2, …, tyn)       function types
     | {ty1, ty2, …, tyn}         structures
     | ty*                        pointers
     | %Tident                    named (identified) type

r ::= ty                          first-class return type
    | void                        no return value

%T1 = type {ty1, ty2, …, tyn}
Page 18-19
LLVM's memory model
• Manipulate structured types.
• Semantics is given in terms of byte-oriented low-level memory: padding & alignment; physical subtyping.

%ST = type {i10, [10 x i8*]}
%val = load %ST* %ptr
…
store %ST* %ptr, %new

High-level representation: one i10 field followed by ten i8* fields.
Low-level representation of a block holding an %ST value (byte offset: cell):
0: b(10, 136)
1: b(10, 2)
2: uninit
3: uninit
4: ptr(Blk32, 0, 0)
5: ptr(Blk32, 0, 1)
6: ptr(Blk32, 0, 2)
7: ptr(Blk32, 0, 3)
8: ptr(Blk32, 8, 0)
9: ptr(Blk32, 8, 1)
10: ptr(Blk32, 8, 2)
11: ptr(Blk32, 8, 3)
12: …
The i10 occupies two byte cells tagged with its width, the next two bytes are padding, and each 4-byte pointer is split into four cells ptr(block, offset, byte-index).

Page 20-21
Adapting CompCert's Memory Model
• Code lives in blocks
• Represent pointers abstractly: block + offset
• Deallocate by invalidating blocks (the slide marks Blk0 ✗)
• Allocate by creating new blocks; infinite memory available
The slides label the blocks Blk0, Blk1 and Blk32. Blk32's pointer cells refer back to Blk1, so Blk1 is the block holding the %ST value above; Blk32 by byte offset:
0: b(16, 1)
1: b(16, 0)
2-7: uninit
8: ptr(Blk1, 0, 0)
9: ptr(Blk1, 0, 1)
10: ptr(Blk1, 0, 2)
11: ptr(Blk1, 0, 3)
12: …

Page 22
Dynamic Physical Subtyping
• load i16* at Blk32 offset 0 ⇒ 1 ✓ (the bytes were written as an i16)
• load i16* at the i10 cells of Blk1 ⇒ undef ✗ (the bytes were written as an i10)
[Nita, et al. POPL '08]
Page 23-24
Sources of Undefined Behavior
Target-dependent results (nondeterminism):
• Uninitialized variables:   %v = add i32 %x, undef
• Uninitialized memory:      %ptr = alloca i32
                             %v = load (i32*) %ptr
• Ill-typed memory usage
Fatal errors (stuck states):
• Out-of-bounds accesses
• Access dangling pointers
• Free invalid pointers
• Invalid indirect calls
Stuck(f, σ) = BadFree(f, σ) ∨ BadLoad(f, σ) ∨ BadStore(f, σ) ∨ …
Defined by a predicate on the program configuration.
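The block memory and the stuck-state predicate on pages 19 to 24 can be exercised directly. The following Python model is an added example, not code from Vellvm or CompCert: blocks are lists of typed byte cells written in the slides' notation (b(width, byte), ptr(block, offset, index), uninit), free invalidates a block, a dangling or out-of-bounds access or an invalid free raises a Stuck state named as on page 24, and a load returns undef when the bytes it reads were stored at a different width. The 4-byte pointer size, little-endian byte order and the block contents built in slide_scenario are assumptions chosen to mirror the pictures.

```python
# Added example (not from the Vellvm/CompCert development): a block-based memory
# with typed byte cells, modelling pages 19-24 of the slides.

class Stuck(Exception):
    """A stuck state: BadLoad, BadStore or BadFree, i.e. a predicate on the configuration."""

PTR_SIZE = 4                                   # the slides draw 4-byte pointers (assumption)

def size_of(ty):
    """Byte size of an integer type 'iN' or of 'ptr'."""
    return PTR_SIZE if ty == "ptr" else (int(ty[1:]) + 7) // 8

class Memory:
    def __init__(self):
        self.blocks = {}                       # block id -> list of cells
        self.valid = set()                     # blocks that have not been freed
        self.next_blk = 0

    def alloc(self, nbytes):
        """Allocation never fails: memory is an unbounded supply of fresh blocks."""
        blk, self.next_blk = self.next_blk, self.next_blk + 1
        self.blocks[blk] = ["uninit"] * nbytes
        self.valid.add(blk)
        return (blk, 0)                        # pointers are abstract (block, offset) pairs

    def free(self, ptr):
        """Deallocate by invalidating the block; freeing anything else is BadFree."""
        blk, off = ptr
        if blk not in self.valid or off != 0:
            raise Stuck("BadFree")
        self.valid.remove(blk)

    def _cells(self, ptr, ty, bad):
        """Liveness- and bounds-check an access of type ty at ptr, or get stuck."""
        blk, off = ptr
        n = size_of(ty)
        if blk not in self.valid or off < 0 or off + n > len(self.blocks[blk]):
            raise Stuck(bad)                   # dangling pointer or out-of-bounds access
        return blk, off, n

    def store(self, ptr, ty, val):
        blk, off, n = self._cells(ptr, ty, "BadStore")
        for k in range(n):
            if ty == "ptr":                    # ptr(Blk, offset, k): k-th byte of a pointer
                self.blocks[blk][off + k] = ("ptr", val[0], val[1], k)
            else:                              # b(width, byte): k-th little-endian byte
                self.blocks[blk][off + k] = ("b", ty, (val >> (8 * k)) & 0xFF)

    def load(self, ptr, ty):
        """Dynamic physical subtyping: bytes written at a different type read as undef."""
        blk, off, n = self._cells(ptr, ty, "BadLoad")
        cells = self.blocks[blk][off:off + n]
        if ty == "ptr":
            first = cells[0]
            ok = all(c != "uninit" and c[0] == "ptr" and c[1:3] == first[1:3] and c[3] == k
                     for k, c in enumerate(cells))
            return (first[1], first[2]) if ok else "undef"
        ok = all(c != "uninit" and c[0] == "b" and c[1] == ty for c in cells)
        return sum(c[2] << (8 * k) for k, c in enumerate(cells)) if ok else "undef"

def slide_scenario():
    """Constructed to mirror the slides: one block holds %ST = {i10, [10 x i8*]},
    another holds an i16 and a pointer back; then the memory-error cases."""
    m = Memory()
    st = m.alloc(4 + 10 * PTR_SIZE)           # i10 (2 bytes) + 2 bytes padding + 10 pointers
    other = m.alloc(8 + PTR_SIZE)
    m.store(st, "i10", 648)                    # cells b(10,136), b(10,2): 136 + 2*256
    m.store((st[0], 4), "ptr", other)          # first array element points at the other block
    m.store(other, "i16", 1)                   # cells b(16,1), b(16,0)
    m.store((other[0], 8), "ptr", st)
    results = {
        "i16 from i16": m.load(other, "i16"),          # 1: same width as the store
        "i16 from i10": m.load(st, "i16"),             # undef: the bytes belong to an i10
        "i10 from i10": m.load(st, "i10"),             # 648
        "ptr from ptr": m.load((st[0], 4), "ptr"),     # the other block
        "ptr from padding": m.load((st[0], 2), "ptr"), # undef: uninitialised cells
    }
    m.free(st)
    stuck = []
    for access in (lambda: m.load(st, "i10"),              # dangling pointer
                   lambda: m.free(st),                     # double free
                   lambda: m.load((other[0], 10), "ptr")): # runs past the end of the block
        try:
            access()
            stuck.append(None)
        except Stuck as e:
            stuck.append(str(e))
    results["stuck"] = stuck
    return results
```

Because pointers are (block, offset) pairs rather than integers, a freed block can never be reached again by arithmetic on a live pointer, which is exactly the property the instrumentation proof in the SoftBound case study relies on.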
Page 25-26
undef
• What is the value of %y after running the following?
%x = or i8 undef, 1
%y = xor i8 %x, %x
• One plausible answer: 0
• Not LLVM's semantics! (LLVM is more liberal, to permit more aggressive optimizations.)
• Partially defined values are interpreted nondeterministically as sets of possible values:
⟦i8 undef⟧ = {0, …, 255}
⟦i8 1⟧ = {1}
⟦%x⟧ = {a or b | a ∈ ⟦i8 undef⟧, b ∈ ⟦1⟧} = {1, 3, 5, …, 255}
⟦%y⟧ = {a xor b | a ∈ ⟦%x⟧, b ∈ ⟦%x⟧} = {0, 2, 4, …, 254}
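The set semantics on page 26 is short enough to execute. The Python below is an added example, not part of the Vellvm development: eval_nd computes ⟦%x⟧ and ⟦%y⟧ as sets, eval_det is the LLVMD refinement of page 30 that fixes undef to one default value, and refines checks the ∋ relation between the two. The (dst, op, lhs, rhs) instruction encoding and the 8-bit width are assumptions of the example.

```python
# Added example (not from the Vellvm development): the set-valued reading of undef
# on pages 25-26, next to the LLVMD refinement that fixes undef to a default value.
from itertools import product

BITS = 8
MASK = (1 << BITS) - 1
OPS = {
    "or":  lambda a, b: a | b,
    "and": lambda a, b: a & b,
    "xor": lambda a, b: a ^ b,
    "add": lambda a, b: (a + b) & MASK,
}

def denote(operand, env):
    """⟦operand⟧ as a set of concrete values; env maps %uids to sets."""
    if operand == "undef":
        return set(range(1 << BITS))              # ⟦i8 undef⟧ = {0, ..., 255}
    if isinstance(operand, int):
        return {operand & MASK}                   # ⟦i8 1⟧ = {1}
    return env[operand]

def eval_nd(program):
    """LLVMND: each instruction maps its %uid to the set of values it may produce.
    The two operands are chosen independently, so `xor %x, %x` need not be 0."""
    env = {}
    for dst, op, a, b in program:
        env[dst] = {OPS[op](x, y) for x, y in product(denote(a, env), denote(b, env))}
    return env

def eval_det(program, undef_value=0):
    """LLVMD: instantiate undef with one default value, then evaluate deterministically."""
    env = {}
    def value(operand):
        if operand == "undef":
            return undef_value & MASK
        return operand & MASK if isinstance(operand, int) else env[operand]
    for dst, op, a, b in program:
        env[dst] = OPS[op](value(a), value(b))
    return env

def refines(det_env, nd_env):
    """LLVMND ∋ LLVMD: every value LLVMD computes is one that LLVMND allows."""
    return all(det_env[r] in nd_env[r] for r in det_env)

# The two-instruction program from the slides, in (dst, op, lhs, rhs) form.
PROGRAM = [
    ("%x", "or",  "undef", 1),      # %x = or i8 undef, 1
    ("%y", "xor", "%x", "%x"),      # %y = xor i8 %x, %x
]
```

eval_nd(PROGRAM)["%y"] is the 128 even values: folding %y to 0 is one valid refinement and 2 is another, and the set semantics is what makes both correct at once. eval_det picks one refinement, and refines() confirms it lies inside the set whichever undef_value is chosen.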
Page 27
Nondeterministic Branches
l1: …
    br undef l2 l3
l2: …        l3: …
Which successor runs, l2 or l3? Under the set semantics either is possible.
Page 28
LLVMND Operational Semantics
• Define a transition relation: f ⊢ σ1 ⟼ σ2
  – f is the program
  – σ is the program state: pc, locals (δ), stack, heap
• Nondeterministic
  – δ maps local %uids to sets.
  – Step relation is nondeterministic.
• Mostly straightforward (given the heap model)
  – One wrinkle: phi-nodes executed atomically
Page 29-32
Operational Semantics: Deterministic and Big-step Refinements
The semantics are arranged on two axes, small step vs. big step and nondeterministic vs. deterministic:
• LLVMND: small step, nondeterministic (the reference semantics).
• LLVMD: small step, deterministic. Instantiate 'undef' with a default value (0 or null) ⇒ deterministic. LLVMND ∋ LLVMD: every LLVMD behaviour is one of LLVMND's.
• LLVMInterp: big step, deterministic. LLVMD ≈ LLVMInterp: bisimulation up to "observable events" (external function calls).
• LLVM*DFn and LLVM*DB: big step, deterministic. LLVMD ≿ LLVM*DFn ≿ LLVM*DB: simulation up to observable events; useful for encapsulating the behavior of function calls and for large-step evaluation of basic blocks.
[Tristan, et al. POPL '08, Tristan, et al. PLDI '09]
Page 34
Reasoning about SSA Transforms
• Dynamic semantics of LLVM
  – Memory model
  – Nondeterminism
  – Handle groups of phi-nodes atomically
• Static semantics of LLVM
  – Computing dominators is crucial
• Use them to justify correctness of program transformations
  – Simulation proofs
[Zhao, et al. POPL '12] [Zhao & Zdancewic CPP '12]
Page 35-36
Key SSA Invariant
(The entry/loop/exit example program above.) r2 is defined once, in entry, and used in loop (r4 = r1 x r2) and in exit (r8 = r1 x r2).
The definition of a variable must dominate its uses.
Page 37-38
Safety Properties
• A well-formed program never accesses undefined variables.
Notation: ⊢ f means program f is well formed; σ is a program state; f ⊢ σ ⟼* σ' is evaluation of f.
Goal: If ⊢ f and f ⊢ σ0 ⟼* σ then σ is not stuck.
• Initialization: If ⊢ f then wf(f, σ0).
• Preservation: If ⊢ f and f ⊢ σ ⟼ σ' and wf(f, σ) then wf(f, σ').
• Progress (first statement): If ⊢ f and wf(f, σ) then f ⊢ σ ⟼ σ'.
• Progress (refined on page 38, since a well-formed state may also have finished or be in one of the memory-error Stuck states of page 24): If ⊢ f and wf(f, σ) then done(f, σ) or stuck(f, σ) or f ⊢ σ ⟼ σ'.
Page 39-41
Well-formed States
(The entry/loop/exit example program above, with pc pointing at an instruction in it.)
State σ contains: pc = program counter; δ = local values
sdom(f, pc) = variable definitions that strictly dominate pc.
wf(f, σ) = ∀r ∈ sdom(f, pc). ∃v. δ(r) = ⌊v⌋
"All variables in scope are initialized."
Page 42
Generalizing Safety
• Definition of wf: wf(f, (pc, δ)) = ∀r ∈ sdom(f, pc). ∃v. δ(r) = ⌊v⌋
• Generalize like this: wf(f, (pc, δ)) = P f (δ|sdom(f, pc)), where P : Program ⟶ Locals ⟶ Prop
• Consider only variables in scope ⇒ P is defined relative to the dominator tree of the CFG.
• Methodology: for a given P prove three theorems: Initialization(P), Preservation(P), Progress(P).
Page 43
Instantiating
• For usual safety: Psafety f δ = ∀r ∈ dom(δ). ∃v. δ(r) = ⌊v⌋
• For semantic properties: Psem f δ = ∀r. f[r] = ⌊rhs⌋ ⇒ δ(r) = ⟦rhs⟧δ
• Useful for verifying correctness of: code motion, dead variable elimination, common expression elimination, etc.
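Pages 35 to 43 define dominance, sdom(f, pc), wf(f, σ) and the instances Psafety and Psem. The plain-Python version below is an added example and not the Coq metatheory: it computes block dominators by fixpoint iteration, checks the key SSA invariant (every use dominated by its definition), computes sdom(f, pc) at an instruction-level program counter, and evaluates wf for both P instances. The IR encoding, the constant values in PROGRAM and the deliberately broken variant BROKEN are constructed for the example.

```python
# Added example (plain Python, not the Coq metatheory): dominators, the SSA
# "definition dominates use" check, sdom(f, pc) and wf(f, σ) for Psafety and Psem,
# on the entry/loop/exit program of the slides.

# Constructed IR: block -> (instructions, terminator). An instruction is (dst, rhs)
# with rhs = ("const", n) | (op, a, b) | ("phi", [(value, pred_block), ...]);
# a terminator is ("br", cond, then, else) or ("ret", value).
PROGRAM = {
    "entry": ([("r0", ("const", 1)), ("r1", ("const", 3)), ("r2", ("const", 4))],
              ("br", "r0", "loop", "exit")),
    "loop":  ([("r3", ("phi", [(0, "entry"), ("r5", "loop")])),
               ("r4", ("mul", "r1", "r2")),
               ("r5", ("add", "r3", "r4")),
               ("r6", ("ge", "r5", 100))],
              ("br", "r6", "loop", "exit")),
    "exit":  ([("r7", ("phi", [(0, "entry"), ("r5", "loop")])),
               ("r8", ("mul", "r1", "r2")),
               ("r9", ("add", "r7", "r8"))],
              ("ret", "r9")),
}
# Same CFG, but entry uses r5 before loop defines it: violates the SSA invariant.
BROKEN = dict(PROGRAM, entry=([("r0", ("const", 1)), ("r1", ("add", "r5", 1)),
                               ("r2", ("const", 4))], ("br", "r0", "loop", "exit")))

def block_dominators(f, entry="entry"):
    """dom[b] = blocks on every path from entry to b (iterative fixpoint)."""
    preds = {b: [] for b in f}
    for b, (_, term) in f.items():
        for s in (term[2:] if term[0] == "br" else ()):
            preds[s].append(b)
    dom = {b: set(f) for b in f}
    dom[entry] = {entry}
    changed = True
    while changed:
        changed = False
        for b in f:
            if b == entry:
                continue
            new = {b} | (set.intersection(*(dom[p] for p in preds[b])) if preds[b] else set())
            if new != dom[b]:
                dom[b], changed = new, True
    return dom

def def_sites(f):
    """Static single assignment: each variable has exactly one (block, index) definition."""
    sites = {}
    for b, (insns, _) in f.items():
        for i, (dst, _) in enumerate(insns):
            if dst in sites:
                raise ValueError(f"{dst} is assigned twice: not SSA")
            sites[dst] = (b, i)
    return sites

def strictly_dominates(dom, sites, var, pc):
    """Does var's definition strictly dominate program point pc = (block, index)?"""
    if var not in sites:
        return False
    (db, di), (b, i) = sites[var], pc
    return (db == b and di < i) or (db != b and db in dom[b])

def check_ssa(f, entry="entry"):
    """Key SSA invariant: every use is dominated by its definition. Returns violations."""
    dom, sites = block_dominators(f, entry), def_sites(f)
    bad = []
    for b, (insns, term) in f.items():
        for i, (dst, rhs) in enumerate(insns):
            if rhs[0] == "phi":     # a phi operand is used at the end of its predecessor
                bad += [(v, dst) for v, pred in rhs[1]
                        if isinstance(v, str) and (v not in sites or sites[v][0] not in dom[pred])]
            else:
                bad += [(v, dst) for v in rhs[1:]
                        if isinstance(v, str) and not strictly_dominates(dom, sites, v, (b, i))]
        for v in term[1:2]:         # branch condition or return value, used after the block body
            if isinstance(v, str) and not strictly_dominates(dom, sites, v, (b, len(insns))):
                bad.append((v, term[0]))
    return bad

def sdom(f, pc, entry="entry"):
    """Variables whose definitions strictly dominate pc: the variables in scope at pc."""
    dom, sites = block_dominators(f, entry), def_sites(f)
    return {v for v in sites if strictly_dominates(dom, sites, v, pc)}

def eval_rhs(rhs, delta):
    ops = {"add": lambda a, b: a + b, "mul": lambda a, b: a * b, "ge": lambda a, b: int(a >= b)}
    val = lambda x: delta[x] if isinstance(x, str) else x
    return ops[rhs[0]](val(rhs[1]), val(rhs[2]))

def wf(f, pc, delta, P="safety"):
    """wf(f, (pc, δ)) = P f (δ restricted to sdom(f, pc))."""
    scope, sites = sdom(f, pc), def_sites(f)
    if any(delta.get(r) is None for r in scope):
        return False                         # Psafety: every variable in scope is initialised
    if P == "safety":
        return True
    for r in scope:                          # Psem: δ(r) agrees with r's right-hand side
        b, i = sites[r]
        rhs = f[b][0][i][1]
        if rhs[0] not in ("phi", "const") and delta[r] != eval_rhs(rhs, delta):
            return False
    return True
```

The point of restricting δ to sdom(f, pc) shows up in the Psem check: at `r5 = r3 + r4` in loop, r7 and r8 from exit are not in scope, so nothing is demanded of them, while r4 must equal r1 x r2 because its definition strictly dominates pc.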
Page 45
SoftBound
Pipeline: C Source Code → LLVM IR → SoftBound → LLVM IR → Other Optimizations → Target
• Implemented as an LLVM pass.
• Detect spatial/temporal memory safety violations in legacy C code.
• Good test case:
  – Safety critical ⇒ proof cost warranted
  – Non-trivial memory transformation
Page 46
Disjoint Metadata
• Maintain pointer bounds in a separate memory space.
• Key invariant: metadata cannot be corrupted by a bounds violation.
Diagram: user memory holds the pointers and data (%p, %q, %i1, %i3, %i6); the disjoint metadata space holds their bounds (%pbase, %pbound, %qbase, %qbound).
Page 47
SoftBound
Pipeline: C Source Code → LLVM IR → SoftBound → LLVM IR → Other Optimizations → Target
Before instrumentation:
%p = call malloc [10 x i8]
%q = gep %p, i32 0, i32 255
store i8 0, %q

After instrumentation:
%p = call malloc [10 x i8]
%p_base = gep %p, i32 0
%p_bound = gep %p, i32 0, i32 10
%q = gep %p, i32 0, i32 255
%q_base = %p_base
%q_bound = %p_bound
assert %q_base <= %q /\ %q+1 <= %q_bound
store i8 0, %q

• Maintain base and bound for all pointers
• Propagate metadata on assignment
• Check that a pointer is within its bounds when being accessed
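The three steps on page 47 (create base/bound at malloc, propagate on gep and assignment, check at every access) can be stated as a small machine. The Python below is an added example, not SoftBound's own pass or runtime: user memory and the base/bound table are separate dictionaries, so an out-of-bounds write can never reach the metadata, and check applies base <= q and q + size <= bound, the form of the check SoftBound emits. The addresses, the 16-byte gap between objects, the stored byte value and the extra probes in run_slide_example are constructed for the example.

```python
# Added example (a Python model, not SoftBound's own C++/LLVM code): the
# instrumentation of page 47 with user memory and base/bound metadata kept in
# two disjoint tables, metadata created at malloc, propagated by gep and
# assignment, and checked on every load and store.

class MemoryViolation(Exception):
    """Raised where instrumented code would abort: a spatial bounds violation."""

class SoftBoundMachine:
    def __init__(self):
        self.heap = {}           # user memory: address -> byte value
        self.ptrs = {}           # pointer registers: %uid -> address
        self.meta = {}           # disjoint metadata: %uid -> (base, bound); never aliased by heap
        self.next_addr = 0x1000  # constructed heap layout; the numbers themselves do not matter

    def malloc(self, dst, nbytes):
        """%dst = call malloc [nbytes x i8]; %dst_base = %dst, %dst_bound = %dst + nbytes."""
        addr = self.next_addr
        self.next_addr += nbytes + 16          # gap so that neighbouring objects stay distinct
        for a in range(addr, addr + nbytes):
            self.heap[a] = 0
        self.ptrs[dst] = addr
        self.meta[dst] = (addr, addr + nbytes)
        return addr

    def gep(self, dst, src, offset):
        """%dst = gep %src, offset: pointer arithmetic copies the metadata unchanged."""
        self.ptrs[dst] = self.ptrs[src] + offset
        self.meta[dst] = self.meta[src]

    def assign(self, dst, src):
        """%dst = %src: plain assignment propagates metadata too."""
        self.ptrs[dst], self.meta[dst] = self.ptrs[src], self.meta[src]

    def in_bounds(self, uid, nbytes):
        """%base <= %q /\\ %q + size <= %bound."""
        base, bound = self.meta[uid]
        q = self.ptrs[uid]
        return base <= q and q + nbytes <= bound

    def check(self, uid, nbytes):
        if not self.in_bounds(uid, nbytes):
            base, bound = self.meta[uid]
            raise MemoryViolation(f"{uid} = {self.ptrs[uid]:#x} outside [{base:#x}, {bound:#x})")

    def store(self, uid, value, nbytes=1):
        self.check(uid, nbytes)
        for k in range(nbytes):
            self.heap[self.ptrs[uid] + k] = (value >> (8 * k)) & 0xFF

    def load(self, uid, nbytes=1):
        self.check(uid, nbytes)
        return sum(self.heap[self.ptrs[uid] + k] << (8 * k) for k in range(nbytes))

def run_slide_example():
    """The slide's program plus three neighbouring accesses; returns each store's outcome."""
    m = SoftBoundMachine()
    m.malloc("%p", 10)                        # %p = call malloc [10 x i8]
    outcomes = {}
    for uid, offset in (("%q", 255),          # %q = gep %p, i32 0, i32 255 (the slide's overflow)
                        ("%last", 9),         # last valid byte
                        ("%end", 10),         # one past the end
                        ("%before", -1)):     # underflow
        m.gep(uid, "%p", offset)
        try:
            m.store(uid, 0x41)                # store i8 0x41, %uid (the slide stores 0)
            outcomes[uid] = "ok"
        except MemoryViolation:
            outcomes[uid] = "violation"
    m.assign("%r", "%last")
    outcomes["%r loads"] = m.load("%r")       # metadata followed the assignment
    outcomes["%p metadata"] = m.meta["%p"]    # untouched by the rejected stores
    return outcomes
```

The model also makes the page 46 invariant concrete: the rejected stores never touch `meta`, and because `meta` is keyed by pointer name rather than by heap address there is no address a user write could reach to alter a bound.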
Page 48
Proving SoftBound Correct
1. Define SoftBound(f, σ) = (fs, σs): the transformation pass, implemented in Coq.
2. Define the predicate MemoryViolation(f, σ).
3. Construct a non-standard operational semantics f ⊢SB σ ⟼ σ' that builds in the safety invariants "by construction":
   f ⊢SB σ ⟼* σ' ⇒ ¬MemoryViolation(f, σ')
4. Show that the instrumented code simulates the "correct" code:
   SoftBound(f, σ) = (fs, σs) ⇒ [f ⊢SB σ ⟼* σ'] ≿ [fs ⊢ σs ⟼* σ's]
Page 49
Memory Simulation Relation
(figure only)
Page 50
Lessons About SoftBound
• Found several bugs in our C++ implementation
  – Interaction of undef, 'null', and metadata initialization.
• Simulation proofs suggested a redesign of SoftBound's handling of stack pointers.
  – Use a "shadow stack"
  – Simplify the design/implementation
  – Significantly more robust (e.g. varargs)
Page 51
Competitive Runtime Overhead
Chart: runtime overhead (y-axis 0% to 250%) of the extracted SoftBound versus the original.
The performance of extracted SoftBound is competitive with the non-verified original.
Page 53
Performance Critical Optimization
• LLVM compiler runs numerous optimizations (Analysis and Optimizations/Transformations over the Typed SSA IR)
• Proving cost vs. speedup
• Which optimization has the most performance impact?
Page 54
Critical Optimization in LLVM
Chart: speedup over LLVM-O0 (y-axis 0% to 250%) for LLVM-O3, LLVM-O1 and LLVM-mem2reg alone, on sjeng, go, compress, ijpeg, gzip, vpr, mesa, art, ammp, equake, libquantum, lbm, milc, bzip2, parser, twolf, mcf, h264, and the geometric mean.
O1 speeds up the program by 101%; mem2reg alone speeds it up by 81%.
Page 55
mem2reg in LLVM
Front-ends without SSA construction produce the LLVM IR without φ-nodes:
• imperative variables ⇒ stack allocas
• no φ-nodes
• trivially in SSA form
mem2reg:
• Promote stack allocas to temporaries
• Insert minimal φ-nodes
The result is the LLVM IR in minimal SSA form, consumed by the SSA-based optimizations and then the backends.
Page 56-57
mem2reg Example
C source:
int x = 0;
if (y > 0) x = 1;
return x;

The LLVM IR in the trivial SSA form (before mem2reg):
l1: %p = alloca i32
    store 0, %p
    %b = %y > 0
    br %b, %l2, %l3
l2: store 1, %p
    br %l3
l3: %x = load %p
    ret %x

Minimal SSA after mem2reg:
l1: %b = %y > 0
    br %b, %l2, %l3
l2: br %l3
l3: %x = φ[1, %l2][0, %l1]
    ret %x
![Page 58](https://reader035.vdocuments.site/reader035/viewer/2022062912/5e02f1edd9e2ea2f2041066f/html5/thumbnails/58.jpg)
mem2reg Algorithm

• Two main operations
  – φ placement (driven by dominators, computed with the Lengauer-Tarjan algorithm)
  – Renaming of the variables
• The intermediate stage (φ-nodes placed, variables not yet renamed) breaks the SSA invariant
  – Defining its semantics and well-formedness is non-trivial
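The well-formedness at stake here is the SSA scoping rule: every register is defined exactly once and each use is strictly dominated by its definition, where a φ operand counts as a use at the end of the corresponding predecessor. The checker below is an added example, not the predicate of the Vellvm Coq development. It works on a constructed tuple encoding of the slide's IR (labels are strings, registers start with `%`, anything else is a constant, and function parameters such as `%y` are passed in explicitly), computes dominators with the textbook iterative fixpoint, and lists every violation. The third input is the state classic mem2reg passes through after φ placement and before renaming: `%x` has three definitions, and the φ reads `%x` along edges from blocks its (last) definition does not dominate.

```python
# Added illustrative checker for the SSA scoping rule the talk uses as well-formedness,
# not the Vellvm Coq predicate. Constructed tuple IR (labels are strings, registers
# start with '%', anything else is a constant):
#   ('alloca', dst) ('store', val, ptr) ('load', dst, ptr) ('phi', dst, [(val, label), ...])
#   ('icmp'|'add', dst, a, b) ('br', cond, t, f) | ('br', t) ('ret', val)

def succs(term):
    return [] if term[0] != 'br' else [term[1]] if len(term) == 2 else [term[2], term[3]]

def uses(i):
    """Operands read by a non-phi instruction (pointer operands included)."""
    k = i[0]
    if k == 'store': return [i[1], i[2]]
    if k == 'load': return [i[2]]
    if k in ('icmp', 'add'): return [i[2], i[3]]
    if k == 'br' and len(i) == 4: return [i[1]]
    if k == 'ret': return [i[1]]
    return []

def dominators(blocks):
    """dom[b] = blocks that dominate b (b included), by the iterative data-flow fixpoint."""
    names, entry = list(blocks), next(iter(blocks))
    preds = {b: [] for b in names}
    for b, insts in blocks.items():
        for s in succs(insts[-1]): preds[s].append(b)
    dom = {b: set(names) for b in names}
    dom[entry] = {entry}
    changed = True
    while changed:
        changed = False
        for b in names:
            if b == entry: continue
            new = ({b} | set.intersection(*(dom[q] for q in preds[b]))) if preds[b] else {b}
            if new != dom[b]: dom[b], changed = new, True
    return dom, preds

def well_formed(blocks, params=()):
    """Violations of SSA well-formedness: a register defined twice, a phi not at block start
    or not matching the predecessors, or a use not strictly dominated by its definition
    (a phi operand is a use at the end of the matching predecessor). Empty = well formed."""
    dom, preds = dominators(blocks)
    defs, errs = {}, []
    for b, insts in blocks.items():
        for n, i in enumerate(insts):
            if i[0] in ('alloca', 'load', 'phi', 'icmp', 'add'):
                if i[1] in defs: errs.append(f'{i[1]} defined twice')
                defs[i[1]] = (b, n)
    def dominated(v, b, n):  # n is None for a use at the end of block b
        if not v.startswith('%') or v in params: return True  # constant or parameter
        if v not in defs or b not in dom: return False
        d, m = defs[v]
        return d in dom[b] and (d != b or n is None or m < n)
    for b, insts in blocks.items():
        for n, i in enumerate(insts):
            if i[0] == 'phi':
                if n and insts[n - 1][0] != 'phi': errs.append(f'phi {i[1]} in {b} is not at the block start')
                if sorted(l for _, l in i[2]) != sorted(preds[b]):
                    errs.append(f'phi {i[1]} in {b} does not match the predecessors of {b}')
                sites = [(v, l, None) for v, l in i[2]]
            else:
                sites = [(v, b, n) for v in uses(i)]
            for v, blk, pos in sites:
                if not dominated(v, blk, pos): errs.append(f'use of {v} in {b} is not dominated by its definition')
    return errs

def trivial_ssa():
    """Constructed: the slide's program before mem2reg (x lives in the stack slot %p)."""
    return {'l1': [('alloca', '%p'), ('store', '0', '%p'), ('icmp', '%b', '%y', '0'), ('br', '%b', 'l2', 'l3')],
            'l2': [('store', '1', '%p'), ('br', 'l3')],
            'l3': [('load', '%x', '%p'), ('ret', '%x')]}

def minimal_ssa():
    """Constructed: the slide's program after mem2reg."""
    return {'l1': [('icmp', '%b', '%y', '0'), ('br', '%b', 'l2', 'l3')],
            'l2': [('br', 'l3')],
            'l3': [('phi', '%x', [('1', 'l2'), ('0', 'l1')]), ('ret', '%x')]}

def unrenamed():
    """Constructed: phi placed but variables not yet renamed, the mid-point of classic mem2reg."""
    return {'l1': [('add', '%x', '%y', '0'), ('icmp', '%b', '%y', '0'), ('br', '%b', 'l2', 'l3')],
            'l2': [('add', '%x', '%y', '1'), ('br', 'l3')],
            'l3': [('phi', '%x', [('%x', 'l1'), ('%x', 'l2')]), ('ret', '%x')]}
```

Both the trivial and the minimal SSA forms of the slide pass with `params={'%y'}`, while the unrenamed intermediate fails with two duplicate-definition errors and two scoping errors; that is precisely the state for which vmem2reg's incremental pipeline never has to define semantics.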
![Page 59](https://reader035.vdocuments.site/reader035/viewer/2022062912/5e02f1edd9e2ea2f2041066f/html5/thumbnails/59.jpg)
vmem2reg Algorithm

• Incremental algorithm
• Pipeline of micro-transformations, each of which
  – preserves the SSA semantics
  – preserves well-formedness
• Inspired by Aycock & Horspool 2002.

Pipeline: Find alloca → max φs → LAS/LAA (load after store / load after alloca) → DSE (dead store elimination) → DAE (dead alloca elimination) → elim φs
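The pipeline above as an added Python sketch, not the Coq-extracted vmem2reg and simplified to one function with no intrinsics and no dominance-frontier computation. The IR is a constructed tuple encoding of the slide's IR (registers start with `%`, anything else is a constant), and the function names `find_promotable`, `max_phis`, `las_laa`, `dse`, `dae` and `elim_phis` are this example's own. The stages run in the slide's order: Find alloca selects allocas used only as load/store pointers; max φs puts a φ for the slot at the top of every non-entry block, fed by a load at the end of each predecessor and stored straight back to the slot, so the program stays well-formed; LAS/LAA forwards the stored value (or `undef` right after the alloca) into later loads of the same block; DSE and DAE delete the stores and the alloca that are now dead; elim φs removes φs with a single distinct incoming value. On the slide's example this yields the minimal SSA form of slide 57; the second input, a loop, shows the same steps producing a genuine loop-carried φ with no special handling.

```python
# Added illustrative reimplementation of a vmem2reg-style pipeline, not the Vellvm
# project's Coq-extracted code. Constructed tuple IR (labels are strings, registers
# start with '%', anything else is a constant); the instruction forms are
#   ('alloca', dst) ('store', val, ptr) ('load', dst, ptr) ('phi', dst, [(val, label), ...])
#   ('icmp'|'add', dst, a, b) ('br', cond, t, f) | ('br', t) ('ret', val)
def succs(term):
    return [] if term[0] != 'br' else [term[1]] if len(term) == 2 else [term[2], term[3]]

def map_vals(i, f):
    """Copy of i with f applied to every value operand (load/store pointers and labels are not values)."""
    k = i[0]
    if k == 'store': return (k, f(i[1]), i[2])
    if k == 'phi': return (k, i[1], [(f(v), l) for v, l in i[2]])
    if k in ('icmp', 'add'): return (k, i[1], f(i[2]), f(i[3]))
    if k == 'br' and len(i) == 4: return (k, f(i[1]), i[2], i[3])
    if k == 'ret': return (k, f(i[1]))
    return i

def substitute(blocks, sub):
    def r(v):  # follow chains such as a -> b -> c
        while v in sub: v = sub[v]
        return v
    for b in blocks: blocks[b] = [map_vals(i, r) for i in blocks[b]]

def find_promotable(blocks):
    """Find alloca: promotable iff the slot is never used as a value, only as a load/store pointer."""
    used = set()
    for i in [i for insts in blocks.values() for i in insts]: map_vals(i, lambda v: used.add(v) or v)
    return [i[1] for insts in blocks.values() for i in insts if i[0] == 'alloca' and i[1] not in used]

def max_phis(blocks, p):
    """max phis: a phi for p atop every non-entry block, fed by a load of p at the end of each predecessor and stored back to p."""
    entry, preds = next(iter(blocks)), {b: [] for b in blocks}
    for b, insts in blocks.items():
        for s in succs(insts[-1]): preds[s].append(b)
    for b, insts in blocks.items():
        if succs(insts[-1]): insts.insert(len(insts) - 1, ('load', f'{p}.out.{b}', p))
        if b != entry:
            phi = f'{p}.{b}'
            insts[0:0] = [('phi', phi, [(f'{p}.out.{q}', q) for q in preds[b]]), ('store', phi, p)]

def las_laa(blocks, p):
    """LAS/LAA: a load of p after a store to p (or after the alloca) in its block becomes the stored value (or undef)."""
    sub = {}
    for b, insts in blocks.items():
        cur, keep = None, []
        for i in insts:
            if i[0] == 'alloca' and i[1] == p: cur = 'undef'
            elif i[0] == 'store' and i[2] == p: cur = i[1]
            elif i[0] == 'load' and i[2] == p and cur is not None:
                sub[i[1]] = cur; continue
            keep.append(i)
        blocks[b] = keep
    substitute(blocks, sub)

def dse(blocks, p):
    """DSE: a store to p is dead if another store to p follows it in the block with no load between, or if no load of p is left at all."""
    any_load = any(i[0] == 'load' and i[2] == p for insts in blocks.values() for i in insts)
    for b, insts in blocks.items():
        keep, pending = [], None
        for i in insts:
            if i[0] == 'store' and i[2] == p:
                if not any_load: continue
                if pending is not None: keep[pending] = None
                pending = len(keep)
            elif i[0] == 'load' and i[2] == p: pending = None
            keep.append(i)
        blocks[b] = [i for i in keep if i is not None]

def dae(blocks, p):
    """DAE: drop the alloca once no load or store refers to it."""
    if not any(i[0] in ('load', 'store') and i[2] == p for insts in blocks.values() for i in insts):
        for b in blocks: blocks[b] = [i for i in blocks[b] if i != ('alloca', p)]

def elim_phis(blocks):
    """elim phis: repeatedly remove a phi whose incoming values (ignoring itself) are all one value."""
    while True:
        hit = next(((b, i) for b, insts in blocks.items() for i in insts
                    if i[0] == 'phi' and len({v for v, _ in i[2] if v != i[1]}) <= 1), None)
        if hit is None: return
        b, i = hit
        vals = {v for v, _ in i[2] if v != i[1]}
        blocks[b] = [j for j in blocks[b] if j is not i]
        substitute(blocks, {i[1]: vals.pop() if vals else 'undef'})

def vmem2reg(blocks):
    """The pipeline; every stage maps well-formed SSA to well-formed SSA."""
    for p in find_promotable(blocks):
        max_phis(blocks, p); las_laa(blocks, p); dse(blocks, p); dae(blocks, p)
    elim_phis(blocks)
    return blocks

def slide_example():
    """Constructed: the slide's `int x = 0; if (y > 0) x = 1; return x;` in trivial SSA form."""
    return {'l1': [('alloca', '%p'), ('store', '0', '%p'), ('icmp', '%b', '%y', '0'), ('br', '%b', 'l2', 'l3')],
            'l2': [('store', '1', '%p'), ('br', 'l3')],
            'l3': [('load', '%x', '%p'), ('ret', '%x')]}

def loop_example():
    """Constructed: `x = 0; while (x < n) x = x + 1; return x;`, which needs a loop-carried phi."""
    return {'entry': [('alloca', '%p'), ('store', '0', '%p'), ('br', 'head')],
            'head': [('load', '%x', '%p'), ('icmp', '%c', '%x', '%n'), ('br', '%c', 'body', 'exit')],
            'body': [('add', '%x1', '%x', '1'), ('store', '%x1', '%p'), ('br', 'head')],
            'exit': [('load', '%r', '%p'), ('ret', '%r')]}
```

`vmem2reg(slide_example())` leaves `l3` with `%p.l3 = φ [0, l1] [1, l2]` and `ret %p.l3`, the slide's result up to naming; on the loop the header keeps `%p.head = φ [0, entry] [%x1, body]` while the single-predecessor φs in `body` and `exit` are eliminated. Note that every intermediate program is real SSA with the slot still in memory, which is what lets each stage be verified on its own.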
![Page 60](https://reader035.vdocuments.site/reader035/viewer/2022062912/5e02f1edd9e2ea2f2041066f/html5/thumbnails/60.jpg)
How to Establish Correctness?

Pipeline: Find alloca → max φs → LAS/LAA → DSE → DAE → elim φs
![Page 61](https://reader035.vdocuments.site/reader035/viewer/2022062912/5e02f1edd9e2ea2f2041066f/html5/thumbnails/61.jpg)
How to Establish Correctness?

Pipeline: Find alloca → max φs → LAS/LAA → DSE → DAE → elim φs

1. Simple aliasing properties (e.g. to determine promotability of an alloca).
2. Instantiate the proof technique for
   – substitution (subst)
   – dead instruction elimination (DIE): define P_DIE = …, then show Initialize(P_DIE), Preservation(P_DIE) and Progress(P_DIE)
4. Put it all together to prove the composition of the "pipeline" correct.
![Page 62](https://reader035.vdocuments.site/reader035/viewer/2022062912/5e02f1edd9e2ea2f2041066f/html5/thumbnails/62.jpg)
vmem2reg is Correct

Theorem: The vmem2reg algorithm preserves the semantics of the source program.

Proof: Composition of the simulation relations of the "mini" transformations, each built using instances of the sdom proof technique. (See the Coq Vellvm development.) □
![Page 63](https://reader035.vdocuments.site/reader035/viewer/2022062912/5e02f1edd9e2ea2f2041066f/html5/thumbnails/63.jpg)
Runtime overhead of verified mem2reg

[Bar chart: speedup over LLVM-O0 (y axis, 0% to 200%) of LLVM's mem2reg versus the extracted vmem2reg on the benchmarks sjeng, go, compress, ijpeg, gzip, vpr, mesa, art, ammp, equake, libquantum, lbm, milc, bzip2, parser, twolf, mcf and h264, plus the geometric mean.]

Speedup over LLVM-O0: vmem2reg 77%, LLVM's mem2reg 81%. The remaining gap is because LLVM's mem2reg also promotes allocas that are used by intrinsics.
![Page 64](https://reader035.vdocuments.site/reader035/viewer/2022062912/5e02f1edd9e2ea2f2041066f/html5/thumbnails/64.jpg)
Plan

• Tour of the LLVM IR
• Vellvm infrastructure
  – Operational Semantics
  – SSA Metatheory + Proof Techniques
• Case studies:
  – SoftBound memory safety
  – mem2reg
• Conclusion
![Page 65](https://reader035.vdocuments.site/reader035/viewer/2022062912/5e02f1edd9e2ea2f2041066f/html5/thumbnails/65.jpg)
Related Work

• CompCert [Leroy et al.]
• CompCertSSA [Barthe, Demange et al., ESOP 2012]
  – Translation-validates the SSA construction
• Verified Software Toolchain [Appel et al.]
• Verifiable SSA Representation [Menon et al., POPL 2006]
  – Identifies the well-formedness safety predicate for SSA
• Specification of SSA
  – Temporal checking & model checking for proving SSA transforms [Mansky et al., ITP 2010]
  – Matrix representation of φ nodes [Yakobowski, INRIA]
  – Type system equivalent to SSA [Matsuno et al.]
![Page 66](https://reader035.vdocuments.site/reader035/viewer/2022062912/5e02f1edd9e2ea2f2041066f/html5/thumbnails/66.jpg)
Conclusions

• Proof techniques for verifying SSA transformations
  – Generalize the SSA scoping predicate
  – Preservation/progress + simulations
• Verified: SoftBound & vmem2reg
  – Similar performance to the native implementations
• See the papers/Coq sources for details!
• Future:
  – Clean up + make more accessible
  – Tutorial for the Oregon PL Summer School
  – Alias analysis? Concurrency?
  – Applications to more LLVM SSA optimizations

http://www.cis.upenn.edu/~stevez/vellvm/