Slide 1

Have Your Verified Compiler And Extend It Too Zachary Tatlock Sorin Lerner UC San Diego

Slide 2

Compiler Correctness Building robust compilers is difficult complex interactions resist testing Compiler bugs are contagious invalidate source level guarantees Few users extend their compiler hand optimized, unreadable code

Slide 3

Verified Compilers Implement compiler in proof assistant Prove compiler correct interactively CompCert [Leroy], Lambda Tamer [Chlipala] Strong Guarantee Difficult to Extend

Slide 4

DSL-based Compilers Domain Specific Language for optimizations DSL opts proven correct automatically Rhodium [POPL 05], PEC [PLDI 09] Easier to Extend Weaker Guarantee

Slide 5

Contribution PEC CompCert harder to extend easier to extend stronger guarantee weaker guarantee DSL Execution Engine + Correctness Proof Reduce TCB Add Extensibility PEC XCertCompCert

Slide 6

XCert Rewrite Rule PEC Extensible & Correct Compiler Rewrite Locally Correct CompCert C Asm Correct Compiler Main Theorem Proved in Coq : XCert Rules Locally Correct XCert Correct Formal Correctness Proof in Coq Bulk of the development effort [PLDI 09]

Slide 7

Extensible & Correct Compiler 1 Rewrite Rule PEC CompCert C Asm 2 XCert Challenges and Evaluation 3 [PLDI 09]

Slide 8

Rewrite Rule Find & Replace Match Pattern C x < 10 IxIx Apply Subst while(C ) I += 2 while(C ) I ++ PEC x = 0 while(x < 10) x += 2 return x x = 0 while(x < 10) x ++ return x [PLDI 09]

Slide 9

I ++ !C!C C I +=2 !C!C C PEC Checker 1.Convert to CFG 2.Guess Sync Points 3.Check w/ SMT A B PEC SMT Checked A A A B while(C ) I += 2 while(C ) I ++ C I +=2 I ++ C A A [PLDI 09]

Slide 10

XCert Module 1.Rule in Coq 2.SMT Checks A B SMT Checked A A A B PEC

Slide 11

Extensible & Correct Compiler 1 Rewrite Rule PEC 2 XCert [PLDI 09] Challenges and Evaluation 3

Slide 12

XCert Correctness Proof Small Step Execute instruction Step state S to S S S

Slide 13

Equivalent Executions Initial Equiv Prove Simulation Diagram CompCert Small Step Library: Sim Diagram Progs Equiv L L R R L ~ R < < L L R L ~ R: R R Final Equiv XCert Correctness Proof

Slide 14

XCert Simulation Diagram XCert Module A A A B A B SMT Checked A A A B

Slide 15

Extensible & Correct Compiler 1 Rewrite Rule PEC 2 XCert [PLDI 09] Challenges and Evaluation 3

Slide 16

Challenges (see paper) XCert Execution Engine CFG pattern matching CFG splicing XCert Correctness Proof Managing case explosion Verified validation [Tristan and Leroy] Preserving non-terminating behaviors

Slide 17

Evaluation Engine:1,000 lines of Coq functional code Proof :3,000 lines of Coq proof script Trusted Computing Base (TCB) Compcert:Coq + Coq encoding of C sem XCert adds:SMT+ SMT encoding of C sem

Slide 18

Evaluation Extensibility: Support PEC Opts [PLDI 09] No manual proof effort or TCB increase Maintain Compcert end-to-end correctness Sample of Optimizations Run: Loop Invariant Code HoistLoop Peeling Software PipeliningConditional Speculation Loop UnswitchingPartial Redundancy Elim

Slide 19

1 Rewrite Rule PEC 2 XCert [PLDI 09] Extensible & Correct Compiler Thank You!