Have Your Verified Compiler

And Extend It Too

Zachary TatlockSorin LernerUC San Diego

Compiler Correctness

Building robust compilers is difficultcomplex interactions resist testingCompiler bugs are contagiousinvalidate source level guarantees

Few users extend their compilerhand optimized, unreadable code

Verified Compilers

Implement compiler in proof assistant Prove compiler correct interactively CompCert [Leroy], Lambda Tamer

[Chlipala]Strong

Guarantee

Difficult to

Extend

DSL-based Compilers

Domain Specific Language for optimizations

DSL opts proven correct automatically Rhodium [POPL 05], PEC [PLDI 09]

Easier toExtend

WeakerGuarante

e

Contribution

PEC

CompCert

harder to extend

easier to extend

stronger guarantee

weaker guarantee

DSL Execution Engine +Correctness Proof

Reduce TCB

AddExtensibility

PEC

XCertCompCert

CompCert

XCert

RewriteRule

PEC

Extensible & Correct Compiler

Rewrite

LocallyCorrect

CompCert

C Asm

Correct Compiler

??

Main Theorem Proved in Coq : XCert Rules Locally Correct XCert Correct

? Formal Correctness Proof in Coq

Bulk of the development effort

[PLDI 09]

Extensible & Correct Compiler

1Rewrite

Rule

PEC CompCert

C Asm

2 XCert

Challenges and Evaluation3

[PLDI 09]

Rewrite Rule Find &

Replace Match

PatternC x <

10

I x Apply Subst

while(C ) I += 2

while(C ) I ++ I ++

PEC

x = 0

while(x < 10)

x += 2

return x

x = 0

while(x < 10)

x ++

x ++

return x

[PLDI 09]

I ++

I ++

!C

C

I +=2

!CC

PEC Checker1.Convert to CFG2.Guess Sync

Points3.Check w/ SMT

A

B

PEC

SMT Checked

A AA B

while(C ) I += 2

while(C ) I ++ I ++

I ++

C

I +=2I ++

C

A

A

[PLDI 09]

XCert Module

1.Rule in Coq2.SMT Checks

A

B

SMT CheckedA AA B

PEC

Extensible & Correct Compiler

1Rewrite

Rule

PEC

2 XCert

[PLDI 09]

Challenges and Evaluation3

XCert Correctness Proof

Small Step Execute instruction

Step state S to S’

S

S’

Equivalent Executions Initial Equiv Prove Simulation Diagram

CompCert Small Step Library: Sim Diagram Progs

Equiv

L

L’

R

R’

L ~ R

<< L L’

R’

L’ ~ R’: R R’

Final Equiv

XCert Correctness Proof

?

XCert Simulation Diagram

XCert Module

A

A

A

B

A

B

SMT Checked

A AA B

Extensible & Correct Compiler

1Rewrite

Rule

PEC

2 XCert

[PLDI 09]

Challenges and Evaluation3

Challenges (see paper)

XCert Execution Engine CFG pattern matching CFG splicing

XCert Correctness Proof Managing case explosion Verified validation [Tristan and Leroy]

Preserving non-terminating behaviors

Evaluation

Engine : 1,000 lines of Coq functional code

Proof : 3,000 lines of Coq proof script

Trusted Computing Base (TCB) Compcert : Coq + Coq encoding of C sem XCert adds : SMT + SMT encoding of C sem

Evaluation

Extensibility: Support PEC Opts [PLDI 09] No manual proof effort or TCB increase Maintain Compcert end-to-end

correctness

Sample of Optimizations Run:Loop Invariant Code Hoist Loop Peeling

Software Pipelining Conditional Speculation

Loop Unswitching Partial Redundancy Elim

1Rewrite

Rule

PEC

2 XCert

[PLDI 09]

Extensible & Correct Compiler

Thank You!