proving optimizations correct using parameterized program equivalence

Proving Optimizations Correctusing Parameterized Program

Equivalence

University of California, San Diego

Sudipta KunduZachary TatlockSorin Lerner

Compiler Correctness Difficult to develop reliable compilers:

large, complex programs take a long time to mature

Consequence: buggy compilers, but also … hinders development of new languages,

architectures discourages user from extending compiler

Focus on correctness of compiler optimizations many intricate opts, unexpected interactions turning off optimizations often no longer an

option

Existing Techniques Translation

Validation prove equivalence for each

transformation every compiler

execution

a priori Correctness prove correctness before compiler runs once and for all

TVOC [Zuck et al.] Rhodium

[Lerner et al.]

Compcert[Leroy et al.]

[Necula 00]

Focus on Automated Techniques

Verified TV [Tristan et al.]

[Pnueli et al.]

Scope of Guarantee

Verify Compiler Run

Verify Compiler

TVOC [Zuck et al.] Rhodium

[Lerner et al.]

[Necula 00]

Expressive Power

ComplexLoop Opts

One-to-one Rewrites

Focus on Automated Techniques

complex loop opts+

once-and-for-allcorrectness

Our Approach:

Adapt Translation Validation to once-and-for-all setting

Key Insight:

Generalize to Parameterized Progs

Equivalence

Checking

Generalize to Parameterized Programs

OutputProg

InputProg

OutputPProg

InputPProg

Translation Validation

k := 0while(k < 100){ a[k] += k k++}


Equivalence

Checking


I := 0while(I < 100){ a[k] += I I++}

OutputProg

InputProg

OutputPProg

InputPProg


Equivalence

Checking


I := 0while(I < E){ a[k] += I I++}

OutputProg

InputProg

OutputPProg

InputPProg

Equivalence

Checking

I := 0while(I < E){ S I++}

I := 0while(I < E){ S I++}


OutputProg

InputProg


OutputPProg

InputPProg

OptimizationInstance

Optimization


Equivalence

Checking


Parameterized

Equivalence

Checking

OptimizationInstance

Optimization

OutputProg

InputProg

OutputPProg

InputPProg

ContributionsParameter

izedEquivalenc

eChecking

Parameterized Equivalence Checking (PEC) proves opts correct statically and automatically can reason about many-to-many opts

Expressed and proved a variety of opts correct which Rhodium could not have proven correct software pipelining and other complex loop opts

1

2

3

Optimization

OutputPProg

InputPProg

I := 0while(I < E-1){ S I++}SI++

Parameterized Rewrite Rules Loop Peeling

move iter out of loop

ids range over: I : variable E : expression S : statement

Shift final iteration after loop

Side conditions indicate when rewrite safe

I := 0while(I < E){ S I++}

where:• E > 0• S does not modify I, E

Enable loop unrolling

Apply Rewrite1. Match parameters2. Check side conds3. Rewrite

where: 100 > 0 a[k] += k

does not modify k,100

Applying Rewrite RulesI := 0while(I < E){ S I++}

I := 0while(I < E-1){ S I++}SI++where:

• E > 0• S does not modify I, E

k := 0while(k < 100){ a[k] += k k++}

k := 0while(k < 99){ a[k] += k k++}a[k] += kk++

• Divisible by 3• Directly unroll by 3

• Not divisible by 3• Hard to unroll by 3

Checking Correctness

OPT

ParameterizedEquivalence

Checking

OPT


Generalization of [ Necula 00 ]

Generalization of[ Zuck et al. 04]

OR

Relate

Permute

Relate

I := 0while(I < E-1){ S I++}SI++

I := 0while(I < E){ S I++}

where:• E > 0• S does not modify I, E

Checking Rewrite Rules

I:=0

I<EI≥E

S

I++

I:=0

I<E-1I≥E-1

S

I++S

I++

σ1=σ2

Programs equivalent:

Consider CFGs Start in equal

states End in equal states σ1=σ2

Checking Rewrite Rules

Relate Executions:1.Find synchronization

points2.Generate invariants3.Check invariants

preserved

I:=0

I<EI≥E

S

I++

I:=0

I<E-1I≥E-1

S

I++S

I++

A

B• Use auto theorem

prover• Each invariant must

imply successor invariants• Strengthen if inv too

weak

σ1=σ2

σ1=σ2

1. Find Synchronization Points

I<E

S

I++

I:=0

I<E-1I≥E-1

S

I++S

I++

Traverse in lockstep

Stop at stmt params

Prune infeasible paths

From Path:E ≤ 0

Side Conds:E > 0

Path never executes

I:=0

I≥E

2. Generate Invariants

I:=0

I<EI≥E

S

I++

I:=0

I<E-1I≥E-1

S

I++S

I++

Invariants: predicates over σ1, σ2

Gen initial invariant: σ1 = σ2 AND strongest post

cond

σ1=σ2

σ1=σ2

B

A

A(σ1,σ2) ...

B(σ1,σ2) ...

A(σ1,σ2)σ1=σ2 eval(∧ σ1, I < E)

∧ eval(σ2, I < E-1)

B(σ1,σ2) ...

B

AI<E I<E-1I≥E-1

A(σ1,σ2)σ1=σ2 eval(∧ σ1, I < E)

∧ eval(σ2, I < E-1)

B(σ1,σ2)σ1=σ2 eval(∧ σ1, I < E)

∧ eval(σ2, I ≥ E-1)

3. Check Invariants

I:=0

I<EI≥E

S

I++

I:=0

I<E-1I≥E-1

S

I++S

I++σ1=σ2

σ1=σ2

B

A

Each invariant must imply successor invariants

Query Theorem Prover B

AI<E

S

I++

I≥E-1

S

I++

S

I++

I<E

S

I++

I ≥ E-1

A

B

A(σ1,σ2)σ1=σ2 eval(∧ σ1, I < E)

∧ eval(σ2, I < E-1)

B(σ1,σ2)σ1=σ2 eval(∧ σ1, I < E)

∧ eval(σ2, I ≥ E-1)

Entry A Entry B A B A A B Exit

σ1 σ2 .

A(σ1,σ2) ∧

σ1’ = step(σ1, S;I++;I < E) ∧

σ2’ = step(σ2, S;I++;I ≥ E-1)

B(σ1’, σ2’)

3. Check Invariants

A

B

S

I++

I<E

S

I++

I ≥ E-1

σ1 σ2

σ1’ σ2’

σ1 σ2 .

A(σ1,σ2) ∧

σ1’ = step(σ1, S;I++;I < E) ∧

σ2’ = step(σ2, S;I++;I ≥ E-1)B(σ1’, σ2’)

ATP Query:

ATP

A(σ1,σ2)σ1=σ2 eval(∧ σ1, I < E)

∧ eval(σ2, I < E-1)

B(σ1,σ2)σ1=σ2 eval(∧ σ1, I < E)

∧ eval(σ2, I ≥ E-1)

σ1 σ2 .

A(σ1,σ2) ∧

σ1’ = step(σ1, S;I++;I < E) ∧

σ2’ = step(σ2, S;I++;I ≥ E-1)

B(σ1’, σ2’)

3. Check Invariants

A

B

S

I++

I<E

S

I++

I ≥ E-1

σ1 σ2

σ1’ σ2’

ATP Query:

ATP

A(σ1,σ2)σ1=σ2 eval(∧ σ1, I < E)

∧ eval(σ2, I < E-1)

B(σ1,σ2)σ1=σ2 eval(∧ σ1, I < E)

∧ eval(σ2, I ≥ E-1)

σ1=σ2 eval(∧ σ1, I < E) ∧ eval(σ2, I < E-1)

σ1’=σ2’ eval(∧ σ1’, I < E) ∧ eval(σ2’, I ≥ E-

1)

σ1 σ2 .

A(σ1,σ2) ∧

σ1’ = step(σ1, S;I++;I < E) ∧

σ2’ = step(σ2, S;I++;I ≥ E-1)

B(σ1’, σ2’)

3. Check Invariants

B

S

I++

I<E

S

I++

I ≥ E-1

σ1 σ2

σ1’ σ2’

ATP Query:

ATP

A(σ1,σ2)σ1=σ2 eval(∧ σ1, I < E)

∧ eval(σ2, I < E-1)

B(σ1,σ2)σ1=σ2 eval(∧ σ1, I < E)

∧ eval(σ2, I ≥ E-1)

σ1=σ2 eval(∧ σ1, I < E) ∧ eval(σ2, I < E-1)

σ1’=σ2’ eval(∧ σ1’, I < E) ∧ eval(σ2’, I ≥ E-

1)

A ∧ B(σ1’, σ2’)

Strengthen A if the theorem prover fails

σ1’ = step(σ1, S;I++;I < E)

σ2’ = step(σ2, S;I++;I ≥ E-1)

A

3. Check Invariants

I:=0

I<EI≥E

S

I++

I:=0

I<E-1I≥E-1

S

I++S

I++σ1=σ2

σ1=σ2

B

A

A(σ1,σ2)σ1=σ2 eval(∧ σ1, I < E)

∧ eval(σ2, I < E-1)

B(σ1,σ2)σ1=σ2 eval(∧ σ1, I < E)

∧ eval(σ2, I ≥ E-1)

Each invariant must imply successor invariants

Query Auto Theorem Prover

Entry A Entry B A B A A B Exit

OPT


Generalization of [ Necula 00 ]

Generalization of[ Zuck et al. 04]

OR

Relate

Permute

Relate

Permute

Works well for structure-preserving optimizations

Works well for non structure-preserving optimizations

Permute Module

for (I in R1){ for (J in R2){

S[I, J]; }}

for (N in R2){ for (M in R1){

S[M, N]; }}

where: ⟨side condition⟩• Generate correspondence between loop

indices• Ask ATP to show that ⟨side condition⟩

implies:• correspondence is one-to-one• For all I, I’ ∊ R1 and J, J’ ∊ R2

S[I, J] commutes with S[I’, J’]

Loop Interchange

ContributionsParameter

izedEquivalenc

eChecking



1

2

3

Optimization

OutputPProg

InputPProg

Optimizations Proved Correct

Category 1: PEC and Rhodium formulation equivalent

Copy propagationConstant propagationCommon sub-expression elimPartial redundancy elim

Category 2: PEC formulation easier, more general

Loop invariant code hoisting Conditional speculation Speculation

Category 3:Expressible in PECNo Rhodium formulation possible

Software pipelining Loop unswitching Loop unrolling Loop peelingLoop splitting Loop alignment Loop interchange Loop reversal Loop skewing Loop fusion Loop distribution

ConclusionParameter

izedEquivalenc

eChecking



Optimization

OutputPProg

InputPProg

proving optimizations correct using parameterized program equivalence

Documents

compcert compiler

intricate optimizations

pnueli et

reliable compilers

validating loop optimizations

zuck et als work

rhodiumlerner et

compcertleroy et