Presentation is loading. Please wait.

Presentation is loading. Please wait.

Automated Soundness Proofs for Dataflow Analyses and Transformations via Local Rules Sorin Lerner* Todd Millstein** Erika Rice* Craig Chambers* * University.

Published byDelphia Leonard Modified over 9 years ago

Similar presentations

Presentation on theme: "Automated Soundness Proofs for Dataflow Analyses and Transformations via Local Rules Sorin Lerner* Todd Millstein** Erika Rice* Craig Chambers* * University."— Presentation transcript:

1 Automated Soundness Proofs for Dataflow Analyses and Transformations via Local Rules Sorin Lerner* Todd Millstein** Erika Rice* Craig Chambers* * University of Washington ** UCLA [graduating this year!]

2 A traditional compiler Parser Code Gen Compiler Opt

3 Using a domain specific language Parser Code Gen Compiler DSL Opt DSL Opt DSL Opt

4 Using a domain specific language Parser Code Gen Compiler DSL Execution engine DSL Opt DSL Opt DSL Opt

5 Checking correctness automatically Parser Code Gen Compiler DSL Execution engine DSL Opt DSL Opt DSL Opt

6 Checking correctness automatically Parser Code Gen Compiler DSL Execution engine Checker DSL Opt Checker DSL Opt Checker DSL Opt

7 Checker DSL Opt DSL Opt Checker DSL Opt Checking correctness automatically Checker

8 DSL Opt Checker DSL Opt Checker DSL Opt Checking correctness automatically Checker

9 DSL Opt Checking correctness automatically Checker

10 Checking correctness automatically VCGen Verification Condition (VC) Checker Automatic Theorem Prover Checker DSL Opt

11 Checking correctness automatically VCGen DSL Opt Checker Automatic Theorem Prover Verification Condition (VC)

12 Checking correctness automatically opt- independent Checker opt- specific Automatic Theorem Prover DSL Opt VCGen Lemma: VC implies correctness VC

13 Cobalt The Cobalt DSL is an instantiation of this architecture –An opt written in Cobalt is a rewrite rule triggered by a declarative global condition over the CFG Expressed and automatically proved the correctness of a variety of intraprocedural optimizations, including: –const prop and folding, branch folding, CSE, PRE, DAE, partial DAE [PLDI 03]

14 In this talk: the Rhodium DSL Increased expressiveness –New model for expressing opts: local propagation rules with explicit dataflow facts –Heap summaries –Infinite analysis domains –Flow-sensitive and -insensitive –Intraprocedural and interprocedural Some Rhodium opts not expressible in Cobalt: –Arithmetic invariant detection, integer range analysis, loop-induction-variable strength reduction, Andersen's may-point-to analysis with allocation-site summaries

15 Outline Overview Rhodium by example Checking correctness automatically Future work, related work and conclusion

16 MustPointTo analysis c := a a := &b *c := d cd ab cd c ab

17 MustPointTo info in Rhodium c := a a := &b *c := d mustPointTo ( a, b ) mustPointTo ( c, d ) cd ab cd c ab mustPointTo ( a, b ) mustPointTo ( c, b )

18 MustPointTo info in Rhodium c := a a := &b *c := d mustPointTo ( a, b ) mustPointTo ( c, d ) cd ab cd c ab mustPointTo ( a, b ) mustPointTo ( c, b ) c := a a := &b *c := d cd ab cd c ab mustPointTo ( a, b ) mustPointTo ( c, d ) mustPointTo ( a, b ) mustPointTo ( c, b )

19 MustPointTo info in Rhodium define fact mustPointTo(X:Var,Y:Var) c := a a := &b *c := d cd ab cd c ab mustPointTo ( a, b ) mustPointTo ( c, d ) mustPointTo ( a, b ) mustPointTo ( c, b )

20 Propagating facts c := a a := &b *c := d cd ab cd c ab mustPointTo ( a, b ) mustPointTo ( c, d ) mustPointTo ( a, b ) mustPointTo ( c, b ) define fact mustPointTo(X:Var,Y:Var)

21 if currStmt = [X := &Y] then mustPointTo(X,Y)@out Propagating facts define fact mustPointTo(X:Var,Y:Var) c := a a := &b *c := d cd ab cd c ab mustPointTo ( a, b ) mustPointTo ( c, d ) mustPointTo ( a, b ) mustPointTo ( c, b ) if currStmt = [X := &Y] then mustPointTo(X,Y)@out a := &b mustPointTo ( a, b )

22 if currStmt = [X := &Y] then mustPointTo(X,Y)@out Propagating facts define fact mustPointTo(X:Var,Y:Var) c := a a := &b *c := d cd ab cd c ab mustPointTo ( a, b ) mustPointTo ( c, d ) mustPointTo ( a, b ) mustPointTo ( c, b )

23 if currStmt = [X := &Y] then mustPointTo(X,Y)@out Propagating facts if mustPointTo(X,Y)@in Æ currStmt = [Z := &W] Æ X  Z then mustPointTo(X,Y)@out define fact mustPointTo(X:Var,Y:Var) c := a a := &b *c := d cd ab cd c ab mustPointTo ( a, b ) mustPointTo ( c, d ) mustPointTo ( a, b ) mustPointTo ( c, b ) if mustPointTo(X,Y)@in Æ currStmt = [Z := &W] Æ X  Z then mustPointTo(X,Y)@out a := &b mustPointTo ( c, d )

24 if currStmt = [X := &Y] then mustPointTo(X,Y)@out Propagating facts if mustPointTo(X,Y)@in Æ currStmt = [Z := &W] Æ X  Z then mustPointTo(X,Y)@out define fact mustPointTo(X:Var,Y:Var) c := a a := &b *c := d cd ab cd c ab mustPointTo ( a, b ) mustPointTo ( c, d ) mustPointTo ( a, b ) mustPointTo ( c, b ) if mustPointTo(X,Y)@in Æ currStmt = [Z := X] then mustPointTo(Z,Y)@out c := a mustPointTo ( a, b ) mustPointTo ( c, b )

25 if currStmt = [X := &Y] then mustPointTo(X,Y)@out Propagating facts if mustPointTo(X,Y)@in Æ currStmt = [Z := &W] Æ X  Z then mustPointTo(X,Y)@out define fact mustPointTo(X:Var,Y:Var) c := a a := &b *c := d cd ab cd c ab mustPointTo ( a, b ) mustPointTo ( c, d ) mustPointTo ( a, b ) mustPointTo ( c, b ) if mustPointTo(X,Y)@in Æ currStmt = [Z := X] then mustPointTo(Z,Y)@out

26 if currStmt = [X := &Y] then mustPointTo(X,Y)@out Transformations if mustPointTo(X,Y)@in Æ currStmt = [Z := &W] Æ X  Z then mustPointTo(X,Y)@out define fact mustPointTo(X:Var,Y:Var) c := a a := &b *c := d cd ab cd c ab mustPointTo ( a, b ) mustPointTo ( c, d ) mustPointTo ( a, b ) mustPointTo ( c, b ) if mustPointTo(X,Y)@in Æ currStmt = [Z := X] then mustPointTo(Z,Y)@out

27 *c := d Transformations define fact mustPointTo(X:Var,Y:Var) c := a a := &b *c := d cd ab cd c ab mustPointTo ( a, b ) mustPointTo ( c, d ) mustPointTo ( a, b ) mustPointTo ( c, b ) if mustPointTo(X,Y)@in Æ currStmt = [*X := Z] then transform to [Y := Z] mustPointTo ( c, b ) b := d

28 Semantics of a Rhodium opt Run all the propagations rules using optimistic iterative analysis starting with complete set of facts until the best fixed point is reached Then run all transformation rules For better precision, combine analyses and transformations using our previous composition framework [POPL 02]

29 More in Rhodium (see paper for details) Mixing facts Heap summaries MayPointTo analysis via MustNotPointTo Infinite domains Flow-sensitive and -insensitive Intraprocedural and interprocedural

30 Outline Overview Rhodium by example Checking correctness automatically Future work, related work and conclusion

31 Rhodium correctness checker Automatic theorem prover Checker opt- independent VCGen VC Lemma: VC ) correctness Rhodium optimization

32 Rhodium correctness checker Automatic theorem prover Checker opt- independent VCGen Rhodium optimization define fact … if … then transform … if … then … VC Lemma: VC ) correctness

33 Rhodium correctness checker Automatic theorem prover IL semantics axioms Rhodium optimization Checker opt- independent Lemma: VC ) correctness define fact … if … then transform … if … then … VCGen Local VC Lemma: Local VCs ) correctness

34 Local correctness of prop. rules define fact mustPointTo(X:Var,Y:Var) Z := X mustPointTo ( X, Y ) mustPointTo ( Z, Y ) currStmt = [Z := X] then mustPointTo(Z,Y)@out if mustPointTo(X,Y)@in Æ

35 define fact mustPointTo(X:Var,Y:Var) define fact mustPointTo(X:Var,Y:Var) with meaning « X == &Y ¬ Local correctness of prop. rules currStmt = [Z := X] then mustPointTo(Z,Y)@out mustPointTo ( X, Y ) mustPointTo ( Z, Y ) Z := X     XY  in  out ZY ? Local VC sent to ATP: if mustPointTo(X,Y)@in Æ then « Z == &Y ¬ (  out ) if « X == &Y ¬ (  in ) Æ Z := X  in  out

36 Local correctness of trans. rules define fact mustPointTo(X:Var,Y:Var) if mustPointTo(X,Y)@in Æ currStmt = [*X := Z] then transform to [Y := Z] with meaning « X == &Y ¬ then if « X == &Y ¬ (  in ) Æ *X := Z  in  out Y := Z  in  out mustPointTo ( X, Y ) *X := Z XY  in  out ? Y := Z XY  in  out Y := Z Local VC sent to ATP:

37 More on correctness (see paper for details) Heap summaries Separating profitability from correctness Theorem stating soundness of the framework for creating interprocedural and flow-insensitive analyses

38 Outline Overview Rhodium by example Checking correctness automatically Future work, related work and conclusion

39 Current and future work Backward optimizations Infer rules from just the dataflow fact declarations and their meanings Debugging Efficient execution engine

40 Some related work Proving correctness by hand –Abstract interpretation [Cousot and Cousot 77, 79] –Partial equivalence relations [Benton 04] –Temporal logic [Lacey et al. 02] Proving correctness with interactive theorem prover –Using Coq proof assistant [Cachera et al. 04] Testing correctness one compilation at a time –Translation validation [Pnueli et al. 98, Necula 00] –Credible compilation [Rinard 99] Execution engines –Incremental execution of transformations [Sittampalam et al. 04] –Running opts specified with temporal logic [Steffen 91]

41 Conclusion Local rules in Rhodium are more expressive than Cobalt’s global condition The correctness checker found subtle bugs in our Rhodium opts Good step towards pushing more of the burden of writing compilers on to the computer

Download ppt "Automated Soundness Proofs for Dataflow Analyses and Transformations via Local Rules Sorin Lerner* Todd Millstein** Erika Rice* Craig Chambers* * University."

Similar presentations

Global Value Numbering using Random Interpretation Sumit Gulwani George C. Necula CS Department University of California, Berkeley.

Global Value Numbering using Random Interpretation Sumit Gulwani George C. Necula CS Department University of California, Berkeley.
Program Analysis using Random Interpretation Sumit Gulwani UC-Berkeley March 2005.

Program Analysis using Random Interpretation Sumit Gulwani UC-Berkeley March 2005.
Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.

An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.
Technology from seed Automatic Equivalence Checking of UF+IA Programs Nuno Lopes and José Monteiro.

Technology from seed Automatic Equivalence Checking of UF+IA Programs Nuno Lopes and José Monteiro.
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
Automated Refinement Checking of Concurrent Systems Sudipta Kundu, Sorin Lerner, Rajesh Gupta Department of Computer Science and Engineering, University.

Automated Refinement Checking of Concurrent Systems Sudipta Kundu, Sorin Lerner, Rajesh Gupta Department of Computer Science and Engineering, University.
Data-Flow Analysis Framework Domain – What kind of solution is the analysis looking for? Ex. Variables have not yet been defined – Algorithm assigns a.

Data-Flow Analysis Framework Domain – What kind of solution is the analysis looking for? Ex. Variables have not yet been defined – Algorithm assigns a.
1 Mechanical Verification of Timed Automata Myla Archer and Constance Heitmeyer Presented by Rasa Bonyadlou 24 October 2002.

1 Mechanical Verification of Timed Automata Myla Archer and Constance Heitmeyer Presented by Rasa Bonyadlou 24 October 2002.
Pointer Analysis Lecture 2 G. Ramalingam Microsoft Research, India.

Pointer Analysis Lecture 2 G. Ramalingam Microsoft Research, India.
Background information Formal verification methods based on theorem proving techniques and model­checking –to prove the absence of errors (in the formal.

Background information Formal verification methods based on theorem proving techniques and model­checking –to prove the absence of errors (in the formal.
Technology from seed Weakest Precondition Synthesis for Compiler Optimizations Nuno Lopes and José Monteiro.

Technology from seed Weakest Precondition Synthesis for Compiler Optimizations Nuno Lopes and José Monteiro.
Technology from seed Automatic Synthesis of Weakest Preconditions for Compiler Optimizations Nuno Lopes Advisor: José Monteiro.

Technology from seed Automatic Synthesis of Weakest Preconditions for Compiler Optimizations Nuno Lopes Advisor: José Monteiro.
The Design and Implementation of a Certifying Compiler [Necula, Lee] A Certifying Compiler for Java [Necula, Lee et al] David W. Hill CSCI 297 5.31.2005.

The Design and Implementation of a Certifying Compiler [Necula, Lee] A Certifying Compiler for Java [Necula, Lee et al] David W. Hill CSCI
An Integration of Program Analysis and Automated Theorem Proving Bill J. Ellis & Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt.

An Integration of Program Analysis and Automated Theorem Proving Bill J. Ellis & Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt.
Discovering Affine Equalities Using Random Interpretation Sumit Gulwani George Necula EECS Department University of California, Berkeley.

Discovering Affine Equalities Using Random Interpretation Sumit Gulwani George Necula EECS Department University of California, Berkeley.
Plan for today Proof-system search ( ` ) Interpretation search ( ² ) Quantifiers Equality Decision procedures Induction Cross-cutting aspectsMain search.

Plan for today Proof-system search ( ` ) Interpretation search ( ² ) Quantifiers Equality Decision procedures Induction Cross-cutting aspectsMain search.
Constraint Logic Programming Ryan Kinworthy. Overview Introduction Logic Programming LP as a constraint programming language Constraint Logic Programming.

Constraint Logic Programming Ryan Kinworthy. Overview Introduction Logic Programming LP as a constraint programming language Constraint Logic Programming.
Proof-system search ( ` ) Interpretation search ( ² ) Main search strategy DPLL Backtracking Incremental SAT Natural deduction Sequents Resolution Main.

Proof-system search ( ` ) Interpretation search ( ² ) Main search strategy DPLL Backtracking Incremental SAT Natural deduction Sequents Resolution Main.

Similar presentations

Ads by Google