Formal verification of a realistic compiler Xavier Leroy CACM 2009 - - PowerPoint PPT Presentation

Formal verification of a realistic compiler

Xavier Leroy CACM 2009

CS 7194: Great Works in Programming Languages Presenter : Irene Yoon | Mentor : Ryan Doenges

• 1

Building robust compilers is Hard.

2

Bugs

3

bugs

Bugs

4

• Random testing finds bugs in 11 C compilers
• Hundreds of previously unknown bugs
• LLVM has a large test suite, real compilers have bugs

[Yang et al 2011]

Bugs

5

• Random testing finds bugs in 11 C compilers
• Hundreds of previously unknown bugs
• LLVM has a large test suite

[Yang et al 2011]

Bugs

6

• Random testing finds bugs in 11 C compilers
• Hundreds of previously unknown bugs
• LLVM has a large test suite, real compilers have bugs

[Yang et al 2011]

Bugs

7

• Random testing finds bugs in 11 C compilers
• Hundreds of previously unknown bugs
• LLVM has a large test suite

[Yang et al 2011]

✅ Building compilers is hard Testing sucks Formalisms are good

8

✅ Building compilers is hard ✅ Testing sucks Formalisms are good

9

✅ Building compilers is hard ✅ Testing sucks ✅ Formalisms are good

10

✅ Building compilers is hard ✅ Testing sucks ✅ Formalisms are good

11

Formal verification of a compiler

First Published Proof of Compiler Correctness

12

• arithmetic expressions → stack machine code
• prototype for proving usable compilers

[1967]

First Mechanized Proof of Compiler Correctness

13

[1972]

• ALGOL-like language → elementary assembly language
• Stanford LCF

Compiler Verification

14

• 100+ papers on compiler verification since 1967

Compiler Verification

15

• 100+ papers on compiler verification since 1967

Compiler Verification

16

• 100+ papers on compiler verification since 1967

Compiler Verification

17

• 100+ papers on Compiler Verification since 1967

[2003]

CompCert

18

CompCert

“Develop and prove correct a realistic compiler, usable for critical embedded software.”

• 42k Coq, 3 person years

Clight PowerPC ARM x86

source target CompCert [2009]

CompCert

“Develop and prove correct a realistic compiler, usable for critical embedded software.”

• 42k Coq, 3 person years

Clight PowerPC ARM x86

source target CompCert [2009]

CompCert

“Develop and prove correct a realistic compiler, usable for critical embedded software.”

• 42k Coq, 3 person years

Clight PowerPC ARM x86

source target CompCert [2009]

Verified, Validated, Certifying

22

Verified, Validated, Certifying

• 1. Verified transformation [Compiler Correctness]

23

COMPILER

source target

Verified, Validated, Certifying

2 . Translation validation [Translation Verification]

24

COMPILER

source

VALIDATOR

target

Verified, Validated, Certifying

• 3. Certifying compiler [Proof-carrying Code]

25

PROOF CHECKER CERTIFYING COMPILER

source target code + certificate

26

27

[Leroy `06]

28

=> External solver with verified validation

29

[Tristan and Leroy `10]

=> External solver with verified validation

CompCert

30

CompCert

31

formal specification

CompCert

32

→ semantic analysis tools [Appel ’11]

formal specification

CompCert

33

semantic preservation*

CompCert

34

Semantic Preservation

• Spec(B) : functional specification of observable behavior
• B: observable behavior (trace properties of I/O)
• “going wrong” (run-time error), termination, divergence
• C ㅑ Spec if
• A. C cannot go wrong
• B. All behaviors B satisfy Spec

35

Semantic Preservation

• Spec(B) : functional specification of observable behavior
• B: observable behavior (trace properties of I/O)
• “going wrong” (run-time error), termination, divergence
• C ㅑ Spec if
• A. C cannot go wrong
• B. All behaviors B satisfy Spec

36

Semantic Preservation

• Spec(B) : functional specification of observable behavior
• B: observable behavior (trace properties of I/O)
• “going wrong” (run-time error), termination, divergence
• C ㅑ Spec if
• A. C cannot go wrong
• B. All behaviors B satisfy Spec

37

Correctness Property

Compiled code C preserves the fact that the source code S satisfies the specification.

38

Proving Semantic Preservation

39

Proving Semantic Preservation

40

*

Safety Precondition

• Compilation result will match the semantics of the input if

if program is “safe” (no runtime errors)

• Need to prove that input program is safe

41

Safety Precondition

• Compilation result will match the semantics of the input if

if program is “safe” (no runtime errors)

• Need to prove that input program is safe

42

Correctness Weakness

43

Correctness Weakness

44

CompCert

45

CompCert

46

Correctness Weakness

• Only runs after the preprocessing step
• Astrèe [Cousot et al ’05], Verasco [Jourdan et al ’15])
• Reliant on less verifiable assumptions
• Coq’s correctness [Anand et al ’17]
• Formal specification of C & PowerPC assembly

47

Correctness Weakness

• Only runs after the preprocessing step
• Astrèe [Cousot et al ’05], Verasco [Jourdan et al ’15]
• Reliant on less verifiable assumptions
• Coq’s correctness [Anand et al ’17]
• Formal specification of C & PowerPC assembly

48

Correctness Weakness

• Only runs after the preprocessing step
• Astrèe [Cousot et al ’05], Verasco [Jourdan et al ’15])
• Reliant on less verifiable assumptions
• Coq’s correctness [Anand et al ’17]
• Formal specification of C & PowerPC assembly

49

Correctness Weakness

• Only runs after the preprocessing step
• Astrèe [Cousot et al ’05], Verasco [Jourdan et al ’15])
• Reliant on less verifiable assumptions
• Coq’s correctness (CertiCoq [Anand et al ’17])
• Formal specification of C & PowerPC assembly

50

Correctness Weakness

• Only runs after the preprocessing step
• Astrèe [Cousot et al ’05], Verasco [Jourdan et al ’15])
• Reliant on less verifiable assumptions
• Coq’s correctness (CertiCoq [Anand et al ’17])
• Formal specification of C & PowerPC assembly

51

Performance

52

Performance

competitive with gcc -01

53

Bugs, revisited.

54

[Yang et al 2011]

• CompCert: errors only found in unverified parts (parser

and model of machine)

• Other compilers: errors everywhere

“The striking thing about our CompCert results is that the middle-end bugs we found in all other compilers are absent”

Bugs, revisited.

55

[Yang et al 2011]

• CompCert: errors only found in unverified parts (parser

and model of machine)

• Other compilers: errors everywhere

“The striking thing about our CompCert results is that the middle-end bugs we found in all other compilers are absent”

Bugs, revisited.

56

[Yang et al 2011]

• CompCert: errors only found in unverified parts (parser

and model of machine)

• Other compilers: errors everywhere

“The striking thing about our CompCert results is that the middle-end bugs we found in all other compilers are absent”

Bugs, revisited.

57

[Yang et al 2011]

• CompCert: errors only found in unverified parts (parser

and model of machine)

• Other compilers: errors everywhere

“The striking thing about our CompCert results is that the middle-end bugs we found in all other compilers are absent”

Critical Use Cases

• AirBus
• MTU Friedrichshafen (nuclear energy)
• High-Assurance Cyber Military Systems (HACMS) [Fisher

et al, ’17]

• PhD Theses

58

Critical Use Cases

• AirBus
• MTU Friedrichshafen (nuclear energy)
• High-Assurance Cyber Military Systems (HACMS) [Fisher

et al, ’17]

• PhD Theses

59

Critical Use Cases

• AirBus
• MTU Friedrichshafen (nuclear energy)
• High-Assurance Cyber Military Systems (HACMS) [Fisher

et al, ’17]

• PhD Theses

60

Critical Use Cases

• AirBus
• MTU Friedrichshafen (nuclear energy)
• High-Assurance Cyber Military Systems (HACMS) [Fisher

et al, ’17]

• PhD Theses

61

Critical Use Cases

• AirBus
• MTU Friedrichshafen (nuclear energy)
• High-Assurance Cyber Military Systems (HACMS) [Fisher

et al, ’17]

• PhD Theses

62

“a realistic compiler”

Concluding Remarks

63

. . .

• Still some correctness and safety weaknesses
• Useful for safety critical code (that doesn’t have to run fast)
• Future work -

Concluding Remarks

64

. . .

• Still some correctness and safety weaknesses
• Useful for safety critical code (that doesn’t have to run fast)
• Future work -

. . .

Concluding Remarks

• Still some correctness and safety weaknesses
• Useful for safety critical code (that doesn’t have to run fast)
• Future work -

65

. . .

Concluding Remarks

• Still some correctness and safety weaknesses
• Useful for safety critical code (that doesn’t have to run fast)
• Future work -

66

. . .

Type Preserving Compilation

. . .

. . .

Concluding Remarks

• Still some correctness and safety weaknesses
• Useful for safety critical code (that doesn’t have to run fast)
• Future work -

67

Type Preserving Compilation

Thanks!

68