Verifying Compilers using Multi-Language Semantics Amal Ahmed - - PowerPoint PPT Presentation

Verifying Compilers using Multi-Language Semantics

Amal Ahmed (with James T. Perconti)

Northeastern University

Thursday, October 17, 13

Semantics-preserving compilation

s t = ⇒ s ≈ t

compiles to same meaning

Thursday, October 17, 13

Problem: Closed-World Assumption

Correct compilation guarantee only applies to whole programs!

Ps Pt

• Thursday, October 17, 13

Problem: Closed-World Assumption

Correct compilation guarantee only applies to whole programs!

Ps Pt

• et

es

• low-level

libraries

Thursday, October 17, 13

Problem: Closed-World Assumption

Correct compilation guarantee only applies to whole programs!

Ps Pt

• et

es

• from

different compiler & source lang.

• Thursday, October 17, 13

Why Whole Programs?

s t = ⇒ s ≈ t

expressed how?

Thursday, October 17, 13

CompCert

Ps Pt = ⇒ Ps ≈ Pt

Why Whole Programs?

expressed how?

Pt − → . . . − → P j

t −

→∗ P j+n

t

− → . . . Ps − → . . . − → P i

s −

→ P i+1

s

− → . . .

Thursday, October 17, 13

Correct Compilation of Components?

es et

• eS ≈ eT

expressed how?

Thursday, October 17, 13

Correct Compilation of Components?

es et

e′

t

• eS ≈ eT

expressed how?

Thursday, October 17, 13

Correct Compilation of Components?

es et

e′

t

• eS ≈ eT

expressed how?

e′

t

Thursday, October 17, 13

ST et

Correct Compilation of Components?

es et

e′

t

• e′

t

Need a semantics

• f source-target

interoperability:

T Ses

Thursday, October 17, 13

ST et

Correct Compilation of Components?

es et

e′

t

• Need a semantics
• f source-target

interoperability:

T Ses ST e′

t

Thursday, October 17, 13

T S(es (ST e′

t))

≈ctx et e′

t

Correct Compilation of Components?

es et

e′

t

• ST e′

t

Thursday, October 17, 13

Correct Compilation of Components

es et

• eS ≈ eT

eS ≈ctx ST eT

def

=

Thursday, October 17, 13

Our Approach (multi-pass compiler)

S I T

Thursday, October 17, 13

SIT

Our Approach (multi-pass compiler)

S I T

Thursday, October 17, 13

SIT

Our Approach (multi-pass compiler)

S I T

SIeI ISeS

Thursday, October 17, 13

SIT

Our Approach (multi-pass compiler)

S I T

SIeI ISeS IT eT T IeI

Thursday, October 17, 13

SIT

Our Approach (multi-pass compiler)

S I T

SIeI ISeS IT eT T IeI

• eT

eS

eI

eS ≈ctx SIeI

eI ≈ctx IT eT

Compiler Correctness

Thursday, October 17, 13

Our Approach

• eT

eS

eI

eS ≈ctx SIeI

eI ≈ctx IT eT

Compiler Correctness

Thursday, October 17, 13

Our Approach

• eT

eS

eI

eS ≈ctx SIeI

Compiler Correctness

SIeI ≈ctx SI(IT eT)

Thursday, October 17, 13

Our Approach

• eT

eS

eI

eS ≈ctx SIeI

Compiler Correctness

SIeI ≈ctx SI(IT eT)}

eS ≈ctx SIT eT

Thursday, October 17, 13

Our Compiler: System F to TAL

• Closure Conversion

Allocation Code Generation

eF eC eA eT

τ C τ A τ T

Thursday, October 17, 13

Combined language FCAT

• Boundaries mediate between
• & & &
• Operational semantics
• Boundary cancellation

FCAT F C A T

τFCe

CFτe ACτe T Aτe

τCAe τAT e

τ C τ A τ T τ τ τ CFτe − →∗ CFτv − → v

τFCe −

→∗ τFCv − → v

τFCCFτe ≈ctx e : τ

CFτ τFCe ≈ctx e : τ C

Thursday, October 17, 13

Combined language FCAT

• Boundaries mediate between
• & & &
• Operational semantics
• Boundary cancellation

FCAT F C A T

τFCe

CFτe ACτe T Aτe

τCAe τAT e

τ C τ A τ T τ τ τ CFτe − →∗ CFτv − → v

τFCe −

→∗ τFCv − → v

τFCCFτe ≈ctx e : τ

CFτ τFCe ≈ctx e : τ C

Thursday, October 17, 13

Combined language FCAT

• Boundaries mediate between
• & & &
• Operational semantics
• Boundary cancellation

FCAT F C A T

τFCe

CFτe ACτe T Aτe

τCAe τAT e

τ C τ A τ T τ τ τ CFτe − →∗ CFτv − → v

τFCe −

→∗ τFCv − → v

τFCCFτe ≈ctx e : τ

CFτ τFCe ≈ctx e : τ C

Thursday, October 17, 13

Challenges / Roadmap for rest of talk

F+C: Interoperability semantics with type abstraction in both languages C+A: Interoperability when compiler pass allocates code & tuples on heap A+T: What is ? What is ? How to define contextual

• equiv. for TAL components?

How to define logical relation?

FCAT F C A T

τFCe

CFτe ACτe T Aτe

τCAe τAT e

e v

Thursday, October 17, 13

Challenges / Roadmap for rest of talk

F+C: Interoperability semantics with type abstraction in both languages C+A: Interoperability when compiler pass allocates code & tuples on heap A+T: What is ? What is ? How to define contextual

• equiv. for TAL components?

How to define logical relation?

FCAT F C A T

τFCe

CFτe ACτe T Aτe

τCAe τAT e

e v

Thursday, October 17, 13

Abstract Types & Interoperability

Requires novel admissibility relations in logical relation.

(draft paper: www.ccs.neu.edu/home/amal/voc.pdf)

Add new type & new value form

Lτ

LτFCv

Add new type & define

⌈α⌉ ⌈α⌉[τ/α] = τ C

Thursday, October 17, 13

Challenges / Roadmap

F+C: Interoperability semantics with type abstraction in both languages C+A: Interoperability when compiler pass allocates code & tuples on heap A+T: What is ? What is ? How to define contextual

• equiv. for TAL components?

How to define logical relation?

FCAT F C A T

τFCe

CFτe ACτe T Aτe

τCAe τAT e

e v

Thursday, October 17, 13

Challenges / Roadmap

F+C: Interoperability semantics with type abstraction in both languages C+A: Interoperability when compiler pass allocates code & tuples on heap A+T: What is ? What is ? How to define contextual

• equiv. for TAL components?

How to define logical relation?

FCAT F C A T

τFCe

CFτe ACτe T Aτe

τCAe τAT e

e v

Thursday, October 17, 13

A

⌧ ::= ↵ | unit | int | 9↵.⌧ | µ↵.⌧ | box ::= 8[↵].(⌧)! ⌧ | h⌧, . . . , ⌧i e ::= (t, H) | t t ::= x | () | n | t p t | if0 t t t | ` | t [] t | t[⌧] | packh⌧,ti as 9↵.⌧ | unpack h↵, xi = t in t | foldµα.τ t | unfold t | balloc hti | read[i] t p ::= + | | ⇤ v ::= () | n | packh⌧,vi as 9↵.⌧ | foldµα.τ v | ` | v[⌧] · | | h i | H ::= · | H, ` 7! h h ::= [↵](x: ⌧).t | hv, . . . , vi hH | ei 7 ! hH0 | e0i Reduction Relation (selected cases) hH | (t, H0)i 7 ! h(H, H0) | ti dom(H) \ dom(H0) = ; hH | E[` [⌧ 0] v]i 7 ! hH | E[t[⌧ 0/↵][v/x]]i H(`) = [↵](x: ⌧).t

Thursday, October 17, 13

T

⌧ ::= ↵ | unit | int | 9↵.⌧ | µ↵.⌧ Type | ref h⌧, . . . , ⌧i | box ::= 8[∆].{; }q | h⌧, . . . , ⌧i Heap value type

• ::= · | , r: ⌧

Register file type

• ::= ⇣ | • | ⌧ ::

Stack type q ::= ✏ | r | i | end[⌧; ] Return marker ∆ ::= · | ∆, ↵ | ∆, ⇣ | ∆, ✏ Type variable environment ! ::= ⌧ | | q Instantiation of type variable r ::= r1 | r2 | · · · | r7 | ra Register h ::= code[∆]{; }q.I | hw, . . . , wi Heap value w ::= () | n | ` | packh⌧,wi as 9↵.⌧ Word value | foldµα.τ w | w[!] u ::= w | r | packh⌧,ui as 9↵.⌧ Small value | foldµα.τ u | u[!] I ::= ◆; I | jmp u | ret q, r Instruction sequence Instruction

Thursday, October 17, 13

T

| | ◆ ::= aop rd, rs, u | bnz r, u | mv rd, u Instruction | ralloc rd, n | balloc rd, n | ld rd, rs[i] | st rd[i], rs | unpack h↵, rdi u | unfold rd, u | salloc n | sfree n | sld rd, i | sst i, rs aop ::= add | sub | mult Arithmetic operation e ::= (I, H) | I Component v ::= ret q, r Term value E ::= (EI, ·) Evaluation context EI ::= [·] Instruction evaluation context H ::= · | H, ` 7! h Heap or Heap fragment R ::= · | R, r 7! w Register file S ::= nil | w :: S Stack M ::= (H, R, S: ) Memory hM | ei 7 ! hM0 | e0i Reduction

Thursday, October 17, 13

Typing TAL Components

Ψ; ∆; ; ; q ` e: ⌧; 0

heap typing type environ reg-file typing return marker result type stack type stack type

• n return

Thursday, October 17, 13

Well-typed Components in T

Ψ; ∆; ; ; q ` e: ⌧; 0

` Ψ ` H: Ψe boxheap(Ψe) ret-type(q, , ) = ⌧; 0 (Ψ, Ψe); ∆; ; ; q ` I Ψ; ∆; ; ; q ` (I, H): ⌧; 0

Thursday, October 17, 13

Well-typed Instruction Sequence

Ψ; ∆; χ; σ; q ⊢ I where q =

Ψ; ∆; ; ; q ` ◆ ) ∆0; 0; 0; q0 Ψ; ∆0; 0; 0; q0 ` I Ψ; ∆; ; ; q ` ◆; I

(r) = box 8[].{r0 : ⌧; }q0 (r0) = ⌧ Ψ; ∆; ; ; r ` ret r, r0

(r) = ⌧ Ψ; ∆; ; ; end[⌧; ] ` ret end[⌧; ], r

Thursday, October 17, 13

Jmp

To next code block within component:

Ψ; ∆; ` u: box ∀[].{0; }q ∆ `  0 Ψ; ∆; ; ; q ` jmp u

Ψ; ∆; ` u: box ∀[⇣, ✏].{ˆ ; ˆ }ˆ

q

ret-addr-type(ˆ q, ˆ , ˆ ) = ∀[].{r: ⌧; ˆ 0}✏ ∆ ` 0 ∆ ` ∀[].{ˆ [0/⇣][i+k−j/✏]; ˆ [0/⇣][i+k−j/✏]}ˆ

q

∆ `  ˆ [0/⇣][i+k−j/✏] = ⌧0 :: · · · :: ⌧j :: 0 ˆ = ⌧0 :: · · · :: ⌧j :: ⇣ j < i ˆ 0 = ⌧ 0

0 :: · · · :: ⌧ 0 k :: ⇣

Ψ; ∆; ; ; i ` jmp u[0, i+k−j]

Call subroutine:

• must protect current return addr, by storing it in tail part
• f stack that is parametrically hidden from subroutine

Thursday, October 17, 13

Instruction Typing

Instructions must not clobber return address: Can move return address elsewhere:

Ψ; ∆; ` u: ⌧ q 6= rd Ψ; ∆; ; ; q ` mv rd, u ) ∆; [rd : ⌧]; ; q

Ψ; ∆; ` u: ⌧ Ψ; ∆; ; ; rs ` mv rd, rs ) ∆; [rd : ⌧]; ; rd

Thursday, October 17, 13

Logical relations: related inputs to related outputs

Equivalence of T Components: Tricky!

related inputs

Vτ1 → τ2 = {(W, λx.e1, λx.e1) | . . .}

HV∀[∆].{χ; σ}q = {(W, code[∆]{χ; σ}q.I1, code[∆]{χ; σ}q.I2) | . . .}

| | · · · | | code[∆]{; }q.I

=

Thursday, October 17, 13

Logical relations: related inputs to related outputs

Equivalence of T Components: Tricky!

related inputs related outputs

Vτ1 → τ2 = {(W, λx.e1, λx.e1) | . . .}

HV∀[∆].{χ; σ}q = {(W, code[∆]{χ; σ}q.I1, code[∆]{χ; σ}q.I2) | . . .}

| | · · · | | code[∆]{; }q.I

=

Thursday, October 17, 13

Logical relations: related inputs to related outputs

Equivalence of T Components: Tricky!

related inputs related outputs

Vτ1 → τ2 = {(W, λx.e1, λx.e1) | . . .}

HV∀[∆].{χ; σ}q = {(W, code[∆]{χ; σ}q.I1, code[∆]{χ; σ}q.I2) | . . .}

| | · · · | | code[∆]{; }q.I

=

Thursday, October 17, 13

Equivalence of T Components: Tricky!

e1 e2 related inputs Logical relations: related inputs to related outputs

Vτ1 → τ2 = {(W, λx.e1, λx.e1) | . . .}

HV∀[∆].{χ; σ}q = {(W, code[∆]{χ; σ}q.I1, code[∆]{χ; σ}q.I2) | . . .}

Thursday, October 17, 13

Equivalence of T Components: Tricky!

e1 e2 related inputs related outputs Logical relations: related inputs to related outputs

Vτ1 → τ2 = {(W, λx.e1, λx.e1) | . . .}

HV∀[∆].{χ; σ}q = {(W, code[∆]{χ; σ}q.I1, code[∆]{χ; σ}q.I2) | . . .}

Thursday, October 17, 13

Equivalence of T Components: Tricky!

e1 e2 related inputs related outputs Logical relations: related inputs to related outputs

Vτ1 → τ2 = {(W, λx.e1, λx.e1) | . . .}

HV∀[∆].{χ; σ}q = {(W, code[∆]{χ; σ}q.I1, code[∆]{χ; σ}q.I2) | . . .}

Thursday, October 17, 13

Code Generation: A to T

⌧ T Type translation

box 8[↵].(⌧1, . . . , ⌧n)! ⌧ 0T = box 8[↵, ⇣, ✏]. {ra: box 8[].{r1: ⌧ 0T ; ⇣}✏; ⌧nT :: · · · :: ⌧1T :: ⇣}ra

d ΨT ; ∆T ; ·; ·; ΓT :: •; end[⌧ T ; ΓT :: •] ` e: ⌧ T ; ΓT :: •

Ψ; ∆; Γ ` e: ⌧ e im

Thursday, October 17, 13

Code Generation: A to T

⌧ T Type translation

box 8[↵].(⌧1, . . . , ⌧n)! ⌧ 0T = box 8[↵, ⇣, ✏]. {ra: box 8[].{r1: ⌧ 0T ; ⇣}✏; ⌧nT :: · · · :: ⌧1T :: ⇣}ra

d ΨT ; ∆T ; ·; ·; ΓT :: •; end[⌧ T ; ΓT :: •] ` e: ⌧ T ; ΓT :: •

Ψ; ∆; Γ ` e: ⌧ e im

Thursday, October 17, 13

Interoperability: A and T

` 8 ! Ψ; ∆; Γ; ·; ; end[⌧ hT i; 0] ` e: ⌧ hT i; 0 Ψ; ∆; Γ; ; ; out ` τAT e: ⌧; 0

i 7 ! h |

τAT(M.M.R(r), M) = (v, M0)

hM | E[τAT ret end[⌧ hT i; ], r]i 7 ! hM0 | E[v]i

Thursday, October 17, 13

Interoperability: A and T

` 8 ! Ψ; ∆; Γ; ·; ; end[⌧ hT i; 0] ` e: ⌧ hT i; 0 Ψ; ∆; Γ; ; ; out ` τAT e: ⌧; 0

i 7 ! h |

τAT(M.M.R(r), M) = (v, M0)

hM | E[τAT ret end[⌧ hT i; ], r]i 7 ! hM0 | E[v]i

Thursday, October 17, 13

Interoperability: A and T

` 8 ! Ψ; ∆; Γ; ·; ; end[⌧ hT i; 0] ` e: ⌧ hT i; 0 Ψ; ∆; Γ; ; ; out ` τAT e: ⌧; 0

i 7 ! h |

τAT(M.M.R(r), M) = (v, M0)

hM | E[τAT ret end[⌧ hT i; ], r]i 7 ! hM0 | E[v]i

Thursday, October 17, 13

Interoperability: A and T

` 8 ! Ψ; ∆; Γ; ·; ; end[⌧ hT i; 0] ` e: ⌧ hT i; 0 Ψ; ∆; Γ; ; ; out ` τAT e: ⌧; 0

i 7 ! h |

τAT(M.M.R(r), M) = (v, M0)

hM | E[τAT ret end[⌧ hT i; ], r]i 7 ! hM0 | E[v]i

Thursday, October 17, 13

Interoperability: A and T

h | AT i 7 ! h | i TAτ (v, M) = (w, M0) hM | E[import rd, σ0T Aτ v; I]i 7 ! hM0 | E[mv rd, w; I]i

· · · | ◆ ::= · · · | import rd, σT Aτ e

τ

= ⌧0 :: · · · :: ⌧j :: 0 0 = ⌧ 0

0 :: · · · :: ⌧ 0 k :: 0

Ψ; ∆, ⇣; Γ; ; (⌧0 :: · · · :: ⌧j :: ⇣); out ` e: ⌧; (⌧ 0

0 :: · · · :: ⌧ 0 k :: ⇣)

q = i > j or q = Ψ; ∆; Γ; ; ; q ` import rd, σ0T Aτ e ) ∆; (rd : ⌧ T ); 0; inc(q, kj)

Thursday, October 17, 13

Interoperability: A and T

h | AT i 7 ! h | i TAτ (v, M) = (w, M0) hM | E[import rd, σ0T Aτ v; I]i 7 ! hM0 | E[mv rd, w; I]i

· · · | ◆ ::= · · · | import rd, σT Aτ e

τ

= ⌧0 :: · · · :: ⌧j :: 0 0 = ⌧ 0

0 :: · · · :: ⌧ 0 k :: 0

Ψ; ∆, ⇣; Γ; ; (⌧0 :: · · · :: ⌧j :: ⇣); out ` e: ⌧; (⌧ 0

0 :: · · · :: ⌧ 0 k :: ⇣)

q = i > j or q = Ψ; ∆; Γ; ; ; q ` import rd, σ0T Aτ e ) ∆; (rd : ⌧ T ); 0; inc(q, kj)

Thursday, October 17, 13

Other Issues

Contexts of FCAT

• plugging T context with a component is subtle

Logical Relation for FCAT .... nontrivial!

7! | 7! C ::= (CI, H) | (I, CH) CI ::= [·] | ◆; CI | import rd, σT Aτ C; I CH ::= CH, ` 7! h | H, ` 7! code[∆]{; }q.CI

Thursday, October 17, 13

Stepping Back... where’s this going?

ML F* C

• target

Thursday, October 17, 13

Stepping Back... where’s this going?

ML F* C

• Thursday, October 17, 13

Stepping Back... where’s this going?

ML F* C

• untyped

dependently typed simply typed

Dependent TAL with gradual typing

Thursday, October 17, 13

Stepping Back... where’s this going?

ML F* C

• preserve

parametricity? untyped dependently typed simply typed

Dependent TAL with gradual typing

Thursday, October 17, 13

Stepping Back... where’s this going?

ML F* C

• preserve

parametricity? preserve all equivalences untyped dependently typed simply typed

Dependent TAL with gradual typing

Thursday, October 17, 13

Stepping Back... where’s this going?

ML F* C

• preserve

parametricity? preserve all equivalences nothing to preserve? untyped dependently typed simply typed

Dependent TAL with gradual typing

Thursday, October 17, 13

Stepping Back... where’s this going?

ML F* C

• preserve

parametricity? preserve all equivalences nothing to preserve? untyped dependently typed simply typed

Dependent TAL with gradual typing It’s about principled language interoperability!

Thursday, October 17, 13

Conclusions

Correct compilation of components, not just whole programs

• it’s a language interoperability problem!

Multi-language approach:

• works for multi-pass compilers
• supports linking with target code of arbitrary provenance
• an opportunity to study principled interoperability
• interoperability semantics provides a specification of when

source and target are related

• but have to get all the languages to fit together!

Thursday, October 17, 13

Questions?

Thursday, October 17, 13