Figure 1 - uploaded by Lenore Zuck
Content may be subject to copyright.
Source publication
There is a growing awareness, both in industry and academia, of the crucial role of formally verifying the translation from high-level source-code representation into an low-level object code that is typically performed by an optimizing compiler. Formally verifying an optimizing compiler, as one would verify any other large program, is not feasible...
Contexts in source publication
Context 1
... notion of a target code T being a correct implementation of a source code S is then defined in terms of refinement , stating that every computation of T corresponds to some computation of S with matching values of the corresponding variables. In Figure 1 we present the process of refinement as completion of a mapping diagram. ...
Context 3
... schematic loop unrolling is in Fig. 11 (where we assume c > 1.) There are One is to design a premutaion- like rule that deals with it directly. Another is to consider loop unrolling as a special case of tiling an n × 1 array with tiles of size c, and then unrolling the innermost loop. A third approach, which we pursue here, is to consider loop unrolling as a ...
Context 4
... the branch conditions of the two paths are logically equivalent. To this end, we allow that the source paths used in Validate include non-simple paths, bounding the number of sim- ple paths composed to derive each non-simple path to c, where c is the unrolling constant. We demonstrate the approach on the C-code and its translation de- scribed in Fig. 12. ...
Context 5
... in B gen(B) : set of B's assignments y = e(¯ x) none of whose terms are redefined later in B Both kill(B) and gen(B) are easy to construct. voc-64 constructs two other sets, in(B), that is the set of invariants upon entry to B, and out(B), that is the set of invariants upon exit from B. These two sets are computed by the procedure described in Fig. 13, where pred (B) is the set of all blocks leading into B. Set operations and comparisons are performed syntactically. An obvious en- hancement to our tool is perform those operations semantically. Another possible enhancement is to add inequalities to the computed invariants, which are readily available from the data flow ...
Similar publications
Engineering is a major cost factor in automation system projects. Hence, both industry and academia aim to develop new methods and concepts to increase engineering effi-ciency. However, the verification and comparison of those methods is difficult because the measurement of engineering efficiency is unsolved and is considered to be a possible break...
Citations
... [27,13]) to translation validation (cf. [24,21,30]) to full mathematical proof (cf. [14]) have been utilized to check this property. ...
Compiler optimizations are designed to improve run-time performance while preserving input-output behavior. Correctness in this sense does not necessarily preserve security: it is known that standard optimizations may break or weaken security properties that hold of the source program. This work develops a translation validation method for secure compilation. Security (hyper-)properties are expressed using automata operating over a bundle of program traces. A flexible, automaton-based refinement scheme, generalizing existing refinement methods, guarantees that the associated security property is preserved by a program transformation. In practice, the refinement relations ("security witnesses") can be generated during compilation and validated independently with a refinement checker. This process is illustrated for common optimizations. Crucially, it is not necessary to verify the compiler implementation itself, which is infeasible in practice for production compilers.
... One possible solution is to develop an analysis which, given an instance of a correct transformation, checks whether it is secure. This would constitute a Translation Validation mechanism for security, similar to those developed for correctness in e.g., [15,18,22]. We show, however, that translation validation for security of dead store elimination is undecidable for general programs and PSPACE-hard for finite-state programs. ...
... The Translation Validation approach to correctness [15,18,22] determines, given input program P, output program Q, and (possibly) additional hints from the compiler, whether the functional behavior of P is preserved in Q. We show, however, that translation validation for secure information flow is substantially more difficult than validation for correctness. ...
A compiler optimization may be correct and yet be insecure. This work focuses on the common optimization that removes dead (i.e., useless) store instructions from a program. This operation may introduce new information leaks, weakening security while preserving functional equivalence. This work presents a polynomial-time algorithm for securely removing dead stores. The algorithm is necessarily approximate, as it is shown that determining whether new leaks have been introduced by dead store removal is undecidable in general. The algorithm uses taint and control-flow information to determine whether a dead store may be removed without introducing a new information leak. A notion of secure refinement is used to establish the security preservation properties of other compiler transformations. The important static single assignment optimization is, however, shown to be inherently insecure.
... In order to prove that one code translates the other, we introduce of formal model for a system defined by a code so to give a common semantics to both. Here we follow the terminology in [31] and use the formalism of Transition Systems (TS's). The notion of a target code T being a correct implementation of a source code S is then defined in terms of refinement, stating that every computation of T corresponds to some computation of S with matching values of the corresponding variables. ...
... Let P S = V S , Ω S , Θ S , ρ S and P T = V T , Ω T , Θ T , ρ T be comparable TS's, where P S is the source and P T is the target. In order to establish that P T is a correct translation of P S for the cases that the structure ofP T does not radically differ from the structure of P S , a proof rule, VALIDATE is applied [31]. The proof rule VALIDATE is inspired by the computational induction approach ( [7]), originally introduced for proving properties of a single program, Rule VALIDATE provides a proof methodology by which one can prove that one program refines another. ...
... The main proof rule of TVOC (which can be found in [31] with a soundness proof) calls for: ...
... Due to its usefulness in several application domains, the problem of checking equivalence between programs has been the subject of decades of research in the programming languages community. For instance, in the context of translation validation, equivalence checking allows us to prove that the low-level code produced by an optimizing compiler is semantics-preserving with respect to the original program [Necula 2000;Pnueli et al. 1998;Rinard 1999;Zuck et al. 2003]. Other important applications of equivalence checking include regression verification Strichman 2009, 2013] and semantic differencing [Lahiri et al. 2012Person et al. 2008]. ...
... One of the most well-known applications of equivalence checking is translation validation, where the goal is to prove that the compiled version of the code is equivalent to the original one. [Necula 2000;Pnueli et al. 1998;Rinard 1999;Stepp et al. 2011;Zaks and Pnueli 2008;Zuck et al. 2003]. More recent work extends translation validation to parameterized equivalence checking (PEC), which aims to prove equivalence between templatized programs representing many concrete programs [Kundu et al. 2009]. ...
This paper addresses the problem of verifying equivalence between a pair of programs that operate over databases with different schemas. This problem is particularly important in the context of web applications, which typically undergo database refactoring either for performance or maintainability reasons. While web applications should have the same externally observable behavior before and after schema migration, there are no existing tools for proving equivalence of such programs. This paper takes a first step towards solving this problem by formalizing the equivalence and refinement checking problems for database-driven applications. We also propose a proof methodology based on the notion of bisimulation invariants over relational algebra with updates and describe a technique for synthesizing such bisimulation invariants. We have implemented the proposed technique in a tool called Mediator for verifying equivalence between database-driven applications written in our intermediate language and evaluate our tool on 21 benchmarks extracted from textbooks and real-world web applications. Our results show that the proposed methodology can successfully verify 20 of these benchmarks.
... Translation validators [29,31,32,40] check whether the compilation of a given input program is correct. Translation validators need the output of the compiler to check correctness, which is not available when the compiler does not terminate. ...
Mainstream compilers contain a large number of peephole optimizations, which perform algebraic simplification of the input program with local rewriting of the code. These optimizations are a persistent source of bugs. Our recent research on Alive, a domain-specific language for expressing peephole optimizations in LLVM, addresses a part of the problem by automatically verifying the correctness of these optimizations and generating C++ code for use with LLVM.
This paper identifies a class of non-termination bugs that arise when a suite of peephole optimizations is executed until a fixed point. An optimization can undo the effect of another optimization in the suite, which results in non-terminating compilation. This paper (1) proposes a methodology to detect non-termination bugs with a suite of peephole optimizations, (2) identifies the necessary condition to ensure termination while composing peephole optimizations, and (3) provides debugging support by generating concrete input programs that cause non-terminating compilation. We have discovered 184 optimization sequences, involving 38 optimizations, that cause non-terminating compilation in LLVM with Alive-generated C++ code.
... This specific term is frequently used in situations where, instead of validating the tool a priori, validation is carried out each time the compiler or code generator is used (on the fly validation). In [21] a methodology for the translation validation of optimizing compilers is presented. In this approach, a correspondence between the source and target code is formally proved using a specific intermediate representation (IR). ...
In this paper, we present a case study where two code generators for the B-Method were validated using software testing techniques. Our testing strategy is a combination of Grammar-Based Testing (GBT) and Model-Based Testing (MBT) techniques. The strategy consists of two steps. In the first step, grammar-based coverage criteria are used to generate a wide and meaningful set of test input models to validate the parsing capabilities of the code generators. In the second step, a MBT tool is used to validate the correctness of the output produced by these tools. The MBT tool generates a set of tests based on the same input model used by the code generation tools. The generated code is considered correct (consistent with the input model) if it passes this set of tests. Using this testing strategy, we were able to find problems in both code generation tools with moderate effort.
... However, it restricts the source and target programs each consists of one single loop. Zuck et al. extended this approach to support structure-modifying transformations [23]. Necula used symbolic evaluation techniques from proof-carrying code to tackle translation validation [13]. ...
Behavioral synthesis entails application of a sequence of trans- formations to compile a high-level description of a hardware design (e.g., in C/C++/SystemC) into a register-transfer level (RTL) implementation. In this paper, we present a scalable equivalence checking framework to validate the correctness of compiler transformations employed by behavioral synthesis front-end. Our approach makes use of dual-rail symbolic simulation of the input and output of a transformation, together with identification and inductive verification of their loop structures. We have evaluated our framework on transformations applied by an open source behavioral synthesis tool to designs from the CHStone benchmark. Our tool can automatically validate more than 75 percent of the total of 1008 compiler transformations applied, taking an average time of 1.5 seconds per transformation.
... In his work, the translation approach is not verified, but rather the results of the translation are tested. A similar idea in this context is presented in VOC [ZPFG03] for translation validation of optimizing compilers. The authors developed a theory of a correct translation and proposed the VOC-64: a prototype that produces automatically verification conditions (VCs) for the global optimization of the SGI Pro-64 compiler. ...
In this paper we propose an automatic methodology to verify the soundness of model checking reduction techniques. The idea is to use the consistency of the specifications to verify if the reduced model is faithful to the original one. The user provides the reduction technique, the specification and the system under verification. Then, using Higher Order Logic he verifies automatically if the reduction technique is soundly applied. The method is completely defined in an MDG�HOL special integration platform that combines an automatic high level model checking tool Multiway Decision Graphs (MDGs) within the HOL theorem prover. We provide two case studies, the first one is the reduction using SAT�MDG of an Island Tunnel Controller and the second one is the MDG�HOL assume-guarantee reduction of the Look-Aside Interface. The obtained results of our approach offer a considerable gain in terms of the correctness of heuristics and reduction techniques as applied to commercial model checking, however a small penalty is paid in terms of CPU time and memory usage.
... An alternative treatment of this transformation can be found in [23]. ...
... Hence, a variety of methods for translation validation arise (cf. [20, 18, 21, 23, 24, 22]), each making choices between the flexibility of the program syntax and the set of possible optimizations that are handled. As details of the optimization are assumed to be unknown, each method employs heuristics to set up an inductive correctness proof for a run of the optimizer. ...
We study two closely related problems: (a) showing that a program transformation is correct and (b) propagating an invariant through a program transformation. The second problem is motivated by an application which utilizes program invariants to improve the quality of compiler optimizations. We show that both problems can be addressed by augmenting a transformation with an auxiliary witness generation procedure. For every application of the transformation, the witness gen-erator constructs a relation which guarantees the correctness of that instance. We show that stuttering simulation is a sound and complete witness format. Completeness means that, under mild conditions, every correct transformation induces a stuttering simulation witness which is strong enough to prove that the transformation is correct. A witness is self-contained, in that its correctness is independent of the optimization procedure which generates it. Any invariant of a source program can be turned into an invariant of the target of a transformation by suitably composing it with its witness. Stuttering simulations readily compose, forming a single witness for a sequence of transformations. Witness gen-eration is simpler than a formal proof of correctness, and it is compre-hensive, unlike the heuristics used for translation validation. We define witnesses for a number of standard compiler optimizations; this exercise shows that witness generators can be implemented quite easily.
... All the instructions labeled on the same transition edge are executed in parallel. The transformations carried out by Spark are called structure-preserving transformations [13], which means it will not change the control structure of the description and not modify the name of variables. ...
The growing design-productivity gap has made designers shift toward using high-level synthesis (HLS) techniques to generate register transfer level design from high-level languages like C/C++. Unfortunately, this translation process is very complex and is prone to introduce bug into the generated design, which can create a mismatch between what a designer intends and what is actually implemented in the circuit. In this paper, we present an efficient approach to validate the result of HLS against the initial high-level program using translation validation techniques. We redefined the bisimulation relation and proposed a novel algorithm based on it. When compared with the existing method, the proposed method can dramatically reduce the number of automated theorem prover (ATP) querying, which will in turn improve the time cost in equivalence validation. Our method is suitable for structure-preserving transformations such as carried out by Spark synthesizer. We have implemented our validating technique and compared it with a state-of-the-art translation validation method of HLS. The promising results show the effectiveness and efficiency of our method.
