provably correct compilers (part 2) nazrul alam and krishnaprasad vikram april 21, 2005
Post on 21-Dec-2015
224 views
TRANSCRIPT
![Page 1: Provably Correct Compilers (Part 2) Nazrul Alam and Krishnaprasad Vikram April 21, 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649d6b5503460f94a4a44a/html5/thumbnails/1.jpg)
Provably Correct Compilers (Part 2)
Nazrul Alam and Krishnaprasad Vikram
April 21, 2005
![Page 2: Provably Correct Compilers (Part 2) Nazrul Alam and Krishnaprasad Vikram April 21, 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649d6b5503460f94a4a44a/html5/thumbnails/2.jpg)
Automated Soundness Proofs for Dataflow Analyses and Transformations via Local
Rules (Rhodium Paper)
Sorin Lerner, Todd Millstein, Erika Rice, Craig Chambers
Today’s Focus…
![Page 3: Provably Correct Compilers (Part 2) Nazrul Alam and Krishnaprasad Vikram April 21, 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649d6b5503460f94a4a44a/html5/thumbnails/3.jpg)
Rhodium: Successor of Cobalt
• Increased expressiveness– New model for expressing opts: local propagation
rules with explicit dataflow facts– Heap summaries– Infinite analysis domains– Flow-sensitive and -insensitive– Intraprocedural and interprocedural
• Some Rhodium opts not expressible in Cobalt:– Arithmetic invariant detection, integer range analysis,
loop-induction-variable strength reduction, Andersen's may-point-to analysis with allocation-site summaries
![Page 4: Provably Correct Compilers (Part 2) Nazrul Alam and Krishnaprasad Vikram April 21, 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649d6b5503460f94a4a44a/html5/thumbnails/4.jpg)
Recap from Last Class
• Optimization needs analysis.
• Each analysis is formulated as a global path condition in Cobalt.
• In Rhodium it is done with local rules.
![Page 5: Provably Correct Compilers (Part 2) Nazrul Alam and Krishnaprasad Vikram April 21, 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649d6b5503460f94a4a44a/html5/thumbnails/5.jpg)
Similarities with Cobalt…(Also helpful for refreshing your
memory..:)
![Page 6: Provably Correct Compilers (Part 2) Nazrul Alam and Krishnaprasad Vikram April 21, 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649d6b5503460f94a4a44a/html5/thumbnails/6.jpg)
Checker
Written by programmer
Given
Rhodium Execution engine
RdmOpt
RdmOpt
RdmOpt
![Page 7: Provably Correct Compilers (Part 2) Nazrul Alam and Krishnaprasad Vikram April 21, 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649d6b5503460f94a4a44a/html5/thumbnails/7.jpg)
Checker
Written by programmer
Given
Rhodium Execution engine
RdmOpt
RdmOpt
RdmOpt
![Page 8: Provably Correct Compilers (Part 2) Nazrul Alam and Krishnaprasad Vikram April 21, 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649d6b5503460f94a4a44a/html5/thumbnails/8.jpg)
RdmOpt
RdmOpt
RdmOpt
Checker Checker Checker
![Page 9: Provably Correct Compilers (Part 2) Nazrul Alam and Krishnaprasad Vikram April 21, 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649d6b5503460f94a4a44a/html5/thumbnails/9.jpg)
CheckerChecker CheckerChecker CheckerChecker
Exec
Compiler
Rhodium Execution engine
RdmOpt
RdmOpt
RdmOpt
if (…) { x := …;} else { y := …;}…;
Checker Checker Checker
![Page 10: Provably Correct Compilers (Part 2) Nazrul Alam and Krishnaprasad Vikram April 21, 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649d6b5503460f94a4a44a/html5/thumbnails/10.jpg)
Verification Task
AutomaticTheoremProver
Rdm Opt
Verification Task
Checker
Show that for any original program:
behavior oforiginal program
=
behavior ofoptimized program
Verification Task
![Page 11: Provably Correct Compilers (Part 2) Nazrul Alam and Krishnaprasad Vikram April 21, 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649d6b5503460f94a4a44a/html5/thumbnails/11.jpg)
Verification Task
AutomaticTheoremProver
Rdm Opt
Verification Task
Verification Task
![Page 12: Provably Correct Compilers (Part 2) Nazrul Alam and Krishnaprasad Vikram April 21, 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649d6b5503460f94a4a44a/html5/thumbnails/12.jpg)
Verification Task
AutomaticTheoremProver
Rdm Opt
Verification Task
Verification Task
![Page 13: Provably Correct Compilers (Part 2) Nazrul Alam and Krishnaprasad Vikram April 21, 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649d6b5503460f94a4a44a/html5/thumbnails/13.jpg)
Three techniques to simplify Verification Task
1. Rhodium is declarative• no loops, no branches,
no program counter• declare intent using
rules• execution engine takes
care of the rest
AutomaticTheoremProver
Rdm Opt
![Page 14: Provably Correct Compilers (Part 2) Nazrul Alam and Krishnaprasad Vikram April 21, 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649d6b5503460f94a4a44a/html5/thumbnails/14.jpg)
Three techniques to simplify Verification Task
1. Rhodium is declarative• no loops, no branches,
no program counter• declare intent using
rules• execution engine takes
care of the rest
AutomaticTheoremProver
Rdm Opt
![Page 15: Provably Correct Compilers (Part 2) Nazrul Alam and Krishnaprasad Vikram April 21, 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649d6b5503460f94a4a44a/html5/thumbnails/15.jpg)
Three techniques to simplify Verification Task
1. Rhodium is declarative
2. Factor out heuristics– legal transformations– vs. profitable
transformations
AutomaticTheoremProver
Rdm OptHeuristics not
affecting correctnessPart that must be reasoned
about
![Page 16: Provably Correct Compilers (Part 2) Nazrul Alam and Krishnaprasad Vikram April 21, 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649d6b5503460f94a4a44a/html5/thumbnails/16.jpg)
Three techniques to simplify Verification Task
AutomaticTheoremProver
1. Rhodium is declarative
2. Factor out heuristics– legal transformations– vs. profitable
transformations
Heuristics not affecting correctness
Part that must be reasoned
about
![Page 17: Provably Correct Compilers (Part 2) Nazrul Alam and Krishnaprasad Vikram April 21, 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649d6b5503460f94a4a44a/html5/thumbnails/17.jpg)
Three techniques to simplify Verification Task
1. Rhodium is declarative
2. Factor out heuristics
3. Split verification task– opt-dependent– vs. opt-independent
AutomaticTheoremProver
opt-dependent
opt-independent
![Page 18: Provably Correct Compilers (Part 2) Nazrul Alam and Krishnaprasad Vikram April 21, 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649d6b5503460f94a4a44a/html5/thumbnails/18.jpg)
Three techniques to simplify Verification Task
1. Rhodium is declarative
2. Factor out heuristics
3. Split verification task– opt-dependent– vs. opt-independent
AutomaticTheoremProver
![Page 19: Provably Correct Compilers (Part 2) Nazrul Alam and Krishnaprasad Vikram April 21, 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649d6b5503460f94a4a44a/html5/thumbnails/19.jpg)
Three techniques to simplify Verification Task
AutomaticTheoremProver
1. Rhodium is declarative
2. Factor out heuristics
3. Split verification task– opt-dependent– vs. opt-independent
![Page 20: Provably Correct Compilers (Part 2) Nazrul Alam and Krishnaprasad Vikram April 21, 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649d6b5503460f94a4a44a/html5/thumbnails/20.jpg)
Three techniques to simplify Verification Task
AutomaticTheoremProver
1. Rhodium is declarative
2. Factor out heuristics
3. Split verification task
Result:• Expressive language• Automated
correctness checking
![Page 21: Provably Correct Compilers (Part 2) Nazrul Alam and Krishnaprasad Vikram April 21, 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649d6b5503460f94a4a44a/html5/thumbnails/21.jpg)
Where is the difference?
Rohodium’s local rules are different from Cobalt’s global condition
Then how exactly Rhodium works?
![Page 22: Provably Correct Compilers (Part 2) Nazrul Alam and Krishnaprasad Vikram April 21, 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649d6b5503460f94a4a44a/html5/thumbnails/22.jpg)
MustPointTo analysis
c = a
a = &b
d = *c
a b
ca b
d = b
![Page 23: Provably Correct Compilers (Part 2) Nazrul Alam and Krishnaprasad Vikram April 21, 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649d6b5503460f94a4a44a/html5/thumbnails/23.jpg)
MustPointTo info in Rhodium
c = a
a = &b
mustPointTo (a, b)
ca b mustPointTo (a, b)
mustPointTo (c, b)
a b
d = *c
![Page 24: Provably Correct Compilers (Part 2) Nazrul Alam and Krishnaprasad Vikram April 21, 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649d6b5503460f94a4a44a/html5/thumbnails/24.jpg)
MustPointTo info in Rhodium
c = a
a = &b
d = *c
ca b mustPointTo (a, b)
mustPointTo (c, b)
c = a
a = &b
d = *c
ca b mustPointTo (a, b)
mustPointTo (c, b)
mustPointTo (a, b)a ba b mustPointTo (a, b)
![Page 25: Provably Correct Compilers (Part 2) Nazrul Alam and Krishnaprasad Vikram April 21, 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649d6b5503460f94a4a44a/html5/thumbnails/25.jpg)
MustPointTo info in Rhodiumdefine fact mustPointTo(X:Var,Y:Var)with meaning σ( X)== σ(&Y)
c = a
a = &b
d = *c
ca b mustPointTo (a, b)
mustPointTo (c, b)
mustPointTo (a, b)a bFact correct on edge if:
whenever program execution reaches edge, meaning of fact evaluates to true in the program state
![Page 26: Provably Correct Compilers (Part 2) Nazrul Alam and Krishnaprasad Vikram April 21, 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649d6b5503460f94a4a44a/html5/thumbnails/26.jpg)
Propagating facts
c = a
a = &b
d = *c
ca b mustPointTo (a, b)
mustPointTo (c, b)
define fact mustPointTo(X:Var,Y:Var)with meaning σ(X)== σ(&Y)
mustPointTo (a, b)a b
![Page 27: Provably Correct Compilers (Part 2) Nazrul Alam and Krishnaprasad Vikram April 21, 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649d6b5503460f94a4a44a/html5/thumbnails/27.jpg)
a = &bif currStmt == [X = &Y]then mustPointTo(X,Y)@out
Propagating facts
c = a
a = &b
d = *c
ca b mustPointTo (a, b)
mustPointTo (c, b)
if currStmt == [X = &Y]then mustPointTo(X,Y)@out
define fact mustPointTo(X:Var,Y:Var)with meaning σ(X) == σ(&Y)
mustPointTo (a, b)a b
![Page 28: Provably Correct Compilers (Part 2) Nazrul Alam and Krishnaprasad Vikram April 21, 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649d6b5503460f94a4a44a/html5/thumbnails/28.jpg)
if currStmt == [X = &Y] then mustPointTo(X,Y)@out
Propagating facts
c = a
a = &b
d = *c
ca b mustPointTo (a, b)
mustPointTo (c, b)
define fact mustPointTo(X:Var,Y:Var)with meaning σ(X) == σ(&Y)
mustPointTo (a, b)a b
![Page 29: Provably Correct Compilers (Part 2) Nazrul Alam and Krishnaprasad Vikram April 21, 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649d6b5503460f94a4a44a/html5/thumbnails/29.jpg)
c = ac = a
Propagating facts
a = &b
d = *c
ca b mustPointTo (a, b)
mustPointTo (c, b)
if mustPointTo(X,Y)@in currStmt == [Z = X]
then mustPointTo(Z,Y)@out
mustPointTo (c, b)
define fact mustPointTo(X:Var,Y:Var)with meaning σ(X) == σ(&Y)
if currStmt == [X = &Y] then mustPointTo(X,Y)@out
mustPointTo (a, b)a b mustPointTo (a, b)
![Page 30: Provably Correct Compilers (Part 2) Nazrul Alam and Krishnaprasad Vikram April 21, 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649d6b5503460f94a4a44a/html5/thumbnails/30.jpg)
Propagating facts
c = a
a = &b
d = *c
ca b mustPointTo (a, b)
mustPointTo (c, b)
define fact mustPointTo(X:Var,Y:Var)with meaning σ(X )== σ(&Y)
if currStmt == [X = &Y] then mustPointTo(X,Y)@out
if mustPointTo(X,Y)@in currStmt == [Z = X]
then mustPointTo(Z,Y)@out
mustPointTo (a, b)a b
![Page 31: Provably Correct Compilers (Part 2) Nazrul Alam and Krishnaprasad Vikram April 21, 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649d6b5503460f94a4a44a/html5/thumbnails/31.jpg)
d = *cd = *c
Transformations
c = a
a = &b
ca b mustPointTo (a, b)
mustPointTo (c, b) if mustPointTo(X,Y)@in currStmt == [Z = *X]
then transform to [Z = Y]
mustPointTo (c, b)
d = b
define fact mustPointTo(X:Var,Y:Var)with meaning σ(X )== σ(&Y)
if currStmt == [X = &Y] then mustPointTo(X,Y)@out
if mustPointTo(X,Y)@in currStmt == [Z = X]
then mustPointTo(Z,Y)@out
mustPointTo (a, b)a b
![Page 32: Provably Correct Compilers (Part 2) Nazrul Alam and Krishnaprasad Vikram April 21, 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649d6b5503460f94a4a44a/html5/thumbnails/32.jpg)
d = *c
Transformations
c = a
a = &b
ca b mustPointTo (a, b)
mustPointTo (c, b) if mustPointTo(X,Y)@in currStmt == [Z = *X]
then transform to [Z = Y]d = b
define fact mustPointTo(X:Var,Y:Var)with meaning σ(X )== σ(&Y)
if currStmt == [X = &Y] then mustPointTo(X,Y)@out
if mustPointTo(X,Y)@in currStmt == [Z = X]
then mustPointTo(Z,Y)@out
mustPointTo (a, b)a b
![Page 33: Provably Correct Compilers (Part 2) Nazrul Alam and Krishnaprasad Vikram April 21, 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649d6b5503460f94a4a44a/html5/thumbnails/33.jpg)
Semantics of a Rhodium opt
• Run propagation rules in a loop until there are no more changes (optimistic iterative analysis)
• Then run transformation rules
• Then run profitability heuristics
• For better precision, combine propagation rules and transformations rules.
![Page 34: Provably Correct Compilers (Part 2) Nazrul Alam and Krishnaprasad Vikram April 21, 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649d6b5503460f94a4a44a/html5/thumbnails/34.jpg)
Rhodium is more expressive
![Page 35: Provably Correct Compilers (Part 2) Nazrul Alam and Krishnaprasad Vikram April 21, 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649d6b5503460f94a4a44a/html5/thumbnails/35.jpg)
Cobalt: Simple Pointer Analysis
![Page 36: Provably Correct Compilers (Part 2) Nazrul Alam and Krishnaprasad Vikram April 21, 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649d6b5503460f94a4a44a/html5/thumbnails/36.jpg)
Rhodium version..
![Page 37: Provably Correct Compilers (Part 2) Nazrul Alam and Krishnaprasad Vikram April 21, 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649d6b5503460f94a4a44a/html5/thumbnails/37.jpg)
And Rhodium can do more…
…..Can not be expressed in Cobalt
![Page 38: Provably Correct Compilers (Part 2) Nazrul Alam and Krishnaprasad Vikram April 21, 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649d6b5503460f94a4a44a/html5/thumbnails/38.jpg)
Arithmetic Simplification Optimization
![Page 39: Provably Correct Compilers (Part 2) Nazrul Alam and Krishnaprasad Vikram April 21, 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649d6b5503460f94a4a44a/html5/thumbnails/39.jpg)
Arithmetic Simplification Optimization (Cont.)
![Page 40: Provably Correct Compilers (Part 2) Nazrul Alam and Krishnaprasad Vikram April 21, 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649d6b5503460f94a4a44a/html5/thumbnails/40.jpg)
Loop induction-variable strength reduction
![Page 41: Provably Correct Compilers (Part 2) Nazrul Alam and Krishnaprasad Vikram April 21, 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649d6b5503460f94a4a44a/html5/thumbnails/41.jpg)
Loop induction-variable strength reduction (cont.)
![Page 42: Provably Correct Compilers (Part 2) Nazrul Alam and Krishnaprasad Vikram April 21, 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649d6b5503460f94a4a44a/html5/thumbnails/42.jpg)
Checking Rhodium optimizations
![Page 43: Provably Correct Compilers (Part 2) Nazrul Alam and Krishnaprasad Vikram April 21, 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649d6b5503460f94a4a44a/html5/thumbnails/43.jpg)
Exec
Compiler
Rhodium Execution engine
RdmOpt
RdmOpt
if (…) { x := …;} else { y := …;}…;
Checker Checker
Rhodium correctness checker
RdmOpt
Checker
![Page 44: Provably Correct Compilers (Part 2) Nazrul Alam and Krishnaprasad Vikram April 21, 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649d6b5503460f94a4a44a/html5/thumbnails/44.jpg)
Rhodium correctness checker
Checker
CheckerRdmOpt
![Page 45: Provably Correct Compilers (Part 2) Nazrul Alam and Krishnaprasad Vikram April 21, 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649d6b5503460f94a4a44a/html5/thumbnails/45.jpg)
Checker
Rhodium correctness checker
Automatic theorem prover
RdmOpt
Checker
![Page 46: Provably Correct Compilers (Part 2) Nazrul Alam and Krishnaprasad Vikram April 21, 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649d6b5503460f94a4a44a/html5/thumbnails/46.jpg)
Rhodium correctness checker
Automatic theorem prover
definefact …
if …then transform …
if …then …
Checker
Profitability heuristics
Rhodium optimization
![Page 47: Provably Correct Compilers (Part 2) Nazrul Alam and Krishnaprasad Vikram April 21, 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649d6b5503460f94a4a44a/html5/thumbnails/47.jpg)
Rhodium correctness checker
Automatic theorem prover
Rhodium optimization
definefact …
if …then transform …
if …then …
Checker
![Page 48: Provably Correct Compilers (Part 2) Nazrul Alam and Krishnaprasad Vikram April 21, 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649d6b5503460f94a4a44a/html5/thumbnails/48.jpg)
Rhodium correctness checker
Automatic theorem prover
Rhodium optimization
definefact …
VCGen
LocalVC
LocalVC
LemmaFor any Rhodium opt:
If Local VCs are trueThen opt is correct
Proof
«¬
$
\ rt l
Checker
Opt-dependent
Opt-independent
VCGen
if …then …
if …then transform …
![Page 49: Provably Correct Compilers (Part 2) Nazrul Alam and Krishnaprasad Vikram April 21, 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649d6b5503460f94a4a44a/html5/thumbnails/49.jpg)
Local correctness of prop. rules
currStmt == [Z = X]
then mustPointTo(Z,Y)@out
if mustPointTo(X,Y)@in
define fact mustPointTo(X,Y)with meaning σ(X) == σ(&Y)
Fact correct on edge iff:
whenever program execution reaches edge, meaning of fact evaluates to true in the program state
![Page 50: Provably Correct Compilers (Part 2) Nazrul Alam and Krishnaprasad Vikram April 21, 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649d6b5503460f94a4a44a/html5/thumbnails/50.jpg)
Local correctness of prop. rules
currStmt == [Z = X]
then mustPointTo(Z,Y)@out
Local VC (generated and proven automatically)
if mustPointTo(X,Y)@in
define fact mustPointTo(X,Y)with meaning σ(X)==σ(&Y)
Assume:
Propagated factis correct
Show:
All incoming facts are correct
Show: Z == &Y (out)
X == &Y (in)
out= step (in , [Z = X] )
Assume:
![Page 51: Provably Correct Compilers (Part 2) Nazrul Alam and Krishnaprasad Vikram April 21, 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649d6b5503460f94a4a44a/html5/thumbnails/51.jpg)
Local correctness of prop. rules
Show: Z == &Y (out)
X == &Y (in)
out= step (in , [Z = X] )
Assume:
Local VC (generated and proven automatically)
define fact mustPointTo(X,Y)with meaning X == &Y
currStmt == [Z = X]
then mustPointTo(Z,Y)@out
if mustPointTo(X,Y)@in
![Page 52: Provably Correct Compilers (Part 2) Nazrul Alam and Krishnaprasad Vikram April 21, 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649d6b5503460f94a4a44a/html5/thumbnails/52.jpg)
Evaluation
![Page 53: Provably Correct Compilers (Part 2) Nazrul Alam and Krishnaprasad Vikram April 21, 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649d6b5503460f94a4a44a/html5/thumbnails/53.jpg)
Dimensions of evaluation
• Correctness guarantees
• Usefulness of the checker
• Expressiveness
![Page 54: Provably Correct Compilers (Part 2) Nazrul Alam and Krishnaprasad Vikram April 21, 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649d6b5503460f94a4a44a/html5/thumbnails/54.jpg)
Correctness guarantees
• Once checked, optimizations are guaranteed to be correct
• Caveat: trusted computing base– execution engine– checker implementation– proofs done by hand once by Lerner.
• Adding a new optimization does not increase the size of the trusted computing base
• Ease of use• Guarantees• Usefulness• Expressiveness
![Page 55: Provably Correct Compilers (Part 2) Nazrul Alam and Krishnaprasad Vikram April 21, 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649d6b5503460f94a4a44a/html5/thumbnails/55.jpg)
Usefulness of the checker
• Found subtle bugs in Lerner’s initial implementation of various optimizations
define fact equals(X:Var, E:Expr)with meaning σ(X) == σ(E)
if currStmt == [X = E] then equals(X,E)@out
x := x + 1x = x + 1
equals (x , x + 1)
• Ease of use• Guarantees• Usefulness• Expressiveness
![Page 56: Provably Correct Compilers (Part 2) Nazrul Alam and Krishnaprasad Vikram April 21, 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649d6b5503460f94a4a44a/html5/thumbnails/56.jpg)
if currStmt == [X = E] then equals(X,E)@outif currStmt == [X = E] “X does not appear in E”then equals(X,E)@out
Usefulness of the checker
• Found subtle bugs in Lerner’s initial implementation of various optimizations
define fact equals(X:Var, E:Expr)with meaning σ(X) == σ(E) x := x + 1x = x + 1
equals (x , x + 1)
• Ease of use• Guarantees• Usefulness• Expressiveness
![Page 57: Provably Correct Compilers (Part 2) Nazrul Alam and Krishnaprasad Vikram April 21, 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649d6b5503460f94a4a44a/html5/thumbnails/57.jpg)
x = x + 1x = x + 1x = *y + 1
Usefulness of the checker
• Found subtle bugs in Lerner’s initial implementation of various optimizations
define fact equals(X:Var, E:Expr)with meaning σ(X) == σ(E)
if currStmt == [X = E] Æ “X does not appear in E”then equals(X,E)@out
equals (x , x + 1)equals (x , *y + 1)if currStmt == [X = E] “E does not use X”then equals(X,E)@out
• Ease of use• Guarantees• Usefulness• Expressiveness
![Page 58: Provably Correct Compilers (Part 2) Nazrul Alam and Krishnaprasad Vikram April 21, 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649d6b5503460f94a4a44a/html5/thumbnails/58.jpg)
Rhodium expressiveness
• Traditional optimizations:– const prop and folding, branch folding, dead assignment elim,
common sub-expression elim, partial redundancy elim, partial dead assignment elim, arithmetic invariant detection, and integer range analysis.
• Pointer analyses– must-point-to analysis, Andersen's may-point-to analysis with
heap summaries
• Loop opts– loop-induction-variable strength reduction, code hoisting, code
sinking
• Array opts– constant propagation through array elements, redundant array
load elimination
• Ease of use• Guarantees• Usefulness• Expressiveness
![Page 59: Provably Correct Compilers (Part 2) Nazrul Alam and Krishnaprasad Vikram April 21, 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649d6b5503460f94a4a44a/html5/thumbnails/59.jpg)
Expressiveness limitations
• May not be able to express your optimization in Rhodium– opts that build complicated data structures– opts that perform complicated many-to-many
transformations (e.g.: loop fusion, loop unrolling)
• A correct Rhodium optimization may be rejected by the correctness checker – limitations of the theorem prover– limitations of first-order logic
• Ease of use• Guarantees• Usefulness• Expressiveness
![Page 60: Provably Correct Compilers (Part 2) Nazrul Alam and Krishnaprasad Vikram April 21, 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649d6b5503460f94a4a44a/html5/thumbnails/60.jpg)
Summary
• Rhodium system– makes it easier to write optimizations– provides correctness guarantees– is expressive enough for realistic optimizations
• Rhodium system provides a foundation for safe extensible program manipulators
![Page 61: Provably Correct Compilers (Part 2) Nazrul Alam and Krishnaprasad Vikram April 21, 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649d6b5503460f94a4a44a/html5/thumbnails/61.jpg)
Future works
• Overcome the limitation of Rhodium– opts that build complicated data structures– opts that perform complicated many-to-many
transformations (e.g.: loop fusion, loop unrolling)
• Overcoming the limitation of theorem prover– Simplify is conservative– Using higher order logic?
![Page 62: Provably Correct Compilers (Part 2) Nazrul Alam and Krishnaprasad Vikram April 21, 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649d6b5503460f94a4a44a/html5/thumbnails/62.jpg)
Future works..
• Automatically infer the whole compiler from a high level specification– Infer analyses– Infer transformations– Program optimizations by demonstration– Automatically pick good data representations– Automatically explore the tradeoffs between
scalability and precision
![Page 63: Provably Correct Compilers (Part 2) Nazrul Alam and Krishnaprasad Vikram April 21, 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649d6b5503460f94a4a44a/html5/thumbnails/63.jpg)
References
• Correctness– By hand [Cousot and Cousot 77, 79, Benton 04, Lacey et al. 02]– With interactive theorem prover [Cachera et al. 04]– One compilation at a time [Pnueli et al. 98, Necula 00, Rinard
99]
• Declarative languages for writing transformations– Attribute grammars [Reps and Teitelbaum 88]– Temporal logic [Steffen 91, Lacey et al. 02]
• Execution engines– Incremental execution of transformations [Sittampalam et al. 04]– Running opts specified with temporal logic [Steffen 91]
![Page 64: Provably Correct Compilers (Part 2) Nazrul Alam and Krishnaprasad Vikram April 21, 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649d6b5503460f94a4a44a/html5/thumbnails/64.jpg)
More facts
define fact mustNotPointTo(X:Var,Y:Var)with meaning σ (X) σ (&Y)
define fact hasConstantValue(X:Var,C:Const)with meaning σ(X) == C
define fact doesNotPointIntoHeap(X:Var)with meaning Y:Var and σ (X) == σ (&Y)
![Page 65: Provably Correct Compilers (Part 2) Nazrul Alam and Krishnaprasad Vikram April 21, 2005](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649d6b5503460f94a4a44a/html5/thumbnails/65.jpg)
More rules
if currStmt == [X = *A] mustNotPointToHeap(A)@in B:Var . mayPointTo(A,B)@in
mustNotPointTo(B,Y)then mustNotPointTo(X,Y)@out