
Automated Soundness Proofs for Dataflow Analyses and Transformations via Local Rules



Presentation Transcript


  1. Automated Soundness Proofs for Dataflow Analyses and Transformations via Local Rules Sorin Lerner* Todd Millstein** Erika Rice* Craig Chambers* * University of Washington ** UCLA [graduating this year!]

  2. A traditional compiler
  (diagram: a Compiler box containing Parser, Opt, Opt, Opt, Code Gen)

  3. Using a domain specific language
  (diagram: each Opt in the compiler is replaced by a DSL Opt)

  4. Using a domain specific language
  (diagram: the DSL Opts are run by a DSL Execution engine inside the compiler)

  5.–9. Checking correctness automatically
  (diagram, built up over several animation steps: a Checker is attached to each DSL Opt)

  10.–11. Checking correctness automatically
  (diagram: inside the Checker, a VCGen produces a Verification Condition (VC) that is handed to an Automatic Theorem Prover)

  12. Checking correctness automatically
  (diagram: the DSL Opt is the opt-specific part; the Checker, made of VCGen, the VC, the Automatic Theorem Prover and the Lemma "VC implies correctness", is opt-independent)

  13. Cobalt [PLDI 03]
  • The Cobalt DSL is an instantiation of this architecture
  • An opt written in Cobalt is a rewrite rule triggered by a declarative global condition over the CFG
  • Expressed and automatically proved the correctness of a variety of intraprocedural optimizations, including:
    • const prop and folding, branch folding, CSE, PRE, DAE, partial DAE

  14. In this talk: the Rhodium DSL
  • Increased expressiveness
    • New model for expressing opts: local propagation rules with explicit dataflow facts
    • Heap summaries
    • Infinite analysis domains
    • Flow-sensitive and -insensitive
    • Intraprocedural and interprocedural
  • Some Rhodium opts not expressible in Cobalt:
    • Arithmetic invariant detection, integer range analysis, loop-induction-variable strength reduction, Andersen's may-point-to analysis with allocation-site summaries

  15. Outline
  • Overview
  • Rhodium by example
  • Checking correctness automatically
  • Future work, related work and conclusion

  16. MustPointTo analysis
  a := &b
  c := a
  *c := d
  (diagram: boxes for a, b, c, d with points-to arrows drawn after each statement)

  17. MustPointTo info in Rhodium
  The same program, with the dataflow facts written out explicitly between the statements: mustPointTo(a, b), mustPointTo(c, b), mustPointTo(c, d)

  18. MustPointTo info in Rhodium (animation step of slide 17)

  19. MustPointTo info in Rhodium
  define fact mustPointTo(X:Var,Y:Var)
  a := &b
  c := a
  *c := d

  20. Propagating facts (animation step of slide 19, retitled)

  21. Propagating facts
  define fact mustPointTo(X:Var,Y:Var)
  if currStmt = [X := &Y] then mustPointTo(X,Y)@out
  a := &b    (out: mustPointTo(a, b))
  c := a
  *c := d

  22. Propagating facts (animation step of slide 21)

  23. Propagating facts
  define fact mustPointTo(X:Var,Y:Var)
  if currStmt = [X := &Y] then mustPointTo(X,Y)@out
  if mustPointTo(X,Y)@in ∧ currStmt = [Z := &W] ∧ X ≠ Z then mustPointTo(X,Y)@out
  a := &b    (out: mustPointTo(a, b))
  c := a
  *c := d

  24. Propagating facts
  define fact mustPointTo(X:Var,Y:Var)
  if currStmt = [X := &Y] then mustPointTo(X,Y)@out
  if mustPointTo(X,Y)@in ∧ currStmt = [Z := &W] ∧ X ≠ Z then mustPointTo(X,Y)@out
  if mustPointTo(X,Y)@in ∧ currStmt = [Z := X] then mustPointTo(Z,Y)@out
  a := &b    (out: mustPointTo(a, b))
  c := a     (out: mustPointTo(a, b), mustPointTo(c, b))
  *c := d

  25. Propagating facts (animation step of slide 24)

  26. Transformations (same rules and facts as slide 24, retitled)

  27. Transformations
  define fact mustPointTo(X:Var,Y:Var)
  if mustPointTo(X,Y)@in ∧ currStmt = [*X := Z] then transform to [Y := Z]
  a := &b    (out: mustPointTo(a, b))
  c := a     (out: mustPointTo(a, b), mustPointTo(c, b))
  *c := d    (transformed to b := d)

  28. Semantics of a Rhodium opt
  • Run all the propagation rules using optimistic iterative analysis, starting with the complete set of facts, until the best fixed point is reached
  • Then run all transformation rules
  • For better precision, combine analyses and transformations using our previous composition framework [POPL 02]

  29. More in Rhodium (see paper for details)
  • Mixing facts
  • Heap summaries
  • MayPointTo analysis via MustNotPointTo
  • Infinite domains
  • Flow-sensitive and -insensitive
  • Intraprocedural and interprocedural

  30. Outline
  • Overview
  • Rhodium by example
  • Checking correctness automatically
  • Future work, related work and conclusion

  31. Rhodium correctness checker
  (diagram: a Rhodium optimization enters the Checker; inside it, VCGen produces a VC that is handed to an Automatic theorem prover, backed by the Lemma: VC ⇒ correctness; the Checker is opt-independent)

  32. Rhodium correctness checker
  (same diagram, with the Rhodium optimization shown as its rules:)
  define fact …
  if … then …
  if … then transform …

  33. Rhodium correctness checker
  (diagram, refined: VCGen now emits one Local VC per rule, the IL semantics axioms are fed to the Automatic theorem prover, and the opt-independent lemma becomes Lemma: Local VCs ⇒ correctness)

  34. Local correctness of prop. rules
  define fact mustPointTo(X:Var,Y:Var)
  if mustPointTo(X,Y)@in ∧ currStmt = [Z := X] then mustPointTo(Z,Y)@out
  (diagram: the statement Z := X with mustPointTo(X, Y) above it and mustPointTo(Z, Y) below it)

  35. Local correctness of prop. rules
  define fact mustPointTo(X:Var,Y:Var) with meaning ⟦X == &Y⟧
  if mustPointTo(X,Y)@in ∧ currStmt = [Z := X] then mustPointTo(Z,Y)@out
  Local VC sent to ATP:
  if ⟦X == &Y⟧(in) ∧ in →[Z := X] out then ⟦Z == &Y⟧(out)
  (diagram: the concrete states in and out around Z := X; in the in state X points to Y, and the question mark asks whether Z points to Y in the out state)

  36. Local correctness of trans. rules
  define fact mustPointTo(X:Var,Y:Var) with meaning ⟦X == &Y⟧
  if mustPointTo(X,Y)@in ∧ currStmt = [*X := Z] then transform to [Y := Z]
  Local VC sent to ATP:
  if ⟦X == &Y⟧(in) ∧ in →[*X := Z] out ∧ in →[Y := Z] out′ then out = out′
  (diagram: the in state with X pointing to Y, stepped through both *X := Z and Y := Z, and the question mark asking whether the two out states agree)

  37. More on correctness (see paper for details)
  • Heap summaries
  • Separating profitability from correctness
  • Theorem stating soundness of the framework for creating interprocedural and flow-insensitive analyses

  38. Outline
  • Overview
  • Rhodium by example
  • Checking correctness automatically
  • Future work, related work and conclusion

  39. Current and future work
  • Backward optimizations
  • Infer rules from just the dataflow fact declarations and their meanings
  • Debugging
  • Efficient execution engine

  40. Some related work
  • Proving correctness by hand
    • Abstract interpretation [Cousot and Cousot 77, 79]
    • Partial equivalence relations [Benton 04]
    • Temporal logic [Lacey et al. 02]
  • Proving correctness with interactive theorem prover
    • Using Coq proof assistant [Cachera et al. 04]
  • Testing correctness one compilation at a time
    • Translation validation [Pnueli et al. 98, Necula 00]
    • Credible compilation [Rinard 99]
  • Execution engines
    • Incremental execution of transformations [Sittampalam et al. 04]
    • Running opts specified with temporal logic [Steffen 91]

  41. Conclusion
  • Local rules in Rhodium are more expressive than Cobalt’s global condition
  • The correctness checker found subtle bugs in our Rhodium opts
  • Good step towards pushing more of the burden of writing compilers on to the computer
