alive provably correct instcombine optimizations
play

Alive: Provably Correct InstCombine Optimizations David Menendez - PowerPoint PPT Presentation

Apr 05, 2024 •148 likes •893 views

Alive: Provably Correct InstCombine Optimizations David Menendez John Regehr Santosh Nagarakatte University of Utah Rutgers University Nuno Lopes Microsoft Research Can We Trust Compilers? Any large software project will have bugs

  1. Alive: Provably Correct InstCombine Optimizations David Menendez John Regehr Santosh Nagarakatte University of Utah Rutgers University Nuno Lopes Microsoft Research

  2. Can We Trust Compilers? • Any large software project will have bugs • LLVM is no exception • CSmith project found 203 bugs by random testing • InstCombine is especially buggy 2

  3. 3

  4. 4

  5. 5

  6. 6

  7. 7

  8. 8

  9. 9

  10. 10

  11. 11

  12. 12

  13. 13

  14. 14

  15. 15

  16. Why Is InstCombine Buggy? • It’s huge: • over 20,000 lines of code • visitICmpInst alone is 924 lines • Complicated to write • LLVM Semantics are subtle • Hard to tell when the code is correct 16

  17. For example…

  18. { Value *Op1C = Op1; BinaryOperator *BO = dyn_cast<BinaryOperator>(Op0); if (!BO || (BO->getOpcode() != Instruction::UDiv && BO->getOpcode() != Instruction::SDiv)) { Op1C = Op0; BO = dyn_cast<BinaryOperator>(Op1); } Value *Neg = dyn_castNegVal(Op1C); if (BO && BO->hasOneUse() && (BO->getOperand(1) == Op1C || BO->getOperand(1) == Neg) && (BO->getOpcode() == Instruction::UDiv || BO->getOpcode() == Instruction::SDiv)) { Value *Op0BO = BO->getOperand(0), *Op1BO = BO->getOperand(1); // If the division is exact, X % Y is zero, so we end up with X or -X. if (PossiblyExactOperator *SDiv = dyn_cast<PossiblyExactOperator>(BO)) if (SDiv->isExact()) { if (Op1BO == Op1C) return ReplaceInstUsesWith(I, Op0BO); return BinaryOperator::CreateNeg(Op0BO); } Value *Rem; if (BO->getOpcode() == Instruction::UDiv) Rem = Builder->CreateURem(Op0BO, Op1BO); else Rem = Builder->CreateSRem(Op0BO, Op1BO); Rem->takeName(BO); if (Op1BO == Op1C) return BinaryOperator::CreateSub(Op0BO, Rem); return BinaryOperator::CreateSub(Rem, Op0BO); } } 18

  19. // (X / Y) * Y = X - (X % Y) // (X / Y) * -Y = (X % Y) - X { Value *Op1C = Op1; BinaryOperator *BO = dyn_cast<BinaryOperator>(Op0); if (!BO || Improve transition to next slide (BO->getOpcode() != Instruction::UDiv && BO->getOpcode() != Instruction::SDiv)) { Op1C = Op0; BO = dyn_cast<BinaryOperator>(Op1); } Value *Neg = dyn_castNegVal(Op1C); if (BO && BO->hasOneUse() && (BO->getOperand(1) == Op1C || BO->getOperand(1) == Neg) && (BO->getOpcode() == Instruction::UDiv || BO->getOpcode() == Instruction::SDiv)) { Value *Op0BO = BO->getOperand(0), *Op1BO = BO->getOperand(1); // If the division is exact, X % Y is zero, so we end up with X or -X. if (PossiblyExactOperator *SDiv = dyn_cast<PossiblyExactOperator>(BO)) if (SDiv->isExact()) { if (Op1BO == Op1C) return ReplaceInstUsesWith(I, Op0BO); return BinaryOperator::CreateNeg(Op0BO); } Value *Rem; if (BO->getOpcode() == Instruction::UDiv) Rem = Builder->CreateURem(Op0BO, Op1BO); else Rem = Builder->CreateSRem(Op0BO, Op1BO); Rem->takeName(BO); if (Op1BO == Op1C) return BinaryOperator::CreateSub(Op0BO, Rem); return BinaryOperator::CreateSub(Rem, Op0BO); } } 19

  20. Flags can be confusing…

  21. Is This Valid? %L = mul nsw i8 %A, %B %R = mul nsw i8 %B, %C %I = mul nsw i8 %L, %C %I = mul nsw i8 %A, %R Seemingly just (A × B) × C = A × (B × C) 21

  22. Is This Valid? %A = -1, %B = 4, %C = 32 %L = mul nsw i8 %A, %B %R = mul nsw i8 %B, %C %I = mul nsw i8 %L, %C %I = mul nsw i8 %A, %R %L = -4 %I = -128 22

  23. Is This Valid? %A = -1, %B = 4, %C = 32 %L = mul nsw i8 %A, %B %R = mul nsw i8 %B, %C %I = mul nsw i8 %L, %C %I = mul nsw i8 %A, %R %L = -4 %R = poison %I = -128 %I = poison 23

  24. Is This Valid? %A = -1, %B = 4, %C = 32 %L = mul nsw i8 %A, %B %R = mul i8 %B, %C %I = mul nsw i8 %L, %C %I = mul nsw i8 %A, %R %L = -4 %R = -128 %I = -128 %I = poison 24

  25. Is This Valid? %A = -1, %B = 4, %C = 32 %L = mul nsw i8 %A, %B %R = mul i8 %B, %C %I = mul nsw i8 %L, %C %I = mul i8 %A, %R %L = -4 %R = -128 %I = -128 %I = -128 25

  26. …but flags are also essential

  27. Flags Aid Optimization %C = mul i8 %A, %B %R = sdiv i8 %C, %B R = (A × B)÷B Is R = A? 27

  28. Flags Aid Optimization %A = 100, %B = 100 %C = mul i8 %A, %B %R = sdiv i8 %C, %B %C = 10000 %R = 100 28

  29. Flags Aid Optimization %A = 100, %B = 100 %C = mul i8 %A, %B %R = sdiv i8 %C, %B %C = 10000 %R = 100 Too big for i8! 29

  30. Flags Aid Optimization %C = mul i8 %A, %B %R = sdiv i8 %C, %B We could do this if we knew that A × B fits in 8 bits 30

  31. Flags Aid Optimization More context for why flags are helpful and where they are generated (C) %C = mul nsw i8 %A, %B %R = sdiv i8 %C, %B We could do this if we knew that A × B fits in 8 bits …which is just what NSW/NUW are for 31

  32. Outline • Motivation • Introducing Alive • Language Overview • Automated Verification • Code Generation • Conclusion 32

  33. Alive: Fast, Safe, Easy Slower here Name: sdiv exact %a = sdiv exact %x, %y %r = mul %a, %y • Write optimizations in LLVM-like => DSL %r = %x • Automatically verify correctness Name: sdiv inexact %a = sdiv %x, %y • Automatically generate C++ %r = mul %a, %y code => %b = srem %x, %y %r = sub %x, %b Partial translation 33

  34. Prove Optimizations Correct Alive SMT Alive DSL Queries Analysis Alive handles all the tricky corners of LLVM’s IR 34

  35. Automatic Code Generation Alive C++ Alive LLVM DSL Alive writes your InstCombine code for you 35

  36. Why Alive? • Use of formal methods is not new • CompCert—Formally verified C compiler • Vellvm—Formal semantics for LLVM in Coq • Nuno Lopes described verifying InstCombine with SMT solvers last year 36

  37. Lightweight Formal Methods Emphasize that Alive is easier than manual proofs • Automation • Use SMT to avoid manual proofs • Use Alive to avoid writing SMT queries • High-level specification language 37

  38. More set up. Explain what this does. Additional slide before this? Alive Language Pre: C2 % (1<<C1) == 0 %s = shl nsw %A, C1 • 1<<C 1 divides C 2 %r = sdiv %s, C2 => • r s = (A<<C 1 )÷C 2 %r = sdiv %A, C2/(1<<C1) • r t = A÷(C 2 ÷(1<<C 1 )) 38

  39. Alive Language Pre: C2 % (1<<C1) == 0 Precondition %s = shl nsw %A, C1 %r = sdiv %s, C2 Source => Target %r = sdiv %A, C2/(1<<C1) 39

  40. Alive Language Pre: C2 % (1<<C1) == 0 %s = shl nsw %A, C1 %r = sdiv %s, C2 Constants => %r = sdiv %A, C2/(1<<C1) • Represent arbitrary immediate values • Expressions permitted in target and precondition 40

  41. Predicates and Functions • Predicates can be used in precondition • May invoke heuristics in LLVM, e.g., WillNotOverflowSignedAdd • Functions extend constant language • Most apply only to constant values, e.g., umax • width(%x) returns the bit width of any value 41

  42. Predicates and Functions Pre: C < 0 && isPowerOf2(abs(C)) %Op0 = add %Y, C1 %r = mul %Op0, C => %sub = sub -C1, %Y %r = mul %sub, abs(C) 42

  43. Checking Correctness • SMT (“Satisfiability Modulo Theories”) • Generalizes SAT solving • Additional theories for integers, bit vectors, etc. • Undecidable in general • Efficient in practice • Z3, Boolector, CVC4, etc. 43

  44. Type Checking • Translate type constraints to SMT • Binary operation arguments and answer have same type • Trunc result has fewer bits than argument, etc. • Find and test all solutions to constraints 44

  45. Checking Correctness • Need to show that target refines source • Target’s behavior undefined only when source’s is • Target returns poison only when source does • For all other inputs, target and source yield same result 45

  46. Checking Correctness • SMT finds satisfying instances • Phrase queries as negations: • “Find an input where the source is defined but the target is undefined” • Z3 either finds a counterexample, or shows that none exists 46

  47. Checking Correctness • Translation uses Z3’s theory of bitvectors • Sized, 2s-complement arithmetic • undef uses theory of quantifiers • Optimization must hold for all possible values 47

  48. Alive Language Pre: C2 % (1<<C1) == 0 %s = shl nsw %A, C1 %r = sdiv %s, C2 => %r = sdiv %A, C2/(1<<C1) 48

  49. Raw SMT (declare-fun C1 () (_ BitVec 4)) (declare-fun C2 () (_ BitVec 4)) (declare-fun %A () (_ BitVec 4)) (assert (and (and (distinct C2 (_ bv0 4)) true) (or (and (distinct (bvshl %A C1) (_ bv8 4)) true) (and (distinct C2 (_ bv15 4)) true) ) (bvult C1 (_ bv4 4)) (= (bvashr (bvshl %A C1) C1) %A) (= (bvsrem C2 (bvshl (_ bv1 4) C1)) (_ bv0 4)) (and (distinct (bvsdiv (bvshl %A C1) C2) (bvsdiv %A (bvsdiv C2 (bvshl (_ bv1 4) C1))) ) true ) ) ) (check-sat) i4 Equality Check 49

  50. Raw SMT (declare-fun C1 () (_ BitVec 4)) (declare-fun C2 () (_ BitVec 4)) (declare-fun %A () (_ BitVec 4)) (assert (and (and (distinct C2 (_ bv0 4)) true) (or (and (distinct (bvshl %A C1) (_ bv8 4)) true) Defined (and (distinct C2 (_ bv15 4)) true) ) (bvult C1 (_ bv4 4)) Non-poison (= (bvashr (bvshl %A C1) C1) %A) (= (bvsrem C2 (bvshl (_ bv1 4) C1)) (_ bv0 4)) Precondition (and (distinct Source (bvsdiv (bvshl %A C1) C2) (bvsdiv %A (bvsdiv C2 (bvshl (_ bv1 4) C1))) Target ) true ) ) ) (check-sat) i4 Equality Check 50

Recommend

What is the B-method? Welcome to Provably Correct Software http://www.it.uu.se/

What is the B-method? Welcome to Provably Correct Software http://www.it.uu.se/

What is the B-method? Welcome to Provably Correct Software http://www.it.uu.se/ edu/course/homepage/bkp/vt09 Instructor Lars-Henrik Eriksson lhe@it.uu.se, http://www.it.uu.se/katalog/lhe?lang=en Provably Correct Software Page 1 Updated

545 views • 18 slides
Provably Correct Development of Reconfigurable Hardware Designs via Equational Reasoning Ian

Provably Correct Development of Reconfigurable Hardware Designs via Equational Reasoning Ian

Provably Correct Development of Reconfigurable Hardware Designs via Equational Reasoning Ian Graves, Adam Procter, Bill Harrison &amp; Gerard Allwein FPT 2015 Introduction Provably Correct Development, Bird-Wadler Style Reference

397 views • 24 slides
On the synthesis of provably correct discrete controllers Jri Vain Dept. of Computer

On the synthesis of provably correct discrete controllers Jri Vain Dept. of Computer

On the synthesis of provably correct discrete controllers Jri Vain Dept. of Computer Science/Institute of Cybernetics Tallinn University of Technology Eesti arvutiteaduse teooriapev, sgis 2004 1 Controller synthesis problem (I)

393 views • 25 slides
Alive2 Verifying existing optimizations Nuno Lopes John Regehr Microsoft Research University

Alive2 Verifying existing optimizations Nuno Lopes John Regehr Microsoft Research University

Alive2 Verifying existing optimizations Nuno Lopes John Regehr Microsoft Research University of Utah Alive Found dozens of bugs in LLVM Avoided many other bugs due to use before commit Verifying peephole optimizations $ alive

863 views • 28 slides
Who Watches the Watchers: Toward Provably-correct Decision Diagram Code Yousra Lembachar , Ryan

Who Watches the Watchers: Toward Provably-correct Decision Diagram Code Yousra Lembachar , Ryan

Who Watches the Watchers: Toward Provably-correct Decision Diagram Code Yousra Lembachar , Ryan Rusich, Iulian Neamtiu, Gianfranco Ciardo University of California, Riverside 1 / 18 Toward a Completely Verified Software Toolchain 2 / 18 Toward

1.4k views • 44 slides
Provably correct implementations of services Roberto Bruni 1 Rocco De Nicola 2 Michele Loreti 2

Provably correct implementations of services Roberto Bruni 1 Rocco De Nicola 2 Michele Loreti 2

Provably correct implementations of services Roberto Bruni 1 Rocco De Nicola 2 Michele Loreti 2 Leonardo G. Mezzina 3 1 Dipartimento di Informatica, Universit` a di Pisa, Italy 2 Dipartimento di Sistemi e Informatica, Universit` a di Firenze,

1.1k views • 92 slides
Loop Optimizations Important because lots of execution Loop Optimizations Loop Optimizations

Loop Optimizations Important because lots of execution Loop Optimizations Loop Optimizations

Loop Optimizations Important because lots of execution Loop Optimizations Loop Optimizations time occurs in loops First, we will identify loops We will study three optimizations Loop-invariant code motion This lecture is

249 views • 5 slides
8. God is risen; we are alive #whodoyouthinkyouare? @simongharris @burlington_ips Hes alive

8. God is risen; we are alive #whodoyouthinkyouare? @simongharris @burlington_ips Hes alive

8. God is risen; we are alive #whodoyouthinkyouare? @simongharris @burlington_ips Hes alive confusion gives way certainty Luke 24:21 W e had hoped that he was the one who was going to redeem Israel. #whodoyouthinkyouare? Hes alive

513 views • 14 slides
Lab 2 discussion Last Time Debugging Its a science use experiments to refine

Lab 2 discussion Last Time Debugging Its a science use experiments to refine

size= 64 correct= 0 size= 73 correct= 0 Shuying Liang size= 107 correct= 1 size= 107 correct= 0 size= 108 correct= 0 size= 108 correct= 1 Please do not handin a .doc file, a .zip file, a .tar file, size= 111 correct= 1 size=

430 views • 7 slides
Is SUSY still alive? Felix Brmmer Felix Brmmer Is SUSY still alive? 1 / 13 Felix Brmmer

Is SUSY still alive? Felix Brmmer Felix Brmmer Is SUSY still alive? 1 / 13 Felix Brmmer

Is SUSY still alive? Felix Brmmer Felix Brmmer Is SUSY still alive? 1 / 13 Felix Brmmer Is SUSY still alive? 2 / 13 What is SUSY? Low-scale supersymmetry, serving to solve the hierarchy problem predict gauge coupling

629 views • 16 slides
Don't ask what the world needs. Ask what makes you come alive, and go do it. Because what the

Don't ask what the world needs. Ask what makes you come alive, and go do it. Because what the

Don't ask what the world needs. Ask what makes you come alive, and go do it. Because what the world needs is people who have come alive. - Howard Thurman 2 Projects 3 Puzzles 3 Solutions 1 ? 1 ? 2 ? 2 ? 3 ? 3 ? SOS Tag Data For

593 views • 28 slides
A Set that is Streamless and Not Provably Noetherian Marc Bezem Department of Informatics

A Set that is Streamless and Not Provably Noetherian Marc Bezem Department of Informatics

A Set that is Streamless and Not Provably Noetherian A Set that is Streamless and Not Provably Noetherian Marc Bezem Department of Informatics University of Bergen (joint work with Keiko Nakata and Tarmo Uustalu) December 2011 A Set that is

135 views • 10 slides
WHAT IS LONDON NEEDS YOU ALIVE? London Needs You Alive is an anti- knife crime campaign run by the

WHAT IS LONDON NEEDS YOU ALIVE? London Needs You Alive is an anti- knife crime campaign run by the

WHAT IS LONDON NEEDS YOU ALIVE? London Needs You Alive is an anti- knife crime campaign run by the Mayor of London, Sadiq Khan. Part of the Protecting and Educating Young People strand of the London Knife Crime Strategy, it aims to reduce the

239 views • 7 slides
Provably secure hash functions - do we care? Krystian Matusiewicz Technical University of Denmark

Provably secure hash functions - do we care? Krystian Matusiewicz Technical University of Denmark

Computational Complexity Provably-secure constructions Problems with provably-secure constructions Attempts at practical constructions Provably secure hash functions - do we care? Krystian Matusiewicz Technical University of Denmark Quo Vadis

874 views • 20 slides
It's Alive !! Soil is our greatest resource It's alive, as opposed to dirt It's

It's Alive !! Soil is our greatest resource It's alive, as opposed to dirt It's

It's Alive !! Soil is our greatest resource It's alive, as opposed to dirt It's part of the food web as part of the three-way relationship with soil organisms and plants It's considered the most complex of all habitats Soil

492 views • 37 slides
Concepts Introduced in Chapter 9 introduction to compiler optimizations basic blocks and

Concepts Introduced in Chapter 9 introduction to compiler optimizations basic blocks and

Concepts Introduced in Chapter 9 introduction to compiler optimizations basic blocks and control flow graphs local optimizations global optimizations 1 EECS 665 Compiler Construction Compiler Optimizations Compiler

454 views • 24 slides
Verifying Optimizations using SMT Solvers Nuno Lopes technology Why verify optimizations? from

Verifying Optimizations using SMT Solvers Nuno Lopes technology Why verify optimizations? from

technology from seed Verifying Optimizations using SMT Solvers Nuno Lopes technology Why verify optimizations? from seed Catch bugs before they even exist Corner cases are hard to debug Time spent in additional verification step

1.34k views • 44 slides
Provably secure compilation of side-channel countermeasures: the case of cryptographic

Provably secure compilation of side-channel countermeasures: the case of cryptographic

Provably secure compilation of side-channel countermeasures: the case of cryptographic constant-time Gilles Barthe Benjamin Grgoire Vincent Laporte CSF18, 2018-07-12 Vincent Laporte et alii Provably secure compilation of

501 views • 25 slides
Provably weak instances of Ring-LWE revisited Wouter Castryck 1 , 2 , Ilia Iliashenko 1 , Frederik

Provably weak instances of Ring-LWE revisited Wouter Castryck 1 , 2 , Ilia Iliashenko 1 , Frederik

Provably weak instances of Ring-LWE revisited Wouter Castryck 1 , 2 , Ilia Iliashenko 1 , Frederik Vercauteren 1 , 3 1 COSIC, KU Leuven 2 Ghent University 3 Open Security Research EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE

717 views • 54 slides
Khem Raj Embedded Linux Conference 2014, San Jose, CA } What is GCC } General Optimizations

Khem Raj Embedded Linux Conference 2014, San Jose, CA } What is GCC } General Optimizations

Khem Raj Embedded Linux Conference 2014, San Jose, CA } What is GCC } General Optimizations } GCC specific Optimizations } Embedded Processor specific Optimizations } Approaches to speed up compile time } Additional tools }

419 views • 29 slides
The Knock Em Alive The Knock Em Alive Positively Powerful Positively Powerful

The Knock Em Alive The Knock Em Alive Positively Powerful Positively Powerful

The Knock Em Alive The Knock Em Alive Positively Powerful Positively Powerful Strategies For Your Job Strategies For Your Job Success! Success! With Dr. Joel Martin President. Triad West Inc. Get you where you want to

1.19k views • 31 slides
Staying Alive Animals need to eat to stay alive. Different animals eat different types of food.

Staying Alive Animals need to eat to stay alive. Different animals eat different types of food.

Staying Alive Animals need to eat to stay alive. Different animals eat different types of food. Which of these animals does not eat grass? lion rabbit cow Carnivores Some animals eat other animals. These animals are called carnivores .

434 views • 12 slides
Density Estimation Optimizations for Global Illumination Rub en Garc a, Carlos Ure na,

Density Estimation Optimizations for Global Illumination Rub en Garc a, Carlos Ure na,

Introduction New optimizations Theoretical study Future Work Conclusion Density Estimation Optimizations for Global Illumination Rub en Garc a, Carlos Ure na, Jorge Revelles, Miguel Lastra, Rosana Montes Thursday, February 2,

383 views • 14 slides
Performance of Correct Statement of the Problem and Impact. Associated Issues. Procedure

Performance of Correct Statement of the Problem and Impact. Associated Issues. Procedure

Performance of Correct Procedure at Correct Body Site Patient Safety Solutions CONTENT Performance of Correct Statement of the Problem and Impact. Associated Issues. Procedure at Correct Suggested Actions. Looking Forward.

198 views • 3 slides

More recommend