An Abstract Stack Based Approach to Verified Compositional Compilation to Machine Code

Yuting Wang (1), Pierre Wilke (1, 2), Zhong Shao (1)
(1) Yale University, (2) CentraleSupélec

POPL '19, January 18th, 2019

(slide 1/16)
Verified compilation (slide 2/16)

CompCert: verified C compiler (Leroy et al., first released in 2008)

    Clight → C#minor → Cminor → CminorSel → RTL → LTL → Linear → Mach → Asm

Used as a basis for a large number of extensions:
• alternate semantics: CompCertTSO (weak memory model, Sevcík et al., JACM'13), CompCertS (undefined pointer arithmetic, Besson et al., ITP'17)
• a more concrete view of the stack: Quantitative CompCert (merge the stack blocks into a single stack region, Carbonneaux et al., PLDI'14)
• compositional compilation: Compositional CompCert (Stewart et al., POPL'15), compositional semantics (Ramananandro et al., CPP'15), SepCompCert (Kang et al., POPL'16)

Open problems:
• verified compilation to machine code
• port all compiler passes of CompCert, including challenging inlining and tailcall recognition
• verified compilation of heterogeneous modules (mix C and Asm modules)
Contribution: Stack-Aware CompCert (slide 3/16)

A version of CompCert with:
1. compilation to machine code
   • merge the stack blocks into a unique stack region
   • eliminate CompCert's pseudo-instructions
   • generate machine code
2. complete extension: we support all CompCert passes
   • including challenging optimizations (function inlining, tailcall elimination)
3. compositional compilation
   • stack access policy
   • mix C and Asm programs
CompCert: memory model and values (slide 4/16)

    void swap(int *p1, int *p2){
      int tmp = *p1;
      *p1 = *p2;
      *p2 = tmp;
    }

    int main(){
      int i = 3, j = 9;
      int *x = &i;
      int *y = &j;
      swap(x,y);
      return 0;
    }

[Figure: memory as a set of blocks, one per variable, with pointers as (block, offset) pairs. In swap: b_p1 holds (b_i, 0), b_p2 holds (b_j, 0), b_tmp holds 3. In main: b_i holds 3, b_j holds 9, b_x holds (b_i, 0), b_y holds (b_j, 0).]
CompCert: compilation and memory model (slide 5/16)

The memory model stays the same throughout compilation, but the memory blocks change shapes.

[Figure: the blocks of the swap program in Clight, C#minor, Cminor and Asm. main's variables b_i, b_j, b_x, b_y and swap's b_p1, b_p2, b_tmp start as separate blocks; variables that no longer need to live in memory disappear (∅) along the way; at the Asm level each function has a single stack-frame block.]

The stack frames in Asm are in distinct blocks!
The abstract stack (slide 6/16)

We maintain an abstract stack in memory states that reflects the structure of the concrete stack.

Abstract stack: a list of abstract frames.

An abstract frame records useful information about a concrete stack frame:
• the size of this stack frame at the assembly level;
• which blocks are part of that stack frame;
• which locations of these blocks are public or private.

[Figure: the abstract frame of main, of size 32 at the Asm level, grouping the blocks b_i, b_j, b_main, b_x, b_y.]
Abstract stack: example (slide 7/16)

The abstract stack at the C level is:

[Figure: two abstract frames. The frame of swap (top of the stack, size 16) groups b_p1, b_p2, b_tmp and b_swap; the frame of main (size 32) groups b_i, b_j, b_main, b_x, b_y. The Asm column shows the same program with one stack block per function, b_swap (16) above b_main (32).]
Abstract stack: example (slide 7/16, continued)

The abstract stack at the Asm level is:

[Figure: the frame of swap (size 16) contains only the block b_swap; the frame of main (size 32) contains only the block b_main.]

Stack-access policy: we may write to
• all of b_swap
• public locations in b_main
Abstract stack primitives (slide 8/16)

Semantics of all intermediate languages instrumented with push_frame and pop_frame.

[Figure: at function call, push_frame adds the frame b_swap (size 16) on top of b_main (size 32); at function return, pop_frame removes it and only b_main (32) remains.]

Key argument for merging stack blocks: the push_frame primitive only succeeds if the sum of the frames' sizes is lower than MAX_STACK.
Preservation of stack usage with compilation (slide 9/16)

Since the semantics include stack consumption, it must be preserved by compilation.

Property to ensure: at each program point, the size of the source stack should be larger than (or equal to) the size of the target stack.

Regular case: the sizes of the source and target stacks are equal.
    |f| + |g| = |f| + |g|
Recall |f| is the size of f's stack frame at the Asm level!

Function inlining:
    Source               Target
    void g(){ G; }       void g(){ G; }
    void f(){ g(); }  ⇒  void f(){ G; }
The source stack (frames f and g) is larger than the target stack (frame f only):
    |f| + |g| ≥ |f|

Tailcall inlining:
    Source                       Target
    void g(){ G; }               void g(){ G; }
    void f(){ F; tail g(); }  ⇒  void f(){ F; G; }
While F runs, both stacks hold f's frame: |f| ≥ |f|.
Problem: how to compare the sizes of the source and target stacks once g has been tailcalled? The source stack now holds g while the target still holds f, and |g| ≥ |f| does not hold in general.

We keep the history of tailcalled functions: the source stack keeps both f and g, and the comparison becomes
    max(|f|, |g|) ≥ |f|
The structure of the abstract stack (slide 10/16)

The abstract stack is actually a list of lists of abstract frames.

[Figure: each inner list is a stage of abstract frames; a stage holds the abstract frames of a chain of tailcalled functions.]
From CompCert Assembly to Machine Code (slide 11/16)

    CompCert Asm  →  "Single-Stack" Asm  →  "Flat" Asm  →  Plain Memory

• CompCert Asm → "Single-Stack" Asm: merging stack blocks
• "Single-Stack" Asm → "Flat" Asm: pseudo-instructions elimination, flat memory layout
• "Flat" Asm → Plain Memory: instruction encoding (RockSalt: Morrisett et al., PLDI'12)

[Figure: each representation drawn as its globals/memory, code and stack; the stack blocks are merged into one region and finally laid out, together with code and globals, in a single flat memory.]
Eliminating pseudo-instructions (slide 12/16)

The caller executes call and the callee executes allocframe: states s1 → s2 → s3 in Single-Stack Asm, s1' → s2' → s3' in real Asm.

Single-Stack Asm:
    call:        RA ← next(PC)
    allocframe:  RSP ← RSP - sz; store RA

Real Asm:
    call:        RSP ← RSP - 8; store (next(PC))
    allocframe:  RSP ← RSP - (sz - 8)

Mismatch between CompCert semantics and expected semantics: after call, the return address sits in the pseudo-register RA in one and on the stack in the other, so s2 and s2' do not correspond directly.

We get rid of the pseudo-register RA and can do away with pseudo-instructions (simple pointer arithmetic).
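The two instruction sequences above, replayed on constructed sample values in Python (an added example, not the paper's Coq development). `single_stack_steps`, `real_steps`, `related`, `simulate`, the initial RSP, the return address and the frame size are my own choices; the slot where the Single-Stack `allocframe` saves RA is assumed to be the top of the frame (old RSP - 8), the place a real `call` writes it:

```python
WORD = 8  # assumption: x86-64, return addresses are 8 bytes


def single_stack_steps(rsp, next_pc, sz):
    """Single-Stack Asm (CompCert semantics): `call` only sets the pseudo-
    register RA; `allocframe sz` moves RSP and saves RA into the new frame.
    States are (RSP, RA, memory). Assumption: RA is saved at the top of the
    frame, i.e. at old RSP - 8, where a real `call` would have pushed it."""
    mem = {}
    s1 = (rsp, None, dict(mem))
    ra = next_pc                      # call:       RA <- next(PC)
    s2 = (rsp, ra, dict(mem))         #             (RSP untouched)
    rsp -= sz                         # allocframe: RSP <- RSP - sz
    mem[rsp + sz - WORD] = ra         #             store RA
    s3 = (rsp, ra, dict(mem))
    return [s1, s2, s3]


def real_steps(rsp, next_pc, sz):
    """Real Asm: `call` pushes the return address itself, so `allocframe`
    only has sz - 8 bytes left to reserve. States are (RSP, memory)."""
    mem = {}
    s1 = (rsp, dict(mem))
    rsp -= WORD                       # call:       RSP <- RSP - 8
    mem[rsp] = next_pc                #             store next(PC)
    s2 = (rsp, dict(mem))
    rsp -= sz - WORD                  # allocframe: RSP <- RSP - (sz - 8)
    s3 = (rsp, dict(mem))
    return [s1, s2, s3]


def related(single, real):
    """Matching relation between the two semantics: same RSP and same
    memory; the pseudo-register RA is simply dropped."""
    return single[0] == real[0] and single[2] == real[1]


def simulate(rsp=4096, next_pc=0x401005, sz=32):
    """Which of the pairs s1/s1', s2/s2', s3/s3' are related
    (constructed sample values for RSP, next(PC) and sz)."""
    return [related(a, b) for a, b in
            zip(single_stack_steps(rsp, next_pc, sz), real_steps(rsp, next_pc, sz))]


if __name__ == "__main__":
    print(simulate())  # [True, False, True]: only the intermediate state differs
```

The middle entry is the mismatch the slide points at: the states agree before `call` and after `allocframe`, but not in between, which is why the two instructions have to be related as a pair rather than one by one once RA is gone.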
Stack access policy (slide 13/16)

Accessible locations are either top-frame locations or public locations.

[Figure: as on the abstract stack primitives slide: push_frame at function call adds b_swap (16) above b_main (32); pop_frame at function return removes it.]
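A small executable model of the abstract stack from the primitives, stack-usage and access-policy slides (an added example in Python, not the paper's Coq development). It keeps the list-of-lists structure, charges each stage the maximum of its frames' sizes so that tailcall history gives max(|f|, |g|), makes push_frame fail beyond MAX_STACK, and implements the access policy as "top frame or public location". The class and function names, the value of MAX_STACK, the frame sizes 32/16 and the public offsets are my own choices:

```python
from dataclasses import dataclass, field

# Constructed bound for this example; in the semantics MAX_STACK is a parameter.
MAX_STACK = 64


@dataclass
class AbstractFrame:
    """What an abstract frame records about one concrete stack frame."""
    name: str                       # function that owns the frame
    size: int                       # size of the frame at the Asm level, |f|
    blocks: frozenset               # memory blocks that belong to this frame
    public: dict = field(default_factory=dict)  # block -> set of public offsets

    def is_public(self, block, ofs):
        return ofs in self.public.get(block, set())


class AbstractStack:
    """A list of stages; each stage is a list of frames (the tailcall history).

    stages[-1] is the top stage and stage[-1] the live frame of a stage; the
    earlier frames of a stage were tailcalled away and are kept only so that
    the stage is charged max(|f|, |g|, ...) over the whole history.
    """

    def __init__(self):
        self.stages = []

    @staticmethod
    def stage_size(stage):
        return max(fr.size for fr in stage)

    def size(self):
        return sum(self.stage_size(s) for s in self.stages)

    def push_frame(self, frame):
        """Function call: succeeds only if the stack still fits in MAX_STACK."""
        if self.size() + frame.size > MAX_STACK:
            return False
        self.stages.append([frame])
        return True

    def pop_frame(self):
        """Function return: drop the whole top stage, history included."""
        self.stages.pop()

    def tailcall(self, frame):
        """Tail call: the callee joins the current stage instead of opening one."""
        self.stages[-1].append(frame)

    def top_frame(self):
        return self.stages[-1][-1]

    def accessible(self, block, ofs):
        """Stack-access policy: top-frame locations or public locations."""
        if block in self.top_frame().blocks:
            return True
        for stage in self.stages:
            live = stage[-1]
            if block in live.blocks:
                return live.is_public(block, ofs)
        return False  # not a live stack block


def compare_stacks(f_size, g_size):
    """(source size, target size) while f's body runs, for the three cases of
    the talk; the last entry shows what goes wrong without tailcall history."""
    def size_after(ops):
        st = AbstractStack()
        for op, fr in ops:
            getattr(st, op)(fr)
        return st.size()

    f = AbstractFrame("f", f_size, frozenset({"b_f"}))
    g = AbstractFrame("g", g_size, frozenset({"b_g"}))
    call_f_then_g = [("push_frame", f), ("push_frame", g)]
    return {
        "regular":  (size_after(call_f_then_g), size_after(call_f_then_g)),
        "inlining": (size_after(call_f_then_g), size_after([("push_frame", f)])),
        "tailcall": (size_after([("push_frame", f), ("tailcall", g)]),
                     size_after([("push_frame", f)])),
        "tailcall_without_history": (g_size, f_size),
    }


def access_policy_demo():
    """swap called from main: all of b_swap is writable, b_main only at its
    public offsets (0 and 4 here, a constructed choice)."""
    main = AbstractFrame("main", 32, frozenset({"b_main"}), {"b_main": {0, 4}})
    swap = AbstractFrame("swap", 16, frozenset({"b_swap"}))
    st = AbstractStack()
    assert st.push_frame(main) and st.push_frame(swap)
    return (st.accessible("b_swap", 8), st.accessible("b_main", 0),
            st.accessible("b_main", 8))


if __name__ == "__main__":
    print(compare_stacks(32, 16))   # source >= target except without history
    print(access_policy_demo())     # (True, True, False)
```

With |f| = 32 and |g| = 16, the "tailcall_without_history" entry is the problematic comparison from the slides (source 16 against target 32); keeping g in f's stage restores max(32, 16) ≥ 32.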