formal verification of a realistic compiler
play

Formal verification of a realistic compiler Xavier Leroy CACM 2009 - PowerPoint PPT Presentation

Formal verification of a realistic compiler Xavier Leroy CACM 2009 CS 7194: Great Works in Programming Languages Presenter : Irene Yoon | Mentor : Ryan Doenges 1 Building robust compilers is Hard. 2 Bugs bugs 3 Bugs [Yang


  1. Formal verification of a realistic compiler Xavier Leroy CACM 2009 CS 7194: Great Works in Programming Languages Presenter : Irene Yoon | Mentor : Ryan Doenges � 1

  2. Building robust compilers is Hard. � 2

  3. Bugs bugs � 3

  4. Bugs [Yang et al 2011] • Random testing finds bugs in 11 C compilers • Hundreds of previously unknown bugs • LLVM has a large test suite, real compilers have bugs � 4

  5. Bugs [Yang et al 2011] • Random testing finds bugs in 11 C compilers • Hundreds of previously unknown bugs • LLVM has a large test suite � 5

  6. Bugs [Yang et al 2011] • Random testing finds bugs in 11 C compilers • Hundreds of previously unknown bugs • LLVM has a large test suite, real compilers have bugs � 6

  7. Bugs [Yang et al 2011] • Random testing finds bugs in 11 C compilers • Hundreds of previously unknown bugs • LLVM has a large test suite � 7

  8. ✅ Building compilers is hard Testing sucks Formalisms are good � 8

  9. ✅ Building compilers is hard ✅ Testing sucks Formalisms are good � 9

  10. ✅ Building compilers is hard ✅ Testing sucks ✅ Formalisms are good � 10

  11. ✅ Building compilers is hard ✅ Testing sucks ✅ Formalisms are good Formal verification of a compiler � 11

  12. First Published Proof of Compiler Correctness [1967] • arithmetic expressions → stack machine code • prototype for proving usable compilers � 12

  13. First Mechanized Proof of Compiler Correctness [1972] • ALGOL-like language → elementary assembly language • Stanford LCF � 13

  14. Compiler Verification • 100+ papers on compiler verification since 1967 � 14

  15. Compiler Verification • 100+ papers on compiler verification since 1967 � 15

  16. Compiler Verification • 100+ papers on compiler verification since 1967 � 16

  17. Compiler Verification • 100+ papers on Compiler Verification since 1967 [2003] � 17

  18. CompCert � 18

  19. CompCert [2009] “Develop and prove correct a realistic compiler, usable for critical embedded software.” • 42k Coq, 3 person years target source PowerPC Clight ARM x86 CompCert

  20. CompCert [2009] “Develop and prove correct a realistic compiler, usable for critical embedded software.” • 42k Coq, 3 person years target source PowerPC Clight ARM x86 CompCert

  21. CompCert [2009] “Develop and prove correct a realistic compiler, usable for critical embedded software.” • 42k Coq, 3 person years target source PowerPC Clight ARM x86 CompCert

  22. Verified, Validated, Certifying � 22

  23. Verified, Validated, Certifying 1. Verified transformation [ Compiler Correctness ] source target COMPILER � 23

  24. Verified, Validated, Certifying 2 . Translation validation [ Translation Verification ] target source COMPILER VALIDATOR � 24

  25. Verified, Validated, Certifying 3. Certifying compiler [ Proof-carrying Code ] source CERTIFYING PROOF COMPILER CHECKER target code + certificate � 25

  26. � 26

  27. [Leroy `06] � 27

  28. => External solver with verified validation � 28

  29. => External solver with verified validation [Tristan and Leroy `10] � 29

  30. CompCert � 30

  31. CompCert formal specification � 31

  32. CompCert formal specification → semantic analysis tools [Appel ’11] � 32

  33. CompCert semantic preservation* � 33

  34. CompCert � 34

  35. Semantic Preservation • Spec(B) : functional specification of observable behavior • B: observable behavior (trace properties of I/O) • “going wrong” (run-time error), termination, divergence • C ㅑ Spec if A. C cannot go wrong B. All behaviors B satisfy Spec � 35

  36. Semantic Preservation • Spec(B) : functional specification of observable behavior • B: observable behavior (trace properties of I/O) • “going wrong” (run-time error), termination, divergence • C ㅑ Spec if A. C cannot go wrong B. All behaviors B satisfy Spec � 36

  37. Semantic Preservation • Spec(B) : functional specification of observable behavior • B: observable behavior (trace properties of I/O) • “going wrong” (run-time error), termination, divergence • C ㅑ Spec if A. C cannot go wrong B. All behaviors B satisfy Spec � 37

  38. Correctness Property Compiled code C preserves the fact that the source code S satisfies the specification. � 38

  39. Proving Semantic Preservation � 39

  40. Proving Semantic Preservation * � 40

  41. Safety Precondition • Compilation result will match the semantics of the input if if program is “safe” (no runtime errors) • Need to prove that input program is safe � 41

  42. Safety Precondition • Compilation result will match the semantics of the input if if program is “safe” (no runtime errors) • Need to prove that input program is safe � 42

  43. Correctness Weakness � 43

  44. Correctness Weakness � 44

  45. CompCert � 45

  46. CompCert � 46

  47. Correctness Weakness • Only runs after the preprocessing step • Astrèe [Cousot et al ’05] , Verasco [Jourdan et al ’15] ) • Reliant on less verifiable assumptions • Coq’s correctness [Anand et al ’17] • Formal specification of C & PowerPC assembly � 47

  48. Correctness Weakness • Only runs after the preprocessing step • Astrèe [Cousot et al ’05] , Verasco [Jourdan et al ’15] • Reliant on less verifiable assumptions • Coq’s correctness [Anand et al ’17] • Formal specification of C & PowerPC assembly � 48

  49. Correctness Weakness • Only runs after the preprocessing step • Astrèe [Cousot et al ’05] , Verasco [Jourdan et al ’15] ) • Reliant on less verifiable assumptions • Coq’s correctness [Anand et al ’17] • Formal specification of C & PowerPC assembly � 49

  50. Correctness Weakness • Only runs after the preprocessing step • Astrèe [Cousot et al ’05] , Verasco [Jourdan et al ’15] ) • Reliant on less verifiable assumptions • Coq’s correctness ( CertiCoq [Anand et al ’17]) • Formal specification of C & PowerPC assembly � 50

  51. Correctness Weakness • Only runs after the preprocessing step • Astrèe [Cousot et al ’05] , Verasco [Jourdan et al ’15] ) • Reliant on less verifiable assumptions • Coq’s correctness ( CertiCoq [Anand et al ’17]) • Formal specification of C & PowerPC assembly � 51

  52. Performance � 52

  53. Performance competitive with gcc -01 � 53

  54. Bugs, revisited. [Yang et al 2011] • CompCert: errors only found in unverified parts (parser and model of machine) • Other compilers: errors everywhere “The striking thing about our CompCert results is that the middle-end bugs we found in all other compilers are absent” � 54

  55. Bugs, revisited. [Yang et al 2011] • CompCert: errors only found in unverified parts (parser and model of machine) • Other compilers: errors everywhere “The striking thing about our CompCert results is that the middle-end bugs we found in all other compilers are absent” � 55

  56. Bugs, revisited. [Yang et al 2011] • CompCert: errors only found in unverified parts (parser and model of machine) • Other compilers: errors everywhere “The striking thing about our CompCert results is that the middle-end bugs we found in all other compilers are absent” � 56

  57. Bugs, revisited. [Yang et al 2011] • CompCert: errors only found in unverified parts (parser and model of machine) • Other compilers: errors everywhere “The striking thing about our CompCert results is that the middle-end bugs we found in all other compilers are absent” � 57

  58. Critical Use Cases • AirBus • MTU Friedrichshafen (nuclear energy) • High-Assurance Cyber Military Systems (HACMS) [Fisher et al, ’17] • PhD Theses � 58

  59. Critical Use Cases • AirBus • MTU Friedrichshafen (nuclear energy) • High-Assurance Cyber Military Systems (HACMS) [Fisher et al, ’17] • PhD Theses � 59

  60. Critical Use Cases • AirBus • MTU Friedrichshafen (nuclear energy) • High-Assurance Cyber Military Systems (HACMS) [Fisher et al, ’17] • PhD Theses � 60

  61. Critical Use Cases • AirBus • MTU Friedrichshafen (nuclear energy) • High-Assurance Cyber Military Systems (HACMS) [Fisher et al, ’17] • PhD Theses � 61

  62. Critical Use Cases “a realistic compiler” • AirBus • MTU Friedrichshafen (nuclear energy) • High-Assurance Cyber Military Systems (HACMS) [Fisher et al, ’17] • PhD Theses � 62

  63. Concluding Remarks • Still some correctness and safety weaknesses • Useful for safety critical code (that doesn’t have to run fast) • Future work - . . . � 63

  64. Concluding Remarks • Still some correctness and safety weaknesses • Useful for safety critical code (that doesn’t have to run fast) • Future work - . . . . . . � 64

  65. Concluding Remarks • Still some correctness and safety weaknesses • Useful for safety critical code (that doesn’t have to run fast) • Future work - . . . � 65

  66. Concluding Remarks • Still some correctness and safety weaknesses • Useful for safety critical code (that doesn’t have to run fast) Type Preserving Compilation • Future work - . . . . . . � 66

Recommend


More recommend