Compiler verification for fun and profit

X. Leroy
Proceedings of Formal Methods in Computer-Aided Design (FMCAD) 2014, page 9. DOI: 10.1109/FMCAD.2014.6987587 (https://doi.org/10.1109/FMCAD.2014.6987587). Published 2014-10-21. Citations: 3.

Abstract

Formal verification of software or hardware systems, be it by model checking, deductive verification, abstract interpretation, type checking, or any other kind of static analysis, is generally conducted over high-level programming or description languages, quite remote from the actual machine code and circuits that execute in the system. To bridge this particular gap, we all rely on compilers and other code generators to automatically produce the executable artifact. Compilers are, however, vulnerable to miscompilation: bugs in the compiler that cause incorrect code to be generated from correct source code, possibly invalidating the guarantees so painfully obtained by source-level formal verification. Recent experimental studies [1] show that many widely-used production-quality compilers suffer from miscompilation.

The formal verification of compilers and related code generators is a radical, mathematically-grounded answer to the miscompilation issue. By applying formal verification (typically, interactive theorem proving) to the compiler itself, it is possible to guarantee that the compiler preserves the semantics of the source programs it transforms, or at least preserves the properties of interest that were formally verified over the source programs. Proving the correctness of compilers is an old idea [2], [3] that took a long time to scale all the way to realistic compilers. In the talk, I give an overview of CompCert C [4], a moderately-optimizing compiler for almost all of the ISO C 99 language that has been formally verified using the Coq proof assistant [5].

The CompCert project is one point in a space of code generators whose verification deserves attention. For example, functional languages and object-oriented languages raise the issue of jointly verifying the compiler and the run-time system (memory management, exception handling, etc.) that the generated code depends on. At the other end of the expressiveness spectrum, synchronous languages and hardware description languages also raise interesting verified generation issues, as exemplified by Pnueli's seminal work on translation validation for Signal [6] and Braibant and Chlipala's recent work on verified hardware synthesis [7].

Orthogonally, the integration of verification tools and compilers that are both verified against a shared formal semantics opens fascinating opportunities for "super-optimizations" that generate better code by exploiting the properties of the source code that were formally verified.
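The abstract contrasts two answers to miscompilation: proving the compiler itself correct (CompCert) and translation validation (Pnueli's approach, [6]), where each individual compilation is checked against its source after the fact. The following is an added example, not code from CompCert or from the talk, that makes the second idea concrete on a toy scale. It assumes a constructed source language of integer expressions (constants, variables, `+`, `-`, `*`), a constructed stack-machine target, a naive code generator, and a constant-folding peephole pass with a deliberately planted operand-order bug of the kind that the miscompilation studies in [1] report. The validator normalizes both the source expression and the symbolically executed target code to polynomials over the integers; since two integer polynomials compute the same function exactly when they are identical, the check is both sound and complete for this language.

```python
"""Toy translation validation for an expression compiler.

Added illustration for this page; not CompCert code and not Leroy's.
Source: Const | Var | Bin(op, l, r) with op in {+, -, *}.
Target: a list of stack-machine instructions
    ("push", n)  push constant n        ("load", x)  push variable x
    ("add",) ("sub",) ("mul",)  pop right then left, push l op r.
Validator: both sides are reduced to polynomials over Z and compared.
"""
from dataclasses import dataclass
from typing import Dict, Tuple, Union


@dataclass(frozen=True)
class Const:
    value: int


@dataclass(frozen=True)
class Var:
    name: str


@dataclass(frozen=True)
class Bin:
    op: str
    left: "Expr"
    right: "Expr"


Expr = Union[Const, Var, Bin]


def compile_expr(e: Expr) -> list:
    """Naive, unoptimized code generation: postfix traversal of the tree."""
    if isinstance(e, Const):
        return [("push", e.value)]
    if isinstance(e, Var):
        return [("load", e.name)]
    opcode = {"+": "add", "-": "sub", "*": "mul"}[e.op]
    return compile_expr(e.left) + compile_expr(e.right) + [(opcode,)]


def buggy_peephole(code: list) -> list:
    """Constant-folding pass with a constructed bug: 'push c1; push c2; sub'
    is folded to push (c2 - c1) instead of push (c1 - c2)."""
    out: list = []
    for ins in code:
        if (ins[0] in ("add", "sub", "mul") and len(out) >= 2
                and out[-1][0] == "push" and out[-2][0] == "push"):
            c2, c1 = out.pop()[1], out.pop()[1]       # c2 was on top of the stack
            folded = {"add": c1 + c2, "sub": c2 - c1, "mul": c1 * c2}[ins[0]]
            out.append(("push", folded))
        else:
            out.append(ins)
    return out


def run(code: list, env: Dict[str, int]) -> int:
    """Concrete execution of target code (unbounded integers)."""
    stack: list = []
    for ins in code:
        if ins[0] == "push":
            stack.append(ins[1])
        elif ins[0] == "load":
            stack.append(env[ins[1]])
        else:
            r, l = stack.pop(), stack.pop()
            stack.append(l + r if ins[0] == "add" else l - r if ins[0] == "sub" else l * r)
    return stack[0]


# Polynomial normal form: monomial (sorted tuple of (var, exponent)) -> coefficient.
Poly = Dict[Tuple[Tuple[str, int], ...], int]


def p_const(n: int) -> Poly:
    return {(): n} if n else {}


def p_var(x: str) -> Poly:
    return {((x, 1),): 1}


def p_add(a: Poly, b: Poly) -> Poly:
    r = dict(a)
    for m, c in b.items():
        r[m] = r.get(m, 0) + c
    return {m: c for m, c in r.items() if c}       # drop cancelled terms


def p_neg(a: Poly) -> Poly:
    return {m: -c for m, c in a.items()}


def p_mul(a: Poly, b: Poly) -> Poly:
    r: Poly = {}
    for ma, ca in a.items():
        for mb, cb in b.items():
            exps = dict(ma)
            for v, k in mb:
                exps[v] = exps.get(v, 0) + k
            m = tuple(sorted(exps.items()))
            r[m] = r.get(m, 0) + ca * cb
    return {m: c for m, c in r.items() if c}


def poly_of_expr(e: Expr) -> Poly:
    """Denotation of a source expression as a polynomial."""
    if isinstance(e, Const):
        return p_const(e.value)
    if isinstance(e, Var):
        return p_var(e.name)
    l, r = poly_of_expr(e.left), poly_of_expr(e.right)
    if e.op == "+":
        return p_add(l, r)
    if e.op == "-":
        return p_add(l, p_neg(r))
    return p_mul(l, r)


def poly_of_code(code: list) -> Poly:
    """Symbolic execution of target code; rejects ill-formed code."""
    stack: list = []
    for ins in code:
        if ins[0] == "push":
            stack.append(p_const(ins[1]))
        elif ins[0] == "load":
            stack.append(p_var(ins[1]))
        else:
            if len(stack) < 2:
                raise ValueError(f"stack underflow at {ins}")
            r, l = stack.pop(), stack.pop()
            if ins[0] == "add":
                stack.append(p_add(l, r))
            elif ins[0] == "sub":
                stack.append(p_add(l, p_neg(r)))
            else:
                stack.append(p_mul(l, r))
    if len(stack) != 1:
        raise ValueError("code does not leave exactly one result on the stack")
    return stack[0]


def validate(source: Expr, code: list) -> Tuple[bool, str]:
    """Translation validation: accept the compiled code only if it denotes the
    same polynomial, hence the same integer function, as the source."""
    try:
        target = poly_of_code(code)
    except ValueError as err:
        return False, f"ill-formed target code: {err}"
    if poly_of_expr(source) == target:
        return True, "semantics preserved"
    return False, "miscompilation: target computes a different function"


if __name__ == "__main__":
    src = Bin("-", Const(5), Const(3))
    good, bad = compile_expr(src), buggy_peephole(compile_expr(src))
    print(run(good, {}), validate(src, good))      # 2, accepted
    print(run(bad, {}), validate(src, bad))        # -2, rejected by the validator
```

The check is semantic, not syntactic: `x * 2` compiled as `load x; load x; add` is accepted because both sides normalize to the same polynomial. Two caveats a practitioner should keep in mind. First, completeness relies on unbounded integers; under fixed-width wrap-around arithmetic (C `int`) a target that agrees with the source only modulo 2^n would be rejected, so the validator stays sound but becomes incomplete. Second, the validator itself is now trusted: a bug in `poly_of_code` would let a miscompilation through, which is exactly why the talk's approach is to carry out the proof in Coq, either of the compiler pass or of the validator that checks it.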