Team Gallium

Overall Objectives
Scientific Foundations
Application Domains
New Results
Contracts and Grants with Industry
Other Grants and Activities

Section: New Results

Formal verification of compilers

The Compcert verified compiler for the C language

Participants : Xavier Leroy, Sandrine Blazy [ CEDRIC-ENSIIE ] .

In the context of our work on compiler verification (see section  3.3.1 ), since 2005 we have been developing and formally verifying a moderately-optimizing compiler for a large subset of the C programming language, generating assembly code for the PowerPC architecture. This compiler comprises a back-end part, translating the Cminor intermediate language to PowerPC assembly and reusable for source languages other than C [4] , and a front-end translating the Clight subset of C to Cminor [42] . The compiler is mostly written within the specification language of the Coq proof assistant, from which Coq's extraction facility generates executable Caml code. The compiler comes with a 40000-line, machine-checked Coq proof of semantic preservation, proving that the semantics of the generated PowerPC code matches that of the source Clight program.

This year, we investigated transition (small-step) semantics for the high-level languages of the Compcert compilation chain (Clight and Cminor). Following an earlier proposal by Andrew Appel and Sandrine Blazy [40] , these transition semantics represent control points and call stacks as continuation terms. Compared with the natural (big-step) semantics used previously for Clight and Cminor, the transition semantics are more compact (there is no duplication of evaluation rules between the terminating and diverging cases), and can easily support the goto statement. Xavier Leroy revised the translation from Cminor to RTL (the next intermediate language of the back-end) and its proof of correctness to use the new reduction semantics for Cminor, including goto . Along the same lines, he attempted to adapt the correctness proof of the translation from Clight to Cminor to transition semantics, but ran into serious difficulties: some of the transformations performed over loops are very difficult to prove correct in terms of continuations, while their proofs are easy using natural semantics.

In parallel, Xavier Leroy experimented with re-targeting the back-end of the Compcert compiler to emit code for the ARM processor instead of the PowerPC. The “stacking” pass (materialization of activation records) was reworked to abstract away processor-dependent details. The enforcement of function calling conventions during register allocation and spilling was revised. In the end, less than 15% of the Coq development was modified to target the ARM processor. However, the machine-dependent parts of the Compcert back-end are not yet cleanly separated from the machine-independent parts, making it difficult to support simultaneously several target processors.

Two articles on parts of the Compcert development potentially reusable in other projects were published in Journal of Automated Reasoning . The first of these papers [13] describes the Coq formalization of the C-like memory model used throughout the Compcert development, and its uses to reason about program transformations that modify the memory behavior of the program. The second paper [14] focuses on the compilation algorithm for parallel assignments used in Compcert and on its surprisingly delicate Coq proof of correctness.

Xavier Leroy wrote and submitted a comprehensive (80 pages) article [34] describing in details the Compcert back-end compiler, its intermediate languages, and its proof of semantic preservation. Sandrine Blazy and Xavier Leroy submitted another article [31] describing the Clight source language of the Compcert compiler and the mechanization of its semantics.

Finally, two versions of the Compcert development were publically released: version 1.2 in April and 1.3 in August. The releases include everything needed to build the executable Compcert C compiler and re-check its correctness. They are licensed for non-commercial uses, including evaluation, research and teaching purposes.

Formal verification of register allocation

Participants : Sandrine Blazy [ CEDRIC-ENSIIE ] , Benoît Robillard [ CEDRIC-ENSIIE ] .

As part of his Ph.D. thesis supervised by Sandrine Blazy, Benoît Robillard investigates the development and formal verification of graph-theoretic algorithms useful for register allocation, as well as the development of new algorithms based on integer linear programming to provide exact solutions for register allocation. The latter algorithms proceed by reductions and simplifications of interference graphs.

Last year, Benoît Robillard developed a greedy algorithm that is adapted to the CompCert register allocation, and proved in Coq the optimality of this algorithm  [28] . This year, Benoît Robillard improved this Coq development by using the FMaps library in order to model graphs. He started to develop a prototype library in Coq for non-oriented graphs.

Sandrine Blazy and Benoît Robillard studied optimal coalescing in the context of extreme live-range splitting (i.e. live-range splitting after each instruction). They designed two optimizations: a graph reduction followed by a graph decomposition based on clique separators.

The two optimizations have been tested on a reference benchmark: Appel's optimal coalescing challenge. For this benchmark, the cutting-plane algorithm for optimal coalescing (the only optimal algorithm for coalescing) runs 300 times faster when combined with the optimizations. Moreover, thanks to these optimiztions, all the solutions of the optimal coalescing challenge are found, including the 3 instances that were until now unsolved. These results were presented in a paper submitted to the Compiler Construction conference  [32] .

Verified translation validation

Participants : Jean-Baptiste Tristan, Xavier Leroy.

Verified translation validation provides an alternative to proving semantics preservation for the transformations involved in a certified compiler. Instead of proving that a given transformation is correct, we validate it a posteriori, i.e. we verify that the transformed program behaves like the original. The validation algorithm is described using the Coq proof assistant and proved correct, i.e. that it only accepts transformed programs semantically equivalent to the original. In contrast, the program transformation itself can be implemented in any language and does not need to be proved correct.

Jean-Baptiste Tristan, under the supervision of Xavier Leroy, investigated this approach in the case of Lazy Code Motion. Lazy Code Motion is a program optimization that reduces execution time by performing global common subexpression elimination, partial redundancy elimination and loop invariant code motion. This year, Jean-Baptiste Tristan successfully built and proved correct a validator for Lazy Code Motion. This result is presented in a paper that has been submitted [39] . This experiments is remarkable by the simplicity of its solution. It provides strong evidence that complex global optimizations such as Lazy Code Motion are within reach of formally verified compilers such as CompCert.

To complete our study on the use of verified translation validation in the context of verified compilers, we must address loop optimizations. We have chosen to study a pinnacle of compiler optimization: software pipelining. Software pipelining is a loop transformation that overlaps different iterations of a loop to reduce execution time. This optimization is very challenging to validate and certify because it heavily modifies the structure of the program while scheduling the code and renaming registers. To the best of our knowledge, this constitutes the first attempt to certify a loop optimization of this complexity.

Verification of a compiler front-end for Mini-ML

Participants : Zaynah Dargaye, Xavier Leroy.

As part of her Ph.D. thesis and under Xavier Leroy's supervision, Zaynah Dargaye investigates the development and formal verification of a translator from a small call-by-value functional language (Mini-ML) to Cminor. Mini-ML features functions as first-class values, constructed data types and shallow pattern-matching, making it an adequate target for Coq's program extraction facility.

This year, Zaynah Dargaye finished the development and Coq proof of correctness of this translator. It performs function uncurrying (the transformation of curried functions into n -ary functions), closure conversion, explicit registration of memory roots with the garbage collector (using an original monadic intermediate form), and generation of Cminor code. An executable translator was generated by automatic extraction from the Coq specifications. In conjuction with the existing CompCert back-end compiler and a simple memory allocator and garbage collector written in Cminor, this executable translator is able to generate PowerPC executables from Mini-ML programs.

Zaynah Dargaye is writing up these results in her Ph.D. dissertation, tentatively titled Vérification formelle d'un compilateur optimisant pour un langage fonctionnel .

Formal verification of runtime systems

Participants : Tahina Ramananandro, Xavier Leroy.

High-level languages such as ML or Java are equipped with runtime systems, providing services ranging from memory management to full virtual machines. Such runtime systems are linked with compiled programs. Thus, to develop a verified compiler for such languages, it is critical to prove that their runtime systems do not modify or break the semantics of source programs. Garbage collectors, automatically managing memory for the actual representation of objects in such languages, are critical parts of these runtime systems. As they heavily use pointer arithmetics, their proofs must be treated with specific methods.

Last year, Tahina Ramananandro attempted to formally prove the correctness of a mark-and-sweep garbage collector written in the Cminor intermediate language, using the Coq proof assistant. These proofs required manual reasoning between real Cminor code and a proof-level representation of the algorithm directly expressed in Gallina (the specification language of the Coq proof assistant), as well as fine reasoning over pointer and machine integer arithmetics.

This year, under Xavier Leroy's supervision, Tahina Ramananandro attacked the issue of developing automatization tools for such proofs, as well as a domain-specific language for writing garbage collectors, along with tools to reason about both its operational and axiomatic semantics and a verified compiler from this language to Cminor. Tahina Ramananandro then revisited the formal proof of the mark-and-sweep garbage collector implementation using this specific language.

A potential application contexts for this verified garbage collector, in addition to the MiniML front-end of Zaynah Dargaye, is a verified static compiler from Java bytecode to RTL (a CFG-style intermediate language of the CompCert back-end). Tahina Ramananandro developed (in OCaml) a prototype of this static compiler.


Logo Inria