1 | \documentclass[11pt,epsf,a4wide]{article} |
---|
2 | \usepackage[mathletters]{ucs} |
---|
3 | \usepackage[utf8x]{inputenc} |
---|
4 | \usepackage{listings} |
---|
5 | \usepackage{../../style/cerco} |
---|
6 | \newcommand{\ocaml}{OCaml} |
---|
7 | \newcommand{\clight}{Clight} |
---|
8 | \newcommand{\matita}{Matita} |
---|
9 | \newcommand{\sdcc}{\texttt{sdcc}} |
---|
10 | |
---|
11 | \newcommand{\textSigma}{\ensuremath{\Sigma}} |
---|
12 | |
---|
13 | % LaTeX Companion, p 74 |
---|
14 | \newcommand{\todo}[1]{\marginpar{\raggedright - #1}} |
---|
15 | |
---|
16 | \lstdefinelanguage{coq} |
---|
17 | {keywords={Definition,Lemma,Theorem,Remark,Qed,Save,Inductive,Record}, |
---|
18 | morekeywords={[2]if,then,else}, |
---|
19 | } |
---|
20 | |
---|
21 | \lstdefinelanguage{matita} |
---|
22 | {keywords={definition,lemma,theorem,remark,inductive,record,qed,let,rec,match,with,Type,and,on}, |
---|
23 | morekeywords={[2]whd,normalize,elim,cases,destruct}, |
---|
24 | mathescape=true, |
---|
25 | morecomment=[n]{(*}{*)}, |
---|
26 | } |
---|
27 | |
---|
28 | \lstset{language=matita,basicstyle=\small\tt,columns=flexible,breaklines=false, |
---|
29 | keywordstyle=\color{red}\bfseries, |
---|
30 | keywordstyle=[2]\color{blue}, |
---|
31 | commentstyle=\color{green}, |
---|
32 | stringstyle=\color{blue}, |
---|
33 | showspaces=false,showstringspaces=false} |
---|
34 | |
---|
35 | \lstset{extendedchars=false} |
---|
36 | \lstset{inputencoding=utf8x} |
---|
37 | \DeclareUnicodeCharacter{8797}{:=} |
---|
38 | \DeclareUnicodeCharacter{10746}{++} |
---|
39 | \DeclareUnicodeCharacter{9001}{\ensuremath{\langle}} |
---|
40 | \DeclareUnicodeCharacter{9002}{\ensuremath{\rangle}} |
---|
41 | |
---|
42 | |
---|
43 | \title{ |
---|
44 | INFORMATION AND COMMUNICATION TECHNOLOGIES\\ |
---|
45 | (ICT)\\ |
---|
46 | PROGRAMME\\ |
---|
47 | \vspace*{1cm}Project FP7-ICT-2009-C-243881 \cerco{}} |
---|
48 | |
---|
49 | \date{ } |
---|
50 | \author{} |
---|
51 | |
---|
52 | \begin{document} |
---|
53 | \thispagestyle{empty} |
---|
54 | |
---|
55 | \vspace*{-1cm} |
---|
56 | \begin{center} |
---|
57 | \includegraphics[width=0.6\textwidth]{../../style/cerco_logo.png} |
---|
58 | \end{center} |
---|
59 | |
---|
60 | \begin{minipage}{\textwidth} |
---|
61 | \maketitle |
---|
62 | \end{minipage} |
---|
63 | |
---|
64 | |
---|
65 | \vspace*{0.5cm} |
---|
66 | \begin{center} |
---|
67 | \begin{LARGE} |
---|
68 | \bf |
---|
69 | Report n. D3.4\\ |
---|
70 | Front-end Correctness Proofs\\ |
---|
71 | \end{LARGE} |
---|
72 | \end{center} |
---|
73 | |
---|
74 | \vspace*{2cm} |
---|
75 | \begin{center} |
---|
76 | \begin{large} |
---|
77 | Version 1.0 |
---|
78 | \end{large} |
---|
79 | \end{center} |
---|
80 | |
---|
81 | \vspace*{0.5cm} |
---|
82 | \begin{center} |
---|
83 | \begin{large} |
---|
84 | Authors:\\ |
---|
85 | Brian~Campbell, Ilias~Garnier, James~McKinna, Ian~Stark |
---|
86 | \end{large} |
---|
87 | \end{center} |
---|
88 | |
---|
89 | \vspace*{\fill} |
---|
90 | \noindent |
---|
91 | Project Acronym: \cerco{}\\ |
---|
92 | Project full title: Certified Complexity\\ |
---|
93 | Proposal/Contract no.: FP7-ICT-2009-C-243881 \cerco{}\\ |
---|
94 | |
---|
95 | \clearpage \pagestyle{myheadings} \markright{\cerco{}, FP7-ICT-2009-C-243881} |
---|
96 | |
---|
97 | \newpage |
---|
98 | |
---|
99 | \vspace*{7cm} |
---|
100 | \paragraph{Abstract} |
---|
101 | We report on the correctness proofs for the front-end of the \cerco{} cost |
---|
102 | lifting compiler, considering three distinct parts of the task: showing that |
---|
103 | the \emph{annotated source code} output by the compiler has equivalent |
---|
104 | behaviour to the original input (up to the annotations); showing that a |
---|
105 | \emph{measurable} subtrace of the annotated source code corresponds to an |
---|
106 | equivalent measurable subtrace in the code produced by the front-end, including |
---|
107 | costs; and finally showing that the enriched \emph{structured} execution traces |
---|
108 | required for cost correctness in the back-end can be constructed from the |
---|
109 | properties of the code produced by the front-end. |
---|
110 | |
---|
111 | A key part of our work is that the intensional correctness results that show |
---|
112 | that we get consistent cost measurements throughout the intermediate languages |
---|
113 | of the compiler can be layered on top of normal forward simulation results, |
---|
114 | if we split them into local call-structure preserving results. |
---|
115 | |
---|
116 | This deliverable shows correctness results about the formalised compiler |
---|
117 | described in D3.2, using the source language semantics from D3.1 and |
---|
118 | intermediate language semantics from D3.3. Together with the companion |
---|
119 | deliverable about the correctness of the back-end, D4.4, we obtain results |
---|
120 | about the whole formalised compiler. |
---|
121 | |
---|
122 | % TODO: mention the deliverable about the extracted compiler et al? |
---|
123 | |
---|
124 | \newpage |
---|
125 | |
---|
126 | \tableofcontents |
---|
127 | |
---|
128 | % CHECK: clear up any -ize vs -ise |
---|
129 | % CHECK: clear up any "front end" vs "front-end" |
---|
130 | % CHECK: clear up any mentions of languages that aren't textsf'd. |
---|
131 | % CHECK: fix unicode in listings |
---|
132 | |
---|
133 | \section{Introduction} |
---|
134 | |
---|
135 | \todo{add stack space for more precise statement. Also do some |
---|
136 | translation validation on sound, precise labelling properties.} |
---|
137 | |
---|
138 | The \cerco{} compiler compiles C code targeting microcontrollers implementing |
---|
139 | the Intel 8051 architecture, which produces both the object code and source |
---|
140 | code containing annotations describing the timing behavior of the object code. |
---|
141 | There are two versions: first, an initial prototype implemented in |
---|
142 | \ocaml{}~\cite{d2.2}, and a version formalised in the \matita{} proof |
---|
143 | assistant~\cite{d3.2,d4.2} and then extracted to \ocaml{} code to produce an |
---|
144 | executable compiler. In this document we present results formalised in |
---|
145 | \matita{} about the front-end of that version of the compiler, and how that fits |
---|
146 | into the verification of the whole compiler. |
---|
147 | |
---|
148 | \todo{maybe mention stack space here? other additions? refer to "layering"?} |
---|
149 | A key part of this work was to separate the proofs about the compiled code's |
---|
150 | extensional behaviour (that is, the functional correctness of the compiler) |
---|
151 | from the intensional correctness that the costs given are correct. |
---|
152 | Unfortunately, the ambitious goal of completely verifying the compiler was not |
---|
153 | feasible within the time available, but thanks to this separation of extensional |
---|
154 | and intensional proofs we are able to axiomatize simulation results similar to |
---|
155 | those in other compiler verification projects and concentrate on the novel |
---|
156 | intensional proofs. The proofs were also made more tractable by introducing |
---|
157 | compile-time checks for the `sound and precise' cost labelling properties |
---|
158 | rather than proving that they are preserved throughout. |
---|
159 | |
---|
160 | The overall statement of correctness says that the annotated program has the |
---|
161 | same behaviour as the input, and that for any suitably well-structured part of |
---|
162 | the execution (which we call \emph{measurable}), the object code will execute |
---|
163 | the same behaviour taking precisely the time given by the cost annotations in |
---|
164 | the annotated source program. |
---|
165 | |
---|
166 | In the next section we recall the structure of the compiler and make the overall |
---|
167 | statement more precise. Following that, in Section~\ref{sec:fegoals} we |
---|
168 | describe the statements we need to prove about the intermediate \textsf{RTLabs} |
---|
169 | programs sufficient for the back-end proofs. \todo{rest of document structure} |
---|
170 | |
---|
171 | \section{The compiler and main goals} |
---|
172 | |
---|
173 | TODO: outline compiler, maybe figure from talk, maybe something like the figure |
---|
174 | below. |
---|
175 | |
---|
176 | TODO: might want a version of this figure |
---|
177 | \begin{figure} |
---|
178 | \begin{center} |
---|
179 | \begin{minipage}{.8\linewidth} |
---|
180 | \begin{tabbing} |
---|
181 | \quad \= $\downarrow$ \quad \= \kill |
---|
182 | \textsf{C} (unformalized)\\ |
---|
183 | \> $\downarrow$ \> CIL parser (unformalized \ocaml)\\ |
---|
184 | \textsf{Clight}\\ |
---|
185 | %\> $\downarrow$ \> add runtime functions\\ |
---|
186 | \> $\downarrow$ \> \lstinline[language=C]'switch' removal\\ |
---|
187 | \> $\downarrow$ \> labelling\\ |
---|
188 | \> $\downarrow$ \> cast removal\\ |
---|
189 | \> $\downarrow$ \> stack variable allocation and control structure |
---|
190 | simplification\\ |
---|
191 | \textsf{Cminor}\\ |
---|
192 | %\> $\downarrow$ \> generate global variable initialization code\\ |
---|
193 | \> $\downarrow$ \> transform to RTL graph\\ |
---|
194 | \textsf{RTLabs}\\ |
---|
195 | \> $\downarrow$ \> check cost labelled properties of RTL graph\\ |
---|
196 | \> $\downarrow$ \> start of target specific back-end\\ |
---|
197 | \>\quad \vdots |
---|
198 | \end{tabbing} |
---|
199 | \end{minipage} |
---|
200 | \end{center} |
---|
201 | \caption{Front-end languages and compiler passes} |
---|
202 | \label{fig:summary} |
---|
203 | \end{figure} |
---|
204 | |
---|
205 | The compiler function returns the following record on success: |
---|
206 | \begin{lstlisting}[language=matita] |
---|
207 | record compiler_output : Type[0] := |
---|
208 | { c_labelled_object_code: labelled_object_code |
---|
209 | ; c_stack_cost: stack_cost_model |
---|
210 | ; c_max_stack: nat |
---|
211 | ; c_init_costlabel: costlabel |
---|
212 | ; c_labelled_clight: clight_program |
---|
213 | ; c_clight_cost_map: clight_cost_map |
---|
214 | }. |
---|
215 | \end{lstlisting} |
---|
216 | It consists of annotated 8051 object code, a mapping from function |
---|
217 | identifiers to the function's stack space usage\footnote{The compiled |
---|
218 | code's only stack usage is to allocate a fixed-size frame on each |
---|
219 | function entry and discard it on exit.}, a cost label covering the |
---|
220 | initialisation of global variables and calling the |
---|
221 | \lstinline[language=C]'main' function, the annotated source code, and |
---|
222 | finally a mapping from cost labels to actual execution time costs. |
---|
223 | |
---|
224 | An \ocaml{} pretty printer is used to provide a concrete version of the output |
---|
225 | code. In the case of the annotated source code, it also inserts the actual |
---|
226 | costs alongside the cost labels, and optionally adds a global cost variable |
---|
227 | and instrumentation to support further reasoning. \todo{Cross-ref case study |
---|
228 | deliverables} |
---|
229 | |
---|
230 | \subsection{Revisions to the prototype compiler} |
---|
231 | |
---|
232 | TODO: could be a good idea to have this again; stack space, |
---|
233 | initialisation, cost checks, had we dropped cminor loops in previous |
---|
234 | writing?, check mailing list in case I've forgotten something |
---|
235 | |
---|
236 | TODO: continued use of dep types to reduce partiality |
---|
237 | |
---|
238 | \subsection{Main goals} |
---|
239 | |
---|
240 | TODO: need an example for this |
---|
241 | |
---|
242 | Informally, our main intensional result links the time difference in a source |
---|
243 | code execution to the time difference in the object code, expressing the time |
---|
244 | for the source by summing the values for the cost labels in the trace, and the |
---|
245 | time for the target by a clock built in to the 8051 executable semantics. |
---|
246 | |
---|
247 | The availability of precise timing information for 8501 |
---|
248 | implementations and the design of the compiler allow it to give exact |
---|
249 | time costs in terms of processor cycles. However, these exact results |
---|
250 | are only available if the subtrace we measure starts and ends at |
---|
251 | suitable points. In particular, pure computation with no observable |
---|
252 | effects may be reordered and moved past cost labels, so we cannot |
---|
253 | measure time between arbitrary statements in the program. |
---|
254 | |
---|
255 | There is also a constraint on the subtraces that we |
---|
256 | measure due to the requirements of the correctness proof for the |
---|
257 | object code timing analysis. To be sure that the timings are assigned |
---|
258 | to the correct cost label, we need to know that each return from a |
---|
259 | function call must go to the correct return address. It is difficult |
---|
260 | to observe this property locally in the object code because it relies |
---|
261 | on much earlier stages in the compiler. To convey this information to |
---|
262 | the timing analysis extra structure is imposed on the subtraces, which |
---|
263 | we will give more details on in Section~\ref{sec:fegoals}. |
---|
264 | |
---|
265 | % Regarding the footnote, would there even be much point? |
---|
266 | These restrictions are reflected in the subtraces that we give timing |
---|
267 | guarantees on; they must start at a cost label and end at the return |
---|
268 | of the enclosing function of the cost label\footnote{We expect that |
---|
269 | this would generalise to subtraces between cost labels in the same |
---|
270 | function, but could not justify the extra complexity that would be |
---|
271 | required to show this.}. A typical example of such a subtrace is |
---|
272 | the execution of an entire function from the cost label at the start |
---|
273 | of the function until it returns. We call such any such subtrace |
---|
274 | \emph{measurable} if it (and the prefix of the trace before it) can |
---|
275 | also be executed within the available stack space. |
---|
276 | |
---|
277 | Now we can give the main intensional statement for the compiler. |
---|
278 | Given a \emph{measurable} subtrace for a labelled \textsf{Clight} |
---|
279 | program, there is a subtrace of the 8051 object code program where the |
---|
280 | time differences match. Moreover, \emph{observable} parts of the |
---|
281 | trace also match --- these are the appearance of cost labels and |
---|
282 | function calls and returns. |
---|
283 | |
---|
284 | More formally, the definition of this statement in \matita{} is |
---|
285 | \begin{lstlisting}[language=matita] |
---|
286 | definition simulates := |
---|
287 | $\lambda$p: compiler_output. |
---|
288 | let initial_status := initialise_status $\dots$ (cm (c_labelled_object_code $\dots$ p)) in |
---|
289 | $\forall$m1,m2. |
---|
290 | measurable Clight_pcs (c_labelled_clight $\dots$ p) m1 m2 |
---|
291 | (lookup_stack_cost (c_stack_cost $\dots$ p)) (c_max_stack $\dots$ p) $\rightarrow$ |
---|
292 | $\forall$c1,c2. |
---|
293 | clock_after Clight_pcs (c_labelled_clight $\dots$ p) m1 (c_clight_cost_map $\dots$ p) = OK $\dots$ c1 $\rightarrow$ |
---|
294 | clock_after Clight_pcs (c_labelled_clight $\dots$ p) (m1+m2) (c_clight_cost_map $\dots$ p) = OK $\dots$ c2 $\rightarrow$ |
---|
295 | $\exists$n1,n2. |
---|
296 | observables Clight_pcs (c_labelled_clight $\dots$ p) m1 m2 = |
---|
297 | observables (OC_preclassified_system (c_labelled_object_code $\dots$ p)) |
---|
298 | (c_labelled_object_code $\dots$ p) n1 n2 |
---|
299 | $\wedge$ |
---|
300 | c2 - c1 = clock $\dots$ (execute n2 ? initial_status) - clock $\dots$ (execute n1 ? initial_status). |
---|
301 | \end{lstlisting} |
---|
302 | where the \lstinline'measurable', \lstinline'clock_after' and |
---|
303 | \lstinline'observables' definitions can be applied to multiple |
---|
304 | languages; in this case the \lstinline'Clight_pcs' record applies them |
---|
305 | to \textsf{Clight} programs. |
---|
306 | |
---|
307 | There is a second part to the statement, which says that the initial |
---|
308 | processing of the input program to produce the cost labelled version |
---|
309 | does not affect the semantics of the program: |
---|
310 | % Yes, I'm paraphrasing the result a tiny bit to remove the observe non-function |
---|
311 | \begin{lstlisting}[language=matita] |
---|
312 | $\forall$input_program,output. |
---|
313 | compile input_program = return output $\rightarrow$ |
---|
314 | not_wrong … (exec_inf … clight_fullexec input_program) $\rightarrow$ |
---|
315 | sim_with_labels |
---|
316 | (exec_inf … clight_fullexec input_program) |
---|
317 | (exec_inf … clight_fullexec (c_labelled_clight … output)) |
---|
318 | \end{lstlisting} |
---|
319 | That is, any successful compilation produces a labelled program that |
---|
320 | has identical behaviour to the original, so long as there is no |
---|
321 | `undefined behaviour'. |
---|
322 | |
---|
323 | Note that this provides full functional correctness, including |
---|
324 | preservation of (non-)termination. The intensional result above does |
---|
325 | not do this directly --- it does not guarantee the same result or same |
---|
326 | termination. There are two mitigating factors, however: first, to |
---|
327 | prove the intensional property you need local simulation results that |
---|
328 | can be pieced together to form full behavioural equivalence, only time |
---|
329 | constraints have prevented us from doing so. Second, if we wish to |
---|
330 | confirm a result, termination, or non-termination we could add an |
---|
331 | observable witness, such as a function that is only called if the |
---|
332 | correct result is given. The intensional result guarantees that the |
---|
333 | observable witness is preserved, so the program must behave correctly. |
---|
334 | |
---|
335 | \section{Intermediate goals for the front-end} |
---|
336 | \label{sec:fegoals} |
---|
337 | |
---|
338 | The essential parts of the intensional proof were outlined during work |
---|
339 | on a toy |
---|
340 | compiler~\cite{d2.1,springerlink:10.1007/978-3-642-32469-7_3}. These |
---|
341 | are |
---|
342 | \begin{enumerate} |
---|
343 | \item functional correctness, in particular preserving the trace of |
---|
344 | cost labels, |
---|
345 | \item the \emph{soundness} and \emph{precision} of the cost labelling |
---|
346 | on the object code, and |
---|
347 | \item the timing analysis on the object code produces a correct |
---|
348 | mapping from cost labels to time. |
---|
349 | \end{enumerate} |
---|
350 | |
---|
351 | However, that toy development did not include function calls. For the |
---|
352 | full \cerco{} compiler we also need to maintain the invariant that |
---|
353 | functions return to the correct program location in the caller, as we |
---|
354 | mentioned in the previous section. During work on the back-end timing |
---|
355 | analysis (describe in more detail in the companion deliverable, D4.4) |
---|
356 | the notion of a \emph{structured trace} was developed to enforce this |
---|
357 | return property, and also most of the cost labelling properties too. |
---|
358 | |
---|
359 | \begin{figure} |
---|
360 | \begin{center} |
---|
361 | \includegraphics[width=0.5\linewidth]{compiler.pdf} |
---|
362 | \end{center} |
---|
363 | \caption{The compiler and proof outline} |
---|
364 | \label{fig:compiler} |
---|
365 | \end{figure} |
---|
366 | |
---|
367 | Jointly, we generalised the structured traces to apply to any of the |
---|
368 | intermediate languages with some idea of program counter. This means |
---|
369 | that they are introduced part way through the compiler, see |
---|
370 | Figure~\ref{fig:compiler}. Proving that a structured trace can be |
---|
371 | constructed at \textsf{RTLabs} has several virtues: |
---|
372 | \begin{itemize} |
---|
373 | \item This is the first language where every operation has its own |
---|
374 | unique, easily addressable, statement. |
---|
375 | \item Function calls and returns are still handled in the language and |
---|
376 | so the structural properties are ensured by the semantics. |
---|
377 | \item Many of the back-end languages from \textsf{RTL} share a common |
---|
378 | core set of definitions, and using structured traces throughout |
---|
379 | increases this uniformity. |
---|
380 | \end{itemize} |
---|
381 | |
---|
382 | \begin{figure} |
---|
383 | \begin{center} |
---|
384 | \includegraphics[width=0.6\linewidth]{strtraces.pdf} |
---|
385 | \end{center} |
---|
386 | \caption{Nesting of functions in structured traces} |
---|
387 | \label{fig:strtrace} |
---|
388 | \end{figure} |
---|
389 | A structured trace is a mutually inductive data type which principally |
---|
390 | contains the steps from a normal program trace, but arranged into a |
---|
391 | nested structure which groups entire function calls together and |
---|
392 | aggregates individual steps between cost labels (or between the final |
---|
393 | cost label and the return from the function), see |
---|
394 | Figure~\ref{fig:strtrace}. This capture the idea that the cost labels |
---|
395 | only represent costs \emph{within} a function --- calls to other |
---|
396 | functions are accounted for in the trace for their execution, and we |
---|
397 | can locally regard function calls as a single step. |
---|
398 | |
---|
399 | These structured traces form the core part of the intermediate results |
---|
400 | that we must prove so that the back-end can complete the main |
---|
401 | intensional result stated above. In full, we provide the back-end |
---|
402 | with |
---|
403 | \begin{enumerate} |
---|
404 | \item A normal trace of the \textbf{prefix} of the program's execution |
---|
405 | before reaching the measurable subtrace. (This needs to be |
---|
406 | preserved so that we know that the stack space consumed is correct.) |
---|
407 | \item The \textbf{structured trace} corresponding to the measurable |
---|
408 | subtrace. |
---|
409 | \item An additional property about the structured trace that no |
---|
410 | `program counter' is \textbf{repeated} between cost labels. Together with |
---|
411 | the structure in the trace, this takes over from showing that |
---|
412 | cost labelling is sound and precise. |
---|
413 | \item A proof that the \textbf{observables} have been preserved. |
---|
414 | \item A proof that the \textbf{stack limit} is still observed by the prefix and |
---|
415 | the structure trace. (This is largely a consequence of the |
---|
416 | preservation of observables.) |
---|
417 | \end{enumerate} |
---|
418 | |
---|
419 | Following the outline in Figure~\ref{fig:compiler}, we will first deal |
---|
420 | with the transformations in \textsf{Clight} that produce the source |
---|
421 | program with cost labels, then show that measurable traces can be |
---|
422 | lifted to \textsf{RTLabs}, and finally that we can construct the |
---|
423 | properties listed above ready for the back-end proofs. |
---|
424 | |
---|
425 | \section{Input code to cost labelled program} |
---|
426 | |
---|
427 | The simple form of labelling used in the formalised compiler is not |
---|
428 | quite capable of capturing costs arising from complex C |
---|
429 | \lstinline[language=C]'switch' statements, largely due to the |
---|
430 | fall-through behaviour. Our first pass replaces these statements with |
---|
431 | simpler C code, allowing our second pass to perform the cost |
---|
432 | labelling. We show that the behaviour of programs is unchanged by |
---|
433 | these passes. |
---|
434 | |
---|
435 | TODO: both give one-step-sim-by-many forward sim results; switch |
---|
436 | removal tricky, uses aux var to keep result of expr, not central to |
---|
437 | intensional correctness so curtailed proof effort once reasonable |
---|
438 | level of confidence in code gained; labelling much simpler; don't care |
---|
439 | what the labels are at this stage, just need to know when to go |
---|
440 | through extra steps. Rolled up into a single result with a cofixpoint |
---|
441 | to obtain coinductive statement of equivalence (show). |
---|
442 | |
---|
443 | \section{Finding corresponding measurable subtraces} |
---|
444 | |
---|
445 | There follow the three main passes of the front-end: |
---|
446 | \begin{enumerate} |
---|
447 | \item simplification of casts in \textsf{Clight} code |
---|
448 | \item \textsf{Clight} to \textsf{Cminor} translation, performing stack |
---|
449 | variable allocation and simplifying control structures |
---|
450 | \item transformation to \textsf{RTLabs} control flow graph |
---|
451 | \end{enumerate} |
---|
452 | \todo{I keep mentioning forward sim results - I probably ought to say |
---|
453 | something about determinancy} We have taken a common approach to |
---|
454 | each pass: first we build (or axiomatise) forward simulation results |
---|
455 | that are similar to normal compiler proofs, but slightly more |
---|
456 | fine-grained so that we can see that the call structure and relative |
---|
457 | placement of cost labels is preserved. |
---|
458 | |
---|
459 | Then we instantiate a general result which shows that we can find a |
---|
460 | \emph{measurable} subtrace in the target of the pass that corresponds |
---|
461 | to the measurable subtract in the source. By repeated application of |
---|
462 | this result we can find a measurable subtrace of the execution of the |
---|
463 | \textsf{RTLabs} code, suitable for the construction of a structured |
---|
464 | trace (see Section~\ref{sec:structuredtrace}. This is essentially an |
---|
465 | extra layer on top of the simulation proofs that provides us with the |
---|
466 | extra information required for our intensional correctness proof. |
---|
467 | |
---|
468 | \subsection{Generic measurable subtrace lifting proof} |
---|
469 | |
---|
470 | Our generic proof is parametrised on a record containing small-step |
---|
471 | semantics for the source and target language, a classification of |
---|
472 | states (the same form of classification is used when defining |
---|
473 | structured traces), a simulation relation which loosely respects the |
---|
474 | classification and cost labelling \todo{this isn't very helpful} and |
---|
475 | four simulation results: |
---|
476 | \begin{enumerate} |
---|
477 | \item a step from a `normal' state (which is not classified as a call |
---|
478 | or return) which is not a cost label is simulated by zero or more |
---|
479 | `normal' steps; |
---|
480 | \item a step from a `call' state followed by a cost label step is |
---|
481 | simulated by a step from a `call' state, a corresponding label step, |
---|
482 | then zero or more `normal' steps; |
---|
483 | \item a step from a `call' state not followed by a cost label |
---|
484 | similarly (note that this case cannot occur in a well-labelled |
---|
485 | program, but we do not have enough information locally to exploit |
---|
486 | this); and |
---|
487 | \item a cost label step is simulated by a cost label step. |
---|
488 | \end{enumerate} |
---|
489 | Finally, we need to know that a successfully translated program will |
---|
490 | have an initial state in the simulation relation with the original |
---|
491 | program's initial state. |
---|
492 | |
---|
493 | \begin{figure} |
---|
494 | \begin{center} |
---|
495 | \includegraphics[width=0.5\linewidth]{meassim.pdf} |
---|
496 | \end{center} |
---|
497 | \caption{Tiling of simulation for a measurable subtrace} |
---|
498 | \label{fig:tiling} |
---|
499 | \end{figure} |
---|
500 | |
---|
501 | To find the measurable subtrace in the target program's execution we |
---|
502 | walk along the original program's execution trace applying the |
---|
503 | appropriate simulation result by induction on the number of steps. |
---|
504 | While the number of steps taken varies, the overall structure is |
---|
505 | preserved, as illustrated in Figure~\ref{fig:tiling}. By preserving |
---|
506 | the structure we also maintain the same intensional observables. One |
---|
507 | delicate point is that the cost label following a call must remain |
---|
508 | directly afterwards\footnote{The prototype compiler allowed some |
---|
509 | straight-line code to appear before the cost label until a later |
---|
510 | stage of the compiler, but we must move the requirement forward to |
---|
511 | fit with the structured traces.} |
---|
512 | % Damn it, I should have just moved the cost label forwards in RTLabs, |
---|
513 | % like the prototype does in RTL to ERTL; the result would have been |
---|
514 | % simpler. Or was there some reason not to do that? |
---|
515 | (both in the program code and in the execution trace), even if we |
---|
516 | introduce extra steps, for example to store parameters in memory in |
---|
517 | \textsf{Cminor}. Thus we have a version of the call simulation |
---|
518 | that deals with both in one result. |
---|
519 | |
---|
520 | In addition to the subtrace we are interested in measuring we must |
---|
521 | also prove that the earlier part of the trace is also preserved in |
---|
522 | order to use the simulation from the initial state. It also |
---|
523 | guarantees that we do not run out of stack space before the subtrace |
---|
524 | we are interested in. The lemmas for this prefix and the measurable |
---|
525 | subtrace are similar, following the pattern above. However, the |
---|
526 | measurable subtrace also requires us to rebuild the termination |
---|
527 | proof. This has a recursive form: |
---|
528 | \begin{lstlisting}[language=matita] |
---|
529 | let rec will_return_aux C (depth:nat) |
---|
530 | (trace:list (cs_state … C × trace)) on trace : bool := |
---|
531 | match trace with |
---|
532 | [ nil $\Rightarrow$ false |
---|
533 | | cons h tl $\Rightarrow$ |
---|
534 | let $\langle$s,tr$\rangle$ := h in |
---|
535 | match cs_classify C s with |
---|
536 | [ cl_call $\Rightarrow$ will_return_aux C (S depth) tl |
---|
537 | | cl_return $\Rightarrow$ |
---|
538 | match depth with |
---|
539 | [ O $\Rightarrow$ match tl with [ nil $\Rightarrow$ true | _ $\Rightarrow$ false ] |
---|
540 | | S d $\Rightarrow$ will_return_aux C d tl |
---|
541 | ] |
---|
542 | | _ $\Rightarrow$ will_return_aux C depth tl |
---|
543 | ] |
---|
544 | ]. |
---|
545 | \end{lstlisting} |
---|
546 | The \lstinline'depth' is the number of return states we need to see |
---|
547 | before we have returned to the original function (initially zero) and |
---|
548 | \lstinline'trace' the measurable subtrace obtained from the running |
---|
549 | the semantics for the correct number of steps. This definition |
---|
550 | unfolds tail recursively for each step, and once the corresponding |
---|
551 | simulation result has been applied a new one for the target can be |
---|
552 | asserted by unfolding and applying the induction hypothesis on the |
---|
553 | shorter trace. |
---|
554 | |
---|
555 | This then gives us an overall result for any simulation fitting the |
---|
556 | requirements above (contained in the \lstinline'meas_sim' record): |
---|
557 | \begin{lstlisting}[language=matita] |
---|
558 | theorem measured_subtrace_preserved : |
---|
559 | $\forall$MS:meas_sim. |
---|
560 | $\forall$p1,p2,m,n,stack_cost,max. |
---|
561 | ms_compiled MS p1 p2 $\rightarrow$ |
---|
562 | measurable (ms_C1 MS) p1 m n stack_cost max $\rightarrow$ |
---|
563 | $\exists$m',n'. |
---|
564 | measurable (ms_C2 MS) p2 m' n' stack_cost max $\wedge$ |
---|
565 | observables (ms_C1 MS) p1 m n = observables (ms_C2 MS) p2 m' n'. |
---|
566 | \end{lstlisting} |
---|
567 | The stack space requirement that is embedded in \lstinline'measurable' |
---|
568 | is a consequence of the preservation of observables. |
---|
569 | |
---|
570 | TODO: how to deal with untidy edges wrt to sim rel; anything to |
---|
571 | say about obs? |
---|
572 | |
---|
573 | TODO: say something about termination measures; cost labels are |
---|
574 | statements/exprs in these languages; split call/return gives simpler |
---|
575 | simulations |
---|
576 | |
---|
577 | \subsection{Simulation results for each pass} |
---|
578 | |
---|
579 | \todo{don't use loop structures from CompCert, go straight to jumps} |
---|
580 | |
---|
581 | \section{Checking cost labelling properties} |
---|
582 | |
---|
583 | Ideally, we would provide proofs that the cost labelling pass always |
---|
584 | produced programs that are soundly and precisely labelled and that |
---|
585 | each subsequent pass preserves these properties. This would match our |
---|
586 | use of dependent types to eliminate impossible sources of errors |
---|
587 | during compilation, in particular retaining intermediate language type |
---|
588 | information. |
---|
589 | |
---|
590 | However, given the limited amount of time available we realised that |
---|
591 | implementing a compile-time check for a sound and precise labelling of |
---|
592 | the \textsf{RTLabs} intermediate code would reduce the proof burden |
---|
593 | considerably. This is similar in spirit to the use of translation |
---|
594 | validation in certified compilation\todo{Cite some suitable work |
---|
595 | here}, which makes a similar trade-off between the potential for |
---|
596 | compile-time failure and the volume of proof required. |
---|
597 | |
---|
598 | The check cannot be pushed into a later stage of the compiler because |
---|
599 | much of the information is embedded into the structured traces. |
---|
600 | However, if an alternative method was used to show that function |
---|
601 | returns in the compiled code are sufficiently well-behaved, then we |
---|
602 | could consider pushing the cost property checks into the timing |
---|
603 | analysis itself. We leave this as a possible area for future work. |
---|
604 | |
---|
605 | \subsection{Implementation and correctness} |
---|
606 | |
---|
607 | For a cost labelling to be sound and precise we need a cost label at |
---|
608 | the start of each function, after each branch and at least once in |
---|
609 | every loop. The first two parts are trivial to check by examining the |
---|
610 | code. In \textsf{RTLabs} the last part is specified by saying |
---|
611 | that there is a bound on the number of successive instruction nodes in |
---|
612 | the CFG that you can follow before you encounter a cost label, and |
---|
613 | checking this is more difficult. |
---|
614 | |
---|
615 | The implementation works through the set of nodes in the graph, |
---|
616 | following successors until a cost label is found or a label-free cycle |
---|
617 | is discovered (in which case the property does not hold and we stop). |
---|
618 | This is made easier by the prior knowledge that any branch is followed |
---|
619 | by cost labels, so we do not need to search each branch. When a label |
---|
620 | is found, we remove the chain from the set and continue until it is |
---|
621 | empty, at which point we know that there is a bound for every node in |
---|
622 | the graph. |
---|
623 | |
---|
624 | Directly reasoning about the function that implements this would be |
---|
625 | rather awkward, so an inductive specification of a single step of its |
---|
626 | behaviour was written and proved to match the implementation. This |
---|
627 | was then used to prove the implementation sound and complete. |
---|
628 | |
---|
629 | While we have not attempted to proof that the cost labelled properties |
---|
630 | are established and preserved earlier in the compiler, we expect that |
---|
631 | the effort for the \textsf{Cminor} to \textsf{RTLabs} would be similar |
---|
632 | to the work outlined above, because it involves the change from |
---|
633 | requiring a cost label at particular positions to requiring cost |
---|
634 | labels to break loops in the CFG. As there are another three passes |
---|
635 | to consider (including the labelling itself), we believe that using |
---|
636 | the check above is much simpler overall. |
---|
637 | |
---|
638 | \section{Existence of a structured trace} |
---|
639 | \label{sec:structuredtrace} |
---|
640 | |
---|
641 | \emph{Structured traces} enrich the execution trace of a program by |
---|
642 | nesting function calls in a mixed-step style\todo{Can I find a |
---|
643 | justification for mixed-step} and embedding the cost properties of |
---|
644 | the program. It was originally designed to support the proof of |
---|
645 | correctness for the timing analysis of the object code in the |
---|
646 | back-end, then generalised to provide a common structure to use from |
---|
647 | the end of the front-end to the object code. See |
---|
648 | Figure~\ref{fig:strtrace} on page~\pageref{fig:strtrace} |
---|
649 | for an illustration of a structured trace. |
---|
650 | |
---|
651 | |
---|
652 | |
---|
653 | TODO: design, basic structure from termination proof, how cost |
---|
654 | labelling props are baked in; unrepeating PCs, remainder of sound |
---|
655 | labellings; coinductive version for whole programs, reason/relevance, |
---|
656 | use of em (maybe a general comment about uses of classical reasoning |
---|
657 | in development) |
---|
658 | |
---|
659 | \section{Conclusion} |
---|
660 | |
---|
661 | TODO |
---|
662 | |
---|
663 | TODO: appendix on code layout? |
---|
664 | |
---|
665 | \bibliographystyle{plain} |
---|
666 | \bibliography{report} |
---|
667 | |
---|
668 | \end{document} |
---|