Verified peephole optimizations for CompCert

Mullen, Eric; Zuniga, Daryl; Tatlock, Zachary; Grossman, Dan

doi:10.1145/2908080.2908109

Cited by 33 publications

(19 citation statements)

References 31 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…CompCert instead uses an infinitely addressable memory in its target semantics and proves correctness against this semantics. The Peek framework (Mullen et al, 2016) extends CompCert's x86 semantics with a fixed-size, 32-bit integer indexed memory. This is used to provide a target in which assembly level peephole optimizations can be easily verified.…”

Section: Discussion Of Related Workmentioning

confidence: 99%

See 1 more Smart Citation

The verified CakeML compiler backend

Tan¹,

Myreen²,

Kumar³

et al. 2019

J. Funct. Prog.

View full text Add to dashboard Cite

The CakeML compiler is, to the best of our knowledge, the most realistic verified compiler for a functional programming language to date. The architecture of the compiler, a sequence of intermediate languages through which high-level features are compiled away incrementally, enables verification of each compilation pass at an appropriate level of semantic detail. Parts of the compiler’s implementation resemble mainstream (unverified) compilers for strict functional languages, and it supports several important features and optimisations. These include efficient curried multi-argument functions, configurable data representations, efficient exceptions, register allocation, and more. The compiler produces machine code for five architectures: x86-64, ARMv6, ARMv8, MIPS-64, and RISC-V. The generated machine code contains the verified runtime system which includes a verified generational copying garbage collector and a verified arbitrary precision arithmetic (bignum) library. In this paper, we present the overall design of the compiler backend, including its 12 intermediate languages. We explain how the semantics and proofs fit together and provide detail on how the compiler has been bootstrapped inside the logic of a theorem prover. The entire development has been carried out within the HOL4 theorem prover.

show abstract

Section: Discussion Of Related Workmentioning

confidence: 99%

“…The CompCert project has shown that it is possible to formally verify a realistic, optimising compiler, and thereby encouraged significant interest in compiler verification. In fact, much of this interest has gone into extending or building on CompCert itself (Stewart et al, 2015;Sevcík et al, 2013;Mullen et al, 2016).…”

Section: Introductionmentioning

confidence: 99%

The verified CakeML compiler backend

Tan¹,

Myreen²,

Kumar³

et al. 2019

J. Funct. Prog.

View full text Add to dashboard Cite

show abstract

“…However, it is hard to apply this approach to existing industrial compilers because proving correctness of optimizations requires non-trivial effort. Peek [15] is a framework for implementing and verifying peephole optimizations for x86 on CompCert. They implemented 28 peephole optimizations which required 3.3k lines of code and 6.6k lines of proofs (∼350 LoC each).…”

Section: Compiler Verificationmentioning

confidence: 99%

“…Using AliveInLean requires less human effort than directly proving the optimizations on formal frameworks thanks to automation given by SMT solvers. For example, verifying the correctness of a peephole optimization on a formal framework requires more than a hundred lines of proofs [15]. However, the correctness of AliveInLean relies on the correctness of the used SMT solver.…”

Section: Introductionmentioning

confidence: 99%

AliveInLean: A Verified LLVM Peephole Optimization Verifier

Lee

Hur

Lopes

2019

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Ensuring that compiler optimizations are correct is important for the reliability of the entire software ecosystem, since all software is compiled. Alive [12] is a tool for verifying LLVM's peephole optimizations. Since Alive was released, it has helped compiler developers proactively find dozens of bugs in LLVM, avoiding potentially hazardous miscompilations. Despite having verified many LLVM optimizations so far, Alive is itself not verified, which has led to at least once declaring an optimization correct when it was not. We introduce AliveInLean, a formally verified peephole optimization verifier for LLVM. As the name suggests, AliveInLean is a reengineered version of Alive developed in the Lean theorem prover [14]. Assuming that the proof obligations are correctly discharged by an SMT solver, AliveInLean gives the same level of correctness guarantees as state-ofthe-art formal frameworks such as CompCert [11], Peek [15], and Vellvm [26], while inheriting the advantages of Alive (significantly more automation and easy adoption by compiler developers).

show abstract

“…(Using unbounded integers is a simplification that we hope to remove in the future, e.g. by applying the ideas of Mullen et al [59].) All compartments must share this flat address space, so-without proper protection-compromised components can access buffers out-ofbounds and read or overwrite the code and data of other components.…”

Section: Secure Compilation Chainmentioning

confidence: 99%

When Good Components Go Bad

Abate

Amorim

Blanco

et al. 2018

Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

We propose a new formal criterion for evaluating secure compilation schemes for unsafe languages, expressing end-to-end security guarantees for software components that may become compromised after encountering undefined behavior-for example, by accessing an array out of bounds. Our criterion is the first to model dynamic compromise in a system of mutually distrustful components with clearly specified privileges. It articulates how each component should be protected from all the others-in particular, from components that have encountered undefined behavior and become compromised. Each component receives secure compilation guarantees-in particular, its internal invariants are protected from compromised componentsup to the point when this component itself becomes compromised, after which we assume an attacker can take complete control and use this component's privileges to attack other components. More precisely, a secure compilation chain must ensure that a dynamically compromised component cannot break the safety properties of the system at the target level any more than an arbitrary attackercontrolled component (with the same interface and privileges, but without undefined behaviors) already could at the source level. To illustrate the model, we construct a secure compilation chain for a small unsafe language with buffers, procedures, and components, targeting a simple abstract machine with built-in compartmentalization. We give a careful proof (mostly machine-checked in Coq) that this compiler satisfies our secure compilation criterion. Finally, we show that the protection guarantees offered by the compartmentalized abstract machine can be achieved at the machine-code level using either software fault isolation or a tagbased reference monitor.

show abstract

Verified peephole optimizations for CompCert

Cited by 33 publications

References 31 publications

The verified CakeML compiler backend

The verified CakeML compiler backend

AliveInLean: A Verified LLVM Peephole Optimization Verifier

When Good Components Go Bad

Contact Info

Product

Resources

About