Verifying the LLVM. Steve Zdancewic DeepSpec Summer School 2017

Transcription

1 Verifying the LLVM Steve Zdancewic DeepSpec Summer School 2017

2 Vminus OperaAonal SemanAcs Only 5 kinds of instrucaons: Binary arithmeac Memory Load Memory Store Terminators Phi nodes What is the state of a Vminus program?

3 Subtlety of Phi Nodes Phi-Nodes admit cyclic dependencies: pred:... br loop loop: %x = φ[0;pred][y;loop] %y = φ[1;pred][x;loop] %b = %x %y br %b loop exit

4 SemanAcs of Phi Nodes The value of the RHS of a phi-defined uid is relaave to the state at the entry to the block. OpAon 1: Require all phi nodes to be at the beginning of the block Execute them atomically, in parallel (Original Vellvm followed this model) OpAon 2: Keep track of the state upon entry to the block Calculate the RHS of phi nodes relaave to the entry state (Vminus follows this model)

5 VminusOpsem.v VMINUS OPERATIONAL SEMANTICS

6 Key SSA Invariant entry: r 0 =... r 1 =... r 2 =... DefiniAon of r 2. br r 0 loop exit loop: r 3 = φ[0;entry][r 5 ;loop] r 4 = r 1 x r 2 r 5 = r 3 + r 4 r 6 = r br r 6 loop exit Use of r 2. Uses of r 2. exit: r 7 = φ[0;entry][r 5 ;loop] r 8 = r 1 x r 2 r 9 = r 7 + r 8 ret r 9

7 Key SSA Invariant entry: r 0 =... r 1 =... r 2 =... DefiniAon of r 2. br r 0 loop exit loop: r 3 = φ[0;entry][r 5 ;loop] r 4 = r 1 x r 2 r 5 = r 3 + r 4 r 6 = r br r 6 loop exit exit: r 7 = φ[0;entry][r 5 ;loop] r 8 = r 1 x r 2 r 9 = r 7 + r 8 ret r 9 Use of r 2. Uses of r 2. The definiaon of a variable must dominate its uses.

8 Defining SSA Variable Scope Graph: g corresponds to a fine grained CFG Entry e z Nodes: program points (maybe more than one per block) a y Edges: fallthroughs, jump and branch instrucaons c b d Dis3nguished entry

9 Paths Paths: Path g a d [a;b;d] Entry e z a y b c d

10 Reachability Paths: Path g a d [a;b;d] Reachability: Reachable g x iff vs. Path g e x vs Entry e a b z y Unreachable c d Reachable

11 DominaAon Paths: Path g a d [a;b;d] Reachability: Reachable g x DominaAon: Dom g b c Entry e a b z y iff every path from e to c goes through b. c d

12 DominaAon Paths: Path g a d [a;b;d] Reachability: Reachable g x DominaAon: Dom g b c Entry e a b z y iff every path from e to c goes through b. c one path d

13 DominaAon Paths: Path g a d [a;b;d] Reachability: Reachable g x DominaAon: Dom g b c Entry e a b z y iff every path from e to c goes through b. c another path d

14 DominaAon Paths: Path g a d [a;b;d] Reachability: Reachable g x DominaAon: Dom g b c Entry e a b z y c d Nodes dominated by b.

15 Strict DominaAon Paths: Path g a d [a;b;d] Reachability: Reachable g x DominaAon: Dom g b c Strict DominaAon: SDom g b c Entry e a b z y c d Nodes strictly dominated by b.

16 DominaAon Tree Order the reachable nodes by (immediate) dominators, you get a tree: Entry e a b d c

17 Control-flow Analysis Goal: IdenAfy the loops and nesang structure of the CFG. An edge in the graph is a back edge if the target node dominates the source node. Back Edge A loop contains at least one back edge. 43

18 Dominator Trees DominaAon is transiave: if A dominates B and B dominates C then A dominates C DominaAon is ana-symmetric: if A dominates B and B dominates A then A = B Every flow graph has a dominator tree The Hasse diagram of the dominates relaaon

19 Dominator Dataflow Analysis Let Dom[n] = {m m dominates n} We can define Dom[n] as a forward dataflow analysis. Using the framework we saw earlier: Dom[n] = out[n] where: A node B is dominated by another node A if A dominates all of the predecessors of B. in[n] := n pred[n] out[n ] Every node dominates itself. out[n] := in[n] {n} Formally: L = set of nodes ordered by T = {all nodes} F n (x) = x {n} is Easy to show monotonicity and that F n distributes over meet. Bounded set of variables: so algorithm terminates 45

20 Improving the Algorithm Dom[b] contains just those nodes along the path in the dominator tree from the root to b: 1 e.g. Dom[8] = {1,2,4,8}, Dom[7] = {1,2,4,5,7} There is a lot of sharing among the nodes More efficient way to represent Dom sets is to store the dominator tree. doms[b] = immediate dominator of b doms[8] = 4, doms[7] = 5 To compute Dom[b] walk through doms[b] Need to efficiently compute intersecaons of Dom[a] and Dom[b] Traverse up tree, looking for least common ancestor: Dom[8] Dom[7] = Dom[4] See: A Simple, Fast Dominance Algorithm Cooper, Harvey, and Kennedy

21 CompleAng Control-flow Analysis Dominator analysis idenafies back edges: Edge n à h where h dominates n Each back edge has a natural loop: h is the header All nodes reachable from h that also reach n without going through h For each back edge n à h, find the natural loop: {n n is reachable from n in G {h}} {h} n h h Two loops may share the same header: merge them n m NesAng structure of loops is determined by set inclusion Can be used to build the control tree 47

22 Example Natural Loops 1 Control Tree: Natural Loops 0 The control tree depicts the nesting structure of the program. 48

23 Uses of Control-flow InformaAon Loop nesang depth plays an important role in opamizaaon heurisacs. Deeply nested loops pay off the most for opamizaaon. Need to know loop headers / back edges for doing loop invariant code moaon loop unrolling CIS 341: Compilers 49

24 Dominator Algorithm Tradeoffs Cooper-Harvey-Kennedy (CHK) Extended from AC Nearly as fast as LT in common cases Efficiency Lengauer-Tarjan (LT) (LLVM and GCC) Based on tricky graph theory O(E x log(n)) Although proving its correctness and verifying its running Ame require rather complicated analysis, the algorithm is quite simple to program [LT 79] Allen-Cocke (AC) Based on Kildall s algorithm Large asymptotic complexity Difficulty of Verification

25 Dominator Algorithm Tradeoffs Cooper-Harvey-Kennedy (CHK) Extended from AC Nearly as fast as LT in common cases Efficiency Lengauer-Tarjan (LT) (LLVM and GCC) Based on tricky graph theory O(E x log(n)) ValidaAng Dominator Trees for a Fast, Verified Dominance Test - Blazy, Demange, Pichardie CompCertSSA Vellvm tried both. Allen-Cocke (AC) Based on Kildall s algorithm Large asymptotic complexity Difficulty of Verification

26 Dom.v Kildall.v DomKildall.v DOMINATORS

27 Safety ProperAes A well-formed program never accesses undefined variables. If f and f σ 0 * σ then σ is not stuck. f program f is well formed σ program state f σ * σ evaluaaon of f Ini3aliza3on: If f then wf(f, σ 0 ). Preserva3on: If f and f σ σ and wf(f, σ) then wf(f, σ ) Progress: If f and wf(f, σ) then f σ σ

28 Safety ProperAes A well-formed program never accesses undefined variables. If f and f σ 0 * σ then σ is not stuck. f program f is well formed σ program state f σ * σ evaluaaon of f Ini3aliza3on: If f then wf(f, σ 0 ). Preserva3on: If f and f σ σ and wf(f, σ) then wf(f, σ ) Progress: If f and wf(f, σ) then done(f,σ) or stuck(f,σ) or f σ σ

29 Well-formed States entry: r 0 =... r 1 =... r 2 =... br r 0 loop exit State σ is: pc = program counter δ = local values pc loop: r 3 = φ[0;entry][r 5 ;loop] r 4 = r 1 x r 2 r 5 = r 3 + r 4 r 6 = r br r 6 loop exit exit: r 7 = φ[0;entry][r 5 ;loop] r 8 = r 1 x r 2 r 9 = r 7 + r 8 ret r 9

30 Well-formed States (Roughly) pc entry: r 0 =... r 1 =... r 2 =... br r 0 loop exit loop: r 3 = φ[0;entry][r 5 ;loop] r 4 = r 1 x r 2 r 5 = r 3 + r 4 r 6 = r br r 6 loop exit State σ is: pc = program counter δ = local values sdom(f,pc) = variable defns. that strictly dominate pc. exit: r 7 = φ[0;entry][r 5 ;loop] r 8 = r 1 x r 2 r 9 = r 7 + r 8 ret r 9

31 Well-formed States (Roughly) pc entry: r 0 =... r 1 =... r 2 =... br r 0 loop exit loop: r 3 = φ[0;entry][r 5 ;loop] r 4 = r 1 x r 2 r 5 = r 3 + r 4 r 6 = r br r 6 loop exit exit: r 7 = φ[0;entry][r 5 ;loop] r 8 = r 1 x r 2 r 9 = r 7 + r 8 ret r 9 State σ contains: pc = program counter δ = local values mem = memory sdom(f,pc) = variable defns. that strictly dominate pc. wf(g,σ) = r sdom(f,pc). v. δ(r) = v All variables in scope are iniaalized.

32 VminusStaAcs.v VMINUS STATIC SEMANTICS