Séminaire EPITA

Certifying cost annotations in compilers

Nicolas Ayache Post-doc at PPS  Paris 7 15th february 2012

1/32

Presentation The CerCo project

Certied Complexity 3 years European project (FP7) Laboratories I I I

University of Bologna  Claudio Sacerdoti Cohen University of Edinburgh  Ian Stark University of Paris Diderot (PPS) Roberto Amadio (site leader) Yann Régis-Gianas Nicolas Ayache

2/32

Presentation Goal

Formally sound, cost annotating compiler C program CerCo

√

3/32

Executable

Analyzer 1

WCET

C program + Cost annotations

Analyzer 2

?

Analyzer 3

better WCET

Overapproximated concrete complexity

Presentation CerCo's approach: problematic

What is the cost of evaluating tab[i]+1 ? Depends on: I I I

4/32

The variable nal locations The way memory accesses are compiled The way operations are compiled ⇒ Depends on the compilation process

Presentation CerCo's approach: solution Bad solution Consider worst case scenarios

X Too imprecise X Optimizations lost X Not modular

5/32

Presentation CerCo's approach: solution Bad solution Consider worst case scenarios

X Too imprecise X Optimizations lost X Not modular CerCo's solution

Symbolic cost update

: label

Compilation Labelled Source Labelling Labelled source assembly 5/32

Concrete costs

Presentation CerCo's approach: common considerations

Operational semantics

6/32

: P(Prog × State × State) : P(Prog × State × label trace × State)

I

Without labels

I

With labels

Presentation CerCo's approach: common considerations

Operational semantics

: P(Prog × State × State) : P(Prog × State × label trace × State)

I

Without labels

I

With labels

Annotation semantics

Annotation = Instruction of the source language Explicits cost annotations Analysis tools for cost synthesis √

I I

6/32

Presentation CerCo's approach: common considerations

Operational semantics

: P(Prog × State × State) : P(Prog × State × label trace × State)

I

Without labels

I

With labels

Annotation semantics

Annotation = Instruction of the source language Explicits cost annotations Analysis tools for cost synthesis √

I I

Demo 6/32

Presentation Outline

1

2 3

7/32

Toy compiler Languages Compilation Labelling Annotation Realistic C compiler Architecture Labelling Experiments Cost synthesis Lustre case study

Toy compiler Outline

1

2 3

8/32

Toy compiler Languages Compilation Labelling Annotation Realistic C compiler Architecture Labelling Experiments Cost synthesis Lustre case study

Toy compiler Overview

Languages

Imp −→ VM −→ ASM

I I I

9/32

Imp: simple while language VM: virtual machine (stack operations) ASM: assembly

Toy compiler Overview

Languages

Imp −→ VM −→ ASM

I I I

Imp: simple while language VM: virtual machine (stack operations) ASM: assembly

In the following... I I I

9/32

How to label the languages? How to adapt the proofs? How to keep the proofs modular?

Toy compiler

Languages

Syntax

10/32

ImpL e ::= id | n ∈ N | e + e b ::= e < e S ::= skip | id := e | S ; S | if b then S else S P ::= prog S

| while

b do S

VML I ::=

n

id ) | setvar(id ) | add | branch(k ) | bge(k ) | halt

cnst( ) | var(

P ::= I

list

ASML I

P

::=

loadi

R ,n | load R ,addr | store R ,addr k | bge R ,R ,k | halt

| branch

::=

I

list

| add

R ,R ,R

Toy compiler Labelled syntax

10/32

Languages

ImpL e ::= id | n ∈ N | e + e b ::= e < e S ::= skip | id := e | S ; S | if b then S else S P ::= prog S

| while

b do S

|

`:S

VML I ::=

n

id ) | setvar(id ) | add | branch(k ) | bge(k ) | halt | emit(`)

cnst( ) | var(

P ::= I

list

ASML I

P

::=

loadi

R ,n | load R ,addr | store R ,addr k | bge R ,R ,k | halt | emit `

| branch

::=

I

list

| add

R ,R ,R

Compilation

Toy compiler Simulation

Imp

L

VM

L

ASM

L

Imp VM ASM Labelling Erasure Compilation Labelled compilation

11/32

Compilation

Toy compiler Simulation

Imp

L

VM

L

ASM

L

Imp VM ASM Labelling Erasure Compilation Labelled compilation Theorem: diagram commutativity  EImp ◦ LImp = IdImp  L CImp ◦ EImp = EVM ◦ CImp ⇒ EASM ◦ C L ◦ LImp = C  L CVM ◦ EVM = EASM ◦ CVM 11/32

Labelling

Toy compiler Example: soundness prog `1 : if n < 1 then `2 : res := 0 else `3 : while res < 5 do `4 : res := res + n

emit `1

load R0,ln

loadi R1,1

emit `2

loadi R0,0

store R0,lres

branch

bge R1,R0

loadi R0,5

load R1,lres

bge R0,R1

emit `3

load R0,lres

branch

12/32

halt

store R0,lres

add R0,R0,R1

load R1,ln

Labelling

Toy compiler Example: soundness prog `1 : if n < 1 then `2 : res := 0 else `3 : while res < 5 do `4 : res := res + n

emit `1

load R0,ln

loadi R1,1

emit `2

loadi R0,0

store R0,lres

branch

bge R1,R0

loadi R0,5

load R1,lres

bge R0,R1

emit `3

load R0,lres

branch

store R0,lres

add R0,R0,R1

Loop with no label ⇒ not constant cost code 12/32

halt

load R1,ln

Labelling

Toy compiler Example: precision prog `1 : if n < 1 then `2 : res := 0 else `3 : while res < 5 do `4 : res := res + n

emit `1

load R0,ln

loadi R1,1

emit `2

loadi R0,0

store R0,lres

branch

halt

bge R1,R0

loadi R0,5

load R1,lres

bge R0,R1

emit `4

load R0,lres

branch

13/32

store R0,lres

add R0,R0,R1

load R1,ln

Labelling

Toy compiler Example: precision prog `1 : if n < 1 then `2 : res := 0 else `3 : while res < 5 do `4 : res := res + n

emit `1

load R0,ln

loadi R1,1

emit `2

loadi R0,0

store R0,lres

branch

halt

bge R1,R0

loadi R0,5

load R1,lres

bge R0,R1

emit `4

load R0,lres

branch

store R0,lres

add R0,R0,R1

load R1,ln

From emit `1: three paths with dierent costs ⇒ imprecision 13/32

Toy compiler Labelling criteria

Labelling

Soundness

Every reachable code is in the scope of a label. At least one label inside each loop.

Precision

Two dierent paths to the next labels have the same cost.

Criteria

The labelling must be sound and precise. √ Nice plus is a reasonable economy: not too many labels. (This can be syntatically checked on the assembly code.)

14/32

Toy compiler Instrumentation

Annotation

Cost deduction

15/32

ASM Instruction list → N

Given:

φ:

Deduced:

κ:L→N



loop free may overapproximate



Annotation

Toy compiler Instrumentation

Cost deduction

ASM Instruction list → N

Given:

φ:

Deduced:

κ:L→N



loop free may overapproximate

Instrumentation I I I

Use a fresh variable Initialize it to 0 Replace labels with increments (following κ) prog `1 :

while res < 5 do `2 : res := res + n

15/32

−→

prog _cost := 0; _cost := _cost + 2; while res < 5 do _cost := _cost + 4; res := res + n



Annotation

Toy compiler Annotation

16/32

Annotation = Instrumentation ◦ Labelling

Imp Imp

L

Imp

VM

L

VM Labelling Compilation Cost deduction

ASM

L→N L

ASM Erasure Labelled compilation Instrumentation

Realistic C compiler Outline

1

2 3

17/32

Toy compiler Languages Compilation Labelling Annotation Realistic C compiler Architecture Labelling Experiments Cost synthesis Lustre case study

Architecture

Realistic C compiler A

C Clight Cminor RTL

abs

RTL ERTL LTL LIN MIPS RTL ERTL LTL LIN 8051

C to Cminor I

Adapted from CompCert

(GNU GPL and INRIA Non-Commercial)

RTLabs I

Retargetting simplied √

Some common optimizations

X Some optimizations lost

Back-ends I

Adapted from pedagogical Pseudo-Pascal compiler (François Pottier, Creative Commons)

18/32

Architecture

Realistic C compiler Restrictions

C Clight Cminor RTL

abs

RTL ERTL LTL LIN MIPS RTL ERTL LTL LIN 8051

Standalone les Clight

X long long and long double types X longjmp and setjmp instructions X Unreasonable forms of switch X Unprototyped and variable-arity functions

RTL

X float

19/32

Realistic C compiler Overview

Labelling

Clight Clight

Cminor

Clight

Cminor

L

L

Labelling Compilation Cost deduction 20/32

L→N

...L

ASM

...

ASM

L

Erasure Labelled compilation Instrumentation

Labelling

Realistic C compiler Dierences Imp / C Side eect expressions

Ternary expressions Labels and Gotos Function calls

21/32

y = x++;

x ? y+2*z : z

lbl: ...

f(&x);

goto lbl;

Labelling

Realistic C compiler Dierences Imp / C Side eect expressions

eliminated by CIL

Ternary expressions Labels and Gotos Function calls

21/32

→

y = x++; _tmp = x; x = _tmp+1; y = _tmp;

x ? y+2*z : z

lbl: ...

f(&x);

goto lbl;

Realistic C compiler Ternary expressions

Labelling

x? (y+2*z) : z x?

y+2*z z

Branching ⇒ 1 label per branch for precision

22/32

Realistic C compiler Ternary expressions

Labelling

x? (y+2*z) : z x?

y+2*z z

Branching ⇒ 1 label per branch for precision Labelled expressions x? (`1 : Instrumentation

y+2*z) : (`2 : z)

1) Side eects inside expressions 2) Elimination by CIL C CIL Clight Instrument C CIL Clight

22/32

Labelling

Realistic C compiler Labels and Gotos lbl: ... lbl:

...

goto lbl; goto lbl;

Label ⇒ potential loop ⇒ 1 cost label needed

23/32

Labelling

Realistic C compiler Labels and Gotos lbl: ...

goto lbl;

...

lbl:

goto lbl;

Label ⇒ potential loop ⇒ 1 cost label needed lbl: `: ... lbl:

23/32

`:

goto lbl; ...

goto lbl;

Realistic C compiler Function calls

scope

24/32

Labelling

Function call: sequential instruction 1

x++; f(&x); y = x;

void f(int* x) { ...A return; }

scope

2

Realistic C compiler Function calls

scope

24/32

Labelling

Function call: sequential instruction 1

x++; f(&x); y = x;

void f(int* x) { ...A return; }

scope

2

Realistic C compiler Function calls

scope

Labelling

Function call: sequential instruction 1

x++; f(&x); y = x;

void f(int* x) { ...A return; }

scope

2

Function √pointer: statically unresolvable destination Each function handles its cost scope

1

24/32

x++; f(&x); y = x;

void f(int* x) { ...A return; }

scope

2

Experiments Outline

1

2 3

25/32

Toy compiler Languages Compilation Labelling Annotation Realistic C compiler Architecture Labelling Experiments Cost synthesis Lustre case study

Experiments Frama-C

Cost synthesis

CEA - LSL Tool for collaborative and modular analyzers for C Kernel C + ACSL parser Visitors ... 26/32

plug-in

plug-in

plug-in

plug-in

plug-in ...

plug-in ...

Experiments Jessie plug-in

Cost synthesis

ACSL I I I

Specication language for C programs Based on Hoare logic C Comments First-order logical denitions and propositions

Jessie I I I

27/32

Translator to Why (LRI - ProVal) Weakest pre-condition calculus Generates proof obligations Output to various provers (automatic or interactive)

Experiments Cost plug-in

C source

Cost plug-in

Cost synthesis C source + CerCo's annotations + ACSL specications: WCETs Jessie √

28/32

WCETs correct

Experiments Cost plug-in

C source

Cost synthesis C source + CerCo's annotations + ACSL specications: WCETs

Cost plug-in

Jessie √

Demo 28/32

WCETs correct

Experiments

Lustre case study

Lustre I I I I

Synchronous language Node = ow lus2c: node → C step function (cycle) Step function WCET = component reaction time

Lustre C specicities I I I

29/32

No arrays No loop Boolean variables identied

Lustre case study

Experiments Wrapper for Lustre

Step function WCET Lustre le + node name

optional optional

30/32

Intermediary les and results Jessie verication Test (instrumentation)

Lustre case study

Experiments Wrapper for Lustre

Step function WCET Lustre le + node name

optional optional

Demo 30/32

Intermediary les and results Jessie verication Test (instrumentation)

Conclusion

CerCo I I I I I

31/32

C sound compiler (proofs in progress in Matita) Correct cost annotations (overapproximation) C analyzers for WCET Symbolic cost labels Modular proofs

Conclusion

Thank you for your attention!

Questions?

32/32