An Abstract Stack Based Approach to Verified Compositional Compilation to Machine Code

Transcription

1 An Abstract Stack Based Approach to Verified Compositional Compilation to Machine Code Yuting Wang 1, Pierre Wilke 1,2, Zhong Shao 1 Yale University 1, CentraleSupélec 2 POPL 19 January 18 th, 2019 Yuting Wang, Pierre Wilke, Zhong Shao An Abstract Stack Based Approach to Verified Compositional Compilation to Machine Code 1 / 16

2 Verified compilation CompCert : verified C compiler (Leroy et al., first released in 2008) C Clight Cshm Cminor CminorSel RTL LTL Linear Mach Asm Used as a basis for a large number of extensions: alternate semantics: CompCertTSO (weak memory model, Sevcík et al., JACM 13), CompCertS (undefined pointer arithmetic, Besson et al., ITP 17) a more concrete view of the stack: Quantitative CompCert (merge the stack blocks into a single stack region, Carbonneaux et al., PLDI 14) compositional compilation: Compositional CompCert (Stewart et al., POPL 15), compositional semantics (Ramananandro et al., CPP 15), SepCompCert (Kang et al., POPL 16) Open problems: verified compilation to machine code port all compiler passes of CompCert, including challenging inlining and tailcall recognition verified compilation of heterogeneous modules (mix C and Asm modules) Yuting Wang, Pierre Wilke, Zhong Shao An Abstract Stack Based Approach to Verified Compositional Compilation to Machine Code 2 / 16

3 Contribution: Stack-Aware CompCert A version of CompCert with: 1 compilation to machine code merge the stack blocks into a unique stack region eliminate CompCert s pseudo-instructions generate machine code 2 complete extension: we support all CompCert passes including challenging optimizations (function inlining, tailcall elimination) 3 compositional compilation stack access policy mix C and Asm programs Yuting Wang, Pierre Wilke, Zhong Shao An Abstract Stack Based Approach to Verified Compositional Compilation to Machine Code 3 / 16

4 CompCert: memory model and values void swap(int * p1, int * p2){ int tmp = *p1; *p1 = *p2; *p2 = tmp; int main(){ int i = 3, j = 9; int * x = &i; int * y = &j; swap(x,y); return 0; b p1 b p2 b tmp b i b j b x b y (b i,0) (b j,0) (b i,0) (b j,0) Yuting Wang, Pierre Wilke, Zhong Shao An Abstract Stack Based Approach to Verified Compositional Compilation to Machine Code 4 / 16

5 CompCert: compilation and memory model The memory model stays the same throughout compilation, but the memory blocks change shapes. C Clight Cminor Asm main b i b j b x b y b i b j swap b p1 b p2 b tmp /0 The stack frames in Asm are in distinct blocks! Yuting Wang, Pierre Wilke, Zhong Shao An Abstract Stack Based Approach to Verified Compositional Compilation to Machine Code 5 / 16

6 The abstract stack We maintain an abstract stack in memory states, that reflects the structure of the concrete stack. Abstract stack: a list of abstract frames. An abstract frame records useful information about a concrete stack frame: the size of this stack frame at the assembly level; b i b j b x b main which blocks are part of that stack frame; which locations of these blocks are public or private b y Yuting Wang, Pierre Wilke, Zhong Shao An Abstract Stack Based Approach to Verified Compositional Compilation to Machine Code 6 / 16

7 Abstract stack: example C Clight Cminor Asm main b i b j b x b y b i b j b main 32 The abstract stack at the C level is: b p1 b p2 b tmp ; b i b j b x swap b p1 b p2 b tmp /0 b swap 16 b y Yuting Wang, Pierre Wilke, Zhong Shao An Abstract Stack Based Approach to Verified Compositional Compilation to Machine Code 7 / 16

8 Abstract stack: example C Clight Cminor Asm The abstract stack at the Asm level is: main b i b j b x b i b j 32 b swap ; b main b y b main swap b p1 b p2 b tmp /0 b swap 16 Stack-access policy: we may write to all of b swap public locations in b main Yuting Wang, Pierre Wilke, Zhong Shao An Abstract Stack Based Approach to Verified Compositional Compilation to Machine Code 7 / 16

9 Abstract stack primitives Semantics of all intermediate languages instrumented with push_frame and pop_frame b swap 16 b main at function call b main at function return b main push_frame pop_frame Key argument for merging stack blocks : The push_frame primitive only succeeds if the sum of the frames sizes is lower than MAX_STACK. Yuting Wang, Pierre Wilke, Zhong Shao An Abstract Stack Based Approach to Verified Compositional Compilation to Machine Code 8 / 16

10 Preservation of stack usage with compilation Since the semantics include stack consumption, it must be preserved by compilation Property to ensure: at each program point, the size of source stack should be larger than (or equal to) the size of target stack. Source f Target f The sizes of the source and target stacks are equal. f + g = f + g g g Recall f is the size of f s stack frame at the Asm level! Regular case Yuting Wang, Pierre Wilke, Zhong Shao An Abstract Stack Based Approach to Verified Compositional Compilation to Machine Code 9 / 16

11 Preservation of stack usage with compilation Since the semantics include stack consumption, it must be preserved by compilation Property to ensure: at each program point, the size of source stack should be larger than (or equal to) the size of target stack. Source f Target f Source void g(){ G; void f(){ g(); Target void g(){ G; void f(){ G; g The sizes of the source stack is larger than the target stack. Function inlining f + g f Yuting Wang, Pierre Wilke, Zhong Shao An Abstract Stack Based Approach to Verified Compositional Compilation to Machine Code 9 / 16

12 Preservation of stack usage with compilation Since the semantics include stack consumption, it must be preserved by compilation Property to ensure: at each program point, the size of source stack should be larger than (or equal to) the size of target stack. Source f Target f Source void g(){ G; void f(){ F; tail g(); Target void g(){ G; void f(){ F; G; Tailcall inlining The sizes of the source stack is larger than the target stack. f f Yuting Wang, Pierre Wilke, Zhong Shao An Abstract Stack Based Approach to Verified Compositional Compilation to Machine Code 9 / 16

13 Preservation of stack usage with compilation Since the semantics include stack consumption, it must be preserved by compilation Property to ensure: at each program point, the size of source stack should be larger than (or equal to) the size of target stack. Source g Target f Source void g(){ G; void f(){ F; tail g(); Target void g(){ G; void f(){ F; G; Tailcall inlining Problem: How to compare the sizes of the source and target stacks g? f Yuting Wang, Pierre Wilke, Zhong Shao An Abstract Stack Based Approach to Verified Compositional Compilation to Machine Code 9 / 16

14 Preservation of stack usage with compilation Since the semantics include stack consumption, it must be preserved by compilation Property to ensure: at each program point, the size of source stack should be larger than (or equal to) the size of target stack. Source Target f g f Source void g(){ G; void f(){ F; tail g(); Target void g(){ G; void f(){ F; G; Tailcall inlining We keep the history of tailcalled functions: max( f, g ) f Yuting Wang, Pierre Wilke, Zhong Shao An Abstract Stack Based Approach to Verified Compositional Compilation to Machine Code 9 / 16

15 The structure of the abstract stack The abstract stack is actually a list of list of abstract frames. abstract frame stage of abstract frames Yuting Wang, Pierre Wilke, Zhong Shao An Abstract Stack Based Approach to Verified Compositional Compilation to Machine Code 10 / 16

16 From CompCert Assembly to Machine Code code glob stack code glob stack code glob stack mem CompCert Asm Single-Stack Asm Flat Asm Plain Memory merging stack blocks pseudo-instructions elimination flat memory layout instruction encoding (RockSalt: Morrisett et al., PLDI 12) Yuting Wang, Pierre Wilke, Zhong Shao An Abstract Stack Based Approach to Verified Compositional Compilation to Machine Code 11 / 16

17 Eliminating pseudo-instructions Caller Callee Single-Stack Asm s 1 call RA next(pc) s 2 allocframe RSP RSP - sz; store RA s 3 Real Asm RSP RSP - 8; store (next(pc)) call s 1 s 2 RSP RSP - (sz - 8) allocframe s 3 Mismatch between CompCert semantics and expected semantics We get rid of the pseudo-register RA and can do away with pseudo-instructions (simple pointer arithmetic) Yuting Wang, Pierre Wilke, Zhong Shao An Abstract Stack Based Approach to Verified Compositional Compilation to Machine Code 12 / 16

18 Stack access policy Accessible locations are either top-frame locations or public locations. b swap 16 b main at function call b main at function return b main push_frame pop_frame Yuting Wang, Pierre Wilke, Zhong Shao An Abstract Stack Based Approach to Verified Compositional Compilation to Machine Code 13 / 16

19 Contextual compilation f g ret data callee-save link args When a function f calls a function g, the private regions of f s stack frame should not be altered. Programs compiled from C comply with that policy. Characterization of acceptable Asm functions. We apply this principle to CompCertX (Gu et al., POPL 15) contextual compiler developed for CertiKOS ability to mix C and Asm functions Yuting Wang, Pierre Wilke, Zhong Shao An Abstract Stack Based Approach to Verified Compositional Compilation to Machine Code 14 / 16

20 Comparison with existing work Target Completeness Compositionality Time LOC CompCert(3.0.1) CompCert Asm complete separate - 135k Stack-Aware CompCert Machine Code complete contextual k Quantitative CompCert SingleStack Asm w.o. some opts. N/A - 100k Compositional CompCert CompCert Asm w.o. some opts. general k SepCompCert CompCert Asm complete separate 2 +3k CompCertX CompCert Asm no s.a. data contextual - +8k CompCert-TSO x86-tso w.o. some opts. concurrency 45 85k CompCertS CompCert Asm w.o. some opts. N/A k Yuting Wang, Pierre Wilke, Zhong Shao An Abstract Stack Based Approach to Verified Compositional Compilation to Machine Code 15 / 16

21 Conclusion We develop Stack-Aware CompCert, with three distinguishing features: 1 compilation to machine code finite-size stack more concrete memory layout for Asm closer to actual machine code: reduction of unverified part of the compiler 2 complete extension of CompCert function inlining and tailcall elimination 3 compositional compilation extension of CompCertX stack access policy Further work and perspectives: port to other backends: ARM, RISC-V, x86-64 main challenge: encoding and decoding of instructions define a stack analysis / verification framework to reason about the stack usage of programs and prove they run in bounded stack Yuting Wang, Pierre Wilke, Zhong Shao An Abstract Stack Based Approach to Verified Compositional Compilation to Machine Code 16 / 16