Upload
kostya
View
61
Download
0
Tags:
Embed Size (px)
DESCRIPTION
Sudipta Kundu Zachary Tatlock Sorin Lerner. Proving Optimizations Correct using Parameterized Program Equivalence. University of California, San Diego. Compiler Correctness. Difficult to develop reliable compilers: large, complex programs take a long time to mature - PowerPoint PPT Presentation
Citation preview
Proving Optimizations Correctusing Parameterized Program
Equivalence
University of California, San Diego
Sudipta KunduZachary TatlockSorin Lerner
Compiler Correctness Difficult to develop reliable compilers:
large, complex programs take a long time to mature
Consequence: buggy compilers, but also … hinders development of new languages,
architectures discourages user from extending compiler
Focus on correctness of compiler optimizations many intricate opts, unexpected interactions turning off optimizations often no longer an
option
Existing Techniques Translation
Validation prove equivalence for each
transformation every compiler
execution
a priori Correctness prove correctness before compiler runs once and for all
TVOC [Zuck et al.] Rhodium
[Lerner et al.]
Compcert[Leroy et al.]
[Necula 00]
Focus on Automated Techniques
Verified TV [Tristan et al.]
[Pnueli et al.]
Scope of Guarantee
Verify Compiler Run
Verify Compiler
TVOC [Zuck et al.] Rhodium
[Lerner et al.]
[Necula 00]
Expressive Power
ComplexLoop Opts
One-to-one Rewrites
Focus on Automated Techniques
complex loop opts+
once-and-for-allcorrectness
Our Approach:
Adapt Translation Validation to once-and-for-all setting
Key Insight:
Generalize to Parameterized Progs
Equivalence
Checking
Generalize to Parameterized Programs
OutputProg
InputProg
OutputPProg
InputPProg
Translation Validation
k := 0while(k < 100){ a[k] += k k++}
Generalize to Parameterized Progs
Equivalence
Checking
Generalize to Parameterized Programs
I := 0while(I < 100){ a[k] += I I++}
OutputProg
InputProg
OutputPProg
InputPProg
Generalize to Parameterized Progs
Equivalence
Checking
Generalize to Parameterized Programs
I := 0while(I < E){ a[k] += I I++}
OutputProg
InputProg
OutputPProg
InputPProg
Equivalence
Checking
I := 0while(I < E){ S I++}
I := 0while(I < E){ S I++}
Generalize to Parameterized Progs
OutputProg
InputProg
Generalize to Parameterized Programs
OutputPProg
InputPProg
OptimizationInstance
Optimization
Generalize to Parameterized Progs
Equivalence
Checking
Generalize to Parameterized Programs
Parameterized
Equivalence
Checking
OptimizationInstance
Optimization
OutputProg
InputProg
OutputPProg
InputPProg
ContributionsParameter
izedEquivalenc
eChecking
Parameterized Equivalence Checking (PEC) proves opts correct statically and automatically can reason about many-to-many opts
Expressed and proved a variety of opts correct which Rhodium could not have proven correct software pipelining and other complex loop opts
1
2
3
Optimization
OutputPProg
InputPProg
I := 0while(I < E-1){ S I++}SI++
Parameterized Rewrite Rules Loop Peeling
move iter out of loop
ids range over: I : variable E : expression S : statement
Shift final iteration after loop
Side conditions indicate when rewrite safe
I := 0while(I < E){ S I++}
where:• E > 0• S does not modify I, E
Enable loop unrolling
Apply Rewrite1. Match parameters2. Check side conds3. Rewrite
where: 100 > 0 a[k] += k
does not modify k,100
Applying Rewrite RulesI := 0while(I < E){ S I++}
I := 0while(I < E-1){ S I++}SI++where:
• E > 0• S does not modify I, E
k := 0while(k < 100){ a[k] += k k++}
k := 0while(k < 99){ a[k] += k k++}a[k] += kk++
• Divisible by 3• Directly unroll by 3
• Not divisible by 3• Hard to unroll by 3
Checking Correctness
OPT
ParameterizedEquivalence
Checking
OPT
Checking Correctness
Generalization of [ Necula 00 ]
Generalization of[ Zuck et al. 04]
OR
Relate
Permute
Relate
I := 0while(I < E-1){ S I++}SI++
I := 0while(I < E){ S I++}
where:• E > 0• S does not modify I, E
Checking Rewrite Rules
I:=0
I<EI≥E
S
I++
I:=0
I<E-1I≥E-1
S
I++S
I++
σ1=σ2
Programs equivalent:
Consider CFGs Start in equal
states End in equal states σ1=σ2
Checking Rewrite Rules
Relate Executions:1.Find synchronization
points2.Generate invariants3.Check invariants
preserved
I:=0
I<EI≥E
S
I++
I:=0
I<E-1I≥E-1
S
I++S
I++
A
B• Use auto theorem
prover• Each invariant must
imply successor invariants• Strengthen if inv too
weak
σ1=σ2
σ1=σ2
1. Find Synchronization Points
I<E
S
I++
I:=0
I<E-1I≥E-1
S
I++S
I++
Traverse in lockstep
Stop at stmt params
Prune infeasible paths
From Path:E ≤ 0
Side Conds:E > 0
Path never executes
I:=0
I≥E
2. Generate Invariants
I:=0
I<EI≥E
S
I++
I:=0
I<E-1I≥E-1
S
I++S
I++
Invariants: predicates over σ1, σ2
Gen initial invariant: σ1 = σ2 AND strongest post
cond
σ1=σ2
σ1=σ2
B
A
A(σ1,σ2) ...
B(σ1,σ2) ...
A(σ1,σ2)σ1=σ2 eval(∧ σ1, I < E)
∧ eval(σ2, I < E-1)
B(σ1,σ2) ...
B
AI<E I<E-1I≥E-1
A(σ1,σ2)σ1=σ2 eval(∧ σ1, I < E)
∧ eval(σ2, I < E-1)
B(σ1,σ2)σ1=σ2 eval(∧ σ1, I < E)
∧ eval(σ2, I ≥ E-1)
3. Check Invariants
I:=0
I<EI≥E
S
I++
I:=0
I<E-1I≥E-1
S
I++S
I++σ1=σ2
σ1=σ2
B
A
Each invariant must imply successor invariants
Query Theorem Prover B
AI<E
S
I++
I≥E-1
S
I++
S
I++
I<E
S
I++
I ≥ E-1
A
B
A(σ1,σ2)σ1=σ2 eval(∧ σ1, I < E)
∧ eval(σ2, I < E-1)
B(σ1,σ2)σ1=σ2 eval(∧ σ1, I < E)
∧ eval(σ2, I ≥ E-1)
Entry A Entry B A B A A B Exit
σ1 σ2 .
A(σ1,σ2) ∧
σ1’ = step(σ1, S;I++;I < E) ∧
σ2’ = step(σ2, S;I++;I ≥ E-1)
B(σ1’, σ2’)
3. Check Invariants
A
B
S
I++
I<E
S
I++
I ≥ E-1
σ1 σ2
σ1’ σ2’
σ1 σ2 .
A(σ1,σ2) ∧
σ1’ = step(σ1, S;I++;I < E) ∧
σ2’ = step(σ2, S;I++;I ≥ E-1)B(σ1’, σ2’)
ATP Query:
ATP
A(σ1,σ2)σ1=σ2 eval(∧ σ1, I < E)
∧ eval(σ2, I < E-1)
B(σ1,σ2)σ1=σ2 eval(∧ σ1, I < E)
∧ eval(σ2, I ≥ E-1)
σ1 σ2 .
A(σ1,σ2) ∧
σ1’ = step(σ1, S;I++;I < E) ∧
σ2’ = step(σ2, S;I++;I ≥ E-1)
B(σ1’, σ2’)
3. Check Invariants
A
B
S
I++
I<E
S
I++
I ≥ E-1
σ1 σ2
σ1’ σ2’
ATP Query:
ATP
A(σ1,σ2)σ1=σ2 eval(∧ σ1, I < E)
∧ eval(σ2, I < E-1)
B(σ1,σ2)σ1=σ2 eval(∧ σ1, I < E)
∧ eval(σ2, I ≥ E-1)
σ1=σ2 eval(∧ σ1, I < E) ∧ eval(σ2, I < E-1)
σ1’=σ2’ eval(∧ σ1’, I < E) ∧ eval(σ2’, I ≥ E-
1)
σ1 σ2 .
A(σ1,σ2) ∧
σ1’ = step(σ1, S;I++;I < E) ∧
σ2’ = step(σ2, S;I++;I ≥ E-1)
B(σ1’, σ2’)
3. Check Invariants
B
S
I++
I<E
S
I++
I ≥ E-1
σ1 σ2
σ1’ σ2’
ATP Query:
ATP
A(σ1,σ2)σ1=σ2 eval(∧ σ1, I < E)
∧ eval(σ2, I < E-1)
B(σ1,σ2)σ1=σ2 eval(∧ σ1, I < E)
∧ eval(σ2, I ≥ E-1)
σ1=σ2 eval(∧ σ1, I < E) ∧ eval(σ2, I < E-1)
σ1’=σ2’ eval(∧ σ1’, I < E) ∧ eval(σ2’, I ≥ E-
1)
A ∧ B(σ1’, σ2’)
Strengthen A if the theorem prover fails
σ1’ = step(σ1, S;I++;I < E)
σ2’ = step(σ2, S;I++;I ≥ E-1)
A
3. Check Invariants
I:=0
I<EI≥E
S
I++
I:=0
I<E-1I≥E-1
S
I++S
I++σ1=σ2
σ1=σ2
B
A
A(σ1,σ2)σ1=σ2 eval(∧ σ1, I < E)
∧ eval(σ2, I < E-1)
B(σ1,σ2)σ1=σ2 eval(∧ σ1, I < E)
∧ eval(σ2, I ≥ E-1)
Each invariant must imply successor invariants
Query Auto Theorem Prover
Entry A Entry B A B A A B Exit
OPT
Checking Correctness
Generalization of [ Necula 00 ]
Generalization of[ Zuck et al. 04]
OR
Relate
Permute
Relate
Permute
Works well for structure-preserving optimizations
Works well for non structure-preserving optimizations
Permute Module
for (I in R1){ for (J in R2){
S[I, J]; }}
for (N in R2){ for (M in R1){
S[M, N]; }}
where: ⟨side condition⟩• Generate correspondence between loop
indices• Ask ATP to show that ⟨side condition⟩
implies:• correspondence is one-to-one• For all I, I’ ∊ R1 and J, J’ ∊ R2
S[I, J] commutes with S[I’, J’]
Loop Interchange
ContributionsParameter
izedEquivalenc
eChecking
Parameterized Equivalence Checking (PEC) proves opts correct statically and automatically can reason about many-to-many opts
Expressed and proved a variety of opts correct which Rhodium could not have proven correct software pipelining and other complex loop opts
1
2
3
Optimization
OutputPProg
InputPProg
Optimizations Proved Correct
Category 1: PEC and Rhodium formulation equivalent
Copy propagationConstant propagationCommon sub-expression elimPartial redundancy elim
Category 2: PEC formulation easier, more general
Loop invariant code hoisting Conditional speculation Speculation
Category 3:Expressible in PECNo Rhodium formulation possible
Software pipelining Loop unswitching Loop unrolling Loop peelingLoop splitting Loop alignment Loop interchange Loop reversal Loop skewing Loop fusion Loop distribution
ConclusionParameter
izedEquivalenc
eChecking
Parameterized Equivalence Checking (PEC) proves opts correct statically and automatically can reason about many-to-many opts
Expressed and proved a variety of opts correct which Rhodium could not have proven correct software pipelining and other complex loop opts
Optimization
OutputPProg
InputPProg