Provably Correct Peephole Optimizations with Alive

Publication ▶ PLDI ’17


Authors ▶ Nuno P. Lopes (Microsoft Research, UK)
David Menendez, Santosh Nagarakatte (Rutgers University, USA)
Presenter ▶ Yi Chiao Su

System Software Lab., NCTU Page 1


Abstract

“Alive” is a DSL for writing peephole optimizations and for automatically either proving them correct or generating counterexamples.

A concrete LLVM IR instance of the optimization:

  %1 = xor i32 %x, -1
  %2 = add i32 %1, 3333
  =>
  %2 = sub i32 3332, %x

The same optimization, generalized over the constant C, written in Alive. Alive either proves it correct or finds a counterexample:

  Name: Test
  Pre: True
  %1 = xor %x, -1
  %2 = add %1, C
  =>
  %2 = sub C-1, %x



Outline

Overview
SMT Solver
Condition Verification Generation
Evaluation
Conclusion



Overview

Compilers should not miscompile.

Alive is a DSL for specifying peephole optimizations.

Floating point is not covered.





SMT Solver

SAT: the Boolean satisfiability problem.
  Given a Boolean formula as the premise, does an assignment “X” of its variables exist that makes the formula true? If such an X exists, the formula is called “satisfiable”.

SMT: satisfiability modulo theories, SAT extended with background theories.



SMT Solver

How to verify equivalence?

  /* computes in^3 with a loop */
  int power3_A(int in) {
      int i, out_a;
      out_a = in;
      for (i = 0; i < 2; i++)
          out_a = out_a * in;
      return out_a;
  }

  /* computes in^3 directly */
  int power3_B(int in) {
      int out_b;
      out_b = (in * in) * in;
      return out_b;
  }

The two functions are equivalent ⟺ the formula asserting that their results differ for some input is unsat.





verification condition

Alive's task is to generate the verification condition for an optimization. It must establish that:

  The two programs compute equal values.
  The two programs share the “same” condition (domain) on which they are defined.
  No undefined behavior error is introduced (if the source is undefined behavior, then the target must be undefined behavior).

  Pre: C1 u>= C2
  %0 = shl nsw i8 %a, C1
  %1 = ashr %0, C2
  =>
  %1 = shl nsw %a, C1-C2



verification condition

LLVM's “nsw” and “nuw” flags (no signed wrap, no unsigned wrap) mean that the instruction has undefined behavior on signed or unsigned overflow, respectively.



Example

  Source                          Target
  Pre: C1 u>= C2                  Pre: C1 u>= C2
  %0 = shl nsw i8 %a, C1          %0 = shl nsw %a, C1-C2
  %1 = ashr %0, C2

The two programs have the “same” domain (the inputs on which they are defined).

The two programs have the “same” value on that domain.



undef value

In LLVM IR, there is an “undef” value, which may take any value of its type.

So undef turns an operation from a function on values into a function on sets of values.

%z = or i8 1,undef



undef Condition

For every choice of the undef values in the target, there must exist a choice of the undef values in the source that yields the same result.




domain

value

Inputs, undef values, and the values constrained by the precondition



Generating C++





Evaluation
• Rewrote 334 optimizations from InstCombine in Alive and found 8 bugs
• Verifying the correctness of a transformation takes a few seconds
• For some transformations involving multiplication and division, verification at larger bitwidths takes several hours or longer



Example of bug

X − (−A) = X + A

Counterexample values from the slide (hex, with the signed reading in parentheses):
  0x8(-8) 0x8(8)
  0x0(0) 0x8(-8)
  0x8(-8)
  Undefined behavior
  0x8(-8) 0x8(8)
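As an added example (not Alive's code and not from the slides), the Python below checks the two verification conditions from the "verification condition" and "Example" slides, plus the X − (−A) = X + A bug pattern above, by exhaustive enumeration at 4-bit width instead of with an SMT solver. The placement of the nsw flags in the X − (−A) rewrite is an assumption, since the slide does not show them.

```python
# Added example, not Alive's code: an exhaustive, bit-precise checker for the two
# verification conditions (same domain, same value) that Alive hands to an SMT solver.
from itertools import product

BITS = 4                 # the bug slide's counterexample is 4-bit (0x8 = -8)
MASK = (1 << BITS) - 1
UNDEF = None             # marks undefined behaviour (nsw overflow, shift >= width)

def to_signed(v):
    v &= MASK
    return v - (1 << BITS) if v >> (BITS - 1) else v
def nsw(r):              # r is an exact signed result; overflow => UNDEF
    return UNDEF if r != to_signed(r) else r & MASK
def add_nsw(a, b): return nsw(to_signed(a) + to_signed(b))
def sub_nsw(a, b): return nsw(to_signed(a) - to_signed(b))
def shl_nsw(a, c):       # LLVM: no signed overflow iff (result ashr c) == a
    if c >= BITS:
        return UNDEF
    r = (a << c) & MASK
    return UNDEF if (to_signed(r) >> c) != to_signed(a) else r
def ashr(a, c):
    return UNDEF if c >= BITS else (to_signed(a) >> c) & MASK

def verify(source, target, n_inputs, pre=lambda *_: True):
    """None if the rewrite is correct, else the first counterexample inputs."""
    for inputs in product(range(1 << BITS), repeat=n_inputs):
        if not pre(*inputs):
            continue                 # precondition excludes these inputs
        s = source(*inputs)
        if s is UNDEF:
            continue                 # source is UB: target may do anything
        t = target(*inputs)
        if t is UNDEF or t != s:     # target must be defined and agree
            return inputs
    return None

# Abstract slide: %1 = xor %x, -1 ; %2 = add %1, C  =>  %2 = sub C-1, %x
def xor_add_src(x, c): return ((x ^ MASK) + c) & MASK
def xor_add_tgt(x, c): return (c - 1 - x) & MASK
# Pre: C1 u>= C2 ; shl nsw %a, C1 ; ashr %0, C2  =>  shl nsw %a, C1-C2
def shl_ashr_src(a, c1, c2):
    t = shl_nsw(a, c1)
    return UNDEF if t is UNDEF else ashr(t, c2)
def shl_ashr_tgt(a, c1, c2): return shl_nsw(a, c1 - c2)
# Bug pattern X - (-A) => X + A, constructed with nsw only on the outer
# operations (an assumption; the slide does not show the flags).
def sub_neg_src(x, a): return sub_nsw(x, (-a) & MASK)   # -A wraps, no nsw
def sub_neg_tgt(x, a): return add_nsw(x, a)
```

Running `verify` on the three pairs returns None for the first two and (8, 8) for the third: with X = 0x8 (−8) and A = 0x8 (−8) the source is defined but the target's add nsw overflows, so the rewrite introduces undefined behavior.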



Conclusion

Alive makes optimizations much more concise than when they are embedded in C++ code, while also supporting automated proofs of correctness.

After an Alive transformation has been proved correct, it can be automatically translated into C++ that can be included in an optimization pass.

For me
Alive is a simple language for solving a “specific case” problem, and I think verification is useful for finding bugs which are caused by the gap between math and the computer.
