Results 1 - 3 of 3
Formalizing the LLVM Intermediate Representation for Verified Program Transformations
In 39th ACM SIGACT-SIGPLAN Symposium on Principles of Programming Languages (POPL), 2012
Abstract
Cited by 2 (2 self)
This paper presents Vellvm (verified LLVM), a framework for reasoning about programs expressed in LLVM's intermediate representation and transformations that operate on it. Vellvm provides a mechanized formal semantics of LLVM's intermediate representation, its type system, and properties of its SSA form. The framework is built using the Coq interactive theorem prover. It includes multiple operational semantics and proves relations among them to facilitate different reasoning styles and proof techniques. To validate Vellvm's design, we extract an interpreter from the Coq formal semantics that can execute programs from the LLVM test suite and thus be compared against LLVM reference implementations. To demonstrate Vellvm's practicality, we formalize and verify a previously proposed transformation that hardens C programs against spatial memory safety violations. Vellvm's tools allow us to extract a new, verified implementation of the transformation pass that plugs into the real LLVM infrastructure; its performance is competitive with the non-verified, ad-hoc original.
Categories and Subject Descriptors: D.2.4 [Software Engineering]:
White-Box Approaches for Improved Testing and Analysis of Configurable Software Systems
Abstract
Cited by 1 (0 self)
There is a significant conceptual gap between the source code of a configurable system and the runtime behaviors of its individual configurations. In the source, configurations are woven together into a conceptually unified program. At runtime, however, they are largely treated as independent executables. This gap leads to static analyses that, by acting on the source representing the entire configurable system, yield imprecise results with respect to individual executables. Testing, in contrast, acts on individual executables without leveraging the configurable codebase per se. In this paper, we sketch a research path that seeks to narrow the configuration source-runtime gap, based on the observation that most configurations share significant amounts of source-level structure (hence "white-box") with other, related configurations. We seek to identify and exploit this structure to reduce analysis and testing effort by sharing analysis and test results among related configurations.

