## Automated Soundness Proofs for Dataflow Analyses and Transformations Via Local Rules (2005)

### Download Links

- [www.cs.ucla.edu]
- [www.cs.ucsd.edu]
- [www.cse.ucsd.edu]
- [cseweb.ucsd.edu]
- [cse.ucsd.edu]
- [pag.csail.mit.edu]
- [pag.lcs.mit.edu]
- [www.eecs.umich.edu]
- DBLP

### Other Repositories/Bibliography

Venue: In Proc. of the 32nd Symposium on Principles of Programming Languages

Citations: 61 (8 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Lerner05automatedsoundness,
  author    = {Sorin Lerner and Todd Millstein and Erika Rice and Craig Chambers},
  title     = {Automated Soundness Proofs for Dataflow Analyses and Transformations Via Local Rules},
  booktitle = {In Proc. of the 32nd Symposium on Principles of Programming Languages},
  year      = {2005},
  pages     = {364--377},
  publisher = {ACM Press}
}
```

### Abstract

We present Rhodium, a new language for writing compiler optimizations that can be automatically proved sound. Unlike our previous work on Cobalt, Rhodium expresses optimizations using explicit dataflow facts manipulated by local propagation and transformation rules. This new style allows Rhodium optimizations to be mutually recursively defined, to be automatically composed, to be interpreted in both flow-sensitive and flow-insensitive ways, and to be applied interprocedurally given a separate context-sensitivity strategy, all while retaining soundness. Rhodium also supports infinite analysis domains while guaranteeing termination of analysis. We have implemented a soundness checker for Rhodium and have specified and automatically proven the soundness of all of Cobalt's optimizations plus a variety of optimizations not expressible in Cobalt, including Andersen's points-to analysis, arithmetic-invariant detection, loop-induction-variable strength reduction, and redundant array load elimination. Categories and Subject Descriptors: D.2.4 [Software

### Citations

1099 | Proof-carrying code
- Necula
- 1997
Citation Context: ...res the Rhodium execution engine to be part of the trusted computing base, while translation validation and credible compilation do not require trust in any part of the optimizer. Proof-carrying code [22], certified compilation [24], typed intermediate languages [31], and typed assembly languages [21] have all been used to prove properties of programs generated by a compiler. However, the kinds of pro...

529 | Program analysis and specialization for the C programming language
- Andersen
- 1994
Citation Context: ...imizations plus the following new optimizations and analyses that were not expressible in Cobalt: loop-induction-variable strength reduction, a flow-sensitive version of Andersen's points-to analysis [3] with heap summaries, arithmetic invariant detection, constant propagation through array elements, redundant array load elimination, and integer range analysis. Our Rhodium code defines 24 dataflow fa...

357 | An abstract interpretation framework for termination
- Patrick Cousot, Radhia Cousot
- 2012
Citation Context: ...ornia, USA. Copyright 2005 ACM 1-58113-830-X/05/0001 ...$5.00. making compilers trustworthy, including testing, translation validation [25, 23], credible compilation [26], and manual proof techniques [8, 9, 37, 14, 17, 10]. In previous work [19], we presented a system in which optimizations could be checked for soundness automatically. An optimization is sound if it is guaranteed to preserve the semantics of any progra...

303 | Two Approaches to Interprocedural Data Flow Analysis
- Sharir, Pnueli
- 1981
Citation Context: ...llee at this call site. We have instantiated our framework with two commonly used context-sensitivity strategies: the transfer function strategy (also known as Sharir and Pnueli's functional approach [27]), and Shivers's k-CFA algorithm [28] (also known as the k-deep call-strings strategy of Sharir and Pnueli [27]). Table 2 shows the definition of Context and selectCalleeContext for these two strategi...

267 | The design and implementation of a certifying compiler
- Necula, Lee
- 1998
Citation Context: ...gine to be part of the trusted computing base, while translation validation and credible compilation do not require trust in any part of the optimizer. Proof-carrying code [22], certified compilation [24], typed intermediate languages [31], and typed assembly languages [21] have all been used to prove properties of programs generated by a compiler. However, the kinds of properties that these approache...

235 | Cloning-based context-sensitive pointer alias analyses using binary decision diagrams
- Whaley, Lam
- 2004
Citation Context: ...epresentations, for instance the inverted may-point-to relation, or a bit-vector representation of the relation. Also, motivated by recent advances in the use of BDDs to represent pointer information [5, 34], we would like to explore ways of inferring when it would be beneficial to use BDDs for encoding our sets of facts. Finally, we want to continue on our path of pushing more and more of the burden of ...

226 | TIL: A type-directed optimizing compiler for ML
- Tarditi, Morrisett, et al.
- 1996
Citation Context: ...uting base, while translation validation and credible compilation do not require trust in any part of the optimizer. Proof-carrying code [22], certified compilation [24], typed intermediate languages [31], and typed assembly languages [21] have all been used to prove properties of programs generated by a compiler. However, the kinds of properties that these approaches have typically guaranteed are typ...

199 | Control analysis in Scheme
- Shivers
- 1988
Citation Context: ...ntiated our framework with two commonly used context-sensitivity strategies: the transfer function strategy (also known as Sharir and Pnueli's functional approach [27]), and Shivers's k-CFA algorithm [28] (also known as the k-deep call-strings strategy of Sharir and Pnueli [27]). Table 2 shows the definition of Context and selectCalleeContext for these two strategies. The context-insensitive strategy c...

175 | Translation validation for an optimizing compiler
- Necula
Citation Context: ...ion and/or a fee. POPL'05, January 12–14, 2005, Long Beach, California, USA. Copyright 2005 ACM 1-58113-830-X/05/0001 ...$5.00. making compilers trustworthy, including testing, translation validation [25, 23], credible compilation [26], and manual proof techniques [8, 9, 37, 14, 17, 10]. In previous work [19], we presented a system in which optimizations could be checked for soundness automatically. An op...

164 | Extended static checking for Java
- Flanagan, Leino, et al., Stata
- 2002
Citation Context: ...es the same strong soundness guarantees. We have implemented our strategy for automatically proving Rhodium analyses and optimizations sound using Simplify, the automatic theorem prover from ESC/Java [12]. We defined and automatically proved sound all of Cobalt's optimizations plus the following new optimizations and analyses that were not expressible in Cobalt: loop-induction-variable strength reduct...

155 | TALx86: A realistic typed assembly language
- Morrisett, Crary, et al.
- 1999
Citation Context: ...ation and credible compilation do not require trust in any part of the optimizer. Proof-carrying code [22], certified compilation [24], typed intermediate languages [31], and typed assembly languages [21] have all been used to prove properties of programs generated by a compiler. However, the kinds of properties that these approaches have typically guaranteed are type safety and memory safety. In our ...

143 | Translation validation
- Pnueli, Singerman, et al.
- 1998
Citation Context: ...ion and/or a fee. POPL'05, January 12–14, 2005, Long Beach, California, USA. Copyright 2005 ACM 1-58113-830-X/05/0001 ...$5.00. making compilers trustworthy, including testing, translation validation [25, 23], credible compilation [26], and manual proof techniques [8, 9, 37, 14, 17, 10]. In previous work [19], we presented a system in which optimizations could be checked for soundness automatically. An op...

113 | Vortex: An optimizing compiler for object-oriented languages
- Dean, DeFouw, et al.
- 1996
Citation Context: ...SES Yet another benefit of using flow functions is that we can adapt a previous flow-function-based framework [7] from the Vortex compiler [11] in order to automatically build provably sound interprocedural analyses in Rhodium. (Footnote 5, interleaved in the extracted text: Or, if using bounded-sized integers, it takes a long time.) The previous Vortex framework has been used to write realistic interprocedural analyses, such as various kinds of c...

109 | Kleene algebra with tests
- Kozen
- 1997
Citation Context: ...t of work has been done on manually proving dataflow analyses and transformations correct, including abstract interpretation [8, 9, 10], the work on the VLISP compiler [14], Kleene algebra with tests [16], manual proofs of correctness for optimizations expressed in temporal logic [30, 17], and manual proofs of correctness based on partial equivalence relations [4]. Analyses and transformations have al...

85 | Simple relational correctness proofs for static analyses and program transformations
- Benton
- 2004
Citation Context: ...iler [14], Kleene algebra with tests [16], manual proofs of correctness for optimizations expressed in temporal logic [30, 17], and manual proofs of correctness based on partial equivalence relations [4]. Analyses and transformations have also been proven correct mechanically, but not automatically: the soundness proof is performed with an interactive theorem prover that requires guidance from the us...

79 | Systematic design of program analysis frameworks
- Patrick Cousot, Radhia Cousot
- 1979
Citation Context: ...ornia, USA. Copyright 2005 ACM 1-58113-830-X/05/0001 ...$5.00. making compilers trustworthy, including testing, translation validation [25, 23], credible compilation [26], and manual proof techniques [8, 9, 37, 14, 17, 10]. In previous work [19], we presented a system in which optimizations could be checked for soundness automatically. An optimization is sound if it is guaranteed to preserve the semantics of any progra...

72 | An Approach for Exploring Code-Improving Transformations
- Whitfield, Soffa
- 1997
Citation Context: ... rules for supporting a given CFG rewrite rule. 9. RELATED WORK The idea of analyzing optimizations written in a domain-specific language was introduced by Whitfield and Soffa with the Gospel language [35]. The differences between our work and the Gospel work stem from the difference in focus: we explore soundness whereas Whitfield and Soffa explore optimization dependencies. Many other frameworks and ...

71 | Sharlit: a tool for building optimizers
- Tjiang, Hennessy
- 1992
Citation Context: ...soundness whereas Whitfield and Soffa explore optimization dependencies. Many other frameworks and languages have been proposed for specifying dataflow analyses and transformations, including Sharlit [32], System-Z [36], languages based on regular path queries [29], and temporal logic [30, 17]. None of these approaches, however, addresses automated soundness checking of the specified transformations. ...

68 | Static Analyses for Eliminating Unnecessary Synchronization from Java Programs
- Aldrich, Chambers, et al.
Citation Context: ...ed to write realistic interprocedural analyses, such as various kinds of class analysis [13], constant propagation, side-effect analysis, escape analysis, and various synchronization-related analyses [2]. The contribution of the new Rhodium framework is a rigorous formal description combined with a proof of soundness. These are stand-alone contributions whose applications are broader than just the Rh...

68 | A framework for call graph construction algorithms
- Grove, Chambers
- 2001
Citation Context: ...utomatically build provably sound interprocedural analyses in Rhodium. The previous Vortex framework has been used to write realistic interprocedural analyses, such as various kinds of class analysis [13], constant propagation, side-effect analysis, escape analysis, and various synchronization-related analyses [2]. The contribution of the new Rhodium framework is a rigorous formal description combined...

68 | Automatically proving the correctness of compiler optimizations
- Lerner, Millstein, et al.
- 2003

53 | Proving correctness of compiler optimizations by temporal logic, Higher-Order and Symb
- Lacey, Jones, et al.
Citation Context: ...ornia, USA. Copyright 2005 ACM 1-58113-830-X/05/0001 ...$5.00. making compilers trustworthy, including testing, translation validation [25, 23], credible compilation [26], and manual proof techniques [8, 9, 37, 14, 17, 10]. In previous work [19], we presented a system in which optimizations could be checked for soundness automatically. An optimization is sound if it is guaranteed to preserve the semantics of any progra...

51 | Data flow analysis as model checking
- Steffen
- 1991
Citation Context: ...itability heuristics and user-defined widenings. We also plan to explore more efficient implementation strategies for our execution engine, such as generating specialized code to run each optimization [30]. For example, consider a rule whose antecedent is a conjunction where one of the conjuncts is stmt(X := &Z). We statically know that this rule will only fire on statements of the form X := &Z, but be...

45 | VLISP: A verified implementation of Scheme
- Guttman, Ramsdell, et al.
- 1995

44 | Extracting a data flow analyser in constructive logic
- Cachera, Jensen, et al.
Citation Context: ...idance from the user. For example, Young [37] has proven a code generator correct using the Boyer-Moore theorem prover enhanced with an interactive interface [15]. As another example, Cachera et al. [6] show how to specify static analyses and prove them correct in constructive logic using the Coq proof assistant. Via the Curry-Howard isomorphism, an implementation of the static analysis algorithm ca...

43 | Points-to analysis using BDDs
- Berndl, Lhoták, et al., Umanee
- 2003
Citation Context: ...epresentations, for instance the inverted may-point-to relation, or a bit-vector representation of the relation. Also, motivated by recent advances in the use of BDDs to represent pointer information [5, 34], we would like to explore ways of inferring when it would be beneficial to use BDDs for encoding our sets of facts. Finally, we want to continue on our path of pushing more and more of the burden of ...

41 | Composing dataflow analyses and transformations
- Lerner, Grove, et al.
- 2002
Citation Context: ...ty. • Composed analyses and transformations. By using a model based on local propagation and transformation rules, we can exploit previous work on automatically composing analyses and transformations [18] to enable Rhodium optimizations to be automatically composed. • Flow-insensitive analyses. We show how to interpret Rhodium propagation rules in a flow-insensitive manner, soundly, yielding more-effi...

36 | Credible compilers
- Rinard
- 1999
Citation Context: ...ary 12–14, 2005, Long Beach, California, USA. Copyright 2005 ACM 1-58113-830-X/05/0001 ...$5.00. making compilers trustworthy, including testing, translation validation [25, 23], credible compilation [26], and manual proof techniques [8, 9, 37, 14, 17, 10]. In previous work [19], we presented a system in which optimizations could be checked for soundness automatically. An optimization is sound if it i...

30 | The Boyer-Moore theorem prover and its interactive enhancement
- Boyer, Kaufmann, et al.
- 1995
Citation Context: ...nteractive theorem prover that requires guidance from the user. For example, Young [37] has proven a code generator correct using the Boyer-Moore theorem prover enhanced with an interactive interface [15]. As another example, Cachera et al. [6] show how to specify static analyses and prove them correct in constructive logic using the Coq proof assistant. Via the Curry-Howard isomorphism, an implement...

30 | A mechanically verified code generator
- Young
- 1989

18 | Frameworks for intra- and interprocedural dataflow analysis
- Chambers, Dean, et al.
- 1996
Citation Context: .... A proof can be found in the accompanying technical report [20]. 6. INTERPROCEDURAL ANALYSES Yet another benefit of using flow functions is that we can adapt a previous flow-function-based framework [7] from the Vortex compiler [11] in order to automatically build provably sound interprocedural analyses in Rhodium. (Footnote 5, interleaved in the extracted text: Or, if using bounded-sized integers, it takes a long time.) The previous Vortex fram...

18 | Incremental execution of transformation specifications
- Sittampalam, Moor, et al.
- 2004
Citation Context: ...pendencies. Many other frameworks and languages have been proposed for specifying dataflow analyses and transformations, including Sharlit [32], System-Z [36], languages based on regular path queries [29], and temporal logic [30, 17]. None of these approaches, however, addresses automated soundness checking of the specified transformations. A significant amount of work has been done on manually provin...

12 | Automatic generation and management of interprocedural program analyses
- Yi, Harrison III
- 1993
Citation Context: ...as Whitfield and Soffa explore optimization dependencies. Many other frameworks and languages have been proposed for specifying dataflow analyses and transformations, including Sharlit [32], System-Z [36], languages based on regular path queries [29], and temporal logic [30, 17]. None of these approaches, however, addresses automated soundness checking of the specified transformations. A significant a...

10 | KAT-ML: An interactive theorem prover for Kleene algebra with tests
- Aboul-Hosn, Kozen
Citation Context: ...y introduce a merge statement for which users can write ordinary Rhodium propagation rules: decl X:Var, C1:Int, C2:Int, C3:Int, C4:Int if stmt(merge) ∧ inRange(X, C1, C2)@in[0] ∧ inRange(X, C3, C4)@in[1] then inRange(X, min(C1, C3), max(C2, C4))@out This example introduces edge indices: in[i] refers to the i-th CFG input edge. The previously used in was just syntactic sugar for in[0]. Similarly, out c...