Vminus requires that a program satisfy certain invariants to be considered well formed: every variable defined in the top-level function must be assigned exactly once statically, and its definition must dominate all of its uses. At a minimum, any reasonable Vminus transformation must preserve these invariants; together they imply that the program is in SSA form [28].
Figure 4.2 shows the judgments to check the SSA invariants with respect to the control-flow graph and program points of the function f.
Rule WF F ensures that the variables defs(f) defined in the top-level function are unique, which enforces the single-assignment part of the SSA property; additionally, all block labels labels(f) in the function must be unique for the control-flow graph to be well formed, and the entry block must have no predecessors (wf_entry f).

Rule WF B checks that all instructions in reachable blocks (written f ; l) satisfy the SSA domination invariant. Because unreachable blocks have no effect at runtime, the rule does not check them. Rule NONPHI ensures that a non-phi instruction ψ at pc is strictly dominated by the definitions of all variables used by ψ. Rule PHI ensures that the number of incoming values is not zero, that all incoming labels are unique, and that the current block's predecessors are exactly the set of incoming labels. If an incoming value val_j from a predecessor block l_j uses a variable r_j defined at pc_j, then pc_j must strictly dominate the terminator of l_j (that is, r_j ∈ sdom_f(l_j.t)). Importantly, this rule allows "cyclic" uses of SSA variables of the kind used in the example above (Section 4.1).
Given the semantics in this chapter, the next chapter presents the proof techniques for reasoning about SSA-based program properties and transformations of Vminus.
Figure 4.2: Well-formedness of Vminus (the SSA invariants). Rule NONPHI defines the domination judgment f ⊢ ψ @ pc for a non-phi instruction; rule WF NONPHI derives the instruction well-formedness judgment of the same shape by additionally requiring ψ to be well typed (f ⊢ ψ). Overlines with index j (resp. i) denote sequences.

$$\frac{\forall r.\ (\psi \text{ uses } r \Rightarrow r \in \mathit{sdom}_f(pc))}{f \vdash \psi \,@\, pc}\ \text{(NONPHI)}$$

$$\frac{\mathit{uniq}(\overline{l_j}^{\,j}) \qquad \overline{l_j}^{\,j} = \mathit{preds}(f, l) \qquad \forall r_j.\ (val_j \text{ uses } r_j \Rightarrow r_j \in \mathit{sdom}_f(l_j.t)) \qquad \mathit{len}(\overline{[val_j, l_j]}^{\,j}) > 0 \qquad \overline{f \vdash val_j : typ}^{\,j}}{f, l \vdash r = \mathbf{phi}\ typ\ \overline{[val_j, l_j]}^{\,j}}\ \text{(PHI)}$$

$$\frac{f \vdash val_1 : \mathbf{int} \qquad f \vdash val_2 : \mathbf{int}}{f \vdash r := val_1\ bop\ val_2}\ \text{(WF BOP)}$$

$$\frac{f \vdash val : \mathbf{int} \qquad f[l_1] = \lfloor b_1 \rfloor \qquad f[l_2] = \lfloor b_2 \rfloor}{f \vdash \mathbf{br}\ val\ l_1\ l_2}\ \text{(WF BR)}$$

$$\frac{f \vdash val : typ}{f \vdash \mathbf{ret}\ typ\ val}\ \text{(WF RET)}$$

$$\frac{f \vdash \psi \qquad f \vdash \psi \,@\, pc\ \ \text{(by NONPHI)}}{f \vdash \psi \,@\, pc}\ \text{(WF NONPHI)}$$

$$\frac{f ; l \Rightarrow \left(\overline{f, l \vdash \phi_j}^{\,j} \ \wedge\ \overline{f \vdash c_i \,@\, l.i}^{\,i} \ \wedge\ f \vdash tmn \,@\, l.t\right)}{f \vdash l\ \overline{\phi_j}^{\,j}\ \overline{c_i}^{\,i}\ tmn}\ \text{(WF B)}$$

$$\frac{\mathit{uniq}(\mathit{defs}(f)) \qquad \mathit{uniq}(\mathit{labels}(f)) \qquad f = \mathbf{fun}\ \{\overline{b_j}^{\,j}\} \qquad \overline{f \vdash b_j}^{\,j} \qquad \mathit{wf\_entry}\ f}{\vdash f}\ \text{(WF F)}$$
Chapter 5
Proof Techniques for SSA
This chapter describes the proof techniques we have developed for formalizing properties of SSA-style intermediate representations. To most clearly articulate the approach, we present the results using Vminus (see Chapter 4).
The key idea of the technique is to generalize the invariant used for Vminus's preservation lemma for proving safety to other predicates that are also shown to be invariants of the operational semantics. Crucially, these predicates all share the same form, which only constrains variable definitions that strictly dominate the current program counter. Because Vminus is such a stripped-down language, the relevant lemmas are relatively straightforward to establish; Chapter 8 shows how to scale the proof technique to the full Vellvm model of LLVM to verify the mem2reg pass.
Instances of this idea are found in the literature (see, for example, Menon, et al. [48]), and related proof techniques have been recently used in the CompCertSSA [14] project, but as we explain in Chapter 10, our results are more general: we provide proof techniques applicable to many SSA-based optimizations and transformations.
The remainder of this section first proves safety (which in this context simply amounts to showing that all variables are well-scoped). We then show how to generalize the safety invariant to a form that is useful for proving program transformations correct and demonstrate its applicability to a number of standard optimizations.
We mechanically verified all the claims in this chapter for Vminus in Coq.
5.1 Safety of Vminus
There are two ways that a Vminus program might get stuck. First, it might try to jump to an undefined label, but this is ruled out statically by WF BR. Second, it might try to access a variable whose value is not defined in δ. We can prove that this second case never happens by establishing the following safety theorem:

Theorem 9 (Safety). If ⊢ f and f ⊢ (l.0, ∅) −→* σ, then σ is not stuck. (Here, l is the entry block of function f and ∅ denotes an empty mapping for identifiers.)
The proof takes the standard form using preservation and progress lemmas with the invariant for frames shown below:
$$\frac{pc \in f \qquad \forall r.\ (r \in \mathit{sdom}_f(pc) \Rightarrow \exists v.\ \delta[r] = \lfloor v \rfloor)}{f \vdash (pc, \delta)}\ \text{(WF FR)}$$
This is similar to the predicate used in prior work for verifying the type safety of an SSA-based language [48]. The invariant WF FR states that a frame (pc, δ) is well formed if every definition that strictly dominates pc is defined in δ. The initial program state satisfies this invariant trivially:
Lemma 10 (Initial State). If ⊢ f then f ⊢ (l.0, ∅), where l is the entry block of f.
The preservation and progress lemmas are straightforward, but note that they crucially rely on the interplay between the invariant on δ "projected" onto sdom_f(pc) (Lemma 8) and the PHI and NONPHI rules of the static semantics.
Lemma 11 (Preservation). If ⊢ f, f ⊢ σ and f ⊢ σ −→ σ', then f ⊢ σ'.
Proof. The proof proceeds by case analysis on the reduction rule.

Case E BOP: Let σ = (l.i, δ), σ' = (l.(i+1), δ{v_3/r}), and f[l.i] = ⌊r := val_1 bop val_2⌋. The conclusion holds by Lemma 8.

Case E BR: Let σ = (l.t, δ), σ' = (l_3.0, δ'), f[l.t] = ⌊br val l_1 l_2⌋, $\llbracket \phi_3 \rrbracket^{l}_{\delta} = \lfloor \delta' \rfloor$, and let φ_3 be the phi nodes of block l_3. Suppose r ∈ sdom_f(l_3.0). If r ∈ defs(φ_3), then r must be defined in δ' by the definition of $\llbracket \cdot \rrbracket^{l}_{\delta}$. Otherwise, if r ∉ defs(φ_3), the conclusion holds by Lemma 8. □
Proof (of the progress lemma). Assume that σ = (pc, δ). Since pc ∈ f, there exists insn with f[pc] = ⌊insn⌋. The proof proceeds by case analysis on insn.

Case insn = r := val_1 bop val_2: rule NONPHI ensures that the definitions of the variables used by val_1 and val_2 strictly dominate pc, so they are in sdom_f(pc), and WF FR then guarantees that δ binds each of them. Therefore σ can step by E BOP and is not stuck.

Case insn = br val l_1 l_2: first, rule NONPHI ensures that any variable used by val is defined in sdom_f(pc), so $\llbracket val \rrbracket_{\delta} = \lfloor v \rfloor$; rule WF BR ensures that both l_1 and l_2 are defined in f. Suppose l_3 = (v ? l_1 : l_2), f[l_3] = ⌊(l_3 φ_3 c_3 tmn_3)⌋, and the current block l is the j-th predecessor l_j of l_3. Rule PHI ensures that the definitions of the j-th incoming variables strictly dominate l_j.t = pc, so they are in sdom_f(pc) and are bound in δ by WF FR. Therefore $\llbracket \phi_3 \rrbracket^{l}_{\delta} = \lfloor \delta' \rfloor$, and σ can step by E BR.

Case insn = ret typ val: the program terminates. □
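To make the judgments of Figure 4.2 and the frame invariant WF FR concrete, here is an added Python illustration; it is my own code, not the thesis's Coq development. It encodes a Vminus function as a dict from labels to blocks (phi nodes as (r, [(val, label), ...]), commands as (r, op, v1, v2), terminators as ("br", val, l1, l2) or ("ret", val), values as int literals or variable names), computes dominators, checks WF F, WF B, PHI and NONPHI (typing and WF BR are omitted: every value is an int and branch labels are assumed to exist), and then executes the program while asserting WF FR before every step. The helper names (check_wf, sdom, run, ...) and both sample programs are constructed for this example.

```python
# Added illustration, not the thesis's Coq development: a toy SSA checker and
# interpreter for Vminus (encoding and helper names are my own assumptions).
from collections import namedtuple

Block = namedtuple("Block", "phis cmds tmn")
OPS = {"+": lambda a, b: a + b, "-": lambda a, b: a - b}

def uses(val):                       # the variable a value mentions, if any
    return {val} if isinstance(val, str) else set()
def succs(blk):
    return set(blk.tmn[2:]) if blk.tmn[0] == "br" else set()
def preds(f, l):
    return {p for p, b in f.items() if l in succs(b)}
def block_defs(blk):
    return [r for r, _ in blk.phis] + [c[0] for c in blk.cmds]

def dominators(f, entry):            # reachable labels and dom[l], iteratively
    reach, work = {entry}, [entry]
    while work:
        for s in succs(f[work.pop()]) - reach:
            reach.add(s)
            work.append(s)
    dom = {l: ({entry} if l == entry else set(reach)) for l in reach}
    changed = True
    while changed:                   # dom[l] = {l} ∪ ⋂ dom[p] over reachable preds p
        changed = False
        for l in reach - {entry}:
            new = {l} | set.intersection(*(dom[p] for p in preds(f, l) if p in reach))
            if new != dom[l]:
                dom[l], changed = new, True
    return reach, dom

def sdom(f, dom, pc):
    """sdom_f(pc), pc = (l, i); i == len(cmds) is l.t; l's phi defs are in scope from l.0."""
    l, i = pc
    s = {r for d in dom[l] - {l} for r in block_defs(f[d])}
    return s | {r for r, _ in f[l].phis} | {c[0] for c in f[l].cmds[:i]}

def check_wf(f, entry):              # Figure 4.2; [] means ⊢ f holds
    errs, defs = [], [r for b in f.values() for r in block_defs(b)]
    if len(defs) != len(set(defs)) or preds(f, entry):   # WF_F (labels are dict keys)
        errs.append("WF_F: defs not unique or entry has predecessors")
    reach, dom = dominators(f, entry)
    for l in reach:                  # WF_B skips unreachable blocks
        phis, cmds, tmn = f[l]
        for r, inc in phis:          # PHI
            labels = [lj for _, lj in inc]
            if not inc or len(labels) != len(set(labels)) or set(labels) != preds(f, l):
                errs.append(f"PHI: incoming labels of {r} are not preds({l})")
            for valj, lj in inc:
                if lj in reach and not uses(valj) <= sdom(f, dom, (lj, len(f[lj].cmds))):
                    errs.append(f"PHI: {valj} is not in sdom({lj}.t)")
        for i, u in enumerate([uses(c[2]) | uses(c[3]) for c in cmds] + [uses(tmn[1])]):
            if not u <= sdom(f, dom, (l, i)):          # NONPHI at l.i and at l.t
                errs.append(f"NONPHI: use at {l}.{i} is not strictly dominated")
    return errs

class Stuck(Exception):
    pass                             # a step with no applicable rule
def ev(val, d):                      # ⟦val⟧_δ
    if isinstance(val, str) and val not in d:
        raise Stuck(f"{val} is not defined in δ")
    return d.get(val, val)

def run(f, entry):                   # executes from (entry.0, ∅); returns ret's value
    _, dom = dominators(f, entry)
    pc, d = (entry, 0), {}
    while True:
        missing = sdom(f, dom, pc) - set(d)                  # WF_FR
        assert not missing, f"WF_FR violated at {pc}: {missing}"
        (l, i), blk = pc, f[pc[0]]
        if i < len(blk.cmds):                                # E_BOP
            r, op, v1, v2 = blk.cmds[i]
            d, pc = {**d, r: OPS[op](ev(v1, d), ev(v2, d))}, (l, i + 1)
        elif blk.tmn[0] == "ret":                            # E_RET
            return ev(blk.tmn[1], d)
        else:                                                # E_BR
            l3 = blk.tmn[2] if ev(blk.tmn[1], d) != 0 else blk.tmn[3]
            # The target's phis all read the old δ (parallel assignment).
            upd = {r: ev(dict((lj, v) for v, lj in inc)[l], d) for r, inc in f[l3].phis}
            d, pc = {**d, **upd}, (l3, 0)

# Constructed example: sums 10 + ... + 1; the `loop` phis use i1/acc1, defined later in the block.
LOOP = {"entry": Block([], [], ("br", 1, "loop", "loop")),
        "loop": Block([("i", [(10, "entry"), ("i1", "loop")]), ("acc", [(0, "entry"), ("acc1", "loop")])],
                      [("acc1", "+", "acc", "i"), ("i1", "-", "i", 1)], ("br", "i1", "loop", "exit")),
        "exit": Block([], [], ("ret", "acc1"))}
# Constructed counterexample: `exit` uses y, but `b` does not dominate `exit`: rejected, and stuck if run.
BAD = {"entry": Block([], [("x", "+", 0, 0)], ("br", "x", "b", "exit")),
       "b": Block([], [("y", "+", "x", 1)], ("br", 1, "exit", "exit")),
       "exit": Block([], [], ("ret", "y"))}

def demo():                          # (⊢ LOOP errors, LOOP's result, ⊢ BAD errors, BAD stuck?)
    try:
        run(BAD, "entry")
        stuck = False
    except Stuck:
        stuck = True
    return check_wf(LOOP, "entry"), run(LOOP, "entry"), check_wf(BAD, "entry"), stuck
```

check_wf(LOOP, "entry") returns an empty list and run(LOOP, "entry") returns 55 with WF FR holding at every frame, even though the phis of `loop` read i1 and acc1 before they are assigned in the block. check_wf(BAD, "entry") reports the NONPHI violation at `exit`, and run(BAD, "entry") raises Stuck at `ret y` although WF FR held at every frame it reached: progress needs ⊢ f, not just the frame invariant, which is exactly the interplay between WF FR and the NONPHI/PHI rules that the proof of Theorem 9 relies on.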