The whole compiler and its proof of semantic preservation

Libraries.

Require Import String.
Require Import Coqlib Errors.
Require Import AST Linking Smallstep.

Languages (syntax and semantics).

Require Ctypes Csyntax Csem Cstrategy Cexec.
Require Clight.
Require Csharpminor.
Require Cminor.
Require CminorSel.
Require RTL.
Require LTL.
Require Linear.
Require Mach.
Require Asm.

Translation passes.

Require Initializers.
Require SimplExpr.
Require SimplLocals.
Require Cshmgen.
Require Cminorgen.
Require Selection.
Require RTLgen.
Require Import Duplicatepasses.
Require Tailcall.
Require Tailrec.
Require Inlining.
Require Profiling.
Require ProfilingExploit.
Require Renumber.
Require CSE.
Require Constprop.
Require Intervalprop.
Require CSE.
Require CSE2.
Require CSE3.
Require KillUselessMoves.
Require ForwardMoves.
Require Deadcode.
Require RTLTunneling.
Require Allnontrap.
Require Canary.
Require Renumber.
Require Unusedglob.
Require ForwardMoves.
Require Allocation.
Require LTLTunneling.
Require Linearize.
Require CleanupLabels.
Require Debugvar.
Require Stacking.
Require Asmgen.

Proofs of semantic preservation.

Require SimplExprproof.
Require SimplLocalsproof.
Require Cshmgenproof.
Require Cminorgenproof.
Require Selectionproof.
Require RTLgenproof.
Require Tailcallproof.
Require Tailrecproof.
Require Inliningproof.
Require Profilingproof.
Require ProfilingExploitproof.
Require Renumberproof.
Require CSEproof.
Require Constpropproof.
Require Intervalpropproof.
Require CSEproof.
Require CSE2proof.
Require CSE3proof.
Require KillUselessMovesproof.
Require ForwardMovesproof.
Require Deadcodeproof.
Require RTLTunnelingproof.
Require Allnontrapproof.
Require Canaryproof.
Require Renumberproof.
Require Unusedglobproof.
Require ForwardMovesproof.
Require Allocationproof.
Require LTLTunnelingproof.
Require Linearizeproof.
Require CleanupLabelsproof.
Require Debugvarproof.
Require Stackingproof.
Require Import Asmgenproof.

Command-line flags.

Require Import Compopts.
Require Import BTLpasses.

Pretty-printers (defined in Caml).

Parameter print_Clight: Clight.program -> unit.
Parameter print_Cminor: Cminor.program -> unit.
Parameter print_RTL: Z -> RTL.program -> unit.
Parameter print_LTL: Z -> LTL.program -> unit.
Parameter print_Mach: Mach.program -> unit.

Local Open Scope string_scope.

Composing the translation passes

We first define useful monadic composition operators, along with funny (but convenient) notations.

Definition apply_total (A B: Type) (x: res A) (f: A -> B) : res B :=
  match x with Error msg => Error msg | OK x1 => OK (f x1) end.

Definition apply_partial (A B: Type)
                         (x: res A) (f: A -> res B) : res B :=
  match x with Error msg => Error msg | OK x1 => f x1 end.

Notation "a @@@ b" :=
   (apply_partial _ _ a b) (at level 50, left associativity).
Notation "a @@ b" :=
   (apply_total _ _ a b) (at level 50, left associativity).

Definition print {A: Type} (printer: A -> unit) (prog: A) : A :=
  let unused := printer prog in prog.

Definition time {A B: Type} (name: string) (f: A -> B) : A -> B := f.

Definition total_if {A: Type}
          (flag: unit -> bool) (f: A -> A) (prog: A) : A :=
  if flag tt then f prog else prog.

Definition partial_if {A: Type}
          (flag: unit -> bool) (f: A -> res A) (prog: A) : res A :=
  if flag tt then f prog else OK prog.

We define three translation functions for whole programs: one starting with a C program, one with a Cminor program, one with an RTL program. The three translations produce Asm programs ready for pretty-printing and assembling.

Force Initializers and Cexec to be extracted as well.

Definition transl_init := Initializers.transl_init.
Definition cexec_do_step := Cexec.do_step.

The following lemmas help reason over compositions of passes.

Lemma print_identity:
forall (A: Type) (printer: A -> unit) (prog: A),
print printer prog = prog.

Proof.

intros; unfold print. destruct (printer prog); auto.
Qed.

Lemma compose_print_identity:
forall (A: Type) (x: res A) (f: A -> unit),
x @@ print f = x.

Proof.

intros. destruct x; simpl. rewrite print_identity. auto. auto.
Qed.

Relational specification of compilation

Definition match_if {A: Type} (flag: unit -> bool) (R: A -> A -> Prop): A -> A -> Prop :=
  if flag tt then R else eq.

Lemma total_if_match:
  forall (A: Type) (flag: unit -> bool) (f: A -> A) (rel: A -> A -> Prop) (prog: A),
  (forall p, rel p (f p)) ->
  match_if flag rel prog (total_if flag f prog).

Proof.

intros. unfold match_if, total_if. destruct (flag tt); auto.
Qed.

Lemma partial_if_match:
  forall (A: Type) (flag: unit -> bool) (f: A -> res A) (rel: A -> A -> Prop) (prog tprog: A),
  (forall p tp, f p = OK tp -> rel p tp) ->
  partial_if flag f prog = OK tprog ->
  match_if flag rel prog tprog.

Proof.

intros. unfold match_if, partial_if in *. destruct (flag tt). auto. congruence.
Qed.

Global Instance TransfIfLink {A: Type} {LA: Linker A}
(flag: unit -> bool) (transf: A -> A -> Prop) (TL: TransfLink transf)
: TransfLink (match_if flag transf).

Proof.

unfold match_if. destruct (flag tt).
- auto.
- red; intros. subst tp1 tp2. exists p; auto.
Qed.

This is the list of compilation passes of CompCert in relational style. Each pass is characterized by a match_prog relation between its input code and its output code. The mkpass and ::: combinators, defined in module Linking, ensure that the passes are composable (the output language of a pass is the input language of the next pass) and that they commute with linking (property TransfLink, inferred by the type class mechanism of Coq).

Composing the match_prog relations above, we obtain the relation between CompCert C sources and Asm code that characterize CompCert's compilation.

Definition match_prog: Csyntax.program -> Asm.program -> Prop :=
pass_match (compose_passes CompCert's_passes).

The transf_c_program function, when successful, produces assembly code that is in the match_prog relation with the source C program.

Theorem transf_c_program_match:
  forall p tp,
  transf_c_program p = OK tp ->
  match_prog p tp.

Proof.

  intros p tp T.
  unfold transf_c_program, time in T. cbn in T.
  destruct (SimplExpr.transl_program p) as [p1|e] eqn:P1; cbn in T; try discriminate.
  unfold transf_clight_program, time in T. rewrite ! compose_print_identity in T. cbn in T.
  destruct (SimplLocals.transf_program p1) as [p2|e] eqn:P2; cbn in T; try discriminate.
  destruct (Cshmgen.transl_program p2) as [p3|e] eqn:P3; cbn in T; try discriminate.
  destruct (Cminorgen.transl_program p3) as [p4|e] eqn:P4; cbn in T; try discriminate.
  unfold transf_cminor_program, time in T. rewrite ! compose_print_identity in T. cbn in T.
  destruct (Selection.sel_program p4) as [p5|e] eqn:P5; cbn in T; try discriminate.
  destruct (RTLgen.transl_program p5) as [p6|e] eqn:P6; cbn in T; try discriminate.
  unfold transf_rtl_program, time in T. rewrite ! compose_print_identity in T.
  cbn in T.
set (p7 := total_if optim_tailcalls Tailcall.transf_program p6) in *.
destruct (partial_if optim_tailrec Tailrec.transf_program p7) as [p8|e] eqn:P8; cbn in T; try discriminate.
destruct (Inlining.transf_program p8) as [p9|e] eqn:P9; cbn in T; try discriminate.
set (p10 := total_if profile_arcs Profiling.transf_program p9) in *.
set (p11 := total_if branch_probabilities ProfilingExploit.transf_program p10) in *.
set (p12 := Renumber.transf_program p11) in *.
destruct (partial_if optim_CSE CSE.transf_program p12) as [p13|e] eqn:P13; cbn in T; try discriminate.
destruct (Staticpredict.transf_program p13) as [p14|e] eqn:P14; cbn in T; try discriminate.
destruct (Unrollsingle.transf_program p14) as [p15|e] eqn:P15; cbn in T; try discriminate.
set (p16 := Renumber.transf_program p15) in *.
destruct (Tailduplicate.transf_program p16) as [p17|e] eqn:P17; cbn in T; try discriminate.
set (p18 := Renumber.transf_program p17) in *.
destruct (Unrollbody.transf_program p18) as [p19|e] eqn:P19; cbn in T; try discriminate.
set (p20 := Renumber.transf_program p19) in *.
destruct (Looprotate.transf_program p20) as [p21|e] eqn:P21; cbn in T; try discriminate.
set (p22 := Renumber.transf_program p21) in *.
set (p23 := total_if optim_constprop Constprop.transf_program p22) in *.
set (p24 := total_if optim_intervalprop Intervalprop.transf_program p23) in *.
destruct (partial_if optim_lct_promote BTL_IntPromotionpasses.transf_program p24) as [p25|e] eqn:P25; cbn in T; try discriminate.
set (p26 := Renumber.transf_program p25) in *.
destruct (partial_if optim_CSE CSE.transf_program p26) as [p27|e] eqn:P27; cbn in T; try discriminate.
set (p28 := total_if optim_CSE2 CSE2.transf_program p27) in *.
destruct (partial_if optim_CSE3 CSE3.transf_program p28) as [p29|e] eqn:P29; cbn in T; try discriminate.
set (p30 := total_if optim_CSE3 KillUselessMoves.transf_program p29) in *.
set (p31 := total_if optim_forward_moves ForwardMoves.transf_program p30) in *.
destruct (partial_if optim_redundancy Deadcode.transf_program p31) as [p32|e] eqn:P32; cbn in T; try discriminate.
destruct (RTLTunneling.transf_program p32) as [p33|e] eqn:P33; cbn in T; try discriminate.
set (p34 := total_if all_loads_nontrap Allnontrap.transf_program p33) in *.
set (p35 := total_if stack_protector Canary.transf_program p34) in *.
set (p36 := total_if stack_protector Renumber.transf_program p35) in *.
destruct (Unusedglob.transf_program p36) as [p37|e] eqn:P37; cbn in T; try discriminate.
set (p38 := total_if btl_bb Renumber.transf_program p37) in *.
destruct (partial_if btl_bb BTL_BBpasses.transf_program p38) as [p39|e] eqn:P39; cbn in T; try discriminate.
destruct (partial_if lct_tun RTLTunneling.transf_program p39) as [p40|e] eqn:P40; cbn in T; try discriminate.
set (p41 := total_if btl_sb Renumber.transf_program p40) in *.
destruct (partial_if btl_sb BTL_SBpasses.transf_program p41) as [p42|e] eqn:P42; cbn in T; try discriminate.
set (p43 := total_if optim_forward_moves ForwardMoves.transf_program p42) in *.
set (p44 := total_if optim_constprop2 Constprop.transf_program p43) in *.
set (p45 := total_if final_renumber Renumber.transf_program p44) in *.
destruct (Allocation.transf_program p45) as [p46|e] eqn:P46; cbn in T; try discriminate.
destruct (LTLTunneling.transf_program p46) as [p47|e] eqn:P47; cbn in T; try discriminate.
destruct (Linearize.transf_program p47) as [p48|e] eqn:P48; cbn in T; try discriminate.
set (p49 := CleanupLabels.transf_program p48) in *.
destruct (partial_if debug Debugvar.transf_program p49) as [p50|e] eqn:P50; cbn in T; try discriminate.
destruct (Stacking.transf_program p50) as [p51|e] eqn:P51; cbn in T; try discriminate.
  unfold match_prog; simpl.
  exists p1; split. apply SimplExprproof.transf_program_match; auto.
  exists p2; split. apply SimplLocalsproof.match_transf_program; auto.
  exists p3; split. apply Cshmgenproof.transf_program_match; auto.
  exists p4; split. apply Cminorgenproof.transf_program_match; auto.
  exists p5; split. apply Selectionproof.transf_program_match; auto.
  exists p6; split. apply RTLgenproof.transf_program_match; auto.
  exists p7; split. apply total_if_match. apply Tailcallproof.transf_program_match; auto.
  exists p8; split. eapply partial_if_match; eauto. apply Tailrecproof.transf_program_match; auto.
  exists p9; split. apply Inliningproof.transf_program_match; auto.
  exists p10; split. apply total_if_match. apply Profilingproof.transf_program_match; auto.
  exists p11; split. apply total_if_match. apply ProfilingExploitproof.transf_program_match; auto.
  exists p12; split. apply Renumberproof.transf_program_match; auto.
  exists p13; split. eapply partial_if_match; eauto. apply CSEproof.transf_program_match; auto.
  exists p14; split. apply Staticpredictproof.transf_program_match; auto.
  exists p15; split. apply Unrollsingleproof.transf_program_match; auto.
  exists p16; split. apply Renumberproof.transf_program_match; auto.
  exists p17; split. apply Tailduplicateproof.transf_program_match; auto.
  exists p18; split. apply Renumberproof.transf_program_match; auto.
  exists p19; split. apply Unrollbodyproof.transf_program_match; auto.
  exists p20; split. apply Renumberproof.transf_program_match; auto.
  exists p21; split. apply Looprotateproof.transf_program_match; auto.
  exists p22; split. apply Renumberproof.transf_program_match; auto.
  exists p23; split. apply total_if_match. apply Constpropproof.transf_program_match; auto.
  exists p24; split. apply total_if_match. apply Intervalpropproof.transf_program_match; auto.
  exists p25; split. eapply partial_if_match; eauto. apply BTL_IntPromotionpassesproof.transf_program_match; auto.
  exists p26; split. apply Renumberproof.transf_program_match; auto.
  exists p27; split. eapply partial_if_match; eauto. apply CSEproof.transf_program_match; auto.
  exists p28; split. apply total_if_match. apply CSE2proof.transf_program_match; auto.
  exists p29; split. eapply partial_if_match; eauto. apply CSE3proof.transf_program_match; auto.
  exists p30; split. apply total_if_match. apply KillUselessMovesproof.transf_program_match; auto.
  exists p31; split. apply total_if_match. apply ForwardMovesproof.transf_program_match; auto.
  exists p32; split. eapply partial_if_match; eauto. apply Deadcodeproof.transf_program_match; auto.
  exists p33; split. apply RTLTunnelingproof.transf_program_match; auto.
  exists p34; split. apply total_if_match. apply Allnontrapproof.transf_program_match; auto.
  exists p35; split. apply total_if_match. apply Canaryproof.transf_program_match; auto.
  exists p36; split. apply total_if_match. apply Renumberproof.transf_program_match; auto.
  exists p37; split. apply Unusedglobproof.transf_program_match; auto.
  exists p38; split. apply total_if_match. apply Renumberproof.transf_program_match; auto.
  exists p39; split. eapply partial_if_match; eauto. apply BTL_BBpassesproof.transf_program_match; auto.
  exists p40; split. eapply partial_if_match; eauto. apply RTLTunnelingproof.transf_program_match; auto.
  exists p41; split. apply total_if_match. apply Renumberproof.transf_program_match; auto.
  exists p42; split. eapply partial_if_match; eauto. apply BTL_SBpassesproof.transf_program_match; auto.
  exists p43; split. apply total_if_match. apply ForwardMovesproof.transf_program_match; auto.
  exists p44; split. apply total_if_match. apply Constpropproof.transf_program_match; auto.
  exists p45; split. apply total_if_match. apply Renumberproof.transf_program_match; auto.
  exists p46; split. apply Allocationproof.transf_program_match; auto.
  exists p47; split. apply LTLTunnelingproof.transf_program_match; auto.
  exists p48; split. apply Linearizeproof.transf_program_match; auto.
  exists p49; split. apply CleanupLabelsproof.transf_program_match; auto.
  exists p50; split. eapply partial_if_match; eauto. apply Debugvarproof.transf_program_match; auto.
  exists p51; split. apply Stackingproof.transf_program_match; auto.
  exists tp; split. apply Asmgenproof.transf_program_match; auto.
  reflexivity.
Qed.

Semantic preservation

We now prove that the whole CompCert compiler (as characterized by the match_prog relation) preserves semantics by constructing the following simulations:

Forward simulations from Cstrategy to Asm (composition of the forward simulations for each pass).
Backward simulations for the same languages (derived from the forward simulation, using receptiveness of the source language and determinacy of Asm).
Backward simulation from Csem to Asm (composition of two backward simulations).

Remark forward_simulation_identity:
forall sem, forward_simulation sem sem.

Proof.

intros. apply forward_simulation_step with (fun s1 s2 => s2 = s1); intros.
- auto.
- exists s1; auto.
- subst s2; auto.
- subst s2. exists s1'; auto.
Qed.

Lemma match_if_simulation:
  forall (A: Type) (sem: A -> semantics) (flag: unit -> bool) (transf: A -> A -> Prop) (prog tprog: A),
  match_if flag transf prog tprog ->
  (forall p tp, transf p tp -> forward_simulation (sem p) (sem tp)) ->
  forward_simulation (sem prog) (sem tprog).

Proof.

intros. unfold match_if in *. destruct (flag tt). eauto. subst. apply forward_simulation_identity.
Qed.

Theorem cstrategy_semantic_preservation:
  forall p tp,
  match_prog p tp ->
  forward_simulation (Cstrategy.semantics p) (Asm.semantics tp)
  /\ backward_simulation (atomic (Cstrategy.semantics p)) (Asm.semantics tp).

Proof.

Theorem c_semantic_preservation:
  forall p tp,
  match_prog p tp ->
  backward_simulation (Csem.semantics p) (Asm.semantics tp).

Proof.

  intros.
  apply compose_backward_simulation with (atomic (Cstrategy.semantics p)).
  eapply sd_traces; eapply Asm.semantics_determinate.
  apply factor_backward_simulation.
  apply Cstrategy.strategy_simulation.
  apply Csem.semantics_single_events.
  eapply ssr_well_behaved; eapply Cstrategy.semantics_strongly_receptive.
  exact (proj2 (cstrategy_semantic_preservation _ _ H)).
Qed.

Correctness of the CompCert compiler

Combining the results above, we obtain semantic preservation for two usage scenarios of CompCert: compilation of a single monolithic program, and separate compilation of multiple source files followed by linking. In the monolithic case, we have a whole C program p that is compiled in one run of CompCert to a whole Asm program tp. Then, tp preserves the semantics of p, in the sense that there exists a backward simulation of the dynamic semantics of p by the dynamic semantics of tp.

Theorem transf_c_program_correct:
  forall p tp,
  transf_c_program p = OK tp ->
  backward_simulation (Csem.semantics p) (Asm.semantics tp).

Proof.

intros. apply c_semantic_preservation. apply transf_c_program_match; auto.
Qed.

Here is the separate compilation case. Consider a nonempty list c_units of C source files (compilation units), C1 ,,, Cn. Assume that every C compilation unit Ci is successfully compiled by CompCert, obtaining an Asm compilation unit Ai. Let asm_unit be the nonempty list A1 ... An. Further assume that the C units C1 ... Cn can be linked together to produce a whole C program c_program. Then, the generated Asm units can be linked together, producing a whole Asm program asm_program. Moreover, asm_program preserves the semantics of c_program, in the sense that there exists a backward simulation of the dynamic semantics of asm_program by the dynamic semantics of c_program.

Theorem separate_transf_c_program_correct:
  forall c_units asm_units c_program,
  nlist_forall2 (fun cu tcu => transf_c_program cu = OK tcu) c_units asm_units ->
  link_list c_units = Some c_program ->
  exists asm_program,
      link_list asm_units = Some asm_program
   /\ backward_simulation (Csem.semantics c_program) (Asm.semantics asm_program).

Proof.

  intros.
  assert (nlist_forall2 match_prog c_units asm_units).
  { eapply nlist_forall2_imply. eauto. simpl; intros. apply transf_c_program_match; auto. }
  assert (exists asm_program, link_list asm_units = Some asm_program /\ match_prog c_program asm_program).
  { eapply link_list_compose_passes; eauto. }
  destruct H2 as (asm_program & P & Q).
  exists asm_program; split; auto. apply c_semantic_preservation; auto.
Qed.

Module Compiler

Composing the translation passes

Relational specification of compilation

Semantic preservation

Correctness of the CompCert compiler