2 research outputs found
Compositional Compiler Verification for a Multi-Language World
Verified compilers are typically proved correct under severe
restrictions on what the compiler\u27s output may be linked with, from no
linking at all to linking only with code compiled from the same source
language. Such assumptions contradict the reality of how we use these
compilers since most software systems today are comprised of
components written in different languages compiled by different
compilers to a common target, as well as low-level libraries that may
be handwritten in the target language.
The key challenge in verifying compilers for today\u27s world of
multi-language software is how to formally state a compiler
correctness theorem that is compositional along two dimensions.
First, the theorem must guarantee correct compilation of components
while allowing compiled code to be composed (linked) with
target-language components of arbitrary provenance, including those
compiled from other languages. Second, the theorem must support
verification of multi-pass compilers by composing correctness proofs
for individual passes. In this talk, I will describe a methodology
for verifying compositional compiler correctness for a higher-order
typed language and discuss the challenges that lie ahead. I will
argue that compositional compiler correctness is, in essence, a
language interoperability problem: for viable solutions in the long
term, high-level languages must be equipped with principled
foreign-function interfaces that specify safe interoperability
between high-level and low-level components, and between more
precisely and less precisely typed code
Overcoming Restraint: Composing Verification of Foreign Functions with Cogent
Cogent is a restricted functional language designed to reduce the cost of
developing verified systems code. Because of its sometimes-onerous
restrictions, such as the lack of support for recursion and its strict
uniqueness type system, Cogent provides an escape hatch in the form of a
foreign function interface (FFI) to C code. This poses a problem when verifying
Cogent programs, as imported C components do not enjoy the same level of static
guarantees that Cogent does. Previous verification of file systems implemented
in Cogent merely assumed that their C components were correct and that they
preserved the invariants of Cogent's type system. In this paper, we instead
prove such obligations. We demonstrate how they smoothly compose with existing
Cogent theorems, and result in a correctness theorem of the overall Cogent-C
system. The Cogent FFI constraints ensure that key invariants of Cogent's type
system are maintained even when calling C code. We verify reusable higher-order
and polymorphic functions including a generic loop combinator and array
iterators and demonstrate their application to several examples including
binary search and the BilbyFs file system. We demonstrate the feasibility of
verification of mixed Cogent-C systems, and provide some insight into
verification of software comprised of code in multiple languages with differing
levels of static guarantees