Abstract
Today’s compilers employ a variety of non-trivial optimizations to achieve good performance. One key trick compilers use to justify transformations of concurrent programs is to assume that the source program has no data races : if it does, they cause the program to have undefined behavior (UB) and give the compiler free rein. However, verifying correctness of optimizations that exploit this assumption is a non-trivial problem. In particular, prior work either has not proven that such optimizations preserve program termination (particularly non-obvious when considering optimizations that move instructions out of loop bodies), or has treated all synchronization operations as external functions (losing the ability to reorder instructions around them). In this work we present Simuliris , the first simulation technique to establish termination preservation (under a fair scheduler) for a range of concurrent program transformations that exploit UB in the source language. Simuliris is based on the idea of using ownership to reason modularly about the assumptions the compiler makes about programs with well-defined behavior. This brings the benefits of concurrent separation logics to the space of verifying program transformations: we can combine powerful reasoning techniques such as framing and coinduction to perform thread-local proofs of non-trivial concurrent program optimizations. Simuliris is built on a (non-step-indexed) variant of the Coq-based Iris framework, and is thus not tied to a particular language. In addition to demonstrating the effectiveness of Simuliris on standard compiler optimizations involving data race UB, we also instantiate it with Jung et al.’s Stacked Borrows semantics for Rust and generalize their proofs of interesting type-based aliasing optimizations to account for concurrency.
Highlights
Modern compilers use many non-trivial optimizations to make programs run faster
28 In this work we present Simuliris, the first simulation technique to establish termination preservation for a range of concurrent program transformations that exploit undefined behavior (UB) in the source language
The optimized program can produce results not possible for the original program. The reason this optimization is correct in languages like C, C++, and Rust is that unsynchronized concurrent accesses are undefined behavior (UB), which means the compiler may assume that no such accesses happen
Summary
Modern compilers use many non-trivial optimizations to make programs run faster. As an example, consider the following simple function, which sums up the value of *y until a counter reaches *x:. The optimized program can produce results not possible for the original program The reason this optimization is correct in languages like C, C++, and Rust is that unsynchronized concurrent accesses (usually called data races) are undefined behavior (UB), which means the compiler may assume that no such accesses happen. This approach can in principle handle our motivating example, though CompCert does not perform such transformations It requires hiding all synchronizing operations behind external function calls (łFFIž) in the sequential semantics; this rules out most optimizations that reorder instructions around such synchronizing operations, such as the one we consider in ğ3.2. The first work to verify transformations which leverage undefined behavior of data races is found in Ševčík’s PhD thesis [Ševčík 2009, 2011] They do not consider the same notion of correctness as the CompCert variants we have discussed so far: Ševčík only considers finite traces, and as such does not establish termination preservation. We need the optimization to be correct no matter the context that this function might be used in
Sign-in/Register to view highlights & summary Sign-in/Register to access full text options 
Free) 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a call
