



*The added value of CompCert lies not in the compilation technology implemented, but in the fact that each of the source, intermediate and target languages has formally defined semantics, and that each of the transformation and optimization passes is proved to preserve semantics...<sup>1</sup>*

---

<sup>1</sup>Xavier Leroy - Formal Verification of a realistic compiler (2009)

---

# Modeling Register Pairs in CompCert

Alex Loitzl<sup>1,2</sup>

Florian Zuleger<sup>1</sup>

<sup>1</sup>TU Wien, <sup>2</sup>Institute of Science and Technology Austria (ISTA)

---

November, 2024

## Authors

Xavier Leroy - **Formal verification of a realistic compiler** (2009)

Sandrine Blazy, Zaynah Dargaye, Jacques-Henri Jourdan, Michael Schmidt,  
Bernhard Schommer, and Jean-Baptiste Tristan



<https://www.inria.fr>



<https://xavierleroy.org>



<https://www.absint.com>

# Correct Compiler



# Correct Compiler

*Verified Compiler*

$$\forall S, P, \quad \text{Comp}(S) = \text{OK}(P) \implies S \approx P$$



# Correct Compiler

*Verified Compiler*

$$\forall S, P, \quad \text{Comp}(S) = \text{OK}(P) \implies S \approx P$$



# Correct Compiler

*Verified Compiler*

$$\forall S, P, \quad \text{Comp}(S) = \text{OK}(P) \implies S \approx P$$



# Correct Compiler

*Verified Compiler*

$$\forall S, P, \quad \text{Comp}(S) = \text{OK}(P) \implies S \approx P$$



# Correct Compiler

*Verified Compiler*

$$\forall S, P, \quad \text{Comp}(S) = \text{OK}(P) \implies S \approx P$$



# Register Model

## Model

|          |
|----------|
| $D0$     |
| $D1$     |
| $D2$     |
| $D3$     |
| $\vdots$ |
| $D14$    |
| $D15$    |

Lemma 1

$$\forall r, v : rs[r \leftarrow v](r) = v.$$

Lemma 2

$$\forall r, r', v : r \neq r' \Rightarrow rs[r' \leftarrow v](r) = rs(r).$$

Addressable:  
 $D0, D1, \dots, D15$

# Register Reality

Arm



Lemma 1

$$\forall r, v : rs[r \leftarrow v](r) = v.$$

Lemma 2

$$\forall r, r', v : r \neq r' \Rightarrow rs[r' \leftarrow v](r) = rs(r).$$

Addressable:

$S_0, S_1, \dots, S_{31}$

$D_0, D_1, \dots, D_{15}$

# Register Reality



Addressable:  
 $S_0, S_1, \dots, S_{31}$   
 $D_0, D_1, \dots, D_{15}$

Lemma 1

$$\forall r, v : rs[r \leftarrow v](r) = v.$$

Lemma 2

$$\forall r, r', v : r \neq r' \Rightarrow rs[r' \leftarrow v](r) = rs(r).$$

# Correct Compiler ? - The whole picture



# Correct Compiler ? - The whole picture



# Correct Compiler ? - The whole picture



# Correct Compiler ? - The whole picture



# Consequences

```
1 double sum(single a, double b, single c){  
2     double d = (double) (a + c);  
3     return d + b;  
4 }  
5  
6 int main(){  
7     sum (0.f, 1.0, 2.f);  
8     return 0;  
9 }
```



# Consequences

```
1 double sum(single a, double b, single c){  
2     double d = (double) (a + c);  
3     return d + b;  
4 }  
5  
6 int main(){  
7     sum (0.f, 1.0, 2.f);  
8     return 0;  
9 }
```



```
1 sum:  
2 vmov.f32 S4, S1  
3 ...  
4 vadd.f32 S0, S0, S4  
5 vcvt.f64.f32 D0, S0  
6 vadd.f64 D0, D0, D1  
7 ...  
8 main:  
9 ...  
10 vmov.f32 S0, #0.  
11 vmov.f64 D1, #1.  
12 vmov.f32 S4, #2.  
13 vmov.f32 S1, S4  
14 bl sum  
15 mov R0, #0  
16 ...
```

# Summary

- Formally verified compiler
  - Proof covers all optimizations
  - Correct w.r.t. the modeled semantics
- Discrepancies between hardware and model
  - Cannot implement correct calling conventions
  - Cannot support TriCore architecture
- Suboptimal code generation
  - Inserted moves
  - Higher register pressure

# CompCert's Machine Model



## (New) Register Model

Arm



Lemma 1

$$\forall p, v : rs[p \leftarrow v](p) = v.$$

Lemma 2

$$\forall p, p', v : p \cap p' = \emptyset \Rightarrow rs[p' \leftarrow v](p) = rs(p).$$

Addressable:

 $S_0, S_1, \dots, S_{31}$  $(S_1, S_0), \dots, (S_{31}, S_{30})$

## (New) Register Model

Arm



Lemma 1

$$\forall p, v : rs[p \leftarrow v](p) = v.$$

Lemma 2

$$\forall p, p', v : p \cap p' = \emptyset \Rightarrow rs[p' \leftarrow v](p) = rs(p).$$

Addressable:

 $S_0, S_1, \dots, S_{31}$  $(S_1, S_0), \dots, (S_{31}, S_{30})$

## (New) Register Model

Arm



Addressable:  
 $S_0, S_1, \dots, S_{31}$   
 $(S_1, S_0), \dots, (S_{31}, S_{30})$

~~Lemma 1~~

~~$\forall p, v : rs[p \leftarrow v](p) = v.$~~

Combining &amp; Splitting

$$R((r_1, r_2)) \stackrel{\text{def}}{=} \text{combine}(R(r_1), R(r_2)), \text{ and}$$
$$R[(r_1, r_2) \leftarrow v] \stackrel{\text{def}}{=} R[r_1 \leftarrow \text{hiwd}(v)][r_2 \leftarrow \text{lowd}(v)].$$

# CompCert's Machine Model



# CompCert's Machine Model



<sup>2</sup>Rideau S., and Leroy X. Validating register allocation and spilling. (2010)

<sup>3</sup>Smith M.D., et al. A generalized algorithm for graph-coloring reg. alloc. (2004)

# RTL to LTL

## RTL Transition

$$\frac{c(pc) = \lfloor \text{op}_{RTL}(op, \vec{x}, y, pc') \rfloor \quad \text{eval\_op}(\_, \_, op, M(\vec{x})) = \lfloor v \rfloor}{\_ \vdash S(\_, \_, \_, pc, M, \_) \xrightarrow{\varepsilon} S(\_, \_, \_, pc', M[y \leftarrow v], \_)}$$

## LTL Transition

$$\frac{\text{eval\_op}(\_, \_, op, L(\vec{p})) = \lfloor v \rfloor}{\_ \vdash B(\_, \_, \_, \text{op}_{LTL}(op, \vec{p}, q) :: bb, L, \_) \xrightarrow{\varepsilon} B(\_, \_, \_, bb, L[q \leftarrow v], \_)}$$

# Allocation Validation

$f((x_1, x_2), x_0)$



# CompCert's Machine Model



# Results - Compile Time (Arm hard float)



# Results - Code Size

|          | vpr    | mesa   | fuzz1  | fuzz2  | fuzz3  |
|----------|--------|--------|--------|--------|--------|
| arm_hard | -0.83% | -1.77% | -4.78% | -4.7%  | -4.7%  |
| arm_soft | -0.2%  | -0.71% | -0.2%  | +0.19% | +0.27% |

# Contributions

- Improved model of the Arm assembly semantics
- Proved all architectures correct w.o. changing their semantics
- New and more general register allocator
- Enable future support for TriCore architecture
- Small positive impact on code generation

# Questions?

- ① Background on CompCert
- ② Register Model & Reality
- ③ Example Code
- ④ New Register File
- ⑤ RTL to LTL
- ⑥ Evaluation