Witnessing Program Transformations

  • Kedar S. Namjoshi
  • Lenore D. Zuck
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7935)


We study two closely related problems: (a) showing that a program transformation is correct and (b) propagating an invariant through a program transformation. The second problem is motivated by an application which utilizes program invariants to improve the quality of compiler optimizations. We show that both problems can be addressed by augmenting a transformation with an auxiliary witness generation procedure. For every application of the transformation, the witness generator constructs a relation which guarantees the correctness of that instance. We show that stuttering simulation is a sound and complete witness format. Completeness means that, under mild conditions, every correct transformation induces a stuttering simulation witness which is strong enough to prove that the transformation is correct. A witness is self-contained, in that its correctness is independent of the optimization procedure which generates it. Any invariant of a source program can be turned into an invariant of the target of a transformation by suitably composing it with its witness. Stuttering simulations readily compose, forming a single witness for a sequence of transformations. Witness generation is simpler than a formal proof of correctness, and it is comprehensive, unlike the heuristics used for translation validation. We define witnesses for a number of standard compiler optimizations; this exercise shows that witness generators can be implemented quite easily.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Abadi, M., Lamport, L.: The existence of refinement mappings. Theor. Comput. Sci. 82(2), 253–284 (1991)MathSciNetzbMATHCrossRefGoogle Scholar
  2. 2.
    Allen, R., Kennedy, K.: Optimizing Compilers for Modern Architectures. Morgan Kaufmann (2002)Google Scholar
  3. 3.
    Barthe, G., Crespo, J.M., Kunz, C.: Beyond 2-safety: Asymmetric product programs for relational program verification. In: Artemov, S., Nerode, A. (eds.) LFCS 2013. LNCS, vol. 7734, pp. 29–43. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  4. 4.
    Barthe, G., Kunz, C.: An abstract model of certificate translation. ACM Trans. Program. Lang. Syst. 33(4), 13 (2011)CrossRefGoogle Scholar
  5. 5.
    Benton, N.: Simple relational correctness proofs for static analyses and program transformations. In: POPL, pp. 14–25 (2004)Google Scholar
  6. 6.
    Browne, M.C., Clarke, E.M., Grumberg, O.: Reasoning about networks with many identical finite state processes. Inf. Comput. 81(1), 13–31 (1989)MathSciNetzbMATHCrossRefGoogle Scholar
  7. 7.
    Dijkstra, E.: Guarded commands, nondeterminacy, and formal derivation of programs. CACM 18(8) (1975)Google Scholar
  8. 8.
    Dijkstra, E., Scholten, C.: Predicate Calculus and Program Semantics. Springer (1990)Google Scholar
  9. 9.
    Lattner, C., Adve, V.S.: LLVM: A compilation framework for lifelong program analysis & transformation. In: CGO, pp. 75–88 (2004), Webpage at
  10. 10.
    Leroy, X.: Formal certification of a compiler back-end or: programming a compiler with a proof assistant. In: POPL, pp. 42–54. ACM (2006)Google Scholar
  11. 11.
    Leroy, X.: Formal verification of a realistic compiler. Commun. ACM 52(7), 107–115 (2009)CrossRefGoogle Scholar
  12. 12.
    Manna, Z., McCarthy, J.: Properties of programs and partial function logic. Journal of Machine Intelligence 5 (1970)Google Scholar
  13. 13.
    Manolios, P.: Mechanical Verification of Reactive Systems. PhD thesis, University of Texas at Austin (2001)Google Scholar
  14. 14.
    Manolios, P.: A compositional theory of refinement for branching time. In: Geist, D., Tronci, E. (eds.) CHARME 2003. LNCS, vol. 2860, pp. 304–318. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  15. 15.
    Muchnick, S.: Advanced Compiler Design & Implementation. Morgan Kaufmann, San Francisco (1997)Google Scholar
  16. 16.
    Namjoshi, K.S.: A simple characterization of stuttering bisimulation. In: Ramesh, S., Sivakumar, G. (eds.) FST TCS 1997. LNCS, vol. 1346, pp. 284–296. Springer, Heidelberg (1997)CrossRefGoogle Scholar
  17. 17.
    Namjoshi, K.S.: Lifting temporal proofs through abstractions. In: Zuck, L.D., Attie, P.C., Cortesi, A., Mukhopadhyay, S. (eds.) VMCAI 2003. LNCS, vol. 2575, pp. 174–188. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  18. 18.
    Necula, G.: Translation validation of an optimizing compiler. In: Proceedings of the ACM SIGPLAN Conference on Principles of Programming Languages Design and Implementation, PLDI 2000, pp. 83–95 (2000)Google Scholar
  19. 19.
    Necula, G.C., Lee, P.: Safe kernel extensions without run-time checking. In: OSDI, pp. 229–243. ACM (1996)Google Scholar
  20. 20.
    Pnueli, A., Siegel, M., Shtrichman, O.: The code validation tool (CVT)- automatic verification of a compilation process. Software Tools for Technology Transfer 2(2), 192–201 (1998)zbMATHCrossRefGoogle Scholar
  21. 21.
    Rinard, M., Marinov, D.: Credible compilation with pointers. In: Proceedings of the Run-Time Result Verification Workshop (July 2000)Google Scholar
  22. 22.
    Tristan, J.-B., Govereau, P., Morrisett, G.: Evaluating value-graph translation validation for LLVM. In: PLDI, pp. 295–305 (2011)Google Scholar
  23. 23.
    Zuck, L.D., Pnueli, A., Goldberg, B.: Voc: A methodology for the translation validation of optimizing compilers. J. UCS 9(3), 223–247 (2003)Google Scholar
  24. 24.
    Zuck, L.D., Pnueli, A., Goldberg, B., Barrett, C.W., Fang, Y., Hu, Y.: Translation and run-time validation of loop transformations. Formal Methods in System Design 27(3), 335–360 (2005)zbMATHCrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Kedar S. Namjoshi
    • 1
  • Lenore D. Zuck
    • 2
  1. 1.Bell Laboratories, Alcatel-LucentUSA
  2. 2.University of Illinois at ChicagoUSA

Personalised recommendations