
Vellvm: Verified LLVM - lelf
http://www.cis.upenn.edu/~stevez/vellvm/
======
nickpsecurity
Those liking this will probably like the work below. They did a verified
validator for micro-optimizations (around 400) in LLVM's instruction combine
pass.

[http://rosaec.snu.ac.kr/publish/2014/techmemo/ROSAEC-2014-00...](http://rosaec.snu.ac.kr/publish/2014/techmemo/ROSAEC-2014-002.pdf)

Another for translation validation:

[https://cseweb.ucsd.edu/~lerner/papers/cav2011.pdf](https://cseweb.ucsd.edu/~lerner/papers/cav2011.pdf)

------
devit
Is it feasible to prove the correctness of all existing LLVM passes this way?

What about the backends and Clang and Rust frontends?

~~~
gsnedders
The frontends are hard because you need to start with a formal definition of
the language, really. Rust doesn't really have anything resembling a spec at
the moment. C/C++ you still have the first problem of creating a formalization
of the spec before you can verify the front-end.

~~~
kachnuv_ocasek
C actually has multiple formal semantics. The most recent I'm aware of is
Robbert Krebbers' (almost) complete formalizatiom of C11 in the CH2O
project.[1] See also his upcoming PhD thesis[2] for more details.

[1]
[http://robbertkrebbers.nl/research/ch2o/](http://robbertkrebbers.nl/research/ch2o/)

[2]
[http://robbertkrebbers.nl/thesis.html](http://robbertkrebbers.nl/thesis.html)

~~~
gsnedders
Arguably C doesn't: C is just what the spec says. You can try and formalise
what the spec says (as, rightly, many have done), but it's hard to guarantee
correctness of that formalisation.

------
gamesbrainiac
Unfortunately, I couldn't decipher the significance of this from the first
paragraph. What does this mean for LLVM? How does it make working with LLVM
better?

~~~
nickpsecurity
It's part of verification work in general. One must have a formal way of
representing a program before proving key properties (eg safety, security)
about it. Formal verification also often uses refinement to move from abstract
to concrete with intermediate forms in between. See CompCert compiler's stages
for how that might apply to LLVM (front ends especially). Also, static
analysis tools like Astree Analyzer or SPARK Ada's Examiner have some internal
model of the language to analyze to prove absence of bugs. Formal semantics
helps with them, too.

So, it's kind of a foundation to build other work on that will let one
rigorously verify the correct use, optimization, or compilation of LLVM
programs. The link below has lots of examples of awesome work in security or
verification that builds on LLVM. Some use Vellvm already with most able to
benefit somehow if work is put in.

[http://llvm.org/pubs/](http://llvm.org/pubs/)

------
cgag
Upenn seems like a really wonderful place for people who are into software
that works. Lot of good stuff coming out of there.

