New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Code generation improvements #1 #53
Comments
I wonder if it wouldn't be better to let external tools handle these transformations instead of having kremlin enforce any particular code style. Some syntactic changes can be done with a code formatting tool after extraction; e.g. clang-format even comes with a predefined Mozilla format that claims to comply with Mozilla’s style guide. |
We run clang-format on the output to get the style we want for NSS. I don't see anything in Benjamin's list that could be solved with clang-format or similar tools. |
I think 3 bullets in Benjamin's list could be solved with clang-format, namely
Some other items in the list are purely syntactic but do more than inserting and deleting whitespace. Only the two first items in the list interfere with semantics and are harder to prove sound:
I agree that using any tool that transforms the extracted code voids the guarantees of verification. However, the soundness of Kremlin is currently backed by pen-and-paper proofs that would need to be extended if additional transformations are implemented, so which tool does these transformations wouldn't be that different initially. |
why?
example? I thought I removed a lot of them... do you have unused arguments at types other than unit?
this seems to break the 80-column rule I have by default...
These three require substantial, fundamental changes from F* all the way down to C. While I agree that we want them, it's unlikely to happen anytime soon. |
I see a number of places with
I'm fairly sure that Regarding substitution, I see several places where you have a temporary that is created, assigned and then assigned to another variable, or passed to a function. As long as there isn't an implicit conversion being avoided by using the explicit declaration of type (i.e., source, destination and intermediate variable are the same type), a post-processing step could be used to inline the variable. The |
Yes. The intermediary variables stem from the fact that, at the F* level, operations such as KreMLin can, naturally, try to eliminate some of these temporaries via peepholes optimizations, but the problem stems from the fact that F* should have a Read effect and a Write effect, and that sequencing should only operate on the latter... The |
|
The following is the Coverity warning from the NSS CI:
|
[ ] Try being more agressive with dead code elimination after unrolling I'm not sure this is something that KreMLin is well suited to do. Rather, dead code should be eliminated from the F* source. |
Folks, can you take a look at https://github.com/mitls/hacl-star/tree/dev_prettify/snapshots/hacl-c Generating "const" will be harder, and requires more thought. Passing F* comments through to C seems doable and is next on my plate for this branch. |
It is certainly better. I still see intermediate values being copied from arguments in most functions. This isn't fatal (no more underscores), but it is a little unnecessary. I see this in curve25519:
|
Pushed a fix for that very issue on Karthik's |
Pushed a new option ( |
Karthik fixed |
Most of the improvements have been handled one way or the other... Thanks. |
During the successive code-review phases for the NSS production code generation we did find some good examples of potential improvements for the code generation. Some of those may be a lot of work on the F* side or the Kremlin side, but potentially some might be easy fixes.
Here is an attempt to list places where code generation could get better for production at Mozilla and Microsoft in the future.
All examples are taken in order from the Curve25519 code in the
production-nss
branch.Generation of
const
keywords based on modified clauses in post-conditionsSubstitution of intermediate variables (
dev_prettify
)This could probably be something like this if too long:
if
andfor
statementsThis is obviously correct, it might make people more comfortable to add
{ }
thoughMight be transformed, if too long, to:
if
branchif
block is empty0
casted by avoid *
was non-obviously legalThe text was updated successfully, but these errors were encountered: