Practical Formal Verification for MLIR Programs

TL;DR

This paper presents a practical formal verification method for MLIR programs that efficiently checks the semantic equivalence of program pairs, enhancing correctness assurance in compiler optimizations.

Contribution

It introduces a hybrid concrete-symbolic interpretation approach for verifying MLIR program equivalence, applicable to a meaningful subset and scalable to large benchmarks.

Findings

The verifier can show equivalence in linear time relative to program operations.

Successfully verified AMD MLIR-AIR and MLIR-AIE toolchains.

Verified hundreds of benchmark variants of mlir-opt.

Abstract

Optimizing compilers have become a cornerstone for high-performance program generation in research and industry. Optimizations, including those implemented manually by a user and those target-specific and non-target-specific, are used to transform programs to achieve good performance. Although these optimizations are necessary for performance, assessing their correctness has remained a major challenge; the risk of incorrect code being deployed increases with unproven optimization flows. In this work, we target the formal verification of correctness of a transformed program by computing whether a pair of programs are semantically equivalent, one being a transformed version of the other. We restrict the class of programs supported to enable a hybrid concrete-symbolic interpretation approach to equivalence, which in turn is mostly agnostic to how the programs are implemented (syntax, schedule, storage, etc.). This approach can show equivalence in linear time with respect to the operations executed by the programs. We develop a verifier for a meaningful subset of MLIR, and report on the verification of the AMD MLIR-AIR and MLIR-AIE toolchains, as well as the standard mlir-opt on hundreds of benchmarks variants.