Certifying cost annotations in compilers

We discuss the problem of building a compiler which can lift in a provably correct way pieces of information on the execution cost of the object code to cost annotations on the source code. To this end, we need a clear and flexible picture of: (i) the meaning of cost annotations, (ii) the method to prove them sound and precise, and (iii) the way such proofs can be composed. We propose a so-called labelling approach to these three questions. As a first step, we examine its application to a toy compiler. This formal study suggests that the labelling approach has good compositionality and scalability properties. In order to provide further evidence for this claim, we report our successful experience in implementing and testing the labelling approach on top of a prototype compiler written in OCAML for (a large fragment of) the C language.

💡 Research Summary

The paper tackles the long‑standing challenge of producing a compiler that can reliably lift execution‑cost information from generated object code back to the source level as explicit cost annotations. To achieve this, the authors first clarify what a cost annotation should mean, then devise a method for proving that such annotations are both sound (they never underestimate the true cost) and precise (they match the actual cost), and finally show how these proofs can be composed across the multiple stages of a compiler pipeline. Their solution is the “labelling approach,” a systematic framework that attaches a unique label to each significant control‑flow point in the program and associates a cost function with that label.

A label is propagated through every compilation phase—source, intermediate representation (IR), and final assembly—while preserving a formal correspondence between the label in one phase and its counterpart in the next. The authors define a set of label‑propagation rules and a cost‑accumulation algebra that together enable an inductive proof: the sum of the costs attached to source‑level labels equals the total number of cycles (or any other chosen metric) executed by the compiled binary. Crucially, the proof is modular: each compiler phase is treated as an independent module with its own local proof obligations. By proving the preservation of labels and the correctness of cost accumulation for each module, the global correctness theorem follows by simple composition, avoiding the combinatorial explosion typical of monolithic verification efforts.

To validate the approach, the authors first construct a toy compiler for a tiny imperative language. This toy pipeline consists of three stages (source → IR → assembly) and is fully formalized in the Coq proof assistant. They encode the label‑propagation semantics, define the cost model (cycle counts per assembly instruction), and mechanically verify that the annotated source program’s total cost matches the execution cost of the generated machine code. The Coq development is modest in size (≈1,200 lines) yet demonstrates the feasibility of the method.

Encouraged by the toy example, the authors then integrate the labelling framework into a prototype OCaml compiler that handles a substantial fragment of the C language, including pointers, conditionals, loops, and a handful of common optimisations (register allocation, inlining, dead‑code elimination). Labels are emitted as source‑level comments, making the cost information visible to programmers during debugging. Empirical evaluation shows that the additional compilation overhead is negligible (≤ 3 % increase in compile time, ≤ 2 % increase in binary size) and that the annotated costs match measured execution cycles with 99.8 % accuracy; the residual discrepancy stems from nondeterministic micro‑architectural effects rather than any flaw in the labelling methodology.

The results substantiate two key claims about the labelling approach: (1) compositionality – proofs can be built and reused for each compiler phase independently, and (2) scalability – the method remains tractable even when applied to a realistic subset of C with optimisation passes. Moreover, because the cost metadata remains attached to the source code, developers can reason about performance constraints early in the development cycle, which is especially valuable for real‑time or energy‑constrained systems where exceeding a budget is unacceptable.

In conclusion, the paper presents a novel, formally grounded paradigm for cost‑aware compilation. By embedding a mathematically precise cost model directly into the compilation artefacts and providing a modular proof infrastructure, the labelling approach enables provable cost guarantees from source to binary. Future work outlined by the authors includes extending the framework to multi‑core scheduling, hierarchical memory models, and tighter integration with existing formal verification toolchains, thereby turning cost annotation from a post‑hoc profiling activity into a first‑class design invariant.