compcert c compilers you can formally trust
play

CompCert : C compilers you can formally trust March 2020 - PowerPoint PPT Presentation

Dec 11, 2022 •356 likes •1.01k views

Introduction to the CompCert Certified Compiler S. Boulm e March 2020 CompCert : C compilers you can formally trust March 2020 Sylvain.Boulme@univ-grenoble-alpes.fr 1/24 Introduction to the CompCert Certified Compiler S. Boulm e

  1. Introduction to the CompCert Certified Compiler S. Boulm´ e – March 2020 CompCert : C compilers you can formally trust March 2020 Sylvain.Boulme@univ-grenoble-alpes.fr 1/24

  2. Introduction to the CompCert Certified Compiler S. Boulm´ e – March 2020 Contents Certifying compilers The Coq proof assistant for certifying compilers Using CompCert Overview of CompCert Implementation Certifying compilers 2/24

  3. Introduction to the CompCert Certified Compiler S. Boulm´ e – March 2020 Bug trackers of GCC and LLVM (Sun-et-al@PLDI’16) The number of attested bugs tends to remain almost constant. New bugs are introduced when compilers are improved ! Certifying compilers 3/24

  4. Introduction to the CompCert Certified Compiler S. Boulm´ e – March 2020 Miscompilation bugs in most compilers (GCC, LLVM, etc) Miscompilation bug = incorrect generated code � = “ performance ” bug in an optimization. Certifying compilers 4/24

  5. Introduction to the CompCert Certified Compiler S. Boulm´ e – March 2020 Miscompilation bugs in most compilers (GCC, LLVM, etc) Miscompilation bug = incorrect generated code � = “ performance ” bug in an optimization. Unknown miscompilation bugs still remain as attested by fuzz (ie randomized) differential testing : Eide-Regehr’08, Yang-et-al’11, Lidbury-et-al’15, Sun-et-al’16... Certifying compilers 4/24

  6. Introduction to the CompCert Certified Compiler S. Boulm´ e – March 2020 Miscompilation bugs in most compilers (GCC, LLVM, etc) Miscompilation bug = incorrect generated code � = “ performance ” bug in an optimization. Unknown miscompilation bugs still remain as attested by fuzz (ie randomized) differential testing : Eide-Regehr’08, Yang-et-al’11, Lidbury-et-al’15, Sun-et-al’16... Why ? Certifying compilers 4/24

  7. Introduction to the CompCert Certified Compiler S. Boulm´ e – March 2020 Miscompilation bugs in most compilers (GCC, LLVM, etc) Miscompilation bug = incorrect generated code � = “ performance ” bug in an optimization. Unknown miscompilation bugs still remain as attested by fuzz (ie randomized) differential testing : Eide-Regehr’08, Yang-et-al’11, Lidbury-et-al’15, Sun-et-al’16... Why ? Optimizing compilers are quite large software (in MLoC) with hundreds of maintainers, e.g : https://github.com/gcc-mirror/gcc/blob/master/MAINTAINERS Certifying compilers 4/24

  8. Introduction to the CompCert Certified Compiler S. Boulm´ e – March 2020 Miscompilation bugs in most compilers (GCC, LLVM, etc) Miscompilation bug = incorrect generated code � = “ performance ” bug in an optimization. Unknown miscompilation bugs still remain as attested by fuzz (ie randomized) differential testing : Eide-Regehr’08, Yang-et-al’11, Lidbury-et-al’15, Sun-et-al’16... Why ? Optimizing compilers are quite large software (in MLoC) with hundreds of maintainers, e.g : https://github.com/gcc-mirror/gcc/blob/master/MAINTAINERS Another fundamental reason : Tests of optimizing compilers cannot cover all corner cases because of a combinatorial explosion . Certifying compilers 4/24

  9. Introduction to the CompCert Certified Compiler S. Boulm´ e – March 2020 Issue : optimizing compiler for safety-critical software Strong safety-critical requirements of DO-178 (Avionics) , ISO-26262 (Automotive) , IEC-62279 (Railway) , IEC-61513 (Nuclear) often established at the source level... Certifying compilers 5/24

  10. Introduction to the CompCert Certified Compiler S. Boulm´ e – March 2020 Issue : optimizing compiler for safety-critical software Strong safety-critical requirements of DO-178 (Avionics) , ISO-26262 (Automotive) , IEC-62279 (Railway) , IEC-61513 (Nuclear) often established at the source level... Used solution human review of the compiled code Certifying compilers 5/24

  11. Introduction to the CompCert Certified Compiler S. Boulm´ e – March 2020 Issue : optimizing compiler for safety-critical software Strong safety-critical requirements of DO-178 (Avionics) , ISO-26262 (Automotive) , IEC-62279 (Railway) , IEC-61513 (Nuclear) often established at the source level... Used solution human review of the compiled code ← intractable if optimized Certifying compilers 5/24

  12. Introduction to the CompCert Certified Compiler S. Boulm´ e – March 2020 Issue : optimizing compiler for safety-critical software Strong safety-critical requirements of DO-178 (Avionics) , ISO-26262 (Automotive) , IEC-62279 (Railway) , IEC-61513 (Nuclear) often established at the source level... Used solution human review of the compiled code ← intractable if optimized + switch-off compiler optimizations (DO-178B level A). Certifying compilers 5/24

  13. Introduction to the CompCert Certified Compiler S. Boulm´ e – March 2020 Issue : optimizing compiler for safety-critical software Strong safety-critical requirements of DO-178 (Avionics) , ISO-26262 (Automotive) , IEC-62279 (Railway) , IEC-61513 (Nuclear) often established at the source level... Used solution human review of the compiled code ← intractable if optimized + switch-off compiler optimizations (DO-178B level A). Better solution a formally proved compiler for formal tool qualification (DO-178C + DO-333)... Certifying compilers 5/24

  14. Introduction to the CompCert Certified Compiler S. Boulm´ e – March 2020 Certified (= formally proved ) compiler Source Diagrammatic view Compiler of the correctness Target Behaviors Compiler correctness reduced to that of its formal spec. Certifying compilers 6/24

  15. Introduction to the CompCert Certified Compiler S. Boulm´ e – March 2020 Certified (= formally proved ) compiler Source Diagrammatic view Compiler of the correctness Target Behaviors Compiler correctness reduced to that of its formal spec. Advantages of formal spec over compiler code ◮ closer to informal spec (e.g. simpler for human reviews) ◮ more compositional (e.g. simpler for tests) Certifying compilers 6/24

  16. Introduction to the CompCert Certified Compiler S. Boulm´ e – March 2020 Certified (= formally proved ) compiler Source Diagrammatic view Compiler of the correctness Target Behaviors Compiler correctness reduced to that of its formal spec. Advantages of formal spec over compiler code ◮ closer to informal spec (e.g. simpler for human reviews) ◮ more compositional (e.g. simpler for tests) Another benefit : traceability formal proof = computer-aided review of the compiler code w.r.t its spec. Certifying compilers 6/24

  17. Introduction to the CompCert Certified Compiler S. Boulm´ e – March 2020 Certified (= formally proved ) compiler Source Diagrammatic view Compiler of the correctness Target Behaviors Compiler correctness reduced to that of its formal spec. Advantages of formal spec over compiler code ◮ closer to informal spec (e.g. simpler for human reviews) ◮ more compositional (e.g. simpler for tests) Another benefit : traceability formal proof = computer-aided review of the compiler code w.r.t its spec. ⇒ up-to-date & very sharp (formal) documentation of the compiler that may also help “ external developers ” Certifying compilers 6/24

  18. Introduction to the CompCert Certified Compiler S. Boulm´ e – March 2020 CompCert : a certified compiler CompCert = a moderately -optimizing C compiler with an unprecedented level of trust in its correctness Certifying compilers 7/24

  19. Introduction to the CompCert Certified Compiler S. Boulm´ e – March 2020 CompCert : a certified compiler CompCert = a moderately -optimizing C compiler with an unprecedented level of trust in its correctness as noted by Yang-et-al’11 (with randomized differential testing) : “ CompCert is the only compiler we have tested for which Csmith cannot find wrong-code errors. This is not for lack of trying : we have devoted about six CPU-years to the task. [ . . . ] developing compiler optimizations within a proof framework [ . . . ] has tangible benefits for compiler users.” Certifying compilers 7/24

  20. Introduction to the CompCert Certified Compiler S. Boulm´ e – March 2020 CompCert : a certified compiler CompCert = a moderately -optimizing C compiler with an unprecedented level of trust in its correctness as noted by Yang-et-al’11 (with randomized differential testing) : “ CompCert is the only compiler we have tested for which Csmith cannot find wrong-code errors. This is not for lack of trying : we have devoted about six CPU-years to the task. [ . . . ] developing compiler optimizations within a proof framework [ . . . ] has tangible benefits for compiler users.” Part of an ongoing effort to certify a whole software chain in the Coq proof assistant from the prover (e.g. CertiCoq) to OS kernels (e.g. CertiKOS) Example http://deepspec.org (supported by NSF). Certifying compilers 7/24

  21. Introduction to the CompCert Certified Compiler S. Boulm´ e – March 2020 Contents Certifying compilers The Coq proof assistant for certifying compilers Using CompCert Overview of CompCert Implementation The Coq proof assistant for certifying compilers 8/24

  22. Introduction to the CompCert Certified Compiler S. Boulm´ e – March 2020 The Coq proof assistant A language to formalize mathematical theories (and their proofs) with a computer . Examples : • Four-color & Odd-order theorems by Gonthier-et-al. • Univalence theory by Voevodsky (Fields Medalist). The Coq proof assistant for certifying compilers 9/24

Recommend

Mechanized semantics for Clight Sandrine Blaxy, Xavier Leroy Pim Jager - Type Theory and Coq The

Mechanized semantics for Clight Sandrine Blaxy, Xavier Leroy Pim Jager - Type Theory and Coq The

Mechanized semantics for Clight Sandrine Blaxy, Xavier Leroy Pim Jager - Type Theory and Coq The CompCert C project Formally proving a compiler The CompCert project investigates the formal verification of realistic compilers usable

948 views • 26 slides
A concrete memory model for CompCert Frdric Besson Sandrine Blazy Pierre Wilke Rennes,

A concrete memory model for CompCert Frdric Besson Sandrine Blazy Pierre Wilke Rennes,

A concrete memory model for CompCert Frdric Besson Sandrine Blazy Pierre Wilke Rennes, France P . Wilke A concrete memory model for CompCert 1 / 28 CompCert real-world C to ASM compiler used in industry (commercialised by AbsInt)

563 views • 40 slides
Extending the CompCert certified C compiler with instruction scheduling and control-flow integrity

Extending the CompCert certified C compiler with instruction scheduling and control-flow integrity

Extending CompCert S. Boulm e ( Verimag , Grenoble-INP) RISC-V week @ Paris2019 Extending the CompCert certified C compiler with instruction scheduling and control-flow integrity (CFI) October 2019 Sylvain.Boulme@univ-grenoble-alpes.fr

557 views • 19 slides
CompCert guarantees for low-level C programs Sandrine Blazy joint work with Frdric Besson and

CompCert guarantees for low-level C programs Sandrine Blazy joint work with Frdric Besson and

CompCert guarantees for low-level C programs Sandrine Blazy joint work with Frdric Besson and Pierre Wilke IFIP W.G. 2.11, Bloomington, 2016-08-23 1 The CompCert C verified compiler Compiler + proof that the compiler does not introduce bugs

471 views • 24 slides
Trust in programming tools: the formal verification of compilers and static analysers Xavier

Trust in programming tools: the formal verification of compilers and static analysers Xavier

Trust in programming tools: the formal verification of compilers and static analysers Xavier Leroy Inria Paris Verified trustworthy software systems, April 2016 X. Leroy (Inria) Trust in tools 2016-04-05 1 / 35 Tool-assisted formal

731 views • 52 slides
Thailand: Never Formally Colonized Thailand was never formally colonized by a Western

Thailand: Never Formally Colonized Thailand was never formally colonized by a Western

Neo-Colonialism in The King and I : An Analysis of Hegemony through Aural and Visual Representation By Natalie Tantisirirat Thailand: Never Formally Colonized Thailand was never formally colonized by a Western power strong pride

337 views • 21 slides
TEACHING OLD COMPILERS NEW TRICKS TEACHING OLD COMPILERS NEW TRICKS Transpiling C ++ 17 to C ++ 11

TEACHING OLD COMPILERS NEW TRICKS TEACHING OLD COMPILERS NEW TRICKS Transpiling C ++ 17 to C ++ 11

TEACHING OLD COMPILERS NEW TRICKS TEACHING OLD COMPILERS NEW TRICKS Transpiling C ++ 17 to C ++ 11 Tony Wasserka Meeting C ++ @ fail _ cluez 17 November 2018 WHO AM I ? WHO AM I ? Berlin - based consultant : Workflow optimization , Code

973 views • 24 slides
Formal C semantics: CompCert and the C standard Robbert Krebbers 1 Xavier Leroy 2 Freek Wiedijk 1

Formal C semantics: CompCert and the C standard Robbert Krebbers 1 Xavier Leroy 2 Freek Wiedijk 1

Formal C semantics: CompCert and the C standard Robbert Krebbers 1 Xavier Leroy 2 Freek Wiedijk 1 1 ICIS, Radboud University Nijmegen, The Netherlands 2 Inria Paris-Rocquencourt, France July 17, 2014 @ ITP, Vienna, Austria 1 Underspecification

511 views • 34 slides
CMSC 430 Introduction to Compilers Spring 2016 Lexing and Parsing Overview Compilers are

CMSC 430 Introduction to Compilers Spring 2016 Lexing and Parsing Overview Compilers are

CMSC 430 Introduction to Compilers Spring 2016 Lexing and Parsing Overview Compilers are roughly divided into two parts Front-end deals with surface syntax of the language Back-end analysis and code generation of the output

1.42k views • 79 slides
CMSC 430 Introduction to Compilers Spring 2017 Lexing and Parsing Overview Compilers are

CMSC 430 Introduction to Compilers Spring 2017 Lexing and Parsing Overview Compilers are

CMSC 430 Introduction to Compilers Spring 2017 Lexing and Parsing Overview Compilers are roughly divided into two parts Front-end deals with surface syntax of the language Back-end analysis and code generation of the output

1.07k views • 79 slides
Cache Storage Channels Alias-driven Attacks Formally Verified Platforms Formally Verified

Cache Storage Channels Alias-driven Attacks Formally Verified Platforms Formally Verified

Roberto Guanciale Mads Dam Hamed Nemati Christoph Baumann Cache Storage Channels Alias-driven Attacks Formally Verified Platforms Formally Verified Platforms Caches Excluded Formally Verified from the analysis Platforms Caches Excluded

675 views • 64 slides
Compilers Structure of a Compiler Alex Aiken Intro to Compilers 1. Lexical Analysis 2. Parsing

Compilers Structure of a Compiler Alex Aiken Intro to Compilers 1. Lexical Analysis 2. Parsing

Compilers Structure of a Compiler Alex Aiken Intro to Compilers 1. Lexical Analysis 2. Parsing 3. Semantic Analysis 4. Optimization 5. Code Generation Alex Aiken Intro to Compilers First step: recognize words. Smallest unit above

469 views • 16 slides
From Compilers to Grammarware Dr. Vadim Zaytsev Introduction Compilers Grammarware T

From Compilers to Grammarware Dr. Vadim Zaytsev Introduction Compilers Grammarware T

From Compilers to Grammarware Dr. Vadim Zaytsev Introduction Compilers Grammarware T ransformation Maturity Consistency Understanding T esting Conclusion Introduction Vadim Zaytsev MSc in appl.math (2003) & telematics

555 views • 54 slides
Geographic Data Science - Lecture V Space, formally Dani Arribas-Bel Today The need to

Geographic Data Science - Lecture V Space, formally Dani Arribas-Bel Today The need to

Geographic Data Science - Lecture V Space, formally Dani Arribas-Bel Today The need to represent space formally Spatial weights matrices What Why Types The spatial lag The Moran Plot Space, formally For a statistical method to be

628 views • 27 slides
Geographic Data Science - Lecture V Space, formally Dani Arribas-Bel Today The need to

Geographic Data Science - Lecture V Space, formally Dani Arribas-Bel Today The need to

Geographic Data Science - Lecture V Space, formally Dani Arribas-Bel Today The need to represent space formally Spatial weights matrices What Why Types The spatial lag The Moran Plot Space, formally For a statistical method to be

568 views • 42 slides
Geographic Data Science - Lecture V Space, formally Dani Arribas-Bel Today The need to

Geographic Data Science - Lecture V Space, formally Dani Arribas-Bel Today The need to

Geographic Data Science - Lecture V Space, formally Dani Arribas-Bel Today The need to represent space formally Spatial weights matrices What Why Types The spatial lag The Moran Plot Space, formally For a statistical method to be

551 views • 43 slides
VigNAT: A Formally Verified NAT Arseniy Zaostrovnykh, Solal Pirelli, Luis Pedrosa, Katerina

VigNAT: A Formally Verified NAT Arseniy Zaostrovnykh, Solal Pirelli, Luis Pedrosa, Katerina

VigNAT: A Formally Verified NAT Arseniy Zaostrovnykh, Solal Pirelli, Luis Pedrosa, Katerina Argyraki, George Candea Formally verify a stateful NF with competitive performance and reasonable human effort 2 Formally verify a stateful NF with

836 views • 81 slides
CS226/326 Compilers for Computer Languages David MacQueen Department of Computer Science

CS226/326 Compilers for Computer Languages David MacQueen Department of Computer Science

CS226/326 Compilers for Computer Languages David MacQueen Department of Computer Science Spring 2003 Why Study Compilers? To learn to write compilers and interpreters for various programming languages and domain specific languages E.g.

455 views • 23 slides
CompCert Memory Model Because we need some way to understand how C works Outline The

CompCert Memory Model Because we need some way to understand how C works Outline The

The CompCert Memory Model Because we need some way to understand how C works Outline The general idea Version 1 Limitations Version 2 Problems solved? The general idea Blocks and memory states The idea: blocks*

835 views • 42 slides
A Formally Verified Quadratic Unification Algorithm J.-L. Ruiz-Reina, J.-A. Alonso, M.-J. Hidalgo

A Formally Verified Quadratic Unification Algorithm J.-L. Ruiz-Reina, J.-A. Alonso, M.-J. Hidalgo

A Formally Verified Quadratic Unification Algorithm J.-L. Ruiz-Reina, J.-A. Alonso, M.-J. Hidalgo and F .-J. Mart n-Mateos Computational Logic Group Dept. of Computer Science and Artificial Intelligence University of Seville A Formally

356 views • 32 slides
How compiler frontend is different from what IDE needs? Ilya Biryukov JetBrains ReSharper C++

How compiler frontend is different from what IDE needs? Ilya Biryukov JetBrains ReSharper C++

How compiler frontend is different from what IDE needs? Ilya Biryukov JetBrains ReSharper C++ November 3, 2016 Compilers and IDEs Compilers and IDEs are similar, but have different design goals Compilers and IDEs Compilers and IDEs are

534 views • 24 slides
Specification and verification in the field: Applying formal methods to BPF just-in-time

Specification and verification in the field: Applying formal methods to BPF just-in-time

Specification and verification in the field: Applying formal methods to BPF just-in-time compilers in the Linux kernel Luke Nelson, Jacob Van Geffen, Emina Torlak, and Xi Wang University of Washington Goal: formally verified (e)BPF JITs in the

267 views • 22 slides
In God we trust, all others bring data ! William E. Deming (1900-1993) USA statistician

In God we trust, all others bring data ! William E. Deming (1900-1993) USA statistician

Need for data In God we trust, all others bring data ! William E. Deming (1900-1993) USA statistician Letter to UEMS National Delegates, 7th Oct 2013 Definition of Center With Center we do mean a structure formally

627 views • 51 slides
FT Consultation An NHS Foundation Trust The Trust is applying to become an NHS Foundation Trust

FT Consultation An NHS Foundation Trust The Trust is applying to become an NHS Foundation Trust

FT Consultation An NHS Foundation Trust The Trust is applying to become an NHS Foundation Trust Your Local Mental Health NHS Trust Implementation of Involvement Agenda National accreditation for Memory Service Team (Bloxwich Hospital)

763 views • 14 slides

More recommend