formal c semantics compcert and the c standard
play

Formal C semantics: CompCert and the C standard Robbert Krebbers 1 - PowerPoint PPT Presentation

Jun 11, 2023 •165 likes •511 views

Formal C semantics: CompCert and the C standard Robbert Krebbers 1 Xavier Leroy 2 Freek Wiedijk 1 1 ICIS, Radboud University Nijmegen, The Netherlands 2 Inria Paris-Rocquencourt, France July 17, 2014 @ ITP, Vienna, Austria 1 Underspecification

  1. Formal C semantics: CompCert and the C standard Robbert Krebbers 1 Xavier Leroy 2 Freek Wiedijk 1 1 ICIS, Radboud University Nijmegen, The Netherlands 2 Inria Paris-Rocquencourt, France July 17, 2014 @ ITP, Vienna, Austria 1

  2. Underspecification in C ◮ Unspecified behavior : two or more behaviors are allowed For example: order of evaluation in expressions ◮ Implementation defined behavior : like unspecified behavior, but the compiler has to document its choice For example: size and endianness of integers ◮ Undefined behavior: the standard imposes no requirements at all, the program is even allowed to crash For example: dereferencing a NULL or dangling pointer, signed integer overflow, . . . 2

  3. Underspecification in C ◮ Unspecified behavior : two or more behaviors are allowed For example: order of evaluation in expressions Non-determinism ◮ Implementation defined behavior : like unspecified behavior, but the compiler has to document its choice For example: size and endianness of integers Parametrization ◮ Undefined behavior: the standard imposes no requirements at all, the program is even allowed to crash For example: dereferencing a NULL or dangling pointer, signed integer overflow, . . . No semantics/crash state 2

  4. Pros and cons of underspecification Pros for optimizing compilers: ◮ More optimizations are possible ◮ High run-time efficiency ◮ Easy to support multiple architectures Cons for programmers/formal methods people: ◮ Portability and maintenance problems ◮ Hard to formally reason about 3

  5. Approaches to underspecification CompCert (Leroy et al. ) ◮ Main goal: verified optimizing compiler in ◮ Specific choices for unspecified/impl-defined behavior For example: 32-bits int s ◮ Describes some undefined behavior For example: dereferencing NULL, integer overflow defined ◮ Compiler correctness proof only for programs without undefined behavior Formalin (Krebbers & Wiedijk) ◮ Main goal: compiler independent separation logic in ◮ Describes some implementation-defined behavior For example: no legacy architectures with 0’s complement ◮ Aims to describe all unspecified and undefined behavior 4

  6. Defined behaviors in C11, Formalin and CompCert C CompCert C C11 Formalin integer overflow comparing subtle with end-of-array casts aliasing violations pointers subtle sequence point byte-wise type violations pointer copy punning use of dangling block scope pointers arithmetic on pointer bytes 5

  7. Defined behaviors in C11, Formalin and CompCert C CompCert C C11 Formalin integer overflow comparing subtle with end-of-array casts aliasing violations pointers subtle sequence point byte-wise type violations pointer copy punning use of dangling block scope pointers arithmetic on pointer bytes This talk: add to CompCert so we get Formalin ⊆ CompCert 5

  8. Comparing with end-of-array pointers (problem) Useful: void inc_array(int *p, int n) { int *end = p + n; while (p < end) (*p++)++; } 6

  9. Comparing with end-of-array pointers (problem) Useful: void inc_array(int *p, int n) { int *end = p + n; while (p < end) (*p++)++; } x 0 x 1 x n − 1 p end 6

  10. Comparing with end-of-array pointers (problem) Useful: void inc_array(int *p, int n) { int *end = p + n; while (p < end) (*p++)++; } x 1 x n − 1 x 0 + 1 p end 6

  11. Comparing with end-of-array pointers (problem) Useful: void inc_array(int *p, int n) { int *end = p + n; while (p < end) (*p++)++; } x n − 1 x 0 + 1 x 1 + 1 p end 6

  12. Comparing with end-of-array pointers (problem) Useful: void inc_array(int *p, int n) { int *end = p + n; while (p < end) (*p++)++; } x n − 1 x 0 + 1 x 1 + 1 p end 6

  13. Comparing with end-of-array pointers (problem) Useful: void inc_array(int *p, int n) { int *end = p + n; while (p < end) (*p++)++; } x n − 1 + 1 x 0 + 1 x 1 + 1 p end 6

  14. Comparing with end-of-array pointers (problem) Useful: void inc_array(int *p, int n) { int *end = p + n; while (p < end) (*p++)++; } x n − 1 + 1 x 0 + 1 x 1 + 1 p end Bizarre: int x, y; if (&x + 1 == &y) printf("x and y are adjacent\n"); 6

  15. Comparing with end-of-array pointers (problem) Useful: void inc_array(int *p, int n) { int *end = p + n; while (p < end) (*p++)++; } x n − 1 + 1 x 0 + 1 x 1 + 1 p end Bizarre: int x, y; if (&x + 1 == &y) printf("x and y are adjacent\n"); &x &y 6

  16. Comparing with end-of-array pointers (problem) Useful: void inc_array(int *p, int n) { int *end = p + n; while (p < end) (*p++)++; } x n − 1 + 1 x 0 + 1 x 1 + 1 p end Bizarre: int x, y; if (&x + 1 == &y) printf("x and y are adjacent\n"); &x &x + 1 &y 6

  17. Comparing with end-of-array pointers (problem) Useful: void inc_array(int *p, int n) { int *end = p + n; while (p < end) (*p++)++; } x n − 1 + 1 x 0 + 1 x 1 + 1 p end Bizarre: int x, y; if (&x + 1 == &y) printf("x and y are adjacent\n"); == ? &x &x + 1 &y 6

  18. Comparing with end-of-array pointers (problem) Useful: void inc_array(int *p, int n) { int *end = p + n; while (p < end) (*p++)++; } x n − 1 + 1 x 0 + 1 x 1 + 1 p end Bizarre: int x, y; if (&x + 1 == &y) printf("x and y are adjacent\n"); == ? &x &x + 1 &y Both undefined behavior in CompCert (1.12 and before) 6

  19. Comparing with end-of-array pointers (solution) Solution: Comparison of pointers is defined if: ◮ Same block: both should within block bounds � × 7

  20. Comparing with end-of-array pointers (solution) Solution: Comparison of pointers is defined if: ◮ Same block: both should within block bounds � × ◮ Different block: both should be strictly within block bounds × � 7

  21. Comparing with end-of-array pointers (solution) Solution: Comparison of pointers is defined if: ◮ Same block: both should within block bounds � × ◮ Different block: both should be strictly within block bounds × � Stable under compilation and gives a semantics to common programming practice with end-of-array pointers 7

  22. Byte-wise copying of objects (problem) struct { short x; short *r; } s1 = {10, &s.x}, s2; unsigned char *p = &s1, *q = &s2; unsigned char *end = p + size_of(s1); while (p < end) *p++ = *q++; 8

  23. Byte-wise copying of objects (problem) struct { short x; short *r; } s1 = {10, &s.x}, s2; unsigned char *p = &s1, *q = &s2; unsigned char *end = p + size_of(s1); while (p < end) *p++ = *q++; s1 : 0x0a 0x00 ( b s1 , 0) 0 ( b s1 , 0) 1 ( b s1 , 0) 2 ( b s1 , 0) 3 p end s2 : q 8

  24. Byte-wise copying of objects (problem) struct { short x; short *r; } s1 = {10, &s.x}, s2; unsigned char *p = &s1, *q = &s2; unsigned char *end = p + size_of(s1); while (p < end) *p++ = *q++; s1 : 0x0a 0x00 ( b s1 , 0) 0 ( b s1 , 0) 1 ( b s1 , 0) 2 ( b s1 , 0) 3 p end s2 : 0x0a q 8

  25. Byte-wise copying of objects (problem) struct { short x; short *r; } s1 = {10, &s.x}, s2; unsigned char *p = &s1, *q = &s2; unsigned char *end = p + size_of(s1); while (p < end) *p++ = *q++; s1 : 0x0a 0x00 ( b s1 , 0) 0 ( b s1 , 0) 1 ( b s1 , 0) 2 ( b s1 , 0) 3 p end s2 : 0x0a 0x00 q Previously undefined, need to allow copying indeterminate bytes 8

  26. Byte-wise copying of objects (problem) struct { short x; short *r; } s1 = {10, &s.x}, s2; unsigned char *p = &s1, *q = &s2; unsigned char *end = p + size_of(s1); while (p < end) *p++ = *q++; s1 : 0x0a 0x00 ( b s1 , 0) 0 ( b s1 , 0) 1 ( b s1 , 0) 2 ( b s1 , 0) 3 p end s2 : 0x0a 0x00 q Previously undefined, need to allow copying indeterminate bytes 8

  27. Byte-wise copying of objects (problem) struct { short x; short *r; } s1 = {10, &s.x}, s2; unsigned char *p = &s1, *q = &s2; unsigned char *end = p + size_of(s1); while (p < end) *p++ = *q++; s1 : 0x0a 0x00 ( b s1 , 0) 0 ( b s1 , 0) 1 ( b s1 , 0) 2 ( b s1 , 0) 3 p end s2 : 0x0a 0x00 q Previously undefined, need to allow copying symbolic pointer bytes 8

  28. Byte-wise copying of objects (problem) struct { short x; short *r; } s1 = {10, &s.x}, s2; unsigned char *p = &s1, *q = &s2; unsigned char *end = p + size_of(s1); while (p < end) *p++ = *q++; s1 : 0x0a 0x00 ( b s1 , 0) 0 ( b s1 , 0) 1 ( b s1 , 0) 2 ( b s1 , 0) 3 p end s2 : 0x0a 0x00 ( b s1 , 0) 0 q Previously undefined, need to allow copying symbolic pointer bytes 8

  29. Byte-wise copying of objects (problem) struct { short x; short *r; } s1 = {10, &s.x}, s2; unsigned char *p = &s1, *q = &s2; unsigned char *end = p + size_of(s1); while (p < end) *p++ = *q++; s1 : 0x0a 0x00 ( b s1 , 0) 0 ( b s1 , 0) 1 ( b s1 , 0) 2 ( b s1 , 0) 3 p end s2 : 0x0a 0x00 ( b s1 , 0) 0 ( b s1 , 0) 1 q Previously undefined, need to allow copying symbolic pointer bytes 8

  30. Byte-wise copying of objects (problem) struct { short x; short *r; } s1 = {10, &s.x}, s2; unsigned char *p = &s1, *q = &s2; unsigned char *end = p + size_of(s1); while (p < end) *p++ = *q++; s1 : 0x0a 0x00 ( b s1 , 0) 0 ( b s1 , 0) 1 ( b s1 , 0) 2 ( b s1 , 0) 3 p end s2 : 0x0a 0x00 ( b s1 , 0) 0 ( b s1 , 0) 1 ( b s1 , 0) 2 q Previously undefined, need to allow copying symbolic pointer bytes 8

Recommend

Mechanized semantics for Clight Sandrine Blaxy, Xavier Leroy Pim Jager - Type Theory and Coq The

Mechanized semantics for Clight Sandrine Blaxy, Xavier Leroy Pim Jager - Type Theory and Coq The

Mechanized semantics for Clight Sandrine Blaxy, Xavier Leroy Pim Jager - Type Theory and Coq The CompCert C project Formally proving a compiler The CompCert project investigates the formal verification of realistic compilers usable

948 views • 26 slides
Formal Semantics of SQL (and Cypher) Paolo Guagliardo SQL Standard query language for

Formal Semantics of SQL (and Cypher) Paolo Guagliardo SQL Standard query language for

Formal Semantics of SQL (and Cypher) Paolo Guagliardo SQL Standard query language for relational databases $30B/year business Implemented in all major RDBMSs (free and commercial) First standardized in 1986 (ANSI) and 1987 (ISO)

471 views • 13 slides
Formal semantics of Cypher: towards a standard language for querying property graphs N. Francis 1

Formal semantics of Cypher: towards a standard language for querying property graphs N. Francis 1

Formal semantics of Cypher: towards a standard language for querying property graphs N. Francis 1 A. Green 2 M. Rydberg 2 P. Guagliardo 3 V. Marsault 1 T. Lindaaker 2 P. Selmer 2 L. Libkin 3 S. Plantikow 2 A. Taylor 2 M. Schuster 3 1. Univ.

1.46k views • 111 slides
Introductory Notes Jigsaw Semantics or: Dynamic Semantics Put Together Again Formal semantics

Introductory Notes Jigsaw Semantics or: Dynamic Semantics Put Together Again Formal semantics

Jigsaw Semantics Introduction Introductory Notes Jigsaw Semantics or: Dynamic Semantics Put Together Again Formal semantics and formal pragmatics: the disciplines are much scattered and seriously challenged, or so it seems. Formal

164 views • 12 slides
Lexical Semantics in Formal Semantics: History and Challenges . Barbara H. Partee

Lexical Semantics in Formal Semantics: History and Challenges . Barbara H. Partee

Lexical Semantics in Formal Semantics: History and Challenges . Barbara H. Partee partee@linguist.umass.edu ESSLLI RefSemPlus Workshop, August 2016 1. Introduction n The early important achievements of formal semantics that made it of

1.01k views • 36 slides
Introduction to formal semantics - Enrico Leonhardt Introduction to formal semantics 1 / 25

Introduction to formal semantics - Enrico Leonhardt Introduction to formal semantics 1 / 25

Introduction to formal semantics - Enrico Leonhardt Introduction to formal semantics 1 / 25 Enrico Leonhardt | Motivation | Semiotics | Formal semantics in CS | structure Motivation - Philosophy paradox antinomy

710 views • 25 slides
Formal Semantics in Modern Type Theories (and Event Semantics in MTT-Framework) Zhaohui Luo

Formal Semantics in Modern Type Theories (and Event Semantics in MTT-Framework) Zhaohui Luo

Formal Semantics in Modern Type Theories (and Event Semantics in MTT-Framework) Zhaohui Luo Royal Holloway University of London This talk I. Formal semantics in Modern Type Theories: overview MTT-semantics is both model-theoretic and

564 views • 30 slides
More Theories, Formal semantics Jirka Hana Parts are based on slides by Carl Pollard Charles

More Theories, Formal semantics Jirka Hana Parts are based on slides by Carl Pollard Charles

More Theories Formal Semantics A Logical Grammar More Theories, Formal semantics Jirka Hana Parts are based on slides by Carl Pollard Charles University, 2011-11-12 Jirka Hana More Theories, Formal semantics More Theories Formal Semantics

732 views • 56 slides
11/19/10 Introduction Semantics can mean quite different things in different

11/19/10 Introduction Semantics can mean quite different things in different

11/19/10 Introduction Semantics can mean quite different things in different contexts; fields concerned with semantics are as diverse as psychology, law, Formal Semantics and Pragmatics: computer science, lexicography, logic,

393 views • 10 slides
Programming Languages Third Edition Chapter 12 Formal Semantics Objectives Become familiar

Programming Languages Third Edition Chapter 12 Formal Semantics Objectives Become familiar

Programming Languages Third Edition Chapter 12 Formal Semantics Objectives Become familiar with a sample small language for the purpose of semantic specification Understand operational semantics Understand denotational semantics

789 views • 48 slides
Towards a Formal Semantics for FHM, Part I FPL Away Days 2011 Henrik Nilsson Joint work with

Towards a Formal Semantics for FHM, Part I FPL Away Days 2011 Henrik Nilsson Joint work with

Towards a Formal Semantics for FHM, Part I FPL Away Days 2011 Henrik Nilsson Joint work with Joey Capper School of Computer Science University of Nottingham Towards a Formal Semantics for FHM, Part I p.1/31 Hybrid Systems Hybrid system:

511 views • 49 slides
A Formal Semantics for PLEX Johan Erikson; johan.erikson@idt.mdh.se Bjrn Lisper;

A Formal Semantics for PLEX Johan Erikson; johan.erikson@idt.mdh.se Bjrn Lisper;

A Formal Semantics for PLEX Johan Erikson; johan.erikson@idt.mdh.se Bjrn Lisper; bjorn.lisper@mdh.se Mlardalen University Department of Computer Science and Engineering Vsters Sweden A Formal Semantics for PLEX The AXE telephone

267 views • 9 slides
Bridging formal and conceptual semantics Tillmann Pross (joint work with Antje Rodeutscher)

Bridging formal and conceptual semantics Tillmann Pross (joint work with Antje Rodeutscher)

Bridging formal and conceptual semantics Tillmann Pross (joint work with Antje Rodeutscher) Institute for Natural Language Processing, University of Stuttgart IMS IV 28/10/2015 Formal vs. Conceptual Semantics: Over the last decades,

553 views • 29 slides
A concrete memory model for CompCert Frdric Besson Sandrine Blazy Pierre Wilke Rennes,

A concrete memory model for CompCert Frdric Besson Sandrine Blazy Pierre Wilke Rennes,

A concrete memory model for CompCert Frdric Besson Sandrine Blazy Pierre Wilke Rennes, France P . Wilke A concrete memory model for CompCert 1 / 28 CompCert real-world C to ASM compiler used in industry (commercialised by AbsInt)

563 views • 40 slides
Extending the CompCert certified C compiler with instruction scheduling and control-flow integrity

Extending the CompCert certified C compiler with instruction scheduling and control-flow integrity

Extending CompCert S. Boulm e ( Verimag , Grenoble-INP) RISC-V week @ Paris2019 Extending the CompCert certified C compiler with instruction scheduling and control-flow integrity (CFI) October 2019 Sylvain.Boulme@univ-grenoble-alpes.fr

557 views • 19 slides
CompCert guarantees for low-level C programs Sandrine Blazy joint work with Frdric Besson and

CompCert guarantees for low-level C programs Sandrine Blazy joint work with Frdric Besson and

CompCert guarantees for low-level C programs Sandrine Blazy joint work with Frdric Besson and Pierre Wilke IFIP W.G. 2.11, Bloomington, 2016-08-23 1 The CompCert C verified compiler Compiler + proof that the compiler does not introduce bugs

471 views • 24 slides
Formal, Executable Semantics of Web Languages: JavaScript and PHP Sergio Ma ff eis Imperial

Formal, Executable Semantics of Web Languages: JavaScript and PHP Sergio Ma ff eis Imperial

Formal, Executable Semantics of Web Languages: JavaScript and PHP Sergio Ma ff eis Imperial College London In collaboration with: J. Mitchell (Stanford), A. Taly (Google), K. Bhargavan, M. Bodin, A. Charugeraud, A. Delignat-Lavaud, A. Schmitt

784 views • 26 slides
Semantics 1 / 21 Outline What is semantics? Denotational semantics Semantics of naming What

Semantics 1 / 21 Outline What is semantics? Denotational semantics Semantics of naming What

Semantics 1 / 21 Outline What is semantics? Denotational semantics Semantics of naming What is semantics? 2 / 21 What is the meaning of a program? Recall: aspects of a language syntax : the structure of its programs semantics : the

551 views • 21 slides
Logic and Natural Language Semantics: Formal Semantics Raffaella Bernardi DISI, University of

Logic and Natural Language Semantics: Formal Semantics Raffaella Bernardi DISI, University of

Logic and Natural Language Semantics: Formal Semantics Raffaella Bernardi DISI, University of Trento e-mail: bernardi@disi.unitn.it Contents First Last Prev Next Contents 1 Logic . . . . . . . . . . . . . . . . . . . . . . . . . . .

952 views • 45 slides
Why formalize? n ML is tricky, particularly in corner cases Formal Semantics n generalizable type

Why formalize? n ML is tricky, particularly in corner cases Formal Semantics n generalizable type

Why formalize? n ML is tricky, particularly in corner cases Formal Semantics n generalizable type variables? n polymorphic references? n exceptions? n Some things are often overlooked for any language n evaluation order? side-effects? errors? n

371 views • 17 slides
Why formalize? ! ML is tricky, particularly in corner cases Formal Semantics ! generalizable type

Why formalize? ! ML is tricky, particularly in corner cases Formal Semantics ! generalizable type

Why formalize? ! ML is tricky, particularly in corner cases Formal Semantics ! generalizable type variables? ! polymorphic references? ! exceptions? ! Some things are often overlooked for any language ! evaluation order? side-effects? errors? !

603 views • 3 slides
ORIGINS AND IMPACT OF FORMAL SEMANTICS Troy Kaighin Astarte t.astarte @

ORIGINS AND IMPACT OF FORMAL SEMANTICS Troy Kaighin Astarte t.astarte @

ORIGINS AND IMPACT OF FORMAL SEMANTICS Troy Kaighin Astarte t.astarte @ ncl.ac.uk 1 INTRODUCTION Programming in the1950s: machine code systems Computation in terms of machinemeaning fairly clear FORTRAN: FORmula

540 views • 20 slides
CSC 530 Lecture Notes Week 5 More on Formal Semantics with Attribute Grammars CSC530-W02-L5

CSC 530 Lecture Notes Week 5 More on Formal Semantics with Attribute Grammars CSC530-W02-L5

CSC530-W02-L5 Slide 1 CSC 530 Lecture Notes Week 5 More on Formal Semantics with Attribute Grammars CSC530-W02-L5 Slide 2 I. Attribute semantics of real programming languages A. Last weeks pretty trivial B. These notes investigate SIL

790 views • 53 slides
CompCert : C compilers you can formally trust March 2020 Sylvain.Boulme@univ-grenoble-alpes.fr

CompCert : C compilers you can formally trust March 2020 Sylvain.Boulme@univ-grenoble-alpes.fr

Introduction to the CompCert Certified Compiler S. Boulm e March 2020 CompCert : C compilers you can formally trust March 2020 Sylvain.Boulme@univ-grenoble-alpes.fr 1/24 Introduction to the CompCert Certified Compiler S. Boulm e

1.01k views • 65 slides

More recommend