the c standard formalized in coq what s next
play

The C standard formalized in Coq, whats next? Robbert Krebbers - PowerPoint PPT Presentation

Sep 01, 2022 •432 likes •1.2k views

The C standard formalized in Coq, whats next? Robbert Krebbers Aarhus University, Denmark May 13, 2016 @ Cambridge Computer Laboratory, UK 1 What is this program supposed to do? The C quiz, question 1 int main() { int x; int y = (x = 3)

  1. The C standard formalized in Coq, what’s next? Robbert Krebbers Aarhus University, Denmark May 13, 2016 @ Cambridge Computer Laboratory, UK 1

  2. What is this program supposed to do? The C quiz, question 1 int main() { int x; int y = (x = 3) + (x = 4); printf("x=%d,y=%d\n", x, y); } 2

  3. What is this program supposed to do? The C quiz, question 1 int main() { int x; int y = (x = 3) + (x = 4); printf("x=%d,y=%d\n", x, y); } Let us try some compilers ◮ Clang prints x=4,y=7 , seems just left-right 2

  4. What is this program supposed to do? The C quiz, question 1 int main() { int x; int y = (x = 3) + (x = 4); printf("x=%d,y=%d\n", x, y); } Let us try some compilers ◮ Clang prints x=4,y=7 , seems just left-right ◮ GCC prints x=4,y=8 , does not correspond to any order 2

  5. What is this program supposed to do? The C quiz, question 1 int main() { int x; int y = (x = 3) + (x = 4); printf("x=%d,y=%d\n", x, y); } Let us try some compilers ◮ Clang prints x=4,y=7 , seems just left-right ◮ GCC prints x=4,y=8 , does not correspond to any order This program violates the sequence point restriction ◮ due to two unsequenced writes to x ◮ resulting in undefined behavior ◮ thus both compilers are right 2

  6. Underspecification in C11 ◮ Unspecified behavior : two or more behaviors are allowed For example: order of evaluation in expressions (+57 more) ◮ Implementation defined behavior : like unspecified behavior, but the compiler has to document its choice For example: size and endianness of integers (+118 more) ◮ Undefined behavior: the standard imposes no requirements at all, the program is even allowed to crash For example: dereferencing a NULL or dangling pointer, signed integer overflow, . . . (+201 more) 3

  7. Underspecification in C11 ◮ Unspecified behavior : two or more behaviors are allowed For example: order of evaluation in expressions (+57 more) Non-determinism ◮ Implementation defined behavior : like unspecified behavior, but the compiler has to document its choice For example: size and endianness of integers (+118 more) Parametrization ◮ Undefined behavior: the standard imposes no requirements at all, the program is even allowed to crash For example: dereferencing a NULL or dangling pointer, signed integer overflow, . . . (+201 more) No semantics/crash state 3

  8. Why does C use underspecification that heavily? Pros for optimizing compilers: ◮ More optimizations are possible ◮ High run-time efficiency ◮ Easy to support multiple architectures 4

  9. Why does C use underspecification that heavily? Pros for optimizing compilers: ◮ More optimizations are possible ◮ High run-time efficiency ◮ Easy to support multiple architectures Cons for programmers/formal methods people: ◮ Portability and maintenance problems ◮ Hard to capture precisely in a semantics ◮ Hard to formally reason about 4

  10. Approaches to underspecification CompCert (Leroy et al. ) / VST (Appel et al. ) ◮ Main goal: verification of/w.r.t. CompCert compiler in Coq ◮ Semantics only needs to be correct for CompCert compiler For example: integer overflow and aliasing violations not UB KCC (Ellison & Rosu, Hathhorn et al. ) ◮ Main goal: compiler independent C11 semantics in K ◮ Describes most unspecified and undefined behavior ◮ No proof assistant support CH 2 O (Krebbers & Wiedijk) ◮ Main goal: compiler independent C11 semantics in Coq ◮ Describes all unspecified and undefined behavior ◮ Describes some implementation-defined behavior For example: no legacy architectures with 1s’ complement Cerberus (Sewell et al. ) ◮ Main goal: ‘ defacto ’ C11 semantics in LEM ◮ Improve standard to match the way C is used in practice 5

  11. The CH 2 O project OCaml part Coq part C sources CH 2 O CH 2 O core C abstract C 6

  12. The CH 2 O project OCaml part Coq part C sources Operational CH 2 O semantics CH 2 O core C abstract C Γ , δ ⊢ S 1 � S 2 6

  13. The CH 2 O project OCaml part Coq part Typing judgment Γ ⊢ S : f main Type preservation C sources Type soundness & progress Operational CH 2 O semantics CH 2 O core C abstract C Γ , δ ⊢ S 1 � S 2 6

  14. The CH 2 O project OCaml part Coq part Typing judgment Γ ⊢ S : f main Type preservation C sources Type soundness & progress Operational CH 2 O semantics CH 2 O core C abstract C Γ , δ ⊢ S 1 � S 2 Soundness & Completeness Executable semantics S 2 ∈ exec Γ ,δ S 1 6

  15. The CH 2 O project OCaml part Coq part Typing judgment Γ ⊢ S : f main Type preservation C sources Type soundness & progress Operational CH 2 O semantics CH 2 O core C abstract C Γ , δ ⊢ S 1 � S 2 Soundness & Soundness & Completeness Completeness Pure expression Executable evaluation semantics [ [ e ] ] Γ ,ρ, m = ν S 2 ∈ exec Γ ,δ S 1 6

  16. The CH 2 O project OCaml part Coq part Typing judgment Γ ⊢ S : f main Type preservation C sources Type soundness & progress Axiomatic Operational semantics Soundness CH 2 O semantics CH 2 O core C abstract C R , J , T ⊢ Γ ,δ Γ , δ ⊢ S 1 � S 2 { P } s { Q } Soundness & Soundness & Completeness Completeness Pure expression Executable evaluation semantics [ [ e ] ] Γ ,ρ, m = ν S 2 ∈ exec Γ ,δ S 1 6

  17. The CH 2 O project OCaml part Coq part Refinement Typing judgment judgment S 1 ⊑ f Γ ⊢ S : f main Γ S 2 : f main Type preservation C sources Invariance Type soundness & progress Axiomatic Operational semantics Soundness CH 2 O semantics CH 2 O core C abstract C R , J , T ⊢ Γ ,δ Γ , δ ⊢ S 1 � S 2 { P } s { Q } Soundness & Soundness & Completeness Completeness Pure expression Executable evaluation semantics [ [ e ] ] Γ ,ρ, m = ν S 2 ∈ exec Γ ,δ S 1 6

  18. Non-local control flow and block scope variables The C quiz, question 2 int *p = NULL; l: if (p) { return (*p); } else { int j = 17; p = &j; goto l; } 7

  19. Non-local control flow and block scope variables The C quiz, question 2 int *p = NULL; memory: l: if (p) { p return (*p); } else { NULL int j = 17; p = &j; goto l; } 7

  20. Non-local control flow and block scope variables The C quiz, question 2 int *p = NULL; memory: l: if (p) { p return (*p); } else { NULL int j = 17; p = &j; goto l; } 7

  21. Non-local control flow and block scope variables The C quiz, question 2 int *p = NULL; memory: l: if (p) { p j return (*p); } else { NULL 17 int j = 17; p = &j; goto l; } 7

  22. Non-local control flow and block scope variables The C quiz, question 2 int *p = NULL; memory: l: if (p) { p j return (*p); } else { • 17 int j = 17; p = &j; goto l; } 7

  23. Non-local control flow and block scope variables The C quiz, question 2 int *p = NULL; memory: l: if (p) { p j return (*p); } else { • 17 int j = 17; p = &j; goto l; } 7

  24. Non-local control flow and block scope variables The C quiz, question 2 int *p = NULL; memory: l: if (p) { p return (*p); } else { • int j = 17; p = &j; goto l; } 7

  25. Non-local control flow and block scope variables The C quiz, question 2 int *p = NULL; memory: l: if (p) { p return (*p); } else { • int j = 17; p = &j; goto l; } C11, 6.2.4p2: the value of a pointer becomes indeterminate when the object it points to (or just past) reaches the end of its lifetime. = ⇒ Undefined behavior 7

  26. Non-local control flow and block scope variables Goto considered harmful? http://xkcd.com/292/ 8

  27. Non-local control flow and block scope variables Goto considered harmful? http://xkcd.com/292/ Not necessarily: ⊢ { P } . . . goto main_sub3; . . . { Q } 8

  28. Non-local control flow and block scope variables Separation logic for non-local control Statement judgment: R , J , T ⊢ { P } s { Q } 9

  29. Non-local control flow and block scope variables Separation logic for non-local control Statement judgment: R , J , T ⊢ { P } s { Q } where: ◮ { P } s { Q } is a Hoare triple, as usual 9

  30. Non-local control flow and block scope variables Separation logic for non-local control Statement judgment: R , J , T ⊢ { P } s { Q } where: ◮ { P } s { Q } is a Hoare triple, as usual ◮ R has to hold to execute a return 9

  31. Non-local control flow and block scope variables Separation logic for non-local control Statement judgment: R , J , T ⊢ { P } s { Q } where: ◮ { P } s { Q } is a Hoare triple, as usual ◮ R has to hold to execute a return ◮ J maps labels to their jumping condition When executing a goto l , the assertion J l has to hold 9

  32. Non-local control flow and block scope variables Separation logic for non-local control Statement judgment: R , J , T ⊢ { P } s { Q } where: ◮ { P } s { Q } is a Hoare triple, as usual ◮ R has to hold to execute a return ◮ J maps labels to their jumping condition When executing a goto l , the assertion J l has to hold ◮ T maps break s/ continue s to their jumping condition 9

Recommend

Formalized Search for FC-Families c, Miodrag Filip Mari c, Bojan Vu ckovi Zivkovi

Formalized Search for FC-Families c, Miodrag Filip Mari c, Bojan Vu ckovi Zivkovi

Formalized Search for FC-Families Formalized Search for FC-Families c, Miodrag Filip Mari c, Bojan Vu ckovi Zivkovi c Faculty of Mathematics, University of Belgrade FATPA Workshop, 2. 2. 2012. Formalized Search for

600 views • 42 slides
A Separation Logic for Non-determinism and Sequence Points in C Formalized in Coq Robbert

A Separation Logic for Non-determinism and Sequence Points in C Formalized in Coq Robbert

A Separation Logic for Non-determinism and Sequence Points in C Formalized in Coq Robbert Krebbers Radboud University Nijmegen May 14, 2014 @ TYPES, Paris, France 1 What is this program supposed to do? int main() { int x; int y = (x = 3) +

378 views • 16 slides
How to Leverage a Large Dataset of Formalized Mathematics with Machine Learning? uller 1 Michael

How to Leverage a Large Dataset of Formalized Mathematics with Machine Learning? uller 1 Michael

1 How to Leverage a Large Dataset of Formalized Mathematics with Machine Learning? uller 1 Michael Kohlhase 1 Florian Rabe 1,2 Dennis M Computer Science, FAU Erlangen-N urnberg LRI, Universit e Paris Sud April 10, 2019 2 So, how?

343 views • 10 slides
Adult Learning: the Saint Marys University of Minnesota importance of formalized Schools of

Adult Learning: the Saint Marys University of Minnesota importance of formalized Schools of

Meghan Baker, Spring 2017 Adult Learning: the Saint Marys University of Minnesota importance of formalized Schools of Graduate and Professional Programs mentorship programs OL655 Capstone Symposium Jeffrey Eng Introduction of topic

528 views • 20 slides
A Formalized Hierarchy of Probabilistic System Types Proof Pearl olzl 1 , Andreas Lochbihler 2 ,

A Formalized Hierarchy of Probabilistic System Types Proof Pearl olzl 1 , Andreas Lochbihler 2 ,

A Formalized Hierarchy of Probabilistic System Types Proof Pearl olzl 1 , Andreas Lochbihler 2 , and Dmitriy Traytel 1 , 2 Johannes H 1 Institut f ur Informatik 2 Institute of Information Security TU M unchen, Germany ETH Zurich,

1.03k views • 85 slides
April 19, 2012 Formalized plan and process that involves students setting learning goals

April 19, 2012 Formalized plan and process that involves students setting learning goals

April 19, 2012 Formalized plan and process that involves students setting learning goals based on personal, academic and career interests, beginning in the middle school grades and continuing throughout high school with the close

413 views • 39 slides
Flexary Operators for Formalized Mathematics Fulya Horozal Florian Rabe Michael Kohlhase Jacobs

Flexary Operators for Formalized Mathematics Fulya Horozal Florian Rabe Michael Kohlhase Jacobs

Flexary Operators for Formalized Mathematics Fulya Horozal Florian Rabe Michael Kohlhase Jacobs University, Bremen, Germany Mathematical Knowledge Management Conferences on Intelligent Computer Mathematics July 07, 2014 Coimbra, Portugal 1

272 views • 24 slides
how to build a library of formalized mathematics mathematics Freek Wiedijk Radboud University

how to build a library of formalized mathematics mathematics Freek Wiedijk Radboud University

how to build a library of formalized mathematics mathematics Freek Wiedijk Radboud University Nijmegen MathWiki Workshop University of Edinburgh 2007 10 31, 11: 00 0 state of the art top 100 http://www.cs.ru.nl/~freek/100/ google 100

733 views • 24 slides
Reading Strand and Ideas Standard Statement 9 Range of Reading and Standard Statement 10 Level

Reading Strand and Ideas Standard Statement 9 Range of Reading and Standard Statement 10 Level

Standard Statement 1 Standard Statement 2 Key Ideas and Details Standard Statement 3 Reading: Literature Standard Statement 4 Standard Statement 5 Craft and Structure Standard Statement 6 Standard Statement 7 Integration of Knowledge

391 views • 16 slides
IsarMathLib a formalized mathematics library for Isabelle/ZF Slawomir Kolodynski 11th

IsarMathLib a formalized mathematics library for Isabelle/ZF Slawomir Kolodynski 11th

IsarMathLib a formalized mathematics library for Isabelle/ZF Slawomir Kolodynski 11th Conference on Intelligent Computer Mathematics CICM 2018 August 13, 2018 RISC, Hagenberg, Austria What is IsarMathLib? What is IsarMathLib? Isabelle

235 views • 19 slides
Conjecturing over large corpora Thibault Gauthier Cezary Kaliszyk Josef Urban April 6, 2016 1

Conjecturing over large corpora Thibault Gauthier Cezary Kaliszyk Josef Urban April 6, 2016 1

Conjecturing over large corpora Thibault Gauthier Cezary Kaliszyk Josef Urban April 6, 2016 1 Goal Automatically discover conjectures in formalized libraries. Which formalized libraries ? theorems constants types theories Mizar 51086

587 views • 22 slides
Conjecturing over large corpora Thibault Gauthier Cezary Kaliszyk Josef Urban July 14, 2017 1

Conjecturing over large corpora Thibault Gauthier Cezary Kaliszyk Josef Urban July 14, 2017 1

Conjecturing over large corpora Thibault Gauthier Cezary Kaliszyk Josef Urban July 14, 2017 1 Goal Automatically discover conjectures in formalized libraries. Which formalized libraries ? theorems constants types theories Mizar 51086

449 views • 27 slides
Formalized Timed Automata Simon Wimmer Fakultt fr Informatik, Technische Universitt

Formalized Timed Automata Simon Wimmer Fakultt fr Informatik, Technische Universitt

Formalized Timed Automata Simon Wimmer Fakultt fr Informatik, Technische Universitt Mnchen ITP Talk on August 24, 2016 Timed Automata Timed Automata (TA) Finite Automata with clocks Clock guards on transitions and clock

735 views • 35 slides
The Standard C Library 1 The C Standard Library 2 The C Standard Library I/O stdio.h

The Standard C Library 1 The C Standard Library 2 The C Standard Library I/O stdio.h

The Standard C Library 1 The C Standard Library 2 The C Standard Library I/O stdio.h printf, scanf, puts, gets, open, close, read, write, fprintf, fscanf, fseek, Memory and string operations string.h memcpy, memcmp, memset,

1.02k views • 54 slides
Standard 3. Accreditation and Assessment Standard 8. Compliance Standard 9. Virginia Index of

Standard 3. Accreditation and Assessment Standard 8. Compliance Standard 9. Virginia Index of

The Standards of Quality (SOQ) Standard 3. Accreditation and Assessment Standard 8. Compliance Standard 9. Virginia Index of Performance Recognition Program Dr. Cynthia A. Cave Assistant Superintendent for Policy and Communications

626 views • 31 slides
Standard Seven: The blood standard quality improvement cycle Philippa Kirkpatrick The NSQHS

Standard Seven: The blood standard quality improvement cycle Philippa Kirkpatrick The NSQHS

Standard Seven: The blood standard quality improvement cycle Philippa Kirkpatrick The NSQHS Standards Standard 1 Standard 2 Governance for Safety and Partnering with Quality in Health Consumers Service Organisations Standard 3 Healthcare

649 views • 32 slides
Standard Error & Confidence Interval Standard Error A particular kind of standard

Standard Error & Confidence Interval Standard Error A particular kind of standard

Standard Error & Confidence Interval Standard Error A particular kind of standard deviation Standard Error := standard deviation of the sampling distribution of a statistic Statistic := a function of a dataset (e.g., mean, median,

578 views • 33 slides
Nature provides no standard of length Nature provides no standard of volume Nature provides no

Nature provides no standard of length Nature provides no standard of volume Nature provides no

THE PENDULUM AND THREE STANDARDS THAT MEASURED THE ANCIENT WORLD And the Mystery of the Parthenon revealed Nature provides no standard of length Nature provides no standard of volume Nature provides no standard of weight Nature provides three

567 views • 23 slides
THE STANDARD C LIBRARY THE STANDARD C LIBRARY Common functions we dont need to write

THE STANDARD C LIBRARY THE STANDARD C LIBRARY Common functions we dont need to write

THE STANDARD C LIBRARY THE STANDARD C LIBRARY Common functions we dont need to write ourselves Provides a portable interface to many system calls Analogous to class libraries in Java or C++ Function prototypes declared in standard

641 views • 40 slides
Oklahoma Standard @OP OPSRead eadines ess okschoolrea eadines ess.org Oklahoma Standard

Oklahoma Standard @OP OPSRead eadines ess okschoolrea eadines ess.org Oklahoma Standard

Oklahoma Standard @OP OPSRead eadines ess okschoolrea eadines ess.org Oklahoma Standard Origins Project HOPE Hopeful Futures COVID-19 Oklahoma Standard Story Gathering OTTAWA WOODS ALFALFA WASHINGTON KAY NOWATA HARPER

383 views • 10 slides
APT TECHNICAL CPD - MAF STANDARD COSTING Standard Costing Nicholas Riemer

APT TECHNICAL CPD - MAF STANDARD COSTING Standard Costing Nicholas Riemer

APT TECHNICAL CPD - MAF STANDARD COSTING Standard Costing Nicholas Riemer Nicholas.Riemer@firstrand.co.za Agenda Workflow to understanding standard costing What is standard costing? Generic Problem Industry considerations? What

808 views • 50 slides
Standard Introduction of the new Standard to key Stakeholders Welcome to the Builders Merchants

Standard Introduction of the new Standard to key Stakeholders Welcome to the Builders Merchants

Trade Supplier Level 2 Apprenticeship Standard Introduction of the new Standard to key Stakeholders Welcome to the Builders Merchants Federation (BMF) John Newcomb Chief Executive, BMF 2 Welcome and Introductions Margaret Fitzsimons

1.2k views • 84 slides
Standard Drilling Standard Drilling Company Presentation June 2012 PURPOSE S.D. Standard Drilling

Standard Drilling Standard Drilling Company Presentation June 2012 PURPOSE S.D. Standard Drilling

Standard Drilling Standard Drilling Company Presentation June 2012 PURPOSE S.D. Standard Drilling was established for the purpose of creating shareholder value by building a premium oilfield services company through superior assets, systems and

673 views • 33 slides
SQL Structured Query Language Standard for relational db systems History:

SQL Structured Query Language Standard for relational db systems History:

SQL Structured Query Language Standard for relational db systems History: Developed at IBM in late 70s First standard: SQL-86 Second standard: SQL-92 Third standard: SQL-99 or SQL3, well over 1000 pages! The nice things

320 views • 27 slides

More recommend