a concrete memory model for compcert
play

A concrete memory model for CompCert Frdric Besson Sandrine Blazy - PowerPoint PPT Presentation

Jan 22, 2024 •151 likes •563 views

A concrete memory model for CompCert Frdric Besson Sandrine Blazy Pierre Wilke Rennes, France P . Wilke A concrete memory model for CompCert 1 / 28 CompCert real-world C to ASM compiler used in industry (commercialised by AbsInt)

  1. A concrete memory model for CompCert Frédéric Besson Sandrine Blazy Pierre Wilke Rennes, France P . Wilke A concrete memory model for CompCert 1 / 28

  2. CompCert • real-world C to ASM compiler used in industry (commercialised by AbsInt) • proven correct in Coq: it does not introduce bugs! Clight C Cminor RTL ASM P . Wilke A concrete memory model for CompCert 2 / 28

  3. CompCert • real-world C to ASM compiler used in industry (commercialised by AbsInt) • proven correct in Coq: it does not introduce bugs! Clight C Cminor RTL ASM P . Wilke A concrete memory model for CompCert 2 / 28

  4. CompCert • real-world C to ASM compiler used in industry (commercialised by AbsInt) • proven correct in Coq: it does not introduce bugs! Clight C Cminor RTL ASM Each language has a Formal Semantics i.e. a mathematical meaning for programs P . Wilke A concrete memory model for CompCert 2 / 28

  5. CompCert • real-world C to ASM compiler used in industry (commercialised by AbsInt) • proven correct in Coq: it does not introduce bugs! Clight C Cminor RTL ASM Each language has a Formal Semantics i.e. a mathematical meaning for programs Proof of semantic preservation For every source program S that has a defined semantics, If the compiler succeeds to generate a target program T , Then T has the same behavior as S . P . Wilke A concrete memory model for CompCert 2 / 28

  6. CompCert • real-world C to ASM compiler used in industry (commercialised by AbsInt) • proven correct in Coq: it does not introduce bugs! Memory model Clight C Cminor RTL ASM Each language has a Formal Semantics i.e. a mathematical meaning for programs Proof of semantic preservation For every source program S that has a defined semantics, If the compiler succeeds to generate a target program T , Then T has the same behavior as S . P . Wilke A concrete memory model for CompCert 2 / 28

  7. Goal: Make the semantics of C more defined Why did C leave some behaviors undefined? • Portability • Performance Why do we want to make it more defined? • real-life programs use features that are undefined, according to C • the compilation theorem will be more useful What kind of undefined behaviors do we aim at? • undefined pointer arithmetic, i.e. bitwise operators • use of uninitialised memory Our starting point: CompCert P . Wilke A concrete memory model for CompCert 3 / 28

  8. An example of low-level C program in CompCert int main(){ int * p = ( int *) malloc ( sizeof ( int )); *p = 42; int * q = p | 5; int * r = (q » 3) « 3; return *r; } b p b q b r P . Wilke A concrete memory model for CompCert 4 / 28

  9. An example of low-level C program in CompCert int main(){ int * p = ( int *) malloc ( sizeof ( int )); *p = 42; int * q = p | 5; int * r = (q » 3) « 3; return *r; } b p b ( b , 0 ) b q b r P . Wilke A concrete memory model for CompCert 4 / 28

  10. An example of low-level C program in CompCert int main(){ int * p = ( int *) malloc ( sizeof ( int )); *p = 42; int * q = p | 5; int * r = (q » 3) « 3; return *r; } b p b ( b , 0 ) 42 b q b r P . Wilke A concrete memory model for CompCert 4 / 28

  11. An example of low-level C program in CompCert int main(){ int * p = ( int *) malloc ( sizeof ( int )); *p = 42; int * q = p | 5; int * r = (q » 3) « 3; return *r; } b p b ( b , 0 ) 42 b q Bitwise operators on pointers are b r undefined behavior! CompCert [JAR’09], KCC [POPL ’12], Krebbers [POPL ’14], Norrish [PhD’98]: undefined behavior Kang et al. [PLDI’15]: don’t model bitwise operators P . Wilke A concrete memory model for CompCert 4 / 28

  12. Contributions • Previous work [APLAS’14]: A memory model for low-level programs • This work: • integration of the memory model inside CompCert • correctness proofs of the memory model • correctness proofs of the transformations of the frontend (up to Cminor) P . Wilke A concrete memory model for CompCert 5 / 28

  13. Outline 1 CompCert’s memory model 2 New features of the memory model 3 Consistency of the memory models 4 CompCert proof: Overview 5 Conclusion P . Wilke A concrete memory model for CompCert 6 / 28

  14. Outline 1 CompCert’s memory model 2 New features of the memory model 3 Consistency of the memory models 4 CompCert proof: Overview 5 Conclusion P . Wilke A concrete memory model for CompCert 7 / 28

  15. New features of the memory model Symbolic expressions val ::= i | ( b , o ) not expressive enough We change the semantic domain to: expr ::= val | op 1 expr | expr op 2 expr P . Wilke A concrete memory model for CompCert 8 / 28

  16. New features of the memory model Symbolic expressions val ::= i | ( b , o ) not expressive enough We change the semantic domain to: expr ::= val | op 1 expr | expr op 2 expr Alignment constraints We need information about some bits of the concrete address of a pointer The alloc primitive takes an extra parameter mask , such that: A ( b ) & mask = A ( b ) P . Wilke A concrete memory model for CompCert 8 / 28

  17. Interaction with the memory model What is the semantics of reading from memory: *p ? In CompCert, p is evaluated into a pointer ( b , i ) , then we can use load ( M , b , i ) In our model, p is a symbolic expression. It needs to be transformed into a pointer so that we can use load . normalise : mem → expr → ⌊ val ⌋ We need to modify the semantics to include calls to normalise • memory accesses (load and store) • conditionnal branches P . Wilke A concrete memory model for CompCert 9 / 28

  18. Back to the example int main(){ int * p = ( int *) malloc ( sizeof ( int )); *p = 42; int * q = p | 5; int * r = (q » 3) « 3; return *r; } b p b 8 ( b , 0 ) 42 b q b r P . Wilke A concrete memory model for CompCert 10 / 28

  19. Back to the example int main(){ int * p = ( int *) malloc ( sizeof ( int )); *p = 42; int * q = p | 5; int * r = (q » 3) « 3; return *r; } b p b 8 ( b , 0 ) 42 b q ( b , 0 ) | 5 b r P . Wilke A concrete memory model for CompCert 10 / 28

  20. Back to the example int main(){ int * p = ( int *) malloc ( sizeof ( int )); *p = 42; int * q = p | 5; int * r = (q » 3) « 3; return *r; } b p b 8 ( b , 0 ) 42 b q ( b , 0 ) | 5 b r �� � � ( b , 0 ) | 5 ≫ 3 ≪ 3 P . Wilke A concrete memory model for CompCert 10 / 28

  21. Back to the example int main(){ int * p = ( int *) malloc ( sizeof ( int )); *p = 42; int * q = p | 5; int * r = (q » 3) « 3; return *r; } b p b 8 ( b , 0 ) 42 b q ( b , 0 ) | 5 b r normalise �� � � ( b , 0 ) | 5 ≫ 3 ≪ 3 ( b , 0 ) P . Wilke A concrete memory model for CompCert 10 / 28

  22. Back to the example int main(){ int * p = ( int *) malloc ( sizeof ( int )); *p = 42; int * q = p | 5; int * r = (q » 3) « 3; return *r; } b p b 8 ( b , 0 ) 42 b q ( b , 0 ) | 5 b r normalise �� � � ( b , 0 ) | 5 ≫ 3 ≪ 3 ( b , 0 ) P . Wilke A concrete memory model for CompCert 10 / 28

  23. Normalisation specification: concrete memories ( b 2 , 2 ) Abstract memory m 5 Concrete memories of m cm 1 cm 2 cm i ⊢ m cm 3 cm 4 • range : ] 0 ; 55 [ cm 5 • no overlap cm 6 • alignment 0 8 16 24 32 40 48 56 P . Wilke A concrete memory model for CompCert 11 / 28

  24. Normalisation: example 1 e = ((( b , 0 ) | 5 ) ≫ 3 ) ≪ 3 cm 1 = � ( b , o ) � cm 1 8 cm 2 = � ( b , o ) � cm 2 8 cm 3 = � ( b , o ) � cm 3 16 cm 4 = � ( b , o ) � cm 4 24 cm 5 = � ( b , o ) � cm 5 32 = � ( b , o ) � cm 6 cm 6 32 0 8 16 24 32 40 48 56 � e � cm 1 = ((( cm 1 ( b )+ 0 ) | 5 ) ≫ 3 ) = (( 8 | 5 ) ≫ 3 ) = (( 0b1000 | 5 ) ≫ 3 ) ≪ 3 = ( 0b1101 ≫ 3 ) ≪ 3 = 0b0001 ≪ 3 = 0b1000 = 8 = cm 1 ( b ) ∀ i , � e � cm i = cm i ( b ) , hence e normalises into ( b , 0 ) P . Wilke A concrete memory model for CompCert 12 / 28

  25. Normalisation: example 2 e = ( b , 0 ) > ( b ′ , 0 ) cm 1 true cm 2 true cm 3 true cm 4 false cm 5 false cm 6 false 0 8 16 24 32 40 48 56 There is no v such that ∀ i , � e � cm i = � v � cm i , hence e doesn’t normalise P . Wilke A concrete memory model for CompCert 13 / 28

  26. CompCert with symbolic expressions expr ::= val | op 1 expr | expr op 2 expr b 2 b 1 0 ( b 2 , 2 ) 5 b 3 7 5 ( b , o ) | 5 Memory model Clight C Cminor RTL ASM S S S S S P . Wilke A concrete memory model for CompCert 14 / 28

  27. Outline 1 CompCert’s memory model 2 New features of the memory model 3 Consistency of the memory models 4 CompCert proof: Overview 5 Conclusion P . Wilke A concrete memory model for CompCert 15 / 28

  28. How does our model compare to CompCert? x ( t ) x ( t ) t t Behaviors in CompCert Behaviors with symbolic expressions We are an extension of CompCert P . Wilke A concrete memory model for CompCert 16 / 28

  29. How does our model compare to CompCert? Formally, Lemma expr_add_ok : ∀ v 1 v 2 m v , sem_add v 1 v 2 m = ⌊ v ⌋ → ∃ e , sem_add_expr v 1 v 2 m = ⌊ e ⌋ ∧ normalise m e = v . If the addition of v 1 and v 2 succeeds in CompCert, Then it should succeed in our model as well, And the expression we compute should normalise into the same value. P . Wilke A concrete memory model for CompCert 17 / 28

  30. Discovery of bugs 2 cases where our model disagrees with CompCert • Bug in CompCert 2.4: Pointer comparison to NULL (fixed in CompCert 2.5) • Bug in our model: incorrect handling of pointers one past the end P . Wilke A concrete memory model for CompCert 18 / 28

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CompCert Memory Model Because we need some way to understand how C works Outline The

CompCert Memory Model Because we need some way to understand how C works Outline The

The CompCert Memory Model Because we need some way to understand how C works Outline The general idea Version 1 Limitations Version 2 Problems solved? The general idea Blocks and memory states The idea: blocks*

835 views • 42 slides
Extending the CompCert certified C compiler with instruction scheduling and control-flow integrity

Extending the CompCert certified C compiler with instruction scheduling and control-flow integrity

Extending CompCert S. Boulm e ( Verimag , Grenoble-INP) RISC-V week @ Paris2019 Extending the CompCert certified C compiler with instruction scheduling and control-flow integrity (CFI) October 2019 Sylvain.Boulme@univ-grenoble-alpes.fr

557 views • 19 slides
CompCert guarantees for low-level C programs Sandrine Blazy joint work with Frdric Besson and

CompCert guarantees for low-level C programs Sandrine Blazy joint work with Frdric Besson and

CompCert guarantees for low-level C programs Sandrine Blazy joint work with Frdric Besson and Pierre Wilke IFIP W.G. 2.11, Bloomington, 2016-08-23 1 The CompCert C verified compiler Compiler + proof that the compiler does not introduce bugs

471 views • 24 slides
Function Pointers Refined Memory Model 1 The C0 Memory Model so far Local Memory Allocated

Function Pointers Refined Memory Model 1 The C0 Memory Model so far Local Memory Allocated

Function Pointers Refined Memory Model 1 The C0 Memory Model so far Local Memory Allocated Memory Two memories main A apple 20 Local memory H o one frame per function call 5 3 pumpkin 10 o frame contains hdict_lookup

691 views • 25 slides
Introduction to OpenMP Lecture 8: Memory model Why do we need a memory model? On modern

Introduction to OpenMP Lecture 8: Memory model Why do we need a memory model? On modern

Introduction to OpenMP Lecture 8: Memory model Why do we need a memory model? On modern computers code is rarely executed in the same order as it was specified in the source code. Compilers, processors and memory systems reorder code to

309 views • 10 slides
CompCert : C compilers you can formally trust March 2020 Sylvain.Boulme@univ-grenoble-alpes.fr

CompCert : C compilers you can formally trust March 2020 Sylvain.Boulme@univ-grenoble-alpes.fr

Introduction to the CompCert Certified Compiler S. Boulm e March 2020 CompCert : C compilers you can formally trust March 2020 Sylvain.Boulme@univ-grenoble-alpes.fr 1/24 Introduction to the CompCert Certified Compiler S. Boulm e

1.01k views • 65 slides
Memory CS Basics Introduction: memory? 3) Memory Real mode flat model Registers

Memory CS Basics Introduction: memory? 3) Memory Real mode flat model Registers

Memory CS Basics Introduction: memory? 3) Memory Real mode flat model Registers Emmanuel Benoist Fall Term 2016-17 The three assembly programming models Real Mode Flat Model Real Mode Segmented Model Protected Mode Flat

301 views • 12 slides
The Java Memory Model Jaroslav Sev c k University of Edinburgh Supported by ITI

The Java Memory Model Jaroslav Sev c k University of Edinburgh Supported by ITI

The Java Memory Model Jaroslav Sev c k University of Edinburgh Supported by ITI Techmedia The Java Memory Model p. 1/30 Overview Part I : Motivation for weak memory models: Compromise between standard optimisations and

813 views • 46 slides
Debugging and improving the C/C++11 memory model Viktor Vafeiadis Max Planck Institute for

Debugging and improving the C/C++11 memory model Viktor Vafeiadis Max Planck Institute for

Debugging and improving the C/C++11 memory model Viktor Vafeiadis Max Planck Institute for Software Systems (MPI-SWS) January 2016 The C11 memory model Defines the semantics of concurrent memory accesses in C/C++. Standardised by ISO C/C++

865 views • 48 slides
Motivation Originally a model of social information sharing Abstract vs. concrete spaces

Motivation Originally a model of social information sharing Abstract vs. concrete spaces

Part 3: Autonomous Agents 10/13/04 Motivation Originally a model of social information sharing Abstract vs. concrete spaces cannot occupy same locations in concrete space Particle Swarm Optimization can in abstract space (two

341 views • 5 slides
Cs Memory Model C0 C 1 Balance Sheet so far Lost Gained

Cs Memory Model C0 C 1 Balance Sheet so far Lost Gained

Cs Memory Model C0 C 1 Balance Sheet so far Lost Gained Contracts Preprocessor Safety Whimsical execution Garbage collection Explicit memory management Memory initialization

967 views • 63 slides
Lecture 13 The C++ Memory model Synchronization variables Implementing synchronization

Lecture 13 The C++ Memory model Synchronization variables Implementing synchronization

Lecture 13 The C++ Memory model Synchronization variables Implementing synchronization Announcements 2 Scott B. Baden / CSE 160 / Wi '16 Todays lecture Memory locality in the cardiac simulator C++ memory model

455 views • 28 slides
Von Neumann Execution Model Fetch: send PC to memory transfer instruction from memory

Von Neumann Execution Model Fetch: send PC to memory transfer instruction from memory

Von Neumann Execution Model Fetch: send PC to memory transfer instruction from memory to CPU increment PC Decode & read ALU input sources Execute an ALU operation memory operation branch target calculation

515 views • 22 slides
nineteen service loads x load factors concrete holds no tension failure criteria is

nineteen service loads x load factors concrete holds no tension failure criteria is

A RCHITECTURAL S TRUCTURES : Concrete Beam Design F ORM, B EHAVIOR, AND D ESIGN composite of concrete and steel A RCH 331 D R. A NNE N ICHOLS American Concrete Institute (ACI) S UMMER 2018 design for maximum stresses lecture limit

641 views • 9 slides
twenty one service loads x load factors concrete holds no tension failure criteria is

twenty one service loads x load factors concrete holds no tension failure criteria is

E LEMENTS OF A RCHITECTURAL S TRUCTURES : Concrete Beam Design F ORM, B EHAVIOR, AND D ESIGN composite of concrete and steel ARCH 614 D R. A NNE N ICHOLS American Concrete Institute (ACI) S PRING 2019 design for maximum stresses

253 views • 6 slides
twenty two service loads x load factors concrete holds no tension failure criteria is

twenty two service loads x load factors concrete holds no tension failure criteria is

A RCHITECTURAL S TRUCTURES : Concrete Beam Design F ORM, B EHAVIOR, AND D ESIGN composite of concrete and steel ARCH 331 D R. A NNE N ICHOLS American Concrete Institute (ACI) S PRING 2018 design for maximum stresses lecture limit

346 views • 9 slides
Generic absoluteness and universally Baire sets of reals Trevor Wilson Miami University, Ohio

Generic absoluteness and universally Baire sets of reals Trevor Wilson Miami University, Ohio

One-step generic absoluteness Two-step generic absoluteness Generic absoluteness and universally Baire sets of reals Trevor Wilson Miami University, Ohio July 18, 2016 Trevor Wilson Generic absoluteness and universally Baire sets of reals

464 views • 24 slides
Opportunities for Mathematicians in the Real World Rajeeva L. Karandikar Director , Chennai

Opportunities for Mathematicians in the Real World Rajeeva L. Karandikar Director , Chennai

Opportunities for Mathematicians in the Real World Rajeeva L. Karandikar Director , Chennai Mathematical Institute rlk@cmi.ac.in , rkarandikar@gmail.com Rajeeva L. Karandikar Chennai Mathematical Institute Opportunities for Mathematicians in the

510 views • 13 slides
Optimally L Leveraging D Densi sity a and L Locality for E Exploratory B Browsi sing a

Optimally L Leveraging D Densi sity a and L Locality for E Exploratory B Browsi sing a

Optimally L Leveraging D Densi sity a and L Locality for E Exploratory B Browsi sing a and S Sampling Albert Kim 1* , Liqi Xu 2* , Tarique Siddiqui 1 , Silu Huang 2 , Samuel Madden 1 , Aditya Parameswaran 2 1 MIT 2 University of Illinois

347 views • 12 slides
Abstract Automatic Device Model Synthesizer (ADMS) now provides the ability to create all

Abstract Automatic Device Model Synthesizer (ADMS) now provides the ability to create all

New enhancements in ADMS and Spectre CMI XML scripts Sergey Sukharev March 24, 2006, Workshop, Bblingen CADENCE CONFIDENTIAL CADENCE CONFIDENTIAL Abstract Automatic Device Model Synthesizer (ADMS) now provides the ability to create all

467 views • 15 slides
Introduction to Machine Learning Classification and Regression Trees (CART): Basics

Introduction to Machine Learning Classification and Regression Trees (CART): Basics

Introduction to Machine Learning Classification and Regression Trees (CART): Basics compstat-lmu.github.io/lecture_i2ml TREE MODEL AND PREDICTION Classification and Regression Trees, introduced by Breiman Binary splits are constructed top-down

415 views • 6 slides
Pulsed Dipole Design and Tests D. Summers, L. Perera, T. Hart, L. Cremaldi University of

Pulsed Dipole Design and Tests D. Summers, L. Perera, T. Hart, L. Cremaldi University of

Pulsed Dipole Design and Tests D. Summers, L. Perera, T. Hart, L. Cremaldi University of Mississippi-Oxford S. Hansen, M. L. Lopes, Fermilab 27-31 May 2014, MAP Collaboration Meeting Fermilab, Batavia, IL c c A e l e n r o a u t o

348 views • 8 slides
Heat Equation Fan Cheng John Hopcroft Center Computer Science and Engineering Shanghai Jiao

Heat Equation Fan Cheng John Hopcroft Center Computer Science and Engineering Shanghai Jiao

[Pop-up Salon, Maths, SJTU, 2019/01/10] On the Complete Monotonicity of Heat Equation Fan Cheng John Hopcroft Center Computer Science and Engineering Shanghai Jiao Tong University chengfan@sjtu.edu.cn Overview 2 2 2 ,

628 views • 25 slides
Bosons in optical lattices Subroto Mukerjee Department of Physics Indian Institute of Science

Bosons in optical lattices Subroto Mukerjee Department of Physics Indian Institute of Science

Bosons in optical lattices Subroto Mukerjee Department of Physics Indian Institute of Science Bangalore Current trends in frustrated magnetism, JNU 2015 Collaborators Arya Dhar Maheswar Maji Sayonee Ray Tapan Mishra Ramesh

588 views • 31 slides

More recommend