formal c semantics compcert and the c standard
play

Formal C semantics: CompCert and the C standard Robbert Krebbers 1 - PowerPoint PPT Presentation

Jun 11, 2023 •165 likes •511 views

Formal C semantics: CompCert and the C standard Robbert Krebbers 1 Xavier Leroy 2 Freek Wiedijk 1 1 ICIS, Radboud University Nijmegen, The Netherlands 2 Inria Paris-Rocquencourt, France July 17, 2014 @ ITP, Vienna, Austria 1 Underspecification

  1. Formal C semantics: CompCert and the C standard Robbert Krebbers 1 Xavier Leroy 2 Freek Wiedijk 1 1 ICIS, Radboud University Nijmegen, The Netherlands 2 Inria Paris-Rocquencourt, France July 17, 2014 @ ITP, Vienna, Austria 1

  2. Underspecification in C ◮ Unspecified behavior : two or more behaviors are allowed For example: order of evaluation in expressions ◮ Implementation defined behavior : like unspecified behavior, but the compiler has to document its choice For example: size and endianness of integers ◮ Undefined behavior: the standard imposes no requirements at all, the program is even allowed to crash For example: dereferencing a NULL or dangling pointer, signed integer overflow, . . . 2

  3. Underspecification in C ◮ Unspecified behavior : two or more behaviors are allowed For example: order of evaluation in expressions Non-determinism ◮ Implementation defined behavior : like unspecified behavior, but the compiler has to document its choice For example: size and endianness of integers Parametrization ◮ Undefined behavior: the standard imposes no requirements at all, the program is even allowed to crash For example: dereferencing a NULL or dangling pointer, signed integer overflow, . . . No semantics/crash state 2

  4. Pros and cons of underspecification Pros for optimizing compilers: ◮ More optimizations are possible ◮ High run-time efficiency ◮ Easy to support multiple architectures Cons for programmers/formal methods people: ◮ Portability and maintenance problems ◮ Hard to formally reason about 3

  5. Approaches to underspecification CompCert (Leroy et al. ) ◮ Main goal: verified optimizing compiler in ◮ Specific choices for unspecified/impl-defined behavior For example: 32-bits int s ◮ Describes some undefined behavior For example: dereferencing NULL, integer overflow defined ◮ Compiler correctness proof only for programs without undefined behavior Formalin (Krebbers & Wiedijk) ◮ Main goal: compiler independent separation logic in ◮ Describes some implementation-defined behavior For example: no legacy architectures with 0’s complement ◮ Aims to describe all unspecified and undefined behavior 4

  6. Defined behaviors in C11, Formalin and CompCert C CompCert C C11 Formalin integer overflow comparing subtle with end-of-array casts aliasing violations pointers subtle sequence point byte-wise type violations pointer copy punning use of dangling block scope pointers arithmetic on pointer bytes 5

  7. Defined behaviors in C11, Formalin and CompCert C CompCert C C11 Formalin integer overflow comparing subtle with end-of-array casts aliasing violations pointers subtle sequence point byte-wise type violations pointer copy punning use of dangling block scope pointers arithmetic on pointer bytes This talk: add to CompCert so we get Formalin ⊆ CompCert 5

  8. Comparing with end-of-array pointers (problem) Useful: void inc_array(int *p, int n) { int *end = p + n; while (p < end) (*p++)++; } 6

  9. Comparing with end-of-array pointers (problem) Useful: void inc_array(int *p, int n) { int *end = p + n; while (p < end) (*p++)++; } x 0 x 1 x n − 1 p end 6

  10. Comparing with end-of-array pointers (problem) Useful: void inc_array(int *p, int n) { int *end = p + n; while (p < end) (*p++)++; } x 1 x n − 1 x 0 + 1 p end 6

  11. Comparing with end-of-array pointers (problem) Useful: void inc_array(int *p, int n) { int *end = p + n; while (p < end) (*p++)++; } x n − 1 x 0 + 1 x 1 + 1 p end 6

  12. Comparing with end-of-array pointers (problem) Useful: void inc_array(int *p, int n) { int *end = p + n; while (p < end) (*p++)++; } x n − 1 x 0 + 1 x 1 + 1 p end 6

  13. Comparing with end-of-array pointers (problem) Useful: void inc_array(int *p, int n) { int *end = p + n; while (p < end) (*p++)++; } x n − 1 + 1 x 0 + 1 x 1 + 1 p end 6

  14. Comparing with end-of-array pointers (problem) Useful: void inc_array(int *p, int n) { int *end = p + n; while (p < end) (*p++)++; } x n − 1 + 1 x 0 + 1 x 1 + 1 p end Bizarre: int x, y; if (&x + 1 == &y) printf("x and y are adjacent\n"); 6

  15. Comparing with end-of-array pointers (problem) Useful: void inc_array(int *p, int n) { int *end = p + n; while (p < end) (*p++)++; } x n − 1 + 1 x 0 + 1 x 1 + 1 p end Bizarre: int x, y; if (&x + 1 == &y) printf("x and y are adjacent\n"); &x &y 6

  16. Comparing with end-of-array pointers (problem) Useful: void inc_array(int *p, int n) { int *end = p + n; while (p < end) (*p++)++; } x n − 1 + 1 x 0 + 1 x 1 + 1 p end Bizarre: int x, y; if (&x + 1 == &y) printf("x and y are adjacent\n"); &x &x + 1 &y 6

  17. Comparing with end-of-array pointers (problem) Useful: void inc_array(int *p, int n) { int *end = p + n; while (p < end) (*p++)++; } x n − 1 + 1 x 0 + 1 x 1 + 1 p end Bizarre: int x, y; if (&x + 1 == &y) printf("x and y are adjacent\n"); == ? &x &x + 1 &y 6

  18. Comparing with end-of-array pointers (problem) Useful: void inc_array(int *p, int n) { int *end = p + n; while (p < end) (*p++)++; } x n − 1 + 1 x 0 + 1 x 1 + 1 p end Bizarre: int x, y; if (&x + 1 == &y) printf("x and y are adjacent\n"); == ? &x &x + 1 &y Both undefined behavior in CompCert (1.12 and before) 6

  19. Comparing with end-of-array pointers (solution) Solution: Comparison of pointers is defined if: ◮ Same block: both should within block bounds � × 7

  20. Comparing with end-of-array pointers (solution) Solution: Comparison of pointers is defined if: ◮ Same block: both should within block bounds � × ◮ Different block: both should be strictly within block bounds × � 7

  21. Comparing with end-of-array pointers (solution) Solution: Comparison of pointers is defined if: ◮ Same block: both should within block bounds � × ◮ Different block: both should be strictly within block bounds × � Stable under compilation and gives a semantics to common programming practice with end-of-array pointers 7

  22. Byte-wise copying of objects (problem) struct { short x; short *r; } s1 = {10, &s.x}, s2; unsigned char *p = &s1, *q = &s2; unsigned char *end = p + size_of(s1); while (p < end) *p++ = *q++; 8

  23. Byte-wise copying of objects (problem) struct { short x; short *r; } s1 = {10, &s.x}, s2; unsigned char *p = &s1, *q = &s2; unsigned char *end = p + size_of(s1); while (p < end) *p++ = *q++; s1 : 0x0a 0x00 ( b s1 , 0) 0 ( b s1 , 0) 1 ( b s1 , 0) 2 ( b s1 , 0) 3 p end s2 : q 8

  24. Byte-wise copying of objects (problem) struct { short x; short *r; } s1 = {10, &s.x}, s2; unsigned char *p = &s1, *q = &s2; unsigned char *end = p + size_of(s1); while (p < end) *p++ = *q++; s1 : 0x0a 0x00 ( b s1 , 0) 0 ( b s1 , 0) 1 ( b s1 , 0) 2 ( b s1 , 0) 3 p end s2 : 0x0a q 8

  25. Byte-wise copying of objects (problem) struct { short x; short *r; } s1 = {10, &s.x}, s2; unsigned char *p = &s1, *q = &s2; unsigned char *end = p + size_of(s1); while (p < end) *p++ = *q++; s1 : 0x0a 0x00 ( b s1 , 0) 0 ( b s1 , 0) 1 ( b s1 , 0) 2 ( b s1 , 0) 3 p end s2 : 0x0a 0x00 q Previously undefined, need to allow copying indeterminate bytes 8

  26. Byte-wise copying of objects (problem) struct { short x; short *r; } s1 = {10, &s.x}, s2; unsigned char *p = &s1, *q = &s2; unsigned char *end = p + size_of(s1); while (p < end) *p++ = *q++; s1 : 0x0a 0x00 ( b s1 , 0) 0 ( b s1 , 0) 1 ( b s1 , 0) 2 ( b s1 , 0) 3 p end s2 : 0x0a 0x00 q Previously undefined, need to allow copying indeterminate bytes 8

  27. Byte-wise copying of objects (problem) struct { short x; short *r; } s1 = {10, &s.x}, s2; unsigned char *p = &s1, *q = &s2; unsigned char *end = p + size_of(s1); while (p < end) *p++ = *q++; s1 : 0x0a 0x00 ( b s1 , 0) 0 ( b s1 , 0) 1 ( b s1 , 0) 2 ( b s1 , 0) 3 p end s2 : 0x0a 0x00 q Previously undefined, need to allow copying symbolic pointer bytes 8

  28. Byte-wise copying of objects (problem) struct { short x; short *r; } s1 = {10, &s.x}, s2; unsigned char *p = &s1, *q = &s2; unsigned char *end = p + size_of(s1); while (p < end) *p++ = *q++; s1 : 0x0a 0x00 ( b s1 , 0) 0 ( b s1 , 0) 1 ( b s1 , 0) 2 ( b s1 , 0) 3 p end s2 : 0x0a 0x00 ( b s1 , 0) 0 q Previously undefined, need to allow copying symbolic pointer bytes 8

  29. Byte-wise copying of objects (problem) struct { short x; short *r; } s1 = {10, &s.x}, s2; unsigned char *p = &s1, *q = &s2; unsigned char *end = p + size_of(s1); while (p < end) *p++ = *q++; s1 : 0x0a 0x00 ( b s1 , 0) 0 ( b s1 , 0) 1 ( b s1 , 0) 2 ( b s1 , 0) 3 p end s2 : 0x0a 0x00 ( b s1 , 0) 0 ( b s1 , 0) 1 q Previously undefined, need to allow copying symbolic pointer bytes 8

  30. Byte-wise copying of objects (problem) struct { short x; short *r; } s1 = {10, &s.x}, s2; unsigned char *p = &s1, *q = &s2; unsigned char *end = p + size_of(s1); while (p < end) *p++ = *q++; s1 : 0x0a 0x00 ( b s1 , 0) 0 ( b s1 , 0) 1 ( b s1 , 0) 2 ( b s1 , 0) 3 p end s2 : 0x0a 0x00 ( b s1 , 0) 0 ( b s1 , 0) 1 ( b s1 , 0) 2 q Previously undefined, need to allow copying symbolic pointer bytes 8

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Mechanized semantics for Clight Sandrine Blaxy, Xavier Leroy Pim Jager - Type Theory and Coq The

Mechanized semantics for Clight Sandrine Blaxy, Xavier Leroy Pim Jager - Type Theory and Coq The

Mechanized semantics for Clight Sandrine Blaxy, Xavier Leroy Pim Jager - Type Theory and Coq The CompCert C project Formally proving a compiler The CompCert project investigates the formal verification of realistic compilers usable

948 views • 26 slides
Formal Semantics of SQL (and Cypher) Paolo Guagliardo SQL Standard query language for

Formal Semantics of SQL (and Cypher) Paolo Guagliardo SQL Standard query language for

Formal Semantics of SQL (and Cypher) Paolo Guagliardo SQL Standard query language for relational databases $30B/year business Implemented in all major RDBMSs (free and commercial) First standardized in 1986 (ANSI) and 1987 (ISO)

471 views • 13 slides
Formal semantics of Cypher: towards a standard language for querying property graphs N. Francis 1

Formal semantics of Cypher: towards a standard language for querying property graphs N. Francis 1

Formal semantics of Cypher: towards a standard language for querying property graphs N. Francis 1 A. Green 2 M. Rydberg 2 P. Guagliardo 3 V. Marsault 1 T. Lindaaker 2 P. Selmer 2 L. Libkin 3 S. Plantikow 2 A. Taylor 2 M. Schuster 3 1. Univ.

1.46k views • 111 slides
Introductory Notes Jigsaw Semantics or: Dynamic Semantics Put Together Again Formal semantics

Introductory Notes Jigsaw Semantics or: Dynamic Semantics Put Together Again Formal semantics

Jigsaw Semantics Introduction Introductory Notes Jigsaw Semantics or: Dynamic Semantics Put Together Again Formal semantics and formal pragmatics: the disciplines are much scattered and seriously challenged, or so it seems. Formal

164 views • 12 slides
Lexical Semantics in Formal Semantics: History and Challenges . Barbara H. Partee

Lexical Semantics in Formal Semantics: History and Challenges . Barbara H. Partee

Lexical Semantics in Formal Semantics: History and Challenges . Barbara H. Partee partee@linguist.umass.edu ESSLLI RefSemPlus Workshop, August 2016 1. Introduction n The early important achievements of formal semantics that made it of

1.01k views • 36 slides
Introduction to formal semantics - Enrico Leonhardt Introduction to formal semantics 1 / 25

Introduction to formal semantics - Enrico Leonhardt Introduction to formal semantics 1 / 25

Introduction to formal semantics - Enrico Leonhardt Introduction to formal semantics 1 / 25 Enrico Leonhardt | Motivation | Semiotics | Formal semantics in CS | structure Motivation - Philosophy paradox antinomy

710 views • 25 slides
Formal Semantics in Modern Type Theories (and Event Semantics in MTT-Framework) Zhaohui Luo

Formal Semantics in Modern Type Theories (and Event Semantics in MTT-Framework) Zhaohui Luo

Formal Semantics in Modern Type Theories (and Event Semantics in MTT-Framework) Zhaohui Luo Royal Holloway University of London This talk I. Formal semantics in Modern Type Theories: overview MTT-semantics is both model-theoretic and

564 views • 30 slides
More Theories, Formal semantics Jirka Hana Parts are based on slides by Carl Pollard Charles

More Theories, Formal semantics Jirka Hana Parts are based on slides by Carl Pollard Charles

More Theories Formal Semantics A Logical Grammar More Theories, Formal semantics Jirka Hana Parts are based on slides by Carl Pollard Charles University, 2011-11-12 Jirka Hana More Theories, Formal semantics More Theories Formal Semantics

732 views • 56 slides
11/19/10 Introduction Semantics can mean quite different things in different

11/19/10 Introduction Semantics can mean quite different things in different

11/19/10 Introduction Semantics can mean quite different things in different contexts; fields concerned with semantics are as diverse as psychology, law, Formal Semantics and Pragmatics: computer science, lexicography, logic,

393 views • 10 slides
Programming Languages Third Edition Chapter 12 Formal Semantics Objectives Become familiar

Programming Languages Third Edition Chapter 12 Formal Semantics Objectives Become familiar

Programming Languages Third Edition Chapter 12 Formal Semantics Objectives Become familiar with a sample small language for the purpose of semantic specification Understand operational semantics Understand denotational semantics

789 views • 48 slides
Towards a Formal Semantics for FHM, Part I FPL Away Days 2011 Henrik Nilsson Joint work with

Towards a Formal Semantics for FHM, Part I FPL Away Days 2011 Henrik Nilsson Joint work with

Towards a Formal Semantics for FHM, Part I FPL Away Days 2011 Henrik Nilsson Joint work with Joey Capper School of Computer Science University of Nottingham Towards a Formal Semantics for FHM, Part I p.1/31 Hybrid Systems Hybrid system:

511 views • 49 slides
A Formal Semantics for PLEX Johan Erikson; johan.erikson@idt.mdh.se Bjrn Lisper;

A Formal Semantics for PLEX Johan Erikson; johan.erikson@idt.mdh.se Bjrn Lisper;

A Formal Semantics for PLEX Johan Erikson; johan.erikson@idt.mdh.se Bjrn Lisper; bjorn.lisper@mdh.se Mlardalen University Department of Computer Science and Engineering Vsters Sweden A Formal Semantics for PLEX The AXE telephone

267 views • 9 slides
Bridging formal and conceptual semantics Tillmann Pross (joint work with Antje Rodeutscher)

Bridging formal and conceptual semantics Tillmann Pross (joint work with Antje Rodeutscher)

Bridging formal and conceptual semantics Tillmann Pross (joint work with Antje Rodeutscher) Institute for Natural Language Processing, University of Stuttgart IMS IV 28/10/2015 Formal vs. Conceptual Semantics: Over the last decades,

553 views • 29 slides
A concrete memory model for CompCert Frdric Besson Sandrine Blazy Pierre Wilke Rennes,

A concrete memory model for CompCert Frdric Besson Sandrine Blazy Pierre Wilke Rennes,

A concrete memory model for CompCert Frdric Besson Sandrine Blazy Pierre Wilke Rennes, France P . Wilke A concrete memory model for CompCert 1 / 28 CompCert real-world C to ASM compiler used in industry (commercialised by AbsInt)

563 views • 40 slides
Extending the CompCert certified C compiler with instruction scheduling and control-flow integrity

Extending the CompCert certified C compiler with instruction scheduling and control-flow integrity

Extending CompCert S. Boulm e ( Verimag , Grenoble-INP) RISC-V week @ Paris2019 Extending the CompCert certified C compiler with instruction scheduling and control-flow integrity (CFI) October 2019 Sylvain.Boulme@univ-grenoble-alpes.fr

557 views • 19 slides
CompCert guarantees for low-level C programs Sandrine Blazy joint work with Frdric Besson and

CompCert guarantees for low-level C programs Sandrine Blazy joint work with Frdric Besson and

CompCert guarantees for low-level C programs Sandrine Blazy joint work with Frdric Besson and Pierre Wilke IFIP W.G. 2.11, Bloomington, 2016-08-23 1 The CompCert C verified compiler Compiler + proof that the compiler does not introduce bugs

471 views • 24 slides
Gasification India 2017 Synthesis Gas to Chemicals and Fuel Atul Shah Syngas to Chemicals and

Gasification India 2017 Synthesis Gas to Chemicals and Fuel Atul Shah Syngas to Chemicals and

Gasification India 2017 Synthesis Gas to Chemicals and Fuel Atul Shah Syngas to Chemicals and Fuel - JM Technologies and Catalysts NH 3 ammonia methylamines methanol methanol MTO polyolefins DME formaldehyde By others syngas C3= oxo

383 views • 23 slides
Purchasers As Change Agents- Healthier, Less Toxic Products Judy Levin, MSW Center for

Purchasers As Change Agents- Healthier, Less Toxic Products Judy Levin, MSW Center for

Purchasers As Change Agents- Healthier, Less Toxic Products Judy Levin, MSW Center for Environmental Health Diseases Linked to Environmental Exposure on the Rise Asthma up 100% Brain cancer up 20% Impaired fertility doubled

814 views • 28 slides
Corporate presentation Company overview Norwegian Corporate Sales 950 mill NOK (2014)

Corporate presentation Company overview Norwegian Corporate Sales 950 mill NOK (2014)

Corporate presentation Company overview Norwegian Corporate Sales 950 mill NOK (2014) 210 employees 3 own production sites 4 tolling sites 2 Dynea Corporate Presentation January 2015 Dynea History Innovation and expansion

88 views • 6 slides
Madeline Brambilla Northeastern University Massachusetts Breast Cancer Coalition &amp; Silent

Madeline Brambilla Northeastern University Massachusetts Breast Cancer Coalition &amp; Silent

Madeline Brambilla Northeastern University Massachusetts Breast Cancer Coalition &amp; Silent Spring Institute Northeastern University PlusOne Program MA expected September 2013 - Environmental Sociology Research Assistant at the

274 views • 8 slides
Disclaimer Important information Third party data General The information provided in this

Disclaimer Important information Third party data General The information provided in this

Abcam plc, 2018/19 Interim Results Presentation, 4 March 2019 Disclaimer Important information Third party data General The information provided in this presentation is for Some information contained herein has been obtained The distribution

869 views • 27 slides
Veterinary Services Real-time PCR used in U.S. Slaughter Surveillance Kevin D. Stokes, PhD

Veterinary Services Real-time PCR used in U.S. Slaughter Surveillance Kevin D. Stokes, PhD

Veterinary Services Real-time PCR used in U.S. Slaughter Surveillance Kevin D. Stokes, PhD Microbiologist U.S. Department of Agriculture Animal and Plant Health Inspection Service Veterinary Services October 27, 2015 Objectives Review

346 views • 18 slides
Epidemiology of Spongospora root infection Tamilarasan Thangavel Robert Tegg Calum Wilson UTAS

Epidemiology of Spongospora root infection Tamilarasan Thangavel Robert Tegg Calum Wilson UTAS

2 nd International Powdery Scab Workshop | Pretoria, South Africa | July 29 August 1, 2014 Epidemiology of Spongospora root infection Tamilarasan Thangavel Robert Tegg Calum Wilson UTAS 2 nd International Powdery Scab Workshop | Pretoria,

513 views • 27 slides
EARLY DETECTION OF ALIEN SPECIES IN THE GREAT LAKES Alexander Karatayev, Wendy Paterson, and

EARLY DETECTION OF ALIEN SPECIES IN THE GREAT LAKES Alexander Karatayev, Wendy Paterson, and

EARLY DETECTION OF ALIEN SPECIES IN THE GREAT LAKES Alexander Karatayev, Wendy Paterson, and Lyubov Burlakova Sampling Locations For our study we selected four Great Lakes ports from the 11 ports total identified as having the highest risk of

170 views • 12 slides

More recommend