Mechanized semantics for Clight Sandrine Blaxy, Xavier Leroy Pim - - PowerPoint PPT Presentation

▶

Sep 05, 2022 667 likes •950 views

Mechanized semantics for Clight Sandrine Blaxy, Xavier Leroy Pim Jager - Type Theory and Coq The CompCert C project Formally proving a compiler The CompCert project investigates the formal verification of realistic compilers usable

SLIDE 1

Mechanized semantics for Clight

Sandrine Blaxy, Xavier Leroy Pim Jager - Type Theory and Coq

SLIDE 2

The CompCert C project – Formally proving a compiler

” The CompCert project investigates the formal verification of realistic

compilers usable for critical embedded software”

Goal: Formally verify the transformation of C programs to machine

executable assembly.

SLIDE 3

Today we focus on Clight, a large subset of C

SLIDE 4

Clight is a (very large) subset of C

Including:

Most of C types
Most C operators
Pointers (and pointer arithmetic)
Function pointers
Structs
Unions
Almost all control structures

Differences:

No GOTO statement
Expressions must be pure
Ensures termination
Ensures deterministic evaluation

a = print(..) + print(..);

SLIDE 5

Clight Syntax: Types

SLIDE 6

Clight Syntax : Expressions

SLIDE 7

Clight syntax: Statements

SLIDE 8

C: calculating a least common multiple

int n1, n2; int main() { int lcm; n1 = 42; n2 = 34; lcm = (n1>n2) ? n1 : n2; while(1) { if(lcm%n1==0 && lcm%n2==0){ break; } lcm++; } return lcm; }

SLIDE 9

Clight: calculating a least common multiple

int(I32, Signed) n1; int(I32, Signed) n2; int f() { int(I32, Signed) lcm; n1 = 42; n2 = 34; lcm = (n1>n2) ? n1 : n2; while(1) { if(lcm%n1==0 ? (lcm%n2==0 ? 1 : 0) : 0){ break; } else { skip; } lcm = lcm + 1; } return lcm; } main = f

SLIDE 10

Semantics of Clight

Expression in left position Expression in right position Execution of terminating statement Execution of diverging statement

Big step semantics: 𝑑,𝑡 ⟹ 𝑡%

SLIDE 11

Judgment of terminating statements

G: Global environment
E: Local environment
s: statement to be executed
M: Current state of memory
t: trace of IO events
out: statement outcomes:
Normal
Continue
Break
Return
Return(v)
M’: new state of memory

SLIDE 12

Semantics of statements (except loops)

Coq

SLIDE 13

Recall: Semantics for IMP statements

Assignment:
Sequencing:

SLIDE 14

Semantics of while loops

Coq

SLIDE 15

Recall: while in IMP

SLIDE 16

Judgment of diverging statements

G: Global environment
E: Local environment
s: statement to be executed
M: Current state of memory
T: (infinite) trace of IO events

SLIDE 17

A statement diverges if any of its components diverges.

Coq

SLIDE 18

Just like commands in IMP diverge when any of their components diverge

SLIDE 19

Semantics are defined by 8 10 judgments

Calling of terminating functions Calling of diverging functions

SLIDE 20

Function calls

Coq

SLIDE 21

Function invocation

SLIDE 22

2009 to 2016 Big step to Small step

CompCert changed semantics model to small step: 𝑡, 𝑛 → (𝑡%, 𝑛%)
Small step based on continuations
Coq

SLIDE 23

Questions?

SLIDE 24

Judgment for expressions (in right position)

G: Global environment
E: Local environment
a: expression to be evaluated
M: Current state of memory
v: result value, either:
int(n)
float(f)
ptr(l)
undef

SLIDE 25

Semantics for expressions in right position

SLIDE 26