the c standard formalized in coq what s next
play

The C standard formalized in Coq, whats next? Robbert Krebbers - PowerPoint PPT Presentation

Sep 01, 2022 •432 likes •1.2k views

The C standard formalized in Coq, whats next? Robbert Krebbers Aarhus University, Denmark May 13, 2016 @ Cambridge Computer Laboratory, UK 1 What is this program supposed to do? The C quiz, question 1 int main() { int x; int y = (x = 3)

  1. The C standard formalized in Coq, what’s next? Robbert Krebbers Aarhus University, Denmark May 13, 2016 @ Cambridge Computer Laboratory, UK 1

  2. What is this program supposed to do? The C quiz, question 1 int main() { int x; int y = (x = 3) + (x = 4); printf("x=%d,y=%d\n", x, y); } 2

  3. What is this program supposed to do? The C quiz, question 1 int main() { int x; int y = (x = 3) + (x = 4); printf("x=%d,y=%d\n", x, y); } Let us try some compilers ◮ Clang prints x=4,y=7 , seems just left-right 2

  4. What is this program supposed to do? The C quiz, question 1 int main() { int x; int y = (x = 3) + (x = 4); printf("x=%d,y=%d\n", x, y); } Let us try some compilers ◮ Clang prints x=4,y=7 , seems just left-right ◮ GCC prints x=4,y=8 , does not correspond to any order 2

  5. What is this program supposed to do? The C quiz, question 1 int main() { int x; int y = (x = 3) + (x = 4); printf("x=%d,y=%d\n", x, y); } Let us try some compilers ◮ Clang prints x=4,y=7 , seems just left-right ◮ GCC prints x=4,y=8 , does not correspond to any order This program violates the sequence point restriction ◮ due to two unsequenced writes to x ◮ resulting in undefined behavior ◮ thus both compilers are right 2

  6. Underspecification in C11 ◮ Unspecified behavior : two or more behaviors are allowed For example: order of evaluation in expressions (+57 more) ◮ Implementation defined behavior : like unspecified behavior, but the compiler has to document its choice For example: size and endianness of integers (+118 more) ◮ Undefined behavior: the standard imposes no requirements at all, the program is even allowed to crash For example: dereferencing a NULL or dangling pointer, signed integer overflow, . . . (+201 more) 3

  7. Underspecification in C11 ◮ Unspecified behavior : two or more behaviors are allowed For example: order of evaluation in expressions (+57 more) Non-determinism ◮ Implementation defined behavior : like unspecified behavior, but the compiler has to document its choice For example: size and endianness of integers (+118 more) Parametrization ◮ Undefined behavior: the standard imposes no requirements at all, the program is even allowed to crash For example: dereferencing a NULL or dangling pointer, signed integer overflow, . . . (+201 more) No semantics/crash state 3

  8. Why does C use underspecification that heavily? Pros for optimizing compilers: ◮ More optimizations are possible ◮ High run-time efficiency ◮ Easy to support multiple architectures 4

  9. Why does C use underspecification that heavily? Pros for optimizing compilers: ◮ More optimizations are possible ◮ High run-time efficiency ◮ Easy to support multiple architectures Cons for programmers/formal methods people: ◮ Portability and maintenance problems ◮ Hard to capture precisely in a semantics ◮ Hard to formally reason about 4

  10. Approaches to underspecification CompCert (Leroy et al. ) / VST (Appel et al. ) ◮ Main goal: verification of/w.r.t. CompCert compiler in Coq ◮ Semantics only needs to be correct for CompCert compiler For example: integer overflow and aliasing violations not UB KCC (Ellison & Rosu, Hathhorn et al. ) ◮ Main goal: compiler independent C11 semantics in K ◮ Describes most unspecified and undefined behavior ◮ No proof assistant support CH 2 O (Krebbers & Wiedijk) ◮ Main goal: compiler independent C11 semantics in Coq ◮ Describes all unspecified and undefined behavior ◮ Describes some implementation-defined behavior For example: no legacy architectures with 1s’ complement Cerberus (Sewell et al. ) ◮ Main goal: ‘ defacto ’ C11 semantics in LEM ◮ Improve standard to match the way C is used in practice 5

  11. The CH 2 O project OCaml part Coq part C sources CH 2 O CH 2 O core C abstract C 6

  12. The CH 2 O project OCaml part Coq part C sources Operational CH 2 O semantics CH 2 O core C abstract C Γ , δ ⊢ S 1 � S 2 6

  13. The CH 2 O project OCaml part Coq part Typing judgment Γ ⊢ S : f main Type preservation C sources Type soundness & progress Operational CH 2 O semantics CH 2 O core C abstract C Γ , δ ⊢ S 1 � S 2 6

  14. The CH 2 O project OCaml part Coq part Typing judgment Γ ⊢ S : f main Type preservation C sources Type soundness & progress Operational CH 2 O semantics CH 2 O core C abstract C Γ , δ ⊢ S 1 � S 2 Soundness & Completeness Executable semantics S 2 ∈ exec Γ ,δ S 1 6

  15. The CH 2 O project OCaml part Coq part Typing judgment Γ ⊢ S : f main Type preservation C sources Type soundness & progress Operational CH 2 O semantics CH 2 O core C abstract C Γ , δ ⊢ S 1 � S 2 Soundness & Soundness & Completeness Completeness Pure expression Executable evaluation semantics [ [ e ] ] Γ ,ρ, m = ν S 2 ∈ exec Γ ,δ S 1 6

  16. The CH 2 O project OCaml part Coq part Typing judgment Γ ⊢ S : f main Type preservation C sources Type soundness & progress Axiomatic Operational semantics Soundness CH 2 O semantics CH 2 O core C abstract C R , J , T ⊢ Γ ,δ Γ , δ ⊢ S 1 � S 2 { P } s { Q } Soundness & Soundness & Completeness Completeness Pure expression Executable evaluation semantics [ [ e ] ] Γ ,ρ, m = ν S 2 ∈ exec Γ ,δ S 1 6

  17. The CH 2 O project OCaml part Coq part Refinement Typing judgment judgment S 1 ⊑ f Γ ⊢ S : f main Γ S 2 : f main Type preservation C sources Invariance Type soundness & progress Axiomatic Operational semantics Soundness CH 2 O semantics CH 2 O core C abstract C R , J , T ⊢ Γ ,δ Γ , δ ⊢ S 1 � S 2 { P } s { Q } Soundness & Soundness & Completeness Completeness Pure expression Executable evaluation semantics [ [ e ] ] Γ ,ρ, m = ν S 2 ∈ exec Γ ,δ S 1 6

  18. Non-local control flow and block scope variables The C quiz, question 2 int *p = NULL; l: if (p) { return (*p); } else { int j = 17; p = &j; goto l; } 7

  19. Non-local control flow and block scope variables The C quiz, question 2 int *p = NULL; memory: l: if (p) { p return (*p); } else { NULL int j = 17; p = &j; goto l; } 7

  20. Non-local control flow and block scope variables The C quiz, question 2 int *p = NULL; memory: l: if (p) { p return (*p); } else { NULL int j = 17; p = &j; goto l; } 7

  21. Non-local control flow and block scope variables The C quiz, question 2 int *p = NULL; memory: l: if (p) { p j return (*p); } else { NULL 17 int j = 17; p = &j; goto l; } 7

  22. Non-local control flow and block scope variables The C quiz, question 2 int *p = NULL; memory: l: if (p) { p j return (*p); } else { • 17 int j = 17; p = &j; goto l; } 7

  23. Non-local control flow and block scope variables The C quiz, question 2 int *p = NULL; memory: l: if (p) { p j return (*p); } else { • 17 int j = 17; p = &j; goto l; } 7

  24. Non-local control flow and block scope variables The C quiz, question 2 int *p = NULL; memory: l: if (p) { p return (*p); } else { • int j = 17; p = &j; goto l; } 7

  25. Non-local control flow and block scope variables The C quiz, question 2 int *p = NULL; memory: l: if (p) { p return (*p); } else { • int j = 17; p = &j; goto l; } C11, 6.2.4p2: the value of a pointer becomes indeterminate when the object it points to (or just past) reaches the end of its lifetime. = ⇒ Undefined behavior 7

  26. Non-local control flow and block scope variables Goto considered harmful? http://xkcd.com/292/ 8

  27. Non-local control flow and block scope variables Goto considered harmful? http://xkcd.com/292/ Not necessarily: ⊢ { P } . . . goto main_sub3; . . . { Q } 8

  28. Non-local control flow and block scope variables Separation logic for non-local control Statement judgment: R , J , T ⊢ { P } s { Q } 9

  29. Non-local control flow and block scope variables Separation logic for non-local control Statement judgment: R , J , T ⊢ { P } s { Q } where: ◮ { P } s { Q } is a Hoare triple, as usual 9

  30. Non-local control flow and block scope variables Separation logic for non-local control Statement judgment: R , J , T ⊢ { P } s { Q } where: ◮ { P } s { Q } is a Hoare triple, as usual ◮ R has to hold to execute a return 9

  31. Non-local control flow and block scope variables Separation logic for non-local control Statement judgment: R , J , T ⊢ { P } s { Q } where: ◮ { P } s { Q } is a Hoare triple, as usual ◮ R has to hold to execute a return ◮ J maps labels to their jumping condition When executing a goto l , the assertion J l has to hold 9

  32. Non-local control flow and block scope variables Separation logic for non-local control Statement judgment: R , J , T ⊢ { P } s { Q } where: ◮ { P } s { Q } is a Hoare triple, as usual ◮ R has to hold to execute a return ◮ J maps labels to their jumping condition When executing a goto l , the assertion J l has to hold ◮ T maps break s/ continue s to their jumping condition 9

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Formalized Search for FC-Families c, Miodrag Filip Mari c, Bojan Vu ckovi Zivkovi

Formalized Search for FC-Families c, Miodrag Filip Mari c, Bojan Vu ckovi Zivkovi

Formalized Search for FC-Families Formalized Search for FC-Families c, Miodrag Filip Mari c, Bojan Vu ckovi Zivkovi c Faculty of Mathematics, University of Belgrade FATPA Workshop, 2. 2. 2012. Formalized Search for

600 views • 42 slides
A Separation Logic for Non-determinism and Sequence Points in C Formalized in Coq Robbert

A Separation Logic for Non-determinism and Sequence Points in C Formalized in Coq Robbert

A Separation Logic for Non-determinism and Sequence Points in C Formalized in Coq Robbert Krebbers Radboud University Nijmegen May 14, 2014 @ TYPES, Paris, France 1 What is this program supposed to do? int main() { int x; int y = (x = 3) +

378 views • 16 slides
How to Leverage a Large Dataset of Formalized Mathematics with Machine Learning? uller 1 Michael

How to Leverage a Large Dataset of Formalized Mathematics with Machine Learning? uller 1 Michael

1 How to Leverage a Large Dataset of Formalized Mathematics with Machine Learning? uller 1 Michael Kohlhase 1 Florian Rabe 1,2 Dennis M Computer Science, FAU Erlangen-N urnberg LRI, Universit e Paris Sud April 10, 2019 2 So, how?

343 views • 10 slides
Adult Learning: the Saint Marys University of Minnesota importance of formalized Schools of

Adult Learning: the Saint Marys University of Minnesota importance of formalized Schools of

Meghan Baker, Spring 2017 Adult Learning: the Saint Marys University of Minnesota importance of formalized Schools of Graduate and Professional Programs mentorship programs OL655 Capstone Symposium Jeffrey Eng Introduction of topic

528 views • 20 slides
A Formalized Hierarchy of Probabilistic System Types Proof Pearl olzl 1 , Andreas Lochbihler 2 ,

A Formalized Hierarchy of Probabilistic System Types Proof Pearl olzl 1 , Andreas Lochbihler 2 ,

A Formalized Hierarchy of Probabilistic System Types Proof Pearl olzl 1 , Andreas Lochbihler 2 , and Dmitriy Traytel 1 , 2 Johannes H 1 Institut f ur Informatik 2 Institute of Information Security TU M unchen, Germany ETH Zurich,

1.03k views • 85 slides
April 19, 2012 Formalized plan and process that involves students setting learning goals

April 19, 2012 Formalized plan and process that involves students setting learning goals

April 19, 2012 Formalized plan and process that involves students setting learning goals based on personal, academic and career interests, beginning in the middle school grades and continuing throughout high school with the close

413 views • 39 slides
Flexary Operators for Formalized Mathematics Fulya Horozal Florian Rabe Michael Kohlhase Jacobs

Flexary Operators for Formalized Mathematics Fulya Horozal Florian Rabe Michael Kohlhase Jacobs

Flexary Operators for Formalized Mathematics Fulya Horozal Florian Rabe Michael Kohlhase Jacobs University, Bremen, Germany Mathematical Knowledge Management Conferences on Intelligent Computer Mathematics July 07, 2014 Coimbra, Portugal 1

272 views • 24 slides
how to build a library of formalized mathematics mathematics Freek Wiedijk Radboud University

how to build a library of formalized mathematics mathematics Freek Wiedijk Radboud University

how to build a library of formalized mathematics mathematics Freek Wiedijk Radboud University Nijmegen MathWiki Workshop University of Edinburgh 2007 10 31, 11: 00 0 state of the art top 100 http://www.cs.ru.nl/~freek/100/ google 100

733 views • 24 slides
Reading Strand and Ideas Standard Statement 9 Range of Reading and Standard Statement 10 Level

Reading Strand and Ideas Standard Statement 9 Range of Reading and Standard Statement 10 Level

Standard Statement 1 Standard Statement 2 Key Ideas and Details Standard Statement 3 Reading: Literature Standard Statement 4 Standard Statement 5 Craft and Structure Standard Statement 6 Standard Statement 7 Integration of Knowledge

391 views • 16 slides
IsarMathLib a formalized mathematics library for Isabelle/ZF Slawomir Kolodynski 11th

IsarMathLib a formalized mathematics library for Isabelle/ZF Slawomir Kolodynski 11th

IsarMathLib a formalized mathematics library for Isabelle/ZF Slawomir Kolodynski 11th Conference on Intelligent Computer Mathematics CICM 2018 August 13, 2018 RISC, Hagenberg, Austria What is IsarMathLib? What is IsarMathLib? Isabelle

235 views • 19 slides
Conjecturing over large corpora Thibault Gauthier Cezary Kaliszyk Josef Urban April 6, 2016 1

Conjecturing over large corpora Thibault Gauthier Cezary Kaliszyk Josef Urban April 6, 2016 1

Conjecturing over large corpora Thibault Gauthier Cezary Kaliszyk Josef Urban April 6, 2016 1 Goal Automatically discover conjectures in formalized libraries. Which formalized libraries ? theorems constants types theories Mizar 51086

587 views • 22 slides
Conjecturing over large corpora Thibault Gauthier Cezary Kaliszyk Josef Urban July 14, 2017 1

Conjecturing over large corpora Thibault Gauthier Cezary Kaliszyk Josef Urban July 14, 2017 1

Conjecturing over large corpora Thibault Gauthier Cezary Kaliszyk Josef Urban July 14, 2017 1 Goal Automatically discover conjectures in formalized libraries. Which formalized libraries ? theorems constants types theories Mizar 51086

449 views • 27 slides
Formalized Timed Automata Simon Wimmer Fakultt fr Informatik, Technische Universitt

Formalized Timed Automata Simon Wimmer Fakultt fr Informatik, Technische Universitt

Formalized Timed Automata Simon Wimmer Fakultt fr Informatik, Technische Universitt Mnchen ITP Talk on August 24, 2016 Timed Automata Timed Automata (TA) Finite Automata with clocks Clock guards on transitions and clock

735 views • 35 slides
The Standard C Library 1 The C Standard Library 2 The C Standard Library I/O stdio.h

The Standard C Library 1 The C Standard Library 2 The C Standard Library I/O stdio.h

The Standard C Library 1 The C Standard Library 2 The C Standard Library I/O stdio.h printf, scanf, puts, gets, open, close, read, write, fprintf, fscanf, fseek, Memory and string operations string.h memcpy, memcmp, memset,

1.02k views • 54 slides
Standard 3. Accreditation and Assessment Standard 8. Compliance Standard 9. Virginia Index of

Standard 3. Accreditation and Assessment Standard 8. Compliance Standard 9. Virginia Index of

The Standards of Quality (SOQ) Standard 3. Accreditation and Assessment Standard 8. Compliance Standard 9. Virginia Index of Performance Recognition Program Dr. Cynthia A. Cave Assistant Superintendent for Policy and Communications

626 views • 31 slides
Standard Seven: The blood standard quality improvement cycle Philippa Kirkpatrick The NSQHS

Standard Seven: The blood standard quality improvement cycle Philippa Kirkpatrick The NSQHS

Standard Seven: The blood standard quality improvement cycle Philippa Kirkpatrick The NSQHS Standards Standard 1 Standard 2 Governance for Safety and Partnering with Quality in Health Consumers Service Organisations Standard 3 Healthcare

649 views • 32 slides
The Dual Simplex Method Combinatorial Problem Solving (CPS) Javier Larrosa Albert Oliveras

The Dual Simplex Method Combinatorial Problem Solving (CPS) Javier Larrosa Albert Oliveras

The Dual Simplex Method Combinatorial Problem Solving (CPS) Javier Larrosa Albert Oliveras Enric Rodr guez-Carbonell April 24, 2020 Basic Idea Abuse of terminology: Henceforth sometimes by optimal we will mean satisfying

711 views • 50 slides
Outline Introduction to Parsing Regular languages revisited Ambiguity and Syntax Errors

Outline Introduction to Parsing Regular languages revisited Ambiguity and Syntax Errors

Outline Introduction to Parsing Regular languages revisited Ambiguity and Syntax Errors Parser overview Context-free grammars (CFGs) Derivations Ambiguity Syntax errors Compiler Design 1 (2011) 2 Languages

353 views • 16 slides
Ubiquitous Computing Spring 2010 - Making Sense of Sensing

Ubiquitous Computing Spring 2010 - Making Sense of Sensing

Ubiquitous Computing Spring 2010 - Making Sense of Sensing Systems: Five questions for designers and Researchers - Distributed mediation of ambiguous

707 views • 18 slides
Arithmetic and Inference in a Large Theory Adam Pease, Infosys, Foothill Research Center

Arithmetic and Inference in a Large Theory Adam Pease, Infosys, Foothill Research Center

Arithmetic and Inference in a Large Theory Adam Pease, Infosys, Foothill Research Center adam.pease@infosys.com http://www.ontologyportal.org/ 1 Motivation Robot! Pick up my car Or Pick up my cart Disambiguate car/cart

601 views • 23 slides
Taaltheorie en Taalverwerking BSc Artificial Intelligence Raquel Fernndez Institute for Logic,

Taaltheorie en Taalverwerking BSc Artificial Intelligence Raquel Fernndez Institute for Logic,

Taaltheorie en Taalverwerking BSc Artificial Intelligence Raquel Fernndez Institute for Logic, Language, and Computation Winter 2012, lecture 3b Raquel Fernndez TtTv 2012 - lecture 3b 1 / 19 Plan for Today Theoretical session: PCFGs

585 views • 36 slides
Automatically Annotating Text with Linked Open Data Delia Rusu , Bla Fortuna, Dunja Mladeni

Automatically Annotating Text with Linked Open Data Delia Rusu , Bla Fortuna, Dunja Mladeni

Automatically Annotating Text with Linked Open Data Delia Rusu , Bla Fortuna, Dunja Mladeni Joef Stefan Institute ailab.ijs.si Motivation: Annotating Text with LOD DBpedia Open Cyc WordNet ailab.ijs.si Overview Related work

429 views • 17 slides
EQUAL Encyclopaedic QA for Lists Iustin Dornescu Research Group in Computational Linguistics,

EQUAL Encyclopaedic QA for Lists Iustin Dornescu Research Group in Computational Linguistics,

Semantic QA: my vision for the future EQUAL Implementation details EQUAL Encyclopaedic QA for Lists Iustin Dornescu Research Group in Computational Linguistics, University of Wolverhampton, UK October 2, 2009 Iustin Dornescu CLEF

365 views • 14 slides
Action recognition Cordelia Schmid INRIA Grenoble Action recognition examples Short

Action recognition Cordelia Schmid INRIA Grenoble Action recognition examples Short

Action recognition Cordelia Schmid INRIA Grenoble Action recognition examples Short actions, i.e. answer phone, shake hands answer phone hand shake Hollywood dataset Action recognition examples Activities/events, i.e.

615 views • 18 slides

More recommend