Formal verification of a realistic compiler
Citations
An Approach for Proving the Correctness of Inspector/Executor Transformations
On the use of formal methods to model and verify neuronal archetypes
A trustworthy mechanized formalization of R
Binsec/Rel: Symbolic Binary Analyzer for Security with Applications to Constant-Time and Secret-Erasure
Towards Practical, Precise and Parametric Energy Analysis of IT Controlled Systems
Frequently Asked Questions (11)
Q2. What are the future works mentioned in the paper "Formal verification of a realistic compiler" ?
The CompCert experiment described in this paper is still ongoing, and much work remains to be done: handle a larger subset of C (e.g., including goto); deploy and prove correct more optimizations; target other processors beyond PowerPC; extend the semantic preservation proofs to shared-memory concurrency; etc. However, the preliminary results obtained so far provide strong evidence that the initial goal of formally verifying a realistic compiler can be achieved, within the limitations of today's proof assistants, and using only elementary semantic and algorithmic approaches. The techniques and tools the authors used are very far from perfect—more proof automation, higher-level semantics and more modern intermediate representations all have the potential to significantly reduce the proof effort—but good enough to achieve the goal. Composed with the CompCert back-end, these efforts could eventually result in a trusted execution path for programs written and verified in Coq, like CompCert itself, therefore increasing confidence further through a form of bootstrapping.
Q3. What are the behaviors the authors observe in CompCert?
The behaviors the authors observe in CompCert include termination, divergence, and “going wrong” (invoking an undefined operation that could crash, such as accessing an array out of bounds).
Q4. What is the strongest notion of semantic preservation in the CompCert experiment?
The strongest notion is that the compiled code C and the source program S have exactly the same observable behaviors: ∀B, S ⇓ B ⟺ C ⇓ B (property (1) in the paper). This is too strong in general: a compiler is allowed to resolve nondeterministic choices left open by the source language (such as C's unspecified evaluation order), and so to keep only some of S's behaviors. For this reason, in the CompCert experiment and the remainder of the paper, the authors focus on source and target languages that are deterministic (programs change their behaviors only in response to different inputs but not because of internal choices) and on execution environments that are deterministic as well (the inputs given to the programs are uniquely determined by their previous outputs).
Q5. What is the impact of compiler bugs?
For low-assurance software, validated only by testing, the impact of compiler bugs is low: what is tested is the executable code produced by the compiler; rigorous testing should expose compiler-introduced errors along with errors already present in the source program.
Q6. What is the expected correctness property of the compiler?
The expected correctness property of the compiler is that it preserves the fact that the source code S satisfies the specification, a fact that has been established separately by formal verification of S: S ⊨ Spec ⟹ C ⊨ Spec (4). It is easy to show that property (2) implies property (4) for all specifications Spec.
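The claim that property (2) implies property (4) is stated above without the argument. The following Lean 4 block is an added example, not text or code from the paper or from the CompCert project: it models a program by its set of observable behaviors (terminating, diverging, going wrong, as in Q3), states properties (2) and (4), and proves the implication for an arbitrary Spec. The statement of property (2) used here (S safe ⟹ ∀B, C ⇓ B ⟹ S ⇓ B) and the definition of S ⊨ Spec as "S is safe and every behavior of S satisfies Spec" are assumptions about the paper's definitions, since neither appears on this page; the identifiers Behavior, Semantics, Safe, Sat, Prop2 and Prop4 are invented for this example.

```lean
-- Added example, not the paper's or CompCert's code. Names are invented here;
-- the statement of property (2) and the definition of ⊨ are assumptions about
-- the paper's definitions.

-- The three kinds of observable behavior mentioned in Q3. A trace records the
-- observable input/output events; the exit code is observable on termination.
inductive Behavior where
  | terminates (trace : List Nat) (exitCode : Nat)
  | diverges   (trace : List Nat)
  | goesWrong  (trace : List Nat)

-- B ∈ Wrong
def Behavior.isWrong : Behavior → Prop
  | .goesWrong _ => True
  | _            => False

-- A language is given by its behavioral semantics: `exec P B` means P ⇓ B.
structure Semantics (α : Type) where
  exec : α → Behavior → Prop

variable {α β : Type} (Ls : Semantics α) (Lt : Semantics β)

-- "S safe": no behavior of S goes wrong.
abbrev Safe (S : α) : Prop :=
  ∀ B, Ls.exec S B → ¬ B.isWrong

-- S ⊨ Spec (assumed definition): S is safe and every behavior satisfies Spec.
abbrev Sat (S : α) (Spec : Behavior → Prop) : Prop :=
  Safe Ls S ∧ ∀ B, Ls.exec S B → Spec B

-- Property (2) (assumed statement): S safe ⟹ ∀B, C ⇓ B ⟹ S ⇓ B,
-- i.e. if the source is safe, every behavior of the compiled code is one
-- the source already had.
abbrev Prop2 (S : α) (C : β) : Prop :=
  Safe Ls S → ∀ B, Lt.exec C B → Ls.exec S B

-- Property (4), as quoted on this page: S ⊨ Spec ⟹ C ⊨ Spec.
abbrev Prop4 (S : α) (C : β) (Spec : Behavior → Prop) : Prop :=
  Sat Ls S Spec → Sat Lt C Spec

-- "It is easy to show that property (2) implies property (4) for all Spec":
-- from S ⊨ Spec we get S safe, so by (2) every behavior of C is a behavior
-- of S; S's behaviors neither go wrong nor violate Spec, hence neither do C's.
theorem prop2_implies_prop4 (S : α) (C : β) (Spec : Behavior → Prop)
    (h : Prop2 Ls Lt S C) : Prop4 Ls Lt S C Spec :=
  fun hsat =>
    let hincl : ∀ B, Lt.exec C B → Ls.exec S B := h hsat.1
    ⟨fun B hB => hsat.1 B (hincl B hB), fun B hB => hsat.2 B (hincl B hB)⟩
```

The proof mirrors the informal argument: safety of S is exactly what is needed to discharge the hypothesis of (2), after which every fact established about S's behaviors (no going wrong, satisfying Spec) transfers to C's behaviors because they are a subset of S's. Nothing here relies on the languages being deterministic; determinism matters for the separate step, discussed under Q4 and Q8, of replacing behavior inclusion in one direction with the more convenient property (3).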
Q7. How can a certifying compiler be constructed?
A certifying compiler can be constructed, at least theoretically, from a verified compiler, provided that the verification was conducted in a logic that follows the "propositions as types, proofs as programs" paradigm.
Q8. What is the correctness proof of the compiler?
Provided the target language of the compiler has deterministic semantics, an appropriate specification for the correctness proof of the compiler is the combination of definitions (3) and (6): ∀S, C, B ∉ Wrong, Comp(S) = OK(C) ∧
Q9. What is the way to test a compiler?
For critical, high-assurance software, validation by testing reaches its limits and needs to be complemented or even replaced by the use of formal methods such as model checking, static analysis, and program proof.
Q10. What is the definition of a verified compiler?
By verified, the authors mean a compiler that is accompanied by a machine-checked proof of a semantic preservation property: the generated machine code behaves as prescribed by the semantics of the source program.
Q11. What is the way to test compilers?
Bugs in the compiler used to turn formally verified source code into an executable can potentially invalidate all the guarantees so painfully obtained by the use of formal methods.