A concrete memory model for CompCert

Size: px

Start display at page:

Download "A concrete memory model for CompCert"

Eric Blankenship
6 years ago
Views:

1 A concrete memory model for CompCert Frédéric Besson Sandrine Blazy Pierre Wilke Rennes, France P. Wilke A concrete memory model for CompCert 1 / 28

2 CompCert real-world C to ASM compiler used in industry (commercialised by AbsInt) proven correct in Coq: it does not introduce bugs! C Clight Cminor RTL ASM P. Wilke A concrete memory model for CompCert 2 / 28

3 CompCert real-world C to ASM compiler used in industry (commercialised by AbsInt) proven correct in Coq: it does not introduce bugs! C Clight Cminor RTL ASM P. Wilke A concrete memory model for CompCert 2 / 28

4 CompCert real-world C to ASM compiler used in industry (commercialised by AbsInt) proven correct in Coq: it does not introduce bugs! C Clight Cminor RTL ASM Each language has a Formal Semantics i.e. a mathematical meaning for programs P. Wilke A concrete memory model for CompCert 2 / 28

5 CompCert real-world C to ASM compiler used in industry (commercialised by AbsInt) proven correct in Coq: it does not introduce bugs! C Clight Cminor RTL ASM Each language has a Formal Semantics i.e. a mathematical meaning for programs Proof of semantic preservation For every source program S that has a defined semantics, If the compiler succeeds to generate a target program T, Then T has the same behavior as S. P. Wilke A concrete memory model for CompCert 2 / 28

6 CompCert real-world C to ASM compiler used in industry (commercialised by AbsInt) proven correct in Coq: it does not introduce bugs! Memory model C Clight Cminor RTL ASM Each language has a Formal Semantics i.e. a mathematical meaning for programs Proof of semantic preservation For every source program S that has a defined semantics, If the compiler succeeds to generate a target program T, Then T has the same behavior as S. P. Wilke A concrete memory model for CompCert 2 / 28

7 Goal: Make the semantics of C more defined Why did C leave some behaviors undefined? Portability Performance Why do we want to make it more defined? real-life programs use features that are undefined, according to C the compilation theorem will be more useful What kind of undefined behaviors do we aim at? undefined pointer arithmetic, i.e. bitwise operators use of uninitialised memory Our starting point: CompCert P. Wilke A concrete memory model for CompCert 3 / 28

8 An example of low-level C program in CompCert b p int main(){ int * p = (int *) malloc (sizeof (int)); *p = 42; int * q = p 5; int * r = (q» 3) «3; return *r; } b q b r P. Wilke A concrete memory model for CompCert 4 / 28

9 An example of low-level C program in CompCert b p b q int main(){ int * p = (int *) malloc (sizeof (int)); *p = 42; int * q = p 5; int * r = (q» 3) «3; return *r; } (b,0) b b r P. Wilke A concrete memory model for CompCert 4 / 28

10 An example of low-level C program in CompCert b p b q int main(){ int * p = (int *) malloc (sizeof (int)); *p = 42; int * q = p 5; int * r = (q» 3) «3; return *r; } (b,0) b 42 b r P. Wilke A concrete memory model for CompCert 4 / 28

11 An example of low-level C program in CompCert b p b q int main(){ int * p = (int *) malloc (sizeof (int)); *p = 42; int * q = p 5; int * r = (q» 3) «3; return *r; } (b,0) b 42 b r Bitwise operators on pointers are undefined behavior! CompCert [JAR 09], KCC [POPL 12], Krebbers [POPL 14], Norrish [PhD 98]: undefined behavior Kang et al. [PLDI 15]: don t model bitwise operators P. Wilke A concrete memory model for CompCert 4 / 28

12 Contributions Previous work [APLAS 14]: A memory model for low-level programs This work: integration of the memory model inside CompCert correctness proofs of the memory model correctness proofs of the transformations of the frontend (up to Cminor) P. Wilke A concrete memory model for CompCert 5 / 28

13 Outline 1 CompCert s memory model 2 New features of the memory model 3 Consistency of the memory models 4 CompCert proof: Overview 5 Conclusion P. Wilke A concrete memory model for CompCert 6 / 28

14 Outline 1 CompCert s memory model 2 New features of the memory model 3 Consistency of the memory models 4 CompCert proof: Overview 5 Conclusion P. Wilke A concrete memory model for CompCert 7 / 28

15 New features of the memory model Symbolic expressions val ::= i (b, o) not expressive enough We change the semantic domain to: expr ::= val op 1 expr expr op 2 expr P. Wilke A concrete memory model for CompCert 8 / 28

16 New features of the memory model Symbolic expressions val ::= i (b, o) not expressive enough We change the semantic domain to: Alignment constraints expr ::= val op 1 expr expr op 2 expr We need information about some bits of the concrete address of a pointer The alloc primitive takes an extra parameter mask, such that: A(b) & mask = A(b) P. Wilke A concrete memory model for CompCert 8 / 28

17 Interaction with the memory model What is the semantics of reading from memory: *p? In CompCert, p is evaluated into a pointer (b,i), then we can use load(m,b,i) In our model, p is a symbolic expression. It needs to be transformed into a pointer so that we can use load. normalise : mem expr val We need to modify the semantics to include calls to normalise memory accesses (load and store) conditionnal branches P. Wilke A concrete memory model for CompCert 9 / 28

18 Back to the example b p int main(){ int * p = (int *) malloc (sizeof (int)); *p = 42; int * q = p 5; int * r = (q» 3) «3; return *r; } (b,0) b 8 42 b q b r P. Wilke A concrete memory model for CompCert 10 / 28

19 Back to the example b p b q int main(){ int * p = (int *) malloc (sizeof (int)); *p = 42; int * q = p 5; int * r = (q» 3) «3; return *r; } (b,0) (b,0) 5 b 8 42 b r P. Wilke A concrete memory model for CompCert 10 / 28

20 Back to the example b p b q b r int main(){ int * p = (int *) malloc (sizeof (int)); *p = 42; int * q = p 5; int * r = (q» 3) «3; return *r; } (b,0) (b,0) 5 ( ((b,0) 5 ) 3 ) 3 b 8 42 P. Wilke A concrete memory model for CompCert 10 / 28

21 Back to the example b p b q int main(){ int * p = (int *) malloc (sizeof (int)); *p = 42; int * q = p 5; int * r = (q» 3) «3; return *r; } (b,0) (b,0) 5 b 8 42 b r ( ((b,0) 5 ) 3 ) 3 normalise (b,0) P. Wilke A concrete memory model for CompCert 10 / 28

22 Back to the example b p b q int main(){ int * p = (int *) malloc (sizeof (int)); *p = 42; int * q = p 5; int * r = (q» 3) «3; return *r; } (b,0) (b,0) 5 b 8 42 b r ( ((b,0) 5 ) 3 ) 3 normalise (b,0) P. Wilke A concrete memory model for CompCert 10 / 28

23 Normalisation specification: concrete memories (b 2,2) 5 Abstract memory m cm 1 cm 2 Concrete memories of m cm i m cm 3 cm 4 cm 5 cm 6 range : ]0;55[ no overlap alignment P. Wilke A concrete memory model for CompCert 11 / 28

24 Normalisation: example 1 e = ((( b,0) 5) 3) 3 cm 1 8 = (b,o) cm1 cm 2 8 = (b,o) cm2 cm 3 16 = (b,o) cm3 cm 4 24 = (b,o) cm4 cm 5 32 = (b,o) cm5 cm 6 32 = (b,o) cm e cm1 = (((cm 1 (b) + 0) 5) 3) = ((8 5) 3) = ((0b1000 5) 3) 3 = (0b1101 3) 3 = 0b = 0b1000 = 8 = cm 1 (b) i, e cmi = cm i (b), hence e normalises into (b,0) P. Wilke A concrete memory model for CompCert 12 / 28

25 Normalisation: example 2 e = ( b,0) > ( b,0) cm 1 cm 2 cm 3 cm 4 cm 5 cm 6 true true true false false false There is no v such that i, e cmi = v cmi, hence e doesn t normalise P. Wilke A concrete memory model for CompCert 13 / 28

26 CompCert with symbolic expressions expr ::= val op 1 expr expr op 2 expr b 1 (b 2,2) b 3 5 b (b,o) 5 Memory model C Clight Cminor RTL ASM S S S S S P. Wilke A concrete memory model for CompCert 14 / 28

27 Outline 1 CompCert s memory model 2 New features of the memory model 3 Consistency of the memory models 4 CompCert proof: Overview 5 Conclusion P. Wilke A concrete memory model for CompCert 15 / 28

28 How does our model compare to CompCert? x(t) x(t) Behaviors in CompCert t Behaviors with symbolic expressions t We are an extension of CompCert P. Wilke A concrete memory model for CompCert 16 / 28

29 How does our model compare to CompCert? Formally, Lemma expr_add_ok: v 1 v 2 m v, sem_add v 1 v 2 m = v e, sem_add_expr v 1 v 2 m = e normalise m e = v. If the addition of v 1 and v 2 succeeds in CompCert, Then it should succeed in our model as well, And the expression we compute should normalise into the same value. P. Wilke A concrete memory model for CompCert 17 / 28

30 Discovery of bugs 2 cases where our model disagrees with CompCert Bug in CompCert 2.4: Pointer comparison to NULL (fixed in CompCert 2.5) Bug in our model: incorrect handling of pointers one past the end P. Wilke A concrete memory model for CompCert 18 / 28

31 Incorrect pointer comparison to NULL In CompCert: pointers are pairs (b, o) the NULL pointer is represented as the integer 0 p == 0 was incorrectly defined to always evaluate to false when p is a pointer. b But we need to check that o is a valid offset of b (b,o) cm = cm(b) + o is not zero only in that case otherwise (b, 8) evaluates to zero P. Wilke A concrete memory model for CompCert 19 / 28

32 Outline 1 CompCert s memory model 2 New features of the memory model 3 Consistency of the memory models 4 CompCert proof: Overview 5 Conclusion P. Wilke A concrete memory model for CompCert 20 / 28

33 Overview of CompCert architecture C Clight C minor Cminor frontend backend Linear LTL RTL CminorSel Mach ASM : conserves the memory layout : modifies the memory layout P. Wilke A concrete memory model for CompCert 21 / 28

34 Memory injections: a generic memory transformation In CompCert C, each local variable has its own block. During the compilation these variables are merged into a stack frame. mem_inject f m m m m f b b 1 b 2 1 (b 3,o) f f 1 (b,o + δ 2 ) 37 δ 1 δ 2 b 3 37 Adapting to symbolic expressions: generalization of the injection over values lots of proofs to adapt (relation with normalisation) P. Wilke A concrete memory model for CompCert 22 / 28

35 Memory injections - Central theorem Theorem norm_inject: f m m e e (Minj: inject f m m ) (Einj: expr_inject f e e ), val_inject f (normalise m e) (normalise m e ). We can show that: v,val_inject f (normalise m e) v Let s now prove that: normalise m e = v cm m, e cm = v cm From the specification of the normalisation of e in m we know: cm m, e cm = normalise m e cm We need a theorem relating evaluations in cm and cm! P. Wilke A concrete memory model for CompCert 23 / 28

36 Memory injections - Evaluation mem_inject f m m Concrete memories of m Concrete memories of m pre_cm(f,cm ): recovers a concrete memory as it was before injection Definition pre_cm f cm := fun (b: block) let (b, delta) := f b in cm b + delta. Theorem expr_inject_eval: f cm e e (Einj: expr_inject f e e ), e cm = e pre_cm(f,cm ). P. Wilke A concrete memory model for CompCert 24 / 28

37 Memory injections - Central theorem Theorem norm_inject: f m m e e (Minj: inject f m m ) (Einj: expr_inject f e e ), val_inject f (normalise m e) (normalise m e ). Concrete memories of m Concrete memories of m We are left to prove: cm m, e cm = v cm expr_inject_eval : expr_inject f e e e cm = e pre_cm(f,cm ) We rewrite both sides using expr_inject_eval, the goal becomes: cm m, e pre_cm(f,cm ) = normalise m e pre_cm(f,cm ) From the specification of the normalisation of e in m we know: which solves our goal. cm m, e cm = normalise m e cm P. Wilke A concrete memory model for CompCert 25 / 28

38 Outline 1 CompCert s memory model 2 New features of the memory model 3 Consistency of the memory models 4 CompCert proof: Overview 5 Conclusion P. Wilke A concrete memory model for CompCert 26 / 28

39 Conclusion A semantics for C more precise than CompCert s compatible with CompCert nearly as proven correct as CompCert Future directions finish the proof by adapting the last remaining unproven pass add a more concrete assembly language to the certified compilation chain plug back in optimizations at RTL level (precision improvement?, still sound?) P. Wilke A concrete memory model for CompCert 27 / 28

40 Questions? P. Wilke A concrete memory model for CompCert 28 / 28

An Abstract Stack Based Approach to Verified Compositional Compilation to Machine Code

An Abstract Stack Based Approach to Verified Compositional Compilation to Machine Code Yuting Wang 1, Pierre Wilke 1,2, Zhong Shao 1 Yale University 1, CentraleSupélec 2 POPL 19 January 18 th, 2019 Yuting