A Formalization of the C99 Standard in HOL, Isabelle And

A Formalization of the C99 Standard in HOL, Isabelle and Coq Robbert Krebbers Freek Wiedijk Institute for Computing and Information Sciences, Radboud University Nijmegen, The Netherlands

The C99 standard Related projects Some subtleties of C The official description issued by ANSI and ISO: Michael Norrish. C and C++ semantics (L4.verified) Undefined behavior due to unknown evaluation order: Written in English Xavier Leroy et al. Verified C compiler in Coq (Compcert) int i = 0; No mathematically precise formalism Chucky Ellison and Grigore Rosu. Executable C semantics in Maude i = ++i; // undefined Incomplete and ambiguous Overflow of signed integers is undefined: The formalizations The Formalin project int i = INT_MAX; Describe a space C semantics of all possible C semantics with relations return i < i + 1; May 2011 to May 2015 between these semantics // undefined: hence, a compiler is allowed to http://ch2o.cs.ru.nl/ And, a small step semantics, C99 : C semantics // optimize this to return 1 Create a formalization of the complete C99 standard On the other hand, unsigned integer arithmetic is modular In the theorem provers HOL4, Isabelle/HOL and Coq Undefined behavior due to jumping into a block with a variable length Which follow the standard closely array declaration: All derived from a common master formalization (e.g. in Ott) goto foo; // undefined Isabelle/ Features int a[n]; HOL4 label foo; printf("bar\n"); C preprocessor HOL Freeing memory makes pointers to it indeterminate C standard library int *x = malloc(sizeof(int)); Floating point arithmetic 99 free (x); Casts C printf("%p\n", x); // undefined Non-determinism Contiguously allocated objects Sequence points int x = 30, y = 31; Alignment requirements int *p = &x + 1, *q = &y; Non-local control flow ( , / , signal handling) goto setjmp longjmp if (memcmp(&p, &q, sizeof(p)) == 0) { volatile, restrict and const variables printf("%d\n", *p); Programs in a ‘freestanding environment’ COQ // the standard is unclear whether this is Purposes // defined (see Defect report #260). } Utterly precise version of the standard. Useful for compiler writers and programmers References Validate correctness of formal versions of subsets of C (e.g. Compcert) International Organization for Standardization. ISO/IEC 9899:1999: with respect to the whole standard Dissemination Programming languages – C. ISO Working Group 14, 1999. Verify correctness of verification conditions generated by tools (e.g. VCC Open source, under a BSD-style license Freek Wiedijk. Formalizing the C99 standard in HOL, Isabelle and Coq. or Frama-C) Using MKM tools like those being developed in the MathWiki project http://www.cs.ru.nl/~freek/notes/ch2o.pdf, 2010.

Research team Robbert Krebbers Freek Wiedijk Herman Geuvers James McKinna Erik Poll Michael Norrish Andreas Lochbihler Jean-Christophe Filliˆatre

PhD student Project leader Promotor Advisor Advisor HOL advisor Isabelle advisor Coq advisor RU, The Netherlands RU, The Netherlands RU, The Netherlands RU, The Netherlands RU, The Netherlands NICTA, Australia KIT, Germany CNRS, France