A Formalization of the C99 Standard in HOL, Isabelle and Coq

Robbert Krebbers Joint work with Freek Wiedijk

Radboud University Nijmegen

July 19, 2011 @ CICM, Bertinoro, Italy The C programming language

Among the two currently most used languages:

I LangPop.com - Programming Language Popularity

I TIOBE Software - Programming Community index

Used for the smallest microcontroller to the largest supercomputer. The C99 standard

The official description issued by ANSI and ISO:

I Written in English

I No mathematically precise formalism

I Incomplete and ambiguous int *p = &x + 1, *q = &y; if (memcmp(&p, &q, sizeof(p)) == 0) { printf("%d\n", *p); }

Example

int x = 30, y = 31;

30 31

&x &y int *p = &x + 1, *q = &y; if (memcmp(&p, &q, sizeof(p)) == 0) { printf("%d\n", *p); }

Example

int x = 30, y = 31;

30 31

&x &x+1 &y if (memcmp(&p, &q, sizeof(p)) == 0) { printf("%d\n", *p); }

Example

int x = 30, y = 31; int *p = &x + 1, *q = &y;

3030 31

p q printf("%d\n", *p);

Example

int x = 30, y = 31; int *p = &x + 1, *q = &y; if (memcmp(&p, &q, sizeof(p)) == 0) {

} 3030 31

p q Example

int x = 30, y = 31; int *p = &x + 1, *q = &y; if (memcmp(&p, &q, sizeof(p)) == 0) { printf("%d\n", *p); } 3030 31

p q Example

int x = 30, y = 31; int *p = &x + 1, *q = &y; if (memcmp(&p, &q, sizeof(p)) == 0) { printf("%d\n", *p); }

Defect report #260: The implementation is permitted to use the derivation of a pointer value in determining whether or not access through that pointer is undefined behaviour, . . . The Formalin project

I May 2011 to May 2015 Isabelle/ I Create a formalization of the OL4 H HOL complete C99 standard C99 I In the theorem provers HOL4, Isabelle/HOL and Coq

I Which follow the standard closely COQ I All derived from a common master formalization (e.g. in Ott) Features

I C preprocessor

I C standard library

I Floating point arithmetic

I Casts

I Non-determinism

I Sequence points

I Alignment requirements

I Non-local control flow (goto, setjmp/longjmp, signal handling)

I volatile, restrict and const variables

I Programs in a ‘freestanding environment’ Purposes

I Utterly precise version of the standard

I Validate correctness of formal versions of subsets of C (e.g. Compcert)

I Verify correctness of verification conditions generated by tools (e.g. VCC or Frama-C) Research team

Robbert Krebbers Freek Wiedijk Herman Geuvers James McKinna

PhD student Project leader Promotor Advisor RU, The RU, The RU, The RU, The Netherlands Netherlands Netherlands Netherlands

Jean-Christophe Erik Poll Michael Norrish Andreas Lochbihler Filliˆatre

Advisor HOL advisor Isabelle advisor Coq advisor RU, The NICTA, Australia KIT, Germany CNRS, France Netherlands Related projects

I Michael Norrish. C and C++ semantics (L4.verified)

I Xavier Leroy et al. Verified C compiler in Coq (Compcert)

I Chucky Ellison and Grigore Rosu. Executable C semantics in Maude (KCC) More information

http://ch2o.cs.ru.nl/