A Formalization of the C99 Standard in HOL, Isabelle and Coq Robbert Krebbers Joint work with Freek Wiedijk Radboud University Nijmegen July 19, 2011 @ CICM, Bertinoro, Italy The C programming language Among the two currently most used languages: I LangPop.com - Programming Language Popularity I TIOBE Software - Programming Community index Used for the smallest microcontroller to the largest supercomputer. The C99 standard The official description issued by ANSI and ISO: I Written in English I No mathematically precise formalism I Incomplete and ambiguous int *p = &x + 1, *q = &y; if (memcmp(&p, &q, sizeof(p)) == 0) { printf("%d\n", *p); } Example int x = 30, y = 31; 30 31 &x &y int *p = &x + 1, *q = &y; if (memcmp(&p, &q, sizeof(p)) == 0) { printf("%d\n", *p); } Example int x = 30, y = 31; 30 31 &x &x+1 &y if (memcmp(&p, &q, sizeof(p)) == 0) { printf("%d\n", *p); } Example int x = 30, y = 31; int *p = &x + 1, *q = &y; 3030 31 p q printf("%d\n", *p); Example int x = 30, y = 31; int *p = &x + 1, *q = &y; if (memcmp(&p, &q, sizeof(p)) == 0) { } 3030 31 p q Example int x = 30, y = 31; int *p = &x + 1, *q = &y; if (memcmp(&p, &q, sizeof(p)) == 0) { printf("%d\n", *p); } 3030 31 p q Example int x = 30, y = 31; int *p = &x + 1, *q = &y; if (memcmp(&p, &q, sizeof(p)) == 0) { printf("%d\n", *p); } Defect report #260: The implementation is permitted to use the derivation of a pointer value in determining whether or not access through that pointer is undefined behaviour, . The Formalin project I May 2011 to May 2015 Isabelle/ I Create a formalization of the OL4 H HOL complete C99 standard C99 I In the theorem provers HOL4, Isabelle/HOL and Coq I Which follow the standard closely COQ I All derived from a common master formalization (e.g. in Ott) Features I C preprocessor I C standard library I Floating point arithmetic I Casts I Non-determinism I Sequence points I Alignment requirements I Non-local control flow (goto, setjmp/longjmp, signal handling) I volatile, restrict and const variables I Programs in a `freestanding environment' Purposes I Utterly precise version of the standard I Validate correctness of formal versions of subsets of C (e.g. Compcert) I Verify correctness of verification conditions generated by tools (e.g. VCC or Frama-C) Research team Robbert Krebbers Freek Wiedijk Herman Geuvers James McKinna PhD student Project leader Promotor Advisor RU, The RU, The RU, The RU, The Netherlands Netherlands Netherlands Netherlands Jean-Christophe Erik Poll Michael Norrish Andreas Lochbihler Filli^atre Advisor HOL advisor Isabelle advisor Coq advisor RU, The NICTA, Australia KIT, Germany CNRS, France Netherlands Related projects I Michael Norrish. C and C++ semantics (L4.verified) I Xavier Leroy et al. Verified C compiler in Coq (Compcert) I Chucky Ellison and Grigore Rosu. Executable C semantics in Maude (KCC) More information http://ch2o.cs.ru.nl/.