

Section: New Results

Certified Compilation

Participants : Sandrine Blazy, Frédéric Besson, Pierre Wilke, Alexandre Dang.

The CompCert C compiler provides the formal guarantee that the observable behaviour of the compiled code improves on (refines) the observable behaviour of the source code. A first limitation of this guarantee is that if the source code goes wrong, i.e. does not have a well-defined behaviour, any compiled code whatsoever satisfies the theorem. Another limitation is that CompCert's notion of observable behaviour is restricted to I/O events.

Over the past years, we have developed a semantic theory in which, unlike in CompCert but as in GCC, the binary representation of pointers can be manipulated much like integers, and in which memory is a finite resource. We now have a formally verified C compiler, CompCertS, which is essentially the CompCert compiler, albeit with a stronger formal guarantee. The semantics preservation theorem applies to a wider class of existing C programs and, therefore, their compiled versions benefit from the formal guarantee of CompCertS. CompCertS preserves not only the observable behaviour of programs but also ensures that memory consumption is preserved by the compiler. As a result, we have the formal guarantee that the compiled code requires no more memory than the source code. This ensures that the absence of stack overflows is preserved by compilation.

The whole proof of CompCertS represents a significant proof effort, and the details can be found in Pierre Wilke's PhD thesis [39].

CompCertS also implements the Portable Software Fault Isolation approach pioneered by Kroll et al. [38]. The advantage of CompCertS is that the pointer masking operation at the heart of this approach has a defined semantics and can therefore be reasoned about directly.
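To make concrete what "manipulating the binary representation of pointers like integers" and the SFI "masking operation" look like in C, here is an added example written for this page; it is not code from CompCertS, CompCert or Kroll et al. The sandbox size, its alignment and the base-or-offset layout are assumptions of the example, and the masks are written by hand at the source level, whereas PSFI has the compiler insert them. Under CompCert's abstract block/offset pointers, the bitwise `&` applied to a pointer in `ptr_is_aligned` and `sfi_mask` has no defined value; in CompCertS it does, which is what makes the masked store below something the compiler's proof can talk about.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical sandbox layout (an assumption of this example, not a
 * CompCertS or PSFI constant): one 4 KiB data region aligned on its own
 * size, so every address inside it is  base | (offset within region). */
#define SBX_SIZE 4096u
static _Alignas(SBX_SIZE) unsigned char sandbox[SBX_SIZE];

/* Pointer-as-integer idiom 1: an alignment check. This reads the binary
 * representation of the pointer. CompCert's abstract (block, offset)
 * pointers give this expression no value; CompCertS gives it the obvious one. */
static int ptr_is_aligned(const void *p, uintptr_t align) {
    return ((uintptr_t)p & (align - 1)) == 0;
}

/* Pointer-as-integer idiom 2: the SFI masking operation. Whatever pointer
 * the untrusted code computed, keep only its low bits (the offset inside
 * the region) and splice in the region base. The result always lies in
 * [sandbox, sandbox + SBX_SIZE), so a store through it cannot escape. */
static unsigned char *sfi_mask(const void *p) {
    uintptr_t base = (uintptr_t)sandbox;           /* low 12 bits are zero */
    uintptr_t off  = (uintptr_t)p & (uintptr_t)(SBX_SIZE - 1);
    return (unsigned char *)(base | off);
}

/* Offset within the sandbox that a masked pointer lands on. */
static size_t sfi_offset(const void *p) {
    return (size_t)(sfi_mask(p) - sandbox);
}

/* A sandboxed store: the untrusted pointer is masked before every write.
 * Returns the offset actually written. */
static size_t sfi_store(void *p, unsigned char v) {
    unsigned char *q = sfi_mask(p);
    *q = v;
    return (size_t)(q - sandbox);
}

/* Does an (unmasked) pointer already point inside the sandbox? */
static int sfi_in_bounds(const void *p) {
    uintptr_t a = (uintptr_t)p, base = (uintptr_t)sandbox;
    return a >= base && a < base + SBX_SIZE;
}

int main(void) {
    /* In-bounds pointer: masking is the identity. */
    unsigned char *ok = sandbox + 100;
    /* Out-of-bounds pointer, built from an integer as untrusted code might:
     * 5000 bytes past the base, i.e. 904 bytes past the end of the region. */
    unsigned char *bad = (unsigned char *)((uintptr_t)sandbox + 5000);

    printf("sandbox aligned to %u: %d\n", SBX_SIZE, ptr_is_aligned(sandbox, SBX_SIZE));
    printf("in-bounds     %p -> %p (offset %zu)\n",
           (void *)ok, (void *)sfi_mask(ok), sfi_offset(ok));
    printf("out-of-bounds %p -> %p (offset %zu)\n",
           (void *)bad, (void *)sfi_mask(bad), sfi_offset(bad));
    printf("bad in bounds before masking: %d, after: %d\n",
           sfi_in_bounds(bad), sfi_in_bounds(sfi_mask(bad)));
    sfi_store(bad, 0x41);
    printf("byte written at offset %zu: 0x%02x\n",
           sfi_offset(bad), sandbox[sfi_offset(bad)]);
    return 0;
}
```

The out-of-bounds pointer is deliberately produced by an integer-to-pointer conversion rather than by array arithmetic past the end, because that is the kind of program CompCert's standard memory model cannot give a meaning to and CompCertS can. Note that the mask only guarantees the write lands somewhere in the region, not at the address the untrusted code intended; that is the whole point of fault isolation as opposed to bounds checking.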