The Trusted Computing Base of the CompCert Verified Compiler

Abstract: is the first realistic formally verified compiler: it provides a machine-checked mathematical proof that the code it generates matches the source code. Yet, there could be loopholes in this approach. We comprehensively analyze aspects of where errors could lead to incorrect code being generated. Possible issues range from the modeling of the source and the target languages to some techniques used to call external algorithms from within the compiler.

“…Furthermore, some instructions present in CompCert's "assembly" languages are actually macros expanded by trusted (unverified) OCaml code. Some of these macros were inexactly specified, for instance by forgetting a clobbered register-this went unnoticed as long as the compiler did not take advantage of the value in that register being preserved [13]. (6) Assembly language mis-expansion or misprinting: we also found rare miscompilations in the expansion or printing of macros-instructions.…”

Testing a Formally Verified Compiler

“…Furthermore, some instructions present in CompCert's "assembly" languages are actually macros expanded by trusted (unverified) OCaml code. Some of these macros were inexactly specified, for instance by forgetting a clobbered register-this went unnoticed as long as the compiler did not take advantage of the value in that register being preserved [13]. (6) Assembly language mis-expansion or misprinting: we also found rare miscompilations in the expansion or printing of macros-instructions.…”

Testing a Formally Verified Compiler

“…3 This proof of correctness, verified by the Coq proof assistant, ensures that the behavior of the assembly code produced by the compiler matches the behavior of the source code. Possibilities for code generation bugs in CompCert are extremely limited, and are typically found in unverified parts of the system such as the passes that prints assembly code [14]. In particular, CompCert does not have the middleend bugs usually found in compilers [21], notably in optimization passes.…”

“…5 This complicates implementation and limits efficiency. A workaround is to call OCaml code from Coq, but in doing so one must not increase the trusted computing base, or at most by a very small and controlled amount [14].…”

“…We thus run CompCert's typing analysis first and verify that the type of the chunk matches the type computed for r s . 14 12 Some arithmetic operations and conditions are also considered by CompCert to depend on memory. The simple solution we use is to discard them on a memory write.…”

“…We summarize here the findings of a recent study of CompCert's trusted computing base [14]. Official CompCert's trusted computing base consists of 11. the axiomatization of these pseudo-instructions (e.g., the registers they may clobber);…”

Formally Verified Loop-Invariant Code Motion and Assorted Optimizations

Pragmatics of formally verified yet efficient static analysis, in particular, for formally verified compilers