Language proof and logic world 7.17

12/16/2023

Deallocating a previously allocated object.

Formalizing the C11 memory model in a faithful way is challenging because C features both low-level and high-level data access. Low-level data access involves unstructured and untyped byte representations whereas high-level data access involves typed abstract values such as arrays, structs and unions. This duality makes the memory model of C more complicated than the memory model of nearly any other programming language. For example, more mathematically oriented languages such as Java and ML feature only high-level data access, in which case the memory can be modeled in a relatively simple and structured way, whereas assembly languages feature only low-level data access, in which case the memory can be modeled as an array of bits.

The situation becomes more complicated as the C11 standard allows compilers to perform optimizations based on a high-level view of data access that are inconsistent with the traditional low-level view of data access. This complication has led to numerous ambiguities in the standard text related to aliasing, uninitialized memory, end-of-array pointers and type-punning that cause problems for C code when compiled with widely used compilers. See for example the message on the standard committee's mailing list, Defect Reports #236, #260, and #451, and the various examples in this paper.

Contribution. This paper describes the CH2O memory model, which is part of the CH2O project. CH2O provides an operational, executable and axiomatic semantics in Coq for a large part of the non-concurrent fragment of C, based on the official description of C as given by the C11 standard. The key features of the CH2O memory model are as follows:

Memory refinements. CH2O has an expressive notion of memory refinements that relates memory states. All memory operations are proven invariant under this notion. Memory refinements form a general way to validate many common-sense properties of the memory model in a formal way. They also open the door to reasoning about program transformations, which is useful if one were to use the memory model as part of a verified compiler front-end.

This paper is an extended version of previously published conference papers at CPP and VSTTE. In the time following these two publications, the memory model has been extended significantly and been integrated into an operational, executable and axiomatic semantics. The memory model now supports more features, various improvements to the definitions have been carried out, and more properties have been formally proven as part of the Coq development. Parts of this paper also appear in the author's PhD thesis, which describes the entire CH2O project including its operational, executable and axiomatic semantics, and metatheoretical results about these.

Problem. The C11 standard gives compilers a lot of freedom in what behaviors a program may have. It uses the following notions of under-specification:

Undefined behavior: the standard imposes no requirements at all, the program is even allowed to crash. For example: dereferencing a NULL pointer, or signed integer overflow.

Under-specification is used extensively to make C portable, and to allow compilers to generate fast code. For example, when dereferencing a pointer, no code has to be generated to check whether the pointer is valid or not. If the pointer is invalid (NULL or a dangling pointer), the compiled program may do something arbitrary instead of having to exit with a NullPointerException as in Java.