Abstract
The core of a formal semantics of an imperative programming language is a memory model that describes the behavior of operations on the memory. Defining a memory model that matches the description of C in the C11 standard is challenging because C allows both high-level (by means of typed expressions) and low-level (by means of bit manipulation) memory accesses. The C11 standard has restricted the interaction between these two levels to make more effective compiler optimizations possible, at the expense of making the memory model complicated. We describe a formal memory model of the (non-concurrent part of the) C11 standard that incorporates these restrictions, and at the same time describes low-level memory operations. This formal memory model includes a rich permission model to make it usable in separation logic and supports reasoning about program transformations. The memory model and essential properties of it have been fully formalized using the Coq proof assistant.
Highlights
A memory model is the core of a semantics of an imperative programming language
We present a generalization of separation algebras that is well-suited for C verification in Coq and use this generalization to build the permission system and memory model compositionally
Besson et al (2014) Besson et al have proposed an extension of the CompCert memory model that assigns a defined semantics to operations that rely on the numerical values of uninitialized memory and pointers [8]
Summary
A memory model is the core of a semantics of an imperative programming language. It models the memory states and describes the behavior of memory operations. Low-level data access involves unstructured and untyped byte representations whereas high-level data access involves typed abstract values such as arrays, structs and unions This duality makes the memory model of C more complicated than the memory model of nearly any other programming language. Approach Most existing C formalizations (most notably Norrish [45], Leroy et al [39,40] and Ellison and Rosu [19]) use an unstructured untyped memory model where each object in the formal memory model consists of an array of bytes These formalizations cannot assign undefined behavior to violations of the rules for effective types, among other things. These conversions are used to define operations internal to the memory model None of these conversions are bijective because different information is materialized in these three data types: Permissions Padding Variants of union Mathematical values. The interested reader can find all details online as part of our Coq formalization at: http://robbertkrebbers.nl/research/ch2o/
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have