Section: New Results
Formal verification of compilers and static analyzers
Formal verification of static analyzers based on abstract interpretation
Participants : Jacques-Henri Jourdan, Xavier Leroy, Sandrine Blazy [EPI Celtique], Vincent Laporte [EPI Celtique], David Pichardie [EPI Celtique], Sylvain Boulmé [Grenoble INP, VERIMAG], Alexis Fouilhe [Université Joseph Fourier de Grenoble, VERIMAG], Michaël Périn [Université Joseph Fourier de Grenoble, VERIMAG].
In the context of the ANR Verasco project, we are investigating the formal specification and verification in Coq of a realistic static analyzer based on abstract interpretation. This static analyzer handles a large subset of the C language (the same subset as the CompCert compiler, minus recursion and dynamic allocation); supports a combination of abstract domains, including relational domains; and should produce usable alarms. The long-term goal is to obtain a static analyzer that can be used to prove safety properties of real-world embedded C code.
This year, Jacques-Henri Jourdan continued the development of this static analyzer. He finished the proof of correctness of the abstract interpreter, using an axiomatic semantics for the C#minor intermediate language to decompose this proof into two manageable halves. He improved the precision and performance of the abstract iterator and of the numerical abstract domains. He designed and verified a symbolic domain that helps analyze the sequential Boolean operators && and ||, which are encoded as Boolean variables and conditional constructs in the C#minor intermediate language. As a more flexible alternative to reduced products of domains, Jacques-Henri Jourdan designed, implemented, and proved correct a communication system between numerical abstract domains, based on communication channels and inspired by Astrée [56].
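To give an intuition of the machinery involved, here is a deliberately tiny sketch of an interval abstract domain, one of the non-relational building blocks such an analyzer combines. It is written in Python for illustration only and is unrelated to Verasco's actual Coq sources: `join` merges abstract values where control-flow paths meet, `meet` refines a value under a branch condition, and `add` is the abstract transfer function for addition.

```python
# Illustrative interval domain (not Verasco's Coq code).
# An abstract value is BOT (unreachable) or a pair (lo, hi).
BOT = None
TOP = (float('-inf'), float('inf'))

def join(a, b):
    """Least upper bound: used when control-flow paths merge."""
    if a is BOT: return b
    if b is BOT: return a
    return (min(a[0], b[0]), max(a[1], b[1]))

def meet(a, b):
    """Greatest lower bound: used to refine a value on a branch."""
    if a is BOT or b is BOT: return BOT
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else BOT

def add(a, b):
    """Abstract transfer function for x + y."""
    if a is BOT or b is BOT: return BOT
    return (a[0] + b[0], a[1] + b[1])

# Analyzing `if (x <= 10) y = x + 1;` with x known to lie in [0, 100]:
x = (0, 100)
x_then = meet(x, (float('-inf'), 10))   # the branch refines x to [0, 10]
y_then = add(x_then, (1, 1))            # hence y lies in [1, 11]
```

In Verasco, several such domains, including relational ones, run side by side and exchange information through the communication system described above; this sketch shows only the interval skeleton.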
In parallel, IRISA and VERIMAG, our academic partners on the Verasco project, contributed a verified abstract domain for memory states and pointer values (Vincent Laporte, Sandrine Blazy, and David Pichardie) and a polyhedral abstract domain for linear numerical inequalities (Alexis Fouilhe, Sylvain Boulmé, Michaël Périn) that relies on a posteriori validation. These components were brought together by Jacques-Henri Jourdan and Vincent Laporte, resulting in an executable static analyzer.
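The a posteriori validation used for the polyhedral domain can be illustrated in miniature: an untrusted oracle computes nonnegative Farkas multipliers witnessing that a conjunction of linear constraints entails another constraint, and a small, easy-to-trust checker verifies the certificate. The sketch below is illustrative Python, not the actual Coq/OCaml development; it checks such a certificate with exact rational arithmetic, avoiding any floating-point soundness issue.

```python
from fractions import Fraction

def check_farkas(constraints, goal, cert):
    """Check that nonnegative multipliers `cert` prove that the
    conjunction of `constraints` (each (a, b), meaning a.x <= b)
    entails `goal` (c, d), meaning c.x <= d: the weighted sum of
    the left-hand sides must equal c, and of the bounds be <= d."""
    c, d = goal
    acc = [Fraction(0)] * len(c)
    bound = Fraction(0)
    for lam, (a, b) in zip(cert, constraints):
        if lam < 0:
            return False
        acc = [s + lam * ai for s, ai in zip(acc, a)]
        bound += lam * b
    return acc == list(c) and bound <= d

# x <= 3 and y <= 4 entail x + y <= 7, witnessed by multipliers (1, 1).
cs = [((Fraction(1), Fraction(0)), Fraction(3)),
      ((Fraction(0), Fraction(1)), Fraction(4))]
ok = check_farkas(cs, ((Fraction(1), Fraction(1)), Fraction(7)),
                  [Fraction(1), Fraction(1)])
```

Only the checker needs to be proved sound; the oracle that searches for the multipliers can remain efficient, untrusted code.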
The overall architecture and specification of Verasco is described in a paper [29] accepted for presentation at the forthcoming POPL 2015 conference.
The CompCert formally-verified compiler
Participants : Xavier Leroy, Jacques-Henri Jourdan.
In the context of our work on compiler verification (see section 3.3.1), since 2005 we have been developing and formally verifying a moderately optimizing compiler for a large subset of the C programming language, generating assembly code for the PowerPC, ARM, and x86 architectures [5]. This compiler comprises a backend part, translating the Cminor intermediate language to PowerPC assembly and reusable for source languages other than C [4], and a frontend translating the CompCert C subset of C to Cminor. The compiler is mostly written within the specification language of the Coq proof assistant, from which Coq's extraction facility generates executable Caml code. The compiler comes with a 50,000-line, machine-checked Coq proof of semantic preservation establishing that the generated assembly code executes exactly as prescribed by the semantics of the source C program.
This year, we improved the CompCert C compiler in several directions:

The parser, previously compiled to unverified OCaml code, was replaced by a parser compiled to Coq code and validated a posteriori by a validator written and proved sound in Coq. This validation step, performed when the CompCert compiler is compiled, provides a formal proof that the parser recognizes exactly the language described by the source grammar. This approach builds on the earlier work by Jacques-Henri Jourdan, François Pottier and Xavier Leroy on verified validation of $LR(1)$ parsers [60]. Jacques-Henri Jourdan succeeded in scaling this approach all the way up to the full ISO C99 grammar plus some extensions.
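The validation idea can be conveyed with a toy experiment, sketched below in illustrative Python. It cross-checks a hand-written recognizer against a toy grammar of balanced parentheses on every input up to a bounded length; the Coq validator mentioned above is far stronger, since it proves exact language equality once and for all rather than testing bounded inputs.

```python
from itertools import product

# Toy grammar: S -> '(' S ')' S | epsilon  (balanced parentheses).

def grammar_strings(limit):
    """All strings of length <= limit derivable from S, by exhaustive
    leftmost expansion of sentential forms, pruned on terminal count."""
    done, todo, seen = set(), [('S',)], {('S',)}
    while todo:
        form = todo.pop()
        i = next((k for k, sym in enumerate(form) if sym == 'S'), -1)
        if i < 0:                                  # no nonterminal left
            done.add(''.join(form))
            continue
        succs = [form[:i] + form[i+1:]]            # S -> epsilon
        if sum(1 for sym in form if sym != 'S') + 2 <= limit:
            succs.append(form[:i] + ('(', 'S', ')', 'S') + form[i+1:])
        for nxt in succs:
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return done

def parser_accepts(s):
    """The recognizer under validation: a simple depth counter."""
    depth = 0
    for ch in s:
        depth += 1 if ch == '(' else -1
        if depth < 0:
            return False
    return depth == 0

# Bounded cross-validation: parser and grammar agree on every input
# over {'(', ')'} of length at most 6.
lang = grammar_strings(6)
agree = all(parser_accepts(''.join(w)) == (''.join(w) in lang)
            for n in range(7) for w in product('()', repeat=n))
```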

Two new static analyses, value analysis and neededness analysis, were added to the CompCert backend. As described in section 6.1.3 below, the results of these analyses enable more aggressive optimizations over the RTL intermediate form.

As part of the work on formalizing floating-point arithmetic (see section 6.1.4 below), the semantics and compilation of floating-point arithmetic in CompCert was revised to handle single-precision floating-point numbers as first-class values, instead of systematically converting them to double precision before arithmetic. This increases the efficiency and compactness of the code generated for applications that make heavy use of single precision.
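The semantic difference between the two formats is easy to observe. The following illustrative snippet uses Python, whose floats are IEEE-754 binary64, and the `struct` module to round values through binary32: 0.1 has different nearest representations in the two formats, and binary32's 24-bit significand cannot distinguish 1e8 from 1e8 + 1.

```python
import struct

def round_to_single(x):
    """Round a binary64 float to the nearest binary32 value,
    returned widened back to binary64."""
    return struct.unpack('<f', struct.pack('<f', x))[0]

differs = round_to_single(0.1) != 0.1          # 0.1 rounds differently
collapses = round_to_single(1e8 + 1.0) == 1e8  # ulp of binary32 at 1e8 is 8
```

This is why keeping a value in single precision, versus promoting it to double and back, is an observable semantic choice that the compiler's proof must account for.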

Previously, the CompCert backend compiler assumed a partitioned register set from the target architecture, where integer registers always contain 32-bit integers or pointers, and floating-point registers always contain double-precision FP numbers. This convention on register uses simplified the verification of CompCert, but became untenable with the introduction of single-precision FP numbers as first-class values: FP registers can now hold either single- or double-precision FP numbers. Xavier Leroy re-architected the register allocator and the stack materialization passes of CompCert, along with their soundness proofs, to lift this limitation on register uses. Besides mixtures of single- and double-precision FP numbers, this new architecture makes it possible to support future target processors with a unified register set, such as the SPE variant of PowerPC.

We added support for several features of ISO C99 that were not handled previously: designated initializers, compound literals, switch statements where the default case is not the last case, switch statements over arguments of 64-bit integer type, and incomplete arrays as the last member of a struct. Also, variable-argument functions and the <stdarg.h> standard include are now optionally supported, but their implementation is neither specified nor verified.

The ARM backend was extended with support for the EABI-HF calling conventions (passing FP arguments and results in FP registers instead of integer registers) and with generation of Thumb2 instructions. Thumb2 is an alternate instruction set and instruction encoding for the ARM architecture that results in more compact machine code (up to 30% reduction in code size on our tests).
We released three versions of CompCert, integrating these enhancements: version 2.2 in February 2014, version 2.3 in April, and version 2.4 in September.
In June 2014, Inria signed a licence agreement with AbsInt Angewandte Informatik GmbH, a software publisher based in Saarbrücken, Germany, to market and provide support for the CompCert formally-verified C compiler. AbsInt will extend CompCert to improve its usability in the critical embedded software market, and also provide long-term maintenance as required in this market.
Value analysis and neededness analysis in CompCert
Participant : Xavier Leroy.
Xavier Leroy designed, implemented, and proved sound two new static analyses over the RTL intermediate representation of CompCert. Both are intraprocedural dataflow analyses.

Value analysis is a forward analysis that tracks points-to information for pointers, constantness information for integer and FP numbers, and variation intervals for integer numbers, using intervals of the form $[0,2^n)$ and $[-2^n,2^n)$. This value analysis extends and generalizes CompCert's earlier constant analysis as well as the points-to analysis of Robert and Leroy [68]. In particular, it tracks both the values of variables and the contents of memory locations, and it can take advantage of points-to information to show that function-local memory does not escape the scope of the function.

Neededness analysis is a backward analysis that tracks which memory locations and which bits of the values of integer variables may be used later in a function, and which memory locations and integer bits are “dead”, i.e. never used later. This analysis extends CompCert's earlier liveness analysis to memory locations and to individual bits of integer values.
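To give a flavor of the bit-level backward reasoning involved, here is an illustrative Python sketch (not CompCert's actual transfer functions) of how the bits needed of an operation's result translate into the bits needed of its argument: masking keeps only the masked bits needed, shifting relocates the needed bits, and addition propagates need downward because carries only flow upward.

```python
MASK32 = 0xFFFFFFFF

def needed_of_arg(op, result_needed):
    """Backward transfer function: given a 32-bit mask of the result
    bits that may be used later, return a mask of the argument bits
    that may influence them."""
    kind, param = op
    if kind == 'and':                    # y = x & param
        return result_needed & param
    if kind == 'shl':                    # y = x << param
        return (result_needed >> param) & MASK32
    if kind == 'add':                    # y = x + param; carries go up,
        h = result_needed.bit_length()   # so all bits at or below the
        return (1 << h) - 1              # highest needed bit are needed
    return MASK32                        # conservative default

# For `(x & 0xFF) << 8` with every result bit needed, only the low
# byte of x is needed, so an earlier narrowing cast of x is redundant:
after_shl = needed_of_arg(('shl', 8), MASK32)        # 0x00FFFFFF
after_and = needed_of_arg(('and', 0xFF), after_shl)  # 0x000000FF
```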
Compared with the static analyses developed as part of Verasco (section 6.1.1 ), value analysis is much less precise: every function is analyzed independently of its call sites, relations between variables are not tracked, and even interval analysis is coarser (owing to CompCert's lack of support for widened fixpoint iteration). However, CompCert's static analyses are much cheaper than Verasco's, and scale well to large source codes, making it possible to perform them at every compilation run.
Xavier Leroy then modified CompCert's backend optimizations to take advantage of the results of the two new static analyses, thus improving performance of the generated code:

Common subexpression elimination (CSE) takes advantage of non-aliasing information provided by value analysis to eliminate redundant memory loads more aggressively.

Many more integer casts (type conversions) and bit masking operations are discovered to be redundant and eliminated.

Memory stores and block copy operations that become useless after constant propagation and CSE can now be eliminated entirely.
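A miniature version of the first of these improvements, load CSE over a straight-line block using a points-to oracle, might look as follows. This is an illustrative Python sketch under assumed instruction and oracle representations, not CompCert's verified RTL pass.

```python
def eliminate_redundant_loads(code, may_alias):
    """Forward pass over a straight-line block: a load is redundant if
    the same address was loaded earlier and no intervening store may
    alias it.  `may_alias(a, b)` is the (hypothetical) points-to oracle."""
    available = {}   # address -> register already holding its contents
    out = []
    for instr in code:
        if instr[0] == 'load':
            _, dst, addr = instr
            if addr in available:
                out.append(('move', dst, available[addr]))  # reuse value
            else:
                out.append(instr)
                available[addr] = dst
        elif instr[0] == 'store':
            _, addr, _src = instr
            out.append(instr)
            # invalidate only loads the store may alias
            available = {a: r for a, r in available.items()
                         if not may_alias(a, addr)}
        else:
            out.append(instr)
    return out

block = [('load', 'r1', 'p'),
         ('store', 'q', 'r2'),
         ('load', 'r3', 'p')]
# Suppose value analysis proved p and q point to distinct blocks:
optimized = eliminate_redundant_loads(block, lambda a, b: False)
```

Without the non-aliasing fact, the store to `q` would invalidate the available load from `p` and the second load would have to stay.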
Verified compilation of floatingpoint arithmetic
Participants : Sylvie Boldo [EPI Toccata], Jacques-Henri Jourdan, Xavier Leroy, Guillaume Melquiond [EPI Toccata].
In 2012, we replaced the axiomatization of floating-point numbers and arithmetic operations used in early versions of CompCert by a fully formal Coq development, building on the Coq formalization of IEEE-754 arithmetic provided by the Flocq library of Sylvie Boldo and Guillaume Melquiond. This verification of FP arithmetic and of its compilation was further improved in 2013 with respect to the treatment of "Not a Number" special values.
This year, Guillaume Melquiond improved the algorithmic efficiency of some of the executable FP operations provided by Flocq. Xavier Leroy generalized the theorems over FP arithmetic used in CompCert's soundness proof so that these theorems apply both to single- and double-precision FP numbers. Jacques-Henri Jourdan and Xavier Leroy proved additional theorems concerning conversions between integers and FP numbers.
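Such conversion theorems must pin down the rounding that integer-to-FP conversion performs. A tiny example of the kind of fact involved, using Python floats (IEEE-754 binary64), whose 53-bit significand cannot represent every 64-bit integer exactly:

```python
big = 2**53 + 1      # just beyond the integers binary64 represents exactly
as_fp = float(big)   # int-to-FP conversion rounds to nearest even: 2**53
back = int(as_fp)    # the round trip loses the original value
```

A verified compiler's proof has to show that the machine instructions it emits for each conversion produce exactly the rounded value the source semantics prescribes.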
A journal paper describing this three-year effort on correct compilation of floating-point arithmetic was accepted for publication in the Journal of Automated Reasoning [14].
Verified JIT compilation of Coq
Participants : Maxime Dénès, Xavier Leroy.
Evaluation of terms of Gallina, the functional language embedded within Coq, plays a crucial role in the performance of proof checking and of the execution of verified programs, and in the trust one can place in them. Today, Coq provides various evaluation mechanisms, some internal to the kernel, others external, via extraction to OCaml or Haskell. However, we believe that the specific performance trade-offs and the delicate issues of trust still call for a better, more adapted treatment.
That is why, in October of this year, we started the Coqonut project, whose objective is to develop and formally verify an efficient, compiled implementation of Coq reductions. As a first step, we wrote an unverified prototype in OCaml that produces x86-64 machine code using a monadic intermediate form. We have started to port it to Coq and to specify the semantics of the source, target, and intermediate languages.