We present a formal model of Checked C, a dialect of C that aims to enforce spatial memory safety. Our model pays particular attention to the semantics of dynamically sized, potentially null-terminated arrays. We formalize this model in Coq, and prove that any spatial memory safety errors can be blamed on portions of the program labeled unchecked; this is a Checked C feature that supports incremental porting and backward compatibility. While our model's operational semantics uses annotated ("fat") pointers to enforce spatial safety, we show that such annotations can be safely erased: Using PLT Redex we formalize an executable version of our model and a compilation procedure from it to an untyped C-like language, and use randomized testing to validate that generated code faithfully simulates the original. Finally, we develop a custom random generator for well-typed and almost-well-typed terms in our Redex model, and use it to search for inconsistencies between our model and the Clang Checked C implementation. We find these steps to be a useful way to co-develop a language (Checked C is still in development) and a core model of it.
翻译:我们提出了一个正式的 C 检查模式, C 是 C 的方言, 目的是加强空间内存安全。 我们的模型特别注意动态大小的语义, 有可能是无效的阵列的语义。 我们在 Coq 中正式确定这个模式, 并证明任何空间内存安全错误都可以归责于被贴上标签的程序的某些部分; 这是用于支持递增移植和后向兼容的 C 功能。 我们的模型的操作语义使用一个附加说明的( “ 脂肪” 指针来强制空间安全, 我们显示这样的语句可以安全地被删除: 使用 PLT Redex 将一个可执行的模型版本和编译程序正式化为非类型C 类似语言, 并使用随机化测试来验证生成的代码忠实模拟原始的代码 。 最后, 我们开发了一个用于我们Redex 模型中精密类型和几乎完整类型的术语的定制随机生成器。 我们用它来搜索模型与 C 匹配 C 执行中的不一致之处。 我们发现这些步骤是共同开发一种有用的方法( 正在开发中) 。
相关内容
微信扫码咨询专知VIP会员