Verified compilation of C++ Multiple Inheritance
The work presented here, described in detail in Chapter 11 of my PhD thesis, is a formalization of a verified compiler for the object-oriented subset of C++ described in the object construction and destruction part of my PhD thesis, using an extension of the target language described in the object layout part of my PhD thesis. It is a step towards a formally verified, realistic compiler for a subset of the object-oriented part of C++, within the framework of the Compcert verified compiler.
Browse the Coq development
The languages and their semantics
The compiler involves three languages k++, Ds++, CVcm:
- k++ is the source language including fundamental C++ object-oriented features (virtual function dispatch, static and dynamic cast, access to data members) as well as object construction and destruction.
- Ds++ is an intermediate language including fundamental C++ object-oriented features but generalizing the notion of dynamic type to any objects without referring to any construction or destruction context.
- CVcm is the target language including 3-address-style low-level memory accesses along with read-only accesses to virtual tables and virtual table tables (VTT) to model C++-flavoured polymorphism.
Summary of theories
|Language-independent infrastructure (part of Compcert)
|Additional libraries complement to the Coq standard library.
|Applicative finite maps
|Language-independent infrastructure (unrelated to Compcert)
|Axiomatization of built-in types (booleans, numerical types...)
|"For" loops with bounds known at compile time
|Language-independent tools for name mangling
|Foundations of C++ object-oriented features
|Basic concepts of C++ multiple inheritance. Virtual base construction order.
|Well-formed hierarchies and decidability properties
|Dynamic (= polymorphic) classes
|If the hierarchy is well-formed, then it is decidable whether a class is dynamic.
|k++: C++ Object Construction and Destruction
|Syntax and operational semantics of a subset of C++ with object construction and destruction. The construction states of an object.
|Relations between subobjects: "direct subobject", "occurs before" and "subobject lifetime order" relations.
|Run-time invariant. Stack objects.
|Properties of subobject relations on states verifying the run-time invariant. Relations between subobject relations and lifetime.
|The generalized dynamic type of an object, if any, is unique.
|Proof of preservation for the run-time invariant. This proof takes more than 2 hours to compile. It is split into several files, namely:
|Properties about object lifetime during run-time executions (needing the proof of preservation of the invariant): construction state increase, intermediate values theorem, dynamic type evolution, subobjects destructed in the reverse order of their construction, RAII.
|A scalar field has a value only if it is Constructed.
|The following further properties are irrelevant to compilation.
|Further properties about the lifetime of subobjects of different complete objects.
|Construction (resp. destruction) progress for classes with nearly trivial constructors, (resp. trivial destructors). This proof does not need the invariant.
|More complete theorems about progress (stating that objects are constructed when entering a block, and destructed after exiting the block). This proof needs the Invariant.
|Ds++: C++ fundamental features with generalized dynamic type
|Specification of the "set dynamic type" operator
|Syntax and Semantics of the Ds++ intermediate language.
|If the class hierarchy is well-formed, then the "set dynamic type" operator is well-defined.
|k++-to-Ds++ verified compiler
|Compilation of k++ statements, and proof of semantics preservation. This proof takes more than half an hour to compile.
|Construction of an Ds++ program from k++ functions, constructors and destructors
|CVcm: low-level 3-address-style target language
|Axiomatization of a Compcert-like low-level memory model
|Syntax and Semantics of the CVcm target language.
|Ds++-to-CVcm verified compiler
|Soundness conditions for low-level layout of C++ objects, and their proofs of correctness. Unchanged since object layout (POPL 2011).
|A definition of dynamic classes, used only for layout algorithms
|Construction of virtual tables and virtual table tables.
|Compilation of the Ds++ "set dynamic type" operation
|Verified compilation of an Ds++ program to CVcm, expecting a layout algorithm compliant with the abovementioned soundness conditions
|A layout algorithm derived from the Common Vendor ABI for Itanium
|Our optimized version of this algorithm, to take empty member optimizations into account
|Other library files
|Settings for implicit arguments, etc. This file is used as a verbatim include for other files (using the Coq command Load), rather than as a library.
You can also download a TAr.BZ2 archive of the whole Coq development.
Note: you will need Coq 8.2pl1 (and an estimated 3 hours) to process the files.