CompCert is a formally verified optimizing C compiler. Its intended use is the compilation of safety-critical and mission-critical software written in C and meeting high levels of assurance. It accepts ISO C99 programs and produces machine code for PowerPC (32-bit/64-bit hybrid), ARM, IA32 (x86 32-bit), AMD64 (x86 64-bit), and RISC-V.
What sets CompCert apart?
Unlike any other production compiler, CompCert is formally verified, using machine-assisted mathematical proofs, to be exempt from miscompilation issues. In other words, the code it produces is proved to behave exactly as specified by the semantics of the source C program.
This level of confidence in the correctness of the compilation process is unprecedented and contributes to meeting the highest levels of software assurance.
The formal proof covers all transformations from the abstract syntax tree to the generated assembly code. To preprocess and produce object and executable files, an external C preprocessor, assemblers, linkers, and C libraries have to be used. However, these unverified stages are well-understood and robust from an implementation perspective, hence they can be covered well by traditional qualification kits. The reliability of CompCert has been demonstrated on a development version of CompCert by a 2011 study by Regehr, Yang et al.:
“The striking thing about our CompCert results is that the middle-end bugs we found in all other compilers are absent. As of early 2011, the under-development version of CompCert is the only compiler we have tested for which Csmith cannot find wrong-code errors. This is not for lack of trying: we have devoted about six CPU-years to the task. The apparent unbreakability of CompCert supports a strong argument that developing compiler optimizations within a proof framework, where safety checks are explicit and machine-checked, has tangible benefits for compiler users.”
• Using the CompCert C compiler is a natural complement to applying formal verification techniques (static analysis, program proof, model checking) at the source-code level. The correctness proof of CompCert guarantees that all safety properties verified on the source code automatically hold for the generated code as well.
• On typical embedded processors, the code generated by CompCert typically runs twice as fast as the code generated by GCC without optimizations, and only 20% slower than GCC at optimization level 3. (Details about the benchmark mix used to obtain these numbers are available on request.)
• Costs for finding and avoiding or fixing compiler bugs and shipping patches to the customers of the embedded system can be avoided.