
Regarding the Standard ML compiler, my question is, even though ML itself is formally defined making it possible to prove deterministic evaluations of programs, isn't the compiler itself written in C, which is not formally defined, at least not all of it? I guess my question is say we write a program in Standard ML and can prove its correctness, how do we know the C written compiler is not performing in a way that could possibly alter the results?

Thanks

Hibou57
SJP
    Note that most ML compilers are _not_ written in C, except some small parts of their runtime systems. Most (all?) of them are actually bootstrapped in ML. Nevertheless, a good question. – Andreas Rossberg Dec 07 '13 at 08:40
  • Bugs can appear anywhere in any language. What if formal verifier has a bug? What if the compiler which compiled the formal verifier introduced a bug into it? It's ultimately hard to be mathematically certain about the behavior of complex systems. All of this is implemented using electronics vulnerable to cosmic rays, manufacturing defects, and good ol' quantum uncertainty. – Potatoswatter Dec 11 '13 at 10:21
  • @Potatoswatter: “What if formal verifier has a bug?”: that's a good question, and it's to answer this that there are provers relying on a small trustable kernel (the smaller, the more trustable), like LCF, Isabelle, and some other LCF variants. All higher level proofs must obviously pass through this small kernel and never bypass it. – Hibou57 Feb 06 '14 at 12:45
  • There is a formally verified implementation of SML called CakeML, check out https://cakeml.org/ – Morten Jensen Aug 25 '16 at 08:31
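The "small trustable kernel" mentioned in the comments is the LCF design: the theorem type is abstract, so the only way any code can obtain a theorem is by calling the kernel's inference rules. The following toy propositional kernel in Standard ML is an added illustration written for this page, not code from the thread or from any prover; the names `Kernel`, `assume`, `mp` and `discharge` are invented for the example.

```sml
(* Kernel: the only way to build a value of type thm is through these
   inference rules, so any thm that exists was derived by them. *)
signature KERNEL =
sig
  datatype form = Var of string | Imp of form * form
  type thm                            (* abstract: no constructor is exported *)
  val concl     : thm -> form         (* conclusion of a theorem *)
  val hyps      : thm -> form list    (* hypotheses it still depends on *)
  val assume    : form -> thm         (* A |- A *)
  val mp        : thm -> thm -> thm   (* from A -> B and A, conclude B *)
  val discharge : form -> thm -> thm  (* from G, A |- B conclude G |- A -> B *)
end

structure Kernel :> KERNEL =
struct
  datatype form = Var of string | Imp of form * form
  type thm = form list * form         (* hidden representation *)
  fun concl (_, c) = c
  fun hyps (h, _) = h
  fun assume a = ([a], a)
  fun mp (h1, Imp (a, b)) (h2, a') =
        if a = a' then (h1 @ h2, b)
        else raise Fail "mp: antecedent does not match"
    | mp _ _ = raise Fail "mp: first argument is not an implication"
  fun discharge a (h, b) = (List.filter (fn x => x <> a) h, Imp (a, b))
end

(* Untrusted code outside the kernel. It can only call the rules above;
   writing (nil, Var "A") : Kernel.thm here is a type error. *)
open Kernel
val a = Var "A"
val b = Var "B"

(* |- A -> A, derived by assuming A and discharging it. *)
val identity = discharge a (assume a)
val _ = if null (hyps identity) then () else raise Fail "unexpected hypothesis"

(* A -> B, A |- B, and an attempt to misuse mp that the kernel rejects. *)
val viaMp   = mp (assume (Imp (a, b))) (assume a)
val rejected = (mp identity (assume b); false)
               handle Fail _ => true
```

Because `thm` is opaque, a bug in any tactic or proof script outside `Kernel` can at worst fail to produce a theorem; it cannot produce a false one, which is why the kernel is the only part that has to be trusted.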

2 Answers


It is a question of responsibility. Whatever the language your SML runtime or compiler is written in (SML is a specification and an SML compiler does not have to stand on C code, it could be anything else), your responsibility is to make your SML program work according to the SML specification. If the SML compiler is buggy, that is someone else's problem.

Have you thought about the processor the compiled instructions for your SML runtime run on? Who formally proved that? And what about the electrons that move inside the processor's transistors? Who tells them to work according to the physics “laws” on which the processor's design was predicated? Who formally proved those laws?

It is not your problem.

This said, there is at the time of this writing a C compiler written essentially in Coq, CompCert. This compiler defines formal semantics for both the input language (most of C) and the target assembly languages. The input language does not have to be exactly C as long as an SML implementation is designed to work when compiled with this flavor of C. If you implemented SML in CompCert's input language, following the formal definition as closely as possible, you would have an SML interpreter with a chain of confidence that goes down nearly uninterrupted to assembly.

Pascal Cuoq
  • I like this answer it makes complete sense, but I guess my question is all of the theorem proving software that runs with SML under the hood, isn't that all depending on the correctness of the C compiler it is using? So sure the SML used to prove something may be theoretically sound, but we are relying on C to compile successfully which can't be proven correct. – SJP Dec 06 '13 at 23:29
  • @SJP You will like this blog post then, if you haven't seen it already: http://blog.regehr.org/archives/903 . But we do not need absolute confidence in our programs anyway, because there is no machine we have absolute confidence in to execute them on. It only takes one alpha particle to change a bit in a computation. Formal methods of all kinds provide confidence way, way above traditional techniques. The problem that people who try to use them see is not so much the possibility of a compiler bug making the verification system unsound, but of the cost, and this is what we should focus on first – Pascal Cuoq Dec 06 '13 at 23:34


Just because you can write bad C programs doesn't mean you have to. It's perfectly possible to write a correct C program and deduce from the C language specification that the program performs correctly.

Kerrek SB
  • Additionally, there exists at least one formally proved C compiler, which is [CompCert](http://compcert.inria.fr/). – Hibou57 Feb 06 '14 at 12:49