Changelog
Release 3.6, 2019-09-17
=======================
New features and optimizations:
- New port targeting the AArch64 architecture: ARMv8 in 64-bit mode.
- New optimization: if-conversion. Some `if`/`else` statements
and `a ? b : c` conditional expressions are compiled to branchless
conditional move instructions, when supported by the target processor.
- New optimization flag: `-Obranchless`, to favor the generation of
branchless instruction sequences, even if probably slower than branches.
- Built-in functions can now be given a formal semantics within
CompCert, instead of being treated as I/O interactions.
Currently, `__builtin_fsqrt` and `__builtin_bswap*` have semantics.
- Extend constant propagation and CSE optimizations to built-in
functions that have known semantics.
- New "polymorphic" built-in function: `__builtin_sel(a,b,c)`.
Similar to `a ? b : c` but `b` and `c` are always evaluated,
and a branchless conditional move instruction is produced if possible.
- x86 64 bits: faster, branchless instruction sequences are produced
for conversions between `double` and `unsigned int`.
- `__builtin_bswap64` is now available for all platforms.
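To make the evaluation rule for `__builtin_sel` concrete, here is an added example (not CompCert code and not part of this changelog) contrasting `a ? b : c`, which evaluates only the taken arm, with `__builtin_sel`, which evaluates both. It assumes the file is compiled with gcc or clang, where a mask-based helper `ct_select32` (our name, our construction) stands in for the CompCert built-in; the real built-in is used when the `__COMPCERT_MAJOR__` macro is defined.

```c
#include <stdint.h>
#include <stdio.h>

/* CompCert's __builtin_sel(a,b,c) evaluates b and c unconditionally and
 * picks one with a conditional move.  Under other compilers (assumption
 * for this demonstration) ct_select32 emulates that shape: both operands
 * are evaluated and the choice is made by masking, not by branching on a.
 * ct_select32 is our helper, not a CompCert API. */
#if defined(__COMPCERT_MAJOR__)
#define SELECT(a, b, c) __builtin_sel((a), (b), (c))
#else
static inline int32_t ct_select32(int cond, int32_t b, int32_t c) {
    uint32_t mask = (uint32_t)0 - (uint32_t)(cond != 0); /* all ones iff cond */
    return (int32_t)(((uint32_t)b & mask) | ((uint32_t)c & ~mask));
}
#define SELECT(a, b, c) ct_select32((a), (b), (c))
#endif

/* Counts how many selection arms were actually evaluated. */
static int evaluations;

static int32_t bump(int32_t v) {
    evaluations++;
    return v;
}

/* Conditional expression: exactly one arm runs, whatever cond is. */
int ternary_evaluations(int cond) {
    evaluations = 0;
    (void)(cond ? bump(1) : bump(2));
    return evaluations; /* always 1 */
}

/* __builtin_sel semantics: both arms run, whatever cond is. */
int sel_evaluations(int cond) {
    evaluations = 0;
    (void)SELECT(cond, bump(1), bump(2));
    return evaluations; /* always 2 */
}

/* Caveat that follows from "b and c are always evaluated": an arm that
 * must not execute when cond is false (here a pointer dereference) cannot
 * be placed inside SELECT.  Keep the guard as a real branch and make only
 * the value selection branchless. */
static const int32_t sample_value = 42; /* constructed sample input */

int32_t load_or_default(const int32_t *p, int32_t dflt) {
    int32_t v = (p != NULL) ? *p : 0;  /* branch needed for memory safety */
    return SELECT(p != NULL, v, dflt); /* value choice is branchless */
}

/* Where a branchless select matters for security: choosing between two
 * values based on a secret comparison without a data-dependent branch. */
int32_t ct_eq_select(uint32_t x, uint32_t y, int32_t if_equal, int32_t if_not) {
    uint32_t diff = x ^ y;
    /* (diff | -diff) >> 31 is 1 iff diff != 0, computed without a branch. */
    int is_equal = 1 ^ (int)((diff | ((uint32_t)0 - diff)) >> 31);
    return SELECT(is_equal, if_equal, if_not);
}

int main(void) {
    printf("?: arms evaluated: %d, sel arms evaluated: %d\n",
           ternary_evaluations(1), sel_evaluations(1));
    printf("load_or_default(NULL, -1) = %d\n", (int)load_or_default(NULL, -1));
    printf("ct_eq_select(7, 7) = %d\n", (int)ct_eq_select(7u, 7u, 10, 20));
    return 0;
}
```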
Usability and diagnostics:
- Improved the DWARF debug information generated in -g mode.
- Added options -fcommon and -fno-common to control the generation
of "common" declarations for uninitialized globals.
- Check for reserved keywords `_Complex` and `_Imaginary`.
- Reject function declarations with multiple `void` parameters.
- Define macros `__COMPCERT_MAJOR__`, `__COMPCERT_MINOR__`, and
`__COMPCERT_VERSION__` with CompCert's version number. (#284)
- Prepend `$(DESTDIR)` to the installation target. (#169)
- Extended inline asm: print register names according to the
types of the corresponding arguments (e.g. for x86_64,
`%eax` if int and `%rax` if long).
Bug fixing:
- Introduce distinct scopes for iteration and selection statements,
as required by ISO C99.
- Handle dependencies in sequences of declarations
(e.g. `int * x, sz = sizeof(x);`). (#267)
- Corrected the check for overflow in integer literals.
- On x86, __builtin_fma was producing wrong code in some cases.
- `float` arguments to `__builtin_annot` and `__builtin_ais_annot`
were uselessly promoted to type `double`.
Coq formalization and development:
- Improved C parser based on Menhir version 20190626:
fewer run-time checks, faster validation, no axioms. (#276)
- Compatibility with Coq versions 8.9.1 and 8.10.0.
- Compatibility with OCaml versions 4.08.0 and 4.08.1.
- Updated to Flocq version 3.1.
- Revised the construction of NaN payloads in processor descriptions
so as to accommodate FMA.
- Removed some definitions and lemmas from lib/Coqlib.v, using Coq's
standard library instead.
The clightgen tool:
- Fix normalization of Clight `switch` statements. (#285)
- Add more tracing options: `-dprepro`, `-dall`. (#298)
- Fix the output of `-dclight`. (#314)
Release 3.5, 2019-02-27
=======================
Bug fixing:
- Modeling error in PowerPC ISA: how register 0 is interpreted when
used as base register for indexed load/stores. The code generated
by CompCert was correct, but was proved correct against the wrong
specification.
- Modeling error in x86 ISA: how flag ZF is set by floating-point
comparisons. Here as well, the code generated by CompCert was
correct, but was proved correct against the wrong specification.
- Revised handling of attributes so that they behave more like in
GCC and Clang. CompCert now distinguishes between attributes that
attach to names (variables, fields, typedefs, structs and unions)
and attributes that attach to objects (variables). In particular,
the `aligned(N)` attribute now attaches to names, while the `_Alignas(N)`
modifier still attaches to objects. This fixes issue 256.
- Issue with NULL as argument to a variadic function on 64-bit platforms
(issue 265)
- Macro __bool_true_false_are_defined was missing from <stdbool.h> (issue 266)
Coq development:
- Can now be entirely rechecked using coqchk
(contributed by Vincent Laporte)
- Support Coq version 8.9.0
- Avoid using "refine mode" when defining Instance
(contributed by Maxime Dénès)
- Do not support Menhir versions more recent than 20181113, because
they will introduce an incompatibility with this CompCert release.
New feature:
- PowerPC port: add __builtin_isel (conditional move) at types int64, uint64,
and _Bool.
Release 3.4, 2018-09-17
=======================
Bug fixing:
- Redefinition of a typedef in a different scope was wrongly rejected.
- Attach `_Alignas(N)` and `__attribute((aligned(N)))` to names
instead of types, so that `_Alignas(16) int * p` means
"16-aligned pointer to int", not "pointer to 16-aligned int".
- For packed structs, fix a discrepancy between the size and alignment
computed during elaboration and those computed by the verified front-end
after expansion.
- Honor qualified array types in function parameters: if a parameter is
declared as e.g. `int t[const 4]`, it is now treated as `int * const t`
in the function body, not `int * t` like before.
- Reject `__builtin_offsetof(struct s, f)` if `f` is a bit-field.
- Wrong parsing of attributes having multiple arguments such as
`__attribute((packed(A,B,C)))`.
- If `__builtin_ais_annot` is followed immediately by a label (e.g. a
loop head), add a nop instruction to separate the annotation from
the label.
- Wrong parsing of the command-line options `-u <symbol>` and `-iquote`.
- PowerPC in hybrid 32/64 bit mode: reject %Q and %R register specifications
in inline assembly code, since 64-bit integer arguments are not split
in two registers.
- x86 64-bit mode: wrong expansion of `__builtin_clzl` and `__builtin_ctzl`
(issue #127).
New checks for ISO C conformance:
- Removed support for `_Alignof(expr)`, which is not C11;
only `_Alignof(ty)` is part of C11.
- Reject occurrences of `_Alignas` in places that are not allowed by C11,
e.g. in `typedef`. `__attribute((aligned(N)))` can be used instead.
- Reject occurrences of `restrict` in places that are not allowed by
C99 and C11.
- Reject structs composed of a single flexible array `struct { ty []; }`.
- Check that qualified array types such as `int t[const 4]` occur only
as function parameters, but nowhere else.
- In function definitions, reject function parameters that have no names.
New warnings:
- Warn for flexible array types `ty[]` in places where they do not make sense.
- Warn for inline (not static inline) functions that declare
non-constant static variables.
- Optionally warn if the alignment of an object is reduced below its
natural alignment because of an `_Alignas` qualifier, an `aligned` attribute,
or a `packed` attribute.
- Warn for tentative static definitions with an incomplete type, e.g.
`static int x[];`.
- The warning about uses of C11 features is now off by default.
Semantic preservation proof:
- Model the fact that external functions can destroy caller-save registers
and Outgoing stack slots; adapt the proofs accordingly.
Coq and OCaml development:
- Support Coq versions 8.8.1 and 8.8.2.
- Support OCaml versions 4.7.0 and up.
- Support Menhir versions 20180530 and up.
Others:
- Improved error handling in "configure" script (issue #244)
- clightgen adds configuration information to the generated .v file (issue #226)
Release 3.3, 2018-05-30
=======================
New features:
- Introduced the __builtin_ais_annot built-in function to communicate
source-level annotations to AbsInt's a3 tool suite via a special
section in object and executable files.
- Improved C11 support: define the C11 conditional feature macros;
define the max_align_t type in stddef.h.
- PowerPC 64-bit port: new built-in functions for 64-bit load-store with
byte reversal and for 64-bit integer multiply high.
- x86 64 bits: add support for BSD.
Bug fixing:
- Wrong code generated for unions containing several bit fields.
- Internal compiler errors for some initializers for structs and
unions containing bit-fields, and for anonymous members of unions.
- Missing error reporting for <integer> - <ptr> subtraction,
causing an internal retyping error later during compilation.
- String literals are l-values.
- String literals have array types, not pointer types.
- Array sizes >= 2^32 were handled incorrectly on 64-bit platforms.
- Wrong code generated for global variables of size 2^31 bytes or more.
- struct and union arguments to annotation builtins must be passed by
reference, regardless of the ABI calling conventions.
- "e1, e2" has pointer type if "e2" has array type.
- x86 64 bits: in "symbol + ofs" addressing modes, the offset "ofs"
must be limited to [-2^24, 2^24) otherwise linking can fail.
New or improved diagnostics (errors and warnings):
- Warn for comparison of a pointer to a complete type and a pointer to
an incomplete type.
- More checks on variables declared in "for" loops: not static, not
extern, not function types.
- Reject empty declarations in K&R functions.
- Reject arrays of incomplete types.
- Reject duplicate 'case' or 'default' statements within a 'switch'.
- Reject 'case' and 'default' statements outside a 'switch'.
- Check that 'typedef' declares a name and doesn't contain '_Noreturn'.
- Function parameters are in the same scope as function local variables.
- More comprehensive constant-ness checks for initializers of global
or static local variables.
- Make sure an enum cannot have the same tag as a struct or a union.
- More checks on where the 'auto' storage class can be used.
- Accept empty enum declaration after nonempty enum definition.
- Reject pointers to incomplete types in ptr - ptr subtraction.
- When defining a function, take attributes (_Noreturn, etc) from
earlier declarations of the function into account.
- Better check for multiple definitions of functions or global variables.
- Reject illegal initializations of aggregates such as "char c[4] = 42;".
- Reject designated initializers where a member of a composite type is
re-initialized after the composite has been initialized as a whole.
- Reject casts to struct/union types.
- Reject sizeof(e) where e designates a bit-field member of a struct or union.
- "e1, e2" is not a compile-time constant expression even if e1 and e2 are.
- "main" function must not be "inline".
- Warn for functions declared extern after having been defined.
- Warn for function declarations after function definitions when the
declaration has more attributes than the definition.
- Warn for assignment of a volatile struct to a non-volatile struct.
- Warn for "main" function if declared _Noreturn.
Coq development:
- Added support for Coq versions 8.7.2 and 8.8.0.
- Rewrote "Implicit Arguments" and "Require" inside sections,
these are obsolete in 8.8.0.
- Upgraded Flocq to version 2.6.1.
- Optionally install the .vo files for reuse by other projects
(options -install-coqdev and -coqdevdir to configure script;
automatically selected if option -clightgen is given).
Release 3.2, 2018-01-15
=======================
Code generation and optimization:
- Inline static functions that are called only once.
Can be turned off by setting the "noinline" attribute on the function.
- More consistent detection and elimination of divisions by 1.
- ARM in Thumb mode: simpler instruction sequence for branch through jump table.
- ARM: support and use the "cmn" instruction.
- Issue #208: make value analysis of comparisons more conservative for
dubious comparisons such as "(uintptr_t) &global == 0x1234" which are
undefined behavior in CompCert.
Usability:
- Resurrected support for the Cygwin x86-32 port, which got lost at release 3.0.
- Support the "noinline" attribute on C function definitions.
- PowerPC port with Diab toolchain: support -t <target processor> option
and pass it to the Diab tools.
- Clightgen tool: add -o option to specify output file.
- Pull request #192: improve the printing of Clight intermediate code
so that it looks more like valid C source. (Frédéric Besson)
Bug fixing:
- Issue #P25: make sure sizeof(long double) = sizeof(double) in all contexts.
- Issue #211: wrong scoping for C99 declarations within a "for" statement.
Coq and Caml development:
- Pull request #191: Support Coq version 8.7.0 and 8.7.1 in addition
to Coq 8.6.1. Coq 8.6 (.0) is no longer supported owing to an
incompatibility with 8.7.0.
(Sigurd Schneider)
- ARM code generator: refactoring of constant expansions and EABI fixups.
- Resynchronized the list of dual-licensed files given in file LICENSE
and the copyright headers of the dual-licensed files.
Release 3.1, 2017-08-18
=======================
Major improvements:
- New port targeting the RISC-V architecture, in 32- and 64-bit modes.
- Improved support for PowerPC 64 processors: use 64-bit registers and
instructions for 64-bit integer arithmetic. Pointers remain 32 bits
and the 32-bit ABI is still used.
Code generation and optimization:
- Optimize leaf functions in the PowerPC back-end.
(Avoid reloading the return address from the stack.)
- Avoid generating useless conditional branches for empty if/else statements.
- Earlier elimination of redundant `&*expr` and `*&expr` addressings.
- Improve utilization of addressing modes for volatile loads and stores.
Usability:
- Add options -finline / -fno-inline to control function inlining.
- Removed the compilation of '.cm' files written in Cminor concrete syntax.
- More precise warnings about missing function returns.
- clightgen: add option "-normalize" to avoid memory loads deep inside
expressions.
Bug fixing:
- Issue #179: clightgen produces wrong output for "switch" statements.
- Issue #196: excessive proof times in .v files produced by clightgen.
- Do not generate code for functions with "inline" specifier that are
neither static nor extern, as per ISO C99.
- Some line number information was missing for some goto labels and
switch cases.
- Issue #P16: illegal PowerPC asm generated for unsigned division after
constant propagation.
- Issue #P18: ARM addressing overflows caused by 1- underestimation of
code size, causing mismanagement of constant pool, and 2- large stack
frames where return address and back link are at offsets >= 4Kb.
- Pass -no-pie flag to the x86 linker when -pie is the default.
Coq and Caml development:
- Support Coq 8.6.1.
- Improve compatibility with Coq working version.
- Always generate .merlin and _CoqProject files.
Release 3.0.1, 2017-02-14
=========================
- Ported to Coq 8.6.
Release 3.0, 2017-02-10
=======================
Major improvements:
- Added support for 64-bit target platforms, including pointers that
are 64-bit wide, and the ability to use 64-bit integer registers and
arithmetic operations. This support does not replace but comes in
addition to CompCert's original support for 32-bit target platforms,
with 32-bit pointers and emulation of 64-bit integer arithmetic
using pairs of 32-bit integers. In terms of C data models, CompCert
used to be restricted to the ILP32LL64 model; now it also supports
I32LP64 and IL32LLP64.
- The x86 port of CompCert was extended to produce x86-64 bit code in
addition to the original x86-32 bit (IA32) code. (This is the first
instantiation of the new support for 64-bit targets described
above.) Support for x86-64 is currently available for Linux and MacOS X.
(Run the configure script with 'x86_64-linux' or 'x86_64-macosx'.)
This is an early port: several ABI incompatibilities remain.
Language features:
- Support for anonymous structures and unions as members of
structures or unions. (ISO C11, section 6.7.2.1, para 13 and 19.)
- New built-in functions for ARM and PowerPC:
__builtin_ctz, __builtin_ctzl, __builtin_ctzll
(count trailing zeros, 32 and 64 bits).
Usability:
- Added options -Wxxx and -Wno-xxx (for various values of "xxx")
to control which warnings are emitted.
- Added options -Werror=xxx and -Wno-error=xxx (for various values of "xxx")
to control which warnings are treated as errors.
- Support response files where additional command-line arguments can
be passed (syntax: @file).
- Improved wording of warning and error messages.
- Improved handling of attributes, distinguishing attributes that apply
to types from attributes that apply to names. For example, in
__attribute((aligned(8),section("foo"))) int * p;
the "aligned" attribute is attached to type "int", while
the "section" attribute is attached to name "p".
Code generation:
- Support for ARM target processors in big-endian mode.
- Optimize 64-bit integer division by constants.
Bug fixing:
- Issue #155: on ARM, assembly errors caused by large jump tables for
"switch" statements and overflow in accessing constant pools.
- Issue #151: large inductive definition causes a fatal error in
32-bit versions of Coq.
- Issue #143: handle "%lf" printf() format in the reference interpreter.
- Issue #138: struct declarations in K&R function parameters were ignored.
- Issues #110, #111, #113, #114, #115, #119, #120, #121, #122, #123, #124,
#125, #126, #127, #128, #129, #130, #133, #138, #144: various cases
of internal errors and failed assertions that should have been
proper errors instead.
- For __builtin_memcpy_aligned, size and alignment arguments of 64-bit
integer type were causing a fatal error on a 32-bit target.
- ARM and x86 ports: wrong register allocation for some calls to
function pointers.
Release 2.7.1, 2016-07-18
=========================
- Ported to Coq 8.5pl2.
Bug fixing:
- Fixed a compile-time assertion failure involving builtins
taking a 64-bit integer parameter and given an unsigned 32-bit integer
argument.
- Updates to the Cminor parser.
Release 2.7, 2016-06-29
=======================
Major improvement:
- The proof of semantic preservation now accounts for separate compilation
and linking, following the approach of Kang, Kim, Hur, Dreyer and
Vafeiadis, "Lightweight verification of separate compilation", POPL 2016.
Namely, the proof considers a set of C compilation units, separately
compiled to assembly then linked, and shows that the resulting
assembly program preserves the semantics of the C program that would
be obtained by syntactic linking of the source C compilation units.
Language features:
- Parse the _Noreturn function attribute from ISO C11.
- New standard includes files: <iso646.h> and <stdnoreturn.h> from ISO C11.
- New built-in functions: __builtin_clzl, __builtin_clzll
(count leading zeros, 32 and 64 bits) for ARM, IA32 and PowerPC;
__builtin_ctz, __builtin_ctzl, __builtin_ctzll
(count trailing zeros, 32 and 64 bits) for IA32.
Formal C semantics:
- The semantics of conversions from pointer types to _Bool
is fully defined (again).
Usability:
- The generation of DWARF debugging information in "-g" mode is now
supported for ARM and IA32 (in addition to PowerPC).
Coq development:
- Revised the Stacking pass and its proof to make it more extensible
later to e.g. 64-bit integer registers.
- Use register pairs in function calling conventions to control more
precisely the splitting of 64-bit integer arguments and results
into pairs of 32-bit quantities.
- Revised the way register conventions are described in Machregs
and Conventions.
- Simulation diagrams now live in Prop instead of Type.
OCaml development:
- Code cleanup to remove warnings, support "safe strings" mode,
and be fully compatible with OCaml 4.02 and 4.03.
- Cminor parser: support for single-precision FP numbers and operators.
Bug fixing:
- Some declarations within C expressions were incorrectly ignored
(e.g. "sizeof(enum e {A})").
- ARM in Thumb mode: incorrect "movs" instructions involving the stack
pointer register were generated.
Release 2.6, 2015-12-21
=======================
Usability:
- Generation of full DWARF v2 debugging information in "-g" mode,
including function-local variables. This is fully supported
for the PowerPC target with GNU tools or Diab tools. Support
for IA32 and ARM is nearly there.
- Production of detailed explanations for syntax errors during parsing.
(Exploiting recent work by F. Pottier on the Menhir parser generator.)
- PowerPC port: added many new builtin functions.
Code generation and optimization:
- Support for PowerPC 64-bits (pointers are still 32-bit wide)
and Freescale's E5500 variant.
- More prudent alias analysis for operations over pointers that are
formally undefined, such as bit masking.
- New pass: Debugvar, to associate debug information to local variables.
Coq development:
- Richer representation of arguments and results to builtin operations.
- As a consequence, annotation builtins no longer need special handling.
- Added EF_debug builtins to transport debugging information throughout
the compiler back-end.
- Upgraded the Flocq library to version 2.5.0.
Bug fixing:
- Issue #71: incorrect initialization of an array of wchar_t.
- Corrected the handling of bit-fields of type _Bool and width > 1.
- Removed copy optimization when returning a struct from a function.
- Full parsing of unprototyped (K&R-style) function definitions.
(Before, the parsing was incomplete and would reject some definitions.)
Miscellaneous:
- The cchecklink tool (for a posteriori validation of assembly
and linking) was removed. It is replaced by the Valex tool,
available from AbsInt.
- Added a command-line option -conf <config file> to select
a different "compcert.ini" configuration file.
- Removed the command-line options -fstruct-passing=<convention>
and -fstruct-return=<convention>, more confusing than useful.
- Added a command-line option -fstruct-passing that activates
ABI-conformant by-value passing of structs and unions as
function arguments or results. If this option is not set,
passing a struct/union as function argument is now rejected.
- The -fstruct-return command-line option is deprecated and
becomes a synonym for -fstruct-passing.
- The return type of __builtin_clz() is "int", as documented,
and not "unsigned int", as previously implemented.
Release 2.5, 2015-06-12
=======================
Language features:
- Extended inline assembly in the style of GCC. (See section 6.5
of the user's manual.) The implementation is not as complete
as that of GCC or Clang. In particular, the only constraints
supported over operands are "r" (register), "m" (memory), and
"i" (integer immediate).
Code generation and optimization:
- Revised translation of '||' and '&&' to Clight so as to
produce well-typed Clight code.
- More prudent value analysis of uninitialized declarations of
"const" global variables.
- Revised handling of "common" global declarations, fixes an issue
with uninitialized declarations of "const" global variables.
Improvements in confidence:
- Formalized the typing rules for CompCert C in Coq and verified
a type-checker, which is used to produce the type annotations
in CompCert C ASTs, rather than trusting the types produced by
the Elab pass.
- Coq proof of correctness for the Unusedglob pass (elimination
of unreferenced static global definitions). The Coq AST for
compilation units now records which globals are static.
- More careful semantics of comparisons between a non-null pointer
and the null pointer. The comparison is undefined if the non-null
pointer is out of bounds.
Usability:
- Generation of DWARF v2 debugging information in "-g" mode.
The information describes C types, global variables, functions,
but not yet function-local variables. This is currently available
only for the PowerPC/Diab target.
- Added command-line options to turn individual optimizations on or off,
and a "-O0" option to turn them all off.
- Revised handling of arguments to __builtin_annot so that no code
is generated for an argument that is a global variable or a local
variable whose address is taken.
- In string and character literals, treat illegal escape sequences
(e.g. "\%" or "\0") as an error instead of a warning.
- Warn if floating-point literals overflow or underflow when converted
to FP numbers.
- In "-g -S" mode, annotate the generated .s file with comments
containing the C source code.
- Recognize and accept more of GCC's alternate keywords, e.g. __signed,
__volatile__, etc.
- cchecklink: added option "-files-from" to read .sdump file names
from a file or from standard input.
ABI conformance:
- Improved ABI conformance for passing values of struct or union types
as function arguments or results. Full conformance is achieved on
IA32/ELF, IA32/MacOSX, PowerPC/EABI, PowerPC/Linux, and ARM/EABI.
- Support the "va_arg" macro from <stdarg.h> in the case of arguments
of struct or union types.
Coq development:
- In the CompCert C and Clight ASTs, struct and union types are now
represented by name instead of by structure. A separate environment
maps these names to struct/union definitions. This avoids
bad algorithmic complexity of operations over structural types.
- Introduce symbol environments (type Senv.t) as a restricted view on
global environments (type Genv.t).
- Upgraded the Flocq library to version 2.4.0.
Bug fixing:
- Issue #4: exponential behaviors with deeply-nested struct types.
- Issue #6: mismatch on the definition of wchar_t.
- Issue #10: definition of composite type missing from the environment.
- Issue #13: improved handling of wide string literals.
- Issue #15: variable-argument functions are not eligible for inlining.
- Issue #19: support empty "switch" statements.
- Issue #20: ABI incompatibility wrt struct passing on IA32.
- Issue #28: missing type decay in __builtin_memcpy_aligned applied to arrays.
- Issue #42: emit error if "static" definition follows non-"static" declaration.
- Issue #44: OSX assembler does not recognize ".global" directive.
- Protect against redefinition of the __i64_xxx helper library functions.
- Revised handling of nonstandard attributes in C type compatibility check.
- Emit an error on "preprocessing numbers" that are invalid numerical literals.
- Added missing check for static redefinition following a non-static
declaration.
- Added missing check for redefinition of a typedef as an ordinary
identifier within the same scope.
Miscellaneous:
- When preprocessing with gcc or clang, use "-std=c99" mode to force
C99 conformance.
- Use a Makefile instead of ocamlbuild to compile the OCaml code.
Release 2.4, 2014-09-17
=======================
Language features:
- Support C99 compound literals (ISO C99 section 6.5.2.5).
- Support "switch" statements over an argument of type "long long".
Code generation and optimization:
- Revised and improved support for single-precision floating-point
arithmetic. Earlier, all FP arithmetic was performed at double
precision, with conversions to/from single precision as needed,
in particular when loading/storing a single-precision FP number
from/to memory. Now, FP operations whose arguments are of type
"float" are performed in single-precision, using the processor's
single FP instructions. Fewer conversions between double and
single precision are generated.
- Value analysis and constant propagation: more precise treatment of
comparisons against an integer constant.
Improvements in confidence:
- Full correctness proofs for the algorithms used in the runtime
support library for conversions between 64-bit integers and
floating-point numbers.
ARM port:
- Added support for Thumb2 instruction encoding (option -mthumb).
Thumb2 is supported on ARMv7 and up, and produces more compact
machine code.
- Exploit some VFPv3 instructions when available.
- Built-in function '__builtin_cntlz' (count leading zeros)
renamed '__builtin_clz' for GCC / Clang compatibility.
PowerPC port:
- Refactored the expansion of built-in functions and
pseudo-instructions so that it does not need to be re-done in
cchecklink.
- Updated the cchecklink validator accordingly.
- More efficient code generated for volatile accesses to small data areas.
- Built-in function '__builtin_cntlz' (count leading zeros)
renamed '__builtin_clz' for GCC / Clang compatibility.
IA32 port:
- Added built-in functions __builtin_clz and __builtin_ctz
(count leading / trailing zeros).
Coq development:
- The memory model was extended with two new "chunks", Many32 and Many64,
that enable storing any 32-bit value or 64-bit value using
an abstract, not bit-based encoding, and reloading these values exactly.
These new chunks are used to implement saving and restoring callee-save
registers that can contain data of unknown types (e.g. float32 or float64)
but known sizes.
- Refactored the library of FP arithmetic (lib/Floats.v) to support
both 64- and 32-bit floats.
Release 2.3pl2, 2014-05-15
==========================
Usability:
- Re-added support for "__func__" identifier as per ISO C99.
- Re-added some popular GCC extensions to ISO C99:
. alternate keywords __restrict, __inline__, etc.
. support for empty structs and unions
. support '\e' escape in char and string literals, meaning ESC
- Do not assume that the preprocessor removed all comments.
Bug fixing:
- Fixed regression on initializers of the form T x[N] = "literal";
where T is a typedef for a character type.
- "asm" statements were causing syntax errors.
- Better handling of "extern" and "extern inline" function definitions.
- Internal error on some octal escape sequences in string literals.
- Parsing of "#pragma section" directives made more robust and
with better error reporting.
Release 2.3, 2014-05-05
=======================
Language features:
- Support for C99 designated initializers. (ISO C99 section 6.7.8.)
Improvements in confidence:
- The parser is now formally verified against the ISO C99 grammar plus
CompCert's extensions. The verification proves that the parser
recognizes exactly the language specified by the grammar, and that
the grammar has no ambiguities. For more details, see the paper
"Validating LR(1) parsers" by Jacques-Henri Jourdan, François Pottier,
and Xavier Leroy, ESOP 2012, http://dx.doi.org/10.1007/978-3-642-28869-2_20
- More theorems proved about float<->integer conversions.
Optimizations:
- Optimize "x != 0", "x == 0", "x != 1", and "x == 1" when x is known
to be a boolean already, ranging over {0, 1, undef}.
- More systematic constant propagation in the Selection pass, which
lightens the work of later RTL optimizations.
- IA32: recognize and use the "not" instruction.
Usability:
- Option "-timings" to print compilation times for various passes.
- Various tweaks in IRC graph coloring to reduce compilation time.
- IA32: add built-in functions for fused multiply-add
(require a recent processor with FMA3 extensions).
Improvements in ABI conformance:
- New target platform: ARM with EABI "hard float" calling conventions
(armhf in Debian's classification).
- IA32 and ARM: revised handling of "common" variables to conform with ABI.
Bug fixing:
- In -fbitfields emulation: "a->f" was not properly rewritten if "a"
had "array of structs" type instead of "pointer to struct".
- Moved analysis of single-precision floats from RTLtyping to Machtyping.
(RTLtyping was incorrectly rejecting some functions involving
single-precision floats.) Simplified LTL semantics and Allocation
pass accordingly.
- Assignment to a l-value of "volatile float" type could cause
an internal error in RTLtyping/Machtyping.
- The case __builtin_fabs applied to integers was missing in the
C semantics and in C#minor generation.
- Fixed some type annotations on CompCert C expressions. These
annotations were incorrect but not in a way that impacted code
generation.
Release 2.2, 2014-02-24
=======================
Major improvements:
- Two new static analyses are performed on the RTL intermediate form:
. Value analysis, tracking constants, some integer range information,
and pointer aliasing information.
. Neededness analysis, generalizing liveness analysis to individual
bits of integer values and to stack memory locations.
- Improved RTL optimizations, exploiting the results of these analyses:
. Constant propagation can track constants across memory stores and loads.
. Common subexpression elimination exploits nonaliasing information.
. Dead code elimination can eliminate useless memory writes and
block copies, as well as integer operations that do not change
the needed bits.
. Redundant cast elimination is now performed globally (at
function level) rather than locally on individual expressions.
- Experimental support for defining and calling variable-argument functions,
including support for the <stdarg.h> interface.
(Option -fvararg-calls, "on" by default.)
Language features:
- In "switch" statements, "default" cases can now appear anywhere, not
just as the last case.
- Support for incomplete array as last field of a struct,
as specified in ISO C 99.
- Support for declarations within 'for' loops, as specified in ISO C 99.
(E.g. "for (int i = 0; i < 4; i++) ...")
- Revised semantics and implementation of _Alignas(N) attribute
to better match those of GCC and Clang.
- Better tolerance for functions declared without prototypes
(option -funprototyped, "on" by default).
- On PowerPC, support "far-data" sections
(register-relative addressing with 32-bit offsets).
Improvements in ABI conformance:
- For x86/IA32, align struct fields of types "double" or "long long" to 4
instead of 8, as prescribed by the x86 ELF ABI.
- For PowerPC and ARM, structs and unions returned as function results
are now passed in integer registers if their sizes are small enough
(<= 8 bytes for PowerPC, <= 4 bytes for ARM).
Usability:
- Revised parsing of command-line arguments to be closer to GCC and Clang.
In particular, "ccomp -c foo.c -o obj/foo.o" now works as expected,
instead of ignoring the "-o" option as in earlier CompCert versions.
- Recognize input files ending in .i and .p as C source files that
must not be preprocessed.
- Warn for uses of the following GCC extensions to ISO C:
zero-sized arrays, empty structs/unions, empty initializer braces.
- Option "-fno-fpu" to prevent the use of FP registers for some
integer operations such as block copies. (Replaces the previous
"-fno-sse" option which was x86/IA32-specific, and extends it to
PowerPC and ARM.)
- Option "-drtl" to record the RTL intermediate representation
at every stage of optimization. (Replaces "-dtailcall", "-dinlining",
"-dconstprop", and "-dcse".)
- Add CompCert version number and command-line arguments as comments
in the generated assembly files.
Other performance improvements:
- Recognize __builtin_fabs as a primitive unary operator instead of
a built-in function, enabling more optimizations.
- PowerPC: shorter code generated for "&global_variable + expr".
Improvements in compilation times:
- More efficient implementation of Kildall's dataflow equation solver,
reducing the size of the worklist and the number of times a node is visited.
- Better OCaml GC settings significantly reduce compilation times
for very large source functions.
Bug fixing:
- Fixed incorrect hypothesis on __builtin_write{16,32}_reversed.
- Fixed syntax error in __attribute__((__packed__)).
- Emit clean compile-time error for 'switch' over a value of 64-bit
integer type (currently not supported).
- Recognize source files with .i or .p extension as C sources that
should not be preprocessed.
Coq development:
- Removed propositional extensionality axiom (prop_ext).
- Suppressed the Mfloat64al32 memory_chunk, no longer needed.
Release 2.1, 2013-10-28
=======================
Language semantics:
- More precise modeling of not-a-numbers (NaNs) in floating-point
arithmetic.
- The CompCert C language is now defined with reference to ISO C99
instead of ISO C90 ("ANSI C") as before. This affects mostly the
wording of the reference manual. However, the parsing of integer
constants and character constants was revised to follow the ISO C99
standard.
Language features:
- Support for _Alignas(N) attribute from ISO C 2011.
- Revised implementation of packed structs, taking advantage of _Alignas.
- Suppressed the pragma "packed", replaced by a struct-level attribute
__packed__(params) or __attribute__(packed(params)).
- Fixed typing rules for __builtin_annot() to avoid casting arguments
of small integer or FP types.
Performance improvements:
- Optimize integer divisions by positive constants, turning them into
multiply-high and shifts.
- Optimize floating-point divisions by powers of 2, turning them
into multiplications.
- Optimize "x * 2.0" and "2.0 * x" into "x + x".
- PowerPC: more efficient implementation of division on 64-bit integers.
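The strength reduction named in the first item above (a division by a positive constant becoming a multiply-high and a shift), as an added example that is not CompCert's own code: it searches the multiplier and shift under the textbook Granlund-Montgomery condition, applies them as one mulhu and one shift, and checks the replacement against the hardware division. The names magic_params, div_by_magic, magic_m, magic_p and magic_check are invented for this example.

```c
#include <stdint.h>
#include <stddef.h>

/* Search (m, p) with 2^(32+p) <= m*d <= 2^(32+p) + 2^p and m < 2^32.
   By the Granlund-Montgomery theorem, ((x*m) >> 32) >> p then equals x / d
   for every 32-bit unsigned x.  Returns 0 when no 32-bit magic exists
   (d = 7 is the classic case), so the real division must be kept.
   Powers of two, including d = 1, belong to plain shifts and return 0 too. */
int magic_params(uint32_t d, uint32_t *m_out, unsigned *p_out) {
    if (d == 0 || (d & (d - 1)) == 0) return 0;
    for (unsigned p = 0; p < 32; p++) {
        uint64_t lo = (uint64_t)1 << (32 + p);     /* 2^(32+p) */
        uint64_t m = lo / d + (lo % d != 0);       /* ceil(2^(32+p) / d) */
        if (m >> 32) return 0;                     /* m only grows with p */
        if (m * d <= lo + ((uint64_t)1 << p)) {    /* error m*d - 2^(32+p) <= 2^p */
            *m_out = (uint32_t)m;
            *p_out = p;
            return 1;
        }
    }
    return 0;
}

/* The strength-reduced division: one multiply-high and one logical shift. */
uint32_t div_by_magic(uint32_t x, uint32_t m, unsigned p) {
    uint32_t hi = (uint32_t)(((uint64_t)x * m) >> 32);   /* mulhu x, m */
    return hi >> p;
}

/* Accessors returning the parameters directly (0 / -1 when none exist). */
uint32_t magic_m(uint32_t d) { uint32_t m; unsigned p; return magic_params(d, &m, &p) ? m : 0; }
int magic_p(uint32_t d) { uint32_t m; unsigned p; return magic_params(d, &m, &p) ? (int)p : -1; }

/* Compare the replacement with the hardware division on the extremes and on
   multiples of d and their predecessors, where an off-by-one would surface.
   Returns 1 if every probe agrees, 0 otherwise (including "no magic"). */
int magic_check(uint32_t d) {
    uint32_t m; unsigned p;
    if (!magic_params(d, &m, &p)) return 0;
    static const uint32_t edge[] = {0, 1, 0x7FFFFFFFu, 0x80000000u, 0xFFFFFFFEu, 0xFFFFFFFFu};
    for (size_t i = 0; i < sizeof edge / sizeof edge[0]; i++)
        if (div_by_magic(edge[i], m, p) != edge[i] / d) return 0;
    for (uint64_t k = 1; k * d < 0xFFFFFFFFu; k += 1 + k / 8) {
        uint32_t x = (uint32_t)(k * d);
        if (div_by_magic(x, m, p) != x / d) return 0;
        if (div_by_magic(x - 1, m, p) != (x - 1) / d) return 0;
    }
    return 1;
}
```

For d = 3 the search yields the familiar multiplier 0xAAAAAAAB with shift 1; for d = 7 no 32-bit multiplier satisfies the bound, which is why compilers either keep the division or use a longer sequence.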
Bug fixing:
- Fixed compile-time error when assigning a long long RHS to a bitfield.
- Avoid double rounding issues in conversion from 64-bit integers
to single-precision floats.
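The double-rounding failure mode named in the last item, as an added example (not CompCert's runtime code): converting a 64-bit integer through double rounds twice and can land on the wrong float, while pre-rounding to 53 bits with a sticky bit keeps a single rounding. The probe value and the function names are constructed for this example.

```c
#include <stdint.h>

/* Constructed probe: 2^54 + 2^30 + 1 lies just above the midpoint between
   two neighbouring floats (2^54 and 2^54 + 2^31), so a correct conversion
   must round up to 2^54 + 2^31. */
int64_t double_rounding_probe(void) {
    return ((int64_t)1 << 54) + ((int64_t)1 << 30) + 1;
}

/* The buggy shape: round to 53 bits first, then to 24.  The first rounding
   drops the "+1" and leaves an exact tie, which ties-to-even resolves to
   2^54, one float ulp below the correct answer. */
float i64_to_f32_via_double(int64_t n) {
    volatile double d = (double)n;   /* rounding #1 (volatile keeps it separate) */
    return (float)d;                 /* rounding #2 */
}

/* Single-rounding conversion.  Inputs wider than 53 bits are pre-rounded
   to odd: the low 11 bits collapse into one sticky bit, which preserves
   every "above / below / exactly on the midpoint" decision for the final
   rounding to 24 bits.  Standard technique, not CompCert's runtime code. */
float u64_to_f32(uint64_t x) {
    if (x >> 53) {
        uint64_t m = (x >> 11) | ((x & 0x7FF) != 0);   /* 53 bits + sticky */
        return (float)((double)m * 2048.0);            /* exact scale by 2^11 */
    }
    return (float)(double)x;   /* x < 2^53: the double is exact, one rounding */
}

float i64_to_f32(int64_t n) {
    if (n < 0) return -u64_to_f32(0u - (uint64_t)n);   /* also handles INT64_MIN */
    return u64_to_f32((uint64_t)n);
}
```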
Miscellaneous:
- Minor simplifications in the generic solvers for dataflow analysis.
- Small improvements in compilation times for the register allocation pass.
- MacOS X port updated to the latest XCode (version 5.0).
Release 2.0, 2013-06-21
=======================
Major improvements:
- Support for C types "long long" and "unsigned long long", that is,
64-bit integers. Regarding arithmetic operations on 64-bit integers,
. simple operations are expanded in-line and proved correct;
. more complex operations (division, modulus, conversions to/from floats)
call into library functions written in assembly, heavily tested
but not yet proved correct.
- The register allocator was completely rewritten to use an "end-to-end"
translation validation approach, using a validation algorithm
described in the paper "Validating register allocation and spilling"
by Silvain Rideau and Xavier Leroy, Compiler Construction 2010,
http://dx.doi.org/10.1007/978-3-642-11970-5_13
This validation-based approach enables better register allocation, esp:
. live-range splitting is implemented
. two-address operations are treated more efficiently
. no need to reserve processor registers for spilling and reloading.
The improvement in quality of generated code is significant for
IA32 (because of its paucity of registers) but less so for ARM and PowerPC.
- Preliminary support for debugging information. The "-g" flag
causes DWARF debugging information to be generated for line numbers
and stack structure (Call Frame Information). With a debugger like
GDB, this makes it possible to step through the code, put breakpoints
by line number, and print stack backtraces. However, no information
is generated yet for C type definitions nor for variables; therefore,
it is not possible to print the values of variables.
Improvements in ABI conformance:
- For IA32 and ARM, function arguments of type "float"
(single-precision FP) were incorrectly passed as "double".
- For PowerPC, fixed alignment of "double" and "long long" arguments
passed on stack.
Improvements in code generation:
- More aggressive common subexpression elimination across some builtin
function calls, esp. annotations.
Improvements in compiler usability:
- Option -fno-tailcalls to turn off tail-call elimination.
(Some static analysis tools are confused by this optimization.)
- Reduced stack usage of the compiler by rewriting some key functions
in tail-recursive style.
- Reduced memory requirements of constant propagation pass by forgetting
compile-time approximations of dead variables.
- More careful elaboration of C struct and union types into CompCert C
types, avoiding behaviors exponential in the nesting of structs.
Bug fixing:
- Fixed parsing of labeled statements inside "switch" constructs,
which were causing syntax errors.
- The "->" operator applied to an array type was causing a type error.
- Nested conditional expressions "a ? (b ? c : d) : e" were causing
a compile-time error if "c", "d" and "e" had different types.
Coq development:
- Adapted the memory model to the needs of the VST project at Princeton:
. Memory block identifiers are now of type "positive" instead of "Z"
. Strengthened invariants in the definition of memory injections
and the specification of external calls.
- The LTL intermediate language is now a CFG of basic blocks.
- Suppressed the LTLin intermediate language, no longer used.
Release 1.13, 2013-03-12
========================
Language semantics:
- Comparisons involving pointers "one past" the end of a block are
now defined. (They used to be undefined behavior.)
(Contributed by Robbert Krebbers).
Language features:
- Arguments to __builtin_annot() that are compile-time constants
are now replaced by their (integer or float) value in the annotation
generated in the assembly file.
Improvements in performance:
- ARM and PowerPC ports: more efficient access to function parameters
that are passed on the call stack.
- ARM port: slightly better code generated for some indirect memory
accesses.
Bug fixing:
- Fixed a bug in the reference interpreter in -all mode causing some
reductions to be incorrectly merged.
- Wrong parsing of hexadecimal floating-point literals 0xMMMMpEEE.
Improvements in usability:
- Better error and warning messages for declarations of variables
of size >= 2^32 bits.
- Reference interpreter: more efficient exploration of states in -all mode.
Coq development:
- More efficient implementation of machine integers (module Integers)
taking advantage of bitwise operations defined in ZArith in Coq 8.4.
- Revised handling of return addresses in the Mach language
and the Stacking and Asmgen passes.
- A number of definitions that were opaque for no good reason are now
properly transparent.
Release 1.12.1, 2013-01-29
==========================
Ported to Coq 8.4pl1. Otherwise functionally identical to release 1.12.
Release 1.12, 2013-01-11
========================
Improvements in confidence:
- Floating-point literals are now parsed and converted to IEEE-754 binary
FP numbers using a provably-correct conversion function implemented on
top of the Flocq library.
Language semantics:
- Comparison between function pointers is now correctly defined
in the semantics of CompCert C (it was previously undefined behavior,
by mistake).
- Bit-fields of 'enum' type are now treated as either unsigned or signed,
whichever is able to represent all values of the enum.
(Previously: always signed.)
- The "&&" and "||" operators are now primitive in CompCert C and are
given explicit semantic rules, instead of being expressed in terms
of "_ ? _ : _" as in previous CompCert releases.
- Added a "Ebuiltin" expression form (invocation of built-in function)
to CompCert C, and a "Sbuiltin" statement form to Clight.
Used it to simplify the encoding of annotations, memcpy, and volatile
memory accesses.
Performance improvements:
- Better code generated for "&&" and "||" operators.
- More aggressive elimination of conditional branches during constant
propagation, taking better advantage of inferred constants.
Language features:
- By popular demand, "asm" statements for inline assembly are now supported
if the flag -finline-asm is set. Use with extreme caution, as the
semantic preservation proof assumes these statements have no effect
on the processor state.
Internal simplifications and reorganization:
- Clight, Csharpminor, Cminor: suppressed the "Econdition" conditional
expressions, no longer useful.
- Clight: a single loop form, the three C loops are derived forms.
- Clight: volatile memory accesses are materialized as builtin operations.