Questions: Certified Compilation

This is a theorem of the form: ∀ source, compiled. compile(source) = compiled → ∀ input. semantics(source, input) ~ semantics(compiled, input), where ~ is a simulation or bisimulation relation. The proof is done in a proof assistant (Coq, Isabelle, Agda), making it machine-checkable. The key is that semantic preservation is stronger than 'the compiler doesn't crash' — it says the compiler's output has the exact same behavior as the input.

This is a fundamental tension in certified compilation: completeness vs. tractability. A complete compiler for full C would be incredibly difficult to verify because the semantics is complex and sometimes underspecified. CompCert made a strategic choice: verify a safe subset thoroughly rather than attempt a fragile claim about the full language. In practice, many critical systems don't use the dangerous corners of C anyway, so CompCert's scope is reasonable. As proof assistant tooling and proof techniques improve, the scope of certified compilers expands.

In certified compilation, the source and target language semantics are **given** (formalized in the proof assistant, not proven). These are the inputs to the certification effort. The **transformation** — the actual compiler code and its optimization passes — is what is verified. Each pass (constant propagation, dead code elimination, register allocation, etc.) is verified to preserve semantics: given any source program satisfying the source semantics, the output of this pass satisfies the target semantics. CompCert formalizes C semantics and x86 (or PowerPC) semantics, then verifies each pass.

This illustrates the scope of certification: the proof is only as good as its inputs (the semantics) and the tool that checks it (the proof assistant's kernel). In practice, the semantics of C and x86 used in CompCert are carefully validated against the official specifications, and the Coq kernel is extensively tested. The result is compiler correctness with extremely high confidence — far higher than any compiler verified by testing alone.