CompCert is a formally verified optimizing C compiler. Its intended use is compiling safety-critical and mission-critical software written in C and meeting high levels of assurance. It accepts most of the ISO C 99 language, with some exceptions and some extensions. It produces machine code for a growing number of different architectures.
What sets CompCert apart?
CompCert is the only production compiler that is formally verified, using machine-assisted mathematical proofs, to be exempt from miscompilation issues. The code it produces is proved to behave exactly as specified by the semantics of the source C program.
This level of confidence in the correctness of the compilation process is unprecedented and contributes to meeting the highest levels of software assurance.

verified with Rocqvalidated with Valex
The formal proof covers all transformations from the abstract syntax tree to the generated assembly code. To preprocess and produce object and executable files, an external C preprocessor, assemblers, linkers, and C libraries have to be used. However, these unverified stages are well-understood and robust from an implementation perspective. This was demonstrated on an early version of CompCert in a 2011 study by Regehr, Yang et al.:
“We created a tool that generates random C programs, and then spent two and a half years using it to find compiler bugs. So far, we have reported more than 325 previously unknown bugs to compiler developers.
The striking thing about our CompCert results is that the middle-end bugs we found in all other compilers are absent.
As of early 2011, the under-development version of CompCert is the only compiler we have tested for which Csmith cannot find wrong-code errors. This is not for lack of trying: we have devoted about six CPU-years to the task.
The apparent unbreakability of CompCert supports a strong argument that developing compiler optimizations within a proof framework, where safety checks are explicit and machine-checked, has tangible benefits for compiler users.”
In 2022, the Association for Computing Machinery, ACM, presented the CompCert development team with the prestigious ACM Software System Award. Subsequently, the team also received the ACM SIGPLAN Programming Languages Software Award.
Your benefits
- CompCert is a natural complement to any verification techniques that you apply at the source-code level — be it model checking, program proof, or static analysis. Only with CompCert can you guarantee that all the safety properties verified on the source code also hold for the generated machine code.
- When using a conventional compiler to compile safety-critical applications, you typically have to disable compiler optimizations and run into resource problems as a result. With CompCert, you can significantly improve your applications’ performance, as you no longer have to switch off optimizations for safety reasons.
Formally verified optimizations
CompCert implements a variety of controlled non-aggressive optimizations, all of them formally verified:
- Register allocation using graph coloring and iterated register coalescing,
to keep local variables and temporaries in processor registers as much as possible; - Instruction selection with strength reduction,
to take advantage of combined instructions provided by the target architecture; - Constant propagation for integer and floating-point types,
to pre-evaluate constant computations at compile time; - Common subexpression elimination,
to avoid redundant recomputations and instead reuse previously-computed results; - Dead and redundant code elimination,
to remove useless arithmetic operations and memory loads and stores; - Function inlining,
to avoid function call overhead for functions declared inline; - Tail call elimination,
to implement tail recursion in constant stack space; - If-conversion,
to replace conditional branches by conditional move instructions.
Loop optimizations are currently not performed, but can be implemented on request.
Success stories
For over a decade now, Airbus France has been deploying CompCert at the Toulouse plant. Among other things, the compiler has helped meet performance-gain objectives by reducing the worst-case execution time of the targeted software.
The Institute of Flight System Dynamics at the Technical University of Munich uses CompCert in the development of flight control and navigation algorithms.
In 2017, CompCert was qualified by MTU Friedrichshafen according to IEC 60880, category A, and IEC 61508-3:2010, SCL 3 for a certification project in the nuclear energy domain. The switch to CompCert reduced development time and costs.
In 2026, CompCert was qualified for ATR 42/72 aircraft. CompCert deployment for critical avionics software gains certification credits for compliance with DO-178C, DO-333, and DO-330.
In the civil-aviation research project QSMA by the German Federal Ministry for Economic Affairs and Energy, CompCert was used to develop a TSO-C151b Terrain Avoidance and Warning System in accordance with DAL-C. The project was carried out in co-operation with the German Aerospace Center DLR.
Compilation with execution time in mind
On average, code generated by CompCert is:
- twice as fast as code generated by GCC without optimizations,
- only 10% slower than GCC code at optimization level 1,
- some 20% slower than GCC code at optimization level 3.
Due to the lack of aggressive loop optimizations, performance is lower on benchmarks that involve many matrix computations.

Execution times of 13 benchmarks from the Mibench suite, compiled with:
GCC -O0 (baseline)
GCC -O1
GCC -Os
CompCert -O0
CompCert -O
CompCert -Os

Execution times of 23 benchmarks from a homebrew suite, compiled with:
GCC -O0 (baseline)
GCC -O1
GCC -O3
CompCert -O

Execution times of 23 benchmarks from another homebrew suite, compiled with:
GCC -O0 (baseline)
GCC -O1
GCC -O2
CompCert

Evaluation on 9 benchmarks by X. Leroy, INRIA
GCC -O0 (baseline)
GCC -O1
CompCert

Evaluation on 13 common cryptographic programs by G. Barthe et al.,
ACM Open Access
GCC -O0 (baseline)
GCC -O1
GCC -O3
CompCert

Evaluation on SPEC benchmarks for PowerPC by D. Kästner et al., HAL open science
GCC -O0 (baseline)
GCC -O1
GCC -O2
CompCert

Evaluation on proprietary code by MTU Friedrichshafen, ERTS 2018
Conventional compiler
CompCert
“With CompCert it is possible to decrease the execution time of our flight control algorithms by a significant amount. The reduction of the execution time can be used for additional functionality.”
TU Munich, Institute of Flight System Dynamics
“Short-term need of performance: 11% WCET saving; performance gain with CompCert: 12% (so far)”
“The computed WCET bounds lead to a total processor load which is about 28% smaller with the CompCert-generated code than with the code generated by the conventional compiler. The main reason for this behaviour is the improved memory performance. The result is consistent with our expectations and with previously published CompCert research papers.”
Ease-of-use and interoperability
- From command-line options to error messages to the handling of built-in functions, many CompCert features are very deliberately implemented to feel familiar and intuitive to GCC and LLVM users.
- Another express goal is to generate object code that respects the ABI of the target platform, and thus can be linked with object code and libraries compiled by other C compilers. In this, CompCert succeeds to a great extent, with some target-specific exceptions that are thoroughly documented.
- CompCert is supported by the entire chain of AbsInt tools
for safety-critical and mission-critical applications:
- Astrée for sound static analysis of your C code
- RuleChecker for proving compliance with MISRA, CERT, CWE, and other standards
- ValueAnalyzer for uncovering illegal accesses from within third-party object code
- StackAnalyzer for static analysis of the worst-case stack usage
- EnergyAnalyzer for static analysis of the worst-case energy consumption
- aiT for static WCET analysis
- TimeWeaver for hybrid WCET analysis
- TimingProfiler for timing analysis at early stages of software development
A growing list of supported architectures and ABIs
CompCert produces machine code for PowerPC, ARM & AArch64, x86, RISC-V, and AURIX.
Try now, for free
Watch on YouTube
Introduction to CompCert
A 2021 recording of a joint webinar with Vector Informatik.
- Terminology: Compiler validation vs. compiler verification
- Introduction to formal compiler verification
- Benefits of formally verified compilation
- Experimental evaluation of CompCert performance
- Tool qualification strategy for industry norms such as ISO 26262
ACM Software System Award 2021
The 2021 Award goes to the CompCert developer team:
- Xavier Leroy, Collège de France
- Sandrine Blazy, University of Rennes 1, IRISA
- Zaynah Dargaye, Nomadic Labs
- Jacques-Henri Jourdan, CNRS, Formal Methods Laboratory
- Michael Schmidt, AbsInt
- Bernhard Schommer, Saarland University and AbsInt
- Jean-Baptiste Tristan, Boston College
Building blocks, not a black box
Thanks to the modularity of the formal proof, CompCert’s individual
components — notably, its clightgen frontend
for generating Clight — can be used separately, incorporated
into other applications, and/or extended as need be.
- For example, in 2025, researchers with the Cornell University
made use of
clightgento formally verify the correctness of a modular-inverse implementation in thelibsecp256k1cryptographic library used by Bitcoin. - Similarly, various research groups from around the globe have successfully extended CompCert’s optimization module with additional formally verified optimizations of their own, including loop optimizations, peephole optimizations, and more.
- Further work still was done by a joint group of researchers from China, France, and the US who modified and extended the compilation chain for 32-bit x86 with a verified assembler which further transforms assembly programs into ELF object files and supports verified separate compilation.
- Sandia National Laboratories, operated for the US Department of Energy, have presented an approach that reuses and extends CompCert’s single-threaded proofs for multithreaded programs.
- Several of CompCert’s intermediate representations, including Clight, can be used as basis for static analyses that help make the compiled code resilient to side-channel attacks. Much research on formally verified constant-time preserving compilation has been completed in France, and more is currently ongoing in Germany.
Strong roots in academia
AbsInt was founded in 1998 at the Chair for Compiler Construction at the University of Saarland, Germany. CompCert is developed and distributed by AbsInt since 2015 under license from INRIA, the French National Institute for Research in Digital Science and Technology.
Using CompCert for educational and research purposes is free of charge.
Additionally, we offer free academic evaluations of all our tools for static analysis of C, C++, and binary code. Have a browse through our extensive catalog and get in touch if anything catches your eye.
Community voices
“I have had the pleasure of visiting AbsInt and hearing talks on, amongst other things, CompCert. It really is a fascinating piece of software.”
anonymous, Hacker News
“The best part about CompCert, IMO, is the interpreter it comes with. It can easily expose nasty undefined behaviors, and also explore unspecified evaluation orders.”
anonymous, r/programming
“AbsInt’s involvement with CompCert is alluring; a project where engineering issues are handled in parallel with research questions seems to promise faster progress.”
Priya Srikumar
“When I was writing my proposal to get into a PhD program, I had to do a crash course in formally verified applications. I became slightly obsessed with CompCert; it felt like a ‘real’ program that was utilizing proper formal verification techniques. It seemed so cool to me that there can be an ‘objectively correct’ version of a C compiler. I still think it’s very cool; I wish people would geek out about this stuff as much as I would sometimes.”
anonymous, Hacker News
“CompCert isn‘t going to want to know
about any code that doesn‘t pass gcc -Wall -Werror, but there are
a few things LLVM thinks it‘s OK to warn you about that CompCert is cool with,
which feels like LLVM is wasting my time.”
Martin Keegan
“Most compiler bugs are not in their interpretation of the specification, but in various optimization passes. CompCert’s formal verification ensures that all optimizations retain semantics; that alone makes it worth whatever they’re charging.”
anonymous, Hacker News
Commercial version
Academic version
PDF downloads
- Product flyer
- Datasheet
- Valex datasheets: PPC, ARM












