The SECOMP compiler provides strong formal guarantees for compartmentalized C programs by restricting the scope of undefined behavior to the compartments that encounter it.
