Verification of C Programs Using Automated Reasoning

Lecture Notes in Computer Science, 2005

Symbolic software verification engines such as Slam and ESC/Java often use automatic theorem provers to implement forms of symbolic simulation. The theorem provers that are used, such as Simplify, usually combine decision procedures for the theories of uninterpreted functions, linear arithmetic, and sometimes bit vectors using techniques proposed by Nelson-Oppen or Shostak. Programming language constructs such as pointers, structures and unions are not directly supported by the provers, and are often encoded imprecisely using axioms and uninterpreted functions.

2004

Compositional verification and abstraction are the key tech- niques to address the state explosion problem associated with model checking of concurrent software. A promising compositional approach is to prove properties of a system by checking properties of its compo- nents in an assume-guarantee style. This article proposes a framework for performing abstraction and assume-guarantee reasoning of concurrent C code in an incremental and fully automated fashion. The framework uses predicate abstraction to extract and refine finite state models of software and it uses an automata learning algorithm to incrementally construct as- sumptions for the compositional verification of the abstract models. The framework can be instantiated with dierent assume-guarantee rules. We have implemented our approach in the ComFoRT reasoning framework and we show how ComFoRT out-performs several previous software model checking approaches when checking safety properties of non-trivial concurrent programs.

Lecture Notes in Computer Science, 2012

Static analyzers usually return partial results. They can assert that some properties are valid during all possible executions of a program, but generally leave some other properties to be verified by other means. In practice, it is common to combine results from several methods manually to achieve the full verification of a program. In this context, Frama-C is a platform for analyzing C source programs with multiple analyzers. Hence, one analyzer might conclude about properties assumed by another one, in the same environment. We present here the semantical foundations of validity of program properties in such a context. We propose a correct and complete algorithm for combining several partial results into a fully consolidated validity status for each program property. We illustrate how such a framework provides meaningful feedback on partial results.

This paper presents the formal verification of a compiler front-end that translates a subset of the C language into the Cminor intermediate language. The semantics of the source and target languages as well as the translation between them have been written in the specification language of the Coq proof assistant. The proof of observational semantic equivalence between the source and generated code has been machine-checked using Coq. An executable compiler was obtained by automatic extraction of executable Caml code from the Coq specification of the translator, combined with a certified compiler back-end generating PowerPC assembly code from Cminor, described in previous work.

National Technical Infornation Servici U. S. DEPARTMENT OF COMMERCE ' ■ mim mCLAüüIl IED SECURITY CLASSIFICATION OF THIS PAGEfHT,», D.I. Enl.r.rfJ lhe_paper investigates msthods for applying an on-line interactive vtnlication system derigned to prove properties or PASCAL programs. The methodology is intended to provide techniques for developing a debugged and verified version startin,: from a program, that (a) is possibly unfinished in some respects, (b) may not satisfy the given specmcations, e.g., may contain bugs, (c) may have incomplete documentation, (d) may be written in non-standard ways, e.g.. may depend on user-defined data structures. The methodology involves (i) interactive application of a verification condition generator, an algebraic simplifier and a theorem-prcver; Uij techniques for describing data structures, type constraints, and properties of programs and subprograms (i.e. lower level procedures); [Hi the use of (abstract) data types in structuring programs and proofs. Within each unit (i.e. segment of a problem), the interactive use is aimea at reducing verification conditions to manageable proportions so that the non-trivial factors may be analysed. Analysis of verification conditions attempts to localize errors in the program logic, to extend assertions inside the program, to spotlight additional assumptions on program subfunctions (beyond those already specified oy the programmer), and to generate appropriate lemmas that allow a verification to be completed. Methods for structuring correctness proofs are discussed that are similar to those of "structured programming-, A detailed case study of a pattern matching algorithm illustrating the various aspects of the methodology (including the role played by the user) is given. ii UNCLASSIFIED SECURITY CLASSIFICATION OF THIS PAGEfirh»n Oaf« Km.r.dJ " wmm'*^^*'*

International Journal on Software Tools for Technology Transfer, 2020

DepthK is a source-to-source transformation tool that employs bounded model checking (BMC) to verify and falsify safety properties in single- and multi-threaded C programs, without manual annotation of loop invariants. Here, we describe and evaluate a proof-by-induction algorithm that combines k-induction with invariant inference to prove and refute safety properties. We apply two invariant generators to produce program invariants and feed these into a k-induction-based verification algorithm implemented in DepthK, which uses the efficient SMT-based context-bounded model checker (ESBMC) as sequential verification back-end. A set of C benchmarks from the International Competition on Software Verification (SV-COMP) and embedded-system applications extracted from the available literature are used to evaluate the effectiveness of the proposed approach. Experimental results show that k-induction with invariants can handle a wide variety of safety properties, in typical programs with loop...

The paper presents a rather condensed survey of the Veri cation Support Environment VSE-II, a kind of CASE tool for formal software development. VSE-II is currently employed among others within the joint project FairPay on dependability of electronic payment systems. This has caused some remarkable interest in the VSE methodology which motivated the author to prepare the present tutorial introduction. The paper gives a summary of the methodology, the formalisms, the architecture, and the proof support of the system. The proof support is discussed in more detail.

2000

Much research in computer science, ever since its inception, has been devoted the problem:���How can we be sure that a computer program is correct?��� The general problem is extremely difficult, and the enormous variety of computer software in use demands a corresponding variety of approaches: eg structured design methods [YC86], automated testing [Ber91] and model checking [GL94].

Programming and Computer Software, 2002

The C-light language is described, which is a representative subset of C. C-light permits deterministic expressions, limited use of switch and goto statements, and, instead of library functions for work with dynamic memory, includes C++ statements new and delete. A survey of structured operational semantics of the C-light language in Plotkin's style is given.

Proceedings of the C/C++ Verification Workshop

This paper reports on the design of adequate on-machine formal semantics for a certified C compiler. This compiler is an optimizing compiler, that targets critical embedded software. It is written and formally verified using the Coq proof assistant. The main structure of the compiler is very strongly conditioned by the choice of the languages of the compiler, and also by the kind of semantics of these languages.

2002

Automated verification tools vary widely in the types of properties they are able to analyze, the complexity of their algorithms, and the amount of necessary user involvement. In this paper we propose a framework for step-wise automatic verification and describe a lightweight scalable program analysis tool that combines abstraction and model checking. The tool guarantees that its True and False answers are sound with respect to the original system.

Testing of Software and Communicating Systems, 2008

We present in this paper a framework, RMOR, for monitoring the execution of C programs against state machines, expressed in a textual (nongraphical) format in files separate from the program. The state machine language has been inspired by a graphical state machine language RCAT recently developed at the Jet Propulsion Laboratory, as an alternative to using Linear Temporal Logic (LTL) for requirements capture. Transitions between states are labeled with abstract event names and Boolean expressions over such. The abstract events are connected to code fragments using an aspect-oriented pointcut language similar to ASPECTJ's or ASPECTC's pointcut language. The system is implemented in the C analysis and transformation package CIL, and is programmed in OCAML, the implementation language of CIL. The work is closely related to the notion of stateful aspects within aspect-oriented programming, where pointcut languages are extended with temporal assertions over the execution trace.

2000

This paper presents the formal Isabelle/HOL framework we use to prove refinement between an executable, monadic specification and the C implementation of the seL4 microkernel. We describe the refinement framework itself, the automated tactics it supports, and the connection to our previous C verification framework. We also report on our experience in applying the framework to seL4. The characteristics of

2003

We present a new methodology for automatic verification of C programs against finite state machine specifications. Our approach is compositional, naturally enabling us to decompose the verification of large software systems into subproblems of manageable complexity. The decomposition reflects the modularity in the software design. We use weak simulation as the notion of conformance between the program and its specification. Following the abstractverify-refine paradigm, our tool MAGIC first extracts a finite model from C source code using predicate abstraction and theorem proving. Subsequently, simulation is checked via a reduction to Boolean satisfiability. MAGIC is able to interface with several publicly available theorem provers and SAT solvers. We report experimental results with procedures from the Linux kernel and the OpenSSL toolkit.

International Journal on Software Tools for Technology Transfer, 2011

Deductive software verification, also known as program proving, expresses the correctness of a program as a set of mathematical statements, called verification conditions. They are then discharged using either automated or interactive theorem provers. We briefly review this research area, with an emphasis on tools.