Formal Verification of C Systems Code

Systems code is almost universally written in the C programming language or a variant. C has a very low level of type and memory abstraction and formal reasoning about C systems code requires a memory model that is able to capture the semantics of C pointers and types. At the same time, proof-based verification demands abstraction, in particular from the aliasing and frame problems. In this paper we present a study in the mechanisation of two proof abstractions for pointer program verification in the Isabelle/HOL theorem prover, based on a low-level memory model for C. The language’s type system presents challenges for the multiple independent typed heaps (Burstall-Bornat) and separation logic proof techniques. In addition to issues arising from explicit value size/alignment, padding, type-unsafe casts and pointer address arithmetic, structured types such as C’s arrays and structs are problematic due to the non-monotonic nature of pointer and lvalue validity in the presence of the unary &-operator. For example, type-safe updates through pointers to fields of a struct break the independence of updates across typed heaps or ∧*-conjuncts. We provide models and rules that are able to cope with these language features and types, eschewing common over-simplifications and utilising expressive shallow embeddings in higher-order logic. Two case studies are provided that demonstrate the applicability of the mechanised models to real-world systems code; a working of the standard in-place list reversal example and an overview of the verification of the L4 microkernel’s memory allocator.

[1]  Robert Cartwright,et al.  The logic of aliasing , 1981, Acta Informatica.

[2]  Xavier Leroy,et al.  Formal Verification of a C-like Memory Model and Its Uses for Verifying Program Transformations , 2008, Journal of Automated Reasoning.

[3]  Peter W. O'Hearn,et al.  Beyond Reachability: Shape Abstraction in the Presence of Pointer Arithmetic , 2006, SAS.

[4]  John Harrison,et al.  A HOL Theory of Euclidean Space , 2005, TPHOLs.

[5]  Norbert Schirmer,et al.  Verification of sequential imperative programs in Isabelle-HOL , 2006 .

[6]  A. Bijlsma Calculating with Pointers , 1989, Sci. Comput. Program..

[7]  Akinori Yonezawa,et al.  Formal Verification of the Heap Manager of an Operating System Using Separation Logic , 2006, ICFEM.

[8]  Michael Norrish,et al.  Types, bytes, and separation logic , 2007, POPL '07.

[9]  Dawson R. Engler,et al.  A system and language for building system-specific, static analyses , 2002, PLDI '02.

[10]  Peter W. O'Hearn,et al.  Local Reasoning about Programs that Alter Data Structures , 2001, CSL.

[11]  Lawrence C. Paulson,et al.  The foundation of a generic theorem prover , 1989, Journal of Automated Reasoning.

[12]  Matthias Blume No-Longer-Foreign: Teaching an ML compiler to speak C "natively" , 2001, Electron. Notes Theor. Comput. Sci..

[13]  Peter W. O'Hearn,et al.  Computability and Complexity Results for a Spatial Assertion Language for Data Structures , 2001, APLAS.

[14]  Yannick Moy,et al.  Union and Cast in Deductive Verification ⋆ , 2007 .

[15]  Jochen Liedtke,et al.  On micro-kernel construction , 1995, SOSP.

[16]  Jonathan L. Shapiro Programming language challenges in systems codes: why systems programmers still use C, and what to do about it , 2006, PLOS '06.

[17]  Bjarne Stroustrup,et al.  The C++ programming language (2nd ed.) , 1991 .

[18]  Claude Marché,et al.  Multi-prover Verification of C Programs , 2004, ICFEM.

[19]  Harvey Tuch,et al.  Formal memory models for verifying C systems code , 2008 .

[20]  Daniel Kroening,et al.  Application Specific Higher Order Logic Theorem Proving , 2002 .

[21]  David Cock Bitfields and Tagged Unions in C: Verification through Automatic Generation , 2008, VERIFY.

[22]  Peter W. O'Hearn,et al.  BI as an assertion language for mutable data structures , 2001, POPL '01.

[23]  Peter W. O'Hearn,et al.  A Semantic Basis for Local Reasoning , 2002, FoSSaCS.

[24]  Stefan Kowalewski,et al.  Model checking C source code for embedded systems , 2009, International Journal on Software Tools for Technology Transfer.

[25]  Viorel Preoteasa,et al.  Mechanical Verification of Recursive Procedures Manipulating Pointers Using Separation Logic , 2006, FM.

[26]  Michael Norrish C formalised in HOL , 1998 .

[27]  Michael I. Schwartzbach,et al.  The pointer assertion logic engine , 2000, PLDI '01.

[28]  Thomas A. Henzinger,et al.  Software Verification with BLAST , 2003, SPIN.

[29]  Joseph M. Morris A General Axiom of Assignment , 1982 .

[30]  Norbert Schirmer,et al.  A Verification Environment for Sequential Imperative Programs in Isabelle/HOL , 2005, LPAR.

[31]  J. Liedtke On -Kernel Construction , 1995 .

[32]  Andrew W. Appel,et al.  Separation Logic for Small-Step cminor , 2007, TPHOLs.

[33]  Tobias Nipkow,et al.  Proving Pointer Programs in Higher-Order Logic , 2003, CADE.

[34]  Peter W. O'Hearn,et al.  A Decidable Fragment of Separation Logic , 2004, FSTTCS.

[35]  Hendrik Tews,et al.  Applying source-code verification to a microkernel: the VFiasco project , 2002, EW 10.

[36]  Tobias Nipkow,et al.  Term rewriting and beyond — theorem proving in Isabelle , 1989, Formal Aspects of Computing.

[37]  Markus Wenzel,et al.  Type Classes and Overloading in Higher-Order Logic , 1997, TPHOLs.

[38]  John C. Reynolds,et al.  Intuitionistic reasoning about shared mutable data structure , 1999 .

[39]  John C. Reynolds,et al.  Separation logic: a logic for shared mutable data structures , 2002, Proceedings 17th Annual IEEE Symposium on Logic in Computer Science.

[40]  George C. Necula,et al.  CIL: Intermediate Language and Tools for Analysis and Transformation of C Programs , 2002, CC.

[41]  Gerwin Klein,et al.  Verified Java Bytecode Verification , 2003, Ausgezeichnete Informatikdissertationen.

[42]  David von Oheimb Information Flow Control Revisited: Noninfluence = Noninterference + Nonleakage , 2004, ESORICS.

[43]  Richard Bornat,et al.  Proving Pointer Programs in Hoare Logic , 2000, MPC.

[44]  Reinhard Wilhelm,et al.  Parametric shape analysis via 3-valued logic , 1999, POPL '99.

[45]  Bjarne Stroustrup,et al.  C++ Programming Language , 1986, IEEE Softw..

[46]  Sriram K. Rajamani,et al.  Automatically validating temporal safety properties of interfaces , 2001, SPIN '01.

[47]  Tjark Weber Towards Mechanized Program Verification with Separation Logic , 2004, CSL.

[48]  Dennis Ritchie,et al.  The development of the C language , 1993, HOPL-II.