RefinedC: automating the foundational verification of C code with refined ownership types

Sammler, Michael; Lepigre, Rodolphe; Krebbers, Robbert; Memarian, Kayvan; Dreyer, Derek; Garg, Deepak

doi:10.1145/3453483.3454036

Cited by 50 publications

(29 citation statements)

References 100 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…(1) We first build a program logic that is sound under VIP and deploy it in RefinedC [Sammler et al 2021], a recently-developed verification framework for C that is both automated (via a refined ownership type system) and foundational (producing machine-checked proofs in Coq). RefinedC originally relied on an abstract, CompCert-like memory model, which did not support integer-pointer casts.…”

Section: Vip: a Practical Approach To Verifying C Programs Under Pnvi...mentioning

confidence: 99%

“…• A proof (ğ5) that VIP is a sound abstraction of PNVI-ae-udi (ğ4) [Gustedt et al 2020;Memarian et al 2019]: a realistic memory model that has been extensively validated as a potential update to the ISO C standard and against de facto practice [ Memarian et al 2016]. • An integration of our memory model into the RefinedC verification framework in Coq [Sammler et al 2021] to obtain the first (foundational and automated) program logic for C equipped to handle arbitrary pointer arithmetic via casts to integers and back (ğ6). • An evaluation of the verification capabilities of VIP through a variety of examples inspired or directly taken from real-world C code (ğ7.1), including a simple allocator from pKVM, a hypervisor being developed by Google [Deacon 2020; Edge 2020].…”

Section: Contributionsmentioning

confidence: 99%

“…Abstract model. Let us now consider the other side of the spectrum and see how this example is handled by abstract memory models like that of CompCert [Leroy and Blazy 2008;Leroy et al 2012] or the original version of RefinedC [Sammler et al 2021]. In such a model, pointers are represented as a pair of a block identifier (typically an integer), and an offset in the corresponding block.…”

Section: The Example Under Various Memory Modelsmentioning

confidence: 99%

“…We now explain how we can verify the pointer tagging library from Figure 1 using RefinedC-VIPÐ our new version of the RefinedC verification framework [Sammler et al 2021] built atop VIP. RefinedC-VIPÐlike the original RefinedCÐuses a type system featuring both ownership and refinement types to enable automated verification of C code.…”

Section: Verification Of a Pointer Tagging Librarymentioning

confidence: 99%

See 3 more Smart Citations

VIP: verifying real-world C idioms with integer-pointer casts

Lepigre

Sammler

Memarian

et al. 2022

Proc. ACM Program. Lang.

Self Cite

View full text Add to dashboard Cite

Systems code often requires fine-grained control over memory layout and pointers, expressed using low-level ( e.g. , bitwise) operations on pointer values. Since these operations go beyond what basic pointer arithmetic in C allows, they are performed with the help of integer-pointer casts . Prior work has explored increasingly realistic memory object models for C that account for the desired semantics of integer-pointer casts while also being sound w.r.t. compiler optimisations, culminating in PNVI, the preferred memory object model in ongoing discussions within the ISO WG14 C standards committee. However, its complexity makes it an unappealing target for verification, and no tools currently exist to verify C programs under PNVI. In this paper, we introduce VIP, a new memory object model aimed at supporting C verification. VIP sidesteps the complexities of PNVI with a simple but effective idea: a new construct that lets programmers express the intended provenances of integer-pointer casts explicitly. At the same time, we prove VIP compatible with PNVI, thus enabling verification on top of VIP to benefit from PNVI’s validation with respect to practice. In particular, we build a verification tool, RefinedC-VIP, for verifying programs under VIP semantics. As the name suggests, RefinedC-VIP extends the recently developed RefinedC tool, which is automated yet also produces foundational proofs in Coq. We evaluate RefinedC-VIP on a range of systems-code idioms, and validate VIP’s expressiveness via an implementation in the Cerberus C semantics.

show abstract

Section: Vip: a Practical Approach To Verifying C Programs Under Pnvi...mentioning

confidence: 99%

Section: Contributionsmentioning

confidence: 99%

Section: The Example Under Various Memory Modelsmentioning

confidence: 99%

Section: Verification Of a Pointer Tagging Librarymentioning

confidence: 99%

See 2 more Smart Citations

VIP: verifying real-world C idioms with integer-pointer casts

Lepigre

Sammler

Memarian

et al. 2022

Proc. ACM Program. Lang.

Self Cite

View full text Add to dashboard Cite

show abstract

“…Unlike our work, it achieves this reduction not by combining a type checker with a deductive verification system, but by providing a more powerful type system which combines refinement and ownership types. Sammler et al [2021] introduce RefinedC, another combination of refinement and ownership types. It is similar to our work in that the type refinements are translated into another language, in this case Coq [Bertot and Castéran 2004].…”

Section: Related Workmentioning

confidence: 99%

Scalability and precision by combining expressive type systems and deductive verification

Lanzinger¹,

Weigl²,

Ulbrich³

et al. 2021

Proc. ACM Program. Lang.

View full text Add to dashboard Cite

Type systems and modern type checkers can be used very successfully to obtain formal correctness guarantees with little specification overhead. However, type systems in practical scenarios have to trade precision for decidability and scalability. Tools for deductive verification, on the other hand, can prove general properties in more cases than a typical type checker can, but they do not scale well. We present a method to complement the scalability of expressive type systems with the precision of deductive program verification approaches. This is achieved by translating the type uses whose correctness the type checker cannot prove into assertions in a specification language, which can be dealt with by a deductive verification tool. Type uses whose correctness the type checker can prove are instead turned into assumptions to aid the verification tool in finding a proof.Our novel approach is introduced both conceptually for a simple imperative language, and practically by a concrete implementation for the Java programming language. The usefulness and power of our approach has been evaluated by discharging known false positives from a real-world program and by a small case study.

show abstract

Linearity and Uniqueness: An Entente Cordiale

Marshall

Vollmer

Orchard

2022

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Substructural type systems are growing in popularity because they allow for a resourceful interpretation of data which can be used to rule out various software bugs. Indeed, substructurality is finally taking hold in modern programming; Haskell now has linear types roughly based on Girard’s linear logic but integrated via graded function arrows, Clean has uniqueness types designed to ensure that values have at most a single reference to them, and Rust has an intricate ownership system for guaranteeing memory safety. But despite this broad range of resourceful type systems, there is comparatively little understanding of their relative strengths and weaknesses or whether their underlying frameworks can be unified. There is often confusion about whether linearity and uniqueness are essentially the same, or are instead ‘dual’ to one another, or somewhere in between. This paper formalises the relationship between these two well-studied but rarely contrasted ideas, building on two distinct bodies of literature, showing that it is possible and advantageous to have both linear and unique types in the same type system. We study the guarantees of the resulting system and provide a practical implementation in the graded modal setting of the Granule language, adding a third kind of modality alongside coeffect and effect modalities. We then demonstrate via a benchmark that our implementation benefits from expected efficiency gains enabled by adding uniqueness to a language that already has a linear basis.

show abstract

RefinedC: automating the foundational verification of C code with refined ownership types

Cited by 50 publications

References 100 publications

VIP: verifying real-world C idioms with integer-pointer casts

VIP: verifying real-world C idioms with integer-pointer casts

Scalability and precision by combining expressive type systems and deductive verification

Linearity and Uniqueness: An Entente Cordiale

Contact Info

Product

Resources

About