RV-Match: Practical Semantics-Based Program Analysis

Guth, Dwight; Hathhorn, Chris; Saxena, Manasvi; Roşu, Grigore

doi:10.1007/978-3-319-41528-4_24

Cited by 15 publications

(13 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…This takes 0.15s for 1000 iterations, 1.27s for 10 000, and 12.7s for 100 000, apparently scaling linearly. Guth et al [2016] report a compile-and-run time of 13s (on an 2.4 GHz Intel Xeon) for 10 000 iterations. int ret = 0; for (int i = 0; i <= [...]; i++) { ret++; } More importantly, the time needed to run most of the above test suites is quite reasonable: 22.5s to run our pointer provenance tests and many others (189 in total); 3 minutes to run the GCC Torture tests; and 25 minutes for those Csmith tests.…”

Section: Experimental Validationmentioning

confidence: 99%

“…We discuss much of this in detail in [Chisnall et al 2016, ğ10, p66ś83], and [Krebbers 2015, Ch.10] gives a useful survey. Work to formalise aspects of the standards includes Batty et al [2011]; Cook and Subramanian [1994]; Ellison and Roşu [2012]; Gurevich and Huggins [1993]; Guth et al [2016]; Hathhorn et al [2015]; Krebbers and Wiedijk [2012]; Krebbers [2013Krebbers [ , 2014Krebbers [ , 2015; Wiedijk [2013, 2015]; Norrish [1998Norrish [ , 1999; Papaspyrou [1998]. Memory object models include those for CompCert by Leroy et al [2012]; Leroy and Blazy [2008] and Besson et al [2014Besson et al [ , 2015, for CompCertTSO by Ševčík et al [2013], the model used for seL4 verification by Tuch et al [2007], and the model used for VCC by Cohen et al [2009].…”

Section: Related Workmentioning

confidence: 99%

“…The most closely related work to Cerberus as a whole is the KCC work of Ellison and Hathhorn, et al This has been developed into a commercial product, RV-Match [Guth et al 2016; Runtime Verification Inc. 2017], which claims to be a "complete formal ISO C11 semanticsž. RV-Match aims…”

Section: Related Workmentioning

confidence: 99%

“…Cerberus now also identifies many of the clauses of the ISO C standard text captured by its definitions of type-checking and elaboration, displaying these in the GUI. The project page includes data for various compilers and other tools for these tests: GCC 8.1, Clang 6.0, ICC 19, UBSAN, ASAN, MSAN, CompCert [Leroy 2009;Leroy et al 2018], RV-Match [Guth et al 2016], CH2O [Krebbers 2015], and CHERI Watson et al 2018Woodruff et al 2014]. We include extensive validation of the combination of Cerberus and our provenance semantics on various existing test suites (ğ9): the GCC torture tests [FSF 2018a], the ITC Toyota benchmark [Shiraishi et al 2015], the KCC example test suite [Hathhorn et al 2015;KCC 2018], and a family of Csmith tests [Regehr et al 2012].…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Exploring C semantics and pointer provenance

Memarian

Gomes

Davis

et al. 2019

Proc. ACM Program. Lang.

View full text Add to dashboard Cite

The semantics of pointers and memory objects in C has been a vexed question for many years. C values cannot be treated as either purely abstract or purely concrete entities: the language exposes their representations, but compiler optimisations rely on analyses that reason about provenance and initialisation status, not just runtime representations. The ISO WG14 standard leaves much of this unclear, and in some respects differs with de facto standard usage Ð which itself is difficult to investigate.In this paper we explore the possible source-language semantics for memory objects and pointers, in ISO C and in C as it is used and implemented in practice, focussing especially on pointer provenance. We aim to, as far as possible, reconcile the ISO C standard, mainstream compiler behaviour, and the semantics relied on by the corpus of existing C code. We present two coherent proposals, tracking provenance via integers and not; both address many design questions. We highlight some pros and cons and open questions, and illustrate the discussion with a library of test cases. We make our semantics executable as a test oracle, integrating it with the Cerberus semantics for much of the rest of C, which we have made substantially more complete and robust, and equipped with a web-interface GUI. This allows us to experimentally assess our proposals on those test cases. To assess their viability with respect to larger bodies of C code, we analyse the changes required and the resulting behaviour for a port of FreeBSD to CHERI, a research architecture supporting hardware capabilities, which (roughly speaking) traps on the memory safety violations which our proposals deem undefined behaviour. We also develop a new runtime instrumentation tool to detect possible provenance violations in normal C code, and apply it to some of the SPEC benchmarks. We compare our proposal with a source-language variant of the twin-allocation LLVM semantics proposal of Lee et al. Finally, we describe ongoing interactions with WG14, exploring how our proposals could be incorporated into the ISO standard.

show abstract

Section: Experimental Validationmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Exploring C semantics and pointer provenance

Memarian

Gomes

Davis

et al. 2019

Proc. ACM Program. Lang.

View full text Add to dashboard Cite

show abstract

“…We build here on Cerberus [28,29,31], a web-interface tool that computes the allowed behaviours (interactively or exhaustively) for moderate-sized tests in a substantial fragment of sequential C, incorporating various memory object models (an early version supported Nienhuis's operational model for C11 concurrency [33], but that is no longer integrated). KCC and RV-Match [19,21,22] provide a command-line semantics tool for a substantial fragment of C, again without concurrency. Krebbers gives a Coq semantics for a somewhat smaller fragment [24].…”

Section: The Thread-local Sequential Semanticsmentioning

confidence: 99%

Cerberus-BMC: A Principled Reference Semantics and Exploration Tool for Concurrent and Sequential C

Lau

Gomes

Memarian

et al. 2019

Computer Aided Verification

View full text Add to dashboard Cite

C remains central to our infrastructure, making verification of C code an essential and much-researched topic, but the semantics of C is remarkably complex, and important aspects of it are still unsettled, leaving programmers and verification tool builders on shaky ground. This paper describes a tool, Cerberus-BMC, that for the first time provides a principled reference semantics that simultaneously supports (1) a choice of concurrency memory model (including substantial fragments of the C11, RC11, and Linux kernel memory models), (2) a modern memory object model, and (3) a well-validated thread-local semantics for a large fragment of the language. The tool should be useful for C programmers, compiler writers, verification tool builders, and members of the C/C++ standards committees.

show abstract

A Language-Independent Program Verification Framework

Chen

Roşu

2018

Leveraging Applications of Formal Methods, Verification and Validation. Verification

View full text Add to dashboard Cite

RV-Match: Practical Semantics-Based Program Analysis

Cited by 15 publications

References 9 publications

Exploring C semantics and pointer provenance

Exploring C semantics and pointer provenance

Cerberus-BMC: A Principled Reference Semantics and Exploration Tool for Concurrent and Sequential C

A Language-Independent Program Verification Framework

Contact Info

Product

Resources

About