Semi-automated Reasoning About Non-determinism in C Expressions

Frumin, Dan; Gondelman, Léon; Krebbers, Robbert

doi:10.1007/978-3-030-17184-1_3

Cited by 6 publications

(3 citation statements)

References 50 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…They either fix an evaluation order and can (wrongly) prove a stronger result, i.e., that the result is always the nth Fibonacci number (Frama-C, RV-match), do not support specification of global invariants of ACSL (Frama-C) or do not support verification at all(Cerberus). We do not compare our approach explicitly with the theory presented by Frumin et al [17], which does treat underspecification correctly, but not for C and requires manual translation and manual specification of the translated program in the target formalism and an interactive proof.…”

Section: Case Studymentioning

confidence: 99%

“…Cerberus [4,33] is an analysis tool for undefined and underspecified behavior; however, it cannot utilize any specifications and its treatment of unspecified evaluation order of side effects does not match the C standard, as demonstrated in [37]. The separation logic system of Frumin et al [17], based on small-step semantics in Coq [30] correctly treats underspecification. They give a formal system to verify a program in their toy language λ MC and check effects of underspecified behavior with a modified separation logic.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

The Right Kind of Non-Determinism: Using Concurrency to Verify C Programs with Underspecified Semantics

Kamburjan

Wasser²

2022

Electron. Proc. Theor. Comput. Sci.

View full text Add to dashboard Cite

We present a novel and well automatable approach to formal verification of C programs with underspecified semantics, i.e., a language semantics that leaves open the order of certain evaluations. First, we reduce this problem to non-determinism of concurrent systems, automatically extracting a distributed Active Object model from underspecified, sequential C code. This translation process provides a fully formal semantics for the considered C subset. In the extracted model every non-deterministic choice corresponds to one possible evaluation order. This step also automatically translates specifications in the ANSI/ISO C Specification Language (ACSL) into method contracts and object invariants for Active Objects. We then perform verification on the specified Active Objects model, using the Crowbar theorem prover, which verifies the extracted model with respect to the translated specification and ensures the original property of the C code for all possible evaluation orders. By using model extraction, we can use standard tools, without designing a new complex program logic to deal with underspecification. The case study used is highly underspecified and cannot be handled correctly by existing tools for C.

show abstract

Section: Case Studymentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

The Right Kind of Non-Determinism: Using Concurrency to Verify C Programs with Underspecified Semantics

Kamburjan

Wasser²

2022

Electron. Proc. Theor. Comput. Sci.

View full text Add to dashboard Cite

show abstract

“…Cerberus [4,35] is an analysis tool for undefined and underspecified behavior; however, it cannot utilize any specifications and its treatment of unspecified evaluation order of side effects does not match the C standard, as demonstrated in [39]. The separation logic system of Frumin et al [20], based on small-step semantics in Coq [33] correctly treats underspecification. They give a formal system to verify a program in their toy language λMC and check effects of underspecified behavior with a modified separation logic.…”

Section: Introductionmentioning

confidence: 99%

Deductive Verification of Programs with Underspecified Semantics by Model Extraction

Kamburjan¹,

Wasser²

2021

Preprint

View full text Add to dashboard Cite

We present a novel and well automatable approach to formal verification of programs with underspecified semantics, i.e., a language semantics that leaves open the order of certain evaluations. First, we reduce this problem to non-determinism of distributed systems, automatically extracting a distributed Active Object model from underspecified, sequential C code. This translation process provides a fully formal semantics for the considered C subset. In the extracted model every nondeterministic choice corresponds to one possible evaluation order. This step also automatically translates specifications in the ANSI/ISO C Specification Language (ACSL) into method contracts and object invariants for Active Objects. We then perform verification on the specified Active Objects model. For this we have implemented a theorem prover Crowbar based on the Behavioral Program Logic (BPL), which verifies the extracted model with respect to the translated specification and ensures the original property of the C code for all possible evaluation orders. By using model extraction, we can use standard tools, without designing a new complex program logic to deal with underspecification. The case study used is highly underspecified and cannot be verified with existing tools for C.

show abstract

Semi-automated Reasoning About Non-determinism in C Expressions

Frumin

Gondelman

Krebbers

2019

Programming Languages and Systems

Self Cite

View full text Add to dashboard Cite

Research into C verification often ignores that the C standard leaves the evaluation order of expressions unspecified, and assigns undefined behavior to write-write or read-write conflicts in subexpressionsso called "sequence point violations". These aspects should be accounted for in verification because C compilers exploit them.We present a verification condition generator (vcgen) that enables one to semi-automatically prove the absence of undefined behavior in a given C program for any evaluation order. The key novelty of our approach is a symbolic execution algorithm that computes a frame at the same time as a postcondition. The frame is used to automatically determine how resources should be distributed among subexpressions.We prove correctness of our vcgen with respect to a new monadic definitional semantics of a subset of C. This semantics is modular and gives a concise account of non-determinism in C.We have implemented our vcgen as a tactic in the Coq interactive theorem prover, and have proved correctness of it using a separation logic for the new monadic definitional semantics of a subset of C.

show abstract

Semi-automated Reasoning About Non-determinism in C Expressions

Cited by 6 publications

References 50 publications

The Right Kind of Non-Determinism: Using Concurrency to Verify C Programs with Underspecified Semantics

The Right Kind of Non-Determinism: Using Concurrency to Verify C Programs with Underspecified Semantics

Deductive Verification of Programs with Underspecified Semantics by Model Extraction

Semi-automated Reasoning About Non-determinism in C Expressions

Contact Info

Product

Resources

About