Verified Software Units

Abstract: Modularity - the partitioning of software into units of functionality that interact with each other via interfaces - has been the mainstay of software development for half a century. In case of the C language, the main mechanism for modularity is the compilation unit / header file abstraction. This paper complements programmatic modularity for C with modularity idioms for specification and verification in the context of Verifiable C, an expressive separation logic for CompCert . Technical innovations include (… Show more

“…Consider sets of positive numbers. The usual representation of sets as lists is neither canonical nor extensional: the set {1, 2} has several representations, [1,2] or [2,1] or [1,1,2,1,2]. We can recover extensionality by using a subset type { l : list positive | sorted l }, where the sorted predicate ensures that the list is increasing and without repetitions.…”

“…However, a canonical representation exists, as the list of (positive) differences from one set element to the next greater element. For instance, the set {1, 4, 9, 11} is uniquely represented by the list [1, 4 − 1, 9 − 4, 11 − 9], that is, [1,3,5,2]. This encoding is not only canonical, but also slighty more memory efficient than the usual sorted list representation, as the numbers stored in the list of differences are smaller than those stored in the sorted list.…”

“…But this is not suitable for purely functional implementations, since the update operation is destructive. 2 Therefore one turns naturally to trees-for example, binary search trees. The lookup operator in a balanced BST takes log N comparisons, and achieves asymptotic complexity of log N per operation only if comparison takes constant time.…”

“…But the Z type is of no further concern in this paper; we will use positive as the type of keys for lookup tables. 2 Persistent arrays give a functional semantics layered on an imperative (destructive-update) implementation, but these are not suitable because they would require extending the logic's kernel of axioms. 3 In fact, no programming language has a primitive integer type with constant-time comparisons; they typically have a range-limited integer type −2 k ≤ i < 2 k or a modular integer type (i mod 2 k ).…”

“…A recent addition to VST is Verified Software Units [2], a system for modular verification of modular C programs. The VSU system represents each software unit as a set of finite maps: function names to bodies, function names to specs, global variable names to types, global variable names to initializers, and so on.…”

Efficient Extensional Binary Tries

“…Consider sets of positive numbers. The usual representation of sets as lists is neither canonical nor extensional: the set {1, 2} has several representations, [1,2] or [2,1] or [1,1,2,1,2]. We can recover extensionality by using a subset type { l : list positive | sorted l }, where the sorted predicate ensures that the list is increasing and without repetitions.…”

“…However, a canonical representation exists, as the list of (positive) differences from one set element to the next greater element. For instance, the set {1, 4, 9, 11} is uniquely represented by the list [1, 4 − 1, 9 − 4, 11 − 9], that is, [1,3,5,2]. This encoding is not only canonical, but also slighty more memory efficient than the usual sorted list representation, as the numbers stored in the list of differences are smaller than those stored in the sorted list.…”

“…But this is not suitable for purely functional implementations, since the update operation is destructive. 2 Therefore one turns naturally to trees-for example, binary search trees. The lookup operator in a balanced BST takes log N comparisons, and achieves asymptotic complexity of log N per operation only if comparison takes constant time.…”

“…But the Z type is of no further concern in this paper; we will use positive as the type of keys for lookup tables. 2 Persistent arrays give a functional semantics layered on an imperative (destructive-update) implementation, but these are not suitable because they would require extending the logic's kernel of axioms. 3 In fact, no programming language has a primitive integer type with constant-time comparisons; they typically have a range-limited integer type −2 k ≤ i < 2 k or a modular integer type (i mod 2 k ).…”

“…A recent addition to VST is Verified Software Units [2], a system for modular verification of modular C programs. The VSU system represents each software unit as a set of finite maps: function names to bodies, function names to specs, global variable names to types, global variable names to initializers, and so on.…”

Efficient Extensional Binary Tries

Verified Software Units for Simple DFA Modules and Objects in C

Efficient Extensional Binary Tries