• ERTOS Home
•  
• News
• Events
• Jobs
• Research
• People
• Publications
  • ERTOS Publication
  • Non-NICTA Publications
  • Selected undergraduate student theses
• Software
• Hardware
• Education
• Collaboration and Commercialisation
• Contact
• Search

Formal verification of C systems code: Structured types, separation logic and theorem proving

Authors

Harvey Tuch

School of Computer Science and Engineering
University of NSW
Sydney 2052
Australia

NICTA
Sydney
Australia

now at VMWare

Abstract

Systems code is almost universally written in the C programming language or a variant. C has a very low level of type and memory abstraction and formal reasoning about C systems code requires a memory model that is able to capture the semantics of C pointers and types. At the same time, proof-based verification demands abstraction, in particular from the aliasing and frame problems.

In this paper we present a study in the mechanisation of two proof abstractions for pointer program verification in the Isabelle/HOL theorem prover, based on a low-level memory model for C. The language's type system presents challenges for the multiple independent typed heaps (Burstall-Bornat) and separation logic proof techniques. In addition to issues arising from explicit value size/alignment, padding, type-unsafe casts and pointer address arithmetic, structured types such as C's arrays and structs are problematic due to the non-monotonic nature of pointer and lvalue validity in the presence of the unary &-operator. For example, type-safe updates through pointers to fields of a struct break the independence of updates across typed heaps or separating-and-conjuncts. We provide models and rules that are able to cope with these language features and types, eschewing common over-simplifications and utilising expressive shallow embeddings in higher-order logic. Two case studies are provided that demonstrate the applicability of the mechanised models to real-world systems code; a working of the standard in-place list reversal example and an overview of the verification of the L4 microkernel's memory allocator.

BibTeX Entry

  @article{Tuch_09,
    publisher        = {Springer},
    author           = {Harvey Tuch},
    journal          = {Journal of Automated Reasoning: Special Issue on Operating System Verification},
    title            = {Formal verification of {C} systems code: Structured types, separation logic and theorem proving},
    number           = {2--4},
    month            = {Apr},
    volume           = {42},
    editor           = {Gerwin Klein and Ralf Huuck and Bastian Schlich},
    year             = {2009},
    pages            = {125--187}
  }

Download Paper

• Tuch_09.pdf