Volume 5: Verifiable C
Table of Contents
Index
Preface
Welcome
Practicalities
System Requirements
Downloading the Coq Files
Installation
Exercises
Recommended Citation Format
For Instructors and Contributors
Thanks
Check that we have the right version of VST
Introduction to Verifiable C (
Verif_sumarray
)
Verified Software Toolchain
How to use this textbook
A C program to add up an array
Workflow
Let's verify!
API spec for the sumarray.c program
Packaging the Gprog and Vprog
Proof of the sumarray program
Global variables and main()
Tying all the functions together
Additional recommended reading
Linked lists in Verifiable C (
Verif_reverse
)
Running Example
Inductive definition of linked lists
Hint databases for spatial operators
Specification of the
reverse
function.
Proof of the
reverse
function
The loop invariant
Why separation logic?
Stack ADT implemented by linked lists (
Verif_stack
)
Let's verify!
Malloc and free
Specification of linked lists
Specification of stack data structure
Function specifications for the stack operations
Proofs of the function bodies
A client of the stack functions (
Verif_triang
)
Proofs with integers
Specification of the stack-client functions
Proofs of the stack-client function-bodies
List segments (
Verif_append1
)
Specification of the
append
function.
List segments.
Proof of the
append
function
Additional exercises: more proofs about list segments
Additional exercises: loop-free list segments
Magic wand, partial data structure (
Verif_append2
)
Separating Implication
List segments by magic wand
Proof of the
append
function by
wlseg
The general idea: magic wand as frame
Case study: list segments for linked list box
Comparison and connection:
lseg
vs.
wlseg
String functions (
Verif_strlib
)
Standard boilerplate
Representation of null-terminated strings.
Reasoning about the contents of C strings
Function specs
A digression about size_t
Proof of the
strlen
function
Proof of the
strcpy
function
data_at is not injective!
Functional model of hash tables (
Hashfun
)
A functional model
Functional model satisfies the high-level specification
Correctness proof of hash.c (
Verif_hash
)
Function specifications
Proofs of the functions
hash
,
copy_string
,
new_cell
Proof of the
new_table
function
Auxiliary lemmas about data-structure predicates
Proof of the
get
function
Proof of the
incr_list
function
field_compatible
Where does field_compatible come from?
Proof of the
incr
function
Introduction to Verified Software Units (
VSU_intro
)
Looking back: single-module programs
Next: modular verification of modular programs
A Stack/Triang program to verify
Let's verify!
Warning
Next Chapter:
Spec_stack
VSU specification of the Stack module (
Spec_stack
)
Let's verify!
Abstract Predicate Declaration (APD)
Abstract Specification Interface (ASI)
Next Chapter:
Spec_triang
VSU specification of the Triang module (
Spec_triang
)
Let's verify!
Abstract Predicate Declaration (APD)
Abstract Specification Interface (ASI)
Next Chapter:
Spec_stdlib
Specification of external malloc, free, exit functions (
Spec_stdlib
)
Abstract Predicate Definition
Abstract Specification Interface
Type-based specification of malloc and free
How to use the type-based
malloc_spec
Next Chapter:
VSU_stack
VSU verification of the Stack module (
VSU_stack
)
stack2.c
Building the VSU
First, instantiate the APD
Internal functions
Constructing Vprog and Gprog
Proofs of the function bodies
Construction of the VSU
Next Chapter:
VSU_triang
VSU verification of the Triang module (
VSU_triang
)
Imports
Parameters for the VSU
Next Chapter:
VSU_stdlib
Axiomatization of malloc/free/exit (
VSU_stdlib
)
Internal functions
Definining the pieces of a VSU
Constructing the Component and the VSU
Next Chapter:
VSU_main
linking all the VSUs together with main VSU (
VSU_main
)
The VSU for main
Funspec for main function
Proof of body_main
The Main Component, the Whole Component
Soundness!
Next Chapter:
VSU_stdlib2
Malloc/free/exit programmed in C (
VSU_stdlib2
)
The C program
The normal boilerplate
malloc_token
Defining the mem_mgr APD
Constructing Vprog and Gprog
Initializers for global data
Defining the pieces of a VSU
Constructing the Component and the VSU
Next Chapter:
VSU_main2
linking with stdlib2 instead of with stdlib (
VSU_main2
)
The VSU for main
An alternate way to adjust the Exports of a VSU
End of digression about restrictExports
Postcript and bibliography (
Postscript
)
Small examples
Modules
Input/output
Looking around
Static analyzers
Functional correctness verifiers -- functional languages
Functional correctness verifiers -- imperative languages
Functional correctness verifiers -- C
Foundational soundness
Conclusion
Bibliography (
Bib
)
Resources cited in this volume