Wang Ji-min,Ping Ling-di,Pan Xue-zeng,Shen Hai-bin,Yan Xiao-lang

DOI: https://doi.org/10.1007/bf02842479

2005-01-01

Journal of Zhejiang University SCIENCE A

Abstract:The C programming language is expressive and flexible, but not safe; as its expressive power and flexibility are obtained through unsafe language features, and improper use of these features can lead to program bugs whose causes are hard to identify. Since C is widely used, and it is impractical to rewrite all existing C programs in safe languages, so ways must be found to make C programs safe. This paper deals with the unsafe features of C and presents a survey on existing solutions to make C programs safe. We have studied binary-level instrumentation tools, source checkers, source-level instrumentation tools and safe dialects of C, and present a comparison of different solutions, summarized the strengths and weaknesses of different classes of solutions, and show measures that could possibly improve the accuracy or alleviate the overhead of existing solutions.

Junyan Qian,Baowen Xu

DOI: https://doi.org/10.15388/informatica.2007.178

2007-01-01

Informatica

Abstract:Iterative abstraction refinement has emerged in the last few years as the leading approach to software model checking. We present an approach for automatically verifying C programs against safety specifications based on finite state machine. The approach eliminates unneeded variables using program slicing technique, and then automatically extracts an initial abstract model from C source code using predicate abstraction and theorem proving. In order to reduce time complexities, we partition the set of candidate predicates into subsets, and construct abstract model independently. On the basis of a counterexample-guided abstraction refinement scheme, the abstraction refines incrementally until the specification is either satisfied or refuted. Our methods can be extended to verifying concurrency C programs by parallel composition.

Zhang Cheng,Jiyang Wu,Di Wang,Qinxiang Cao

2024-05-16

Abstract:A desired but challenging property of compiler verification is compositionality in the sense that the compilation correctness of a program can be deduced from that of its substructures ranging from statements, functions, and modules incrementally. Previously proposed approaches have devoted extensive effort to module-level compositionality based on small-step semantics and simulation theories. This paper proposes a novel compiler verification framework based on denotational semantics for better compositionality. Specifically, our denotational semantics is defined by semantic functions that map a syntactic component to a semantic domain composed of multiple behavioral \emph{sets}, and compiler correctness is defined by the behavioral refinement between semantic domains of the source and the target programs. Therefore, when proving compiler correctness, we can extensively leverage the algebraic properties of sets. Another important contribution is that our formalization of denotational semantics captures the full meaning of a program and bridges the gap between those based on conventional powerdomains and what realistic compiler verification actually needs. We demonstrate our denotation-based framework viable and practical by applying it to the verification of the front-end of CompCert and showing that the compositionality from the compilation correctness of sub-statements to statements, from functions to modules, and from modules to the whole program (i.e., module-level compositionality) can be achieved similarly.

Programming Languages

CHEN Feng,LI Weihua,CHEN Hao,L(U) Zheng

2011-01-01

Abstract:In order to improve the analysis and design of software safety,on the basis of current researches on safety model and verification technology,a modeling and checking method is proposed for object-oriented software safety.Establishing non-formal UML models of software safety,safety extended deterministic finite automata and linear temporal logic are used to create the formal models and describe the safety properties separately.Through a model checker,we get the verification result.This approach realizes the combination of software safety model and verification technology.Experimental results show that the method can analyze and verify the safety properties effectively in the early stage of software design.

Ling Zhang,Yuting Wang,Jinhua Wu,Jérémie Koenig,Zhong Shao

DOI: https://doi.org/10.1145/3632914

2023-11-18

Abstract:Verified compilation of open modules (i.e., modules whose functionality depends on other modules) provides a foundation for end-to-end verification of modular programs ubiquitous in contemporary software. However, despite intensive investigation in this topic for decades, the proposed approaches are still difficult to use in practice as they rely on assumptions about the internal working of compilers which make it difficult for external users to apply the verification results. We propose an approach to verified compositional compilation without such assumptions in the setting of verifying compilation of heterogeneous modules written in first-order languages supporting global memory and pointers. Our approach is based on the memory model of CompCert and a new discovery that a Kripke relation with a notion of memory protection can serve as a uniform and composable semantic interface for the compiler passes. By absorbing the rely-guarantee conditions on memory evolution for all compiler passes into this Kripke Memory Relation and by piggybacking requirements on compiler optimizations onto it, we get compositional correctness theorems for realistic optimizing compilers as refinements that directly relate native semantics of open modules and that are ignorant of intermediate compilation processes. Such direct refinements support all the compositionality and adequacy properties essential for verified compilation of open modules. We have applied this approach to the full compilation chain of CompCert with its Clight source language and demonstrated that our compiler correctness theorem is open to composition and intuitive to use with reduced verification complexity through end-to-end verification of non-trivial heterogeneous modules that may freely invoke each other (e.g., mutually recursively).

Programming Languages

Si-min YANG,Zhao-peng LI,Zhong ZHUANG,Zhen-ting ZHANG

2011-01-01

Abstract:Recently,as an important way to build high-confidence software,certifying compiler is becoming the research focus of the compiler and formal verification.In its theoretical framework,the compiler proves the verification conditions and generates the machine-checkable proof automatically with automated theorem prover,so a good automated theorem prover is essential for certifying compiler.This paper describes a linear arithmetic prover based on the Simplex algorithm,and proposes an innovative method of proof generation,which is applied to our automated theorem prover to build the Coq-checkable proof.

Wenjing Xu,Dianfu Ma

DOI: https://doi.org/10.3390/electronics10161934

IF: 2.9

2021-01-01

Electronics

Abstract:As the scale and complexity of safety-critical software continue to grow, it is necessary to ensure safety and reliability to avoid minor errors leading to catastrophic disasters. Meantime, the traditional method, such as testing and simulation alone is insufficient to ensure the correctness of systems. This leads to using formal methods to provide sufficient evidence for systems. However, design a high assurance safety-critical system by formal methods is challenging due to the complexity of operating systems. In addition, the traditional interactive theorem prover used in system verification requires hand-written proofs, which are more expensive. Therefore, the efforts of providing a standardized formal framework as well as safety proofs, are notable for the develop a safety-critical system. The purpose of this paper is to provide a safety framework to establish a highly reliable and safety-critical operating system based on the ARINC653 standard, a multilevel and standardized formal model. To verify the functional correctness of this model, we propose a context-based formal proof method for programs. To achieve this goal, we first model 57 core services of ARINC653 and define the high-level requirements as pre-and post-conditions. Then, we construct a set of specification statements a formal axiom system transformed into logical sentences, and the core service model is transformed into a logical sentence sequence to be proved. Finally, a context-based formal proof system for specification correctness is developed. We have verified the correctness of safety-critical operating system core services with this system. Experience shows that the verification system we developed can be achieved the functional correctness of a complete OS with a low implement burden, and that can simplify the difficulty of automated verification and increase the degree of automation of proof.

Zhang Yuzhuo,Hong Chunhua,Cao Yuan,Ma Lianchuan,Wen Yinghong

DOI: https://doi.org/10.1049/cje.2018.02.016

IF: 1.019

2018-01-01

Chinese Journal of Electronics

Abstract:The extensive application of Commercial off-the-shelf (COTS) components into safety computers in train control systems has caused safety problems. Aiming at the parallel programs, a concurrent program safety management mechanism based on transactional memory is proposed. The proposed mechanism implements concurrent behaviors of the application in the safe policy. A verification framework based on invariant proof and parallel separation logic theory is designed and operating system operation semantics are given for mathematical reasoning and proving. An example of code execution process is demonstrated to explain the safety control process of concurrent safety mechanism. The results indicate that the program can meet the safety and reliability requirements of concurrent safety computer platforms.

Zhaopeng Li,Zhong Zhuang,Yiyun Chen,Simin Yang,Zhenting Zhang,Dawei Fan

DOI: https://doi.org/10.1109/tase.2010.8

2010-01-01

Abstract:Proof-carrying code (PCC) is a technique that allows code consumers to check whether the code is safe to execute or not through a formal safety proof provided by the code producer. And a certifying compiler makes PCC practical by compiling annotated source code into low-level code and proofs. In this paper we present a certifying compiler for a subset of the C programming language, named Clike, with built-in automated theorem provers. Clike programs can be compiled by ANSI C compiler without any modification. Our compiler is intended to deal with data structures such as singly-linked lists, doubly-linked lists and trees. At the source level, we have designed a program logic combining a constrained first-order logic and a fragment of separation logic. We use a verification-condition-based method, and the generated verification conditions are sent to the built-in automated theorem prover. Our prover will generate proof terms when the input formula is valid. The low-level verification framework follows Hoare-style verification methods. The assembly code, its specification and proofs are generated automatically based on a variant of Stack-based Certifying Assembly Programming (SCAP). We implement our certifying compiler prototype in SML/NJ and build our prover libraries using the meta logic provided by Coq. We have used our prototype to successfully certify a considerable number of programs manipulating linked-lists and binary trees.

Yiyun Chen,Lin Ge,Baojian Hua,Zhaopeng Li,Cheng Liu

DOI: https://doi.org/10.1109/TASE.2007.19

2007-01-01

Abstract:Symmetry reduction is a technique that can help alleviate the problem of state space explosion in model checking. The idea is to verify only a subset of states from each class (orbit) of symmetric states. This paper presents a framework for symmetry ...

Junyan Qian,Baowen Xu

2007-01-01

Abstract:we present a methodology for automatically verifying programs against safety specifications based on finite state machine. Firstly, computing the abstract transition between abstract states is done by calling a theorem prover, and then an initial abstract model automatically is extracted from concrete program using predicate abstraction. However, the process of abstraction can be exponential in the number of predicates used. Program slicing, predicate inference and partitioning the set of candidate predicates into subsets make abstract model construction effective. By counterexample-guided abstraction refinement scheme, the abstraction refines incrementally until the specification is either satisfied or refuted. Finally, our methods can be extended to verifying concurrency programs by parallel composition.

David Monniaux

2024-07-11

Abstract:Formally verified compilers and formally verified static analyzers are a solution to the problem that certain industries face when they have to demonstrate to authorities that the object code they run truly corresponds to its source code and that it satisfies certain properties. From a scientific and technological point of view, they are a challenge: not only a number of nontrivial invariants and algorithms must be proved to be correct, but also the implementation must be reasonably effective so that the tools operate within reasonable time. Many optimizations in compilers rely on static analysis, and thus a formally verified compiler entails formally verified static <a class="link-external link-http" href="http://analyses.In" rel="external noopener nofollow">this http URL</a> this article, we explain some difficulties, possible solutions, design choices and trade-offs pertaining to verified static analysis, in particular when the solution of the analysis is expressed as some form of tree, map or set.

Logic in Computer Science,Programming Languages

Christine Rizkallah,Japheth Lim,Yutaka Nagashima,Thomas Sewell,Zilin Chen,Liam O'Connor,Toby C. Murray,Gabriele Keller,Gerwin Klein

DOI: https://doi.org/10.1007/978-3-319-43144-4_20

2016-01-01

Abstract:Our language Cogent simplifies verification of systems software using a certifying compiler, which produces a proof that the generated C code is a refinement of the original Cogent program. Despite the fact that Cogent itself contains a number of refinement layers, the semantic gap between even the lowest level of Cogent semantics and the generated C code remains large.In this paper we close this gap with an automated refinement framework which validates the compiler's code generation phase. This framework makes use of existing C verification tools and introduces a new technique to relate the type systems of Cogent and C.

Xi Wang,Lei Ma,Tao Tang

DOI: https://doi.org/10.1177/1687814016649115

2016-01-01

Abstract:With the development of automatic control and communication technology, communication-based train control system is adopted by more and more urban mass transit system to automatically supervise the train speed to follow a desired trajectory. Taking reliability, availability, maintainability, and safety into consideration, 2 × 2-out-of-2 safety computer platform is usually utilized as the hardware platform of safety-critical subsystem in communication-based train control. To enhance the safety integrity level of safety computer platform, safety-related logics have to be verified before integrating them into practical systems. Therefore, a significant problem of developing safety computer platform is how to guarantee that system behaviors will satisfy the function requirements as well as responding to external events and processes within the limit of right time. Based on the qualitative and quantitative analysis of function and timing characteristics, this article introduces a formal modeling and verification approach for this real-time system. In the proposed method, timed automata network model for 2 × 2-out-of-2 safety computer platform is built, and system requirements are specified and formalized as computation tree logic properties which can be verified by UPPAAL model checker.

Dexi Wang,Chao Zhang,Guang Chen,Ming Gu,Jiaguang Sun

2016-01-01

Abstract:The C programming language is widely used in safety-critical software systems. With its large appliance and increasing complexity, the need of ensuring the correctness of C codes emerged. This paper presents Ceagle , a fully automated program verifier for finding assertion violations in C programs. It is decent in both accuracy and efficiency by using a semantically equivalent program model language that is specifically designed for C program, together with various optimizations that make the satisfiability checking faster and memoryfriendly. More specifically, Ceagle uses LLVM clang as front-end parser, an extended labeled transition system as program model, and Z3 SMT solver as the back-end satisfiability checker. Ceagle is designed to be fully automatic and requires no user interaction as long as the assertions are provided. For evaluation, we compare Ceagle with existing C program verifiers based on open benchmarks. Ceagle outperforms others in terms of accuracy, and time and memory consumption.

Xinyu Feng,Zhong Shao,Yu Guo,Yuan Dong

DOI: https://doi.org/10.1007/978-3-540-87873-5_8

2008-01-01

Abstract:A major challenge for verifying completesoftware systems is their complexity. A complete software system consists of program modules that use many language features and span different abstraction levels (e.g. user code and run-time system code). It is extremely difficult to use one verification system (e.g. type system or Hoare-style program logic) to support all these features and abstraction levels. In our previous work, we have developed a new methodology to solve this problem. We apply specialized "domain-specific" verification systems to verify individual program modules and then link the modules in a foundational open logical framework to compose the verified complete software package. In this paper, we show how this new methodology is applied to verify a software package containing implementations of preemptive threads and a set of synchronization primitives. Our experience shows that domain-specific verification systems can greatly simplify the verification process of low-level software, and new techniques for combining domain-specific and foundational logics are critical for the successful verification of complete software systems.

LUO Xiao-Guang,WANG Sheng-Yuan,DONG Yuan,ZHANG Su-Qin

DOI: https://doi.org/10.3969/j.issn.1002-137X.2007.02.070

2007-01-01

Computer Science

Abstract:Using certifying compiler for the the safety solution of mobile codes is a new approache in the literature,featured with that a large percentage of the load for checking the safty policy can be transfered from a code consumer to a code producer so that the much run-time load at the code consumer can be reduced.Besides,it is more trustworthy and can support the verification of anonymous codes because the code itself instead of the authority of a code producer is verified.An analysis for such a reasearch is presented in the paper.It can be seen that supporting a higher level safety policy would be one of the potential focused directions in this area to get more widely applications.Our preliminary work on this direction is introduced briefly between the lines,in order to share it with other researchers.

YIN Wei,WANG Hui,SUN Haiying,DING Guohuan,KANG Jiexiang,LIU Jing

DOI: https://doi.org/10.16615/j.cnki.1674-8190.2023.04.19

2023-01-01

Abstract:The high integration of the civil aircraft avionics systems will lead to an exponential rise in the size of airborne safety-critical software, and cause the numerous and inconsistent sources of its requirements, the transfer of requirements at each level of the avionics system software has duality and other problems. Therefore, how to ensure the consistency of the avionics software has become one of the core issues to be solved during the development of the system. On the basis of the syntax of Safety_SysML state machine, the Safety_SysML consistency verifier is designed, including static data detection and dynamic data detection. The test cases are designed for unit and integration test of the core algorithm and system. Based on the error inference and boundaries, the functional tests are designed and executed to find the defects in the verifier. The results show that the Safety_SysML consistency verifier can effectively identify the problem of duality in avionics system software, and is of significant importance for improving the reliability of the avionics software.

Mike Dodds,Mark Batty,Alexey Gotsman

2018-02-16

Abstract:A valid compiler optimisation transforms a block in a program without introducing new observable behaviours to the program as a whole. Deciding which optimisations are valid can be difficult, and depends closely on the semantic model of the programming language. Axiomatic relaxed models, such as C++11, present particular challenges for determining validity, because such models allow subtle effects of a block transformation to be observed by the rest of the program. In this paper we present a denotational theory that captures optimisation validity on an axiomatic model corresponding to a fragment of C++11. Our theory allows verifying an optimisation compositionally, by considering only the block it transforms instead of the whole program. Using this property, we realise the theory in the first push-button tool that can verify real-world optimisations under an axiomatic memory model.

Programming Languages

Ning Ge,Eric Jenn,Nicolas Breton,Yoann Fonteneau

DOI: https://doi.org/10.1007/s10009-017-0475-0

2017-01-01

International Journal on Software Tools for Technology Transfer

Abstract:This work presents a formal verification process based on the Systerel Smart Solver (S3) toolset for the development of safety-critical embedded software. In order to guarantee the correctness of the implementation of a set of textual requirements, the process integrates different verification techniques (inductive proof, bounded model checking, test cases generation, and equivalence proof) to handle different types of properties at their best capacities. It is aimed at the verification of properties at system, design, and code levels. To handle the floating-point arithmetic (FPA) in both the design and the code, an FPA library is designed and implemented in S3. This work is illustrated on an Automatic Rover Protection system implemented onboard a robot. Focus is placed on the verification of safety and functional properties and on the equivalence proof between the design model and the generated code.