A CIL Tutorial - Department of Computer Science - ETH Zürich
Share Embed Flag
Download ePaper

A CIL Tutorial - Department of Computer Science - ETH Zürich

A CIL Tutorial - Department of Computer Science - ETH Zürich A CIL Tutorial - Department of Computer Science - ETH Zürich

inf.ethz.ch
29.01.2014 Views

CHAPTER 11. PROGRAM VERIFICATION 98 (∗ The other cases are unimplemented ∗) | → Em.s(Em.error "No support for try-finally, or try-except") For the C if statement, the function term of if we creates a Why3 if-then-else term. We convert the condition of the if statement (e) to a term. The expression translation code gives an integer term, which we convert to a boolean term using bterm of iterm. Next, we obtain the VC continuations for the true and false blocks, and nally construct the VC continuation for the if term. and term of if (wc : wctxt) (e : exp) (tb : block) (fb : block) : T.term → T.term = let te = e | > term of exp wc | > bterm of iterm in let tbf = term of block wc tb in let fbf = term of block wc fb in (fun t → T.t if te (tbf t) (fbf t)) For a loop statement, we use the following translation: V C(loop(inv, c, b), t) = inv ∧ ∀ x1 ,...,x n (inv ⇒ (c ⇒ V C(b, inv)) ∧ (¬c ⇒ t)) Where inv is the loop invariant, c is the termination condition, b is the body of the loop, t is the postcondition for the loop, and x 1 , . . . , x n are the loop variants. Furthermore, V C(b, inv) is the verication condition of the loop invariant with respect to the body. This asserts, essentially, that the invariant is true before the rst iteration, that each nonterminal iteration maintains the invariant, and that when the loop exits, the postcondition is true. CIL transforms all loops into the form: while(1) { if(!cond) break; { ... } } where the innermost block statement is the original loop body. In the syntax extensions to C used for this tutorial, the loop invariant goes on this loop body block. Therefore, we must take apart the loop a bit to reach the invariant. Then, we must generate the continuation calculating the VC for the loop body, excluding the break statement (since we can't handle it correctly). Finally, we generate the continuation for the VC for the loop statement, which employs the loop invariant, and quanties over the loop variant variables, including the memory. The function term of loop performs the above translation.

CHAPTER 11. PROGRAM VERIFICATION 99 and term of loop (wc : wctxt) (b : block) : T.term → T.term = let test, body = L.hd b.bstmts, L.tl b.bstmts in let body block = body | > L.hd | > force block in let bf = term of block wc (mkBlock (body block.bstmts @ (L.tl body))) in let ct, li, lvl = inv of attrs wc body block.battrs in let lvl' = wc.memory :: lvl in (fun t → t |> T.t if ct (bf li) (∗ if c then V C(b, inv) else t ∗) |> T.t implies li (∗ inv => previous line ∗) |> T.t forall close lvl' [ ] (∗ ∀ x1,...,x n (previous line) ∗) |> T.t and li) (∗ inv ∧ previous line ∗) The function term of block folds over the statements of a block, processing the last statement rst, to generate a continuation for the VC. and term of block (wc : wctxt) (b : block) : T.term → T.term = L.fold right (term of stmt wc) b.bstmts The function vsymbols of function collects the Why3 symbols for the formal parameters to a function in addition to the symbol for the memory. let vsymbols of function (wc : wctxt) (fd : fundec) : T.vsymbol list = fd.sformals |> L.map (fun vi → vi.vname) |> sm find all wc.vars |> L.append [wc.memory] If there is a precondition, the function pre impl t returns a continuation that generates a term in which the precondition implies the VC generated for the function body and the term. Otherwise, it simply gives the continuation that generates the VC for the function body and the term. let pre impl t (wc : wctxt) (fd : fundec) (pre : T.term option) : T.term → T.term = match pre with | None → term of block wc fd.sbody | Some pre → (fun t → T.t implies pre (term of block wc fd.sbody t)) Finally the function vcgen generates a function that will take the function postcondition as the argument and produce the verication condition for the function. It does this by quantifying over the memory and formal parameters as given by vsymbols of function, with the VC continuation for the function body given by pre impl t.

CHAPTER 11. PROGRAM VERIFICATION 98<br />

(∗ The other cases are unimplemented ∗)<br />

| → Em.s(Em.error "No support for try-finally, or try-except")<br />

For the C if statement, the function term <strong>of</strong> if we creates a Why3 if-then-else term. We<br />

convert the condition <strong>of</strong> the if statement (e) to a term. The expression translation code gives an<br />

integer term, which we convert to a boolean term using bterm <strong>of</strong> iterm. Next, we obtain the VC<br />

continuations for the true and false blocks, and nally construct the VC continuation for the if<br />

term.<br />

and term <strong>of</strong> if (wc : wctxt) (e : exp) (tb : block) (fb : block) : T.term → T.term =<br />

let te = e | > term <strong>of</strong> exp wc | > bterm <strong>of</strong> iterm in<br />

let tbf = term <strong>of</strong> block wc tb in<br />

let fbf = term <strong>of</strong> block wc fb in<br />

(fun t → T.t if te (tbf t) (fbf t))<br />

For a loop statement, we use the following translation:<br />

V C(loop(inv, c, b), t) = inv ∧ ∀ x1 ,...,x n<br />

(inv ⇒ (c ⇒ V C(b, inv)) ∧ (¬c ⇒ t))<br />

Where inv is the loop invariant, c is the termination condition, b is the body <strong>of</strong> the loop, t is<br />

the postcondition for the loop, and x 1 , . . . , x n are the loop variants. Furthermore, V C(b, inv) is the<br />

verication condition <strong>of</strong> the loop invariant with respect to the body.<br />

This asserts, essentially, that the invariant is true before the rst iteration, that each nonterminal<br />

iteration maintains the invariant, and that when the loop exits, the postcondition is true.<br />

<strong>CIL</strong> transforms all loops into the form:<br />

while(1) {<br />

if(!cond) break;<br />

{<br />

...<br />

}<br />

}<br />

where the innermost block statement is the original loop body. In the syntax extensions to C used<br />

for this tutorial, the loop invariant goes on this loop body block. Therefore, we must take apart<br />

the loop a bit to reach the invariant. Then, we must generate the continuation calculating the VC<br />

for the loop body, excluding the break statement (since we can't handle it correctly). Finally, we<br />

generate the continuation for the VC for the loop statement, which employs the loop invariant, and<br />

quanties over the loop variant variables, including the memory.<br />

The function term <strong>of</strong> loop performs the above translation.

logo

products

Resources

Company

Terms of service
Privacy policy
Cookie policy
Cookie settings
Imprint
Change language
Made with love in Switzerland
© 2024 Yumpu.com all rights reserved

Hooray! Your file is uploaded and ready to be published.

Saved successfully!

Ooh no, something went wrong!