A CIL Tutorial - Department of Computer Science - ETH ZÃ¼rich

29.01.2014 Views
CHAPTER 11. PROGRAM VERIFICATION 100 let vcgen (wc : wctxt) (fd : fundec) (pre : T.term option) : T.term → T.term = (fun t → T.t forall close (vsymbols of function wc fd) [ ] (pre impl t wc fd pre t)) The function validateWhyCtxt Adds the term p to the Why3 context as a proof goal, and invokes the external prover. In this example the prover is given a timeout of two minutes, and the result is echoed to the terminal. One might also choose to use a proof assistant such as Coq [2] as the back-end to Why3, in which case, we could enter into an interactive proof session. Alternately, there are a range of options for what could be done here. We could do anything from simply directing Why3 to emit all of the proof obligations for a program for examination o-line, to halting compilation and emitting an error if a proof obligation is not discharged during compilation. The right choice likely depends on the stage of development the code is in, not to mention the goals of the t let validateWhyCtxt (w : wctxt) (p : T.term) : unit = (∗...∗) The function processFunction initializes the Why3 context with fresh variables for the local variables and formal parameters of the function before checking to see if it has any postconditions. If so, it tries to nd a precondition, generates the verication condition for the postcondition, and nally invokes validateWhyCtxt on the resulting term. let processFunction (wc : wctxt) (fd : fundec) (loc : location) : unit = wc.vars ← L.fold left (fun m vi → SM.add vi.vname (make symbol vi.vname) m) SM.empty (fd.slocals @ fd.sformals); match post of function wc fd with | None → () | Some g → let pre = pre of function wc fd in let vc = vcgen wc fd pre g in validateWhyCtxt wc vc The function tut11 is the entry point for this module. It initializes the Why3 context and then iterates over all functions in the le. let tut11 (f : file) : unit = let wc = initWhyCtxt (!Ciltutoptions.prover) (!Ciltutoptions.prover version) in iterGlobals f (onlyFunctions (processFunction wc)); eraseAttrs f

CHAPTER 11. PROGRAM VERIFICATION 101 11.2 test/tut11.c This C source le contains an example function that we will use to demonstrate the features developed in tut11.ml. In particular we will verify that a function will successfully initialize an integer array to contain the number 4 at each entry. ../test/tut11.c # include // For the pre, post and invariant annotations. The function arr init loops over the given array setting each element to 4. The precondition to the function states that the parameter n must be positive. The postcondition states that each element of the array is 4. The loop invariant states that the loop index stays in bounds, and that the array up to the value of the loop index is initialized to be 4. ../test/tut11.c void (pre(n > 0) post(forall(j,implies(j>=0 && j < n,*(a+j)==4))) arr_init)(int *a, int n) { int i; for (i = 0; i < n; i++) { invariant(i != n, i >= 0 && i =0 && j

Page 1 and 2: A CIL Tutorial Using CIL for langua

Page 3 and 4: Contents Preface 4 Introduction 5 0

Page 5 and 6: CONTENTS 3 13 Whole-program Analysi

Page 7 and 8: Introduction The C Intermediate Lan

Page 9 and 10: References [1] clang: a C language

Page 11 and 12: CHAPTER 0. OVERVIEW AND ORGANIZATIO

Page 13 and 14: Chapter 1 The AST The Concrete Synt

Page 15 and 16: CHAPTER 1. THE AST 13 1.2 Printing

Page 17 and 18: References [1] Andrew W. Appel. Mod

Page 19 and 20: CHAPTER 2. VISITING THE AST 17 open

Page 21 and 22: CHAPTER 2. VISITING THE AST 19 $ ci

Page 23 and 24: Chapter 3 Dataow Analysis Dataow An

Page 25 and 26: CHAPTER 3. DATAFLOW ANALYSIS 23 Cod

Page 27 and 28: CHAPTER 3. DATAFLOW ANALYSIS 25 let

Page 29 and 30: CHAPTER 3. DATAFLOW ANALYSIS 27 and

Page 31 and 32: CHAPTER 3. DATAFLOW ANALYSIS 29 let

Page 33 and 34: CHAPTER 3. DATAFLOW ANALYSIS 31 DoC

Page 35 and 36: CHAPTER 3. DATAFLOW ANALYSIS 33 tes

Page 37 and 38: References [1] Aws Albarghouthi, Ra

Page 39 and 40: CHAPTER 4. INSTRUMENTATION 37 type

Page 41 and 42: CHAPTER 4. INSTRUMENTATION 39 metho

Page 43 and 44: CHAPTER 4. INSTRUMENTATION 41 $ cil

Page 45 and 46: CHAPTER 5. INTERPRETED CONSTRUCTORS

Page 47 and 48: CHAPTER 5. INTERPRETED CONSTRUCTORS

Page 49 and 50: Chapter 6 Overriding Functions When

Page 51 and 52: CHAPTER 6. OVERRIDING FUNCTIONS 49

Page 53 and 54: References [1] Kumar Avijit, Pratee

Page 55 and 56: CHAPTER 7. TYPE QUALIFIERS 53 let c

Page 57 and 58: CHAPTER 7. TYPE QUALIFIERS 55 let w

Page 59 and 60: CHAPTER 7. TYPE QUALIFIERS 57 $ cil

Page 61 and 62: Chapter 8 Dependant Type Qualiers O

Page 63 and 64: CHAPTER 8. DEPENDANT TYPE QUALIFIER





Page 73 and 74: Chapter 9 Type Qualier Inference In

Page 75 and 76: CHAPTER 9. TYPE QUALIFIER INFERENCE




Page 83 and 84: Chapter 10 Adding a New Kind of Sta

Page 85 and 86: CHAPTER 10. ADDING A NEW KIND OF ST




Page 93 and 94: Chapter 11 Program Verication In th

Page 95 and 96: CHAPTER 11. PROGRAM VERIFICATION 93



Page 101: CHAPTER 11. PROGRAM VERIFICATION 99


Page 107 and 108: Chapter 12 Comments CIL has a very

Page 109 and 110: CHAPTER 12. COMMENTS 107 let printC

Page 111 and 112: References [1] Lin Tan, Ding Yuan,

Page 113 and 114: CHAPTER 13. WHOLE-PROGRAM ANALYSIS

Page 115 and 116: CHAPTER 13. WHOLE-PROGRAM ANALYSIS

Page 117 and 118: CHAPTER 14. IMPLEMENTING A SIMPLE D





Page 127 and 128: Chapter 15 Automated Test Generatio

Page 129 and 130: CHAPTER 15. AUTOMATED TEST GENERATI



Page 135 and 136: Index A (module), 10, 13, 15, 10, 1

Page 137 and 138: INDEX 135 isCacheReportType, 11, 11

functions

analysis

varmap

module

node

visitor

oekind

context

global

array

tutorial

www.inf.ethz.ch

A CIL Tutorial - Department of Computer Science - ETH ZÃ¼rich

A CIL Tutorial - Department of Computer Science - ETH ZÃ¼rich ... View more A CIL Tutorial - Department of Computer Science - ETH ZÃ¼rich

Delete template?

Save as template ?

A CIL Tutorial - Department of Computer Science - ETH ZÃ¼rich A CIL Tutorial - Department of Computer Science - ETH ZÃ¼rich