A CIL Tutorial - Department of Computer Science - ETH Zürich

Chapter 11
Program Verication
In this tutorial, we will use the Why3 [3] verication framework to prove things about C code. In
particular we will generate verication conditions (VCs) from preconditions, postconditions, and
loop invariants given by an annotation syntax that we will add to C using function type attributes
and block attributes. Suppose a function f is annotated with precondition pre and postcondition
post. We ask Why3 to prove the validity of pre → V C(f, post).
An introduction to the generation of verication conditions for imperative languages can be
found in the textbook by Winskel [6]. In this example we will use the backwards method of VC
generation. This will preclude a straightforward handling of C constructs like goto, break, and
continue statements. For these, a forwards method of VC generation is more suitable. However,
the backwards method is able to handle all the other features of C including while loops, for loops,
if statements, and switch statements.
This module allows expression preconditions, postconditions, and loop invariants in C code with
syntax extensions embodied in the following example:
void (pre(p1) post(p2) f)(...) {
while(c) { invariant(c, p3, v1, ..., vn)
}
}
Here, p1, p2, and p3 are propositions that may include universal quantications and implications.
Universal quantication is written as forall(v1,...,vn,p) where v1 through vn are the
variables being quantied over, and p is the formula being quantied over. Implication is written
as implies(p1,p2), where p1 is the antecedent and p2 is the consequent. In the loop invariant annotation,
c is the loop termination condition, p3 is the loop invariant proposition, and v1 through
textttvn are the loop variant variables. Except for forall and implies, C expression syntax is
used for the propositions.
91