skip to main content

VIP: verifying real-world C idioms with integer-pointer casts

Published:12 January 2022Publication History
Skip Abstract Section

Abstract

Systems code often requires fine-grained control over memory layout and pointers, expressed using low-level (e.g., bitwise) operations on pointer values. Since these operations go beyond what basic pointer arithmetic in C allows, they are performed with the help of integer-pointer casts. Prior work has explored increasingly realistic memory object models for C that account for the desired semantics of integer-pointer casts while also being sound w.r.t. compiler optimisations, culminating in PNVI, the preferred memory object model in ongoing discussions within the ISO WG14 C standards committee. However, its complexity makes it an unappealing target for verification, and no tools currently exist to verify C programs under PNVI.

In this paper, we introduce VIP, a new memory object model aimed at supporting C verification. VIP sidesteps the complexities of PNVI with a simple but effective idea: a new construct that lets programmers express the intended provenances of integer-pointer casts explicitly. At the same time, we prove VIP compatible with PNVI, thus enabling verification on top of VIP to benefit from PNVI’s validation with respect to practice. In particular, we build a verification tool, RefinedC-VIP, for verifying programs under VIP semantics. As the name suggests, RefinedC-VIP extends the recently developed RefinedC tool, which is automated yet also produces foundational proofs in Coq. We evaluate RefinedC-VIP on a range of systems-code idioms, and validate VIP’s expressiveness via an implementation in the Cerberus C semantics.

Skip Supplemental Material Section

Supplemental Material

Auxiliary Presentation Video

This is a short presentation video of our POPL 2022 paper on VIP, a new memory object model for C supporting integer-pointer casts and targeted at program verification.

References

  1. Mark Batty, Scott Owens, Susmit Sarkar, Peter Sewell, and Tjark Weber. 2011. Mathematizing C++ concurrency. In POPL. 55–66. https://doi.org/10.1145/1926385.1926394 Google ScholarGoogle ScholarDigital LibraryDigital Library
  2. Frédéric Besson, Sandrine Blazy, and Pierre Wilke. 2014. A Precise and Abstract Memory Model for C Using Symbolic Values. In APLAS (LNCS, Vol. 8858). Springer, 449–468. https://doi.org/10.1007/978-3-319-12736-1_24 Google ScholarGoogle ScholarCross RefCross Ref
  3. Frédéric Besson, Sandrine Blazy, and Pierre Wilke. 2015. A Concrete Memory Model for CompCert. In ITP (LNCS, Vol. 9236). Springer, 67–83. https://doi.org/10.1007/978-3-319-22102-1_5 Google ScholarGoogle ScholarCross RefCross Ref
  4. Frédéric Besson, Sandrine Blazy, and Pierre Wilke. 2019. CompCertS: A Memory-Aware Verified C Compiler Using a Pointer as Integer Semantics. J. Autom. Reason., 63, 2 (2019), 369–392. https://doi.org/10.1007/s10817-018-9496-y Google ScholarGoogle ScholarDigital LibraryDigital Library
  5. Qinxiang Cao, Lennart Beringer, Samuel Gruetter, Josiah Dodds, and Andrew W. Appel. 2018. VST-Floyd: A separation logic tool to verify correctness of C programs. JAR, 61, 1-4 (2018), 367–422. issn:1573-0670 https://doi.org/10.1007/s10817-018-9457-5 Google ScholarGoogle ScholarDigital LibraryDigital Library
  6. Adam Chlipala. 2011. Mostly-automated verification of low-level programs in computational separation logic. PLDI, isbn:9781450306638 https://doi.org/10.1145/1993498.1993526 Google ScholarGoogle ScholarDigital LibraryDigital Library
  7. Ernie Cohen, Michal Moskal, Stephan Tobies, and Wolfram Schulte. 2009. A Precise Yet Efficient Memory Model For C. Electron. Notes Theor. Comput. Sci., 254 (2009), 85–103. https://doi.org/10.1016/j.entcs.2009.09.061 Google ScholarGoogle ScholarDigital LibraryDigital Library
  8. Jeffrey Cook and Sakthi Subramanian. 1994. A Formal Semantics for C in Nqthm. Trusted Information Systems.Google ScholarGoogle Scholar
  9. Will Deacon. 2020. Virtualization for the Masses: Exposing KVM on Android. https://www.youtube.com/watch?v=wY-u6n75iXc KVM Forum Talk.Google ScholarGoogle Scholar
  10. Jake Edge. 2020. KVM for Android. https://lwn.net/Articles/836693/Google ScholarGoogle Scholar
  11. Chucky Ellison and Grigore Rosu. 2012. An executable formal semantics of C with applications. In POPL. ACM, 533–544. https://doi.org/10.1145/2103656.2103719 Google ScholarGoogle ScholarDigital LibraryDigital Library
  12. David Greenaway, Japheth Lim, June Andronick, and Gerwin Klein. 2013. Don’t sweat the small stuff: Formal verification of C code without the pain. PLDI, isbn:9781450327848 https://doi.org/10.1145/2594291.2594296 Google ScholarGoogle ScholarDigital LibraryDigital Library
  13. Ronghui Gu, Jérémie Koenig, Tahina Ramananandro, Zhong Shao, Xiongnan (Newman) Wu, Shu-Chun Weng, Haozhong Zhang, and Yu Guo. 2015. Deep Specifications and Certified Abstraction Layers. In POPL. ACM, 595–608. https://doi.org/10.1145/2676726.2676975 Google ScholarGoogle ScholarDigital LibraryDigital Library
  14. Ronghui Gu, Zhong Shao, Hao Chen, Jieung Kim, Jérémie Koenig, Xiongnan (Newman) Wu, Vilhelm Sjöberg, and David Costanzo. 2019. Building certified concurrent OS kernels. Commun. ACM, 62, 10 (2019), 89–99. https://doi.org/10.1145/3356903 Google ScholarGoogle ScholarDigital LibraryDigital Library
  15. Ronghui Gu, Zhong Shao, Jieung Kim, Xiongnan (Newman) Wu, Jérémie Koenig, Vilhelm Sjöberg, Hao Chen, David Costanzo, and Tahina Ramananandro. 2018. Certified concurrent abstraction layers. PLDI, isbn:9781450356985 https://doi.org/10.1145/3192366.3192381 Google ScholarGoogle ScholarDigital LibraryDigital Library
  16. Yuri Gurevich and James K. Huggins. 1992. The Semantics of the C Programming Language. In CSL (LNCS, Vol. 702). Springer, 274–308. https://doi.org/10.1007/3-540-56992-8_17 Google ScholarGoogle ScholarCross RefCross Ref
  17. Jens Gustedt, Peter Sewell, Kayvan Memarian, Victor B. F. Gomes, and Martin Uecker. 2020. N2577: A Provenance-aware Memory Object Model for C. Working Draft Technical Specification TS 6010. ISO/IEC JTC1/SC22/WG14 N2577. http://www.open-std.org/jtc1/sc22/wg14/www/docs/n2577.pdfGoogle ScholarGoogle Scholar
  18. Hafnium. 2020. Hafnium. https://review.trustedfirmware.org/plugins/gitiles/hafnium/hafnium/+/HEAD/README.mdGoogle ScholarGoogle Scholar
  19. Chris Hathhorn, Chucky Ellison, and Grigore Rosu. 2015. Defining the undefinedness of C. In PLDI. ACM, 336–345. https://doi.org/10.1145/2737924.2737979 Google ScholarGoogle ScholarDigital LibraryDigital Library
  20. Bart Jacobs, Jan Smans, Pieter Philippaerts, Frédéric Vogels, Willem Penninckx, and Frank Piessens. 2011. VeriFast: A powerful, sound, predictable, fast verifier for C and Java. In NFM (LNCS, Vol. 6617). 41–55. http://dx.doi.org/10.1007/978-3-642-20398-5_4 Google ScholarGoogle ScholarCross RefCross Ref
  21. Jonas Braband Jensen, Nick Benton, and Andrew Kennedy. 2013. High-level separation logic for low-level code. In POPL. ACM, 301–314. https://doi.org/10.1145/2429069.2429105 Google ScholarGoogle ScholarDigital LibraryDigital Library
  22. Ralf Jung, Jacques-Henri Jourdan, Robbert Krebbers, and Derek Dreyer. 2018. RustBelt: Securing the foundations of the Rust programming language. PACMPL, 2, POPL (2018), 1–34. issn:2475-1421 https://doi.org/10.1145/3158154 Google ScholarGoogle ScholarDigital LibraryDigital Library
  23. Ralf Jung, Robbert Krebbers, Lars Birkedal, and Derek Dreyer. 2016. Higher-order ghost state. In ICFP. 256–269. https://doi.org/10.1145/2951913.2951943 Google ScholarGoogle ScholarDigital LibraryDigital Library
  24. Ralf Jung, Robbert Krebbers, Jacques-Henri Jourdan, Ales Bizjak, Lars Birkedal, and Derek Dreyer. 2018. Iris from the ground up: A modular foundation for higher-order concurrent separation logic. JFP, 28 (2018), e20. https://doi.org/10.1017/S0956796818000151 Google ScholarGoogle ScholarCross RefCross Ref
  25. Ralf Jung, David Swasey, Filip Sieczkowski, Kasper Svendsen, Aaron Turon, Lars Birkedal, and Derek Dreyer. 2015. Iris: Monoids and invariants as an orthogonal basis for concurrent reasoning. POPL, isbn:9781450333009 https://doi.org/10.1145/2676726.2676980 Google ScholarGoogle ScholarDigital LibraryDigital Library
  26. Jeehoon Kang, Chung-Kil Hur, William Mansky, Dmitri Garbuzov, Steve Zdancewic, and Viktor Vafeiadis. 2015. A formal C memory model supporting integer-pointer casts. In PLDI. ACM, 326–335. https://doi.org/10.1145/2737924.2738005 Google ScholarGoogle ScholarDigital LibraryDigital Library
  27. Florent Kirchner, Nikolai Kosmatov, Virgile Prevosto, Julien Signoles, and Boris Yakobowski. 2015. Frama-C: A software analysis perspective. In SEFM (LNCS, Vol. 7504). 233–247. http://dx.doi.org/10.1007/s00165-014-0326-7 Google ScholarGoogle ScholarDigital LibraryDigital Library
  28. Gerwin Klein, June Andronick, Kevin Elphinstone, Toby C. Murray, Thomas Sewell, Rafal Kolanski, and Gernot Heiser. 2014. Comprehensive formal verification of an OS microkernel. ACM Trans. Comput. Syst., 32, 1 (2014), 2:1–2:70. https://doi.org/10.1145/2560537 Google ScholarGoogle ScholarDigital LibraryDigital Library
  29. Gerwin Klein, Kevin Elphinstone, Gernot Heiser, June Andronick, David Cock, Philip Derrin, Dhammika Elkaduwe, Kai Engelhardt, Rafal Kolanski, Michael Norrish, Thomas Sewell, Harvey Tuch, and Simon Winwood. 2009. seL4: Formal verification of an OS kernel. In SOSP. ACM, 207–220. https://doi.org/10.1145/1629575.1629596 Google ScholarGoogle ScholarDigital LibraryDigital Library
  30. Robbert Krebbers. 2013. Aliasing Restrictions of C11 Formalized in Coq. In CPP (LNCS, Vol. 8307).Google ScholarGoogle ScholarDigital LibraryDigital Library
  31. Robbert Krebbers. 2015. The C standard formalized in Coq. Ph.D. Dissertation. Radboud University Nijmegen.Google ScholarGoogle Scholar
  32. Robbert Krebbers, Ralf Jung, Aleš Bizjak, Jacques-Henri Jourdan, Derek Dreyer, and Lars Birkedal. 2017. The essence of higher-order concurrent separation logic. In ESOP (LNCS, Vol. 10201). 696–723. https://doi.org/10.1007/978-3-662-54434-1_26 Google ScholarGoogle ScholarDigital LibraryDigital Library
  33. Robbert Krebbers, Xavier Leroy, and Freek Wiedijk. 2014. Formal C Semantics: CompCert and the C Standard. In ITP (LNCS, Vol. 8558). Springer, 543–548. https://doi.org/10.1007/978-3-319-08970-6_36 Google ScholarGoogle ScholarCross RefCross Ref
  34. Robbert Krebbers and Freek Wiedijk. 2015. A Typed C11 Semantics for Interactive Theorem Proving. In CPP. ACM, 15–27. https://doi.org/10.1145/2676724.2693571 Google ScholarGoogle ScholarDigital LibraryDigital Library
  35. Juneyoung Lee, Chung-Kil Hur, Ralf Jung, Zhengyang Liu, John Regehr, and Nuno P. Lopes. 2018. Reconciling high-level optimizations and low-level code in LLVM. Proc. ACM Program. Lang., 2, OOPSLA (2018), 125:1–125:28. https://doi.org/10.1145/3276495 Google ScholarGoogle ScholarDigital LibraryDigital Library
  36. Rodolphe Lepigre, Michael Sammler, Kayvan Memarian, Robbert Krebbers, Derek Dreyer, and Peter Sewell. 2021. VIP: Verifying Real-World C Idioms Involving Integer-Pointer Casts (Appendix). https://doi.org/10.5281/zenodo.5662349 Google ScholarGoogle ScholarDigital LibraryDigital Library
  37. Rodolphe Lepigre, Michael Sammler, Kayvan Memarian, Robbert Krebbers, Derek Dreyer, and Peter Sewell. 2021. VIP: Verifying Real-World C Idioms Involving Integer-Pointer Casts (Artifact). https://doi.org/10.5281/zenodo.5662349 Google ScholarGoogle ScholarDigital LibraryDigital Library
  38. Xavier Leroy. 2006. Formal certification of a compiler back-end or: programming a compiler with a proof assistant. In POPL. ACM, 42–54. https://doi.org/10.1145/1111037.1111042 Google ScholarGoogle ScholarDigital LibraryDigital Library
  39. Xavier Leroy, Andrew Appel, Sandrine Blazy, and Gordon Stewart. 2012. The CompCert memory model, version 2. Inria.Google ScholarGoogle Scholar
  40. Xavier Leroy and Sandrine Blazy. 2008. Formal verification of a C-like memory model and its uses for verifying program transformations. JAR, 41, 1 (2008), 1–31. https://doi.org/10.1007/s10817-008-9099-0 Google ScholarGoogle ScholarDigital LibraryDigital Library
  41. Xavier Leroy and Damien Doligez. 1996. OCaml runtime representation of values. https://github.com/ocaml/ocaml/blob/trunk/runtime/caml/mlvalues.hGoogle ScholarGoogle Scholar
  42. Shih-Wei Li, Xupeng Li, Ronghui Gu, Jason Nieh, and John Zhuang Hui. 2021. A Secure and Formally Verified Linux KVM Hypervisor. In IEEE Symposium on Security and Privacy.Google ScholarGoogle ScholarCross RefCross Ref
  43. Kayvan Memarian, Victor B. F. Gomes, Brooks Davis, Stephen Kell, Alexander Richardson, Robert N. M. Watson, and Peter Sewell. 2019. Exploring C semantics and pointer provenance. PACMPL, 3, POPL (2019), 67:1–67:32. https://doi.org/10.1145/3290380 Google ScholarGoogle ScholarDigital LibraryDigital Library
  44. Kayvan Memarian, Justus Matthiesen, James Lingard, Kyndylan Nienhuis, David Chisnall, Robert N. M. Watson, and Peter Sewell. 2016. Into the depths of C: elaborating the de facto standards. 1–15. https://doi.org/10.1145/2908080.2908081 Google ScholarGoogle ScholarDigital LibraryDigital Library
  45. Magnus Oskar Myreen. 2009. Formal verification of machine-code programs. Ph.D. Dissertation. University of Cambridge, UK. http://ethos.bl.uk/OrderDetails.do?uin=uk.bl.ethos.611450Google ScholarGoogle Scholar
  46. Michael Norrish. 1998. C formalised in HOL. Ph.D. Dissertation. University of Cambridge.Google ScholarGoogle Scholar
  47. Peter W. O’Hearn, John C. Reynolds, and Hongseok Yang. 2001. Local reasoning about programs that alter data structures. In CSL (LNCS, Vol. 2142). 1–19. https://doi.org/10.1007/3-540-44802-0_1 Google ScholarGoogle ScholarCross RefCross Ref
  48. Nikolaos Papaspyrou. 1998. A Formal Semantics for the C Programming Language. Ph.D. Dissertation. National Technical University of Athens.Google ScholarGoogle Scholar
  49. pKVM developers. 2020. Initial allocator of the pKVM hypervisor. https://github.com/torvalds/linux/blob/master/arch/arm64/kvm/hyp/nvhe/early_alloc.cGoogle ScholarGoogle Scholar
  50. John C. Reynolds. 2002. Separation logic: A logic for shared mutable data structures. 55–74. https://doi.org/10.1109/LICS.2002.1029817 Google ScholarGoogle ScholarCross RefCross Ref
  51. Patrick Maxim Rondon, Ming Kawaguchi, and Ranjit Jhala. 2010. Low-level liquid types. In POPL. 131–144. https://doi.org/10.1145/1706299.1706316 Google ScholarGoogle ScholarDigital LibraryDigital Library
  52. Michael Sammler, Rodolphe Lepigre, Robbert Krebbers, Kayvan Memarian, Derek Dreyer, and Deepak Garg. 2021. RefinedC: automating the foundational verification of C code with refined ownership types. 158–174. https://doi.org/10.1145/3453483.3454036 Google ScholarGoogle ScholarDigital LibraryDigital Library
  53. Jaroslav Sevcík, Viktor Vafeiadis, Francesco Zappa Nardelli, Suresh Jagannathan, and Peter Sewell. 2013. CompCertTSO: A Verified Compiler for Relaxed-Memory Concurrency. J. ACM, 60, 3 (2013), 22:1–22:50. https://doi.org/10.1145/2487241.2487248 Google ScholarGoogle ScholarDigital LibraryDigital Library
  54. Thomas Arthur Leck Sewell, Magnus O. Myreen, and Gerwin Klein. 2013. Translation validation for a verified OS kernel. In PLDI. ACM, 471–482. https://doi.org/10.1145/2491956.2462183 Google ScholarGoogle ScholarDigital LibraryDigital Library
  55. Andrei Stefanescu. 2014. MatchC: A Matching Logic Reachability Verifier Using the K Framework. Electron. Notes Theor. Comput. Sci., 304 (2014), 183–198. https://doi.org/10.1016/j.entcs.2014.05.010 Google ScholarGoogle ScholarCross RefCross Ref
  56. Harvey Tuch, Gerwin Klein, and Michael Norrish. 2007. Types, bytes, and separation logic. In POPL. ACM, 97–108. https://doi.org/10.1145/1190216.1190234 Google ScholarGoogle ScholarDigital LibraryDigital Library
  57. Shengyi Wang, Qinxiang Cao, Anshuman Mohan, and Aquinas Hobor. 2019. Certifying graph-manipulating C programs via localizations within data structures. Proc. ACM Program. Lang., 3, OOPSLA (2019), 171:1–171:30. https://doi.org/10.1145/3360597 Google ScholarGoogle ScholarDigital LibraryDigital Library
  58. Yuting Wang, Pierre Wilke, and Zhong Shao. 2019. An abstract stack based approach to verified compositional compilation to machine code. Proc. ACM Program. Lang., 3, POPL (2019), 62:1–62:30. https://doi.org/10.1145/3290375 Google ScholarGoogle ScholarDigital LibraryDigital Library
  59. WG14. 2004. Defect Report #260: Indeterminate values and identical representations. http://www.open-std.org/jtc1/sc22/wg14/www/docs/dr_260.htmGoogle ScholarGoogle Scholar

Index Terms

  1. VIP: verifying real-world C idioms with integer-pointer casts

          Recommendations

          Comments

          Login options

          Check if you have access through your login credentials or your institution to get full access on this article.

          Sign in

          Full Access

          PDF Format

          View or Download as a PDF file.

          PDF

          eReader

          View online with eReader.

          eReader
          About Cookies On This Site

          We use cookies to ensure that we give you the best experience on our website.

          Learn more

          Got it!