Abstract
Systems code often requires fine-grained control over memory layout and pointers, expressed using low-level (e.g., bitwise) operations on pointer values. Since these operations go beyond what basic pointer arithmetic in C allows, they are performed with the help of integer-pointer casts. Prior work has explored increasingly realistic memory object models for C that account for the desired semantics of integer-pointer casts while also being sound w.r.t. compiler optimisations, culminating in PNVI, the preferred memory object model in ongoing discussions within the ISO WG14 C standards committee. However, its complexity makes it an unappealing target for verification, and no tools currently exist to verify C programs under PNVI.
In this paper, we introduce VIP, a new memory object model aimed at supporting C verification. VIP sidesteps the complexities of PNVI with a simple but effective idea: a new construct that lets programmers express the intended provenances of integer-pointer casts explicitly. At the same time, we prove VIP compatible with PNVI, thus enabling verification on top of VIP to benefit from PNVI’s validation with respect to practice. In particular, we build a verification tool, RefinedC-VIP, for verifying programs under VIP semantics. As the name suggests, RefinedC-VIP extends the recently developed RefinedC tool, which is automated yet also produces foundational proofs in Coq. We evaluate RefinedC-VIP on a range of systems-code idioms, and validate VIP’s expressiveness via an implementation in the Cerberus C semantics.
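The tagging idiom the abstract alludes to, as an added C example that is not code from the paper, from RefinedC-VIP or from Cerberus: a flag is stored in the low bit of an aligned pointer through `uintptr_t`, and the cast back to a pointer is written with VIP's explicit-provenance construct, assumed here to be named `copy_alloc_id(i, p)` as in the paper (the macro is a stand-in so the file builds with an ordinary compiler). The `node` type, the pool and the sample values are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Low-bit tagging: a 1-bit flag kept in the least significant bit of a
 * pointer to an object whose alignment leaves that bit zero.  The
 * integer-to-pointer cast that recovers the pointer is exactly the step
 * whose provenance PNVI must infer from the integer; in VIP the
 * programmer states which allocation the result belongs to. */

/* Stand-in for VIP's copy_alloc_id(i, p): a pointer with address i and
 * the provenance (allocation id) of p.  Assumption: ordinary compilers
 * lack the construct, so here it degenerates to a plain cast and only
 * documents the intended provenance. */
#define copy_alloc_id(i, p) ((void)(p), (void *)(i))

struct node { int value; int spare; };   /* alignment >= 4, so bit 0 of the address is free */

/* Pack a pointer into the pool and a flag into one integer (pointer -> integer). */
static uintptr_t tag_ptr(const struct node *p, unsigned flag) {
    uintptr_t addr = (uintptr_t)p;       /* relies on the alignment invariant above */
    return (addr & ~(uintptr_t)1u) | (flag & 1u);
}

static unsigned tag_flag(uintptr_t t) { return (unsigned)(t & 1u); }

/* Recover the pointer (integer -> pointer); pool names the allocation the
 * result must point into, which is what the verifier needs to know. */
static struct node *untag_ptr(uintptr_t t, struct node *pool) {
    return (struct node *)copy_alloc_id(t & ~(uintptr_t)1u, pool);
}

/* Sum the values of all flagged nodes referenced by a table of tagged
 * integers; every cast back to a pointer takes its provenance from pool. */
static int sum_flagged(const uintptr_t *tags, size_t n, struct node *pool) {
    int total = 0;
    for (size_t i = 0; i < n; i++) {
        if (tag_flag(tags[i]))
            total += untag_ptr(tags[i], pool)->value;
    }
    return total;
}

/* Constructed sample: four nodes in one pool, nodes 1 and 3 flagged. */
static int demo(void) {
    static struct node pool[4] = {{1, 0}, {2, 0}, {3, 0}, {4, 0}};
    uintptr_t tags[4];
    for (size_t i = 0; i < 4; i++)
        tags[i] = tag_ptr(&pool[i], (unsigned)(i % 2));
    return sum_flagged(tags, 4, pool);   /* 2 + 4 = 6 */
}
```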