324d48b53f
|
||
|---|---|---|
| .. | ||
| doc/quickstart | ||
| experiments/alloc-proof | ||
| tests | ||
| tools | ||
| AbstractArrays.thy | ||
| AutoCorres.thy | ||
| AutoCorresAttributes.thy | ||
| AutoCorresSimpset.thy | ||
| Auto_Separation_Algebra.thy | ||
| CCorresE.thy | ||
| CorresXF.thy | ||
| DataStructures.thy | ||
| ExceptionRewrite.thy | ||
| ExecConcrete.thy | ||
| HeapLift.thy | ||
| L1Defs.thy | ||
| L1Peephole.thy | ||
| L1Valid.thy | ||
| L2Defs.thy | ||
| L2Opt.thy | ||
| L2Peephole.thy | ||
| L4VerifiedLinks.thy | ||
| LegacyAutoCorres.thy | ||
| LocalVarExtract.thy | ||
| Makefile | ||
| MonadMono.thy | ||
| NonDetMonadEx.thy | ||
| Polish.thy | ||
| README.md | ||
| ROOT | ||
| SimplBucket.thy | ||
| SimplConv.thy | ||
| TestSEL4.thy | ||
| TypHeapSimple.thy | ||
| TypeStrengthen.thy | ||
| WordAbstract.thy | ||
| attributes.ML | ||
| autocorres.ML | ||
| autocorres_data.ML | ||
| autocorres_trace.ML | ||
| autocorres_util.ML | ||
| exception_rewrite.ML | ||
| function_info.ML | ||
| heap_lift.ML | ||
| heap_lift_base.ML | ||
| l2_opt.ML | ||
| legacy.ML | ||
| local_var_extract.ML | ||
| mkterm_antiquote.ML | ||
| monad_convert.ML | ||
| monad_types.ML | ||
| pretty_bound_var_names.ML | ||
| prog.ML | ||
| program_info.ML | ||
| record_utils.ML | ||
| simpl_conv.ML | ||
| simple_lazy.ML | ||
| statistics.ML | ||
| trace_antiquote.ML | ||
| type_strengthen.ML | ||
| utils.ML | ||
| word_abstract.ML | ||
README.md
Note to maintainer: sync with tools/release_files/README
AutoCorres
AutoCorres is a tool that assists reasoning about C programs in Isabelle/HOL. In particular, it uses Norrish's C-to-Isabelle parser to parse C into Isabelle, and then abstracts the result to produce a result that is (hopefully) more pleasant to reason about.
Contents of this README
- Installation
- Quickstart
- Development and reporting bugs
- Options
- Examples
- Publications
Installation
AutoCorres is packaged as a theory for Isabelle2015:
http://isabelle.in.tum.de
To build it, type
isabelle build -d . AutoCorres
in the root of the L4v repository. This builds the C parser and AutoCorres itself. There is also a test suite, which can be run using:
make AutoCorresTest
in tools/autocorres.
Quickstart
A brief tutorial can be found in doc/quickstart.
Run make AutoCorresDoc to generate a readable PDF document of
the tutorial.
Development and reporting bugs
AutoCorres is currently maintained by Japheth Lim Japheth.Lim@nicta.com.au.
Additionally, the latest development version is available on GitHub as part of the L4.verified project:
https://github.com/NICTA/l4v (in tools/autocorres)
Options
AutoCorres supports a variety of options, which are used as follows:
autocorres [option, key=val, list=a b c d] "file.c"
The options are:
-
unsigned_word_abs = FUNC_NAMES: Use word abstraction on unsigned integers in the given functions. -
no_signed_word_abs = FUNC_NAMES: Disable signed word abstraction on the given list of functions. -
skip_word_abs: Completely disable word abstraction. -
ts_rules = RULES: Enable type strengthening to the following types. Possible types includepure(pure functional),option(option monad without state),gets(option monad with state) andnondet(non-deterministic state monad). -
ts_force RULE_NAME = FUNC_NAMES: Force the given functions to be type-strengthened to the given type, even if a "better" type could otherwise be used. Seetests/examples/type_strengthen_tricks.thy. -
no_heap_abs = FUNC_NAMES: Disable heap abstraction on the given list of functions. -
force_heap_abs = FUNC_NAMES: Attempt heap abstraction on the given list of functions, even if AutoCorres' heuristics believes that they cannot be lifted. -
heap_abs_syntax: Enable experimental heap abstraction syntactic sugar. -
skip_word_abs: Completely disable heap abstraction.
Name compatibility options (see tests/examples/AC_Rename.thy):
-
lifted_globals_field_prefix="foo",lifted_globals_field_suffix="foo": Override generated names for global variables during heap abstraction. The default isf->f_''(i.e. prefix="", suffix="_''"). -
function_name_prefix="foo",function_name_suffix="foo": Override generated names for abstracted functions. The default isf->f'(i.e. prefix="", suffix="'").
Less common options (mainly for debugging):
-
keep_going: Attempt to ignore certain non-critical errors. -
scope: Only parse the given functions and their callees, up to depthscope_depth. -
trace_heap_lift = FUNC_NAMES: Trace the heap abstraction process for each of the given functions. The traces are stored in the Isabelle theory and can be quite large. Seetests/examples/TraceDemo.thy. -
trace_word_abs = FUNC_NAMES: As above, but traces word abstraction. -
trace_opt: As above, but traces internal simplification phases (for all functions). -
no_opt: Disable some optimisation passes that simplify the AutoCorres output. -
gen_word_heaps: Force heap abstraction to create abstract heaps for standardwordtypes (word8,word16,word32,word64) even if they are not needed.
An example of invoking AutoCorres with all of the options is as follows:
autocorres [
unsigned_word_abs = f g h,
no_signed_word_abs = i j k,
skip_word_abs, (* mutually exclusive with previous rules *)
ts_rules = pure nondet,
ts_force nondet = l m n,
no_heap_abs = a b,
force_heap_abs = c d,
gen_word_heaps,
skip_heap_abs, (* mutually exclusive with previous rules *)
heap_abs_syntax,
keep_going,
scope = o p q,
scope_depth = 5,
trace_heap_lift = c d,
trace_word_abs = f h i,
no_opt,
lifted_globals_name_prefix="my_global_",
lifted_globals_name_suffix="",
function_name_prefix="my_func_",
function_name_suffix=""
] "filename.c"
Examples
Some examples are in the tests/examples directory.
Many of these examples are quick-and-dirty proofs, and should not necessary be considered the best style.
None-the-less, some of the examples available are, in approximate increasing level of difficulty:
-
Simple.thy: Proofs of some simple functions, includingmaxandgcd. -
Swap.thy: Proof of a simpleswapfunction. -
MultByAdd.thy: Proof of a function that carries out multiplication using addition. -
Factorial.thy: Proof of a factorial function, using several different methods. -
FibProof.thy: Proof of the Fibonacci function, using several different methods. -
ListRev.thy: Proof of a function that carries out an in-place linked list reversal. -
CList.thy: Another list reversal, based on a proof by Mehta and Nipkow. See [the paper][3]. -
IsPrime.thy: Proof of a function that determines if the input number is prime. -
Memset.thy: Proof of a Cmemsetimplementation. -
Quicksort.thy: Proof of a simple quicksort implementation on an array ofints. -
BinarySearch.thy: Proof of a function that determines if a sorted input array ofunsigned intcontains the givenunsigned int. -
SchorrWaite.thy: Proof a C implementation of the Schorr-Waite algorithm, using Mehta and Nipkow's high-level proof. See [the paper][3]. -
Memcpy.thy: Proof of a Cmemcpyimplementation. The proof connects the C parser's byte-level heap with AutoCorres's type-safe heap representation.
There are also some examples that aren't about program proofs, but demonstrate AutoCorres features:
-
AC_Rename.thy: how to change AutoCorres-generated names. -
TraceDemo.thy: how to use the (experimental) tracing. -
type_strengthen_tricks.thy: configuring type-strengthening.
Publications
L1 (SimplConv), L2 (LocalVarExtract) and TS (TypeStrengthen) were described in
"Bridging the gap: Automatic verified abstraction of C"
David Greenaway, June Andronick, Gerwin Klein
Proceedings of the Third International
Conference on Interactive Theorem Proving (ITP), August 2012.
http://ssrg.nicta.com.au/publications/nictaabstracts/5662.pdf
HL (heap abstraction) and WA (word abstraction) were described in
[3]: "Don’t sweat the small stuff --- Formal verification of C code without the pain" David Greenaway, Japheth Lim, June Andronick, Gerwin Klein Proceedings of the 35th ACM SIGPLAN Conference on Programming Language Design and Implementation. ACM, June 2014. http://ssrg.nicta.com.au/publications/nictaabstracts/7629.pdf
A more comprehensive source is
"Automated proof-producing abstraction of C code"
David Greenaway
PhD thesis, March 2015.
http://ssrg.nicta.com.au/publications/nictaabstracts/8758.pdf