Allan Blanchard
Introduction to C program proof with Frama-C and its WP plugin
July 1, 2020

Contents

1. Introduction
2. Program proof and our tool for this tutorial: Frama-C
   2.1. Program proof
      2.1.1. Ensure program reliability
      2.1.2. A bit of context
      2.1.3. Hoare triples
      2.1.4. Weakest precondition calculus
   2.2. Frama-C
      2.2.1. Frama-C? WP?
      2.2.2. Installation
      2.2.3. Verify installation
      2.2.4. (Bonus) Some more provers
3. Function contract
   3.1. Contract definition
      3.1.1. Postcondition
      3.1.2. Precondition
      3.1.3. Exercises
   3.2. Well specified function
      3.2.1. Correctly write what we expect
      3.2.2. Inconsistent preconditions
      3.2.3. Pointers
      3.2.4. Writing the right contract
      3.2.5. Exercises
   3.3. Behaviors
      3.3.1. Exercises
   3.4. WP Modularity
      3.4.1. Exercises
4. Basic instructions and control structures
      4.0.1. Inference rules
      4.0.2. Hoare triples
   4.1. Basic concepts
      4.1.1. Assignment
      4.1.2. Composition of statements
      4.1.3. Conditional rule
      4.1.4. Bonus Stage - Consequence rule
      4.1.5. Bonus Stage - Constancy rule
      4.1.6. Exercises
   4.2. Loops
      4.2.1. Induction and invariant
      4.2.2. The assigns clause … for loops
      4.2.3. Partial correctness and total correctness - Loop variant
      4.2.4. Create a link between postcondition and invariant
      4.2.5. Early termination of loop
      4.2.6. Exercises
   4.3. More examples on loops
      4.3.1. Example with read-only arrays
      4.3.2. Examples with mutable arrays
      4.3.3. Exercises
   4.4. Function calls
      4.4.1. Calling a function
      4.4.2. Recursive functions
5. ACSL - Properties
   5.1. Some logical types
   5.2. Predicates
      5.2.1. Syntax
      5.2.2. Abstraction
      5.2.3. Exercises
   5.3. Logic functions
      5.3.1. Syntax
      5.3.2. Recursive functions and limits of logic functions
      5.3.3. Exercises
   5.4. Lemmas
      5.4.1. Syntax
      5.4.2. Example: properties of linear functions
      5.4.3. Example: arrays and labels
      5.4.4. Exercises
6. ACSL - Logic definitions and ghost code
   6.1. Inductive definitions
      6.1.1. Syntax
      6.1.2. Recursive predicate definitions
      6.1.3. Example: sort
      6.1.4. Exercises
   6.2. Axiomatic definitions
      6.2.1. Syntax
      6.2.2. Recursive function or predicate definitions
      6.2.3. Consistency
      6.2.4. Example: counting occurrences of a value
      6.2.5. Example: The strlen function
      6.2.6. Exercises
   6.3. Ghost code
      6.3.1. Syntax
      6.3.2. Ghost code validity, what Frama-C checks
      6.3.3. Ghost code validity, what remains to be verified
      6.3.4. Make a logical state explicit
      6.3.5. Exercises
   6.4. Hidden content
      6.4.1. Coq Proof of the no_changes lemma
      6.4.2. Specified sort functions
      6.4.3. An important axiom
      6.4.4. Sum axioms
7. Proof methodologies
   7.1. Absence of runtime errors: Minimal contracts
      7.1.1. Principle
      7.1.2. Example: the search function
      7.1.3. Advantages and limitations
      7.1.4. Exercises
   7.2. Guiding assertions and triggering of lemmas
      7.2.1. Proof context
      7.2.2. Triggering lemmas
      7.2.3. A more complex example: sort, again
      7.2.4. How to correctly use assertions?
      7.2.5. Exercises
   7.3. More on ghost code: lemma functions and lemma macros
      7.3.1. Proof by induction
      7.3.2. Lemma function
      7.3.3. Lemma macro
      7.3.4. Limitations
      7.3.5. Back to the insertion sort
      7.3.6. Exercises ...
Details
File type: PDF
Content language: English
Pages: 214