## A case study of C source code verification: the Schorr-Waite algorithm (2005)

Venue: 3rd IEEE Intl. Conf. SEFM’05

Citations: 14 (0 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Hubert05acase,
  author    = {Thierry Hubert and Claude Marché},
  title     = {A case study of C source code verification: the Schorr-Waite algorithm},
  booktitle = {3rd IEEE Intl. Conf. SEFM'05},
  year      = {2005},
  pages     = {190--199},
  publisher = {IEEE Computer Society}
}
```

### Abstract

We describe an experiment of formal verification of C source code, using the CADUCEUS tool. We performed a full formal proof of the classical Schorr-Waite graph-marking algorithm, which has already been used several times as a case study for formal reasoning on pointer programs. Our study is original with respect to previous experiments for several reasons. First, we use a general-purpose tool for C programs: we start from real source code written in C, specified using an annotation language for arbitrary C programs. Second, we use several theorem provers as backends, both automatic and interactive. Third, we formally establish more properties of the algorithm than previous works; in particular, a formal proof of termination is made.

Keywords: Formal verification, Floyd-Hoare logic, Pointer programs, Aliasing, C programming language.

The Schorr-Waite algorithm is the first mountain that any formalism for pointer aliasing should climb. — Richard Bornat ([4], page 121)

### Citations

735 | Separation logic: A logic for shared mutable data objects - Reynolds - 2002
Citation Context: ...tion of data appear to be crucial for large programs: we are currently investigating improvements, in particular by integration of advanced static analysis techniques, and ideas from separation logic [20]. Generally speaking, adding static analysis techniques to our setting is a major goal. Among more academic future work, we wonder what would be the next “mountain to climb” for pointer program verific...

564 | Parametric Shape Analysis via 3-Valued Logic - Sagiv, Reps, et al.
Citation Context: ...r dereferencing, it has to be said that advanced static analysis techniques are able to establish it also. The Schorr-Waite algorithm is one of the examples automatically handled by the TVLA approach [21, 19], where a powerful analysis of reachability in pointer structures is done. But until now, as far as we know, only our approach is able to handle both the pointer dereferencing checks and the validity ...

215 | CVC Lite: A new implementation of the cooperating validity checker - Barrett, Berezin - 2004
Citation Context: ...tions. An original CADUCEUS feature is its independence with respect to the prover. It currently supports the Coq [7] and PVS [17] interactive proof assistants, and the Simplify [1], haRVey [18] and CVC-lite [3] automatic provers. Coherence between all prover outputs is obtained by first producing each verification condition in a common logical setting: first-order logic with equality and arithmetic on integ...

105 | Proving pointer programs in Hoare logic - Bornat - 2000
Citation Context: ...ication, Floyd-Hoare logic, Pointer programs, Aliasing, C programming language. The Schorr-Waite algorithm is the first mountain that any formalism for pointer aliasing should climb. — Richard Bornat ([4], page 121) 1. Introduction Using formal methods for verifying properties of programs at their source code level has gained more interest with the increased use of embedded programs, which are short p...

85 | JML: notations and tools supporting detailed design in Java - Leavens, Leino, et al. - 2000
Citation Context: ...rmerly mentioned systems, CADUCEUS takes as input real source code in the C programming language, where specifications are given inside regular C comments, in the spirit of the Java Modeling Language [11]. It is not the purpose of this paper to describe CADUCEUS internal technology, which has already been presented in another conference [9]. Roughly speaking, CADUCEUS is a verification condition gene...

79 | Some techniques for proving correctness of programs which alter data structures - Burstall - 1972
Citation Context: ...ive data structures. In 2000, Bornat [4] was able to perform a computer-aided formal proof of the Schorr-Waite algorithm using the Jape system [5]. To make the proof tractable, an old idea by Burstall [6] for reasoning on pointer programs was reused, called the ‘component-as-array’ trick: the heap memory is not modelled by a single large array, but by several ones, separating the memory into parts whe...

71 | Proving pointer programs in higher-order logic - Mehta, Nipkow
Citation Context: ...s. These parts correspond to different fields of records (i.e. structures in C, or instance variables in Java). In 2003, the Schorr-Waite algorithm was used again as a case study by Mehta and Nipkow [14], this time for verification of pointer programs in the higher-order logic system Isabelle/HOL. In 2003 also, Abrial [2] performed another verification of this algorithm, this time based on refinement, usin...

70 | On-line construction of suffix-trees - Ukkonen - 1995

69 | The Krakatoa tool for certification of Java/JavaCard programs annotated with JML annotations - Marché, Paulin-Mohring, et al.
Citation Context: ...ssful case study, which provides clear evidence that the CADUCEUS methodology [9] is powerful. Since we proposed a specification language inspired from JML, and since we also develop a similar tool [12, 13] for Java programs annotated in JML, it would be natural to perform the same case study on a Java/JML version of the Schorr-Waite algorithm. We already made attempts in this direction; indeed we tr...

66 | An efficient machine-independent procedure for garbage collection in various list structures - Schorr, Waite - 1967
Citation Context: ...s partly supported by the “projet GECCOO de l’ACI Sécurité Informatique”, http://gecco.lri.fr, the AVERROES RNTL project http://www-verimag.imag.fr/AVERROES/, CNRS & INRIA. The Schorr-Waite algorithm [22] is a graph-marking algorithm intended to be used in garbage collectors. It performs a depth-first traversal of an arbitrary graph structure (hence a structure where aliasing may occur), without using...

63 | Multi-Prover Verification of C Programs - Filliâtre, Marché - 2004
Citation Context: ...OL. In 2003 also, Abrial [2] performed another verification of this algorithm, this time based on refinement, using the B system. In 2004, we proposed a new verification method for ANSI C source code [9]. A prototype tool has been implemented, called CADUCEUS, freely available for experimentation [8]. Unlike formerly mentioned systems, CADUCEUS takes as input real source code in the C programming lan...

48 | Light-Weight Theorem Proving for Debugging and Verifying Units of Code - Déharbe, Ranise - 2003
Citation Context: ...verification conditions. An original CADUCEUS feature is its independence with respect to the prover. It currently supports the Coq [7] and PVS [17] interactive proof assistants, and the Simplify [1], haRVey [18] and CVC-lite [3] automatic provers. Coherence between all prover outputs is obtained by first producing each verification condition in a common logical setting: first-order logic with equality and ar...

43 | The C Programming Language (2nd Ed.) - Kernighan, Ritchie - 1988

35 | Finite differencing of logical formulas for static analysis - Reps, Sagiv, et al. - 2010
Citation Context: ...r dereferencing, it has to be said that advanced static analysis techniques are able to establish it also. The Schorr-Waite algorithm is one of the examples automatically handled by the TVLA approach [21, 19], where a powerful analysis of reachability in pointer structures is done. But until now, as far as we know, only our approach is able to handle both the pointer dereferencing checks and the validity ...

29 | Event based sequential program development: Application to constructing a pointer program - Abrial
Citation Context: ... 2003, the Schorr-Waite algorithm was used again as a case study by Mehta and Nipkow [14], this time for verification of pointer programs in the higher-order logic system Isabelle/HOL. In 2003 also, Abrial [2] performed another verification of this algorithm, this time based on refinement, using the B system. In 2004, we proposed a new verification method for ANSI C source code [9]. A prototype tool has be...

21 | Animating formal proof at the surface: the Jape proof calculator - Bornat, Sufrin - 1999

13 | Reasoning about Java programs with aliasing and frame conditions - Marché, Paulin-Mohring
Citation Context: ...ssful case study, which provides clear evidence that the CADUCEUS methodology [9] is powerful. Since we proposed a specification language inspired from JML, and since we also develop a similar tool [12, 13] for Java programs annotated in JML, it would be natural to perform the same case study on a Java/JML version of the Schorr-Waite algorithm. We already made attempts in this direction; indeed we tr...

11 | The Correctness of the Schorr-Waite List Marking Algorithm - Topor - 1979
Citation Context: ...), without using additional memory, but using the pointers in the graph structure itself as a backtracking stack. A first (non computer-aided) proof of correctness of this algorithm was given by Topor [24] in 1979, and in 1982 Morris [16] presented a semi-formal proof using a general mechanism for dealing with inductive data structures. In 2000, Bornat [4] was able to perform a computer-aided formal pro...
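The marking algorithm described in the Schorr-Waite [22] and Topor [24] contexts above, written out as an added C example (this is not the paper's CADUCEUS-annotated source, which the page does not reproduce): a Schorr-Waite traversal over a struct-based binary graph that uses the nodes' own `l`/`r` fields as the backtracking stack, followed by a dynamic check of the properties the paper proves for all inputs, namely that exactly the reachable nodes get marked, that every pointer is restored, and that the loop terminates. The node layout, the five-node sample graph and the `run_checks` function are constructed for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A binary graph node as in the paper's setting: two child pointers plus the
 * two bits the algorithm needs, the mark m and the flag c ("left child done,
 * right child in progress" while the node sits on the implicit stack). */
typedef struct node {
    struct node *l;
    struct node *r;
    unsigned m : 1;
    unsigned c : 1;
} node;

/* Schorr-Waite marking: a depth-first traversal that marks every node
 * reachable from root using only the three local pointers t, p, q.
 * The path back to the root is kept by temporarily reversing one field of
 * each node on that path (push), and each reversal is undone when the node
 * is left (swing restores l, pop restores r). The loop exits when the stack
 * is empty (p == NULL) and t is null or already marked. */
void schorr_waite(node *root)
{
    node *t = root;   /* node currently being visited */
    node *p = NULL;   /* top of the reversed-pointer stack */
    node *q;

    while (p != NULL || (t != NULL && !t->m)) {
        if (t == NULL || t->m) {
            if (p->c) {
                /* pop: both children of p are done; put t back as p->r
                 * and climb to the node that was stored there */
                q = t;  t = p;  p = p->r;  t->r = q;
            } else {
                /* swing: left subtree of p done; restore p->l, move the
                 * return pointer into p->r and descend into the old right child */
                q = t;  t = p->r;  p->r = p->l;  p->l = q;  p->c = 1;
            }
        } else {
            /* push: mark t, save the return pointer p in t->l and descend
             * into t's left child */
            q = p;  p = t;  t = t->l;  p->l = q;  p->m = 1;  p->c = 0;
        }
    }
}

/* Constructed test graph (not from the paper). It contains a cycle
 * (n1 -> n0), an aliased node (n3 is a child of both n1 and n2) and a
 * node n4 that points into the graph but is unreachable from n0. */
enum { N = 5 };

static void build_graph(node g[N])
{
    memset(g, 0, sizeof(node) * N);
    g[0].l = &g[1];  g[0].r = &g[2];
    g[1].l = &g[0];  g[1].r = &g[3];
    g[2].l = NULL;   g[2].r = &g[3];
    g[3].l = NULL;   g[3].r = NULL;
    g[4].l = &g[0];  g[4].r = NULL;
}

/* The properties the paper proves, checked dynamically on the sample graph:
 * exactly the reachable nodes end up marked, and every l/r pointer has its
 * original value again. Returns 0 on success, otherwise a code naming the
 * first violated property. Termination is witnessed by the function
 * returning at all. */
int run_checks(void)
{
    node g[N], before[N];
    int i;

    build_graph(g);
    memcpy(before, g, sizeof g);      /* snapshot of the pointer fields */
    schorr_waite(&g[0]);

    for (i = 0; i < N; i++) {
        unsigned expect_marked = (i != 4);
        if (g[i].m != expect_marked) return 1;                          /* wrong reachability */
        if (g[i].l != before[i].l || g[i].r != before[i].r) return 2;   /* pointer not restored */
    }
    /* A second run on an already marked root must leave the graph untouched. */
    schorr_waite(&g[0]);
    for (i = 0; i < N; i++)
        if (g[i].l != before[i].l || g[i].r != before[i].r) return 3;
    schorr_waite(NULL);               /* the empty graph is a valid input */
    return 0;
}

int main(void)
{
    int rc = run_checks();
    printf("schorr_waite checks: %s (code %d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

The check only exercises one graph; what CADUCEUS and its prover backends establish is the same three properties for every finite graph, plus the absence of invalid dereferences, which here rests on the invariant that `p` is never NULL when `p->c` is read (the loop condition guarantees `t` is non-null and unmarked whenever `p` is NULL).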

9 | A Proof of the Schorr-Waite Algorithm - Morris - 1981
Citation Context: ...y, but using the pointers in the graph structure itself as a backtracking stack. A first (non computer-aided) proof of correctness of this algorithm was given by Topor [24] in 1979, and in 1982 Morris [16] presented a semi-formal proof using a general mechanism for dealing with inductive data structures. In 2000, Bornat [4] was able to perform a computer-aided formal proof of the Schorr-Waite algorithm ...

2 | The Caduceus tool for the verification of C programs, http://why.lri.fr/caduceus - Filliâtre, Hubert, et al.
Citation Context: ...refinement, using the B system. In 2004, we proposed a new verification method for ANSI C source code [9]. A prototype tool has been implemented, called CADUCEUS, freely available for experimentation [8]. Unlike formerly mentioned systems, CADUCEUS takes as input real source code in the C programming language, where specifications are given inside regular C comments, in the spirit of the Java Modelin...

2 | Proof pearl: Dijkstra’s shortest path algorithm verified with ACL2 - Moore, Zhang - 2005

2 | The Java Card (TM) application programming interface (API), http://java.sun.com/products/javacard - Sun Microsystems
Citation Context: ...re short programs where a high level of confidence is required. Such embedded programs are no longer written in assembly language but rather in C (plane command control, cars, etc.) or in JavaCard (TM) [23] (mobile phones, smart cards, etc.). To perform formal verification of C or Java programs, one faces the general issue of verification of pointer programs: aliasing, that is referencing a memory locat...