1

I'm trying to figure out what subset of C is supported by Verifiable C from the Verified Software Toolchain. "Program Logics For Certified Compilers" (p. 143) states that it is a subset of Clight. But the CompCert compiler transforms a program from CompCert C to Clight. Does that mean that it is possible to verify any CompCert C program with Verifiable C?

  • Please provide some URLs for those of us unenlightened about CompCert, Verifiable C, and so on. You don't want us to spend time searching for the correct ones, do you? Additionally, please tell us what you have already tried to find out, including asking "them" who provide those resources. – the busybee Aug 19 '21 at 07:43
  • I've found out that clightgen actually transforms C into Clight. Not sure what I should do now with the question. – Artem Kokorin Aug 19 '21 at 08:02

2 Answers

0

The Verifiable C manual (see page 9) states that the tool works with a subset of C with a number of restrictions. But the clightgen tool that comes with the CompCert installation translates C into CompCert's Clight intermediate language, so the subset with which Verifiable C can work is almost all of C.

  • Since Verifiable C is a subset of Clight, Clight is a superset of Verifiable C. So Clight might have properties that prevent verification. – the busybee Aug 19 '21 at 08:59
0

Indeed, using Verifiable C one first uses CompCert's parser/typechecker to transform C into Clight, so it's not really about "What's in C but not in Clight", it really is about "which features of C are not supported." Page 9 of the reference manual says, basically:

  • Goto is not supported in Verifiable C (but CompCert supports goto).
  • Struct-copy (by struct assignment, struct parameters) is not supported in Verifiable C (but I think it's supported in CompCert).
  • Only structured switch statements (no Duff's device in either VC or CompCert)
  • Can't cast pointers to integers then do arithmetic on the result.

Those are the main limitations.

Andrew Appel
  • Does that mean that it is harder to verify programs with goto (because one should verify the transformed, not the original, program)? – Artem Kokorin Aug 21 '21 at 07:52
  • Source programs with goto cannot be verified using VST, at present. The CompCert front-end translates these programs into Clight programs with goto, which Verifiable C cannot handle. – Andrew Appel Aug 22 '21 at 20:17
  • I guess it is possible to eliminate `goto` before running clightgen (see [this answer](https://stackoverflow.com/a/25885890/4227829)). It just becomes even harder to verify such programs. – Artem Kokorin Aug 23 '21 at 07:01
  • From what I understand, a major restriction in CompCertC is that objects of pointer type may only be accessed by lvalues of pointer type, *and not by lvalues of character type*. This would make the language unsuitable for some purposes, but for many other purposes a statically-verifiable dialect would be more useful than one that can't be statically verified. – supercat Sep 23 '21 at 22:09
  • One more thing I forgot to mention above: VST does not support bitfields. – Andrew Appel Sep 28 '21 at 17:44
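As an added example (not code from Andrew Appel's answer, nor from the VST or CompCert projects), the following file writes each restriction from the answer's list, plus the bit-field restriction from the follow-up comment, first in the form Verifiable C does not accept and then in the structured form it does. All function and struct names are my own, and the sample array and point are constructed inputs; both versions of each function compile with an ordinary C compiler and compute the same result, which is the point: the rewrite changes nothing observable, it only moves the code into the verifiable subset before it is handed to clightgen.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample inputs used by the functions below and by main(). */
static int sample[] = { 3, 1, -4, 1, 5 };
struct point { int x; int y; };
static const struct point sample_pt = { -3, 4 };

/* 1. goto: CompCert compiles it, Verifiable C cannot verify it. */

/* Unsupported form: the loop is left through a label. */
int first_negative_goto(const int *a, int n) {
    int i;
    for (i = 0; i < n; i++) {
        if (a[i] < 0) goto found;
    }
    return -1;
found:
    return i;
}

/* Structured form: the early exit is an ordinary return inside the loop. */
int first_negative_structured(const int *a, int n) {
    int i = 0;
    while (i < n) {
        if (a[i] < 0) return i;
        i++;
    }
    return -1;
}

/* 2. struct copy: by-value struct parameters and struct assignment. */

/* Unsupported form: the struct is passed by value and copied by assignment. */
int manhattan_by_value(struct point p) {
    struct point q = p;
    return (q.x < 0 ? -q.x : q.x) + (q.y < 0 ? -q.y : q.y);
}

/* Structured form: pass a pointer and copy one scalar field at a time. */
void point_copy(struct point *dst, const struct point *src) {
    dst->x = src->x;
    dst->y = src->y;
}

int manhattan_by_pointer(const struct point *p) {
    struct point q;
    point_copy(&q, p);
    return (q.x < 0 ? -q.x : q.x) + (q.y < 0 ? -q.y : q.y);
}

/* 3. pointer-to-integer cast followed by arithmetic on the integer. */

/* Unsupported form: the address becomes an integer and is offset there. */
int third_element_via_uintptr(const int *a) {
    uintptr_t base = (uintptr_t)a;
    const int *p = (const int *)(base + 2 * sizeof(int));
    return *p;
}

/* Structured form: the offset is computed in the pointer type. */
int third_element_via_pointer(const int *a) {
    return *(a + 2);
}

/* 4. bit-fields (from the follow-up comment): not supported by VST. */

/* Unsupported form: a struct with bit-field members. */
struct flags_bf { unsigned ro : 1; unsigned hidden : 1; unsigned level : 3; };

unsigned level_via_bitfield(unsigned lvl) {
    struct flags_bf f = { 0, 0, 0 };
    f.level = lvl & 7u;
    return f.level;
}

/* Structured form: a plain unsigned with explicit masks and shifts. */
#define FLAG_RO      1u
#define FLAG_HIDDEN  2u
#define LEVEL_SHIFT  2
#define LEVEL_MASK   (7u << LEVEL_SHIFT)

unsigned set_level(unsigned flags, unsigned lvl) {
    return (flags & ~LEVEL_MASK) | ((lvl & 7u) << LEVEL_SHIFT);
}

unsigned get_level(unsigned flags) {
    return (flags & LEVEL_MASK) >> LEVEL_SHIFT;
}

int main(void) {
    printf("first negative: %d / %d\n",
           first_negative_goto(sample, 5), first_negative_structured(sample, 5));
    printf("manhattan: %d / %d\n",
           manhattan_by_value(sample_pt), manhattan_by_pointer(&sample_pt));
    printf("third element: %d / %d\n",
           third_element_via_uintptr(sample), third_element_via_pointer(sample));
    printf("level: %u / %u\n",
           level_via_bitfield(5), get_level(set_level(FLAG_RO, 5)));
    return 0;
}
```

The "structured" halves are the ones a VST user would feed to clightgen; the "unsupported" halves are legal CompCert C and compile fine, which is exactly the gap the question asks about: CompCert's front end accepts them, Verifiable C's program logic has no rules for them.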