Formal Proofs of Code Generation and Verification Tools [chapter]

Xavier Leroy
2014 Lecture Notes in Computer Science  
Tool-assisted verification of critical software has great potential but is limited by two risks: unsoundness of the verification tools, and miscompilation when generating executable code from the sources that were verified. A radical solution to these two risks is the deductive verification of compilers and verification tools themselves. In this invited talk, I describe two ongoing projects along this line: CompCert, a verified C compiler, and Verasco, a verified static analyzer based on abstract interpretation.

Abstract of invited talk

Tool-assisted formal verification of software is making inroads in the critical software industry. While full correctness proofs for whole applications can rarely be achieved [6, 12], tools based on static analysis and model checking can already establish important safety and security properties (memory safety, absence of arithmetic overflow, unreachability of some failure states) for large code bases [1]. Likewise, deductive program verifiers based on Hoare logic or separation logic can verify full correctness for crucial algorithms and data structures and their implementations [11]. In the context of critical software that must be qualified against demanding regulations (such as DO-178 in avionics or Common Criteria in security), such tool-assisted verifications provide independent evidence, complementing that obtained by conventional verification based on testing and reviews.

The trust we can put in the results of verification tools is limited by two risks. The first is unsoundness of the tool: by design or by mistake in its implementation, the tool can fail to account for all possible executions of the software under verification, reporting no alarms while an incorrect execution can occur. The second risk is miscompilation of the code that was formally verified. With a few exceptions [3], most verification tools operate over source code (C, Java, ...) or models (Simulink or Scade block diagrams). A bug in the compilers or code generators used to produce the executable machine code can result in an incorrect executable being produced from correct source code [13]. Both unsoundness and miscompilation risks are known in the critical software industry and accounted for in . It is extremely difficult, however, to verify an optimizing compiler or sophisticated static analyzer using conventional testing.
Formal verification of compilers, static analyzers, and related tools provides a radical, mathematically-grounded answer to
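The first risk named above, an analyzer that is unsound "by mistake in its implementation", can be reproduced in miniature. What follows is an added example written for this page; it is not code from the talk, from Verasco or from CompCert. It is a toy interval abstract interpreter for 32-bit signed arithmetic with a correct multiplication transfer function (mul_sound) beside a buggy one (mul_unsound) that only looks at lo*lo and hi*hi, a shortcut that is right for non-negative operands and wrong once signs mix. The expression language, the names Interval, analyze and find_overflow_witness, and the sample program r = a * b + 1 with a in [-100000, 0] and b in [0, 100000] are all constructed assumptions of this example.

```python
# Added example (not from the paper): a minimal interval analyzer showing how
# one wrong transfer function makes an analysis unsound, i.e. it reports no
# overflow alarm although a concrete execution overflows a 32-bit int.
import itertools

INT_MIN, INT_MAX = -2**31, 2**31 - 1


class Interval:
    """Abstract value: every integer n with lo <= n <= hi (unbounded ints)."""

    def __init__(self, lo, hi):
        assert lo <= hi
        self.lo, self.hi = lo, hi

    def __repr__(self):
        return f"[{self.lo}, {self.hi}]"

    def contains(self, n):
        return self.lo <= n <= self.hi

    def overflows(self):
        # An alarm is due if any represented value leaves the int32 range.
        return self.lo < INT_MIN or self.hi > INT_MAX


def add(a, b):
    return Interval(a.lo + b.lo, a.hi + b.hi)


def mul_sound(a, b):
    # x*y over a box [a.lo,a.hi] x [b.lo,b.hi] attains its extremes at the
    # corners, so all four corner products are needed once a sign may change.
    corners = [a.lo * b.lo, a.lo * b.hi, a.hi * b.lo, a.hi * b.hi]
    return Interval(min(corners), max(corners))


def mul_unsound(a, b):
    # Buggy transfer function: omits the mixed corners a.lo*b.hi and a.hi*b.lo.
    p, q = a.lo * b.lo, a.hi * b.hi
    return Interval(min(p, q), max(p, q))


# Expressions: ("var", name) | ("const", n) | ("add", e1, e2) | ("mul", e1, e2)
def eval_abstract(expr, env, mul):
    """Abstract evaluation; with a sound mul the result covers every run."""
    tag = expr[0]
    if tag == "var":
        return env[expr[1]]
    if tag == "const":
        return Interval(expr[1], expr[1])
    x = eval_abstract(expr[1], env, mul)
    y = eval_abstract(expr[2], env, mul)
    return add(x, y) if tag == "add" else mul(x, y)


def eval_concrete(expr, env):
    """Concrete evaluation over unbounded ints so an overflow is visible."""
    tag = expr[0]
    if tag == "var":
        return env[expr[1]]
    if tag == "const":
        return expr[1]
    x = eval_concrete(expr[1], env)
    y = eval_concrete(expr[2], env)
    return x + y if tag == "add" else x * y


def analyze(expr, env, mul):
    """Return (result interval, alarm); alarm means 'overflow may occur'."""
    r = eval_abstract(expr, env, mul)
    return r, r.overflows()


def find_overflow_witness(expr, env):
    """Witness search only (not a decision procedure): try the corners of the
    input ranges and return (concrete env, value) for the first overflow."""
    names = list(env)
    for choice in itertools.product(*[(env[n].lo, env[n].hi) for n in names]):
        cenv = dict(zip(names, choice))
        v = eval_concrete(expr, cenv)
        if v < INT_MIN or v > INT_MAX:
            return cenv, v
    return None


# Constructed sample program: r = a * b + 1 with a in [-100000, 0], b in [0, 100000].
PROGRAM = ("add", ("mul", ("var", "a"), ("var", "b")), ("const", 1))
INPUTS = {"a": Interval(-100000, 0), "b": Interval(0, 100000)}


def demo():
    sound_iv, sound_alarm = analyze(PROGRAM, INPUTS, mul_sound)
    buggy_iv, buggy_alarm = analyze(PROGRAM, INPUTS, mul_unsound)
    return {"sound": (sound_iv, sound_alarm),
            "unsound": (buggy_iv, buggy_alarm),
            "witness": find_overflow_witness(PROGRAM, INPUTS)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Running demo() shows the sound analysis computing [-9999999999, 1] and raising an alarm, while the buggy one computes [1, 1] and stays silent; the corner search then produces a = -100000, b = 100000 with the concrete value -9999999999, which lies inside the sound interval and outside the buggy one. That concrete counterexample is exactly what the abstract describes as "reporting no alarms while an incorrect execution can occur", and it is what a machine-checked soundness proof of each transfer function, as in Verasco, rules out by construction.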
doi:10.1007/978-3-319-10431-7_1 fatcat:qbj2jm72gfdy5crez3seavzys4