Library
One of our main goals in dening a formal model for a widely used processor was to study the correctness of real programs executed on that particular processor. The results reported in the preceding chapters have demonstrated the potential to apply our verication methodology to some small programs that are in real use. We now investigate applying our verication system to some small, but real programs.
After studying carefully several possible candidate applications, we de- cided to study the Berkeley Unix C String Library|an implementation of the C string library of ANSI/ISO standard. The reasons for this choice were very simple: the library has been widely used and publicly released as part of the Berkeley Unix Operating System; and the string functions are quite simple and self-contained, and hence a good target for experimentation. We are quite pleased by the results of this small verication project; twenty one out of twenty-two functions specied in the ISO standard have been me- chanically veried. The functionstrerror, though mathematically trivial, is the only one left out because of the need of formalizing IO, to which we have not attended. There were three programming errors revealed in the process of the verication. The machine code for these string functions was generated by the Gnu C compiler.
This chapter reports our work on proving mathematical theorems about the Berkeley Unix C String Library. We rst give a very brief and informal
introduction to the functions in the Berkeley Unix C String Library that we have considered and the mathematical theorems about these functions that we have proved. This should give the reader an overview of this small verication project. To formalize our discussion, we next look into the formal verication of the Berkeley C String Library. We present only the mechanical proofs of a couple of the most interesting and tricky functions in the library: memmove and strstr. Finally, we discuss the two programming errors we have discovered in studying this C string library. The complete proof script of all the string functions is given in [53].
7.1 The Berkeley Unix C String Library
The Berkeley Unix C string library is intended to be an implementation of the C string library of the ANSI/ISO standard, and is publicly released as part of the Berkeley Unix Operating System.1 There are twenty-two string
functions specied in the ANSI/ISO standard, and we have veried the binary of the Berkeley implementation of twenty-one of them. The binary was generated by the Gnu C Compiler for the MC68020. In this section, we give an informal description of this small verication project. For each of the string functions veried, we provide the formal syntax of the function, a paraphrase of the informal English specication of the ISO standard [27, 43], and an informal description of the theorems we proved about the function. We adopt an informal, conventional notation to describe the theorems we have proved about these C string functions. We use s;s1, ands2 to denote strings, s[i] to denote the ith character in the string s, and x0 to denote
the value of x in the post state. We also informally introduce an predicate
disjoint(s1;s2) to assert that the strings s1 and s2 do not overlap.
Our presentation below of the C string library is highly informal but follows closely the ISO standard [27], where the reader may nd a more ac- curate and verbose English description of these functions. Still more formal is the treatment in [53].
7.1.1 The
memcpyFunction
Synopsis
. void *memcpy (void *s1, const void *s2, size t n)1The copy of the Berkeley C string library used in this work was obtained by anonymous
Description
. Thememcpyfunction copies ncharacters from the object s2 into the objects1, and returns the value ofs1. The behavior of the function is undened ifs1and s2 overlap.Theorem
. We have: i < n)s10[i] =s2[i].2
7.1.2 The
memmoveFunction
Synopsis
. void *memmove (void *s1, const void *s2, size t n)Description
. Thememmovefunction copiesncharacters from the objects2 into the objects1, and returns the value ofs1. Thememmovefunction works correctly on any two objects.Theorem
. We have: i < n)s10[i] =s2[i].
7.1.3 The
strcpyFunction
Synopsis
. char *strcpy (char *s1, const char *s2)Description
. The strcpyfunction copies the string s2 into the array s1, and returns the value ofs1. The behavior of the function is undened if the stringss1and s2 overlap.Theorem
. Assumingdisjoint(s1;s2), we have:jjs2j)s1
0[j] =s2[j].
7.1.4 The
strncpyFunction
Synopsis
. char *strncpy (char *s1, const char *s2, size t n)Description
. Thestrncpy function copies at most ncharacters from the array s2 to the array s1, and returns the value of s1. The behavior of the function is undened if the stringss1 ands2 overlap.Theorem
. Assumingdisjoint(s1;s2), we have: 1. j < min(n;js2j))s10[j] =s2[j].
2. js2jj < n)s1
0[j] = 0.
7.1.5 The
strcatFunction
Synopsis
. char *strcat (char *s1, const char *s2)Description
. The strcat function appends a copy of the string s2 to the end of the string s1, and returns the value of s1. The behavior of the function is undened ifs1 ands2 overlap.Theorem
. Assume disjoint(s1;s2), we have: 1. j <js1j)s1 0[j] =s1[j]. 2. js1jj <js1j+js2j)(s1 0[j] =s2[j js1j].7.1.6 The
strncatFunction
Synopsis
. char *strncat (char *s1, const char *s2, size t n)Description
. The strncat function appends at most n characters from the array s2 to the end of the string s1, and returns the value of s1. The behavior of the function is undened if s1 and s2overlap.Theorem
. Assumingdisjoint(s1;s2), we have: 1. j <js1j)s10[j] =s1[j].
2. js1jj <js1j+min(js2j;n))s1
0[j] =s2[j
js1j].
7.1.7 The
memcmpFunction
Synopsis
. int memcmp (const void *s1, const void *s2, size t n)Description
. The memcmp function compares the rst n characters of the objectss1ands2, and returns an integer greater than, equal to, or less than zero, according to the lexical order of the objects s1and s2.Theorem
. We have: 1. memcmp(s1;s2;n) = 0)8j < n(s1[j] =s2[j]). 2. memcmp(s1;s2;n)6= 0)9i < n(memcmp(s1;s2;n) =s1[i] s2[i]^ 8j < i(s1[j] =s2[j])) 3. memcmp(s2;s1;n)<0$memcmp(s1;s2;n) >07.1.8 The
strcmpFunction
Synopsis
. int strcmp (const char *s1, const char *s2)Description
. Thestrcmpfunction compares the strings1to the strings2, and returns an integer greater than, equal to, or less than zero, according to the lexical order of the strings s1and s2.Theorem
. We have:1. strcmp(s1;s2) = 0)8jjs1j(s1[j] =s2[j]).
2. strcmp(s1;s2) = 06 ) 9i <js1j(strcmp(s1;s2) =s1[i] s2[i]^8j <
i(s1[j] =s2[j]))
7.1.9 The
strcollFunction
Synopsis
. int strcoll (const char *s1, const char *s2)Description
. SinceLC COLLATEis not implemented, the function strcoll is equivalent tostrcmp.Theorem
. We have: strcoll(s1;s2) =strcmp(s1;s2).7.1.10 The
strncmpFunction
Synopsis
. int strncmp (const char *s1, const char *s2, size t n)Description
. Thestrncmp function compares at mostncharacters of the arrayss1ands2, and returns an integer greater than, equal to, or less than zero, according to the lexical order of the arrayss1 and s2.Theorem
. We have: 1. strncmp(s1;s2;n) = 0)8j < min(js1j;n)(s1[j] =s2[j]). 2. strncmp(s1;s2;n) 6= 0 ) 9i < min(js1j;n)(strncmp(s1;s2;n) = s1[i] s2[i]^8j < i(s1[j] =s2[j])) 3. strncmp(s2;s1;n)<0$strncmp(s1;s2;n)>07.1.11 The
strxfrmFunction
Synopsis
. size t strxfrm (char *s1, const char *s2, size t n)Description
. SinceLC COLLATEis not implemented, thestrxfrm function simply copies the string s2 to the array s1, and returns the length of the string s2. At most ncharacters are copied to the array s1. If nis zero, s1 is permitted to be a null pointer.Theorem
. Assumingdisjoint(s1;s2), we have: 1. j < min(n;js2j))s10[j] =s2[j].
2. strxfrm(s1;s2;n) =js2j. 3