A Certifiable Formal Semantics of C

This paper presents a formalisation of a subset of the C programming language, and a corresponding verification calculus, in the theorem prover Isabelle. There are of course many and varied approaches to the verification of safety-critical programs. The characteristics of our approach stem from the application domain: the certification of control software for autonomous mobile robots [3]. This means that firstly, our verification techniques need to stand up to certification by an external agency such as the TÜV; secondly, we can restrict ourselves to a subset of C tailored for safety-critical applications, such as MISRA C [5] (in fact, this is even required by the relevant standard IEC 61508); and thirdly, the algorithms to be verified are comparatively sophisticated for a safety function, involving the calculation of safety zones from a model of the braking behaviour of the robot. Our verification is based on a formalisation of a subset of MISRA C in the theorem prover Isabelle in typed higher-order logic (HOL). Using Isabelle is crucial to our approach: based on the C semantics, we can build a proof calculus and verify its correctness inside Isabelle. Thus, the validation of our verification can focus on the semantics of C as presented here. Further, using Isabelle allows us to use higher-order logic to express our specifications, so we are not tied to a specific specification language.