What does HackerNews think of c-semantics?

Two others worth checking out that focus on soundness with low to no false positives are RV-Match and TrustinSoft Analyzer:

https://runtimeverification.com/match/

https://trust-in-soft.com/products/

The RTV people are the one's behind K framework and an executable semantics for C with a GCC-like interface:

http://www.kframework.org/index.php/Main_Page

https://github.com/kframework/c-semantics

That RV-Match builds on an open framework, does well on benchmarks (yeah skepticism here), and has little to no noise (most important) is what I like most about it. I say most important since digging through false positives makes developers not want to use a tool. I haven't tried either product myself, though.

Here's a list of open tools that did well in small-scale experiments with and without false positives:

https://klee.github.io

http://www.cprover.org/cbmc/

https://cseweb.ucsd.edu/~rjhala/blast.html

http://www.splint.org

http://spinroot.com/uno/

http://cppcheck.sourceforge.net/#features

https://en.wikipedia.org/wiki/Sparse

https://cpachecker.sosy-lab.org

This is the same underlying tool that powers KCC and RVMatch.

https://github.com/kframework/c-semantics

https://runtimeverification.com/match/

Exactly what I’d hoped someone would do. Well, the first step anyway. The second step was doing a Rust semantics in terms of the C semantics already done. That allows quite a few things like Rust-to-C compilers, defeating Karger-Thompson attack, and potentially verification of interactions of Rust and C FFI code. On my end down the line, also use of C tooling for verification of equivalent Rust code.

Check out KCC, too, since the foundation is open-source, offers extra benefits for languages modeled in it, and has a commercial tool for C with either low or no false positives depending on how it measures up to claims. No affiliation. I just find the K framework plus an executable, formal semantics for C cool as heck. :)

https://github.com/kframework/c-semantics

https://runtimeverification.com/match/

They also have an article comparing it to Tis-interpreter here:

https://runtimeverification.com/blog/?p=307

Their K has been used for languages from Scheme to Prolog to C. More recently, they also did a semantics for a VM for smart contracts. They're doing a lot of interesting stuff. Builds on Maude and rewriting logic if anyone is curious.

Both @adamnemecek and I have said the blockchain ventures might be a good way to get money into formal methods development. Rosu's group is wisely doing just that: using their K Framework [1] to build a VM for blockchains both as a demo of its utility and way to possibly get funding into it. The K Framework is the tool they used to build an executable, formal semantics for C setup to work like GCC compiler. Since it uses K, Rosu et al say those developments automatically "yield an interpreter, debugger, state space search tool, and model checker 'for free.'" Before blockchain stuff, Rosu spun off the tool into a company for static analysis of C and Java programs with the one for C claiming to catch a lot of bugs. They claim they get no false positives [3] thanks to the semantics.

What makes me bring K up more than some tools is that the rewriting/equational tools such as Maude [4] and K (originally done on Maude) get a lot less attention than HOL or Coq. That's despite their model making some kinds of verifications really easy in comparison to how people typically use the others. Anyone wanting to play with a different style of formal method might want to check out Maude and/or K. Rosu also keeps a list of project ideas for K, the simplest being a new language. Rust or Nim with a translator to their C semantics would be a nice one with a lot of benefits on the language using K's tools or output using C-oriented tools.

[1] http://www.kframework.org/index.php/Main_Page

[2] https://github.com/kframework/c-semantics

[3] https://runtimeverification.com/match/1.0-SNAPSHOT/docs/benc...

[4] http://maude.cs.illinois.edu/w/index.php?title=The_Maude_Sys...

Note on title: Changed it to indicate what part of the work stands out a bit since there's too many blockchain languages and VM's to track at this point. People who'd like the capabilities for blockchains or a totally-unrelated use-case might filter prematurely with original title.

That team’s awesome. One of few groups in formal methods using rewriting logic (Maude) instead of things like Coq or Isabelle/HOL. They seem to move faster on semantics as a result. They also build their own modified logic called matching logic on top that they claim is better than separation logic.

http://www.kframework.org/index.php/Main_Page

More interesting, their use of these tools allowed them to make their C semantics executable in a style similar to GCC:

https://github.com/kframework/c-semantics

I want this group to do one for Rust and SPARK as a reference spec for certifying compilers for those. Also useful for the diverse compilation concept to counter Karger's compiler/compiler subversion. On a side note, they also have a company that they use to fund and apply their work:

https://runtimeverification.com/

I wonder why he mentions this TIS interpreter but not the development of complete semantics for C and specifically the k framework (https://github.com/kframework/c-semantics).

Afaik, kcc is also really good at finding undefined behavior. Regehr even wrote about it in the past (https://blog.regehr.org/archives/523).

Also see the work done in the under-utilized K Framework which captures & rejects undefined behavior as well:

http://fsl.cs.illinois.edu/index.php/Defining_the_Undefinedn...

Since it's K, they were able to turn it into a GCC-like compiler for you verifying things about your application. If it even compiles, you have no undefined behavior.

https://github.com/kframework/c-semantics

On concurrency side, it's built on top of Maude tool that an inexperienced student was able to use to find errors in Eiffel's SCOOP model for concurrency. So, it can probably handle that aspect as well.

Note that this formalization is substantially incomplete: check page 195. CH2O does not formalize variadic function, float, bit field, setjmp/longjmp. All of them are formalized in KCC.

https://github.com/kframework/c-semantics