Formally Proved Anti-tearing Properties of Embedded C Code

In smart card embedded programs, some operations must not be suddenly interrupted, because if they are, the card is left in an inconsistent state. Since the card can be removed at any time from the terminal, which interrupts any running program, some instructions must be executed at each reset in order to verify if a tearing occurred and to restore a consistent state if necessary. In this case, the card is said to ensure the anti-tearing property. This paper presents a method to formally prove that a C program verifies the anti-tearing property for a given "tearing- sensitive" operation. The background methodology, presented in (J. Andronick, 2006), (J. Andronick et al., 2005), enables to prove global properties from source code. It is here illustrated by the proof of anti-tearing properties, which requires an extension of the method in order to specify and verify functions behaviour in the case of a sudden interruption of their execution.