diffblue · tautschnig · Mar 30, 2026 · Copilot · Mar 30, 2026 · Copilot
@@ -24,6 +24,7 @@
    * [Floating Point](modeling/floating-point/)
    * [Generating Environments](goto-harness/)
    * [Memory-mapped I/O](modeling/mmio/)
+   * [Inline Assembly](modeling/inline-asm/)
    * [Shadow Memory](modeling/shadow-memory/)
 
 8. Build Systems

@@ -0,0 +1,58 @@
+[CPROVER Manual TOC](../../)
+
+## Modeling Inline Assembly
+
+CBMC supports GCC-style (`asm`/`__asm__`) and MSVC-style (`__asm {}`)
+inline assembly syntax. During verification, the `remove_asm` pass
+translates recognized instructions into equivalent goto-program
+operations. **Unrecognized instructions are silently removed**, which
+may lead to unsound results if the assembly has side effects that
+matter for the property being verified.
+
+### Supported Instructions
+
+#### x86
+
+| Instruction | Effect in CBMC |
+|---|---|
+| `mfence` | Full memory fence |
+| `lfence` | Load memory fence |
+| `sfence` | Store memory fence |
-| `lfence` | Load memory fence |
-| `sfence` | Store memory fence |
+| `lfence` | Full memory fence (modeled same as `mfence`) |
+| `sfence` | Full memory fence (modeled same as `mfence`) |
-| `lfence` | Load memory fence |
-| `sfence` | Store memory fence |
+| `lfence` | Full memory fence (modeled same as `mfence`) |
+| `sfence` | Full memory fence (modeled same as `mfence`) |
+| `fstcw` / `fnstcw` | Store FP control word (maps to `__CPROVER_rounding_mode`) |
+| `fldcw` | Load FP control word (maps to `__CPROVER_rounding_mode`) |
+| `xchg` / `xchgl` | Exchange; wrapped in atomic section with full fence |
+| `lock` prefix | Wraps the following instruction in an atomic section with full fence |
+
+#### ARM
+
+| Instruction | Effect in CBMC |
+|---|---|
+| `dmb` | Data memory barrier (full fence) |
+| `dsb` | Data synchronization barrier (full fence) |
+| `isb` | Instruction synchronization barrier |
+
+#### Power
+
+| Instruction | Effect in CBMC |
+|---|---|
+| `sync` | Full memory barrier |
+| `lwsync` | Lightweight sync (all fences except WR) |
+| `isync` | Instruction sync (no fence effect on its own) |
+
+### Operand Handling
+
+For GCC extended assembly, CBMC processes the output (`=r`, `+r`) and
+input (`r`, `m`) operand lists. Output operands are assigned
+nondeterministic values when the instruction is not otherwise modeled.
-For GCC extended assembly, CBMC processes the output (`=r`, `+r`) and
-input (`r`, `m`) operand lists. Output operands are assigned
-nondeterministic values when the instruction is not otherwise modeled.
+For GCC extended assembly, CBMC parses the output (`=r`, `+r`) and
+input (`r`, `m`) operand lists, but in most cases the operands do not
+directly influence the generated goto program. For recognized fence
+instructions (for example, `mfence`, `lfence`, `sfence`, `dmb`), the
+inline assembly is replaced by appropriate fence operations and the
+C-level output operands are not written. For unrecognized instructions,
+the entire asm statement is removed (translated to `skip`) with no
+assignments to outputs and no introduction of nondeterministic values.
+Output operands only have an effect when the modeled helper for a
+particular instruction reads or writes through a memory operand
+(pointer) associated with that output, such as in the handling of
+`fstcw` / `fnstcw` / `fldcw`, which map to `__CPROVER_rounding_mode`.
-For GCC extended assembly, CBMC processes the output (`=r`, `+r`) and
-input (`r`, `m`) operand lists. Output operands are assigned
-nondeterministic values when the instruction is not otherwise modeled.
+For GCC extended assembly, CBMC parses the output (`=r`, `+r`) and
+input (`r`, `m`) operand lists, but in most cases the operands do not
+directly influence the generated goto program. For recognized fence
+instructions (for example, `mfence`, `lfence`, `sfence`, `dmb`), the
+inline assembly is replaced by appropriate fence operations and the
+C-level output operands are not written. For unrecognized instructions,
+the entire asm statement is removed (translated to `skip`) with no
+assignments to outputs and no introduction of nondeterministic values.
+Output operands only have an effect when the modeled helper for a
+particular instruction reads or writes through a memory operand
+(pointer) associated with that output, such as in the handling of
+`fstcw` / `fnstcw` / `fldcw`, which map to `__CPROVER_rounding_mode`.
+Clobber lists are parsed but do not affect verification.
+
+### Limitations
+
+- Only the instructions listed above are modeled. All other assembly
+  instructions are silently ignored (removed from the program).
+- No diagnostic is emitted for unrecognized instructions. Use
+  `goto-instrument --show-goto-functions` to inspect whether assembly
+  was translated or dropped.
+- Complex atomic operations beyond `lock`/`xchg` are not modeled.
+- MSVC-style `__asm` blocks are parsed but instruction support is the
+  same as for GCC-style.
- Complex atomic operations beyond `lock`/`xchg` are not modeled.
- MSVC-style `__asm` blocks are parsed but instruction support is the
-  same as for GCC-style.
+- For GCC-style inline assembly, complex atomic operations beyond the
+  basic `lock`/`xchg` patterns listed above are not modeled as single
+  atomic operations.
+- MSVC-style `__asm` blocks are parsed; currently only the x86
+  `mfence`/`lfence`/`sfence`, `fstcw`/`fnstcw`, and `fldcw` instructions
+  are modeled. ARM/Power instructions and `lock`-prefixed / `xchg`
+  instructions are not modeled for MSVC-style inline assembly.
- Complex atomic operations beyond `lock`/`xchg` are not modeled.
- MSVC-style `__asm` blocks are parsed but instruction support is the
-  same as for GCC-style.
+- For GCC-style inline assembly, complex atomic operations beyond the
+  basic `lock`/`xchg` patterns listed above are not modeled as single
+  atomic operations.
+- MSVC-style `__asm` blocks are parsed; currently only the x86
+  `mfence`/`lfence`/`sfence`, `fstcw`/`fnstcw`, and `fldcw` instructions
+  are modeled. ARM/Power instructions and `lock`-prefixed / `xchg`
+  instructions are not modeled for MSVC-style inline assembly.