Deductive Program Verification with Why3, Past and Future

Size: px

Start display at page:

Download "Deductive Program Verification with Why3, Past and Future"

Brandon Chandler
6 years ago
Views:

1 Deductive Program Verification with Why3, Past and Future Claude Marché ProofInUse Kick-Off Day February 2nd, 2015

2 A bit of history 1999: Jean-Christophe Filliâtre s PhD Thesis Proof of imperative programs, using Coq

3 A bit of history 1999: Jean-Christophe Filliâtre s PhD Thesis Proof of imperative programs, using Coq 2001: standalone Why tool produces proof goals for Coq or for PVS

4 A bit of history 1999: Jean-Christophe Filliâtre s PhD Thesis Proof of imperative programs, using Coq 2001: standalone Why tool produces proof goals for Coq or for PVS 2002: EU project VerifiCard JavaCard, Krakatoa tool, compiling Java/JML to Why Inspired by ESC/Java: we produce goals for the Simplify theorem prover

5 A bit of history 1999: Jean-Christophe Filliâtre s PhD Thesis Proof of imperative programs, using Coq 2001: standalone Why tool produces proof goals for Coq or for PVS 2002: EU project VerifiCard JavaCard, Krakatoa tool, compiling Java/JML to Why Inspired by ESC/Java: we produce goals for the Simplify theorem prover 2004: Caduceus tool Like Krakatoa for C (In French: pour traiter le cas du C)

6 A bit of history 1999: Jean-Christophe Filliâtre s PhD Thesis Proof of imperative programs, using Coq 2001: standalone Why tool produces proof goals for Coq or for PVS 2002: EU project VerifiCard JavaCard, Krakatoa tool, compiling Java/JML to Why Inspired by ESC/Java: we produce goals for the Simplify theorem prover 2004: Caduceus tool Like Krakatoa for C (In French: pour traiter le cas du C) , ANR CAT project, beginning of Frama-C Lead by CEA (B. Monate) Caduceus replaced by the Jessie plug-in

7 A bit of history 1999: Jean-Christophe Filliâtre s PhD Thesis Proof of imperative programs, using Coq 2001: standalone Why tool produces proof goals for Coq or for PVS 2002: EU project VerifiCard JavaCard, Krakatoa tool, compiling Java/JML to Why Inspired by ESC/Java: we produce goals for the Simplify theorem prover 2004: Caduceus tool Like Krakatoa for C (In French: pour traiter le cas du C) , ANR CAT project, beginning of Frama-C Lead by CEA (B. Monate) Caduceus replaced by the Jessie plug-in , ANR U3CAT project Support for floating-point within Jessie , FUI Hi-Lite Project 2011, birth of Why3 Used as intermediate language for SPARK2014

8 Birth of Why3 2011, full re-implementation of Why: Why3 Many new features Richer specification language algebraic data types inductive predicates since 2013, higher-order functions Richer programming language records with mutable fields More generic interface with theorem provers notion of proof task, transformations driver for each prover Proof sessions OCaml API etc.

9 Why3 kernel: a Simple Example theory T use import int.int goal g: forall x:int. (x+7)*(x+6) = x*x + 13*x + 42 end Alt-Ergo driver Alt-Ergo goal Alt-Ergo Why3 theories Proof tasks Coq driver Coq goal Coq Transformations

10 Why3 graphical interface > why3 ide simple.why

11 Provers supported by Why3 How many provers supported?

12 Provers supported by Why3 How many provers supported? SMT solvers: Alt-Ergo CVC3 CVC4 Z3

13 Provers supported by Why3 How many provers supported? SMT solvers: Alt-Ergo CVC3 CVC4 Z3 Interactive proof assistants: Coq Isabelle PVS

14 Provers supported by Why3 How many provers supported? SMT solvers: Alt-Ergo CVC3 CVC4 Z3 Interactive proof assistants: Coq Isabelle PVS TPTP provers: Eprover Metis Vampire Princess Beagle Zenon iprover SPASS

15 Provers supported by Why3 How many provers supported? SMT solvers: Alt-Ergo CVC3 CVC4 Z3 Interactive proof assistants: Coq Isabelle PVS TPTP provers: Eprover Metis Vampire Princess Beagle Zenon iprover SPASS more SMT solvers: Simplify Yices verit MathSAT5

16 Provers supported by Why3 How many provers supported? SMT solvers: Alt-Ergo CVC3 CVC4 Z3 Interactive proof assistants: Coq Isabelle PVS TPTP provers: Eprover Metis Vampire Princess Beagle Zenon iprover SPASS more SMT solvers: Simplify Yices verit MathSAT5 Solvers for arithmetic: Gappa Mathematica MetiTarski

17 Provers supported by Why3 How many provers supported? SMT solvers: Alt-Ergo CVC3 CVC4 Z3 Interactive proof assistants: Coq Isabelle PVS TPTP provers: Eprover Metis Vampire Princess Beagle Zenon iprover SPASS more SMT solvers: Simplify Yices verit MathSAT5 Solvers for arithmetic: Gappa Mathematica MetiTarski currently 22 supported provers, constantly increasing

18 Why3 programming language ML-style functional language with Mutable references, aliasing control by static typing Annotations: contracts, loop invariants, etc. VC generator: weakest preconditions calculus let isqrt (x:int) : int requires { x >= 0 } ensures { result >= 0 } ensures { sqr result <= x < sqr (result + 1) } = let count = ref 0 in let sum = ref 1 in while!sum <= x do invariant {!count >= 0 } invariant { x >= sqr!count } invariant {!sum = sqr (!count+1) } variant { x -!count } count :=!count + 1; sum :=!sum + 2 *!count + 1 done;!count

19 Why3 as a development environment Proof replay in batch Documentation generator Execution by internal interpreter Extraction to OCaml

20 Programs developed with Why3 Gallery of verified programs: 109 examples today mainly small but smart algorithms proved formally various domains: data-structures: lists, arrays, trees, graphs, matrices... various algorithms e.g. searching, sorting... arithmetic (integer, floating-point), mathematical puzzles solutions to past verification competitions increasing use of Why3 for teaching largest example so far: a certified prover

21 Example: a certified prover [Clochard, Marché, Paskevich, PLPV 2014] Initial concern: Formalisation of binders Solution: a small tool on top of Why3 input: declaration of algebraic data types with binders outputs a Why3 source providing types for specifications and for code functions for opening/closing binder, for substitution general lemmas on fresh variables, substitution, etc. Applications An interpreter for pure lambda-calculus, various strategies A first-order theorem prover, tableau-based

22 A general issue: automation of proofs Terms, formulas: inductive types Substitution: recursive definition Proofs require reasoning by induction Induction is out of reach of automated provers Possible solutions: Use interactive proof assistants: Coq, Isabelle, PVS Use SMT solvers inside PA: Isabelle s sledgehammer, why3 tactic of Coq Use lemma functions

23 The why3 tactic of Coq Alt-Ergo driver Alt-Ergo goal Alt-Ergo Why3 Theories Proof tasks why3 tactic Coq driver Coq goal Coq Transformations Typical form of a proof Require Import Why3. Ltac altergo := why3 "alt-ergo" timelimit 5 intros x1 x2 h1 h2 h3. induction h2; altergo.

24 Lemma functions A program without side-effects of the form let rec lemma f (arguments) : unit requires { p } ensures { q } variant { v } =... is a proof (by induction) of the lemma lemma f : forall arguments. p -> q

25 Lemma functions: example Pigeon-hole principle [team ProofInUse, VScomp 2014] predicate range (f: int -> int) (n: int) (m:int) = forall i: int. 0 <= i < n -> 0 <= f i < m (** [range f n m] true when [f] maps [(0..n-1)] into [(0..m-1)] *) predicate injective (f: int -> int) (n: int) (m:int) = forall i j: int. 0 <= i < j < n -> f i <> f j (** [injective f n m] true when [f] is an injection from [(0..n-1)] to [(0.. let rec lemma pigeon_hole (n m:int) (f: int -> int) requires { range f n m } requires { n > m >= 0 } variant { m } ensures { not (injective f n m) } = try for i = 0 to n-1 do invariant { forall k. 0 <= k < i -> f k <> m-1 } if f i = m-1 then begin (* we have found index i such that f i = m-1 *) for j = i+1 to n-1 do...

26 Tableau-based prover: summary data types with binders for first-order logic automatically generated Formalisation of the semantics Implementation of a proof engine, including Skolemization Unification Proof of soundness val prove_unsat (l:formula_list) : unit requires { formula_list_ok l } ensures { forall rho:interpretation fsymb psymb varsymb. not(formula_list_conjunction l rho) } Why3 loc verification conditions generated manual Provers needed: Alt-Ergo, CVC3, CVC4, Eprover, Spass, Z3 (time limit: 20s)

27 Prover performance Compiled to binary via extraction to OCaml Family of examples: ( x.r x R(f x)) x.r x R (f 2n x) n time (sec.) nb of nodes 502 9,506 42, ,244 generated per 25,134 17,316 12,779 10,028 sec.

28 Why3 as a development environment Why3 is becoming mature enough to be used as an environment for developing certified code Perspectives on the core language: Better integration of logic specification and code Improve the module system (refinement) Improve support for higher-order functions Improve support for machine integers... Other perspectives: Improve extraction, extraction to other languages (C, Ada) Develop more reusable certified libraries Certification of transformations, drivers Provide feedback from provers counter-examples...

29 Why3 as an intermediate language Why3 should become easier to use/more powerful as an intermediate language for Ada, C, Java provide support for bit-wise arithmetic Interpret counter-examples feedback into the source language Allow the use of Why3 libraries as specification libraries for front-end language on-going experiment within Frama-C/WP

Why3 where programs meet provers

Why3 where programs meet provers Jean-Christophe Filliâtre CNRS KeY Symposium 2017 Rastatt, Germany October 5, 2017 history started in 2001, as an intermediate language in the process of verifying C and