A Coq Framework For Verified Property-Based Testing (part of QuickChick)

Similar documents
Property-Based Testing for Coq. Cătălin Hrițcu

Verifying Cache Coherence in ACL2. Ben Selfridge Oracle / UT Austin

A Certified Reduction Strategy for Homological Image Processing

Blockchains: new home for proven-correct software. Paris, Yoichi Hirai formal verification engineer, the Ethereum Foundation

Work-in-progress: "Verifying" the Glasgow Haskell Compiler Core language

Compartmentalizing Formally Secure Compilation

Theorem proving. PVS theorem prover. Hoare style verification PVS. More on embeddings. What if. Abhik Roychoudhury CS 6214

Work-in-progress: Verifying the Glasgow Haskell Compiler Core language

Programming with dependent types: passing fad or useful tool?

Packaging Theories of Higher Order Logic

Chapter 1. Introduction

Proof-by-Instance for Embedded Network Design From Prototype to Tool Roadmap. Marc Boyer, Loïc Fejoz. 1, Stephan Merz 3

Turning proof assistants into programming assistants

An Extensible Programming Language for Verified Systems Software. Adam Chlipala MIT CSAIL WG 2.16 meeting, 2012

Distributed Systems Programming (F21DS1) Formal Verification

Micro- Policies A Framework for Tag- Based Security Monitors

LYREBIRD David Cock

Refinements for free! 1

Coq, a formal proof development environment combining logic and programming. Hugo Herbelin

How much is a mechanized proof worth, certification-wise?

From Crypto to Code. Greg Morrisett

Formal proofs and certified computation in Coq

Importing HOL-Light into Coq

Introduction to Axiomatic Semantics

IronFleet. Dmitry Bondarenko, Yixuan Chen

Testing! Prof. Leon Osterweil! CS 520/620! Spring 2013!

Micro-Policies: Formally Verified, Tag-Based Security Monitors

Lecture 11 Lecture 11 Nov 5, 2014

The SAFE Machine An Architecture for Pervasive Information Flow

Integrating verification in programming languages

Provably Correct Software

Isabelle/HOL:Selected Features and Recent Improvements

Ready, Set, Verify! Applying hs-to-coq to Real-World Haskell Code (Experience Report)

Improving Coq Propositional Reasoning Using a Lazy CNF Conversion

Deductive Verification in Frama-C and SPARK2014: Past, Present and Future

Browser Security Guarantees through Formal Shim Verification

Formal Verification! Prof. Leon Osterweil! Computer Science 520/620! Spring 2012!

Integration of SMT Solvers with ITPs There and Back Again

Scenario Week 4: Art Gallery Competition

Proof Pearl: Substitution Revisited, Again

Assuring Software Protection in Virtual Machines

Formally Certified Satisfiability Solving

A CRASH COURSE IN SEMANTICS

Introduction to Coq Proof Assistant

Verification Condition Generation via Theorem Proving

Vector Clocks in Coq

SECOMP Efficient Formally Secure Compilers to a Tagged Architecture. Cătălin Hrițcu INRIA Paris

Formal Verification in Industry

Software verification using proof assistants

Lecture 4: examples of topological spaces, coarser and finer topologies, bases and closed sets

Correctness of specifications. Correctness. Correctness of specifications (2) Example of a Correctness Proof. Testing versus Correctness Proofs

Sciduction: Combining Induction, Deduction and Structure for Verification and Synthesis

The design of a programming language for provably correct programs: success and failure

Formal Verification. Lecture 10

COMP 410 Lecture 1. Kyle Dewey

Static and User-Extensible Proof Checking. Antonis Stampoulis Zhong Shao Yale University POPL 2012

Appendix G: Some questions concerning the representation of theorems

Marketer s Guide to Website Redesign

Numerical Computations and Formal Methods

A NEW PROOF-ASSISTANT THAT REVISITS HOMOTOPY TYPE THEORY THE THEORETICAL FOUNDATIONS OF COQ USING NICOLAS TABAREAU

Securing Complex Software Systems Using Formal Verification and Specification

Programming and Proving with Distributed Protocols Disel: Distributed Separation Logic.

An Industrially Useful Prover

Formal Technology in the Post Silicon lab

locales ISAR IS BASED ON CONTEXTS CONTENT Slide 3 Slide 1 proof - fix x assume Ass: A. x and Ass are visible Slide 2 Slide 4 inside this context

Structures in Coq January 27th 2014

Outline. Analyse et Conception Formelle. Lesson 7. Program verification methods. Disclaimer. The basics. Definition 2 (Specification)

Verifiable Hierarchical Protocols with Network Invariants on Parametric Systems

An Overview of the DE Hardware Description Language and Its Application in Formal Verification of the FM9001 Microprocessor

Reasoning About Programs Panagiotis Manolios

Testing. Wouter Swierstra and Alejandro Serrano. Advanced functional programming - Lecture 2. [Faculty of Science Information and Computing Sciences]

A Roadmap for High Assurance Cryptography

/633 Introduction to Algorithms Lecturer: Michael Dinitz Topic: Sorting lower bound and Linear-time sorting Date: 9/19/17

Computer-Aided Program Design

Lectures 20, 21: Axiomatic Semantics

Machine-checked proofs of program correctness

Areas of QA. Code Design Browser/Device Admin Interaction Strategy

B vs. Coq to prove a Garbage Collector

Outline. Proof Carrying Code. Hardware Trojan Threat. Why Compromise HDL Code?

Code BEAM SF Hype For Types. Using Dialyzer to bring type checking to your Elixir code

Why3 where programs meet provers

Validating LR(1) parsers

Formal verification of an optimizing compiler

10 Years of Partiality and General Recursion in Type Theory

VERIFICATION OF CRYPTO PRIMITIVES MIND THE GAPS. Lennart Beringer, Princeton University

Topic 1: What is HoTT and why?

Quality Assurance = Testing? SOFTWARE QUALITY ASSURANCE. Meaning of Quality. How would you define software quality? Common Measures.

Deductive Program Verification with Why3

Towards Coq Formalisation of {log} Set Constraints Resolution

Introduction to Formal Methods

Interactive Theorem Proving in Higher-Order Logics

SMTCoq: A plug-in for integrating SMT solvers into Coq

TESTING. Overview Slide 6.2. Testing (contd) Slide 6.4. Testing Slide 6.3. Quality issues Non-execution-based testing

First Order Logic in Practice

CS 161 Computer Security

Hyperkernel: Push-Button Verification of an OS Kernel

Have we Learned from the Vasa Disaster?

Combining Coq and Gappa for Certifying FP Programs

Formal Verification! Prof. Leon Osterweil! Computer Science 520/620! Spring 2011!

Synchronous Specification

Transcription:

A Coq Framework For Verified Property-Based Testing (part of QuickChick) Cătălin Hrițcu INRIA Paris-Rocquencourt (Prosecco team, Place d Italie office)

Problem: proving in Coq is very costly My proofs are boring, but designing security mechanisms is not definitions and properties often broken, and evolve over time 2

Problem: proving in Coq is very costly My proofs are boring, but designing security mechanisms is not definitions and properties often broken, and evolve over time Proving does aid design... but only at a very high cost most enlightenment comes from failed, not from successful proofs a failed proof attempt is a very costly way to discover a design flaw fixing flaws not always easy, might require serious redesign failed proof attempt will generally not convince an engineer proving while designing is frustrating, tedious, time consuming 3

Problem: proving in Coq is very costly My proofs are boring, but designing security mechanisms is not definitions and properties often broken, and evolve over time Proving does aid design... but only at a very high cost most enlightenment comes from failed, not from successful proofs a failed proof attempt is a very costly way to discover a design flaw fixing flaws not always easy, might require serious redesign failed proof attempt will generally not convince an engineer proving while designing is frustrating, tedious, time consuming Even when design correct & stable, proving still costly countless iterations for discovering lemmas and invariants my proofs are often fragile, so the cost of each iteration is high 4

Problem: proving in Coq is very costly My proofs are boring, but designing security mechanisms is not definitions and properties often broken, and evolve over time Proving does aid design... but only at a very high cost most enlightenment comes from failed, not from successful proofs a failed proof attempt is a very costly way to discover a design flaw This is the itch I m trying to scratch fixing flaws not always easy, might require serious redesign failed proof attempt will generally not convince an engineer many people seem to have similar itches though proving while designing is frustrating, tedious, time consuming Even when design correct & stable, proving still costly countless iterations for discovering lemmas and invariants my proofs are often fragile, so the cost of each iteration is high 5

Could testing help with this problem? Can property-based testing lower the cost of formal proofs? become an important part of the theorem proving process in Coq? 6

Could testing help with this problem? Can property-based testing lower the cost of formal proofs? become an important part of the theorem proving process in Coq? Yes, I believe / hope so own recent positive experience with testing I m not the only one (e.g. Isabelle, FocalTest,...) 7

Could testing help with this problem? Can property-based testing lower the cost of formal proofs? become an important part of the theorem proving process in Coq? Yes, I believe / hope so own recent positive experience with testing I m not the only one (e.g. Isabelle, FocalTest,...) We are basically just starting on this A lot of research & engineering work left 8

Collaborators Arthur Azevedo de Amorim (UPenn, recent Inria intern) Maxime Dénès (Inria) John Hughes (Chalmers) Leo Lampropoulos (UPenn) Zoe Paraskevopoulou (ENS Cachan, MPRI,.. recent Inria intern) Benjamin Pierce (UPenn) Antal Spector-Zabusky (UPenn) Dimitris Vytiniotis (MSR Cambridge) 9

This talk Property-based testing with QuickChick Our QuickCheck clone for Coq (prototype plugin) Everything at https://github.com/quickchick Framework for verified property-based testing Other things we are doing that I won t discuss today Case studies: noninterference, security monitors, type-checkers Relating executable and declarative artifacts in Coq/SSReflect Language for property-based generators Evaluating testing quality: polarized mutation testing 10

Zoe Paraskevopoulou (ENS Cachan, MPRI,.. recent Inria intern) Maxime Dénès (Inria) Leo Lampropoulos (UPenn) Property-based testing with QuickChick TESTING RED-BLACK TREES 11

Red-Black Tree Implementation 12

Red-Black Trees Implementation 13

Declarative Proposition 14

Executable Definitions 15

Property Checker 16

Custom Generator for Trees 17

Running QuickChick 18

Finding a Bug 19

Property-Based Generator... 20

Property-Based Generator at Work in less than 4 seconds 22

Zoe Paraskevopoulou (ENS Cachan, MPRI,.. recent Inria intern) Are we testing the right property? VERIFIED PROPERTY-BASED TESTING 23

Testing Code Can Be Wrong QuickChick user has to write effective checkers and generators by hand [working on a new language in which one can write both generator and checker as a single program] errors can result in testing the wrong conjecture randomness makes finding and fixing errors hard 24

Testing Code Can Be Wrong QuickChick user has to write effective checkers and generators by hand [working on a new language in which one can write both generator and checker as a single program] errors can result in testing the wrong conjecture randomness makes finding and fixing errors hard User generators and checkers + most of QuickChick itself written in Coq Can formally we verify them? 25

Verified Property-Based Testing Verification framework on top of QuickChick Prove correctness of generators and checkers with respect to their declarative specs Main novelty: set of outcomes abstraction sem. of generator (Gen A) is an Ensemble (A -> Prop) the set of values that can be generated with >0 probability semantics of checker is a Coq proposition (Prop) internally checkers are also generators (Gen Result) all results are successful 26

27

Proving correctness of generators 28

Proving correctness of generators 29

Proving correctness of generators 30

Proving correctness of generators 31

Proving correctness of generators 32

Proving correctness of generators 33

Proving correctness of checkers Relating Executable and Declarative Definitions (SSReflect Style) 34

35

Axioms for Primitive Combinators 36

Lemmas for Derived Generators 37

Lemmas for Checkers 38

Future Work More proof automation and infrastructure changing to efficient data representations SMT-based verif. for set of outcome abstraction? The first verified QuickCheck implementation reduce the number of axioms probabilistic verification? Verify property-based generator language in general, manually verify reusable infrastructure Motto: premature automation is the root of all evil 39

THANK YOU Code at https://github.com/quickchick 40

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback