Deductive Program Verification with Why3, Past and Future

Similar documents
Why3 where programs meet provers

Deductive Program Verification with Why3

Deductive Verification in Frama-C and SPARK2014: Past, Present and Future

Why3 A Multi-Prover Platform for Program Verification

Why. an intermediate language for deductive program verification

Numerical Computations and Formal Methods

Simple proofs of simple programs in Why3

Why3 Where Programs Meet Provers

The Why/Krakatoa/Caduceus Platform for Deductive Program Verication

Reminder of the last lecture. Aliasing Issues: Call by reference, Pointer programs. Introducing Aliasing Issues. Home Work from previous lecture

Coq, a formal proof development environment combining logic and programming. Hugo Herbelin

Combining Coq and Gappa for Certifying FP Programs

An Introduction to Deductive Program Verification

Let s Verify This with Why3

WP Plug-in (Draft) Manual

Producing All Ideals of a Forest, Formally (Verification Pearl)

Lost in translation. Leonardo de Moura Microsoft Research. how easy problems become hard due to bad encodings. Vampire Workshop 2015

Formally Certified Satisfiability Solving

Advances in Programming Languages

Software verification using proof assistants

SMT-LIB for HOL. Daniel Kroening Philipp Rümmer Georg Weissenbacher Oxford University Computing Laboratory. ITP Workshop MSR Cambridge 25 August 2009

Deductive Program Verification with Why3 A Tutorial

Isabelle/HOL:Selected Features and Recent Improvements

Formal Verification of Floating-Point programs

GNATprove a Spark2014 verifying compiler Florian Schanda, Altran UK

Formal Verification of MIX Programs

Verifying Java Programs. Verifying Java Programs. The Krakatoa/Why Tool Suite

Strongly Connected Components in graphs, formal proof of Tarjan1972 algorithm

Verifying Java Programs

Type Theory meets Effects. Greg Morrisett

The Formal Semantics of Programming Languages An Introduction. Glynn Winskel. The MIT Press Cambridge, Massachusetts London, England

Adam Chlipala University of California, Berkeley ICFP 2006

A CRASH COURSE IN SEMANTICS

Improving Coq Propositional Reasoning Using a Lazy CNF Conversion

Provably Correct Software

Contents. Program 1. Java s Integral Types in PVS (p.4 of 37)

Deductive Program Verification with WHY3

Verification of Selection and Heap Sort Using Locales

BOOGIE. Presentation by Itsik Hefez A MODULAR REUSABLE VERIFIER FOR OBJECT-ORIENTED PROGRAMS MICROSOFT RESEARCH

From Z3 to Lean, Efficient Verification

Research project proposal ProVal: Proof of Programs

Verification Condition Generation

WP 0.6 (Draft Manual)

Verifying Java Programs Verifying Java Programs with KeY

Specification, Verification, and Interactive Proof

WP Plug-in Manual. Version 0.9 for Magnesium Patrick Baudin, François Bobot, Loïc Correnson, Zaynah Dargaye

Verification of the Functional Behavior of a Floating-Point Program: an Industrial Case Study

WP 0.4 (Draft Manual)

CSC313 High Integrity Systems/CSCM13 Critical Systems. CSC313/CSCM13 Chapter 2 1/ 221

Verified Programs with Binders

Chapter 11 :: Functional Languages

Functional Programming in Coq. Nate Foster Spring 2018

LOGIC AND DISCRETE MATHEMATICS

Coq projects for type theory 2018

Towards certification of TLA + proof obligations with SMT solvers

Formalizing Semantics with an Automatic Program Verifier

A Case Study on Model Checking and Deductive Verification Techniques of Safety-Critical Software

Frama-C WP Tutorial. Virgile Prevosto, Nikolay Kosmatov and Julien Signoles. June 11 th, 2013

Technical presentation

An Annotated Language

Practical introduction to Frama-C (without Mathematical notations ;-) )

Isabelle Tutorial: System, HOL and Proofs

The design of a programming language for provably correct programs: success and failure

Chapter 1. Introduction

Com S 541. Programming Languages I

Proving SPARK Verification Conditions with SMT solvers

The Why3 platform. Version 0.81, March 2013

Introduction to OCaml

Automated Theorem Proving in a First-Order Logic with First Class Boolean Sort

A Verified Implementation of the Bounded List Container

Verification of Goroutines using Why3

Simon Peyton Jones Microsoft Research August 2012

Satisfiability Modulo Theories. DPLL solves Satisfiability fine on some problems but not others

CSCI-GA Scripting Languages

Formally Proved Anti-tearing Properties of Embedded C Code

Satisfiability Modulo Theories: ABsolver

Coq. LASER 2011 Summerschool Elba Island, Italy. Christine Paulin-Mohring

Java Modelling Language (JML) References

Readable semi-automatic formal proofs of Depth-First Search in graphs using Why3

Software Verification of Safety-Critical Aerospace Systems1

Formalization of Incremental Simplex Algorithm by Stepwise Refinement

A Modular Way to Reason About Iteration

A Formally Proved, Complete Algorithm for Path Resolution with Symbolic Links

Rockwell Collins Evolving FM Methodology

Reasoning about Java Programs with Aliasing and Frame Conditions

Combining Static and Dynamic Contract Checking for Curry

Chapter 3 (part 3) Describing Syntax and Semantics

Program Verification (6EC version only)

Formal C semantics: CompCert and the C standard

6. Hoare Logic and Weakest Preconditions

Ideas over terms generalization in Coq

Towards Coq Formalisation of {log} Set Constraints Resolution

Analysis of dependent types in Coq through the deletion of the largest node of a binary search tree

Formal Verification of a Floating-Point Elementary Function

FreePascal changes: user documentation

Induction in Coq. Nate Foster Spring 2018

CS 242. Fundamentals. Reading: See last slide

Verifying Java Programs Verifying Java Programs with KeY

A Formal Proof of a Unix Path Resolution Algorithm

Jessie Plug-In Tutorial

Transcription:

Deductive Program Verification with Why3, Past and Future Claude Marché ProofInUse Kick-Off Day February 2nd, 2015

A bit of history 1999: Jean-Christophe Filliâtre s PhD Thesis Proof of imperative programs, using Coq

A bit of history 1999: Jean-Christophe Filliâtre s PhD Thesis Proof of imperative programs, using Coq 2001: standalone Why tool produces proof goals for Coq or for PVS

A bit of history 1999: Jean-Christophe Filliâtre s PhD Thesis Proof of imperative programs, using Coq 2001: standalone Why tool produces proof goals for Coq or for PVS 2002: EU project VerifiCard JavaCard, Krakatoa tool, compiling Java/JML to Why Inspired by ESC/Java: we produce goals for the Simplify theorem prover

A bit of history 1999: Jean-Christophe Filliâtre s PhD Thesis Proof of imperative programs, using Coq 2001: standalone Why tool produces proof goals for Coq or for PVS 2002: EU project VerifiCard JavaCard, Krakatoa tool, compiling Java/JML to Why Inspired by ESC/Java: we produce goals for the Simplify theorem prover 2004: Caduceus tool Like Krakatoa for C (In French: pour traiter le cas du C)

A bit of history 1999: Jean-Christophe Filliâtre s PhD Thesis Proof of imperative programs, using Coq 2001: standalone Why tool produces proof goals for Coq or for PVS 2002: EU project VerifiCard JavaCard, Krakatoa tool, compiling Java/JML to Why Inspired by ESC/Java: we produce goals for the Simplify theorem prover 2004: Caduceus tool Like Krakatoa for C (In French: pour traiter le cas du C) 2005-2008, ANR CAT project, beginning of Frama-C Lead by CEA (B. Monate) Caduceus replaced by the Jessie plug-in

A bit of history 1999: Jean-Christophe Filliâtre s PhD Thesis Proof of imperative programs, using Coq 2001: standalone Why tool produces proof goals for Coq or for PVS 2002: EU project VerifiCard JavaCard, Krakatoa tool, compiling Java/JML to Why Inspired by ESC/Java: we produce goals for the Simplify theorem prover 2004: Caduceus tool Like Krakatoa for C (In French: pour traiter le cas du C) 2005-2008, ANR CAT project, beginning of Frama-C Lead by CEA (B. Monate) Caduceus replaced by the Jessie plug-in 2009-2012, ANR U3CAT project Support for floating-point within Jessie 2010-2013, FUI Hi-Lite Project 2011, birth of Why3 Used as intermediate language for SPARK2014

Birth of Why3 2011, full re-implementation of Why: Why3 Many new features Richer specification language algebraic data types inductive predicates since 2013, higher-order functions Richer programming language records with mutable fields More generic interface with theorem provers notion of proof task, transformations driver for each prover Proof sessions OCaml API etc.

Why3 kernel: a Simple Example theory T use import int.int goal g: forall x:int. (x+7)*(x+6) = x*x + 13*x + 42 end Alt-Ergo driver Alt-Ergo goal Alt-Ergo Why3 theories Proof tasks Coq driver Coq goal Coq Transformations

Why3 graphical interface > why3 ide simple.why

Provers supported by Why3 How many provers supported?

Provers supported by Why3 How many provers supported? SMT solvers: Alt-Ergo CVC3 CVC4 Z3

Provers supported by Why3 How many provers supported? SMT solvers: Alt-Ergo CVC3 CVC4 Z3 Interactive proof assistants: Coq Isabelle PVS

Provers supported by Why3 How many provers supported? SMT solvers: Alt-Ergo CVC3 CVC4 Z3 Interactive proof assistants: Coq Isabelle PVS TPTP provers: Eprover Metis Vampire Princess Beagle Zenon iprover SPASS

Provers supported by Why3 How many provers supported? SMT solvers: Alt-Ergo CVC3 CVC4 Z3 Interactive proof assistants: Coq Isabelle PVS TPTP provers: Eprover Metis Vampire Princess Beagle Zenon iprover SPASS more SMT solvers: Simplify Yices verit MathSAT5

Provers supported by Why3 How many provers supported? SMT solvers: Alt-Ergo CVC3 CVC4 Z3 Interactive proof assistants: Coq Isabelle PVS TPTP provers: Eprover Metis Vampire Princess Beagle Zenon iprover SPASS more SMT solvers: Simplify Yices verit MathSAT5 Solvers for arithmetic: Gappa Mathematica MetiTarski

Provers supported by Why3 How many provers supported? SMT solvers: Alt-Ergo CVC3 CVC4 Z3 Interactive proof assistants: Coq Isabelle PVS TPTP provers: Eprover Metis Vampire Princess Beagle Zenon iprover SPASS more SMT solvers: Simplify Yices verit MathSAT5 Solvers for arithmetic: Gappa Mathematica MetiTarski currently 22 supported provers, constantly increasing

Why3 programming language ML-style functional language with Mutable references, aliasing control by static typing Annotations: contracts, loop invariants, etc. VC generator: weakest preconditions calculus let isqrt (x:int) : int requires { x >= 0 } ensures { result >= 0 } ensures { sqr result <= x < sqr (result + 1) } = let count = ref 0 in let sum = ref 1 in while!sum <= x do invariant {!count >= 0 } invariant { x >= sqr!count } invariant {!sum = sqr (!count+1) } variant { x -!count } count :=!count + 1; sum :=!sum + 2 *!count + 1 done;!count

Why3 as a development environment Proof replay in batch Documentation generator Execution by internal interpreter Extraction to OCaml

Programs developed with Why3 Gallery of verified programs: 109 examples today mainly small but smart algorithms proved formally various domains: data-structures: lists, arrays, trees, graphs, matrices... various algorithms e.g. searching, sorting... arithmetic (integer, floating-point), mathematical puzzles solutions to past verification competitions increasing use of Why3 for teaching largest example so far: a certified prover

Example: a certified prover [Clochard, Marché, Paskevich, PLPV 2014] Initial concern: Formalisation of binders Solution: a small tool on top of Why3 input: declaration of algebraic data types with binders outputs a Why3 source providing types for specifications and for code functions for opening/closing binder, for substitution general lemmas on fresh variables, substitution, etc. Applications An interpreter for pure lambda-calculus, various strategies A first-order theorem prover, tableau-based

A general issue: automation of proofs Terms, formulas: inductive types Substitution: recursive definition Proofs require reasoning by induction Induction is out of reach of automated provers Possible solutions: Use interactive proof assistants: Coq, Isabelle, PVS Use SMT solvers inside PA: Isabelle s sledgehammer, why3 tactic of Coq Use lemma functions

The why3 tactic of Coq Alt-Ergo driver Alt-Ergo goal Alt-Ergo Why3 Theories Proof tasks why3 tactic Coq driver Coq goal Coq Transformations Typical form of a proof Require Import Why3. Ltac altergo := why3 "alt-ergo" timelimit 5 intros x1 x2 h1 h2 h3. induction h2; altergo.

Lemma functions A program without side-effects of the form let rec lemma f (arguments) : unit requires { p } ensures { q } variant { v } =... is a proof (by induction) of the lemma lemma f : forall arguments. p -> q

Lemma functions: example Pigeon-hole principle [team ProofInUse, VScomp 2014] predicate range (f: int -> int) (n: int) (m:int) = forall i: int. 0 <= i < n -> 0 <= f i < m (** [range f n m] true when [f] maps [(0..n-1)] into [(0..m-1)] *) predicate injective (f: int -> int) (n: int) (m:int) = forall i j: int. 0 <= i < j < n -> f i <> f j (** [injective f n m] true when [f] is an injection from [(0..n-1)] to [(0.. let rec lemma pigeon_hole (n m:int) (f: int -> int) requires { range f n m } requires { n > m >= 0 } variant { m } ensures { not (injective f n m) } = try for i = 0 to n-1 do invariant { forall k. 0 <= k < i -> f k <> m-1 } if f i = m-1 then begin (* we have found index i such that f i = m-1 *) for j = i+1 to n-1 do...

Tableau-based prover: summary data types with binders for first-order logic automatically generated Formalisation of the semantics Implementation of a proof engine, including Skolemization Unification Proof of soundness val prove_unsat (l:formula_list) : unit requires { formula_list_ok l } ensures { forall rho:interpretation fsymb psymb varsymb. not(formula_list_conjunction l rho) } Why3 loc verification conditions generated 16.000 3.051 manual 6.000 4.303 Provers needed: Alt-Ergo, CVC3, CVC4, Eprover, Spass, Z3 (time limit: 20s)

Prover performance Compiled to binary via extraction to OCaml Family of examples: ( x.r x R(f x)) x.r x R (f 2n x) n 3 4 5 6 time (sec.) 0.02 0.55 3.36 19.67 nb of nodes 502 9,506 42,898 197,244 generated per 25,134 17,316 12,779 10,028 sec.

Why3 as a development environment Why3 is becoming mature enough to be used as an environment for developing certified code Perspectives on the core language: Better integration of logic specification and code Improve the module system (refinement) Improve support for higher-order functions Improve support for machine integers... Other perspectives: Improve extraction, extraction to other languages (C, Ada) Develop more reusable certified libraries Certification of transformations, drivers Provide feedback from provers counter-examples...

Why3 as an intermediate language Why3 should become easier to use/more powerful as an intermediate language for Ada, C, Java provide support for bit-wise arithmetic Interpret counter-examples feedback into the source language Allow the use of Why3 libraries as specification libraries for front-end language on-going experiment within Frama-C/WP

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback