Deductive Verification in Frama-C and SPARK2014: Past, Present and Future

Similar documents
Deductive Program Verification with Why3, Past and Future

Why3 where programs meet provers

Deductive Program Verification with Why3

Why3 A Multi-Prover Platform for Program Verification

Why. an intermediate language for deductive program verification

Numerical Computations and Formal Methods

Jessie Plug-In Tutorial

Jessie Plugin Tutorial

Simple proofs of simple programs in Why3

GNATprove a Spark2014 verifying compiler Florian Schanda, Altran UK

Practical introduction to Frama-C (without Mathematical notations ;-) )

Software Verification of Safety-Critical Aerospace Systems1

Advances in Programming Languages

Combining Coq and Gappa for Certifying FP Programs

Verification Condition Generation

Why3 Where Programs Meet Provers

Program Verification (6EC version only)

Lecture 10 Design by Contract

WP Plug-in (Draft) Manual

A Comparison of SPARK with MISRA C and Frama-C

The Why/Krakatoa/Caduceus Platform for Deductive Program Verication

The Java Modeling Language (Part 1)

Frama-C WP Tutorial. Virgile Prevosto, Nikolay Kosmatov and Julien Signoles. June 11 th, 2013

A Verified Implementation of the Bounded List Container

Java Modelling Language (JML) References

A Case Study on Model Checking and Deductive Verification Techniques of Safety-Critical Software

Reminder of the last lecture. Aliasing Issues: Call by reference, Pointer programs. Introducing Aliasing Issues. Home Work from previous lecture

A Lesson on Runtime Assertion Checking with Frama-C

Overview The Java Modeling Language (Part 1) Related Work

Formal Verification in Aeronautics: Current Practice and Upcoming Standard. Yannick Moy, AdaCore ACSL Workshop, Fraunhofer FIRST

From Event-B Models to Dafny Code Contracts

WP 0.4 (Draft Manual)

Automating the Verification of Floating-Point Programs

Formal Verification of Floating-Point programs

SPARK Update Ada Europe 2012

Improving Coq Propositional Reasoning Using a Lazy CNF Conversion

The Krakatoa Verification Tool

Verifying Java Programs Verifying Java Programs with KeY

Frama-C A Collaborative Framework for C Code Verification

Sequential generation of structured arrays and its deductive verification

JML tool-supported specification for Java Erik Poll Radboud University Nijmegen

GNAT Pro Innovations for High-Integrity Development

Assertions & Design-by-Contract using JML Erik Poll University of Nijmegen

CSC313 High Integrity Systems/CSCM13 Critical Systems. CSC313/CSCM13 Chapter 2 1/ 221

Formal Methods in Software Development

Contents. Program 1. Java s Integral Types in PVS (p.4 of 37)

Runtime Checking for Program Verification Systems

SPARK 2014 User s Guide

The SMT-LIB 2 Standard: Overview and Proposed New Theories

VS 3 : SMT Solvers for Program Verification

Producing All Ideals of a Forest, Formally (Verification Pearl)

A Lesson on Proof of Programs with Frama-C. Invited Tutorial Paper

Formal Verification of a Floating-Point Elementary Function

Static program checking and verification

ESC/Java 2. Checker for Java 2. Extended. Static. B y K ats man Andrey S oftware E ngineering S em inar

Verifying Java Programs. Verifying Java Programs. The Krakatoa/Why Tool Suite

Introduction to JML David Cok, Joe Kiniry, and Erik Poll Eastman Kodak Company, University College Dublin, and Radboud University Nijmegen

Verifying Java Programs

WP Plug-in Manual. Version 0.9 for Magnesium Patrick Baudin, François Bobot, Loïc Correnson, Zaynah Dargaye

Proving SPARK Verification Conditions with SMT solvers

Formal Verification of MIX Programs

How to Compute the Area of a Triangle: a Formal Revisit

oating-point implementation in C

Technical presentation

Verification Condition Generation via Theorem Proving

Coq. LASER 2011 Summerschool Elba Island, Italy. Christine Paulin-Mohring

WP 0.6 (Draft Manual)

Integrating verification in programming languages

Verification of the Functional Behavior of a Floating-Point Program: an Industrial Case Study

Built-in Treatment of an Axiomatic Floating-Point Theory for SMT Solvers

The design of a programming language for provably correct programs: success and failure

BOOGIE. Presentation by Itsik Hefez A MODULAR REUSABLE VERIFIER FOR OBJECT-ORIENTED PROGRAMS MICROSOFT RESEARCH

Automatic Software Verification

Automatic Generation of Program Specifications

Type Theory meets Effects. Greg Morrisett

Deductive Program Verification with WHY3

SMT-LIB for HOL. Daniel Kroening Philipp Rümmer Georg Weissenbacher Oxford University Computing Laboratory. ITP Workshop MSR Cambridge 25 August 2009

A Formally Proved, Complete Algorithm for Path Resolution with Symbolic Links

Incremental Proof Development in Dafny

Advances in Programming Languages

openetcs OETCS/WP4/D4.2.2 Preliminary Validation and Verification Report on Implementation/Code ITEA2 Project Call

Isabelle Tutorial: System, HOL and Proofs

Verifying Java Programs Verifying Java Programs with KeY

Cover Page. The handle holds various files of this Leiden University dissertation

Formally Certified Satisfiability Solving

An Introduction to Deductive Program Verification

Enhance Verification using Ghost Code

The Krakatoa Verification Tool

Outline. Analyse et Conception Formelle. Lesson 7. Program verification methods. Disclaimer. The basics. Definition 2 (Specification)

Programming with Contracts. Juan Pablo Galeotti, Alessandra Gorla Saarland University, Germany

How to get an efficient yet verified arbitrary-precision integer library

Automatic Verification of Loop Invariants

SPARKSkein A Formal and Fast Reference Implementation of Skein

Reasoning About Loops Using Vampire

Hybrid Verification in SPARK 2014: Combining Formal Methods with Testing

Adam Chlipala University of California, Berkeley ICFP 2006

Separation Analysis for Weakest Precondition-based Verification

Sciduction: Combining Induction, Deduction and Structure for Verification and Synthesis

Let s Verify This with Why3

Introduction to Axiomatic Semantics

Transcription:

Deductive Verification in Frama-C and SPARK2014: Past, Present and Future Claude Marché (Inria & Université Paris-Saclay) OSIS, Frama-C & SPARK day, May 30th, 2017 1 / 31

Outline Why this joint Frama-C and SPARK day? common history of Frama-C and SPARK ACSL and SPARK 2014: how they differ? static versus runtime checking specification languages: design choices advertisement: ghost code Recent and Future Trends bit-wise, floating-point computations proof debugging, counterexamples interactively discharging VCs 2 / 31

Outline Why this joint Frama-C and SPARK day? common history of Frama-C and SPARK ACSL and SPARK 2014: how they differ? static versus runtime checking specification languages: design choices advertisement: ghost code Recent and Future Trends bit-wise, floating-point computations proof debugging, counterexamples interactively discharging VCs 3 / 31

Around 1990 Deductive Verification Formal Specification of functional behaviors using contracts Generation of Verification Conditions Computer-Assisted Theorem Proving SPARK Examiner for Ada 83 Univ. Southampton, Praxis, then Altran home-made VC generator, simplifier, checker CAVEAT, static analyzer for C code CEA home-made VC generator and solver 4 / 31

Around 2000 The Why tool for deductive verification team ProVal (Inria & CNRS & Univ. Paris Sud) a ML-style programming language with contracts VC discharged using Coq then later with Simplify then with Alt-Ergo then with several others Why front-ends: for Java: Krakatoa annotations Java Modeling Language for C: Caduceus annotation language JML 5 / 31

2005-2010 Frama-C CEA and ProVal ACSL language plug-in architecture to support various kind of analyses Jessie Deductive Verification plug-in Use Why as intermediate language Alias analysis using memory regions 6 / 31

2010-2014 Why3, new generation of Why module system, rich standard library of theories region-based type system for alias control generic architecture to plug in back-end provers Jessie plug-in adapted to Why3 WP Frama-C plug-in various memory models and aliasing conditions call provers through Why3 SPARK 2014: SPARK new generation AdaCore - Altran Why3 as intermediate programming language Non-aliasing conditions to ease VC generation and proof call provers through Why3 7 / 31

Why3 ecosystem today C programs Ada programs Frama-C SPARK 2014 Why3 SMT solvers Alt-Ergo CVC4 verit Z3 etc. Interactive provers Coq Isabelle PVS Other provers E prover Gappa SPASS Vampire etc. 8 / 31

Outline Why this joint Frama-C and SPARK day? common history of Frama-C and SPARK ACSL and SPARK 2014: how they differ? static versus runtime checking specification languages: design choices advertisement: ghost code Recent and Future Trends bit-wise, floating-point computations proof debugging, counterexamples interactively discharging VCs 9 / 31

Static versus Runtime Checking Contracts can be used either for runtime assertion checking (RAC): assertions executed and checked valid during execution, tests for static verification (VC generation + theorem proving) code can be proved correct w.r.t. contracts Example: Java Modeling Language JML RAC: turns assertions into regular Java code Static verification: ESC/Java, using solver Simplify 10 / 31

From JML to Krakatoa and ACSL JML was designed with RAC in mind Consequence: assertions are Java Boolean expressions Extensions to Java expressions: meant to be executable e.g. quantification must be bounded (\forall int i; 0 <= i && i < a.length; P(i)) Models for specifications can be designed using extra pure classes methods need to be terminating they should not raise exceptions they should not have side-effects 11 / 31

Why3/Krakatoa/ACSL Specification Languages Specification language is classical first-order logic with types (polymorphism) equality, built-in arithmetic user-defined theories to design abstract models introducing new data-types, logic functions, predicates either defined or axiomatized Specification language distinct from programming language adequate for use of external provers does not need to be executable 12 / 31

Example: sorting algorithms /*@ requires \valid(a+(0..n-1)); @ assigns a[0..n-1]; @ ensures sorted(a,0,n); @ ensures permut{pre,post}(a,0,n-1); @*/ void sort(int *a, int n) { 13 / 31

Example: sorting algorithms /*@ predicate sorted(int *a, integer l, integer h) = @ \forall integer i j; l <= i <= j < h ==> a[i] <= a[j] ; @*/ Not executable a priori Could be executed if ranges of i and j are somehow computed In JML, it should be written (\forall int i; l <= i && i < h ; (\forall int j; i <= j && j < h; a[i] <= a[j]))) ; Notice also the type integer for mathematical, unbounded integers 14 / 31

Example: sorting algorithms /*@ predicate swap{l1,l2}(int *a, integer i, integer j) = @ \at(a[i],l1) == \at(a[j],l2) && \at(a[j],l1) == \at(a[i],l2) && @ \forall integer k; k!= i && k!= j ==> \at(a[k],l1) == \at(a[k],l2); @ @ inductive permut{l1,l2}(int *a, integer l, integer h) { @ case permut_refl{l}: @ \forall int *a, integer l h; permut{l,l}(a, l, h) ; @ case permut_sym{l1,l2}: @ \forall int *a, integer l h; @ permut{l1,l2}(a, l, h) ==> permut{l2,l1}(a, l, h) ; @ case permut_trans{l1,l2,l3}: @ \forall int *a, integer l h; @ permut{l1,l2}(a, l, h) && permut{l2,l3}(a, l, h) ==> permut{l1,l3}(a, l, h); @ case permut_swap{l1,l2}: @ \forall int *a, integer l h i j; @ l <= i < h && l <= j < h && swap{l1,l2}(a, i, j) ==> permut{l1,l2}(a, l, h) ; @ } @*/ Important points Why3/ACSL spec. lang. significantly diverged from JML Spec. language can be more powerful when RAC is not intended Yet, RAC may be useful to complement proofs 15 / 31

Design of E-ACSL E-ACSL: Need for run-time checking in Frama-C Executable subset of ACSL assertions turned into regular C code: mathematical integers handled using GMP built-in memory-related predicates (\valid, \initialized) handled using a specific memory management library axiomatic models not supported ACSL and E-ACSL have slightly different semantics Undefined expressions: assert { 1/0 == 1/0 } assert { *p == *p } // when p == NULL valid in ACSL (logic of total functions) raise errors in E-ACSL Note: similar differences between JML RAC and ESC/Java 16 / 31

Ada contracts and SPARK 2014 Ada 2012: add contracts as part of regular Ada assertions are Boolean expressions Expression-functions can be used in assertions Bounded quantification now part of Ada expressions: for all I in <range> => P(I) Ada compiler generates corresponding run-time checks for preand post-conditions 17 / 31

Static Verification in SPARK 2014 Important design choice Semantics of annotations is fixed by the execution semantics VC are generated for well-definedness: 1/0, array index in bounds, etc. abstract models, unbounded integers: not possible since it would forbids RAC indeed possible via an SPARK-specific extension ( external axiomatization ) 18 / 31

Summary Why3 Frama-C SPARK ACSL E-ACSL 2014 Executable contracts no no yes yes Only total functions in logic yes yes no 1 no 2 Unbounded integers in logic yes yes yes no 3 Unbounded quantification yes yes no no Ghost code yes yes 4 yes 4 yes 1 run-time checks for well-definedness are generated 2 run-time checks and VCs for well-definedness are generated 3 possible through external axiomatization 4 restrictions: only executable C code, and non-interference with regular code is not checked (See [Kosmatov et al., ISOLA 2016] for more details) 19 / 31

Advertisement: be Afraid of no Ghost! ghost variable: added to the regular, for the purpose of formal specification ghost code, subprograms: extra code added to operate on ghost variables Ghost code Commonly used in most non-trivial examples keeping track of previous values of variables attach some abstract state (a kind of data refinement) etc. Example: a sorting algorithm may return a ghost array of indices, giving the permutation of elements done by sorting. procedure sort(a:array) returns (ghost p:array of integer) assigns a ensures \forall integer i; a[i]=\old(a)[p[i]] 20 / 31

Ghost code in Why3, Frama-C and SPARK 2014 Ghost code is possible in all of them Pros Very useful in practice/for complex cases A kind of executable specification Compatible with both static and run-time checking Cons Tools should check non-interference between ghost code and regular code Why3, SPARK 2014 do it thanks to strong non-aliasing policy Frama-C doesn t do it yet 21 / 31

Bonus: Lemma Functions Proving theorems using ghost code! ghost f (x 1 : τ 1,..., x n : τ n ) returns r : τ requires Pre ensures Post if this function has no side-effect and is proved terminating then it is a constructive proof of Examples: x 1,..., x n, r, Pre Post proving lemmas by induction (with automated provers only!) proving existential properties Note: similar feature exists in other environments, e.g. Dafny 22 / 31

Outline Why this joint Frama-C and SPARK day? common history of Frama-C and SPARK ACSL and SPARK 2014: how they differ? static versus runtime checking specification languages: design choices advertisement: ghost code Recent and Future Trends bit-wise, floating-point computations proof debugging, counterexamples interactively discharging VCs 23 / 31

The ProofInUse project Joint Lab between Inria and AdaCore Main Goal Spread the use of formal proof in SPARK users community Help for debugging when proof fails Counterexamples Simple interactive prover Enlarge language support Bit-wise operators Floating-point arithmetic Increase automation Better exploit SMT solvers 24 / 31

Bit-Wise Operators New Why3 theory for bit-wise operations Use of SMT-LIB bit-vector theory (CVC4, Z3) Case study: BitWalker Original C code by Siemens, ITEA 2 project OpenETCS Rewritten by Jens Gerlach for Frama-C/WP Formal specification in ACSL proved with Alt-Ergo+Coq Version in SPARK 2014 proved with Alt-Ergo+CVC4+Z3 See [Fumex et al., NFM 2016] 25 / 31

Counterexample Generation in SPARK 26 / 31

Counterexample Generation in SPARK Instrumentation of VC generation for tracing variables Query a model when SMT solver answers SAT Reinterpret the model in the source code Display counterexample in the graphical interface See [Hauzar et al., SEFM 2016] 27 / 31

Proof Debugging (Frama-C plug-in StaDy) C code + annotations Transformation A (non-compliance) Transformation B (contract weakness) C code Dynamic Symbolic Execution Report on annotations failures Non-compliance: code does not satisfy annotations subcontract weakness: contracts of called functions, loop invariants, not powerful enough to prove the annotations correct See [Petiot et al., TAP 2016] 28 / 31

Discharging VCs interactively Goal (hopefully simple) user interactions to assist automatic provers when proof fails On-going work for SPARK within ProofInUse joint lab Recently available in Frama-C/WP See the talk by Loïc Correnson today! 29 / 31

Floating-Point Computations Goals better handling Floating-Point in specifications and VC generation improve success rate of automated provers SOPRANO project involves both Frama-C and SPARK developers solvers Alt-Ergo FP and COLIBRI recent progress in SPARK support for FP in SPARK 17.1, using CodePeer interval analysis FP support in prover Z3 on-going: use of Alt-Ergo FP and COLIBRI See the talk by François Bobot today! 30 / 31

Conclusions Frama-C and SPARK share not only a common history but A will to transfer academic research to the industry of critical software Common challenges, approaches, technical solutions OSIS Frama-C and SPARK day Enjoy the talks, exchange ideas during breaks! 31 / 31

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback