GNATprove a Spark2014 verifying compiler Florian Schanda, Altran UK

Similar documents
Why. an intermediate language for deductive program verification

Deductive Program Verification with Why3

Why3 where programs meet provers

Deductive Verification in Frama-C and SPARK2014: Past, Present and Future

Type Checking. Outline. General properties of type systems. Types in programming languages. Notation for type rules.

Outline. General properties of type systems. Types in programming languages. Notation for type rules. Common type rules. Logical rules of inference

BOOGIE. Presentation by Itsik Hefez A MODULAR REUSABLE VERIFIER FOR OBJECT-ORIENTED PROGRAMS MICROSOFT RESEARCH

SPARKSkein A Formal and Fast Reference Implementation of Skein

Deductive Program Verification with Why3, Past and Future

Proving SPARK Verification Conditions with SMT solvers

Why3 A Multi-Prover Platform for Program Verification

An Introduction to Satisfiability Modulo Theories

Satisfiability Modulo Theories. DPLL solves Satisfiability fine on some problems but not others

Spark verification features

In Our Last Exciting Episode

Rockwell Collins Evolving FM Methodology

SPARK 2014 User s Guide

Combining Static and Dynamic Contract Checking for Curry

Abstract Interpretation

Generating Small Countermodels. Andrew Reynolds Intel August 30, 2012

Working with Z3 (10 points)

Formally Certified Satisfiability Solving

The SMT-LIB 2 Standard: Overview and Proposed New Theories

An Annotated Language

Testing & Symbolic Execution

Testing, Debugging, and Verification

SMT-LIB for HOL. Daniel Kroening Philipp Rümmer Georg Weissenbacher Oxford University Computing Laboratory. ITP Workshop MSR Cambridge 25 August 2009

Satisfiability Modulo Theories: ABsolver

How to get an efficient yet verified arbitrary-precision integer library

Verification Conditions. Juan Pablo Galeotti, Alessandra Gorla, Andreas Rau Saarland University, Germany

Alive: Provably Correct InstCombine Optimizations

CMSC 330: Organization of Programming Languages. Formal Semantics of a Prog. Lang. Specifying Syntax, Semantics

Hardware versus software

Verification Condition Generation

Testing, Fuzzing, & Symbolic Execution

Automated Proof with Caduceus: Recent Industrial Experience

Type Inference Systems. Type Judgments. Deriving a Type Judgment. Deriving a Judgment. Hypothetical Type Judgments CS412/CS413

A Comparison of SPARK with MISRA C and Frama-C

Simple proofs of simple programs in Why3

Evaluating the SMT-LIB repository as a benchmark source for software verification

SMT-Based Bounded Model Checking for Embedded ANSI-C Software. Lucas Cordeiro, Bernd Fischer, Joao Marques-Silva

Formal Verification of Floating-Point programs

Counterexample-Driven Genetic Programming

CSC313 High Integrity Systems/CSCM13 Critical Systems. CSC313/CSCM13 Chapter 2 1/ 221

Encoding functions in FOL. Where we re at. Ideally, would like an IF stmt. Another example. Solution 1: write your own IF. No built-in IF in Simplify

Verifying C & C++ with ESBMC

Verifying Java Programs Verifying Java Programs with KeY

ESC/Java2 vs. JMLForge. Juan Pablo Galeotti, Alessandra Gorla, Andreas Rau Saarland University, Germany

Programming Languages Third Edition

7. Introduction to Denotational Semantics. Oscar Nierstrasz

A short manual for the tool Accumulator

VS 3 : SMT Solvers for Program Verification

Directions in ISA Specification. Anthony Fox. Computer Laboratory, University of Cambridge, UK

Runtime Checking and Test Case Generation for Python

CS 320: Concepts of Programming Languages

The Prototype Verification System PVS

Part II. Hoare Logic and Program Verification. Why specify programs? Specification and Verification. Code Verification. Why verify programs?

Formal semantics and other research around Spark2014

Chapter 1. Introduction

Lost in translation. Leonardo de Moura Microsoft Research. how easy problems become hard due to bad encodings. Vampire Workshop 2015

Chapter 11 :: Functional Languages

The design of a programming language for provably correct programs: success and failure

LECTURE 3. Compiler Phases

SPARK Update Ada Europe 2012

Numerical Computations and Formal Methods

The SMT-LIB Standard Version 2.0

At build time, not application time. Types serve as statically checkable invariants.

The Low-Level Bounded Model Checker LLBMC

Lecture 10 Design by Contract

Integration of SMT-LIB Support into Maple

Lecture 3 Notes Arrays

Why3 Where Programs Meet Provers

Main Goal. Language-independent program verification framework. Derive program properties from operational semantics

Rethinking Automated Theorem Provers?

A LISP Interpreter in ML

Lecture Notes on Ints

Advances in Programming Languages

Semantics. There is no single widely acceptable notation or formalism for describing semantics Operational Semantics

The HOL-SPARK Program Verification Environment. Stefan Berghofer secunet Security Networks AG

Supporting multiple proof engines by translating between intermediate verification languages

CS 11 Haskell track: lecture 1

Hybrid Verification in SPARK 2014: Combining Formal Methods with Testing

Deductive Methods, Bounded Model Checking

Deductive Program Verification with WHY3

Lecture Notes on Arrays

Dafny: An Automatic Program Verifier for Functional Correctness Paper by K. Rustan M. Leino (Microsoft Research)

FreePascal changes: user documentation

Symbolic and Concolic Execution of Programs

Semantic Analysis. CSE 307 Principles of Programming Languages Stony Brook University

CVC4 - the SMT Solver

Program Verification (6EC version only)

CS 11 Ocaml track: lecture 6

Applied Theorem Proving: Modelling Instruction Sets and Decompiling Machine Code. Anthony Fox University of Cambridge, Computer Laboratory

A3. Programming Languages for Writing Safety-Critical Software

1. true / false By a compiler we mean a program that translates to code that will run natively on some machine.

Lecture Outline. Code Generation. Lecture 30. Example of a Stack Machine Program. Stack Machines

CSE450. Translation of Programming Languages. Lecture 11: Semantic Analysis: Types & Type Checking

Arithmetic and Bitwise Operations on Binary Data

Lecture Notes on Intermediate Representation

Combining program verification with component-based architectures. Alexander Senier BOB 2018 Berlin, February 23rd, 2018

Transcription:

1 GNATprove a Spark2014 verifying compiler Florian Schanda, Altran UK

Tool architecture User view Source gnatprove Verdict 2

Tool architecture More detailed view... Source Encoding CVC4 gnat2why gnatwhy3 SMTLIB Z3 AltErgo Verdict 3

GNAT Frontend Overview Ada 2012 and Spark2014 lexer, parser, semantic analyser, expander, code generator (with gcc via intermediate language) 4

gnat2why Overview Just another GNAT back-end An elaborate semantic analysis pass over the AST: filter Note which areas of the program are in Spark globals Generate frame conditions (global contracts if they have not been specified) at varying levels of details flow Check initialization, non-aliasing, global contracts, and information flow contracts translation Transform Spark subprograms into WhyML subprograms 5

gnat2why Overview Source gnat2why ALI gnat2why Messages WhyML 6

gnat2why Translation to WhyML Spark is still an extremely complicated language Key properties need to be proven for a program to be correct ( verification conditions, or VCs ) Translation to a smaller, intermediate language WhyML Simpler control flow Simpler types Verification condition generation based on this IL 7

gnat2why Translation to WhyML Example (A, B : Natural ) r e t u r n Natural f u n c t i o n is b e g i n R : Natural ; if A < B then R := A + 1; else end R := B - 1; if; r e t u r n R; end Example ; 8

gnat2why Translation to WhyML Example (A, B : Natural ) r e t u r n Natural f u n c t i o n is b e g i n R : Natural ; if A < B then R := A + 1; else end R := B - 1; if; r e t u r n R; end Example ; let example ( a: int ) ( b: int ) requires { a >= 0 /\ a <= 2147483647 } requires { b >= 0 /\ b <= 2147483647 } returns { r -> r >= 0 /\ r <= 2147483647 } = let r = ref 0 in if a < b then r := a + 1 else r := b - 1; (!r) 8

gnat2why Translation to WhyML Another traversal over AST (for Spark), building another AST (for Why3) Tree is pretty printed, but not meant to be human readable One or more Why3 modules per Spark entity Types Entity definitions, axioms Subprogram definitions, axioms, bodies All of which are dumped into a single file for gnatwhy3. Not as nice as the previous example, a lot of extra information embedded: Original source locations of all VCs Checks (x 0, or x < 2 32, etc.) 9

gnat2why Translation to WhyML Yep, not very readable... VC fragment for r = a/b: ( ( " GP_Sloc : overflow. adb :7:7" ( #" overflow. adb " 7 0 0# overflow example result. int content <- ( ( #" overflow. adb " 7 0 0# " GP_Sloc : overflow. adb :7:16" " GP_Shape : return div " " keep_on_simp " " model_vc " " GP_Reason : VC_OVERFLOW_CHECK " " GP_Id :1" ( Standard integer. range_check_ (( #" overflow. adb " 7 0 0# " GP_Reason : VC_DIVISION_CHECK " " GP_Id :0" " GP_Sloc : overflow. adb :7:16" " GP_Shape : return div " " keep_on_simp " " model_vc " ( Int_Division. div_ ( Overflow example a.a) ( Overflow example b.b)) ))) ) ); #" overflow. adb " 7 0 0# raise Return exc ) ); #" overflow. adb " 3 0 0# raise Return exc ) 10

gnat2why Translation to WhyML Yep, not very readable... VC fragment for r = a/b: ( ( " GP_Sloc : overflow. adb :7:7" ( #" overflow. adb " 7 0 0# overflow example result. int content <- ( ( #" overflow. adb " 7 0 0# " GP_Sloc : overflow. adb :7:16" " GP_Shape : return div " " keep_on_simp " " model_vc " " GP_Reason : VC_OVERFLOW_CHECK " " GP_Id :1" ( Standard integer. range_check_ (( #" overflow. adb " 7 0 0# " GP_Reason : VC_DIVISION_CHECK " " GP_Id :0" " GP_Sloc : overflow. adb :7:16" " GP_Shape : return div " " keep_on_simp " " model_vc " ( Int_Division. div_ ( Overflow example a.a) ( Overflow example b.b)) ))) ) ); #" overflow. adb " 7 0 0# raise Return exc ) ); #" overflow. adb " 3 0 0# raise Return exc ) But we eventually get nice output... overflow.adb:7:16: medium: divide by zero might fail (e.g. when B = 0) overflow.adb:7:16: medium: overflow check might fail 10

gnat2why Translation to WhyML Features of the IL: Based on first order logic + theories In vague ML syntax with programming constructs: (mutable) variables sequences loops, if, etc. assertions exceptions Built-in types are Boolean, Int, Real, Arrays, Records, Lists, Sets, etc. but more can be defined 11

gnat2why Translation to WhyML All checks come from a specification: Some checks are user defined (user asserts, postconditions) Ada RM defines basic checks (overflow, range, index, division by zero, discriminants, etc.) Spark RM defines more (LSP checks, loop variants and invariants, etc.)... we just follow that spec, and err on side of redundant checks. 12

SAT, SMT and SMTLIB Recap: we now have the Spark program in a different language (WhyML), but have not verified much... It s still difficult to prove anything, so we need to start talking to (automatic) theorem provers Language of choice is SMTLIB, but others exist So, next step is another language transformation 13

SAT, SMT and SMTLIB Theories Many theories have been implemented: Boolean Integer Reals Quantifiers Arrays Uninterpreted functions Bitvectors IEEE-754 Floating Point Strings Sets Algebraic Datatypes 14

SAT, SMT and SMTLIB Overview of SMTLIB In the beginning all SMT solvers used their own input language This made it hard to compare solvers SMTLIB is both a standard language and a huge library of benchmarks SMTLIB only describes a search problem No control flow (if statements, loops, etc.) - so very far away from programming language 15

SAT, SMT and SMTLIB SMTLIB is just s-expressions I hope you remember your LISP? ; quantifier-free linear integer arithmetic ( s e t - l o g i c QF_LIA ) ; declarations ( d e c l a r e - c o n s t x Int ) ( d e c l a r e - c o n s t y Int ) ; hypothesis - things we know are true ( a s s e r t ( <= 1 x 10)) ; 1 x 10 ( a s s e r t ( <= 1 y 10)) ; 1 y 10 ; goal - what we want to prove ( d e f i n e - c o n s t goal Bool (< (+ x y) 15)) ; x + y < 15 ; search for a model where the goal is not true ( a s s e r t ( not goal )) ( check-sat ) 16

SAT, SMT and SMTLIB SMTLIB is just s-expressions I hope you remember your LISP? ; quantifier-free linear integer arithmetic ( s e t - l o g i c QF_LIA ) ; declarations ( d e c l a r e - c o n s t x Int ) ( d e c l a r e - c o n s t y Int ) ; hypothesis - things we know are true ( a s s e r t ( <= 1 x 10)) ; 1 x 10 ( a s s e r t ( <= 1 y 10)) ; 1 y 10 ; goal - what we want to prove ( d e f i n e - c o n s t goal Bool (< (+ x y) 15)) ; x + y < 15 ; search for a model where the goal is not true ( a s s e r t ( not goal )) ( check-sat ) CVC4 output sat ((x 10) (y 5)) 16

SAT, SMT and SMTLIB SMTLIB language overview Functions ( d e f i n e - f u n double ( Int ) Int ) ( d e c l a r e - f u n triple (( x Int )) Int (+ x x x)) Assertions and function calls ( a s s e r t ( forall ((x Int )) (= ( double x) (+ x x )))) Predefined functions for theories Core =, =>, and, or, xor, not, ite,... Ints +, -, *, /, >, >=,... Arrays select, store BV bvadd, bvudiv, bvsdiv, bvlte,... FP fp.add, fp.mul, fp.eq, fp.isinfinite,... 17

SAT, SMT and SMTLIB You can encode difficult problems with this... ( d e c l a r e - f u n fib ( Int ) Int ) ( a s s e r t (= ( fib 0) 0)) ( a s s e r t (= ( fib 1) 1)) ; read this as: x Int x 2 = fib(x) = fib(x 2) + fib(x 1) ( a s s e r t ( forall ((x Int )) (= > ( >= x 2) (= ( fib x) (+ ( fib (- x 2)) ( fib (- x 1))))))) ; let s try to prove fib(10) < 10 ( a s s e r t ( not (< ( fib 10) 10))) ( check-sat ) 18

SAT, SMT and SMTLIB You can encode difficult problems with this... ( d e c l a r e - f u n fib ( Int ) Int ) ( a s s e r t (= ( fib 0) 0)) ( a s s e r t (= ( fib 1) 1)) ; read this as: x Int x 2 = fib(x) = fib(x 2) + fib(x 1) ( a s s e r t ( forall ((x Int )) (= > ( >= x 2) (= ( fib x) (+ ( fib (- x 2)) ( fib (- x 1))))))) ; let s try to prove fib(10) < 10 ( a s s e r t ( not (< ( fib 10) 10))) ( check-sat ) CVC4 output unknown ((( fib 10) 55)) 18

SAT, SMT and SMTLIB Solvers Many solvers exist - (partial) table from Wikipedia:... different strengths and logic support. 19

Why3 and WP So - Spark/WhyML and SMTLIB are quite different Last step is to go from the intermediate language to verification conditions expressed in SMTLIB 20

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback