Program Derivation by Correctness Enhacements

Relative correctness is the property of a program to be more-correct than another program with respect to a given specification. Among the many properties of relative correctness, that which we found most intriguing is the property that program P' refines program P if and only if P' is more-correct than P with respect to any specification. This inspires us to reconsider program derivation by successive refinements: each step of this process mandates that we transform a program P into a program P' that refines P, i.e. P' is more-correct than P with respect to any specification. This raises the question: why should we want to make P' more-correct than P with respect to any specification, when we only have to satisfy specification R? In this paper, we discuss a process of program derivation that replaces traditional sequence of refinement-based correctness-preserving transformations starting from specification R by a sequence of relative correctness-based correctness-enhancing transformations starting from abort.Comment: In Proceedings Refine'15, arXiv:1606.0134

A formally verified compiler back-end

This article describes the development and formal verification (proof of semantic preservation) of a compiler back-end from Cminor (a simple imperative intermediate language) to PowerPC assembly code, using the Coq proof assistant both for programming the compiler and for proving its correctness. Such a verified compiler is useful in the context of formal methods applied to the certification of critical software: the verification of the compiler guarantees that the safety properties proved on the source code hold for the executable compiled code as well

Computer-aided verification in mechanism design

In mechanism design, the gold standard solution concepts are dominant strategy incentive compatibility and Bayesian incentive compatibility. These solution concepts relieve the (possibly unsophisticated) bidders from the need to engage in complicated strategizing. While incentive properties are simple to state, their proofs are specific to the mechanism and can be quite complex. This raises two concerns. From a practical perspective, checking a complex proof can be a tedious process, often requiring experts knowledgeable in mechanism design. Furthermore, from a modeling perspective, if unsophisticated agents are unconvinced of incentive properties, they may strategize in unpredictable ways. To address both concerns, we explore techniques from computer-aided verification to construct formal proofs of incentive properties. Because formal proofs can be automatically checked, agents do not need to manually check the properties, or even understand the proof. To demonstrate, we present the verification of a sophisticated mechanism: the generic reduction from Bayesian incentive compatible mechanism design to algorithm design given by Hartline, Kleinberg, and Malekian. This mechanism presents new challenges for formal verification, including essential use of randomness from both the execution of the mechanism and from the prior type distributions. As an immediate consequence, our work also formalizes Bayesian incentive compatibility for the entire family of mechanisms derived via this reduction. Finally, as an intermediate step in our formalization, we provide the first formal verification of incentive compatibility for the celebrated Vickrey-Clarke-Groves mechanism

Towards a Rule-level Verification Framework for Property-Preserving Graph Transformations

International audienceWe report in this paper a method for proving that a graph transformation is property-preserving. Our approach uses a relational representation for graph grammar and a logical representation for graph properties with first-order logic formulas. The presented work consists in identifying the general conditions for a graph grammar to preserve graph properties, in particular structural properties. We aim to implement all the relevant notions of graph grammar in the Isabelle/HOL proof assistant in order to allow a (semi) automatic verification of graph transformation with a reasonable complexity. Given an input graph and a set of graph transformation rules, we can use mathematical induction strategies to verify statically if the transformation preserves a particular property of the initial graph. The main highlight of our approach is that such a verification is done without calculating the resulting graph and thus without using a transformation engine

Automatically correcting syntactic and semantic errors in ATL transformations using multi-objective optimization

L’ingénierie dirigée par les modèles (EDM) est un paradigme de développement logiciel qui promeut l’utilisation de modèles en tant qu’artefacts de première plan et de processus automatisés pour en dériver d’autres artefacts tels que le code, la documentation et les cas de test. La transformation de modèle est un élément important de l’EDM puisqu’elle permet de manipuler les représentations abstraites que sont les modèles. Les transformations de modèles, comme d’autres programmes, sont sujettes à la fois à des erreurs syntaxiques et sémantiques. La correction de ces erreurs est difficile et chronophage, car les transformations dépendent du langage de transformation comme ATL et des langages de modélisation dans lesquels sont exprimés les modèles en entrée et en sortie. Les travaux existants sur la réparation des transformations ciblent les erreurs syntaxiques ou sémantiques, une erreur à la fois, et définissent manuellement des patrons de correctifs. L’objectif principal de notre recherche est de proposer un cadre générique pour corriger automatiquement de multiples erreurs syntaxiques et sémantiques. Afin d’atteindre cet objectif, nous reformulons la réparation des transformations de modèles comme un problème d’optimisation multiobjectif et le résolvons au moyen d’algorithmes évolutionnaires. Pour adapter le cadre aux deux catégories d’erreurs, nous utilisons différents types d’objectifs et des stratégies sophistiquées pour guider l’exploration de l’espace des solutions.Model-driven engineering (MDE) is a software development paradigm that promotes the use of models as first-class artifacts and automated processes to derive other artefacts from them such as code, documentation and test cases. Model transformation is an important element of MDE since it allows to manipulate the abstract representations that are models. Model transformations, as other programs are subjects to both syntactic and semantic errors. Fixing those errors is difficult and time consuming as the transformations depend on the transformation language such as ATL, and modeling languages in which input and output models are expressed. Existing work on transformation repair targets either syntactic or semantic errors, one error at a time, and define patch templates manually. The main goal of our research is to propose a generic framework to fix multiple syntactic and semantic errors automatically. In order to achieve this goal, we reformulate the repair of model transformations as a multi-objective optimization problem and solve it by means of evolutionary algorithms. To adapt the framework to the two categories of errors, we use different types of objectives and sophisticated strategies to guide the search

Mechanized semantics

The goal of this lecture is to show how modern theorem provers---in this case, the Coq proof assistant---can be used to mechanize the specification of programming languages and their semantics, and to reason over individual programs and over generic program transformations, as typically found in compilers. The topics covered include: operational semantics (small-step, big-step, definitional interpreters); a simple form of denotational semantics; axiomatic semantics and Hoare logic; generation of verification conditions, with application to program proof; compilation to virtual machine code and its proof of correctness; an example of an optimizing program transformation (dead code elimination) and its proof of correctness