FoCaLiZe: Inside an F-IDE

For years, Integrated Development Environments have demonstrated their usefulness in order to ease the development of software. High-level security or safety systems require proofs of compliance to standards, based on analyses such as code review and, increasingly nowadays, formal proofs of conformance to specifications. This implies mixing computational and logical aspects all along the development, which naturally raises the need for a notion of Formal IDE. This paper examines the FoCaLiZe environment and explores the implementation issues raised by the decision to provide a single language to express specification properties, source code and machine-checked proofs while allowing incremental development and code reusability. Such features create strong dependencies between functions, properties and proofs, and impose an particular compilation scheme, which is described here. The compilation results are runnable OCaml code and a checkable Coq term. All these points are illustrated through a running example.Comment: In Proceedings F-IDE 2014, arXiv:1404.578

ML Pattern-Matching, Recursion, and Rewriting: From FoCaLiZe to Dedukti

International audienceThe programming environment FoCaLiZe allows the user to specify, implement, and prove programs with the help of the theorem prover Zenon. In the actual version, those proofs are verified by Coq. In this paper we propose to extend the FoCaLiZe compiler by a backend to the Dedukti language in order to benefit from Zenon Modulo, an extension of Zenon for Deduction modulo. By doing so, FoCaLiZe can benefit from a technique for finding and verifying proofs more quickly. The paper focuses mainly on the process that overcomes the lack of local pattern-matching and recursive definitions in Dedukti

Mécanismes Orientés-Objets pour l'Interopérabilité entre Systèmes de Preuve

Dedukti is a Logical Framework resulting from the combination ofdependent typing and rewriting. It can be used to encode many logicalsystems using shallow embeddings preserving their notion of reduction.These translations of logical systems in a common format are anecessary first step for exchanging proofs between systems. Thisobjective of interoperability of proof systems is the main motivationof this thesis.To achieve it, we take inspiration from the world of programminglanguages and more specifically from object-oriented languages becausethey feature advanced mechanisms for encapsulation, modularity, anddefault definitions. For this reason we start by a shallowtranslation of an object calculus to Dedukti. The most interestingpoint in this translation is the treatment of subtyping.Unfortunately, it seems very hard to incorporate logic in this objectcalculus. To proceed, object-oriented mechanisms should be restrictedto static ones which seem enough for interoperability. Such acombination of static object-oriented mechanisms and logic is alreadypresent in the FoCaLiZe environment so we propose a shallow embeddingof FoCaLiZe in Dedukti. The main difficulties arise from theintegration of FoCaLiZe automatic theorem prover Zenon and from thetranslation of FoCaLiZe functional implementation language featuringtwo constructs which have no simple counterparts in Dedukti: localpattern matching and recursion.We then demonstrate how this embedding of FoCaLiZe to Dedukti can beused in practice for achieving interoperability of proof systemsthrough FoCaLiZe, Zenon, and Dedukti. In order to avoid strengtheningto much the theory in which the final proof is expressed, we useDedukti as a meta-language for eliminating unnecessary axioms.Dedukti est un cadre logique résultant de la combinaison du typagedépendant et de la réécriture. Il permet d'encoder de nombreuxsystèmes logiques au moyen de plongements superficiels qui préserventla notion de réduction.Ces traductions de systèmes logiques dans un format commun sont unepremière étape nécessaire à l'échange de preuves entre cessystèmes. Cet objectif d'interopérabilité des systèmes de preuve estla motivation principale de cette thèse.Pour y parvenir, nous nous inspirons du monde des langages deprogrammation et plus particulièrement des langages orientés-objetparce qu'ils mettent en œuvre des mécanismes avancés d'encapsulation,de modularité et de définitions par défaut. Pour cette raison, nouscommençons par une traduction superficielle d'un calcul orienté-objeten Dedukti. L'aspect le plus intéressant de cette traduction est letraitement du sous-typage.Malheureusement, ce calcul orienté-objet ne semble pas adapté àl'incorporation de traits logiques. Afin de continuer, nous devonsrestreindre les mécanismes orientés-objet à des mécanismes statiques,plus faciles à combiner avec la logique et apparemment suffisant pournotre objectif d'interopérabilité. Une telle combinaison de mécanismesorientés-objet et de logique est présente dans l'environnementFoCaLiZe donc nous proposons un encodage superficiel de FoCaLiZe dansDedukti. Les difficultés principales proviennent de l'intégration deZenon, le prouveur automatique de théorèmes sur lequel FoCaLiZerepose, et de la traduction du langage d'implantation fonctionnel deFoCaLiZe qui présente deux constructions qui n'ont pas decorrespondance simple en Dedukti : le filtrage de motif local et larécursivité.Nous démontrons finalement comment notre encodage de FoCaLiZe dansDedukti peut servir en pratique à l'interopérabilité entre dessystèmes de preuve à l'aide de FoCaLiZe, Zenon et Dedukti. Pour éviterde trop renforcer la théorie dans laquelle la preuve finale estobtenue, nous proposons d'utiliser Dedukti en tant que méta-langagepour éliminer des axiomes superflus

Dedukti: a Logical Framework based on the λ\lambdaΠ\Pi-Calculus Modulo Theory

Dedukti is a Logical Framework based on the $\lambda$$\Pi$-Calculus Modulo Theory. We show that many theories can be expressed in Dedukti: constructive and classical predicate logic, Simple type theory, programming languages, Pure type systems, the Calculus of inductive constructions with universes, etc. and that permits to used it to check large libraries of proofs developed in other proof systems: Zenon, iProver, FoCaLiZe, HOL Light, and Matita

Formal Reasoning Using an Iterative Approach with an Integrated Web IDE

This paper summarizes our experience in communicating the elements of reasoning about correctness, and the central role of formal specifications in reasoning about modular, component-based software using a language and an integrated Web IDE designed for the purpose. Our experience in using such an IDE, supported by a 'push-button' verifying compiler in a classroom setting, reveals the highly iterative process learners use to arrive at suitably specified, automatically provable code. We explain how the IDE facilitates reasoning at each step of this process by providing human readable verification conditions (VCs) and feedback from an integrated prover that clearly indicates unprovable VCs to help identify obstacles to completing proofs. The paper discusses the IDE's usage in verified software development using several examples drawn from actual classroom lectures and student assignments to illustrate principles of design-by-contract and the iterative process of creating and subsequently refining assertions, such as loop invariants in object-based code.Comment: In Proceedings F-IDE 2015, arXiv:1508.0338

Compiling Programs and Proofs: FoCaLiZe Internals

Designing a tool to ease the development of high-level security or safety systems must consider to facilitate not only design and coding but also formal demonstrations of correctness and compliance to standards. This entails some requirements on the tool as these demonstrations ask to link together computational and logical aspects of the development. These requirements are briefly considered and a solution is proposed: functions, statements and proofs are handled in a unique language, offering inheritance and parametrized modules. The FoCaLiZe environment implements this language, which remains simple enough to be used in a usual engineering process. The code generation produces an executable functional code (in OCaml) and a checkable term of a logical Type Theory (verified by Coq), close enough to truly ease traceability. It ensures that OCaml and Coq produced codes are error-free and provides compact generated code. The main contribution of this paper is a detailed presentation of the compilation scheme, which is supported by an original treatment of the dependencies induced by the combination of computational and logical constructs. As the whole source code is translated to a logical term verified by Coq, we get a strong assurance in the correctness of the generated code, hence avoiding the need to prove correctness of the compiler itself

Towards the Formal Specification and Verification of Maple Programs

In this paper, we present our ongoing work and initial results on the formal specification and verification of MiniMaple (a substantial subset of Maple with slight extensions) programs. The main goal of our work is to find behavioral errors in such programs w.r.t. their specifications by static analysis. This task is more complex for widely used computer algebra languages like Maple as these are fundamentally different from classical languages: they support non-standard types of objects such as symbols, unevaluated expressions and polynomials and require abstract computer algebraic concepts and objects such as rings and orderings etc. As a starting point we have defined and formalized a syntax, semantics, type system and specification language for MiniMaple

Objects and subtyping in the λΠ-calculus modulo

We present a shallow embedding of the Object Calculus of Abadi and Cardelli in the λΠ-calculus modulo, an extension of the λΠ-calculus in which conversion is considered modulo a rewrite system. This embedding may be used as an example of translation of subtyping, a feature also present in some proof assistants like Coq and PVS. This embedding is proved correct with respect to the operational semantics and the type system of the Object Calculus. It has been implemented as a translation tool from the Object Calculus to Dedukti, a type-checker for the λΠ-calculus modulo