Automating the Verification of Floating-Point Programs

International audienceIn the context of deductive program verification, handling floating-point computations is challenging. The level of proof success and proof automation highly depends on the way the floating-point operations are interpreted in the logic supported by back-end provers. We address this challenge by combining multiple techniques to separately prove different parts of the desired properties. We use abstract interpretation to compute numerical bounds of expressions, and we use multiple automated provers, relying on different strategies for representing floating-point computations. One of these strategies is based on the native support for floating-point arithmetic recently added in the SMT-LIB standard. Our approach is implemented in the Why3 environment and its front-end SPARK 2014 for the development of safety-critical Ada programs. It is validated experimentally on several examples originating from industrial use of SPARK 2014

Lightweight Checkers in a New Light

International audienceThe value of lightweight checkers, aka linters, for finding bugs in C or C++ programshas long been recognized. Their value for strongly typed languages like Ada or OCaml has notbeen so evident, as the compiler for these languages typically rules out most classes of bugsthat C/C++ linters find, either by issuing errors for non-compliance with language rules, or moreprecise warnings thanks to the additional information available to the compiler. In particular, theavailability of deep static analysis tools for these languages makes it uncertain that linters canbe of interest too, as the power of their analysis fits between compilers and deep static analysistools. We have investigated this question for the language Ada, and we have found that linterscan play an important role for such languages as well, which is more focused than the role theytraditionally play for weaker languages. Our findings are based on the creation of a set of lintersfor Ada that we applied to multiple industrial active codebases that we maintain at AdaCore. Theresults of these experiments were eye opening on the value of linters for stronger languages. Inthis article, we also describe the technology that allows the easy development and deploymentof​ ​ linters,​ ​ as​ ​ well​ ​ as​ ​ our​ ​ strategy​ ​ for​ ​ adapting​ ​ linters​ ​ to​ ​ the​ ​ analysis​ ​ context

Vérification automatique de programmes Ada effectuant des calculs en virgule flottante

In critical software systems like the ones related to transport and defense, it is common toperform numerical computations implemented using floating-point arithmetic. Safety conditions for suchsystems typically require strong guarantees on the functional behavior of the performed computations.Automatically verifying that these guarantees are fulfilled is thus desirable.Deductive program verification is a promising approach for verifying that a given code fulfills a functionalspecification, with a very high level of confidence. Yet, formally proving correct a program performingfloating-point computations remains a challenge, because floating-point arithmetic is not easily handled byautomated theorem provers.We address this challenge by combining multiple techniques to separately prove parts of the desired proper-ties. On the one hand, abstract interpretation computes numerical bounds for expressions that appear eitherin the original program, or in the ghost code added to instrument the program. On the other hand, we gen-erate verification conditions for different automated provers, relying on different strategies for representingfloating-point computations. Among these strategies, we try to exploit the native support for floating-pointarithmetic recently added in the SMT-LIB standard.Our approach is partly implemented in the Why3 environment for deductive program verification, and partlyimplemented in its front-end environment SPARK for the development of safety-critical Ada programs. Wereport on several examples and case studies used to validate our approach experimentally.Dans les logiciels critiques comme ceux liés aux transports et à la défense, il est courant d’effectuer des calculs numériques implémentés à l’aide de l’arithmétique à virgule flottante. Les exigences de sûreté de ces systèmes requièrent généralement des garanties fortes sur le comportement fonctionneldes calculs ainsi exécutés. Vérifier automatiquement que ces garanties sont remplies est donc souhaitable.La vérification déductive des programmes est une approche prometteuse pour vérifier formellementqu’un code donné satisfait une spécification fonctionnelle, avec un haut niveau de confiance. Néanmoins, prouver formellement qu’un programme qui effectue des calculs en virgule flottante est correct reste un défi, car l’arithmétique à virgule flottante n’est pas facilement traitée par les prouveurs automatiques.Nous abordons ce défi en combinant plusieurs techniques pour prouver séparément chaque partie despropriétés souhaitées. D’une part, l’interprétation abstraite calcule les bornes numériques pour les expressions qui apparaissent dans le programme d’origine, ou dans le code fantôme ajouté pour instrumenter le code. D’autre part, nous générons des obligations de preuve pour plusieurs prouveurs automatiques différents, s’appuyant sur différentes représentations des calculs en virgule flottante. En particulier, nous exploitons le support natif de l’arithmétique en virgule flottante récemment apparue dans le standard SMT-LIB.Notre approche est mise en oeuvre en partie dans la boîte à outils générique Why3 pour la vérificationdéductive, et en partie dans l’environnement SPARK pour le développement de programmes Ada critiques. Nous présentons des exemples et études de cas qui ont été utilisées pour valider notre approche expérimentalement

Propriétés fonctionnelles de haut-niveau pour des programmes opérant au niveau des bits: spécifications formelles et preuves automatiques

In a computer program, basic functionalities may be implemented using bit-wise operations. This can be motivated by the need to be close to the underlying architecture, or the need of efficiency, both in term of time and memory space. If one wants to formally specify the expected behavior of such a low-level program, it is desirable that the specification should be at a more abstract level. Formally proving that a low-level code conforms to a higher-level specification is challenging, because of the gap between the different levels of abstraction.Our approach to address this challenge is to design a rich formal theory of fixed-sized bit-vectors, which on the one hand allows a user to write abstract specifications close to the human---or mathematical---level of thinking, while on the other hand permits a close connection to decision procedures and tools for bit-vectors, as they exist in the context of the Satisfiability Modulo Theory framework. This approach is implemented in the Why3 environment for deductive program verification, and also in its front-end environment SPARK for the development of safety-critical Ada programs. We report on several case studies used to validate our approach experimentally.Dans un programme informatique, des fonctionalités de base sont parfois implémentées par des opérations bit-à-bit, par exemple à cause d'un besoin d'être proche de l'architecture matérielle sous-jacente, ou bien pour des questions d'efficacité, aussi bien en temps de calcul qu'en place mémoire. Si l'on cherche à spécifier formellement le comportement attendu d'un tel programme, il est souhaitable que la spécification se place à un niveau plus abstrait que celui des bits. Prouver formellement qu'un programme bas niveau est conforme à une spécification de plus haut niveau est un défi, à cause de l'écart important entre les niveaux d'abstraction en jeu.Notre approche pour résoudre ce défi consiste à concevoir une théorie formelle des vecteurs de bits, qui d'une part permet à un utilisateur d'écrire des spécifications proches d'un niveau de conception humain (ou bien disons, mathématique), et d'autre part peut se connecter aux procédures de décision et aux outils sachant traiter les vecteurs de bits,comme ceux qui sont développés dans le cadre SMT (Satisfia-bility Modulo Theory). Cette approche est implémentée dans le cadre de l’environnement généraliste Why3 pour la preuve déprogramme, ainsi que dans l’environnement SPARK pour le développement de codes critiques en Ada, qui utilise Why3 en interne. Nous présentons plusieurs études de cas afin de valider notre approche

Specification and Proof of High-Level Functional Properties of Bit-Level Programs

International audienceIn a computer program, basic functionalities may be implemented using bit-wise operations. To formally specify the expected behavior of such a low-level program, it is desirable that the specification should be at a more abstract level. Formally proving that low-level code conforms to a higher-level specification is challenging, because of the gap between the different levels of abstraction. We address this challenge by designing a rich formal theory of fixed-sized bit vectors , which on the one hand allows a user to write abstract specifications close to the human—or mathematical—level of thinking, while on the other hand permits a close connection to decision procedures and tools for bit vectors, as they exist in the context of the Satisfiability Modulo Theory framework. This approach is implemented in the Why3 environment for deductive program verification, and also in its front-end environment SPARK for the development of safety-critical Ada programs. We report on several case studies used to validate our approach