Algebraic types and pattern matching in the logical language of the Why verification platform

We introduce an extension of the logical language of a software verification tool Why with algebraic types and pattern matching expressions. We describe the corresponding additions to the syntax of Why and give the semantics of the new constructions in terms of first-order logic with polymorphic types as it is adopted in Why and the Alt-Ergo prover.On introduit une extension du langage logique de l'outil de vérification des logiciels Why avec des types algébriques et des expressions de filtrage par motif. On décrit les modifications correspondantes de la syntaxe de Why et on donne la sémantique des nouvelles constructions dans la logique du premier ordre avec des type polymorphes telle qu'elle est adoptée dans Why et dans le démonstrateur automatique Alt-Ergo

Continuation Passing as an Abstract Syntax for Deductive Verification

Continuation-passing style allows us to devise an extremely economical abstract syntax for a generic algorithmic language. This syntax is flexible enough to naturally express conditionals, loops, (higher-order) function calls, and exception handling. It is type-agnostic and state-agnostic, which means that we can combine it with a wide range of type and effect systems. We argue that this syntax is also well suited for the purposes of deductive verification. Indeed, we show how it can be augmented in a natural way with specification annotations, ghost code, and side-effect discipline. We define the rules of verification condition generation for this syntax, and we show that the resulting formulas are nearly identical to what traditional approaches, like the weakest precondition calculus, produce for the equivalent algorithmic constructions. To sum up, we propose a minimalistic yet versatile abstract syntax for annotated programs for which we can compute verification conditions without sacrificing their size, legibility, and amenability to automated proof, compared to more traditional methods. We believe that it makes it an excellent candidate for internal code representation in program verification tools

L'arithmétique de séparation

National audienceNous, praticiens de la preuve de programmes, souhaitons que le processus de la vérification soit le plus automatique possible. Les meilleurs outils pour cela sont à l'heure actuelle les démonstrateurs SMT, qui combinent notamment la logique du premier ordre et l'arithmétique linéaire. Par opposition, le raisonnement inductif n'est pas un point fort des démonstrateurs automatiques. Or, les programmes utilisant des pointeurs le font souvent pour manipuler des structures récursives : listes, arbres, etc. Dans cet article, nous décrivons une approche qui permet d'amener la preuve de programmes avec pointeurs à la portée des démonstrateurs automatiques. L'idée consiste à projeter une structure récursive sur un domaine numérique, de sorte que les propriétés de possession et de séparation deviennent exprimables en terme de simples inégalités arithmétiques. En plus de simplifier la preuve, cela permet une spécification claire et naturelle. On illustre cette approche avec l'exemple classique du renversement en place d'une liste simplement chaînée

Evidential Paradigm as Formal Knowledge Presentation and Processing

Abstract. Investigations on the design and creation of high-performance information systems based on a number of paradigms supporting a human activity in formalized text processing were started in the beginning of 1960s -the time of the appearance of computers of such a high performance that programming of complex intelligent processes became possible. The so-called evidential paradigm is among them and it can be considered as a certain way of the integration of all reasonable paradigms intended for the development of languages for presenting formalized text in the form most appropriate for a user, formalization and evolutional development of a computer-made proof step, information environment having an influence on a current evidence of a computer-made proof step, and interactive man-assistant search of a proof. This paper contains a short description of the evidential paradigm and its implementation in the form of systems for presenting and processing formal knowledge

The Spirit of Ghost Code

Extended version of https://hal.inria.fr/hal-00873187International audienceIn the context of deductive program verification, ghost code is a part of the program that is added for the purpose of specification. Ghost code must not interfere with regular code, in the sense that it can be erased without observable difference in the program outcome. In particular, ghost data cannot participate in regular computations and ghost code cannot mutate regular data or diverge. The idea exists in the folklore since the early notion of auxiliary variables and is implemented in many state-of-the-art program verification tools. However, ghost code deserves rigorous definition and treatment, and few formalizations exist. In this article, we describe a simple ML-style programming language with muta-ble state and ghost code. Non-interference is ensured by a type system with effects, which allows, notably, the same data types and functions to be used in both regular and ghost code. We define the procedure of ghost code erasure and we prove its safety using bisimulation. A similar type system, with numerous extensions which we briefly discuss, is implemented in the program verification environment Why3

A Pragmatic Type System for Deductive Verification

In the context of deductive verication, it is customary today to handle programs with pointers using either separation logic, dynamic frames, or explicit memory models. Yet we can observe that in numerous programs, a large amount of code ts within the scope of Hoare logic, provided we can statically control aliasing. When this is the case, the code correctness can be reduced to simpler verication conditions which do not require any explicit memory model. This makes verication conditions more amenable both to automated theorem proving and to manual inspection and debugging. In this paper, we devise a method of such static aliasing control for a programming language featuring nested data structures with mutable components. Our solution is based on a type system with singleton regions and eects, which we prove to be sound

Des transformations logiques passent leur certicat

National audienceDans un contexte de vérification formelle de programmes, utilisant des démonstrateurs automatiques, la base de confiance des environnements de vérification est typiquement très large. Ainsi, un outil de vérification de programmes tel que Why3 comporte de nombreuses procédures complexes : génération de conditions de vérification, transformations logiques de tâches de preuve et interactions avec des démonstrateurs externes. En ne considérant que les transformations logiques dans Why3, leur implantation comporte déjà plus de 17000 lignes de code OCaml. Afin d'augmenter notre confiance dans la correction d'un tel outil de vérification, nous proposons un mécanisme de transformations certifiantes, produisant des certificats pouvant être validés par un outil externe, selon l'approche sceptique. Nous présentons ce mécanisme de génération de certificats et explorons deux méthodes pour les valider : une fondée sur un vérificateur dédié développé en OCaml, l'autre reposant sur le vérificateur de preuves universel Dedukti. Une spécificité de nos certificats est d'être « à petits grains » et composables, ce qui rend notre approche incrémentale, permettant d'ajouter graduellement de nouvelles transformations certifiantes

Verification of Programs with Pointers in SPARK

In the field of deductive software verification, programs with pointers present a major challenge due to pointer aliasing. In this paper, we introduce pointers to SPARK, a well-defined subset of the Ada language , intended for formal verification of mission-critical software. Our solution uses a permission-based static alias analysis method inspired by Rust's borrow-checker and affine types. To validate our approach, we have implemented it in the GNAT Ada compiler and the SPARK toolset. In the paper, we give a formal presentation of the analysis rules for a core version of SPARK and discuss their implementation and scope

Preserving User Proofs Across Specification Changes

International audienceIn the context of deductive program veri cation, both the speci fication and the code evolve as the veri fication process carries on. For instance, a loop invariant gets strengthened when additional properties are added to the specifi cation. This causes all the related proof obligations to change; thus previous user verifi cations become invalid. Yet it is often the case that most of previous proof attempts (goal trans- formations, calls to interactive or automated provers) are still directly applicable or are easy to adjust. In this paper, we describe a technique to maintain a proof session against modifi cation of verifi cation conditions. This technique is implemented in the Why3 platform. It was successfully used in developing more than a hundred verifi ed programs and in keeping them up to date along the evolution of Why3 and its standard library. It also helps out with changes in the environment, e.g. prover upgrades