Normalized Rewriting: an Alternative to Rewriting modulo a Set of Equations

AbstractIn the first part of this paper, we introducenormalized rewriting, a new rewrite relation. It generalizes former notions of rewriting modulo a set of equationsE, dropping some conditions onE. For example,Ecan now be the theory of identity, idempotence, the theory of Abelian groups or the theory of commutative rings. We give a new completion algorithm for normalized rewriting. It contains as an instance the usual AC completion algorithm, but also the well-known Buchberger algorithm for computing Gröbner bases of polynomial ideals. In the second part, we investigate the particular case of completion of ground equations. In this case we prove by a uniform method that completion moduloEterminates, for some interesting theoriesE. As a consequence, we obtain the decidability of the word problem for some classes of equational theories, including the AC-ground case (a result known since 1991), the ACUI-ground case (a new result to our knowledge), and the cases of ground equations modulo the theory of Abelian groups and commutative rings, which is already known when the signature contains only constants, but is new otherwise. Finally, we give implementation results which show the efficiency of normalized completion with respect to completion modulo AC

Specifying Generic Java Programs: two case studies

International audienceThis work investigates the question of modular specification of generic Java classes and methods. We propose extensions to the Krakatoa Modeling Language, a part of the Why platform for proving that a Java or C program is a correct implementation of some specification. The new constructs we propose for the specification of generic Java programs are presented through two significant examples: the specification of the generic method for sorting arrays which comes from the java.util.Arrays class in the Java API, and the specification of the java.util.HashMap class defining a generic hash map and its use for memoization. The main ingredient is the notion of theories and the instantiation relation between them. We discuss soundness conditions and their verification

Modular Specification of Java Programs

This work investigates the question of modular specification of generic Java classes and methods. The first part introduces a specification language for Java programs. In the second part the language is used to specify an array sorting algorithm by selection. The third and the fourth parts define a syntax proposal for the specification a generic Java programs, through two examples. The former is the specification of the generic method for sorting arrays which comes in the java.util.Arrays class of the Java API. The latter is the specification of the java.util.HashMap class and its use for memoization

Static versus Dynamic Verification in Why3, Frama-C and SPARK 2014

International audienceWhy3 is an environment for static verification, generic in the sense that it is used as an intermediate tool by different front-ends for the verification of Java, C or Ada programs. Yet, the choices made when designing the specification languages provided by those front-ends differ significantly, in particular with respect to the executability of specifications. We review these differences and the issues that result from these choices. We emphasize the specific feature of ghost code which turns out to be extremely useful for both static and dynamic verification. We also present techniques, combining static and dynamic features, that help users understand why static verification fails

Separation Analysis for Weakest Precondition-based Verification

International audienceThe component-as-array model is a widely used technique for modeling heap memory in Weakest Precondition-based deductive verification of pointer programs. We propose a separation analysis which can be integrated in the core of this model. This allows to greatly simplify the verification conditions generated, and thus greatly helps in proving such pointer programs. We illustrate the improvements both in term of scaling up for codes of large size, and in term of simplification of the reasoning for establishing advanced behaviors

Binary Heaps Formally Verified in Why3

The VACID-0 benchmarks is a set of small programs which pose challenges for formal verification of their functional behavior. This paper reports on the formal verification of one of these challenges: binary heaps. The solution given here is performed using the Why3 environment for program verification. The expected behavior of the program is specified in Why3 logic, structured using the constructs for building hierarchies of theories provided by Why3. The proofs are achieved by a significant amount of automation, using SMT solvers for a large majority of the verification conditions generated, whereas the remaining verification conditions are discharged by interactive constructions of proof scripts using the Coq proof assistant. The general aim of this case study is to demonstrate the usability and efficiency of both the Why3 specification language and the accompanying tools, which offer a fairly advanced environment for specification while keeping a significant amount of automation of proofs.Les benchmarks VACID-0 forment une collection de petits programmes qui posent des défis pour la vérification formelle de leur comportement fonctionnel. Ce rapport présente la vérification formelle de l'un de ces exemples: les tas binaires. La solution présentée utilise l'environnement pour la vérification Why3. Le comportement attendu est spécifié dans la logique de Why3, de façon structurée grâce aux constructions hiérarchiques de théories proposées par Why3. Les preuves sont effectuées de façon largement automatiques, car les prouveurs SMT disponibles en sortie de Why3 résolvent un pourcentage significatif des obligations de preuves engendrées, le reste étant prouvé interactivement avec l'assistant de preuve Coq. La motivation de cette étude de cas est de démontrer l'utilisabilité et l'efficacité à la fois du langage de spécification de Why3 et des outils associés, qui fournissent un langage puissant de spécification tout en permettant une automatisation importante des preuves

Le langage CoLiS : syntaxe, sémantique et outillage

This report presents the design choices of the CoLiS language, conceived within the ANRproject of the same name. We present the syntax of the language, both in an abstract and in a concreteform, then we give typing rules, and finally its operational semantics. We describe a tool that implementsvarious operations applicable on CoLiS programs, mainly an interpreter and a translator to the shell language.Operational semantics is defined formally within Why3, with which a formal proof of correctionof the interpreter is performed. Finally, we present some tooling for the execution of test campaigns fornon-regression and the detection of inconsistencies between direct interpretation and translation to theshell.Ce document présente les choix de conception du langage CoLiS, conçu dans le cadre du projetANR du même nom. On présente la syntaxe du langage, à la fois sous une forme abstraite et une formeconcrète, puis des conditions de bon typage et enfin sa sémantique opérationnelle. On décrit ensuite unoutil qui implémente différentes opérations applicables sur les programmes CoLiS, principalement un interpréteuret un traducteur vers le langage shell. La sémantique opérationnelle est définie formellement ausein de l’environnement Why3, avec lequel une preuve formelle de correction de l’interpréteur est réalisée.Enfin, on présente un outillage visant à l’exécution de campagnes de test de non-régression et de détectiond’incohérences entre l’interprétation directe et la traduction vers le shell

Regions and Permissions for Verifying Data Invariants

To formally verify behavioral properties of programs, stating complex first-order formulas as data invariants proves useful. In the context of pointer programs, such invariants are hard to maintain because of aliasing. We propose a type system based on memory regions and linear permissions which allows to reduce preservation of invariants to first-order verification conditions in a sound way. It further allows data abstraction and effect hiding. It thus provides an approach to modular verification of behavioral properties of pointer programs.Les invariants de données sont nécessaires pour établir des propriétés fonctionnelles avancées des programmes. Leur vérification par preuve demande de les exprimer dans un langage logique expressif comme les formules du premier ordre. Dans le cas des programmes avec pointeurs, la vérification de ces invariants est rendue encore plus complexe à cause du partage. Nous proposons un système de typage statique basé sur des régions mémoire et des permissions d'accès linéaires, afin de réduire, de façon sure, la vérifaction de preservation des invariants à des obligations de preuve. Notre approche permet l'abstraction de données et le masquage des effets de bords internes aux modules de programmes. Ainsi, cette approche est une méthode de vérification modulaire de propriétés de programmes avec pointeurs et partage

Reasoning about Java Programs with Aliasing and Frame Conditions

International audienceSeveral tools exist for reasoning about Java programs annotated with JML specifications. A main issue is to deal with possible aliasing between objects and to handle correctly the frame conditions limiting the part of memory that a method is allowed to modify. Tools designed for automatic use (like ESC/Java) are not complete and even not necessarily correct. On the other side, tools which offer a full modeling of the program require a heavy user interaction for discharging proof obligations. In this paper, we present the modeling of Java programs used in the Krakatoa tool, which generates proof obligations expressed in a logic language suitable for both automatic and interactive reasoning. Using the Simplify automatic theorem prover, we are able to establish automatically more properties than static analysis tools, with a method which is guaranteed to be sound, assuming only the correctness of our logical interpretation of programs and specifications